This document discusses elliptic curve cryptography and its underlying mathematics. It begins by providing historical context on the development of cryptography and highlights elliptic curves being suggested in 1985 as an encryption system. It then covers key mathematical concepts such as Weierstrass elliptic curve equations, properties of elliptic curves like point addition and doubling, and how elliptic curves form algebraic groups. Finally, it introduces the concepts of prime moduli, rings, and fields which are important for implementing elliptic curve cryptography in practice.
Elliptic Curves: Modern Cryptography
Eric Seifert
May 4, 2014

Abstract
This paper explains the mathematics behind elliptic curve cryptography, its various protocols, and the importance of elliptic curve encryption systems. Mathematical topics include group theory, rings, and modular arithmetic. Additionally, we discuss elliptic curves as intellectual property and their legal ramifications.
1 Introduction
The concept of transmitting information to a third party via a secure network has been of interest since antiquity. Over time, technological advancements changed the methods of encrypting information. Methods for transmitting information were not strictly reliant on transposition or substitution ciphers. Much of the increased need for cryptography was due in part to World War I and later World War II [3].

The spark of the computer age in the latter half of the 20th century caused the use of cryptography to accelerate. The power and capabilities of the computer allowed cryptography to become even more sophisticated. American cryptographers Whitfield Diffie and Martin Hellman's paper in 1976 [3] was a significant step in the development of what is now known as public key cryptography. In 1977, American cryptographers Ronald Rivest, Adi Shamir, and Len Adleman used Diffie and Hellman's findings to develop a practical encryption system known as the RSA algorithm [15].

However, booming technological advancements caused a demand for more secure encryption systems. In the 1980s, computers started seeing improvements in computational speed, improving their ability to solve more complex mathematical problems faster. There was a growing need for more computationally difficult encryption systems.

In 1985 Neal Koblitz [9] and Victor S. Miller [11] independently suggested the use of elliptic curves as an encryption system. Elliptic curves did not enter wide use until 2004, largely because of the lack of technology available to handle calculations as complex as those of elliptic curves. The computationally intractable mathematics of elliptic curves allows them to use more efficient key sizes while offering the same level of security as their RSA counterparts. This complexity is magnified by the types of time algorithms used to solve them. The three main types are polynomial, sub-exponential, and exponential. The names stem from their algebraic properties. For example, an elliptic curve time algorithm is a variant of an exponential time algorithm.

In this paper we will discuss the underlying abstract mathematics used in elliptic curve algorithms, present current protocols, and finally end with a discussion about patents and current issues surrounding elliptic curve cryptography. Specifically, in Section 2 we will introduce the elliptic curve over the real numbers and define the associated algebraic properties. Then in Section 3 we introduce the algebraic properties of rings. Section 4 will introduce non-elliptic curve encryption protocols. Then Section 5 introduces two main elliptic curve encryption systems. Finally, Section 6 concludes with a discussion of patenting elliptic curves for use and various legal ramifications.
2 Elliptic Curves over the Real Numbers
An elliptic curve is a cubic curve with genus one defined over some set of numbers. The genus refers to the largest number of nonintersecting closed curves that can be drawn on a surface without separating it.

In practice, elliptic curve encryption systems utilize 19th-century German mathematician Karl Weierstrass's elliptic curve equation. This stems from the Weierstrass elliptic function (notably denoted ℘). Much of Weierstrass's work centered around calculus, but his work on elliptic curves influenced much of modern cryptography [8].

Weierstrass equations are commonly used for their accessibility over any set of numbers. A Weierstrass equation is any equation of the following form:

$$y^2 + ay = x^3 + bx^2 + cxy + dx + e \quad \text{where } a, b, c, d, e \in \mathbb{R}$$

Though the coefficients of the Weierstrass equation above are defined over $\mathbb{R}$, they could also be defined over other sets, which we will discuss later. A commonly used Weierstrass equation is as follows:

$$y^2 = x^3 + dx + e \quad \text{where } d, e \in \mathbb{R} \text{ and } a = b = c = 0$$

In practice and for efficiency reasons, the National Institute of Standards and Technology recommends that elliptic encryption systems use the above equation with $d = -3$ [13]. One can also consider other variants of cubic curves, such as the general cubic curve

$$ax^3 + bx^2y + cxy^2 + dy^3 + ex^2 + fxy + gy^2 + hx + iy + j = 0$$

Here $a, b, c, d, e, f, g, h, i, j \in S$, where $S$ is a field, which we will discuss below. We will focus on the Weierstrass equation since it is the most commonly used in practice.
2.1 Elliptic Curve Properties
We now explain some important properties of an elliptic curve by defining an algebraic structure on a collection of points on a fixed elliptic curve. These properties are vital to the use of elliptic curves in cryptography.

2.1.1 Point Addition
We define elliptic curve addition as follows:

Definition 2.1. Let P, R and Q be points on the elliptic curve E. Then P + Q ≡ R, where R is $R^{-1}$ reflected over the x-axis and $R^{-1}$ is the third point of intersection between the elliptic curve and the line that contains P and Q. Figure 1 illustrates this concept.
[Figure 1 (plot omitted): the elliptic curve with the points P, Q, $R^{-1}$ and R marked]
Figure 1: Graph showing elliptic curve point addition
We use this definition of addition because, due to a special property of elliptic curves, it will allow us to have additive inverses. Furthermore, in order to understand why we reflect the point R in Definition 2.1 we need to define the identity of an elliptic curve.

Definition 2.2. Let P be a point on the elliptic curve E, and O be the point at infinity. Then P + O = O + P = P. Figure 2 illustrates this concept.
[Figure 2 (plot omitted): the elliptic curve with the points P, $P^{-1}$ and O marked]
Figure 2: Graph showing the identity at infinity
Definition 2.1 implies that $P + P^{-1} = O$, where $P^{-1}$ is sometimes denoted as $-P$. Graphically, the line created between P and O is taken to be a vertical line, intersecting the curve at $P^{-1}$. This implies the point at infinity is the identity element.
2.1.2 Point Doubling
Rather than computing repeated sums, most encryption algorithms use point doubling to reduce run time. Instead of considering two points on the curve we will consider one point P on the elliptic curve E. Adding P to itself is equivalent to drawing the tangent line through P. This line intersects the curve at the point $(2P)^{-1}$. After reflection we see that P + P = 2P. Figure 3 illustrates this concept.
[Figure 3 (plot omitted): the elliptic curve with the points P, $(2P)^{-1}$ and 2P marked]
Figure 3: Graph showing elliptic curve point doubling
Example 2.1. Instead of calculating $15P = \underbrace{P + P + \cdots + P}_{15 \text{ times}}$, we can more efficiently calculate this using point doubling. Namely, $15P = P + 2(P + 2(P + 2P))$. This effectively reduces the number of operations from 15 to six [16].

How to actually evaluate 2P depends on the type of elliptic curve. There are specific formulae that solve for the point doubling value. For example, the interested reader can verify that for the elliptic curve $y^2 = x^3 + ax + b$, $2P = R$, where $P = (P_x, P_y)$ and $R = (R_x, R_y)$. The point R is calculated as follows:

$$R_x = s^2 - 2P_x \quad \text{and} \quad R_y = s(P_x - R_x) - P_y \quad \text{where } s = \frac{3P_x^2 + a}{2P_y} \qquad (1)$$

Repeated point doubling is one of the main reasons that elliptic curve algorithms are so effective.
2.2 Group Definition
In conjunction with the property of elliptic curve addition, elliptic curves form an algebraic structure known as a group.

Definition 2.3. A group $(G, \circ)$ consists of a set of elements G and a binary operation $\circ$ that satisfy the following axioms, as defined in Judson [7]:
• (Associativity) $a \circ (b \circ c) = (a \circ b) \circ c$ for all $a, b, c \in G$.
• (Identity) There exists an element $e \in G$ such that $a \circ e = e \circ a = a$ for all $a \in G$.
• (Inverse) For each $a \in G$, there exists an element $a^{-1} \in G$ such that $a \circ a^{-1} = a^{-1} \circ a = e$.

Now we can define a group (E, +) based on the elliptic curve E. This is known as the elliptic group. Elliptic curve addition is associative since P + (Q + R) = (P + Q) + R for all $P, Q, R \in E$. The elliptic group contains an identity element, which we call O. Finally, inverses exist since by definition $P + P^{-1} = O$. For these reasons, the elliptic group is indeed a group.
3 Prime Modulus and Binary Fields
In the previous section we discussed elliptic curves over $\mathbb{R}$. However, in practice computers have a difficult time working with an infinite set of numbers. For this reason, early encryption systems such as RSA rely heavily on a basic concept of number theory: modular arithmetic. Mathematically, modular arithmetic is defined as follows.

Definition 3.1. Let a and b be two integers and suppose that $n \in \mathbb{N}$. Then a is congruent to b modulo n if $a - b$ is divisible by n; that is, $a - b = nk$ for some $k \in \mathbb{Z}$. We denote by $\mathbb{Z}_n$ the set of equivalence classes of the integers mod n, as defined in Judson [7].
3.1 Rings
Though we defined $\mathbb{Z}_n$ as the set of equivalence classes of the integers mod n, we can also define it as a set with two binary operations, addition and multiplication.

Theorem 3.1. Let $a_1 \equiv b_1 \pmod n$ and $a_2 \equiv b_2 \pmod n$. Then $a_1 + a_2 \equiv b_1 + b_2 \pmod n$. Furthermore, $a_1 a_2 \equiv b_1 b_2 \pmod n$.

The resulting system has a nice algebraic structure called a ring, which is defined as follows.

Definition 3.2. A nonempty set R is a ring if it has two closed binary operations, addition and multiplication, satisfying the following conditions.
• (Commutativity in Addition) a + b = b + a for $a, b \in R$.
• (Associativity in Addition) (a + b) + c = a + (b + c) for $a, b, c \in R$.
• (Additive Identity) There exists an element 0 in R such that a + 0 = a for all $a \in R$.
• (Additive Inverse) For every element $a \in R$, there exists an element $-a \in R$ such that $a + (-a) = 0$.
• (Associativity in Multiplication) (ab)c = a(bc) for $a, b, c \in R$.
• (Distributivity) For $a, b, c \in R$, a(b + c) = ab + ac and (a + b)c = ac + bc.

Notice that in a ring every element has an additive inverse. A special type of ring is a field.
Definition 3.3. A field is a ring R for which ab = ba for all $a, b \in R$, there exists a nonzero element $1 \in R$ such that 1a = a1 = a for every $a \in R$, and every nonzero element a in R has a unique element $a^{-1}$ such that $aa^{-1} = a^{-1}a = 1$.

Notice that in a field every element has an additive inverse and every nonzero element has a multiplicative inverse. We have already seen an example of a field.

Example 3.1. We can see that $\mathbb{Z}_3$ is a field because every nonzero element has a multiplicative inverse, there exists an identity element, and multiplication is commutative. However, $\mathbb{Z}_6$ is not a field because not every nonzero element has a multiplicative inverse. For example, consider the element 2. We see that 2 multiplied by any other element of $\mathbb{Z}_6$ yields only 0, 2 or 4.

When defining the types of fields used in elliptic curve cryptography, we need the following theorem, which explains the connection between a field and the ring $\mathbb{Z}_n$.

Theorem 3.2. If p is prime then every nonzero element of $\mathbb{Z}_p$ has a multiplicative inverse. Furthermore, $\mathbb{Z}_p$ is a field.
Proof. Commutativity of addition and multiplication follows from Theorem 3.1. We want to show that any nonzero element x of $\mathbb{Z}_p$ has a multiplicative inverse. Let x be some integer such that 0 < x < p. Then gcd(x, p) = 1. By the Euclidean Algorithm there exist integers a and b such that ap + bx = 1. Then $bx = 1 - ap \equiv 1 \pmod p$, which implies $bx \equiv 1$. Thus any nonzero element $x \in \mathbb{Z}_p$ has a multiplicative inverse. Therefore $\mathbb{Z}_p$ is a field.

The characteristic p of a field F is the smallest positive integer such that for every nonzero element $\alpha \in F$, $p\alpha = 0$.

Proposition 3.1. If F is a finite field of characteristic p, then the order of F is $p^n$ for some $n \in \mathbb{N}$.

As an example, see Judson [7].
3.2 The Galois Field
Fundamentally, all fields of order $p^n$, where p is prime, have the same structure as one another. Therefore, there exists essentially only one field of order $p^n$, which we call the Galois field, written as $\mathbb{F}_{p^n}$ or $GF(p^n)$. The Galois field is a finite field whose order is a prime power. Notice that when p is prime, $\mathbb{Z}_p$ is the Galois field $\mathbb{F}_p$. When p = 2, the Galois field is known as a binary field because the elements of the field have the same structure as the integers modulo 2.

Example 3.2. We can clearly see that when n = 1 the binary field is simply $\mathbb{F}_2$, which has the same structure as the integers modulo 2.
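As an added example (not from the paper), the following Python code computes inverses in $\mathbb{Z}_n$ with the extended Euclidean algorithm used in the proof of Theorem 3.2, checks Example 3.1 ($\mathbb{Z}_3$ is a field, $\mathbb{Z}_6$ is not), and implements multiplication and inversion in a binary field $GF(2^m)$ using the K-163 field polynomial $t^{163} + t^7 + t^6 + t^3 + 1$ that appears in Section 5.1 of the paper. The small field $GF(2^4)$ with polynomial $t^4 + t + 1$ and the element 0x1234567 are my own constructed values for illustration.

```python
def ext_gcd(a, b):
    """Extended Euclidean algorithm: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return (a, 1, 0)
    g, s, t = ext_gcd(b, a % b)
    return (g, t, s - (a // b) * t)


def inv_mod(x, n):
    """Multiplicative inverse of x in Z_n, or None when gcd(x, n) != 1 (then none exists).

    This is the step in the proof of Theorem 3.2: from a*n + b*x = 1 we get b*x = 1 (mod n).
    """
    g, _, b = ext_gcd(n, x % n)
    return b % n if g == 1 else None


def units(n):
    """Nonzero elements of Z_n that have a multiplicative inverse."""
    return [x for x in range(1, n) if inv_mod(x, n) is not None]


def is_field(n):
    """Z_n is a field exactly when every nonzero element is a unit (Theorem 3.2: n prime)."""
    return n > 1 and len(units(n)) == n - 1


def multiples(x, n):
    """The products x*k in Z_n, e.g. multiples(2, 6) == [0, 2, 4] as in Example 3.1."""
    return sorted({x * k % n for k in range(n)})


# --- Binary fields GF(2^m) (Section 3.2) ---------------------------------------------
# An element is a polynomial over F_2 of degree < m, stored as an int whose bit i is the
# coefficient of t^i.  Addition is XOR (characteristic 2: alpha + alpha = 0), and
# multiplication is carry-less multiplication reduced modulo the field polynomial.

def gf2m_mul(x, y, m, poly):
    """x * y in GF(2^m); `poly` is the field polynomial as an int with bit m set."""
    r = 0
    while y:
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if (x >> m) & 1:          # degree reached m: reduce by the field polynomial
            x ^= poly
    return r


def gf2m_pow(x, e, m, poly):
    """x^e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf2m_mul(r, x, m, poly)
        x = gf2m_mul(x, x, m, poly)
        e >>= 1
    return r


def gf2m_inv(x, m, poly):
    """Inverse of nonzero x: the multiplicative group has order 2^m - 1, so x^(2^m - 2) = x^-1."""
    if x == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf2m_pow(x, (1 << m) - 2, m, poly)


# Field polynomial of the NIST curve K-163, as given in Section 5.1 of the paper:
# p(t) = t^163 + t^7 + t^6 + t^3 + 1
K163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1

# Constructed small field for illustration: GF(2^4) with polynomial t^4 + t + 1.
GF16_POLY = 0b10011


if __name__ == "__main__":
    print("Z_3 field?", is_field(3), " Z_6 field?", is_field(6), " units of Z_6:", units(6))
    print("2 * Z_6 =", multiples(2, 6))
    a = 0x1234567  # a constructed element of GF(2^163)
    print("a * a^-1 in GF(2^163) =", gf2m_mul(a, gf2m_inv(a, 163, K163_POLY), 163, K163_POLY))
```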
4.1 RSA Encryption
A notable encryption system that is an example of public key encryption is called RSA, whose name stems from its 1977 inventors Ronald Rivest, Adi Shamir, and Len Adleman [15]. Algorithm 1 illustrates the RSA algorithm considering parties A and B.

Algorithm 1 RSA Encryption
INPUT: A picks two large prime numbers p and q.
OUTPUT: B's message shared with A.
Step 1: A computes n = pq.
Step 2: A computes $\varphi(n) = (p - 1)(q - 1)$.
Step 3: A computes her $d = e^{-1} \bmod \varphi(n)$, for some e such that $\gcd(e, \varphi(n)) = 1$.
Step 4: B encrypts message m by computing $m^e \bmod n$, publicly sending it to A.
Step 5: A receives the encrypted message $c = m^e \bmod n$.
Step 6: A decrypts the encrypted message by computing $c^d \bmod n = m$.

In the above algorithm e and n are the public key and d is the private key. In order to prove that the RSA algorithm works we need the following theorem, proven by 18th-century mathematician Leonhard Euler:

Theorem 4.1 (Euler's Theorem). Let a and n be integers such that n > 0 and gcd(a, n) = 1. Then $a^{\varphi(n)} \equiv 1 \pmod n$.
Proof that RSA works. We need to show $(m^e)^d \bmod n = m$. We know that $ed \equiv 1 \pmod{\varphi(n)}$. This implies that $\varphi(n) \mid (ed - 1)$. Therefore there exists some integer k such that $ed = 1 + k\varphi(n)$. Then

$$(m^e)^d \equiv m^{ed} \equiv m^{1 + k\varphi(n)} \equiv m \cdot (m^{\varphi(n)})^k \equiv m \cdot 1^k \equiv m \pmod n,$$

so $(m^e)^d \bmod n = m$.
The security of RSA encryption rests on the difficulty of factoring the product of two large prime numbers pq. Namely, it is difficult to determine prime numbers a and b given only ab. In practice, computers may take months to find a and b. The RSA problem admits a subexponential time algorithm; namely, the amount of time needed to find a and b increases roughly exponentially, as mentioned by Hankerson, Vanstone, and Menezes in [5]. This may seem like a lot of time, but as we will see, elliptic curve algorithms require an exponentially greater amount of time to crack.
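The following Python code is an added worked instance of Algorithm 1 and of the proof above; it is not the paper's code. The primes p = 61, q = 53, exponent e = 17 and message m = 65 are constructed toy values, far too small for real use, and the scheme is textbook RSA with no padding, so equal messages give equal ciphertexts.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Algorithm 1, steps 1-3: returns the public key (n, e) and the private key d."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # d = e^-1 mod phi(n)
    return (n, e), d


def rsa_encrypt(pub, m):
    """Step 4: c = m^e mod n (textbook RSA: no padding, hence deterministic)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(pub, d, c):
    """Step 6: m = c^d mod n."""
    n, _ = pub
    return pow(c, d, n)


def euler_holds(a, p, q):
    """Theorem 4.1 for n = pq: a^phi(n) = 1 (mod n) whenever gcd(a, n) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    return gcd(a, n) == 1 and pow(a, phi, n) == 1


def proof_steps(p, q, e, m):
    """Walk the proof that RSA works: ed = 1 + k*phi(n), so (m^e)^d = m * (m^phi(n))^k = m.
    Returns (k, m * (m^phi(n))^k mod n) so the caller can compare the last value with m.
    The proof as written uses Euler's theorem and therefore assumes gcd(m, n) = 1."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    k = (e * d - 1) // phi        # phi(n) divides ed - 1
    assert e * d == 1 + k * phi
    return k, m * pow(pow(m, phi, n), k, n) % n


if __name__ == "__main__":
    # Constructed toy parameters: p = 61, q = 53, e = 17, message 65.
    pub, d = rsa_keygen(61, 53, 17)
    c = rsa_encrypt(pub, 65)
    print("n =", pub[0], " d =", d, " c =", c, " decrypted =", rsa_decrypt(pub, d, c))
```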
4.2 The Diffie-Hellman Key Exchange
One of the more important problems that pertains to elliptic curve cryptography is the discrete logarithm problem. The idea of the problem centers around the formula $y = g^x$. On its own, y is easy to calculate if given g and x. However, solving for x when given y and g proves to be much more difficult. For that reason cryptographers have been interested in designing encryption systems that center around the discrete logarithm problem.

Cryptographers Whitfield Diffie and Martin Hellman published one of the earliest algorithms that centered around the discrete logarithm problem, notably called the Diffie-Hellman Key Exchange [3]. This algorithm allows two parties with no prior knowledge of one another to agree upon a secret key in the presence of a third party (i.e. an attacker). The algorithm involves solving for x given $y = g^x \bmod p$, where p is prime, and g and y are non-negative integers. However, given only g, p, and y it is often extremely difficult to solve for x where $x = \log_g y \bmod p$. Algorithm 2 illustrates the Diffie-Hellman Key Exchange algorithm, again assuming parties A and B.
Algorithm 2 Diffie-Hellman Key Exchange
INPUT: prime number p, element g from the group $\mathbb{Z}_p$.
OUTPUT: Shared secret in the presence of a third party.
Step 1: A picks a natural number a, computes $g^a \bmod p$ and sends it to B.
Step 2: B picks a natural number b, computes $g^b \bmod p$ and sends it to A.
Step 3: A computes $(g^b)^a \bmod p$.
Step 4: B computes $(g^a)^b \bmod p$.

In conclusion, A and B have successfully shared the secret $g^{ab}$ in the presence of a third party. The mathematical idea here centers around the fact that $(g^a)^b \bmod p = (g^b)^a \bmod p$, proven by Diffie and Hellman in [3]. The algorithm relies on the difficulty of finding $g^{ab}$ given the public values $g^a$, $g^b$, g, and p. This is known as the Diffie-Hellman Problem.
A similar problem can be applied to elliptic curves. We call this the elliptic curve discrete logarithm problem. The idea is to find an integer n given only the point P and the end result nP. Again the difficulty here is solving for n given limited information. We will revisit this topic in Section 5.2.
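The following Python code is an added example, not the paper's own: it implements the elliptic group of Section 2 over the prime field $\mathbb{Z}_p$ of Section 3, using the chord rule of Definition 2.1, the tangent formula (1) for doubling, and the double-and-add scheme of Example 2.1, and then runs the elliptic-curve analogue of Algorithm 2 on it. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{Z}_{97}$, the point (3, 6) and the secrets 3 and 4 are constructed toy values, not NIST parameters.

```python
# Constructed toy curve y^2 = x^3 + a*x + b over Z_p (not a NIST curve; far too small for use).
p, a, b = 97, 2, 3
O = None  # the point at infinity: identity of the elliptic group (Definition 2.2)


def on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(P):
    """P^-1 = -P: P reflected over the x-axis, so P + neg(P) = O."""
    if P is O:
        return O
    x, y = P
    return (x, (-y) % p)


def add(P, Q):
    """P + Q by Definition 2.1; division in R becomes multiplication by an inverse in Z_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                        # vertical line: Q = P^-1
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent slope, formula (1)
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p         # chord slope through P and Q
    x3 = (s * s - x1 - x2) % p                          # equals s^2 - 2*P_x when P == Q
    y3 = (s * (x1 - x3) - y1) % p                       # reflect the third intersection
    return (x3, y3)


def double(P):
    return add(P, P)


def scalar_mult(n, P):
    """nP by left-to-right double-and-add, the scheme of Example 2.1:
    15 = 0b1111 gives 15P = P + 2(P + 2(P + 2P))."""
    R = O
    for bit in bin(n)[2:]:
        R = double(R)
        if bit == "1":
            R = add(R, P)
    return R


def op_count(n):
    """Curve operations used by scalar_mult: (bit length - 1) doublings + (popcount - 1) adds."""
    return (n.bit_length() - 1) + (bin(n).count("1") - 1)


def repeated_add(n, P):
    """The naive P + P + ... + P (n times), for comparison."""
    R = O
    for _ in range(n):
        R = add(R, P)
    return R


def order_of(P):
    """Smallest r > 0 with rP = O (the 'order r of a point' used in Section 5.1)."""
    r, Q = 1, P
    while Q is not O:
        Q = add(Q, P)
        r += 1
    return r


def ec_diffie_hellman(G, a_secret, b_secret):
    """Elliptic-curve analogue of Algorithm 2: A sends aG, B sends bG, both compute abG.
    Recovering a from (G, aG) is the elliptic curve discrete logarithm problem."""
    A_pub, B_pub = scalar_mult(a_secret, G), scalar_mult(b_secret, G)
    shared_A = scalar_mult(a_secret, B_pub)   # A computes a(bG)
    shared_B = scalar_mult(b_secret, A_pub)   # B computes b(aG)
    assert shared_A == shared_B
    return shared_A


if __name__ == "__main__":
    P = (3, 6)
    print("2P =", double(P), " order of P =", order_of(P), " ops for 15P:", op_count(15))
    print("ECDH shared point:", ec_diffie_hellman(P, 3, 4))
```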
4.3 Digital Signature Algorithm
A digital signature is often an effective way of verifying that information sent to another party has not been altered in transit and of assuring the recipient of the originator's identity. Unlike the previous algorithms, the digital signature algorithm acts as a means to verify someone's identity. The algorithm is two-fold. The first party generates the signature, which is then verified by the second party. This helps ensure the validity of the first party's signature. The idea of a digital signature was first mentioned by Whitfield Diffie and Martin Hellman in their 1976 paper "New Directions in Cryptography" [3] and further developed in 1995 by cryptographers Shafi Goldwasser, Silvio Micali and Ronald Rivest [4]. The actual algorithm was proposed in 1991 by the National Institute of Standards and Technology (NIST). The algorithm is currently attributed to former NSA employee David W. Krause and is covered by a United States patent [10]. The algorithm stems from the discrete logarithm problem. Algorithm 3 illustrates the algorithm for signature generation and Algorithm 4 illustrates the algorithm for signature verification.
Algorithm 3 Digital Signature: Signature Generation
INPUT: Message m.
OUTPUT: Signature (r, s).
Step 1: Choose a prime number q less than or equal to the output length of the Secure Hash Algorithm H(·), an algorithm that maps data of arbitrary length to data of fixed length; typically a bit string to a fixed hexadecimal representation.
Step 2: Choose a prime number p such that p − 1 is a multiple of q.
Step 3: Choose elements x and k at random from [0, q − 1].
Step 4: Choose an element h at random from [0, p − 1].
Step 5: Compute $g = h^{(p-1)/q} \bmod p$.
Step 6: Compute $y = g^x \bmod p$.
Step 7: Compute $r = (g^k \bmod p) \bmod q$.
Step 8: Compute $s = (k^{-1}(H(m) + xr)) \bmod q$.
Algorithm 4 Digital Signature: Signature Verification
INPUT: Public key (p, q, g, y), private key (m, x), signature (r, s).
OUTPUT: Signature (r, s).
Step 1: The hash function H computes H(m) = e.
Step 2: Compute $w = s^{-1} \bmod q$.
Step 3: Compute $u_1 = ew \bmod q$.
Step 4: Compute $u_2 = rs^{-1} \bmod q$.
Step 5: Compute $v = (g^{u_1} y^{u_2} \bmod p) \bmod q$.
Step 6: If v = r then return "Accept the Signature"; else return "Reject Signature".
We will not prove that the algorithm works, but the interested reader can consult the proof in the NIST report on Digital Security Standards [12]. The purpose of the algorithm is to make sure that the person who sent the signature is actually the correct person. If v ≠ r then the signature was not constructed by the signature generation algorithm. This tells the verifying party that the signature created was not a correct signature based on the input parameters.

Overall, the digital signature algorithm's security relies on the complexity of the discrete logarithm problem modulo an integer. Furthermore, this brief introduction is necessary for comparison with the elliptic curve digital signature algorithm mentioned in the next section.
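Below is an added Python implementation of Algorithms 3 and 4; it is not the paper's code. It assumes a deterministic Miller-Rabin search for a 64-bit q and a matching p (FIPS 186 prescribes its own generation procedure and far larger sizes), takes H(m) as SHA-256 truncated to the bit length of q, and uses constructed constants for the private key x and the per-signature value k; in practice x must stay secret and k must be a fresh, unpredictable value for every signature. Verification needs only the public key (p, q, g, y), the message and (r, s); the signer's x is never used.

```python
import hashlib


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, which covers this example."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def dsa_params(qbits=64):
    """Algorithm 3, steps 1, 2, 4 and 5: a prime q, a prime p with q | p - 1, and g of order q.
    The search is deterministic so the example is reproducible (FIPS 186 uses its own procedure)."""
    q = (1 << (qbits - 1)) | 1
    while not is_probable_prime(q):
        q += 2
    k = 2
    while not is_probable_prime(k * q + 1):
        k += 2                       # keep p odd
    p = k * q + 1
    for h in range(2, p):            # steps 4 and 5: any h with h^((p-1)/q) != 1 works
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def hash_to_int(m, q):
    """H(m) as an integer: the leftmost bitlen(q) bits of SHA-256(m), as in FIPS 186."""
    h = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return h >> max(0, 256 - q.bit_length())


def dsa_sign(params, x, m, k):
    """Algorithm 3, steps 7 and 8. k must be secret and unique for every signature."""
    p, q, g = params
    if not (0 < x < q and 0 < k < q):
        raise ValueError("x and k must lie in [1, q - 1]")
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(m, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; sign again with a different k")
    return r, s


def dsa_verify(params, y, m, sig):
    """Algorithm 4. Only the public key (p, q, g, y), the message and (r, s) are needed."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):         # range check before any arithmetic
        return False
    w = pow(s, -1, q)                         # step 2
    u1 = hash_to_int(m, q) * w % q            # step 3
    u2 = r * w % q                            # step 4
    v = pow(g, u1, p) * pow(y, u2, p) % p % q # step 5
    return v == r                             # step 6


def demo():
    """Sign a constructed message; return (genuine message verifies, altered message verifies)."""
    params = dsa_params()
    p, q, g = params
    x = 0x1234567                    # constructed private key (random and secret in practice)
    y = pow(g, x, p)                 # step 6: public key
    msg = b"constructed sample message"
    sig = dsa_sign(params, x, msg, k=0x7654321)   # constructed k for reproducibility only
    return dsa_verify(params, y, msg, sig), dsa_verify(params, y, b"altered message", sig)


if __name__ == "__main__":
    print("genuine accepted, altered accepted:", demo())
```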
5 Elliptic Curve Protocols
In order to discuss the various elliptic curve protocols, we need to first illustrate how one
can prepare all of the necessary parameters for implementing a protocol.
5.1 Preparing for an Elliptic Curve Algorithm
Developing an algorithm based on an elliptic curve has many parameters to consider.
Currently, and as of 1999, the National Institute of Standards and Technology (NIST)
documents fifteen elliptic curves and their various recommended parameters. We list the
parameter considerations.
1. Choice of Key Length
The key length is represented through a combination of a specific base point G on
the elliptic curve E and the elliptic curve itself. We choose a base point G that has
large prime order r, where the order r of a point G is the smallest integer such that
$rG = \underbrace{G + G + \cdots + G}_{r \text{ times}} = O$. The number of points on the curve is $n = fr$ where
f is an integer such that f is not divisible by r. NIST recommends that the value
for f should be no smaller than 1 to optimize efficiency [13]. We are now gathering
more information to describe the curve.
2. Choice of Field
We focused our attention on prime characteristic fields because they are the two
choices of underlying fields recommended by NIST. The following table lists the
order of p followed by a field degree m (i.e. the degree of the polynomial representation
of the field). Here ‖p‖ refers to the length of the binary expansion of the
integer p.
  Prime Field    Binary Field
  ‖p‖ = 192      m = 163
  ‖p‖ = 224      m = 233
  ‖p‖ = 256      m = 283
  ‖p‖ = 384      m = 401
  ‖p‖ = 521      m = 571
Table 1: NIST Recommended Field Sizes [13]
For example, P-192 refers to a binary expansion of prime field ‖p‖ = 192 and is
p = 6277101735386680763835789423207666416083908700390324961279.
Additionally, Curve K-163 refers to binary field m = 163 with a polynomial representation
degree of 163 and is as follows
$$p(t) = t^{163} + t^{7} + t^{6} + t^{3} + 1$$
where p(t) is the field polynomial representation of $GF(2^{163})$.
3. Choice of Basis
When using a binary field we use a basis to help interpret a bit string. NIST
recommends using either a polynomial basis or a normal basis. We explained a
polynomial basis in Example 3.4 but will not explain a normal basis. The interested
reader should consult [13] for more information about a normal basis.
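The following is an added example, not code from the paper or from NIST, showing what the polynomial basis of item 3 and the field polynomial of item 2 mean in practice: a bit string of at most 163 bits is read as a polynomial in t (bit i is the coefficient of $t^i$), addition is XOR, and multiplication is carry-less with every occurrence of $t^{163}$ replaced by $t^{7} + t^{6} + t^{3} + 1$ according to the K-163 field polynomial quoted above. The function names and the two sample elements are this example's own constructions.

```python
# Arithmetic in the binary field GF(2^163) using the polynomial basis, with the K-163
# field polynomial p(t) = t^163 + t^7 + t^6 + t^3 + 1 quoted in the text.  A field element
# is a bit string of at most 163 bits: bit i is the coefficient of t^i.
M = 163
FIELD_POLY = (1 << M) | (1 << 7) | (1 << 6) | (1 << 3) | 1

def gf2m_add(a, b):
    """Addition is coefficient-wise mod 2, i.e. XOR; there is no carry."""
    return a ^ b

def gf2m_mul(a, b):
    """Shift-and-add (carry-less) multiplication, reducing by p(t) as soon as the
    running multiple of a reaches degree m, so no intermediate exceeds 164 bits."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:            # degree m reached: replace t^m by t^7 + t^6 + t^3 + 1
            a ^= FIELD_POLY
    return result

def gf2m_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^m)."""
    result, base = 1, a
    while e:
        if e & 1:
            result = gf2m_mul(result, base)
        base = gf2m_mul(base, base)
        e >>= 1
    return result

def gf2m_inv(a):
    """Inverse via a^(2^m - 2) = a^(-1) (Fermat in GF(2^m)); 0 has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^m)")
    return gf2m_pow(a, (1 << M) - 2)

def reduce_poly(x):
    """Reduce a polynomial of any degree modulo p(t), e.g. the product of two
    unreduced operands, by cancelling the leading term repeatedly."""
    while x.bit_length() > M:
        x ^= FIELD_POLY << (x.bit_length() - 1 - M)
    return x

def poly_str(x):
    """Render a bit-encoded element as a polynomial in t, for reading."""
    terms = []
    for i in range(x.bit_length() - 1, -1, -1):
        if (x >> i) & 1:
            terms.append("1" if i == 0 else "t" if i == 1 else f"t^{i}")
    return " + ".join(terms) if terms else "0"

# Constructed sample elements (any bit strings of fewer than 163 bits would do).
SAMPLE_A = 0x0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_B = 0x7FEDCBA9876543210FEDCBA9876543210FEDCBA98

def field_checks(a=SAMPLE_A, b=SAMPLE_B):
    """Field properties a practitioner would check before trusting the arithmetic."""
    return {
        "t^163 reduces to": poly_str(reduce_poly(1 << M)),
        "commutative": gf2m_mul(a, b) == gf2m_mul(b, a),
        "distributive": gf2m_mul(a, gf2m_add(b, 1)) == gf2m_add(gf2m_mul(a, b), a),
        "inverse": gf2m_mul(a, gf2m_inv(a)) == 1,
    }
```

The reduction inside gf2m_mul is what makes the field polynomial matter: without it the product of two degree-162 polynomials has degree 324 and is not a field element. The inverse via exponentiation is the simplest correct method; implementations concerned with speed use a binary extended Euclidean algorithm instead, and the same arithmetic carries over to the other NIST binary fields by changing M and FIELD_POLY.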
4. Choice of Curve
An elliptic curve is either supersingular or non-supersingular. An elliptic curve is
supersingular if its trace t is divisible by the characteristic p of $\mathbb{F}_q$ [6].
Supersingular curves satisfy
$$y^2 + ay = x^3 + bx + c \quad \text{where } a, b, c \in R$$
while non-supersingular curves satisfy
$$y^2 + axy = x^3 + bx^2 + c \quad \text{where } a, b, c \in R.$$
Supersingular curves are not suitable for cryptography because of their ability to
reduce the discrete logarithm problem to one that is much easier to attack, according
to Rosing in [16]. For that reason, elliptic curve cryptography focuses on
non-supersingular curves.
NIST recommends either pseudo-random or special curves. Pseudo-random curves
are the most common and have coefficients generated by a specific cryptographic
hash algorithm. Special curves are curves that have selected coefficients from underlying
fields in order to optimize efficiency of the elliptic curve operations. These
types of curves defined over $\mathbb{F}_{2^n}$ are also called Koblitz Curves, whose name stems
from mathematician Neal Koblitz, a prominent figure in the field of elliptic curve
cryptography.
As documented in [13], there are currently 15 elliptic curves used in practice. The
first five curves are defined over five different prime fields $\mathbb{F}_p$ with five different
prime orders r and satisfy the following formula
$$y^2 \equiv x^3 - 3x + b \pmod{p}$$
where for efficiency reasons a = −3 and b satisfies $b^2 c \equiv -27 \pmod{p}$, where c is the
output of the SHA-1 algorithm.
The last 10 curves are defined over the binary field $\mathbb{F}_{p^n}$ with 10 different field degrees
m and are defined as
$$y^2 + xy = x^3 + ax^2 + b \quad \text{where } a, b \in R \qquad (2)$$
The pseudo-random curves satisfy Equation 2 with a = 1, while the Koblitz curves
satisfy Equation 2 with b = 1 and a = 0 or 1 (dependent on the key length variable
f).
5. Choice of Base Point
NIST also provides a base point G = (Gx, Gy) with order r as a general way to
follow their speciļ¬c computations. The base point ultimately acts like a seed when
computing the coeļ¬cients of the curve. It is private information and for that reason,
one should not use the provided base point in [13] but generate their own.
5.2 Elliptic Curve Diffie-Hellman Key Exchange
Now that we have provided the foundations of the mathematics and the requirements
of preparing an elliptic curve algorithm, we begin discussing the Elliptic Curve
Diffie-Hellman Key Exchange. Algorithm 5 illustrates the Elliptic Curve Diffie-Hellman
Algorithm, again assuming parties A and B.
Algorithm 5 Elliptic Curve Diffie-Hellman
INPUT: $E(\mathbb{F}_{p^n})$, point P with order r
OUTPUT: Shared secret, agreed over a channel observed by a third party
Step 1: A and B choose private keys $n_A$ and $n_B$ in the interval $[1, r - 1]$ respectively
Step 2: A and B compute and trade $Q_A = n_A P \in E(\mathbb{F}_{p^n})$ and $Q_B = n_B P \in E(\mathbb{F}_{p^n})$
respectively
Step 3: A and B compute $n_A Q_B \in E(\mathbb{F}_{p^n})$ and $n_B Q_A \in E(\mathbb{F}_{p^n})$ respectively
In conclusion, $n_A Q_B = n_B Q_A$, which means A and B have successfully agreed upon
a shared secret key in the presence of a third party.
In general, the concept behind the algorithm is the same as in Algorithm 2. An
attacker would have to find $n_A n_B P$ when only given $n_A P$, $n_B P$, and P, making it
difficult to calculate the secret. The difference lies with the efficiency of the elliptic curve
calculations. According to the National Security Agency it generally would take $2^k - 1$
operations to attack an algorithm with a k-bit key size [1]. Ideally, a secure public key
algorithm should use parameters that require at least $2^k - 1$ operations to attack. Table 2
illustrates a comparison between RSA and Diffie-Hellman key sizes and those using
elliptic curves.
As with all elliptic curve encryption systems, the mathematically difficult aspect centers
around the Elliptic Curve Discrete Logarithm Problem. The problem is similar to
the non-elliptic curve version previously mentioned. However, instead it relies on elliptic
curve point multiplication and the difficulty of solving for n given Q = nP, where P is a
point on the elliptic curve E.
It becomes increasingly difficult to find n given only Q and P, since in order to find n
one would have to continually test different n values, each time computing the associated
multiple point doublings. Given the complexity of only one point doubling as stated in
Equation 1, this task can easily become time consuming. For this reason, elliptic curves
require an exponential time algorithm to crack. Because the operations are more complex
to crack than their non-elliptic counterparts, the size of the private key can be much lower,
as illustrated in Table 2.
  Non-Elliptic Curve      Elliptic Curve
  Key Size (Bits)         Key Size (Bits)
  1024                    160
  2048                    224
  3072                    256
  7680                    384
  15360                   521
Table 2: NIST Recommended Key Sizes [1]
5.3 Elliptic Curve Digital Signature Algorithm
A more common algorithm used in practice is the Elliptic Curve Digital Signature
Algorithm. The algorithm of Elliptic Curve Digital Signature is similar to the non-elliptic
curve algorithm. Algorithm 6 illustrates the algorithm for signature generation and
Algorithm 7 illustrates the algorithm for signature verification as published by Johnson,
Menezes, and Vanstone in [6].
Algorithm 6 Elliptic Curve Digital Signature: Signature Generation
INPUT: $E(\mathbb{F}_{p^n})$, point P, integer n, private key d, message m.
OUTPUT: Signature (r, s).
Step 1: Choose an element k at random from $[1, n - 1]$.
Step 2: Compute $kP = (x_1, y_1)$.
Step 3: Compute $r = x_1 \bmod n$. If r = 0 then go to step 1.
Step 4: Hash function H computes H(m) = e.
Step 5: Compute $s = k^{-1}(e + dr) \bmod n$. If s = 0 then go to step 1.
Step 6: Return (r, s).
Algorithm 7 Elliptic Curve Digital Signature: Signature Verification
INPUT: $E(\mathbb{F}_{p^n})$, point P, integer n, public key Q = dP, message m, signature (r, s).
OUTPUT: Acceptance or rejection of the signature.
Step 1: Verify that r and s are integers in the interval $[1, n - 1]$. If verification fails
return("Reject Signature").
Step 2: Hash function H computes H(m) = e.
Step 3: Compute $w = s^{-1} \bmod n$.
Step 4: Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
Step 5: Compute $X = u_1 P + u_2 Q = (x_1, y_1)$.
Step 6: If X = O return("Reject Signature").
Step 7: Compute $v = x_1 \bmod n$.
Step 8: If v = r then return("Accept the Signature"); else return("Reject Signature").
The digital signature algorithm and the elliptic curve digital signature algorithm are
conceptually the same with the difference centering on how their signature is calculated.
We provide the proof of signature verification.
Proof. We need to verify that the steps in the algorithm lead to the conclusion v = r.
We know from the signature generation that $s = k^{-1}(e + dr)$. Rearranging we see
$s^{-1} = k(e + dr)^{-1}$. Then $w = k(e + dr)^{-1} \bmod n$, which implies
$$X = \big(ek(e + dr)^{-1} \bmod n + drk(e + dr)^{-1} \bmod n\big)P$$
since dP = Q. Furthermore, $X = kP \bmod n$. But $v = x_1 \bmod n = r$. Therefore the
conclusion verifies the signature's validity.
The security of the hash algorithm is another important aspect of the algorithm. An
insecure hash algorithm could cause an attacker to forge a signature. For example, a
third party E selects an integer l and computes the x coordinate of $Q + lP \bmod n$, setting
it equal to r. E then can set s = r and compute $e = rl \bmod n$. In the event E finds a
message m such that e = H(m), then (r, s) becomes a valid signature for m [5].
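The following is an added example, not code from the paper, from [6] or from NIST, that implements Algorithm 5 (Section 5.2) and Algorithms 6 and 7 (this section) with plain affine point arithmetic over the NIST P-256 curve, and also performs the base point check from Section 5.1 that G lies on E and rG = O. The curve parameters are the published FIPS 186-4 values for P-256 (with a = p − 3, as the formula for the prime field curves above states); SHA-256 serves as H. The function names (point_add, scalar_mult, ecdsa_sign, ecdsa_verify, demo and so on), the Curve tuple and the sample messages are this example's own constructions, and the arithmetic is the textbook chord-and-tangent form, not a constant-time implementation.

```python
import hashlib
import secrets
from collections import namedtuple

# Short-Weierstrass curve y^2 = x^3 + ax + b over F_p with a base point G of prime order n.
Curve = namedtuple("Curve", "p a b G n")
O = None   # the point at infinity

# NIST P-256 domain parameters (FIPS 186-4); a = p - 3, as the text describes.
_p = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256 = Curve(
    p=_p, a=_p - 3,
    b=0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    G=(0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
       0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5),
    n=0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
)

def is_on_curve(c, pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0

def point_add(c, p1, p2):
    """Affine chord-and-tangent addition; the p1 == p2 branch is point doubling."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return O                                           # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p)            # chord slope
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)

def scalar_mult(c, k, pt):
    """Double-and-add: kP = P + P + ... + P (k times)."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = point_add(c, result, addend)
        addend = point_add(c, addend, addend)
        k >>= 1
    return result

def base_point_ok(c):
    """Section 5.1 check: G lies on E and rG = O for the published order r = n."""
    return is_on_curve(c, c.G) and scalar_mult(c, c.n, c.G) is O

def ecdh_agrees(c):
    """Algorithm 5: both parties arrive at the same point n_A n_B P."""
    n_a = secrets.randbelow(c.n - 1) + 1                   # private keys in [1, r - 1]
    n_b = secrets.randbelow(c.n - 1) + 1
    q_a, q_b = scalar_mult(c, n_a, c.G), scalar_mult(c, n_b, c.G)   # traded in the clear
    return scalar_mult(c, n_a, q_b) == scalar_mult(c, n_b, q_a)

def hash_to_int(message, n):
    """e = H(m) as an integer, keeping the leftmost len(n) bits as FIPS 186-4 specifies."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    excess = 256 - n.bit_length()
    return digest >> excess if excess > 0 else digest

def ecdsa_sign(c, d, message):
    """Algorithm 6, looping back to Step 1 when r or s would be 0."""
    e = hash_to_int(message, c.n)                          # Step 4
    while True:
        k = secrets.randbelow(c.n - 1) + 1                 # Step 1: fresh k per signature
        x1, _ = scalar_mult(c, k, c.G)                     # Step 2 (k < n, so kP != O)
        r = x1 % c.n                                       # Step 3
        s = pow(k, -1, c.n) * (e + d * r) % c.n            # Step 5
        if r and s:
            return r, s

def ecdsa_verify(c, Q, message, sig):
    """Algorithm 7, including the range check (Step 1) and the X = O check (Step 6)."""
    r, s = sig
    if not (1 <= r < c.n and 1 <= s < c.n):
        return False
    w = pow(s, -1, c.n)                                    # Step 3
    u1, u2 = hash_to_int(message, c.n) * w % c.n, r * w % c.n      # Step 4
    X = point_add(c, scalar_mult(c, u1, c.G), scalar_mult(c, u2, Q))  # Step 5
    return X is not O and X[0] % c.n == r                  # Steps 6-8

def demo(c=P256):
    d = secrets.randbelow(c.n - 1) + 1                     # private key d
    Q = scalar_mult(c, d, c.G)                             # public key Q = dP
    msg = b"constructed sample message"
    sig = ecdsa_sign(c, d, msg)
    return {"base_point_ok": base_point_ok(c), "ecdh_agrees": ecdh_agrees(c),
            "sig_ok": ecdsa_verify(c, Q, msg, sig),
            "tampered_ok": ecdsa_verify(c, Q, b"tampered message", sig),
            "zero_r_ok": ecdsa_verify(c, Q, msg, (0, sig[1]))}
```

demo() returns a dictionary of booleans; the last two entries show the two ways a verifier rejects, the algebra failing (v ≠ r for a tampered message) and Step 1's range check catching r = 0 before any curve arithmetic runs. The same code runs unchanged on any other prime-field NIST curve by filling a Curve tuple with that curve's published p, b, G and n, and the nG = O check in base_point_ok is the cheap test to run whenever such parameters are typed in by hand.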
For elliptic curves, the algorithms necessary to crack require a greater amount of
complexity. The current fastest algorithm known for solving the elliptic curve discrete
logarithm problem is called Pollard's rho algorithm. The algorithm's run time is based
on a probabilistic method for factoring a composite number N. For more information
consult Hankerson, Menezes, and Vanstone's result in [5].
6 Elliptic Curve Cryptography in Practice
In practice, acquiring elliptic curves to use for encrypting can be difficult due to patent
laws. Above all, elliptic curves are intellectual property and thus come with many legal
considerations.
6.1 Intellectual Property
Despite the high security with using an elliptic curve algorithm, elliptic curves are
intellectual property and are patented formulas. Canadian company Certicom holds over
130 elliptic curve patents. However, this protection limits the use of elliptic curves in
academia and other venues [1]. For this reason, the National Security Agency
purchased licenses for all of Certicom's intellectual property with the stipulation that
the property would only be used under NSA permission. Additionally, the license only
applies to prime field curves with a prime greater than $2^{255}$. This applies to only three
out of the 15 NIST approved curves. Other non-governmental vendors may receive a
license from the NSA to use their curves or negotiate a separate license agreement with
Certicom [1]. As of 2009, Certicom is a wholly owned subsidiary of BlackBerry Limited,
previously known as Research in Motion.
However, the numerous Certicom patents pose a debate on patenting mathematics,
specifically elliptic curves. Alone, an elliptic curve cannot legally be patented. Instead,
the elliptic curve must serve as a tool producing a tangible result. From Certicom's
standpoint, they are patenting the mathematical process of using the elliptic curve in
a way that enhances previously known encryption systems. For that reason it is legal to
patent the actual curve since they use the curve in an algorithm to produce a tangible
result. Ultimately, they hope to profit off their monopolized findings [14].
On May 30th, 2007 Certicom filed a lawsuit against Sony Corporation for patent
infringement. Certain Sony technologies such as Blu-ray DVD players and the PlayStation 3
were found utilizing elliptic curve technologies without a license. That BlackBerry
Limited acquired Certicom for $106 million shows the increasing value of this type of
technology. Furthermore, the NSA has urged a shift to elliptic curve cryptography for
its greater security and improved performance capabilities according to former Certicom
Director John Callahan in [2].
6.2 Future of Elliptic Curve Cryptography
In the future, elliptic curve cryptography could expand into the use of hyperelliptic
curves [16]. A hyperelliptic curve is simply an extension of an elliptic curve following
$y^2 = f(x)$ where f(x) is some polynomial with degree greater than 3. Naturally, the
number of operations to compute multiple point doublings would be higher, allowing for
even greater security than with normal elliptic curves. However, technological
advancements have not yet discarded the security of elliptic curves to make hyperelliptic
curves more appealing. Unfortunately, the structure of hyperelliptic curves may make them
more attackable, according to Rosing in [16]. However, much of this area of cryptography
has not been explored enough for this statement to be validated.
7 Conclusion
The fundamentals of elliptic curve cryptography have stemmed from decades of work from
notable cryptographers such as Diffie, Hellman, Koblitz, Miller, Rivest, Shamir, and
Adleman. The continued growth of computer technology has enabled us to re-develop
previous algorithms using the more complex mathematics of elliptic curves. The core
success is due to the difficulty of solving the elliptic curve discrete logarithm problem
and the extremely difficult task it is for a third party attacker to gain access to private
information. The benefit of elliptic curve cryptography is simple: efficiency. With
something more complex comes something simpler and more efficient to encrypt. The
only thing now is to see how the future of technology shapes elliptic curve cryptography.
References
[1] National Security Agency. The Case for Elliptic Curve Cryptography. http://www.nsa.gov/business/programs/elliptic_curve.shtml, January 2009.
[2] John Callahan. Certicom Files Suit Against Sony for Patent Infringement. Certicom Corporation: https://www.certicom.com/index.php/2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement, May 2007.
[3] Whitfield Diffie and Martin Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6), November 1976.
[4] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen message attacks. SIAM Journal on Computing, 17(2):281–308, 1988.
[5] Darrel Hankerson, Scott Vanstone, and Alfred J. Menezes. Guide to Elliptic Curve Cryptography. Springer Professional Computing. Springer, 2004.
[6] Don Johnson, Alfred Menezes, and Scott Vanstone. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, 2001.
[7] Thomas W. Judson. Abstract Algebra: Theory and Applications. http://abstract.ups.edu/, 2009. Accessed: 2014-05-04.
[8] Israel Kleiner. Excursions in the History of Mathematics: The State Space Method. Operator theory, advances and applications. Birkhäuser, 2012.
[9] Neal Koblitz, Alfred Menezes, and Scott Vanstone. The State of Elliptic Curve Cryptography. Number 19, pages 173–193. November 2000.
[10] D.W. Kravitz. Digital signature algorithm, July 1993. US Patent 5,231,668.
[11] Victor S. Miller. Use of elliptic curves in cryptography. In Hugh C. Williams, editor, Advances in Cryptology CRYPTO 85 Proceedings, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer Berlin Heidelberg, 1986.
[12] U.S. Department of Commerce, National Institute of Standards and Technology. Digital Security Standard (DSS). Technical Report 186-4, Federal Information Processing Standards Publication, December 2013.
[13] National Institute of Standards and Technology. Recommended Elliptic Curves for Federal Government Use. July 1999.
[14] Teresa Riordan. Patents; An appeals court says a mathematical formula can be patented, if it is a moneymaker. New York Times, August 1998.
[15] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Commun. ACM, 21(2):120–126, 1978.
[16] Michael Rosing. Implementing Elliptic Curve Cryptography. Manning Pubs Co Series. Manning Publications Company, 1999.