A Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem


By K.H. Rahouma
Electrical Technology Department, Technical College in Riyadh, Riyadh, Kingdom of Saudi Arabia

Abstract- This paper proposes a new modified variant of the Menezes and Vanstone elliptic curve cryptosystem. The new variant keeps the original Menezes-Vanstone elliptic curve cryptosystem but uses it in a more elegant way: not only one elliptic curve but a number of curves. Each curve is chosen with its corresponding keys to constitute a separate cryptosystem. The message is then divided into blocks such that each block is of a length less than the smallest prime number P of the used elliptic curves. The system uses a random sequence generator and modular arithmetic to determine the elliptic curve which is used to encrypt/decrypt a given message block. In addition to the public keys of the system, the legal parties hold a pre-communication session to compute and exchange some other private mutual keys (e.g., the keys of the random sequence generator). An implementation example is explained and the security of the proposed variant is discussed.

Keywords- Elliptic curve, Multi-key cryptosystems, Menezes-Vanstone cryptosystem, Discrete logarithm problem.

1. INTRODUCTION

The discrete logarithm problem in Z_P is in general a difficult problem, especially if P is carefully chosen. In particular, there is no known polynomial-time algorithm for solving the discrete logarithm problem. Cryptographers have therefore been attracted to build on this problem. There are three main groups whose discrete logarithms are of interest to cryptographers:
1- The multiplicative group of prime fields, GF(p).
2- The multiplicative group of finite fields of characteristic 2, GF(2^n).
3- Elliptic curve groups over finite fields F, EC(F).

If p is the modulus and is prime, then the complexity of finding discrete logarithms in GF(p) is essentially the same as that of factoring an integer n of about the same size, where n is the product of two primes of approximately equal length. Elliptic curve cryptography (ECC) is used to provide secure key distribution for public key exchange (PKE), encryption and digital signature protocols [4]. The strength of ECC is that it uses smaller key sizes than its rival RSA [5]. As RSA begins to show signs that it cannot cope with the increased demands placed on it, ECC is the fast and effective solution: less computation and less code are required, which gives higher speed and lower power consumption.

The elliptic curve problem was identified in connection with Fermat's theorem that "there is no right triangle with rational sides and area 1" [6]. It was discovered in the early 90's that the sides of a right triangle with rational area d can be computed from the curve

    y^2 = x^3 - d^2 x.                                                          (1)

More generally, the set of values (x,y) is modelled by an elliptic curve

    y^2 = x^3 + ax + b,   where (a,b) are integers such that 4a^3 + 27b^2 ≠ 0.   (2)

The earliest applications of elliptic curves were purely aesthetic, in geometry and fine arts. The first serious application of elliptic curves was prime factorization and primality proving [7]. Koblitz [8] and Miller [4] then independently proposed that elliptic curves could provide an effective cryptographic system, to be applied as an alternative mechanism for digital signatures and for encryption in secure key distribution [9]. Attacks against ECC are an important aspect that has not been explored widely. There are a number of attacks which vary in effectiveness. As yet, the only sure methods are social engineering, which bypasses the encryption completely, and brute force, which has been shown to be infeasible even with massively distributed systems [10].

This paper proposes a new modified variant of the Menezes and Vanstone ECC. Instead of one elliptic curve, the new variant uses a number of curves, each chosen with its corresponding keys to constitute a separate cryptosystem. The message is divided into blocks such that each block is of a length less than the smallest prime P of the curves in use, and a random sequence generator with modular arithmetic determines which curve encrypts/decrypts a given block. In addition to the public keys, the legal parties hold a pre-communication session to compute and exchange other private mutual keys (e.g., the keys of the random sequence generator). The mathematics of elliptic curves is explained in section 2 and the original Menezes-Vanstone elliptic
curve cryptosystem is introduced in section 3. The modified multi-key cryptosystem is explored in section 4 and an implementation example is depicted in section 5. The security of the modified cryptosystem is discussed in section 6 and some conclusions are highlighted in section 7. A list of the used references is given at the end of the paper.

2. MATHEMATICS OF ECC

The mathematics of ECC is extensive and complex; this section covers it only briefly. Equation (2) gives a typical elliptic curve formula. With changing values of a and b, different shapes of elliptic curve are obtained; these may be connected or disjoint, but this does not change the computations [4,6]. For a typical elliptic curve with fixed values a and b, a group of points (x,y) can be derived. This can be performed geometrically by defining tangent and chord lines and calculating their points of intersection with the curve, but that is unnecessarily complex, so implementations use algebraic representations to calculate the set. A further consideration is that calculations on real numbers are slow and introduce rounding errors. Therefore the calculations are constrained to a finite field F_P, with (a,b) in the range [0, P), satisfying

    y^2 mod P = x^3 + ax + b,                                                   (3)

or

    (y^2 + xy) mod P = x^3 + ax^2 + b.                                          (4)

Using F_P means that all operations result in numbers between 0 and P-1, so all rounding errors are eliminated. The given elliptic curves have the following conditions:
1- If q is an odd prime, then a and b shall satisfy 4a^3 + 27b^2 ≠ 0 in F_q, and every point P = (x,y) on E (other than the point at infinity) shall satisfy the equation y^2 = x^3 + ax + b in F_q.
2- If q is a power of 2, b shall be non-zero in F_q, and every point P = (x,y) on E (other than the point at infinity) shall satisfy the equation y^2 + xy = x^3 + ax^2 + b in F_q.
The present paper is interested in the first implementation form, (3). Equation (3) is symmetric about the x-axis. With the set of (x,y) values, three additional values (P, Q, and R) must be calculated.

For any line formed by two points P and Q with Q ≠ -P, there is a third point R where the line intersects the elliptic curve. The point R is derived by adding the points P and Q: the critical property of the elliptic curve is that P + Q = R, where R is the reflection about the x-axis of that third intersection point (the addition formulas below include this reflection). Further, P + P = 2P, and this can be continued until nP is defined; this process is known as scalar multiplication of points. The elliptic curve problem is based on the fact that this process can only be reversed by brute force: given points P and Q on a curve over the finite field defined by the prime, find the scalar k with Q = kP. Therefore, to crack the system, a key k must be found such that kP = Q.

Properties of ECC (y^2 mod p = x^3 + ax + b) are given below [4,6,8]:
1- Identity: P + O = O + P = P for all P ∈ E(K), where O is the point at infinity.
2- Negatives: If P = (x,y) ∈ E(K), then (x,y) + (x,-y) = O. The point (x,-y) is denoted by -P and is called the negative of P; note that -P is a point in E(K) and -O = O.
3- Point addition: An elliptic curve E can be made an abelian group by defining a suitable operation on its points. The operation is written additively and is defined as follows (all arithmetic operations are performed in Z_P). Let P = (x1,y1) ∈ E(K) and Q = (x2,y2) ∈ E(K), where P ≠ ±Q. Then P + Q = (x3,y3), where

    λ = (y2 - y1) / (x2 - x1),   x3 = λ^2 - x1 - x2,   y3 = λ(x1 - x3) - y1.      (5)

   For point doubling, let P = (x1,y1) ∈ E(K) with P ≠ -P (i.e., y1 ≠ 0); then 2P = (x3,y3), where

    λ = (3x1^2 + a) / (2y1),   x3 = λ^2 - 2x1,   y3 = λ(x1 - x3) - y1.            (6)

   With this definition of addition, it can be shown that E is an abelian group with the point at infinity as identity element.
4- Point multiplication: To obtain nP, the multiplier n is represented in binary and the double-and-add technique is used as follows. Assume n = (10)_10 = (1010)_2 = (b3 b2 b1 b0), where b0 = 0, b1 = 1, b2 = 0 and b3 = 1. This means that 10P = 2P + 8P. Thus we obtain 2P = P + P, then 4P = 2P + 2P, and finally 8P = 4P + 4P. To obtain 10P, we add 2P + 8P.

Example: a = 2, b = 9, P = 11.
    z = 4a^3 + 27b^2 mod 11 = 8 ≠ 0, so y^2 = x^3 + 2x + 9 mod 11 is indeed an elliptic curve.
The Hasse interval is determined from q + 1 - 2√q ≈ 12 - 6 = 6 to q + 1 + 2√q ≈ 12 + 6 = 18, i.e., [6,18]. The points on this curve (besides the point at infinity) are:
    (0,3), (0,8), (1,1), (1,10), (3,3), (3,8), (4,9), (4,2), (5,1), (5,10), (7,5), (7,6), (8,3), (8,8)
It is clear that the number of points, including the point at infinity, is 15.
Notes
1- Because any group of prime order is cyclic, when the number of points is prime any point other than the point at infinity is a generator of E, which means that all the other points can be obtained by repeated addition of that point to itself.
2- For a given x, we can test whether z = x^3 + a·x + b mod p is a quadratic residue by applying Euler's criterion: z^((p-1)/2) mod p = 1.
3- There is an explicit formula to compute square roots of quadratic residues modulo p for primes p ≡ 3 (mod 4). Applying this formula, the square roots of a quadratic residue z are ± z^((p+1)/4) mod p.
5- Order of a point: The repeated addition of a point to itself (scalar multiplication) generates new points Q = kP; however, there is always some k for which kP is the point at infinity. The order of a point P is the smallest positive integer r such that rP yields the point at infinity.

3. THE ORIGINAL MENEZES-VANSTONE ECC

1- Let E be an elliptic curve defined over Z_P (P > 3 prime) such that E contains a cyclic subgroup H in which the discrete log problem is intractable. Let the plaintext and ciphertext spaces and the key set be

    𝒫 = Z_P^* × Z_P^*,   𝒞 = E × Z_P^* × Z_P^*,   𝒦 = {(E, α, a, β) : β = aα},    (7)

   where α ∈ E. The values α and β are public, and a is secret.
2- For K = (E, α, a, β), for a secret random number k ∈ Z_|H|, and for x = (x1, x2) ∈ Z_P^* × Z_P^*, define the encryption operation as

    e_K(x, k) = (y0, y1, y2),  where y0 = kα, (c1, c2) = kβ,
    y1 = c1·x1 mod P  and  y2 = c2·x2 mod P.                                   (8)

   (k must be chosen so that both coordinates c1, c2 of kβ are non-zero; otherwise they have no inverse modulo P.)
3- For a ciphertext y = (y0, y1, y2), define the decryption operation as

    d_K(y) = (y1·c1^(-1) mod P, y2·c2^(-1) mod P),                              (9)

   where a·y0 = (c1, c2).

4. THE MODIFIED MULTI-KEY ECC

In the original Menezes-Vanstone elliptic curve cryptosystem, the following remarks can be highlighted:
1- The system uses only one key set K = (E, α, a, β).
2- For each pair of values (x1, x2), four values (y0, y1, y2) are obtained, where y0 = kα is a point with two coordinates. This means that the ciphertext is double the size of the original plaintext.
3- The encryption key is k and the decryption key is a.
4- The sizes of k and a are made big enough and carefully selected to make it difficult for any intruder to guess or disclose them. However, if someone can disclose them, the system is very easily broken.
In the modified cryptosystem, multiple key sets are used, each of the form K_i = (E_i, α_i, a_i, β_i).
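Before the multi-key variant is detailed, the following Python example, added here and not code from the paper or its program, carries out the arithmetic of section 2 and the Menezes-Vanstone operations (7)-(9) of section 3 on the text's own curve y^2 = x^3 + 2x + 9 over Z_11. The generator α = (1,1), the secret key a = 7, the nonce k = 4 and the plaintext pair (9,10) are constructed for the demonstration, and the names Curve, mv_public_key, mv_encrypt, mv_decrypt and demo are this example's own. Point counting uses Euler's criterion and the p ≡ 3 (mod 4) square-root formula from the notes, which applies because 11 ≡ 3 (mod 4).

```python
# Added example, not code from the paper or its program: elliptic-curve
# arithmetic over Z_p (section 2) and the original Menezes-Vanstone scheme
# (section 3) on the text's curve y^2 = x^3 + 2x + 9 over Z_11.

INF = None  # the point at infinity O, the group identity


def inv(v, p):
    """Inverse in Z_p; raises ValueError when v == 0 mod p (Python 3.8+)."""
    return pow(v, -1, p)


class Curve:
    """y^2 = x^3 + a*x + b over Z_p, p an odd prime, with 4a^3 + 27b^2 != 0."""

    def __init__(self, p, a, b):
        if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve or p too small")
        self.p, self.a, self.b = p, a % p, b % p

    def add(self, P, Q):
        """Chord-and-tangent addition, equations (5) and (6)."""
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF  # Q == -P, which also covers doubling a point with y == 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * inv(2 * y1, p) % p  # tangent slope, (6)
        else:
            lam = (y2 - y1) * inv(x2 - x1, p) % p  # chord slope, (5)
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, n, P):
        """Double-and-add over the bits of n, most significant bit first."""
        R = INF
        for bit in bin(n)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def is_qr(self, z):
        """Euler's criterion: nonzero z is a square mod p iff z^((p-1)/2) == 1."""
        return pow(z, (self.p - 1) // 2, self.p) == 1

    def sqrt(self, z):
        """Square root of a quadratic residue when p = 3 (mod 4): z^((p+1)/4)."""
        if self.p % 4 != 3:
            raise ValueError("formula needs p = 3 (mod 4)")
        return pow(z, (self.p + 1) // 4, self.p)

    def points(self):
        """All affine points: test each x with Euler's criterion, then take roots."""
        pts = []
        for x in range(self.p):
            z = (x**3 + self.a * x + self.b) % self.p
            if z == 0:
                pts.append((x, 0))
            elif self.is_qr(z):
                y = self.sqrt(z)
                pts += [(x, y), (x, self.p - y)]
        return pts

    def order(self, P):
        """Smallest r > 0 with r*P == O (naive search, fine for toy curves)."""
        r, Q = 1, P
        while Q is not INF:
            Q, r = self.add(Q, P), r + 1
        return r


# Original Menezes-Vanstone scheme, equations (7)-(9): (E, alpha, beta) public.
def mv_public_key(E, alpha, a):
    return E.mul(a, alpha)  # beta = a*alpha, a is the secret key


def mv_encrypt(E, alpha, beta, x, k):
    """e_K((x1, x2), k) = (y0, y1, y2) with y0 = k*alpha and (c1, c2) = k*beta."""
    y0, c = E.mul(k, alpha), E.mul(k, beta)
    if c is INF or 0 in c:
        raise ValueError("pick another k: the mask k*beta must lie in Z_p* x Z_p*")
    return (y0, x[0] * c[0] % E.p, x[1] * c[1] % E.p)


def mv_decrypt(E, a, y):
    """d_K(y) = (y1*c1^-1, y2*c2^-1) where (c1, c2) = a*y0 = a*k*alpha = k*beta."""
    y0, y1, y2 = y
    c1, c2 = E.mul(a, y0)
    return (y1 * inv(c1, E.p) % E.p, y2 * inv(c2, E.p) % E.p)


def demo():
    E = Curve(11, 2, 9)                 # the curve of the worked example
    alpha = (1, 1)                      # a generator: its order is 15 = #E
    a, k = 7, 4                         # constructed secret key and nonce
    beta = mv_public_key(E, alpha, a)   # = (5, 1)
    y = mv_encrypt(E, alpha, beta, (9, 10), k)
    return E, beta, y, mv_decrypt(E, a, y)
```

demo() yields β = (5,1), the ciphertext ((0,3), 8, 6) and recovers (9,10); Curve(11, 2, 9).points() returns the 14 affine points listed in the example, and order((1,1)) is 15, so (1,1) generates the whole group. mv_encrypt rejects a k for which kβ has a zero coordinate, the condition noted under (8). With several curves, the same two multiplications compute y_0i = k_i α_i and (c_i1, c_i2) = k_i β_i of section 4.2, one curve at a time.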
The plaintext is divided into blocks and each block is encrypted by a different key set. The key sets are randomly selected. For each key set, the values (E_i, α_i, β_i) are made public, and the encryption keys (k_i) as well as the decryption keys (a_i) are kept secret. The values y_0i = k_i·α_i are computed by the transmitter and sent to the receiver, who computes (c_i1, c_i2) = a_i·y_0i and their inverses (c_i1^(-1), c_i2^(-1)), which are used for decryption. This happens in a pre-computation session before the main encryption/decryption session starts. Accordingly, the transmitter computes the ciphertext (y1, y2) for each pair (x1, x2) and sends it to the receiver, who recovers the original plaintext using the corresponding (c_i1^(-1), c_i2^(-1)). The following algorithm describes the system.

4.1. COMPUTING THE ELLIPTIC CURVE PARAMETERS

1- The number of curves to be used in the system is selected as nec and published.
2- For each curve E_i, the parameters (P_i, a_i, b_i) are chosen such that 4a_i^3 + 27b_i^2 ≠ 0 (mod P_i), and a point (x,y) ∈ E_i is chosen such that z_i = x^3 + a_i·x + b_i mod P_i is a quadratic residue. This point is defined as (α_i1, α_i2). The parameter sets (E_i, P_i, a_i, b_i, α_i1, α_i2) are made public.
3- For each curve E_i, a secret key a_i is chosen for decryption and the values (β_i1, β_i2) = a_i·(α_i1, α_i2) are computed using point multiplication as described in section 2. The values (β_i1, β_i2) are made public and the values a_i are kept secret.

4.2. THE PRE-COMPUTATION SESSION

1- For each curve E_i, a secret key k_i is chosen for encryption and the values y_0i = k_i·(α_i1, α_i2) and (c_i1, c_i2) = k_i·(β_i1, β_i2) are computed using point multiplication as described in section 2. The values y_0i are sent to the decryptor; the values (c_i1, c_i2) as well as k_i are kept by the encryptor.
2- The decryptor uses the values a_i to compute (c_i1, c_i2) = a_i·y_0i and their inverses (c_i1^(-1), c_i2^(-1)). The values (c_i1^(-1), c_i2^(-1)) will be used for decryption.
3- The elliptic curves are chosen randomly by the encryptor and decryptor. To do that, a quadratic chaotic formula of the form

    X_n = µ · X_(n-1) · (1 - X_(n-1))                                           (10)

   is used to obtain a random number, which is transformed into an integer n. The modular value n mod nec determines which one of the elliptic curves is used. Once the elliptic curve is determined, its parameters are used for encryption; the decryptor runs the same process to determine the elliptic curve used for decryption. The equation is iterated a certain number of times before its output is used. This means that the values of µ and X_0, as well as the number of iterations of the chaotic equation, should be exchanged between the legal parties before starting the main encryption/decryption session. Now the two parties are ready for the main encryption/decryption session.

4.3. ENCRYPTION/DECRYPTION MAIN SESSION

1- The message is divided into blocks (x_i1, x_i2) of suitable length (each block value is less than the smallest prime P in use). For each pair of blocks (x1, x2), the encryptor determines the elliptic curve to be used for encryption and uses the
corresponding values (c_i1, c_i2) to obtain the ciphertext (y1, y2) = (c_i1·x1 mod P, c_i2·x2 mod P), which is sent to the decryptor.
2- The decryptor determines the elliptic curve to be used for decryption and uses the corresponding precomputed inverses of c_i1 and c_i2 to recover the original plaintext as (c_i1^(-1)·y1 mod P, c_i2^(-1)·y2 mod P).

5. AN IMPLEMENTATION EXAMPLE

The modified algorithm has been programmed. The program was run for a case example of two elliptic curves with the following results.

5.1. SYSTEM PARAMETERS

The number of elliptic curves (i.e., nec) = 2. Assume the elliptic curve parameters are chosen as follows.
5.1.1. FOR THE FIRST CURVE: P_1 = 6, a_1 = , b_1 = 7, α_11 = 7, α_12 = 98. With the decryption key a_1 = 9, we compute β_11 = 9, β_12 = . An encryption key is chosen as k_1 = .
5.1.2. FOR THE SECOND CURVE: P_2 = 7, a_2 = 4, b_2 = 4, α_21 = 7, α_22 = 5. With the decryption key a_2 = 47, we compute β_21 = 5, β_22 = 45. An encryption key is chosen as k_2 = 5.
The coefficients of the quadratic chaotic equation are chosen as X_0 = 0. and µ = .

5.2. PRE-OPERATION COMPUTATIONS

1. Using this information, the encryptor computes the values y_01, y_02 and sends them to the decryptor:
    y_01 = k_1·(α_11, α_12) = ·(, 98) = (9, 0)
    y_02 = k_2·(α_21, α_22) = 5·(7, 5) = (60, 50)
2. The decryptor uses the received values y_01, y_02 to compute c_1, c_2 and their inverses as follows:
    (c_11, c_12) = a_1·y_01 = 9·(9, 0) = (7, 65), with inverses (c_11^(-1), c_12^(-1)) = (, 74)
    (c_21, c_22) = a_2·y_02 = 47·(60, 50) = (00, 7), with inverses (c_21^(-1), c_22^(-1)) = (9, 55)

5.3. MAIN ENCRYPTION/DECRYPTION SESSION

Now the encryptor uses the values (c_i1, c_i2) to encrypt the plaintexts and the decryptor uses the inverses (c_i1^(-1), c_i2^(-1)) to decrypt the ciphertexts and obtain the original plaintexts. Because the primes were short, the message blocks were single alphabetical characters: each character is treated as a separate block, enciphered by the encryptor and then deciphered by the decryptor. In a real implementation, the primes are chosen big enough and message blocks of suitable size are treated accordingly.
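The main session of sections 4.2-4.3, as an added Python example that is not the paper's program. The two primes (163 and 127), the per-curve masks (c_i1, c_i2), the session keys X_0 = 0.123456789, µ = 3.99 with 200 warm-up iterations, and the message are all constructed values; the masks stand in for the k_i·β_i that the pre-computation session would produce with the point multiplication of section 2. The paper does not say how X_n is turned into an integer, so taking its first six decimal digits is an assumption of this example, as are the names LogisticSelector, to_blocks, curve_schedule, encrypt_blocks, decrypt_blocks, recover_mask and run_session.

```python
# Added example, not the paper's program: the multi-key session of sections
# 4.2-4.3.  The logistic map (10) picks, for each plaintext pair, the curve
# whose mask (c_i1, c_i2) applies; the receiver derives the same schedule and
# unmasks with the precomputed inverses.  Primes, masks, session keys and the
# message below are constructed; the masks stand in for k_i*beta_i.
from decimal import Decimal, getcontext


class LogisticSelector:
    """X_n = mu * X_{n-1} * (1 - X_{n-1}), iterated `warmup` times before use.

    Sender and receiver must evaluate the map with identical arithmetic or
    their schedules diverge after a few steps; fixed-precision Decimal gives
    a reproducible sequence where platform floats would not.
    """

    def __init__(self, x0, mu, warmup, nec, precision=40):
        x0, mu = Decimal(x0), Decimal(mu)
        if not (0 < x0 < 1 and Decimal("3.57") <= mu <= 4):
            raise ValueError("need 0 < X0 < 1 and 3.57 <= mu <= 4 (section 6.1.2)")
        getcontext().prec = precision
        self.x, self.mu, self.nec = x0, mu, nec
        for _ in range(warmup):
            self._step()

    def _step(self):
        self.x = self.mu * self.x * (1 - self.x)
        if self.x == 0:  # fixed point of the map: the schedule would freeze
            raise ValueError("selector collapsed to 0; choose other keys")
        return self.x

    def next_index(self):
        # Assumption: the integer n is the first six decimal digits of X_n;
        # the paper only says X_n is "transformed into an integer".
        return int(self._step() * 10**6) % self.nec


def to_blocks(msg, p_min):
    """Pair up bytes as (x1, x2); each value must lie in Z_p* of the smallest
    prime in use (section 4.3).  Odd-length input is padded with a space."""
    data = msg + (b" " if len(msg) % 2 else b"")
    blocks = [(data[i], data[i + 1]) for i in range(0, len(data), 2)]
    if any(not 0 < v < p_min for blk in blocks for v in blk):
        raise ValueError("block value outside Z_p* of the smallest prime")
    return blocks


def from_blocks(blocks):
    return bytes(v for blk in blocks for v in blk)


def curve_schedule(selector, nblocks):
    """Curve index for every block, as each party derives it from its own selector."""
    return [selector.next_index() for _ in range(nblocks)]


def encrypt_blocks(blocks, curves, schedule):
    """(y1, y2) = (c_i1*x1 mod P_i, c_i2*x2 mod P_i) on the scheduled curve i."""
    out = []
    for (x1, x2), i in zip(blocks, schedule):
        p, (c1, c2) = curves[i]
        out.append((x1 * c1 % p, x2 * c2 % p))
    return out


def decrypt_blocks(cipher, curves, schedule):
    """Apply the precomputed inverses c_i1^-1, c_i2^-1 on the same schedule."""
    out = []
    for (y1, y2), i in zip(cipher, schedule):
        p, (c1, c2) = curves[i]
        out.append((y1 * pow(c1, -1, p) % p, y2 * pow(c2, -1, p) % p))
    return out


def recover_mask(plain, cipher, p):
    """What one known plaintext pair reveals: by (8) y = c*x, so c = y*x^-1 mod p."""
    (x1, x2), (y1, y2) = plain, cipher
    return (y1 * pow(x1, -1, p) % p, y2 * pow(x2, -1, p) % p)


# Constructed parameters: nec = 2 curves given as (P_i, (c_i1, c_i2)).
CURVES = [(163, (37, 65)), (127, (100, 17))]
P_MIN = min(p for p, _ in CURVES)
SESSION = dict(x0="0.123456789", mu="3.99", warmup=200, nec=len(CURVES))


def run_session(msg=b"Menezes-Vanstone"):
    blocks = to_blocks(msg, P_MIN)
    tx = curve_schedule(LogisticSelector(**SESSION), len(blocks))  # sender side
    rx = curve_schedule(LogisticSelector(**SESSION), len(blocks))  # receiver side
    cipher = encrypt_blocks(blocks, CURVES, tx)
    plain = from_blocks(decrypt_blocks(cipher, CURVES, rx))
    return tx, cipher, plain
```

run_session() returns the curve schedule, the ciphertext pairs and the decrypted message, which equals the input. Two checks matter in practice. First, both parties must iterate (10) with bit-identical arithmetic: the map amplifies any rounding difference, so native floats on different platforms or compilers would produce different schedules, which is why the example fixes the Decimal precision. Second, recover_mask shows that, by (8), a single known plaintext pair reveals the mask (c_i1, c_i2) of the curve it was encrypted on; from then on the secrecy of the schedule is what protects later blocks assigned to that curve, which is the reasoning behind case (2) of section 6.2.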
The following text was given to the program, and the results are given below. The obtained pairs were then given back to the program to decipher them, and the original plaintext was successfully extracted.

"This is an algorithm for multi-application of the elliptic curve cryptography (ECC). A system of ECCs is designed with different elliptic curves. The message is divided into blocks where each block is dealt with separately. A simple quadratic equation is used in its chaotic region as a pseudo-random number generator. The generated numbers indicate which elliptic curve will be used for encryption. The Menezes-Vanstone algorithm is mainly applied to each block to take two blocks (m1, m2) and yield two ciphers (C1, C2). The receiver decrypts (C1, C2) to obtain the received message (m1, m2)."

The output of the encryption, in pairs, is:
(,85), (,6), (8,50), (4,9), (59,8), (8,56), (58,0), (46,46), (,70), (90,47), (67,7), (49,56), (67,), (94,4), (65,9), (57,7), (6,79), (9,9), (05,56), (65,9), (49,8), (8,4), (56,9), (65,86), (46,4), (9,8), (58,50), (78,70), (,5), (8,), (94,56), (,65), (67,5), (97,8), (6,76), (49,79), (97,56), (6,85), (8,4), (54,4), (87,47), (70,5), (8,7), (8,), (8,6), (65,65), (0,4), (49,7), (8,76), (90,5), (67,), (87,47), (6,4), (07,), (8,88), (46,6), (07,0), (49,65), (,9), (,9), (65,86), (67,58), (,7), (75,65), (97,5), (49,70), (8,5), (58,8), (07,79), (65,9), (7,4), (7,6), (97,4), (9,), (56,9), (69,86), (46,4), (,5), (6,6), (7,0), (46,4), (07,), (67,58), (07,4), (,58), (9,88), (67,9), (49,70), (46,9), (88,4), (49,5), (6,6), (8,08), (04,65), (6,65), (67,65), (7,), (04,4), (88,8), (49,5), (4,9), (07,), (67,58), (46,7), (58,76), (67,0), (07,76), (04,4), (6,65), (6,56), (97,56), (65,65), (9,4), (56,9), (5,9), (4,50), (0,4), (58,5), (8,44), (94,7), (7,56), (59,70), (07,), (67,65), (07,6), (59,70), (07,4), (49,4), (07,), (67,6), (4,5), (7,4), (07,49), (8,50), (,9), (7,86), (7,4), (65,9), (7,4), (97,5), (4,9), (46,49), (67,7), (4,9), (78,6), (9,4), (,4), (57,56), (7,49), (,4), (0,4), (49,6), (0,44), (46,56), (67,79), (46,8), (46,56), (7,76), (49,56), (56,9), (,85), (9,9), (4,65), (9,5), (6,7), (65,65), (,9), (9,4), (,58), (9,46), (4,9), (,8), (,50), (05,56), (,5), (67,0), (04,9), (7,86), (8,5), (9,4), (,4), (65,9), (7,4), (7,6), (97,4), (46,4), (8,50), (58,8), (88,5), (8,4), (6,65), (,9), (75,5), (6,4), (9,49), (7,56), (8,4), (65,9), (49,8), (56,9), (,85), (9,9), (57,5), (9,5), (0,65), (6,44), (7,7), (9,), (65,5), (49,65), (8,56), (58,0), (49,56), (,70), (90,47), (8,50), (6,4), (,56), (,8), (58,8), (8,56), (6,79), (58,50), (46,58), (67,70), (49,4), (46,7), (7,86), (8,58), (58,4), (7,07), (67,70), (49,4), (,56), (4,5), (8,76), (,5), (67,44), (58,4), (7,07), (4,9), (4,), (44,0), (0,79), (70,4), (59,8), (7,4), (6,50), (9,8), (7,4), (65,0), (49,4), (7,9), (78,86), (46,56), (6,4), (4,5), (44,7), (7,79), (70,5), (67,46), (90,5), (8,9), (97,5), (7,65), (07,4), (9,46), (8,88), (46,5), (6,4), (78,70), (4,9), (54,), (44,0), (7,79), (7,9), (,4), (8,4), (88,70), (7,50), (9,9), (65,86), (46,4), (97,5), (7,65), (,), (46,58), (8,47), (46,6), (4,56), (7,5), (8,), (,9), (,47), (6,5), (57,4)

6. SECURITY OF THE SYSTEM

All of the discussion about the security of elliptic curve cryptosystems applies to our system. Beside that, new security features arise. In this section, we discuss the following security issues:
6.1. CHOOSING THE SYSTEM KEYS

There are two types of system keys.
1- The first type includes the encryption/decryption keys: the encryption keys (k_i) and the decryption keys (a_i), 1 ≤ i ≤ nec, where nec is the number of elliptic curves used by the system.
2- The second type includes the coefficients of the chaotic quadratic equation, i.e., X_0 and µ, as well as the number of iterations of the quadratic equation before its output is used to generate the random numbers that select the elliptic curve.
The first type of keys is more critical than the second one. However, keeping both types secret makes the system stronger. For both types of keys there are different cases that might or might not help an attacker.

6.1.1. THE ENCRYPTION/DECRYPTION KEYS

ECC offers considerably greater security for a given key size. Compared to its competitors Diffie-Hellman and RSA, ECC uses shorter keys for encryption and decryption. The smaller key size makes much more compact implementations possible for a given level of security, which means faster cryptographic operations running on smaller chips or in more compact software. This advantage exists because the inverse operation of ECC gets harder, faster, with increasing key length than do the inverse operations in Diffie-Hellman and RSA. As security requirements become more stringent and processing power gets cheaper and more available, ECC becomes the more practical system: considerably more modest increases in key length are needed to address the threat, which keeps ECC implementations smaller and more efficient than the others. ECC can use a considerably shorter key and offer the same level of security as other asymmetric algorithms using much larger ones.
Moreover, the gulf between ECC and its competitors in terms of the key size required for a given level of security becomes dramatically more pronounced at higher levels of security [4,6,8]. For instance, equivalent key sizes for ECC and RSA, matched to AES key sizes according to NIST guidelines, are given in Table (1).

Table (1): Equivalent key sizes for ECC and RSA according to NIST guidelines for public key sizes for AES
    ECC key size (bits)   RSA key size (bits)   Key size ratio   AES key size (bits)
    163                   1024                  1:6              -
    256                   3072                  1:12             128
    384                   7680                  1:20             192
    512                   15360                 1:30             256

6.1.2. COEFFICIENTS OF THE PSEUDORANDOM SEQUENCE GENERATOR

The equation used to determine which elliptic curve system encrypts/decrypts a block is a simple quadratic equation that uses an initial value X_0 to generate new values X_n = X_(n-1) · µ · (1 - X_(n-1)). There are three keys for the quadratic equation: the initial value X_0, the coefficient µ, and the number of iterations before the equation's output is actually used. It should be highlighted that this type of equation has been tested and used for generating pseudorandom output sequences. Under certain conditions on X_0 and µ, the output of the equation can be pseudorandom with very long cycles, which means that the output sequences satisfy the randomness tests inside each cycle and thus do not repeat. Results show that the output of the equation is very sensitive to the values of X_0 and µ. The value of X_0 is less than 1 and the value of µ should satisfy 3.57 ≤ µ ≤ 4. The values X_0 and µ can be chosen with at least a few tens of decimal digits (up to about 40), and the number of iterations N_i of the equation before its output is used should likewise be chosen large. It is better to choose different keys (X_0, µ and N_i) for each session [12-14].

6.2. DISCLOSING THE SYSTEM KEYS

There are four cases for disclosing the system keys. Table (2) shows these cases.
Table (2): Cases of disclosing the system keys
    Case   Encryption/decryption keys   Quadratic equation keys
    (1)    Not known                    Not known
    (2)    Disclosed                    Not known
    (3)    Not known                    Disclosed
    (4)    Disclosed                    Disclosed

1. CASE (1): NO KEYS ARE DISCLOSED: This is the secure case, where no one except the legal parties can encrypt/decrypt any message. To become a legal party, a pre-communication session must be held to exchange the different keys.
2. CASE (2): ONLY THE ENCRYPTION/DECRYPTION KEYS ARE DISCLOSED: Disclosing some of the encryption/decryption keys does not help an attacker decrypt a message sent by a legal party, because the elliptic curve and the applied keys change from one message block to another. This means that even if some of the encryption/decryption keys are known, it is not known when they are applied and to which elliptic curve. Moreover, disclosing all of the encryption/decryption keys does not help the attacker decrypt a message sent by a legal party either, because although the attacker knows all of the keys, he/she does not know when and to which elliptic curve they are applied. Note, however, that the selector hides only which of the nec masks was applied to a block: an attacker holding every (c_i1, c_i2) can apply each of the nec candidate inverses to a block and keep the plausible result, so the strength of this case depends on nec being large and the selector sequence being unpredictable (nec = 2 in the example of section 5).
3. CASE (3): ONLY THE RANDOM NUMBER GENERATOR KEYS ARE KNOWN: This case does not help an attacker decrypt any message received from the
encryptor, because the attacker does not know any of the encryption/decryption keys.
4. CASE (4): BOTH THE ENCRYPTION/DECRYPTION KEYS AND THE RANDOM NUMBER GENERATOR KEYS ARE KNOWN: If this case happens, the system is fully broken. The attacker can then do whatever he/she likes: forge the identities of the legal parties, i.e., send new messages to the receiver in place of the original transmitter, and decrypt any message sent by the transmitter and disclose the information in it.
It should be highlighted here that there is a fifth case in which some of the encryption/decryption keys as well as some of the random number generator coefficients are disclosed. Breaking the system then depends on the disclosed information. However, it is still hard to obtain all the system keys from knowledge of some of them.

6.3. ATTACKING THE SYSTEM

There is a profound difference in difficulty between the forward and inverse operations at the centre of all popular asymmetric schemes; that is the source of their usefulness. In RSA it is integer multiplication (forward) and factorization (inverse) that make the system work. In Diffie-Hellman it is discrete exponentiation (forward) and the discrete logarithm (inverse). In ECC it is point multiplication (forward) and the elliptic curve discrete logarithm problem (inverse). In all of these cases, the difficulty of the brute-force approach to the inverse operation increases exponentially with the size of the key: the number of values that must be tried doubles with each bit added to the key length [15]. It turns out that for all of these cryptosystems the brute-force method is not quite the best one can do. For Diffie-Hellman and RSA, one can try to retrieve the private key from the public key (or the plaintext from the public key and the ciphertext) via the index calculus method, whose difficulty grows sub-exponentially with the key length.

There are shortcuts for the inverse operations, just as there is a shortcut (double-and-add) for point multiplication, but the shortcuts for the inverse operations are not as good. A typical number field sieve variant of the index calculus method, the best available for Diffie-Hellman, gets sub-exponentially more difficult as the field size increases. However, a graph of the number of steps one must perform (on average) to find a key via the index calculus method against the key size is still fairly steep [15]. This curve of the number of steps versus the key size, and the index calculus attack it describes, are what one has to keep in mind when choosing a key length for asymmetric cryptography, and that is the calculation actually being done when choosing the size of RSA and Diffie-Hellman keys: how big must the key be so that the best available attack, index calculus in this case, is still too much trouble, for now and for some decades, assuming hardware continues to get faster at roughly the rate it has in the past? Index calculus attacks are demanding enough that asymmetric cryptography is feasible despite them, provided the key is kept large enough. ECC, however, can do better and with smaller keys, because elliptic curve cryptosystems are not vulnerable to index calculus attacks: index calculus attacks rely on certain group properties that are not present in groups defined using elliptic curves [15]. The best one can do against ECC is another, more general-purpose attack, Pollard's rho attack, which belongs to the class of "collision search" attacks. These also do better than brute force, but they get harder a lot faster than index calculus attacks do as the field size increases: Pollard's rho attack gets more difficult with the size of the group (which is itself exponential in the key size).

The resulting curve, a plot of the number of operations against the key length, is considerably steeper than the curve for the index calculus attack described above [15].

7. CONCLUSIONS

A new modified variant of the Menezes and Vanstone elliptic curve cryptosystem has been proposed. The new variant uses the original Menezes and Vanstone elliptic curve cryptosystem but in a more elegant way. A number of elliptic curves are used instead of only one elliptic curve as in the former variant. Each curve has its corresponding keys and can be considered a separate cryptosystem. The message is thus divided into blocks, where each block is of a length less than the smallest prime number P of the used elliptic curves. The system uses a random sequence generator and modular arithmetic to determine the elliptic curve which is used to encrypt/decrypt a given message block. The system keys are of two types: the first type includes the encryption/decryption keys and the second type includes the random sequence generator coefficients. The legal parties hold a pre-communication session to compute and exchange their private mutual keys (e.g., the keys of the random sequence generator). The mathematics of elliptic curve cryptosystems was discussed, the original Menezes-Vanstone cryptosystem and the proposed variant were introduced, an implementation example was explained, and the security of the proposed variant was discussed.

REFERENCES

[1] Stinson, D.R.: "Cryptography: Theory and Practice", CRC Press, London, 1995.
[2] Schneier, B.: "Applied Cryptography: Protocols, Algorithms, and Source Code in C", 2nd Edition, John Wiley & Sons, Inc., New York, 1996.
[3] Arslanian, S.T.: "An implementation of the ElGamal elliptic curve cryptosystem over a finite field of characteristic P", Master's thesis, University of Maine, 1998.
[4] Miller, V.: "Uses of elliptic curves in cryptography", Advances in Cryptology, Proceedings of Crypto 85, Lecture Notes in Computer
Science, v. 218, pp. 417-426, Springer-Verlag, 1986.
[5] Rivest, R.L.; Shamir, A. and Adleman, L.M.: "A method for obtaining digital signatures and public key cryptosystems", Communications of the ACM, v. 21, n. 2, pp. 120-126, 1978.
[6] Hankerson, D.; Menezes, A.J. and Vanstone, S.: "Guide to elliptic curve cryptography", Springer-Verlag, 2004.
[7] Koblitz, N.; Menezes, A. and Vanstone, S.: "The state of elliptic curve cryptography", Designs, Codes and Cryptography, 19, 173-193, Kluwer Academic Publishers, 2000.
[8] Koblitz, N.: "Elliptic curve cryptosystems", Mathematics of Computation, 48: 203-209, 1987.
[9] Diffie, W. and Hellman, M.E.: "New directions in cryptography", IEEE Transactions on Information Theory, 22(6): 644-654, Nov. 1976.
[10] Wiener, M. and Zuccherato, R.: "Faster attacks on elliptic curve cryptosystems", in Selected Areas in Cryptography, Lecture Notes in Computer Science v. 1556, 190-200, Springer-Verlag, August 1999.
[11] ANSI X9.62: "Public key cryptography for the financial services industry: The elliptic curve digital signature algorithm (ECDSA)", 1999.
[12] Rahouma, K.H.: "A chaos-based stream cipher algorithm for high speed networks and real time applications", Proceedings of the Applied Telecommunication Symposium, part of the 2000 Advanced Simulation Technologies Conference (ASTC2000), April 16-20, 2000, Washington, D.C., USA.
[13] Rahouma, K.H. and Zinterhof, P.: "An authentication and digital signature scheme based on block cipher hashing and RSA cryptography", Proceedings of the Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS2000), Vancouver, BC, Canada, July 16-20, 2000.
[14] Alligood, K.T. et al.: "Chaos: An Introduction to Dynamical Systems", Springer, New York, 1996.
[15] Deviceforge.com: "An intro to Elliptical Curve Cryptography (from Certicom): An Elliptic Curve Cryptography (ECC) Primer, Why ECC is the next generation of public key cryptography", available at: http:// 8.html

More information