ACM Ubiquity, Volume 9, Issue 20 May 20 – 26, 2008

Elliptic Curve Cryptography

Vivek Kapoor
Department of Computer Engineering
Delhi College of Engineering

Vivek Sonny Abraham
Department of Computer Engineering
Delhi College of Engineering

Ramesh Singh
National Informatics Centre
Government Of India

Abstract

This paper describes the Elliptic Curve Cryptography algorithm and its suitability for smart cards.

1 Information Security

Information security is essential for today's world since, for profitable and legal trading, confidentiality, integrity and non-repudiability of the associated information are necessary. This can be done using cryptographic systems. Integrated cryptographic systems satisfy all the above-mentioned requirements. Desired properties of a secure communication system may include any or all of the following [wik, PVO96]:

Confidentiality: Only an authorized recipient should be able to extract the contents of the encoded data, in part or whole.

Integrity: The recipient should be able to establish if the message has been altered during transmission.

Authentication: The recipient should be able to identify the sender, and verify that the purported sender actually sent the message.

Non-Repudiation: The sender should not be able to deny sending the message, if he actually did send it.

Anti-replay: The message should not be allowed to be sent to multiple recipients, without the sender's knowledge.

Proof of Delivery: The sender should be able to prove that the recipient received the message.

2 History

Cryptography has been in use for centuries now, and the earliest ciphers used either transposition or substitution, and messages were encoded and decoded by hand. However, these schemes satisfied only the basic requirement of confidentiality. In more recent times, with the invention of processing machines, more robust algorithms were required, as the simple ciphers were easy to decode using these machines, and moreover they did not have any of the aforementioned properties. Secure data communication became a necessity in the 20th century and a lot of research was done in this field by government agencies, during and following the world wars. The most famous machine of this time, Enigma, was an electro-mechanical device which was used by the German Army.

2.1 Symmetric Algorithms

The first secret key-based cryptographic algorithms worked on the symmetric algorithms. They assumed that both communicating parties shared some secret information, which was unique to them, much like the older One Time Pads. Using this secret information, also called a key, the sender encrypted[1] the data, and the recipient was able to decrypt. Suppose Alice wants to send a message m to Bob, and assume

[1] encrypt-encipher-encode and decrypt-decipher-decode are used interchangeably
that they both have already shared a key k. Alice encrypts m using the shared key k to get the cipher text.

    C(k, m) = E_k(m)                                        (1)

Bob can then decrypt this message using his copy of the key k, and extract the original message m.

    D_k(C(k, m)) = D_k(E_k(m)) = m                          (2)

Here C(k, m) denotes the cipher text corresponding to message m and key k, E the encryption function and D the decryption function.

This technique, though simple and easy to implement, has obvious drawbacks, some of which are listed here:

• A shared secret key must be agreed upon by both parties.
• If a user has n communicating partners, then n secret keys must be maintained, one for each partner.
• Authenticity of origin or receipt cannot be proved because the secret key is shared.
• Management of the symmetric keys becomes problematic.

2.2 Public Key cryptography

The concept of Public Key cryptography (PKC) was first introduced by Diffie and Hellman in 1976, in their seminal paper, New Directions in Cryptography [DH76]. This paper also addressed the issue of key exchange, based on the intractability of the discrete logarithm problem. In a public key cryptosystem, each user has a pair of keys: one is published publicly, known as the public key, and the other, known as the private key, is stored in a secure location. Public key cryptosystems rely on the existence of a trap-door function, which makes decoding possible given the knowledge of the private key corresponding to the public key used for encryption. Considering a case analogous to the one described in the case of symmetric keys, whereby Alice wishes to send a message m to Bob, the following steps will accomplish the task (Σ_χ denotes the published public key of user χ and ∆_τ the secure private key of user τ):

1. Alice passes the message m and Bob's public key Σ_B to an appropriate encryption algorithm to construct the encrypted message.

    C(Σ_B, m) = E_{Σ_B}(m)                                  (3)

2. Alice transmits the encoded message to Bob.

3. Bob decrypts the encrypted message received by him, using his private key ∆_B and the appropriate decryption algorithm.

    D_{∆_B}(C(Σ_B, m)) = D_{∆_B}(E_{Σ_B}(m)) = m             (4)

Bob is assured that the data he received is not tampered with or leaked, as only his private key can decrypt the data. Similarly Bob can send data to Alice using her public key Σ_A. The PKC scheme also satisfies Non-Repudiation and Authenticity by using innovative techniques such as Digital Signatures [Sch95].

3 Smart Cards

3.1 Basics

A smart card, chip card, or integrated circuit(s) card (ICC), is defined as any pocket-sized card with embedded integrated circuits. Although there is a diverse range of applications, there are two broad categories of ICCs. Memory cards contain only non-volatile memory storage components, and perhaps some specific security logic. Microprocessor cards contain memory and microprocessor components. The standard perception of a smart card is a microprocessor card of credit-card dimensions (or smaller, e.g. the GSM SIM card) with various tamper-resistant properties (e.g. a secure crypto-processor, secure file system, human-readable features) and is capable of providing security services (e.g. confidentiality of information in the memory). Not all chip cards contain a microprocessor (e.g. the memory cards), therefore not all chip cards are necessarily also smart cards [wik].

3.2 Application

Smartcards were invented and patented in the early 1970s, but the first mass use of smartcards was made in 1983, in French pay-phones. A major boom in Smartcard use came in the 1990s, with their introduction as SIM cards in mobile phones. They are commonly in use now. Smartcard technology is an industry standard defined and controlled by the Joint Technical Committee 1 (JCT1) of the International Standards Organization (ISO) and the International Electronic Committee (IEC). The series of international standards ISO/IEC 7816, introduced in 1987 with the latest update in 2003, defines various aspects of a smartcard, including physical characteristics, physical contacts, electronic signals and transmission protocols, commands, security architecture etc. Smartcards don't contain a battery, and become active only when connected with a card reader. When connected, after a reset sequence, the card remains passive, waiting to receive a command request from a client (host) application. Smartcards can be contactless (based on Radio Frequency ID tags), or can have a standard 8-pin contact [Ort03].

Today smartcards are used for various applications all over the world including Banking, Medical records, GSM SIM cards, Identification and cryptographic services. They have storage and processing capability, and are convenient to carry around, and as the processing power and memory capacity of smartcards improves, their range of applications is expanding as well.

3.3 Java Card

Java Card technology adapts the Java platform for use on smart cards and other devices whose environments are highly specialized, and whose memory and processing constraints are typically more severe than those of J2ME devices. On a Java Card platform multiple applications from different vendors can co-exist securely. Java Cards are capable of running Java byte codes, and up to 3 applets at once. A major advantage of running downloadable applets is that in case of a security breach, the user only needs to download and write a new applet onto his/her Java Card, instead of destroying the Card and waiting for a new one to be shipped to him/her. A typical Java Card device has an 8- or 16-bit CPU running at 5 MHz, with 2K of RAM and more than 32K of non-volatile memory (EEPROM or Flash). High performance smartcards come with a separate processor and cryptographic chip and memory for encryption, and some come with a 32-bit CPU.

4 Current technology - RSA

RSA stands for Rivest, Adleman and Shamir, who devised this algorithm in 1977 at MIT. RSA is the most widely used public-key encryption scheme today. The US patent on the RSA algorithm expired in 2000, but as the algorithm was already published prior to the patent application, it precluded patents elsewhere.

The security of the RSA cryptosystem is based on two mathematical problems: the problem of factoring very large numbers, and the RSA problem. Both of these problems are hard, i.e., no efficient algorithm exists for solving them.

The RSA problem is defined as the task of taking e-th roots modulo a composite n: recovering a value m such that m^e = c (mod n), where (e, n) is the public key and c is the ciphertext. Currently the most promising approach to solving the RSA problem is to factor the modulus n. With the ability to recover the prime factors, an attacker can compute the secret exponent d from a public key (e, n), then decrypt c using the standard procedure. To accomplish this, an attacker factors n into p and q, and computes (p−1)(q−1) which allows the determination of d from e. No polynomial-time method for factoring large integers on a classical computer has yet been found, but it has not been proven that none exists [wik].

4.1 Basic Algorithm

4.1.1 Key Generation

Suppose Alice and Bob are communicating over an insecure (open) transmission medium, and Alice wants Bob to send her a private (or secure) message [wik].

Using RSA, Alice will take the following steps to generate a public key and a private key:

1. Choose two large prime numbers p and q such that p ≠ q, randomly and independently of each other.

2. Compute

    n = pq                                                  (5)

3. Compute the totient

    φ(n) = (p − 1)(q − 1)                                   (6)

4. Choose an integer e such that 1 < e < φ(n) which is coprime to φ(n).

5. Compute d such that

    de ≡ 1 (mod φ(n))                                       (7)

The public key consists of:

• n, the modulus, and
• e, the public exponent (sometimes encryption exponent)

The private key consists of:

• n, the modulus, and
• d, the private exponent (sometimes decryption exponent), which must be kept secret.

Alice transmits the public key to Bob, and keeps the private key secret. p and q are sensitive since they are the factors of n, and allow computation of d given e.

4.1.2 Encrypting Messages

Suppose Bob wishes to send a message M to Alice. He turns M into a number m < n, using some previously agreed-upon reversible protocol known as a padding scheme. Bob now has m, and knows n and e, which Alice has announced. He then computes the ciphertext c corresponding to m:

    c = m^e (mod n)                                         (8)

Bob transmits c to Alice.

4.1.3 Decrypting Messages

Alice receives c from Bob, and knows her private key d. She can recover m from c by the following procedure:

    m = c^d (mod n)                                         (9)

Given m, she can recover the original message M. The decryption procedure works because

    c^d ≡ (m^e)^d ≡ m^(ed) (mod n).                         (10)

Now, since

    ed = 1 (mod p − 1)                                      (11)

and

    ed = 1 (mod q − 1),                                     (12)

Fermat's little theorem yields

    m^(ed) ≡ m (mod p)                                      (13)

and

    m^(ed) ≡ m (mod q).                                     (14)

Since p and q are distinct prime numbers, applying the Chinese remainder theorem to these two congruences yields

    m^(ed) ≡ m (mod pq).                                    (15)

Thus,

    c^d ≡ m (mod n).                                        (16)

4.2 Issues with RSA

As of 2005, the largest number factored using general purpose methods is 663 bits long, using state of the art distributed methods. Experts feel that 1024-bit keys may become breakable in the near future (though this is disputed). 256-bit keys are breakable in a few hours using a personal computer. The current recommended key-length is 2048 bits [wik]. Though this length may be insignificant for most personal computers in use, it causes low processing power portable devices like smartcards to become inefficient. There are constraints on processor word length, available memory and clock speeds in these devices. As the need for portable and secure identification slowly becomes a necessity, and as RSA key sizes will increase in proportion to the processor power available, there arises a need to devise a scheme which provides the same level of cryptographic security with smaller key lengths. ECC is one such scheme, described in the following section.
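As an added example (not code from the paper), the following Python implements the RSA key generation, encryption and decryption of Section 4.1 with constructed toy primes and checks that Equations 7 and 11 to 15 hold for the generated key; the function names and the plain byte encoding used in place of a padding scheme are the example's own.

```python
# Added example, not code from the paper: the RSA procedure of Section 4.1 with
# constructed toy primes. Real keys are thousands of bits long and must use a proper
# padding scheme; the plain byte encoding below only illustrates "turn M into m < n".
from math import gcd


def generate_keys(p, q, e=65537):
    """Steps 1-5 of Section 4.1.1. Returns ((n, e), (n, d))."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                                   # Equation 5
    phi = (p - 1) * (q - 1)                     # Equation 6
    if not 1 < e < phi or gcd(e, phi) != 1:     # step 4: e coprime to phi(n)
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                         # Equation 7: d*e = 1 (mod phi(n))
    return (n, e), (n, d)


def message_fits(M, n):
    """True if the byte encoding of M is a number below n (Section 4.1.2)."""
    return int.from_bytes(M.encode("utf-8"), "big") < n


def encode_message(M, n):
    """Turn M into an integer m < n. This is NOT a secure padding scheme."""
    if not message_fits(M, n):
        raise ValueError("message too long for this modulus")
    return int.from_bytes(M.encode("utf-8"), "big")


def decode_message(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("m must be in the range 0 <= m < n")
    return pow(m, e, n)                         # Equation 8


def decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)                         # Equation 9


def check_crt_argument(p, q, e, d, m):
    """Equations 11-15: ed = 1 mod (p-1) and mod (q-1), hence m^ed = m mod p, q and pq."""
    ed = e * d
    return (ed % (p - 1) == 1 and ed % (q - 1) == 1
            and pow(m, ed, p) == m % p
            and pow(m, ed, q) == m % q
            and pow(m, ed, p * q) == m % (p * q))


def rsa_roundtrip(M, p, q, e):
    """Bob encrypts M for Alice (Section 4.1.2); Alice decrypts it (Section 4.1.3)."""
    pub, priv = generate_keys(p, q, e)
    c = encrypt(pub, encode_message(M, pub[0]))
    return decode_message(decrypt(priv, c))


if __name__ == "__main__":
    # Constructed toy values: p = 61, q = 53, e = 17 give n = 3233 and d = 2753.
    pub, priv = generate_keys(61, 53, 17)
    c = encrypt(pub, encode_message("A", pub[0]))
    print("public", pub, "private", priv, "ciphertext", c)
    print("decrypted:", decode_message(decrypt(priv, c)))
    print("CRT argument holds:", check_crt_argument(61, 53, 17, priv[1], 65))
```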

5 ECC

Elliptic Curve Cryptography is an approach to public-key cryptography, based on elliptic curves over finite fields. The technique was first proposed individually by Neal Koblitz and Victor Miller in 1985. ECC is based on the Elliptic Curve Discrete Logarithm problem, which is a known NP-Hard problem. An elliptic curve is defined by the equation

    y^2 + xy = x^3 + ax + b                                 (17)

which can also be used in the form y^2 = x^3 + ax + b. A brief introduction to the mathematics required for elliptic curves, and their usage, is given in the following section.

Figure 1: Elliptic curve showing the operation P + Q = R. (See Appendix B)

5.1 Basic Algorithm

5.1.1 Operations on Elliptic Curves

The crucial property of an elliptic curve is that we can define a rule for adding two points which are on the curve, to obtain a third point which is also on the curve. This addition rule satisfies the normal properties of addition. The points and the addition law form a finite Abelian group. [Bar97]

For addition to be well defined for any two points, we need to include an extra zero point 0, which does not satisfy the elliptic curve equation. 0 is taken to be a point of the curve. The order of the curve is the number of distinct points on the curve, including the zero point.

Having defined addition of two points, we can also define multiplication kP, where k is a positive integer and P is a point, as the sum of k copies of P. Thus 2P = P + P.

5.1.2 Cryptography

Alice, Bob, Cathy, David... agree on a (non-secret) elliptic curve and a (non-secret) fixed curve point F. Alice chooses a secret random integer A_k which is her secret key, and publishes the curve point A_P = A_k F as her public key. Bob, Cathy and David do the same. Now suppose Alice wishes to send a message to Bob. One method is for Alice to simply compute A_k B_P and use the result as the secret key for a conventional symmetric block cipher (say DES). Bob can compute the same number by calculating B_k A_P, since

    B_k A_P = B_k · (A_k F) = A_k · (B_k F) = A_k B_P.      (18)

The security of the scheme is based on the assumption that it is difficult to compute k given F and kF.

5.1.3 Choosing the Fixed Curve

A finite field is first chosen (see Appendix A). If the field is GF(p) where p is a large prime, the xy term
is omitted, leaving us with (see Equation 17)

    y^2 = x^3 + ax + b, where 4a^3 + 27b^2 ≠ 0.             (19)

If the field is GF(2^m), then we include the xy term to get

    y^2 + xy = x^3 + ax^2 + b, where b ≠ 0.                 (20)

Fields GF(p^m) with both p > 2 and m > 1 are not considered here.

5.1.4 Choosing the Fixed Point

For any point P on an elliptic curve over GF(p^m),

    lim (k→∞) kP → 0.

For some a and b, b > a, we will have aP = bP. This implies cP = 0 where c = b − a. The least c for which this is true is called the order of the point, and c must divide the order of the curve.

For good security, the curve and fixed point are chosen so that the order of the fixed point F is a large prime number. This is determined from the order of the curve, which is computed using Schoof's Algorithm [IKNY98]. For good security, the order of the fixed point should also satisfy the MOV condition to prevent certain possible attacks.

As far as is known, with the above provisions, if the order of the fixed point F is an n-bit prime, then computing k from kF and F takes roughly 2^(n/2) operations. This is what makes the use of elliptic curves attractive – it means that public keys and signatures can be much smaller than with RSA for the same predicted security.

5.2 Advantages over RSA

5.2.1 Security

The main advantage ECC has over RSA is that the basic operation in ECC is point addition (see Appendix B), which is known to be computationally very expensive. This is one of the reasons why it is very unlikely that a general sub-exponential attack on ECC will be discovered in the near future, though ECC has a few attacks on a few particular classes of curves. These curves can be readily distinguished and can be avoided. On the other hand, RSA already has a known sub-exponential attack which works in general. Thus, to maintain the same degree of security, in view of rising computing power, the number of bits required in the RSA generated key pair will rise much faster than in the ECC generated key pair, as seen in Table 1.

Menezes and Jurisic, in their paper [JM97], said that to achieve reasonable security, a 1024-bit modulus would have to be used in an RSA system, while a 160-bit modulus should be sufficient for ECC.

    Time to break      RSA key-size    ECC key-size
    (in MIPS-years)    (in bits)       (in bits)
    10^4               512             106
    10^8               768             132
    10^11              1024            160
    10^20              2048            210
    10^78              21000           600

    Table 1: Comparison of strength of RSA and ECC

Most attacks on ECC are based on attacks on similar discrete logarithm problems, but these work out to be much slower due to the added complexity of point addition. Also, methods to avoid each of the attacks have already been designed. [Pie00]

5.2.2 Space Requirements

Due to the increasing computation required for higher-bit encryption, more transistors are required onboard the smart card to perform the operation. This leads to an increase in the area used for the processor. Using ECC, the number of transistors can be cut back since the numbers involved are much smaller than in an RSA system with a similar level of security.

Also, the bandwidth requirements for both of the systems are the same when the messages to be signed are long, but ECC is faster when the messages are short. This is more relevant, since PKC is used to transmit mostly short messages, e.g. session ids.

5.2.3 Efficiency

Both methods can be made faster – in RSA, by using a smaller public exponent, though this holds a greater security risk, and in ECC, some results of the calculation can be stored beforehand. Certicom, a Canadian company, has been studying and promoting the ECC system since the early '80s. Some of their results of fast implementations of ECC compared to RSA are given in Table 2.

    Function          ECC 163-bit (in ms)    RSA 1024-bit (in ms)
    Key Generation    3.8                    4708.3
    Sign              2.1 (ECNRA)            228.4
                      3.0 (ECDSA)
    Verify            9.9 (ECNRA)            12.7
                      10.7 (ECDSA)

    Table 2: Comparison of RSA and ECC

6 Conclusions

In the discussion above, we have seen that ECC is faster, and occupies less memory space than an equivalent RSA system. This means that it is suitable for constrained environments, especially in smartcards, where fast operations are necessary. Though the industry has been excruciatingly slow in adopting the new technique, RSA Security in an article on their website has implicitly agreed that ECC is the way to the future. The difference in the key-sizes between ECC and RSA will grow exponentially to maintain the same relative strength as compared to the average computing power available.

The one thing working against ECC is that though elliptic curves have been a well-researched field, albeit an esoteric and extremely vast one[2], its cryptographic applications have been noticed only recently. This is the only advantage that RSA has over ECC. RSA has been well-researched and has been the topic of many seminal theses. In fact, the cryptographic use for elliptic curves was only discovered in the process of finding out new attacks on the RSA system. [Len87]

[2] "It is possible to write endlessly on elliptic curves. (This is not a threat.)" – Serge Lang

A Galois Fields

The familiar examples of fields are R, C, Q and Z (mod p) for all prime numbers p. The latter is an example of a finite field. The requirements of a field are the operations of addition and multiplication, plus the existence of both additive and multiplicative inverses (except that 0 doesn't have a multiplicative inverse). To put it another way, a field has addition, subtraction, multiplication and division – and these operations always produce a result that is in the field, with the exception of division by zero, which is undefined.

Recall that complex numbers can be defined as a + b·ι with the reduction rule ι^2 + 1 = 0. To multiply complex numbers we treat ι as an unknown, collect up powers of ι, and apply the reduction rule to simplify the result. It turns out that this construction works for other reduction rules involving higher powers of ι. To avoid confusion, in what follows, t is used instead of ι.

The coefficients of the powers of t can be from any field – but if we take the field to be Z (mod p), we get a finite field with p^m elements, where m is the degree of the reduction rule – that is, the exponent of the highest power of t.

For example, if we set p = 2, m = 4, and use the reduction rule t^4 + t + 1 = 0, we get a field with 2^4 = 16 distinct elements: 0, 1, t, t + 1, t^2, t^2 + 1, t^2 + t, t^2 + t + 1, t^3, t^3 + 1, t^3 + t, t^3 + t + 1, t^3 + t^2, t^3 + t^2 + 1, t^3 + t^2 + t, t^3 + t^2 + t + 1.

This construction works for all p and m, as long as p is prime; in fact every finite field can be constructed in this way; moreover two finite fields with the same number of elements are always isomorphic – that is, there is a 1-1 map between them which preserves the addition and multiplication rules. This field is called the Galois Field with p^m elements, denoted by GF(p^m).
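As an added example (not code from the paper), the following Python builds the 16-element field GF(2^4) from the reduction rule t^4 + t + 1 = 0 used above, storing each element a3 t^3 + a2 t^2 + a1 t + a0 as the integer with bits a3 a2 a1 a0, and checks the field requirement stated at the start of this appendix, that every non-zero element has a multiplicative inverse; the function names are the example's own.

```python
# Added example, not code from the paper: arithmetic in GF(2^4) of Appendix A, built
# from the reduction rule t^4 + t + 1 = 0. Elements are integers 0..15 whose bit i is
# the coefficient of t^i, so 0b1011 is t^3 + t + 1. Inputs are assumed to be < 16.
M = 4
REDUCTION = 0b10011        # t^4 + t + 1, the paper's reduction rule
ORDER = 1 << M             # p^m = 2^4 = 16 elements


def gf_add(a, b):
    """Coefficients live in Z (mod 2), so addition (and subtraction) is XOR."""
    return a ^ b


def gf_mul(a, b):
    """Multiply as polynomials in t, replacing t^4 by t + 1 whenever degree 4 appears."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> M) & 1:
            a ^= REDUCTION
    return r


def gf_pow(a, k):
    """a^k by square-and-multiply."""
    r = 1
    while k:
        if k & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        k >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse a^(2^m - 2), since a^(2^m - 1) = 1 for every a != 0."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    return gf_pow(a, ORDER - 2)


def element_order(a):
    """Least k > 0 with a^k = 1 (a != 0); 15 means a generates all non-zero elements."""
    k, acc = 1, a
    while acc != 1:
        acc = gf_mul(acc, a)
        k += 1
    return k


def poly_str(e):
    """Render an element in the paper's notation,  e.g. 0b1011 -> 't^3 + t + 1'."""
    if e == 0:
        return "0"
    terms = []
    for i in range(e.bit_length() - 1, -1, -1):
        if (e >> i) & 1:
            terms.append("1" if i == 0 else "t" if i == 1 else f"t^{i}")
    return " + ".join(terms)


def all_elements():
    """The 16 elements, in the same order as the paper lists them."""
    return [poly_str(e) for e in range(ORDER)]


def is_field():
    """The requirement from Appendix A: every non-zero element has an inverse."""
    return all(gf_mul(a, gf_inv(a)) == 1 for a in range(1, ORDER))


if __name__ == "__main__":
    print(", ".join(all_elements()))
    print("t^3 * t =", poly_str(gf_mul(0b1000, 0b0010)))    # t^4 reduces to t + 1
    print("1/t =", poly_str(gf_inv(0b0010)), " order of t:", element_order(0b0010))
    print("field requirement holds:", is_field())
```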

B Addition of Points in GF(p)

For elliptic curves, the operation P + Q = R can be carried out by drawing a chord through P and Q. This chord intersects the elliptic curve at a third point. This point is −R. R is found by reflecting −R in the x-axis (see Figure 1). The operation is denoted by:

    P + Q = R or,
    (x_P, y_P) + (x_Q, y_Q) = (x_R, y_R), where
    x_R = L^2 − x_P − x_Q and,
    y_R = L(x_P − x_R) − y_P and,
    L = (y_P − y_Q) / (x_Q − x_P)

If x_P = x_Q and y_P = y_Q we must use instead,

    x_R = L^2 − 2x_P
    y_R = L(x_P − x_R) − y_P
    L = (3x_P^2 + a) / (2y_P)

If x_P = x_Q and y_P = −y_Q then R = 0, and if either point is 0, then the result is the other point. If P = Q, then the chord reduces to a tangent. It can easily be seen that this operation is commutative, associative and distributive.

References

[Bar97] George Barwood. Elliptic curve cryptography FAQ v1.12. 1997.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, 1976.

[IKNY98] Tetsuya Izu, Jun Kogure, Masayuki Noro, and Kazuhiro Yokoyama. Efficient implementation of Schoof's algorithm. In ASIACRYPT '98: Proceedings of the International Conference on the Theory and Applications of Cryptology and Information Security, pages 66–79, London, UK, 1998. Springer-Verlag.

[JM97] Aleksandar Jurisic and Alfred J. Menezes. Elliptic curves and cryptography. Dr. Dobb's Journal, 1997.

[Len87] H. W. Lenstra. Factoring integers with elliptic curves. Annals of Mathematics, 126:649–673, 1987.

[Ort03] C. Enrique Ortiz. An Introduction to Java Card Technology. 2003.

[Pie00] Henna Pietiläinen. Elliptic curve cryptography on smart cards. 30 October 2000.

[PVO96] P. Van Oorschot, Alfred J. Menezes, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

[Sch95] Bruce Schneier. Applied Cryptography (2nd ed.): Protocols, Algorithms, and Source Code in C. John Wiley & Sons, Inc., New York, NY, USA, 1995.

[wik] Wikipedia.
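As an added example (not code from the paper), the following Python implements the point addition and doubling formulas of Appendix B over GF(p), the scalar multiplication kP and order of a point of Sections 5.1.1 and 5.1.4, and the shared-secret computation of Equation 18 in Section 5.1.2. The curve y^2 = x^3 + 2x + 2 over GF(17) and the fixed point F = (5, 1) are constructed toy values; the chord slope is taken as (y_Q − y_P)/(x_Q − x_P), with both differences in the same order, and the function names are the example's own.

```python
# Added example, not code from the paper: elliptic-curve arithmetic over GF(p) using the
# chord-and-tangent formulas of Appendix B, scalar multiplication kP (Section 5.1.1), the
# order of a point (Section 5.1.4) and the shared secret of Equation 18 (Section 5.1.2).
# The paper's zero point 0 is represented as None. The curve and the point F below are
# constructed toy values, far too small for real use.

P_MOD = 17          # the prime p of GF(p)
A, B = 2, 2         # curve y^2 = x^3 + A*x + B, the GF(p) form of Equation 19


def inv_mod(v):
    """Multiplicative inverse in GF(p) by Fermat; callers never pass v = 0 mod p."""
    return pow(v % P_MOD, P_MOD - 2, P_MOD)


def on_curve(pt):
    """True for the zero point and for affine points satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def add(p1, p2):
    """P + Q = R as in Appendix B, with the zero point and P + (-P) handled explicitly."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    xp, yp = p1
    xq, yq = p2
    if xp == xq and (yp + yq) % P_MOD == 0:
        return None                                          # P + (-P) = 0
    if p1 == p2:
        lam = (3 * xp * xp + A) * inv_mod(2 * yp) % P_MOD    # tangent slope
    else:
        lam = (yq - yp) * inv_mod(xq - xp) % P_MOD           # chord slope
    xr = (lam * lam - xp - xq) % P_MOD
    yr = (lam * (xp - xr) - yp) % P_MOD
    return (xr, yr)


def scalar_mult(k, pt):
    """kP by double-and-add; the paper defines kP as the sum of k copies of P."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def point_order(pt):
    """Least c > 0 with cP = 0 (Section 5.1.4); it divides the order of the curve."""
    c, acc = 1, pt
    while acc is not None:
        acc = add(acc, pt)
        c += 1
    return c


def curve_order():
    """Number of points on the curve including the zero point (Section 5.1.1)."""
    return 1 + sum(on_curve((x, y)) for x in range(P_MOD) for y in range(P_MOD))


def shared_secret(a_k, b_k, f):
    """Equation 18: Alice computes Ak*(Bk*F), Bob computes Bk*(Ak*F)."""
    a_pub = scalar_mult(a_k, f)           # Ak*F, published by Alice
    b_pub = scalar_mult(b_k, f)           # Bk*F, published by Bob
    return scalar_mult(a_k, b_pub), scalar_mult(b_k, a_pub)


if __name__ == "__main__":
    F = (5, 1)                            # constructed fixed point on the toy curve
    print("2F =", scalar_mult(2, F), " order of F =", point_order(F),
          " order of curve =", curve_order())
    print("shared secret, both sides:", shared_secret(7, 11, F))
```

Because the order of F here is the prime 19, every non-zero k below 19 gives a distinct public key kF, which is the property Section 5.1.4 asks of the fixed point.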
