Understanding Cryptography

by Christof Paar and Jan Pelzl

www.crypto-textbook.com

Chapter 9 – Elliptic Curve Cryptography

ver. February 2nd, 2015

These slides were prepared by Tim Güneysu, Christof Paar and Jan Pelzl
 !  Some legal stuff (sorry): Terms of Use

•  The slides can be used free of charge. All copyrights for the slides remain with
Christof Paar and Jan Pelzl.
•  The title of the accompanying book “Understanding Cryptography” by Springer
and the author’s names must remain on each slide.
•  If the slides are modified, appropriate credits to the book authors and the book
title must remain within the slides.
•  It is not permitted to reproduce parts or all of the slides in printed form
whatsoever without written consent by the authors.

2/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

3/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

4/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Motivation

§  Problem:
Asymmetric schemes like RSA and Elgamal require exponentiations in integer rings and
fields with parameters of more than 1000 bits.
§  High computational effort on CPUs with 32-bit or 64-bit arithmetic
§  Large parameter sizes critical for storage on small and embedded
§  Motivation:
Smaller field sizes providing equivalent security are desirable
§  Solution:
Elliptic Curve Cryptography uses a group of points (instead of integers) for cryptographic
schemes with coefficient sizes of 160-256 bits, reducing significantly the computational
effort.

5/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

6/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves

•  Elliptic curves are polynomials that define points

based on the (simplified) Weierstraß equation:

y2 = x3 + ax + b

for parameters a,b that specify the exact shape

of the curve

•  On the real numbers and with parameters

a, b ∈ R, an elliptic curve looks like this à

•  Elliptic curves can not just be defined over the

real numbers R but over many other types of
finite fields.

Example: y2 = x3 −3x+3 over R

7/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves (ctd.)

§  In cryptography, we are interested in elliptic curves

module a prime p: ∈

Definition: Elliptic Curves over prime fields

The elliptic curve over Zp, p>3 is the set of all

pairs (x,y) ∈ Zp which fulfill
y2 = x3 + ax + b mod p
together with an imaginary point of infinity θ,
where a,b ∈ Zp and the condition
4a3+27b2 ≠ 0 mod p.

§  Note that Zp = {0,1,…, p -1} is a set of integers

with modulo p arithmetic

8/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves (ctd.)

§  Some special considerations are required to convert

elliptic curves into a group of points ∈

§  In any group, a special element is required to

allow for the identity operation, i.e.,
given P ∈E: P + θ = P = θ + P
§  This identity point (which is not on the curve) is
P
additionally added to the group definition
point at
§  This (infinite) identity point is denoted by θ infinity

θ
§  Elliptic Curve are symmetric along the x-axis
§  Up to two solutions y and -y exist for each
quadratic residue x of the elliptic curve
-P
§  For each point P =(x,y), the inverse or negative
point is defined as -P =(x,-y)

9/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves (ctd.)

§  Generating a group of points on elliptic curves

based on point addition operation P+Q = R, i.e.,
(xP,yP)+(xQ,yQ) = (xR,yR)
Point Addition
§  Geometric Interpretation of point addition operation
§  Draw straight line through P and Q; if P=Q use
tangent line instead
§  Mirror third intersection point of drawn line with
the elliptic curve along the x-axis
§  Elliptic Curve Point Addition and Doubling Formulas

x3 = s2 −x1−x2 mod p and y3 = s(x1 −x3)−y1 mod p

Point Doubling

where
y 2 − y1
mod p ; if P ≠ Q (point addition)
x 2 − x1
s=
3x12 + a =P+P

mod p ; if P = Q (point doubling)
2 y1

10/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves (ctd.)

§  Example: Given E: y2 = x3+2x+2 mod 17 and point P=(5,1)

Goal: Compute 2P = P+P = (5,1)+(5,1)= (x3,y3)

3x12 + a
s= = (2 · 1)−1(3 · 52 + 2) = 2−1 · 9 ≡ 9 · 9 ≡ 13 mod 17
2 y1

x3 = s2 − x1 − x2 = 132 − 5 − 5 = 159 ≡ 6 mod 17

y3 = s(x1−x3) − y1 = 13(5 − 6) − 1= −14 ≡ 3 mod 17

Finally 2P = (5,1) + (5,1) = (6,3)

11/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Computations on Elliptic Curves (ctd.)

§  The points on an elliptic curve and the point at infinity θ form cyclic subgroups

2P = (5,1)+(5,1) = (6,3) 11P = (13,10)

3P = 2P+P = (10,6) 12P = (0,11)
4P = (3,1) 13P = (16,4)
5P = (9,16) 14P = (9,1)
6P = (16,13) 15P = (3,16)
7P = (0,6) 16P = (10,11)
8P = (13,7) 17P = (6,14)
9P = (7,6) 18P = (5,16)
P
10P = (7,11) 19P = θ
θ

This elliptic curve has order #E = |E| = 19 since it contains

19 points in its cyclic group.

12/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Number of Points on an Elliptic Curve

•  How many points can be on an arbitrary elliptic curve?

•  Consider previous example: E: y2 = x3+2x+2 mod 17 has 19 points
•  However, determining the point count on elliptic curves in general is hard
•  But Hasse‘s theorem bounds the number of points to a restricted interval

Definition: Hasse‘s Theorem:

Given an elliptic curve module p, the number of points
on the curve is denoted by #E and is bounded by
p+1-2 p≤ #E ≤ p+1+2 p

•  Interpretation: The number of points is „close to“ the prime p

•  Example: To generate a curve with about 2160 points, a prime with a length of about
160 bits is required

13/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Elliptic Curve Discrete Logarithm Problem

§  Cryptosystems rely on the hardness of the Elliptic Curve Discrete

Logarithm Problem (ECDLP)

Definition: Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given a primitive element P and another element T on an elliptic curve E.
The ECDL problem is finding the integer d, where 1 ≤ d ≤ #E such that
P + P +…+ P = dP = T.
d times

§  Cryptosystems are based on the idea that d is large and kept secret and attackers
cannot compute it easily
§  If d is known, an efficient method to compute the point multiplication dP is required
to create a reasonable cryptosystem
§  Known Square-and-Multiply Method can be adapted to Elliptic Curves
§  The method for efficient point multiplication on elliptic curves: Double-and-Add Algorithm

14/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Double-and-Add Algorithm for Point Multiplication

§  Double-and-Add Algorithm

Input: Elliptic curve E, an elliptic curve point P and a scalar d with bits di
Output: T = d P
Initialization:
T=P
Example: 26P = (110102)P = (d4d3d2d1d0)2 P.
Algorithm:
Step
FOR i = t −1 DOWNTO 0 #0 P = 1 2P inital setting
#1a P+P = 2P = 102P DOUBLE (bit d3)
T = T +T mod n #1b 2P+P = 3P = 102 P+12P = 112P ADD (bit d3=1)
#2a 3P+3P = 6P = 2(112P) = 1102P DOUBLE (bit d2)
IF di = 1 #2b no ADD (d2 = 0)
#3a 6P+6P = 12P = 2(1102P) = 11002P DOUBLE (bit d1)
T = T +P mod n #3b 12P+P = 13P = 11002P+12 P = 11012P ADD (bit d1=1)
#4a 13P+13P = 26P = 2(11012P) = 110102P DOUBLE (bit d0)
RETURN (T) #4b no ADD (d0 = 0)

15/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

16/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  The Elliptic Curve Diffie-Hellman Key Exchange (ECDH)

§  Given a prime p, a suitable elliptic curve E and a point P=(xP,yP)

§  The Elliptic Curve Diffie-Hellman Key Exchange is defined by the following protocol:

Alice Bob

Choose kPrA= a ∈ {2, 3,…, #E-1} Choose kPrB= b ∈ {2, 3,…, #E-1}
Compute kPubA= A = aP = (xA,yA) Compute kPubB= B = bP = (xB,yB)
A
B

Compute aB = Tab Compute bA = Tab

§  Joint secret between Alice and Bob: TAB = (xAB, yAB)
§  Proof for correctness:
§  Alice computes aB=a(bP)=abP
§  Bob computes bA=b(aP)=abP since group is associative

§  One of the coordinates of the point TAB (usually the x-coordinate) can be used as session key
(often after applying a hash function)

17/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  The Elliptic Curve Diffie-Hellman Key Exchange (ECDH) (ctd.)

§  The ECDH is often used to derive session keys for (symmetric) encryption
§  One of the coordinates of the point TAB (usually the x-coordinate) is taken as session key

Alice Bob

Choose kPrA= a ∈ {2, 3,…, #E-1} Choose kPrB= b ∈ {2, 3,…, #E-1}
Compute kPubA= A = aP = (xA,yA) Compute kPubB= B = bP = (xB,yB)

ECDH
A
B

Compute aB = Tab = (xT,yT) Compute bA = Tab= (xT,yT)

encryption/decryption
Define key kAES = xT Define key kAES = xT

Symmetric
Given a message m:
c
Encrypt c = AESkAES(m) Received ciphertext c:
Decrypt m = AES-1kAES(c)

§  In some cases, a hash function (see next chapters) is used to derive the session key

18/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

19/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Security Aspects

§  Why are parameters signficantly smaller for elliptic curves (160-256 bit) than for RSA
(1024-3076 bit)?
§  Attacks on groups of elliptic curves are weaker than available factoring algorithms or
integer DL attacks
§  Best known attacks on elliptic curves (chosen according to cryptographic criterions)
are the Baby-Step Giant-Step and Pollard-Rho method
§  Complexity of these methods: on average, roughly p steps are required before the
ECDLP can be successfully solved

§  Implications to practical parameter sizes for elliptic curves:

§  An elliptic curve using a prime p with 160 bit (and roughly 2160 points) provides a
security of 280 steps that required by an attacker (on average)
§  An elliptic curve using a prime p with 256 bit (roughly 2256 points) provides a security of
2128 steps on average

20/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Content of this Chapter

§  Introduction
§  Computations on Elliptic Curves
§  The Elliptic Curve Diffie-Hellman Protocol
§  Security Aspects
§  Implementation in Software and Hardware

21/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Implementations in Hardware and Software

§  Elliptic curve computations usually regarded as

consisting of four layers:
§  Basic modular arithmetic operations are
computationally most expensive
§  Group operation implements point doubling Protocol
(ECDSA)
and point addition
Point
§  Point multiplication can be implemented Multiplication
using the Double-and-Add method (k·P)
§  Upper layer protocols like ECDH and
Group Operation
ECDSA
P+Q, 2·P

§  Most efforts should go in optimizations of the Modular Arithmetic

modular arithmetic operations, such as ( +, -, x , ÷ )
§  Modular addition and subtraction
§  Modular multiplication
§  Modular inversion

22/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Implementations in Hardware and Software

§  Software implementations

§  Optimized 256-bit ECC implementation on
3GHz 64-bit CPU requires about 2 ms per
point multiplication
§  Less powerful microprocessors (e.g, on
SmartCards or cell phones) even take
significantly longer (>10 ms)

§  Hardware implementations

§  High-performance implementations with
256-bit special primes can compute a point
multiplication in a few hundred
microseconds on reconfigurable hardware
§  Dedicated chips for ECC can compute a
point multiplication even in a few ten
microseconds

23/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl

 !  Lessons Learned

§  Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem.
It requires, for instance, arithmetic modulo a prime.
§  ECC can be used for key exchange, for digital signatures and for encryption.
§  ECC provides the same level of security as RSA or discrete logarithm systems
over Zp with considerably shorter operands (approximately 160–256 bit vs.
1024–3072 bit), which results in shorter ciphertexts and signatures.
§  In many cases ECC has performance advantages over other public-key
algorithms.
§  ECC is slowly gaining popularity in applications, compared to other public-key
schemes, i.e., many new applications, especially on embedded platforms,
make use of elliptic curve cryptography.

24/24 Chapter 9 of Understanding Cryptography by Christof Paar and Jan Pelzl