CRIPTOGRAFIA

MA II - FIB

ECC (Elliptic Curve Cryptography)

Let p be a prime > 3. An elliptic curve over the finite field Fp is a plane curve given by the equation

y 2 = x3 + ax + b,

where a, b are integers modulo p and 4a3 + 27b2 6≡ 0 (mod p), together with a point at infinity O.
The set of points of the curve is

E(Fp ) = {(x, y) | x, y integers modulo p that satisfy the equation } ∪ {O}

In terms of implementation, the point O can be represented with three coordinates, the last of which
being a 0.
In this set, addition is defined using the following condition: the sum of three points is O if and only if
the points lie on a line. More concretely, the sum of points is given in the following way: if P = (x1 , y1 )
is a point of the curve, set −P = (x1 , −y1 mod p). Then,

• P +O=P
• P + (−P ) = O
• if Q = (x2 , y2 ) 6= −P , then P + Q = (x0 , λ(x1 − x0 ) − y1 mod p), where x0 = λ2 − x1 − x2 mod p
and 
(y2 − y1 )(x2 − x1 )−1 mod p si Q 6= P,
λ=
(3x1 + a)(2y1 )−1 mod p
 2
si Q = P.

With this operation, the set of points of the elliptic curve has the structure of an abelian group: the sum
is associative and commutative, has an identity element (namely O) and every element P has an inverse
−P (the inverse of O is itself).
In this group, the exponentiation kP can be done with the algorithm of “successive squares”: first
the binary expression of k is computed, that is, k = br 2r + · · · + b1 2 + b0 , where bi ∈ {0, 1} and br = 1;
then
R ← O, i ← r
while i ≥ 0 do
R←R+R
if bi = 1 do R ← R + P
i←i−1
output R

In the elliptic curves that are used in Cryptography, the group of points E(Fp ) has size 2m n, where n is
a prime number and the cofactor h = 2m has exponent 0 ≤ m ≤ 16. Under these conditions, there is
always a point G of order n, that is, nG = O but all the previous multiples G, 2G, 3G, . . . , (n − 1)G are
6= O.
Given the parameters p, a, b, n, G of a cryptographic system, the private key of a user is a random
integer r, 1 < r < n − 1, and his/her public key is the point P = rG.

1
Diffie-Hellman key exchange. If the private and public keys of a pair of users are (r1 , P1 = r1 G)
and (r2 , P2 = r2 G), then the first user can compute r1 P2 and the second one can compute r2 P1 , so that
both of them are actually computing the same point: r1 r2 G = (x, y)
This can be used to obtain a 256-bit secret key, which they can, for instance, feed to AES:

K = SHA256(s||x)

where s is a random number that they can interchange publicly and || indicates the concatenation of
binary words.

ECDSA (Elliptic Curve Digital Signature Algorithm). With the same parameters p, a, b, n, G
as before, the signature of a message M by the user whose private key is r and whose public key is P
works as follows:

• kG = (x1 , y1 ) with 1 < k < n − 1 random

• f1 = x1 mod n
• f2 = k −1 ( H(M ) + f1 r) mod n
• Send the signature (f1 , f2 )

If f1 = 0 or f2 = 0, one must go back to the first step and generate a new value of k. Notice that if the
prime number p has length `, then the signature has length ≤ 2`.
The receiver verifies the signature in the following way:

• w1 = H(M )f2−1 mod n

• w2 = f1 f2−1 mod n
• w1 G + w2 P = (x0 , y0 )
• Accept if x0 mod n = f1

In this algorithm, H(M ) denotes a hash of the message M . In the implementation we will consider that
that the prime number p has 256 bits and that the hash function is SHA256. In particular, the signature
will be expressed with 64 bytes.

Implementation: signatures. Define the class ecc including the following methods:

public static BigInteger [] invers( BigInteger [] P, BigInteger[] ParametresCorba)

input: P point of the curve given by 3 coordinates (x, y, z), (if z = 0, it’s the point at infinity),
ParametresCorba={a, b, p}, are the parameters of the curve y 2 = x3 + ax + b mod p ;
output: a list {Rx ,Ry ,Rz } representing the inverse of P , R = −P (if Rz = 0, it’s the point at
infinity).

public static BigInteger [] suma( BigInteger [] P, BigInteger [] Q, BigInteger[] ParametresCorba)

input: P and Q points of the curve given by 3 coordinates (x, y, z), (if z = 0, it’s the point at
infinity),
ParametresCorba={a, b, p} are the parameters of the curve y 2 = x3 + ax + b mod p ;
output: a list {Rx ,Ry ,Rz } representing the point R = P +Q (if Rz = 0, it’s the point at infinity).

2
public static BigInteger [] multiple(BigInteger k, BigInteger [] P, BigInteger[] ParametresCorba)

input: k integer,
P point of the curve given by 3 coordinates (x, y, z), (if z = 0, it’s the point at infinity),
ParametresCorba={a, b, p} are the parameters of the curve y 2 = x3 + ax + b mod p ;
output: a list {Rx ,Ry ,Rz } representing the point R = P + · · · + P = k · P (if Rz = 0, it’s the
point at infinity.

public static BigInteger[] clausECC(BigInteger[] parametresECC)

input: parametresECC={n, Gx , Gy , a, b, p}, G = (Gx , Gy ) is a point of order n in the curve

y 2 = x3 + ax + b mod p (obviously, G is not the point at infinity);
output: a list {r, Px , Py }, r is the private key, and (Px , P y) is the point (different from the point
at infinity) that is the public key.

public static BigInteger ECCDHKT(byte[] bytesAleatoris, BigInteger clauPrivadaECC,

BigInteger[] clauPublicaECC, BigInteger[] parametresECC)

input: bytesAleatoris is a list of random bytes,

clauPrivadaECC is an integer,
clauPublicaECC={Px , Py } (different of the point at infinity)
parametresECC={n, Gx , Gy , a, b, p}, G = (Gx , Gy ) is a point of order n of the curve
y 2 = x3 + ax + b mod p (obviously, G is not the point at infinity);
output: a 256-bit secret key to be used in AES: With clauPrivadaECC and clauPublicaECC
a key DH with components (x, y) is computed. The secret key k is given by
k=sha256(bytesAleatoriskx), x in bytes (without two’s complement).

public static byte[] firmarECCDSA(byte[] M, BigInteger clauFirma, BigInteger[] parametresECC)

input: M is an arbitraryly long array of bytes, the message to be signed,

clauFirma is an integer, the privake key of the sender
parametresECC={n, Gx , Gy , a, b, p}, G = (Gx , Gy ) is a point of order n in the curve
y 2 = x3 + ax + b mod p (obviously, G is not the point at infinity);
output: an array of bytes, the signed message; it is the concatenation of the array M with an array
of exactly 64 bytes representing the signature.

public static boolean verificarECCDSA(byte[] MS, BigInteger[] clauVer, BigInteger[] parametresECC)

input: MS is a message (allegedly) signed by the system ECCDSA with parameters

parametresECC using the private key corresponding to the public key clauVer;
output: a boolean indicating whether the signature is authentic or not.