Introduction to Elliptic Curve Cryptography

CSCI 5857: Encoding and Encryption

Outline

• Encryption as points on elliptic curves in space• Elliptic curves and modular arithmetic• Mathematical operations on elliptic curves• Elliptic curve Diffie-Hellman• Elliptic curve Elgamal• Security and speed of elliptic curve cryptography

Elliptic Curve Mathematics• General mathematical form (Weierstraus equation):

y2 = x3 + ax + b

For some a, b (curve parameters)

Elliptic Curve Encryption• Encryption:

Transforming points on curve (P, KPU) into other point on same curve (C)

• Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve

R = P + Q where P = (xP, yP) Q = (xQ, yQ) R = (xR, yR)

Elliptic Curve Addition Cases

• Case 1: R based on line formed by P, Q (xP ≠ xQ, yP ≠ yQ)

Equations:• = (yQ – yP) / (xQ – xP) • xR = 2 – xP – xQ

• yR = (xP – xR) – yP

Elliptic Curve Addition Cases

• Case 2: P = Q, R based on tangent to curve (xP = xQ, yP = yQ)

Equations:• xR = ((3xP

2 + a) / 2yP)2 - 2xP

• yR = ((3xP2 + a) / 2yP)2(xP – xR) – yP

Elliptic Curve Addition Cases

• Case 3: P = -Q, line does not intercept curve (xP = xQ, yP ≠ yQ)

• R = “0” (additive identity)– Point at infinity– 0 = -0

Elliptic Curves over Zp

• Encryption requires modular arithmetic– Must be difficult to recover original points from R.– Modular arithmetic prevents “working backward”, as in

RSA

• Define “curve” as Ep(a, b) where p is the modulus, a, b are the coefficients of y2 = x3 + ax + b

• Looking for (x, y) such that y2 = (x3 + ax + b) mod p

– Note: “points” on curve are integers

Finding Points on a Zp Curve

• Points on elliptic curve y2 = x3 + x + 1 for GF(13):– Must find integer values for x, y < 13 such that

(y2) mod 13 = (x3 + x + 1) mod 13

x = 0: y2 mod 13 = 1 mod 13 y = 1

y = 1, 12 (-1 mod 13 = 12)

x = 1: y2 mod 13 = 3 mod 13 y = 4 (16 mod 13 = 3) y = 4, 9

Finding Points on a Zp Curve

Note: Not all values of x have a corresponding y

x = 2: y2 mod 13 = 11 mod 13 No solution for y (Can test all y < 13)

x = 3: y2 mod 13 = 31 mod 13 = 5 No solution for y (Can test all y < 13)

x = 4: y2 mod 13 = 69 mod 13 = 4 y = 2 y = 2, 11

Finding Points on a Zp Curve

• Points on elliptic curve y2 = x3 + x + 1 over GF(13):

Elliptic Curve Mathematics

• Computing (xR, yR) = (xP, yP) + (xQ, yQ) – Necessary to turn 2 points corresponding to key,

plaintext into point corresponding to ciphertext

• Use same rules for “+” as curves in space

• Main ideas:– Addition/subtraction/multiplication in mod p– Division = multiplication by inverse mod p

Example: (4, 2) + (10, 6) on E13(1, 1)

• step 1: compute = (yQ – yP) / (xQ – xP) = (6 – 2) x (10 – 4)-1 mod 13 = 4 x 6-1 mod 13 6-1 mod 13 = 11

= 4 x 11 mod 13 = 5

• step 2: compute xR = 2 – xP – xQ

xR = 25 – 4 – 10 mod 13 = 11

• step 3: compute yR = (xP – xR) – yP

yR = 5 x (4 – 11) – 2 mod 13 = 2

(4, 2) + (10, 6) = (11, 2) note: also on curve!

Multiplication on an Elliptic Curve

• Multiplication = addition multiple times– Necessary for some forms of elliptic curve cryptography– Must use formula where P = Q for first addition

• Example: 3 x (1, 4) on E13(1, 1)

3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)

Elliptic Curve Encryption

• Generally based on using elliptic curves in place of exponentiation in existing public key algorithm

• Examples: –Elliptic Curve Diffie-Hellman–Elliptic Curve Elgamal

Elliptic Curve Diffie-Hellman

• Alice and Bob agree on global parameters:– Ep(a, b): Elliptic curve mod p (prime) with

parameters a and b– G : “Generator” point on that elliptic curve

• For all points R on the curve, there exists some n such that G n = R

– Example: P = 211 Ep(0, -4) the curve y2 = x3 - 4 G = (2, 2)

Elliptic Curve Diffie-Hellman

• Alice and Bob select own private x and y• They each generate a public R1 and R2 as

R1 = x G and R2 = y G • They exchange these values

• Example: x = 121 R1 = 121 (2, 2) = (115, 48) y = 203 R2 = 203 (2, 2) = (130, 203)

(115, 48)

(130, 203)

Elliptic Curve Diffie-Hellman

• Alice and Bob generate the same key kAlice: k = R2 x

Bob: k = R1 y • Proof: R2 x = (G y) x

R1 y = (G x) y • Example:

121 (130, 203) = 203 (115, 48) = (161, 69)

Elliptic Curve Elgamal

Generating public and private keys:• Bob chooses an Ep(a, b) for an elliptic curve in Zp

• Bob chooses a point (x1, y1) on that curve• Bob chooses a secret integer multiplier d < p• Bob computes a second point (x2, y2) on the curve as

(x2, y2) = d (x1, y1)

• public key: the values p, a, and b that define the curve the two points (x1, y1) and (x2, y2)

• private key: the multiplier d

Elliptic Curve Elgamal

Encryption:• Alice selects a point P on Ep(a, b) that corresponds to

the plaintext message she wishes to send• Alice selects a random multiplier r• Alice creates the ciphertext as two points on the

curve:

C1 = r (x1, y1) C2 = P + r (x2, y2)

Elliptic Curve Elgamal

Decryption:• Bob computes the plaintext as: P = C2 – (d C1))

• Why does this work?

P = C2 – (d C1)) = (P + r (x2, y2) ) – (d r (x1, y1) )) = (P + d r (x1, y1) ) – (d r (x1, y1) )) = P

Security and Speed

• Why is this secure?– Same type of inverse modular problem

(elliptic curve logarithm problem)

– No simple way to determine d from (x1, y1) and

(x2, y2) without trying all possible values

– Computationally secure as long as p large enough to prevent this (2160 for example)

Security and Speed

• Why is this fast?– Only uses addition and multiplication –

no exponents!

– Smaller key sizes • 160 bit ECC key equivalent to 1024 bit RSA key