over $G_p$.
Let us consider two classes of finite fields: $F_p$ (prime field, p is a prime number) and $F_{2^m}$ (binary finite field).
4.4.1 Prime Field $F_p$
The prime field $F_p$ consists of the set of integers $\{0, 1, 2, \ldots, p - 1\}$, with the following arithmetic operations defined over it.
Addition: $a, b \in F_p$, $r \in F_p$, where $r = (a + b) \bmod p$
Multiplication: $a, b \in F_p$, $s \in F_p$, where $s = (a \cdot b) \bmod p$
P11 Elliptic Curve Cryptography
4.4.2 Binary Finite Field $F_{2^m}$
The finite field $F_{2^m}$, called a characteristic two finite field or a binary finite field, can be viewed as a vector space of m dimensions over $F_2$, which consists of 2 elements 0 and 1. There exist m elements $\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{m-1}$ in $F_{2^m}$ such that each element $\alpha \in F_{2^m}$ can be uniquely represented as $\alpha = \sum_{i=0}^{m-1} a_i \alpha_i$, where $a_i \in \{0, 1\}$, $0 \le i < m$.
The string $\{\alpha_0, \alpha_1, \alpha_2, \ldots, \alpha_{m-1}\}$ is called the basis of $F_{2^m}$ over $F_2$. Given such a basis, every field element can be represented as a bit string $(a_0 a_1 a_2 \ldots a_{m-1})$. Generally two kinds of basis are used to represent binary finite fields: polynomial basis and normal basis.
4.4.2.1 Polynomial basis representation of $F_{2^m}$
Let $f(x) = x^m + f_{m-1}x^{m-1} + \ldots + f_2 x^2 + f_1 x + f_0$, where $f_i \in \{0, 1\}$, $0 \le i < m$, be an irreducible polynomial of degree m over $F_2$. f(x) is called the reduction polynomial of $F_{2^m}$.
The finite field $F_{2^m}$ is comprised of all polynomials over $F_2$ of degree less than m, i.e.:
$F_{2^m} = \{a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \ldots + a_2 x^2 + a_1 x + a_0 : a_i \in \{0, 1\}\}$.
The field element $a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \ldots + a_2 x^2 + a_1 x + a_0$ is usually represented by the bit string $(a_{m-1} a_{m-2} \ldots a_2 a_1 a_0)$ of length m such that
$F_{2^m} = \{(a_{m-1} a_{m-2} \ldots a_2 a_1 a_0) : a_i \in \{0, 1\}\}$.
Thus, the elements of $F_{2^m}$ can be represented by the set of all binary strings of length m. The multiplicative identity 1 is represented by the bit string (00...001) and the bit string of all zeroes represents the additive identity 0.
The following operations are defined on the elements of $F_{2^m}$ when using f(x) as the reduction polynomial.
Addition: If $a = (a_{m-1} a_{m-2} \ldots a_2 a_1 a_0)$ and $b = (b_{m-1} b_{m-2} \ldots b_2 b_1 b_0)$ are elements of $F_{2^m}$, then $c = a + b = (c_{m-1} c_{m-2} \ldots c_2 c_1 c_0)$, where $c_i = (a_i + b_i) \bmod 2 = a_i \oplus b_i$.
Multiplication: If $a = (a_{m-1} a_{m-2} \ldots a_2 a_1 a_0)$ and $b = (b_{m-1} b_{m-2} \ldots b_2 b_1 b_0)$ are elements of $F_{2^m}$, then $c = a \cdot b = (c_{m-1} c_{m-2} \ldots c_2 c_1 c_0)$, where the polynomial $c_{m-1}x^{m-1} + c_{m-2}x^{m-2} + \ldots + c_2 x^2 + c_1 x + c_0$ is the remainder when the polynomial $(a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \ldots + a_1 x + a_0)(b_{m-1}x^{m-1} + b_{m-2}x^{m-2} + \ldots + b_1 x + b_0)$ is divided by f(x) over $F_2$.
Inversion: If a is a nonzero element in $F_{2^m}$, then the inverse of a, denoted $a^{-1}$, is a unique element $c \in F_{2^m}$, where $a \cdot c = c \cdot a = 1$
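The polynomial-basis operations above, worked through in Python for the small field $F_{2^4}$ (an added example, not part of the original document). The choice m = 4 with reduction polynomial $f(x) = x^4 + x + 1$ and all function names are assumptions made for illustration; a field element is held as an integer whose bits are the coefficients $(a_{m-1} \ldots a_1 a_0)$.

```python
M = 4                 # assumed field degree: F_{2^4}
F_POLY = 0b10011      # assumed reduction polynomial f(x) = x^4 + x + 1


def gf_add(a, b):
    """c_i = (a_i + b_i) mod 2, i.e. a bitwise XOR of the two bit strings."""
    return a ^ b


def gf_mul(a, b):
    """Polynomial product of a and b, reduced modulo f(x) as it is built up."""
    c = 0
    while b:
        if b & 1:          # current coefficient of b is 1: add a * x^j
            c ^= a
        b >>= 1
        a <<= 1            # multiply a by x
        if a >> M:         # degree reached m: subtract (XOR) f(x)
            a ^= F_POLY
    return c


def gf_inv(a):
    """Inverse as a^(2^m - 2), valid because a^(2^m - 1) = 1 for nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    result, base, exponent = 1, a, (1 << M) - 2
    while exponent:
        if exponent & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exponent >>= 1
    return result


def bits(a):
    """Bit string (a_{m-1} ... a_1 a_0) of a field element."""
    return format(a, f"0{M}b")


if __name__ == "__main__":
    a, b = 0b1101, 0b1001                 # x^3 + x^2 + 1 and x^3 + 1
    print(bits(gf_add(a, b)))             # sum
    print(bits(gf_mul(a, b)))             # product modulo f(x)
    print(bits(gf_inv(0b0010)))           # inverse of x
```

Here $(1101) \cdot (1001)$ expands to $x^6 + x^5 + x^2 + 1$, which reduces to $x^3 + x^2 + x + 1 = (1111)$ using $x^4 = x + 1$.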
4.4.2.2 Normal basis representation of $F_{2^m}$
A normal basis of $F_{2^m}$ over $F_2$ is a basis of the form $\{\beta, \beta^2, \beta^{2^2}, \ldots, \beta^{2^{m-1}}\}$, where $\beta \in F_{2^m}$.
Any element $a \in F_{2^m}$ can be written as $a = \sum_{i=0}^{m-1} a_i \beta^{2^i}$, where $a_i \in \{0, 1\}$.
Gaussian Normal Bases (GNB): A GNB representation of $F_{2^m}$ exists if there exists a positive integer T such that p = Tm + 1 is prime and gcd(Tm/k, k) = 1, where k is the multiplicative order of 2 modulo p. The GNB representation is called a "type T GNB for $F_{2^m}$".
The following operations are defined over $F_{2^m}$ when using a type T GNB representation.
Addition: If $a = (a_{m-1} a_{m-2} \ldots a_2 a_1 a_0)$ and $b = (b_{m-1} b_{m-2} \ldots b_2 b_1 b_0)$ are elements of $F_{2^m}$, then $c = a + b = (c_{m-1} c_{m-2} \ldots c_2 c_1 c_0)$, where $c_i = (a_i + b_i) \bmod 2 = a_i \oplus b_i$.
Squaring: Let $a = (a_{m-1} a_{m-2} \ldots a_2 a_1 a_0) \in F_{2^m}$. Squaring is a linear operation in $F_{2^m}$. Hence
$a^2 = \left(\sum_{i=0}^{m-1} a_i \beta^{2^i}\right)^2 = \sum_{i=0}^{m-1} a_i \beta^{2^{i+1}} = \sum_{i=0}^{m-1} a_{i-1} \beta^{2^i} = (a_{m-2} \ldots a_0 a_{m-1})$.
Hence squaring a field element is simply a rotation of the vector representation.
Multiplication: Let p = Tm + 1 and let $u \in F_p$. Let us define a sequence F(0), F(1), ..., F(p - 1) by $F(2^i u^j \bmod p) = i$, for $0 \le i < m$, $0 \le j < T$.
If $a = (a_{m-1} a_{m-2} \ldots a_2 a_1 a_0)$ and $b = (b_{m-1} b_{m-2} \ldots b_2 b_1 b_0)$ are elements of $F_{2^m}$, then the product $c = a \cdot b = (c_{m-1} c_{m-2} \ldots c_2 c_1 c_0)$ where,
$c_i = \sum_{k=1}^{p-2} a_{F(k+1)+i} \, b_{F(p-k)+i}$ if T is even
$c_i = \sum_{k=1}^{m/2} \left(a_{k-1+i} \, b_{m/2+k-1+i} + a_{m/2+k-1+i} \, b_{k-1+i}\right) + \sum_{k=1}^{p-2} a_{F(k+1)+i} \, b_{F(p-k)+i}$ if T is odd
for each i, $0 \le i < m$, where indices are reduced modulo m.
Inversion: If a is a nonzero element in $F_{2^m}$, then the inverse of a, denoted $a^{-1}$, is a unique element $c \in F_{2^m}$, where $a \cdot c = c \cdot a = 1$.
4.5 Elliptic Curves
Elliptic curves are not ellipses; instead, they are cubic curves of the form $y^2 = x^3 + ax + b$.
Elliptic curves over $R^2$ ($R^2$ is the set R x R, where R = set of real numbers) are defined by the set of points (x, y) which satisfy the equation $y^2 = x^3 + ax + b$, along with a point O, which is the point at infinity and which is the additive identity element. The curve is represented as E(R).
The following figure is an elliptic curve satisfying the equation $y^2 = x^3 - 3x + 3$
Figure 1: Elliptic curve over $R^2$: $y^2 = x^3 - 3x + 3$
4.5.1 Elliptic Curves over Finite Fields
4.5.1.1 Elliptic Curves over $F_p$
An elliptic curve $E(F_p)$ over a finite field $F_p$ is defined by the parameters $a, b \in F_p$ (a, b satisfy the relation $4a^3 + 27b^2 \ne 0$), and consists of the set of points (x, y), $x, y \in F_p$, satisfying the equation $y^2 = x^3 + ax + b$. The set of points on $E(F_p)$ also includes the point O, which is the point at infinity and which is the identity element under addition.
The addition operator is defined over $E(F_p)$ and it can be seen that $E(F_p)$ forms an abelian group under addition.
The addition operation in $E(F_p)$ is specified as follows.
$P + O = O + P = P$, $\forall P \in E(F_p)$
If $P = (x, y) \in E(F_p)$, then $(x, y) + (x, -y) = O$. (The point $(x, -y) \in E(F_p)$ and is called the negative of P and is denoted $-P$)
If $P = (x_1, y_1) \in E(F_p)$ and $Q = (x_2, y_2) \in E(F_p)$ and $P \ne Q$, then $R = P + Q = (x_3, y_3) \in E(F_p)$, where $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$, and $\lambda = (y_2 - y_1)/(x_2 - x_1)$, i.e. the sum of 2 points can be visualized as the point of intersection of $E(F_p)$ and the straight line passing through both the points.
Figure 2: Addition of 2 points P and Q on the curve $y^2 = x^3 - 3x + 3$
Let $P = (x, y) \in E(F_p)$. Then the point $Q = P + P = 2P = (x_1, y_1) \in E(F_p)$, where $x_1 = \lambda^2 - 2x$, $y_1 = \lambda(x - x_1) - y$, where $\lambda = (3x^2 + a)/2y$. This operation is also called doubling of a point and can be visualized as the point of intersection of the elliptic curve and the tangent at P.
Figure 3: Doubling of a point P, R = 2P on the curve $y^2 = x^3 - 3x + 3$
We can notice that addition over $E(F_p)$ requires one inversion, two multiplications, one squaring and six additions. Similarly, doubling a point on $E(F_p)$ requires one inversion, two multiplications, two squarings and eight additions.
Consider the set $E(F_p)$ over addition. We can see that
$\forall P, Q \in E(F_p)$, if $R = P + Q$, then $R \in E(F_p)$ (Closure)
$P + (Q + R) = (P + Q) + R$, $\forall P, Q, R \in E(F_p)$ (Associative)
$\exists O \in E(F_p)$, such that $\forall P \in E(F_p)$, $P + O = O + P = P$ (Identity element)
$\forall P \in E(F_p)$, $\exists -P \in E(F_p)$ such that $P + (-P) = (-P) + P = O$. (Inverse element)
$\forall P, Q \in E(F_p)$, $P + Q = Q + P$. (Commutative)
Thus we see that $E(F_p)$ forms an abelian group under addition.
4.5.1.2 Elliptic curves over $F_{2^m}$
An elliptic curve $E(F_{2^m})$ over a finite field $F_{2^m}$ is defined by the parameters $a, b \in F_{2^m}$ (a, b satisfy the relation $4a^3 + 27b^2 \ne 0$, $b \ne 0$), and consists of the set of points (x, y), $x, y \in F_{2^m}$, satisfying the equation $y^2 + xy = x^3$
, $y_3) \in E(F_{2^m})$, where $x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$, and $\lambda = (y_1 + y_2)/(x_1 + x_2)$, i.e. the sum of 2 points can be visualized as the point of intersection of $E(F_{2^m})$ and the straight line passing through both the points.
Let $P = (x, y) \in E(F_{2^m})$. Then the point $Q = P + P = 2P = (x_1, y_1) \in E(F_{2^m})$, where $x_1 = \lambda^2 + \lambda + a$, $y_1 = \lambda(x + x_1) + x_1 + y$, where $\lambda = x + (y/x)$. This operation is also called doubling of a point and can be visualized as the point of intersection of the elliptic curve and the tangent at P.
We can notice that addition over $E(F_{2^m})$ requires one inversion, two multiplications, one squaring and eight additions. Similarly, doubling a point on $E(F_{2^m})$ requires one inversion, two multiplications, one squaring and six additions.
Similar to $E(F_p)$, consider addition under $E(F_{2^m})$,
$\forall P, Q \in E(F_{2^m})$, if $R = P + Q$, then $R \in E(F_{2^m})$ (Closure)
$P + (Q + R) = (P + Q) + R$, $\forall P, Q, R \in E(F_{2^m})$ (Associative)
$\exists O \in E(F_{2^m})$, such that $\forall P \in E(F_{2^m})$, $P + O = O + P = P$ (Identity element)
$\forall P \in E(F_{2^m})$, $\exists -P \in E(F_{2^m})$, such that $P + (-P) = (-P) + P = O$. (Inverse)
$\forall P, Q \in E(F_{2^m})$, $P + Q = Q + P$. (Commutative)
Thus we see that $E(F_{2^m})$ forms an abelian group under addition.
4.5.2 Elliptic Curve: Some Definitions
Scalar Multiplication: Given an integer k and a point P on the elliptic curve, the elliptic scalar multiplication kP is the result of adding point P to itself k times.
Order: The order of a point P on the elliptic curve is the smallest integer r such that rP = O. Further, if c and d are integers, then cP = dP iff $c \equiv d \pmod{r}$.
Curve Order: The number of points on the elliptic curve is called its curve order and is denoted #E.
5 Elliptical Curve Discrete Logarithm Problem
The strength of Elliptic Curve Cryptography lies in the Elliptic Curve Discrete Log Problem (ECDLP). The statement of ECDLP is as follows.
Let E be an elliptic curve and $P \in E$ be a point of order n. Given a point $Q \in E$ with
Q = mP, for a certain $m \in \{2, 3, \ldots, n - 2\}$.
Find the m for which the above equation holds.
When E and P are properly chosen, the ECDLP is thought to be infeasible. Note that for m = 0, 1 and n - 1, Q takes the values O, P and -P. One of the conditions is that the order of P, i.e. n, be large so that it is infeasible to check all the possibilities of m.
The difference between ECDLP and the Discrete Logarithm Problem (DLP) is that DLP, though a hard problem, is known to have a sub-exponential time solution, and the solution of the DLP can be computed faster than that to the ECDLP. This property of elliptic curves makes it favorable for its use in cryptography.
6 Application of Elliptical Curves in Key Exchange
6.1 Elliptic Curve Cryptography (ECC) domain parameters
The public key cryptographic systems involve arithmetic operations on elliptic curves over finite fields, which are determined by elliptic curve domain parameters.
The ECC domain parameters over $F_q$ are defined by the septuple as given below
D = (q, FR, a, b, G, n, h), where
q: prime power, that is q = p or $q = 2^m$, where p is a prime
FR: field representation of the method used for representing field elements $\in F_q$
a, b: field elements, they specify the equation of the elliptic curve E over $F_q$, $y^2 = x^3 + ax + b$
G: a base point represented by $G = (x_g, y_g)$ on $E(F_q)$
n: order of point G, that is, n is the smallest positive integer such that nG = O
h: cofactor, and is equal to the ratio $\#E(F_q)/n$, where $\#E(F_q)$ is the curve order
The primary security in ECC is the parameter n; therefore the length of an ECC key is the bit length of n. For comparative length, the security of ECC keys is much more than that of other cryptosystems. That is, for equivalent security, the key length of an ECC key is much less than that of other cryptosystems.
6.2 Elliptic Curve protocols
Generally in the process of encryption and decryption, we have 2 entities, the one at the encryption side and the other at the decryption side. Let us assume that Alice is the person who is encrypting and Bob is the person decrypting.
Key generation: Alice's (or Bob's) public and private keys are associated with a particular set of elliptic key domain parameters (q, FR, a, b, G, n, h).
Alice generates the public and private keys as follows
1. Select a random number d, $d \in [1, n - 1]$
2. Compute Q = dG.
3. Alice's public key is Q and private key is d.
It should be noted that the public key generated needs to be validated to ensure that it satisfies the arithmetic requirement of an elliptic curve public key. A public key $Q = (x_q, y_q)$ associated with the domain parameters (q, FR, a, b, G, n, h) is validated using the following procedure
1. Check that $Q \ne O$
2. Check that $x_q$ and $y_q$ are properly represented elements of $F_q$
3. Check if Q lies on the elliptic curve defined by a and b.
4. Check that nQ = O
6.2.1 Elliptic Curve Diffie-Hellman protocol (ECDH)
ECDH is the elliptic curve version of the Diffie-Hellman key agreement protocol (refer section 2.1.1). The protocol for generation of the shared secret using ECC is as described below.
Alice takes a point Q and generates a random number $k_a$
Alice computes the point $P = k_a Q$ and sends it to Bob (It should be noted that Q, P are public)
Bob generates a random number $k_b$ and computes point $M = k_b \cdot Q$ and sends it to Alice
Alice now computes $P_1 = k_a M$ and Bob computes $P_2 = k_b P$
$P_1 = P_2 = k_a k_b Q$, this is used as the shared secret key
An illustration of the above steps is represented below.
Alice                                Bob
Generates $k_a$                      Generates $k_b$
Computes $P = k_a Q$                 Computes $M = k_b Q$
Sends P                              Sends M
Computes $P_1 = k_a M$               Computes $P_2 = k_b P$
Use this computed point ($P_1$ or $P_2$) as the shared secret key
Figure 4: Illustration of Elliptic Curve Diffie-Hellman Protocol
6.2.2 Elliptic Curve Digital Signature Authentication (ECDSA)
Alice, with domain parameters D = (q, FR, a, b, G, n, h), public key Q and private key d, does the following steps to sign the message m
Step 1: Selects a random number $k \in [1, n - 1]$
Step 2: Computes point kG = (x, y) and r = x mod n, if r = 0 then goto Step 1
Step 3: Compute $t = k^{-1} \bmod n$
Step 4: Compute e = SHA-1(m), where SHA-1 denotes the 160 bit hash function
Step 5: Compute $s = k^{-1}(e + d_a \cdot r) \bmod n$, if s = 0 goto Step 1
Step 6: The signature of message m is the pair (r, s)
Step 7: Alice sends Bob the message m and her signature (r, s)
To verify Alice's signature, Bob does the following (Note that Bob knows the domain parameters D and Alice's public key Q)
Step 1: Verify r and s are integers in the range [1, n - 1]
Step 2: Compute e = SHA-1(m)
Step 3: Compute $w = s^{-1} \bmod n$
Step 4: Compute $u_1 = e \cdot w$ and $u_2 = r \cdot w$
Step 5: Compute point $X = (x_1, y_1) = u_1 G + u_2 Q$
Step 6: If X = O, then reject the signature
Else compute $v = x_1 \bmod n$
Step 7: Accept Alice's signature iff v = r
An illustration of the above steps is represented below
Figure 5: Illustration of Elliptic Curve Digital Signature Algorithm (flowchart of Alice's signing steps with the r = 0 and s = 0 checks, and Bob's verification steps with the X = O check and the final test v = r)
Proof for verification
If the message is indeed signed by Alice, then $s = k^{-1}(e + d \cdot r) \bmod n$.
That is, $k = s^{-1}(e + d \cdot r) \bmod n = s^{-1}e + s^{-1}d \cdot r = w \cdot e + w \cdot d \cdot r = (u_1 + u_2 \cdot d) \bmod n$ ... [1]
Now consider $u_1 G + u_2 Q = u_1 G + u_2 dG = (u_1 + u_2 \cdot d)G = kG$ from [1]
In step 5 of the verification process, we have $v = x_1 \bmod n$, where point $X = (x_1, y_1) = u_1 G + u_2 Q$. Thus we see that v = r since r = x mod n and x is the x coordinate of the point kG and we have already seen that $u_1 G + u_2 Q = kG$
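The group law on $E(F_p)$, the public key validation procedure, ECDH and the ECDSA signing and verification steps above, combined in one Python sketch (an added example, not code from the original document). The toy curve $y^2 = x^3 + 2x + 2$ over $F_{17}$ with G = (5, 1), n = 19, h = 1 and all function names are assumptions chosen so that every number can be checked by hand; e stands for the integer value of SHA-1(m).

```python
import hashlib
import secrets

# Constructed toy domain parameters (assumption, far too small for real use):
# E: y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1), order n = 19, h = 1.
P, A, B, G, N = 17, 2, 2, (5, 1), 19
O = None  # the point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Group law on E(F_p): chord for P != Q, tangent for doubling."""
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication kP by the binary (double-and-add) method."""
    acc = O
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc

def validate_public_key(q):
    """The four checks: Q != O, coordinates in F_p, Q on the curve, nQ = O."""
    if q is O or not all(isinstance(c, int) and 0 <= c < P for c in q):
        return False
    return on_curve(q) and mul(N, q) is O

def ecdh_shared(own_secret, peer_point):
    # Validate the received point before multiplying it by our secret scalar.
    if not validate_public_key(peer_point):
        raise ValueError("received point failed public key validation")
    return mul(own_secret, peer_point)

def hash_to_int(message):
    """e = SHA-1(m) as an integer, as in the signing steps."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign(e, d, k=None):
    """ECDSA signature (r, s) on hash value e; fix k only to reproduce a demo."""
    while True:
        nonce = k if k is not None else secrets.randbelow(N - 1) + 1
        r = mul(nonce, G)[0] % N
        s = pow(nonce, -1, N) * (e + d * r) % N
        if r and s:
            return r, s
        if k is not None:
            raise ValueError("this k gives r = 0 or s = 0; choose another")

def verify(e, q, signature):
    r, s = signature
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    x = add(mul(e * w % N, G), mul(r * w % N, q))
    return x is not O and x[0] % N == r
```

With d = 7, k = 10 and e = 26, `sign` returns (7, 17); `verify` then recomputes $u_1 = u_2 = 6$ and X = 10G = (7, 11), so v = r = 7.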
6.2.3 Elliptic Curve Authentication Encryption Scheme (ECAES)
Alice has the domain parameters D = (q, FR, a, b, G, n, h) and public key Q. Bob has the domain parameters D. Bob's public key is $Q_B$ and private key is $d_B$. The ECAES mechanism is as follows.
Alice performs the following steps
Step 1: Selects a random integer r in [1, n - 1]
Step 2: Computes R = rG
Step 3: Computes $K = hrQ_B = (K_x, K_y)$, checks that $K \ne O$
Step 4: Computes keys $k_1 \| k_2 = KDF(K_x)$ where KDF is a key derivation function, which derives cryptographic keys from a shared secret
Step 5: Computes $c = ENC_{k_1}(m)$ where m is the message to be sent and ENC a symmetric encryption algorithm
Step 6: Compute $t = MAC_{k_2}(c)$ where MAC is message authentication code
Step 7: Sends (R, c, t) to Bob
To decrypt a cipher text, Bob performs the following steps
Step 1: Perform a partial key validation on R (check if $R \ne O$, check if the coordinates of R are properly represented elements in $F_q$ and check if R lies on the elliptic curve defined by a and b)
Step 2: Computes $K_B = h \cdot d_B \cdot R = (K_x, K_y)$, check $K \ne O$
Step 3: Compute $k_1, k_2 = KDF(K_x)$
Step 4: Verify that $t = MAC_{k_2}(c)$
Step 5: Computes $m = ENC^{-1}_{k_1}(c)$
$\sum_{j=0}^{l-1} k_j 2^j$, where each $k_j \in \{-1, 0, 1\}$. The weight of the NAF representation of a number of length l is l/3. Given below is an algorithm for finding the NAF of a number.
NAF(k)
Comment: Returns u[] which contains the NAF representation of k
Begin
    c ← k
    l ← 0
    While (c > 0)
    BeginWhile
        If (c is odd)
        BeginIf
            u[l] ← 2 - (c mod 4)
            c ← c - u[l]
        Else
            u[l] ← 0
        EndIf
        c ← c/2
        l ← l + 1
    EndWhile
    Return u
End
Algorithm 1: Computation of the NAF of a scalar
The generation of NAF for $k = 7 = (111)_2$ is as shown below
No of iterations    c    l    u
1                   7    0    -1
2                   4    1    0
3                   2    2    0
4                   1    3    1
Figure 7: Illustration of computation of NAF(7)
Therefore, the value of 7 in NAF form is (1 0 0 -1). (Note that no two consecutive digits are non-zero)
7.2 Complexity analysis of the Elliptic Scalar Multiplication algorithms
7.2.1 Binary Method
The simplest formula for calculating kP is based on the binary representation of k, i.e., $k = \sum_{j=0}^{l-1} k_j 2^j$, where $k_j \in \{1, 0\}$, the value kP can be computed by
$kP = \sum_{j=0}^{l-1} k_j 2^j P = 2(\ldots 2(2 k_{l-1} P + k_{l-2} P) + \ldots) + k_0 P$
$= 2(2 \cdot P + P) + 1P$
7.2.2 Addition-Subtraction method
Here the number k is represented in NAF form. The algorithm performs addition or subtraction depending on the sign of each digit, scanned from left to right.
The algorithm is as given below
Addition-Subtraction (k, P)
Comment: Return Q = kP, where point $P = (x, y) \in E(F_q)$
Begin
    u[] ← NAF(k)    /* The NAF form of k is stored in u */
    Q ← O
    For j = l - 1 DownTo 0
    BeginFor
        Q ← 2Q
        If ($u_j$ = 1)
        Then
            Q ← Q + P
        ElseIf ($u_j$ = -1)
        Then
            Q ← Q - P
        EndIf
    EndFor
    Return Q
End
Algorithm 2: Scalar Multiplication using the Addition-Subtraction method
The algorithm performs l doublings and l/3 additions on an average.
For k = 7, the binary method would require 3 doublings and 3 additions.
In case of the Addition-Subtraction method (the value of 7 in NAF form is 1 0 0 -1), it would require 4 doublings and 2 additions.
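Algorithm 1 and Algorithm 2 in Python, with a counter that reproduces the doubling and addition counts quoted above (an added example, not part of the original document). To stay independent of any curve, the "points" here are plain integers under addition, a stand-in group chosen for this illustration, so kP is simply k * P; the function names are assumptions.

```python
def naf(k):
    """Algorithm 1: NAF digits of k, least significant first (u[0], u[1], ...)."""
    u, c = [], k
    while c > 0:
        if c % 2 == 1:
            digit = 2 - (c % 4)   # +1 when c = 1 (mod 4), -1 when c = 3 (mod 4)
            c -= digit
        else:
            digit = 0
        u.append(digit)
        c //= 2
    return u


def binary_digits(k):
    """Binary digits of k, least significant first."""
    return [int(b) for b in reversed(bin(k)[2:])]


def scan(digits, point, add, neg, identity):
    """Left-to-right scan of Algorithm 2; returns (kP, doublings, additions)."""
    q, doublings, additions = identity, 0, 0
    for d in reversed(digits):
        q = add(q, q)
        doublings += 1
        if d == 1:
            q = add(q, point)
            additions += 1
        elif d == -1:
            q = add(q, neg(point))   # subtraction is addition of -P
            additions += 1
    return q, doublings, additions


# Stand-in group (assumption): integers under addition, so "kP" is k * P.
INT_GROUP = dict(add=lambda a, b: a + b, neg=lambda a: -a, identity=0)


def cost(k, point=1):
    """((doublings, additions) for binary digits, (doublings, additions) for NAF)."""
    qb, db, ab = scan(binary_digits(k), point, **INT_GROUP)
    qn, dn, an = scan(naf(k), point, **INT_GROUP)
    if not qb == qn == k * point:
        raise ArithmeticError("both scans must yield kP")
    return (db, ab), (dn, an)


def is_naf(digits):
    """True when no two consecutive digits are non-zero."""
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))


if __name__ == "__main__":
    print(naf(7), cost(7))
    print(cost(0xFFFF))   # a run of sixteen 1 bits collapses to two NAF digits
```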
7.2.3 Repeated doubling method
A point on the elliptic curve over $F_{2^m}$ is represented in the form of $(x, \lambda)$ rather than in the form of (x, y) when using the repeated doubling method for scalar multiplication. Every point $P = (x, y) \in E(F_{2^m})$, where $x \ne 0$, can be represented as the pair $(x, \lambda)$, where $\lambda = x + y/x$.
The algorithm is as given below
Repeated-doubling (P, i)
Comment: Returns $Q = 2^i P$
Begin
    $\lambda$ ← x + y/x
    For j = 1 to i - 1
    BeginFor
        $x_2$ ← $\lambda^2 + \lambda + a$
        $\lambda_2$ ← $\lambda^2 + a + b/(x^4 + b)$
        x ← $x_2$
        $\lambda$ ← $\lambda_2$
    EndFor
    $x_2$ ← $\lambda^2 + \lambda + a$
    $y_2$ ← $x^2 + (\lambda + 1)x_2$
    Q ← ($x_2$, $y_2$)
    Return Q
End
Algorithm 3: Scalar Multiplication using Repeated Additions
It can be seen that we save one field multiplication in each of the iterations.
8 Conclusion
In our project we perused the concept of Cryptography including the various schemes of system based on the kind of key and a few algorithms such as RSA and DSA. We studied in detail the mathematical foundations for elliptical curve based systems, basically the concepts of rings, fields, groups, Galois finite fields and elliptic curves and their properties. The various algorithms for the computation of the scalar product of a point on the elliptic curve were studied and their complexity was analyzed.
The advantage of elliptic curves over the other public key systems such as RSA, DSA etc. is the key strength. The following table [3] summarizes the key strength of ECC based systems in comparison to other public key schemes.
RSA/DSA Key length    ECC Key Length for Equivalent Security
1024                  160
2048                  224
3072                  256
7680                  384
15360                 512
Figure 8: Comparison of the key strengths of RSA/DSA and ECC
From the table it is very clear that elliptic curves offer a comparable amount of security offered by the other popular public key schemes for a much smaller key strength. This property of ECC has made the scheme quite popular of late.
Over the years, there have been software implementations of ECDSA over finite fields such as $F_{2^{155}}$, $F_{2^{167}}$, $F_{2^{176}}$, $F_{2^{191}}$ and $F_p$ (p: 160 and 192 bit prime numbers). Schroppel et al. [13] mention an implementation of an elliptic curve analogue of the Diffie-Hellman key exchange algorithm over $F_{2^{155}}$ with a trinomial basis representation. The elliptic curve based public key cryptography schemes have been standardized by the Institute of Electrical and Electronic Engineers (IEEE) and the standard is available as IEEE P1363.
9 References
[1] B. Schneier. Applied Cryptography. John Wiley and Sons, second edition, 1996
[2] Cryptography and Elliptic Curves, http://www.tcs.hut.fi/~helger/crypto/link/public/elliptic/
[3] Julio Lopez and Ricardo Dahab, "An overview of elliptic curve cryptography", May 2000.
[4] V. Miller, "Uses of elliptic curves in cryptography", Advances in Cryptology - CRYPTO'85, LNCS 218, pp.417-426, 1986.
[5] Jeffrey L. Vagle, "A Gentle Introduction to Elliptic Curve Cryptography", BBN Technologies
[6] Mugino Saeki, "Elliptic curve cryptosystems", M.Sc. thesis, School of Computer Science, McGill University, 1996. http://citeseer.nj.nec.com/saeki97elliptic.html
[7] J. Borst, "Public key cryptosystems using elliptic curves", Master's thesis, Eindhoven University of Technology, Feb. 1997. http://citeseer.nj.nec.com/borst97public.html
[8] http://world.std.com/~franl/crypto.html
[9] Aleksandar Jurisic and Alfred Menezes, "Elliptic Curves and Cryptography", Dr. Dobb's Journal, April 1997, pp 26ff
[10] Robert Milson, "Introduction to Public Key Cryptography and Modular Arithmetic"
[11] Aleksandar Jurisic and Alfred J. Menezes, Elliptic Curves and Cryptography
[12] William Stallings, Cryptography and Network Security-Principles and Practice second edition, Prentice Hall publications.
[13] R. Schroppel, H. Orman, S. O'Malley and O. Spatscheck, "Fast key exchange with elliptic key systems", Advances in Cryptography, Proc. Crypto'95, LNCS 963, pp. 43-56, Springer-Verlag, 1995.