
CSE 450/598

Design and Analysis of Algorithms


Project ID P113
Elliptic Curve Cryptography
Vikram V Kumar (vikramv@asu.edu) [Grad.]
Satish Doraiswamy (satish.d@asu.edu) [Grad.]
Jabeer Zainullabudeen (jabeer@asu.edu) [Grad.]
Final Report
Abstract
The idea of information security led to the evolution of Cryptography. In other words, Cryptography is the science of keeping information secure. It involves encryption and decryption of messages. Encryption is the process of converting a plain text into cipher text and decryption is the process of getting back the original message from the encrypted text. Cryptography, in addition to providing confidentiality, also provides Authentication, Integrity and Non-repudiation. The crux of cryptography lies in the key involved and the secrecy of the keys used to encrypt or decrypt. Another important factor is the key strength, i.e. the size of the key so that it is difficult to perform a brute force on the plain and cipher text and retrieve the key. There have been various cryptographic algorithms suggested. In this project we study and analyze the Elliptic Curve cryptosystems. This system has been proven to be stronger than known algorithms like RSA/DSA.

Keywords
Cryptography, Public Key Systems, Galois Fields, Elliptic Curve, Scalar Multiplication
P113 Elliptic Curve Cryptography
Table of Contents
1 Introduction
2 Individual contributions of the team members
3 Cryptosystems and Public key cryptography
4 Mathematical Overview
5 Elliptical Curve Discrete Logarithm Problem
6 Application of Elliptical Curves in Key Exchange
7 Algorithms for Elliptic Scalar Multiplication
8 Conclusion
9 References

Table of Figures
Figure 1: Elliptic curve over $R^2$: $y^2 = x^3 - 3x + 3$
Figure 2: Addition of 2 points P and Q on the curve $y^2 = x^3 - 3x + 3$
Figure 3: Doubling of a point P, R = 2P on the curve $y^2 = x^3 - 3x + 3$
Figure 4: Illustration of Elliptic Curve Diffie-Hellman Protocol
Figure 5: Illustration of Elliptic Curve Digital Signature Algorithm
Figure 6: Illustration of Elliptic Curve Authentication Encryption Scheme
Figure 7: Illustration of computation of NAF(7)
Figure 8: Comparison of the key strengths of RSA/DSA and ECC

Table of Algorithms
Algorithm 1: Computation of the NAF of a scalar
Algorithm 2: Scalar Multiplication using the Addition-Subtraction method
Algorithm 3: Scalar Multiplication using Repeated Additions

1 Introduction
The idea of information security led to the evolution of Cryptography. In other words, Cryptography is the science of keeping information secure. It involves encryption and decryption of messages. Encryption is the process of converting a plain text into cipher text and decryption is the process of getting back the original message from the encrypted text. Cryptography, in addition to providing confidentiality, also provides Authentication, Integrity and Non-repudiation.

There have been many known cryptographic algorithms. The crux of any cryptographic algorithm is the "seed" or the "key" used for encrypting/decrypting the information. Many of the cryptographic algorithms are available publicly, though some organizations believe in having the algorithm a secret. The general method is in using a publicly known algorithm while maintaining the key a secret.

Based on the key, cryptosystems can be classified into two categories: Symmetric and Asymmetric. In Symmetric Key Cryptosystems, we use the same key for both Encryption as well as the corresponding decryption, i.e. if K was the key and M was the message, then we have

$D_K(E_K(M)) = M$

Asymmetric or Public key or shared key cryptosystems use two different keys. One is used for encryption while the other key is used for decryption. The two keys can be used interchangeably. One of the keys is made public (shared) while the other key is kept a secret, i.e. let $k_1$ and $k_2$ be public and private keys respectively. Let M be the message, then

$D_{k_2}(E_{k_1}(M)) = D_{k_1}(E_{k_2}(M)) = M$

In general, symmetric key cryptosystems are preferred over public key systems due to the following factors:
1. Ease of computation
2. Smaller key length providing the same amount of security as compared to a larger key in Public key systems.

Hence the common method adopted is to use a public key system to securely transmit a "secret key". Once we have securely exchanged the Key, we then use this key for encryption and decryption using a Symmetric Key algorithm.

The idea of using Elliptic curves in cryptography was introduced by Victor Miller and Neal Koblitz as an alternative to established public-key systems such as DSA and RSA. The Elliptical curve Discrete Log Problem (ECDLP) makes it difficult to break an ECC as compared to RSA and DSA where the problems of factorization or the discrete log problem can be solved in sub-exponential time. This means that significantly smaller parameters can be used in ECC than in other competitive systems such as RSA and DSA. This helps in having smaller key size hence faster computations.

In our project we study the application of elliptic curves in the field of cryptography. We study the property of finite field and elliptic curves over finite fields and also how these properties can be used for efficient and secure key exchange.

2 Individual contributions of the team members
This project has been a study project, where we have studied and learnt the various concepts of elliptic curves. All the team members have been actively involved in the full length of this project and the contribution from all of us is equal. Since this project involved a lot of study, discussions and analysis we cannot quantify the percentage of work done by each member as each one was equally involved in the study of various individual aspects and the entire learning involved discussions among us where each of us explained our learning to the other.

3 Cryptosystems and Public key cryptography
The word "Cryptography" is derived from the Greek and it literally means "secret writing". Cryptography has been around for more than a thousand years and the Roman Empire was thought to be the masters of cryptography as they used simple cipher techniques to hide the meaning of messages. Some of the earlier and popular cryptographic techniques were Caesar cipher, Substitution cipher and Transposition ciphers. Cryptography is the process of encrypting the plain text into an incomprehensible cipher text by the process of Encryption and the conversion back to plain text by process of Decryption.

Cryptographic systems are generally classified on the following basis:
1. Type of operations used for transforming plaintext to cipher text: Most encryption algorithms are based on 2 general principles,
   a. Substitution, in which each element in plain text is mapped to some other element to form the cipher text
   b. Transposition, in which elements in plaintext are rearranged to form cipher text.
2. Number of keys used: If both the sender and the receiver use a same key then such a system is referred to as Symmetric, single-key, secret-key or conventional encryption. If the sender and receiver use different keys, then such a system is called Asymmetric, Two-key, or public-key encryption.
3. Processing of Plain text: A Block cipher processes the input one block at a time, producing an output block for each input block. A Stream cipher processes the input elements continuously producing output elements on the fly.

Most of the cryptographic algorithms are either symmetric or asymmetric key algorithms.

1. Secret Key Cryptography: This type of cryptosystem uses the same key for both encryption and decryption. Some of the advantages of such a system are
- Very fast relative to public key cryptography
- Considered secure, as long as the key is strong
Symmetric key cryptosystems have some disadvantages too. Exchange and administration of the key becomes complicated. Non-repudiation is not possible. Some of the examples of Symmetric key cryptosystems include DES, 3-DES, RC4, RC5 etc.

2. Public Key Cryptography: This type of cryptosystems uses different keys for encryption and decryption. Each user has a public key, which is known to all others, and a private key, which remains a secret. The private key and public key are mathematically linked. Encryption is performed with the public key and the decryption is performed with the private key. Public key cryptosystems are considered to be very secure and support Non-repudiation. No exchange of keys is required thus reducing key administration to a minimum. But it is much slower than Symmetric key algorithms and the cipher text tends to be much larger than plaintext. Some of the examples of public key cryptosystems include Diffie-Hellman, RSA and Elliptic Curve Cryptography.

3.1 Brief Overview of some known algorithms
3.1.1 Diffie-Hellman (DH) public-key algorithm
Diffie-Hellman was the first public-key algorithm ever invented, way back in 1976. It gets its security from the difficulty of calculating discrete logarithms in a finite field. The idea behind Diffie-Hellman algorithm is to generate a private key that can later be used for communication, and sharing it in a secure fashion. Two people, say Alice and Bob, can use this algorithm to generate a secret key and for key distribution. First Alice and Bob agree on large prime numbers n and g such that g is primitive mod n. Alice and Bob could do this over an insecure channel. Alice and Bob perform the following steps.
1. Alice chooses a random large integer x and sends Bob $a = g^x \bmod n$
2. Similarly Bob chooses a random large integer y and sends Alice: $b = g^y \bmod n$
3. Alice computes k from b that Bob sent, $k = b^x \bmod n$
4. Similarly Bob computes $k' = a^y \bmod n$
Both k and k' are equal to $g^{xy} \bmod n$. Any person listening to the conversation would only know n, g, a and b. They cannot recover x and y because of the Discrete Logarithm problem. The security lies on choosing large values of n and g. The Diffie-Hellman key exchange protocol can be easily extended to three or more people.

3.1.2 RSA
RSA is a public-key cryptosystem that gets its name from its inventors (Rivest, Shamir and Adleman) and was developed in 1977. It has since withstood years of extensive cryptanalysis. It is used for electronic commerce and many other secure communications over the Internet. RSA is a Block cipher in which the plain text and cipher text are integers between 0 and n − 1 for some integer n. RSA gets its security from the difficulty of factoring large numbers.

3.1.2.1 Working of RSA
Select 2 random large prime numbers p and q of almost equal length. Compute their product n = pq. The Euler's Totient function $\varphi(n)$ is computed, i.e. $\varphi(n) = (p - 1)(q - 1)$. We then choose two keys a and b such that $a \cdot b \equiv 1 \pmod{\varphi(n)}$. One of the keys, say a, is made public while the other key b is kept a secret. At this point, we no longer require p, q and $\varphi(n)$. We can discard these values.

If we have a message M, encryption of M is $C = M^a \bmod n$; C is the resultant cipher text.
Decryption of C is achieved by $M' = C^b \bmod n$.
Consider $M' = M^{ab} \bmod n = M^{k\varphi(n) + 1} \bmod n$ (since $a \cdot b \equiv 1 \pmod{\varphi(n)}$)
$M' = M \cdot M^{k\varphi(n)} \bmod n = M \bmod n$ (it can be proved that $x^{\varphi(n)} \equiv 1 \pmod{n}$)
Hence we see that M = M'. Thus we have achieved efficient encryption and decryption using RSA.

3.1.2.2 Security of RSA
Three possible approaches to attacking the RSA algorithm are as follows:
- Brute Force: This involves trying out all the possible private keys.
- Mathematical attacks: There are several approaches, all equivalent in effect to factoring the product of 2 primes.
- Timing attacks: These depend on the running time of the decryption algorithm.
Choosing large p and q values can prevent such attacks. Security of RSA thus lies in choosing the value n, which makes such attacks extremely difficult.

3.1.2.3 Difference between RSA and Diffie-Hellman
DH allows two users Alice and Bob, who might have never met before, to work together and establish a secret key in order to communicate securely, even in the presence of some intruder. In RSA only the Receiver needs to perform calculations to establish what is called a secret key and a public key. The Receiver doesn't have to necessarily know the Sender of the messages.

3.1.3 DSA
DSA was the first digital signature scheme to be accepted as legally binding by US government. The algorithm is a variant of the Schnorr and ElGamal signature scheme. It exploits small subgroups in $Z_p^*$ in order to decrease the size of signatures. The algorithm makes use of Secure Hash algorithm. The algorithm uses the following parameters:
- p: a prime number, usually 512 to 1024 bits long, with a bit length that is a multiple of 64.
- q: a 160-bit prime factor of p − 1
- $g = h^{(p-1)/q} \bmod p$, where h is any number less than p − 1 such that $h^{(p-1)/q} \bmod p$ is greater than 1.
- x: a number less than q
- $y = g^x \bmod p$
- $Z_p^* = \{1, 2, \dots, p - 2, p - 1\}$
- H(): A secure hash function
The parameters p, q and g are publicly known and x is the private key and y is the public key. To sign a message m:
1. Alice generates a random number, k, less than q.
2. Alice generates
   $r = (g^k \bmod p) \bmod q$, $s = (k^{-1}(H(m) + xr)) \bmod q$
   The parameters r and s are Alice's signature, which she sends to Bob.
3. Bob verifies Alice's signature by computing
   $w = s^{-1} \bmod q$, $u_1 = (H(m) \cdot w) \bmod q$
   $u_2 = (rw) \bmod q$, $v = ((g^{u_1} y^{u_2}) \bmod p) \bmod q$
4. If v = r then the signature is verified.
The security of the DSA lies in the discrete logarithm problem. Thus given p, q, g and y, finding x such that $y \equiv g^x \pmod{p}$ would be difficult. For larger values of p, the best-known algorithm is the Pollard rho method, which takes about $\sqrt{\pi q / 2}$ steps. Since q in DSA is approximately $2^{160}$, it is not vulnerable to such types of attack.
4 Mathematical Overview
4.1 Groups
A mathematical structure consisting of a set G and a binary operator $\ast$ on G is a group if,
- $\forall a, b \in G$, if $c = a \ast b$, then $c \in G$ (Closure)
- $a \ast (b \ast c) = (a \ast b) \ast c$, $\forall a, b, c \in G$ (Associative)
- $\exists e \in G$, such that $\forall a \in G$, $a \ast e = e \ast a = a$ (Identity element)
- $\forall a \in G$, $\exists a^{-1} \in G$ such that $a \ast a^{-1} = a^{-1} \ast a = e$. $a^{-1}$ is unique for each a and is called the inverse of a.
The group is represented as $\langle G, \ast \rangle$. Additionally, a group is said to be abelian if it also satisfies the commutative property, i.e., $\forall a, b \in G$, $a \ast b = b \ast a$.

4.2 Rings
A Ring is a set R with two binary operations $+$ and $\cdot$ (Addition and multiplication) defined on R such that the following conditions are satisfied.
- $\langle R, + \rangle$ is an Abelian group
- $a \cdot (b \cdot c) = (a \cdot b) \cdot c$, $\forall a, b, c \in R$ (Associativity of $\cdot$)
- $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$, $\forall a, b, c \in R$ (Distributivity of $\cdot$ over $+$)
A Ring in which $\cdot$ is commutative is called a commutative ring. Further, if the ring contains an identity element with respect to $\cdot$, i.e. $\exists e \in R$ and $\forall a \in R$, $a \cdot e = e \cdot a = a$, then e is called the identity element or the unity element and is represented by 1. If R contains a unity element, then R is called a Unitary Ring.

4.3 Fields and Vector Spaces
A Field F is a commutative and a unitary ring such that $F^* = \{a \mid a \in F \text{ and } a \ne 0\}$ is a multiplicative group. The ring $Z_p$ is a Field if and only if p is a prime.

If F is a field, a subset K of F that is also a field under the operations of F (with restriction to K) is called a sub field of F. In this case, F is called an extension field of K. If $K \ne F$ then K is a proper sub field of F. A field is called prime if it has no proper sub field.

If F is a field and V is an additive abelian group, then V is called the vector space over F if an operation $F \times V \to V$ is defined such that:
- $a(v + u) = av + au$
- $(a + b)v = av + bv$
- $a(bv) = (a \cdot b)v$
- $1 \cdot v = v$
where $a, b \in F$ and $u, v \in V$.
The elements of F are called the scalars and the elements of V are called the vectors.

If $v_1, v_2, \dots, v_m \in V$ and $f_1, f_2, \dots, f_m \in F$, then the vector $v' = \sum f_i v_j$, $1 \le i, j \le m$, is a linear combination of the vectors in V. The set of all such linear combinations is called the span of V.

The vectors $v_1, v_2, \dots, v_m \in V$ are said to be linearly independent over F if there exist no scalars $f_1, f_2, \dots, f_m \in F$, not all zero, such that $\sum f_i v_j = 0$, $1 \le i, j \le m$.

A set $S = \{u_1, u_2, \dots, u_n\}$ is said to be the basis of V iff all the elements of S are linearly independent and span V. If a vector space V over a field F has a basis of a finite number of vectors, then this number is called the dimension of V over F.

If F is an extension field of a field $F_p$ then F is a vector space over $F_p$. The dimension of F over $F_p$ is called the degree of the extension of F over $F_p$.

4.4 Finite Fields
A field of a finite number of elements is denoted $F_q$ or GF(q), where q is the number of elements. This is also known as a Galois Field.

The order of a Finite field $F_q$ is the number of elements in $F_q$. Further, there exists a finite field $F_q$ of order q iff q is a prime power, i.e. either q is prime or $q = p^m$, where p is prime. In the latter case, p is called the characteristic of $F_q$ and m is called the extension degree of $F_q$, and every element of $F_q$ is a root of the polynomial $x^{p^m} - x$ over $Z_p$.

Let us consider two classes of Finite fields: $F_p$ (Prime Field, p is a prime number) and $F_{2^m}$ (Binary finite field).

4.4.1 Prime Field $F_p$
The prime field $F_p$ consists of the set of integers $\{0, 1, 2, \dots, p - 1\}$, with the following arithmetic operations defined over it.
- Addition: $\forall a, b \in F_p$, $r \in F_p$, where $r = (a + b) \bmod p$
- Multiplication: $\forall a, b \in F_p$, $s \in F_p$, where $s = (a \cdot b) \bmod p$

4.4.2 Binary Finite Field $F_{2^m}$
The finite field $F_{2^m}$, called a characteristic two finite field or a binary finite field, can be viewed as a vector space of m dimensions over $F_2$, which consists of 2 elements 0 and 1. There exist m elements $\alpha_0, \alpha_1, \alpha_2, \dots, \alpha_{m-1}$ in $F_{2^m}$ such that each element $\alpha \in F_{2^m}$ can be uniquely represented as

$\alpha = \sum_{i=0}^{m-1} a_i \alpha_i$, where $a_i \in \{0, 1\}$, $0 \le i < m$

The string $\{\alpha_0, \alpha_1, \alpha_2, \dots, \alpha_{m-1}\}$ is called the basis of $F_{2^m}$ over $F_2$. Given such a basis, every field element can be represented as a bit string $(a_0 a_1 a_2 \dots a_{m-1})$. Generally two kinds of basis are used to represent binary finite fields: polynomial basis and normal basis.

4.4.2.1 Polynomial basis representation of $F_{2^m}$
Let $f(x) = x^m + f_{m-1}x^{m-1} + \dots + f_2x^2 + f_1x + f_0$, where $f_i \in \{0, 1\}$, $0 \le i < m$, be an irreducible polynomial of degree m over $F_2$. f(x) is called the reduction polynomial of $F_{2^m}$.

The finite field $F_{2^m}$ is comprised of all polynomials over $F_2$ of degree less than m, i.e.:

$F_{2^m} = \{a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_2x^2 + a_1x + a_0 : a_i \in \{0, 1\}\}$

The field element $a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_2x^2 + a_1x + a_0$ is usually represented by the bit string $(a_{m-1}a_{m-2} \dots a_2a_1a_0)$ of length m such that

$F_{2^m} = \{(a_{m-1}a_{m-2} \dots a_2a_1a_0) : a_i \in \{0, 1\}\}$

Thus, the elements of $F_{2^m}$ can be represented by the set of all binary strings of length m. The multiplicative identity 1 is represented by the bit string (00…001) and the bit string of all zeroes represents the additive identity 0.

The following operations are defined on the elements of $F_{2^m}$ when using f(x) as the reduction polynomial.

Addition: If $a = (a_{m-1}a_{m-2} \dots a_2a_1a_0)$ and $b = (b_{m-1}b_{m-2} \dots b_2b_1b_0)$ are elements of $F_{2^m}$, then $c = a + b = (c_{m-1}c_{m-2} \dots c_2c_1c_0)$, where $c_i = (a_i + b_i) \bmod 2 = a_i \oplus b_i$.

Multiplication: If $a = (a_{m-1}a_{m-2} \dots a_2a_1a_0)$ and $b = (b_{m-1}b_{m-2} \dots b_2b_1b_0)$ are elements of $F_{2^m}$, then $c = a \cdot b = (c_{m-1}c_{m-2} \dots c_2c_1c_0)$, where the polynomial $c_{m-1}x^{m-1} + c_{m-2}x^{m-2} + \dots + c_2x^2 + c_1x + c_0$ is the remainder when the polynomial $(a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_1x + a_0)(b_{m-1}x^{m-1} + b_{m-2}x^{m-2} + \dots + b_1x + b_0)$ is divided by f(x) over $F_2$.

Inversion: If a is a nonzero element in $F_{2^m}$, then the inverse of a, denoted $a^{-1}$, is a unique element $c \in F_{2^m}$, where $a \cdot c = c \cdot a = 1$
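
An added example (not part of the original report) of the polynomial-basis operations just defined, using the constructed field $F_{2^4}$ with reduction polynomial $f(x) = x^4 + x + 1$; the class and function names are illustrative. It also checks irreducibility, since every nonzero element has an inverse only when f(x) is irreducible.

```python
# Added example: F_{2^m} arithmetic in polynomial basis.
# The element (a_{m-1} ... a_1 a_0) is stored as a Python int whose bit i is a_i.


def poly_mod(a, f):
    """Remainder of a(x) divided by f(x), coefficients in F_2."""
    while a.bit_length() >= f.bit_length():
        a ^= f << (a.bit_length() - f.bit_length())
    return a


def is_irreducible(f):
    """Trial division by every polynomial of degree 1..deg(f)//2 (fine for small m)."""
    m = f.bit_length() - 1
    return m >= 1 and all(poly_mod(f, d) for d in range(2, 1 << (m // 2 + 1)))


class BinaryField:
    def __init__(self, f):
        # f encodes the reduction polynomial including its x^m term.
        if not is_irreducible(f):
            raise ValueError("reduction polynomial must be irreducible")
        self.f, self.m = f, f.bit_length() - 1

    def add(self, a, b):
        # c_i = (a_i + b_i) mod 2, i.e. bitwise XOR
        return a ^ b

    def mul(self, a, b):
        # Shift-and-add multiplication, reducing by f(x) whenever degree m is reached.
        c = 0
        while b:
            if b & 1:
                c ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:
                a ^= self.f
        return c

    def inv(self, a):
        # The nonzero elements form a group of order 2^m - 1, so a^(2^m - 2) = a^-1.
        if a == 0:
            raise ZeroDivisionError("0 has no multiplicative inverse")
        result, e = 1, (1 << self.m) - 2
        while e:
            if e & 1:
                result = self.mul(result, a)
            a = self.mul(a, a)
            e >>= 1
        return result


# Constructed sample field: m = 4, f(x) = x^4 + x + 1
F16 = BinaryField(0b10011)
```
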
4.4.2.2 Normal basis representation of $F_{2^m}$
A normal basis of $F_{2^m}$ over $F_2$ is a basis of the form $\{\beta, \beta^2, \beta^{2^2}, \dots, \beta^{2^{m-1}}\}$, where $\beta \in F_{2^m}$.
Any element $a \in F_{2^m}$ can be written as $a = \sum_{i=0}^{m-1} a_i \beta^{2^i}$, where $a_i \in \{0, 1\}$.

Gaussian Normal Bases (GNB): A GNB representation of $F_{2^m}$ exists if there exists a positive integer T such that p = Tm + 1 is prime and gcd(Tm/k, k) = 1, where k is the multiplicative order of 2 modulo p. The GNB representation is called a "type T GNB for $F_{2^m}$".

The following operations are defined over $F_{2^m}$ when using a type T GNB representation.

Addition: If $a = (a_{m-1}a_{m-2} \dots a_2a_1a_0)$ and $b = (b_{m-1}b_{m-2} \dots b_2b_1b_0)$ are elements of $F_{2^m}$, then $c = a + b = (c_{m-1}c_{m-2} \dots c_2c_1c_0)$, where $c_i = (a_i + b_i) \bmod 2 = a_i \oplus b_i$.

Squaring: Let $a = (a_{m-1}a_{m-2} \dots a_2a_1a_0) \in F_{2^m}$. Squaring is a linear operation in $F_{2^m}$. Hence

$a^2 = \left(\sum_{i=0}^{m-1} a_i \beta^{2^i}\right)^2 = \sum_{i=0}^{m-1} a_i \beta^{2^{i+1}} = \sum_{i=0}^{m-1} a_{i-1} \beta^{2^i} = (a_{m-2} \dots a_0 a_{m-1})$

Hence squaring a field element is simply a rotation of the vector representation.

Multiplication: Let p = Tm + 1 and let $u \in F_p$. Let us define a sequence F(0), F(1), …, F(p − 1) by $F(2^i u^j \bmod p) = i$, for $0 \le i < m$, $0 \le j < T$.
If $a = (a_{m-1}a_{m-2} \dots a_2a_1a_0)$ and $b = (b_{m-1}b_{m-2} \dots b_2b_1b_0)$ are elements of $F_{2^m}$, then the product $c = a \cdot b = (c_{m-1}c_{m-2} \dots c_2c_1c_0)$ where,

$c_i = \begin{cases} \sum_{k=1}^{p-2} a_{F(k+1)+i}\, b_{F(p-k)+i} & \text{if T is even} \\ \sum_{k=1}^{m/2} \left(a_{k+i-1}\, b_{m/2+k+i-1} + a_{m/2+k+i-1}\, b_{k+i-1}\right) + \sum_{k=1}^{p-2} a_{F(k+1)+i}\, b_{F(p-k)+i} & \text{if T is odd} \end{cases}$

for each i, $0 \le i < m$, where indices are reduced modulo m.

Inversion: If a is a nonzero element in $F_{2^m}$, then the inverse of a, denoted $a^{-1}$, is a unique element $c \in F_{2^m}$, where $a \cdot c = c \cdot a = 1$.

4.5 Elliptic Curves
Elliptic curves are not ellipses; instead, they are cubic curves of the form $y^2 = x^3 + ax + b$.
Elliptic curves over $R^2$ ($R^2$ is the set R × R, where R = set of real numbers) are defined by the set of points (x, y) which satisfy the equation $y^2 = x^3 + ax + b$, along with a point O, which is the point at infinity and which is the additive identity element. The curve is represented as E(R).
The following figure is an elliptic curve satisfying the equation $y^2 = x^3 - 3x + 3$.

Figure 1: Elliptic curve over $R^2$: $y^2 = x^3 - 3x + 3$

4.5.1 Elliptic Curves over Finite Fields
4.5.1.1 Elliptic Curves over $F_p$
An elliptic curve $E(F_p)$ over a finite field $F_p$ is defined by the parameters $a, b \in F_p$ (a, b satisfy the relation $4a^3 + 27b^2 \ne 0$), and consists of the set of points $(x, y) \in F_p$ satisfying the equation $y^2 = x^3 + ax + b$. The set of points on $E(F_p)$ also includes the point O, which is the point at infinity and which is the identity element under addition.

The Addition operator is defined over $E(F_p)$ and it can be seen that $E(F_p)$ forms an abelian group under addition.

The addition operation in $E(F_p)$ is specified as follows.
- $P + O = O + P = P$, $\forall P \in E(F_p)$
- If $P = (x, y) \in E(F_p)$, then $(x, y) + (x, -y) = O$. (The point $(x, -y) \in E(F_p)$ and is called the negative of P and is denoted −P)
- If $P = (x_1, y_1) \in E(F_p)$ and $Q = (x_2, y_2) \in E(F_p)$ and $P \ne Q$, then $R = P + Q = (x_3, y_3) \in E(F_p)$, where $x_3 = \lambda^2 - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$, and $\lambda = (y_2 - y_1)/(x_2 - x_1)$, i.e. the sum of 2 points can be visualized as the point of intersection of $E(F_p)$ and the straight line passing through both the points.

Figure 2: Addition of 2 points P and Q on the curve $y^2 = x^3 - 3x + 3$

- Let $P = (x, y) \in E(F_p)$. Then the point $Q = P + P = 2P = (x_1, y_1) \in E(F_p)$, where $x_1 = \lambda^2 - 2x$, $y_1 = \lambda(x - x_1) - y$, where $\lambda = (3x^2 + a)/2y$. This operation is also called doubling of a point and can be visualized as the point of intersection of the elliptic curve and the tangent at P.

Figure 3: Doubling of a point P, R = 2P on the curve $y^2 = x^3 - 3x + 3$

We can notice that addition over $E(F_p)$ requires one inversion, two multiplications, one squaring and six additions. Similarly, doubling a point on $E(F_p)$ requires one inversion, two multiplications, two squarings and eight additions.

Consider the set $E(F_p)$ over addition. We can see that
- $\forall P, Q \in E(F_p)$, if $R = P + Q$, then $R \in E(F_p)$ (Closure)
- $P + (Q + R) = (P + Q) + R$, $\forall P, Q, R \in E(F_p)$ (Associative)
- $\exists O \in E(F_p)$, such that $\forall P \in E(F_p)$, $P + O = O + P = P$ (Identity element)
- $\forall P \in E(F_p)$, $\exists -P \in E(F_p)$ such that $P + (-P) = (-P) + P = O$ (Inverse element)
- $\forall P, Q \in E(F_p)$, $P + Q = Q + P$ (Commutative)
Thus we see that $E(F_p)$ forms an abelian group under addition.

4.5.1.2 Elliptic curves over $F_{2^m}$
An elliptic curve $E(F_{2^m})$ over a finite field $F_{2^m}$ is defined by the parameters $a, b \in F_{2^m}$ (a, b satisfy the relation $4a^3 + 27b^2 \ne 0$, $b \ne 0$), and consists of the set of points $(x, y) \in F_{2^m}$ satisfying the equation $y^2 + xy = x^3 + ax + b$. The set of points on $E(F_{2^m})$ also includes the point O, which is the point at infinity and which is the identity element under addition.

Similar to $E(F_p)$, addition is defined over $E(F_{2^m})$ and we can similarly verify that even $E(F_{2^m})$ forms an abelian group under addition.

The addition operation in $E(F_{2^m})$ is specified as follows.
- $P + O = O + P = P$, $\forall P \in E(F_{2^m})$
- If $P = (x, y) \in E(F_{2^m})$, then $(x, y) + (x, -y) = O$. (The point $(x, -y) \in E(F_{2^m})$ and is called the negative of P and is denoted −P)
- If $P = (x_1, y_1) \in E(F_{2^m})$ and $Q = (x_2, y_2) \in E(F_{2^m})$ and $P \ne Q$, then $R = P + Q = (x_3, y_3) \in E(F_{2^m})$, where $x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$, and $\lambda = (y_1 + y_2)/(x_1 + x_2)$, i.e. the sum of 2 points can be visualized as the point of intersection of $E(F_{2^m})$ and the straight line passing through both the points.
- Let $P = (x, y) \in E(F_{2^m})$. Then the point $Q = P + P = 2P = (x_1, y_1) \in E(F_{2^m})$, where $x_1 = \lambda^2 + \lambda + a$, $y_1 = \lambda(x + x_1) + x_1 + y$, where $\lambda = x + (x/y)$. This operation is also called doubling of a point and can be visualized as the point of intersection of the elliptic curve and the tangent at P.

We can notice that addition over $E(F_{2^m})$ requires one inversion, two multiplications, one squaring and eight additions. Similarly, doubling a point on $E(F_{2^m})$ requires one inversion, two multiplications, one squaring and six additions.

Similar to $E(F_p)$, consider addition under $E(F_{2^m})$,
- $\forall P, Q \in E(F_{2^m})$, if $R = P + Q$, then $R \in E(F_{2^m})$ (Closure)
- $P + (Q + R) = (P + Q) + R$, $\forall P, Q, R \in E(F_{2^m})$ (Associative)
- $\exists O \in E(F_{2^m})$, such that $\forall P \in E(F_{2^m})$, $P + O = O + P = P$ (Identity element)
- $\forall P \in E(F_{2^m})$, $\exists -P \in E(F_{2^m})$ such that $P + (-P) = (-P) + P = O$ (Inverse)
- $\forall P, Q \in E(F_{2^m})$, $P + Q = Q + P$ (Commutative)
Thus we see that $E(F_{2^m})$ forms an abelian group under addition.

4.5.2 Elliptic Curve: Some Definitions
Scalar Multiplication: Given an integer k and a point P on the elliptic curve, the elliptic scalar multiplication kP is the result of adding Point P to itself k times.
Order: Order of a point P on the elliptic curve is the smallest positive integer r such that rP = O. Further, if c and d are integers, then cP = dP iff $c \equiv d \pmod{r}$.
Curve Order: The number of points on the elliptic curve is called its curve order and is denoted #E.

5 Elliptical Curve Discrete Logarithm Problem
The strength of the Elliptic Curve Cryptography lies in the Elliptic Curve Discrete Log Problem (ECDLP). The statement of ECDLP is as follows.

Let E be an elliptic curve and $P \in E$ be a point of order n. Given a point $Q \in E$ with
Q = mP, for a certain $m \in \{2, 3, \dots, n - 2\}$.
Find the m for which the above equation holds.

When E and P are properly chosen, the ECDLP is thought to be infeasible. Note that for m = 0, 1 and n − 1, Q takes the values O, P and −P. One of the conditions is that the order of P, i.e. n, be large so that it is infeasible to check all the possibilities of m.

The difference between ECDLP and the Discrete Logarithm Problem (DLP) is that DLP, though a hard problem, is known to have a sub-exponential time solution, and the solution of the DLP can be computed faster than that to the ECDLP. This property of Elliptic curves makes it favorable for its use in cryptography.

6 Application of Elliptical Curves in Key Exchange
6.1 Elliptic Curve Cryptography (ECC) domain parameters
The public key cryptographic systems involve arithmetic operations on Elliptic curves over finite fields, which are determined by elliptic curve domain parameters.
The ECC domain parameters over $F_q$ are defined by the septuple as given below
D = (q, FR, a, b, G, n, h), where
- q: prime power, that is q = p or $q = 2^m$, where p is a prime
- FR: field representation of the method used for representing field elements $\in F_q$
- a, b: field elements, they specify the equation of the elliptic curve E over $F_q$, $y^2 = x^3 + ax + b$
- G: A base point represented by $G = (x_g, y_g)$ on $E(F_q)$
- n: Order of point G, that is n is the smallest positive integer such that nG = O
- h: cofactor, and is equal to the ratio $\#E(F_q)/n$, where $\#E(F_q)$ is the curve order
The primary security in ECC is the parameter n; therefore the length of ECC key is the bit length of n. For comparative length, the security of ECC keys is much more than that of other cryptosystems. That is, for equivalent security, the key length of ECC key is much lesser than other cryptosystems.

6.2 Elliptic Curve protocols
Generally in the process of encryption and decryption, we have 2 entities, the one at the encryption side and the other at the decryption side. Let us assume that Alice is the person who is encrypting and Bob is the person decrypting.

Key generation: Alice's (or Bob's) public and private keys are associated with a particular set of elliptic key domain parameters (q, FR, a, b, G, n, h).

Alice generates the public and private keys as follows
1. Select a random number d, $d \in [1, n - 1]$
2. Compute $Q = dG$.
3. Alice's public key is Q and private key is d.

It should be noted that the public key generated needs to be validated to ensure that it satisfies the arithmetic requirement of an elliptic curve public key. A public key $Q = (x_q, y_q)$ associated with the domain parameters (q, FR, a, b, G, n, h) is validated using the following procedure
1. Check that $Q \neq O$
2. Check that $x_q$ and $y_q$ are properly represented elements of $F_q$
3. Check if Q lies on the elliptic curve defined by a and b.
4. Check that $nQ = O$

6.2.1 Elliptic Curve Diffie-Hellman protocol (ECDH)
ECDH is the elliptic curve version of the Diffie-Hellman key agreement protocol (refer section 2.1.1). The protocol for generation of the shared secret using ECC is as described below.

- Alice takes a point Q and generates a random number $k_a$
- Alice computes the point $P = k_a Q$ and sends it to Bob (it should be noted that Q, P are public)
- Bob generates a random number $k_b$, computes the point $M = k_b Q$ and sends it to Alice
- Alice now computes $P_1 = k_a M$ and Bob computes $P_2 = k_b P$
- $P_1 = P_2 = k_a k_b Q$, this is used as the shared secret key

An illustration of the above steps is represented below.

[Figure 4: Illustration of Elliptic Curve Diffie-Hellman Protocol. Diagram: Alice generates $k_a$, computes $P = k_a Q$ and sends P; Bob generates $k_b$, computes $M = k_b Q$ and sends M; Alice computes $P_1 = k_a M$ and Bob computes $P_2 = k_b P$; the computed point ($P_1$ or $P_2$) is used as the shared secret key.]

6.2.2 Elliptic Curve Digital Signature Authentication (ECDSA)
Alice, with domain parameters D = (q, FR, a, b, G, n, h), public key Q and private key d, does the following steps to sign the message m

Step 1: Selects a random number $k \in [1, n - 1]$
Step 2: Computes Point $kG = (x, y)$ and $r = x \bmod n$, if r = 0 then goto Step 1
Step 3: Compute $t = k^{-1} \bmod n$
Step 4: Compute $e = \text{SHA-1}(m)$, where SHA-1 denotes the 160 bit hash function
Step 5: Compute $s = k^{-1}(e + d_a \cdot r) \bmod n$, if s = 0 goto Step 1
Step 6: The signature of message m is the pair (r, s)
Step 7: Alice sends Bob the message m and her signature (r, s)

To verify Alice's signature, Bob does the following (note that Bob knows the domain parameters D and Alice's public key Q)

Step 1: Verify r and s are integers in the range [1, n - 1]
Step 2: Compute $e = \text{SHA-1}(m)$
Step 3: Compute $w = s^{-1} \bmod n$
Step 4: Compute $u_1 = e \cdot w$ and $u_2 = r \cdot w$
Step 5: Compute Point $X = (x_1, y_1) = u_1 G + u_2 Q$
Step 6: If $X = O$, then reject the signature
        Else compute $v = x_1 \bmod n$
Step 7: Accept Alice's signature iff $v = r$
An illustration of the above steps is represented below.

[Figure 5: Illustration of Elliptic Curve Digital Signature Algorithm. Flowchart of the signing steps on Alice's side and the verification steps on Bob's side, with the checks r = 0?, s = 0? and X = O? as decision points.]
Proof for verification

If the message is indeed signed by Alice, then $s = k^{-1}(e + d \cdot r) \bmod n$.

That is, $k = s^{-1}(e + d \cdot r) \bmod n = s^{-1} e + s^{-1} d \cdot r = w \cdot e + w \cdot d \cdot r = (u_1 + u_2 \cdot d) \bmod n$ ……[1]

Now consider $u_1 G + u_2 Q = u_1 G + u_2 dG = (u_1 + u_2 \cdot d) G = kG$ from [1]

In step 5 of the verification process, we have $v = x_1 \bmod n$, where Point $X = (x_1, y_1) = u_1 G + u_2 Q$. Thus we see that $v = r$, since $r = x \bmod n$ and x is the x coordinate of the point kG, and we have already seen that $u_1 G + u_2 Q = kG$.

6.2.3 Elliptic Curve Authentication Encryption Scheme (ECAES)
Alice has the domain parameters D = (q, FR, a, b, G, n, h) and public key Q. Bob has the domain parameters D. Bob's public key is $Q_B$ and private key is $d_B$. The ECAES mechanism is as follows.

Alice performs the following steps

Step 1: Selects a random integer r in [1, n - 1]
Step 2: Computes $R = rG$
Step 3: Computes $K = h r Q_B = (K_x, K_y)$, checks that $K \neq O$
Step 4: Computes keys $k_1 \| k_2 = \text{KDF}(K_x)$, where KDF is a key derivation function, which derives cryptographic keys from a shared secret
Step 5: Computes $c = \text{ENC}_{k_1}(m)$, where m is the message to be sent and ENC a symmetric encryption algorithm
Step 6: Computes $t = \text{MAC}_{k_2}(c)$, where MAC is a message authentication code
Step 7: Sends (R, c, t) to Bob

To decrypt a cipher text, Bob performs the following steps

Step 1: Performs a partial key validation on R (check if $R \neq O$, check if the coordinates of R are properly represented elements in $F_q$ and check if R lies on the elliptic curve defined by a and b)
Step 2: Computes $K_B = h \cdot d_B \cdot R = (K_x, K_y)$, checks $K \neq O$
Step 3: Computes $k_1, k_2 = \text{KDF}(K_x)$
Step 4: Verifies that $t = \text{MAC}_{k_2}(c)$
Step 5: Computes $m = \text{ENC}^{-1}_{k_1}(c)$

We can see that $K = K_B$, since $K = h \cdot r \cdot Q_B = h \cdot r \cdot d_B \cdot G = h \cdot d_B \cdot r \cdot G = h \cdot d_B \cdot R = K_B$
[Figure 6: Illustration of Elliptic Curve Authentication Encryption Scheme. Diagram: Alice generates a random integer r in [1, n - 1], computes $R = rG$, $K = h r Q_B = (K_x, K_y)$, $k_1 \| k_2 = \text{KDF}(K_x)$, $c = \text{ENC}_{k_1}(m)$ and $t = \text{MAC}_{k_2}(c)$, and sends (R, c, t); Bob performs partial key validation on R, computes $K_B = h \cdot d_B \cdot R$ and $k_1 \| k_2 = \text{KDF}(K_x)$, verifies that $t = \text{MAC}_{k_2}(c)$ and computes $m = \text{ENC}^{-1}_{k_1}(c)$, the decrypted plain text message.]

7 Algorithms for Elliptic Scalar Multiplication
In all the protocols that were discussed (ECDH, ECDSA, ECAES), the most time consuming part of the computations is the scalar multiplications, that is, calculations of the form

$Q = kP = P + P + P \ldots$ (k times)

Here P is a curve point, k is an integer in the range of the order of P (i.e. n). P is a fixed point that generates a large, prime subgroup of $E(F_q)$, or P is an arbitrary point in such a subgroup. Elliptic curves have some properties that allow optimization of scalar multiplications. The following sections describe some efficient algorithms for computing kP.

7.1 Non adjacent form (NAF)

This is a much more efficient method used in the computation of kP. Here, the integer k is represented as $k = \sum_{j=0}^{l-1} k_j 2^j$, where each $k_j \in \{-1, 0, 1\}$. The weight of the NAF representation of a number of length l is l/3. Given below is an algorithm for finding the NAF of a number.

    NAF(k)
    Comment: Returns u[] which contains the NAF representation of k
    Begin
        c ← k
        l ← 0
        While (c > 0)
        BeginWhile
            If (c is odd)
            BeginIf
                u[l] ← 2 - (c mod 4)
                c ← c - u[l]
            Else
                u[l] ← 0
            EndIf
            c ← c/2
            l ← l + 1
        EndWhile
        Return u
    End

Algorithm 1: Computation of the NAF of a scalar

The generation of NAF for $k = 7 = (111)_2$ is as shown below

    No of iterations    c    l    u
    1                   7    0    -1
    2                   4    1    0
    3                   2    2    0
    4                   1    3    1

Figure 7: Illustration of computation of NAF(7)

Therefore, the value of 7 in NAF form is (1 0 0 -1). (Note that no two consecutive digits are non-zero)

7.2 Complexity analysis of the Elliptic Scalar Multiplication algorithms

7.2.1 Binary Method

The simplest formula for calculating kP is based on the binary representation of k, i.e., $k = \sum_{j=0}^{l-1} k_j 2^j$, where $k_j \in \{1, 0\}$. The value kP can be computed by

$kP = \sum_{j=0}^{l-1} k_j 2^j P = 2(\ldots 2(2 k_{l-1} P + k_{l-2} P) + \ldots) + k_0 P$

This method requires l doublings and $w_k - 1$ additions, where $w_k$ (the weight) is the number of 1s in the binary representation of k.

For $k = 7 = (111)_2$, the value of kP would be

$kP = \sum_{j=0}^{l-1} k_j 2^j P = 2(2 \cdot P + P) + 1P$

7.2.2 Addition-Subtraction method
Here the number k is represented in NAF form. The algorithm performs addition or subtraction depending on the sign of each digit, scanned from left to right.

The algorithm is as given below

    Addition-Subtraction (k, P)
    Comment: Return Q = kP, where Point P = (x, y) ∈ E(Fq)
    Begin
        u[] ← NAF(k)    /* The NAF form of k is stored in u */
        Q ← O
        For j = l - 1 DownTo 0
        BeginFor
            Q ← 2Q
            If (u_j = 1)
            Then
                Q ← Q + P
            ElseIf (u_j = -1)
            Then
                Q ← Q - P
            EndIf
        EndFor
        Return Q
    End

Algorithm 2: Scalar Multiplication using the Addition-Subtraction method

The algorithm performs l doublings and l/3 additions on an average.

For k = 7, the binary method would require 3 doublings and 3 additions. In case of the Addition-Subtraction method (the value of 7 in NAF form is 1 0 0 -1), it would require 4 doublings and 2 additions.
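Algorithm 1 (NAF) and Algorithm 2 (Addition-Subtraction) next to the binary method, as an added Python example that is not part of the original report and that counts the doublings and additions each method performs. To stay self-contained it uses the integers under addition as a stand-in group (P = 1, so kP = k); the function names are assumptions.

```python
import operator

def naf(k):
    """Non-adjacent form of k, least significant digit first (Algorithm 1)."""
    u = []
    while k > 0:
        if k & 1:
            u.append(2 - (k % 4))  # +1 when k = 1 (mod 4), -1 when k = 3 (mod 4)
            k -= u[-1]
        else:
            u.append(0)
        k //= 2
    return u

def binary_method(k, P, add, zero):
    """Left-to-right double-and-add. Returns (kP, doublings, additions)."""
    Q, doublings, additions = zero, 0, 0
    for bit in bin(k)[2:]:
        Q, doublings = add(Q, Q), doublings + 1
        if bit == "1":
            Q, additions = add(Q, P), additions + 1
    return Q, doublings, additions

def addition_subtraction(k, P, add, neg, zero):
    """Algorithm 2 on the NAF digits. Returns (kP, doublings, additions)."""
    Q, doublings, additions = zero, 0, 0
    for digit in reversed(naf(k)):  # most significant digit first
        Q, doublings = add(Q, Q), doublings + 1
        if digit:
            Q, additions = add(Q, P if digit == 1 else neg(P)), additions + 1
    return Q, doublings, additions

def compare(k):
    """(doublings, additions) per method, using the integers under + as the group."""
    b = binary_method(k, 1, operator.add, 0)
    s = addition_subtraction(k, 1, operator.add, operator.neg, 0)
    assert b[0] == s[0] == k  # with P = 1, kP is just k
    return {"binary": b[1:], "naf": s[1:]}

if __name__ == "__main__":
    for k in (7, 255, 0xF0F0, 2**160 - 1):
        print(k, compare(k))
```

Both loops branch on the digits of k, so the sequence of operations depends on the scalar; implementations that handle secret scalars use constant-time ladders for that reason.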
7.2.3 Repeated doubling method
A point on the elliptic curve over $F_{2^m}$ is represented in the form of $(x, \lambda)$ rather than in the form of $(x, y)$ when using the repeated doubling method for scalar multiplication. Every point $P = (x, y) \in E(F_{2^m})$, where $x \neq 0$, can be represented as the pair $(x, \lambda)$, where $\lambda = x + y/x$.

The algorithm is as given below

    Repeated-doubling(P, i)
    Comment: Returns Q = 2^i P
    Begin
        λ ← x + y/x
        For j = 1 to i - 1
        BeginFor
            x_2 ← λ^2 + λ + a
            λ_2 ← λ^2 + a + b/(x^4 + b)
            x ← x_2
            λ ← λ_2
        EndFor
        x_2 ← λ^2 + λ + a
        y_2 ← x^2 + (λ + 1) x_2
        Q ← (x_2, y_2)
        Return Q
    End

Algorithm 3: Scalar Multiplication using Repeated Additions

It can be seen that we save one field multiplication in each of the iterations.
8 Conclusion

In our project we perused the concept of Cryptography, including the various schemes of system based on the kind of key and a few algorithms such as RSA and DSA. We studied in detail the mathematical foundations for elliptical curve based systems, basically the concepts of rings, fields, groups, Galois finite fields and elliptic curves and their properties. The various algorithms for the computation of the scalar product of a point on the elliptic curve were studied and their complexity was analyzed.

The advantage of elliptic curves over the other public key systems such as RSA, DSA etc. is the key strength. The following table [3] summarizes the key strength of ECC based systems in comparison to other public key schemes.

    RSA/DSA Key length    ECC Key Length for Equivalent Security
    1024                  160
    2048                  224
    3072                  256
    7680                  384
    15360                 512

Figure 8: Comparison of the key strengths of RSA/DSA and ECC

From the table it is very clear that elliptic curves offer an amount of security comparable to that offered by the other popular public key systems for a much smaller key strength. This property of ECC has made the scheme quite popular of late.
Over the years, there have been software implementations of ECDSA over finite fields such as $F_{2^{155}}$, $F_{2^{167}}$, $F_{2^{176}}$, $F_{2^{191}}$ and $F_p$ (p: 160 and 192 bit prime numbers). Schroppel et al. [13] mention an implementation of an elliptic curve analogue of the Diffie-Hellman key exchange algorithm over $F_{2^{155}}$ with a trinomial basis representation. The elliptic curve based public key cryptography schemes have been standardized by the Institute of Electrical and Electronic Engineers (IEEE) and the standard is available as IEEE P1363.
9 References

[1] B. Schneier. Applied Cryptography. John Wiley and Sons, second edition, 1996
[2] Cryptography and Elliptic Curves, http://www.tcs.hut.fi/~helger/crypto/link/public/elliptic/
[3] Julio Lopez and Ricardo Dahab, “An overview of elliptic curve cryptography”, May 2000.
[4] V. Miller, “Uses of elliptic curves in cryptography”, Advances in Cryptology - CRYPTO'85, LNCS 218, pp. 417-426, 1986.
[5] Jeffrey L. Vagle, “A Gentle Introduction to Elliptic Curve Cryptography”, BBN Technologies
[6] Mugino Saeki, “Elliptic curve cryptosystems”, M.Sc. thesis, School of Computer Science, McGill University, 1996. http://citeseer.nj.nec.com/saeki97elliptic.html
[7] J. Borst, “Public key cryptosystems using elliptic curves”, Master's thesis, Eindhoven University of Technology, Feb. 1997. http://citeseer.nj.nec.com/borst97public.html
[8] http://world.std.com/~franl/crypto.html
[9] Aleksandar Jurisic and Alfred Menezes, “Elliptic Curves and Cryptography”, Dr. Dobb's Journal, April 1997, pp 26ff
[10] Robert Milson, “Introduction to Public Key Cryptography and Modular Arithmetic”
[11] Aleksandar Jurisic and Alfred J. Menezes, Elliptic Curves and Cryptography
[12] William Stallings, Cryptography and Network Security-Principles and Practice, second edition, Prentice Hall publications.
[13] R. Schroppel, H. Orman, S. O'Malley and O. Spatscheck, “Fast key exchange with elliptic key systems”, Advances in Cryptography, Proc. Crypto'95, LNCS 963, pp. 43-56, Springer-Verlag, 1995.