Public Key Cryptography-ECC
School of CSE 1
Diffie-Hellman Key Exchange
• Invented by Williamson (GCHQ) and,
independently, by D and H (Stanford)
• A “key exchange” algorithm
– Used to establish a shared symmetric key
– Not for encrypting or signing
• Based on discrete log problem
– Given: g, p, and $g^k \bmod p$
– Find: exponent k
Diffie-Hellman
• Let p be prime, let g be a generator (primitive root of p)
– For any x ∈ {1,2,…,p-1} there is n such that $x = g^n \bmod p$
E.g. $g^1 \bmod p$, $g^n \bmod p$, …, $g^{p-1} \bmod p$ result in the values
{1, 2, 3, …, p-1}. Ex. p=7, g=3
• Alice selects her Private Key a < p
• Bob selects his Private Key b < p
• Alice generates public key:
$Y_a = g^a \bmod p$ and sends to Bob
• Bob generates public key:
$Y_b = g^b \bmod p$ and sends to Alice
Diffie-Hellman
• Alice computes shared secret as
$K = (Y_b)^a \bmod p$
$= (g^b)^a \bmod p$
$= g^{ba} \bmod p$
• Bob computes shared secret as
$K = (Y_a)^b \bmod p$
$= (g^a)^b \bmod p$
$= g^{ab} \bmod p$
• Shared secret can be used as symmetric key
Diffie-Hellman
• Public: g and p
• Private: Alice’s exponent a, Bob’s exponent b
Alice → Bob: $Y_a = g^a \bmod p$
Bob → Alice: $Y_b = g^b \bmod p$
Diffie-Hellman Example
• Users Alice & Bob who wish to agree on shared key
• Agree on prime p=353 and g=3
• Select private keys:
– Alice chooses a=97, Bob chooses b=233
• Compute respective public keys:
– $y_A = 3^{97} \bmod 353 = 40$ (Alice)
– $y_B = 3^{233} \bmod 353 = 248$ (Bob)
• Compute shared key as:
– $K = y_B^{a} \bmod 353 = 248^{97} \bmod 353 = 160$ (Alice)
– $K = y_A^{b} \bmod 353 = 40^{233} \bmod 353 = 160$ (Bob)
Diffie-Hellman Example
• Users Alice & Bob wish to agree on keys:
• Agree on prime p=11 and g=2
• Select private keys:
– Alice chooses a=8, Bob chooses b=4
• Compute respective public keys:
– $y_A = 2^{8} \bmod 11 = 3$ (Alice)
– $y_B = 2^{4} \bmod 11 = 5$ (Bob)
• Compute shared key as:
– $K = y_B^{a} \bmod 11 = 5^{8} \bmod 11 = 4$ (Alice)
– $K = y_A^{b} \bmod 11 = 3^{4} \bmod 11 = 4$ (Bob)
Security of Diffie-Hellman
• Suppose Bob and Alice use Diffie-Hellman to
determine symmetric key $K = g^{ab} \bmod p$
• Trudy can see $g^a \bmod p$ and $g^b \bmod p$
– But… $g^a \cdot g^b \bmod p = g^{a+b} \bmod p \ne g^{ab} \bmod p$
• If Trudy can find a or b, she gets K
• If Trudy can solve discrete log problem, she can find a
or b
• Suppose p is a prime of around 300 digits, and a and b
at least 100 digits each.
• Discovering the shared secret would take longer than
the lifetime of the universe, using the best known
algorithm.
Security of Diffie-Hellman
• Subject to man-in-the-middle (MiM) attack
Alice → Trudy: $g^a \bmod p$; Trudy → Bob: $g^t \bmod p$
Trudy → Alice: $g^t \bmod p$; Bob → Trudy: $g^b \bmod p$
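The exchange on the preceding slides, as an added Python example (not part of the original slides): it reproduces both worked examples and shows that when Trudy substitutes g^t mod p in an unauthenticated exchange, Alice and Bob end up with different keys, each of which Trudy also holds. The function names and Trudy's exponent t=5 are assumptions made for the illustration.

```python
# Added example: textbook Diffie-Hellman with the slide parameters (toy sizes only).

def is_primitive_root(g, p):
    """True if the powers g^1..g^(p-1) mod p hit every value in {1..p-1}."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))

def dh_public(g, p, private):
    """Public value Y = g^private mod p."""
    return pow(g, private, p)

def dh_shared(peer_public, private, p):
    """Shared secret K = peer_public^private mod p."""
    return pow(peer_public, private, p)

def exchange(g, p, a, b):
    """Honest exchange: returns (Ya, Yb, K as Alice computes it, K as Bob computes it)."""
    ya, yb = dh_public(g, p, a), dh_public(g, p, b)
    return ya, yb, dh_shared(yb, a, p), dh_shared(ya, b, p)

def exchange_with_trudy(g, p, a, b, t):
    """Unauthenticated exchange in which both sides receive g^t instead of the peer's value.
    Returns (Alice's key, Bob's key, Trudy's key with Alice, Trudy's key with Bob)."""
    ya, yb, yt = dh_public(g, p, a), dh_public(g, p, b), dh_public(g, p, t)
    k_alice = dh_shared(yt, a, p)   # g^(at): Alice believes she shares this with Bob
    k_bob = dh_shared(yt, b, p)     # g^(bt): Bob believes he shares this with Alice
    return k_alice, k_bob, dh_shared(ya, t, p), dh_shared(yb, t, p)

if __name__ == "__main__":
    print(is_primitive_root(3, 7))
    print(exchange(3, 353, 97, 233))
    print(exchange(2, 11, 8, 4))
    ka, kb, kta, ktb = exchange_with_trudy(3, 353, 97, 233, t=5)  # t=5 is a constructed value
    print(ka, kb, ka == kta, kb == ktb, ka == kb)
```

Nothing in the exchanged values tells Alice or Bob that the keys differ, which is why the public values have to be authenticated by some other means.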
Elliptic Curve Cryptography
Elliptic Curve Crypto (ECC)
• “Elliptic curve” is not a cryptosystem
• Elliptic curves provide a different way to do
the math in a public key system
• Elliptic curve versions of DH, RSA, …
• Elliptic curves are more efficient
– Fewer bits needed for same security
– But the operations are more complex, yet it
is a big “win” overall
What is an Elliptic Curve?
• An elliptic curve E is the graph of an
equation of the form
$y^2 = x^3 + ax + b$
• Also includes a “point at infinity”
• What do elliptic curves look like?
• See the next slide!
Elliptic Curve Picture
Points on Elliptic Curve
• Consider $y^2 = x^3 + 2x + 3 \pmod 5$
x = 0 ⇒ $y^2 = 3$ ⇒ no solution (mod 5)
x = 1 ⇒ $y^2 = 6 = 1$ ⇒ y = 1,4 (mod 5)
x = 2 ⇒ $y^2 = 15 = 0$ ⇒ y = 0 (mod 5)
x = 3 ⇒ $y^2 = 36 = 1$ ⇒ y = 1,4 (mod 5)
x = 4 ⇒ $y^2 = 75 = 0$ ⇒ y = 0 (mod 5)
• Then points on the elliptic curve are
(1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and the point at
infinity: ∞
Elliptic Curve Math
• Addition on: $y^2 = x^3 + ax + b \pmod p$
$P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$
$P_1 + P_2 = P_3 = (x_3, y_3)$ where
$x_3 = m^2 - x_1 - x_2 \pmod p$
$y_3 = m(x_1 - x_3) - y_1 \pmod p$
and $m = (y_2 - y_1)(x_2 - x_1)^{-1} \bmod p$, if $P_1 \ne P_2$
$m = (3x_1^2 + a)(2y_1)^{-1} \bmod p$, if $P_1 = P_2$
Special cases: if m is infinite, $P_3 = \infty$, and
$\infty + P = P$ for all P
Elliptic Curve Addition
• Consider $y^2 = x^3 + 2x + 3 \pmod 5$. Points
on the curve are (1,1) (1,4) (2,0) (3,1)
(3,4) (4,0) and ∞
• What is (1,4) + (3,1) = $P_3 = (x_3, y_3)$?
$m = (1-4)(3-1)^{-1} = -3 \cdot 2^{-1}$ (inverse: $ax = 1 \bmod n$)
$= 2(3) = 6 = 1 \pmod 5$
$x_3 = 1 - 1 - 3 = 2 \pmod 5$
$y_3 = 1(1-2) - 4 = 0 \pmod 5$
• On this curve, (1,4) + (3,1) = (2,0)
Elliptic Curve Addition
• Consider $y^2 = x^3 + 2x + 3 \pmod 5$. Points on
the curve are (1,1) (1,4) (2,0) (3,1)
(3,4) (4,0) and ∞
• What is (1,1) + (4,0) = $P_3 = (x_3, y_3)$?
$m = (0-1)(4-1)^{-1} = -1 \cdot 3^{-1}$
$= -1(2) = -2 = 3 \pmod 5$
$x_3 = 9 - 1 - 4 = 4 \pmod 5$
$y_3 = 3(1-4) - 1 = 3(-3) - 1 = 0 \pmod 5$
• $P_3 = (x_3, y_3) = (4,0)$
• Consider point (1,4). Find 2P
• m = 0, $(x_3, y_3) = (3,1)$
ECC Diffie-Hellman
• Public: Elliptic curve and point (x,y) on curve
• Private: Alice’s A and Bob’s B
Alice → Bob: A(x,y)
Bob → Alice: B(x,y)
ECC Diffie-Hellman
• Public: Curve $y^2 = x^3 + 7x + b \pmod{37}$ and point
(2,5) ⇒ b = 3
• Alice’s private: A = 4
• Bob’s private: B = 7
• Alice sends Bob: 4(2,5) = (7,32)
• Bob sends Alice: 7(2,5) = (18,35)
• Alice computes: 4(18,35) = (22,1)
• Bob computes: 7(7,32) = (22,1)
ECC Diffie-Hellman – Example 2
• Consider the value of (x,y) as (1,4) with a=2 and
modulus 5. If Alice’s private key is 2 and
Bob’s private key is 2, what value is
sent from Alice to Bob and from Bob to Alice?
Show that both share the same key after the
exchange of values.
• Alice’s private: A = 2
• Bob’s private: B = 2
• Alice sends Bob: 2(1,4) = (3,1)
• Bob sends Alice: 2(1,4) = (3,1)
• Alice computes: 2(3,1) = (3,4)
• Bob computes: 2(3,1) = (3,4)
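The addition rule and both ECC Diffie-Hellman exchanges above, as an added Python example (not from the original slides). Function names are assumptions, `None` stands for the point at infinity, and `pow(x, -1, p)` requires Python 3.8 or later.

```python
# Added example: the slide's addition rule over GF(p); None is the point at infinity.

def is_singular(a, b, p):
    """y^2 = x^3 + ax + b (mod p) is singular when 4a^3 + 27b^2 = 0 (mod p)."""
    return (4 * a**3 + 27 * b**2) % p == 0

def points(a, b, p):
    """All affine points (x, y) on the curve, found by trying every x and y."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x**3 + a * x + b)) % p == 0]

def add(P1, P2, a, p):
    """P1 + P2 using the slope formulas from the slide."""
    if P1 is None:
        return P2                       # infinity + P = P
    if P2 is None:
        return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                     # vertical line: m is infinite
    if P1 == P2:
        m = (3 * x1 * x1 + a) * pow((2 * y1) % p, -1, p) % p
    else:
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def mul(k, P, a, p):
    """k*P by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = add(result, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return result

def ecdh(G, a, p, priv_a, priv_b):
    """Returns (Alice's public point, Bob's public point, Alice's secret, Bob's secret)."""
    pub_a, pub_b = mul(priv_a, G, a, p), mul(priv_b, G, a, p)
    return pub_a, pub_b, mul(priv_a, pub_b, a, p), mul(priv_b, pub_a, a, p)

if __name__ == "__main__":
    print(points(2, 3, 5), add((1, 4), (3, 1), 2, 5), is_singular(2, 3, 5))
    print(ecdh((2, 5), 7, 37, 4, 7), is_singular(7, 3, 37))
```

`is_singular` returns True for the mod 5 practice curve (4a^3 + 27b^2 ≡ 0 mod 5), so that curve is useful for arithmetic drill only; the mod 37 curve passes the check.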
Larger ECC Example
• Example from Certicom ECCp-109
– Challenge problem, solved in 2002
• Curve E: $y^2 = x^3 + ax + b \pmod p$
• Where
p = 564538252084441556247016902735257
a = 321094768129147601892514872825668
b = 430782315140218274262276694323197
• Now what?
ECC Example
• The following point P is on the curve E
(x,y) = (97339010987059066523156133908935,
149670372846169285760682371978898)
• Let k = 281183840311601949668207954530684
• Then kP is given by
(x,y) = (44646769697405861057630861884284,
522968098895785888047540374779097)
• And this point is also on the curve E
Really Big Numbers!
• Numbers are big, but not big enough
– ECCp-109 bit (32 digit) solved in 2002
• Today, ECC DH needs bigger numbers
• But RSA needs way bigger numbers
– Minimum RSA modulus today is 1024 bits
– That is, more than 300 decimal digits
– That’s about 10x the size in the ECC example