The document provides detailed insight into elliptic curve cryptography (ECC), including its mathematical foundations, advantages, and cryptosystems. It covers the elliptic curve structure, scalar multiplication, methods for secure key pair generation, as well as various applications such as signature schemes and encryption protocols. Additionally, it discusses standardization efforts across different organizations to ensure the broad adoption and implementation of ECC in secure communications.

1. THETECHNOLOGYSTREAM
Elliptic Curve Cryptography
Burt Kaliski
Chief Scientist and Director
RSA Laboratories

2. THETECHNOLOGYSTREAM
Outline
I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts

3. THETECHNOLOGYSTREAM
Notation
• GF(q) or Fq: finite field with q
elements
– typically, q = p where p is prime, or 2m
• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)
• O: point at infinity

4. THETECHNOLOGYSTREAM
Acronyms
• EC = Elliptic Curve
– as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography

5. THETECHNOLOGYSTREAM
Part I: Elliptic Curves

6. THETECHNOLOGYSTREAM
Elliptic Curves
• An elliptic curve is the set of solutions
(x, y) to an equation of the form
y2
= x3
+ ax + b
where 4a3
+ 27b2
≠ 0, together with a
point at infinity denoted O
• Originally developed to measure
circumference of an ellipse

7. THETECHNOLOGYSTREAM
An Example Curve
• Over the reals, the
solutions form a
curve with one or
two components
• Example:
y2
= x3
-x

8. THETECHNOLOGYSTREAM
Elliptic Curve Arithmetic
• A group law may
be defined where
the sum of two
points is the
reflection across
the x-axis of the
third point on the
same line
• “Chords and
tangents”

9. THETECHNOLOGYSTREAM
Group Law Axioms
• Closure
• Identity:
P + O = O + P = P
• Inverse:
(x, y) + (x, -y) = O
• Associativity
• Commutativity

10. THETECHNOLOGYSTREAM
Addition Formulae
• Let P1 = (x1, y1) and P2 = (x2, y2) be
non-inverses
• Then P1 + P2 = (x3, y3) where
x3 = λ2
- x1 - x2
y3 = λ (x1 - x3) - y1
and λ is the slope of the line:
λ = (3x1
2
+a)/2y1 if x1 = x2
λ = (y2-y1)/(x2-x1) otherwise

11. THETECHNOLOGYSTREAM
Elliptic Curves over Finite
Fields
• An elliptic curve may be defined over
any finite field GF(q)
• For GF(2m
), the curve has a different
form:
y2
+ xy = x3
+ ax2
+ b
where b ≠ 0
• Addition formulae are similar to those
over the reals

12. THETECHNOLOGYSTREAM
Group Properties
• Let #E(Fq) denote the number of
points on an elliptic curve E(Fq),
including O
• Hasse bound: #E(Fq) = q+1-t, where
|t| ≤ 2 sqrt(q)
• The group of points is either cyclic or
a product of two cyclic groups

13. THETECHNOLOGYSTREAM
Scalar Multiplication
• Scalar multiplication is repeated
group addition:
cP = P + ··· + P (c times)
where c is an integer
• For all P ∈ E(Fq),
nP = O
where n = #E(Fq)

14. THETECHNOLOGYSTREAM
Elliptic Curve Research
Areas
• EC over finite fields has been an
increasing focus of research
1. Efficient elliptic curve arithmetic,
scalar multiplication
– including finite field arithmetic
2. Efficient curve generation
3. Cryptographic properties

15. THETECHNOLOGYSTREAM
Some Interesting
Applications
• Factoring (Lenstra 1985)
– running time of Elliptic Curve Method
(ECM) depends on size of prime factors
of a number, ideal for “smooth” numbers
• Primality proving (Goldwasser-Kilian 1986)
– under number-theory assumptions,
method for proving primality in random
polynomial time
• Fermat’s Last Theorem

16. THETECHNOLOGYSTREAM
Analogy with Multiplicative
Groups
Elliptic Curve
Group
Multiplicative
Group
point addition multiplication
scalar
multiplication
exponentiation
elliptic curve
discrete logarithm
discrete logarithm

17. THETECHNOLOGYSTREAM
Part II: Elliptic Curve
Cryptosystems

18. THETECHNOLOGYSTREAM
Elliptic Curve
Cryptosystems
• EC discrete logarithm problem
• Domain parameters
• Key pairs
• Cryptographic schemes

19. THETECHNOLOGYSTREAM
EC Discrete Logarithm
Problem
• Problem: Given two points W, G,
find s such that W = sG
– first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic
restrictions, this is believed to take
exponential time
– O(sqrt(r)) time, where r is the order of W

20. THETECHNOLOGYSTREAM
EC Discrete Logarithm
Problem (cont’d)
• By comparison, factoring and
ordinary discrete logarithms can be
solved in subexponential time
• ECC thus offers much shorter key
sizes than other public-key
cryptosystems

21. THETECHNOLOGYSTREAM
Typical Cryptographic
Restrictions
• #E(Fq) = kr for large prime r
– k is cofactor
• GCD (k, r) = 1
• “Anomalous” condition: r ≠ q
• MOV condition: r does not divide qi
-1
for small i

22. THETECHNOLOGYSTREAM
Domain Parameters
• Common values shared by a group
of users from which key pairs may be
generated
• User or trusted party may generate
domain parameters
• Anyone may validate domain
parameters

23. THETECHNOLOGYSTREAM
EC Domain Parameters
• Finite field Fq
• Elliptic curve E(Fq) with cryptographic
restrictions
• Prime divisor r of #E(Fq)
• Cofactor k
• Base point G ∈ E(Fq) of order r

24. THETECHNOLOGYSTREAM
Generating EC Domain
Parameters
1. Select a prime power q
2. Select an elliptic cuve E over Fq with
cryptographic restrictions
– order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G

25. THETECHNOLOGYSTREAM
Selecting an Elliptic Curve
• Random method
• Complex multiplication method
• Subfield method
• Methods provide tradeoff between
speed, “structure” in curves
– less structure = more conservative in
assumptions about security

26. THETECHNOLOGYSTREAM
Random Method
1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1
• No structure, but step 2 may be slow
• (Schoof 1985, etc.)

27. THETECHNOLOGYSTREAM
Complex Multiplication
Method
1. Generate a curve order n with a
small CM discriminant D
2. If restrictions not met, goto 1
3. Given D, find a curve with n points
• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)

28. THETECHNOLOGYSTREAM
Subfield Method
• For q = 2m
with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1
• Fast, but significant structure
• (Koblitz)

29. THETECHNOLOGYSTREAM
Generating a Point of
Order r
1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, goto 1
4. Output G

30. THETECHNOLOGYSTREAM
Validating EC Domain
Parameters
1. Check that q is a prime power
2. Check that E is an elliptic curve over
Fq with cryptographic restrictions
– order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of
order r
4. Output valid if all checks pass,
invalid otherwise

31. THETECHNOLOGYSTREAM
Key Pairs
• Pairs of public, private values with
which users may perform
cryptographic operations
• User or trusted third party may
generate key pair
• Anyone may validate public key

32. THETECHNOLOGYSTREAM
EC Key Pairs
• Public key W ∈ E(Fq)
• Private key s ∈ [1, r-1]
– where W = sG

33. THETECHNOLOGYSTREAM
Generating an EC Key
Pair
1. Randomly generate s ∈ [1, n-1]
2. Compute W = sG
3. Output (W, s)

34. THETECHNOLOGYSTREAM
Validating an EC Public
Key
• Assume valid domain parameters
1. Check that W is a point on E(Fq) of
order r
2. Output valid if so, invalid otherwise

35. THETECHNOLOGYSTREAM
Cryptographic Schemes
• Following general model from IEEE
P1363, a scheme is a set of related
operations providing the building
blocks for a protocol
• Examples:
– key agreement
– signature with appendix
– encryption

36. THETECHNOLOGYSTREAM
Scheme Operations
• Depending on the scheme, related
operations may include:
– domain parameter generation, validation
– key pair generation, public-key
validation
– one or more scheme-specific operations

37. THETECHNOLOGYSTREAM
Key Agreement Scheme
• Key agreement operation derives a
shared secret key from a private key,
another’s public key, and key
derivation parameters
• Multiple secret keys can be obtained
by varying parameters

38. THETECHNOLOGYSTREAM
Elliptic Curve Diffie-
Hellman
• Key agreement scheme based on
Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with
ECSDVP-DH primitive
• Underlying function:
– KDF: key derivation function

39. THETECHNOLOGYSTREAM
ECDH Key Agreement
• Input: private key s, other’s public
key W*, key derivation parameters P
• Output: shared secret key K
1. Compute Z = sW*
2. Compute K = KDF (Z, P)
3. Output K

40. THETECHNOLOGYSTREAM
Key Agreement Modes
• Each key pair may be ephemeral,
authenticated, or a combination,
depending on security goals
• Examples of protocol modes:
– anonymous
– static-static
– signed ephemeral-ephemeral
– ephemeral-static

41. THETECHNOLOGYSTREAM
Signature Scheme
• Signature generation operation
computes a signature on a message
with a private key
• Signature verification operation
verifies a signature with a public key

42. THETECHNOLOGYSTREAM
Elliptic Curve Digital
Signature Algorithm
• Signature scheme based on NIST
FIPS 186-1 DSA
• In IEEE P1363, ECSSA with
ECSP/VP-DSA primitives
• Underlying function
– Hash: collision-resistant hash function

43. THETECHNOLOGYSTREAM
ECDSA Signature
Generation
• Input: private key s, message M
• Output: signature (c,d)
1. Compute f = Hash (M)
2. Generate a one-time key pair (u, V)
3. Compute c = int (xV) mod r
4. Compute d = u-1
(f + sc) mod r
5. If c = 0 or d = 0, goto 2
6. Output (c,d)

44. THETECHNOLOGYSTREAM
ECDSA Signature
Verification
• Input: signer’s public key W,
message M, signature (c,d)
• Output: valid or invalid
1. Compute f = Hash (M)
2. Check that 1 ≤ c,d ≤ r-1
3. Compute h = d-1
mod r
4. Compute P = fhG + chW
(cont’d)

45. THETECHNOLOGYSTREAM
ECDSA Signature
Verification (cont’d)
5. Check that P ≠ O
6. Check that c = int (xP) mod r
7. If all checks pass, output valid,
otherwise output invalid

46. THETECHNOLOGYSTREAM
Encryption Scheme
• Encryption operation computes a
ciphertext from a message with a
public key
• Decryption operation recovers a
message from a ciphertext with a
private key
• Augmented encryption scheme also
binds control information to message

47. THETECHNOLOGYSTREAM
Elliptic Curve Augmented
Encryption Scheme
• Augmented encryption scheme
based on DHAES (Bellare-Rogaway 1998)
• In ANSI X9.63 draft
• Underlying functions:
– KDF: key derivation function
– Encrypt: symmetric encryption
– MAC: message authentication code

48. THETECHNOLOGYSTREAM
ECAES Encryption
• Input: recipient’s public key W,
message M, control information P
• Output: ciphertext (V,C,T)
1. Generate a one-time key pair (u,V)
2. Compute Z = uW
3. Compute (K1,K2) = KDF (Z)
(cont’d)

49. THETECHNOLOGYSTREAM
ECAES Encryption
(cont’d)
4. Compute C = Encrypt (K1,M)
5. Compute T = MAC (K2,C || P)
6. Output (V,C,T)
Note: Steps 1–3 are like ECDH
ephemeral-static

50. THETECHNOLOGYSTREAM
ECAES Decryption
Input: private key s, ciphertext (V,C,T),
control information P
Output: message M or invalid
1. Compute Z = sV
2. Compute (K1,K2) = KDF (Z)
(cont’d)

51. THETECHNOLOGYSTREAM
ECAES Decryption
(cont’d)
3. Compute M = Decrypt (K1,C)
4. Check that T = MAC (K2,C || P)
5. If the check passes, output M,
otherwise output invalid

52. THETECHNOLOGYSTREAM
Some Observations
• In these schemes, only one or two
steps are EC operations, some are
modular arithmetic, the rest are
Hash, KDF, Encrypt, MAC
– the additional operations help provide
provable security
• Schemes are readily adapated to
multiplicative groups

53. THETECHNOLOGYSTREAM
Part III: Advantages and
Disadvantages

54. THETECHNOLOGYSTREAM
Advantages and
Disadvantages
• Three families
• Key size comparison
• Advantages
• Disadvantages

55. THETECHNOLOGYSTREAM
Three Families
• Today, three families of public-key
techniques are prominent
• Following P1363, named according
to the hard problem:
– DL: (ordinary) discrete logarithms
– EC: elliptic curve discrete logarithms
– IF: integer factorization
• Each has its own advantages

56. THETECHNOLOGYSTREAM
Key Size Comparison
• Key size is length in bits of:
– DL: field order q
• also consider group order r
– EC: group order r
– IF: modulus n
• Key sizes can be compared based
on running time for solving hard
problem with current methods
– other factors to consider

57. THETECHNOLOGYSTREAM
Comparable Key Sizes
(Based on Running Time)
EC DL, IF Symmetric
112 512 56
160 1024 80
224 2048 112

58. THETECHNOLOGYSTREAM
Advantages
• Alternative hard problem
• Speed
• Data size
• New types of schemes
• Many options

59. THETECHNOLOGYSTREAM
Alternative Hard Problem
• EC Discrete Logarithm Problem is
very different than DL, IF hard
problems
– does not appear feasible to apply DL, IF
approaches to solve it
• Thus, it is an effective alternative
against advances in methods for
other problems

60. THETECHNOLOGYSTREAM
Speed
• EC operations are generally faster
than DL, IF counterparts at
comparable key sizes
– GF(2m
) arithmetic affords further
speedups
• Key pair generation is much faster
than for IF

61. THETECHNOLOGYSTREAM
Data Size
• EC data are shorter than DL, IF
counterparts
• Intermediate values are shorter
• Keys are shorter
– benefit depends on certificate content
• Signatures with appendix are same
size as for DL, shorter than IF

62. THETECHNOLOGYSTREAM
New Types of Schemes
• EC family, like DL, has great flexibility
due to the availability of common
domain parameters
• Multiple schemes can be combined
efficiently, e.g.:
– signature + encryption
– signature / key agreement + certification
– (Zheng 1997, Arazi 1998, Vanstone)

63. THETECHNOLOGYSTREAM
Many Options
• EC family affords many choices:
– field type, size, representation
– curve formula
– group order
– base point
– cryptographic scheme
• Appropriate choices can meet
varying security and implementation
objectives

64. THETECHNOLOGYSTREAM
Disadvantages
• Alternative hard problem
• Curve generation
• Many options

65. THETECHNOLOGYSTREAM
Alternative Hard Problem
• ECDLP has not been studied as long
as DL, IF hard problems, and even a
modest improvement in methods
could have great impact
• However, the focus on this area has
grown considerably over the past few
years, with increased confidence

66. THETECHNOLOGYSTREAM
Curve Generation
• EC curve generation is complex, not
readily implemented
• However, implementers can rely on
third parties for curves, which can be
validated
– e.g., NIST curves

67. THETECHNOLOGYSTREAM
Many Options
• ECC affords many options, so
interoperability is challenging:
– no conversion between GF(2m
), GF(p)
– hardware optimizations may be specific
to one set of domain parameters
• However, much of this will be settled
by standards and industry practice

68. THETECHNOLOGYSTREAM
Part IV: Standardization
Efforts

69. THETECHNOLOGYSTREAM
Standardization Efforts
• Elliptic curves are parts of standards
being developed by several groups:
– ANSI X9F1
– IEEE P1363
– ISO JTC1 SC27
– SECG
– U.S. NIST
• Generally, all three families are
being developed together

70. THETECHNOLOGYSTREAM
ANSI X9F1
• Cryptographic techniques for U.S.
financial services industry
• ANSI X9.62 specifies ECDSA
• ANSI X9.63 (draft) specifies ECDH,
ECAES and more
• Technical Guideline on elliptic curve
mathematics
• www.x9.org

71. THETECHNOLOGYSTREAM
IEEE P1363
• Public-key cryptography
specifications, transnational
• Specifies ECDH, ECDSA and much
more (including other families)
– framework for ANSI X9F1 work
• ECAES proposed for addendum
• grouper.ieee.org/groups/1363

72. THETECHNOLOGYSTREAM
ISO SC27
• IT security techniques, international
• ISO/IEC DIS 14888-3 includes
ECDSA
– aligned with ANSI X9.62
• ISO/IEC CD 15946 covers elliptic
curve techniques including digital
signatures, key establishment
• www.iso.ch/meme/JTC1SC27.html

73. THETECHNOLOGYSTREAM
SECG
• Standards for Efficient Cryptography
Group
• Industry implementers agreements,
intended to profile other standards
• www.secg.org

74. THETECHNOLOGYSTREAM
U.S. NIST
• Information processing for U.S.
government
• FIPS 186 (Digital Signature
Standard) to add support for ANSI
X9.62
• Eventual ANSI X9.63 support likely
• Reference elliptic curves published
• csrc.nist.gov/fips

75. THETECHNOLOGYSTREAM
Summary

76. THETECHNOLOGYSTREAM
Summary
• ECC offers an attractive alternative to
other public-key cryptosystems
– new hard problem
– smaller key size
• Many standards are emerging
• Number theory continues to be useful