2010-01-1.report
advertisement
Project in Computer Security 236349
Mar. 2011
General Attacks on Elliptic Curve Based
Cryptosystems
Final Report
By Roi Avgil & Yael Peled
Instructor: Barukh Ziv
Introduction to elliptic curves (EC)
An elliptic curve E over a prime field ℤ𝑝 for p>3 is an
equation E: 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 where 𝑎, 𝑏 ∈ ℤ𝑝 and Δ = −16(4𝑎3 + 27𝑏 2 ) ≠ 0.
A solution of E over ℤ𝑝 is a pair (𝑥, 𝑦) ∈ ℤ𝑝 × ℤ𝑝 where x and y
satisfy the equation.
𝐸(ℤ𝑝 ) is the set of all solutions of E over ℤ𝑝 along with the
point in infinity which is denoted ∞.
If we define a binary operation + on the set 𝐸(ℤ𝑝 ) by:
o (𝑥, 𝑦) + ∞ = ∞ + (𝑥, 𝑦) = (𝑥, 𝑦)
o (𝑥, 𝑦) + (𝑥, −𝑦) = ∞
3𝑥 2 +𝑎
o (𝑥, 𝑦) + (𝑥, 𝑦) = ((
⏟
2𝑦
2
3𝑥 2 +𝑎
) − 2𝑥 , (
2𝑦
) (𝑥 − 𝑥 ′ ) − 𝑦) (doubling)
𝑥′
2
𝑦 −𝑦
𝑦 −𝑦
o (𝑥1 , 𝑦1 ) + (𝑥2 , 𝑦2 ) = ((𝑥2 −𝑥1 ) − 𝑥2 − 𝑥1 , (𝑥2−𝑥1 ) (𝑥1 − 𝑥 ′ ) − 𝑦1 )
⏟2 1
2
1
𝑥′
where 𝑥1 ≠ 𝑥2 or 𝑦1 ≠ ±𝑦2
Then (𝐸(ℤ𝑝 ), +) is an abelian group with ∞ as its identity.
In particular- the opposite of a solution (𝑥, 𝑦) is (𝑥, −𝑦), which
is also a solution, and the result of adding two solutions is
also a solution.
For 𝑘 ∈ ℕ and 𝑃 ∈ 𝐸(ℤ𝑝 ) we denote 𝑘𝑃 = ⏟
𝑃 + ⋯ + 𝑃, and 0𝑃 = ∞.
𝑘 𝑡𝑖𝑚𝑒𝑠
1
Project in Computer Security 236349
Mar. 2011
The addition of two different non-infinity points can be
thought of geometrically as passing a chord between them, and
taking the opposite point to the (new) intersection of the
chord and the curve, which is demonstrated graphically as:
If the points are opposites, the new intersection is at ∞.
The addition of a non-infinity point to itself can be thought
of geometrically as passing a tangent to the curve at the
point, and taking the opposite point to the (new) intersection
of the tangent and the curve, which is demonstrated
graphically as:
The condition Δ ≠ 0 guarantees that the curve is "smooth" and
does not have more than one tangent in each point.
2
Project in Computer Security 236349
Mar. 2011
Goals and targets
Learn the principle theory of elliptic curve cryptography.
Implement the arithmetic of elliptic curve groups.
Study and implement general-purpose attacks on elliptic curve
based cryptosystems, focusing on the Pollard’s rho and PohligHellman algorithms for solving the ECDLP.
Understand the influence of elliptic curve parameters on the
strength of an elliptic curve based cryptosystem, in terms of
attack complexity.
Demonstrate how careless selection of elliptic curve
parameters allows to attack the cryptosystem efficiently
Setup choices
The elliptic curves used were over a field ℤ𝑝 for p>3.
We used both Affine and Jacobean projective coordinates to
represent points on a curve, to speed up calculations.
The project was written in C++ and designed to run on Windows.
We used the NTL library for managing large integer numbers,
modular calculus in ℤ𝑝 and testing for primality.
Why use elliptic curve cryptography (ECC)?
With the algorithms known today, the number of bits required
to obtain a certain level of security with elliptic curve
cryptography is twice that required by a symmetric cipher.
In other public key schemes, the number of required bits can
get as high as 60 times that required by a symmetric cipher.
This difference is especially noticed in high security levels.
This means that, for the same level of security, fewer bits
can be used- thus making calculations faster and allowing more
efficient encryption, decryption, key generation, etc.
3
Project in Computer Security 236349
Mar. 2011
The ECDLP
The elliptic curve discrete logarithm problem:
Given a point 𝑃 ∈ 𝐸(ℤ𝑝 ) of order 𝑛, and a point 𝑄 ∈ ⟨𝑃⟩ ⊆ 𝐸(ℤ𝑝 ),
find the unique 𝑘 ∈ {0, … , 𝑛 − 1} such that 𝑄 = 𝑘𝑃.
The integer 𝑘 is called the discrete logarithm of 𝑸 to the
base 𝑷, and is denoted 𝑙𝑜𝑔𝑃 𝑄.
The hardness of this problem is the base of elliptic curve
based cryptographic schemes.
The best general-purpose attack on the ECDLP known today is
the combination of the Pohlig-Hellman algorithm with Pollard's
Rho algorithm, which (if parameters are chosen carefully) has
a fully exponential average running time of 𝑂(√𝑞), where 𝑞 is
the largest prime factor of 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃).
An example of an EC based cryptographic system
Uses the El-Gamal public key cryptography scheme.
Each message is associated with a point on the curve.
System parameters:
o An elliptic curve E over a prime field ℤ𝑝 .
o A point 𝑃 ∈ 𝐸(ℤ𝑝 ) of order 𝑛.
Key generation:
o The key owner choose a random integer 𝑘 ∈ {0, … , 𝑛 − 1}.
o The private key is (𝑃, 𝑘) and the public key is (𝑃, 𝑘𝑃).
Encryption:
o The sender chooses a random integer 𝑠 ∈ {0, … , 𝑛 − 1}.
o The encryption of the plaintext M is (𝐶, 𝑄) = (𝑀 + 𝑠(𝑘𝑃), 𝑠𝑃).
Decryption:
o The recipient, who knows 𝑘, calculates:
𝐶 − 𝑘𝑄 = 𝑀 + 𝑠(𝑘𝑃) − 𝑘(𝑠𝑃) = 𝑀 + 𝑠(𝑘𝑃) − 𝑠(𝑘𝑃) = 𝑀
4
Project in Computer Security 236349
Mar. 2011
Point Representation
Affine coordinates- the standard representation as ∞ or a pair
(𝑥, 𝑦) ∈ ℤ𝑝 × ℤ𝑝 where 𝑥, 𝑦 solve the elliptic curve's equation.
Jacobean projective coordinates3
o Each point is represented by a nonzero triple (𝑋, 𝑌, 𝑍) ∈ (ℤ𝑝 ) .
o Two representations (𝑋, 𝑌, 𝑍), (𝑋̃, 𝑌̃, 𝑍̃) are equivalent if
and
𝑌
𝑍3
𝑋
𝑍2
𝑌̃
𝑋̃
= 𝑍̃ 2
𝑋
𝑌
= 𝑍̃ 3, and both correspond to the Affine point (𝑍 2 , 𝑍 3).
o In particular- (𝑥, 𝑦, 1) corresponds to (𝑥, 𝑦) and (1,1,0) to ∞.
o Each "point" in Jacobean coordinates is actually an
equivalence class of representations corresponding to the
same affine point.
The choice of representation has an effect on the number of
field operations required to perform an operation on elliptic
curve group points.
The most substantial field operations, in terms of execution
time, are field multiplication, squaring and inversion.
It is summarized in the following table:
Doubling
Addition
Conversion
2AA
I+2M+2S
A+AA
I+2M+S
AJ
-
2JJ
4M+6S
J+JJ
12M+4S
JA
I+3M+S
J+AJ
8M+3S
A – Affine coordinates , J – Jacobean coordinates
M – Multiplication , S - Squaring , I – inversion
We implemented all operations for both representations.
We chose the best representation for every operation, i.e.
Jacobean for doubling and mixed coordinates for addition,
unless it demanded conversions which made it unattractive.
We tried to avoid the need for such conversion, but in some
cases a few inversions were worth having a better
representation for an operation which is repeated many times.
5
Project in Computer Security 236349
Mar. 2011
Non Adjacent Form (NAF) and Point Multiplication
Every positive integer 𝑚 has a unique representation
𝑖
𝑚 = ∑𝑙−1
𝑖=0 𝑚𝑖 2 , for some 𝑙 > 0, where:
o 𝑚𝑖 ∈ {−1,0,1}
o 𝑚𝑙−1 ≠ 0
o No two consecutive digits 𝑚𝑖 , 𝑚𝑖+1 are nonzero
This representation is called the NAF of 𝑚 and denoted 𝑁𝐴𝐹(𝑚).
𝑁𝐴𝐹(𝑚) can be efficiently computed in 𝑂(log(𝑚)).
𝑁𝐴𝐹(𝑚) is at most one digit longer then the binary
representation of 𝑚.
𝑁𝐴𝐹(𝑚) has the fewest nonzero digits of any signed digit
representation of 𝑚.
left-to-right (LTOR) binary method point multiplication:
𝑖
o 𝑚 = ∑𝑙−1
𝑖=0 𝑚𝑖 2 is given in binary representation.
o A point 𝑃 is given, and we want to calculate 𝑚𝑃.
o 𝑄=∞
o For 𝑖 = 𝑙 − 1, … ,0:
𝑄 = 2𝑄
If 𝑚𝑖 = 1 then 𝑄 = 𝑄 + 𝑃
o Return 𝑄
LTOR NAF method point multiplication:
𝑖
o 𝑚 = ∑𝑙−1
𝑖=0 𝑚𝑖 2 is given in NAF form.
o A point 𝑃 is given, and we want to calculate 𝑚𝑃.
o 𝑄=∞
o For 𝑖 = 𝑙 − 1, … ,0:
𝑄 = 2𝑄
If 𝑚𝑖 = 1 then 𝑄 = 𝑄 + 𝑃
If 𝑚𝑖 = −1 then 𝑄 = 𝑄 − 𝑃
o Return 𝑄
Notice that subtracting 𝑃 is equivalent to adding – 𝑃, which is
obtained easily (and efficiently), in both affine and Jacobean
coordinates, by negating the y coordinate in the field.
In LTOR point multiplication, a point doubling occurs every
iteration, and a point addition occurs once for every nonzero
digit of 𝑚. The number of iterations is 𝑙 = 𝑂(log(𝑚)).
The average number of nonzero digits among all NAFs of length 𝑙
is 𝑙/3, while in binary form it is 𝑙/2.
This means that the expected number of group additions for
calculating 𝑚𝑃 when m is given in its NAF form is
log(𝑚)
log(𝑚)
3
,
instead of
when m is given in binary representation.
2
The expected number of multiplications is about log(𝑚) for both.
6
Project in Computer Security 236349
Mar. 2011
We chose LTOR multiplication over RTOL, since it allowed us to
use mixed addition between the constant point 𝑃, normally
given in affine coordinates, and the changing point 𝑄, which
is doubled in every iteration, and which we chose to represent
in Jacobean coordinates.
The result of mixed-coordinates addition is returned in
Jacobean coordinates, which also fits well with this choice.
Using RTOL multiplication would require either using a uniform
representation for all points, or many conversions from
Jacobean coordinates to affine coordinates.
We have implemented the algorithm for finding the NAF form of
a positive integer, and used NAF LTOR multiplication.
Isomorphism
If the parameter 𝑎 ∈ ℤ𝑝 in the equation that defines the
elliptic curve satisfies 𝑎 ≡ −3 (𝑚𝑜𝑑 𝑝), an expression- 3𝑋 2 + 𝑎𝑍 4 ,
which appears in the process of point doubling in Jacobean
coordinates, can be written as 3𝑋 2 − 3𝑍 4 = 3(𝑋 + 𝑍 2 )(𝑋 − 𝑍 2 ), thus
requiring one field squaring to calculate instead of three.
Using this property, point doubling in Jacobean coordinates
can be performed using four field multiplications and four
field squaring- giving an improvement of approximately 20% in
point doubling, in the case where 𝑎 ≡ −3.
For 𝑝 > 3, if there exists 𝑢 ∈ ℤ𝑝 \{0} such that 𝑢4 ≡ 𝑎(−3)−1 (𝑚𝑜𝑑 𝑝),
then the change of variables (𝑥, 𝑦) ⟼ (𝑢2 𝑥, 𝑢3 𝑦) transforms the EC
𝐸1 : 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 to 𝐸2 : 𝑦 2 = 𝑥 3 − 3𝑥 + 𝑢−6 𝑏.
In this case- 𝜑: 𝐸1 (ℤ𝑝 ) → 𝐸2 (ℤ𝑝 ) defined by 𝜑(∞) = ∞ and
𝜑(𝑥, 𝑦) = (𝑢−2 𝑥, 𝑢−3 𝑦) is well defined and is a group isomorphism.
Given 𝑃 ∈ 𝐸1 (ℤ𝑝 ) of order 𝑛 and 𝑄 ∈ ⟨𝑃⟩, the order of 𝜑(𝑃) is also
n, and if 𝑄 = 𝑘𝑃 then 𝑘𝜑(𝑃) = 𝜑(𝑘𝑃) = 𝜑(𝑄) (see Appendix A).
This means that ECDLP(𝜑(𝑃), 𝑛, 𝜑(𝑄)) can be solved in 𝐸2 (ℤ𝑝 ) using
𝑎 = −3, instead of solving ECDLP(𝑃, 𝑛, 𝑄).
We have added checks to see if these conditions apply, and
find 𝑢 - using Legendre symbol to check if an element in ℤ𝑝 is
a QR, and an NTL function to find square roots in ℤ𝑝 .
If 𝑢 was found, we applied the isomorphism it defines on 𝑃, 𝑄
and the curve, and solved the equivalent problem with improved
point doubling- as described above.
7
Project in Computer Security 236349
Mar. 2011
Pollard's Rho Algorithm for solving the ECDLP
Suitable when 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃) is prime.
The goal is to find two distinct pairs (𝑐, 𝑑) ≠ (𝑐 ′ , 𝑑′) in ℤ𝑝 × ℤ𝑝
such that 𝑐𝑃 + 𝑑𝑄 = 𝑐 ′ 𝑃 + 𝑑′𝑄, and then (𝑐 − 𝑐′)𝑃 = (𝑑 ′ − 𝑑)𝑄 = (𝑑 ′ − 𝑑)𝑘𝑃.
This implies by looking at both sides of the equation in ⟨𝑃⟩
that (𝑐 − 𝑐′) = (𝑑′ − 𝑑)𝑘 (𝑚𝑜𝑑 𝑛), and thus 𝑘 = (𝑐 − 𝑐′)(𝑑 ′ − 𝑑)−1 (𝑚𝑜𝑑 𝑛).
Notice that if 𝑑′ = 𝑑 (𝑚𝑜𝑑 𝑛) then 𝑐 ′ = 𝑐 (𝑚𝑜𝑑 𝑛), so if (𝑐, 𝑑) ≠ (𝑐 ′ , 𝑑′)
it follows that 𝑑′ ≠ 𝑑 (𝑚𝑜𝑑 𝑛) and 𝑑 ′ − 𝑑 ≠ 0 (𝑚𝑜𝑑 𝑛).
Since 𝑛 is prime, every nonzero element in ℤ𝑝 is invertible,
and thus (𝑑 ′ − 𝑑)−1 (𝑚𝑜𝑑 𝑛) really exists.
The algorithm finds such pairs by using a function 𝑓: ⟨𝑃⟩ → ⟨𝑃⟩,
and choosing an initial point 𝑋0 of the form 𝑐𝑃 + 𝑑𝑄.
It then iterates over points 𝑋𝑖+1 = 𝑓(𝑋𝑖 ) of the form 𝑐𝑃 + 𝑑𝑄.
Since ⟨𝑃⟩ is finite (of size 𝑛), at some point
the algorithm returns to a point it had already
visited, and the run is cyclic from that point
on, i.e there are 1 ≤ 𝑡, 𝑠 ≤ 𝑛 such that 𝑋𝑖+𝑠 = 𝑋𝑖
for every 𝑖 ≥ 𝑡, yielding a 𝜌-shaped stride.
Floyd's algorithm for detecting a cycle is
used- in the i'th iteration, 𝑋𝑖 , 𝑋2𝑖 are computed (by applying 𝑓
once on 𝑋𝑖−1 and twice on 𝑋2(𝑖−1) ) until they are equal.
At that point, if 𝑋𝑖 , 𝑋2𝑖 have the same 𝑐, 𝑑 values the algorithm
fails, but the probability for that is negligible as 𝑛 grows.
The function 𝑓 is defined in the following manner:
o Choose a "branching parameter" L, typically 16 or 32.
o Define a function 𝐻: ⟨𝑃⟩ → {0, … , 𝐿 − 1}, e.g. by taking the
appropriate number of LSBs of a point's x coordinate.
o For 0 ≤ 𝑗 ≤ 𝐿 − 1 choose random 𝑎𝑗 , 𝑏𝑗 ∈ ℤ𝑝 and define 𝑅𝑗 = 𝑎𝑗 𝑃 + 𝑏𝑗 𝑄.
o 𝑓(𝑋) = 𝑋 + 𝑅𝐻(𝑋)
8
Project in Computer Security 236349
Mar. 2011
If 𝑋 = 𝑐𝑃 + 𝑑𝑄 and 𝑗 = 𝐻(𝑋) then 𝑓(𝑋) = 𝑋 + 𝑅𝑗 = (𝑐 + 𝑎𝑗 )𝑃 + (𝑑 + 𝑏𝑗 )𝑄,
so 𝑓(𝑋) is of the required form, and the new 𝑐, 𝑑 can be easily
found from the old ones by addition modulo n.
In practice- c,d are not saved for all points, just for the
two points of the current iteration, which makes the memory
used by the algorithm very low- it depends on L and not the
number of points traversed.
Due to the random properties of 𝑓, derived from its definition
by 𝐻 and the birthday paradox, the expected number of
𝜋𝑛
iterations before a collision is found is √ 2 .
The full algorithm:
o Given 𝑃 ∈ 𝐸(ℤ𝑝 ) of order 𝑛 and 𝑄 ∈ ⟨𝑃⟩
o Select the branching parameter L and function 𝐻.
o For 0 ≤ 𝑗 ≤ 𝐿 − 1:
Choose random 𝑎𝑗 , 𝑏𝑗 ∈ ℤ𝑝 and store them.
Compute 𝑅𝑗 = 𝑎𝑗 𝑃 + 𝑏𝑗 𝑄 and store it.
o Select random 𝑐, 𝑑 ∈ ℤ𝑝 and compute 𝑋 = 𝑐𝑃 + 𝑑𝑄.
o Set 𝑐 ′ = 𝑐, 𝑑 ′ = 𝑑 and 𝑋 ′ = 𝑋.
(both are at 𝑋0 )
o Do
𝑗 = 𝐻(𝑋) , 𝑋 = 𝑋 + 𝑅𝑗 , 𝑐 = 𝑐 + 𝑎𝑗 (𝑚𝑜𝑑 𝑛) , 𝑑 = 𝑑 + 𝑏𝑗 (𝑚𝑜𝑑 𝑛)
For i=1 to 2
(𝑋′ advances twice!)
- 𝑗 = 𝐻(𝑋′) , 𝑋′ = 𝑋′ + 𝑅𝑗 , 𝑐′ = 𝑐′ + 𝑎𝑗 (𝑚𝑜𝑑 𝑛) , 𝑑′ = 𝑑′ + 𝑏𝑗 (𝑚𝑜𝑑 𝑛)
While 𝑋 ′ ≠ 𝑋.
o If 𝑑 = 𝑑′ return failure.
o Else- return (𝑐 − 𝑐′)(𝑑 ′ − 𝑑)−1 (𝑚𝑜𝑑 𝑛).
We have implemented the algorithm with L as an adjustable
parameter which should be a power of 2, we mostly used L=16.
𝑅𝑗 was computed in Jacobean coordinates, but converted to
affine coordinates and stored that way, and 𝑋 ′ , 𝑋 were in
Jacobean coordinates- so that the additions in each iteration
of the main loop are in mixed coordinates.
Our implementation of 𝐻 will be discussed in detail later on.
9
Project in Computer Security 236349
Mar. 2011
The Chinese Remainder Theorem (CRT)
The Chinese Remainder Theorem states that given positive and
pairwise-coprime integers 𝑚1 , … , 𝑚𝑛 and any integers 𝑥1 , … , 𝑥𝑛 ,
there exists a single solution 𝑥𝜖ℤ𝑚=𝑚1 ⋅⋅⋅𝑚𝑛 for the system:
𝑥 = 𝑥1 (𝑚𝑜𝑑 𝑚1 )
⋮
{
𝑥 = 𝑥𝑛 (𝑚𝑜𝑑 𝑚𝑛 )
An incremental algorithm for finding the solution:
o 𝑥 = 𝑥1
o 𝑀=1
o For i=1 to n:
𝑀 ∗= 𝑚𝑖−1
𝑥+= ((𝑥𝑖 − 𝑥)(𝑀−1 𝑚𝑜𝑑 𝑚𝑖−1 )𝑚𝑜𝑑 𝑚𝑖−1 )𝑀
o Return x
We have implemented this algorithm as an auxiliary method for
the Pohlig-Hellman algorithm.
The Pohlig-Hellman Algorithm for solving the ECDLP
Reduces the computation of 𝑘 = 𝑙𝑜𝑔𝑃 𝑄 to solving the ECDLP in
subgroups of ⟨𝑃⟩ of prime orders (which divide 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃)).
This means that solving the ECDLP in ⟨𝑃⟩ is no harder than
solving it in a subgroup of ⟨𝑃⟩ which has an order 𝑞, where 𝑞
is the largest prime factor of 𝑛.
Given the factorization 𝑛 = 𝑝1 𝑒1 ⋅ … ⋅ 𝑝𝑟 𝑒𝑟 where 𝑝1 , … , 𝑝𝑟 are
different primes, the algorithm finds 𝑘𝑖 = 𝑘 (𝑚𝑜𝑑 𝑝𝑖 𝑒𝑖 ) for every
1 ≤ 𝑖 ≤ 𝑟, and then uses the Chinese Remainder Theorem to find 𝑘.
Notice that the moduli are pairwise-coprime since 𝑝1 , … , 𝑝𝑟 are
different primes.
In base 𝑝𝑖 , 𝑘𝑖 can be written as 𝑘𝑖 = 𝑧𝑖,0 + 𝑧𝑖,1 𝑝𝑖 + ⋯ + 𝑧𝑖,𝑒𝑖 −1 𝑝𝑖 𝑒𝑖 −1.
There are no powers greater than 𝑒𝑖 − 1 since 𝑘𝑖 = 𝑘 (𝑚𝑜𝑑 𝑝𝑖 𝑒𝑖 ).
10
Project in Computer Security 236349
Mar. 2011
𝑛
Each 𝑘𝑖 is computed by solving 𝑒𝑖 ECDLPs in the subgroup ⟨𝑝 𝑃⟩,
𝑖
whose order is 𝑝𝑖 , each one revealing another digit in the
representation of 𝑘𝑖 in base 𝑝𝑖 .
𝑛
We compute 𝑃𝑖 = 𝑝 𝑃, then the order of 𝑃𝑖 is 𝑝𝑖 .
𝑖
We also compute:
𝑛
𝑛
𝑛
𝑖
𝑖
𝑖
o 𝑄𝑖,0 = 𝑝 𝑄, then 𝑄𝑖,0 = 𝑝 𝑘𝑃 = 𝑘 (𝑝 𝑃) = 𝑘𝑃𝑖 .
Since the order of 𝑃𝑖 is 𝑝𝑖 , 𝑘𝑃𝑖 = (𝑘 𝑚𝑜𝑑 𝑝𝑖 )𝑃𝑖 = 𝑧𝑖,0 𝑃𝑖 , so we get:
𝑄𝑖,0 = 𝑧𝑖,0 𝑃𝑖 and so 𝑧𝑖,0 = 𝑙𝑜𝑔𝑃𝑖 𝑄𝑖,0 can be found in ⟨𝑃𝑖 ⟩.
𝑛
𝑛
𝑛
o 𝑄𝑖,1 = 𝑝 2 (𝑄 − 𝑧𝑖,0 𝑃), then 𝑄𝑖,1 = 𝑝 2 (𝑘 − 𝑧𝑖,0 )𝑃 = (𝑘 − 𝑧𝑖,0 ) 𝑝 2 𝑃.
𝑖
Since the order of
𝑖
𝑛
𝑝𝑖 2
𝑖
𝑛
2
𝑛
𝑃 is 𝑝𝑖 , 𝑘 𝑝 2 𝑃 = (𝑧𝑖,0 + 𝑧𝑖,1 𝑝𝑖 ) 𝑝 2 𝑃, so:
𝑖
𝑖
𝑛
𝑛
𝑛
𝑖
𝑖
𝑖
𝑄𝑖,1 = (𝑧𝑖,0 + 𝑧𝑖,1 𝑝𝑖 − 𝑧𝑖,0 ) 𝑝 2 𝑃 = 𝑧𝑖,1 𝑝𝑖 𝑝 2 𝑃 = 𝑧𝑖,1 𝑝 𝑃 = 𝑧𝑖,1 𝑃𝑖 , and so 𝑧𝑖,1 =
𝑙𝑜𝑔𝑃𝑖 𝑄𝑖,1 can also be found in ⟨𝑃𝑖 ⟩.
In general- if we have already found 𝑧𝑖,0 , … , 𝑧𝑖,𝑡−1 we compute:
𝑛
o 𝑄𝑖,𝑡 = 𝑝 𝑡+1 (𝑄 − 𝑧𝑖,0 𝑃 − 𝑧𝑖,1 𝑝𝑖 𝑃 − ⋯ − 𝑧𝑖,𝑡−1 𝑝𝑖 𝑡−1 𝑃) and get 𝑧𝑖,𝑡 = 𝑙𝑜𝑔𝑃𝑖 𝑄𝑖,𝑡 ,
𝑖
which can be found by solving the ECDLP in ⟨𝑃𝑖 ⟩.
In our attack, we use Pollard's Rho algorithm to solve each of
the ECDLPs with prime orders in ⟨𝑃𝑖 ⟩, with runtime 𝑂(√𝑝𝑖 ).
The full algorithm:
o Given the factorization 𝑛 = 𝑝1 𝑒1 ⋅ … ⋅ 𝑝𝑟 𝑒𝑟 as above.
o For 𝑖 = 1, … , 𝑟:
For 𝑡 = 0, … , 𝑒𝑖 − 1:
𝑛
- Compute 𝑄𝑖,𝑡 = 𝑝 𝑡+1 (𝑄 − (𝑧𝑖,0 + 𝑧𝑖,1 𝑝𝑖 + ⋯ + 𝑧𝑖,𝑡−1 𝑝𝑖 𝑡−1 )𝑃)
𝑖
- Find 𝑧𝑖,𝑡 = 𝑙𝑜𝑔𝑃𝑖 𝑄𝑖,𝑡 using Pollard's Rho with order 𝑝𝑖 .
Compute 𝑘𝑖 = 𝑧𝑖,0 + 𝑧𝑖,1 𝑝𝑖 + ⋯ + 𝑧𝑖,𝑒𝑖 −1 𝑝𝑖 𝑒𝑖 −1
o Use CRT to find 𝑘 from 𝑘𝑖 = 𝑘 (𝑚𝑜𝑑 𝑝𝑖 𝑒𝑖 )
The computation of powers of 𝑝𝑖 and of 𝑧𝑖,0 + ⋯ + 𝑧𝑖,𝑡−1 𝑝𝑖 𝑡−1 are done
incrementally to avoid repeating calculations.
The combined attack runs in 𝑂(√𝑞), where 𝑞 is the largest prime
factor of 𝑛.
11
Project in Computer Security 236349
Mar. 2011
First Challenge
We received two points on a curve 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏:
𝑃 = (215672232155085007005, 176420948314972445409) and
𝑄 = (49818534942346740253, 67908233076804365605)
over ℤ𝑝 for 𝑝 = 414507122857381699247.
It is known that 𝑄 = 𝑘𝑃 for some 𝑘. 𝑎 and 𝑏 are unknown.
Since 𝑃 and 𝑄 are solutions they satisfy the curve's equation.
This yields two linear equation which allow to find 𝑎 and 𝑏.
We have found that 𝑎 = 0 and 𝑏 = 354497773196996188796.
We were pointed to a section that describes a condition, which
in our case translates to the order of 𝐸(ℤ𝑝 ) being 𝑝 ± 1.
Since the order of every point in a group divides the order of
the group- we have calculated 𝑃𝑝±1 , 𝑄 𝑝±1 , and found that for 𝑝 + 1
they were both ∞, and for 𝑝 − 1 they were not.
By analyzing the number of possible solutions we have found
that when 𝑝 > 2 and 𝑝 (𝑚𝑜𝑑 3) = 2, the curve 𝑦 2 = 𝑥 3 + 𝑏 (with 𝑎 = 0)
over ℤ𝑝 has 𝑝 + 1 solutions for any 𝑏𝜖ℤ𝑝 (see Appendix B).
This is the case for the problem we were given.
We were also hinted that the group order could be factored
easily. We assumed that it has a dominant prime factor with
multiplicity 1, and used Eratosthenes' Sieve and RabinMiller's primality test to find its factorization:
o 𝑚 = 2, 𝑖 = 1, 𝑞 = 𝑝 + 1
o While 𝑞 > 1:
If 𝑞 is prime- 𝑝𝑖 = 𝑞, 𝑒𝑖 = 1 and break.
If 𝑞 (𝑚𝑜𝑑 𝑚) = 0:
- 𝑒 = 0, 𝑝𝑖 = 𝑚
- While 𝑞 (𝑚𝑜𝑑 𝑚) = 0
𝑞
𝑒 + +, 𝑞 = 𝑚
- 𝑒𝑖 = 𝑒, 𝑖 + +
𝑚++
o Return 𝑛 = 𝑝1 𝑒1 ⋅ … ⋅ 𝑝𝑖 𝑒𝑖
12
Project in Computer Security 236349
Mar. 2011
The algorithm doesn't check that 𝑚 is prime, but since we
divide as "much as possible", thanks to Eratosthenes' Sieve,
only prime numbers will be added as factors.
So checking whether 𝑞 (𝑚𝑜𝑑 𝑚) = 0 is enough, and much lighter
than finding the next prime at each iteration.
We have found that 𝑝 + 1 = 24 ⋅ 3 ⋅ 673 ⋅ 10092 ⋅ 28202267.
Next we wanted to find the order of the point 𝑃 and its
factorization, which are needed for Pohlig-Hellman.
We started by computing
𝑝+1
28202267
𝑃.
If this was ∞, then 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃) would divide 24 ⋅ 3 ⋅ 672 ⋅ 10092 , and
the factor 28202267 would not be appear in 𝑛's factorization.
We then realized that we could use the same idea to find the
whole factorization of 𝑛 (and thus 𝑛 itself), by computing
𝑝+1
𝑝𝑖 𝑡
𝑃
for 1 ≤ 𝑡 ≤ 𝑒𝑖 and checking whether it is ∞.
If all are
𝑝+1
𝑝𝑖 𝑒𝑖
𝑃 = ∞ then 𝑝𝑖 does not appear in the factorization
of 𝑛. Otherwise- let 1 ≤ 𝑡′ ≤ 𝑒𝑖 be the smallest value of 𝑡 for
which
𝑝+1
𝑝𝑖 𝑡
𝑃 ≠ ∞, then the multiplicity of 𝑝𝑖 in the factorization
of 𝑛 is 𝑒𝑖 − 𝑡 ′ + 1.
This was an algorithm we have seen before, and were reminded
of it by our experiments, it runs in 𝑂((log 𝑛)2 ) field
operations, since each point multiplication is done in 𝑂(log 𝑛)
point doublings and additions, and since the number of point
multiplications is at most ∑𝑟𝑖=1 𝑒𝑖 , and
𝑟
𝑛 = 𝑝1 𝑒1 ⋅ … ⋅ 𝑝𝑟 𝑒𝑟 ≥ 2𝑒1 ⋅ … ⋅ 2𝑒𝑟 = 2∑𝑖=1 𝑒𝑖 implies ∑𝑟𝑖=1 𝑒𝑖 ≤ log 𝑛.
We have implemented the algorithm for factoring 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃)
given the factorization of a group that contains 𝑃, and found
that 𝑛 = 23 ⋅ 3 ⋅ 672 ⋅ 10092 ⋅ 28202267.
We then used our combined attack to find 𝑘 = 1815014470915166467.
13
Project in Computer Security 236349
Mar. 2011
While the solution was correct, we got a much larger runtime
than we expected- approximately 8 hours.
We have added a debug feature that counts the number of
iterations in the main loop of PR (Pollard's Rho).
We noticed that we get the same number of iterations and about
the same runtime, every time we run the program.
Further more- Pollard-Rho has failed at exactly the same
places (for 𝑝𝑖 = 2 or 3).
We have examined the way we choose random numbers using an NTL
method and read about the subject in the internet.
We found that we were not using it correctly- we were missing
seed initialization.
After fixing the issue we got a distribution of runtimes, but
still ranging from 10 minutes to hours.
We have examined the implementation of group operations and
attack algorithms, and found no problem.
We have collected data about 15 different runs and analyzed
the runtime as a function of the number of PR iteration for
the dominant factor 𝑞 = 28202267 (25 bits):
14
Project in Computer Security 236349
Mar. 2011
With the help of our instructor, we estimated that the implied
average runtime per iteration- 0.22 miliseconds, was good.
However- the number of iterations for PR did not seem to
behave like 𝑂(√𝑞 ≈ 5311), but rather like 𝑂(𝑞).
Under our instructor's advice, we then tried to simulate a
small instance of the ECDLP for which all intermediate values
were specified.
We have disabled the random choices in PR and forced it to
choose the same initial values as we had in the example.
We then ran the simulation and found that we get a different
iteration count and different intermediate values.
Debugging this example we found that our algorithm differed in
the values returned from the function 𝐻 used by Pollard's Rho.
We have realized that, while it wasn't explicitly stated in
the algorithm, the function 𝐻 was applied on the affine
representation of group points, while we have applied it on
points represented in Jacobean coordinates.
We did not expect this to have a significant effect on PR's
iteration count- however, after changing 𝐻 to compute the x
coordinate of the Affine representation before taking the
required number of LSBs, we got the result in second, and the
expected iteration count around thousands instead of millions.
In order to figure out why applying 𝐻 on Jacobean coordinates
had such implications, we added another debug feature that
counts the number of times a point is mapped by 𝐻 to each of
the possible values {0, … , 𝐿 − 1}, and prints the relative
commonness of each value.
We only counted the number of times the variable 𝑋′ in PR is
mapped to each value, since it runs ahead of 𝑋 and goes over
all points in the run, to try and avoid repeating points.
15
Project in Computer Security 236349
Mar. 2011
We have analyzed the distribution of 𝐻 values when using
Jacobean and Affine coordinates, and found that the
distribution was actually better for Jacobean coordinates,
that is the variance of relative commonness was lower in
Jacobean coordinates:
We suggest that it might be because the same point can appear
with almost any X coordinate in Jacobean coordinates but did
not further explore this issue.
In any case- we have concluded that the problem was not that
we do not get a uniform enough distribution when using
Jacobean coordinates.
Our hypothesis is that the cause for this phenomena is the
fact that when defining 𝐻 the way we did- 𝐻 is not really a
function, since the same point has different representations
in Jacobean coordinates, with different values of 𝐻.
If we remember that a point in Jacobean representation is
actually an equivalence class, then the 𝐻 we have defined
depends on the choice of representative, and therefore is not
a well defined function on equivalence classes.
We also claim that as a result- the run of PR may not follow
its characteristic rho shape, and will take more iterations.
The point 𝑋 still trails after the point 𝑋′, and receives the
same values it did, but it is not guaranteed that when one of
them returns to a group point it had already visited it would
have the same representation, get the same value of 𝐻, and
cause the run to continue to the same point it did last time.
16
Project in Computer Security 236349
Mar. 2011
Second Challenge
We received two points on a curve 𝑦 2 = 𝑥 3 − 3𝑥 + 𝑏:
𝑃1 = (3985405989425567967156018419845895538146634120778821183269911
386471222329765150440620991823676837980440324457306600557245758586
407123663426871114407190797434 ,
1035164599827052925462550162884
725780347280725228534828045908870597656594533958917186968508732093
297803706226959330852416205850480211654091223250466044015472)
and 𝑃2 =
(2776337839878622907459911570883077287064232747988983340664646
570554424675512432427452835254055623705198536338718514654123364891
577242648186860775805757142087 ,
4942339385789742525658089491384
392327504318294820546412397333474890706483258294206826547242681422
834868263941273328445841215839421288486970749123144565809055)
over ℤ𝑝 for 𝑝 = 2521 − 1, where 𝑏 =
3527776260069785152007274377287143876629163004151083436918
06724583402309535280335261959207177615306499501004598173992363
3622717991755444624957640186908953364
The order of 𝐸(ℤ𝑝 ) is 1822190461 times the prime number:
q=37673326729870361861047525256918756404736965090189358692919112252
91801801061920383167539090076234467461672461238763684291062219801126
187996488014639
It is known that one of the points is the base of an
intractable ECDLP, while the other is not.
We have chosen integers 1 ≤ 𝑘1 , 𝑘2 < 1822190461, computed 𝑄𝑖 = 𝑘𝑖 𝑃𝑖 ,
randomly chose 𝑖𝜖{1,2} and tried to attack the ECDLP with 𝑃𝑖 and
𝑄𝑖 , under the assumption that the order of 𝑃𝑖 is 1822190461.
17
Project in Computer Security 236349
Mar. 2011
As an experiment- when attacking each problem we have used PR
directly as if 1822190461 was a prime number and, which it is
not, and the actual order of the point.
This is done instead of factoring it (which is not hard1822190461 = 7 ⋅ 13 ⋅ 3413 ⋅ 5867) and using the combined attack.
Pollard's Rho algorithm only assumes that the order of P is
prime when it assumes that (𝑑 ′ − 𝑑) has an inverse modulo that
order if it is not zero.
What we saw in practice is that for 𝑖 = 2 attacks sometimes
failed when trying to invert (𝑑 ′ − 𝑑), which was not invertible
even though it was not zero.
At other times they completed within seconds to about one
minute and returned the correct 𝑘𝑖 .
The number of iterations it took corresponded to √1822190461,
and not √5867 which we would get if we factored the number and
used Pohlig-Hellman with Pollard's Rho.
For 𝑖 = 1 no run has completed, even after hours.
We have concluded that the order of 𝑃2 divides 1822190461, and
does not include the large factor q, while the order of 𝑃1 is a
multiple of 𝑞, and thus 𝑃1 is the base of an intractable ECDLP.
Third Challenge
We received several curves 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 over ℤ𝑝 where 𝑎, 𝑏, 𝑝 are
given, and the order of 𝐸(ℤ𝑝 ) is a prime number which is also
given.
According to Hasse's theorem,| #𝐸(ℤ𝑝 ) − (𝑝 + 1)| ≤ 2√p, where #𝐸(ℤ𝑝 )
is the size of 𝐸(ℤ𝑝 ), and thus #𝐸(ℤ𝑝 ) ≈ 𝑝.
In the curves we got, p and #𝐸(ℤ𝑝 ) were of 40-60 bits.
18
Project in Computer Security 236349
Mar. 2011
When the group's order is prime, any 𝑃 ≠ ∞ is of the same order
as the group, since 𝑂𝑟𝑑𝑒𝑟(𝑃)|#𝐸(ℤ𝑝 ) and 𝑂𝑟𝑑𝑒𝑟(𝑃) ≠ 1.
We got 7 40-bit curves, 10 50-bit curves and 9 60-bit curves,
out of which we have attacked all 40-50 bit curves and 2 of
the 60 bit curves, some several times with the isomorphism
enhancement enabled or disabled, or for different values of L.
For each curve we have attacked, we found a point 𝑃 on the
curve in the following manner: starting from 𝑥 = 0 we checked
if 𝑥 3 + 𝑎𝑥 + 𝑏 is a quadratic residue modulo 𝑝, if so- we found a
square root modulo 𝑝 of 𝑥 3 + 𝑎𝑥 + 𝑏 and set it to be 𝑦, and then
𝑃 = (𝑥, 𝑦), otherwise we advance to the next value of 𝑥.
The most attempts it took us to find a point was 6, and
usually either 𝑥 = 0 or 𝑥 = 1 worked.
After finding the first point, we randomly chose an integer 0 ≤
𝑘 < #𝐸(ℤ𝑝 ), computed 𝑄 = 𝑘𝑃 and solved ECDLP(𝑃, #𝐸(ℤ𝑝 ), 𝑄) using
Pollard's Rho algorithm, since the order is a prime.
The average results from our runs:
π⋅#𝐸(ℤ𝑝 )
Where the expected iteration number is estimated as √
2
.
It is worth pointing out that the average iteration count for n
bits is approximately
n
2
-bits, as we would expect from PR.
The average runtime per iteration is lower for 60 bit than it
is for 40 and 50 bit.
This could result from the fact that the average here reflects
only 2 60-bit runs, and that even for 40 and 40 bit there was
some distribution of this parameter- all runs were done on two
different laptops with other active processes, and perhaps the
19
Project in Computer Security 236349
Mar. 2011
changes in workload had an effect on the average runtime per
iteration.
These runs were done on a different computer than the one used
for the first challenge where we got 0.22ms per iteration,
which is much better- even if we consider the fact that q in
the first challenge was only 25-bits.
We also used the third challenge to debug and test the
isomorphism optimization, since none of the previous curves
satisfied the required conditions to activate it.
Only 6 of the 19 curves we have attacked could be optimized.
We got a modest average improvement of about 3.5%:
Another experiment we have conducted was with the parameter L.
We used one of the 40-bit curves, and attacked it with values
of L which are powers of 2, from 4 to 128.
The optimal value of L is supposed to be around 16 or 32, in
this case L=8 performed slightly better than those values, and
all other values yielded a larger number of iterations:
20
Project in Computer Security 236349
Mar. 2011
Cryptosystem Strength
The complexity of the attack we have used is proportional to
√q, where 𝑞 is the largest prime factor of 𝑛 = 𝑂𝑟𝑑𝑒𝑟(𝑃).
By Lagrange, 𝑛 divides #𝐸(ℤ𝑝 ), and thus 𝑞 divides #𝐸(ℤ𝑝 ).
In order to resist this attack, the curve 𝐸 should be chosen
such that #𝐸(ℤ𝑝 ) has a prime factor 𝑞, large enough so that √q
is an infeasible number of computations, and further more- the
point 𝑃 which is the base of the ECDLP (on the hardness of
which a cryptosystem's security may rely) should be chosen
such that q divides the order of 𝑃.
There always exists such a point Pϵ𝐸(ℤ𝑝 ) according to Sylow /
Cauchy which state that if 𝐺 is a group and 𝑞 is a prime which
divides #𝐸(ℤ𝑝 ), then there exists a 𝑔𝜖𝐺 of order 𝑞.
In order to obtain the desired level of security, but avoid
unnecessary complication of computations and an increase in
the size of stored values, 𝐸 should be chosen such that
#𝐸(ℤ𝑝 ) = ℎ𝑞, where ℎ is relatively small, and thus 𝑝 ≈ #𝐸(ℤ𝑝 ) ≈ 𝑞
(as we have mentioned earlier, #𝐸(ℤ𝑝 ) ≈ 𝑝 according to Hasse).
We have demonstrated in the first challenge that when
parameter are not chosen carefully, the ECDLP could be
attacked efficiently- 𝑝 there was approximately 68 bits and an
attack with our algorithm should have taken approximately √28 =
16 times longer than our attacks on 60 bit curves.
Since our attacks on 60 bit curves took about 100 hours in
average, we get an estimated runtime of 1600 hours, which is
more than two months, for an attack on 68-bit curves.
A similar estimation using our attacks on 50-bit curves (which
were more numerous) results in almost three months.
21
Project in Computer Security 236349
Mar. 2011
Despite that, since the largest factor of #𝐸(ℤ𝑝 ) was only 25
bits, we have managed to find the solution in 5-11 seconds.
We have also demonstrated this in the second challenge, where 𝑝
was a staggering 521 bit, but we were still able to break the
problem for 𝑃2 .
Even though #𝐸(ℤ𝑝 ) had a huge prime factor of ~490 bits, 𝑃2 was
chosen such that all the factors of 𝑂𝑟𝑑𝑒𝑟(𝑃2 ) were small, which
made the ECDLP based on it susceptible to attack.
Subjects for future research
Further explore the phenomena we have encountered when
applying the function 𝐻 on points in Jacobean coordinates:
o Is PR's run guaranteed to terminate?
o Why does PR seem to run in 𝑂(𝑞) iterations?
o Is there a logical operation which can be performed on bits
of the Jacobean representation in order to produce a well
defined 𝐻 function without calculating Affine coordinates?
Run the parallelized version of Pollard's Rho algorithm:
o If there are more than 2 cores or machines, one would run
the server process and the rest would be clients.
o If there are 2 cores, one would run a client thread and the
other would run 2 threads- one of a client and one for the
server.
o If there s only one core, run the normal, non-parallelized
version of the algorithm.
o Communication between the clients and the server is done
through writing and reading from a common file.
Sources
Guide to Elliptic Curve Cryptography – Darrel Hankerson,
Alfred Menezes and Scott Vanstone
22
Project in Computer Security 236349
Mar. 2011
Slides of the course 236506 – Modern Cryptology, Technion.
Slides of the course Elliptic Curves, Penn State University.
Appendix A – Proof of isomorphism properties
𝐸1 : 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 , 𝐸2 : 𝑦 2 = 𝑥 3 − 3𝑥 + 𝑢−6 𝑏 over ℤ𝑝 for 𝑝 > 3,
where 𝑢 ∈ ℤ𝑝 \{0} satisfies 𝑢4 ≡ 𝑎(−3)−1 (𝑚𝑜𝑑 𝑝).
We will first show that 𝜑: 𝐸1 (ℤ𝑝 ) → 𝐸2 (ℤ𝑝 ), defined by 𝜑(∞) = ∞ and
𝜑(𝑥, 𝑦) = (𝑢−2 𝑥, 𝑢−3 𝑦) ≜ (𝑥̃, 𝑦̃) is a group isomorphism:
𝜑 is well defined:
It is clear that 𝜑(∞) = ∞𝜖𝐸2 (ℤ𝑝 ).
If (𝑥, 𝑦)𝜖𝐸1 (ℤ𝑝 ) 𝜑(𝑥, 𝑦) = (𝑥̃, 𝑦̃) satisfies (𝑥̃, 𝑦̃)𝜖ℤ𝑝 × ℤ𝑝 and (𝑥̃, 𝑦̃)𝜖𝐸2 (ℤ𝑝 )
since 𝑥̃ 3 − 3𝑥̃ + 𝑢−6 𝑏 = 𝑢−6 𝑥 3 + 𝑢−4 𝑎𝑢−2 𝑥 + 𝑢−6 𝑏 = 𝑢−6 (𝑥 3 + 𝑎𝑥 + 𝑏) = 𝑢−6 𝑦 2 = 𝑦̃ 2
𝜑 is a group homomorphism:
𝜑(∞ + 𝑃) = 𝜑(𝑃) = ∞ + 𝜑(𝑃) = 𝜑(∞) + 𝜑(𝑃)
𝜑((𝑥, 𝑦) + (𝑥, −𝑦)) = 𝜑(∞) = ∞ = (𝑢−2 𝑥, 𝑢−3 𝑦) + (𝑢−2 𝑥, −𝑢−3 𝑦) = 𝜑((𝑥, 𝑦)) + 𝜑((𝑥, −𝑦))
It can be verified by examining the formulas for adding two
distinct points 𝑃 = (𝑥, 𝑦), 𝑄 = (𝑥′, 𝑦′) and for point doubling that:
𝜑(𝑃 + 𝑄) = 𝜑(𝑃) + 𝜑(𝑄) and 𝜑(𝑃 + 𝑃) = 𝜑(𝑃) + 𝜑(𝑃).
So 𝜑(𝑃 + 𝑄) = 𝜑(𝑃) + 𝜑(𝑄) for any 𝑃, 𝑄𝜖𝐸1 (ℤ𝑝 ).
𝜑 is injective:
By 𝜑's definition, 𝜑(𝑃) = ∞ ⇔ 𝑃 = ∞, and so ker(𝜑) = {∞}.
𝜑 is surjective:
𝜑(∞) = ∞, if (𝑥′, 𝑦′)𝜖𝐸2 (ℤ𝑝 ) then:
(𝑢3 𝑦′)2 = 𝑢6 𝑦′2 = 𝑢6 𝑥′3 − 3𝑢4 𝑢2 𝑥 ′ + 𝑢6 𝑢−6 𝑏 = (𝑢2 𝑥 ′ )3 + 𝑎(𝑢2 𝑥 ′ ) + 𝑏 and thus
(𝑢2 𝑥 ′ , 𝑢3 𝑦′)𝜖𝐸1 (ℤ𝑝 ), and 𝜑((𝑢2 𝑥 ′ , 𝑢3 𝑦 ′ )) = (𝑥 ′ , 𝑦′)
∎
Given 𝑃1 ∈ 𝐸1 (ℤ𝑝 ) we denote 𝑂𝑟𝑑𝑒𝑟(𝑃1 ) = 𝑛1 , 𝜑(𝑃1 ) = 𝑃2 and 𝑂𝑟𝑑𝑒𝑟(𝑃2 ) = 𝑛2 .
Then:
𝑛1 𝑃2 = 𝑛1 𝜑(𝑃1 ) = ⏟
𝜑(𝑃1 ) + ⋯ + 𝜑(𝑃1 ) = 𝜑 (𝑃
⏟1 + ⋯ + 𝑃1 ) = 𝜑(𝑛1 𝑃1 ) = 𝜑(∞) = ∞
𝑛1 𝑡𝑖𝑚𝑒𝑠
𝑛1 𝑡𝑖𝑚𝑒𝑠
and thus 𝑛2 |𝑛1.
Similarly, by using 𝜑 −1 which is also an isomorphism we get 𝑛1 |𝑛2 .
Since both are positive integers we get 𝑂𝑟𝑑𝑒𝑟(𝑃1 ) = 𝑛1 = 𝑛2 = 𝑂𝑟𝑑𝑒𝑟(𝑃2 ).
23
Project in Computer Security 236349
Mar. 2011
If 𝑃 ∈ 𝐸1 (ℤ𝑝 ) and 𝑄 = 𝑘𝑃 then:
𝑘𝜑(𝑃) = ⏟
𝜑(𝑃) + ⋯ + 𝜑(𝑃) = 𝜑 (𝑃
⏟ + ⋯ + 𝑃 ) = 𝜑(𝑘𝑃) = 𝜑(𝑄).
𝑘 𝑡𝑖𝑚𝑒𝑠
𝑘 𝑡𝑖𝑚𝑒𝑠
Appendix B – Proof of group order for a=0
𝐸: 𝑦 2 = 𝑥 3 + 𝑏 over ℤ𝑝 for where 𝑝 (𝑚𝑜𝑑 3) = 2.
We will show that #𝐸(ℤ𝑝 ) = 𝑝 + 1:
The function 𝜎: ℤ𝑝 → ℤ𝑝 , 𝜎(𝑥) = 𝑥 3 is surjective when 𝑝 (𝑚𝑜𝑑 3) = 2:
In ℤ∗𝑝 - 𝑥1 3 𝑥2 3 = (𝑥1 𝑥2 )3 , and so 𝜎|ℤ∗𝑝 : ℤ∗𝑝 → ℤ∗𝑝 is a group homomorphism.
If 𝑥 3 = 1 for 𝑥 ∈ ℤ∗𝑝 then 𝑂𝑟𝑑𝑒𝑟(𝑥) in ℤ𝑝∗ divides 3, and so 𝑂𝑟𝑑𝑒𝑟(𝑥)
is either 1 or 3. In addition- 𝑂𝑟𝑑𝑒𝑟(𝑥) divides |ℤ∗𝑝 | = 𝑝 − 1.
3 does not divide 𝑝 − 1 since 𝑝 − 1 ≡ 1 (𝑚𝑜𝑑 3), and so 𝑂𝑟𝑑𝑒𝑟(𝑥) = 1,
which means that 𝑥 = 𝑥1 = 1. It follows that ker (𝜎|ℤ∗𝑝 ) = {1} and so
𝜎|ℤ∗𝑝 is injective, and does not receive the value 0.
Its extension to ℤ𝑝 , 𝜎, satisfies 𝜎(0) = 0, and so it is also
injective, and since 𝜎: ℤ𝑝 → ℤ𝑝 , it is a permutation on ℤ𝑝 , and
in particular it is surjective.
For every 𝑥̃𝜖ℤ𝑝 it holds that 𝑥̃ − 𝑏𝜖ℤ𝑝 .
Thus there exists an 𝑥𝜖ℤ𝑝 such that 𝑥 3 = 𝑥̃ − 𝑏, or 𝑥 3 + 𝑏 = 𝑥̃, and
therefore the function 𝜏: ℤ𝑝 → ℤ𝑝 , 𝜏(𝑥) = 𝑥 3 + 𝑏 is also surjective.
Since 𝜏: ℤ𝑝 → ℤ𝑝 is surjective, it is a permutation on ℤ𝑝 .
For every 𝑦𝜖ℤ𝑝 there exists exactly one 𝑥𝜖ℤ𝑝 such that
𝑦 2 = 𝜏(𝑥) = 𝑥 3 + 𝑏, so there are exactly 𝑝 solutions to the
equation of the form (𝑥, 𝑦)𝜖ℤ𝑝 × ℤ𝑝 .
(𝑦 and – 𝑦 share the same 𝑥 coordinate, but still there is only
one point associated with each one of them)
𝐸(ℤ𝑝 ) is the set of all these solutions, with the addition of
the point ∞, and therefore #𝐸(ℤ𝑝 ) = 𝑝 + 1.
24
∎
Project in Computer Security 236349
Mar. 2011
*In fact this is also true if 𝑝 (𝑚𝑜𝑑 3) = 0, since the only prime
number that satisfies this condition is 𝑝 = 3 itself, and for 𝑝 = 3
the function 𝜎: ℤ𝑝 → ℤ𝑝 , 𝜎(𝑥) = 𝑥 3 is a permutation.
25
