www.crypto-textbook.com
These slides were prepared by Tim Güneysu, Christof Paar and Jan Pelzl
And modified by Sam Bowne
Some legal stuff (sorry): Terms of Use
• The slides can be used free of charge. All copyrights for the slides remain with Christof Paar and Jan Pelzl.
• The title of the accompanying book “Understanding Cryptography” by Springer and the author’s names must remain on each slide.
• If the slides are modified, appropriate credits to the book authors and the book title must remain within the slides.
• It is not permitted to reproduce parts or all of the slides in printed form whatsoever without written consent by the authors.
Introduction
9.1 How to Compute with Elliptic Curves
9.2 Building a Discrete Logarithm Problem with Elliptic Curves
9.3 Diffie-Hellman Key Exchange with Elliptic Curves
9.4 Security
9.5 Implementation in Software and Hardware
$y^2 = x^3 + ax + b$
▪ Identity Point θ
▪ In any group, a special element is required to allow for the identity operation, i.e., given P ∈ E: P + θ = P = θ + P
▪ This identity point (which is not on the curve) is additionally added to the group definition
▪ This (infinite) identity point is denoted by θ
Point Doubling
= P + P
$s = \frac{3x_1^2 + a}{2y_1}$
$= (2 \cdot 1)^{-1}(3 \cdot 5^2 + 2) = 2^{-1} \cdot 9 \equiv 9 \cdot 9 \equiv 13 \bmod 17$
▪ The points on an elliptic curve and the point at infinity θ form cyclic subgroups
Input: Elliptic curve E, an elliptic curve point P and a scalar d with bits d_i
Output: T = dP
Alice: Choose k_PrA = a ∈ {2, 3, …, #E-1}
Alice: Compute k_PubA = A = aP = (x_A, y_A)
Bob: Choose k_PrB = b ∈ {2, 3, …, #E-1}
Bob: Compute k_PubB = B = bP = (x_B, y_B)
Alice → Bob: A
Bob → Alice: B
ECDH
Alice: Choose k_PrA = a ∈ {2, 3, …, #E-1}
Alice: Compute k_PubA = A = aP = (x_A, y_A)
Bob: Choose k_PrB = b ∈ {2, 3, …, #E-1}
Bob: Compute k_PubB = B = bP = (x_B, y_B)
Alice → Bob: A
Bob → Alice: B
Symmetric encryption/decryption
Alice: Define key k_AES = x_T
Bob: Define key k_AES = x_T
Alice: Given a message m: Encrypt c = AES_{k_AES}(m)
Alice → Bob: c
Bob: Received ciphertext c: Decrypt m = AES^{-1}_{k_AES}(c)
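The double-and-add computation T = dP and the ECDH exchange above, as an added Python example that is not part of the original slides. It reuses a = 2, p = 17 and P = (5, 1) from the doubling example; b = 2, the group order 19, all function names and the private keys 3 and 10 are assumptions made for illustration.

```python
# Constructed toy parameters: a = 2, p = 17 and P = (5, 1) come from the
# doubling example above; b = 2 and the group order 19 are assumptions.
P_MOD, A, B = 17, 2, 2
G, ORDER = (5, 1), 19
INF = None  # identity point θ (point at infinity)

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Group law covering identity, inverse points, doubling and addition."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P) = θ
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD) % P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def scalar_mult(d, pt):
    """Double-and-add over the bits d_i of d, most significant first: T = dP.
    Not constant-time: the add step runs only when d_i = 1."""
    t = INF
    for bit in bin(d)[2:]:
        t = add(t, t)
        if bit == "1":
            t = add(t, pt)
    return t

def ecdh_shared(private, peer_public):
    """Check the received public key before use, then return k_AES = x_T."""
    if not 2 <= private <= ORDER - 1:
        raise ValueError("private key outside {2, ..., #E-1}")
    if peer_public is INF or not on_curve(peer_public):
        raise ValueError("peer public key is not a point on the curve")
    return scalar_mult(private, peer_public)[0]

if __name__ == "__main__":
    print(ecdh_shared(3, scalar_mult(10, G)), ecdh_shared(10, scalar_mult(3, G)))
```

The on-curve check in `ecdh_shared` rejects a received point that does not satisfy the curve equation before any private-key operation is performed on it.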
▪ An elliptic curve using a prime p with 160 bits (and roughly $2^{160}$ points) provides a security of $2^{80}$ steps required by an attacker
▪ An elliptic curve using a prime p with 256 bits (roughly $2^{256}$ points) provides a security of $2^{128}$ steps
▪ Software implementations
  ▪ Optimized 256-bit ECC implementation on 3GHz 64-bit CPU requires about 2 ms per point multiplication
  ▪ Less powerful microprocessors (e.g., on SmartCards or cell phones) even take significantly longer (>10 ms)
▪ Hardware implementations
  ▪ High-performance implementations with 256-bit special primes can compute a point multiplication in a few hundred microseconds on reconfigurable hardware
  ▪ Dedicated chips for ECC can compute a point multiplication in a few tens of microseconds
Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl
Key Length
Chapter 6 of Understanding Cryptography by Christof Paar and Jan Pelzl
Attacks against the Discrete Logarithm Problem
Elliptic curve challenges with key sizes of 108 and 109 bits have been solved
NIST Recommendations from 2016