Introduction to Elliptic Curve Cryptography CSCI 5857: Encoding and Encryption

Outline Encryption as points on elliptic curves in space Elliptic curves and modular arithmetic Mathematical operations on elliptic curves Elliptic curve Diffie-Hellman Elliptic curve Elgamal Security and speed of elliptic curve cryptography

Elliptic Curve Mathematics General mathematical form (Weierstraus equation) : y 2 = x 3 + ax + b For some a, b (curve parameters)

Elliptic Curve Encryption Encryption: Transforming points on curve (P, K PU ) into other point on same curve (C) Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve R = P + Q where P = (x P, y P ) Q = (x Q, y Q ) R = (x R, y R )

Elliptic Curve Addition Cases Case 1: R based on line formed by P, Q (x P ≠ x Q, y P ≠ y Q ) Equations:  = (y Q – y P ) / (x Q – x P ) x R =  2 – x P – x Q y R =  (x P – x R ) – y P

Elliptic Curve Addition Cases Case 2: P = Q, R based on tangent to curve (x P = x Q, y P = y Q ) Equations: x R = ((3x P 2 + a) / 2y P ) 2 - 2x P y R = ((3x P 2 + a) / 2y P ) 2 (x P – x R ) – y P

Elliptic Curve Addition Cases Case 3: P = -Q, line does not intercept curve (x P = x Q, y P ≠ y Q ) R = “0” (additive identity) –Point at infinity –0 = -0

Elliptic Curves over Z p Encryption requires modular arithmetic –Must be difficult to recover original points from R. –Modular arithmetic prevents “working backward”, as in RSA Define “curve” as E p (a, b) where p is the modulus, a, b are the coefficients of y 2 = x 3 + ax + b Looking for (x, y) such that y 2 = (x 3 + ax + b) mod p –Note: “points” on curve are integers

Finding Points on a Z p Curve Points on elliptic curve y 2 = x 3 + x + 1 for GF(13): –Must find integer values for x, y < 13 such that (y 2 ) mod 13 = (x 3 + x + 1) mod 13  x = 0: y 2 mod 13 = 1 mod 13 y =  1 y = 1, 12 (-1 mod 13 = 12)  x = 1: y 2 mod 13 = 3 mod 13 y =  4 (16 mod 13 = 3) y = 4, 9

Finding Points on a Z p Curve Note: Not all values of x have a corresponding y  x = 2: y 2 mod 13 = 11 mod 13 No solution for y (Can test all y < 13)  x = 3: y 2 mod 13 = 31 mod 13 = 5 No solution for y (Can test all y < 13)  x = 4: y 2 mod 13 = 69 mod 13 = 4 y =  2 y = 2, 11

Finding Points on a Z p Curve Points on elliptic curve y 2 = x 3 + x + 1 over GF(13):

Elliptic Curve Mathematics Computing (x R, y R ) = (x P, y P ) + (x Q, y Q ) –Necessary to turn 2 points corresponding to key, plaintext into point corresponding to ciphertext Use same rules for “+” as curves in space Main ideas: –Addition/subtraction/multiplication in mod p –Division = multiplication by inverse mod p

Example: (4, 2) + (10, 6) on E 13 (1, 1) step 1: compute  = (y Q – y P ) / (x Q – x P )  = (6 – 2) x (10 – 4) -1 mod 13 = 4 x 6 -1 mod mod 13 = 11 = 4 x 11 mod 13 = 5 step 2: compute x R =  2 – x P – x Q x R = 25 – 4 – 10 mod 13 = 11 step 3: compute y R =  (x P – x R ) – y P y R = 5 x (4 – 11) – 2 mod 13 = 2 (4, 2) + (10, 6) = (11, 2) note: also on curve!

Multiplication on an Elliptic Curve Multiplication = addition multiple times –Necessary for some forms of elliptic curve cryptography –Must use formula where P = Q for first addition Example: 3 x (1, 4) on E 13 (1, 1) 3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)

Elliptic Curve Encryption Generally based on using elliptic curves in place of exponentiation in existing public key algorithm Examples: –Elliptic Curve Diffie-Hellman –Elliptic Curve Elgamal

Elliptic Curve Diffie-Hellman Alice and Bob agree on global parameters: –E p (a, b): Elliptic curve mod p (prime) with parameters a and b –G : “Generator” point on that elliptic curve For all points R on the curve, there exists some n such that G  n = R –Example: P = 211 E p (0, -4) the curve y 2 = x G = (2, 2)

Elliptic Curve Diffie-Hellman Alice and Bob select own private x and y They each generate a public R 1 and R 2 as R 1 = x  G and R 2 = y  G They exchange these values Example: x = 121 R 1 = 121  (2, 2) = (115, 48) y = 203 R 2 = 203  (2, 2) = (130, 203) (115, 48) (130, 203)

Elliptic Curve Diffie-Hellman Alice and Bob generate the same key k Alice: k = R 2  x Bob: k = R 1  y Proof: R 2  x = (G  y)  x R 1  y = (G  x)  y Example: 121  (130, 203) = 203  (115, 48) = (161, 69)

Elliptic Curve Elgamal Generating public and private keys: Bob chooses an E p (a, b) for an elliptic curve in Z p Bob chooses a point (x 1, y 1 ) on that curve Bob chooses a secret integer multiplier d < p Bob computes a second point (x 2, y 2 ) on the curve as (x 2, y 2 ) = d  (x 1, y 1 ) public key: the values p, a, and b that define the curve the two points (x 1, y 1 ) and (x 2, y 2 ) private key: the multiplier d

Elliptic Curve Elgamal Encryption: Alice selects a point P on E p (a, b) that corresponds to the plaintext message she wishes to send Alice selects a random multiplier r Alice creates the ciphertext as two points on the curve: C 1 = r  (x 1, y 1 ) C 2 = P + r  (x 2, y 2 )

Elliptic Curve Elgamal Decryption: Bob computes the plaintext as: P = C 2 – (d  C 1 )) Why does this work? P = C 2 – (d  C 1 )) = (P + r  (x 2, y 2 ) ) – (d  r  (x 1, y 1 ) )) = (P + d  r  (x 1, y 1 ) ) – (d  r  (x 1, y 1 ) )) = P

Security and Speed Why is this secure? –Same type of inverse modular problem (elliptic curve logarithm problem) –No simple way to determine d from (x 1, y 1 ) and (x 2, y 2 ) without trying all possible values –Computationally secure as long as p large enough to prevent this (2 160 for example)

Security and Speed Why is this fast? –Only uses addition and multiplication – no exponents! –Smaller key sizes 160 bit ECC key equivalent to 1024 bit RSA key