Elliptic Curve Cryptography
based on Chapter 16 of Trappe & Washington

$p^k$.
There are a lot more elliptic curves than $\mathbb{Z}_{p^k}$'s.
You can build cryptosystems based on E.C.s that require much
smaller key length (e.g., 4096 bits vs. 313 bits) for similar security.
They played a key role in Wiles' solution of the Fermat's Last
Theorem problem and the solution of the Taniyama-Shimura
conjecture.
CIS 428/628 Intro. to Cryptography, Elliptic Curve Cryptography, April 11, 2011, 3 / 16
Elliptic Curves: Addition Rules
Addition Rules (Geometric)
- The curves always include a point at $\infty$, where $\infty = -\infty$.
- The curves are really on a torus/doughnut.
- The curves are symmetric around the x-axis.
- $P_1 + P_2 = P_3$:
  Draw a line through $P_1$ and $P_2$. (If $P_1 = P_2$, use the tangent line.)
  The line hits the curve at a unique third point $Q$.
  Let $P_3$ be the point symmetric to $Q$ on the other side of the x-axis.
- Note: $P_1 + \infty = P_1$. ($\infty$ acts like 0.)
- Fact: $P + Q + R = \infty$ iff $P$, $Q$, and $R$ are co-linear.
- The addition rules don't work for E.C.s with double roots.
See the pictures on the board.
Elliptic Curves: Addition Rules, Continued
Addition Rules (Algebraic)
Suppose
$E : Y^2 = X^3 + aX + b$, $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$.
Then $P_1 + P_2 = P_3 = (x_3, y_3)$ where
$x_3 = m^2 - x_1 - x_2$
$y_3 = m(x_1 - x_3) - y_1$
$m = (y_2 - y_1)/(x_2 - x_1)$ if $P_1 \neq P_2$, and $m = (3x_1^2 + a)/(2y_1)$ if $P_1 = P_2$.
(If $m = \infty$, then $P_3 = \infty$.)
Facts: $(P + Q) + R = P + (Q + R)$ and $P + Q = Q + P$.
Elliptic Curves Mod n, Part I
Example
Consider:
$E : y^2 \equiv x^3 + 2x + 3 \pmod 5$.
$E = \{(x, y) \in (\mathbb{Z}_5 \times \mathbb{Z}_5) \cup \{(\infty, \infty)\} \mid y^2 \equiv x^3 + 2x + 3 \pmod 5\}$
$= \{(1, 1), (1, 4), (2, 0), (3, 1), (3, 4), (4, 0), (\infty, \infty)\}$
Point Arithmetic: $(1, 4) + (3, 1) = ?$
Since $(1, 4) \neq (3, 1)$,
$m \equiv \dfrac{y_2 - y_1}{x_2 - x_1} \equiv \dfrac{1 - 4}{3 - 1} \equiv \dfrac{2}{2} \equiv 1 \pmod 5$.
$x_3 \equiv m^2 - x_1 - x_2 \equiv 1^2 - 1 - 3 \equiv 2 \pmod 5$.
$y_3 \equiv m(x_1 - x_3) - y_1 \equiv 1 \cdot (1 - 2) - 4 \equiv 0 \pmod 5$.
$(1, 4) + (3, 1) = (2, 0)$.
Elliptic Curves Mod n, Part II
How many points are there on a curve mod m?
Theorem (Hasse's Theorem)
Let $\mathbb{F}_q$ be a finite field with $q$ elements. (E.g., $\mathbb{F}_q = \mathbb{Z}_q$ where $q$ is a prime.)
Suppose $E$ over $\mathbb{F}_q$ has $N$ points. Then:
$|N - q - 1| < 2\sqrt{q}$
which means
$(q + 1) - 2\sqrt{q} < N < (q + 1) + 2\sqrt{q}$
which in turn means there are enough to make trouble.
Schoof's Algorithm
Given an E.C. $E$ over $\mathbb{F}_q$, one can find $|E|$ in $O((\log_2 q)^8)$ time.
(There are faster algs for special cases.)
Elliptic Curves Mod N, Part III
The Classical Discrete Log Problem
Given: $\alpha$, $\beta$, and $p$ with $\beta \equiv \alpha^k \pmod p$. Find: $k$.
The Discrete Log Problem for Elliptic Curves mod m
Given: $A$ & $B$ are points on $E \pmod p$ with $B = kA$. Find: $k$.
$kA \stackrel{\text{def}}{=} \underbrace{A + \cdots + A}_{k \text{ many}}$ in $\mathbb{F}_q$.
(The analogy: $\cdot$ is to $\mathbb{Z}_p$ as $+$ is to E.C.s $\pmod p$.)
State of Play: The known algorithms for solving the E.C. discrete log
problem are even worse than the ones for the classical problem.
(Good news for Crypto.)
Factoring and Primality Testing with E.C.s
See text.
RECALL: Quadratic Residues
We want to solve equations like:
$x^2 \equiv b \pmod n$
There may not be a solution. E.g., $x^2 \equiv 3 \pmod 5$.
Definition
Suppose $a \in \mathbb{Z}_p^*$, where $p$ is a prime.
We say that $a$ is a quadratic residue mod $p$ (written $a \in QR(p)$) when
$x^2 \equiv a \pmod p$ has a solution; otherwise we say that $a$ is a nonresidue.
Fact: $|\{x \in \mathbb{Z}_p^* \mid x \text{ is a quad. res.}\}| = \dfrac{p-1}{2}$.
RECALL: Euler's Criterion
Theorem
Suppose $a \in \mathbb{Z}_p^*$ where $p$ is prime.
$a$ is a quadratic residue mod $p$ iff $a^{(p-1)/2} \equiv 1 \pmod p$.
Proposition
Suppose $p$ is a prime and $p \equiv 3 \pmod 4$.
Let $y \in \mathbb{Z}_p^*$ and $x \equiv y^{(p+1)/4} \pmod p$.
Then either
$y$ is a quadratic residue with roots $\pm x$, or
$-y$ is a quadratic residue with roots $\pm x$.
Representing Plaintext on E.C.s
Finding points on a given E.C.
There is no known deterministic poly-time algorithm for this.
However, there are reasonably fast probabilistic methods
(that have a certain probability of failure).
Koblitz's Method
All of the following will be public.
Suppose $p$ is a prime with $p \equiv 3 \pmod 4$ (Why?)
and that $E : y^2 = x^3 + ax + b$ is the E.C. in question.
Pick $K$ so that $1/2^K$ (the failure bound) is tolerably small.
Messages will be $m \in \mathbb{Z}_p$ with $m < \dfrac{p - K}{K}$. Let $m$ be a message.
For $j = 0, \ldots, K - 1$:
  Set $x_j = mK + j$, $w_j = x_j^3 + a x_j + b$, and $z_j = w_j^{\frac{p+1}{4}} \pmod p$.
  If $z_j^2 \equiv w_j$, then $(x_j, z_j)$ is the point on $E$ that will encode $m$.
  Else we have $z_j^2 \equiv -w_j$ (Why?) and we keep on.
If no $j$ works, report failure. Prob. of failure $\approx 2^{-K}$. (Why?)
If $(x, y)$ on $E$ encodes a message $m$, then $m = \lfloor x/K \rfloor$.
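As an added example (my code, not the slides' or the textbook's), the following Python puts slides 7, 9, 10 and 12 together: Euler's criterion, the $y^{(p+1)/4}$ square root for $p \equiv 3 \pmod 4$ with both branches of the proposition, a brute-force point count checked against Hasse's bound, and Koblitz's encoding with its failure case. The curve $y^2 = x^3 + x + 6 \pmod{11}$, the slide-6 curve mod 5, and $K = 2$ are constructed toy parameters chosen so that every branch (including failure, which happens with probability about $2^{-K}$) is exercised; a real deployment takes $K$ large enough that $2^{-K}$ is negligible.

```python
# Added example (not from the slides): Euler's criterion, the p = 3 (mod 4)
# square root, point counting against Hasse's bound, and Koblitz encoding.
# p = 11, curve y^2 = x^3 + x + 6, K = 2 are constructed toy values chosen so
# the failure branch is visible; they are not recommended settings.
import math


def is_qr(a, p):
    """Euler's criterion: a in Z_p^* is a quadratic residue iff a^((p-1)/2) = 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_3mod4(y, p):
    """For p = 3 (mod 4): x = y^((p+1)/4) (mod p).
    Returns (x, True) if x^2 = y (y is a QR with roots +-x) and
    (x, False) if x^2 = -y (then -y is the QR with roots +-x)."""
    assert p % 4 == 3, "the shortcut needs p = 3 (mod 4)"
    x = pow(y % p, (p + 1) // 4, p)
    return x, (x * x - y) % p == 0


def count_points(a, b, p):
    """|E| for y^2 = x^3 + a x + b (mod p) by brute force: each x contributes
    0, 1 or 2 points as x^3 + a x + b is a nonresidue, zero or a residue,
    plus the point at infinity."""
    total = 1
    for x in range(p):
        w = (x ** 3 + a * x + b) % p
        if w == 0:
            total += 1
        elif is_qr(w, p):
            total += 2
    return total


def hasse_ok(n_points, q):
    """Hasse's bound: |N - q - 1| < 2 sqrt(q)."""
    return abs(n_points - q - 1) < 2 * math.sqrt(q)


def koblitz_encode(m, K, a, b, p):
    """Try x_j = m*K + j for j = 0..K-1; return (x_j, z_j) on E, or None on failure."""
    assert p % 4 == 3 and 0 <= m < (p - K) / K, "message out of range"
    for j in range(K):
        x = m * K + j
        w = (x ** 3 + a * x + b) % p
        z, is_root = sqrt_3mod4(w, p)
        if is_root:            # z^2 = w, so (x, z) lies on E
            return (x, z)
        # otherwise z^2 = -w (mod p): w is a nonresidue, try the next j
    return None


def koblitz_decode(point, K):
    """Recover m = floor(x / K) from the point's x-coordinate."""
    return point[0] // K


if __name__ == "__main__":
    print(count_points(2, 3, 5), hasse_ok(count_points(2, 3, 5), 5))      # 7 True
    print(count_points(1, 6, 11), hasse_ok(count_points(1, 6, 11), 11))   # 13 True
    for m in range(5):                       # m < (11 - 2) / 2 = 4.5
        pt = koblitz_encode(m, 2, 1, 6, 11)
        print(m, pt, None if pt is None else koblitz_decode(pt, 2))
```

Note that `sqrt_3mod4(8, 11)` returns `(6, False)`: $6^2 = 36 \equiv 3 \equiv -8 \pmod{11}$, which is exactly the "else $z_j^2 \equiv -w_j$" branch of the method, and `koblitz_encode(0, 2, 1, 6, 11)` hits that branch for both $j$ and reports failure.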
The El Gamal Cryptosystem for E.C.s
Classical:
  Bob chooses $p$ prime, $\alpha \in \mathbb{Z}_p^*$, $a \in \mathbb{Z}$, and $\beta \equiv \alpha^a \pmod p$.
  Public: $p$, $\alpha$, $\beta$. Private: $a$.
  Alice, with message $x$, chooses $k \in_{\text{ran}} \mathbb{Z}_{p-1}$ and computes
    $y_1 \equiv \alpha^k \pmod p$,
    $y_2 \equiv x \beta^k \pmod p$.
  Bob computes: $x \equiv y_2 \cdot y_1^{-a} \pmod p$.
Elliptic Curve:
  Bob chooses $E \pmod p$ with $p$ prime, $\alpha \in E$, $a \in \mathbb{Z}$, and $\beta = a\alpha$.
  Public: $E$, $|E|$, $\alpha$, $\beta$. Private: $a$.
  Alice, with message $m \mapsto P \in E$, chooses $k \in_{\text{ran}} \mathbb{Z}_{|E|-1}$ and computes
    $y_1 = k\alpha$,
    $y_2 = P + k\beta$.
  Bob computes: $P = y_2 - a y_1$ and extracts $m$ from $P$.
Diffie-Hellman on Elliptic Curves
Setup: $E : y^2 \equiv x^3 + ax + b \pmod p$ with $e$ points. Public.
$G$, a point on $E$. Public.
Alice chooses $n_a \in_{\text{ran}} \mathbb{Z}_{e-1}$. Private.
  Sends $n_a G$ to Bob.
Bob chooses $n_b \in_{\text{ran}} \mathbb{Z}_{e-1}$. Private.
  Sends $n_b G$ to Alice.
Alice computes $K_{ab} = n_a (n_b G) = n_a n_b G$.
Bob computes $K_{ab} = n_b (n_a G) = n_a n_b G$.
El Gamal Signatures on E.C.s
Alice's Setup
  Chooses an E.C. $E \pmod p$, where $p$ is a prime. (public)
  Chooses $A$, a point on $E$. (public)
  Computes $n$, the number of points on $E$. (public)
  Assume $n >$ any message.
  Chooses $a \in \mathbb{N}$. (private)
  Computes $B = aA$. (public)
Alice signs $m$:
  Chooses $k \in_{\text{ran}} \mathbb{Z}_n^*$.
  Computes $R = kA = (x, y)$.
  Computes $s \equiv k^{-1}(m - ax) \pmod n$.
  Sends $(m, R, s)$.
more. . .
El Gamal Signatures on E.C.s, Continued
Bob wants to verify $(m, R, s)$:
  Obtains $p$, $E$, $n$, $A$, and $B$.   (recall $B = aA$)
  Computes $V_1 = xB + sR$.   (recall $R = kA = (x, y)$)
  Computes $V_2 = mA$.   (recall $s \equiv k^{-1}(m - ax) \pmod n$)
  Checks if $V_1 = V_2$.
Why does this work?
$V_1 = xB + sR$
$= xaA + k^{-1}(m - ax)(kA)$
$= xaA + (m - ax)A$
$= xaA + mA - axA$
$= mA$
$= V_2$.
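To tie the formulas of slides 5 and 6 to the protocols of slides 13 through 16, here is an added Python example (my code, not the course's or the textbook's): affine point addition and double-and-add scalar multiplication over $\mathbb{Z}_p$, then EC Diffie-Hellman, EC ElGamal encryption/decryption and the EC ElGamal signature with its verification. The curve $y^2 = x^3 + x + 6 \pmod{11}$ with $n = 13$ points, the message point $(10, 9)$, and the fixed secrets and nonces are constructed toy values so the run is repeatable; in real use every $k$ is a fresh secret random value and the curve is of cryptographic size. The verification step relies on $nA = \infty$ (which is why $n$ is the number of points), and the example checks that identity directly.

```python
# Added example (not from the slides): slide-5 affine addition over Z_p, then
# the protocols of slides 13-16 on top of it.  INF is the point at infinity.
# Curve y^2 = x^3 + x + 6 (mod 11) with n = 13 points, and all secrets and
# nonces below, are constructed toy values so the run is repeatable.
INF = None


def ec_add(P, Q, a, p):
    """P + Q on y^2 = x^3 + a*x + b (mod p); b is not needed by the formulas."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                     # vertical line: m = infinity, so P3 = infinity
    if P == Q:
        m = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_neg(P, p):
    """-P is the mirror image of P across the x-axis."""
    return INF if P is INF else (P[0], (-P[1]) % p)


def ec_mul(k, P, a, p):
    """k*P = P + ... + P (k copies), computed by double-and-add."""
    R = INF
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


# Slide 14: Diffie-Hellman on E.  Each side only ever sees the other's n*G.
def ecdh(n_a, n_b, G, a, p):
    """Returns (Alice's key, Bob's key); they agree because n_a(n_b G) = n_b(n_a G)."""
    from_bob, from_alice = ec_mul(n_b, G, a, p), ec_mul(n_a, G, a, p)
    return ec_mul(n_a, from_bob, a, p), ec_mul(n_b, from_alice, a, p)


# Slide 13: ElGamal encryption on E (beta = priv*alpha is Bob's public key).
def elgamal_encrypt(P, k, alpha, beta, a, p):
    """Alice: y1 = k*alpha, y2 = P + k*beta."""
    return ec_mul(k, alpha, a, p), ec_add(P, ec_mul(k, beta, a, p), a, p)


def elgamal_decrypt(y1, y2, priv, a, p):
    """Bob: P = y2 - priv*y1."""
    return ec_add(y2, ec_neg(ec_mul(priv, y1, a, p), p), a, p)


# Slides 15-16: ElGamal signature on E.  n is the number of points, so n*A = INF,
# which is what makes scalar arithmetic mod n legitimate.
def ecelgamal_sign(m, k, priv, A, n, a, p):
    """R = k*A = (x, y); s = k^-1 (m - priv*x) (mod n); the signature is (R, s)."""
    R = ec_mul(k, A, a, p)
    s = pow(k, -1, n) * (m - priv * R[0]) % n
    return R, s


def ecelgamal_verify(m, R, s, A, B, a, p):
    """Accept iff V1 = x*B + s*R equals V2 = m*A."""
    V1 = ec_add(ec_mul(R[0], B, a, p), ec_mul(s, R, a, p), a, p)
    return V1 == ec_mul(m, A, a, p)


if __name__ == "__main__":
    print(ec_add((1, 4), (3, 1), 2, 5))          # slide-6 worked example: (2, 0)
    a, p, n, A = 1, 11, 13, (2, 4)
    print(ec_mul(n, A, a, p))                     # None, i.e. n*A = infinity
    print(ecdh(4, 7, A, a, p))                    # both entries equal
    priv, B = 3, ec_mul(3, A, a, p)
    y1, y2 = elgamal_encrypt((10, 9), 5, A, B, a, p)
    print(elgamal_decrypt(y1, y2, priv, a, p))    # (10, 9)
    R, s = ecelgamal_sign(7, 5, priv, A, n, a, p)
    print(ecelgamal_verify(7, R, s, A, B, a, p),  # True
          ecelgamal_verify(6, R, s, A, B, a, p))  # False: message altered
```

Running it reproduces the slide-6 sum $(1, 4) + (3, 1) = (2, 0)$ on the mod-5 curve, and on the mod-11 curve shows $13A = \infty$, the two Diffie-Hellman sides agreeing, a message point surviving encryption and decryption, and a signature that verifies for the signed message and fails once the message is changed.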