# THE TECHNOLOGY STREAM

Elliptic Curve Cryptography
Burt Kaliski, Chief Scientist and Director, RSA Laboratories

Outline
I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts

Notation
• GF(q) or Fq: finite field with q elements
– typically q = p where p is prime, or q = 2^m
• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)
• O: point at infinity

Acronyms
• EC = Elliptic Curve
– as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography

Part I: Elliptic Curves

Elliptic Curves
• An elliptic curve is the set of solutions (x, y) to an equation of the form y^2 = x^3 + ax + b, where 4a^3 + 27b^2 ≠ 0, together with a point at infinity denoted O
• The name comes from elliptic integrals, which were originally studied to measure the arc length of an ellipse

An Example Curve
• Over the reals, the solutions form a curve with one or two components
• Example: y^2 = x^3 - x, which has two components (x^3 - x has three real roots)

Elliptic Curve Arithmetic
• A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
• “Chords and tangents”: the line through two distinct points is a chord; when a point is added to itself, the tangent at that point is used

Group Law Axioms
• Closure
• Identity: P + O = O + P = P
• Inverse: (x, y) + (x, -y) = O
• Associativity
• Commutativity

Addition Formulae
• Let P1 = (x1, y1) and P2 = (x2, y2) be non-inverses
• Then P1 + P2 = (x3, y3) where
  x3 = λ^2 - x1 - x2
  y3 = λ(x1 - x3) - y1
  and λ is the slope of the line:
  λ = (3x1^2 + a) / (2y1) if x1 = x2 (the tangent case, P1 = P2)
  λ = (y2 - y1) / (x2 - x1) otherwise

Elliptic Curves over Finite Fields
• An elliptic curve may be defined over any finite field GF(q)
• For GF(2^m), the curve has a different form: y^2 + xy = x^3 + ax^2 + b, where b ≠ 0
• Addition formulae are similar to those over the reals

Group Properties
• Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
• Hasse bound: #E(Fq) = q + 1 - t, where |t| ≤ 2 sqrt(q)
• The group of points is either cyclic or a product of two cyclic groups

Scalar Multiplication
• Scalar multiplication is repeated group addition: cP = P + ··· + P (c times), where c is an integer
• For all P ∈ E(Fq), nP = O where n = #E(Fq)

Elliptic Curve Research Areas
• EC over finite fields has been an increasing focus of research
1. Cryptographic properties
2. Efficient elliptic curve arithmetic, scalar multiplication
– including finite field arithmetic
3. Efficient curve generation

Some Interesting Applications
• Factoring (Lenstra 1985)
– running time of the Elliptic Curve Method (ECM) depends on the size of the smallest prime factor of a number rather than on the number itself, so it is ideal for numbers with small factors (“smooth” numbers)
• Primality proving (Goldwasser-Kilian 1986)
– under number-theory assumptions, a method for proving primality in random polynomial time
• Fermat’s Last Theorem

Analogy with Multiplicative Groups
Elliptic Curve Group                Multiplicative Group
point addition                      multiplication
scalar multiplication               exponentiation
elliptic curve discrete logarithm   discrete logarithm

Part II: Elliptic Curve Cryptosystems

Elliptic Curve Cryptosystems
• EC discrete logarithm problem
• Domain parameters
• Key pairs
• Cryptographic schemes

EC Discrete Logarithm Problem
• Problem: Given two points W, G, find s such that W = sG
– first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic restrictions, this is believed to take exponential time (in the size of r)
– O(sqrt(r)) time, where r is the order of the base point G

EC Discrete Logarithm Problem (cont’d)
• By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
• ECC thus offers much shorter key sizes than other public-key cryptosystems

Typical Cryptographic Restrictions
• #E(Fq) = kr for large prime r
– k is the cofactor
• GCD(k, r) = 1
• “Anomalous” condition: r ≠ q
– a curve with #E(Fq) = q admits a polynomial-time ECDLP attack
• MOV condition: r does not divide q^i - 1 for small i
– otherwise the Weil pairing maps the ECDLP into an ordinary discrete logarithm in GF(q^i), where subexponential methods apply (Menezes-Okamoto-Vanstone)

Domain Parameters
• Common values shared by a group of users from which key pairs may be generated
• User or trusted party may generate domain parameters
• Anyone may validate domain parameters

EC Domain Parameters
• Finite field Fq
• Elliptic curve E(Fq) with cryptographic restrictions
• Prime divisor r of #E(Fq)
• Cofactor k
• Base point G ∈ E(Fq) of order r

Generating EC Domain Parameters
1. Select a prime power q
2. Select an elliptic curve E over Fq with cryptographic restrictions
– order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G

Selecting an Elliptic Curve
• Random method
• Complex multiplication method
• Subfield method
• Methods provide a tradeoff between speed and “structure” in curves
– less structure = more conservative in assumptions about security

Random Method
1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, go to 1
• No structure, but step 2 may be slow
• (Schoof 1985, etc.)

Complex Multiplication Method
1. Generate a curve order n with a small CM discriminant D
2. Given D, find a curve with n points
3. If restrictions not met, go to 1
• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)

Subfield Method
• For q = 2^m with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, go to 1
• Fast, but significant structure
• (Koblitz)

Generating a Point of Order r
1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, go to 1
4. Output G

Validating EC Domain Parameters
1. Check that q is a prime power
2. Check that E is an elliptic curve over Fq with cryptographic restrictions
– order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r
4. Output valid if all checks pass, invalid otherwise

Key Pairs
• Pairs of public, private values with which users may perform cryptographic operations
• User or trusted third party may generate key pair
• Anyone may validate public key

EC Key Pairs
• Public key W ∈ E(Fq)
• Private key s ∈ [1, r-1]
– where W = sG

Generating an EC Key Pair
1. Randomly generate s ∈ [1, r-1]
2. Compute W = sG
3. Output (W, s)

Validating an EC Public Key
• Assume valid domain parameters
1. Check that W is a point on E(Fq) of order r
– i.e., W ≠ O, W satisfies the curve equation, and rW = O
2. Output valid if so, invalid otherwise
• Skipping this check and combining an unvalidated W with a private key (e.g., in key agreement) exposes that private key to invalid-curve and small-subgroup attacks

Cryptographic Schemes
• Following the general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
• Examples:
– key agreement
– signature with appendix
– encryption

Scheme Operations
• Depending on the scheme, related operations may include:
– domain parameter generation, validation
– key pair generation, public-key validation
– one or more scheme-specific operations

Key Agreement Scheme
• Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters
• Multiple secret keys can be obtained by varying parameters

Elliptic Curve Diffie-Hellman
• Key agreement scheme based on the Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with the ECSVDP-DH primitive
• Underlying function:
– KDF: key derivation function

ECDH Key Agreement
• Input: private key s, other’s public key W*, key derivation parameters P
• Output: shared secret key K
1. Compute Z = sW*
– W* must have been validated, or Z = O must be rejected here; otherwise a low-order W* leaks information about s
2. Compute K = KDF(Z, P)
3. Output K

Key Agreement Modes
• Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
• Examples of protocol modes:
– anonymous
– static-static
– signed ephemeral-ephemeral
– ephemeral-static

Signature Scheme
• Signature generation operation computes a signature on a message with a private key
• Signature verification operation verifies a signature with a public key

Elliptic Curve Digital Signature Algorithm
• Signature scheme based on NIST FIPS 186-1 DSA
• In IEEE P1363, ECSSA with the ECSP-DSA / ECVP-DSA primitives
• Underlying function:
– Hash: collision-resistant hash function

ECDSA Signature Generation
• Input: private key s, message M
• Output: signature (c, d)
1. Compute f = Hash(M)
2. Generate a one-time key pair (u, V)
3. Compute c = int(xV) mod r
4. Compute d = u^-1 (f + sc) mod r
5. If c = 0 or d = 0, go to 2
6. Output (c, d)
• The one-time key u must be fresh, uniformly random and secret for every signature: reusing u for two messages reveals s by modular arithmetic alone, and even a slightly biased u leaks s over many signatures

ECDSA Signature Verification
• Input: signer’s public key W, message M, signature (c, d)
• Output: valid or invalid
1. Compute f = Hash(M)
2. Check that 1 ≤ c, d ≤ r-1
3. Compute h = d^-1 mod r
4. Compute P = fhG + chW
5. Check that P ≠ O
6. Check that c = int(xP) mod r
7. If all checks pass, output valid, otherwise output invalid
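The arithmetic and signature steps from the slides above, worked end to end as an added example (it is not part of the original deck and not RSA Laboratories' code): the chord-and-tangent addition formulae and double-and-add scalar multiplication from Part I, point counting against the Hasse bound, the MOV check from the cryptographic restrictions, key pair generation and public-key validation, and ECDSA signature generation and verification with the range and P ≠ O checks. Two sets of domain parameters are used: a toy curve y^2 = x^3 + 2x + 2 over F_17, constructed for illustration because its 19 points can be counted by brute force, and the published secp256k1 parameters from SECG for the key pair and signature part. SHA-256 reduced mod r stands in for the slides' Hash, the fixed nonce in the reuse demonstration is an arbitrary value, and the scalar multiplication is not constant time, so this is study code rather than something to deploy.

```python
import hashlib
import secrets

O = None  # the point at infinity, written O on the slides

class Curve:
    """y^2 = x^3 + ax + b over F_q (q prime), base point G of prime order r, cofactor k."""

    def __init__(self, q, a, b, G, r, k):
        self.q, self.a, self.b, self.G, self.r, self.k = q, a, b, G, r, k

    def on_curve(self, P):
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.q == 0

    def add(self, P1, P2):
        """Chord-and-tangent addition, with the slides' formulae for the slope."""
        if P1 is O:
            return P2
        if P2 is O:
            return P1
        q, (x1, y1), (x2, y2) = self.q, P1, P2
        if x1 == x2 and (y1 + y2) % q == 0:
            return O                                          # P + (-P) = O
        if P1 == P2:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, q)  # tangent
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, q)             # chord
        x3 = (lam * lam - x1 - x2) % q
        return (x3, (lam * (x1 - x3) - y1) % q)

    def mul(self, c, P):
        """Scalar multiplication cP by double-and-add (not constant time)."""
        R = O
        while c > 0:
            if c & 1:
                R = self.add(R, P)
            P, c = self.add(P, P), c >> 1
        return R

    def count_points(self):  # #E(F_q) by exhaustive search: toy fields only
        return 1 + sum(self.on_curve((x, y)) for x in range(self.q) for y in range(self.q))

    def embedding_degree(self, bound=20):  # smallest i <= bound with r | q^i - 1, else None
        return next((i for i in range(1, bound + 1) if pow(self.q, i, self.r) == 1), None)

# Toy domain parameters, constructed for illustration: #E(F_17) = 19 is prime, so k = 1.
TOY = Curve(17, 2, 2, (5, 1), 19, 1)
# secp256k1, a published SECG curve (cofactor 1), for the key pair and signature part.
SECP256K1 = Curve(
    2**256 - 2**32 - 977, 0, 7,
    (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, 1)

def hash_to_int(E, M):
    """f = Hash(M) reduced into [0, r); SHA-256 stands in for the slides' Hash."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % E.r

def keygen(E):
    s = secrets.randbelow(E.r - 1) + 1      # private key s in [1, r-1]
    return E.mul(s, E.G), s                  # public key W = sG

def valid_public_key(E, W):  # W != O, W on the curve, rW = O (domain parameters assumed valid)
    return W is not O and E.on_curve(W) and E.mul(E.r, W) is O

def sign(E, s, M, u=None):
    """ECDSA signature generation; u is the one-time key, fresh and secret per signature
    (fixed here only to show reuse). Returns None if a supplied u gives c = 0 or d = 0."""
    f = hash_to_int(E, M)
    while True:
        u_i = u if u is not None else secrets.randbelow(E.r - 1) + 1
        c = E.mul(u_i, E.G)[0] % E.r                 # c = int(x_V) mod r
        d = (f + s * c) * pow(u_i, -1, E.r) % E.r    # d = u^-1 (f + sc) mod r
        if c and d:
            return (c, d)
        if u is not None:
            return None

def verify(E, W, M, sig):
    """ECDSA verification with the public-key, range and P != O checks."""
    c, d = sig
    if not valid_public_key(E, W) or not (1 <= c < E.r and 1 <= d < E.r):
        return False
    h = pow(d, -1, E.r)
    P = E.add(E.mul(hash_to_int(E, M) * h % E.r, E.G), E.mul(c * h % E.r, W))
    return P is not O and c == P[0] % E.r

def recover_private_key(E, M1, sig1, M2, sig2):
    """Two signatures made with the same u share c; then u = (f1 - f2)/(d1 - d2) mod r
    and s = (u d1 - f1)/c mod r. This is why step 2 must never repeat u."""
    (c, d1), (c2, d2) = sig1, sig2
    if c != c2 or d1 == d2:
        return None
    f1, f2 = hash_to_int(E, M1), hash_to_int(E, M2)
    u = (f1 - f2) * pow(d1 - d2, -1, E.r) % E.r
    return (u * d1 - f1) * pow(c, -1, E.r) % E.r
```

On the toy curve, `TOY.count_points()` returns 19, within the Hasse bound for q = 17, and the base point (5, 1) generates the whole group, so 19·G = O; the same curve has embedding degree 9 (17^9 ≡ 1 mod 19), so despite its prime order it fails the MOV condition and the domain-parameter validation on the earlier slide would reject it, while `SECP256K1.embedding_degree()` finds no small i. `recover_private_key` shows the failure mode the one-time key rule exists for: two signatures under the same u share c, and s drops out with three modular operations and no curve arithmetic at all.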

Encryption Scheme
• Encryption operation computes a ciphertext from a message with a public key
• Decryption operation recovers a message from a ciphertext with a private key
• Augmented encryption scheme also binds control information to the message

Elliptic Curve Augmented Encryption Scheme
• Augmented encryption scheme based on DHAES (Abdalla-Bellare-Rogaway 1998)
• In ANSI X9.63 draft
• Underlying functions:
– KDF: key derivation function
– Encrypt: symmetric encryption
– MAC: message authentication code

ECAES Encryption
• Input: recipient’s public key W, message M, control information P
• Output: ciphertext (V, C, T)
1. Generate a one-time key pair (u, V)
2. Compute Z = uW
3. Compute (K1, K2) = KDF(Z)
4. Compute C = Encrypt(K1, M)
5. Compute T = MAC(K2, C || P)
6. Output (V, C, T)
Note: Steps 1–3 are like ECDH ephemeral-static

ECAES Decryption
• Input: private key s, ciphertext (V, C, T), control information P
• Output: message M or invalid
1. Compute Z = sV
– V must be validated as a public key (or Z = O rejected) before Z is used with s
2. Compute (K1, K2) = KDF(Z)
3. Check that T = MAC(K2, C || P)
4. Compute M = Decrypt(K1, C)
5. If the check passes, output M, otherwise output invalid
– the MAC check comes first; nothing is decrypted, and no plaintext-dependent error is returned, for a ciphertext that fails it
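The non-EC part of ECAES, steps 3–6 of encryption and 2–5 of decryption, as an added example (not the deck's code and not taken from ANSI X9.63). The shared secret Z is a constructed byte string standing in for the point computed as uW = sV; the KDF is assumed to be the X9.63 counter construction over SHA-256, Encrypt is assumed to be XOR with a keystream expanded from K1 (deliberately malleable, to show what the MAC over C || P is for), and MAC is HMAC-SHA-256. The messages and control information in `demo` are constructed.

```python
import hashlib
import hmac

def kdf(Z, out_len):
    """X9.63-style counter KDF (assumed): SHA-256(Z || counter) blocks, truncated."""
    out, counter = b"", 1
    while len(out) < out_len:
        out += hashlib.sha256(Z + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]

def split_keys(Z):
    """(K1, K2) = KDF(Z): 16 bytes for Encrypt, 32 bytes for MAC (an assumed split)."""
    K = kdf(Z, 48)
    return K[:16], K[16:]

def encrypt(K1, M):
    """Encrypt: XOR with a keystream expanded from K1 (assumed; K1 is used once, since
    a fresh one-time key u gives a fresh Z). Decryption is the same operation."""
    return bytes(m ^ k for m, k in zip(M, kdf(K1, len(M))))

def mac(K2, data):
    return hmac.new(K2, data, hashlib.sha256).digest()

def ecaes_encrypt_tail(Z, M, P):
    """ECAES encryption steps 3-6, given the shared secret Z = uW."""
    K1, K2 = split_keys(Z)
    C = encrypt(K1, M)
    T = mac(K2, C + P)        # control information P is bound by the tag, not encrypted
    return C, T

def ecaes_decrypt_tail(Z, C, T, P):
    """ECAES decryption steps 2-5, given Z = sV; the tag is checked before decrypting."""
    K1, K2 = split_keys(Z)
    if not hmac.compare_digest(T, mac(K2, C + P)):
        return None            # "invalid": wrong key, altered C, or altered P
    return encrypt(K1, C)

# Constructed stand-in for the shared secret; with a real curve Z would be derived
# from the x-coordinate of uW = sV.
Z = hashlib.sha256(b"constructed shared secret for the example").digest()

def demo():
    """Round trip, then two rejected ciphertexts: a flipped bit in C and altered P."""
    M, P = b"transfer 100 to account 42", b"recipient=42;purpose=payment"
    C, T = ecaes_encrypt_tail(Z, M, P)
    ok = ecaes_decrypt_tail(Z, C, T, P)
    # Under XOR, flipping a bit of C flips the same bit of M; only the MAC stops this.
    flipped = bytes([C[0] ^ 0x01]) + C[1:]
    bad_c = ecaes_decrypt_tail(Z, flipped, T, P)
    # Changing the control information, even with C and T intact, also fails.
    bad_p = ecaes_decrypt_tail(Z, C, T, b"recipient=13;purpose=payment")
    return ok, bad_c, bad_p
```

The point of binding P through the MAC rather than encrypting it is visible in `demo`: the recipient can read P in the clear (it is part of the input, not the ciphertext), but any mismatch between the P the sender committed to and the P the recipient supplies makes the tag fail, so the ciphertext cannot be replayed under different control information.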

Some Observations
• In these schemes, only one or two steps are EC operations; some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC
– the additional operations help provide provable security
• Schemes are readily adapted to multiplicative groups

Part III: Advantages and Disadvantages

Advantages and Disadvantages
• Three families
• Key size comparison
• Advantages
• Disadvantages

Three Families
• Today, three families of public-key techniques are prominent
• Following P1363, named according to the hard problem:
– DL: (ordinary) discrete logarithms
– EC: elliptic curve discrete logarithms
– IF: integer factorization
• Each has its own advantages

Key Size Comparison
• Key size is length in bits of:
– DL: field order q
• also consider group order r
– EC: group order r
– IF: modulus n
• Key sizes can be compared based on running time for solving the hard problem with current methods
– other factors to consider

Comparable Key Sizes (Based on Running Time)
EC     DL, IF   Symmetric
112    512      56
160    1024     80
224    2048     112

Advantages
• Alternative hard problem
• Speed
• Data size
• New types of schemes
• Many options

Alternative Hard Problem
• EC Discrete Logarithm Problem is very different than DL, IF hard problems
– does not appear feasible to apply DL, IF approaches to solve it
• Thus, it is an effective alternative against advances in methods for other problems

Speed
• EC operations are generally faster than DL, IF counterparts at comparable key sizes
– GF(2^m) arithmetic affords further speedups
• Key pair generation is much faster than for IF

Data Size
• EC data are shorter than DL, IF counterparts
• Intermediate values are shorter
• Keys are shorter
– benefit depends on certificate content
• Signatures with appendix are the same size as for DL, shorter than IF

New Types of Schemes
• EC family, like DL, has great flexibility due to the availability of common domain parameters
• Multiple schemes can be combined efficiently, e.g.:
– signature + encryption
– signature / key agreement + certification
– (Zheng 1997, Arazi 1998, Vanstone)

Many Options
• EC family affords many choices:
– field type, size, representation
– curve formula
– group order
– base point
– cryptographic scheme
• Appropriate choices can meet varying security and implementation objectives

Disadvantages
• Alternative hard problem
• Curve generation
• Many options

Alternative Hard Problem
• ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact
• However, the focus on this area has grown considerably over the past few years, with increased confidence

Curve Generation
• EC curve generation is complex, not readily implemented
• However, implementers can rely on third parties for curves, which can be validated
– e.g., NIST curves

Many Options
• ECC affords many options, so interoperability is challenging:
– no conversion between GF(2^m), GF(p)
– hardware optimizations may be specific to one set of domain parameters
• However, much of this will be settled by standards and industry practice

Part IV: Standardization Efforts

Standardization Efforts
• Elliptic curves are parts of standards being developed by several groups:
– ANSI X9F1
– IEEE P1363
– ISO JTC1 SC27
– SECG
– U.S. NIST
• Generally, all three families are being developed together

ANSI X9F1
• Cryptographic techniques for U.S. financial services industry
• ANSI X9.62 specifies ECDSA
• ANSI X9.63 (draft) specifies ECDH, ECAES and more
• Technical Guideline on elliptic curve mathematics
• www.x9.org

IEEE P1363
• Public-key cryptography specifications, transnational
• Specifies ECDH, ECDSA and much more (including other families)
– framework for ANSI X9F1 work
• ECAES proposed for addendum
• grouper.ieee.org/groups/1363

ISO SC27
• IT security techniques, international
• ISO/IEC DIS 14888-3 includes ECDSA
– aligned with ANSI X9.62
• ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment
• www.iso.ch/meme/JTC1SC27.html

SECG
• Standards for Efficient Cryptography Group
• Industry implementers agreements, intended to profile other standards
• www.secg.org

U.S. NIST
• Information processing for U.S. government
• FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
• Eventual ANSI X9.63 support likely
• Reference elliptic curves published
• csrc.nist.gov/fips

Summary
• ECC offers an attractive alternative to other public-key cryptosystems
– new hard problem
– smaller key size
• Many standards are emerging
• Number theory continues to be useful
