BCSE309L - Cryptography and Network Security

Module 3 - Elliptic Curve

Cryptography

Dr. Somasundaram S K
Assistant Professor Senior Grade 2
School of Computer Science and
Engineering,
Vellore Institute of Technology,
Vellore – 632 014
Phone No: +91 9843665115
Mail ID: [email protected]
Location: PRP Block – 218D
Elliptic Curve
Cryptography
 Elliptic Curve
Cryptography
• Majority of public-key crypto (RSA, D-H) use either
integer or polynomial arithmetic with very large numbers
/ polynomials
 Imposes a significant load in storing and processing keys &
messages

ECC RSA
• An alternative is to use Elliptic Curves
256 bits 3072
 bits
Appears to offer equal security for a far smaller key size,
384 bits 7680bit
thereby reducing processing overhead s
 Real Elliptic
Curves
• ECC makes use of Elliptic curves
• Elliptic Curve is defined by mathematical
functions – Cubic functions
Eg: y2 = x3 + ax + b [Cubic Equation]
----- (1)
where x, y, a, b are all real numbers
 Symmetric to x-axis and line will intersect at 3
pts (max.)
 Also define point at infinity or zero point, O
 Acts as the identity element in the group of points on the
elliptic curve, meaning adding it to any other point on the
curve results in that same point
 "n" represents the order of the curve, which is the
total number of points on the elliptic curve, including
the "point at infinity"
 ECC – Addition (1)

• Consider set of points E(A,B) that satisfy

eqn. (1)
• Have addition operation for elliptic curve
 Geometrically sum of A+B is reflection of the
ECC – Addition (2)

“POINT
DOUBLING”
ECC – Addition (3)
 Finite Elliptic
Curves
• Elliptic Curve Cryptography uses curves whose
variables & coefficients are finite
• Have two families commonly used:
• Prime curves Ep(a,b) defined over Zp
• Use integers modulo a prime
• Best in software
• Binary curves E2m(a,b) defined over GF(2n)
• Use polynomials with binary coefficients
• Best in hardware
 Elliptic Curve
Cryptography
• ECC repeated addition is analog of modulo
exponentiation
• Need “hard” problem equivalent to discrete log:
• Q = kP, where Q, P belong to a prime curve
• Is “easy” to compute Q given k, P
• But “hard” to find k given Q, P
• Known as the discrete logarithm problem of ECC or a one-
way function or trap door function
Problem (For two distinct points, P≠Q)

• For E29 (16, 14), consider the point P = (5, 25) and Q = (12,
7). Compute the value of P+Q
[E29(16,14) represents an elliptic curve over the finite field 𝔽₂₉ (the field of
integers modulo 29) with the equation: 𝑦2 = 𝑥3 + 16𝑥 + 14 mod 29]
• m = 29, a = 16, b = 14
• P = (5, 25), Q = (12, 7)
• x1 = 5, y1 = 25, x2 = 12, y2 = 7
1. X3 = (λ2 – x1 – x2) mod m
2. Y3 = (λ (x1 – x3) – y1) mod m
3.
𝜆=¿ y2
mod
–y
𝑚
1
X 2 – x1
Calculate λ value
  Xy – –x ymod 𝑚
2 1

2 1

  7 – 25 mod 29
12 – 5

= -18 / 7 mod 29

= -18 (1/7) mod 29

= -18(7-1) mod 29

= -18 x 25 mod 29

= -450 mod 29
14
= 29 – (450 mod 29)

= 29 – 15

= 14
Method to find multiplicative inverse value
(EEA Method)
q a b r t1 t2 t
4 29 7 1 0 1 -4
7 7 1 0 1 -4 28
1 0 -4 28
• Since it is a negative number, we need to find positive number

• Here, moduli is 29 and final t value also a small number than moduli

• So, add - 4 + 29 and we get 25

• If final t value is bigger number than moduli, we can not do this addition
Calculate X3 and Y3 value

• X3 = λ2 – x1 – x2 mod m Y3 = λ (x1 – x3) – y1 mod m

λ = 14, x1 = 5, x2 = 12, m λ = 14, x1 = 5, x3 = 5, y1 = 25,
= 29 m = 29

X3 = 142 – 5 – 12 mod 29 Y3 = 14 (5 – 5) – 25 mod 29

Y3 = – 25 mod 29
X3 = 196 – 17 mod 29
Y3 = 29 - ( 25 mod 29)
X3 = 179 mod 29
Y3 = 29 – 25
X3 = 179 mod 29 Y3 = 4
Checking (x3, y3) lies on the curve E29 (16, 14)

• Y32 (mod m) = x33 + ax3 + b (mod p)

Y3=4, m = 29, x3= 5, a = 16, b = 14

42 mod 29 = 53 + 16 x 5 + 14 (mod 29)

16 mod 29 = 125 + 80 + 14 (mod 29)

16 = 219 mod 29

16 = 16

Hence, P + Q = (x3, y3) = (5, 4)

Problem 2
Solution
Calculate 2G value
Calculate 2G value: X3 value

•
Calculate 2G value: Y3 value
•

Thus, 2G is (5,2)
Calculate 3G value
•

Calculating 3-1 mod 11

3 x ? mod 11 = 1

Possible values are 1 to n-1, so, 1 – 10

3 x 1 mod 11 = 3 != 1
3 x 2 mod 11 = 6 != 1
3 x 3 mod 11 = 9 != 1

After applying values 1,2,3 we can see that

mod value doesn’t give 1.

So, the answer after applying 4:

3 x 4 mod 11 = 12 mod 11 = 1.
Answer is 4.
Calculate 3G value: X3 value

• X3 = λ2 – x1 – x2 mod q
• λ = 2, x1 = 2, y1 = 7, x2 = 5, y2 =2
• X3 = (22 – 2 – 5) mod 11
= (4 – 7) mod 11
= -3 mod 11
= 11 – 3 mod 11
= 11 - 3 = 8
• X3 = 8
Calculate 3G value: Y3 value
•

Thus, 3G is (8,3)
Calculate 4G value
Calculate 4G value: X3 value
Calculate 4G value: Y3 value
•

Thus, 4G is (10,2)
Calculate 5G value
•

Calculating 3-1 mod 11

3 x ? mod 11 = 1

Possible values are 1 to n-1, so, 1 – 10

After applying values 1,2,3 we can see that
mod value doesn’t give 1.

So, the answer after applying 4:

3 x 4 mod 11 = 12 mod 11 = 1.
Answer is 4.
Calculate 5G value: X3 value

• X3 = λ2 – x1 – x2 mod q

• λ = 4, x1 = 5, y1 = 2 and x2 = 8, y2 = 3

• X3 = (42 – 5 – 8) mod 11

= (16 – 13) mod 11

= 3 mod 11 = 3

• X3 = 3
Calculate 5G value: Y3 value

• Y3 = (λ (x1 – x3) – y1) mod q

• λ = 4, x1 = 5, y1 = 2 and x2 = 8, y2 = 3, and x3 = 3

• Y3 = (4*(5 - 3) - 2) mod 11

= (8 – 2) mod 11
Thus, 5G is (3,6)
= 6 mod 11 = 6
Calculate 6G value
Calculate 6G value: X3 value
•
Calculate 6G value: Y3 value

Thus, 6G is (7,9)
Calculate 7G value
•
Calculating -2-1 mod 11
-2 x ? mod 11 = 1

We can first convert -2 mod 11,

= 11 – 2 mod 11 = 9.

So, 9 x ? mod 11 = 1.

Possible values are 1 to n-1, so, 1 – 10

After applying values 1,2… 4 we can
see that mod value doesn’t give 1.

So, the answer after applying 5:

9 x 5 mod 11 = 45 mod 11 = 1.
Answer is 5.
Calculate 7G value: X3 value

• X3 = λ2 – x1 – x2 mod q

• λ = 9, x1 = 5, y1 = 2 and x2 = 3, y2 = 6

• X3 = (92 – 5 – 3) mod 11

= (81– 8) mod 11

= 73 mod 11 = 7

• X3 = 7
Calculate 7G value: Y3 value
• Y3 = (λ (x1 – x3) – y1) mod q

• λ = 9, x1 = 5, y1 = 2 and x2 = 3, y2 = 6 and x3 = 7

• Y3 = (9*(5 - 7) - 2) mod 11

= (-18 – 2) mod 11

= -20 mod 11

= 11 – 20 mod 11 Thus, 7G is (7,2)

Calculate 8G value
•

Calculating 4-1 mod 11

4 x ? mod 11 = 1

Possible values are 1 to n-1, so,

1 – 10
After applying values 1,2 we
can see that mod value doesn’t
give 1.

So, the answer after applying 4:

4 x 3 mod 11 = 12 mod 11 = 1.
Answer is 3.
Calculate 8G value: X3 value

•
Calculate 8G value: Y3 value

Thus, 8G is (3,5)
Calculate 9G value
Calculate 9G value: X3 value

• X3 = λ2 – x1 – x2 mod q

• λ = 0, x1 = 5, y1 = 2 and x2 = 7, y2 = 2

• X3 = (02 – 5 – 7) mod 11
= (-12) mod 11
= 11 - 12 mod 11
= 11 – 1 = 10
• X3 = 10
Calculate 9G value: Y3 value

• Y3 = (λ (x1 – x3) – y1) mod q

• λ = 0, x1 = 5, y1 = 2 and x2 = 7, y2 = 2 and x3 = 10

• Y3 = (0*(5 - 10) - 2) mod 11

= (– 2) mod 11

= 11 – 2 mod 11
Thus, 9G is (10,9)
= 11 – 2 = 9
Calculate 10G value
•

Calculating 3-1 mod 11

3 x ? mod 11 = 1

Possible values are 1 to n-1, so,

1 – 10
After applying values 1,2,3 we
can see that mod value doesn’t
give 1.

So, the answer after applying 4:

3 x 4 mod 11 = 12 mod 11 = 1.
Answer is 4.
Calculate 10G value: X3 value
•
Calculate 10G value: Y3 value
•

Thus, 10G is (8,8)

Calculate 11G value
•

Calculating 5-1 mod 11

5 x ? mod 11 = 1

Possible values are 1 to n-1, so, 1 – 10

After applying values 1,2… 8 we can
see that mod value doesn’t give 1.

So, the answer after applying 9:

5 x 9 mod 11 = 45 mod 11 = 1.
Answer is 9.
Calculate 11G value: X3 value

• X3 = λ2 – x1 – x2 mod q

• λ = 8, x1 = 5, y1 = 2 and x2 = 10, y2 = 9

• X3 = (82 – 5 – 10) mod 11

= (64 – 15) mod 11

= 49 mod 11 = 5

• X3 = 5
Calculate 11G value: Y3 value

• Y3 = (λ (x1 – x3) – y1) mod q

• λ = 8, x1 = 5, y1 = 2 and x2 = 10, y2 = 9 and x3 = 5

• Y3 = (8*(5 - 5) - 2) mod 11

= (0 – 2) mod 11

= 11 – 2 mod 11
Thus, 11G is (5,9)
= 11 – 2 = 9
Calculate 12G value
•

Calculating 9-1 mod 11

9 x ? mod 11 = 1

Possible values are 1 to n-1, so,

1 – 10
After applying values 1,2… 4 we
can see that mod value doesn’t
give 1.

So, the answer after applying 5:

9 x 5 mod 11 = 45 mod 11 = 1.
Answer is 5.
Calculate 12G value: X3 value

•
Calculate 12G value: Y3 value

Thus, 12G is (2,4)

Calculate 13G value
•
Final Solution: (Use for reference once completed)
Multiples of G Calculation Answer
Method
2G G+G (5,2)
3G G+2G (8,3)
4G 2G+2G (10,2)
5G 2G+3G (3,6)
6G 3G+3G (7,9)
7G 2G+5G (7,2)
8G 4G+4G (3,5)
9G 2G+7G (10,9)
10G 5G+5G (8,8)
11G 2G+9G (5,9)
12G 11G+G (2,4)
13G 2G+11G Undef.
Elliptic Curve Diffie-Hellman (ECDH) Key
Exchange
• 1. Global parameters
• Choose an elliptic curve EEE over a finite field Fp​
• Select a public base point GGG (a point on the curve)
• The curve and GGG are publicly known parameters

• 2. Key Generation (for Alice & Bob)

• Each party generates a private-public key pair:
• ✅ Alice:
• Picks a random private key a, where a is a large integer
• Computes her public key: A=aG where A is a point on the curve
• ✅ Bob:
• Picks a random private key b, where b is a large integer
• Computes his public key: B=bG where B is a point on the curve
• Alice and Bob exchange their public keys A and B
Cont…
• 3. Compute Shared Secret
• Each party multiplies the received public key by their own
private key:
• ✅ Alice computes:
• S = aB = a(bG) = (ab)G
• ✅ Bob computes:
• S = bA = b(aG) = (ab)G

• Since both calculations result in the same point S, Alice

and Bob now share a common secret
 ECC
Encryption/Decryption
• Several alternatives, will consider simplest
• Must first encode any message, m as a point on the elliptic
curve, Pm
• Select suitable curve & point G (base point) as in D-H
• Each user chooses private key nA < n and computes public key
P A = nA G

• To encrypt
Pm : Cm= {kG, Pm + kPb}, k random positive integer

• Decrypt Cm compute:
ECC Security

• Relies on elliptic curve logarithm problem

• Fastest method is “Pollard rho method”
• Compared to factoring, can use much smaller key sizes
than with RSA, etc.
• For equivalent key lengths computations are roughly
equivalent.
• Similar security ECC offers significant computational
Comparable Key Sizes for Equivalent
Security
Symmetric ECC-based RSA/DSA
scheme scheme (modulus size
(key size in (size of n in in bits)
bits) bits)
56 112 512
80 160 1024
112 224 2048
128 256 3072
192 384 7680
256 512 15360