Elliptic Curve Cryptography

Ms. Swati Mali

[email protected]
Assistant Professor, Department of Computer Engineering
K. J. Somaiya College of Engineering
Somaiya Vidyavihar University

8/26/2022 1
 Why ECC?
• Better security even with shorter key length than
RSA
• less processing overhead
• stronger than RSA for the key size in use today
o typical ECC key size of 256 bits is equivalent to a 3072-
bit RSA key and
o 10,000 times stronger than a 2048-bit RSA key!

8/26/2022 2
 Advantages of ECC

● Very fast key generation.

● Smaller keys, cipher-texts, and signatures.
● Fast signatures.
● Signatures can be computed in two stages, allowing latency much lower.
● Moderately fast encryption and decryption.
● Than inverse throughput.
● Right protocols for authenticated key exchange (FH-ECMQV et al.).
● Better US government support.
● Binary curves are fast in hardware.
● Unique curves with bilinear pairings allow new-fangled crypto
● Signature generation is faster with RSA.

8/26/2022 3
• Elliptic Curve Digital Signature Algorithm or
ECDSA is a cryptographic algorithm used by Bitcoin
• one-way encryption of emails, data and software.
• a standard for encryption that will be used by most
web applications going forward due to its shorter key
length and efficiency.
• Websites make extensive use of ECC to secure
customers’ hypertext transfer protocol connections.
• It is used for encryption by combining the key
agreement with a symmetric encryption scheme.

8/26/2022 4
 • U.S. government uses it to protect internal
communications,
• the Tor project uses it to help assure anonymity,
• it provides signatures in Apple's iMessage service,
• it is used to encrypt DNS information
with DNSCurve,
• preferred method for authentication for secure web
browsing over SSL/TLS.

8/26/2022 5
8/26/2022 6
 • Elliptic curves are geometric objects
• They don’t resemble ellipses in any way,
• and they are not defined by ellipses either.
• Yet, the word “elliptic” is really close to the word
“ellipse”.
• In an ellipse, two lines starting from the center of the
ellipse to two different points on the circumference form
an arc

8/26/2022 7
 Elliptic functions and Elliptic Curve
• the functions those compute length of the are defined
over a particular space,
• these functions have a limited set of possible solutions
in that space.
• these solutions (or points) when plotted, forms a curve
and it looks like the curves
• These curves are called elliptic curves.
• Definition: elliptic curves are the set of points that are
obtained as a result of solving elliptic functions over a
predefined space.

8/26/2022 8
 • Elliptic curves are represented with cubic equations
similar to ellipse circumference equations
• ellipse has cubic equations
• ellipse circumference can also be represented with
cubic equations
• Hence the name elliptical curve cryptography
• Elliptic curve equation: Y2 = x3+ax+b
• the max number of points on curve are bounded by:
• p+1-2 sqrt(p)<=N<=p+1+2 sqrt(p)

8/26/2022 9
 • technically an elliptic curve is the set points
satisfying an equation in two variables with degree
two in one of the variables and three in the other.
• An elliptic curve is not just a pretty picture, it also
has some properties that make it a good setting for
cryptography.
• Horizontal symmetry: Any point on the curve can be
reflected over the x axis and remain the same curve.
• A more interesting property is that any non-vertical
line will intersect the curve in at most three places.

8/26/2022 10
 Why Elliptic curves are symmetric?
• Y2 = x3+ax+b
• ⇒ y = sqrt(x3+ax+b)
• y has +ve and -ve roots/values on graph (+-x)
• when plotted, gives a symmetric curve along y=0

8/26/2022 11
 Types of Elliptic Curves
• Singular Elliptic Curve
o 4a3+27b2=0
o Y2= x3+ax+b 🡺 LHS has degree 2 while RHS has degree
3
o i.e. horizontal line would intersect curve at three points if
roots are real
o But the vertical line can intersect curve at most in 2 points
o Hence, equation does not have 3 distinct roots
• Non-Singular Elliptic curve
o 4a3+27b2!=0
o does have 3 distinct roots of the ECC equation
• only non-singuler EC are used in cryptography

8/26/2022 12
8/26/2022 13
 ECC solution and Abelian Group
• Closure
o For a and b in A, result of a * b is also A
• Associativity
o a*(b*c) = (a*b)*c
• Identity Element
o ∃ e in A, such that ∀ a in A, e*a=a*e=a holds
• Inverse Element
o for each a in A, ∃ an element b in A, such that a*b=b*a=e,
where e is an identity element
• Commutativity
o ∀ a,b in A, a*b=b*a
• A group without a commutative property is a non-
Abelian group

8/26/2022 14
 • Affine points
o points on the EC
• O points
o a point p such that p+(-p) forms an infinity
• ECC is defined as
o EC over Zp, prime curve
o EC over GF(2^m)

8/26/2022 15
 EC over Zp
• prime curve
• equation: y2 mod p = (x^3+ax+b) mod p
• variables and coefficients are restricted to finite field
• values range from 0 to p-1, values beyond p are
taken as value mod p
• curve is focusedin only one quadrant from (0,0)
through(p-1,p-1) with positive integers

8/26/2022 16
 EC over Zp addition
• add two points p and q to give r
p: p(xp,yp)
q:q(xq,yq)
r: r(xr,yr)
• the point r lies on the line connecting p & q and
extending till r
if (p==q)
slope of line λ= (3xp^2+a)/2yp where a comes from Ep
equation:Y2 = x3+ax+b
if (p!=q)
slope of line λ= (yq-yp)/(xq-xp)
8/26/2022 17
r(xr,yr)=p(xp,yp)+q(xq,yq) is computed as:
xr= λ^2-xp-xq
yr=λ(xp-xr)-yp

8/26/2022 18
Find a point in Elliptic curve E11(1,1)
Solution: Ep is prime curve, so all points must be
limited to p
Ep is represented as Ep(a,b)
so, p=11, a=1, b=1
EC is given by the equation: Y2= X3+x+1
if x=0, y=1 & -1
Use diff values of x & y
so, points : (x,y) are (0,1) and (0,-1) and generate more
points

so, for -1 is negative, hence take mod p.

⇒ solution(0,1) (0,10)
Generate more points in range :
p+1-2 sqrt(p)<=N<=p+1+2 sqrt(p)
8/26/2022 19
 Given P(3,10) and Q(9,7),
Find P+Q Assume E23(1,1)
Solution: Let P(xp,yp)+Q(xq,yq)=R(xr,yr)
Computing slope of line connecting P & Q
As, P!=Q
λ= (yq-yp)/(xq-xp) =-3/6 =-½ mod 23 = - 2^-1 mod 23
= (-1*-11) mod 23 = 11
xr=11^2-3-9= 109 mod 23 = 17
yr=11(3-17)-10=-164 mod 23 = 20

P+Q = (17,20)

8/26/2022 20
 Addition operation on the points of
curve

8/26/2022 21
8/26/2022 22
8/26/2022 23
8/26/2022 24
 Abelian Group properties revisited
• Closure: addition of t
o For a and b in A, result of a * b is also A
o addition of two points on curve creates another point on
curve
• Associativity
o a*(b*c) = (a*b)*c or a+(b+c) = (a+b)+c
o (P+Q)+R = P+(Q+R)
• Identity Element
o ∃ e in A, such that ∀ a in A, e*a=a*e=a or e+0 =0+e=e
holds
o P+0 = 0+P = P

8/26/2022 25
 • Inverse Element
o for each a in A, ∃ an element b in A, such that a*b=b*a=e
or a+b=b+a=e, where e is an identity element
o Each point on curve has an inverse
o Inverse of a point is its reflection w.r.t the x-axis
o i.e. P=(x1,y1) and Q=(x1,-y1) are inverses of each other
o Note: identity element is inverse of itself
• Commutativity
o ∀ a,b in A, a*b=b*a or a+b=b+a
• A group without a commutative property is a non-
Abelian group

8/26/2022 26
 A Group and a Field
• The group defines the set of points on elliptic curve
and the addition operation on points
• The field defines addition, subtraction, multiplication
and division using operations on real numbers that
are needed to find the addition of points in the group

8/26/2022 27
 ECC over Zp arithmetic

8/26/2022 28
 ECC over Zp arithmetic

8/26/2022 29
 Example : find matching points on
curve in ECC over Zp
• Given Elliptic curve : E11(1,6)
🡺 p=11, a=1, b=6
Zp ECC is given by y2 mod p = x3+ax+b mod p
🡺 y2 mod 11 = x3+ax+b mod 11
🡺 y2 mod 11 = x3+x+6 mod 11
Range= (0,p-1) 🡺 (0,10)
🡺 Values of x & y can be from 0 to 10
Problem: find values of x’,y’ such that
o LHS=RHS
o Computed point also lies on the elliptic curve

8/26/2022 30
 Matching points

8/26/2022 31
 Negative number and mod operation
• Method 1: Formula : -a mod b = b-(a mod b)
E.g. -3 mod 11 🡺 a=3, b=11
• 🡺 11-(3 mod 11) 🡺 11-3=8
E.G -34 mod 23 🡺 a=34, b=23
🡺 23 –(34 mod 23) = 23 – 11 = 12
• Method 2 : if a<b, subtract a from b
o Else
− Take multiple of b such that it is greater than a
− Subtract a from the multiple
• Method 3: (-a mod b) + b
• Example -157 mod 23 ??
8/26/2022 32
 Compute modulo inverse

8/26/2022 33
 Elliptic Curve Cryptography
• The private keys in the ECC are integers (in the
range of the curve's field size, typically 256-bit
integers).
o Example of 256-bit ECC private key (hex encoded, 32
bytes, 64 hex digits) is:
0x51897b64e85c3f714bba707e867914295a1377a7463a9d
ae8ea6a8b914246319.
• The public keys are points on elliptic curve {x, y}
o Example of ECC public key
0x02f54ba86dc1ccb5bed0224d23f01ed87e4a443c47fc690
d7797a13d41d2340e1a.

8/26/2022 34
 Consequently, in ECC we have:
• Еlliptic curve (EC) over finite field 𝔽p
• G = generator point (fixed constant, a base point on
the EC)
• private key =integer
• public key =point

8/26/2022 35
 Deffie-Hellman Key exchange using
ECC- ECDH
ECC key exchange – similar to DH Key exchange
Global public elements
• Eq(a,b) - Elliptic curve parameters – a,b and q – prime
no. or integer of the form 2m.
• G – point on the elliptic curve

8/26/2022 36
User A key generation
• Select private key nA, such that nA < n
• Calculate public key PA, PA = nA * G

• User B key generation

• Select private key nB, nB < n
• Calculate public key PB, PB = nB * G

• Calculation of secret key by User A, K = nA * PB

• Calculation of secret key by User B, K = nB * PA
8/26/2022 37
we compute some q= k*p where q,p ∈ Ep(a,b)
• Given k & p its easy to compute q
• but, knowing p & q, it's difficult to compute k ⇒
discrete logarithmic problem for EC
o could be little easy with availability of a trapdoor
• in reality, k is very large making brute force
infeasible to acheieve

8/26/2022 38
ECC encryption
Let the message be M
1. encode message M into a point on elliptic curve: Pm
• For encryption: choose a random positive integer K.
• The cipher point will be:
Cm = {KG, Pm + KPB}

• This point will be sent to receiver.

8/26/2022 39
For Decryption:
• multiply x-coordinate with receiver’s secret key : KG
* nB
• Then subtract from coordinate of cipher point;
• Pm + KPB – ( K*G * nB)
• We know that, PB = nB * G
So substitute in above equation and we get,
• Pm + K*PB – K*PB
= Pm
So, receiver gets the same point.
8/26/2022 40
 Modulo arithmetic
• Find equivalent modulo value for a negative number
• find points on the curve
• multiplicative inverse
• Compute -p, given a point p on EC
• addition over Zp
• addition over GF(2m)

8/26/2022 41
 Find equivalent modulo value for a
negative number
• Formula :
-n mod k ≡ k - (n mod k)
e.g. -
• 3 mod 12 = 12 - (3 mod 12) = 12 -3 = 9
• -34 mod 23 = 23 - (34 mod 23) = 23 - 11 = 12

• Hint
• if n < k, compute k-n
• else take multiple of k which is just greater than n,
subtract n from that multiple
e.g. 23 * 2 = 46 > n=34 ⇒ 46-34 = 12
8/26/2022 42
 Find multiplicative inverse using
Extended Euclidean algorithm

Q=A/B A B R= A % B T1 T2 T= T1-Q*T2

0 1

A>B
Q=A/B
R= A%B
T1=0, T2 =1 T= T1-Q*T2

A=B
B=R
T1=T2
T2=T

8/26/2022 43
 Compute -p, given a point p on EC
Given P=(13,7) in E23(1,1), compute -p.

8/26/2022 44
 How do I encrypt text using ECC?

How do I encrypt text using ECC?

Mapping technique convert the plain text into ASCII values and then convert this into
HEXADECIMAL. The converted Hex values are grouped together to form the x and
y coordinates. The converted values are encrypted in reverse order to prevent
security attacks.

8/26/2022 45
 Disadvantages of ECC

● Complicated and tricky to implement securely, mainly the standard

curves.
● Standards aren't state-of-the-art, particularly ECDSA, which is a hack
compared to Schnorr signatures.
● Newer algorithms could theoretically have unknown weaknesses. Binary
curves are slightly scary.
● Signing with a broken or compromised random number generator
compromises the key.
● It still has some patent problems, especially for binary curves. It might be
costly...
● Public key operations (e.g., signature verification, as opposed to signature
generation) are slow with ECC.

8/26/2022 46
 Questions?

8/26/2022 47