Cryptography and Security Services:
Mechanisms and Applications
Manuel Mogollon
m_mogollon@verizon.net
M. Mogollon
–
0
Chapter 8
Elliptic Curve
Cryptography
1
M. Mogollon
–
1
Elliptic Curve
Elliptic Curve Cryptography
Session 6
–
Contents
•
Cryptography Basics
•
Elliptic Curve (EC) Concepts
•
Finite Fields
•
Selecting an Elliptic Curve
•
Cryptography Using EC
•
Digital Signature
2
M. Mogollon
–
2
Elliptic Curve
Elliptic Curve Cryptography
Cryptography Basics
3
M. Mogollon
–
3
Elliptic Curve
Elliptic Curve Cryptography
Security Services Security Mechanisms
Encryption
Hash Functions
Digital Signatures
Security Tokens
Digital Signatures
Non

Repudiation
Access
Authentication
Integrity
Confidentiality
4
M. Mogollon
–
4
Elliptic Curve
Elliptic Curve Cryptography
Types of Crypto Systems
•
Symmetric Cryptography
–
Secret Key
A single key serves as both the encryption and the decryption key.
Initial arrangements need to be made for individuals to share the
secret key.
Stream Ciphers and Block Ciphers (DES, AES)
•
Asymmetric Cryptography
–
Public

Key
One key is used to encipher and another to decipher.
Privacy is achieved without having to keep the enciphering key secret
because a different key is used for deciphering.
Pohlig Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve
Cryptography (ECC) are popular asymmetric crypto systems.
5
M. Mogollon
–
5
Elliptic Curve
Elliptic Curve Cryptography
Symmetric Key Crypto System
•
Security is based on the secret key, not on the encryption algorithm.
•
The sharing of secret keys is necessary.
•
Strengths: Fast, good for encrypting large amounts of data.
•
Weakness: Key delivery.
•
There are two types of symmetric crypto systems: Stream Cipher (RC4) and
Block Ciphers (DES, AES, RC5, CAST, IDEA).
Plaintext
Plaintext
Encryption
Algorithm
Encryption
Algorithm
Ciphertext
Encipher
Decipher
Secret Key
As the market
requirements
for secure
products has
exponentially
increased, our
strategy will be
to ….
Asdfe8i4*(74mjsd(
9&*nng654mKhna
mshy75*72mnasja
dif3%j*j^3cdf(#421
5kndh_!8g,kla/”2a
cd:{qien*38mnap4
*h&fk>0820&ma01
2M
As the market
requirements
for secure
products has
exponentially
increased, our
strategy will be
to ….
6
M. Mogollon
–
6
Elliptic Curve
Elliptic Curve Cryptography
Asymmetric Key Crypto System
(Public Key Algorithm)
•
Public key encryption involves two mathematically related keys.
•
Either key can be used to encipher.
•
One of the keys can be made
public
and the other kept
private
.
•
Strengths: No key delivery issues, can be used for non

repudiation.
•
Weakness: Slow, inefficient for large amounts of data, computationally expensive.
•
Algorithms: RSA, ElGamal, Schnorr, Pohlig

Hellman, Elliptic Curve Cryptography.
•
Used mainly for key exchange or digital signatures.
One Key to Encipher
Another Key to Decipher
Plaintext
Plaintext
Encryption
Algorithm
Encryption
Algorithm
Ciphertext
Encipher
Decipher
As the market
requirements
for secure
products has
exponentially
increased, our
strategy will be
to ….
Asdfe8i4*(74mjsd(
9&*nng654mKhna
mshy75*72mnasja
dif3%j*j^3cdf(#421
5kndh_!8g,kla/”2a
cd:{qien*38mnap4
*h&fk>0820&ma01
2M
As the market
requirements
for secure
products has
exponentially
increased, our
strategy will be
to ….
7
M. Mogollon
–
7
Elliptic Curve
Elliptic Curve Cryptography
Combining Symmetric and Asymmetric
Ciphers
Exchange (wrap / transport ) or agree
(Diffie

Hellman) on a pre

master key.
Symmetric
Encryption
Ciphertext
Block
IV
+
+
Secret Key
IV
+
+
Secret Key
Use a symmetric
algorithm to encipher
and decipher a secure
transaction.
Encipher
Decipher
Client
Web Server
Symmetric
Encryption
Symmetric
Encryption
Symmetric
Encryption
Master Key
Generation
Pre

Master Key
Master Key
Generation
Pre

Master Key
Integrity
(HMAC)
Integrity
(HMAC)
Cleartext
Block
Cleartext
Block
Ciphertext
Block
Cleartext
Block
Cleartext
Block
Ciphertext
Block
Ciphertext
Block
8
M. Mogollon
–
8
Elliptic Curve
Elliptic Curve Cryptography
Types of Public

key Cryptography
•
Exponentiation Ciphers
RSA.
•
Discrete logarithm systems
ElGamal public

key encryption, Digital Signature Algorithm (DSA),
Diffie

Hellman key exchange.
•
Elliptic curve cryptography
9
M. Mogollon
–
9
Elliptic Curve
Elliptic Curve Cryptography
Public Key Encryption
Encipher
Decipher
Alice’s Private
Key
Alice’s Public
Key
Encipher
Decipher
Bob’s Public
Key
Bob’s Private
Key
Encipher
Decipher
Bob’s Private
Key
Bob’s Public
Key
Sender (Alice)
Receiver (Bob)
Non

Repudiation of Origin (Authenticity)
Anyone who has Alice’s public key will be
able to decipher the message. Alice cannot
deny that she sent the message.
Confidentiality
─ Bob will be the only one
able to decipher the message because only he
has his private key.
Enciphering is not possible because Alice
doesn’t have Bob’s private key.
Encipher
Decipher
Alice’s Public
Key
Alice’s Private
Key
Bob will not be able to decipher the message
because he doesn’t have Alice’s private key.
10
M. Mogollon
–
10
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve Concepts
11
M. Mogollon
–
11
Elliptic Curve
Elliptic Curve Cryptography
What is Elliptic Curve Cryptography?
•
elliptic curve cryptography
/ (
abbr. ECC
)
(1) an encryption
system that uses the properties of elliptic curve and
provides the same functionality of other public key
cryptosystems; (2) A public key crypto system that
provides, bit

by

bit key size, the highest strength of any
cryptosystem known today.
12
M. Mogollon
–
12
Elliptic Curve
Elliptic Curve Cryptography
•
ECC with 160

bit key size offers the same level of
security as RSA with 1024

bit key size.
•
Smaller key size provides
Storage efficiencies
Bandwidth savings
Computational efficiencies
•
ECC implementation is beneficial in applications where
bandwidth, processing capacity, power availability, or
storage are constrained.
•
ECC includes key distribution, encryption, and digital
signatures.
ECC Applications
•
Which leads to
Higher speeds
Lower power consumptions
Code size reductions
13
M. Mogollon
–
13
Elliptic Curve
Elliptic Curve Cryptography
ECC Applications
•
Applications requiring intensive public

key operations.
Web servers.
•
Applications with limited power, computational power,
speed transfer, memory storage, or bandwidth.
Wireless communications
PDAs
•
Applications rigid constrains on processing power,
parameter storage, and code space.
Smart card and tokens.
14
M. Mogollon
–
14
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curves
•
Elliptic Curve Cryptography uses plane curves, which
are sets of points satisfying the equation F (x, y) = 0.
•
Examples of plane curves are:
Lines (2x + y = a)
Conic sections (3x
2
+ 5y
2
= a)
Cubic curves (y
2
+ xy = x
3
+ ax
2
+ b), which include elliptic curves.
15
M. Mogollon
–
15
Elliptic Curve
Elliptic Curve Cryptography
Finite Fields
•
Finite fields are fields that are finite.
•
A field is a set
F
in which the usual mathematical operations
(addition, subtraction, multiplication, and division by nonzero
quantities) are possible; these operations follow the usual
commutative, associative, and distributive laws.
•
Rational numbers (fractions), real numbers, and complex numbers
are elements of infinite fields.
•
A discrete logarithm (DL) and elliptic curve (EC) cryptography
schemes are always based on computations in a finite field in which
there are only a finite number of quantities.
•
For cryptography applications, the finite fields that are usually used
are the field of characteristic (congruences).
•
The finite field used in DL and EC are the field of prime
characteristic
F
p
and the field of characteristic two
F
2
m
. The finite
field is also denoted as
GF(q)
.
16
M. Mogollon
–
16
Elliptic Curve
Elliptic Curve Cryptography
Finite Fields
•
Characteristic Prime Finite Fields
The finite field
F
p
is the prime finite field containing
p
elements. If
p
is
an odd prime number, then there is a unique field
F
p
that consists of
the set of integers
{0, 1, 2 ,..., p
–
1}.
•
Characteristic Two Finite Fields
A characteristic two finite field (also known as a binary finite field) is a
finite field whose number of elements is 2
m
. If
m
is a positive integer
greater than 1, the
binary finite field F
2
m
consists of the 2
m
possible bit
strings of length
m
.
For example,
F
2
3
= {000, 001, 010, 011, 100, 101, 110, 111}
17
M. Mogollon
–
17
Elliptic Curve
Elliptic Curve Cryptography
Group Fields in EC
•
There are two essential properties of group fields when
they are used in elliptic curve cryptography:
A group should have a finite number of points. An elliptic curve has
infinite number of points, but an elliptic curve over
F
q
has a finite
number of elements.
The operation that is used should be easy to compute but very difficult
and time consuming to reverse.
•
The scalar integer multiplication of an elliptic curve
point,
P
, which is defined as the repeated addition of the
point with itself,
Q = kP
, is an operation that is easy to
compute but very difficult and time consuming to
reverse.
18
M. Mogollon
–
18
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curves and Points
•
There are several ways of defining equations for elliptic
curves, but the most common are the Weierstrass
equations.
•
ECC may be implemented over
F
q
,
where
q
is an odd
prime
p
, or 2
m
.
•
If ECC is implemented over
F
p
, the following equation is
used:
•
If ECC is implemented over
F
2
m
, the following equation is
used:
b
ax
x
y
3
2
b
ax
x
xy
y
2
3
2
19
M. Mogollon
–
19
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve Arithmetic
Point Addition in
F
p
•
The group law is defined by
P
+
Q
–
R
= 0; therefore,
P
+
Q
=
R,
where the negative
of the point
R(x, y)
is the point
R (x,
–
y).
•
Given two points on the curve
P
and
Q
, the line through them meets the curve at a
third point
–
R
. The reflection of
R
gives the point
R
, which is equal to
P + Q
.
•
The tangent line through
P
gives the point
–
R.
R
Q
P

R
P (0.0, 2.45)
Q (

3.24,

1.17)

R (4.49, 7.47)
R (4.49,

7.49)
P + Q = R = (4.49,

7.49)
E: y
2
= x
3

9x + 6

R
P
R
P (0.0, 2.45)

R (3.38,

3.76)
R (3.38, 3.76)
2P = R = (3.38, 3.76)
E: y
2
= x
3

9x + 6
20
M. Mogollon
–
20
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve Arithmetic
•
Doubling a Point in
F
p
Provided that
then,
where
and
λ is the slope of the line through
P(x
P
, y
P
).
0
P
y
)
,
(
)
,
(
)
,
(
R
R
P
P
P
P
y
x
R
y
x
P
y
x
P
p
x
x
P
R
mod
2
2
p
y
x
x
y
P
R
P
R
mod
)
(
p
y
a
x
P
P
mod
)
2
(
)
3
(
2
21
M. Mogollon
–
21
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curves Arithmetic
•
Point Addition in
F
p
Similar to the addition of two points in plane geometry. For
then,
where
and
λ is the slope of the line through
P(x
P
, y
P
)
and
Q(x
Q
, y
Q
).
Q
P
)
,
(
)
,
(
)
,
(
R
R
Q
Q
P
P
y
x
R
y
x
Q
y
x
P
p
x
x
x
Q
P
R
mod
2
p
y
x
x
y
P
R
P
R
mod
)
(
p
x
x
y
y
P
Q
P
Q
mod
)
(
)
(
22
M. Mogollon
–
22
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve Arithmetic
Point Addition in
F
p
•
Adding P to

P
.
P
P (

1.85, 4.05)

P (

1.85,

4.05)
P + (

P) = O, the
point at infinity
E: y
2
= x
3

9x + 6

P
23
M. Mogollon
–
23
Elliptic Curve
Elliptic Curve Cryptography
EC Points
Points in the Elliptic Curve
y^2 = x^3 + x + 1 (mod 23)
0
2
4
6
8
10
12
14
16
18
20
22
24
0
2
4
6
8
10
12
14
16
18
20
•
The points are symmetric because
in elliptic curves, for every point P,
there must exist another point
–
P.
•
The point P(0, 1) generates a
maximal subgroup because it
generates the maximum number of
points, 28 (27 plus the point at
infinity).
•
The curve order is 28 and is
denoted as #E(F
p
).
24
M. Mogollon
–
24
Elliptic Curve
Elliptic Curve Cryptography
Point and Curve Order
Point
Order
Point
Order
Point
Order
Point
Order
(0,1)
28
(9,16)
28
(7,11)
14
(13,16)
7
(0,22)
28
(18,3)
28
(7,12)
14
(17,3)
7
(1,7)
28
(18,20)
28
(12,4)
14
(17,20)
7
(1,16)
28
(19,5)
28
(12,19)
14
(11,3)
4
(3,10)
28
(19,18)
28
(5,4)
7
(11,20)
4
(3,13)
28
(6,4)
14
(5,19)
7
(4,0)
1 (infinity)
(9,7)
28
(6,19)
14
(13,7)
7
•
For any point in
y
2
= x
3
+ x + 1
(mod 23), the value of
k
such that k
P
=
O
is not always the same. The order of points varies; it can be 28, 14, 7 or
4.
•
The maximum point order is the curve order.
See next slide
25
M. Mogollon
–
25
Elliptic Curve
Elliptic Curve Cryptography
Point Order
26
M. Mogollon
–
26
Elliptic Curve
Elliptic Curve Cryptography
Selecting an EC for Cryptography
•
There are several procedures to select an elliptic curve for cryptographic purposes.
The following are some of the criteria:
Select a large prime number, p, to be used as the module.
Select the coefficients
a
and
b
randomly and define
E F
p
:
y2 = x3 + ax + b.
Calculate the curve order
#E(F
q
)
.
Check that
#E(F
q
)
is divisible by a large prime number.
Check that the largest prime divisor of
#E(F
q
)
does not divide
q
v

1
for
v
= 1, 2, 3, ……<large limit>.
•
Another way to select the elliptic curve is by selecting the curve order first:
Select a large prime number, p, to be used as the module.
Select the curve order,
#E(Fp)
, such that
Check that
#E(Fp)
is divisible by a large prime number,
r
.
Check that
r
does not divide
p
v

1
for
v
= 1, 2, 3, ……10.
Use the Atkin

Morain algorithm to find parameters
a
and
b
in
F
p
such that the elliptic curve
E
has an
order of
#E(Fp)
.
p
p
F
E
p
p
q
2
1
)
(
#
2
1
27
M. Mogollon
–
27
Elliptic Curve
Elliptic Curve Cryptography
Selecting a Generator Point
•
Select a random point G on
E(F
p
)
and a large prime
number
n
that divides
#E(F
p
)
.
•
Check that the
nG
=
O
,
n
being
the point order.
The size of the odd prime
modulus in bits is 15
Curve generated using Cryptomathic on line
generator at
http://www.cryptomathic.com/labs/ellipticcurved
emo.html#Key

Generation
28
M. Mogollon
–
28
Elliptic Curve
Elliptic Curve Cryptography
Discrete Logarithmic Problem
•
In the multiplicative group
Zp*
discrete logarithm (Diffie

Hellman,
ElGamal, DSS), the following is the discrete logarithm problem:
Given elements
y
and
x
of the group, and a prime
p
, find a number
k
such
that
y = x
k
mod p
.
For example, if
y = 2
,
x = 8
, and
p = 341
, then find
k
such that 2 ≡ 8
k
mod
341.
In the Diffie

Hellman discrete logarithm,
y
is the public key,
g
is a large
random number,
p
is the modulo, and
k
is the private key that the
cryptanalyst is trying to find out.
Which one is the correct Private Key?
29
M. Mogollon
–
29
Elliptic Curve
Elliptic Curve Cryptography
EC Discrete Logarithmic Problem
•
Given an elliptic curve , a point of an order
n
, and a point , determine the integer
k
,
0≤ k ≥ n

1
, such that
Q = kP
, provided that such
integer
k
exists.
•
Q is the public key and
k
is the private key.
•
The scalar integer multiplication of an elliptic curve
point,
P
is defined as the process of adding
P
to itself
k
times.
Q = kP
is analogous to exponentiation in a
discrete logarithm cryptosystem, i.e., it is an operation
that is easy to compute but very difficult and time
consuming to reverse.
)
(
p
F
E
)
(
p
F
E
P
)
(
p
F
E
Q
30
M. Mogollon
–
30
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve Public

Key Cryptography
•
The scalar integer multiplication
of an elliptic curve point, P is
defined as the process of adding
P to itself
k
times. Q =
k
P.
•
When the point (0,1) is added to
itself 13 times the result is the
point (9, 16).
•
Q =
k
P = 13 * (0,1) = (9,16)
•
Select
Q = Public Key = (9,16)
k
= Private Key = 13
31
M. Mogollon
–
31
Elliptic Curve
Elliptic Curve Cryptography
Brute Force Attack
•
There is not a known algorithm
to attack ECC
•
Brute force attack
Starting with point (0,1), add (0,1)
to itself until (9,16) is found
.
Stop when Q = d
P
= (9, 16)
The order of the base point is 28
It would take a system doing a
million addition/sec, 14
microseconds to try 50% of all
possible points.
The size of the odd prime
modulus in bits is 5.
32
M. Mogollon
–
32
Elliptic Curve
Elliptic Curve Cryptography
Brute Force Attack
•
There is not a known algorithm
to attack ECC
•
Brute force attack
Starting with point
P
, add
P
to
itself until
Q
is found
.
Stop when
kP = Q
The order of the base point is
1.73*10
46
It would take a system doing a
million addition/sec (3.15*10
18
additions/year) 10
32
years to try
50% of all possible points.
The size of the odd prime
modulus in bits is 161.
Equivalent to RSA 1024
33
M. Mogollon
–
33
Elliptic Curve
Elliptic Curve Cryptography
Breaking the Code
April 27, 2004
Certicom Corp. (TSX: CIC), the authority for strong,
efficient cryptography, today announced that Chris
Monico, an assistant professor at Texas Tech University,
and his team of mathematicians have successfully
solved the Certicom Elliptic Curve Cryptography (ECC)
109

bit Challenge. The effort required 2600 computers
and took 17 months. For comparison purposes, the
gross CPU time used would be roughly equivalent to
that of an Athlon XP 3200+ working nonstop for about
1200 years.
34
M. Mogollon
–
34
Elliptic Curve
Elliptic Curve Cryptography
Public Key Systems Key Size Comparisons
Security
(Bits)
Symmetric
Encryption
Algorithm
Hash
Algorithm
Minimum Size of Public keys (Bits)
Diffie

Hellman and RSA
Modulus Size
ECC
80
SKIPJACK
SHA

1
1024
1024
160
112
3DES
2048
2048
224
128
AES

128
SHA

256
3072
3072
256
192
AES

192
SHA

384
7680
7680
384
256
AES

256
SHA

512
15360
15360
512
Blake, Seroussi, and Smart (1999, p9)
compared the two algorithms known to
break ECC and discrete algorithms.
Simplifying the formulas and making several
approximations, they arrived at the following
formula comparing key

length for similar
levels of security:
where β ≈ 4.91. The parameters n and N
are the “key sizes” of ECC and DL
cryptosystems.
3
/
2
3
/
1
))
2
log
(
(log
N
N
n
35
M. Mogollon
–
35
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve
Cryptography
36
M. Mogollon
–
36
Elliptic Curve
Elliptic Curve Cryptography
Domain Parameters
•
Parties using elliptic curve cryptography need to share certain
parameter, the “Elliptic Curve Domain Parameters”.
•
The EC domain parameters may be public; the security of the system
does not rely on these parameters being secret.
•
The domain consists of six parameters which are calculated differently
for
F
p
and
F
2m
.
It precisely specify an elliptic curve and base point.
•
The six domain parameters are the following:
T = (q; FR; a, b; G; n; h),
in which,
q
Defines the underlying finite field Fq. The field size is defined by the
module, so,
q
=
p
or
q
=
2m
; p>3 should be a prime number.
FR
Field representation of the method used for representing field elements in
, either or .
a, b
The coefficients defining the elliptic curve
E
, elements of
Fq.
G
A distinguished point, G=(xG ,yG), on an elliptic curve called the
base
point
or
generating point
defined by two field elements xG and yG in Fq.
n
The order of the base point
G.
h
Called the cofactor,
h = #E(Fq)/n
, where n is the order of the base point G.
h
is normally a small number.
q
F
)
(
p
F
E
)
(
2
m
F
E
37
M. Mogollon
–
37
Elliptic Curve
Elliptic Curve Cryptography
ECC Cryptography
•
Encryption
EC Integrated Encryption Scheme (ECIES)
–
Variant of ElGamal public

key encryption
–
Proposed by Bellare and Rogaway
–
Variant of ElGamal public

key encryption schme
–
ANSI X9.63, ISO/IEC 15946

3, and IEEE P1363a draft
Provably Secure Encryption Curve (PSEC)
–
Fujisaki and Okamoto
–
Evaluated by NESSIE and CRYPTREC
•
Key Exchange
Station

to

Station Protocol
–
Diffie, van Oorschot, and Wiener
–
Discrete logarithm

base key agreement
–
ANSI X9.63
ECMQV
–
Meneses, Qu, and Vanstone
–
ANSI X9.63, IEEE 1363

2000, and ISO/IEC 15946

3
38
M. Mogollon
–
38
Elliptic Curve
Elliptic Curve Cryptography
ECC Cryptography
•
Digital Signature
Elliptic Curve Digital Signature Algorithm (ECDSA)
–
Analog to the Digital Signature Algorithm (DSA)
–
Secure Hash Algorithm (SHS

1)
–
ANSI X9.62, FIPS 186

2, IEEE1363

2000 and ISO/IEC 15946

2
EC Korean Certificate

based Digital Signature Algorithm (EC

KCDSA)
–
Lim and Lee
–
ISO/IEC 15946

2.
39
M. Mogollon
–
39
Elliptic Curve
Elliptic Curve Cryptography
Key Generation
•
The public and private keys of an entity A are associated with a
particular set of elliptic curve domain parameters
(q; FR; a; b; G; n;
h)
. To generate a key pair, entity Alice does the following:
Selects a random or pseudo

random integer
d
in the interval [1, n

1].
Computes
Q
=
d * G.
Has
Q
as public key,
Pub
A
, and
d
as private key,
Priv
A
.
Checks that x
G
and y
G
are elements of the elliptic curve equation by
calculating or .
•
Example:
For E(F
23
):
y2 = x3 + x + 1, #E(F
23
) =28
. Then, n=7, since
n
should be a prime
factor of 28.
The cofactor
h
is equal to 28 / 7 = 4.
A point with an order of 7 should be selected.
The point G could be (5, 19), one of several points with
n
= 7. The domain
parameter
T = (p; a; b; G; n; h) is T
= [
23; 1; 1; (5,19); 7, 4
].
Select
d
= 4, so
Q
= 4 (5, 19). (13, 16).
Alice’s public key is
Pub
A
=
Q
= (13, 16) and her private key is
Priv
A
= 4.
p
b
ax
x
y
Q
Q
Q
mod
3
2
m
F
in
b
ax
x
y
x
y
Q
Q
Q
Q
Q
2
3
2
40
M. Mogollon
–
40
Elliptic Curve
Elliptic Curve Cryptography
•
Let T = (
p; a; b; G; n; h
) and
be
Alice’s public key.
•
Alice deciphers the message by
Multiplying her private key
Priv
A
by (
Priv
B
. G)
.
Subtracting the above result
from
M + Priv
B
. Pub
A
.
ECC ElGamal Encryption
Alice
Bob
p
G
Priv
Pub
A
A
mod
T and Pub
A
do not
need to be secret.
•
Bob selects a random number
as his private key and generates
his public key using the same
elliptic curve and G point.
•
Bob enciphers the message,
M
,
by doing
C
M
= [{
Priv
B
* G
}
,
{
M + Priv
B
*Pub
A
}]
•
Bob sends his Pub
B
and cipher
message to Alice.
C
M
, Pub
B
C
M
= [{
Priv
B
* G
}
,
{
M + Priv
B
*Pub
A
}]
M
= {
M + Priv
B
* Pub
A
}
–
{
Priv
A
*
Priv
B
* G
}
Since
Pub
A
=
Priv
A
* G
, then,
M
= {
M + Priv
B
* (Priv
A
. G)
}
–
{
Priv
A
* (Priv
B
* G)
}
41
M. Mogollon
–
41
Elliptic Curve
Elliptic Curve Cryptography
•
Let T = [
23; 1; 1; (5,19); 7; 4
]
and select 4 as the Priv
A
,
as the public key.
•
Alice deciphers the message by
Multiplying her private key 4
by
(18,11) = (5, 4).
Subtracting the above result
from (17, 20)
M
= (17,20)
–
(5, 4)
M
= (17,20) + (5,

4) = (8, 20)
ECC ElGamal Encryption
Alice
Bob
T and Pub
A
do not
need to be secret
•
Bob selects 4 as his private key.
•
The message is the point (8,20).
•
Bob enciphers the message by
C
M
= [{5*(5, 19)}, {(8, 20) + 5* (13, 16)}]
•
Bob sends his Pub
B
and cipher
message
C
M
= [(17, 20), (18,11)] to Alice.
C
M
, Pub
B
23
mod
)
16
,
13
(
23
mod
)
19
,
5
(
4
A
A
Pub
Pub
Note: The cofactor h =4 in T is not related
to the Priv
A
, which was selected at random
and happens to be 4, also.
42
M. Mogollon
–
42
Elliptic Curve
Elliptic Curve Cryptography
Diffie

Hellman Key Exchange System
Alice and Bob convert the shared secret value
z
to an octet string
Z
and use
Z
as the shared secret key for symmetric encryption
algorithms to secure their communications.
T = (p; a; b; G; n; h)
Priv
A
= Random large
prime integer
T = (p; a; b; G; n; h),
does
not need to be secret.
Alice
Bob
T = (p; a; b; G; n; h)
Priv
B
= Random large
prime integer
p
G
riv
P
Pub
A
A
mod
p
G
riv
P
Pub
B
B
mod
A
B
Priv
Pub
ZZ
B
A
Priv
Pub
ZZ
Sender and receiver agree on the
same domain parameters.
ubB
P
ubA
P
43
M. Mogollon
–
43
Elliptic Curve
Elliptic Curve Cryptography
Diffie

Hellman Key Exchange System
T =
[
23; 1; 1; (5,19); 7; 4
]
ubB
P
ubA
P
Alice
Bob
T =
[
23; 1; 1; (5,19); 7; 4
]
p
G
riv
P
Pub
A
A
mod
p
G
riv
P
Pub
B
B
mod
A
B
Priv
Pub
z
B
A
Priv
Pub
z
23
mod
)
16
,
13
(
23
mod
)
19
,
5
(
4
A
Pub
23
mod
)
23
,
17
(
23
mod
)
19
,
5
(
2
B
Pub
23
mod
)
19
,
5
(
23
mod
4
)
3
,
17
(
z
23
mod
)
19
,
5
(
23
mod
2
)
16
,
13
(
z
Note: The cofactor h =4 in T is not related
to the Priv
A
, which was selected at random
and happens to be 4, also.
44
M. Mogollon
–
44
Elliptic Curve
Elliptic Curve Cryptography
•
T = (
p; a; b; G; n; h
) and
is Alice’s public key.
•
Selects a random integer
•
Computes
•
Computes
•
Computes
•
The signature for the
message
m
is the pair of
integers
(r, s).
ECCDSA Signature Generation
Alice
Bob
p
G
Priv
Pub
A
A
mod
T and Pub
A
do not
need to be secret.
Verifies Alice’s signature
(
r, s
) on the message m as
follows:
•
Computes
H(m)
and
•
Computes
•
Computes
•
Accepts the signature if
v
=
r
.
]
2
,
2
[
n
k
)
,
(
*
1
1
y
x
G
k
n
s
c
mod
1
n
c
m
H
u
mod
.
)
(
1
n
c
r
u
mod
.
2
n
x
v
mod
0
A
o
Pub
u
G
u
y
x
*
*
)
,
(
2
1
0
n
k
mod
1
n
x
r
mod
1
(r, s)
n
r
Priv
m
H
k
s
A
mod
}
.
)
(
{
1
45
M. Mogollon
–
45
Elliptic Curve
Elliptic Curve Cryptography
•
Let
T =
[
23; 1; 1; (5,19); 7; 4
] and
•
Select
k
=
3
•
Compute
•
Compute
•
Compute
•
The signature for the message
m
is the pair of integers
(r, s), (6, 2).
ECCDSA Signature Generation
Alice
Bob
Bob verifies Alice’s signature
(6
, 2
) on the message
m
as follows:
•
Compute
H(m)
and
•
Compute
•
Compute
•
Compute
•
Accept the signature because
v
=
6 mod 7
=
r
.
n
s
c
mod
1
n
c
m
H
u
mod
.
)
(
1
n
c
r
u
mod
.
2
A
o
Pub
u
G
u
y
x
*
*
)
,
(
2
1
0
23
mod
)
16
,
13
(
23
mod
)
19
,
5
(
4
A
Pub
)
7
,
13
(
)
19
,
5
(
.
3
.
)
,
(
1
1
G
k
y
x
7
mod
5
7
mod
2
7
mod
3
1
7
mod
6
7
mod
13
r
n
k
mod
1
7
mod
2
7
mod
175
7
mod
)
6
.
4
10
(
5
s
7
mod
4
7
mod
3
7
mod
2
1
c
7
mod
5
7
mod
4
.
10
1
u
7
mod
3
7
mod
4
.
6
2
u
7
mod
6
7
mod
13
mod
0
p
x
v
)
7
,
13
(
)
20
,
17
(
)
20
,
17
(
)
,
(
)
16
,
13
(
.
3
)
19
,
5
(
.
5
)
,
(
0
0
o
o
y
x
y
x
n
r
Priv
m
H
k
s
A
mod
}
.
)
(
{
1
46
M. Mogollon
–
46
Elliptic Curve
Elliptic Curve Cryptography
Cipher Suite
•
There are many algorithms that can be used for encryption, key
exchange, message digest, and authentication; the level of security for
each of these algorithms varies. Establishing a connection between two
entities requires that they tell each other what crypto algorithms they
understand. Normally one of the entities involved in the communication
proposes a list of algorithms, and the other entity selects the algorithms
supported by both. The selected algorithms may not have matching
levels of security, reducing the overall security of the communication.
•
A cipher suite is a collection of cryptographic algorithms that matches the
level of security of all the algorithms listed in the cipher suite. To enable
secure communications between two entities, they exchange information
about which cipher suites they have in common, and they then use the
cipher suite that offers the highest level of security.
47
M. Mogollon
–
47
Elliptic Curve
Elliptic Curve Cryptography
To Probe Further
•
Hankerson, D., Meneses, A., Vanstone S. (2004).
Guide to Elliptic Curve Cryptography
. New York:
Springer

Verlag.
•
Blake, I., Seroussi G., Smart, N. (1999).
Elliptic Curves in Cryptography.
Cambridge, United Kingdom:
Cambridge University Press.
•
Rosing, M. (1999).
Implementing Curve Cryptography.
Greenwich, CT: Manning Publications.
•
Lopez, J., Dahab, R.,
An overview of Elliptic Curve Cryptography
, Institute of computting , State
University of Campinas, sao Paulo Brazil, may 2, 2000. (Retrieved September 26, 2003 from
http://citeseer.nj.nec.com/lop00overview.html
)
•
Brown, M., Cheung, D., Hankerson, D., Lopez, J., Kirkup, M., Menezes, A.,
PGP in Constrained Wireless
Devices
, Proceedings of the 9th USENIX Security Symposium, August 2000.
•
Certicom Research,
Standard for Efficient Cryptograph (SEC 1)
:
Elliptic Curve Cryptograph,
September
20, 2000. (Retrieved September 26, 2003 from
http://www.secg.org/secg_docs.htm
)
•
Certicom Research,
Current Public

Key Crypto Systems
, April 1997. (Retrieved on September 20, 2000
from )
•
Cryptomathic,
Ellipt Curve Online Key Generation
at
http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key

Generation
•
Certicom Elliptic Curve Tutorial at
http://www.certicom.com/index.php?action=ecc,ecc_tutorial
•
IEEE P1363,
Standard Specifications for Public key Cryptography
, draft 2000
Σχόλια 0
Συνδεθείτε για να κοινοποιήσετε σχόλιο