JOURNAL OF INFORMATION, KNOWLEDGE AND RESEARCH IN COMPUTER ENGINEERING

AN ELLIPTIC CURVE CRYPTOSYSTEM

A L SRIRAM, A L SUBRAMANIAN
Department of Computer Science and Engineering, Shri JJT University
sendtoals@gmail.com

ABSTRACT: Data security is the prime and most vital point in the design of future IT systems. Many of those IT applications will be realized as embedded systems which rely heavily on security mechanisms. This paper focuses on the basics, attributes and performance of Elliptic Curve Cryptosystems (ECC), the relevance between ECC and embedded systems applications, and the performance anticipated in embedded systems.

Keywords: ECC; Embedded System; Security

1. Introduction

In cryptosystems the main subject of concern is data security, and that is the main focus in the design process. A wide range of embedded products, such as e-cards and wireless products, whose use has grown manifold, demands high security. Many of those applications rely heavily on security mechanisms, such as security for wireless phones, faxes, wireless computing, pay-TV, and copy protection schemes for audio/video consumer products and digital cinemas. Note that a large share of those embedded applications will be wireless, which makes the communication channel especially vulnerable and the need for security even more obvious. The growth of communication devices also brings additional security challenges. E-commerce and e-business also demand similar security cover. In the future, valuable business opportunities will be realized over the Internet and megabytes of sensitive data will be transferred and moved over insecure communication channels. Therefore, both for secure (authenticated, private) Web transactions and for secure (signed, encrypted) messaging, a full and efficient public key infrastructure is needed.
Three basic choices for public key systems are available for these applications:

• RSA. RSA is an algorithm for public-key cryptography that is based on the presumed difficulty of factoring large integers, the factoring problem. RSA stands for Ron Rivest, Adi Shamir and Leonard Adleman, who first publicly described it in 1978. A user of RSA creates and then publishes the product of two large prime numbers, along with an auxiliary value, as their public key. The prime factors must be kept secret.
• DH or DSA. The Digital Signature Algorithm (DSA) is a United States Federal Government standard, or FIPS, for digital signatures. Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared between different users of the system, while the second phase computes public and private keys for a single user.

2. ECDSA - Elliptic Curve Digital Signature Algorithm

A signature algorithm is used for authenticating a device or a message sent by the device. For example, consider two devices A and B. To authenticate a message sent by A, device A signs the message using its private key. Device A sends the message and the signature to device B. This signature can be verified only by using the public key of device A. Since device B knows A's public key, it can verify whether the message was indeed sent by A or not.

ECDSA is a variant of the Digital Signature Algorithm (DSA) that operates on elliptic curve groups. For sending a signed message from A to B, both have to agree upon elliptic curve domain parameters. Sender A has a key pair consisting of a private key $d_A$ (a randomly selected integer less than $n$, where $n$ is the order of the curve, an elliptic curve domain parameter) and a public key $Q_A = d_A G$ ($G$ is the generator point, an elliptic curve domain parameter). An overview of the ECDSA process is given below.

Signature Generation

For signing a message $m$ by sender A, using A's private key $d_A$:

1. Calculate $e = \mathrm{HASH}(m)$, where HASH is a cryptographic hash function, such as SHA-1.
2. Select a random integer $k$ from $[1, n-1]$.
3. Calculate $r = x_1 \bmod n$, where $(x_1, y_1) = kG$. If $r = 0$, go to step 2.
4. Calculate $s = k^{-1}(e + d_A r) \bmod n$. If $s = 0$, go to step 2.
5. The signature is the pair $(r, s)$.

Signature Verification

For B to authenticate A's signature, B must have A's public key $Q_A$:

1. Verify that $r$ and $s$ are integers in $[1, n-1]$. If not, the signature is invalid.
2. Calculate $e = \mathrm{HASH}(m)$, where HASH is the same function used in the signature generation.
3. Calculate $w = s^{-1} \bmod n$.
4. Calculate $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
5. Calculate $(x_1, y_1) = u_1 G + u_2 Q_A$.
6. The signature is valid if $x_1 = r \pmod n$, invalid otherwise.

ISSN: 0975 – 6760 | NOV 12 TO OCT 13 | VOLUME – 02, ISSUE - 02 Page 150

3. ECDH – Elliptic Curve Diffie Hellman

ECDH is a key agreement protocol that allows two parties to establish a shared secret key that can be used for private key algorithms. Both parties exchange some public information with each other. Using this public data and their own private data, these parties calculate the shared secret. Any third party who doesn't have access to the private details of each device will not be able to calculate the shared secret from the available public information.

For generating a shared secret between A and B using ECDH, both have to agree upon elliptic curve domain parameters. Both ends have a key pair consisting of a private key $d$ (a randomly selected integer less than $n$, where $n$ is the order of the curve, an elliptic curve domain parameter) and a public key $Q = dG$ ($G$ is the generator point, an elliptic curve domain parameter). Let $(d_A, Q_A)$ be the private key, public key pair of A and $(d_B, Q_B)$ be the private key, public key pair of B.

1. The end A computes $K = (X_K, Y_K) = d_A Q_B$.
2. The end B computes $L = (X_L, Y_L) = d_B Q_A$.
3. Since $d_A Q_B = d_A d_B G = d_B d_A G = d_B Q_A$, $K = L$ and hence $X_K = X_L$.
4. Hence the shared secret is $X_K$.

Since it is practically impossible to find the private key $d_A$ or $d_B$ from the public key K or L, it is not possible for a third party to obtain the shared secret.

4. Discrete Logarithm Problem

The security of ECC depends on the difficulty of the Elliptic Curve Discrete Logarithm Problem. Let $P$ and $Q$ be two points on an elliptic curve such that $kP = Q$, where $k$ is a scalar. Given $P$ and $Q$, it is computationally infeasible to obtain $k$ if $k$ is sufficiently large. $k$ is the discrete logarithm of $Q$ to the base $P$. Hence the main operation involved in ECC is point multiplication, i.e. multiplication of a scalar $k$ with any point $P$ on the curve to obtain another point $Q$ on the curve.

Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) is a form of public key cryptography. In public key cryptography each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys to perform the cryptographic operations. Only the particular user knows the private key, whereas the public key is distributed to all users taking part in the communication. Some public key algorithms may require a set of predefined constants to be known by all the devices taking part in the communication. The 'domain parameters' in ECC are an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private key cryptography.

The mathematical operations of ECC are defined over the elliptic curve $y^2 = x^3 + ax + b$, where $4a^3 + 27b^2 \neq 0$. Each value of $a$ and $b$ gives a different elliptic curve. All points $(x, y)$ which satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number.
The public key is obtained by multiplying the private key with the generator point $G$ on the curve. The generator point $G$, the curve parameters $a$ and $b$, together with a few more constants, constitute the domain parameters of ECC. One main advantage of ECC is its small key size. A 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.

4.1 Point multiplication

In point multiplication a point $P$ on the elliptic curve is multiplied with a scalar $k$ using the elliptic curve equation to obtain another point $Q$ on the same elliptic curve, i.e. $kP = Q$. Point multiplication is achieved by two basic elliptic curve operations:

• Point addition, adding two points $J$ and $K$ to obtain another point $L$, i.e. $L = J + K$.
• Point doubling, adding a point $J$ to itself to obtain another point $L$, i.e. $L = 2J$.

Here is a simple example of point multiplication. Let $P$ be a point on an elliptic curve. Let $k$ be a scalar that is multiplied with the point $P$ to obtain another point $Q$ on the curve, i.e. to find $Q = kP$. If $k = 23$ then $kP = 23P = 2(2(2(2P) + P) + P) + P$. Thus point multiplication uses point addition and point doubling repeatedly to find the result. The above method is called the 'double and add' method for point multiplication. There are other efficient methods for point multiplication, such as the NAF (Non-Adjacent Form) and wNAF (windowed NAF) methods.

4.2 Point addition

Point addition is the addition of two points $J$ and $K$ on an elliptic curve to obtain another point $L$ on the same elliptic curve.

Geometrical explanation

Consider two points $J$ and $K$ on an elliptic curve as shown in figure (a). If $K \neq -J$ then a line drawn through the points $J$ and $K$ will intersect the elliptic curve at exactly one more point $-L$.
The reflection of the point $-L$ with respect to the x-axis gives the point $L$, which is the result of the addition of points $J$ and $K$. Thus on an elliptic curve $L = J + K$. If $K = -J$, the line through these points intersects the curve at the point at infinity $O$. Hence $J + (-J) = O$. This is shown in figure (b). $O$ is the additive identity of the elliptic curve group. The negative of a point is the reflection of that point with respect to the x-axis.

Analytical explanation

Consider two distinct points $J$ and $K$ such that $J = (X_J, Y_J)$ and $K = (X_K, Y_K)$. Let $L = J + K$ where $L = (X_L, Y_L)$; then

  $X_L = s^2 - X_J - X_K$
  $Y_L = -Y_J + s(X_J - X_L)$
  $s = (Y_J - Y_K)/(X_J - X_K)$

where $s$ is the slope of the line through $J$ and $K$.

If $K = -J$, i.e. $K = (X_J, -Y_J)$, then $J + K = O$, where $O$ is the point at infinity. If $K = J$ then $J + K = 2J$ and the point doubling equations are used. Also $J + K = K + J$.

4.3 Point doubling

Point doubling is the addition of a point $J$ on the elliptic curve to itself to obtain another point $L$ on the same elliptic curve.

Geometrical explanation

To double a point $J$ to get $L$, i.e. to find $L = 2J$, consider a point $J$ on an elliptic curve as shown in figure (a). If the y coordinate of the point $J$ is not zero then the tangent line at $J$ will intersect the elliptic curve at exactly one more point $-L$. The reflection of the point $-L$ with respect to the x-axis gives the point $L$, which is the result of doubling the point $J$. Thus $L = 2J$. If the y coordinate of the point $J$ is zero then the tangent at this point intersects the curve at the point at infinity $O$. Hence $2J = O$ when $Y_J = 0$. This is shown in figure (b).

Analytical explanation

Consider a point $J$ such that $J = (X_J, Y_J)$, where $Y_J \neq 0$. Let $L = 2J$ where $L = (X_L, Y_L)$; then

  $X_L = s^2 - 2X_J$
  $Y_L = -Y_J + s(X_J - X_L)$
  $s = (3X_J^2 + a)/(2Y_J)$

where $s$ is the slope of the tangent at point $J$ and $a$ is one of the parameters chosen with the elliptic curve. If $Y_J = 0$ then $2J = O$, where $O$ is the point at infinity.

Analysis of security levels

The advantage of elliptic curve systems over systems based on the multiplicative group of a finite field (and also over systems based on the intractability of integer factorization) is the absence of a sub-exponential-time algorithm (such as those of "index-calculus" type) that could find discrete logarithms in these groups; in this respect the elliptic curve systems are far superior. So one can use an elliptic curve group that is smaller in size while maintaining the same level of security. The result is smaller key sizes, bandwidth savings, and faster implementations, features which are especially attractive for security applications where computational power and integrated circuit space are limited, such as smart cards, personal digital assistants, and wireless devices. Therefore, they have the potential to provide faster public-key cryptosystems with smaller key sizes in comparison with RSA systems. Many public-key algorithms, like Diffie-Hellman, ElGamal, and Schnorr, can be easily implemented in elliptic curves over finite fields. Tables such as Table 1 can be found in a number of standards documents.

Table 1. Key sizes for equivalent security levels (in bits)

Symmetric         ECC-p   ECC-2^m   DH/DSA/RSA-n
Skipjack: 80      192     163       1024
3-DES: 112        224     233       2048
AES-Small: 128    256     283       3072
AES-Medium: 192   384     409       7680
AES-Large: 256    521     571       15360

For the same level of resistance against the best known attacks, the system parameters for an elliptic curve-based system can be chosen to be much smaller than the parameters for RSA or mod p systems. For example, in Table 1, an elliptic curve over a 163-bit field currently gives the same level of security as a 1024-bit RSA modulus or Diffie-Hellman prime. The difference becomes even more dramatic as the desired security level increases. For example, 571-bit ECC is currently equivalent in security to 15,360-bit RSA/DH/DSA.

Public key protocols are used in combination with symmetric key algorithms. The overall strength of the system is the strength of the weakest link. Recently the new federal Advanced Encryption Standard (AES) was introduced, providing greater security than its symmetric key predecessor. At key lengths of 128, 192, and 256, AES has made ECC systems even more attractive as a key agreement alternative. This growing difference in key bit length for equivalent security levels accounts for the performance advantages to be obtained from substituting ECC for RSA/DH/DSA in public key cryptographic protocols.

ECC on embedded systems

The contributions in [5] and [6] are analysed in this section. In [5], an ECC implementation over prime fields on the 16-bit TI MSP430x33x family of low-cost microcontrollers is described. The authors in [5] show that it is possible to implement EC cryptosystems in highly constrained embedded systems and still obtain acceptable performance at low cost. They modified the EC point addition and doubling formulae to reduce the number of intermediate variables while at the same time allowing for flexibility. In addition, [5] uses Generalized-Mersenne primes to implement the arithmetic in the underlying field, taking advantage of the special form of the moduli to minimize the number of precomputations needed to implement the underlying arithmetic. These ideas are combined to achieve an EC scalar point multiplication in 3.4 seconds without any stored/precomputed values and with the processor clocked at 1 MHz. The authors in [6] implemented EC over binary fields on a Motorola Dragonball CPU, which is used on the popular Palm Personal Digital Assistants (PDAs). The Dragonball offers 16-bit and 32-bit operations and runs at 16 MHz.
Using Koblitz curves over $GF(2^{163})$, [6] shows that it is possible to perform an ECDSA signature generation operation in less than 0.9 sec., while a verification operation requires less than 2.4 sec. The authors point out that Koblitz curves over fields $GF(2^{163})$ provide about the same level of security as RSA with a 1024-bit length, while at the same time providing acceptable performance, which is not possible to achieve by using RSA-based systems since the integer multiplier in the Dragonball processor is very slow. This paper focuses on the relevance between Elliptic Curve Cryptosystems (ECC) and embedded systems applications, and the performance advantages to be obtained in embedded systems.

Conclusion

The basic concepts, properties and performance of Elliptic Curve Cryptosystems (ECC) and the performance advantages to be obtained in embedded systems have been discussed here, and the application of ECC in embedded systems has been analysed using [5] and [6].

References

[1]. Kristin Lauter, The Advantages of Elliptic Curve Cryptography for Wireless Security, IEEE Wireless Communications, February 2004.
[2]. J. Silverman, The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.
[3]. Neal Koblitz, A Survey of Public-Key Cryptosystems, August 7, 2004,
[4]. Additional ECC Groups for IKE, Mar. 2001, http://www.ietf.org/proceedings/01dec/I-D/draftietfipsec-ike-eccgroups-03.txt
[5]. J. Guajardo, R. Bluemel, U. Krieger, and C. Paar. Efficient Implementation of Elliptic Curve Cryptosystems on the TI MSP430x33x Family of Microcontrollers. In K. Kim, editor, Fourth International Workshop on Practice and Theory in Public Key Cryptography - PKC 2001, volume LNCS 1992, pages 365-382, Berlin, February 13-15 2001. Springer-Verlag.
[6]. A. Weimerskirch, C. Paar, and S. Chang Shantz. Elliptic Curve Cryptography on a Palm OS Device. In V. Varadharajan and Y. Mu, editors, The 6th Australasian Conference on Information Security and Privacy - ACISP 2001, volume LNCS 2119, pages 502-513, Berlin, 2001. Springer-Verlag.
[7]. R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public key cryptosystems. Commun. of the ACM, 21:120-126, 1978.
[8]. W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory, 22 (1976), pp. 644-654.
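
The point arithmetic of sections 4.1 to 4.3, the ECDSA steps of section 2 and the ECDH exchange of section 3, put together as an added example that is not part of the original paper. The toy curve, the function names (add, mul, sign, verify, ecdh), the use of SHA-256 as HASH and the on-curve check on the peer's key are assumptions made for illustration.

```python
import hashlib
import secrets
# Constructed toy domain parameters (assumption, far too small for real use):
# y^2 = x^3 + 2x + 2 over F_17, generator G = (5, 1) of prime order n = 19.
P, A, B, G, N = 17, 2, 2, (5, 1), 19
O = None  # point at infinity, the additive identity

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def add(J, K):  # point addition (4.2); doubling slope (4.3) when J == K
    if J is O or K is O:
        return K if J is O else J
    (xj, yj), (xk, yk) = J, K
    if xj == xk and (yj + yk) % P == 0:   # K = -J, or doubling with y = 0
        return O
    if J == K:
        s = (3 * xj * xj + A) * pow(2 * yj % P, -1, P) % P   # tangent slope
    else:
        s = (yj - yk) * pow((xj - xk) % P, -1, P) % P        # chord slope
    xl = (s * s - xj - xk) % P
    return (xl, (-yj + s * (xj - xl)) % P)

def mul(k, pt):  # double-and-add (4.1), MSB first; not constant time
    Q = O
    for bit in bin(k)[2:]:
        Q = add(Q, Q)
        if bit == "1":
            Q = add(Q, pt)
    return Q

def hash_int(m):  # SHA-256 is an assumption; digest reduced mod the toy n
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N

def sign(d, m):
    while True:                                   # retry when r = 0 or s = 0
        k = secrets.randbelow(N - 1) + 1          # fresh random k in [1, n-1]
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (hash_int(m) + d * r) % N
        if r and s:
            return r, s

def verify(Q, m, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):           # step 1: range check
        return False
    w = pow(s, -1, N)
    X = add(mul(hash_int(m) * w % N, G), mul(r * w % N, Q))
    return X is not O and X[0] % N == r

def ecdh(d, Q_peer):
    if Q_peer is O or not on_curve(Q_peer):       # reject invalid peer points
        raise ValueError("peer public key is not a valid curve point")
    return mul(d, Q_peer)[0]                      # shared secret is X_K
```

With n = 19 every intermediate value can be checked by hand against the formulas in the text, and the small group makes the r = 0 and s = 0 retry paths actually occur; signatures over such a group offer no security.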