CS 627 Elliptic Curves and Cryptography Paper by: Aleksandar Jurisic, Alfred J. Menezes Published: January 1998 Presented by: Sagar Chivate

Background in elliptic curves If p is a prime greater than 3 and Z p is group of non-zero elements under the operation of multiplication modulo p. Z p = {1, 2, …, p-1} Then an elliptic curve E over Z P is defined by the equation: y 2 = x 3 + ax + b where, a, b ∊ Z p and 4a b 2  0 (mod p), together with special point O, called as point at infinity.

Example of elliptic curve Let p = 23, a = 1, b = 1 Note: 4a b 2 = 8 (mod 23)  0 E : y 2 = x 3 + x + 1 The points on E(Z 23 ) are O and following: (0,1) (6,4) (12,19) (0,22) (6,19) (13,7) (1,7) (7,11) (13,16) (1,16) (7,12) (17,3) (3,10) (9,7) (17,20) (3,13) (9,16) (18,3) (4,0) (11,3) (18,20) (5,4) (11,20) (19,5) (5,19) (12,4) (19,18)

Elliptic curve addition If P, Q ∊ E(Z p ) then, 1.P + O = O + P = P 2.If P = (x,y) then –P = (x,-y) and P + (-P) = O 3.If P = (x 1, y 1 ) and Q = (x 2, y 2 ) and P  -Q then, P + Q = (x 3, y 3 ) where, x 3 = 2 – x 1 – x 2 andy 3 = (x 1 – x 3 ) – y 1 = y 2 – y 1 if P  Q, = 3x aif P = Q x 2 – x 1 2y 1

Elliptic curve discrete logarithm problem Select elliptic curve E(Z p ) such that the number of points in E are divisible by a large prime n. Then, The “hard” mathematical problem is: Given an elliptic curve E defined over Z p, a point P ∊ E(Z p ) of order n, and a point Q ∊ E(Z p ), determine the integer d, 0 <= d <= n-1, such that Q = dP, provided that d exists.

Digital Signature Algorithm (DSA)

Elliptic Curve Digital Signature Algorithm (ECDSA) ECDSA key pair generation: 1.Entity A selects an elliptic curve E defined over Z p. The number of points in E(Z p ) should be divisible by a large prime n. 2.Select a point P = E(Z p ) of order n. 3.Select a statistically unique and unpredictable integer d in the interval [1, n-1]. 4.Compute Q = dP. 5.A’s public key is (E, P, n, Q). A’s private key is d.

ECDSA…contd. ECDSA signature generation: 1.Entity A selects a statistically unique and unpredictable integer k in the interval [1, n-1]. 2.Compute kP = (x 1, y 1 ) and r = x 1 mod n. To avoid a security condition, r should not equal 0. If r = 0 go to step 1. 3.Compute k -1 mod n. 4.Compute s = k -1 {h(m) + dr} mod n. h is the Secure Hash Algorithm (SHA-1). 5.If s = 0, then go to Step 1. If s = 0, then s -1 mod n does not exist and s -1 is required in the signature verification process. 6.The signature for the message m is the pair of integers (r, s).

ECDSA…contd. ECDSA signature verification: 1.Entity B obtains an authentic copy of Entity A’s public key (E, P, n, Q). 2.Verify that r and s are integers in the interval [1, n-1]. 3.Compute w = s -1 mod n and h(m). 4.Compute u 1 = h(m)w mod n and u 2 = rw mod n. 5.Compute u 1 P + u 2 Q = (x 0, y 0 ) and v = x 0 mod n. 6.Entity B accepts the signature if and only if v =r.

Security Issues The best algorithm known to date is Pollard rho-method which takes about   n / 2 steps, where a step is an elliptic curve addition. Software attacks Hardware attacks Build a hardware for a parallel search using Pollard rho-method. Size of n (in bits)   n / 2 MIPS years * * *10 52

Advantages of ECC Equivalent ECC key size is 160 bits as compared to 1024 bit size of RSA ECC does not require prime numbers and exponential processing for encryption. ECC offers considerable bandwidth savings when being used to transform short messages. Disadvantages of ECC Hyper-elliptic cryptosystems offer even smaller key sizes ECC is mathematically more difficult to explain to client Confidence level in ECC is not as high as RSA

Applications Elliptic curves are used in: Factoring integers Primality proving Public key cryptography Implementations of ECC are particularly beneficial in applications where bandwidth, processing capacity, power availability, or storage is constrained. Such applications include: Wireless transactions Handheld computing Broadcast and Smart card applications.

Conclusion Elliptic Curves should receive rigorous testing before it is actually implemented in large networks, but it should provide a solution to many of the problems facing public-key encryption in general.

Thank you!