Elliptic Curve Cryptography and Applications
Siddharth Singal
3/3/2014
Abstract
In this paper, we will explore cryptography based on a group created by elliptic curves.
Cryptography in the past was based on mathematical operations taught in grade school, such as
multiplication and exponentiation. Elliptic curves redefine addition and multiplication as new
operations called point addition and point multiplication. Solving elliptic curve based equations
proves to be much more complex and provides increased security, speed, and memory efficiency.
Elliptic curves are widely used in cryptography and are applied in various ways, including key
exchange and digital signature algorithms.
1 Introduction
Cryptography is needed to securely and secretly send and receive messages, provide integrity to
messages, etc. Early cryptography was based on two parties predetermining keys or algorithms for
encryption/decryption. Third-party knowledge of these keys or algorithms would compromise the
security of the message in hand, which was a huge issue because the two parties could not
reliably agree on keys without anyone eavesdropping on them. Public key cryptography was created
so two parties can publicly reveal keys to everybody. However, these public keys are only useful
to the two parties and no one else.
Ron Rivest, Adi Shamir, and Leonard Adleman developed the RSA algorithm in 1977. RSA is the most
widely used public key cryptography system in the current day because it proves to be very
difficult to find the two prime numbers that divide a larger number (which is sometimes hundreds
or thousands of bits long).
1.1 History of Elliptic Curves
Elliptic curve cryptography (ECC) is an up-and-coming cryptographic system which also provides
a public key system. Diophantus first studied the cubic equations that formed these elliptic
curves (EC) in the 3rd century and found that a secant line intersecting the cubic equation at
two points will generally intersect the curve at a third point. ECs were studied occasionally,
including by Karl Weierstrass, who defined EC equations in the 1800s. ECC was first suggested by
Neal Koblitz and Victor S. Miller in 1985. It entered commercial use in the late 1990s, and
started to become widely used around 2004-2005.
1.2 Why use EC
Early cryptographic systems, including RSA, are hard to crack because of the large amount of
computation required to factor a number which is the product of two huge prime numbers. However,
finding the discrete logarithm of a random elliptic curve element with a publicly known base
point is considered infeasible.
Because ECC takes much longer to crack, smaller key sizes are needed. A 256-bit ECC key has the
same strength as a 3072-bit RSA key. Smaller keys mean less storage space and lower transmission
requirements. This paper mentioned that RSA is the most widely used public key cryptography
system, which is considered true because it came first and became more established. However, ECC
is becoming more widely used as time passes.
2 Elliptic Curve Math
EC equations were defined by Karl Weierstrass, which take the form of
where . However, suppose we were to do the following change of variables:
and say that
then we get a simplified Weierstrass equation
Testing out some values of and , we can get the curves as shown below in Figure 1.
Figure 1: Plots of simplified Weierstrass equations for different values of and .
2.1 Point Addition
Suppose we have points , , and on an elliptic curve . Then we can redefine addition such that
. This is called point addition and is not to be confused with normal addition. In order to
find , we must first draw a line intersecting and . Generally, the line will intersect the
curve at a third point, which is . We can find by simply reflecting the point across the axis.
(Refer to Figure 2 for all the math.) In other words, all we have to do is negate the component
of to get .
Figure 2: How to calculate geometrically
The graph shown above in Figure 2 defines the elliptic curve , ( ) and ( ). We can estimate
( ), but to solve this out exactly, we must first find the slope of the line made by and and
put it in point-slope form and do some substitutions.
which is close to our approximation. We can also define point addition algebraically so that we
do not have to go through meaningless geometry every single time in order to solve for .
Suppose that you have ( ) ( ) ( ) which are points on an elliptic curve such that . Then
( )
where is the slope of the line created by the points and . In other words,
If you look at the value of
then
when
, which is indeterminate. This implies that these formulas and the geometry used to add two
points only exist if (and later we will see that in this scenario as well).
2.2 Point Doubling
If , point addition is simply redefined as point doubling. Figure 3 below shows an example of
point doubling. Suppose you wanted to find , then you have to draw a tangent line from and
find the second point the line intersects with. That second point will be , and so then we can
find R.
( )( )( ) (
Figure 3: How to calculate geometrically
Point doubling can also be described algebraically. Suppose we have ( ) ( ) which are points
on an elliptic curve such that .
where
2.3 Point Addition Laws
What happens if we draw a vertical line that intersects the elliptic curve at exactly two
points, and , kind of like in Figure 4?
Figure 4: Secant line only touching two points of elliptic curve
First of all, because this is a simplified Weierstrass equation, the graph will be symmetrical
across a horizontal line drawn at . This means that any vertical line will have the points and
. Now, we must define a new point called , or the point at infinity, and this point exists on
either end of the line formed by . This allows us to define the inverse property, ( ) ( )
namely .
What happens if we draw a tangent line intersecting a point such that the line only touches
the elliptic curve at one point (Figure 5 below as an example)?
Figure 5: Tangent line only touching one point of elliptic curve
This allows us to define the identity property, namely . We can now list some properties of
elliptic curves.
Inverse:
Identity:
Associative: (
Commutative:
One important thing to note about these four properties is that they make elliptic curves
form an Abelian group, making EC a perfect candidate for cryptography.
Elliptic Curves over
Elliptic curves are not very practical for calculations in . Because it is an infinite field,
calculations can be very slow, and computers can create rounding errors. Because of this,
elliptic curve cryptography is usually done in finite groups, denoted by , where is generally
either a prime number or a number in the form of . Performing these calculations in finite
groups is much faster and more accurate. The rest of this paper will generally focus on fields
(finite fields with a prime order).
3.1 Modified Weierstrass Equation
Given an elliptic curve , the points of denoted by
( , ).
Before, we had the equation
However, now that we are working in a finite field , we need to modify our equation. We will
now have
{(
are in
This implies that we must include the point at infinity in our set as well. For example, for
the equation in , ( ) ( )( )( ) ( )( ), giving a total of 24 points. The graph looks like
Figure 6 below.
[Plot: y^2 = x^3 + x in Finite Field of Order 23; axes: x value, y value]
Figure 6: A graph of
3.2 Modified Formulas
We must now modify our point addition and doubling formulas to accommodate for all the points
that we are allowed to use. Something that is extremely convenient about adding points on
elliptic curves in finite fields of prime orders is that the point addition of any two points
in the set of all points in the elliptic curve will always compute to another point in the same
set. In other words,
(
For the point addition
where
For the point doubling
)
where
Elliptic Curve Discrete Logarithm Problem
We can compare the former discrete logarithm problem with elliptic curve discrete logarithm
problem (ECDLP) in . The discrete logarithm problem describes computations required by a 3rd
party cracker in order to compromise a cryptographic system.
4.1 DLP
Generally, when Alice is making her key with DLP, she chooses a public key and a private key .
She then computes another public key . If Eve wanted to compromise this system, she would have
to find by calculating , which we say is the DLP because with a large and , is
computationally hard to calculate.
4.2 ECDLP
In ECDLP, we have a different discrete logarithm problem. Alice will have a public key in the
form of an elliptic curve point, and a private key . Alice will then calculate public key .
In order for Eve to compromise this system, she would have to calculate .
Note that in this case, the logarithm of an elliptic curve point is finding out how many times
the base needs to be added to itself to get to the given value.
5 Elliptic Curve Crypto
Given only point addition and point doubling, there are very simple algorithms to calculate ,
where are the public keys and is the private key. Intuitively, someone might think to do
additions of to find , but that doesn't use the doubling formula at all. A much more efficient
method was discovered using a double and add algorithm. For example, let us take . We can make
a table of variables to track the changes made to and
Figure 8: Tracking variables of double-add algorithm for
We see that in the end,
6 Applications ECDH
Elliptic Curve Diffie-Hellman (ECDH) is similar to the original Diffie-Hellman key exchange,
except for the fact that computations are done using elliptic curves. Suppose Alice wants to
secretly send a message to Bob, which will generally be a symmetric key or something along the
same lines, but Eve is eavesdropping on their conversation.
6.1 Initialization
Alice and Bob must agree on a couple of things in order for them to exchange messages. They
must agree on the same curve parameters ( and of the simplified Weierstrass equation from
above) since different curves yield different results. They must also agree on the finite field
they are operating in ( with prime ). They must agree on a generator in ( ) and its order ,
which is generally the smallest prime such that . is generally the size of a subgroup of ( ),
and so we can calculate ( ) , where is called the cofactor (and will generally be very small).
The domain parameters are then described as ( ).
6.2 Sharing the Message
Each party will make their own key pair. This involves Alice choosing a private key in the
interval and computing a public key . Alice's key pair will be ( ). Using the same process,
Bob should have a key pair ( ). Eve will know what and are, but not or . Now Alice can
compute ( ) and Bob can compute ( ). It is a fact that ( ) because ( ) . This means that
Alice and Bob have successfully shared the message .
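The finite-field point arithmetic of section 3.2, the double-and-add method of section 5 and the ECDH exchange of section 6, worked through in Python as an added example (not code from the original paper). It assumes the Figure 6 curve is y^2 = x^3 + x over the field of order 23, which has the 24 points the text counts; `G` and the private keys used with `ecdh` are constructed toy values, and the toy group order 24 is not prime.

```python
P, A = 23, 1   # assumed reading of the page's curve: y^2 = x^3 + x over F_23
O = None       # the point at infinity (group identity)

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0]) % P == 0

def add(p1, p2):
    """Point addition and doubling in F_p, including identity and inverse cases."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                   # P + (-P) = O, vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P      # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P       # secant slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add: one doubling per bit of k, one addition per set bit."""
    acc = O
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def all_points():
    return [O] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]

def order(pt):
    """Smallest n > 0 with n*pt = O, found by repeated addition."""
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n

def ecdh(g, d_a, d_b):
    q_a, q_b = mul(d_a, g), mul(d_b, g)   # public keys, visible to Eve
    return mul(d_a, q_b), mul(d_b, q_a)   # Alice's and Bob's shared point

# Constructed toy parameters: a generator of the whole 24-element group.
G = next(p for p in all_points() if p is not O and order(p) == 24)
```

Calling `ecdh(G, 7, 11)` returns the same point twice, once computed from Alice's side and once from Bob's.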
7 Applications ECDSA
ECDSA describes the Elliptic Curve Digital Signature Algorithm. Digital signatures allow people
to sign documents digitally, which is much more secure than signing a document with a physical
pen since digital signatures are much harder to forge. There are 3 main reasons to use digital
signatures.
Authentication: Verify the source of the document since everyone will have their own associated
private key
Integrity: Make sure that the document was the same from its transmission to its reception
Non-Repudiation: The person who sent the message cannot deny having sent the message after he
has done so
We will now see how Alice can sign a document and send it to Bob.
7.1 Initialization
As described above in section 6.1, initialization is done by Alice and Bob agreeing on the
domain parameters ( ).
7.2 Alice
Alice will have to go through a specific process in order to sign a document she has before she
sends it over to Bill.
1. She will randomly select a private key in the interval of and create her private key .
2. She will then select a random from . She will then compute ( ), and she will make .
3. If , then she will go back to step 1.
4. She will compute ( ), where the function ( ) is a hash function of some message , such as
SHA or MD5.
5. She will compute , which is the bit length of , and she will make the leftmost bits of .
6. She can then find ( ) .
7. If , then Alice will go back to step 1.
8. The document has now been signed using the signature , which has been released into the
public.
7.3 Bob
Bob has now received the document/message and now he must verify the document by using the
signature. He is mainly checking for authentication, integrity, and non-repudiation.
1. Bob must obviously check if and are in the interval .
2. He must then compute ( ), using the same hashing function as Alice.
3. He will also compute by finding like Alice did and finding the leftmost bits of .
4. He will compute .
5. Bob can find .
6. Bob will compute ( ).
7. He will compute .
8. Bob can accept the signature if .
Bob has now accepted the signature and can safely read the message that was sent to him.
7.4 Proof of Verification
If you read closely, the math adds up. We want to verify the signature if .
(
(
)
)
(Alice5)
(rewritten)
(distribution)
(Bob3)
(Bob5)
(
)
(Pmultiplication)
(distribution)
(Alice1)
(Bob6)
Because is the value of and is the value of , as seen from the last step of the proof above.
7.5 Eve/Choosing Random
Eve has access to a lot of information now. She has all the domain parameters ( ), the message
, the hashing algorithm used, public key , and the signature . If she were to know values such
as or even worse, , then she can modify the document and re-sign it however she wants. Bob
would still receive a correctly signed document, and so it is important to keep those values a
secret. However, if Eve simply changes the message before Bob receives it, the calculations
will differ greatly and Bob will not verify the signature since .
It is extremely important for Alice to always choose a random . Suppose she had a constant that
she used for every message she sent Bob. Suppose the same was used for two different messages
sent: and . Knowing the hashing algorithm, Eve can calculate and . Message would be signed
using , and message would be signed using . Note that the values are the same because is the
value of , and and are constant in this example. The signature will still be different though.
Because of Alice's sixth step in the algorithm, ( ) and ( ). This means that
( )
( )
( )
Alice's private key has been calculated, and now Eve can pretend to be Alice whenever she feels
like it. Eve can sign documents, and Bob will trust all documents sent by Eve. It may occur to
most people to follow the algorithms above exactly as written, but big companies like Sony
seemed to fail in their implementation of ECDSA in the Playstation 3.
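Why a repeated nonce is fatal, as an added Python example (not from the original paper): an audit check that flags signatures sharing the same r, and the section 7.5 algebra applied to a flagged pair. The modulus is the published secp256k1 group order; the key, nonces, messages and the stand-in r values are constructed, and r is not derived from a curve point here.

```python
import hashlib
from collections import defaultdict

# Order n of the secp256k1 group, used here only as a realistic prime modulus.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def z_of(message: bytes) -> int:
    """Alice's steps 4-5: e = HASH(m), then z = the leftmost L_n bits of e."""
    e = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return e >> max(0, 256 - N.bit_length())

def s_of(z: int, r: int, k: int, d: int) -> int:
    """Alice's step 6: s = k^-1 (z + r*d) mod n."""
    return pow(k, -1, N) * (z + r * d) % N

def find_reused_r(sigs):
    """Audit check: under one key, two signatures sharing r were made with the same k."""
    by_r = defaultdict(list)
    for msg, r, s in sigs:
        by_r[r].append((msg, s))
    return {r: group for r, group in by_r.items() if len(group) > 1}

def recover_private_key(r, m1, s1, m2, s2):
    """Section 7.5 algebra: k = (z1 - z2)/(s1 - s2), then d = (s1*k - z1)/r, all mod n."""
    z1, z2 = z_of(m1), z_of(m2)
    k = (z1 - z2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N

# Constructed values: D is the private key, K a nonce reused twice, K2 a fresh nonce.
# R and R2 stand in for the x-coordinates of K*G and K2*G (no curve arithmetic here).
D, K, K2 = 0x1234567890ABCDEF, 0xC0FFEE, 0xBADC0DE
R, R2 = 0x5EED5EED5EED, 0xFEEDFACE
MSGS = [b"pay Bob 10", b"pay Bob 20", b"pay Bob 30"]
SIGS = [(MSGS[0], R, s_of(z_of(MSGS[0]), R, K, D)),
        (MSGS[1], R, s_of(z_of(MSGS[1]), R, K, D)),
        (MSGS[2], R2, s_of(z_of(MSGS[2]), R2, K2, D))]
```

A key flagged by `find_reused_r` has to be treated as disclosed and rotated; drawing k from a CSPRNG for every signature, or deriving it deterministically from the key and message as in RFC 6979, removes the failure.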