Elliptic Curve Cryptosystem And Its Applications
Mostly by 游菀瑄
Outline

Elliptic Curve



Basic definition
Operations：addition & scalar
Elliptic Curve Cryptosystem

Security considerations




ECC vs. RSA comparison
Implementation considerations
Applications
Conclusions
Some messages:
How secure are RSA and Diffie-Hellman?
There are known subexponential (but superpolynomial)
algorithms for breaking RSA and Diffie-Hellman based on modular
arithmetic. Elliptic Curve Cryptography(ECC) is important because
the mathematicians do not (yet?) have subexponential algorithms
for breaking it. Therefore, it is believed to be secure with much
smaller key sizes, which is important for performance. ECC is a
candidate replacement for public key cryptographic schemes like
RSA, Diffie-Hellman, ElGamal, DSS, etc. For some of these
cryptographic schemes, one can replace modular multiplication by
elliptic curve multiplication directly, resulting in algorithms
referred to as ECC Diffie-Hellman, ECC ElGamal, etc.
An elliptic curve is a set of points on the coordinate plane
satisfying an equation of the form y2 = x3 + ax + b. In order to use
elliptic curves for, say , Diffie-Hellman, there needs to be some
mathematical operation on two points in the set that will always
produce a point also in the set. Let’s call that operation
multiplication, although in ECC it will not look like the
multiplication you are used to. And the operation has to be
associative, so that you can use the repeated squaring trick to raise
a number to a large power in time linear with the length of the
exponent. In other words, to “exponentiate” a point by 128, you
should be able to “multiply” the point by itself, then multiply the
result by itself, again and again, etc. Since “multiplication” is
associative, it will be true that (gx)y = gxy = (gy)x . And it is also
important that doing discrete logs is hard.
Q: ECC之key size較 RSA之key size 小, why?
ECC是PKC之一種, 其安全之所繫乃基於ECDLP.
迄今止之alg’s 對ECDLP需 fully exponential time,
然而, RSA安全乃基於 the integer factorization,
不過, 目前對付因數分解之演算法卻有
subexponential-time之世出, 此即ECC之key size
較 RSA之key size 小 之因.
{ 160 vs. 1024 }
Basic definition (1/2)

Elliptic E curve over Zp：
y2=x3+ax+b,
where a,b Zp, and 4a3+27b2 0 (mod p),
together with  (the point at infinity).

The set E(Zp) consists of all points (x,y),
x  Zp, y  Zp, which satisfy the defining
equation E, together with O.
Basic definition (2/2)

假設P(x, y)是橢圓曲線上的一點，則





P+O = O+P = P (+ or ◎ or ®)
(O serves as the identity element)
-P=(x, -y)為點P(x, y)的負點
If Q = -P, then P+Q=O
If PO, QO, Q-P, then P+Q=R
若P的秩(order)為n，則n是最小的正整數
使得nP=O
The important criterion in selecting a generator point G(x1,y1)
is that the smallest value of n ,for which nG=O ,
be a very large prime number.
Ep(a,b) and G are parameters of the cryptosystem known
to all participants.
Operations
Zp*
E(Zp)
Multiplication
Addition(®)
Exponentiation
Scalar (Multiple) nP
Elliptic curves are interesting because they provide a way of constructing
“elements” and “rules of combining” that produce groups.
These groups have enough familiar properties to build cryptographic
algorithms, but they don’t have certain properties that may facilitate
cryptanalysis. For example, there is no good notion of “smooth.” That is, there
is no set of small elements in terms of which a random element has a good
chance of being expressed by a simple algorithm. Hence, index calculus
discrete logarithm algorithm do not work.
Elliptic curves over the finite field GF(2n) are particularly interesting. The
arithmetic processors for the underlying field are easy to construct and are
relatively simple to implement for n in the range of 130 to 200. These systems
have the potential to provide small and low-cost public-key cryptosystems.
Many public-key algorithms, like Diffie-Hellman, ElGamal, and Schnorr, can
be implemented in elliptic curves over finite fields.
Correspondence between Zp* and E(Zp) notation
Group
Zp*
E(Zp)
Group elements
Integers
{1, 2, …, p-1}
Points (x, y) on E
plus O
Group operation
Multiplication
modulo p
Addition of points
Notation
Elements：g, h
Multiplication：g•h
Inverse：g-1
Division： g / h
Exponentiation： ga
Elements：P, Q
Addition：P+Q
Negative：-P
Subtraction：P-Q
Multiple：aP
Given g Zp*
Discrete Logarithm and h = ga mod p,
Problem
find a
Given P E(Zp)
and Q = aP,
find a
Addition operation
橢圓曲線上成一直線的三
個點，其和為O。
P + Q + (-R) = O
P+Q=R
加法運算：
P+Q的結果R為“取P,Q兩
點的直線與橢圓曲線相交
之唯一交點的負點”。
Scalar operation
倍數運算：
P+P=2P的結果為“點2P是
經過P點的切線與橢圓曲線
相交之唯一交點的負點”。
依此類推…
kP=P+P+…+P (k個P相加)
Elliptic Curve Cryptosystem


Proposed by Neal Koblitz and V. S. Miller
(independently)in 1985.They did not invent a
cryptographic algorithm using ECs.
Standards：




ANSI X9.62 — ECDSA
ANSI X9.63 — EC Key Agreement and Transport Protocols
IEEE P1363 standard—Standard Specifications for PKI
Hard problem：

Elliptic curve discrete logarithm problem (ECDLP)

Given P, Q to find k such that Q=kP
ECC Security Considerations

Attacks：

Attacks on the elliptic curve discrete logarithm
problem








Naive exhaustive search
Pohlig-hellman algorithm
Baby-step Giant-step algorithm：(n)1/2 steps
Pollard’s rho algorithm：(n/2)1/2 steps
Parallelized Pollard’s rho algorithm：(n)1/2 /2r steps
Attacks on the hash function employed
Other attacks
Experimental Results 目前最快
Parallelized Pollard’s rho algorithm：(n)1/2 /2r steps
(r processors, n is the order of the point P)
Comparison：ECC vs. RSA
橢圓曲線密碼系統
RSA密碼系統
金鑰長度
(bits)
計算時間
(MIPS-Years)
金鑰長度
(bits)
計算時間
(MIPS-Years)
150
3.8 x 1010
512
3 x 104
205
7.1 x 1018
768
2 x 108
234
1.6 x 1028
1024
3 x 1011
1280
1 x 1014
1536
3 x 1016
2048
3 x 1020
160
使用Pollard rho method分析，解決
橢圓曲線離散對數問題。
使用Generalized number field sieve
method分析，解決質數分解問題。
ECC Implementation Considerations






Security considerations
Suitability of methods available for optimizing finite field
arithmetic(addition, multiplication, squaring, and inversion)
Suitability of methods available for optimizing elliptic curve
arithmetic (point addition, point doubling, and scalar
multiplication)
Application platform (software, hardware, or firmware)
Constraints of a particular computing environment (e.g.,
processor speed, storage, code size, gate count, power
consumption)
Constraints of a particular communications environment
(e.g., bandwidth, response time)
Applications





Key Exchange (analogous to DH)
Encryption & Decryption (analogous to ElGamal)
Digital Signature (analogous to DSA)
Authentication
……
D-H key exchange using ECC
q

公開參數
prime number
<q and is a primitive root of q
User A
產生Xa
收到Y
X= Xa mod q
Y= Xb mod q
Kab=YXa mod q
=XbXa mod q
=
公開參數
橢圓曲線Ep(a,b)及其generator G=(x1,y2)
User B
User A
收到X
產生亂數nA
,less than n.
產生Xb
Kab=XXb mod q
=XaXb mod q
Diffie-Hellman Key Exchange Algorithm
收到Y
Kab=nAY
=nAnB G
User B
X= nAG
Y=nBG
=
收到X
產生亂數K
,less than n.
Kab=nBX
=nAnB G
Key Exchange Using Elliptic Curve Cryptography
ElGamal encryption using ECC
ElGamal encryption
Key
generation
EC ElGamal encryption
Generate a prime p of length k bits.
Compute a generator g for Zp*
Select x, 2  x  p-2
Select (p, a, b, G), G E(Zp) such
that the smallest n for nG=O is large.
Select na<n
y = gx mod p
public key：(g, p, y)
private key：x
Pa=naG
public key：(p, a, b, Pa)
private key：na
Encryption Select k, 1  k  p-2
Select nk< n.
C={gk mod p, Myk mod p} Cm = {nkG, Pm+nkPa}
Decryption Receive C = {a, b}
M = b/ax mod p
Receive Cm = {Pk, Pb}
Pm=Pb- naPk = Pm+nkPa-naPk
y2=x3+ax+b
The simplest ECC example:
1. To encode the plaintext message m into an x-y point Pm .
2. As with the key exchange system, an encryption/decryption
system requires a point G and an elliptic group Ep(a,b) as
parameters. Each user A selects a private key nA and
generates a public key pA = nA * G.
3. To encrypt and send a message Pm to B. A chooses a
random positive integer k and produces the ciphertext Cm
consisting of the pair of points Cm = {kG, Pm + kPB} ,note
that A has used B’s public key PB.
4. To decrypt the ciphertext as: Pm + kPB – nB(kG) = Pm +
k(nBG) – nB(kG) = Pm .
[ 與 Diffie-Hellman Key Agreement 部份相同者]
設 g 為 GF(P)之原根, P 為一大質數, XB 是 B 選取之密鑰, YB = gXB
mod P 是
B的
公鑰(準備送給A的).
現在,若 A 欲送明文M, 0 <= M <= P-1, 給 B,
則 A 任選一亂數r, (0 <= r <= P-2), 且計算送出密文 C (根據下述定義):
A:
C = (C1 ,C2)
C1= g r mod P
B 收到 C 后計算下式
C2 = M(YB)r mod P
B:
C1XB = (g r ) XB = YBr
(mod P )
C2*(C1XB) -1 = M(YBr) (YBr) -1 = M
(mod P )
® 若 r 不重覆使用,則 ElGamal 之 PKC 安全性等於 Diffie-Hellman之 KDS.
® 每一明文M在不同的 r之下,可對應到不同的C密文,此即是所謂的
Probabilistic Public Key Cryptosystem.
此法之缺點: 傳輸效率祇有 1/2 ( 因為 C = (C1 ,C2) )
DSA vs. ECDSA
DSA
Key
generation
Signature
generation
ECDSA
Select p, q, x and q | p-1, 1 x < q. Select E over Zp, select d, 1 d < n.
Select h Zp* and compute
Select P E(Zp) of order n.
(p-1)/q
g=h
mod p until g1.
y = gx mod p
public key：(p, q, g, y)
private key：x
Q = dP
public key：(E, n, P, Q)
private key：d
Select k, 1  k < q.
r = (gk mod p) mod q
s = k-1( h(m) + xr) mod q
(r, s)為明文m之數位簽章
Select k, 1  k < n.
kP = (x1,y1) and r = x1 mod n
s = k-1( h(m) + dr) mod n
(r, s)為明文m之數位簽章
Signature w = s-1 mod q
verification u1 = h(m)w mod q
u2 = rw mod q
v = (gu1 yu2 mod p) mod q
若v = r, 則(r, s)通過驗證
w = s-1 mod n
u1 = h(m)w mod n
u2 = rw mod n
u1P+u2Q=(x0, y0), v = x0 mod n
若v = r, 則(r, s)通過驗證
Conclusions

ECC Advantages：





offers the highest strength-per-key-bit of any
known public-key system
offers the same level of security with smaller
key sizes
computational power
high-speed S/W and H/W implementations
integrated circuit space is limited

smart card, wireless devices
References

ECC Whitepapers
http://www.certicom.com/research/weccrypt.html

Elliptic Curves and Cryptography
Dr. Dobb’s Journal April 1997

The Elliptic Curve Digital Signature Algorithm (ECDSA)
http://www.certicom.com/pdfs/whitepapers/ecdsa.pdf

ECC Tutorial
http://www.certicom.com/resources/ecc_tutorial/ecc_tutorial.html

橢圓曲線密碼系統於GSM網路上的應用

設計植基於自我驗證公開金鑰系統之安全線上電子拍賣機制

行動電子商務環境下安全機制之研究