Ecc Simple


  • 8/13/2019 Ecc Simple

    1/27

    Simple Tutorial on Elliptic Curve Cryptography

    Last updated in December 2004


    Preface

    For the complexity of elliptic curve theory, it is not easy to fully understand the theorems while reading the papers or books about Elliptic Curve Cryptography (ECC). But with the development of ECC and its advantage over other cryptosystems on finite fields, more and more people are expressing interest in this field. This simple tutorial is for those who want to quickly refer to the basic knowledge, especially the available cryptography schemes in this field. The tutorial is organised as follows. Chapter 1 introduces some preliminaries of elliptic curves. How to use elliptic curves in cryptosystems is described in Chapter 2. The final part includes some basic notions.

    The whole tutorial is based on Julio Lopez and Ricardo Dahab's work "An Overview of Elliptic Curve Cryptography", with some extensions. Many paragraphs are lifted directly from the referred papers and books. Hence, I do NOT claim any right to this report. Some important subjects are still missing, including the algorithms for the group operations and the recent progress on pairing-based cryptography.

    Caveat. Many of the schemes included in this tutorial in fact cannot meet the stringent security requirements of encryption or signature and have been broken by some means in the literature. It is not recommended to use a scheme presented in the tutorial without consulting other resources for security considerations.

    The last update was on December 1, 2004, correcting many errors.

    Zhaohui [email protected]


    Contents

    1 Basic Conception ... 4
    1.1 Discrete Mathematics Fundament ... 4
    1.1.1 Group Fundament ... 4
    1.1.2 Field Fundament ... 4
    1.1.3 Finite Field F_p ... 5
    1.1.4 Finite Field F_{2^m} ... 5
    1.2 General Elliptic Curves ... 7
    1.3 E(F) Forms an Abelian Group Under Addition Operation ... 7
    1.4 Elliptic Curves Over F_p ... 8
    1.5 Elliptic Curves Over F_{2^m} ... 8
    1.6 Addition Operation on E(F_p) and E(F_{2^m}) ... 9
    1.7 Some Basic Concepts and Facts ... 9
    1.7.1 Some Concepts ... 9
    1.7.2 Some Basic Facts ... 9
    1.8 Discrete Logarithm Problem on Elliptic Curves ... 10
    1.9 Approaches to Look for a Curve of Nearly Prime Order ... 11
    2 ECC in Practice ... 12
    2.1 ECC Domain Parameters ... 12
    2.2 ECC System Setup ... 12
    2.3 Key Generation ... 13
    2.4 Public Key Validation ... 13
    2.5 ECC Key Agreement Protocol ... 14
    2.5.1 Static ECDH Key Agreement Protocol ... 14
    2.5.2 ECMQV Key Agreement Protocol ... 15
    2.6 EC Public Key Cryptosystem ... 15
    2.6.1 Basic Method ... 15
    2.6.2 EC-KEM ... 15
    2.6.3 ElGamal Cryptosystem ... 16
    2.6.4 EC ElGamal Cryptosystem ... 17
    2.6.5 Massey-Omura Cryptosystem ... 17
    2.6.6 Menezes-Vanstone Cryptosystem ... 18
    2.6.7 RSA ... 18
    2.6.8 ECRSA ... 18
    2.7 EC Signature Protocol ... 19
    2.7.1 DSA ... 19
    2.7.2 ECDSA ... 20
    2.7.3 ElGamal Digital Signature Scheme ... 21
    2.7.4 EC ElGamal Signature Scheme ... 22
    2.7.5 Schnorr Signature Scheme ... 22
    2.7.6 EC Schnorr Signature Scheme ... 23
    2.8 Point Compression ... 24
    2.9 Message Embedding ... 24


    Chapter 1

    Basic Conception

    1.1 Discrete Mathematics Fundament

    1.1.1 Group Fundament

    A group is an algebraic system defined on a set G with a binary operation ∘ satisfying the following:

    closure: ∀ x, y ∈ G, x ∘ y ∈ G;
    associativity: x ∘ (y ∘ z) = (x ∘ y) ∘ z;
    identity: ∃ e ∈ G, ∀ x ∈ G: x ∘ e = e ∘ x = x;
    inverse: ∀ x ∈ G, ∃ y ∈ G: x ∘ y = y ∘ x = e.

    Abelian group: a group that also satisfies commutativity: ∀ x, y ∈ G, x ∘ y = y ∘ x.

    1.1.2 Field Fundament

    A field is an algebraic system defined on a set F with two binary operations +, · satisfying the following:

    (F, +) is an Abelian group;
    (F \ {0}, ·) is an Abelian group, where 0 is the identity of addition and the zero of multiplication;
    distributivity: ∀ x, y, z ∈ F: x · (y + z) = x · y + x · z; (x + y) · z = x · z + y · z.

    The characteristic of a field F, denoted by char(F), is the least positive integer n satisfying Σ_{i=1}^{n} I = 0, where I is the identity of field multiplication.


    1.1.3 Finite Field F_p

    Definition: F_p, for prime p, is defined on the number set F = {0, 1, ..., p − 1} with two operations:

    Addition: a, b ∈ F_p, r ← (a + b) mod p;
    Multiplication: a, b ∈ F_p, r ← (a · b) mod p.

    Quick modulo computation: Both operations need a modulo operation. For special prime numbers the modulo operation can be done quickly. For example, for the prime p = 2^192 − 2^64 − 1, if n < p^2, then n can be rewritten as n = Σ_{j=0}^{5} A_j 2^{64j}. Then

    n ≡ T + S_1 + S_2 + S_3 (mod p), where

    T = A_2 · 2^128 + A_1 · 2^64 + A_0,
    S_1 = A_3 · 2^64 + A_3,
    S_2 = A_4 · 2^128 + A_4 · 2^64,
    S_3 = A_5 · 2^128 + A_5 · 2^64 + A_5.

    This type of prime p is called a generalized Mersenne number, introduced by Solinas.
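The folding rule above, as an added worked example (not code from the tutorial): a Python routine that reduces an input n < p^2 modulo p = 2^192 − 2^64 − 1 using only limb shifts and additions followed by a few conditional subtractions; the function names are mine.

```python
# Fast reduction modulo the generalized Mersenne prime p = 2^192 - 2^64 - 1
# (the NIST P-192 field prime), written from the T + S1 + S2 + S3 rule above.
# Added example, not code from the tutorial; the helper names are mine.

P192 = 2**192 - 2**64 - 1
W = 2**64  # limb size: n < p^2 < 2^384 fits in six 64-bit limbs A0..A5


def limbs(n, count=6):
    """Split n into `count` little-endian 64-bit limbs A0..A{count-1}."""
    return [(n >> (64 * j)) & (W - 1) for j in range(count)]


def fast_reduce_p192(n):
    """Return n mod p for 0 <= n < p^2 using shifts, adds and a few subtractions.

    Because 2^192 = 2^64 + 1 (mod p), every limb above A2 folds back into the
    three low limbs: A3*2^192 = A3*2^64 + A3, and likewise for A4 and A5.
    """
    if not 0 <= n < P192 * P192:
        raise ValueError("input must satisfy 0 <= n < p^2")
    a0, a1, a2, a3, a4, a5 = limbs(n)
    t = (a2 << 128) | (a1 << 64) | a0      # T  = (A2, A1, A0)
    s1 = (a3 << 64) | a3                    # S1 = ( 0, A3, A3)
    s2 = (a4 << 128) | (a4 << 64)           # S2 = (A4, A4,  0)
    s3 = (a5 << 128) | (a5 << 64) | a5      # S3 = (A5, A5, A5)
    r = t + s1 + s2 + s3                    # r = n (mod p), r < 4p
    while r >= P192:                        # at most three conditional subtractions
        r -= P192
    return r


def check_against_generic(n):
    """True when the fast path agrees with Python's generic modulo for this n."""
    return fast_reduce_p192(n) == n % P192
```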

    1.1.4 Finite Field F_{2^m}

    The elements of F_{2^m} can be represented in three ways.

    Using polynomial basis

    Every element of the field F_{2^m} can be expressed as a polynomial of degree less than m (for a ∈ F_{2^m} there are m numbers a_i ∈ {0, 1} such that a = a_{m−1} x^{m−1} + ... + a_1 x + a_0 = (a_{m−1} ... a_0)). The operations are defined as follows:

    Addition: a, b ∈ F_{2^m}, a + b = c = (c_{m−1} ... c_0), c_i = (a_i + b_i) mod 2 = a_i ⊕ b_i;
    Multiplication: a, b ∈ F_{2^m}, a · b = c, c = (Σ_{j=0}^{m−1} a_j x^j) · (Σ_{j=0}^{m−1} b_j x^j) mod f(x),

    where f(x) = x^m + Σ_{j=0}^{m−1} f_j x^j is an irreducible polynomial of degree m.

    Note: The irreducible polynomial can be a trinomial x^m + x^k + 1 or a pentanomial x^m + x^{k_3} + x^{k_2} + x^{k_1} + 1. Selecting a polynomial of the above forms whose middle terms have minimal degree speeds up the reduction modulo f(x).
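A worked example of the polynomial-basis arithmetic just described, added here and not taken from the tutorial: elements are integers whose bits are the coefficients a_i, addition is XOR, and multiplication reduces modulo f(x) bit by bit. The class and method names are mine; F_{2^8} with the pentanomial f(x) = x^8 + x^4 + x^3 + x + 1 (the AES field) is used because its products are easy to check against published values, and the NIST B-233 trinomial x^233 + x^74 + 1 shows the same code on a cryptographic-size field.

```python
# Polynomial-basis arithmetic in F_{2^m} (Section 1.1.4): an element a = (a_{m-1} ... a_0)
# is an int whose bit i is the coefficient a_i, addition is XOR, and multiplication is
# polynomial multiplication reduced modulo the irreducible f(x) as soon as degree m appears.
# Added example, not code from the tutorial; the class and method names are mine.


class BinaryField:
    def __init__(self, m, f):
        # f is the bitmask of f(x) including the leading x^m term, e.g. 0x11B for
        # x^8 + x^4 + x^3 + x + 1 (pentanomial) or (1<<233)|(1<<74)|1 for the B-233 trinomial
        if f >> m != 1:
            raise ValueError("f(x) must have degree exactly m")
        self.m, self.f = m, f
        self.mask = (1 << m) - 1

    def add(self, a, b):
        # c_i = (a_i + b_i) mod 2 = a_i XOR b_i: no carries in characteristic 2
        return a ^ b

    def mul(self, a, b):
        """Shift-and-add product; reduce by XOR-ing f(x) whenever x^m would appear."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m:  # degree reached m: subtract f(x), i.e. XOR its bits
                a ^= self.f
        return r & self.mask

    def pow(self, a, e):
        """Square-and-multiply exponentiation in the field."""
        result = 1
        while e:
            if e & 1:
                result = self.mul(result, a)
            a = self.mul(a, a)
            e >>= 1
        return result

    def inv(self, a):
        """a^{-1} = a^{2^m - 2}, since the multiplicative group has order 2^m - 1."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse")
        return self.pow(a, (1 << self.m) - 2)

    def degree(self, a):
        """Degree of the polynomial a, or -1 for the zero element."""
        return a.bit_length() - 1
```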


    Using normal basis

    A normal basis of F_{2^m} over F_2 is a basis of the form {β, β^2, β^4, ..., β^{2^{m−1}}} where β ∈ F_{2^m}. Note: such a normal basis always exists. A Gaussian Normal Basis (GNB) can speed up the multiplication operation. If 8 ∤ m, a GNB exists. If 8 | m and the type T of the GNB is positive, then the GNB exists if and only if p = Tm + 1 is prime and gcd(Tm/k, m) = 1, where k is the multiplicative order of 2 modulo p.

    Every element of F_{2^m} can be expressed as a linear combination of the basis, which means for a ∈ F_{2^m} there are m numbers a_i ∈ {0, 1} such that a = Σ_{j=0}^{m−1} a_j β^{2^j} = (a_0 ... a_{m−1}). The operations with a GNB are defined as follows:

    Addition: a, b ∈ F_{2^m}, a + b = c = (c_0 ... c_{m−1}), c_i = a_i ⊕ b_i;
    Multiplication: a, b ∈ F_{2^m}, a · b = c = (c_0 ... c_{m−1}), where

    c_l = A_l if T is even, c_l = B_l if T is odd,

    where T is the type of the GNB and

    A_l = Σ_{k=1}^{p−2} a_{F(k+1)+l} b_{F(p−k)+l},
    B_l = Σ_{k=1}^{m/2} (a_{k+l−1} b_{m/2+k+l−1} + a_{m/2+k+l−1} b_{k+l−1}) + A_l,

    with p = Tm + 1 and F(1), ..., F(p − 1) defined by F(2^i u^j mod p) = i for 0 ≤ i ≤ m − 1, 0 ≤ j ≤ T − 1, where u ∈ F_p has order T.

    Using subfield basis

    When m = m_1 m_2, we can regard F_{2^m} as an extension of degree m_2 of F_{2^{m_1}}, and represent the elements of F_{2^m} using a basis of the form {α_i β_j : 0 ≤ i < m_1, 0 ≤ j < m_2}, where β_0, ..., β_{m_2−1} form a basis of F_{2^m} over F_{2^{m_1}}, and α_0, ..., α_{m_1−1} form a basis of F_{2^{m_1}} over F_2. So the arithmetic operations can be done in two stages: an outer section does the operations on elements of F_{2^m} as vectors of symbols from F_{2^{m_1}}, and an inner section performs the operations on the symbols as binary words. Any combination of bases can be used, for example a normal basis for the outer section and a polynomial basis for the inner one.

    When m_1 is large enough (4 to 16), m_2 is relatively small, which benefits the operation speed. For example, if using a polynomial basis, the polynomial is much shorter, and the inner-section operations can be finished by table lookups.

    The inverse operation based on repeated multiplication can also be made more efficient. For any non-zero γ ∈ F_{2^m}, write γ^{−1} = γ^{s−1} / γ^s with s = (2^m − 1)/(2^{m_1} − 1). Since γ^s lies in the subfield F_{2^{m_1}}, where inversion is cheap, and γ^{s−1} has an optimized addition chain, the inversion costs less than a direct exponentiation.


    1.2 General Elliptic Curves

    Elliptic Curves: Let a_i ∈ F, where F is a finite field and F̄ is the algebraic closure of F. Let E be the cubic curve defined by (the general Weierstrass equation) y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 over F, that is, E = {(x, y) ∈ F̄^2 : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6} ∪ {∞}, denoted by E(F̄). Note: every cubic can be transformed into Weierstrass form by an affine projectivity.

    b_2 = a_1^2 + 4a_2,
    b_4 = a_1 a_3 + 2a_4,
    b_6 = a_3^2 + 4a_6,
    b_8 = a_1^2 a_6 − a_1 a_3 a_4 + 4a_2 a_6 + a_2 a_3^2 − a_4^2,
    c_4 = b_2^2 − 24 b_4,
    c_6 = −b_2^3 + 36 b_2 b_4 − 216 b_6,
    Δ = −b_2^2 b_8 − 8 b_4^3 − 27 b_6^2 + 9 b_2 b_4 b_6,
    k = 2y + a_1 x + a_3,
    4 b_8 = b_2 b_6 − b_4^2,
    1728 Δ = c_4^3 − c_6^2,
    j = c_4^3 / Δ = 1728 + c_6^2 / Δ.

    Weights: the weight of x is 2, the weight of y is 3, and the weight of a_i is i.

    Note: In the above definition, E is a set of points both of whose coordinates lie in F̄, which means E is the solution set of the equation over F̄, not over F.

    Rational points: Let L be an algebraic extension of F (F ⊆ L ⊆ F̄). If both coordinates of P ∈ E lie in L, or P = ∞, we say P is L-rational. The set of L-rational points of E is denoted by E(L).

    1.3 E(F) Forms an Abelian Group Under the Addition Operation

    Definition: Addition in E(F)

    ∞ is the special point denoting infinity. The addition operation is specified as follows: to add two points u, v ∈ E(F),

    1. draw a line through u and v which intersects the curve at a third point w;
    2. draw a vertical line through w which intersects the curve at a point z.

    Define u + v = z. If u = v ≠ ∞ then the line in step 1 is the tangent line to the curve at u. Adding ∞ to u means the line drawn in step 1 is the vertical line passing through u, because ∞ is infinitely far away, and the vertical line in step 2 is the same as the line in step 1, which intersects the curve at the same point u. So u + ∞ = u. ∞ plus ∞ is still ∞, which means ∞ is the identity of the group. The inverse of u, denoted by −u, requires u + (−u) = ∞. According to the addition rule, we can find the unique −u that satisfies the requirement. The formal definition of addition in E(F) is as follows. Suppose P = (x_1, y_1) and Q = (x_2, y_2) are points on E other than ∞. If x_1 = x_2 and y_1 + y_2 + a_1 x_2 + a_3 = 0, then P + Q = ∞. Otherwise P + Q = (x_3, y_3), where

    x_3 = λ^2 + a_1 λ − a_2 − x_1 − x_2,
    y_3 = −(λ + a_1) x_3 − ν − a_3,

    λ = (y_2 − y_1)/(x_2 − x_1) if P ≠ Q,
    λ = (3x_1^2 + 2a_2 x_1 + a_4 − a_1 y_1)/(2y_1 + a_1 x_1 + a_3) if P = Q,

    ν = (y_1 x_2 − y_2 x_1)/(x_2 − x_1) if P ≠ Q,
    ν = (−x_1^3 + a_4 x_1 + 2a_6 − a_3 y_1)/(2y_1 + a_1 x_1 + a_3) if P = Q.

    Note: λ is the slope of the tangent if P = Q, which can be computed from the differential (2y dy + a_1 y dx + a_1 x dy + a_3 dy = 3x^2 dx + 2a_2 x dx + a_4 dx).

    Torsion point: For P ∈ E, if nP = ∞, P is called an n-torsion point. The set of n-torsion points forms a subgroup of E, denoted by E[n].

    1.4 Elliptic Curves Over F_p

    Let p > 3 be a prime, and let a, b ∈ F_p (the field's characteristic is > 3) satisfy that the discriminant Δ = 4a^3 + 27b^2 ≠ 0 (a_1 = a_2 = a_3 = 0, a_4 = a and a_6 = b in the general Weierstrass equation), which defines an elliptic curve without singularity. The curve has the simple form y^2 = x^3 + ax + b with a, b ∈ F_p. Then an elliptic curve E(F_p) over F_p consists of the set of points {P = (x, y) | y^2 = x^3 + ax + b, x, y, a, b ∈ F_p} together with ∞ (infinity).

    1.5 Elliptic Curves Over F_{2^m}

    A (non-singular) elliptic curve E(F_{2^m}) over F_{2^m} defined by y^2 + xy = x^3 + ax^2 + b with a, b ∈ F_{2^m} and b ≠ 0 consists of the set of points {P = (x, y) | y^2 + xy = x^3 + ax^2 + b, x, y ∈ F_{2^m}} together with ∞ (infinity). (The curve could also be of the form y^2 + a_3 y = x^3 + a_4 x + a_6 with a_3, a_4, a_6 ∈ F_{2^m} and a_3 ≠ 0.)


    1.6 Addition Operation on E(F_p) and E(F_{2^m})

    The formal definition of addition in E(F) is as follows:

    P + ∞ = P. The inverse of P = (x, y) is

    −P = (x, −y) if P ∈ E(F_p),
    −P = (x, x + y) if P ∈ E(F_{2^m}).

    P + (−P) = ∞. For P(x_1, y_1) + Q(x_2, y_2) = (x_3, y_3), where P ≠ Q, x_1 ≠ x_2:

    x_3 = λ^2 − x_1 − x_2, y_3 = λ(x_1 − x_3) − y_1, where λ = (y_2 − y_1)/(x_2 − x_1), for P, Q ∈ E(F_p);
    x_3 = λ^2 + λ + x_1 + x_2 + a, y_3 = λ(x_1 + x_3) + x_3 + y_1, where λ = (y_2 + y_1)/(x_2 + x_1), for P, Q ∈ E(F_{2^m}).

    For P(x_1, y_1) with y_1 ≠ 0, 2P = P + P = (x_3, y_3). If y_1 = 0, 2P = ∞.

    x_3 = λ^2 − 2x_1, y_3 = λ(x_1 − x_3) − y_1, where λ = (3x_1^2 + a)/(2y_1), for P ∈ E(F_p);
    x_3 = λ^2 + λ + a, y_3 = λ(x_1 + x_3) + x_3 + y_1, where λ = x_1 + y_1/x_1, for P ∈ E(F_{2^m}).

    1.7 Some Basic Concepts and Facts

    1.7.1 Some Concepts

    The order of a point P ∈ E(F_q), where q = p or q = 2^m, is the smallest integer r such that rP = ∞. The order of the curve is the number of points of E(F), denoted by #E(F). Note: The curve order can be computed by Schoof's algorithm or its improvements, which is needed if one selects a random curve. Normally, choosing a and b so that the curve order has a large prime factor improves the security of the cryptographic scheme, so this is an important parameter for determining the system's security.

    1.7.2 Some Basic Facts

    Hasse's Theorem: #E(F_q) = q + 1 − t, where |t| ≤ 2√q. If q is a power of 2, then #E(F_q) is even. Specifically, #E(F_q) ≡ 0 (mod 4) if Tr(a) = 0, and #E(F_q) ≡ 2 (mod 4) if Tr(a) = 1. Tr(·) is the linear map from F_{2^m} to F_2:

    Tr(a) = Σ_{i=0}^{m−1} a^{2^i}.


    E(F_q) is an Abelian group of rank 1 or 2, which means E(F_q) is isomorphic to Z_{n_1} ⊕ Z_{n_2}, where n_1 divides both n_2 and q − 1. If q is a power of 2 and P = (x, y) ∈ E(F_q) has odd order, then the x-coordinate of kP for every integer k has the same trace as the coefficient a (Tr((kP)_x) = Tr(a)). This property can be used to compress the representation of points.

    1.8 Discrete Logarithm Problem on Elliptic Curves

    ECDLP: Given two points P, Q ∈ E(F_q) on an elliptic curve, the ECDLP is to determine the integer k satisfying Q = kP, where P has order n, provided that such a k with 0 ≤ k ≤ n − 1 exists.

    Note: The Pohlig-Hellman algorithm reduces the computation of k to computing k modulo each prime factor of n, so if n is a large prime the ECDLP becomes harder. In practice, one must select an elliptic curve that has a point (the base point G) of large prime order n, with #E(F_q) = n · h, where h is a small integer.

    Note: To date, the most efficient general algorithm for the ECDLP is Pollard's ρ, which has running time √(πn)/(2r), where r is the number of parallel processors. Special curves have faster algorithms for the ECDLP:

    Supersingular elliptic curves: The MOV attack on elliptic curves shows that the ECDLP can be reduced to the classical discrete logarithm problem in some extension field F_{q^k}, for some integer k (k is called the embedding degree or MOV degree). The MOV attack is only practical when k is small. For supersingular elliptic curves, k ≤ 6. Note: Normally, randomly selected elliptic curves have k > log_2 q. But to avoid the MOV attack, one should check that n, the largest prime factor of the curve order, does not divide q^k − 1 for all small k for which the discrete logarithm problem is tractable in F_{q^k}. In practice, this check is done for all k with 1 ≤ k ≤ 30. On the other hand, by sacrificing the speed of the group operation, we can use supersingular curves with larger q but small k to achieve the required security, for example with a 512-bit prime q and k = 2. The recently developed pairing-based cryptosystems make use of the properties of supersingular curves while meeting the security requirement.

    Prime-field anomalous curves: If #E(F_p) = p, there is a polynomial-time algorithm solving the ECDLP by lifting the curve and the points to Z_p.

    Binary composite finite fields: Suppose that E is an elliptic curve defined over the composite finite field F_{2^m}, where m = r · s. The complexity of the ECDLP is smaller than that of Pollard's ρ algorithm on a significant portion of elliptic curves over F_{2^{4s}}. But this attack does not apply to F_{2^m} where m is prime.


    1.9 Approaches to Look for a Curve of Nearly Prime Order

    Because #E(F_q) has a great impact on the security of elliptic curve cryptosystems, it is important to find approaches to determine the curve order. We can use complex multiplication to generate curves dynamically, and use Schoof's algorithm or its descendants to determine the curve order.


    Chapter 2

    ECC in Practice

    2.1 ECC Domain Parameters

    Elliptic curve parameters over the finite field F_p or F_{2^m} can be described by one septuple:

    T = (q, FR, a, b, G, n, h)

    q: the prime p or 2^m that defines the field and at the same time decides the curve form;
    FR: the field representation, i.e., which method is used to represent the elements of the field (polynomial basis, normal basis or subfield basis for F_{2^m}; Montgomery residue for F_p);
    a, b: the curve coefficients, depending on the security requirement;
    G: the base point, G = (G_x, G_y), an element of E(F_q) which has the largest order n;
    n: the order of G, a large prime; N = #E(F_q) is divisible by n;
    h: #E(F_q)/n.

    2.2 ECC System Setup

    Setting up an elliptic curve cryptosystem requires some basic choices, as follows:

    An underlying field F_q, where q = p, q = 2^m or q = p^m, with p prime and greater than 3;
    A representation of the finite field elements (polynomial basis, normal basis or subfield basis for F_{2^m}; Montgomery residue for F_p);
    Algorithms implementing the operations in the field;
    An appropriate elliptic curve (selecting a and b);
    Algorithms implementing the elliptic curve operations, i.e., point addition, scalar multiplication and inverse (window methods in affine or projective coordinates);
    An elliptic curve cryptography protocol (ECDSA, ECDH, ...).

    There are some other requirements on the parameters to defend against certain types of attack:

    #E(F_q) should have a sufficiently large prime factor n to resist the parallelized Pollard ρ attack;
    #E(F_q) ≠ q, to resist the Semaev, Smart and Satoh-Araki attacks on anomalous curves;
    n does not divide q^k − 1 for 1 ≤ k ≤ 30, to resist the MOV attack. This requirement is not inevitable: we can choose a larger q instead of a large k to achieve security as well. However, a large q will slow down the group operations;
    If choosing F_{2^m}, m should be prime to resist some attacks on elliptic curves over F_{2^m} where m is composite (subfield basis).

    2.3 Key Generation

    For a public key scheme, the first step is to generate the public and private key pair. Key generation: With the domain parameters (q, FR, a, b, G, n, h), to generate a key pair the entity does the following:

    1. Select a random integer d from the interval [1, n − 1];
    2. Compute Q = dG.

    d is the private key, and Q is the public key.

    2.4 Public Key Validation

    When receiving another party's public key, the entity needs to take the following steps to validate the public key's legitimacy.

    1. Check that Q ≠ ∞;
    2. Check that Q_x, Q_y ∈ F_q, where Q_x and Q_y denote the x-coordinate and y-coordinate of the point Q;
    3. Check that Q lies on the elliptic curve defined by a and b;
    4. Check that nQ = ∞ (nQ = ndG = dnG = d∞ = ∞, because G's order is n).

    Public key validation without Step 4 is called partial public-key validation. Without Step 4, the entity could be attacked. However, we can carefully select h to reduce the threat.

    2.5 ECC Key Agreement Protocol

    2.5.1 Static ECDH Key Agreement Protocol

    In the elliptic curve Diffie-Hellman key agreement scheme, entity A does the following computation:

    1. Compute P = d_A Q_B;
    2. Check that P ≠ ∞ (very unlikely).

    The shared secret is x_P. For entity B, P = d_B Q_A = d_B d_A G = d_A d_B G = d_A Q_B. Note: Step 1 can also compute P as P = h d_A Q_B, which resists small-subgroup attacks.

    Note: This scheme is a key pre-distribution (or non-interactive key agreement): the resulting key is completely determined a priori by the initial keying material. A dynamic key distribution scheme can possibly be established as follows:

    1. A → B: r_A;
    2. B → A: r_B;
    3. A computes P = r_A r_B d_A Q_B;
    4. B computes P = r_A r_B d_B Q_A;
    5. Check that P ≠ ∞.

    Note: Obviously, the adversary can choose r_B such that r_A r_B ≡ 1 (mod n) to force entity A to establish P = d_A d_B G. Instead, in step 3 (resp. step 4), entity A (resp. entity B) can compute H(r_A ‖ r_B; d_A Q_B) (resp. H(r_A ‖ r_B; d_B Q_A)). There are many other authenticated key establishment protocols in the literature. One of the most famous is ECMQV.


    2.5.2 ECMQV Key Agreement Protocol

    1. A → B: X = r_A P;
    2. B → A: Y = r_B P;
    3. A computes S_A = (r_A + X̄_x d_A) mod n and establishes the key K = h S_A (Y + Ȳ_x Q_B);
    4. B computes S_B = (r_B + Ȳ_x d_B) mod n and establishes the key K = h S_B (X + X̄_x Q_A);

    where X̄_x is the first L bits of X_x with L = ⌈(⌊log_2 n⌋ + 1)/2⌉, and similarly for Ȳ_x.

    Note: ECMQV has some desirable security attributes, including key-compromise impersonation resilience and unknown key-share resilience (the unknown key-share resilience property has been demonstrated to be unachievable in this version of the protocol). The computation and communication overhead of the scheme are low.

    2.6 EC Public Key Cryptosystem

    In the following elliptic curve cryptosystems, we assume that entity A wants to send a message m to entity B securely.

    2.6.1 Basic Method

    Key generation: Entity B selects a random integer d_B from the interval [1, n − 1] as the private key, and publishes Q_B = d_B G as the public key. Encryption: Entity A selects a random integer k and sends the ciphertext (kG, (kQ_B)_x + m) to B.

    Decryption: Entity B decrypts the message by computing m + (kQ_B)_x − (d_B kG)_x = m + (k d_B G)_x − (d_B k G)_x = m.

    2.6.2 EC-KEM

    Key generation: Entity B selects a random integer d_B from the interval [1, n − 1] as his private key, and publishes Q_B = d_B G as the public key. Encryption:

    1. Select a random integer r from the interval [1, n − 1];
    2. Compute R = rG;
    3. Compute K = h r Q_B = (K_x, K_y), and check that K ≠ ∞;
    4. Compute k_1 ‖ k_2 = KDF(K_x);
    5. Compute c = ENC_{k_1}(m);
    6. Compute t = MAC_{k_2}(c).

    (R, c, t) is the ciphertext to B.

    Decryption:

    1. Perform a partial key validation on R;
    2. Compute K = h d_B R = h r d_B G = h r Q_B, and check that R ≠ ∞;
    3. Compute k_1 ‖ k_2 = KDF(K_x);
    4. Verify that t = MAC_{k_2}(c);
    5. Compute m = ENC^{−1}_{k_1}(c).

    Note: The random r introduces randomness into the secret key K; h is used to resist small-subgroup attacks, and R enables entity B to recover the secret key.

    Note: This is a key-encryption-message scheme. The encryption algorithm ENC and the message authentication code MAC could be any algorithms satisfying the security requirement, such as AES-128 and SHA-1 respectively. KDF is a key derivation function implemented using a hash function. Some KEMs compute k_1 ‖ k_2 = KDF(R ‖ K_x) instead. The whole scheme achieves very strong security (IND-CCA2). For more details, please refer to [4]. Another advantage of this scheme is that message embedding is not required.

    2.6.3 ElGamal Cryptosystem

    Key generation: a prime p and a generator g of Z_p^*; B's private key d_B and public key y_B = g^{d_B} mod p. Encryption:

    1. Select a random integer k from the interval [1, p − 1], and compute r = g^k mod p;
    2. Compute c = m y_B^k mod p.

    (r, c) is the ciphertext to B.

    Decryption: 1. m = c r^{−d_B} mod p, because c r^{−d_B} = m y_B^k r^{−d_B} = m g^{d_B k} g^{−d_B k} mod p = m mod p.

    Note: The message m ∈ Z_p.


    2.6.4 EC ElGamal Cryptosystem

    Key generation: Entity B selects a random integer d_B from the interval [1, n − 1] as his private key, and publishes Q_B = d_B G as the public key. Encryption:

    1. Represent the message m as a point M ∈ E(F_q);
    2. Select a random integer r from the interval [1, n − 1] and compute C_1 = rG;
    3. Compute C_2 = rQ_B + M.

    (C_1, C_2) is the ciphertext to B.

    Decryption:

    1. M = C_2 − d_B C_1, because C_2 − d_B C_1 = rQ_B + M − d_B rG = r d_B G + M − d_B r G = M;
    2. Recover the message m from the point M.

    Note: This scheme uses Q = rG to map an element of Z_n \ {0} to an element of E(F_q). In fact we can use another group isomorphism f: Z_n \ {0} → E(F_q) instead. We also need an injective map I: {0, 1}^{|m|} → E(F_q) and its inverse I^{−1} to map the message m to and from a point M in E(F_q) (the message embedding algorithm).

    2.6.5 Massey-Omura Cryptosystem

    Key generation: This scheme only needs the two entities to agree on an elliptic curve E over a finite field F_q. The entities need not publish public keys. Encryption:

    1. A represents the message m as a point M ∈ E(F_q);
    2. A chooses a secret integer r_A with gcd(r_A, N) = 1, computes M_1 = r_A M, and sends M_1 to B (N = #E(F_q));
    3. B chooses a secret integer r_B with gcd(r_B, N) = 1, computes M_2 = r_B M_1, and sends M_2 to A;
    4. A computes r_A^{−1} ∈ Z_N, M_3 = r_A^{−1} M_2, and sends M_3 to B.

    Decryption:

    1. B computes r_B^{−1} M_3 = r_B^{−1} r_A^{−1} r_B r_A M = M;
    2. B recovers the message m from the point M.

    Note: The scheme needs to map the message to a point on the curve.

    Note: Strictly speaking, this scheme is more like a key exchange protocol. The receiver has to be online to receive a message. Without further assumptions, the scheme is not secure.


    1. A represents the message m as a pair of integers (m_1, m_2) mod n and regards it as a point M on the elliptic curve E given by y^2 = x^3 + b mod n, where b = m_2^2 − m_1^3 mod n (A does not need to compute b, because the encryption operation does not involve b);
    2. A adds M to itself e_B times on E to obtain C = (c_1, c_2) = e_B M.

    C = (c_1, c_2) is the ciphertext of message m to B.

    Decryption: B computes d_B C = M on E to obtain M.

    Note: First, an element (x, y) of E(Z_n) can be represented as a pair (x_p, y_p), (x_q, y_q) on E(F_p) and E(F_q) respectively, by the Chinese Remainder Theorem. Second, the operation on E(Z_n) is computed by the corresponding operations on E(F_p) and E(F_q), i.e., d(x, y) = (d(x_p, y_p), d(x_q, y_q)). Because of the choice of p and q, we have #E(F_p) = p + 1 and #E(F_q) = q + 1. So d_B C = d_B e_B M = (1 + k(p + 1))M = M + k(p + 1)M = M + ∞ = M on the curve over F_p, for some k ≥ 1. Similarly, on the curve over F_q we have d_B C = M. So d_B C = M on the curve over Z_n.

    2.7 EC Signature Protocol

    In the following elliptic curve signature schemes, we assume that entity A wants to sign a message m.

    2.7.1 DSA

    Key generation: primes q, p satisfying q | (p − 1); α, the generator of the unique cyclic subgroup of Z_p^* of order q (satisfying α = u^{(p−1)/q} mod p for some u ∈ Z_p^*, with α ≠ 1). A's private key d_A is a random integer from the interval [1, q − 1], and A's public key is y_A = α^{d_A} mod p. Signing scheme:

    1. Select a random integer k from the interval [1, q − 1];
    2. Compute k^{−1} mod q;
    3. Compute r = (α^k mod p) mod q;
    4. Compute s = k^{−1}{h(m) + d_A r} mod q. h is the hash function implemented using SHA-1: {0, 1}^* → F_q.

    (r, s) is A's signature of message m.

    Verifying scheme:

    1. Verify that 1 ≤ r ≤ q − 1 and 1 ≤ s ≤ q − 1;
    2. Compute h(m) and w = s^{−1} mod q;
    3. Compute u_1 = h(m) w mod q and u_2 = r w mod q;
    4. Compute v = (α^{u_1} y_A^{u_2} mod p) mod q;
    5. Accept if and only if v = r.

    Consistency: h(m) = (ks − d_A r) mod q; h(m) w = (k − d_A r w) mod q; u_1 + d_A u_2 = (k − d_A r w) + d_A r w = k mod q; (α^{u_1} y_A^{u_2} mod p) mod q = (α^{u_1 + d_A u_2} mod p) mod q = (α^k mod p) mod q, because of the way p, q and α are chosen.

    Note: Some suggest using h(r, m) in place of h(m), where h(r, m) is the hash function F_q × {0, 1}^* → F_q.

    2.7.2 ECDSA

    Key generation: Entity A selects a random integer d_A from the interval [1, n − 1] as the private key, and publishes Q_A = d_A G as the public key.

    Signing scheme:

    1. Select a random integer k from the interval [1, n − 1];
    2. Compute kG = (x_1, y_1) and r = x_1 mod n. If r = 0 go to step 1;
    3. Compute k^{−1} mod n;
    4. Compute e = h(m), where h is a hash function implemented using SHA-1: {0, 1}^* → F_n;
    5. Compute s = k^{−1}{e + d_A r} mod n. If s = 0 go to step 1.

    (r, s) is A's signature of message m.

    Verifying scheme:

    1. Verify that r and s are integers in [1, n − 1];
    2. Compute e = h(m);
    3. Compute w = s^{−1} mod n;
    4. Compute u_1 = ew mod n and u_2 = rw mod n;
    5. Compute u_1 G + u_2 Q_A = (x_1, y_1);
    6. Compute v = x_1 mod n;
    7. Accept the signature if and only if v = r.

    Consistency: u_1 G + u_2 Q_A = u_1 G + u_2 d_A G = (u_1 + u_2 d_A)G. If (u_1 + u_2 d_A) = k mod n then the scheme is correct, because n is the order of G. e = ks − d_A r mod n; u_1 + d_A u_2 = ew + d_A r w = e s^{−1} + d_A r w = k − d_A r w + d_A r w = k mod n.

    Note: Some suggest using h(r, m) in place of h(m), where h(r, m) is the hash function F_n × {0, 1}^* → F_n.
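The curve arithmetic of Section 1.6, the full public-key validation of Section 2.4, the cofactor ECDH of Section 2.5.1 and the ECDSA signing and verifying steps above, worked through in one added Python example (not code from the tutorial). The curve y^2 = x^3 + 2x + 2 over F_17, the base point G = (5, 1) of order 19 and all function names are my constructed toy parameters; SHA-256 stands in for the SHA-1 the tutorial names.

```python
# Toy E(F_p) arithmetic (Section 1.6), public-key validation (2.4), static ECDH (2.5.1)
# and ECDSA (2.7.2) on a curve small enough to check every value by hand.
# Added example, not code from the tutorial; all names and parameters are constructed.
import hashlib
import secrets

# Constructed toy domain parameters (q, FR, a, b, G, n, h): y^2 = x^3 + 2x + 2 over F_17.
# E(F_17) has 19 points (prime), so G = (5, 1) has order n = 19 and the cofactor is h = 1.
P, A, B = 17, 2, 2
G = (5, 1)
N = 19
H = 1
INF = None  # the point at infinity

def inv_mod(x, m):
    return pow(x, -1, m)  # modular inverse, Python 3.8+

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Chord-and-tangent addition over F_p with the lambda of Section 1.6."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:  # Q = -P, or doubling a point with y = 0
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (not constant time; demo only)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def curve_order():
    """Brute-force #E(F_p); feasible only for a toy p. Hasse: |#E - (p + 1)| <= 2*sqrt(p)."""
    return 1 + sum(is_on_curve((x, y)) for x in range(P) for y in range(P))

def validate_public_key(Q):
    """Full validation of Section 2.4: Q != INF, coordinates in F_q, on the curve, nQ = INF."""
    if Q is INF or not all(0 <= c < P for c in Q) or not is_on_curve(Q):
        return False
    return mul(N, Q) is INF  # step 4 rejects small-subgroup points when h > 1

def ecdh_shared(d_own, Q_peer):
    """Static ECDH (2.5.1) with the cofactor variant P = h*d*Q_peer; the secret is x_P."""
    if not validate_public_key(Q_peer):
        raise ValueError("peer public key failed validation")
    S = mul(H * d_own, Q_peer)
    if S is INF:
        raise ValueError("shared point is the point at infinity")
    return S[0]

def hash_to_int(msg):
    # e = h(m) taken into Z_n; SHA-256 assumed here in place of the SHA-1 the tutorial names
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k=None):
    """ECDSA signing; k may be fixed for a reproducible test, otherwise it is fresh per call."""
    e = hash_to_int(msg)
    while True:
        if k is None:
            k = secrets.randbelow(N - 1) + 1  # step 1: k in [1, n-1]
        R = mul(k, G)
        r = R[0] % N if R is not INF else 0  # step 2
        s = inv_mod(k, N) * (e + d * r) % N if r else 0  # steps 3-5
        if r and s:
            return r, s
        k = None  # r = 0 or s = 0: back to step 1 with a new k

def verify(Q, msg, sig):
    r, s = sig
    if not (1 <= r <= N - 1 and 1 <= s <= N - 1):  # step 1
        return False
    if not validate_public_key(Q):  # never use an unvalidated key
        return False
    e, w = hash_to_int(msg), inv_mod(s, N)  # steps 2-3
    u1, u2 = e * w % N, r * w % N  # step 4
    R = add(mul(u1, G), mul(u2, Q))  # step 5
    return R is not INF and R[0] % N == r  # steps 6-7
```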

    2.7.3 ElGamal Digital Signature Scheme

    Key generation: the prime p, a generator g of Z_p^*, A's private key d_A, a random integer from the interval [1, p − 1], and her public key y_A = g^{d_A} mod p. Signing scheme:

    1. Select a random integer k from the interval [1, p − 1] satisfying gcd(k, p − 1) = 1;
    2. Compute k^{−1} mod (p − 1);
    3. Compute r = g^k mod p;
    4. Compute s = k^{−1}{h(m) − d_A r} mod (p − 1). h is the hash function {0, 1}^* → Z_p.

    (r, s) is A's signature of message m.

    Verifying scheme:

    1. Verify that 1 ≤ r ≤ p − 1;
    2. Compute v_1 = y_A^r r^s mod p;
    3. Compute h(m) and v_2 = g^{h(m)} mod p;
    4. Accept if and only if v_1 = v_2.

    Verifying theorem: y_A^r r^s mod p = g^{d_A r} g^{ks} mod p = g^{ks + d_A r} mod p = g^{h(m)} mod p, because s = k^{−1}{h(m) − d_A r} mod (p − 1) ⇒ h(m) = ks + d_A r mod (p − 1). This is based on the theorem a^j ≡ a^k mod p when j ≡ k mod (p − 1).


    2.7.4 EC ElGamal Signature Scheme

Key generation: Entity A selects a random integer $d_A$ from the interval $[1, n-1]$ as her private key, and publishes $Q_A = d_A G$ as her public key.

Signing scheme

1. Select a random integer $k$ from the interval $[1, n-1]$;
2. Compute $R = kG = (x_1, y_1)$ and $r = x_1 \bmod n$; if $r = 0$ then goto step 1;
3. Compute $e = h(m)$, where $h$ is a hash function $\{0,1\}^* \to F_n$;
4. Compute $s = k^{-1}(e + d_A r) \bmod n$. If $s = 0$ then goto step 1.

$(R, s)$ is A's signature of message $m$.

Verifying scheme

1. Verify that $s$ is an integer in $[1, n-1]$ and that $R = (x_1, y_1)$ is a point of $E(F_q)$ other than the point at infinity;
2. Compute $V_1 = sR$;
3. Compute $V_2 = h(m)G + rQ_A$, where $r = x_1 \bmod n$;
4. Accept if and only if $V_1 = V_2$.

Consistency: $V_1 = sR = skG = ((h(m) + d_A r) \bmod n)G$ and $V_2 = h(m)G + rQ_A = (h(m) + r d_A)G$. Because the order of $G$ is $n$, $kG = jG$ whenever $j \equiv k \pmod n$, so $V_1 = V_2$.

Note: The signing algorithm of this EC ElGamal scheme looks very similar to ECDSA. However, in ECDSA $r$ is part of the signature, while here the whole point $R$ is part of the signature, and $R$ cannot in general be recovered from $r$ alone (when $q \neq n$ several $x$-coordinates reduce to the same $r$, and each $x$ has two candidate $y$). Hence the two verifying algorithms are significantly different: ECDSA needs an inversion modulo $n$, whereas this scheme checks the point equation $sR = h(m)G + rQ_A$ directly.

Note: Some suggest using $h(r, m)$ in place of $h(m)$, where $h(r, m)$ is a hash function $F_n \times \{0,1\}^* \to F_n$.

2.7.5 Schnorr Signature Scheme

Key generation: primes $q$ and $p$ satisfying $q \mid (p-1)$, and $\alpha$ a generator of the unique cyclic subgroup of order $q$ of $\mathbb{Z}_p^*$ (take any $u \in \mathbb{Z}_p^*$ and set $\alpha = u^{(p-1)/q} \bmod p$, repeating with a new $u$ if $\alpha = 1$). A's private key $d_A$ is a random integer from the interval $[1, q-1]$, and her public key is $y_A = \alpha^{d_A} \bmod p$.

Signing scheme

1. Select a random integer $k$ from the interval $[1, q-1]$;


2. Compute $r = \alpha^k \bmod p$, $e = h(m \,\|\, r)$ and $s = d_A e + k \bmod q$, where $h$ is a hash function $\{0,1\}^* \to \mathbb{Z}_q$ and $\|$ denotes concatenation.

$(s, e)$ is A's signature of message $m$.

Verifying scheme

1. Compute $v = \alpha^s y_A^{-e} \bmod p$ and $e' = h(m \,\|\, v)$;
2. Accept if and only if $e = e'$.

Consistency: $v = \alpha^s y_A^{-e} \bmod p = \alpha^{d_A e + k - d_A e} \bmod p = \alpha^k \bmod p = r$, so $e' = h(m \,\|\, r) = e$.
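The ElGamal (2.7.3) and Schnorr (2.7.5) schemes above, as an added Python example that is not code from this tutorial. The group parameters are toy sized and constructed in the code: $q$ is the Mersenne prime $2^{31}-1$ and $p$ is the first prime of the form $kq+1$, so $q \mid (p-1)$ as Schnorr requires; SHA-256 reduced modulo $p$ (resp. $q$) plays the role of $h$. The primality test is trial division, which is only acceptable at these sizes; real deployments use $p$ of 2048 bits or more and a proper parameter generator.

```python
# Added example (not from the tutorial): ElGamal (2.7.3) and Schnorr (2.7.5)
# signatures over a toy prime field with constructed parameters.
import hashlib
import math
import secrets

def is_prime(x):
    """Trial division: fine for the ~2^33 toy sizes here, never for real parameters."""
    if x < 2:
        return False
    if x % 2 == 0:
        return x == 2
    return all(x % f for f in range(3, math.isqrt(x) + 1, 2))

def prime_factors(x):
    """Set of distinct prime factors of x (trial division)."""
    fs, f = set(), 2
    while f * f <= x:
        while x % f == 0:
            fs.add(f)
            x //= f
        f += 1
    return fs | {x} if x > 1 else fs

q = 2 ** 31 - 1                                           # Mersenne prime M31
p = next(c for c in range(2 * q + 1, 1000 * q, q) if is_prime(c))   # q | p - 1
PB = (p.bit_length() + 7) // 8                            # bytes per group element

def full_generator():
    """Smallest g generating Z_p^*: g^((p-1)/f) != 1 for every prime f | p-1."""
    factors = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // f, p) != 1 for f in factors):
            return g

def subgroup_generator():
    """alpha = u^((p-1)/q) mod p with alpha != 1 generates the order-q subgroup."""
    for u in range(2, p):
        alpha = pow(u, (p - 1) // q, p)
        if alpha != 1:
            return alpha

g = full_generator()            # ElGamal works in all of Z_p^*
alpha = subgroup_generator()    # Schnorr works in the subgroup of order q

def h_mod(data, modulus):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

# --- ElGamal signature (2.7.3) ---
def elgamal_keygen():
    d = secrets.randbelow(p - 2) + 1                      # dA in [1, p-2]
    return d, pow(g, d, p)

def elgamal_sign(d, m):
    while True:
        k = secrets.randbelow(p - 2) + 1
        if math.gcd(k, p - 1) != 1:                       # k^-1 mod (p-1) must exist
            continue
        r = pow(g, k, p)
        s = pow(k, -1, p - 1) * (h_mod(m, p) - d * r) % (p - 1)
        if s:                                             # retry on s = 0
            return r, s

def elgamal_verify(y, m, sig):
    r, s = sig
    if not (1 <= r <= p - 1 and 1 <= s < p - 1):        # r range check is essential
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, h_mod(m, p), p)

# --- Schnorr signature (2.7.5) ---
def schnorr_keygen():
    d = secrets.randbelow(q - 1) + 1                      # dA in [1, q-1]
    return d, pow(alpha, d, p)

def schnorr_sign(d, m):
    k = secrets.randbelow(q - 1) + 1
    r = pow(alpha, k, p)
    e = h_mod(m + r.to_bytes(PB, "big"), q)               # e = h(m || r)
    return (d * e + k) % q, e                             # signature (s, e)

def schnorr_verify(y, m, sig):
    s, e = sig
    if not (0 <= s < q and 0 <= e < q):
        return False
    v = pow(alpha, s, p) * pow(y, q - e, p) % p           # y^-e = y^(q-e) as y^q = 1
    return e == h_mod(m + v.to_bytes(PB, "big"), q)
```

Importing the module builds the parameters once (a fraction of a second at this size); `elgamal_sign` retries until $\gcd(k, p-1) = 1$ and $s \neq 0$, and `elgamal_verify` enforces the $1 \le r \le p-1$ check the text lists. Because $y_A$ has order $q$, Schnorr verification computes $y_A^{-e}$ as $y_A^{q-e}$ and needs no modular inversion.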

    2.7.6 EC Schnorr Signature Scheme

Key generation: Entity A selects a random integer $d_A$ from the interval $[1, n-1]$ as her private key, and publishes $Q_A = d_A G$ as her public key.

Signing scheme

1. Select a random integer $k$ from the interval $[1, n-1]$;
2. Compute $R = kG = (x_1, y_1)$, $r = x_1 \bmod n$ and $e = h(r, m)$, where $h(r, m)$ is a hash function $F_q \times \{0,1\}^{|m|} \to F_n$. If $e = 0$ then goto step 1;
3. Compute $w = k + d_A e \bmod n$; if $w = 0$ then goto step 1.

$(e, w)$ is A's signature of message $m$.

Verifying scheme

1. Verify that $e$ and $w$ are in the interval $[1, n-1]$;
2. Compute $V = wG - eQ_A = (x_1', y_1')$, $r' = x_1' \bmod n$ (just $x_1'$ itself if $x_1' < n$) and $e' = h(r', m)$; reject if $V$ is the point at infinity;
3. Accept if and only if $e = e'$.

Consistency: $V = wG - eQ_A = (k + d_A e)G - e d_A G = kG = R$, so $r' = r$ and $e' = e$.
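The three EC signature schemes of this chapter (ECDSA from 2.7.2, EC ElGamal from 2.7.4 and EC Schnorr from 2.7.6), as one added Python example that is not part of this tutorial. It uses the published secp256k1 domain parameters as the curve and base point; SHA-256 reduced mod $n$ stands in for the hash $h$ (the tutorial names SHA-1); the point arithmetic is plain affine double-and-add and is not constant time, so it is for study only. It also carries the nonce caveat from the ECDSA section: `ecdsa_recover_key` shows that two ECDSA signatures made with the same $k$ give away $d_A$.

```python
# Added example (not from the tutorial): ECDSA (2.7.2), EC ElGamal (2.7.4) and
# EC Schnorr (2.7.6) on secp256k1, plus key recovery from a reused ECDSA nonce.
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_p, base point G of prime order n
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def on_curve(P):
    return P is None or (P[1] ** 2 - P[0] ** 3 - a * P[0] - b) % p == 0

def neg(P):
    return None if P is None else (P[0], -P[1] % p)

def add(P, Q):
    """Affine chord-and-tangent addition; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    if P[0] == Q[0] and (P[1] != Q[1] or P[1] == 0):
        return None                                       # P + (-P) = O
    if P == Q:
        lam = (3 * P[0] ** 2 + a) * pow(2 * P[1], -1, p) % p
    else:
        lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % p, -1, p) % p
    x3 = (lam * lam - P[0] - Q[0]) % p
    return x3, (lam * (P[0] - x3) - P[1]) % p

def mul(k, P):
    """Double-and-add scalar multiplication (not constant time: demo only)."""
    R = None
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def H(*parts):
    """h: {0,1}* -> F_n. SHA-256 reduced mod n stands in for the tutorial's SHA-1."""
    data = b"".join(x.to_bytes(32, "big") if isinstance(x, int) else x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rand_k():
    return secrets.randbelow(n - 1) + 1                   # uniform in [1, n-1]

# ECDSA: signature (r, s); k must be secret and fresh for every signature
def ecdsa_sign(d, m, k=None):
    k = k or rand_k()
    r = mul(k, G)[0] % n
    s = pow(k, -1, n) * (H(m) + d * r) % n
    assert r and s, "r or s is 0: sign again with a new k"   # probability ~2^-256
    return r, s

def ecdsa_verify(Q, m, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n and on_curve(Q)):
        return False
    w = pow(s, -1, n)
    P = add(mul(H(m) * w % n, G), mul(r * w % n, Q))      # u1*G + u2*Q
    return P is not None and P[0] % n == r

def ecdsa_recover_key(m1, sig1, m2, sig2):
    """Equal r in two signatures means the same k was used: solve for k, then d."""
    (r, s1), (_, s2) = sig1, sig2
    k = (H(m1) - H(m2)) * pow((s1 - s2) % n, -1, n) % n
    return (s1 * k - H(m1)) * pow(r, -1, n) % n

# EC ElGamal: signature (R, s) carries the whole point R = kG
def ecelgamal_sign(d, m, k=None):
    k = k or rand_k()
    R = mul(k, G)
    return R, pow(k, -1, n) * (H(m) + d * (R[0] % n)) % n

def ecelgamal_verify(Q, m, sig):
    R, s = sig
    if R is None or not on_curve(R) or not 1 <= s < n:
        return False
    return mul(s, R) == add(mul(H(m), G), mul(R[0] % n, Q))   # sR == h(m)G + rQ

# EC Schnorr: signature (e, w) with e = h(r, m); verifier recomputes V = wG - eQ
def ecschnorr_sign(d, m, k=None):
    k = k or rand_k()
    e = H(mul(k, G)[0] % n, m)
    return e, (k + d * e) % n

def ecschnorr_verify(Q, m, sig):
    e, w = sig
    if not (1 <= e < n and 1 <= w < n):
        return False
    V = add(mul(w, G), neg(mul(e, Q)))
    return V is not None and H(V[0] % n, m) == e
```

Usage: `d = rand_k(); Q = mul(d, G)` gives a key pair; `ecdsa_verify(Q, m, ecdsa_sign(d, m))` returns `True`, and `ecdsa_recover_key(m1, ecdsa_sign(d, m1, k), m2, ecdsa_sign(d, m2, k))` returns `d` for any fixed `k`, which is exactly why the `k` parameter should never be supplied outside a demonstration. The EC ElGamal verifier compares two points and never inverts modulo $n$, while the EC Schnorr verifier negates $eQ_A$ by negating its $y$-coordinate.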


    2.8 Point Compression

How to represent a point $P = (x, y)$?

1. Drop the $y$ coordinate. This creates ambiguity, as it is a 2:1 map: $x$ determines $y^2$, hence $y$ only up to sign.
2. Drop the $x$ coordinate. This creates ambiguity, as it is up to a 3:1 map: $y$ determines a cubic in $x$ with up to three roots.
3. Represent $P$ as $(x, 0)$ if $y \in \{0, 1, \ldots, \frac{q-1}{2}\}$, otherwise as $(x, 1)$. For odd $q$ the two candidates $y$ and $q - y$ lie on different sides of $\frac{q-1}{2}$, so one bit suffices; only when $P$ is a 2-torsion point does the representation introduce ambiguity. Standards such as SEC 1 use the parity of $y$ as the bit instead, which separates $y$ from $q - y$ equally well.

Note: With this representation the system must recover $y$ every time a point is used, at the cost of a modular square root in $F_q$.

    2.9 Message Embedding

The method proposed by Koblitz represents a message as a point on an elliptic curve. Suppose $E$ is an elliptic curve given by $y^2 = x^3 + Ax + B$ over a field $F_q$ where $q$ is a large prime. Use the following steps to map a message $m$ to a point on the curve.

1. Treat $m$ as an element of $F_q$ and let $x$ have the value of $m$.
2. Compute $\alpha = x^3 + Ax + B \bmod q$.
3. Find a square root of $\alpha \bmod q$.
   (a) Compute $\beta = \alpha^{(q-1)/2} \bmod q$ (the Legendre symbol of $\alpha$).
   (b) If $\beta = -1$, i.e. $\alpha$ is not a square, set $x = x + 1$ and goto step 2.
   (c) Compute a square root $\beta$ of $\alpha$ using one of the following methods.
      i. If $q \equiv 3 \pmod 4$, compute $u = (q-3)/4$ and set $\beta = \alpha^{u+1} \bmod q$.
      ii. If $q \equiv 5 \pmod 8$, compute $u = (q-5)/8$, $\gamma = (2\alpha)^u \bmod q$, $i = 2\alpha\gamma^2 \bmod q$ and set $\beta = \alpha\gamma(i-1) \bmod q$.
      iii. If $q \equiv 1 \pmod 8$, please refer to [1].
4. If the right-most bit of $\beta$ equals $x \bmod 2$, then set $y = \beta$. Otherwise, set $y = q - \beta$.
5. Output the point $(x, y)$.

Note: Because step 3(b) may increment $x$, the receiver cannot distinguish the embedding of $m$ from that of $m + 1$ as written above. Koblitz's construction avoids this by fixing an integer $K$ and trying $x = mK + j$ for $j = 0, 1, \ldots, K-1$; the probability that all $K$ trials fail is about $2^{-K}$, and $m = \lfloor x / K \rfloor$ is recovered from the point. For other curves, please refer to [1].
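Point compression (2.8) and the embedding procedure (2.9) as an added Python example, not the tutorial's code. `sqrt_mod` implements the $q \equiv 3 \pmod 4$ and $q \equiv 5 \pmod 8$ shortcuts from step 3(c) and goes beyond the text by handling the remaining $q \equiv 1 \pmod 8$ case with the Tonelli-Shanks algorithm. The embedding uses Koblitz's $x = mK + j$ form so the message can be recovered, and applies the text's step 4 rule for choosing between $\beta$ and $q - \beta$; the curve $y^2 = x^3 + x + 1$ over $F_{1013}$ and $K = 20$ are constructed toy parameters.

```python
# Added example (not from the tutorial): point compression (2.8) and Koblitz
# message embedding (2.9). Toy parameters, constructed for illustration only.

def legendre(alpha, q):
    """alpha^((q-1)/2) mod q: 1 for a non-zero square, q-1 (i.e. -1) for a non-square."""
    return pow(alpha, (q - 1) // 2, q)

def sqrt_mod(alpha, q):
    """A square root of alpha modulo the odd prime q, or None if alpha is a non-square."""
    alpha %= q
    if alpha == 0:
        return 0
    if legendre(alpha, q) != 1:
        return None
    if q % 4 == 3:                                   # step 3(c)i
        u = (q - 3) // 4
        return pow(alpha, u + 1, q)                  # alpha^((q+1)/4)
    if q % 8 == 5:                                   # step 3(c)ii (Atkin)
        u = (q - 5) // 8
        gamma = pow(2 * alpha, u, q)
        i = 2 * alpha * gamma * gamma % q
        return alpha * gamma * (i - 1) % q
    # q = 1 mod 8: Tonelli-Shanks. Write q - 1 = t * 2^s with t odd.
    s, t = 0, q - 1
    while t % 2 == 0:
        s, t = s + 1, t // 2
    z = next(z for z in range(2, q) if legendre(z, q) == q - 1)   # any non-square
    c, r, w, m = pow(z, t, q), pow(alpha, (t + 1) // 2, q), pow(alpha, t, q), s
    while w != 1:                                    # invariant: r^2 = alpha * w
        i, w2 = 1, w * w % q
        while w2 != 1:                               # least i with w^(2^i) = 1
            i, w2 = i + 1, w2 * w2 % q
        b = pow(c, 1 << (m - i - 1), q)
        r, c, w, m = r * b % q, b * b % q, w * b * b % q, i
    return r

def compress(P, q):
    """(x, bit): bit 0 if y <= (q-1)/2, else 1, as in option 3 of Section 2.8."""
    x, y = P
    return x, 0 if y <= (q - 1) // 2 else 1

def decompress(xb, q, A, B):
    """Recover (x, y) from (x, bit); costs one modular square root."""
    x, bit = xb
    y = sqrt_mod(x ** 3 + A * x + B, q)
    if y is None:
        return None                                  # not the x of any curve point
    if (y > (q - 1) // 2) != (bit == 1):
        y = (q - y) % q                              # take the other root
    return x, y

def embed(m, K, q, A, B):
    """Koblitz: try x = mK + j, j = 0..K-1, until x^3 + Ax + B is a square mod q."""
    if not 0 <= m < q // K:
        raise ValueError("message too large for this curve and K")
    for j in range(K):
        x = m * K + j
        beta = sqrt_mod(x ** 3 + A * x + B, q)
        if beta is None:
            continue                                 # step 3(b): try the next x
        # step 4 of the text: pick the root whose low bit agrees with x mod 2
        y = beta if (beta & 1) == (x & 1) else (q - beta) % q
        return x, y
    return None                                      # all K trials failed: ~2^-K

def unembed(P, K):
    return P[0] // K                                 # j < K is discarded

if __name__ == "__main__":
    q, A, B, K = 1013, 1, 1, 20                      # constructed toy curve
    P = embed(42, K, q, A, B)
    print(P, unembed(P, K), compress(P, q), decompress(compress(P, q), q, A, B))
```

`sqrt_mod` returns `None` rather than a wrong value when $\alpha$ is a non-square, which is what `embed` relies on to move to the next $x$; `decompress` returns `None` for an $x$ that is not on the curve, a check a receiver of compressed points should not skip.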
