Elliptic Curve Cryptography - PowerPoint PPT Presentation

Slides: 77
Provided by: charmia5
Transcript and Presenter's Notes


1
Elliptic Curve Cryptography
  • Burt Kaliski, Chief Scientist and Director
  • RSA Laboratories

2
Outline
  • I. Elliptic curves
  • II. Elliptic curve cryptosystems
  • III. Advantages and disadvantages
  • IV. Standardization efforts

3
Notation
  • GF(q) or Fq: finite field with q elements
  • typically, $q = p$ where p is prime, or $q = 2^m$
  • E(Fq): elliptic curve over Fq
  • (x, y): point on E(Fq)
  • O: point at infinity

4
Acronyms
  • EC: Elliptic Curve
  • as in EC Digital Signature Algorithm
  • ECC: Elliptic Curve Cryptography

5
Part I Elliptic Curves
6
Elliptic Curves
  • An elliptic curve is the set of solutions (x, y)
    to an equation of the form
  • $y^2 = x^3 + ax + b$
  • where $4a^3 + 27b^2 \ne 0$, together with a point at
    infinity denoted O
  • Originally developed to measure circumference of
    an ellipse

7
An Example Curve
  • Over the reals, the solutions form a curve with
    one or two components
  • Example
  • $y^2 = x^3 - x$

8
Elliptic Curve Arithmetic
  • A group law may be defined where the sum of two
    points is the reflection across the x-axis of the
    third point on the same line
  • Chords and tangents

9
Group Law Axioms
  • Closure
  • Identity: $P + O = O + P = P$
  • Inverse: $(x, y) + (x, -y) = O$
  • Associativity
  • Commutativity

10
Addition Formulae
  • Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be
    non-inverses
  • Then $P_1 + P_2 = (x_3, y_3)$ where
  • $x_3 = \lambda^2 - x_1 - x_2$
  • $y_3 = \lambda(x_1 - x_3) - y_1$
  • and $\lambda$ is the slope of the line
  • $\lambda = (3x_1^2 + a)/(2y_1)$ if $x_1 = x_2$
  • $\lambda = (y_2 - y_1)/(x_2 - x_1)$ otherwise

11
Elliptic Curves over Finite Fields
  • An elliptic curve may be defined over any finite
    field GF(q)
  • For $GF(2^m)$, the curve has a different form
  • $y^2 + xy = x^3 + ax^2 + b$
  • where $b \ne 0$
  • Addition formulae are similar to those over the
    reals

12
Group Properties
  • Let $\#E(F_q)$ denote the number of points on an
    elliptic curve E(Fq), including O
  • Hasse bound: $\#E(F_q) = q + 1 - t$, where
  • $|t| \le 2\sqrt{q}$
  • The group of points is either cyclic or a product
    of two cyclic groups

13
Scalar Multiplication
  • Scalar multiplication is repeated group addition
  • $cP = P + P + \cdots + P$ (c times)
  • where c is an integer
  • For all $P \in E(F_q)$,
  • $nP = O$
  • where $n = \#E(F_q)$

14
Elliptic Curve Research Areas
  • EC over finite fields has been an increasing
    focus of research
  • 1. Efficient elliptic curve arithmetic, scalar
    multiplication
  • including finite field arithmetic
  • 2. Efficient curve generation
  • 3. Cryptographic properties

15
Some Interesting Applications
  • Factoring (Lenstra 1985)
  • running time of Elliptic Curve Method (ECM)
    depends on size of prime factors of a number,
    ideal for smooth numbers
  • Primality proving (Goldwasser-Kilian 1986)
  • under number-theory assumptions, method for
    proving primality in random polynomial time
  • Fermat's Last Theorem

16
Analogy with Multiplicative Groups
17
Part II Elliptic Curve Cryptosystems
18
Elliptic Curve Cryptosystems
  • EC discrete logarithm problem
  • Domain parameters
  • Key pairs
  • Cryptographic schemes

19
EC Discrete Logarithm Problem
  • Problem: Given two points W, G, find s such that
    $W = sG$
  • first suggested by Miller 1985, Koblitz 1987
  • With appropriate cryptographic restrictions, this
    is believed to take exponential time
  • O(sqrt(r)) time, where r is the order of W

20
EC Discrete Logarithm Problem (cont'd)
  • By comparison, factoring and ordinary discrete
    logarithms can be solved in subexponential time
  • ECC thus offers much shorter key sizes than other
    public-key cryptosystems

21
Typical Cryptographic Restrictions
  • $\#E(F_q) = kr$ for large prime r
  • k is cofactor
  • $\mathrm{GCD}(k, r) = 1$
  • Anomalous condition: $r \ne q$
  • MOV condition: r does not divide $q^i - 1$ for small i
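
The restrictions above reduce to integer checks once q, the curve order and r are known. The following is an added example, not part of the original slides: the function names and the `mov_bound` cut-off for "small i" are assumptions, the Hasse-bound check is included as a sanity test on the claimed order, and the constants are the published NIST P-256 field size and group order.

```python
from math import gcd

# NIST P-256 field size and group order (well-known published constants, not from the slides).
P256_Q = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551

def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed small-prime bases (adequate for this illustration)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def failed_restrictions(q, n, r, mov_bound=20):
    """List the restrictions violated by field size q, order n = #E(Fq), divisor r.
    mov_bound is an assumed cut-off for what counts as 'small i'."""
    failed = []
    if (q + 1 - n) ** 2 > 4 * q:
        failed.append("Hasse bound")
    if n % r != 0 or not is_probable_prime(r):
        failed.append("r is not a prime divisor of #E(Fq)")
    elif gcd(n // r, r) != 1:
        failed.append("GCD(k, r) != 1")
    if r == q:
        failed.append("anomalous: r = q")
    if any(pow(q, i, r) == 1 for i in range(1, mov_bound + 1)):
        failed.append("MOV: r divides q^i - 1 for small i")
    return failed
```

`failed_restrictions(P256_Q, P256_N, P256_N)` returns an empty list, while `failed_restrictions(23, 24, 3)`, the order of the supersingular curve $y^2 = x^3 + x$ over F_23, reports the MOV failure because 3 divides $23^2 - 1$.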

22
Domain Parameters
  • Common values shared by a group of users from
    which key pairs may be generated
  • User or trusted party may generate domain
    parameters
  • Anyone may validate domain parameters

23
EC Domain Parameters
  • Finite field Fq
  • Elliptic curve E(Fq) with cryptographic
    restrictions
  • Prime divisor r of $\#E(F_q)$
  • Cofactor k
  • Base point $G \in E(F_q)$ of order r

24
Generating EC Domain Parameters
  • 1. Select a prime power q
  • 2. Select an elliptic curve E over Fq with
    cryptographic restrictions
  • order $\#E(F_q) = kr$
  • 3. Generate a point G of order r
  • 4. Output Fq, E(Fq), r, k, G

25
Selecting an Elliptic Curve
  • Random method
  • Complex multiplication method
  • Subfield method
  • Methods provide tradeoff between speed,
    structure in curves
  • less structure means more conservative assumptions
    about security

26
Random Method
  • 1. Generate a random curve
  • 2. Count the number of points $\#E(F_q)$
  • 3. If restrictions not met, goto 1
  • No structure, but step 2 may be slow
  • (Schoof 1985, etc.)

27
Complex Multiplication Method
  • 1. Generate a curve order n with a small CM
    discriminant D
  • 2. If restrictions not met, goto 1
  • 3. Given D, find a curve with n points
  • Fast, some structure, but complex
  • (Atkin-Morain 1991, Lay-Zimmer 1994)

28
Subfield Method
  • For $q = 2^m$ with m composite
  • 1. Generate a curve over a subfield
  • 2. Count the number of points
  • 3. Apply formula to compute $\#E(F_q)$
  • 4. If restrictions not met, goto 1
  • Fast, but significant structure
  • (Koblitz)

29
Generating a Point of Order r
  • 1. Generate a point $H \in E(F_q)$
  • 2. Compute $G = kH$
  • 3. If $G = O$, goto 1
  • 4. Output G

30
Validating EC Domain Parameters
  • 1. Check that q is a prime power
  • 2. Check that E is an elliptic curve over Fq with
    cryptographic restrictions
  • order $\#E(F_q) = kr$, where r is prime
  • 3. Check that G is a point on E(Fq) of order r
  • 4. Output valid if all checks pass, invalid
    otherwise

31
Key Pairs
  • Pairs of public, private values with which users
    may perform cryptographic operations
  • User or trusted third party may generate key pair
  • Anyone may validate public key

32
EC Key Pairs
  • Public key $W \in E(F_q)$
  • Private key $s \in [1, r-1]$
  • where $W = sG$

33
Generating an EC Key Pair
  • 1. Randomly generate $s \in [1, n-1]$
  • 2. Compute $W = sG$
  • 3. Output (W, s)

34
Validating an EC Public Key
  • Assume valid domain parameters
  • 1. Check that W is a point on E(Fq) of order r
  • 2. Output valid if so, invalid otherwise

35
Cryptographic Schemes
  • Following general model from IEEE P1363, a scheme
    is a set of related operations providing the
    building blocks for a protocol
  • Examples
  • key agreement
  • signature with appendix
  • encryption

36
Scheme Operations
  • Depending on the scheme, related operations may
    include
  • domain parameter generation, validation
  • key pair generation, public-key validation
  • one or more scheme-specific operations

37
Key Agreement Scheme
  • Key agreement operation derives a shared secret
    key from a private key, another's public key, and
    key derivation parameters
  • Multiple secret keys can be obtained by varying
    parameters

38
Elliptic Curve Diffie-Hellman
  • Key agreement scheme based on Diffie-Hellman
    protocol
  • In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive
  • Underlying function
  • KDF: key derivation function

39
ECDH Key Agreement
  • Input: private key s, other's public key W, key
    derivation parameters P
  • Output: shared secret key K
  • 1. Compute $Z = sW$
  • 2. Compute $K = \mathrm{KDF}(Z, P)$
  • 3. Output K

40
Key Agreement Modes
  • Each key pair may be ephemeral, authenticated, or
    a combination, depending on security goals
  • Examples of protocol modes
  • anonymous
  • static-static
  • signed ephemeral-ephemeral
  • ephemeral-static

41
Signature Scheme
  • Signature generation operation computes a
    signature on a message with a private key
  • Signature verification operation verifies a
    signature with a public key

42
Elliptic Curve Digital Signature Algorithm
  • Signature scheme based on NIST FIPS 186-1 DSA
  • In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
  • Underlying function
  • Hash: collision-resistant hash function

43
ECDSA Signature Generation
  • Input: private key s, message M
  • Output: signature (c,d)
  • 1. Compute $f = \mathrm{Hash}(M)$
  • 2. Generate a one-time key pair (u, V)
  • 3. Compute $c = \mathrm{int}(x_V) \bmod r$
  • 4. Compute $d = u^{-1}(f + sc) \bmod r$
  • 5. If $c = 0$ or $d = 0$, goto 2
  • 6. Output (c,d)

44
ECDSA Signature Verification
  • Input: signer's public key W, message M,
    signature (c,d)
  • Output: valid or invalid
  • 1. Compute $f = \mathrm{Hash}(M)$
  • 2. Check that $1 \le c, d \le r-1$
  • 3. Compute $h = d^{-1} \bmod r$
  • 4. Compute $P = fhG + chW$
  • (cont'd)

45
ECDSA Signature Verification (cont'd)
  • 5. Check that $P \ne O$
  • 6. Check that $c = \mathrm{int}(x_P) \bmod r$
  • 7. If all checks pass, output valid, otherwise
    output invalid
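
The Addition Formulae, Scalar Multiplication, public-key validation and ECDSA slides can be traced end to end on a curve small enough to check by hand. This is an added example, not code from the presentation: the toy curve $y^2 = x^3 + 2x + 2$ over F_17 with base point (5, 1) of order 19 is a constructed parameter set, all function names are assumptions, and SHA-256 reduced mod r stands in for Hash.

```python
import hashlib, secrets

# Constructed toy domain parameters (far too small to be secure):
# E: y^2 = x^3 + 2x + 2 over F_17, base point G of prime order r = 19, cofactor k = 1.
p, a, b, G, r, O = 17, 2, 2, (5, 1), 19, None   # O = point at infinity

def add(P1, P2):
    """Group law: the slide's addition formulae plus the O and inverse cases."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                              # P + (-P) = O
    if x1 == x2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p       # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(c, P):  # cP by double-and-add (not constant time; illustration only)
    Q = O
    while c > 0:
        if c & 1: Q = add(Q, P)
        P, c = add(P, P), c >> 1
    return Q

def valid_public_key(W):
    """W != O, W is on E(F_p), and rW = O (so W has order r, since r is prime)."""
    return W is not O and (W[1]**2 - W[0]**3 - a*W[0] - b) % p == 0 and mul(r, W) is O

def f_hash(M):
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % r

def sign(s, M):
    while True:
        u = secrets.randbelow(r - 1) + 1            # one-time private key u in [1, r-1]
        c = mul(u, G)[0] % r                        # c = int(x_V) mod r, with V = uG
        d = pow(u, -1, r) * (f_hash(M) + s * c) % r
        if c != 0 and d != 0:                       # step 5: otherwise retry
            return (c, d)

def verify(W, M, sig):
    c, d = sig
    if not (1 <= c <= r - 1 and 1 <= d <= r - 1):   # step 2: range check
        return False
    h = pow(d, -1, r)
    P = add(mul(f_hash(M) * h % r, G), mul(c * h % r, W))
    return P is not O and c == P[0] % r             # steps 5 and 6
```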

46
Encryption Scheme
  • Encryption operation computes a ciphertext from a
    message with a public key
  • Decryption operation recovers a message from a
    ciphertext with a private key
  • Augmented encryption scheme also binds control
    information to message

47
Elliptic Curve Augmented Encryption Scheme
  • Augmented encryption scheme based on DHAES
    (Bellare-Rogaway 1998)
  • In ANSI X9.63 draft
  • Underlying functions
  • KDF: key derivation function
  • Encrypt: symmetric encryption
  • MAC: message authentication code

48
ECAES Encryption
  • Input: recipient's public key W, message M,
    control information P
  • Output: ciphertext (V,C,T)
  • 1. Generate a one-time key pair (u,V)
  • 2. Compute $Z = uW$
  • 3. Compute $(K_1, K_2) = \mathrm{KDF}(Z)$
  • (cont'd)

49
ECAES Encryption (cont'd)
  • 4. Compute $C = \mathrm{Encrypt}(K_1, M)$
  • 5. Compute $T = \mathrm{MAC}(K_2, C \| P)$
  • 6. Output (V,C,T)
  • Note: Steps 1-3 are like ECDH ephemeral-static

50
ECAES Decryption
  • Input: private key s, ciphertext (V,C,T), control
    information P
  • Output: message M or invalid
  • 1. Compute $Z = sV$
  • 2. Compute $(K_1, K_2) = \mathrm{KDF}(Z)$
  • (cont'd)

51
ECAES Decryption (cont'd)
  • 3. Compute $M = \mathrm{Decrypt}(K_1, C)$
  • 4. Check that $T = \mathrm{MAC}(K_2, C \| P)$
  • 5. If the check passes, output M, otherwise
    output invalid

52
Some Observations
  • In these schemes, only one or two steps are EC
    operations, some are modular arithmetic, the rest
    are Hash, KDF, Encrypt, MAC
  • the additional operations help provide provable
    security
  • Schemes are readily adapted to multiplicative
    groups

53
Part III Advantages and Disadvantages
54
Advantages and Disadvantages
  • Three families
  • Key size comparison
  • Advantages
  • Disadvantages

55
Three Families
  • Today, three families of public-key techniques
    are prominent
  • Following P1363, named according to the hard
    problem
  • DL: (ordinary) discrete logarithms
  • EC: elliptic curve discrete logarithms
  • IF: integer factorization
  • Each has its own advantages

56
Key Size Comparison
  • Key size is length in bits of
  • DL: field order q
  • also consider group order r
  • EC: group order r
  • IF: modulus n
  • Key sizes can be compared based on running time
    for solving hard problem with current methods
  • other factors to consider

57
Comparable Key Sizes (Based on Running Time)
58
Advantages
  • Alternative hard problem
  • Speed
  • Data size
  • New types of schemes
  • Many options

59
Alternative Hard Problem
  • EC Discrete Logarithm Problem is very different
    than DL, IF hard problems
  • does not appear feasible to apply DL, IF
    approaches to solve it
  • Thus, it is an effective alternative against
    advances in methods for other problems

60
Speed
  • EC operations are generally faster than DL, IF
    counterparts at comparable key sizes
  • $GF(2^m)$ arithmetic affords further speedups
  • Key pair generation is much faster than for IF

61
Data Size
  • EC data are shorter than DL, IF counterparts
  • Intermediate values are shorter
  • Keys are shorter
  • benefit depends on certificate content
  • Signatures with appendix are same size as for DL,
    shorter than IF

62
New Types of Schemes
  • EC family, like DL, has great flexibility due to
    the availability of common domain parameters
  • Multiple schemes can be combined efficiently,
    e.g.
  • signature + encryption
  • signature / key agreement + certification
  • (Zheng 1997, Arazi 1998, Vanstone)

63
Many Options
  • EC family affords many choices
  • field type, size, representation
  • curve formula
  • group order
  • base point
  • cryptographic scheme
  • Appropriate choices can meet varying security and
    implementation objectives

64
Disadvantages
  • Alternative hard problem
  • Curve generation
  • Many options

65
Alternative Hard Problem
  • ECDLP has not been studied as long as DL, IF hard
    problems, and even a modest improvement in
    methods could have great impact
  • However, the focus on this area has grown
    considerably over the past few years, with
    increased confidence

66
Curve Generation
  • EC curve generation is complex, not readily
    implemented
  • However, implementers can rely on third parties
    for curves, which can be validated
  • e.g., NIST curves

67
Many Options
  • ECC affords many options, so interoperability is
    challenging
  • no conversion between $GF(2^m)$, GF(p)
  • hardware optimizations may be specific to one set
    of domain parameters
  • However, much of this will be settled by
    standards and industry practice

68
Part IV Standardization Efforts
69
Standardization Efforts
  • Elliptic curves are parts of standards being
    developed by several groups
  • ANSI X9F1
  • IEEE P1363
  • ISO JTC1 SC27
  • SECG
  • U.S. NIST
  • Generally, all three families are being developed
    together

70
ANSI X9F1
  • Cryptographic techniques for U.S. financial
    services industry
  • ANSI X9.62 specifies ECDSA
  • ANSI X9.63 (draft) specifies ECDH, ECAES and more
  • Technical Guideline on elliptic curve mathematics
  • www.x9.org

71
IEEE P1363
  • Public-key cryptography specifications,
    transnational
  • Specifies ECDH, ECDSA and much more (including
    other families)
  • framework for ANSI X9F1 work
  • ECAES proposed for addendum
  • grouper.ieee.org/groups/1363

72
ISO SC27
  • IT security techniques, international
  • ISO/IEC DIS 14888-3 includes ECDSA
  • aligned with ANSI X9.62
  • ISO/IEC CD 15946 covers elliptic curve techniques
    including digital signatures, key establishment
  • www.iso.ch/meme/JTC1SC27.html

73
SECG
  • Standards for Efficient Cryptography Group
  • Industry implementers' agreements, intended to
    profile other standards
  • www.secg.org

74
U.S. NIST
  • Information processing for U.S. government
  • FIPS 186 (Digital Signature Standard) to add
    support for ANSI X9.62
  • Eventual ANSI X9.63 support likely
  • Reference elliptic curves published
  • csrc.nist.gov/fips

75
Summary
76
Summary
  • ECC offers an attractive alternative to other
    public-key cryptosystems
  • new hard problem
  • smaller key size
  • Many standards are emerging
  • Number theory continues to be useful