Points of High Order on Elliptic Curves ECDSA

Transcription

1 ! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov Date: Course Code: 5MA41E Subject: Mathematics Level: Master degree Department Of Technology

2 Abstract This master thesis is about Elliptic Curve Digital Signature Algorithm or ECDSA and two of the known attacks on this security system. The purpose of this thesis is to find points that are likely to be points of high order on an elliptic curve. If we have a point P of high order and if Q = mp, then we have a large set of possible values of m. Therefore it is hard to solve the Elliptic Curve Discrete Logarithm Problem or ECDLP. We have investigated on the time of finding the solution of ECDLP for a certain amount of elliptic curves based on the order of the point which is used to create the digital signatures by those elliptic curves. Method: Algebraic Structure of elliptic curves over finite fields and Discrete logarithms. This has been done by two types of attacks namely Baby Step, Giant Step and Pollard s Rho and all of the programming parts has been done by means of Mathematica. Conclusion: We have come into a conclusion of having the probable good points which are the points of high order on elliptic curves through the mentioned attacks in which solving the ECDLP is harder if these points have been used in generating the digital signature. These probable good points can be estimated by means of a function we have come up with. The input of this function is the order of the point and the output is the time of finding the answer of ECDLP. Keywords: Digital signature (DS.), Elliptic Curve Digital Signature Algorithm (ECDSA), Elliptic Curve Discrete Logarithm Problem (ECDLP), Baby Step, Giant Step (Bs.Gs.), Pollard s Rho.

3 Acknowledgements I would like to thank my supervisor, Per-Anders Svensson for an amazing supervision. I thank him for his patience and his massive help through this master thesis. I also thank my husband for his encouragement and infinite support besides his unconditional love. Eventually, I appreciate all of those who has been working on the related subject and has been trying to improve it. Behnaz Kouchaki Barzi 2

4 List of Tables 1 The table of Double-and-Add example Multiple of the point P List of Q jmp The table of Pollard s Rho example Order Of Points P i Order Of Points P i The Table of Bs.Gs. for 100 Curves with Only One Q

5 List of Figures 1 The story of sending secret messages Generation and Verification of Digital Signature [13] Addition of Points on an Elliptic Curve[13] Addition of Points on an Elliptic Curve [13] Addition of Points on an Elliptic Curve [13] Baby Step, Giant Step for 30 different Q Baby Step, Giant Step for Only One Q Time Limit/ Baby Step, Giant Step Time Limit/ Baby Step, Giant Step Time Limit/ Baby Step, Giant Step Time Limit/ Baby Step, Giant Step Final Time Limit/ Baby Step, Giant Step The graph of the Bs.Gs. according to the real data The graph of the data according to the function (Bs.Gs) The combination of the last two graphs (Bs.Gs) Time Limit/ Pollard s Rho Time Limit/ Pollard s Rho Final Time Limit/ Pollard s Rho The graph of the Pollard s Rho according to the real data The graph of the data according to the function (Pollard s Rho) The combination of the last two graphs (Pollard s Rho)

6 Contents 1 Introduction 6 2 Background A brief history and some Terminology The Discrete Logarithm Problem Symmetric and Asymmetric ciphers Diffie-Hellman key exchange for DLP Digital signature Elliptic Curve Addition of Points on an Elliptic Curve Elliptic Curve over Finite Fields Double-and-Add Algorithm ECDLP & ECDSA The Elliptic Curve Discrete Logarithm Problem or ECDLP The Elliptic Curve Digital Signature Algorithm or ECDSA Attacks on ECDSA Baby Step, Giant Step Attack Pollard s Rho Attack Implementation on Baby Step, Giant Step and Pollard s Rho method Baby Step, Giant Step Implementation Pollard s Rho Implementation Performance Evaluation Of Implementation Appendix. 49 5

7 1 Introduction Security is one of the most controversial concepts in the world. People are communicating with each other every single second via their mobile phones or laptops by sending and receiving s, electronic documents, electronic payments, financial transactions and so forth. Obviously, there has to be many ways of providing the security of these communications so that people could trust them. Digital signature is a form of providing security for some kinds of communications and one of the newest form of security system is Elliptic Curve Digital Signature Algorithm (ECDSA). We all know that there is no form of security which is complete and has 100% reliability, thus there is always a risk of an attack on any security system. Two of the known attacks on ECDSA are namely Baby Step, Giant Step (Bs.Gs) and Pollard s Rho. The Baby Step, Giant Step (Bs.Gs) attack is based on two steps and we would reach to a solution of Elliptic Curve Discrete Logarithm Problem (ECDLP) if we could have an intersection between those two steps. The Pollard s Rho attack is almost similar to the Bs.Gs attack and also they have the same running time but there is a quite important difference between them. The difference is that the Bs.Gs. attack requires more storage space than the Pollard s Rho attack. In this thesis, we have tried to see how these two attacks work together with a hint of how to choose the point on the elliptic curve in a way that the digital signature generated by it would be more secure against the mentioned attacks. This more secure way is that we need to find points with high order and the entire process will be explained within this thesis. First of all, we need to know about digital signatures in general and then about digital signatures based on elliptic curves. In order to generate a digital signature, asymmetric cryptography is used. We have two keys in asymmetric cryptography namely a Public key and a Private key. The public key is obviously revealed for everybody. However the private key is a key which is not clear at all and if somebody knows it then the digital signature can be forged. Therefore the solution of ECDLP is the private key. There are known deterministic algorithm of different types of attacks on ECDLP; for more reading, refer to the book [13], or some articles namely [15], [3], [4], [23]. If one uses any of the attacks and is not able to reach to the private key within a certain time limit, then one has found a point on the curve which is likely to be a good point. A good point means a point with high order which is used in ECDSA and make the digital signature more secure. Behnaz Kouchaki Barzi 6

8 Therefore, we are going to use the algorithm of these two attacks and see if we are able to find a probable good point. The mathematics which is used in this method is Algebraic Structure of elliptic curves over finite fields and Discrete logarithms. We are almost done with the first section (Introduction Section) and the second section is devoted to definitions of the cryptography, asymmetric cryptography, The discrete logarithm problem, Diffie and Hellman and digital signatures as a background. In the section three, we will have a quite complete section about elliptic curve and its properties. Section four is all about ECDSA and ECDLP with some examples. For the fifth section, we will have a quite complete explanation of two types of attacks on ECDSA; Baby Step, Giant Step attack and Pollard s Rho attack. Eventually, in section six, we will have a section of explaining what we have done within this thesis and the hint about the point of high order which was mentioned earlier together with Mathematica codes of the entire process. After all, there will be a section of performance evaluation of implementation as the final section; Section seven. Behnaz Kouchaki Barzi 7

9 2 Background 2.1 A brief history and some Terminology. The word cryptography comes from the Greek words; kryptos and graphein which means hidden and writing [5]. Cryptology is a science which has been used to help people to communicate with each other hidden and it has provided security for the communications. In other words, the main reason of this science is to provide a security for two people or a group of people to communicate without letting other people or stranger to know about the details of that communication. Throughout the history, cryptography has been used and the earliest ones are from the ancient Egypt, Greece and Rome. Egyptian used hieroglyphs in order to communicate hidden. In Greece, they have the idea of wrapping a tape of paper around a specific stick and then write a message on it and afterwards send the paper tape to the receiver; On the other hand, the receiver should have had similar stick in order to wrap the paper tape around it so that he or she could decrypt the message. The Roman s idea was Caesar Shift Cipher which was named after the Julius Caesar and it is a type of substitution cipher. In this method, they simply wrote the message down and shift the letters and the receiver should have done the shifting backwards in order to read the message [5]. After middle ages, both cryptography and cryptanalysis have improved due to need of security for communications. This science has been used in World War I and II. The invention of radio in 1900 made the cryptographic concept change and improve especially in military and political situations therefore the need of such these security kept increasing until now that the communications are often made digitally with more complicated algorithms thus we are always in urge of preparing security [13]. We have barely touched the concept of the history of the cryptography so far and for further reading refer to [24] and [16]. Here we explain some useful terminology: Plaintext: Ciphertext: A message that is not encrypted. A message that has been encrypted. Key: A parameter which is used in both encryption and decryption in order to convert plaintext to ciphertext or contrariwise. Behnaz Kouchaki Barzi 8

10 Symmetric cipher: In these kinds of algorithms, the same key is used both for encryption and decryption. Asymmetric cipher: Or Public Key Cryptosystems that different keys are used for encryption and decryption. The story is that for example Alice wants to send Bob a message, without Eve knowing the concept of the message. Figure 1: The story of sending secret messages As mentioned earlier, the word cryptology comes from the Greek word kryptos and it is divided into two categories; Cryptography and Cryptanalysis: Cryptography: Designing the cryptosystems or the algorithm of encryptions are in the concept of cryptography. We have mainly two types of ciphers namely substitution ciphers and transposition ciphers. Below, the definition of these two ciphers are respectively explained: 1. Substitution cipher: In this type, each letter (or a group of letters) is replaced by another letter (or group of letters). Behnaz Kouchaki Barzi 9

11 2. Transposition cipher: The letters are permuted. We can mix both substitution cipher and transposition cipher in order to encrypt. Cryptanalysis: In this concept, the problem of breaking the ciphers and finding the keys are discussed in which there are four different types of attacks based on how much information does Eve know. 1. Ciphertext only: Eve only has the information about the ciphertext. 2. Known plaintext: In addition to the ciphertext, Eve knows the plaintext as well. (So that she can conclude about the key.) 3. Chosen plaintext: Eve can choose her own plaintext and encrypt it and she can do this more and more until a conclusion will be derived about the nature of the key based on the ciphertext she receives. 4. Chosen ciphertext: Eve can choose her own ciphertext and decrypt it and get the conclusion about the nature of the key based on the plaintext she receives. A secure cryptosystem is a system which is mixed of both substitution and transpositions ciphers as well as being secure against all of these four mentioned attacks. When it comes to design a cryptosystem, it is only important to have the key secret not the algorithm of encryption and decryption; this is called Kerckhoff s principle [13]. In this thesis, we mainly focus on asymmetric cryptography or public key cryptosystem in which there are two keys; private key and public key. Imagine that Alice and Bob want to exchange a message using a symmetric cipher. In order to exchange a message without letting their adversary Eve knows the message, they have to agree on a secret key in advance but what if there is no secure way of communication so that they can agree on a secret key?[6]. Behnaz Kouchaki Barzi 10

12 2.2 The Discrete Logarithm Problem In order to explain the discrete logarithm problem, first we need to know some definitions and theorems. Theorem 1. [13].Primitive Root Theorem. Let p be a prime number and F p be a finite group. Thus there exists an element g F p whose powers give every element of F p i.e, F p = {1, g, g 2, g 3,, g p 2 }. Those elements which have this property are called primitive roots of F p or generators of F p. They are the elements of F p having the order of p 1. Theorem 2. [13].Fermat s little theorem. If p is a prime number then we have: g p 1 1 (mod p) for every integer g such that (g, p) = 1. Now we can define the discrete logarithm problem as the following: Definition 2.1. [13].The Discrete Logarithm. Let p be a prime number and g be a primitive root modulo p. The discrete logarithm modulo p of h is the smallest positive integer x satisfying g x h (mod p). And it is written as log g (h) (mod p). The Discrete Logarithm Problem or DLP. Before we state the DLP, we need some algebra definitions. Behnaz Kouchaki Barzi 11

13 Definition 2.2. [10].Group. A set G under a binary operation is a group G, if the following axioms are satisfied: 1. Associativity. For all a, b, c G, we have: (a b) c = a (b c). 2. Identity element. There is an element, usually stated as e such that for every other element a in G we have: a e = e a = a. 3. Inverse. For every element a in G, there is an element a in G such that:. a a = a a = e [3]. Definition 2.3. [10].Abelian Group. Let G be a group with binary operation. If for every element a, b G we have: a b = b a then we say that the group G is Abelian. Definition 2.4. [10].Order of the group G. Let G be a group. If G is a finite set, then the order of G is the number of elements in G and we write o(g) = m, where m is the number of elements in G. Behnaz Kouchaki Barzi 12

14 Definition 2.5. [10].Order of an element a. Let G be a finite group and a G. The order of the element a is the smallest positive integer n such that a n = e. It is written: o(a) = n. Theorem 3. [10].Let G be a finite group and a G. The order of the element a is a divisor of the order of G; i.e. o(a) o(g). Definition 2.6. [10].Cyclic Group. Let G be a group and a G. Assume that G is a finite group and o(g) = n. If the order of the element a is the same as the order of the group G; i.e. o(g) = o(a) = n, then the element a is a generator of the group G. We write, G = a and say that G is a cyclic group. Eventually, we are ready to define the DLP. Definition 2.7. [13].Discrete Logarithm Problem or DLP. Let G be a group and g, h G. The problem of solving the following discrete logarithm g x = h is the so-called Discrete Logarithm Problem or DLP. The solution will be denoted as x = log g h; if there is a solution though. Remark. [13].If G is a finite group then the element g generates a subgroup {e, g, g 2,, g n 1 } where n is the order of g and besides the solutions to g x = h are calculated modulo n. Behnaz Kouchaki Barzi 13

15 2.3 Symmetric and Asymmetric ciphers. In a symmetric cryptography, we need only one key in order to encrypt and decrypt. This key is chosen from a set of possible keys K. Let C be the set of all possible ciphertexts and M be the set of all possible plaintexts. In the encryption step we will do as the following function: e : K M C and for the decryption step we will have the following function: d : K C M which satisfies d(k, e(k, m)) = m k K, m M. In an asymmetric cryptography, we use a pair of key as mentioned before; i.e. the key is: k = (k public, k private ). Everybody can do the encryption by the public key however, in order to decrypt, one has to know the private key. In our example, if Alice and Bob wants to use the symmetric cipher, they must have exchanged their private key before. What will happen if there is no secure way for them to exchange the private key? This has an answer which Diffie and Hellman came up with and it ended up to the new concept which is called public key cryptosystem [6]. Remark. In 1985, Koblitz and Miller has proposed the public key cryptosystem based on elliptic curves over finite fields [17], [11] and afterwards, many people has been putting lots of efforts on the mentioned concept. They have used elliptic curves over finite fields for several cryptosystems, namely, Diffie-Hellman key exchange algorithm, elliptic curve digital signature algorithm (ECDLP) [9]. 2.4 Diffie-Hellman key exchange for DLP. Alice and Bob wants to agree on a key through an insecure channel. They can do this according to the following steps without letting Eve get the key [13]. 1. Alice and Bob agree on a prime number p and a nonzero integer g modulo p. Behnaz Kouchaki Barzi 14

16 2. Alice chooses a secret number a randomly and computes A = g a (mod p) and sends it to Bob. 3. Bob chooses a secret number b randomly and computes B = g b (mod p) and sends it to Alice. 4. Alice computes B a = g ab (mod p) and Bob computes A b = g ab (mod p). This number is their key. Therefore, according to the above key exchange, Alice and Bob are safe to communicate, however this depends on the level of the security which they have. The problem for Eve to solve, in order to get the key is the so-called DLP which is somehow difficult and this difficulty relies on the numbers which Alice and Bob has chosen to make the key. Eventually, after Diffie-Hellman s paper New Direction in Cryptography [6], there were several related contribution. To know more about the public key cryptography see [16], [7], [8], [33]. 2.5 Digital signature. A digital signature is a way of proving authentication and therefore, it can increase the security of communication. It is not a scanned form of the usual signature which we do it by paper and ink but an electronic stamp of authentication. Digital signatures are generated by cryptography methods thus they are some encrypted data to indicate the validity of the signer. Here, we have Samantha as the signer and Victor as the verifier. The story is about Samantha having a document and sending it to Victor but she wants Victor to be sure that she has sent the document. She has to use a secure way of signing the document so that the signature can not be forged by adversaries. Yes! Digital signature is what she is looking for! Asymmetric cryptography is used to generate the digital signature therefore, there are two keys; public key and private key. Samantha has a document which she wants to sign. She uses her private key to sign the document via a special algorithm (which will be explained later on). Then, Victor can verify the digital signature by the public key according to a specific algorithm. Some terminology: K P ri K P ub D sig A private signing key. A public verification key. Digital signature. Behnaz Kouchaki Barzi 15

17 D Digital document. Remark. Hash function A cryptographic hash function is a function which takes document of arbitrary length as an input and refers to a number of fixed length as the output. The mentioned hash function has to be quick to calculate as well as being almost impossible to find the original document from the hash value (output) i.e, a hash function has to be a one way function that it is quite hard to invert. In addition to the earlier properties, the hash function is strongly collision-free which means that it is almost impossible to find different messages while their hash values are the same. For more reading refer to [23], [35]. In order to sign a document, first the signer (Samantha) uses a hash function to get a unique hash result and then by means of a private key one can transform the hash result into a digital signature. Totally, Samantha sends the digital document, the public key and the information about how to verify the signature (such as a hash algorithm). To verify a digital signature Victor needs a new hash; this is provided by computing a new hash result of the digital document. The new hash result is created by the same hash function which Samantha has used to generate the digital signature. Therefore by using the public key and the new hash result, one can verify whether the digital signature is valid or not [13]. Figure 2: Generation and Verification of Digital Signature [13]. Behnaz Kouchaki Barzi 16

18 In figure 2, the process of generating a digital signature together with the verification step is shown. In this thesis, we are working with elliptic curves therefore, we will explain the digital signature algorithm based on elliptic curves after we explained all about elliptic curves and the related properties. Behnaz Kouchaki Barzi 17

19 3 Elliptic Curve. The concept of elliptic curve is a quite vast topic and we try to only focus on the part we need and some useful properties for cryptography. There are several references for additional reading related to elliptic curve cryptography namely [2], [18], [22], [27]. An elliptic curve with real coefficients is defined by an equation of the form: y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 5 (1) where a 1, a 2, a 3, a 4, a 5 R. We may assume a 1 = a 2 = a 3 = 0 since the affine change of variables x = X a a 2 3 y = Y a 1 2 X + a a 1a 2 a alter (1) to the so-called Weierestrass form as the following: Y 2 = X 3 + AX + B (2) for some A, B R. Definition 3.1. Elliptic Curve. An elliptic curve over R is a set of all solutions to the equation (2) where A, B R and 4A B 2 0, together with the point at infinity O. Behnaz Kouchaki Barzi 18

20 3.1 Addition of Points on an Elliptic Curve Let E be an elliptic curve and let P = (x 1, y 1 ) and Q = (x 2, y 2 ) be two points on E. There are three cases that we are facing. First, we explain about the case in which x 1 x 2. In this case, the line L through P and Q intersects the curve E at a third point that is called R. Next, we reflect this point in the x axis, in order to obtain another point on E which is called R. The point R is defined as the sum of P and Q for the first case, see figure 3, [13]. Figure 3: Addition of Points on an Elliptic Curve[13]. In the second case, assume that x 1 = x 2 whereas P and Q are different. The line through the points P and Q is a vertical line and therefore, it does not intersect E in a third point. In the case of P = Q while y coordinate is zero, the same thing as the second case will happen. In these cases, we consider the point at infinity O as the sum of P and Q, see figure 4, [13]. Remark. For every point P on E, we have P + O = P since the line through P and the point at infinity is a vertical line through P. Remark. We define O + O = O. Behnaz Kouchaki Barzi 19

21 Figure 4: Addition of Points on an Elliptic Curve [13]. Finally the third case. In this case we want to add the point P to itself or i.e. P = Q = (x, y). As we have done for the other cases, we draw a line through the both points which we want to add together and in this case, it will be the line L which has to be the tangent of the curve E at the point P and it intersects the curve E at the point R. Then we reflect the point R in the x axis which yields to the point of R. Hence we have: P + P = 2P = R, see figure 5, [13]. Behnaz Kouchaki Barzi 20

22 Figure 5: Addition of Points on an Elliptic Curve [13]. Theorem 4. [13].Let E be an elliptic curve then E is an Abelian group with respect to addition of points on E. In other words (P + Q) + R = P + (Q + R) for all P, Q, R E Associative. P + Q = Q + P for all P, Q E Commutative. P + O = P for all P E Identity. P + ( P ) = O Inverse. Theorem 5. [13].Elliptic Curve Addition Algorithm. Let Y 2 = X 3 + AX + B be an elliptic curve and let P 1 and P 2 be points on E. If P i = O for i = 1 or i = 2, then P 1 + P 2 = P 3 i. Otherwise, put P 1 = (x 1, y 1 ) and P 2 = (x 2, y 2 ). If x 1 = x 2 and y 1 = y 2, then P 1 + P 2 = O. Otherwise, let x 3 = λ 2 x 1 x 2 and y 3 = λ(x 1 x 3 ) y 1 where λ is defined as Behnaz Kouchaki Barzi 21

23 λ = y 2 y 1 x 2 x 1 if P 1 P 2 and λ = 3x2 1 + A 2y 1 if P 1 = P 2. Then we have P 1 + P 2 = (x 3, y 3 ). 3.2 Elliptic Curve over Finite Fields In this section we will study the elliptic curves over finite fields which are quite useful and important in cryptography in terms of the order of the curve, their properties and so forth [13], [36]. Definition 3.2. Let F = F p be the finite field of order p where p 5 (For more reading see the chapter 5.7 of [13]). An elliptic curve over F p is: E : Y 2 = X 3 + AX + B where A, B F p satisfy 4A 3 +27B 2 0 in F p. In addition to all of the solutions of the above equation of E, we have the point at infinity O. Example 1. Let E : Y 2 = X 3 + 3X + 2 be a finite elliptic curve over F 5. In order to write all of the points on E, we need to solve the above equation for all possible x in F 5 = {0, 1, 2, 3, 4}. Afterwards, we will get E(F 5 ) = {O, (1, 1), (1, 4), (2, 1), (2, 4)}. Theorem 6. [36].Let E be a finite elliptic curve over the finite field F p. Then E(F p ) Z n or Z n1 Z n2 for some integers n 1, or for some integers n 1, n 2 1 with n 1 dividing n 2. Behnaz Kouchaki Barzi 22

24 Theorem 7. [13].Hasse s Inequality. Let E be an elliptic curve over a finite field of F p. Then the order of the curve i.e, #E(F p ) satisfies the following inequality: p + 1 #E(F p ) 2 p. 3.3 Double-and-Add Algorithm. In this section we explain an efficient way of calculating the multiple of a point on an elliptic curve which is called double-and-add algorithm. There are several papers which have proposed some ways to speed up the above algorithm namely [12], [37], [27]. We would like to compute np := P + P + P. }{{} n terms We use the binary expansion n = Σ r i=0 n i2 i where n i {0, 1}. Then we compute the sequence Q 0, Q 1,, Q r in E(F p ) as it is explained below: Q 0 = P, Q 1 = 2Q 0, Q 2 = 2Q 1,, Q r = 2Q r 1. We notice that Q i = 2 i P hence: Σ r i=0n i Q i = Σ r i=0(n i 2 i )P = np. The double-and-add algorithm for elliptic curves.[13]. Input. P E(F p ) and integer n Set Q = P and R = O. 2. Loop while n > 0. (a) If n 1 (mod 2), set R = R + Q. (b) Set Q = 2Q and n = n Return the point R, which equals np. Behnaz Kouchaki Barzi 23

25 Example 2. Assume that we have an elliptic curve E over a finite field F 997. Let P = (36, 88) be a point on the curve. We want to calculate 250P according to the double-and-add algorithm. Since 250 = we need the multiple of the point P with the above numbers. i Q i = 2 i P P = 2P = (191, 446) P = 4P = (937, 766) P = 8P = (696, 429) P = 16P = (481, 657) P = 32P = (810, 587) P = 64P = (962, 310) P = 128P = (134, 332) Table 1: The table of Double-and-Add example. Now we add the needed Q i in order to get 250P. 250P = Q 1 + Q 3 + Q 4 + Q 5 + Q 6 + Q 7 = (220, 367). Behnaz Kouchaki Barzi 24

26 4 ECDLP & ECDSA. 4.1 The Elliptic Curve Discrete Logarithm Problem or ECDLP. In the section 2.7, we have defined DLP in a group G. In the case of elliptic curves, we have the group of points on an elliptic curve and the group is E(F p ) where F p is a finite field. Let P, Q E(F p ). The elliptic discrete logarithm of Q with respect to P is the smallest positive integer n satisfying Q = P + P + + P. }{{} n additions on E It is also written as n = log P (Q). Definition 4.1. ECDLP. The ECDLP is the problem of finding the answer of n = log P (Q) which is the integer n such that Q = np i.e., finding out that how many times P must be added to itself in order to create Q. The discrete logarithm problem for elliptic curves is rather difficult in comparison to the corresponding problem in the multiplicative group of F p. One might have though that why we use elliptic curves in cryptography and the answer is quite simple; it is very hard to attack the ECDLP. Besides, there is an estimation in [2] that indicates elliptic curve cryptosystem needs less power consumption and smaller chip size [36]. In the following, we will study the Elliptic Curve Digital Signature Algorithm or ECDSA and in the fifth section we will study two types of attacks on it namely, Baby Step, Giant Step attack and Pollard s Rho Method. Behnaz Kouchaki Barzi 25

27 4.2 The Elliptic Curve Digital Signature Algorithm or ECDSA. The Elliptic Curve Digital Signature Algorithm is an analogue of the Digital Signature Algorithm [15]. DSA method uses the multiplicative group of finite fields whereas ECDSA uses the group of E(F p ) where E is an elliptic curve over a finite field F p. The story is about Samantha who wants to sign a document m by means of ECDSA. She uses a hash function in order to refer to the document she wants to sign, therefore m is an integer. Samantha chooses an elliptic curve E over a finite field F p where #E(F p ) = fr, where r is a quite large prime and f is a small integer. She also chooses a point P on the curve such that the order of P is r. Then, Samantha takes a secret number a as her private key and she computes Q = ap. The following information will be public F p, E, r, P, Q (f can be also public). Below, there will be the steps of generating the digital signature based on elliptic curves. First, we have the steps for signing the document as the following [36]: 1. Samantha chooses a random integer k where 1 k < r, then computes R = kp = (x, y). 2. She also computes s = k 1 (m + ax) (mod r). Remark.. One may wonder that what if k does not have an inverse? The answer is that since r is a prime number hence the inverse of k and s do exist. Hence, the signed document is (m, R, s). Below comes the steps of verification of the signature [36]; hence, Victor does the following: 1. He computes u 1 = s 1 m (mod r) and u 2 = s 1 x (mod r). 2. He also computes V = u 1 P + u 2 Q. 3. The signature is valid if and only if V = R. i.e. for verification we have: V = u 1 P + u 2 Q = s 1 mp + s 1 xq = s 1 (mp + xap ) = kp = R. Accordingly, the problem of finding the private key a is the so-called ECDLP. Behnaz Kouchaki Barzi 26

28 Example 3. Samantha wants to sign a document and send it to Victor. First, she uses an arbitrary hash function to get the hash value of the document she wants to sign. Document Hash Value: m = Next, she chooses an elliptic curve over a finite field; such as: y 2 = x x Over the Finite Field F Then, she chooses a point on the curve such that the order of the point is quite large. P = (5859, 5775), r = o(p ) = Samantha chooses a private key a = and she computes Q = ap = (12591, 12520). Generation Step. 1. Samantha chooses a random integer k such that 1 k < r = 9284 = k = 6683 and computes R = kp = (148, 9595) = (x, y) 2. Secondly, she calculates: s = k 1 (m + ax) (mod r) = s = ( ) = 1805 (mod 9284). The signed document would be: (m, R, s) = (1991, (148, 9595), 1805). Verification Step. Behnaz Kouchaki Barzi 27

29 1. To verify the signature, Victor computes u 1 = s 1 m = = 6127 (mod 9284) and also u 2 = s 1 x = = 3976 (mod 9284). 2. Eventually, he computes V = u 1 P + u 2 Q = (148, 9595) = R. Since Victor has V = R, then he verified that the signature is valid. Behnaz Kouchaki Barzi 28

30 5 Attacks on ECDSA. There are several known attacks on ECDSA so far but we will mention only two of them here in this section and for more reading refer to [15]. 5.1 Baby Step, Giant Step Attack. This method has been developed by Shanks [30] and it needs approximately N steps and also N storage to be accomplished where N is the order of the group [36]. Since our main focus is elliptic curves then we always assume that we have an elliptic curve E over a finite field F p and we let P and Q be points on the curve such that Q = ap where a is the private key. Since this type of attack needs N storage to be accomplished then it is not useful for large elliptic curve groups. Baby Step, Giant Step Algorithm. 1. Compute p p and name it m. 2. Make and store a list of ip for 1 i < m as the Baby Step. 3. Make another list of Q jmp for j = 0, 1, 2,, m 1 until a match is found with the stored list above; as the Giant Step. As soon as a match is found then we can find the private key a; i.e. a = i + mj (mod o(p )). Example 4. Consider E : Y 2 = X X as an elliptic curve over the finite field F Let P = (1049, 1968) and Q = (725, 1836). We have Q = ap and we want to compute m. The order of P is Now we start to generate the first list which is the Baby Step by multiplying the point P by i = 1, 2,, m 1 where m is calculated as m = = 61. Behnaz Kouchaki Barzi 29

31 Baby Step. i ip = (1049, 1968) 1 P = (1049, 1968) 2 2P = (2161, 625) 3 3P = (1509, 565) P = (384, 744).. Table 2: Multiple of the point P. We also generate the Giant Step as the following: Giant Step. j Q jmp 0 Q = (725, 1836) 1 Q mp = (2879, 3415) 2 Q 2mP = (3465, 2958). 60 Q 60mP = (384, 744). Table 3: List of Q jmp. Now that we have found a match, we can compute a. Since the position of the match in the first list is 37 and for the second one is 60, then we have: a = i + mj = m = = 181 (mod 1758). Therefore, we have found the private key or in other word the integer which is multiplied by P and gives us Q. Q = ap (725, 1836) = 181 (1049, 1968). Behnaz Kouchaki Barzi 30

32 5.2 Pollard s Rho Attack. Pollard s Rho attack has an advantage in comparison to the Baby Step, Giant Step attack which is about the storage of data. Baby Step, Giant Step method requires a storage of N however Pollard s Rho attack needs less storage [36]. There are several papers about Pollard s Rho method namely, [3], [1], [34], [38]. In the last two mentioned papers, there are some random walks through the Pollard s Rho method in order to speed up the entire process and we will explain some of it later in this section. The Pollard s Rho method is an improvement of the Baby Step, Giant Step method which was first proposed by Pollard [32]. It is called Pollard s Rho method since the shape of the points within its algorithm looks like the Greek letter ρ. First, we explain the Pollard s Rho method by its original walk then we mention a few words about the other iterating functions which is used in the algorithm [34]. Let E be an elliptic curve over a finite field F p and write G = E(F p ). Let P and Q be two points on the curve such that Q = kp where k is the private key and the order of P is n. We want to find k. Pollard s Rho Algorithm.[28]. 1. By using a hash function we divide the group of elliptic curve G into three parts; roughly equal size say S 1, S 2, S Define an iterating function f : G G such that: Q + R i, R i S 1 R i+1 = f(r i ) = 2R i, R i S 2 P + R i, R i S 3 3. Put R i = a i P + b i Q and a i, R i S 1 a i+1 = 2a i (mod n) R i S 2 a i + 1, R i S 3 and b i+1 = b i + 1, R i S 1 2b i (mod n) R i S 2 b i, R i S 3 Behnaz Kouchaki Barzi 31

33 4. Start by an initial value R 1 = P thus a 1 = 1 and b 1 = 0. Then generate pairs (R i, R 2i ) until you find a pair which is a match or R m = R 2m for some integer m. 5. As soon as a match is found then we can compute the private key k. We have: R m = a m P + b m Q R 2m = a 2m P + b 2m Q Since we have Q = kp and also we can have the order of the point P then we can do the computation modulo the order of P, hence a m P + b m Q = a 2m P + b 2m Q a m P + b m kp = a 2m P + b 2m kp (mod n). k = a 2m a m b m b 2m (mod n). Remark. In order to find a unique answer for k there must be gcd (b m b 2m, n) = 1 otherwise we will have d answers for it where gcd (b m b 2m, n) = d. Remark. There are always a match in the sequences in both Baby Step, Giant Step method and Pollard s Rho method since there are finitely many points on an elliptic curve thus soon or later we end up in a cycle. Behnaz Kouchaki Barzi 32

34 Example 5. Assume that E : Y 2 = X X is an elliptic curve over the finite field F 307. Let P = (159, 207) and Q = (72, 10). We compute the order of P which is 31. Now, we are ready to start the process of Pollard s Rho method. We will generate two lists however we do not have to store the lists since we always have to only compare the last element of each list to each other; i.e. we have to compare R i to R 2i where R i is R i = a i P + b i Q. First, we split E(F 307 ) into three subsets: S 1 = {R = (x, y) E(F 307 ) 0 x < }. S 2 = {R = (x, y) E(F 307 ) x < }. S 3 = {R = (x, y) E(F 307 ) x < 307}. Next step is to generate the lists. We start by the initial value R 1 = P thus, a 1 and b 1 = 0 then we will compute R i = a i P + b i Q. i (α i, β i ) R i 1 (1, 0) R 1 = P 2 (2, 0) R 2 = (153, 204) 3 (4, 0) R 3 = (295, 156) 4 (4, 140) R 4 = (270, 165) 5 (4, 267) R 5 = (168, 214). Table 4: The table of Pollard s Rho example. If we keep doing the above process, we will end up having a match which is 4P = 16P + 4Q = (295, 156). Now that we know the coefficients, we can compute the private key k as the following: k = = 28 (mod 31). In the above example, we have used the original Pollard s Rho method in which we have the function f in a way that we only add 1 in the definition of the coefficients a i+1 and b i+1. This function (f) is not random enough since it is following somehow a pattern to generate a i+1 and b i+1 therefore, in order to get a proper result out of Pollard s Rho method, we need to make it as random as we can. Teske has worked on this concept in [34] and we will explain one of the methods that Teske presented, in order to do our implementation within the next section. Behnaz Kouchaki Barzi 33

35 6 Implementation on Baby Step, Giant Step and Pollard s Rho method. The main idea is to find points of high order which seem to be a probable good point in order to generate the digital signature with. A probable good point on an elliptic curve in our case means a point that increases the security of the ECDSA which is made by the mentioned point and by the word probable we try to mention that when we want to find a collision, we do not want to run the algorithm forever! Therefore we have to abort the program after a while and in that case even if we could not find the collision and we say that the point is secure to generate the ECDSA, it would happen that after even one second more that the program would have run, we would have had the collision. This is the reason that we call this point a probable good point. 6.1 Baby Step, Giant Step Implementation. The problem is to find the private key a when Q = ap. We start to explain the Baby Step, Giant Step implementation with our Mathematica codes by an example. We generate 100 elliptic curves and choose 100 points P i on them such that we have one point P on each. Then by random, first, we take 30 points Q ij such that Q ij = ap i for j = 1,, 30 for each curve, second, we take only one point Q i for each curve i. In the third step, we take eleven different intervals to choose the prime number p i from and apply the Baby Step, Giant Step attack with only one point of Q i. Remark. Since the points Q i are randomly chosen, it might be quite quick to solve the ECDLP in some cases although the points P i are the points of high order; i.e. the private key a can be found quicker as you will see later in this section. 1. First, we have done our experiment by choosing 30 points of Q i,j for j = 1, 2,, 30 for each curve. Assume that we have chosen 100 elliptic curves by random and let P i be the 100 points on them in a way that was explained above. We will calculate the order of each P i by the Mathematica codes we have provided as you can see at the end of this section. The curves have been chosen between the primes of 10 6 and 10 7 and below you can see the chart of the points P i and their order. Behnaz Kouchaki Barzi 34

36 P i Order Of Point P i P i Order Of Point P i P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P P Table 5: Order Of Points P i. Behnaz Kouchaki Barzi 35

37 P i Order Of Point P i P i Order Of Point P i P P P P P P P P P P P P P P P P Table 6: Order Of Points P i. Now we get 30 randomly chosen points Q ij for i = 1, 2,, 100 and j = 1, 2,, 30 and for each different Q we solve the ECDLP. The steps we are taking from now on start by fixing the integer m for each curve as it is explained in the section Attacks on ECDSA and the subsection of Baby Step, Giant Step Attack according to Hasse s theorem. Then we generate the two lists of Baby Step and Giant Step. (All is done by the Mathematica codes.) By means of a command in Mathematica which is called Timing, we can calculate the time which takes to get an intersection between the two lists of Baby Step and Giant Step. We get the time of intersection for each Q ij i.e. for each Q ij = ap i where a is a random integer that plays the role of the private key for each turn. Then we have plotted the graph of the order of the points P i according to the times which have taken for each Q ij in order to get the intersection between the two lists. For instance, for P 1 we have 30 different time due to 30 different Q 1j. For our example, we have plotted the graph as you can see the figure 6. Time.Of.Intersection Order.Of.Point Figure 6: Baby Step, Giant Step for 30 different Q. Behnaz Kouchaki Barzi 36

38 In the above graph, each color presents a same point P i but different times for different Q ij. As we have mentioned it earlier, since the points Q are chosen randomly, they might have been multiplied with small integers which is the reason that we get the intersection quickly although sometimes the order of the related point P is high. 2. In this part, we generate 100 elliptic curves as we have done for the previous part. Then, we take only one Q randomly for each curve in order to have Q i = ap i. We calculate the order of each point P i and compute the time of each intersection. Eventually, we plot the graph of time of intersection based on the order of point P i, figure 7. P i Order Of Point P i Point Q i Time Of Intersection P 1 = (34319, 34302) (8578, 15104) P 2 = (32692, 3356) (20732, 21022) P 3 = (9152, 9119) 7315 (3449, 25209) P 4 = (8882, 3674) 7407 (15724, 21439) P 5 = (3141, 4261) 9962 (4269, 2083) P 6 = (18027, 19771) (11011, 5070) P 7 = (35037, 17916) (38386, 33691) P 8 = (6396, 6644) 5174 (2246, 7812) P 9 = (26919, 16796) (10817, 17379) P 10 = (30911, 26839) (19702, 19846) Table 7: The Table of Bs.Gs. for 100 Curves with Only One Q. We keep finding the time of intersection for all of the 100 curves and then we plot the graph as the following, figure 7: TimeOfIntersection OrderofPoint Figure 7: Baby Step, Giant Step for Only One Q. Behnaz Kouchaki Barzi 37

39 By observing the last two graphs, we can say that the time of intersection increases as the order of the point P increases. However, we could observe that since we have chosen the points Q randomly, then the choice of a good point of P might be in relation to the point Q as well, since even if the order of the point P is high enough, we might have had an integer which is multiplied by P and we have got a not so good point Q and this is the reason why some of the intersection times are short although the order of the point P is high. Nevertheless, we conclude that as long as the order of the point P increases the time of intersection increases as well but how and in which manner? It will be explained later on. 3. In the following we have worked on eleven different intervals in which the elliptic curves are chosen in between them in order to do the Baby Step, Giant Step attack. As we have done before, we choose 100 elliptic curves over finite fields F pi and for each eleven times, these p i are chosen from one of those eleven different intervals. Then we take only one point Q i for each P i E(F pi ) and apply the Baby Step, Giant Step method. After, we have applied the method, we plot the graph of the time of intersection of each P i E(F pi ) with Q i. By observing the graph, there is a time for each graph that there are only a couple of points above it; which means that we can stop running the algorithm of Baby Step, Giant Step from that certain time and say that we have found a time limit i.e. we always can find the intersection below this time limit and after that, we might be able to find the intersection or might not! It totally depends on the point Q in this case. Below comes the graphs of the above process. In figure 8, we have those 100 elliptic curves which were chosen among the primes between and and as we can observe from the graph, we can always find the intersection under 0.5 seconds or else we might not find the intersection i.e, most of the intersections have been found under the time of 0.5 seconds. Behnaz Kouchaki Barzi 38

40 TimeOfIntersection OrderofPoint Figure 8: Time Limit/ Baby Step, Giant Step. Here, we will have some more graphs of our investigation and we will see the final graph of all eleven attempts at the end; the graph 12. TimeOfIntersection OrderofPoint Figure 9: Time Limit/ Baby Step, Giant Step. Behnaz Kouchaki Barzi 39

41 TimeOfIntersection OrderofPoint Figure 10: Time Limit/ Baby Step, Giant Step. TimeOfIntersection OrderofPoint Figure 11: Time Limit/ Baby Step, Giant Step. The graph 12 shows that the time limit based on the order of the point P grows exponentially. Behnaz Kouchaki Barzi 40

42 TimeOfIntersection OrderofPoint Figure 12: Final Time Limit/ Baby Step, Giant Step. All of the above three items shows that the order of the point increases as the time of intersection increases and this growth is exponential. By means of the FindFit command in Mathematica (which finds numerical values of the parameters that makes the function give a best fit to the data as a function of variables) we have found the function with the input of the order of the point and the output of the time of intersection as an estimation of finding a probable good point. The function is: f(x) = log x In order to understand the work which has been done, first we will plot the graph of the data, graph 13 and then the graph of the function that has been found according to the data via the FindFit command, graph Figure 13: The graph of the Bs.Gs. according to the real data. Behnaz Kouchaki Barzi 41

43 Figure 14: The graph of the data according to the function (Bs.Gs). Finally, we have combined the both graphs by means of the Show command in Mathematica, in order to see that how close they are and in some sense, how accurate the function is, graph Figure 15: The combination of the last two graphs (Bs.Gs). 6.2 Pollard s Rho Implementation. Here again, the problem is to find the private key a if we have Q = ap. For the Pollard s Rho implementation, we have also used the same method as for Behnaz Kouchaki Barzi 42

44 the Baby Step and Giant Step but this time only for one point of Q or in other word, we have only applied the item three of the Baby Step and Giant Step Implementation. To apply the Pollard s Rho method, we need to have the iterating function f as random as possible. Thus, instead of adding 1 to the sequence of a i and b i according to their definitions, we find two random number t and s and then add it to the sequence a i and b i respectively [34] i.e., a i+1 = a i + t and b i+1 = b i + s. We work with eleven different intervals in which the primes are chosen from and then we do our implementation for only one point Q to find the time of intersection. For instance the first interval is between and After we have applied the Pollard s Rho method - in a way that has been explained for the third item of Bs.Gs. attack- we will have the following graphs: TimeOfIntersection OrderofPoint Figure 16: Time Limit/ Pollard s Rho. Moreover, we will have the following graph for the second interval which is between and Behnaz Kouchaki Barzi 43

45 TimeOfIntersection OrderofPoint Figure 17: Time Limit/ Pollard s Rho. Likewise, we plot the other ninth graph according to the observation we have from the data derived by applying the Pollard s Rho method and then we will see the final graph of all eleven attempts we have done at the end; the graph 18. TimeOfIntersection OrderofPoint Figure 18: Final Time Limit/ Pollard s Rho. As we see from the above graph, the time of intersection grows exponentially as the order of the point grows. It is important to mention that for this investigation, the Pollard s Rho method we have applied is not random enough and that is why we have got longer time to catch the intersection in comparison to Bs.Gs. attack however this process can be applied for sufficiently random Pollard s Rho method and get some useful result out of it. Furthermore, we have found the function with the input of the order of the point and the output of the time of intersection as an estimation of finding a probable good point which can be used in creating a safe digital signature against the Behnaz Kouchaki Barzi 44

46 Pollard s Rho attack. In order to find the function, we have done the same process as in Bs.Gs. therefore, we have used the FindFit command again and then we have found the two parameters a, b which are needed to have a function in the form of a log x + b. The function is: f(x) = log x Below, there are three graphs namely the graph of the real data, graph 19, the graph of the data according to the function which has been found, graph 20 and the last graph is the combination of the first two graphs, graph 21 as we have done for the Bs.Gs attack as well Figure 19: The graph of the Pollard s Rho according to the real data Figure 20: The graph of the data according to the function (Pollard s Rho). Behnaz Kouchaki Barzi 45

47 Figure 21: The combination of the last two graphs (Pollard s Rho). Behnaz Kouchaki Barzi 46

48 7 Performance Evaluation Of Implementation. As we have explained so far in this thesis, the time of intersection increases as the order of the point increases in both types of attacks; Baby Step, Giant Step and Pollard s Rho attack. Now the question is if the method which has been explained before in order to find a time limit for the mentioned attacks can be applied to the ECDSA in which there are larger primes as in reality? In reality, in order to create a digital signature based on elliptic curve we need a quite large prime therefore the primes which have been used in this thesis are considered to be very small primes. The result of the thesis shows that the time of intersection grows exponentially as the order of the prime grows and the large primes will most possibly follow the same function. The main goal of the thesis was to find the probable good point which can be used to create a digital signature based on elliptic curves in a safer way. The time limits which has been found by observing the graphs indicates that under the certain time limit we are able to find the intersection therefore the ECDSA is forged otherwise we might not find the intersection which means that the point which has been used for ECDSA is considered to be a good point or a safer point. However, we might find the intersection right after the time limit we have been expecting, for example the intersection might be found half a second later than the time limit. In other words, assume that we have a certain time limit to see if we can find the intersection. Since we have a certain time limit then the attack has to be stopped when the time limit is over. Here we have two different results. First is the result when the intersection is found within the certain time limit we had. Second is the result when the intersection is not found within the time limit. In the second case we never know the time of intersection which is obviously later than the time limit we have already had, maybe half a second later than the time limit or even one hour later. That is the reason we say those points are probably good points because if the intersection is not found within a certain time limit then we do not know that how long does it take to find the intersection after the time limit, maybe even less than half a second or maybe one hour after the time limit we have estimated. Therefore, if an adversary waits just half a second more then he or she may forge the ECDSA. The above estimation can help us to have a safer ECDSA and have a hint about the point which we better use to create the digital signature we need. There are deterministic methods of finding the generators of elliptic curves over finite fields [19], [29], [31]. Therefore one may ask why not using the deterministic method in order to find the proper elliptic curve which is safe enough for the cryptography purpose? Behnaz Kouchaki Barzi 47

49 The fact is that, the deterministic methods are practically too slow. The deterministic method in [19] computes the group structure of an elliptic curve over a finite field F p under the time of O(p o(1)) [31]. Hence we want to speed up the process as much as possible. The method which has been presented in this thesis has a benefit in comparison to the deterministic methods. The benefit is that, we can decide about the time limit i.e. we can put a time limit ourselves. Since we put the time limit ourselves, we may save some times in order to find the proper elliptic curve according to a certain purpose of a cryptography concept. There is only one important fact that it has been already mentioned couple of times within the thesis and it is that our Pollard s Rho attack is not random enough and therefore in comparison to Bs.Gs. attack it takes more time to be accomplished however if the Pollard s Rho method is random enough then of course it takes less time to find the intersection and to forge the ECDSA. This would be as a future work to find out how the function of order of the point and the time limit will look like with the random enough Pollard s Rho method and the assumption is that it will be exponentially as well. This thesis has the potential of several future works such as working on the larger primes and do the same process or find a way to estimate how fast this method which has been presented within this thesis is. In addition, one can work on the deterministic methods more and see if we can speed up the process. Behnaz Kouchaki Barzi 48

50 8 Appendix. Here comes the Mathematica codes which have been used to implement the goals of the thesis. If we want to add two points on an elliptic curve, we use the following codes: addpoints [ { x1, y1 }, { x2, y2 }, a, b, p ] := Module [ { \ [ Lambda ], x3, y3 }, Quiet [ I f [Mod[ 4 aˆ b ˆ2, p ] == 0, Print [ The curve i s s i n g u l a r! ] ; Abort [ ] ] ; I f [Mod[ y1 ˆ2 x1ˆ3 a x1 b, p ]!= 0 Mod[ y2ˆ2 x2ˆ3 a x2 b, p ]!= 0, Print [ Error : Point ( s ) not on curve! ] ; Abort [ ] ] ; I f [ { x1, y1} == { \ [ I n f i n i t y ], \ [ I n f i n i t y ] }, Return [ { x2, y2 } ] ; Break [ ] ] ; I f [ { x2, y2} == { \ [ I n f i n i t y ], \ [ I n f i n i t y ] }, Return [ { x1, y1 } ] ; Break [ ] ] ; I f [ x1 == x2 && y1 == Mod[ y2, p ], Return [ { \ [ I n f i n i t y ], \ [ I n f i n i t y ] } ] ; Break [ ] ] ; I f [ { x1, y1} == {x2, y2 }, \ [ Lambda ] = Mod[ ( 3 x1ˆ2 + a ) PowerMod [ 2 y1, 1, p ], p ], \ [ Lambda ] = Mod [ ( y2 y1 ) PowerMod [ x2 x1, 1, p ], p ] ] ; x3 = Mod [ \ [ Lambda ] ˆ 2 x1 x2, p ] ; y3 = Mod [ \ [ Lambda ] ( x1 x3 ) y1, p ] ; {x3, y3 } ] ] In order to multiply a point on an elliptic curve with an integer, we use the following codes: multpoint [ n, { x, y }, a, b, p ] := Module [ { double, base2, rounds, x2, y2, neg }, neg = n < 0 ; {x2, y2} = {x, y } ; Behnaz Kouchaki Barzi 49

51 double = { } ; base2 = Reverse [ I n t e g e r D i g i t s [ Abs [ n ], 2 ] ] ; Do [ AppendTo [ double, {x2, y2 } ] ; {x2, y2} = addpoints [ { x2, y2 }, {x2, y2 }, a, b, p ], { Length [ base2 ] } ] ; {x2, y2} = { \ [ I n f i n i t y ], \ [ I n f i n i t y ] } ; Do [ I f [ base2 [ [ i ] ] == 1, {x2, y2} = addpoints [ { x2, y2 }, double [ [ i ] ], a, b, p ] ], { i, Length [ base2 ] } ] ; I f [ neg, Return [ { x2, p y2 } ], Return [ { x2, y2 } ] ] ] In order to subtract two points i.e., (x 1, y 1 ) (x 2, y 2 ): s u b t r a c t p o i n t s [ { x1, y1 }, { x2, y2 }, a, b, p ] := Module [ { }, I f [ x2 == \ [ I n f i n i t y ], Return [ { x1, y1 } ] ] ; I f [ x1 == \ [ I n f i n i t y ], I f [ x2 == \ [ I n f i n i t y ], Return [ { \ [ I n f i n i t y ], \ [ I n f i n i t y ] } ], Return [ { x2, Mod[ y2, p ] } ] ] ; I f [ { x1, y1} == {x2, y2 }, Return [ { \ [ I n f i n i t y ], \ [ I n f i n i t y ] } ] ] ] ; addpoints [ { x1, y1 }, {x2, Mod[ y2, p ] }, a, b, p ] ] In order to find the order of the curve: OrderOfCurve [ a, b, p ] := I f [Mod[ 4 aˆ bˆ2 + b, p ] == 0, Print [ The curve i s s i n g u l a r! ], p Sum [ JacobiSymbol [ xˆ3 + a x + b, p ], {x, 0, p 1 } ] ] We can find the order of a point by using the following codes: OrderOfPoint [ { x, y }, a, b, p ] := Module [ { c a n d i d a t e s }, I f [Mod[ 4 aˆ b ˆ2, p ] == 0, Print [ The curve i s s i n g u l a r! ] ; Abort [ ] ] ; I f [Mod[ yˆ2 xˆ3 a x b, p ]!= 0, Print [ Error : Point not on curve! ] ; Abort [ ] ] ; Behnaz Kouchaki Barzi 50

52 c a n d i d a t e s = D i v i s o r s [ OrderOfCurve [ a, b, p ] ] ; Do [ I f [ multpoint [ c a n didates [ [ i ] ], {x, y }, a, b, p ] == { \ [ I n f i n i t y ], \ [ I n f i n i t y ] }, Return [ candidates [ [ i ] ] ] ; Break [ ] ], { i, Length [ c a n d idates ] } ] ] If we want to find some random elliptic curves which their primes are chosen from an interval such as [A, B] where A, B N then we will use the following codes: RandomElliptic [ s e e d ] := Module [ { p, a, b, x, y, pointp, pointq }, SeedRandom [ seed ] ; p = RandomPrime [ {A, B } ] ; {a, b} = {0, 0 } ; While [Mod[ 4 aˆ b ˆ2, p ] == 0, {a, x, y} = RandomChoice [ Range [ 0, p 1 ], 3 ] ; b = Mod[ yˆ2 xˆ3 a x, p ] ] ; pointp = {x, y } ; pointq = multpoint [ RandomInteger [ Floor [ p Sqrt [ p ] ] ], pointp, a, b, p ] ; {a, b, p, pointp, OrderOfPoint [ { x, y }, a, b, p ], pointq } ] Now we have two more codes; Bs.Gs. and Pollard s Rho codes respectively: c u r v e l i s t = Table [ RandomElliptic [ h ], {h, 1, } ] ; l i s t o f r e s u l t 1 = { } ; Do[ { a, b, p, P, order, Q} = c u r v e l i s t [ [ i ] ] ; m = C e i l i n g [ Sqrt [ Floor [ p Sqrt [ p ] ] ] ] ; AppendTo [ l i s t o f r e s u l t 1, Timing [ I n t e r s e c t i o n [ Table [ multpoint [ l, P, a, b, p ], { l, 1, m 1 } ], Table [ s u b t r a c t p o i n t s [Q, multpoint [m j, P, a, b, p ], a, b, p ], { j, 0, m 1 } ] ] ] ], { i, } ] ; AND Behnaz Kouchaki Barzi 51

53 c u r v e l i s t = Table [ RandomElliptic [ h ], {h, 1, } ] ; l i s t o f r e s u l t 1 = { } ; Do[ { a, b, p, P, order, Q} = c u r v e l i s t [ [ i ] ] ; {t, s } = RandomSample [ Range [ order ], 2 ] ; AppendTo [ l i s t o f r e s u l t 1, Timing [ { \ [ Alpha ], \ [ Beta ] } = {1, 0 } ; j = 1 ; { \ [ Alpha ], \ [ Beta ] } = Mod[ nextpoint [ a, b, p, P, Q, { \ [ Alpha ], \ [ Beta ] }, {t, s } ], order ] ; R1 = g e t p o i n t [ { \ [ Alpha ], \ [ Beta ] }, P, Q, a, b, p ] ; { \ [Gamma], \ [ Delta ] } = Mod[ nextpoint [ a, b, p, P, Q, { \ [ Alpha ], \ [ Beta ] }, {t, s } ], order ] ; R2 = g e t p o i n t [ { \ [Gamma], \ [ Delta ] }, P, Q, a, b, p ] ; While [ R1!= R2 && j <= 1000, { \ [ Alpha ], \ [ Beta ] } = Mod[ nextpoint [ a, b, p, P, Q, { \ [ Alpha ], \ [ Beta ] }, {t, s } ], order ] ; R1 = g e t p o i n t [ { \ [ Alpha ], \ [ Beta ] }, P, Q, a, b, p ] ; Do [ { \ [Gamma], \ [ Delta ] } = Mod[ nextpoint [ a, b, p, P, Q, { \ [Gamma], \ [ Delta ] }, {t, s } ], order ] ; R2 = g e t p o i n t [ { \ [Gamma], \ [ Delta ] }, P, Q, a, b, p ], { 2 } ] ; j ++]; I f [ R1 == R2, { \ [ Alpha ], \ [ Beta ], \ [Gamma], \ [ Delta ] } ] ] ], { i, 100}] where the codes of getpoint and nextpoint are the following: g e t p o i n t [ { \ [ Alpha ], \ [ Beta ] }, P, Q, a, b, p ] := addpoints [ multpoint [ \ [ Alpha ], P, a, b, p ], multpoint [ \ [ Beta ], Q, a, b, p ], a, b, p ] ; ( computes \ [ Alpha ]P + \ [ Beta ]Q on the curve ) AND nextpoint [ a, b, p, pointp, pointq, {m, n }, { t, s } ] := Module [ { nextx }, nextx = F i r s t [ g e t p o i n t [ {m, n }, pointp, pointq, a, b, p ] ] ; I f [ nextx == \ [ I n f i n i t y ], Return [ { 0, 0 } ], Which [ 0 <= nextx < p /3, Return [ {m + t, n } ], p/3 <= nextx < 2 p /3, Return [ { 2 m, 2 n } ], 2 p/3 <= nextx < p, Return [ {m, n + s } ] ] ] ] Behnaz Kouchaki Barzi 52

54 References [1] Bai, S. and Brent, R.P., 2008, January. On the efficiency of Pollard s rho method for discrete logarithms. In Proceedings of the fourteenth symposium on Computing: the Australasian theory-volume 77 (pp ). Australian Computer Society, Inc. [2] Blake, I., Seroussi, G. and Smart, N., Elliptic Curves in Cryptography, volume 265 of London Mathematical Society Lecture Note Series. Vancouver [3] Blumenfeld, A., Pollard s Rho Algorithm for Elliptic Curves. [4] Brumley, B.B. and Tuveri, N., Remote timing attacks are still practical. In Computer Security ESORICS 2011 (pp ). Springer Berlin Heidelberg. [5] Damico, T. (2009). A Brief History of Cryptography. Student Pulse, [online] 1(11). Available at: [Accessed 29 Apr. 2016]. [6] Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEE Trans. Inform. Theory, 22(6), pp [7] Diffie, W 1992, The first ten years of public key cryptology, Contemporary Cryptology. [8] Ellis, JH 1999, THE HISTORY OF NON-SECRET ENCRYPTION, Cryptologia, 23, 3, p. 267, Publisher Provided Full Text Searching File. [9] Fangguo, Z, & Ping, W 2013, Speeding up elliptic curve discrete logarithm computations with point halving, Designs, Codes And Cryptography, 67, 2, pp [10] Fraleigh, J, & Katz, V 2003, A First Course In Abstract Algebra, n.p.: Boston, Mass. : Addison-Wesley, cop [11] Goos, G, Hartmanis, J, Barstow, D, Brauer, W, Brinch Hansen, P, Gries, D, Luckham, D, Moler, C, Pnueli, A, Seegmüller, G, Stoer, J, Wirth, N, Williams, H, & Miller, V 1986, Use of Elliptic Curves in Cryptography, Advances in Cryptology - CRYPTO 85 Proceedings p. 417 n.p.: Supplemental Index. [12] Guajardo, J, & Paar, C 1997, Efficient algorithms for elliptic curve cryptosystems, Advances In Cryptology CRYPTO 97 (Santa Barbara, CA, 1997). [13] Hoffstein, J, Pipher, J, & Silverman, J 2008, An Introduction To Mathematical Cryptography. [Electronic Resource], n.p.: New York ; London : Springer, Behnaz Kouchaki Barzi 53

55 [14] Johnson, D.B. and Menezes, A.J., 1998, January. Elliptic curve DSA (ECDSA): an enhanced DSA. In Proceedings of the 7th conference on USENIX Security Symposium (Vol. 7, pp ). [15] Johnson, D., Menezes, A. and Vanstone, S., The elliptic curve digital signature algorithm (ECDSA). International Journal of Information Security, 1(1), pp [16] Kahn, D 1967, The Code Breakers: The Story Of Secret Writing, London: Weidenfeld & Nicolson, MLA International Bibliography [17] Koblitz, N 1987, Elliptic Curve Cryptosystems, Mathematics of Computation, 177, p. 203, JSTOR Journals [18] Koblitz, N, & Menezes, A 1998, Algebraic Aspects Of Cryptography, n.p.: Berlin : Springer, cop [19] Kohel, D.R. and Shparlinski, I.E., 2000, July. On exponential sums and group generators for elliptic curves over finite fields. In International Algorithmic Number Theory Symposium (pp ). Springer Berlin Heidelberg. [20] Medwed, M. and Oswald, E., Template attacks on ECDSA. In Information Security Applications (pp ). Springer Berlin Heidelberg. [21] Menezes, A., Qu, M., Stinson, D. and Wang, Y., Evaluation of Security Level of Cryptography: ECDSA Signature Scheme. Certicom Research. January, 15. [22] Menezes, A.J., Elliptic curve public key cryptosystems (Vol. 234). Springer Science & Business Media. [23] Menezes, A.J., Van Oorschot, P.C. and Vanstone, S.A., Handbook of Applied Cryptography. Series on discrete mathematics and its applications. [24] Pagni, D 2007, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cyrptography, Journal Of Chemical Education, 84, 6, p [25] Pfitzmann, B. (1996). Digital signature schemes. Berlin: Springer. [26] Pollard, J.M., Monte Carlo methods for index computation (mod p). Mathematics of computation, 32(143), pp [27] Rashidi, B, Sayedi, S, & Farashahi, R 2016, High-speed hardware architecture of scalar multiplication for binary elliptic curve cryptosystems, Microelectronics Journal, 52, pp [28] Seet, M.Z., ELLIPTIC CURVE CRYPTOGRAPHY (Doctoral dissertation, School of Mathematics and Statistics, The University of New South Wales). Behnaz Kouchaki Barzi 54

56 [29] Schoof, R., Elliptic curves over finite fields and the computation of square roots mod p. Mathematics of computation, 44(170), pp [30] Shanks, D., Class number, a theory of factorization, and genera. In Proc. Symp. Pure Math (Vol. 20, pp ). [31] Shparlinski, I.E. and Voloch, J.F., Generators of elliptic curves over finite fields. Preprint. [32] Silverman, J.H., Elliptic curves and cryptography. In PROCEED- INGS OF SYMPOSIA IN APPLIED MATHEMATICS (Vol. 62, p. 91). [33] Singh, S., The code book: the science of secrecy from ancient Egypt to quantum cryptography. Anchor. [34] Teske, E., Speeding up Pollard s rho method for computing discrete logarithms (pp ). Springer Berlin Heidelberg. [35] Wang, X., Yin, Y.L. and Yu, H., 2005, August. Finding collisions in the full SHA-1. In Advances in Cryptology CRYPTO 2005 (pp ). Springer Berlin Heidelberg. [36] Washington, LC 2008, Elliptic Curves. Number Theory And Cryptography, n.p.: Boca Raton, Fla. [u.a.] CRC Press [37] Woei-Jiunn, T, & Chih-Ho, C 2005, Efficient algorithms for speeding up the computations of elliptic curve cryptosystems, Applied Mathematics And Computation, 168, 2, pp [38] Zhang, F. and Wang, P., Speeding up elliptic curve discrete logarithm computations with point halving. Designs, codes and cryptography, 67(2), pp Behnaz Kouchaki Barzi 55

57 !! Faculty of Technology SE Kalmar SE Växjö Phone +46 (0) Lnu.se/faculty-of-technology?l=en