logo.

png

Public Key Cryptography: Elliptic

Curve Cryptography (ECC) - Part 2
Dr. Mohammad Wazid

IEEE Senior Member

Associate Professor
Department of Computer Science and Engineering
Graphic Era Deemed to be University, Dehradun, India
E-mail: wazidkec2005@gmail.com
URL: https://sites.google.com/site/mwazidiiith/home

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 1 / 25

 logo.png

Elliptic Curve Cryptography Key Exchange

Protocol (ECC Key Exchange)

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 2 / 25

Elliptic Curve Cryptography (ECC) logo.png

Elliptic Curve Cryptography Key Exchange Protocol (ECC Key

Exchange)
Pick a large integer q, where q = p; p being a prime, or q = 2m ,
for some positive integer m, and the elliptic curve parameters a
and b for the elliptic curves:

y2 = x 3 + ax + b (mod p) in GF (p);
2
y + xy = x 3 + ax 2 + b (mod p) in GF (2m ).

Pick a base point G = (x, y ) in Eq (a, b) whose order is a very

large value n, that is, nG = O.
Eq (a, b) and G are parameters of the cryptosystem known to all
participants.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 3 / 25

Elliptic Curve Cryptography (ECC) logo.png

Elliptic Curve Cryptography Key Exchange Protocol (ECC Key

Exchange)
A key exchange between two users A and B can be accomplished as
follows:
A selects an integer nA , where nA < n. A’s private key is nA .
A generates a public key PA = nA G; the public key is a point in
Eq (a, b).
B similarly selects a private key nB , where nB < n. B’s private key
is nB .
B generates a public key PB = nB G.
A generates the secret key KA,B = nA PB .
B generates the secret key KB,A = nB PA .

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 4 / 25

ECC Key Exchange Protocol (continued...) logo.png

Summary
User A User B
1. Select private nA
2. Calculate public PA
3. PA = nA G
−−−−−−−→
1. Select private nB
2. Calculate public PB
3. PB = nB G
←−−−−−−−
4. KA,B = nA PB 4. KB,A = nB PA

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 5 / 25

ECC Key Exchange Protocol (Continued...) logo.png

Correctness Proof

KA,B = nA × PB [User A]
= nA × (nB × G)
= (nA × nB ) × G
= (nB × nA ) × G
= nB × (nA × G)
= nB × PA
= KB,A [User B]

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 6 / 25

ECC Key Exchange Protocol (Continued...) logo.png

Problem [ECC Key Exchange]

Users A and B use the ECC key exchange technique with a common
prime q = 13 and an elliptic curve Eq (a, b), where a = 0 and b = −4.
Let G = (2, 2) a base point on Eq (a, b).
(a) If user A has private key nA = 3, what is the A’s public key PA ?
Solution: PA = nA .G = 3.(2, 2) = (6, 11).
(b) If user B has private key nB = 5, what is the B’s public key PB ?
Solution: PB = nB .G = 5.(2, 2) = (5, 11).
(c) What is the secret shared key?
Solution: KA,B = nA .PB = 3.(5, 11) = (2, 2), by user A.
Similar key will be computed by user B, KB,A =? (Homework).

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 7 / 25

ECC Key Exchange Protocol (Continued...) logo.png

Man-in-the-middle attack on ECC key exchange protocol???

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 8 / 25

ECC Key Exchange Protocol (continued...) logo.png

Man-in-the-middle attack on ECC key exchange protocol

User A Adversary C User B
1. Select private nA
2. Calculate public PA Intercept & block PA
3. PA = nA G 1. Select private nC
−−−−−−−→
2. Calculate public PC
3. PC = nC G
−−−−−−−→
PC = nC G
←−−−−−−−
1. Select private nB
2. Calculate public PB
Intercept & block PB 3. PB = nB G
←−−−−−−−
4. K1 = nC PA
4. K1 = nA PC K2 = nC PB 4. K2 = nB PC

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 9 / 25

 logo.png

Elliptic Curve Encryption/Decryption

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 10 / 25

Elliptic Curve Encryption/Decryption logo.png

ECC Encryption
The first task in this system is to encode the plaintext message m
to be sent as an x-y point Pm in Eq (a, b). (For example, Koblitz
method (Available at http://zoo.cs.yale.edu/classes/
cs467/2012s/lectures/ln13.pdf)).
It is the point Pm that will be encrypted as a ciphertext and
subsequently decrypted.
As with the ECC key exchange system, an encryption/decryption
system requires a base point G and an elliptic curve Eq (a, b).
Let user A’s private-public key pair (KRa , KUa ) = (nA , PA ) and
user B’s private-public key pair (KRb , KUb ) = (nB , PB )

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 11 / 25

Elliptic Curve Encryption/Decryption logo.png

ECC Encryption
To encrypt and send a plaintext message (encoded) Pm to user B,
user A proceeds as follows:
I A chooses a random positive integer k .
I A produces the ciphertext Cm consisting of the pair of points

Cm = EPUb (Pm )
= EPB (Pm )
= {C1 , C2 }
= {kG, Pm + kPB },

where PB = nB G.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 12 / 25

Elliptic Curve Encryption/Decryption logo.png

ECC Decryption
To decrypt the ciphertext Cm , user B proceeds as follows:
I B uses its own private key KRb = nB .
I The plaintext Pm is recovered as

Pm = DPRb (Cm )
= DnB (Cm )
= C2 − nB C1
= Pm + kPB − nB (kG)
= Pm + k(nB G) − nB (kG)
= Pm .

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 13 / 25

ECC Encryption/Decryption (Continued...) logo.png

Problem [ECC Encryption/Decryption]

Suppose two users A and B rely on the ECC key cryptosystem. An
elliptic curve cryptosystem operates on the curve y 2 = x 3 + ax + b
(mod q) with the parameters E11 (1, 6), and the base point G = (2, 7).
Assume that B’s private key is nB = 7.
(a) Find B’s public key PB .
(b) Determine the ciphertext Cm , if the user A sends the message
Pm = (10, 9) with the random value k = 3.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 14 / 25

ECC Encryption/Decryption (Continued...) logo.png

Solution:
(a) PB = nB G = 7.(2, 7) = (7, 2).
(b) Cm = (C1 , C2 ), where

C1 = kG
= 3.(2, 7)
= (8, 3),

and

C2 = Pm + kPB
= (10, 9) + 3.(7, 2)
= (10, 9) + (3, 5)
= (10, 2).

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 15 / 25

ECC Encryption/Decryption (Continued...) logo.png

Online Demo on ECC Encryption/Decryption

Generating private/public keys pair for User A (Alice) and User B
(Bob)
Encrypting a message
Decryping a message
https://8gwifi.org/ecfunctions.jsp

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 16 / 25

 logo.png

Elliptic Curve Digital Signature Algorithm

(ECDSA)

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 17 / 25

Digital Signatures logo.png

Signature Schemes
A signature scheme is a five-tuple (P, A, K, S, V), where the
following conditions are satisfied:
1. P is a finite set of possible messages;
2. A is a finite set of possible signatures;
3. K, the key space, is a finite set of possible keys;
4. For each k ∈ K, there is a signing algorithm sigk ∈ S and a
corresponding verification algorithm verk ∈ V. Each sigk : P → A
and verk : P × A → {true, false} are functions such that the
following equation is satisfied for every message x ∈ P and for
every signature y ∈ A:
verk (x, y ) = true, if y = sigk (x),
verk (x, y ) = false, if y 6= sigk (x).
The pair (x, y) with x ∈ P and y ∈ A is called a signed message.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 18 / 25

Elliptic Curve Digital Signature Algorithm logo.png

Key generation
The domain parameters for the Elliptic Curve Digital Signature
Algorithm (ECDSA) consist of a suitably chosen elliptic cure Ep (a, b)
defined over a finite field GF (p), and a base point G ∈ Ep (a, b) with
order n. Each entity A does the following:
Step 1. Select a random or pseudorandom integer k in the interval
[1, n − 1].
Step 2. Compute Q = kG.
Step 3. A’s public key is Q; A’s private key is k.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 19 / 25

Elliptic Curve Digital Signature Algorithm logo.png

Signature generation
To sign a message, say m, an entity A with domain parameters
D = (p, n, Q, G, Ep (a, b), h(·)), where h(·) is a secure hash function
and associated key pair (k , Q) does the following steps:
Step 1. Select a random integer l, with 1 ≤ l ≤ n − 1.
Step 2. Compute lG = (x1 , y1 ) and r = x1 mod n. If r = 0 then go
to step 1.
Step 3. Compute e = h(m) and s = l −1 (e + kr ) mod n. If s = 0
then go to step 1.
Step 4. A’s signature for the message m is (r , s).

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 20 / 25

Elliptic Curve Digital Signature Algorithm logo.png

Signature verification
In order to verify A’s signature (r , s) on m, the verifier B obtains an
authentic copy of A’s domain parameters D and associated public key
Q. Then B does the following steps:
Step 1. Verify that r and s are integers in the interval [1, n − 1].
Step 2. Compute e = h(m).
Step 3. Compute w = s−1 mod n, u1 = ew mod n,
u2 = rw mod n and X = u1 G + u2 Q. If X = O, then reject the
signature. Otherwise, compute v = x1 mod n, where X = (x1 , y1 ).
Step 4. Accept the signature if and only if v = r .

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 21 / 25

Elliptic Curve Digital Signature Algorithm logo.png

Online Demo on ECDSA

Generating EC keypair
Signing and verifying ECDSA signature
https:
//kjur.github.io/jsrsasign/sample/sample-ecdsa.html

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 22 / 25

Elliptic Curve Cryptography (ECC) logo.png

Security of ECC
The security of ECC depends on how difficult it to determine the
discrete logarithm k given kP and P. This is referred to as the
“elliptic curve discrete logarithm problem (ECDLP)”. The fasted
known technique for taking the elliptic curve logarithm is known as
the Pollard rho method, which is exponential in time complexity.
Considerably smaller key size can be used for ECC compared to
RSA (for example, the security of 160-bit ECC is equivalent to that
for 1024-bit RSA).
There is a computational advantage to using ECC with a shorter
key length than a comparably secure RSA.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 23 / 25

Elliptic Curve Cryptography (ECC) logo.png

Comparison of security issues between RSA and ECC

RSA ECC
Hard problem: Hard problem:
n = p × q, Q = kP, where P
finding d ≡ e−1 (mod φ(n)) and Q ∈ Ep (a, b) are known,
is a hard problem given n and e. to compute k is a hard problem.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 24 / 25

Elliptic Curve Cryptography (ECC) logo.png

References
Cryptography and Network Security: Principles and Practice by
William Stallings (7th edition)
ECC based secure communication schemes by Dr. A. K. Das,
Associate Professor in the Center for Security, Theory and
Algorithmic Research, International Institute of Information
Technology (IIIT), Hyderabad 500 032, India.

Dr. Mohammad Wazid (IIIT-H) Elliptic Curve Cryptography (ECC) - Part 2 25 / 25