Elliptic curve cryptosystem ECC

1
Elliptic curve cryptosystem (ECC)

• Why ECC?
• Exist sub-exponential algorithms of factoring or
  solving DLP.
• But for ECC, the sub-exponential algorithm of
  breaking it has not been found.
• Means ECC is more secure than RSA or ElGamal
• Or to say, using much smaller key size can
  achieve the same security as RSA or ElGamal with
  large key size, so more efficient.
• Some of the following figures are copied from
  http//www.certicom.com/resources/ecc_tutorial/ecc
  _tut_2_0.html

2
Elliptic curve group over real number

• y2 x3 ax b, where x, y, a and b are real
  numbers, where 4a3 27b2 ?0.
• All (x,y) points satisfying above equation along
  with infinite point O and addition operation,
  form a group
• Suppose P(x,y) then define
• P(x,-y)

3
Elliptic curve example
4
Addition operation (A Geometric Approach)

• If P and Q are distinct, and P ? -Q, define PQ
  as follows
• Draw a line through P and Q, then the line will
  intersect with the curve, the intersected point
  is denoted as R, and define PQR.
• Define P (-P) O
• If P(x,0), then PP O , (in fact, a vertical
  line)
• Otherwise, draw a tangent line through P, the
  intersected point is defined as R, then PP 2P
  R.

5
Definition of PQ R
6
Definition of P(-P)
7
Definition of PP (where y!0)
8
Definition of PP (where y0)
9
Elliptic Curve Addition An Algebraic Approach

• Adding distinct points P and Q When P (xP,yP)
  and Q (xQ,yQ) and P? Q, P ? -Q, P Q R
  where s (yP - yQ) / (xP - xQ)xR s2 - xP - xQ
  and yR s(xP - xR) - yP Note that s is the
  slope of the line through P and Q.
• Doubling the point P When yP is not 0,2P R
  where s (3xP2 a) / (2yP )xR s2 - 2xP and
  yR s(xP - xR) -yP
• P (-P) O,
• If P (xP,yP) and yP 0, then P P 2P O.

10
Elliptic Curve Groups over Zp

• Zp 0,1,,p-1
• y2 mod p x3 ax b mod p
• Where a and b are in Zp, and x, y are also in Zp.
• 4a3 27b2 ?0 mod p.
• Addition with modular p.
• Example P23, ZpZ23. y2 x3 x
• (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13)
  (13,5) (13,18) (15,3) (15,20) (16,8) (16,15)
  (17,10) (17,13) (18,10) (18,13) (19,1) (19,22)
  (20,4) (20,19) (21,6) (21,17)

11
y2 mod 23 x3 x mod 23
12
Elliptic Curve groups and the Discrete Logarithm
Problem

• Points on Elliptic curve along with addition
  operation form a group.
• Given a point P (P ? (x, 0)), consider 2PPP,
  3P2PP, ., nP(n-1)PP,
• Given any n, it is easy to compute RnP, however
  given R, it is very difficult to find n, such
  that nPR. called Elliptic Curve Discrete
  Logarithm Problem (ECDLP).
• Here the addition is same as the multiplication
  in Zp.

13
Many cryptosystems can be formed based on
Elliptic Curve

• Given elliptic curve E and a point ? (generator)
• Example 1 ElGamal system
• Suppose ?b?, (E, ?, ?) are public, and b is
  secret.
• Encryption randomly select a k, E(x,k)(k?,
  xk?)
• Decryption D(y1,y2) y2 - by1.
• Example 2 Diffie-Hellman key exchange
• Alice selects an a, computes Aa?, send A to Bob
• Bob selects a b, computes Bb?, sends B to Alice
• Then Alice can compute the key KaBab?,
  similarly, Bob computes the key KbAab?.

14
ECC example, y2x3 x6 over Z11

• Computing the points
• For x0,1,..,10, compute z x3 x6 mod 11.
• Check whether z is a quadratic residue
• By Legendre symbol ( ) z(p-1)/2 mod p z5
  mod p.
• If YES, compute two square roots
• Algorithm 3.36, ? z(p1)/4 mod p ? z3 mod p.
• The points (2,4),(2,7), (3,5),(3,6),
  (5,2),(5,9), (7,2),(7,9), (8,3),(8,8),
  (10,2),(10,9), O.
• Any group of prime order is cyclic. So the group
  is isomorphic to Z13. (Note not Z13). Any
  element except O is a generator.

z
p
15
ECC example (cont.)

• Let us select ?(2,7) as a generator.
• Compute the 2?, 3?, as following
• xR s2 - xP - xQ and yR s(xP - xR) - yP
  where
• s (yP - yQ) / (xP - xQ) if P ? Q.
• s (3xP2 a) / (2yP ) if PQ.
• ?(2,7), 2?(5,2), 3?(8,3), 4?(10,2)
• 5?(3,6), 6?(7,9), 7?(7,2), 8?(3,5)
• 9?(10,9), 10?(8,8), 11?(5,9), 12?(2,4)

16
ECC exampleElGamal encryption

• ElGamal ?b? 7? (7,2).
• Suppose message is x(10,9) (a point on E).
• Select a random k3, then the encrypted message
  is
• y13 ? 3(2,7) (8,3).
• y2x3? (10,9)3(7,2)(10,9)(3,5) (10,2).
• Decryption y2 - by1(10,2) 7(8,3) (10,2)
  (3,5) (10,2) (3,6) (10,9).

17
Some discussions

• Key sizes
• ECC 163, 256, 384, 512
• RSA 1024, 3072, 7680, 15360
• Ratio 16, 112, 120, 130
• The number of points over Zp (p is prime)
• Hasse theorem p1-2sqr(p) ? E ? p12sqr(p)
• Plain text space points on E.
• How to generate points on E?
• How to convert a normal English content to points
  on E?

18
ECIES (Elliptic Curve Integrated Encryption
Scheme)

• Let E be an EC over Zp (pgt3 is a prime) such that
  E contains a cyclic subgroup HltPgt of prime order
  n in which the DLP is infeasible.
• Let PZp, C(Zp ? Z2)?Zp, and define
• K (E,P,m,Q,n) QmP
• P, Q, n are public and m is private.
• Encryption for K(E,P,m,Q,n) and x?Zp,
• Randomly select s?Zn, eK(x,s)(PointCompress(sP)
  , xx0 mod p)
• Where sQ(x0, y0) and x0?0 and
• PointCompress(P)PointCompress(x,y)(x, y mod 2),
  where P(x,y) ?E.
• Decryption for y(y1, y2) where y1?Zp ? Z2 and
  y2?Zp, define
• dK(y) y2(x0)-1 mod p Where (x0,
  y0)mPointDecompress(y1).
• PointDecompress(x,y)z x3axb mod p
• if z is a quadratic non-residue then return
  failure
• zSQRT(z) mod p
• if z y mod 2 then return (x, z) else return
  (x,p- z)