introduction to elliptic curve cryptography

1. Elliptic Curve Cryptography - An Introduction
Marisa Paryasto
33207002
27 October 2011
Friday, October 28, 2011 1

2. What is Elliptic Curve Cryptography?
‣ Originally
proposed
by
Victor
Miller
and
Neal
Koblitz
independently
from
one
another
in
1985
‣ ECC
proposed
an
alterna@ve
to
other
public-­‐key
encryp@on
algorithms,
such
as
RSA
Friday, October 28, 2011 2

3. Elliptic Curve
Called
“ellip@c”
because
of
its
rela@onship
with
ellip@c
integrals,
which
are
natural
expressions
for
the
arc
length
of
an
ellipse
y2
=
x3
+
ax
+
b
Ellip@c
curve
is
not
an
ellipse!
Friday, October 28, 2011 3

4. y2 = x3 - x
Friday, October 28, 2011 4

5. y2 = x3
Friday, October 28, 2011 5

6. y2 = x3 - 4/3x + 16/27
Friday, October 28, 2011 6

7. y2 = x3 - 1/2x + 1/2
Friday, October 28, 2011 7

8. Elliptic Curve Cryptography
‣ Point
mul@plica@on
Q
=
kP
‣ Repeated
point
addi@on
and
doubling:
9P
=
2(2(2P))
+
P
‣ Public
key
opera@on:
Q(x,y)
=
kP(x,y)
Q
=
public
key
P
=
base
point
(curve
parameter)
k
=
private
key
n
=
order
of
P
‣ Ellip@c
curve
discrete
logarithm
Given
public
key
kP,
find
private
key
k
Friday, October 28, 2011 8

9. Elliptic Curve Addition
Q
P
P+Q
Friday, October 28, 2011 9

10. Multiplying 3P in Elliptic Curve (1)
P+P = 2P
P
Friday, October 28, 2011 10

11. Multiplying 3P in Elliptic Curve (2)
P+P = 2P
Notes: 3P = 2P + P -> draw a line
that crosses point 2P and P
3P
P
Friday, October 28, 2011 11

12. Encryption Process
'1)'7+ '%3,/!&'7+
30%4',6$0%+ &0+ 7#&#+
&0+ 32,4' *+&,-,.,/,/&,01*22,0& 8!0$%&9 *+&2/-;#.,6&.<-467<2&
!"#$$%& %21)', *+,-,.,/,/&,01*22,0& 21,/,3**&4******5& 7-21##6*&6*7<-;665&
'%($)! 21,/,3**&4******&& *+&,6,1,7,3&212.,6,1& 89: *+&-7327-16&<3*;))37&
,.,7,3,1&2127,.,2 -7;3-73*&1;1;7-71
)$*+$%&'*', (-.+/-
!"#$%&'(& !0$%&+ (5.+/5
12"&$!"$3#&$0%+
0%+32,4'
Friday, October 28, 2011 12

13. Decryption Process
*+&2/-:#.,6&.;-467;2& 5'3,/!&$0%+
*+&,-,.,/,/&,01*22,0&
7-21##6*&6*7;-:665& !,03'66 21,/,3**&4******5& *+,-,.,/,/&,01*22,0& !"#$$%&
*+&-7327-16&;3*:))37& )&8&9 *+&,6,1,7,3&212.,6,1& 21,/,3**&4******&&
'%($)!
-7:3-73*&1:1:7-71 ,.,7,3,1&2127,.,2
7+8+9(:.+/:; !0$%&+ (-.+/- )$*+$%&'*', !"#$%&'(&
12"&$!"$3#&$0%+
0%+32,4'
Friday, October 28, 2011 13

14. Elliptic Curve y2 = x3 + x + 6 is defined over Z11
Z11
10
9
8
7
6
5
4
3
2
1
0
0 2 4 6 8 10 12
Friday, October 28, 2011 14

15. An elliptic curve E: y2 = x 3 + x + 6 is defined over
Z11
Friday, October 28, 2011 15

16. Calculating Quadratic Residue
Friday, October 28, 2011 16

17. Points on Curve
Friday, October 28, 2011 17

18. ‣ There
are
12
points
lying
on
the
ellip@c
curve.
Together
with
the
point
O
at
infinity,
the
points
on
the
ellip@c
curve
form
a
group
with
n
=
13
elements.
‣ n
is
called
the
order
of
the
ellip@c
curve
group
and
depends
on
the
choice
of
the
curve
parameters
a
and
b.
Friday, October 28, 2011 18

19. Point Addition
P1 = (2, 4) P2 = (5, 9)
P1 + P2 = P3 = (x3 , y3 )
y2 − y 1 9−4 5
m= = = = 5 · 4 = 20 = 9
x2 − x1 5−2 3
x3 = m2 − x1 − x2 = (9)2 − 2 − 5 = 81 − 7 = 74 = 8
y3 = m(x1 − x3 ) − y1 = 9(2 − 8) − 4 = 9(−6) − 4 = −54 − 4 = −58 = 8
P3 = (x3 , y3 ) = (8, 8)
Friday, October 28, 2011 19

20. Point Doubling
‣ Iterate the point (7, 2) lying on y_2 = x_3 + x + 6 mod 11
‣ Compute P2 = P * P by doubling the point P
dy x1 2 + b 3(7)2 + 1 147 + 1 148 ˙
m= = = = = = 148 · 3 = 53 = 15 = 4
dx 2y1 2(2) 4 4
x2 = m2 − 2x1 = (4)2 − 2(7) = 16 − 14 = 2
y2 = m(x1 − x2 ) − y1 = 4(7 − 2) − 2 = 4(5) − 2 = 20 − 2 = 18 = 7
P 2 = P ∗ P = (x2 , y2 ) = (2, 7)
Friday, October 28, 2011 20

21. More point doubling
Compute P3 = P2 * P
P 2 = (2, 7)
P = (7, 2)
y2 − y 1 2−7 −5 6
m= = = = = 6 · 9 = 54 = 10
x2 − x1 7−2 5 5
x3 = m2 − x1 − x2 = (10)2 − 2 − 7 = 100 − 9 = 91 = 3
y3 = m(x1 − x3 ) − y1 = 10(2 − 3) − 7 = 10(−1) − 7 = −10 − 7 = −17 =
P 2 = P ∗ P = (x3 , y3 ) = (3, 5)
Friday, October 28, 2011 21

22. Representing plaintext
‣ Let E : y 2 ≡ x3 + bx + c(mod p)
‣ Message m (representated as a number) will be embedded in the x-
coordinate of a point
‣ Adjoin a few bits at the end of m and adjust until we get a number x such that
x3 + bx + c is square mod p
Friday, October 28, 2011 22

23. Representing plaintext (example)
‣ Let p = 179 and E : y 2 = x3 + 2x + 7
1
‣ If failure rate of 10 then we may take K = 10
2
‣ We need m.K + K < 179 , we need 0 ≤ m ≤ 16
‣ Suppose our message is m = 5. We consider x of the form
m.K + j = 50 + j
‣ The possible choices for x are 50, 51, .., 59. For x = 51 we get
x3 + 2x + 7 ≡ 121(mod 179) 112 = 121(mod 179)
‣ Thus, we represent the message m = 5 by the point (insert encryption process)
Pm = (51, 11)
51
‣ The message m can be recovered by m= 10 =5
Friday, October 28, 2011 23

24. Basic ElGamal
ElGamal Encryption ElGamal Decryption
INPUT: Elliptic curve domain INPUT: Domain parameters,(p, E, P, n)
parameters (p, E, P, n) ,public private key d , ciphertext (C1 , C2 )
key Q , plaintext m
OUTPUT: Plaintext m
OUTPUT: Ciphertext (C1 , C2 )
1. Compute M = C2 − dC1 , and
1.Represent the message m as a extract m from M
point M in E(Fp ) 2. Return( m)
2.Select k ∈R [1, n − 1]
3.Compute C1 = kP
4.Compute C2 = M + kQ
5.Return (C1 , C2 )
Friday, October 28, 2011 24

25. poly_prime = Time of execution: 0.013889 seconds
80000000 3 =====IN send_elgamal=====
NUMBITS = 63 data (in send_gamal function) :
NUMWORD = 1 0 123
setting up curve Base point
x: 2e7cf965 63323eab
the curve after setting up: y: 730a0498 5b456f7d
form: 1 Base curve
a2: 0 2 form: 1
a6: 0 1 a2: 0 2
a6: 0 1
counter = 0
inc = 1 random value:
Base point 52d518f2 9979dd24
x: 2e7cf965 63323eab Random point C1
y: 730a0498 5b456f7d x: 5458cfc 12efc03c
y: 52d6eb3 a6af454b
create side 2's private key counter = 0
inc = 0
Side 2 secret: raw point M (after poly_embed)
10fc68f8 254d4d11 x: 0 123
y: 628f64a8 105671e3
Generate side 2's public key Their_public:
x: 47a20fe7 9afa870f
Side 2 public key y: 3c871ef9 9f291729
x: 47a20fe7 9afa870f hidden point (after poly_elptic_mul)
y: 3c871ef9 9f291729 x: 3e2ca01d e1b52870
data = y: 523fa9bd ab463883
0 123 Hidden data (C2):
x: 23f5fe99 de42125d
Hide data on curve and send from side 1 to side 2 y: 68420248 dfab3f44
Random point (C1):
curve before send_elgamal: x: 5458cfc 12efc03c
form: 1 y: 52d6eb3 a6af454b
a2: 0 2 =====OUT send_elgamal
a6: 0 1
Their_public before send_elgamal:
x: 47a20fe7 9afa870f
y: 3c871ef9 9f291729
Friday, October 28, 2011 25

26. x: 0 123
y: 628f64a8 105671e3
raw_point.x
AFTER send_elgamal 0 123
curve after send_elgamal: raw_data (point):
form: 1 x: bffff5ac bffff5e8
a2: 0 2 y: 8fe018b1 0
a6: 0 1 raw_data (point):
x: 0 123
Hidden data (C2) y: 0 123
x: 23f5fe99 de42125d raw_data (field):
y: 68420248 dfab3f44 bffff5ac bffff5e8
Random point (C1) raw_data (field):
x: 5458cfc 12efc03c 0 123
y: 52d6eb3 a6af454b =====OUT receive elgamal
Recover transmitted message sent data
0 123
IN receive_elgamal received data (field)
Base curve in receive_elgamal 0 123
form: 1
a2: 0 2
a6: 0 1
Hidden_data (in receive_elgamal) :
x: 23f5fe99 de42125d
y: 68420248 dfab3f44
Random point
x: 5458cfc 12efc03c
y: 52d6eb3 a6af454b
hidden_point (d*C1):
x: 3e2ca01d e1b52870
y: 523fa9bd ab463883
raw_point:
Friday, October 28, 2011 26