ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic Curve Cryptography: Motivation

 Public key cryptographic algorithms (asymmetric key algorithms) play an important role in providing
security services:
 Key management
 Confidentiality
 User authentication
 Signature
 Public key cryptography systems are constructed by relying on the hardness of mathematical problems
 RSA: based on the integer factorization problem
 DH: based on the discrete logarithm problem
 The main problem of conventional public key cryptography systems
 key size has to be sufficient large in order to meet the high-level security requirement.
 This results in lower speed and consumption of more bandwidth
 Solution: Elliptic Curve Cryptography system
Introduction to Elliptic Curves

 Lets start with a puzzle…

What is the number of balls that may be piled as a square

pyramid and also rearranged into a square array?
Introduction to Elliptic Curves…

 Lets start with a puzzle…

What is the number of balls
that may be piled as a square
pyramid and also rearranged
into a square array?
Introduction to Elliptic Curves…

 What about the figure shown?

 Does it fulfil our requirements?
Introduction to Elliptic Curves…

 What about the figure shown?

 Does it fulfil our
requirements???
 Can you find solutions to this
problem???
Introduction to Elliptic Curves…

 Let x be the height of the pyramid, then the number of

balls in pyramid is,
x( x + 1)(2 x + 1)
12 + 22 + 32 + ... + x 2 =
6
 We also want this to be a square. Hence,
x( x + 1)(2 x + 1)
y =
2

6
Graphical Representation

Y axis

X axis

Curves of this nature

are called ELLIPTIC
CURVES
Method of Diophantus

 Uses a set of known points to produce new points

 (0,0) and (1,1) are two trivial solutions
 Equation of line through these points is y=x.
 Intersecting with the curve and rearranging terms:
3 2 1
x − x + x=0
3

2 2
 What are the roots of this equation???
Method of Diophantus…

 Uses a set of known points to produce new points

 (0,0) and (1,1) are two trivial solutions
 Equation of line through these points is y=x.
 Intersecting with the curve and rearranging terms:
3 2 1
x − x + x=0
3

2 2
 What are the roots of this equation???
 Two trivial roots x=0 and x=1…… But what about third one????
Method of Diophantus…

 We know that, for any numbers a,b,c, we have,

(x-a)(x-b)(x-c) = x3 – (a+b+c)x2 + (ab+bc+ac)x – abc
 Hence, for the equation
3 2 1
x − x + x=0
3

 We have, 2 2
3
a+b+x = 3 → 0+1+x = 2 → x= 1
2 2

▪ Hence, one more point (½ , ½) and because of the symmetry , another (½ , -

½)
Method of Diophantus… : Exercise

 Can you find out another point on curve using Diophantus’s

method ???

Consider two points (½ , -½) and (1,1) and find out another point
on the curve …..
Method of Diophantus… : Exercise solution

 Consider the line through (1/2,-1/2) and (1,1) => y=3x-2

 Intersecting with the curve we have:

51 2
x − x + ... = 0
3

2
 Thus ½ + 1 + x = 51/2 or x = 24 and y=70
 Thus if we have 4900 balls we may arrange them in either way
Weierstrass Equation

 For most situations, an elliptic curve E is the graph of an equation of the form:

y 2 = x3 + Ax + B
where A and B are constants. This refers to the Weierstrass Equation of
Elliptic Curve.
 Here, A, B, x and y all belong to a field of say rational numbers, complex
numbers, finite fields (Fp) or Galois Fields (GF(2n)).
 If K is the field where A,B  K, then we say that the Elliptic Curve E is defined
over K
Points on Elliptic Curve

 If we want to consider points with coordinates in some field L, we write E(L).

By definition, this set always contains the point at infinity O
E ( L) = {O}  {( x, y )  L  L y 2 = x 3 + Ax + B}

What about the roots of these

curves ????

We must have the equation

4A3 + 27B2 ≠0 satisfied

A condition for an Elliptic curve to

be a group !!!!!
Points on Elliptic Curve…
Points on Elliptic Curve…
 Adding points on Elliptic Curve…

y
 Consider elliptic curve
E: y2 = x3 - x + 1
P2  Start with two points : P1(x1,y1) and
P1 P2(x2,y2) on elliptic curve
x  To get a new point P3 ,
 Draw a line L through P1 and P2
P3
 Get the intersection P3’
 Reflect across x-axis to get P3
 We define P1 + P2 = P3
Adding points on Elliptic Curve…

Slope of the line L passing through P1 and P2 is,

 Case 1: P1 ≠ P2 and neither ( y 2 − y1 )
m=
point is O ( x2 − x1 )
For x1  x2 , equation of line L is,
 For x1 ≠ x2
y = m( x − x1 ) + y1
 For x1 = x2 ???? To find intersecti on with E, substitute to get,
 We get P1 + P2 = O ( m( x − x1 ) + y1) 2 = x 3 + Ax + B
Rearrange to form,
0 = x 3 − m 2 x 2 + ...
Given two roots x1 and x2 , third root can be calculated,
( a + b + c ) = m 2  ( x1 + x2 + x) = m 2
 x = m 2 − x1 − x2
and y = m( x − x1 ) + y1
refecting across the x - axis to obtain the point P3 = ( x3 , y3 ) :
x3 = m 2 − x1 − x2 and y3 = m( x1 − x3 ) − y1
Adding points on Elliptic Curve…

 Case II : P1 = P2 =(x1,y1)
 When two points on a curve
are very close to each other,
the line through them
approximates a tangent line.
Therefore, when the two
points coincide, we take the
line L through them to be the
tangent line.
 Implicit differentiation allows
us to find the slope m of L
Adding points on Elliptic Curve…

1 + A
2
 Case II : P1 = P2 =(x1,y1) dy dy 3 x
2 y = 3x + A, so m = =
2

 When two points on a curve are dx dx 2 y1

very close to each other, the line
through them approximates a If y1  0, the equation of L is,
tangent line. Therefore, when y = m( x − x1 ) + y1
the two points coincide, we take
the line L through them to be the We find the cubic equation,
tangent line.
 Implicit differentiation allows us
0 = x 3 − m 2 x 2 + ...
to find the slope m of L This time we know only one root x1 , we obtain :
x3 = m 2 − 2 x1 , y3 = m( x1 - x3 ) - y1
Adding points on Elliptic Curve…

 Case II : P1 = P2 =(x1,y1)
 If y1 = 0
 We get P1 + P2 = O

 Case III: P2 = O
 What about P1 + P2 ????
 Do we get P1 + P2 = P1 ??
 In other words, P1 + O = P1
Group Law

 The addition of points on an elliptic curve E satisfies the following properties:

 (Commutativity) : P1 + P2 = P2 + P1 for all P1, P2 on E

 (Existence of identity) : P + O = P for all P on E
 (Existence of inverses) : Given P on E, there exists P’ on E with P + P’ = O. This point P’
will usually be denoted as –P
 (Associatively) : (P1 + P2)+ P3 = P1 + (P2+ P3 ) for all P1, P2, P3 on E

The points on E form an additive abelian group with O as the identity element.
`
Integer times a point

 Let k be a positive integer and let P be a point on an elliptic curve, then

 kP denotes P + P + · · · + P (with k summands)
 Efficient computation for large k
 Successive doubling method
 For example, to compute 19P, we compute
 2P, 4P = 2P+2P, 8P = 4P+4P, 16P = 8P+8P, 19P = 16P+2P+P.
 But, the only difficulty is....
 The size of the coordinates of the points increases very rapidly if we are working
over the rational numbers
 What about finite fields ????
ELLIPTIC CURVES IN CRYPTOGRAPHY
Elliptic curves in Cryptography

 Elliptic Curve (EC) systems as applied to cryptography were first

proposed in 1985 independently by Neal Koblitz and Victor Miller.
 The discrete logarithm problem on elliptic curve groups
 More difficult than the corresponding problem in (the multiplicative group of
nonzero elements of) the underlying finite field.
Why finite field?

 Elliptic curves over real numbers

 Calculations prove to be slow
 Inaccurate due to rounding error
 Infinite field
 Cryptographic schemes need fast and accurate arithmetic
 In the cryptographic schemes, elliptic curves over two finite fields are
mostly used.
 Prime field Fp , where p is a prime.
 Binary field F2m, where m is a positive integer
Elliptic Curve over finite field F23

 As a very small example, consider an elliptic curve over the field F23. With A = 1 and
B = 0, the elliptic curve equation is y2 = x3 + x.
 The point (9,5) satisfies this equation since:
y2 mod p = x3 + x mod p
25 mod 23 = 729 + 9 mod 23
25 mod 23 = 738 mod 23
2=2
 The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5) (13,18) (15,3) (15,20) (16,8)
(16,15) (17,10) (17,13) (18,10) (18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)
Elliptic Curve over finite field F23…
Elliptic curves over finite fields

x x3+x+1 y Points
 Let us do an exercise....
 Let E be the curve y2 = x3+x+1 over 0 1 ±1 (0,1),(0,4)

F5, find all the points on E 1 3 - -

2 1 ±1 (2,1),(2,4)
Therefore, E(F5) has order 9.
3 1 ±1 (3,1),(3,4)

Can you show that E(F5) is 4 4 ±2 (4,2),(4,3)

cyclic??? What is the O O O

generator??
Elliptic Curve Discrete Logarithm Problem (ECDLP)

If we are working over a large finite field and are given points P and kP, it
is computationally hard to determine the value of k.This is called the
discrete logarithm problem for elliptic curves (ECDLP) and is
the basis for the cryptographic applications.
What Is Elliptic Curve Cryptography (ECC)?

 Elliptic curve cryptography [ECC] is a public-key cryptosystem just like

RSA, El Gamal.
 Every user has a public and a private key.
 Public key is used for encryption/signature verification.
 Private key is used for decryption/signature generation.
 Elliptic curves are used as an extension to other current cryptosystems.
 Elliptic Curve El-Gamal Encryption
 Elliptic Curve Diffie-Hellman Key Exchange
 Elliptic Curve Digital Signature Algorithm
Using Elliptic Curves In Cryptography

 The central part of any cryptosystem involving elliptic curves is the

elliptic group.
 All public-key cryptosystems have some underlying mathematical
operation.
 RSA has exponentiation (raising the message or ciphertext to the public or
private values)
 ECC has point multiplication (repeated addition of two points).
Discrete Logarithm Key pair generation(Classical)

 A key pair is associated with a set of public domain parameters (p, q, g).
Here, p is a prime, and g ∈ [1, p−1] has order q

INPUT: Discrete Log domain parameters (p,q,g).

OUTPUT: Public key y and private key x.
1. Select x ∈𝑅 [1, 𝑞 − 1].
2. Compute y = 𝑔 𝑥 mod 𝑝
3. Return (y,x). (y is public key, x is private key)
Discrete Logarithm Key pair generation(ECC)

 Let E be an elliptic curve defined over a finite field Fp.

 Let P be a point in E(Fp), and suppose that P has prime order n. Then the
cyclic subgroup of E(Fp) generated by P is,
P = {O, P, 2P, 3P, . . ., (n−1)P}.

The public domain parameters A private key is an integer d that is

are : The prime p, the equation of selected uniformly at random from
the elliptic curve E, and the point P the interval [1, n −1], and the
and its order n : (p, E, P, n) corresponding public key is Q = dP.
Elgamal encryption scheme (Classical)

INPUT: DL ⥂ domain parameters (p,q,g), public key y, plaintext m

ElGamal ∈ [0, 𝑝 − 1].
OUTPUT: Ciphertext (c1 ,c2 ).
Encryption 1. Select 𝑘 ∈𝑅 [1, 𝑞 − 1].
2. Compute 𝑐1 = 𝑔𝑘 mod 𝑝
3. Compute 𝑐2 = 𝑚 ⋅ 𝑦 𝑘 mod 𝑝
4. Return (c1 ,c2 ).

ElGamal INPUT : DLdomain parameters (p, q, g), private key x, ciphertext (c1 , c2 ).
OUTPUT : Plaintext m.
Decryption −x
1. Compute m = c2 • c1 mod p.
2.Return (m).
ECC Analog to El Gamal : ECEG

INPUT : Elliptic curve domain parameters (p, E, P, n), public key Q, plaintext m.
OUTPUT : Ciphertext (C1 , C 2 )
1. Represent the message m as a point M in E(Fp )
EC-ElGamal 2. Select k R [1, n − 1].
3.Compute C1 = kP.
Encryption 4. Compute C 2 = M + kQ.
5. Return (C1 , C 2 ).

INPUT : Elliptic curve domain parameters (p, E, P, n), private key d, ciphertext (C1 , C 2 )
EC-ElGamal OUTPUT : Plaintext m.
Decryption 1. Compute M = C2 − dC1 , and extract m from M
2. Return M.
ECC Diffie-Hellman: ECDH
 Public: Elliptic curve and point P=(x,y) on curve
 Secret: Alice’s A and Bob’s B
a(x,y)
b(x,y)

Alice, a Bob, b

• Alice computes a(b(x,y))

• Bob computes b(a(x,y))
• These are the same since ab = ba
ECC Diffie-Hellman: ECDH…

 Public: Curve y2 = x3 + 7x + b (mod 37) and point P=(2,5)

 Alice’s secret: a = 4
 Bob’s secret: b = 7
 Alice sends Bob: 4(2,5) = (7,32)
 Bob sends Alice: 7(2,5) = (18,35)
 Alice computes: 4(18,35) = (22,1)
 Bob computes: 7(7,32) = (22,1)
Why use ECC?

 Criteria to be considered while selecting PKC for application

 Functionality: Does the public-key family provide the desired capabilities?
 Security: What assurances are available that the protocols are secure?
 Performance: For the desired level of security, do the protocols meet
performance objectives?
 Also some misc. factors such as existence of best-practice standards
developed by accredited standards organizations, the availability of
commercial cryptographic products, and patent coverage.
Why use ECC?...

 The RSA, DL and EC families all provide the basic functionality expected of
public-key cryptography
 But…… How do we analyze these Cryptosystems?
 How difficult is the underlying problem that it is based upon
 RSA – Integer Factorization
 DH – Discrete Logarithms
 ECC - Elliptic Curve Discrete Logarithm problem
Why use ECC?…

 How do we measure difficulty?

 We examine the algorithms used to solve these problems
 Integer factorization
 Number Field Sieve (NFS) : Sub exponential running time
 Discrete Logarithm
 Number Field Sieve (NFS) : Sub exponential running time
 Pollard’s rho algorithm
 Elliptic Curve Discrete Logarithm Problem(ECDLP)
 Pollard’s rho algorithm : Fully exponential running time
Why use ECC?...

 To protect a 128 bit AES key it

would take a:
 RSA Key Size: 3072 bits
 ECC Key Size: 256 bits

 How do we strengthen RSA?

 Increase the key length

 Impractical?
Applications of ECC

 Many devices are small and have limited storage and

computational power
 Where can we apply ECC?
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the power, storage
and computational power that is necessary for our current
cryptosystems
Tutorial I : Elliptic curves over real numbers

1. Does the elliptic curve equation y2 = x3 - 7x - 6 over real numbers define a group?
2. What is the additive identity of regular integers?
3. Is (4,7) a point on the elliptic curve y2 = x3 - 5x + 5 over real numbers?
4. What are the negatives of the following elliptic curve points over real numbers?
P(-4,-6), Q(17,0), R(3,9), S(0,-4)
5. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is P
+ Q if P = (0,-4) and Q = (1,0)?
6. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is
2P if P = (4, 3.464)?
Tutorial II : Elliptic curves over real numbers

Consider the curve y2 = x3 + 5x -7

Answer the following for the above curve :

1. Does the curve form group ?
2. Consider the point P(1.1, 0) on curve. Find the points 2P,
3P, 4P, 5P, 6P and 7P on curve.
Tutorial IV : Elliptic curve over finite fields

1. Does the elliptic curve equation y2 = x3 + 10x + 5 define a group over F17?
2. Do the points P(2,0) and Q(6,3) lie on the elliptic curve y2 = x3 + x + 7 over F17?
3. What are the negatives of the following elliptic curve points over F 17?
P(5,8) Q(3,0) R(0,6)
4. In the elliptic curve group defined by y2 = x3 + x + 7 over F17, what is P + Q if P =
(2,0) and Q = (1,3)?
5. In the elliptic curve group defined by y2 = x3 + x + 7 over F17,
what is 2P if P = (1, 3)?
key references

 Elliptic Curves: Number Theory and Cryptography, by Lawrence C.

Washington
 Guide to Elliptic Curve Cryptography, Alfred J. Menezes
 Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes and A.
Vanstone
 For Tutorials: www.certicom.com