Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.


Elliptic Curves I

1.0 Introduction

The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found in the Background Algebra section. The next section describes the factor that makes elliptic curve groups suitable for a cryptosystem through the introduction of the Elliptic Curve Discrete Logarithm Problem (ECDLP). The last section brings the theory together and explains how elliptic curves and the ECDLP are applied in an encryption scheme.

Elliptic curves as algebraic/geometric entities have been studied extensively for the past 150 years, and from these studies has emerged a rich and deep theory. Elliptic curve systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz from the University of Washington, and Victor Miller, who was then at IBM, Yorktown Heights.

Many cryptosystems require the use of algebraic groups. Elliptic curves may be used to form elliptic curve groups. A group is a set of elements with custom-defined arithmetic operations on those elements. For elliptic curve groups, these specific operations are defined geometrically. Introducing more stringent properties to the elements of a group, such as limiting the number of points on such a curve, creates an underlying field for an elliptic curve group. In this classroom, elliptic curves are first examined over real numbers in order to illustrate the geometrical properties of elliptic curve groups. Thereafter, elliptic curve groups are examined with the underlying fields of $F_p$ (where p is a prime) and $F_{2^m}$ (a binary representation with $2^m$ elements).

2.0 Elliptic Curve Groups over Real Numbers

In general, an elliptic curve over real numbers may be defined as the set of points (x, y) which satisfy an elliptic curve equation of the form:

$$y^2 + axy + by = x^3 + cx^2 + dx + e$$

where x, y, a, b, c, d and e are real numbers. For our purpose, it is sufficient to limit ourselves to equations of the form

$$y^2 = x^3 + ax + b$$

where x, y, a and b are real numbers. Each choice of the numbers a and b yields a different elliptic curve. For example, a = -4 and b = 0.67 gives the elliptic curve with equation $y^2 = x^3 - 4x + 0.67$; the graph of this curve is shown below:

If $x^3 + ax + b$ contains no repeated factors, or equivalently if $4a^3 + 27b^2$ is not 0, then the elliptic curve $y^2 = x^3 + ax + b$ can be used to form a group. An elliptic curve group over real numbers consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity.

P + Q = R is the additive property defined geometrically.

2.1 Elliptic Curve Addition: A Geometric Approach

Elliptic curve groups are additive groups; that is, their basic function is addition. The addition of two points in an elliptic curve is defined geometrically.

The negative of a point $P = (x_P, y_P)$ is its reflection in the x-axis: the point -P is $(x_P, -y_P)$. Notice that for each point P on an elliptic curve, the point -P is also on the curve.

2.1.1 Adding distinct points P and Q

Suppose that P and Q are two distinct points on an elliptic curve, and that P is not -Q. To add the points P and Q, a line is drawn through the two points. This line will intersect the elliptic curve in exactly one more point, call it -R. The point -R is reflected in the x-axis to the point R. The law for addition in an elliptic curve group is P + Q = R. For example:

2.1.2 Adding the points P and -P

The line through P and -P is a vertical line which does not intersect the elliptic curve at a third point; thus the points P and -P cannot be added as previously. It is for this reason that the elliptic curve group includes the point at infinity O. By definition, P + (-P) = O. As a result of this equation, P + O = P in the elliptic curve group. O is called the additive identity of the elliptic curve group; all elliptic curves have an additive identity.

2.1.3 Doubling the point P

To add a point P to itself, a tangent line to the curve is drawn at the point P. If $y_P$ is not 0, then the tangent line intersects the elliptic curve at exactly one other point, -R. -R is reflected in the x-axis to R. This operation is called doubling the point P; the law for doubling a point on an elliptic curve group is defined by:

P + P = 2P = R.

2.1.4 Doubling the point P if $y_P = 0$

If a point P is such that $y_P = 0$, then the tangent line to the elliptic curve at P is vertical and does not intersect the elliptic curve at any other point. By definition, 2P = O for such a point P. If one wanted to find 3P in this situation, one can add 2P + P. This becomes P + O = P. Thus 3P = P.

3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.

2.2 Elliptic Curve Addition: An Algebraic Approach

Although the previous geometric descriptions of elliptic curves provide an excellent method of illustrating elliptic curve arithmetic, they are not a practical way to implement arithmetic computations. Algebraic formulae are constructed to efficiently compute the geometric arithmetic.

2.2.1 Adding distinct points P and Q

When $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ are not negatives of each other, P + Q = R, where

$$s = (y_P - y_Q) / (x_P - x_Q)$$
$$x_R = s^2 - x_P - x_Q \quad \text{and} \quad y_R = -y_P + s(x_P - x_R)$$

Note that s is the slope of the line through P and Q.

2.2.2 Doubling the point P

When $y_P$ is not 0, 2P = R, where

$$s = (3x_P^2 + a) / (2y_P)$$
$$x_R = s^2 - 2x_P \quad \text{and} \quad y_R = -y_P + s(x_P - x_R)$$

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.

An essential property for cryptography is that a group has a finite number of points.


3.0 Elliptic Curve Groups over $F_p$

Calculations over the real numbers are slow and inaccurate due to round-off error. Cryptographic applications require fast and precise arithmetic; thus elliptic curve groups over the finite fields of $F_p$ and $F_{2^m}$ are used in practice.

Recall that the field $F_p$ uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in $F_{23}$ the field is composed of integers from 0 to 22, and any operation within this field will result in an integer also between 0 and 22.

An elliptic curve with the underlying field of $F_p$ can be formed by choosing the variables a and b within the field of $F_p$. The elliptic curve includes all points (x, y) which satisfy the elliptic curve equation modulo p (where x and y are numbers in $F_p$). For example:

$$y^2 \bmod p = (x^3 + ax + b) \bmod p$$

has an underlying field of $F_p$ if a and b are in $F_p$.

If $x^3 + ax + b$ contains no repeating factors (or, equivalently, if $4a^3 + 27b^2 \bmod p$ is not 0), then the elliptic curve can be used to form a group. An elliptic curve group over $F_p$ consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity. There are finitely many points on such an elliptic curve.

Note the seemingly random spread of points for the elliptic curve over $F_p$.

3.1 Example of an Elliptic Curve Group over $F_p$

As a very small example, consider an elliptic curve over the field $F_{23}$. With a = 1 and b = 0, the elliptic curve equation is $y^2 = x^3 + x$. The point (9,5) satisfies this equation since:

$$y^2 \bmod p = (x^3 + x) \bmod p$$
$$25 \bmod 23 = (729 + 9) \bmod 23$$
$$25 \bmod 23 = 738 \bmod 23$$
$$2 = 2$$

The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)
(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)
(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

These points may be graphed as below:

Note that there are two points for every x value. Even though the graph seems random, there is still symmetry about y = 11.5. Recall that for elliptic curves over real numbers, there exists a negative point for each point, which is its reflection through the x-axis. Over the field of $F_{23}$, the negative components in the y-values are taken modulo 23, resulting in a positive number as a difference from 23. Here

$$-P = (x_P, (-y_P \bmod 23))$$

Note that these rules are exactly the same as those for elliptic curve groups over real numbers, with the exception that computations are performed mod p.

3.2 Arithmetic in an Elliptic Curve Group over $F_p$

There are several major differences between elliptic curve groups over $F_p$ and over real numbers. Elliptic curve groups over $F_p$ have a finite number of points, which is a desirable property for cryptographic purposes. Since these curves consist of a few discrete points, it is not clear how to "connect the dots" to make their graph look like a curve. It is not clear how geometric relationships can be applied. As a result, the geometry used in elliptic curve groups over real numbers cannot be used for elliptic curve groups over $F_p$. However, the algebraic rules for the arithmetic can be adapted for elliptic curves over $F_p$. Unlike elliptic curves over real numbers, computations over the field of $F_p$ involve no round-off error, an essential property required for a cryptosystem.

3.2.1 Adding distinct points P and Q

The negative of the point $P = (x_P, y_P)$ is the point $-P = (x_P, -y_P \bmod p)$. If P and Q are distinct points such that P is not -Q, then P + Q = R where

$$s = (y_P - y_Q) / (x_P - x_Q) \bmod p$$
$$x_R = s^2 - x_P - x_Q \bmod p \quad \text{and} \quad y_R = -y_P + s(x_P - x_R) \bmod p$$

Note that s is the slope of the line through P and Q.

3.2.2 Doubling the point P

Provided that $y_P$ is not 0, 2P = R, where

$$s = (3x_P^2 + a) / (2y_P) \bmod p$$
$$x_R = s^2 - 2x_P \bmod p \quad \text{and} \quad y_R = -y_P + s(x_P - x_R) \bmod p$$

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent line at P.

[Figure: Adding two points]

4.0 Elliptic Curve Groups over $F_{2^m}$

Elements of the field $F_{2^m}$ are m-bit strings. The rules for arithmetic in $F_{2^m}$ can be defined by either polynomial representation or by optimal normal basis representation. Since $F_{2^m}$ operates on bit strings, computers can perform arithmetic in this field very efficiently.

An elliptic curve with the underlying field $F_{2^m}$ is formed by choosing the elements a and b within $F_{2^m}$ (the only condition is that b is not 0). As a result of the field $F_{2^m}$ having characteristic 2, the elliptic curve equation is slightly adjusted for binary representation:

$$y^2 + xy = x^3 + ax^2 + b$$

The elliptic curve includes all points (x, y) which satisfy the elliptic curve equation over $F_{2^m}$ (where x and y are elements of $F_{2^m}$). An elliptic curve group over $F_{2^m}$ consists of the points on the corresponding elliptic curve, together with a point at infinity, O. There are finitely many points on such an elliptic curve.

Addition with bit strings is controlled by an XOR function.

There are finitely many points on a curve over $F_{2^m}$.

4.1 An Example of an Elliptic Curve Group over $F_{2^m}$

As a very small example, consider the field $F_{2^4}$, defined by using polynomial representation with the irreducible polynomial $f(x) = x^4 + x + 1$. The element g = (0010) is a generator for the field. The powers of g are:

$g^0$ = (0001)   $g^1$ = (0010)   $g^2$ = (0100)   $g^3$ = (1000)
$g^4$ = (0011)   $g^5$ = (0110)   $g^6$ = (1100)   $g^7$ = (1011)
$g^8$ = (0101)   $g^9$ = (1010)   $g^{10}$ = (0111)   $g^{11}$ = (1110)
$g^{12}$ = (1111)   $g^{13}$ = (1101)   $g^{14}$ = (1001)   $g^{15}$ = (0001)

In a true cryptographic application, the parameter m must be large enough to preclude the efficient generation of such a table, otherwise the cryptosystem can be broken. In today's practice, m = 160 is a suitable choice. The table allows the use of generator notation ($g^e$) rather than bit string notation, as used in the following example. Also, using generator notation allows multiplication without reference to the irreducible polynomial $f(x) = x^4 + x + 1$.

Consider the elliptic curve $y^2 + xy = x^3 + g^4 x^2 + 1$. Here $a = g^4$ and $b = g^0 = 1$. The point $(g^5, g^3)$ satisfies this equation over $F_{2^m}$:

$$y^2 + xy = x^3 + g^4 x^2 + 1$$
$$(g^3)^2 + g^5 g^3 = (g^5)^3 + g^4 g^{10} + 1$$
$$g^6 + g^8 = g^{15} + g^{14} + 1$$
$$(1100) + (0101) = (0001) + (1001) + (0001)$$
$$(1001) = (1001)$$

The fifteen points which satisfy this equation are:

$(1, g^{13})$ $(g^3, g^{13})$ $(g^5, g^{11})$ $(g^6, g^{14})$ $(g^9, g^{13})$ $(g^{10}, g^8)$ $(g^{12}, g^{12})$
$(1, g^6)$ $(g^3, g^8)$ $(g^5, g^3)$ $(g^6, g^8)$ $(g^9, g^{10})$ $(g^{10}, g)$ $(g^{12}, 0)$ $(0, 1)$

These points are graphed below:

4.2 Arithmetic in an Elliptic Curve Group over $F_{2^m}$

Elliptic curve groups over $F_{2^m}$ have a finite number of points, and their arithmetic involves no round-off error. Combined with the binary nature of the field, this means $F_{2^m}$ arithmetic can be performed very efficiently by a computer.

The following algebraic rules are applied for arithmetic over $F_{2^m}$:

4.2.1 Adding distinct points P and Q

The negative of the point $P = (x_P, y_P)$ is the point $-P = (x_P, x_P + y_P)$. If P and Q are distinct points such that P is not -Q, then P + Q = R where

$$s = (y_P - y_Q) / (x_P + x_Q)$$
$$x_R = s^2 + s + x_P + x_Q + a \quad \text{and} \quad y_R = s(x_P + x_R) + x_R + y_P$$

As with elliptic curve groups over real numbers, P + (-P) = O, the point at infinity. Furthermore, P + O = P for all points P in the elliptic curve group.

4.2.2 Doubling the point P

If $x_P = 0$, then 2P = O.

Provided that $x_P$ is not 0, 2P = R where

$$s = x_P + y_P / x_P$$
$$x_R = s^2 + s + a \quad \text{and} \quad y_R = x_P^2 + (s + 1) x_R$$

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent line at P.

[Figure: Adding two points]
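The field and curve of sections 4.1 and 4.2 can be checked mechanically. The following is an added example, not code from the original document: it stores elements of $F_{2^4}$ as 4-bit integers, rebuilds the table of powers of g from $f(x) = x^4 + x + 1$, and implements the addition and doubling rules of 4.2.1 and 4.2.2. All function and variable names are assumptions of this example.

```python
# Added example (not from the original document): F_{2^4} with
# f(x) = x^4 + x + 1, and the curve y^2 + xy = x^3 + g^4 x^2 + 1.
M, POLY = 4, 0b10011          # field degree and irreducible polynomial
O = None                      # the point at infinity

def gf_mul(u, v):
    """Carry-less multiplication of two field elements, reduced mod f(x)."""
    r = 0
    while v:
        if v & 1:
            r ^= u            # field addition is XOR
        v >>= 1
        u <<= 1
        if u >> M:            # degree reached m: subtract (XOR) f(x)
            u ^= POLY
    return r

def gf_pow(u, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, u)
    return r

def gf_inv(u):
    """u^(2^m - 2) is the inverse of any non-zero element u."""
    if u == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(u, (1 << M) - 2)

G = [gf_pow(0b0010, e) for e in range(16)]   # G[e] = g^e as a bit string
A, B = G[4], G[0]                            # curve parameters a = g^4, b = 1

def on_curve(P):
    if P is O:
        return True
    x, y = P
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_pow(x, 3) ^ gf_mul(A, gf_mul(x, x)) ^ B
    return lhs == rhs

def affine_points():
    return [(x, y) for x in range(16) for y in range(16) if on_curve((x, y))]

def neg(P):
    return O if P is O else (P[0], P[0] ^ P[1])

def add(P, Q):
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and yq == (xp ^ yp):
        return O                               # Q = -P, incl. 2P with x_P = 0
    if P == Q:                                 # doubling, x_P != 0
        s = xp ^ gf_mul(yp, gf_inv(xp))
        xr = gf_mul(s, s) ^ s ^ A
        yr = gf_mul(xp, xp) ^ gf_mul(s ^ 1, xr)
    else:                                      # distinct points
        s = gf_mul(yp ^ yq, gf_inv(xp ^ xq))
        xr = gf_mul(s, s) ^ s ^ xp ^ xq ^ A
        yr = gf_mul(s, xp ^ xr) ^ xr ^ yp
    return (xr, yr)

if __name__ == "__main__":
    print([format(e, "04b") for e in G])       # the table of powers of g
    print(len(affine_points()))                # number of affine points
```

Enumerating the field like this is only possible because m = 4; it is exactly the table generation that a large m is meant to preclude.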

5.0 Elliptic Curve Groups and the Discrete Logarithm Problem

At the foundation of every cryptosystem is a hard mathematical problem that is computationally infeasible to solve. The discrete logarithm problem is the basis for the security of many cryptosystems including the Elliptic Curve Cryptosystem. More specifically, the ECC relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Recall that we examined two geometrically defined operations over certain elliptic curve groups. These two operations were point addition and point doubling. By selecting a point in an elliptic curve group, one can double it to obtain the point 2P. After that, one can add the point P to the point 2P to obtain the point 3P. The determination of a point nP in this manner is referred to as Scalar Multiplication of a point. The ECDLP is based upon the intractability of scalar multiplication products.

5.1 Scalar Multiplication

While it is customary to use additive notation to describe an elliptic curve group, some insight is provided by using multiplicative notation.

Specifically, consider the operation called "scalar multiplication" under additive notation: that is, computing kP by adding together k copies of the point P. Using multiplicative notation, this operation consists of multiplying together k copies of the point P, yielding the point $P \cdot P \cdot P \cdots P = P^k$.

5.2 The Elliptic Curve Discrete Logarithm Problem

In the multiplicative group $Z_p^*$, the discrete logarithm problem is: Given elements r and q of the group, and a prime p, find a number k such that $r = q^k \bmod p$. If the elliptic curve groups are described using multiplicative notation, then the elliptic curve discrete logarithm problem is: Given points P and Q in the group, find a number k such that $P^k = Q$; k is called the discrete logarithm of Q to the base P. When the elliptic curve group is described using additive notation, the elliptic curve discrete logarithm problem is: Given points P and Q in the group, find a number k such that kP = Q.

Example:

In the elliptic curve group defined by $y^2 = x^3 + 9x + 17$ over $F_{23}$, what is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?

One way to find k is to compute multiples of P until Q is found. The first few multiples of P are:

P = (16,5)   2P = (20,20)   3P = (14,14)   4P = (19,20)   5P = (13,10)
6P = (7,3)   7P = (8,7)   8P = (12,17)   9P = (4,5)

Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.

In a real application, k would be large enough such that it would be infeasible to determine k in this manner.

5.3 An Example of the Elliptic Curve Discrete Logarithm Problem

What is the discrete logarithm of Q(-0.35, 2.39) to the base P(-1.65, -2.79) in the elliptic curve group $y^2 = x^3 - 5x + 4$ over real numbers?

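The $F_p$ rules of sections 3.2.1 and 3.2.2 and the exhaustive search of section 5.2 fit in a short program. This is an added example, not code from the original document: it reproduces the multiples of P = (16,5) on $y^2 = x^3 + 9x + 17$ over $F_{23}$ and also shows double-and-add, which goes beyond the repeated addition described in the text. All function names are assumptions of this example.

```python
# Added example (not from the original document): toy arithmetic for
# y^2 = x^3 + ax + b over F_p, using the formulas of sections 3.2.1-3.2.2.
O = None  # the point at infinity

def is_group_curve(a, b, p):
    """Section 3.0 condition: 4a^3 + 27b^2 mod p must not be 0."""
    return (4 * a**3 + 27 * b**2) % p != 0

def on_curve(P, a, b, p):
    if P is O:
        return True
    x, y = P
    return (y * y - (x**3 + a * x + b)) % p == 0

def affine_points(a, b, p):
    """Every (x, y) on the curve; only feasible for a tiny p."""
    return [(x, y) for x in range(p) for y in range(p)
            if on_curve((x, y), a, b, p)]

def neg(P, p):
    return O if P is O else (P[0], -P[1] % p)

def add(P, Q, a, p):
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                       # P + (-P) = O, also 2P = O if y_P = 0
    if P == Q:                         # doubling: slope of the tangent at P
        s = (3 * xp * xp + a) * pow(2 * yp % p, -1, p) % p
    else:                              # slope of the line through P and Q
        s = (yp - yq) * pow((xp - xq) % p, -1, p) % p
    xr = (s * s - xp - xq) % p
    yr = (-yp + s * (xp - xr)) % p
    return (xr, yr)

def scalar_mult(k, P, a, p):
    """Double-and-add: about log2(k) doublings instead of k - 1 additions."""
    result, addend = O, P
    while k:
        if k & 1:
            result = add(result, addend, a, p)
        addend = add(addend, addend, a, p)
        k >>= 1
    return result

def ecdlp_exhaustive(P, Q, a, p, limit):
    """Walk P, 2P, 3P, ... as in section 5.2; return k, or None if not found."""
    R = P
    for k in range(1, limit + 1):
        if R == Q:
            return k
        R = add(R, P, a, p)
    return None

if __name__ == "__main__":
    a, b, p = 9, 17, 23
    P, Q = (16, 5), (4, 5)
    assert is_group_curve(a, b, p) and on_curve(P, a, b, p)
    print([scalar_mult(k, P, a, p) for k in range(1, 10)])
    print(ecdlp_exhaustive(P, Q, a, p, limit=2 * p))
```

Computing kP takes a handful of doublings while the search walks every multiple, which is the asymmetry the ECDLP relies on. The addition formulas never use b, so `add` will process a point that is not on the curve without complaint; check `on_curve` on any point received from outside before doing arithmetic with it.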