Elliptic Curve Cryptography
Aditya Babel, F090740
Universiteit Utrecht, INFOB3CRP - Cryptography

Abstract
In this paper we explore the basic features of elliptic curve cryptography (ECC) without going into the intricate mathematical details. We develop just enough mathematical theory to describe elliptic curve groups and their internal operations. Throughout the paper we compare ECC to other asymmetric schemes such as RSA and ElGamal and, in doing so, hope to convince the reader that, despite its somewhat uninviting and complicated look, ECC is a reliable cryptographic scheme that will be important in the near future, with the potential to replace RSA or ElGamal as the de facto asymmetric scheme.

Introduction: The prominence of asymmetric cryptography in today's world
The emergence of asymmetric cryptography over recent decades has opened up a wide range of applications for both commercial and government use. Its importance cannot be overstated: many current security schemes would be far less useful, or far less efficient, if we had to rely on symmetric protocols like DES or AES alone. The big problem in symmetric systems is the distribution of the secret key. Symmetric ciphers can be very strong in themselves, and they are often easier for a novice in computer security to understand, but one question always arises: if two parties want to communicate securely, how do they exchange the secret key that the cipher requires? This age-old problem has few good solutions, and the parties are often resigned to agreeing on the key beforehand, out of band. That is fraught with danger, especially if the information is highly valuable and sought after by some third party, and it scales badly in a modern world where millions of users want to connect with each other securely.
In a large, fully meshed network of N communicating entities, maintaining a unique symmetric key for every communicating pair requires the management of N(N - 1)/2 keys. With asymmetric cryptography this quantity drops to N key pairs. In a group of 1,000 users, that is the difference between managing 1,000 key pairs and 499,500 keys.

The key idea behind asymmetric cryptography is the use of a public key and a private key, with the guarantee that obtaining the private key from the public key is infeasible. Looking more closely, every asymmetric scheme is built on a mathematical function whose forward step is easy to compute while the inverse step is far more computationally intensive. One of the great triumphs of most asymmetric systems is the way this gap grows with the key size: the cost of the forward step grows only polynomially in the number of bits, whereas the cost of the best known inversion algorithms grows exponentially (or, for factoring and the discrete logarithm in Z_p^*, sub-exponentially). This matters because it means that even the rapid increase in computational power over time does not catch up: a computer 20 times more powerful than the fastest one available today would not break RSA as such, since we can simply choose larger primes and make the attacker's problem much harder at little cost to ourselves. In this way we can plan for security: take Moore's Law into account (that, due to technological advances, computing power doubles roughly every two years) and choose keys large enough that they need not be changed for the required lifetime of the data. So asymmetric cryptography is clearly indispensable in today's connected world.
But which of the many kinds of asymmetric cryptography should we use? Is any one of them better than the others? Why bother with elliptic curve cryptography, one of the newer forms, when one could stick to a more established scheme such as RSA? It is natural to begin with a quick survey of the more prominent asymmetric schemes.

Different asymmetric cryptographic systems
Several asymmetric schemes have been invented by mathematicians and computer scientists over the years, among them RSA, the Diffie-Hellman key exchange, and its close relative ElGamal. All of them, as stated before, rest on a one-way function. The word "one-way" is used because, while the inverse operation is possible in principle, it becomes infeasible as the size of the problem grows. RSA exploits the intractability of integer factorization: Rivest, Shamir, and Adleman observed that multiplying two primes is easy even when they are very large, whereas recovering the primes from their product has no known efficient algorithm. The best we can do is a "sub-exponential" attack (the number field sieve is the current state of the art) to find the elusive prime factors of the composite number. Both the Diffie-Hellman key exchange and ElGamal instead rely on the difficulty of the discrete logarithm problem, the first to agree on a key and the second to encrypt messages. It is worthwhile to describe the exchange in more detail.

We work in a finite cyclic group of prime order q, so that every non-identity element is a generator of the whole group. In practice this is a subgroup of Z_p^*, the multiplicative group of the integers modulo a large prime p: the order of Z_p^* itself is p - 1, which is even and never prime, so one picks p such that q divides p - 1 and an element g of order q. (The additive group Z_p, although it has prime order, is useless here, because "discrete logarithms" in it are computed by ordinary division modulo p.) Suppose two parties, Alice and Bob, wish to communicate securely. They agree openly on p, q, and the generator g. Alice then chooses a secret integer a in [1, q - 1] as her private key and sends A = g^a mod p to Bob.
Bob, for his part, chooses his own private key b and sends Alice B = g^b mod p. Alice computes the shared secret s = B^a mod p and Bob computes A^b mod p; the two values are equal because g^{ab} = g^{ba}. Through this simple exchange both parties now hold the secret s, from which they derive the key used to encrypt the messages they send each other. A third party, the eavesdropper Eve, learns p, q, g, A, and B. Recovering s from these is the Diffie-Hellman problem, and the only known general way to solve it is to solve the discrete logarithm problem (determining a from p, g, and A), which is believed to be hard; so a passive Eve can do nothing. Note that the exchange as described offers no authentication: an active attacker who can replace A and B in transit with her own values ends up sharing one secret with Alice and another with Bob, so in practice the public values must be bound to identities, for instance by signing them.

Elliptic curve cryptography is very similar to Diffie-Hellman and ElGamal in that it too relies on the difficulty of the discrete logarithm, but in a different underlying group. To understand it, one must first understand elliptic curves and their group structure.

Elliptic Curve Groups
Elliptic curves are mathematical objects that have been scrutinised by top mathematicians for the past 150 years. They have many important, elegant, and delightful properties, and many research papers have been devoted solely to exploring them. The feature that matters here is that the points of such a curve form a mathematical group. Before describing that group structure, we first define what an elliptic curve actually is, and it is natural to start with the real numbers. An elliptic curve over the field of real numbers is the set of points (x, y) satisfying an equation of the form

    y^2 = x^3 + ax + b,

with a and b real numbers. Every choice of a and b produces a different curve.
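Before moving on to curves, here is the Diffie-Hellman exchange of the previous section written out in Python, as an added example that is not part of the original paper. The group parameters are a constructed toy: p = 23 is a safe prime with q = 11 = (p - 1)/2, and g = 4 generates the subgroup of order 11, so every value can be checked by hand; a real deployment uses a standardised 2048-bit group or larger. The block also includes the two checks the narrative glosses over, validating the parameters and validating the peer's public value, which is what stops a malicious peer from pushing the shared secret into a tiny subgroup. Eve's brute-force search is included only to make the point that the exponent space must be enormous.

```python
"""Diffie-Hellman in a prime-order subgroup of Z_p^* (added example, toy parameters)."""
import secrets

# Constructed toy parameters: p is a safe prime (p = 2q + 1) and g has order q.
# A real deployment uses a standardised 2048-bit (or larger) group instead.
P, Q, G = 23, 11, 4


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def check_params(p, q, g):
    """Verify that (p, q, g) really describe a prime-order subgroup of Z_p^*."""
    if not (is_prime(p) and is_prime(q) and (p - 1) % q == 0):
        raise ValueError("p and q must be prime with q dividing p-1")
    if not (1 < g < p - 1 and pow(g, q, p) == 1):
        raise ValueError("g must have order q")
    return True


def valid_public_key(A, p, q):
    """Reject 0, 1, p-1 and anything outside the order-q subgroup.
    Skipping this lets a malicious peer force the shared secret into a
    small subgroup (or to 0 or 1), leaking bits of the private exponent."""
    return 1 < A < p - 1 and pow(A, q, p) == 1


def keygen(p, q, g):
    a = 1 + secrets.randbelow(q - 1)   # private exponent in [1, q-1]
    return a, pow(g, a, p)             # (a, A = g^a mod p)


def shared_secret(priv, peer_pub, p, q):
    if not valid_public_key(peer_pub, p, q):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, p)


def brute_force_dlog(g, A, p, q):
    """Eve's only generic option in a prime-order group: try every exponent.
    Feasible here because q = 11; at 2048 bits it is hopeless."""
    for n in range(q):
        if pow(g, n, p) == A:
            return n
    return None


def exchange(p=P, q=Q, g=G, a=None, b=None):
    """Run the full exchange; fixed a and b make the run reproducible."""
    check_params(p, q, g)
    a, A = (a, pow(g, a, p)) if a is not None else keygen(p, q, g)
    b, B = (b, pow(g, b, p)) if b is not None else keygen(p, q, g)
    s_alice = shared_secret(a, B, p, q)   # Alice computes B^a
    s_bob = shared_secret(b, A, p, q)     # Bob computes A^b
    assert s_alice == s_bob               # g^(ab) == g^(ba)
    return A, B, s_alice


if __name__ == "__main__":
    A, B, s = exchange(a=3, b=7)
    print(f"A = {A}, B = {B}, shared secret = {s}")
    print("Eve recovers a =", brute_force_dlog(G, A, P, Q))
```

With a = 3 and b = 7 the run gives A = 18, B = 8 and s = 6, and Eve recovers a after eleven trial exponentiations; the public-value check rejects 22 = p - 1, which has order 2 and would pin the secret to ±1.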
For example, a = -4 and b = 0.67 gives the curve drawn in the figure on the next page (the figure is not reproduced in this text). We can turn an elliptic curve into a group provided the cubic x^3 + ax + b has no repeated roots, or equivalently provided its discriminant 4a^3 + 27b^2 is not zero. We include a special point O, the "point at infinity", which serves as the identity of the group; the other elements are the points on the curve. Since the graph is symmetric about the x-axis, the inverse of a point P = (x, y) is -P = (x, -y). To add two distinct points P and Q, draw the line through them. If the line is vertical, which happens exactly when Q = -P, it meets the curve in no further point and we take the third intersection to be O, so P + (-P) = O. Otherwise the line meets the curve in exactly one further point R, and we define addition by P + Q + R = O, that is, P + Q = -R (the reflection of R in the x-axis). To add a point P to itself we use the tangent line at P in place of the chord. That these operations satisfy the group axioms is a standard result found in any text on basic algebraic geometry.

It is not difficult to turn the construction into formulas for P + Q with P and Q distinct and Q ≠ -P. Let P = (x_P, y_P), Q = (x_Q, y_Q), R = P + Q, and let

    M = (y_P - y_Q) / (x_P - x_Q)

be the slope of the line through P and Q. Then

    x_R = M^2 - x_P - x_Q   and   y_R = -y_P + M(x_P - x_R).

We now turn to the cases that matter in practice, where the underlying field is finite rather than the real numbers. Calculations over the reals are impractical: floating-point arithmetic is slow, it accumulates round-off errors so that results are not exact, and an infinite group is of no use for cryptography in any case. Finite fields are the norm in cryptography and elliptic curves are no exception. The first case we consider is the prime field F_p. We assume at first that the characteristic is not 2 (nor 3, since the short equation y^2 = x^3 + ax + b does not cover those characteristics either).
The same basic ideas carry over to finite fields. Over F_p we use the same curve equation with all arithmetic taken modulo p, and the equation defines a group when the cubic has no repeated roots, i.e. when 4a^3 + 27b^2 is not 0 (mod p). The group consists of the points with coordinates in F_p that satisfy the equation, together with the point at infinity O, just as in the real case. For instance, consider y^2 = x^3 + x over F_23 (a = 1, b = 0). The point (9, 5) satisfies the equation, as is easily checked by substitution: 9^3 + 9 = 738 ≡ 2 and 5^2 = 25 ≡ 2 (mod 23). In fact exactly 23 points satisfy the equation (the table listing them is not reproduced here), so together with O the group has 24 elements. Although these points may look random at first sight, they are symmetric about the line y = 11.5, because the inverse of P = (x, y) is -P = (x, -y mod p) = (x, p - y).

Since there is no picture in which to "connect points" over a finite field, the sum of two points is simply defined by the formulas, now taken modulo p (for Q ≠ P and Q ≠ -P). Let P = (x_P, y_P), Q = (x_Q, y_Q), R = P + Q, and

    M = (y_P - y_Q) / (x_P - x_Q) (mod p),

where the division means multiplication by the modular inverse. Then

    x_R = M^2 - x_P - x_Q (mod p)   and   y_R = -y_P + M(x_P - x_R) (mod p).

A similar formula doubles a point P = (x_P, y_P), using the slope of the tangent: with R = 2P and

    M = (3x_P^2 + a) / (2y_P) (mod p),

    x_R = M^2 - 2x_P (mod p)   and   y_R = -y_P + M(x_P - x_R) (mod p).

(If y_P = 0 the tangent is vertical, P = -P, and 2P = O.) As over the real numbers, these operations make the set of points a group.

Finally, we consider fields of characteristic 2. These are of most practical interest because their elements are bit strings, so the arithmetic maps naturally onto hardware and software. Consider the field F_{2^m} with 2^m elements; its elements are represented as bit strings of length m, and addition, multiplication, and division are performed either modulo an irreducible polynomial of degree m (polynomial basis) or in an optimal normal basis representation. In either representation addition is simply bitwise XOR.
An elliptic curve group over this field is formed by choosing elements a and b of the field, the only condition being that b ≠ 0. Since the field has characteristic 2, the short equation used above is no longer suitable, and the curve equation takes the form

    y^2 + xy = x^3 + ax^2 + b.

As always, the curve consists of all points over the field that satisfy the equation, and the group consists of those points together with the usual point at infinity O. There are finitely many points on such a curve, as the following example illustrates. Consider the curve y^2 + xy = x^3 + g^4 x^2 + 1 over the field F_{2^4}, with elements written as 4-bit strings. Here g = (0010), i.e. the polynomial x, is a multiplicative generator of the field; with the reduction polynomial x^4 + x + 1 (so that g^4 = g + 1) its powers are:

    g^0  = (0001)   g^1  = (0010)   g^2  = (0100)   g^3  = (1000)
    g^4  = (0011)   g^5  = (0110)   g^6  = (1100)   g^7  = (1011)
    g^8  = (0101)   g^9  = (1010)   g^10 = (0111)   g^11 = (1110)
    g^12 = (1111)   g^13 = (1101)   g^14 = (1001)   g^15 = (0001) = g^0

In cryptographic applications the field is of course far larger, so that its elements cannot simply be enumerated by a computer: fields of 2^160 elements and upwards were typical at the time of writing, and 2^256 or more is usual in current practice. Writing elements as powers of the generator keeps the notation short and simplifies the computations. Using it, the fifteen points that satisfy the equation are:

    (1, g^13)    (g^3, g^13)   (g^5, g^11)   (g^6, g^14)   (g^9, g^13)
    (g^10, g^8)  (g^12, g^12)  (1, g^6)      (g^3, g^8)    (g^5, g^3)
    (g^6, g^8)   (g^9, g^10)   (g^10, g)     (g^12, 0)     (0, 1)

Together with O the group has 16 elements. The inverse of a point is now -P = (x_P, x_P + y_P), which is why the points above come in pairs sharing an x-coordinate. As in the previous cases there are formulas for adding points; in characteristic 2 subtraction and addition coincide, so every minus sign becomes a plus. If Q ≠ P, Q ≠ -P, R = P + Q, and

    M = (y_P + y_Q) / (x_P + x_Q),

then

    x_R = M^2 + M + x_P + x_Q + a   and   y_R = M(x_P + x_R) + x_R + y_P.

To double a point P, with R = 2P and

    M = x_P + y_P / x_P,

    x_R = M^2 + M + a   and   y_R = x_P^2 + (M + 1) x_R.

(If x_P = 0 then P = -P and 2P = O.) And, as always, P + O = P for every P. With these elliptic curve groups in hand, elliptic curve cryptography itself becomes understandable.
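The characteristic-2 arithmetic above, as an added example that is not part of the original paper: the field F_{2^4} is built from the reduction polynomial x^4 + x + 1 (an assumption, since the paper does not state its polynomial, but it is the one under which g = (0010) has the power table shown), elements are plain 4-bit integers so that field addition is XOR, and the curve is the paper's y^2 + xy = x^3 + g^4 x^2 + 1. The block re-derives the generator table and the fifteen points, and implements the binary-curve addition and doubling formulas, including the x_P = 0 case that the doubling formula cannot handle.

```python
"""F_{2^4} arithmetic and the paper's binary curve y^2 + xy = x^3 + g^4 x^2 + 1 (added example)."""

M = 4             # the field is F_{2^M}
MOD = 0b10011     # x^4 + x + 1: assumed reduction polynomial (it gives g^4 = g + 1 = 0011)
G = 0b0010        # the generator g, i.e. the polynomial x
O = None          # point at infinity


def gf_mul(a, b):
    """Carry-less multiply, reducing after each shift (schoolbook; fine for toy sizes).
    Field addition is plain XOR, so no helper is needed for it."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:            # degree reached M: subtract (XOR) the reduction polynomial
            a ^= MOD
    return r


def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r


def gf_inv(a):
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, 2**M - 2)          # a^(2^M - 2) = a^-1 because a^(2^M - 1) = 1


GPOW = [gf_pow(G, i) for i in range(2**M - 1)]    # g^0 .. g^14, the paper's table


def log_g(a):
    """Exponent i with g^i = a (None for a = 0), i.e. the paper's g^i notation."""
    return GPOW.index(a) if a else None


class BinaryCurve:
    """y^2 + xy = x^3 + a x^2 + b over F_{2^M}, b != 0, affine coordinates."""

    def __init__(self, a, b):
        if b == 0:
            raise ValueError("b must be non-zero")
        self.a, self.b = a, b

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        x2 = gf_mul(x, x)
        return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(self.a, x2) ^ self.b

    def neg(self, P):
        return O if P is O else (P[0], P[0] ^ P[1])     # -P = (x, x + y)

    def add(self, P, Q):
        if P is O:
            return Q
        if Q is O:
            return P
        if P[0] == Q[0]:
            if P[1] != Q[1] or P[0] == 0:               # Q = -P, or doubling with x = 0
                return O
            x, y = P                                    # doubling: M = x + y/x
            m = x ^ gf_mul(y, gf_inv(x))
            xr = gf_mul(m, m) ^ m ^ self.a
            yr = gf_mul(x, x) ^ gf_mul(m ^ 1, xr)
        else:                                           # distinct x: M = (yP + yQ)/(xP + xQ)
            m = gf_mul(P[1] ^ Q[1], gf_inv(P[0] ^ Q[0]))
            xr = gf_mul(m, m) ^ m ^ P[0] ^ Q[0] ^ self.a
            yr = gf_mul(m, P[0] ^ xr) ^ xr ^ P[1]
        return (xr, yr)

    def mul(self, n, P):
        """Double-and-add scalar multiplication."""
        R, acc = O, P
        while n:
            if n & 1:
                R = self.add(R, acc)
            acc, n = self.add(acc, acc), n >> 1
        return R

    def points(self):
        """All affine points by exhaustive search (16 x 16 candidates here)."""
        return sorted((x, y) for x in range(2**M) for y in range(2**M)
                      if self.on_curve((x, y)))


# The paper's curve: a = g^4, b = 1.
E16 = BinaryCurve(a=GPOW[4], b=1)

if __name__ == "__main__":
    print("g^i table:", [f"{v:04b}" for v in GPOW])
    pts = E16.points()
    print(len(pts), "affine points, as (log_g x, log_g y):",
          [(log_g(x), log_g(y)) for x, y in pts])
```

Doubling (1, g^13) lands on (0, 1), the unique point with x = 0, and doubling that gives O, so (1, g^13) has order 4 in the group of 16.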
Elliptic Curve Cryptography
This form of cryptography is very akin to Diffie-Hellman and ElGamal in that the underlying computationally infeasible problem is again a discrete logarithm. Taking a point P on the curve, we choose a random large integer n and compute nP (P added to itself n times). Mathematicians have devised very fast ways of computing this "scalar multiplication": the double-and-add method, for instance, needs only about log2(n) doublings and at most as many additions instead of n - 1 additions, which is what makes 160-bit or 256-bit scalars practical. The elliptic curve discrete logarithm problem (ECDLP) asks one to recover n when given the group, P, and nP. This turns out to be much harder than the forward computation; in fact, with respect to the number of bits used, it is harder than the discrete logarithm behind Diffie-Hellman and ElGamal and than the factoring problem behind RSA. A more precise description of this "superiority" of ECC follows in the next section. Using this variant of the discrete logarithm problem we can run exactly the same procedures as with Diffie-Hellman (to exchange keys) or ElGamal (to encrypt messages): the protocols are unchanged, only the group operation differs.

Comparison versus other forms of cryptography
While ECC sounds elegant to many computer scientists and mathematicians, it is not an easy subject to understand. In today's world, where cryptographic schemes are regularly explained to the managers of large corporations who intend to deploy them, it is often difficult to convey to a layman the benefits of fancy mathematical objects like finite fields and elliptic curves. This may put ECC a step behind more familiar schemes like RSA, but its advantages must not be ignored. Most cryptographic schemes can be made as hard to crack as one requires; all the user has to do is increase the key size. The difference between two schemes then lies in the key size each needs to give the same amount of "protection".
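As an added example, not taken from the paper, here is the prime-field arithmetic of the "Elliptic Curve Groups" section and the elliptic-curve key exchange just described, in Python. The curve is the paper's own toy, y^2 = x^3 + x over F_23 (so a = 1, b = 0), which lets the block recover the 23 affine points the paper counts; the base point (11, 10), which generates the whole group of 24, and the private scalars 5 and 7 are constructed choices. Because the group is tiny, Eve can recover n from nP by exhaustion, which the block demonstrates; the same code with a 256-bit prime leaves her with roughly 2^128 curve operations via Pollard's rho.

```python
"""Short-Weierstrass curve arithmetic over F_p, plus ECDH (added example)."""

O = None  # the point at infinity, the identity of the group


class Curve:
    """y^2 = x^3 + a*x + b over F_p, p > 3, in affine coordinates."""

    def __init__(self, a, b, p):
        if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("p must exceed 3 and the curve must be non-singular")
        self.a, self.b, self.p = a % p, b % p, p

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return O if P is O else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition; division is multiplication by a modular inverse."""
        p = self.p
        if P is O:
            return Q
        if Q is O:
            return P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return O                                                 # Q == -P: vertical line
        if P == Q:
            m = (3 * P[0] ** 2 + self.a) * pow(2 * P[1], -1, p) % p  # tangent slope
        else:
            m = (P[1] - Q[1]) * pow(P[0] - Q[0], -1, p) % p         # chord slope
        x = (m * m - P[0] - Q[0]) % p
        y = (m * (P[0] - x) - P[1]) % p
        return (x, y)

    def mul(self, n, P):
        """Double-and-add: about log2(n) doublings instead of n-1 additions."""
        R, acc = O, P
        while n:
            if n & 1:
                R = self.add(R, acc)
            acc, n = self.add(acc, acc), n >> 1
        return R

    def points(self):
        """All affine points by exhaustive search (toy sizes only)."""
        return sorted((x, y) for x in range(self.p) for y in range(self.p)
                      if self.on_curve((x, y)))

    def order(self, P):
        """Smallest n > 0 with nP = O."""
        n, R = 1, P
        while R is not O:
            R, n = self.add(R, P), n + 1
        return n


def brute_force_ecdlp(curve, P, Q):
    """Recover n with nP = Q by exhaustion; only possible because the group is tiny."""
    n, R = 0, O
    while n <= 2 * curve.p + 2:        # Hasse bound: the group has fewer elements than this
        if R == Q:
            return n
        R, n = curve.add(R, P), n + 1
    return None


def ecdh(curve, P, a, b):
    """Alice holds a, Bob holds b; both end with the same point (ab)P."""
    A, B = curve.mul(a, P), curve.mul(b, P)          # public values
    s_alice, s_bob = curve.mul(a, B), curve.mul(b, A)
    assert s_alice == s_bob
    return A, B, s_alice


# The paper's toy curve y^2 = x^3 + x over F_23.
E23 = Curve(a=1, b=0, p=23)

if __name__ == "__main__":
    pts = E23.points()
    print(len(pts), "affine points, group order", len(pts) + 1)
    print("order of (11, 10):", E23.order((11, 10)))
    A, B, s = ecdh(E23, (11, 10), a=5, b=7)
    print("A =", A, "B =", B, "shared point =", s)
    print("Eve recovers a =", brute_force_ecdlp(E23, (11, 10), A))
```

The run reports 23 affine points, confirms that (11, 10) has order 24 while the paper's (9, 5) has order only 6, and yields A = (19, 22), B = (17, 10) and the shared point (21, 17); choosing a base point of small order, as (9, 5) would be here, is exactly the kind of parameter mistake a real implementation must rule out by checking the order of the base point.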
One of the state-of-the-art methods for attacking RSA or ElGamal is the index calculus method. It turns factoring and the discrete logarithm in Z_p^* into sub-exponential problems with respect to the bit-size. The key point in ECC's favour is that index calculus depends on a notion of "small" or smooth elements that exists in groups of the form Z_n but has no useful counterpart in most elliptic curve groups, so the method does not apply to them. The strongest attack known against a general elliptic curve group is Pollard's rho method, and it is a generic attack: it needs on the order of the square root of the group order in curve operations, so its cost is fully exponential in the bit-length of the group rather than sub-exponential. A few special classes of curves do admit faster attacks, but such curves are easy to recognise and are simply avoided when parameters are chosen. Because of this, RSA and ElGamal need much larger parameters than ECC for the same security, as the following table comparing RSA and ECC illustrates (ElGamal, whose security rests on the discrete logarithm in Z_p^*, needs parameters at least as large as RSA):

                       ECC        RSA
    System parameters  641 bits   0 bits
    Public key         161 bits   1041 bits
    Private key        160 bits   2048 to 2560 bits

The table gives the amount of information, in bits, needed to achieve the same level of security, as specified and verified by RSA Laboratories. ECC understandably needs a fair number of system parameters for initialisation (the field, the curve coefficients, the base point and its order), but for the security level recommended by the US security organisations the keys themselves are far smaller: an elliptic curve group of order about 2^160 gives roughly the same security as a 1024-bit RSA modulus. Couple this with Moore's law (computer speeds doubling every two years) and RSA systems may become harder and harder to manage as ever larger moduli are needed, whereas with ECC the growth in key size is far more modest.
Looking at the research trends over the past five years, very little progress has been made toward solving the elliptic curve discrete logarithm problem faster, which underlines the potential of ECC for the future. Smaller group sizes also mean faster computation, less heat, and considerable savings in energy. Finally, ECC has paved the way for several other kinds of cryptography, such as pairing-based cryptography, which is widely regarded as the "next big thing".

Conclusion
While ECC may be relatively difficult for the layman to understand, it is nevertheless an important technology with great potential to prosper in the future. The richer structure of elliptic curve groups makes the elliptic curve discrete logarithm problem harder to crack than its classical counterpart. With fewer bits required for the same security, ECC compares favourably with both RSA and Diffie-Hellman. Through this paper, I hope to have communicated some of the major aspects of ECC whilst leaving out the most technical of the mathematical details.

References
- Wikipedia: Elliptic Curve Cryptography, http://en.wikipedia.org/wiki/Elliptic_curve_cryptography
- Device Forge: An Intro to Elliptic Curve Cryptography, http://www.deviceforge.com/articles/AT4234154468.html
- RSA Laboratories: Overview of Elliptic Curve Cryptosystems, http://www.rsa.com/rsalabs/node.asp?id=2013
- Steven Galbraith: Elliptic Curve Cryptography, http://www.isg.rhul.ac.uk/~sdg/ecc.html
- Certicom: ECC Tutorial, http://www.certicom.com/index.php/10-introduction
- Wikipedia: Elliptic Curves, http://en.wikipedia.org/wiki/Elliptic_curve
- Wikipedia: Diffie-Hellman key exchange, http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- Wikipedia: ElGamal encryption, http://en.wikipedia.org/wiki/ElGamal_encryption