Elimination of Weak Elliptic Curve Using Order of Points
Nishant Sinha
#1
, Aakash Bansal
*2#
School of IT CDAC Noida, India
1
sinha22nishant@gmail.com
*
School of IT CDAC Noida, India
2
aakashbansal.cdac@gmail.com
Abstract-
The elliptic curve cryptography (ECC) is a publickey cryptography. The mathematical operations of ECC isdefined over the elliptic curve y
2
=x
3
+ax+b, where4a
3
+27b
2
ǂ
0. Each value of the ‘a’ and ‘b’ gives a differentelliptic curve. All points (x,y) which satisfies the aboveequation plus a point at infinity lies on the elliptic curve.There are certain property of elliptic curve which makes thecryptography weak. In this paper, we have proposedtechnique which would eliminate such weak property andwill make elliptic curve cryptography more secure.
Keywords: cryptography, security, anomalous curve, discretelogarithm problem
I
INTRODUCTION
Cryptography is the study of “mathematical” systems forsolving two kinds of security problems: privacy andauthentication [1].Two types of cryptography are present– private key cryptography and public key cryptography.In public key cryptography, each user or the device takingpart in the communication generally have a pairs of keys,a public key and a private key, and a set of operationsassociated with the key to do the cryptographicoperations.Only the particular user knows the private key where asthe public key is distributed to all users taking part in thecommunication. Public key cryptography, unlike privatekey cryptography does not require any shared secretbetween communicating parties but it is much slower thanprivate key cryptography which is main drawbacks of public key cryptography.Elliptic curve cryptography is a variant of public keycryptography which eliminates the drawback of publiccryptography. Elliptic curve y
2
=x
3
+ax+b, where 4a
3
+27b
2
ǂ
0 for which each value of ‘a’ and ‘b’ gives a differentelliptic curve. In ECC, public key is the point on the curveand private key is a random number. The public key isobtained by multiplying the private key with the generatorpoint G in the curve.One main advantage of ECC is its small size. A 160 bitkey in ECC is considered to be as secured as 1024 bit keyin RSA.II
BACKGROUND KNOWLEDGE
Elliptic Curves
Elliptic curves are not ellipses, instead, they are cubiccurves of the form
y
2
= x
3
+ ax + b.
Elliptic curves over
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201248http://sites.google.com/site/ijcsis/ISSN 1947-5500
R
2
(
R
2
is the set
R x R
, where
R
= set of real numbers) isdefined by the set of points (
x
,
y
) which satisfy theequation
y
2
= x
3
+ ax + b
, along with a point
O
, which isthe point at infinity and which is the additive identityelement. The curve is represented as
E
(
R
).The following figure is an elliptic curve satisfying theequation
y
2
= x
3
–
3
x +
3
:-
Elliptic curve over R
2
: y
2
= x
3
– 3x + 3
A.
Elliptic Curves over Finite Fields
1)
Elliptic Curves over F
p:
An elliptic curve E(F
p
) over afinite field F
p
is defined by the parameters a, b
∈
F
p
(a, bsatisfy the relation 4a
3
+ 27b
2
≠
0), consists of the set of points (x, y)
∈
F
p
, satisfying the equation y
2
= x
3
+ ax + b.The set of points on E(F
p
) also include point O, which isthe point at infinity and which is the identity elementunder addition.2)
Elliptic curves over F
2
m:
An elliptic curve E(F
2
m) over afinite field F
2
m, is defined by the parameters a, b
∈
F
2
m,(a, b satisfy the relation 4a
3
+ 27b
2
≠
0, b
≠
0), consists of the set of points (x, y)
∈
F
2
m, satisfying the equation y
2
+xy = x
3
+ ax + b. The set of points on E(F
2
m) also includepoint O, which is the point at infinity and which is theidentity element under addition.Similar to
E
(
F
p
), addition is defined over E(
F
2
m
) and wecan similarly verify that even E(
F
2
m
) forms an abeliangroup under addition.
B.
Advantage of Elliptic Curve Cryptography Over RSA/DSA
The advantage of elliptic curve over the other public keysystems such as RSA, DSA etc is the key strength[2]. Thefollowing table summarizes the key strength of ECCbased systems in comparison to other public key schemes.RSA/DSA KeylengthECC Key Length for EquivalentSecurity
1024 1602048 2243072 2567680 38415360 512
Table 1:-Comparison of the key strengths of RSA/DSA and ECC
From the table it is very clear that elliptic curves offer acomparable amount of security offered by the otherpopular public key for a much smaller key strength. Thisproperty of ECC has made the scheme quite popular of late.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201249http://sites.google.com/site/ijcsis/ISSN 1947-5500
III
ELLIPTIC CURVE DISCRETE LOGARITHM
The strength of the Elliptic Curve Cryptography lies inthe Elliptic Curve Discrete Log Problem (ECDLP). Thestatement of ECDLP is as follows.Let
E
be an elliptic curve and
P
∈
E
be a point of order
n
.Given a point
Q
∈
E
with
Q
=
mP
, for a certain
m
∈
{
2,3, ……,
m –
2
}
.Find the
m
for which the above equation holds.When
E
and
P
are properly chosen, the ECDLP is thoughtto be infeasible. Note that
m
= 0, 1 and
m –
1,
Q
takes thevalues
O
,
P
and –
P
. One of the conditions is that theorder of
P
i.e.
n
be large so that it is infeasible to check allthe possibilities of
m
.The difference between ECDLP and the DiscreteLogarithm Problem (DLP) is that, DLP though a hardproblem is known to have a sub exponential timesolution, and the solution of the DLP can be computedfaster than that to the ECDLP. This property of Ellipticcurves makes it favorable for its use in cryptography.A direct approach to determining
# E
(
Fq
)
is to compute z= x
3
+ A x + B for each x
∈
Fq
, and then to test if
z
has asquare root in
Fq.
If
z =
0
,
then
(
x,
0)
∈
E
(
Fq
).
If there exists
y
∈
Fq
such that
y
2
mod q= z,
then
(
x,y
)
,
(
x,- y
)
∈
E
(
Fq
)
,
else there is no point in
E
(
Fq)
with
x
-coordinate
x.
So there are at most
2
q +
1
elements in thegroup.A theorem of finite fields states that exactly 1
/
2 of thenon-zero elements of
Fq
are quadratic residues
.
So onaverage, there will be approximately
q +
1
elements in
E
(
Fq
).
A.
Hasse's Theorem
The following theorem, first proved by Helmut Hasse,told bounds on
#
E
(
Fq
)
.
Let
# E
(
Fq
) be an elliptic curveover the finite field
Fq
with
q = p
ⁿ
, n
∈
Z+
and
p
aprime. Then there exists a unique
t
∈
Z
such that
#E
(
Fq
)
= q +
1
- t
where
|t| <
2
√
q
.[4]B.
Reducing the problem of computing the order of curve#E(Fp
n
) to #E(Fp)
It tells that if we can compute
#E
(
Fp
)
,
then we cancompute
#E
(
F p
ⁿ
) in a direct manner.Let
#E
(
Fp
)
= p +
1
- t.
Write
X
2
- t X + p =
(
X –
α
)
(
X –
β
)
.
Then
αⁿ
+
βⁿ
∈
Z
and
#E
(
F p
ⁿ
)
= p
ⁿ
+ 1 –
(
αⁿ
+
βⁿ
)
.
If p is a small prime, then it is easy to determine #E(Fp)by direct counting or other simple methods.
C.
Weak curves
1)
Anomalous curve:
The curve E(Fq) is said to beanomalous if # E(Fq) = q. These curves are weak whenq=p, the field characteristic.2)
Supersingular elliptic curves:
The MOV(Menezes
,
Okamoto, and Vanstone) attack on elliptic curvesshows that ECDLP can be reduced to the classicaldiscrete logarithm problem on some extension field
Fq
k
, for some integer
k
(
k
is called the embeddingdegree or MOV degree). The MOV attack is onlypractical when
k
is small. For Supersingular ellipticcurves
k
<=6.3)
Prime-field anomalous curves:
If #
E
(
Fp
) =
p
, there ispolynomial algorithm solving the ECDLP by lifting thecurve and points to
Z
.The given properties of weak curve indicate that the orderof elliptic curve plays a major role in determining whetherthe given curve is weak or not. The Prime-fieldanomalous curve and anomalous curve where the order of
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 10, No. 8, August 201250http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Elimination of Weak Elliptic Curve Using Order of Points
The elliptic curve cryptography (ECC) is a public key cryptography. The mathematical operations of ECC is defined over the elliptic curve y2=x3+ax+b, where 4a3+27b2 ǂ 0. Each value of the ‘a’ and ‘b’ gives a different…
(More)
177
Reads
0
Readcasts
0
Embed Views
More From This User
Notes
Load more
