Public Key Cryptography - Chapter 9

The document discusses public key cryptography and the RSA algorithm. It covers the basics of public key cryptography including using two keys - a public key and private key. The RSA algorithm is then explained in detail, including how it works, key generation, encryption, and decryption. Security aspects of RSA like factorization problems and timing attacks are also summarized.


Public Key Cryptography

Chapter 9
Module 4-Part 2

Prepared by:
Dr. S V Uma,
Associate Professor,
Dept. of ECE,
RNSIT
Private-Key Cryptography
Traditional private/secret/single key
cryptography uses one key
Shared by both sender and receiver
If this key is disclosed communications are
compromised
Also if symmetric, parties are equal
Hence does not protect sender from receiver
forging a message & claiming it is sent by sender
Public-Key Cryptography
•Probably most significant advance in the 3000
year history of cryptography
•Uses two keys – a public & a private key
•Asymmetric since parties are not equal
•Uses clever application of number theoretic
concepts to function
•Complements rather than replaces private key
cryptosystems
Why Public-Key Cryptography?
•Developed to address two key issues:
•Key distribution – how to have secure
communications in general without having to
trust a KDC with your key
•Digital signatures – how to verify a message
comes intact from the claimed sender
•Public invention due to Whitfield Diffie &
Martin Hellman at Stanford Univ. in 1976
•known earlier in classified community
Public-Key Cryptography
•Public-key/two-key/asymmetric cryptography
involves the use of two keys:
• A public-key, which may be known by anybody, and
can be used to encrypt messages, and verify
signatures
• A related private-key, known only to the recipient,
used to decrypt messages, and sign (create) signatures
•Infeasible to determine private key from public
•Is asymmetric because
• Those who encrypt messages or verify signatures
cannot decrypt messages or create signatures
A Public-Key Cryptography system
Public-Key Cryptography Principles
•The use of two keys has consequences in: key
distribution, confidentiality and authentication.
•The scheme has six ingredients:
• Plaintext
• Encryption algorithm
• Public key
• Private key
• Ciphertext
• Decryption algorithm
Applications for Public-Key Cryptosystems
•Three categories:
• Encryption/decryption: The sender encrypts a message with the recipient's public key.
• Digital signature: The sender "signs" a message with its private key.
• Key exchange: Two sides cooperate to exchange a session key.
Encryption using Public-Key System (Secrecy)
Authentication using Public-Key System (Signature Authentication)
Public-Key Cryptosystems - Both
Authentication and Secrecy
Symmetric vs Public-Key
Public-Key Applications
•Some algorithms are suitable for all uses,
others are specific to one
Public-Key Requirements
•Public-Key algorithms rely on two keys where:
• It is computationally infeasible to find decryption key
knowing only algorithm & encryption key
• It is computationally easy to en/decrypt messages
when the relevant (en/decrypt) key is known
• Either of the two related keys can be used for
encryption, with the other used for decryption (for
some algorithms)
• These are formidable requirements which only a few
algorithms have satisfied
Public-Key Requirements
•Need a trapdoor one-way function
•One-way function has
•Y = f(X) easy
•X = f^(-1)(Y) infeasible
•A trap-door one-way function has
•Y = f_k(X) easy, if k and X are known
•X = f_k^(-1)(Y) easy, if k and Y are known
•X = f_k^(-1)(Y) infeasible, if Y known but k not known
•A practical public-key scheme depends on a suitable trap-door one-way function
Security of Public Key Schemes
Like private key schemes brute force exhaustive
search attack is always theoretically possible
But keys used are too large (>512bits)
Security relies on a large enough difference in
difficulty between easy (en/decrypt) and hard
(cryptanalyse) problems
More generally the hard problem is known, but is
made hard enough to be impractical to break
Requires the use of very large numbers
Hence is slow compared to private key schemes
RSA
By Rivest, Shamir & Adleman of MIT in 1977
Best known & widely used public-key scheme
Based on exponentiation in a finite (Galois) field over integers modulo a prime
Exponentiation takes O((log n)^3) operations (easy)
Uses large integers (eg. 1024 bits)
Security due to cost of factoring large numbers
Factorization takes O(e^(log n log log n)) operations (hard)
RSA En/decryption
•To encrypt a message M the sender:
•Obtains public key of recipient PU={e,n}
•Computes: C = M^e mod n, where 0 ≤ M < n
•To decrypt the ciphertext C the receiver:
•Uses their private key PR={d,n}
•Computes: M = C^d mod n
•Note that the message M must be smaller than the modulus n (block if needed)
The RSA Algorithm – Key Generation
1. Select p, q: p and q both prime
2. Calculate n = p × q
3. Calculate ø(n) = (p − 1)(q − 1)
4. Select integer e: gcd(ø(n), e) = 1; 1 < e < ø(n)
5. Calculate d: d = e^(-1) mod ø(n)
6. Public key KU = {e, n}
7. Private key KR = {d, n}
Example of RSA Algorithm
The RSA Algorithm - Encryption
•Plaintext: M < n
•Ciphertext: C = M^e (mod n)
The RSA Algorithm - Decryption
•Ciphertext: C
•Plaintext: M = C^d (mod n)
RSA Key Setup
•Each user generates a public/private key pair by:
•Selecting two large primes at random: p, q
•Computing their system modulus n = p·q
•Note that ø(n) = (p−1)(q−1)
•Selecting at random the encryption key e
•Where 1 < e < ø(n), gcd(e, ø(n)) = 1
•Solving the following equation to find the decryption key d:
•e·d = 1 mod ø(n) and 0 ≤ d ≤ n
•Publish their public encryption key: PU={e,n}
•Keep secret private decryption key: PR={d,n}
Why RSA Works
•Because of Euler's Theorem:
•a^ø(n) mod n = 1 where gcd(a,n) = 1
•In RSA we have:
•n = p·q
•ø(n) = (p−1)(q−1)
•Carefully chose e & d to be inverses mod ø(n)
•Hence e·d = 1 + k·ø(n) for some k
•Hence:
C^d = M^(e·d) = M^(1 + k·ø(n)) = M^1·(M^ø(n))^k
= M^1·(1)^k = M^1 = M mod n
RSA Example - Key Setup
1. Select primes: p=17 & q=11
2. Calculate n = pq = 17 × 11 = 187
3. Calculate ø(n) = (p−1)(q−1) = 16 × 10 = 160
4. Select e: gcd(e,160) = 1; choose e=7
5. Determine d: d·e = 1 mod 160 and d < 160. Value is d=23 since 23 × 7 = 161 = 10 × 16 + 1
6. Publish public key PU={7,187}
7. Keep secret private key PR={23,187}
RSA Example - En/Decryption
Sample RSA encryption/decryption is:
Given message M = 88 (note 88 < 187)
Encryption:
C = 88^7 mod 187 = 11
Decryption:
M = 11^23 mod 187 = 88
Exponentiation
•Can use the Square and Multiply Algorithm
•A fast, efficient algorithm for exponentiation
•Concept is based on repeatedly squaring the base and multiplying in the ones that are needed to compute the result
•Look at binary representation of exponent
•Only takes O(log₂ n) multiplications for number n
• eg. 7^5 = 7^4·7^1 = 3·7 = 10 mod 11
• eg. 3^129 = 3^128·3^1 = 5·3 = 4 mod 11
Exponentiation - Square and Multiply Algorithm for a^b mod n
(b = b_k b_(k-1) ... b_0 in binary; c accumulates the part of the exponent processed so far)
c = 0; f = 1
for i = k downto 0 do
  c = 2 × c
  f = (f × f) mod n
  if b_i == 1 then
    c = c + 1
    f = (f × a) mod n
return f
Efficient Encryption
•Encryption uses exponentiation to power e
•Hence if e is small, this will be faster
• often choose e=65537 (2^16 + 1)
• also see choices of e=3 or e=17
•But if e too small (eg e=3) can attack
• using Chinese remainder theorem & 3 messages with different moduli
•If e is fixed must ensure gcd(e,ø(n)) = 1
• i.e. reject any p or q not relatively prime to e
Efficient Decryption
•Decryption uses exponentiation to power d
• this is likely large, insecure if not
•Can use the Chinese Remainder Theorem
(CRT) to compute mod p & q separately, then
combine to get desired answer
• approx 4 times faster than doing directly
•Only owner of private key who knows values
of p & q can use this technique
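The RSA key setup, the toy example (p=17, q=11, e=7, M=88), the square-and-multiply algorithm and the CRT decryption described above, worked in Python as an added example (this is not code from the slides). `egcd`/`modinv` are an extended-Euclid implementation standing in for the slides' "inverse algorithm"; all function names are mine.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, n):
    """Multiplicative inverse of a modulo n; this is the 'inverse algorithm'
    the slides refer to for computing d from e (or e from d)."""
    g, x, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError("no inverse: gcd(a, n) != 1")
    return x % n


def square_and_multiply(a, b, n):
    """a^b mod n exactly as on the slide: scan the bits of b from b_k down
    to b_0, square each step, multiply in the base when the bit is 1.
    c tracks the exponent processed so far and equals b at the end."""
    c, f = 0, 1
    for bit in bin(b)[2:]:
        c = 2 * c
        f = (f * f) % n
        if bit == "1":
            c = c + 1
            f = (f * a) % n
    assert c == b
    return f


def rsa_keygen(p, q, e):
    """Steps 1-7 of the key-generation slide: returns (PU, PR) as tuples
    (e, n) and (d, n).  p and q are taken as given (no primality test here)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = modinv(e, phi)
    return (e, n), (d, n)


def rsa_encrypt(m, pub):
    """C = M^e mod n; the block M must satisfy 0 <= M < n."""
    e, n = pub
    if not 0 <= m < n:
        raise ValueError("message block must satisfy 0 <= M < n")
    return square_and_multiply(m, e, n)


def rsa_decrypt(c, priv):
    """M = C^d mod n."""
    d, n = priv
    return square_and_multiply(c, d, n)


def rsa_decrypt_crt(c, d, p, q):
    """The 'efficient decryption' of the slides: exponentiate mod p and mod q
    separately (half-size moduli and reduced exponents), then recombine with
    the Chinese Remainder Theorem.  Only the key owner knows p and q."""
    mp = square_and_multiply(c % p, d % (p - 1), p)
    mq = square_and_multiply(c % q, d % (q - 1), q)
    # Garner recombination: m = mq + q * ((mp - mq) * q^-1 mod p)
    h = (modinv(q, p) * (mp - mq)) % p
    return mq + q * h


if __name__ == "__main__":
    pub, priv = rsa_keygen(17, 11, 7)
    print("PU =", pub, "PR =", priv)                 # (7, 187) (23, 187)
    c = rsa_encrypt(88, pub)
    print("C =", c, "M =", rsa_decrypt(c, priv))     # 11, 88
    print("M via CRT =", rsa_decrypt_crt(c, priv[0], 17, 11))   # 88
```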
RSA Key Generation
•Users of RSA must:
• determine two primes at random - p, q
• select either e or d and compute the other
•Primes p,q must not be easily derived from
modulus n=p.q
• means must be sufficiently large
• typically guess and use probabilistic test
•Exponents e, d are inverses, so use Inverse
algorithm to compute the other
RSA Processing of Multiple blocks
RSA Security
•Possible approaches to attacking RSA are:
•Brute force key search - infeasible given size
of numbers
•Mathematical attacks - based on difficulty of
computing ø(n), by factoring modulus n
•Timing attacks - on running of decryption
•Chosen ciphertext attacks - given properties
of RSA
Factoring Problem
• Mathematical approach takes 3 forms:
• factor n = p·q, hence compute ø(n) and then d
• determine ø(n) directly and compute d
• find d directly
• Currently believe all equivalent to factoring
• have seen slow improvements over the years
• as of May 2005 best is 200 decimal digits (663 bits) with LS
• biggest improvement comes from improved algorithm
• cf QS to GHFS to LS
• currently assume 1024-2048 bit RSA is secure
• ensure p, q of similar size and matching other constraints
Progress in Factoring
Timing Attacks
• Developed by Paul Kocher in mid-1990's
• Exploit timing variations in operations
• eg. multiplying by small vs large number
• or IFs varying which instructions are executed
• Infer operand size based on time taken
• For RSA, exploits the time taken in exponentiation
• countermeasures
• use constant exponentiation time
• add random delays
• blind values used in calculations
Chosen Ciphertext Attacks
• RSA is vulnerable to a Chosen Ciphertext Attack (CCA)
• Attacker chooses ciphertexts & gets decrypted plaintext back
•Choose ciphertext to exploit properties of RSA to provide info to help cryptanalysis
•Can counter with random pad of plaintext
•or use Optimal Asymmetric Encryption Padding (OAEP)
Summary
•Have considered:
•principles of public-key cryptography
•RSA algorithm, implementation, security
KEY MANAGEMENT
• One of the major roles of public-key encryption has been to address the problem of key distribution. There are actually two distinct aspects to the use of public-key cryptography in this regard:
• The distribution of public keys
• The use of public-key encryption to distribute secret keys
Diffie-Hellman Key Exchange
• First public-key type scheme proposed
• By Diffie & Hellman in 1976 along with the exposition of public key concepts
• Note: Now known that Williamson (UK CESG) secretly proposed the concept in 1970
• Is a practical method for public exchange of a secret key
• Used in a number of commercial products
Diffie-Hellman Key Exchange
A public-key distribution scheme
• cannot be used to exchange an arbitrary message
• rather it can establish a common key
• known only to the two participants
Value of key depends on the participants (and their private and public key information)
Based on exponentiation in a finite (Galois) field (modulo a prime or a polynomial) - easy
Security relies on the difficulty of computing discrete logarithms (similar to factoring) – hard
Diffie-Hellman Key exchange Algorithm
Diffie-Hellman Setup
All users agree on global parameters:
• large prime integer or polynomial q
• a being a primitive root mod q
Each user (eg. A) generates their key
• chooses a secret key (number): x_A < q
• computes their public key: y_A = a^(x_A) mod q
• Each user makes public that key y_A
Diffie-Hellman Key Exchange
Shared session key for users A & B is K_AB:
K_AB = a^(x_A·x_B) mod q
= y_A^(x_B) mod q (which B can compute)
= y_B^(x_A) mod q (which A can compute)
K_AB is used as session key in private-key encryption scheme between Alice and Bob
If Alice and Bob subsequently communicate, they will have the same key as before, unless they choose new public-keys
Attacker needs an x, must solve discrete log
Diffie-Hellman Example
•1. In a Diffie-Hellman key exchange the two parties decide on a prime number p=71 and primitive root α=7. If one party A chooses its private key X_A=5, find its public key. If party B uses a private key X_B=12, find its public key. What is the shared secret key between A & B?
•2. In a D-H key exchange A and B decide on prime number p=101 with generator g=3. A chooses at random the integer 70, while B chooses 87. Find the common key developed by them.
Diffie-Hellman Example
• 3. Consider a D-H scheme with a common prime q=11 and a primitive root α=2.
• A) If user A has public key Y_A=9, what is A's private key?
• B) If user B has public key Y_B=3, what is the shared secret key K?
Diffie-Hellman Example
4. Users Alice & Bob who wish to swap keys:
Agree on prime q=353 and a=3
Select random secret keys:
• A chooses x_A=97, B chooses x_B=233
Compute respective public keys:
• y_A = 3^97 mod 353 = 40 (Alice)
• y_B = 3^233 mod 353 = 248 (Bob)
Compute shared session key as:
• K_AB = y_B^(x_A) mod 353 = 248^97 mod 353 = 160 (Alice)
• K_AB = y_A^(x_B) mod 353 = 40^233 mod 353 = 160 (Bob)
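The exchange of example 4 (q=353, a=3, x_A=97, x_B=233) run in Python, as an added example that is not part of the slides, together with the brute-force discrete log an eavesdropper who sees only y_A and y_B would have to solve; it succeeds here only because q is tiny. Function names are mine.

```python
# Added example: Diffie-Hellman over the slides' toy parameters plus a
# brute-force discrete logarithm to show why "attacker needs an x, must
# solve discrete log" only protects the key when q is large.

def is_primitive_root(a, q):
    """a is a primitive root mod prime q iff a^1 .. a^(q-1) are all distinct,
    i.e. a generates every non-zero residue.  O(q) check, fine for q=353."""
    return len({pow(a, k, q) for k in range(1, q)}) == q - 1


def dh_public_key(a, q, x):
    """y = a^x mod q, the value a participant publishes."""
    if not 1 <= x < q:
        raise ValueError("private exponent must satisfy 1 <= x < q")
    return pow(a, x, q)


def dh_shared_key(y_other, x_own, q):
    """K = y_other^x_own mod q; both sides obtain a^(x_A * x_B) mod q."""
    return pow(y_other, x_own, q)


def dh_exchange(a, q, x_a, x_b):
    """Run the whole exchange; returns (y_A, y_B, K_AB)."""
    y_a = dh_public_key(a, q, x_a)
    y_b = dh_public_key(a, q, x_b)
    k_a = dh_shared_key(y_b, x_a, q)    # Alice: y_B^x_A
    k_b = dh_shared_key(y_a, x_b, q)    # Bob:   y_A^x_B
    assert k_a == k_b, "both sides must derive the same session key"
    return y_a, y_b, k_a


def discrete_log_bruteforce(a, y, q):
    """Smallest x >= 0 with a^x = y mod q, found by trying every exponent.
    This costs O(q) multiplications, which is exactly what a large q rules out."""
    acc = 1
    for x in range(q - 1):
        if acc == y:
            return x
        acc = (acc * a) % q
    return None


if __name__ == "__main__":
    y_a, y_b, k = dh_exchange(3, 353, 97, 233)
    print("y_A =", y_a, "y_B =", y_b, "K_AB =", k)            # 40 248 160
    print("x_A recovered by brute force:", discrete_log_bruteforce(3, y_a, 353))  # 97
```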
Key Exchange Protocols
Users could create random private/public D-H keys each time they communicate
Users could create a known private/public D-H key and publish it in a directory, to be consulted and used to securely communicate with them
Both of these are vulnerable to a man-in-the-middle attack
Authentication of the keys is needed
Man-in-the-Middle Attack
1. Darth prepares by creating two private/public keys
2. Alice transmits her public key to Bob
3. Darth intercepts this and transmits his first public key to Bob. Darth also calculates a shared key with Alice
4. Bob receives the public key and calculates the shared key (with Darth instead of Alice)
5. Bob transmits his public key to Alice
6. Darth intercepts this and transmits his second public key to Alice. Darth calculates a shared key with Bob
7. Alice receives the key and calculates the shared key (with Darth instead of Bob)
• Darth can then intercept, decrypt, re-encrypt, forward all messages between Alice & Bob
Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC)
•"Elliptic curve" is not a cryptosystem
•Elliptic curves are a different way to do the math in a public key system
•Elliptic curve versions of DH, RSA, etc.
•Elliptic curves may be more efficient
• Fewer bits needed for same security
• But the operations are more complex
What is an Elliptic Curve?
• An elliptic curve E is the graph of an equation of the form
y^2 = x^3 + ax + b
• Also includes a "point at infinity"
• What do elliptic curves look like?
Elliptic Curves
•Elliptic curves as algebraic/geometric entities have been studied extensively for the past 150 years, and from these studies has emerged a rich and deep theory.
•Elliptic curve systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz from the University of Washington, and Victor Miller, who was then at IBM, Yorktown Heights.
Groups
• Many cryptosystems often require the use of algebraic groups.
• Elliptic curves may be used to form elliptic curve groups. A group is a set of elements with custom-defined arithmetic operations on those elements.
• For elliptic curve groups, these specific operations are defined geometrically.
• Introducing more stringent properties to the elements of a group, such as limiting the number of points on such a curve, creates an underlying field for an elliptic curve group.
• Elliptic curves are first examined over real numbers in order to illustrate the geometrical properties of elliptic curve groups. Thereafter, elliptic curve groups are examined with the underlying fields F_p (where p is a prime) and F_2^m (a binary representation with 2^m elements).
Abelian Group
• An abelian group G, sometimes denoted by {G, • }, is a set
of elements with a binary operation, denoted by •, that
associates to each ordered pair (a, b) of elements in G an
element (a • b) in G, such that the following axioms are
obeyed:
• (A1) Closure: If a and b belong to G, then a • b is also in G.
• (A2) Associative: a • (b • c) = (a • b) • c for all a, b, c in G.
• (A3) Identity element: There is an element e in G such that a • e = e • a = a for all a in G.
• (A4) Inverse element: For each a in G there is an element a'
in G such that a • a' = a' • a = e.
• (A5) Commutative: a • b = b • a for all a, b in G.
A number of public-key ciphers are based on the use of an
abelian group
Elliptic Curve Groups over Real Numbers
• An elliptic curve over real numbers may be defined as the set of points (x,y) which satisfy an elliptic curve equation of the form:
• y^2 = x^3 + ax + b, where x, y, a and b are real numbers.
• Each choice of the numbers a and b yields a different elliptic curve. For example, a = -4 and b = 0.67 gives the elliptic curve with equation y^2 = x^3 - 4x + 0.67; the graph of this curve is shown
• If x^3 + ax + b contains no repeated factors, or equivalently if 4a^3 + 27b^2 is not 0, then the elliptic curve y^2 = x^3 + ax + b can be used to form a group.
• An elliptic curve group over real numbers consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity.
Elliptic Curve Addition: A Geometric Approach
•Elliptic curve groups are additive groups; that is, their basic function is addition. The addition of two points in an elliptic curve is defined geometrically.
•The negative of a point P = (x_P, y_P) is its reflection in the x-axis: the point -P is (x_P, -y_P). Notice that for each point P on an elliptic curve, the point -P is also on the curve.
Adding distinct points P and Q
• Suppose that P and Q are two distinct points on an elliptic curve, and that P is not -Q.
• To add the points P and Q, a line is drawn through the two points. This line will intersect the elliptic curve in exactly one more point, called -R.
• The point -R is reflected in the x-axis to the point R. The law for addition in an elliptic curve group is P + Q = R. For example:
Adding the points P and -P

• The line through P and -P is a vertical line which does


not intersect the elliptic curve at a third point; thus the
points P and -P cannot be added as previously.
• It is for this reason that the elliptic curve group includes
the point at infinity O. By definition, P + (-P) = O.
• As a result of this equation, P + O = P in the elliptic curve group. O is called the additive identity of the elliptic curve group; all elliptic curves have an additive identity.
Doubling the point P
• To add a point P to itself, a tangent line to the curve is drawn at the point P.
• If y_P is not 0, then the tangent line intersects the elliptic curve at exactly one other point, -R.
• -R is reflected in the x-axis to R. This operation is called doubling the point P; the law for doubling a point on an elliptic curve group is defined by:
P + P = 2P = R.
• The tangent from P is always vertical if y_P = 0.
Doubling the point P if y_P = 0
• If a point P is such that y_P = 0, then the tangent line to the elliptic curve at P is vertical and does not intersect the elliptic curve at any other point.
• By definition, 2P = O for such a point P.
• If one wanted to find 3P in this situation, one can add 2P + P. This becomes P + O = P. Thus 3P = P.
3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.
Elliptic Curve Addition: An Algebraic Approach
•Although the previous geometric descriptions of elliptic curves provide an excellent method of illustrating elliptic curve arithmetic, they are not a practical way to implement arithmetic computations.
•Algebraic formulae are constructed to efficiently compute the geometric arithmetic.
Adding distinct points P and Q
• When P = (x_P, y_P) and Q = (x_Q, y_Q) are not negatives of each other,
P + Q = R where
s = (y_P - y_Q) / (x_P - x_Q)
x_R = s^2 - x_P - x_Q and y_R = -y_P + s(x_P - x_R)
Note that s is the slope of the line through P and Q.
Doubling the point P
• When y_P is not 0,
2P = R where
s = (3x_P^2 + a) / (2y_P)
x_R = s^2 - 2x_P and y_R = -y_P + s(x_P - x_R)
Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.
Elliptic Curve Picture
[Figure: the curve E: y^2 = x^3 - x + 1 with points P1, P2 and P3 = P1 + P2 marked]
• Consider elliptic curve E: y^2 = x^3 - x + 1
• If P1 and P2 are on E, we can define P3 = P1 + P2 as shown in the picture
• Addition is all we need
Elliptic Curve Addition
• Consider y^2 = x^3 - 36x. Points on the curve are P = (-3.5, 9.5) and Q = (-2.5, 8.5). Find P+Q and 2P
• R = (x3, y3)?
s = (8.5 - 9.5)(-2.5 + 3.5)^(-1) = (-1)(1)^(-1) = -1
x3 = 1 + 3.5 + 2.5 = 7
y3 = -1(-3.5 - 7) - 9.5 = 1
R = (x3, y3) = (7, 1)
s = (3x_P^2 + a) / (2y_P) = {3(-3.5)^2 + (-36)} / (2 × 9.5) =
x_R = s^2 - 2x_P = and
y_R = -y_P + s(x_P - x_R) =
Elliptic Curve Groups over F_p
• Calculations over the real numbers are slow and inaccurate due to round-off error. Cryptographic applications require fast and precise arithmetic; thus elliptic curve groups over the finite fields F_p and F_2^m are used in practice.
• Recall that the field F_p uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in F_23 the field is composed of integers from 0 to 22, and any operation within this field will result in an integer also between 0 and 22.
• An elliptic curve with the underlying field F_p can be formed by choosing the variables a and b within the field F_p. The elliptic curve includes all points (x,y) which satisfy the elliptic curve equation modulo p (where x and y are numbers in F_p).
• For example: y^2 mod p = x^3 + ax + b mod p has an underlying field of F_p if a and b are in F_p.
If x^3 + ax + b contains no repeating factors
• (or, equivalently, if 4a^3 + 27b^2 mod p is not 0), then the elliptic curve can be used to form a group. An elliptic curve group over F_p consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity. There are finitely many points on such an elliptic curve.
Finding Points on Elliptic Curve
• Consider y^2 = x^3 + 2x + 3 (mod 5)
x = 0 ⇒ y^2 = 3 ⇒ no solution (mod 5)
x = 1 ⇒ y^2 = 6 = 1 ⇒ y = 1, 4 (mod 5)
x = 2 ⇒ y^2 = 15 = 0 ⇒ y = 0 (mod 5)
x = 3 ⇒ y^2 = 36 = 1 ⇒ y = 1, 4 (mod 5)
x = 4 ⇒ y^2 = 75 = 0 ⇒ y = 0 (mod 5)
• Then points on the elliptic curve are
(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)
and the point at infinity: O
Example of an Elliptic Curve Group over F_p
• As a very small example, consider an elliptic curve over the field F_23. With a = 1 and b = 0, the elliptic curve equation is y^2 = x^3 + x.
• The point (9,5) satisfies this equation since:
y^2 mod p = x^3 + x mod p
25 mod 23 = 729 + 9 mod 23
25 mod 23 = 738 mod 23
2 = 2
The 23 points which satisfy this equation are:
(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5) (13,18) (15,3)
(15,20) (16,8) (16,15) (17,10) (17,13) (18,10) (18,13) (19,1) (19,22)
(20,4) (20,19) (21,6) (21,17)
• These points may be graphed as below:
• Note that there are two points for every x value. Even though the graph seems random, there is still symmetry about y = 11.5. Recall that for elliptic curves over real numbers, there exists a negative point for each point, which is reflected through the x-axis. Over the field F_23, the negative components in the y-values are taken modulo 23, resulting in a positive number as a difference from 23. Here -P = (x_P, (-y_P mod 23)).
• Note that these rules are exactly the same as those for elliptic curve groups over real numbers, with the exception that computations are performed modulo p.
Arithmetic in an Elliptic Curve Group over Fp
• There are several major differences between elliptic curve
groups over Fp and over real numbers.
• Elliptic curve groups over Fp have a finite number of
points, which is a desirable property for cryptographic
purposes. Since these curves consist of a few discrete
points, it is not clear how to "connect the dots" to make
their graph look like a curve. It is not clear how geometric
relationships can be applied. As a result, the geometry
used in elliptic curve groups over real numbers cannot be
used for elliptic curve groups over Fp.
• However, the algebraic rules for the arithmetic can be
adapted for elliptic curves over Fp. Unlike elliptic curves
over real numbers, computations over the field of Fp
involve no round off error - an essential property required
for a cryptosystem.
Adding distinct points P and Q over F_p
• When P = (x_P, y_P) and Q = (x_Q, y_Q) are not negatives of each other,
P + Q = R where
s = (y_P - y_Q) / (x_P - x_Q) mod p
x_R = s^2 - x_P - x_Q mod p and
y_R = -y_P + s(x_P - x_R) mod p
Note that s is the slope of the line through P and Q.
Doubling the point P over F_p
• When y_P is not 0,
2P = R where
s = (3x_P^2 + a) / (2y_P) mod p
x_R = s^2 - 2x_P mod p and y_R = -y_P + s(x_P - x_R) mod p
Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.
Elliptic Curve Addition
• Consider y^2 = x^3 + 2x + 3 (mod 5). Points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and O
• What is (1,4) + (3,1) = P3 = (x3, y3)?
s = (1 - 4)(3 - 1)^(-1) = (-3)(2)^(-1)
= 2(3) = 6 = 1 (mod 5)
x3 = 1 - 1 - 3 = 2 (mod 5)
y3 = 1(1 - 2) - 4 = 0 (mod 5)
• On this curve, (1,4) + (3,1) = (2,0)
Another example: Find P+Q and 2P
Elliptic Curve Groups over F_2^m
• Elements of the field F_2^m are m-bit strings. The rules for arithmetic in F_2^m can be defined by either polynomial representation or by optimal normal basis representation. Since F_2^m operates on bit strings, computers can perform arithmetic in this field very efficiently.
• An elliptic curve with the underlying field F_2^m is formed by choosing the elements a and b within F_2^m (the only condition is that b is not 0). As a result of the field F_2^m having characteristic 2, the elliptic curve equation is slightly adjusted for binary representation:
• y^2 + xy = x^3 + ax^2 + b
• The elliptic curve includes all points (x,y) which satisfy the elliptic curve equation over F_2^m (where x and y are elements of F_2^m). An elliptic curve group over F_2^m consists of the points on the corresponding elliptic curve, together with a point at infinity, O. There are finitely many points on such an elliptic curve.
An Example of an Elliptic Curve Group over F_2^m
• As a very small example, consider the field F_2^4, defined by using polynomial representation with the irreducible polynomial f(x) = x^4 + x + 1.
The element g = (0010) is a generator for the field. The powers of g are:
g^0 = (0001) g^1 = (0010) g^2 = (0100) g^3 = (1000) g^4 = (0011) g^5 = (0110)
g^6 = (1100) g^7 = (1011) g^8 = (0101) g^9 = (1010) g^10 = (0111) g^11 = (1110)
g^12 = (1111) g^13 = (1101) g^14 = (1001) g^15 = (0001)
In a true cryptographic application, the parameter m must be large enough to preclude the efficient generation of such a table, otherwise the cryptosystem can be broken. In today's practice, m = 160 is a suitable choice. The table allows the use of generator notation (g^e) rather than bit string notation, as used in the following example. Also, using generator notation allows multiplication without reference to the irreducible polynomial f(x) = x^4 + x + 1.
• Consider the elliptic curve y^2 + xy = x^3 + g^4 x^2 + 1. Here a = g^4 and b = g^0 = 1. The point (g^5, g^3) satisfies this equation over F_2^m:
y^2 + xy = x^3 + g^4 x^2 + 1
(g^3)^2 + g^5 g^3 = (g^5)^3 + g^4 g^10 + 1
g^6 + g^8 = g^15 + g^14 + 1
(1100) + (0101) = (0001) + (1001) + (0001)
(1001) = (1001)
The fifteen points which satisfy this equation are:
(1, g^13) (g^3, g^13) (g^5, g^11) (g^6, g^14) (g^9, g^13) (g^10, g^8) (g^12, g^12)
(1, g^6) (g^3, g^8) (g^5, g^3) (g^6, g^8) (g^9, g^10) (g^10, g) (g^12, 0) (0, 1)
These points are graphed below:
Arithmetic in an Elliptic Curve Group over F_2^m
• Elliptic curve groups over F_2^m have a finite number of points, and their arithmetic involves no round off error. Combined with the binary nature of the field, this means F_2^m arithmetic can be performed very efficiently by a computer.
The following algebraic rules are applied for arithmetic over F_2^m:
Adding distinct points P and Q
• The negative of the point P = (x_P, y_P) is the point -P = (x_P, x_P + y_P). If P and Q are distinct points such that P is not -Q, then
P + Q = R where
s = (y_P + y_Q) / (x_P + x_Q)
x_R = s^2 + s + x_P + x_Q + a
• y_R = s(x_P + x_R) + x_R + y_P
As with elliptic curve groups over real numbers, P + (-P) = O, the point at infinity. Furthermore, P + O = P for all points P in the elliptic curve group.
Doubling the point P
• If x_P = 0, then 2P = O
Provided that x_P is not 0,
2P = R where
s = x_P + (y_P / x_P)
x_R = s^2 + s + a
y_R = x_P^2 + (s + 1) * x_R
Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P
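The F_2^4 generator table and the F_2^m addition and doubling rules above, implemented in Python as an added example (not code from the slides), using the slides' irreducible polynomial x^4 + x + 1 and the curve y^2 + xy = x^3 + g^4 x^2 + 1. It checks all fifteen listed points, enumerates the curve independently, adds (g^5, g^3) + (g^3, g^13) and doubles (g^5, g^3); the `gf_*` helper names and `gp()` are mine.

```python
# Added example: arithmetic in F_{2^4} (polynomial basis, modulus x^4+x+1)
# and the slides' point addition/doubling rules over F_{2^m}.
M = 4
POLY = 0b10011          # x^4 + x + 1
ORDER = (1 << M) - 1    # 15 non-zero field elements
G = 0b0010              # the slides' generator g = (0010), i.e. x


def gf_add(a, b):
    return a ^ b        # addition in characteristic 2 is XOR


def gf_mul(a, b):
    """Polynomial multiplication modulo x^4 + x + 1 (shift-and-xor)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):   # degree reached 4: reduce by the modulus
            a ^= POLY
    return r


def gf_pow(a, e):
    r = 1
    for _ in range(e):
        r = gf_mul(r, a)
    return r


def gf_inv(a):
    """a^(2^m - 2) = a^-1 for a != 0, since a^(2^m - 1) = 1 in F_{2^m}."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return gf_pow(a, ORDER - 1)


def gp(e):
    """g^e as an integer, so points can be written the way the slides do."""
    return gf_pow(G, e)


def generator_table():
    """The slides' table: g^0 .. g^15 as 4-bit strings."""
    return [format(gp(i), "04b") for i in range(ORDER + 1)]


A, B = gp(4), gp(0)    # curve y^2 + xy = x^3 + g^4 x^2 + 1


def on_curve(P):
    if P is None:          # None stands for the point at infinity O
        return True
    x, y = P
    lhs = gf_add(gf_mul(y, y), gf_mul(x, y))
    x2 = gf_mul(x, x)
    rhs = gf_add(gf_add(gf_mul(x2, x), gf_mul(A, x2)), B)
    return lhs == rhs


def neg(P):
    x, y = P
    return (x, gf_add(x, y))          # -P = (x_P, x_P + y_P)


def add(P, Q):
    """Group law over F_{2^m} from the slides (addition and doubling)."""
    if P is None:
        return Q
    if Q is None:
        return P
    xp, yp = P
    xq, yq = Q
    if xp == xq:
        if yp != yq or xp == 0:   # Q = -P, or doubling a point with x_P = 0
            return None
        s = gf_add(xp, gf_mul(yp, gf_inv(xp)))            # s = x_P + y_P/x_P
        xr = gf_add(gf_add(gf_mul(s, s), s), A)            # s^2 + s + a
        yr = gf_add(gf_mul(xp, xp), gf_mul(gf_add(s, 1), xr))  # x_P^2 + (s+1)x_R
        return (xr, yr)
    s = gf_mul(gf_add(yp, yq), gf_inv(gf_add(xp, xq)))    # (y_P+y_Q)/(x_P+x_Q)
    xr = gf_add(gf_add(gf_add(gf_add(gf_mul(s, s), s), xp), xq), A)
    yr = gf_add(gf_add(gf_mul(s, gf_add(xp, xr)), xr), yp)
    return (xr, yr)


SLIDE_POINTS = [(1, gp(13)), (gp(3), gp(13)), (gp(5), gp(11)), (gp(6), gp(14)),
                (gp(9), gp(13)), (gp(10), gp(8)), (gp(12), gp(12)), (1, gp(6)),
                (gp(3), gp(8)), (gp(5), gp(3)), (gp(6), gp(8)), (gp(9), gp(10)),
                (gp(10), gp(1)), (gp(12), 0), (0, 1)]


def all_points():
    """Enumerate every affine (x, y) in F_{2^4}^2 that lies on the curve."""
    return sorted((x, y) for x in range(16) for y in range(16) if on_curve((x, y)))
```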
Elliptic Curve groups and the Discrete Logarithm Problem
• At the foundation of every cryptosystem is a hard mathematical problem that is computationally infeasible to solve. The discrete logarithm problem is the basis for the security of many cryptosystems including the Elliptic Curve Cryptosystem. More specifically, the ECC relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP).
Recall that we examined two geometrically defined operations over certain elliptic curve groups. These two operations were point addition and point doubling. By selecting a point P in an elliptic curve group, one can double it to obtain the point 2P. After that, one can add the point P to the point 2P to obtain the point 3P. The determination of a point nP in this manner is referred to as scalar multiplication of a point. The ECDLP is based upon the intractability of scalar multiplication products.
Scalar Multiplication
• The following animation demonstrates scalar multiplication through the combination of point doubling and point addition.
While it is customary to use additive notation to describe an elliptic curve group, some insight is provided by using multiplicative notation. Specifically, consider the operation called "scalar multiplication" under additive notation: that is, computing kP by adding together k copies of the point P. Using multiplicative notation, this operation consists of multiplying together k copies of the point P, yielding the point P*P*P*P*…*P = P^k.
The Elliptic Curve Discrete Logarithm Problem
• If the elliptic curve group is described using multiplicative notation, then the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that P^k = Q; k is called the discrete logarithm of Q to the base P. When the elliptic curve group is described using additive notation, the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that kP = Q.
Example:
In the elliptic curve group defined by
y^2 = x^3 + 9x + 17 over F_23,
what is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?
• One (naïve) way to find k is to compute multiples of P until Q is found. The first few multiples of P are:
P = (16,5) 2P = (20,20) 3P = (14,14) 4P = (19,20) 5P = (13,10) 6P = (7,3) 7P = (8,7) 8P = (12,17) 9P = (4,5)
Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.
In a real application, k would be large enough such that it would be infeasible to determine k in this manner.
An Example of the Elliptic Curve Discrete Logarithm Problem
• What is the discrete logarithm of Q(-0.35, 2.39) to the base P(-1.65, -2.79) in the elliptic curve group y^2 = x^3 - 5x + 4 over real numbers?
Diffie-Hellman
• Invented by Williamson (GCHQ) and, independently, by D and H (Stanford)
• A "key exchange" algorithm
•Used to establish a shared symmetric key
• Not for encrypting or signing
• Security rests on difficulty of discrete log problem: given g, p, and g^k mod p find k
Diffie-Hellman
• Let p be prime, let g be a generator
•For any x ∈ {1,2,…,p-1} there is n s.t. x = g^n mod p
• Alice selects private value a
• Bob selects private value b
• Alice sends g^a mod p to Bob
• Bob sends g^b mod p to Alice
• Both compute shared secret g^ab mod p
• Shared secret can be used as symmetric key
Diffie-Hellman
• Public: g and p
• Private: Alice's exponent a, Bob's exponent b
[Figure: Alice (a) sends g^a mod p to Bob; Bob (b) sends g^b mod p to Alice]
• Alice computes (g^b)^a = g^ba = g^ab mod p
• Bob computes (g^a)^b = g^ab mod p
• Could use K = g^ab mod p as symmetric key
Diffie-Hellman
• Suppose that Bob and Alice use g^ab mod p as a symmetric key
• Trudy can see g^a mod p and g^b mod p
• Note g^a · g^b mod p = g^(a+b) mod p ≠ g^ab mod p
• If Trudy can find a or b, system is broken
• If Trudy can solve discrete log problem, then she can find a or b
Diffie-Hellman
• Subject to man-in-the-middle (MiM) attack
[Figure: Alice (a) sends g^a mod p, and Trudy (t) forwards g^t mod p to Bob; Bob (b) sends g^b mod p, and Trudy forwards g^t mod p to Alice]
• Trudy shares secret g^at mod p with Alice
• Trudy shares secret g^bt mod p with Bob
• Alice and Bob don't know Trudy exists!
Diffie-Hellman
• How to prevent MiM attack?
• Encrypt DH exchange with symmetric key
• Encrypt DH exchange with public key
• Sign DH values with private key
Using Elliptic Curve Cryptography to avoid MiM attack on DH
ECC Diffie-Hellman
• Public: Elliptic curve and point (x,y) on curve
• Private: Alice's A and Bob's B
[Figure: Alice (A) sends A(x,y) to Bob; Bob (B) sends B(x,y) to Alice]
• Alice computes secret key using A(B(x,y))
• Bob computes secret key using B(A(x,y))
• These are the same since AB = BA
ECC Diffie-Hellman
• Public: Curve y^2 = x^3 + 7x + b (mod 37) and point (2,5) ⇒ b = 3
• Alice's private key: A = 4
• Bob's private key: B = 7
• Alice sends Bob: 4(2,5) = (7,32)
• Bob sends Alice: 7(2,5) = (18,35)
• Alice computes: 4(18,35) = (22,1)
• Bob computes: 7(7,32) = (22,1)
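The F_p addition and doubling formulas from the slides, implemented in Python as an added example (not code from the slides) and run against the slides' own numbers: the points of y^2 = x^3 + 2x + 3 (mod 5) and (1,4) + (3,1) = (2,0), the naive ECDLP search giving 9P = Q on y^2 = x^3 + 9x + 17 over F_23, and the ECDH exchange on the mod-37 curve above. The `Curve` class, `ecdh()` and the method names are mine.

```python
# Added example: elliptic-curve arithmetic over F_p (slides' formulas),
# double-and-add scalar multiplication, naive ECDLP and ECDH.

class Curve:
    """y^2 = x^3 + a x + b over F_p; None stands for the point at infinity O."""

    def __init__(self, a, b, p):
        self.a, self.b, self.p = a % p, b % p, p

    def nonsingular(self):
        """The slides' criterion for forming a group: 4a^3 + 27b^2 != 0 mod p."""
        return (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """All affine points, found by testing every (x, y) in F_p x F_p."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.on_curve((x, y))]

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """P + Q using the chord (P != Q) or tangent (P == Q) slope."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        xp, yp = P
        xq, yq = Q
        if xp == xq and (yp + yq) % p == 0:
            return None                     # Q = -P (also covers y_P = 0 doubling)
        if P == Q:
            s = (3 * xp * xp + self.a) * pow(2 * yp % p, -1, p) % p
        else:
            s = (yp - yq) * pow((xp - xq) % p, -1, p) % p
        xr = (s * s - xp - xq) % p
        yr = (-yp + s * (xp - xr)) % p
        return (xr, yr)

    def mul(self, k, P):
        """kP by double-and-add: the same bit-scanning idea as square-and-multiply."""
        R = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def discrete_log(self, P, Q, limit=10_000):
        """Naive ECDLP: walk P, 2P, 3P, ... until Q shows up.  Feasible only
        because these curves are tiny; on real curves k is far too large."""
        R, k = P, 1
        while R != Q:
            if R is None or k >= limit:
                return None
            R = self.add(R, P)
            k += 1
        return k


def ecdh(curve, G, a, b):
    """Alice (a) and Bob (b) exchange aG and bG and both compute abG."""
    A_pub, B_pub = curve.mul(a, G), curve.mul(b, G)
    k_alice, k_bob = curve.mul(a, B_pub), curve.mul(b, A_pub)
    assert k_alice == k_bob, "AB = BA, so both sides must agree"
    return A_pub, B_pub, k_alice


if __name__ == "__main__":
    c5 = Curve(2, 3, 5)
    print("points mod 5:", c5.points(), "(1,4)+(3,1) =", c5.add((1, 4), (3, 1)))
    c23 = Curve(9, 17, 23)
    print("k with kP = Q over F_23:", c23.discrete_log((16, 5), (4, 5)))   # 9
    c37 = Curve(7, 3, 37)
    print("ECDH mod 37:", ecdh(c37, (2, 5), 4, 7))    # ((7,32), (18,35), (22,1))
```

`nonsingular()` returns False for the mod-5 toy curve, since 4·2^3 + 27·3^2 = 275 ≡ 0 (mod 5), so by the slides' own criterion it does not form a proper group even though the formula still reproduces (1,4) + (3,1) = (2,0). The F_23 and mod-37 curves pass the check.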
