ELLIPTIC CURVE CRYPTOGRAPHY
INTRODUCTION
• As applied to cryptography, elliptic curves were first proposed in 1985 independently by N. Koblitz and V. Miller.
• Elliptic curves as algebraic/geometric entities have been around since the second half of the XIX century.
• They are used in devising algorithms for factoring integers, primality tests, and in public-key cryptography.
• Elliptic curves can be defined over any field, like real numbers, complex numbers, etc.
• For cryptographic purposes we are only concerned with those over finite fields.
• More specifically we consider prime (GF(p)) and binary (GF(2^m)) elliptic curves.
§ Elliptic Curves are (abelian) groups that have the
following properties:
§ Closure
§ Associativity
§ Have identity element
ADDITION
P + Q + R = 0
• P + Q = -R
• This equation, in this form, lets us derive a geometric method to compute the sum between two points P and Q:
• if we draw a line passing through P and Q, this line will intersect a third point on the curve, R (this is implied by the fact that P, Q and R are aligned). If we take the inverse of this point, -R, we have found the result of P + Q.
ADDITION
§ What if P = 0 or Q = 0? Certainly, we can’t draw any line (0 is not on the xy-plane). But given that we have defined 0 as the identity element, P + 0 = P and 0 + Q = Q for any P and Q.
§ What if P = -Q? In this case, the line going through the two points is vertical, and does not intersect any third point. But if P is the inverse of Q, then we have P + Q = P + (-P) = 0 from the definition of inverse.
§ What if P = Q? In this case, there are infinitely many lines passing through the point. Consider a point Q’ ≠ P. What happens if we make Q’ approach P, getting closer and closer to it? The line passing through P and Q’ becomes tangent to the curve. We can say that P + P = -R, where R is the point of intersection between the curve and the line tangent to the curve in P.
SCALAR MULTIPLICATION
• with ord(P)=n.
• Fact: The field F has exactly q-1 = 2^m - 1 nonzero elements plus the zero element.
GENERATING POLYNOMIAL AND POLYNOMIAL BASIS
• The finite field F = GF(2^m) is completely described by a monic irreducible polynomial, often called generating polynomial, of the form
• Let α be a primitive root of P(x), i.e., P(α) = 0. Then, we define the polynomial basis of GF(2^m) over GF(2) using the primitive element α and its first m powers,
{1, α, α^2, ..., α^(m-1)},
which happen to be linearly independent over GF(2).
POLYNOMIAL REPRESENTATION
• Using the polynomial basis, we can uniquely represent any number A ∈ F = GF(2^m) as
• Sometimes, it is more convenient to represent a field element using the so-called coordinate representation,
EXAMPLE: NONZERO ELEMENTS OF GF(2^4) WITH DEFINING POLYNOMIAL: F(X) = X^4 + X + 1
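Added example (not part of the original slides): a short Python sketch that enumerates the nonzero elements of GF(2^4) as powers of α for the defining polynomial x^4 + x + 1, in both coordinate and polynomial representation. The function names are chosen here for illustration, and field elements are stored as integers whose bit i is the coefficient of α^i.

```python
M = 4
F_POLY = 0b10011  # f(x) = x^4 + x + 1, bit i is the coefficient of x^i

def gf_add(a, b):
    # Coefficients live in GF(2), so addition (and subtraction) is XOR
    return a ^ b

def gf_mul(a, b, poly=F_POLY, m=M):
    # Shift-and-add product, reduced modulo the defining polynomial
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a >> m:        # degree reached m: reduce by XORing in f(x)
            a ^= poly
    return result

def powers_of_alpha(poly=F_POLY, m=M):
    # alpha = x (0b10); returns [alpha^0, ..., alpha^(2^m - 2)]
    elem, out = 1, []
    for _ in range((1 << m) - 1):
        out.append(elem)
        elem = gf_mul(elem, 0b10, poly, m)
    return out

def coords(a, m=M):
    # Coordinate representation (a_{m-1} ... a_1 a_0) as a bit string
    return format(a, "0{}b".format(m))

def as_poly(a):
    # Polynomial representation in the basis {1, alpha, alpha^2, ...}
    names = {0: "1", 1: "α"}
    terms = [names.get(i, "α^%d" % i)
             for i in reversed(range(a.bit_length())) if a >> i & 1]
    return " + ".join(terms) or "0"

def is_primitive(poly=F_POLY, m=M):
    # alpha is primitive iff its powers hit every nonzero element exactly once
    return len(set(powers_of_alpha(poly, m))) == (1 << m) - 1

if __name__ == "__main__":
    for i, e in enumerate(powers_of_alpha()):
        print("α^%-2d = %s = %s" % (i, coords(e), as_poly(e)))
```

The `is_primitive` check matters because an irreducible polynomial is not automatically primitive: for x^4 + x^3 + x^2 + x + 1 the powers of α cycle after five elements, so they do not enumerate the field.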
ADDITION
ELLIPTIC CURVE ADDITION EXAMPLE
ECC - EXAMPLE
• Elliptic Curve Addition
• Consider the elliptic curve defined in the previous example.
• Let P = (3, 10) and Q = (9, 7). Then P + Q = (x3, y3) is computed as follows:
CURVE TYPES
• Edwards curves.
• Twisted Edwards curves.
WEIERSTRASS CURVES
• Weierstrass curves are the most widely used type of elliptic curves in ECC.
• They are defined by an equation of the form
y^2 = x^3 + ax + b
• where a and b are constants different from 0.
• Weierstrass curves are relatively easy to implement and offer a good balance between security and performance.
MONTGOMERY CURVES
• A Montgomery curve E/Fp in the variables u and v is written as
Bv^2 = u^3 + Au^2 + u
• for some A, B ∈ Fp where B(A^2 − 4) ≠ 0.
• Montgomery curves offer faster scalar multiplication than Weierstrass curves and are often used in high-performance applications, such as cryptographic hardware.
EDWARDS CURVES
• Another way to describe an elliptic curve E/Fp is in Edwards form, which is
x^2 + y^2 = 1 + dx^2y^2
• where d ∈ Fp satisfies d ≠ 0, 1.
• Edwards curves offer several security advantages over Weierstrass curves, such as resistance to certain types of attacks and simpler implementation of some cryptographic operations.
TWISTED EDWARDS CURVES
• Twisted Edwards curves are a variation of Edwards curves that offer faster scalar multiplication and simpler formulas for some cryptographic operations.
• They are defined by an equation of the form
ax^2 + y^2 = 1 + dx^2y^2
• where a and d are constants different from 0.
CURVE TYPES
Curve25519: Curve25519 is an elliptic curve designed by Daniel J. Bernstein that is optimized for performance and security. It is widely used in modern cryptographic protocols, such as the Signal protocol and the Tor anonymity network.
Ed25519: Ed25519 is a digital signature algorithm based on the Curve25519 elliptic curve. It is designed to be fast, secure, and easy to implement, and is available in many ECC programming libraries.
CURVE TYPES
§ Two widely used elliptic curves, called secp256r1 and secp256k1, are specified in a standard called SEC2, where SEC is an acronym for “standards for efficient cryptography.”
§ Both curves are defined over a 256-bit prime field, hence the “256” in their names.
§ The ‘r’ in secp256r1 signifies that the curve is a random curve, meaning that it was generated by a certain sampling procedure. It is called Curve P256 by NIST. Widely used in Internet protocols.
§ The ‘k’ in secp256k1 signifies that the curve is a Koblitz curve. The curve secp256r1 is, while secp256k1 is widely used in blockchain systems (Bitcoin).
§ Curve25519, proposed by Daniel J. Bernstein and specified in RFC 7748, is a popular curve which is notably used in TLS 1.3 for key agreement.
ALGORITHM
ECDSA
• ECDSA stands for Elliptic Curve Digital Signature Algorithm, which is a
cryptographic algorithm used for creating digital signatures.
• ECDSA has several advantages over other digital signature algorithms.
• It is computationally efficient, meaning that it can generate and verify signatures
quickly and with relatively low computational resources.
• It offers a high level of security, making it resistant to various attacks, such as
forgery, replay, and key compromise.
• It is widely supported by many cryptographic libraries and is used in many
applications, such as secure communication protocols, electronic voting systems,
and digital certificates.
ECDSA KEY GENERATION
Each entity A does the following:
1. Select an elliptic curve E defined over Zp. The number of points in E(Zp) should be divisible by a large prime n.
2. Select a point P ∈ E(Zp) of order n.
3. Select a statistically unique and unpredictable integer d in the interval [1, n - 1].
4. Compute Q = dP.
5. A's public key is (E, P, n, Q); A's private key is d.
ECDSA SIGNATURE GENERATION
To sign a message m, A does the following:
1. Select a statistically unique and unpredictable integer k in the interval [1, n - 1].
2. Compute kP = (x1, y1) and r = x1 mod n. (Here x1 is regarded as an integer, for example by conversion from its binary representation.) If r = 0, then go to step 1. (This is a security condition: if r = 0, then the signing equation s = k^-1 {h(m) + dr} mod n does not involve the private key d!)
3. Compute k^-1 mod n.
4. Compute s = k^-1 {h(m) + dr} mod n, where h is the Secure Hash Algorithm (SHA-2 or SHA-3). If s = 0, then go to step 1. (If s = 0, then s^-1 mod n does not exist; s^-1 is required in step 2 of signature verification.)
5. The signature for the message m is the pair of integers (r, s).
ECDSA SIGNATURE VERIFICATION
To verify A's signature (r, s) on m, B should:
1. Obtain an authentic copy of A's public key (E, P, n, Q). Verify that r and s are integers in the interval [1, n - 1].
2. Compute w = s^-1 mod n and h(m).
3. Compute u1 = h(m)w mod n and u2 = rw mod n.
4. Compute u1P + u2Q = (x0, y0) and v = x0 mod n.
5. Accept the signature if and only if v = r.
ELLIPTIC CURVES
SECURITY AND EFFICIENCY
• Security
  • 1024-bit RSA and DSA and 160-bit ECC offer similar levels of security
• Efficiency
  • Computational overheads
  • ECC has shorter system parameters, keys, signatures
  • ECC is bandwidth efficient
SECURITY AND EFFICIENCY
Field size (in bits)   Size of n (in bits)   sqrt(πn)/2   MIPS years
163                    160                   2^80         9.6 x 10^11
191                    186                   2^93         7.9 x 10^15
239                    234                   2^117        1.6 x 10^23
359                    354                   2^177        1.5 x 10^41
431                    426                   2^213        1.0 x 10^52