Elliptic Curve Cryptography
Burt Kaliski
Chief Scientist and Director
RSA Laboratories

I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts


• GF(q) or Fq: finite field with q elements
– typically, q = p where p is prime, or 2^m


• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)
• O: point at infinity

Acronyms
• EC = Elliptic Curve
– as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography

THE TECHNOLOGY STREAM

Part I: Elliptic Curves

Elliptic Curves
• An elliptic curve is the set of solutions (x, y) to an equation of the form y^2 = x^3 + ax + b where 4a^3 + 27b^2 ≠ 0, together with a point at infinity denoted O
• Originally developed to measure circumference of an ellipse

An Example Curve
• Over the reals, the solutions form a curve with one or two components
• Example: y^2 = x^3 - x

Elliptic Curve Arithmetic
• A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
• “Chords and tangents”

Group Law Axioms
• Closure
• Identity: P + O = O + P = P
• Inverse: (x, y) + (x, -y) = O
• Associativity
• Commutativity

Addition Formulae
• Let P1 = (x1, y1) and P2 = (x2, y2) be noninverses
• Then P1 + P2 = (x3, y3) where
x3 = λ^2 - x1 - x2
y3 = λ (x1 - x3) - y1
and λ is the slope of the line:
λ = (3x1^2 + a)/(2y1) if x1 = x2
λ = (y2 - y1)/(x2 - x1) otherwise

Elliptic Curves over Finite Fields
• An elliptic curve may be defined over any finite field GF(q)
• For GF(2^m), the curve has a different form: y^2 + xy = x^3 + ax^2 + b where b ≠ 0
• Addition formulae are similar to those over the reals

Group Properties
• Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
• Hasse bound: #E(Fq) = q + 1 - t, where |t| ≤ 2 sqrt(q)
• The group of points is either cyclic or a product of two cyclic groups

Scalar Multiplication
• Scalar multiplication is repeated group addition: cP = P + ··· + P (c times) where c is an integer
• For all P ∈ E(Fq), nP = O where n = #E(Fq)

Elliptic Curve Research Areas
• EC over finite fields has been an increasing focus of research
1. Efficient elliptic curve arithmetic, scalar multiplication
– including finite field arithmetic
2. Efficient curve generation
3. Cryptographic properties

Some Interesting Applications
• Factoring (Lenstra 1985)
– running time of Elliptic Curve Method (ECM) depends on size of prime factors of a number, ideal for “smooth” numbers
• Primality proving (Goldwasser-Kilian 1986)
– under number-theory assumptions, method for proving primality in random polynomial time
• Fermat’s Last Theorem

Analogy with Multiplicative Groups

Elliptic Curve Group                 Multiplicative Group
point addition                       multiplication
scalar multiplication                exponentiation
elliptic curve discrete logarithm    discrete logarithm

Part II: Elliptic Curve Cryptosystems

Elliptic Curve Cryptosystems
• EC discrete logarithm problem
• Domain parameters
• Key pairs
• Cryptographic schemes

EC Discrete Logarithm Problem
• Problem: Given two points W, G, find s such that W = sG
– first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic restrictions, this is believed to take exponential time
– O(sqrt(r)) time, where r is the order of W

EC Discrete Logarithm Problem (cont’d)
• By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
• ECC thus offers much shorter key sizes than other public-key cryptosystems

Typical Cryptographic Restrictions
• #E(Fq) = kr for large prime r
– k is cofactor
• GCD (k, r) = 1
• “Anomalous” condition: r ≠ q
• MOV condition: r does not divide q^i - 1 for small i
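
Added example (not part of the original slides): the restrictions listed above, together with the Hasse bound, evaluated on toy prime-field curves. Points are counted by brute force, which only works for tiny p; the function names, the three sample curves and the mov_bound limit for "small i" are assumptions of this example.

```python
from math import gcd

def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + ax + b, including O, by brute force (tiny p only)."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("4a^3 + 27b^2 = 0: not an elliptic curve")
    roots = {}                                  # v -> number of y with y^2 = v
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x**3 + a * x + b) % p, 0) for x in range(p))

def largest_prime_factor(n):
    f, best = 2, 1
    while f * f <= n:
        while n % f == 0:
            best, n = f, n // f
        f += 1
    return n if n > 1 else best

def check_restrictions(p, a, b, mov_bound=6):
    """Evaluate each restriction; mov_bound is the assumed limit for 'small i'."""
    n = count_points(p, a, b)
    t = p + 1 - n                               # Hasse: |t| <= 2 sqrt(p)
    r = largest_prime_factor(n)
    k = n // r                                  # cofactor
    return {
        "order": n, "r": r, "k": k,
        "hasse": t * t <= 4 * p,
        "cofactor_coprime": gcd(k, r) == 1,
        "not_anomalous": r != p,
        "mov": all(pow(p, i, r) != 1 for i in range(1, mov_bound + 1)),
    }

# Constructed toy curves (p, a, b)
GOOD = (17, 2, 2)            # 19 points, prime order
ANOMALOUS = (5, 3, 2)        # 5 points over F_5, so r = q
SUPERSINGULAR = (43, 1, 0)   # 44 = 4 * 11 points, and 11 divides 43^2 - 1
```
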

Domain Parameters
• Common values shared by a group of users from which key pairs may be generated
• User or trusted party may generate domain parameters
• Anyone may validate domain parameters

EC Domain Parameters
• Finite field Fq
• Elliptic curve E(Fq) with cryptographic restrictions
• Prime divisor r of #E(Fq)
• Cofactor k
• Base point G ∈ E(Fq) of order r

Generating EC Domain Parameters
1. Select a prime power q
2. Select an elliptic curve E over Fq with cryptographic restrictions
– order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G

Selecting an Elliptic Curve
• Random method
• Complex multiplication method
• Subfield method
• Methods provide tradeoff between speed, “structure” in curves
– less structure = more conservative in assumptions about security

Random Method
1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1
• No structure, but step 2 may be slow
• (Schoof 1985, etc.)

Complex Multiplication Method
1. Generate a curve order n with a small CM discriminant D
2. If restrictions not met, goto 1
3. Given D, find a curve with n points
• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)

Subfield Method
• For q = 2^m with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1
• Fast, but significant structure
• (Koblitz)

Generating a Point of Order r
1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, goto 1
4. Output G

Validating EC Domain Parameters
1. Check that q is a prime power
2. Check that E is an elliptic curve over Fq with cryptographic restrictions
– order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r
4. Output valid if all checks pass, invalid otherwise

Key Pairs
• Pairs of public, private values with which users may perform cryptographic operations
• User or trusted third party may generate key pair
• Anyone may validate public key

EC Key Pairs
• Public key W ∈ E(Fq)
• Private key s ∈ [1, r-1]
– where W = sG

Generating an EC Key Pair
1. Randomly generate s ∈ [1, n-1]
2. Compute W = sG
3. Output (W, s)

Validating an EC Public Key
• Assume valid domain parameters
1. Check that W is a point on E(Fq) of order r
2. Output valid if so, invalid otherwise

Cryptographic Schemes
• Following general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
• Examples:
– key agreement
– signature with appendix
– encryption

Scheme Operations
• Depending on the scheme, related operations may include:
– domain parameter generation, validation
– key pair generation, public-key validation
– one or more scheme-specific operations

Key Agreement Scheme
• Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters
• Multiple secret keys can be obtained by varying parameters


Elliptic Curve Diffie-Hellman
• Key agreement scheme based on Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive
• Underlying function:
– KDF: key derivation function


ECDH Key Agreement
• Input: private key s, other’s public key W*, key derivation parameters P
• Output: shared secret key K
1. Compute Z = sW*
2. Compute K = KDF (Z, P)
3. Output K


Key Agreement Modes
• Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
• Examples of protocol modes:
– anonymous
– static-static
– signed ephemeral-ephemeral
– ephemeral-static

Signature Scheme
• Signature generation operation computes a signature on a message with a private key
• Signature verification operation verifies a signature with a public key

Elliptic Curve Digital Signature Algorithm
• Signature scheme based on NIST FIPS 186-1 DSA
• In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
• Underlying function
– Hash: collision-resistant hash function

ECDSA Signature Generation
• Input: private key s, message M
• Output: signature (c, d)
1. Compute f = Hash (M)
2. Generate a one-time key pair (u, V)
3. Compute c = int (xV) mod r
4. Compute d = u^-1 (f + sc) mod r
5. If c = 0 or d = 0, goto 2
6. Output (c, d)

ECDSA Signature Verification
• Input: signer’s public key W, message M, signature (c, d)
• Output: valid or invalid
1. Compute f = Hash (M)
2. Check that 1 ≤ c, d ≤ r-1
3. Compute h = d^-1 mod r
4. Compute P = fhG + chW
(cont’d)

ECDSA Signature Verification (cont’d)
5. Check that P ≠ O
6. Check that c = int (xP) mod r
7. If all checks pass, output valid, otherwise output invalid
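
Added example, not from the original slides: the addition formulae, scalar multiplication, and the ECDSA generation and verification steps above, written out over a prime field. The curve (secp256k1), SHA-256 as Hash, and all function names are assumptions of this example; the deck fixes none of them.

```python
import hashlib
import secrets

# Assumed domain parameters: secp256k1 (q = p prime, y^2 = x^3 + 7, cofactor k = 1)
p, a, b = 2**256 - 2**32 - 977, 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
r = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(P1, P2):
    """P1 + P2 by the slide's formulae; None stands for O."""
    if P1 is None or P2 is None:
        return P1 or P2
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # inverses: (x, y) + (x, -y) = O
    if x1 == x2:                         # tangent (doubling)
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                # chord
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(c, P):                           # scalar multiplication cP, double-and-add
    Q = None
    while c:
        if c & 1:
            Q = add(Q, P)
        P, c = add(P, P), c >> 1
    return Q

def H(M):
    return int.from_bytes(hashlib.sha256(M).digest(), "big")

def sign(s, M):
    while True:
        u = secrets.randbelow(r - 1) + 1         # one-time key pair (u, V = uG)
        c = mul(u, G)[0] % r
        d = pow(u, -1, r) * (H(M) + s * c) % r
        if c and d:                              # otherwise back to step 2
            return c, d

def verify(W, M, sig):
    c, d = sig
    if not (1 <= c < r and 1 <= d < r):          # step 2: range check first
        return False
    h = pow(d, -1, r)
    P = add(mul(H(M) * h % r, G), mul(c * h % r, W))
    return P is not None and P[0] % r == c
```

The double-and-add loop is not constant-time, so this shows the steps rather than a way to handle production keys.
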

Encryption Scheme
• Encryption operation computes a ciphertext from a message with a public key
• Decryption operation recovers a message from a ciphertext with a private key
• Augmented encryption scheme also binds control information to message

Elliptic Curve Augmented Encryption Scheme
• Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998)
• In ANSI X9.63 draft
• Underlying functions:
– KDF: key derivation function
– Encrypt: symmetric encryption
– MAC: message authentication code

ECAES Encryption
• Input: recipient’s public key W, message M, control information P
• Output: ciphertext (V, C, T)
1. Generate a one-time key pair (u, V)
2. Compute Z = uW
3. Compute (K1, K2) = KDF (Z)
(cont’d)

ECAES Encryption (cont’d)
4. Compute C = Encrypt (K1, M)
5. Compute T = MAC (K2, C || P)
6. Output (V, C, T)
Note: Steps 1–3 are like ECDH ephemeral-static

ECAES Decryption
Input: private key s, ciphertext (V, C, T), control information P
Output: message M or invalid
1. Compute Z = sV
2. Compute (K1, K2) = KDF (Z)
(cont’d)

ECAES Decryption (cont’d)
3. Compute M = Decrypt (K1, C)
4. Check that T = MAC (K2, C || P)
5. If the check passes, output M, otherwise output invalid

Some Observations
• In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC
– the additional operations help provide provable security
• Schemes are readily adapted to multiplicative groups

Part III: Advantages and Disadvantages

Advantages and Disadvantages
• Three families
• Key size comparison
• Advantages
• Disadvantages

Three Families
• Today, three families of public-key techniques are prominent
• Following P1363, named according to the hard problem:
– DL: (ordinary) discrete logarithms
– EC: elliptic curve discrete logarithms
– IF: integer factorization
• Each has its own advantages

Key Size Comparison
• Key size is length in bits of:
– DL: field order q
• also consider group order r
– EC: group order r
– IF: modulus n
• Key sizes can be compared based on running time for solving hard problem with current methods
– other factors to consider

Comparable Key Sizes (Based on Running Time)

EC     DL, IF    Symmetric
112    512       56
160    1024      80
224    2048      112

Advantages
• Alternative hard problem
• Speed
• Data size
• New types of schemes
• Many options

Alternative Hard Problem
• EC Discrete Logarithm Problem is very different than DL, IF hard problems
– does not appear feasible to apply DL, IF approaches to solve it
• Thus, it is an effective alternative against advances in methods for other problems

Speed
• EC operations are generally faster than DL, IF counterparts at comparable key sizes
– GF(2^m) arithmetic affords further speedups
• Key pair generation is much faster than for IF

Data Size
• EC data are shorter than DL, IF counterparts
• Intermediate values are shorter
• Keys are shorter
– benefit depends on certificate content
• Signatures with appendix are same size as for DL, shorter than IF

New Types of Schemes
• EC family, like DL, has great flexibility due to the availability of common domain parameters
• Multiple schemes can be combined efficiently, e.g.:
– signature + encryption
– signature / key agreement + certification
– (Zheng 1997, Arazi 1998, Vanstone)

Many Options
• EC family affords many choices:
– field type, size, representation
– curve formula
– group order
– base point
– cryptographic scheme
• Appropriate choices can meet varying security and implementation objectives

Disadvantages
• Alternative hard problem
• Curve generation
• Many options

Alternative Hard Problem
• ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact
• However, the focus on this area has grown considerably over the past few years, with increased confidence

Curve Generation
• EC curve generation is complex, not readily implemented
• However, implementers can rely on third parties for curves, which can be validated
– e.g., NIST curves

Many Options
• ECC affords many options, so interoperability is challenging:
– no conversion between GF(2^m), GF(p)
– hardware optimizations may be specific to one set of domain parameters
• However, much of this will be settled by standards and industry practice

Part IV: Standardization Efforts

Standardization Efforts
• Elliptic curves are parts of standards being developed by several groups:
– ANSI X9F1
– IEEE P1363
– ISO JTC1 SC27
– SECG
– U.S. NIST
• Generally, all three families are being developed together

ANSI X9F1
• Cryptographic techniques for U.S. financial services industry
• ANSI X9.62 specifies ECDSA
• ANSI X9.63 (draft) specifies ECDH, ECAES and more
• Technical Guideline on elliptic curve mathematics
• www.

IEEE P1363
• Public-key cryptography specifications, transnational
• Specifies ECDSA and much more (including other families)
– framework for ANSI X9F1 work
• ECAES proposed for addendum
• grouper.ieee.

ISO SC27
• IT security, international
• ISO/IEC DIS 14888-3 includes ECDSA
– aligned with ANSI X9.62
• ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment
• www.iso.

SECG
• Standards for Efficient Cryptography Group
• Industry implementers, intended to profile other standards
• www.secg.

U.S. NIST
• Information processing for U.S. government
• FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
• Eventual ANSI X9.63 support likely
• Reference elliptic curves published
• csrc.nist.


Summary
• ECC offers an attractive alternative to other public-key cryptosystems
– new hard problem
– smaller key size
• Many standards are emerging
• Number theory continues to be useful
