Post on 05-Dec-2014
description
Elliptic Curve Cryptography - An Introduction
Marisa Paryasto3320700227 October 2011
1Friday, October 28, 2011
What is Elliptic Curve Cryptography?
‣ Originally proposed by Victor Miller and Neal Koblitz independently from one another in 1985
‣ ECC proposed an alterna@ve to other public-‐key encryp@on algorithms, such as RSA
2Friday, October 28, 2011
Elliptic Curve
Called “ellip@c” because of its rela@onship with ellip@c integrals, which are natural expressions for the arc length of an ellipse
y2 = x3 + ax + b
Ellip@c curve is not an ellipse!
3Friday, October 28, 2011
y2 = x3 - x
4Friday, October 28, 2011
y2 = x3
5Friday, October 28, 2011
y2 = x3 - 4/3x + 16/27
6Friday, October 28, 2011
y2 = x3 - 1/2x + 1/2
7Friday, October 28, 2011
Elliptic Curve Cryptography
‣ Point mul@plica@on Q = kP
‣ Repeated point addi@on and doubling:9P = 2(2(2P)) + P
‣ Public key opera@on: Q(x,y) = kP(x,y) Q = public key P = base point (curve parameter) k = private key n = order of P
‣ Ellip@c curve discrete logarithm Given public key kP, find private key k
8Friday, October 28, 2011
Elliptic Curve Addition
P+Q
P
Q
9Friday, October 28, 2011
Multiplying 3P in Elliptic Curve (1)
P+P = 2P
P
10Friday, October 28, 2011
Multiplying 3P in Elliptic Curve (2)
3P P
P+P = 2P
Notes: 3P = 2P + P -> draw a line that crosses point 2P and P
11Friday, October 28, 2011
Encryption Process
!"#$$%&
'%($)!
*+,-,.,/,/&,01*22,0&
21,/,3**&4******&&
!"#$%&'(&
*+&,-,.,/,/&,01*22,0&
21,/,3**&4******5&
*+&,6,1,7,3&212.,6,1&
,.,7,3,1&2127,.,2
89:
)$*+$%&'*', (-.+/-!0$%&+
12"&$!"$3#&$0%+
0%+32,4'
*+&2/-;#.,6&.<-467<2&
7-21##6*&6*7<-;665&
*+&-7327-16&<3*;))37&
-7;3-73*&1;1;7-71
(5.+/5
30%4',6$0%+
&0+
%21)',
'1)'7+
&0+
32,4'
'%3,/!&'7+
7#&#+
8!0$%&9
12Friday, October 28, 2011
Decryption Process
!"#$$%&
'%($)!
*+,-,.,/,/&,01*22,0&
21,/,3**&4******&&
!"#$%&'(&
*+&,-,.,/,/&,01*22,0&
21,/,3**&4******5&
*+&,6,1,7,3&212.,6,1&
,.,7,3,1&2127,.,2
)&8&9
)$*+$%&'*',(-.+/-!0$%&+
12"&$!"$3#&$0%+
0%+32,4'
5'3,/!&$0%+
!,03'66*+&2/-:#.,6&.;-467;2&
7-21##6*&6*7;-:665&
*+&-7327-16&;3*:))37&
-7:3-73*&1:1:7-71
7+8+9(:.+/:;
13Friday, October 28, 2011
Elliptic Curve y2 = x3 + x + 6 is defined over Z11
0
1
2
3
4
5
6
7
8
9
10
0 2 4 6 8 10 12
Z11
14Friday, October 28, 2011
An elliptic curve E: y2 = x3 + x + 6 is defined over Z11
15Friday, October 28, 2011
Calculating Quadratic Residue
16Friday, October 28, 2011
Points on Curve
17Friday, October 28, 2011
‣ There are 12 points lying on the ellip@c curve. Together with the point O at infinity, the points on the ellip@c curve form a group with n = 13 elements.
‣ n is called the order of the ellip@c curve group and depends on the choice of the curve parameters a and b.
18Friday, October 28, 2011
Point Addition
m =y2 − y1x2 − x1
=9− 4
5− 2=
5
3= 5 · 4 = 20 = 9
x3 = m2 − x1 − x2 = (9)2 − 2− 5 = 81− 7 = 74 = 8
y3 = m(x1 − x3)− y1 = 9(2− 8)− 4 = 9(−6)− 4 = −54− 4 = −58 = 8
P3 = (x3, y3) = (8, 8)
P1 = (2, 4) P2 = (5, 9)
P1 + P2 = P3 = (x3, y3)
19Friday, October 28, 2011
Point Doubling
‣ Iterate the point (7, 2) lying on y_2 = x_3 + x + 6 mod 11
‣ Compute P2 = P * P by doubling the point P
m =dy
dx=
x12 + b
2y1=
3(7)2 + 1
2(2)=
147 + 1
4=
148
4= 148 · 3 = 53̇ = 15 = 4
x2 = m2 − 2x1 = (4)2 − 2(7) = 16− 14 = 2
y2 = m(x1 − x2)− y1 = 4(7− 2)− 2 = 4(5)− 2 = 20− 2 = 18 = 7
P 2 = P ∗ P = (x2, y2) = (2, 7)
20Friday, October 28, 2011
More point doubling
Compute P3 = P2 * P
P 2 = (2, 7)
P = (7, 2)
m =y2 − y1x2 − x1
=2− 7
7− 2=
−5
5=
6
5= 6 · 9 = 54 = 10
x3 = m2 − x1 − x2 = (10)2 − 2− 7 = 100− 9 = 91 = 3
y3 = m(x1 − x3)− y1 = 10(2− 3)− 7 = 10(−1)− 7 = −10− 7 = −17 = 5
P 2 = P ∗ P = (x3, y3) = (3, 5)
21Friday, October 28, 2011
Representing plaintext
‣ Let
‣ Message m (representated as a number) will be embedded in the x-coordinate of a point
‣ Adjoin a few bits at the end of m and adjust until we get a number x such that x3 + bx + c is square mod p
E : y2 ≡ x3 + bx+ c(mod p)
22Friday, October 28, 2011
Representing plaintext (example)
‣ Let p = 179 and
‣ If failure rate of then we may take K = 10
‣ We need , we need
‣ Suppose our message is m = 5. We consider x of the form
‣ The possible choices for x are 50, 51, .., 59. For x = 51 we get
‣ Thus, we represent the message m = 5 by the point (insert encryption process)
‣ The message m can be recovered by
E : y2 = x3 + 2x+ 7
1
210
m.K +K < 179 0 ≤ m ≤ 16
m.K + j = 50 + j
x3 + 2x+ 7 ≡ 121(mod 179) 112 = 121(mod 179)
Pm = (51, 11)
m =�5110
�= 5
23Friday, October 28, 2011
Basic ElGamal
ElGamal Encryption
INPUT: Elliptic curve domain parameters ,public key , plaintext
OUTPUT: Ciphertext
1.Represent the message as a point in
2.Select3.Compute4.Compute5.Return
(p,E, P, n)
Q m
(C1, C2)
m
M E(Fp)
k ∈R [1, n− 1]
C1 = kP
C2 = M + kQ
(C1, C2)
ElGamal Decryption
INPUT: Domain parameters, private key , ciphertext
OUTPUT: Plaintext
1. Compute , and extract from
2. Return( )
(p,E, P, n)(C1, C2)d
m
m
M = C2 − dC1
m M
24Friday, October 28, 2011
poly_prime = 80000000 3 NUMBITS = 63NUMWORD = 1setting up curve
the curve after setting up: form: 1a2: 0 2 a6: 0 1
counter = 0inc = 1Base pointx: 2e7cf965 63323eab y: 730a0498 5b456f7d
create side 2's private key
Side 2 secret:10fc68f8 254d4d11
Generate side 2's public key
Side 2 public keyx: 47a20fe7 9afa870f y: 3c871ef9 9f291729 data = 0 123
Hide data on curve and send from side 1 to side 2
curve before send_elgamal: form: 1a2: 0 2 a6: 0 1
Their_public before send_elgamal: x: 47a20fe7 9afa870f y: 3c871ef9 9f291729
Time of execution: 0.013889 seconds=====IN send_elgamal=====data (in send_gamal function) : 0 123 Base pointx: 2e7cf965 63323eab y: 730a0498 5b456f7d Base curveform: 1a2: 0 2 a6: 0 1
random value: 52d518f2 9979dd24 Random point C1x: 5458cfc 12efc03c y: 52d6eb3 a6af454b counter = 0inc = 0raw point M (after poly_embed)x: 0 123 y: 628f64a8 105671e3 Their_public: x: 47a20fe7 9afa870f y: 3c871ef9 9f291729 hidden point (after poly_elptic_mul)x: 3e2ca01d e1b52870 y: 523fa9bd ab463883 Hidden data (C2): x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random point (C1): x: 5458cfc 12efc03c y: 52d6eb3 a6af454b =====OUT send_elgamal
25Friday, October 28, 2011
AFTER send_elgamalcurve after send_elgamal: form: 1a2: 0 2 a6: 0 1
Hidden data (C2)x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random point (C1)x: 5458cfc 12efc03c y: 52d6eb3 a6af454b
Recover transmitted message
IN receive_elgamalBase curve in receive_elgamalform: 1a2: 0 2 a6: 0 1
Hidden_data (in receive_elgamal) : x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random pointx: 5458cfc 12efc03c y: 52d6eb3 a6af454b hidden_point (d*C1): x: 3e2ca01d e1b52870 y: 523fa9bd ab463883 &raw_point:
x: 0 123 y: 628f64a8 105671e3 raw_point.x 0 123 &raw_data (point): x: bffff5ac bffff5e8 y: 8fe018b1 0 raw_data (point): x: 0 123 y: 0 123 &raw_data (field): bffff5ac bffff5e8 raw_data (field): 0 123 =====OUT receive elgamal
sent data 0 123 received data (field) 0 123
26Friday, October 28, 2011