# Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography.

## Presentation on theme: "Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography."— Presentation transcript:

Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography

No Singhalese( 錫蘭人 ), whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman( 護身符 ) he would fear that some devil might take advantage of his weak state to slip into his body. — The Golden Bough, Sir James George Frazer

Review: Requirement for public- key cryptography Diffie and Hellman (1976) proposed the public-key cryptography requirement: It is computationally easy to generate a pair of keys It is computationally easy for a sender to encrypt It is computationally easy for a receiver to decrypt It is computationally infeasible for an opponent, knowing the public key, to determine the private key It is computationally infeasible for an opponent, knowing the public key and ciphtertext, to recover the plaintext b X = D KR (Y) Y = E KU (X) b => Trap-door one-way function

Review: one-way function 1968, R. M. Needham ’ s system 1974, G. Purdy published the first detail description of such a one-way function One-way function Computation in Z p, A ’ s password One-way cipher Encrypted password list … … A ’ s encrypted password Hard to invert!

Review: (trapdoor) one-way function domain target Y=f(X): easy X=f -1 (Y): infeasible ( > polynomial time) X=f K -1 (Y): easy if trap-door K is known ( ~ polynomial time) The notion of “ computationally infeasible ” plays an important role A enciphering transformation that can safely be regarded as a (trapdoor) one-way function in 1994 might lose its one-way or trapdoor status in 2004 or 2994

Elliptic Curve Cryptography (ECC) majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials imposes a significant load in storing and processing keys and messages an alternative is to use elliptic curves offers same security with smaller bit sizes

Outline Operations over abelian groups ( 可換群 ) Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography

Abelian group Group with communicative property Group: {G, } G: a set of elements : binary operation to each pair (a,b) in G obeys: closure: a b is also in G associative law: (a b) c = a (b c) has identity e : e a = a e = a has inverses a -1 : a a -1 = e

Public ciphers based on an abelian group Exponentiation (repeated multiplication) in RSA and D-H algorithm Idea: Find another abelian group! In elliptic curves, we define the addition operation such that it forms an abelian group k times hard problem k times

Classes of elliptic curves used by cryptographers

Outline Operations over abelian groups ( 可換群 ) Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography

Real Elliptic Curves Elliptic curves are not ellipses an elliptic curve is defined by an equation in two variables x & y, with coefficients consider a cubic elliptic curve of form y 2 = x 3 + ax + b where x, y, a, b are all real numbers also define O (point at infinity)

Real Elliptic Curve Example#1 Given x, there will be two solutions for y Multiple roots of x 3 +x+1=0

Real Elliptic Curve Example#2 Roots of x 3 -x=0

Real Elliptic Curve Example#2: F(x,y)

3-d 圖俯視

Addition over elliptic curve Definition: Let E be an elliptic curve over the real numbers. P and Q be two points on E. We define the negative of P and the sum P+Q as: 1. If P is the point at infinity O, then – P=O and P+Q = Q. [i.e. O servers as the identity (zero)] 2. P = (x,y), then –P=(x,-y) [-P must lie on elliptic curve]

Addition over elliptic curve (cont.) 3. If P and Q have different x-coordinate, then P+Q = … R Why not P+Q=R? 1.P+Q = R => R-Q = P 2. However, by definition R+Q = P 3. R-Q = R+Q ?

Addition over elliptic curve (cont.) 4. If Q=-P, then P+Q = O 5. If P=Q, then P+Q = … P Q P 2P

Closure of addition operation Why there is exactly one point where the line intersects with elliptic curve? (P+Q 一定有定義 ?) Case 1: P=Q (x 1, y 1 )= (x 2, y 2 )= Line function: (x,  x  (x 3,  x 3  Solve

Closure of addition operation (cont.) Solve => 三個根： (x 1, y 1 ), (x 2, y 2 ), (x 3, y 3 ) =>

Closure of addition operation (cont.) Case 2: P=Q Slope of the tangent line: Solution of P+Q:

Outline Operations over abelian groups ( 可換群 ) Elliptic curves over the reals Elliptic curves over the finite fields Over Z p Over GF(2 m ) Elliptic curve cryptography

Finite Elliptic Curves Elliptic curve cryptography uses curves whose variables & coefficients are discrete and finite have two families commonly used: prime curves E p (a,b) defined over Z p use integers modulo a prime best in software binary curves E 2 m (a,b) defined over GF(2 m ) use polynomials with binary coefficients best in hardware

Example: discrete EC over Z p Ex. (9, 7) is on EC

EC over Z p 1. P+O = P 2. If P=(x p, y p ), then P+ (x p, -y p ) = O 3. If P=(x p, y p ), Q=(x q, y q ), R=P+Q=(x R, y R ) is where

EC over Z p (cont.) 4. Scalar multiplication is defined as repeated addition. Ex. 4P = P+P+P+P Q: How many points are defined on EC (given prime modulo p)? When p is large, it approximates the size of Z p

Outline Operations over abelian groups ( 可換群 ) Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography

Elliptic Curve Cryptography ECC addition is analog of modulo multiply in RSA ECC repeated addition is analog of modulo exponentiation need “hard” problem equiv. to discrete log Q=kP, where Q,P belong to a prime curve is “ easy ” to compute Q given k and P but “hard” to find k given Q,P known as the elliptic curve logarithm problem

EC discrete log problem Certicom example: E 23 (9,17) Certicom EC: P=(16,5), Q=(4,5), determine k s.t. Q=kP Brute force method: P=(16,5); 2P=(20,20); 3P=(14,14); 4P=(19,20) 5P=(13,10); 6P=(7,3); 7P=(8,7); 8P=(12,17); 9P=(4,5)

ECC Diffie-Hellman can do key exchange analogous to D-H users select a suitable curve E p (a,b) select base point G=(x 1,y 1 ) with large order n s.t. nG=O A & B select private keys n A <n, n B <n compute public keys: P A =n A ×G, P B =n B ×G compute shared key: K=n A ×P B, K=n B ×P A same since K=n A ×n B ×G

Protocol of D-H key exchange Public: E p (a,b) G=(x 1,y 1 ) n A <n P A =n A × G n B <n P B =n B × G K=n A ×P B K=n B ×P A PAPA PBPB The same secret key: K=n A ×n B ×G

ECC Encryption/Decryption several alternatives, will consider simplest must first encode any message M as a point on the elliptic curve P m Problem: not all discrete points are defined in EC select suitable curve & point G as in D-H each user chooses private key n A <n and computes public key P A =n A ×G to encrypt P m : C m ={kG, P m +kP A }, k random decrypt C m compute: P m +kP A –n A (kG) = P m +k(n A G)–n A (kG) = P m

Example: ECC encryption EC curve on Z p : y 2 = x 3 -x + 188 G = (0, 376), p = 751 A ’ s public key P A = (201, 5) Plaintext P m =(562, 201) B selects random k=386, then encryt P m as C m ={kG, P m +kP A } = {386(0,376), (562, 201)+386(201, 5)} = {(676, 558), (385, 328)}

ECC Security compared to factoring, can use much smaller key sizes than with RSA etc for equivalent key lengths computations are roughly equivalent

Download ppt "Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography."

Similar presentations