THE TECHNOLOGY STREAM
Elliptic Curve Cryptography
Burt Kaliski, Chief Scientist and Director, RSA Laboratories
Outline
I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts
Notation
GF(q) or Fq: finite field with q elements
typically, q = p where p is prime, or q = 2^m
E(Fq): elliptic curve over Fq
(x, y): point on E(Fq)
O: point at infinity
Acronyms
EC = Elliptic Curve
as in EC Digital Signature Algorithm
ECC = Elliptic Curve Cryptography
Part I: Elliptic Curves
Elliptic Curves
An elliptic curve is the set of solutions (x, y) to an equation of the form
y^2 = x^3 + ax + b, where 4a^3 + 27b^2 ≠ 0,
together with a point at infinity denoted O
Originally developed to measure the circumference of an ellipse
An Example Curve
Over the reals, the solutions form a curve with one or two components
Example: y^2 = x^3 - x
Elliptic Curve Arithmetic
A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
Chords and tangents
Group Law Axioms
Closure
Identity: P + O = O + P = P
Inverse: (x, y) + (x, -y) = O
Associativity
Commutativity
Addition Formulae
Let P1 = (x1, y1) and P2 = (x2, y2) be noninverses
Then P1 + P2 = (x3, y3) where
x3 = λ^2 - x1 - x2
y3 = λ(x1 - x3) - y1
and λ is the slope of the line:
λ = (3x1^2 + a) / (2y1) if x1 = x2
λ = (y2 - y1) / (x2 - x1) otherwise
Elliptic Curves over Finite Fields
An elliptic curve may be defined over any finite field GF(q)
For GF(2^m), the curve has a different form: y^2 + xy = x^3 + ax^2 + b, where b ≠ 0
Addition formulae are similar to those over the reals
Group Properties
Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
Hasse bound: #E(Fq) = q + 1 - t, where |t| ≤ 2 sqrt(q)
The group of points is either cyclic or a product of two cyclic groups
Scalar Multiplication
Scalar multiplication is repeated group addition: cP = P + ... + P (c times), where c is an integer
For all P ∈ E(Fq), nP = O where n = #E(Fq)
Elliptic Curve Research Areas
EC over finite fields has been an increasing focus of research
1. Efficient elliptic curve arithmetic, scalar multiplication
including finite field arithmetic
2. Efficient curve generation
3. Cryptographic properties
Some Interesting Applications
Factoring (Lenstra 1985)
running time of the Elliptic Curve Method (ECM) depends on the size of the prime factors of a number; ideal for smooth numbers
Primality proving (Goldwasser-Kilian 1986)
under number-theory assumptions, a method for proving primality in random polynomial time
Fermat's Last Theorem
Analogy with Multiplicative Groups
Elliptic Curve Group                 Multiplicative Group
point addition                       multiplication
scalar multiplication                exponentiation
elliptic curve discrete logarithm    discrete logarithm
Part II: Elliptic Curve Cryptosystems
Elliptic Curve Cryptosystems
EC discrete logarithm problem
Domain parameters
Key pairs
Cryptographic schemes
EC Discrete Logarithm Problem
Problem: Given two points W, G, find s such that W = sG
first suggested by Miller 1985, Koblitz 1987
With appropriate cryptographic restrictions, this is believed to take exponential time
O(sqrt(r)) time, where r is the order of W
EC Discrete Logarithm Problem (cont'd)
By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
ECC thus offers much shorter key sizes than other public-key cryptosystems
Typical Cryptographic Restrictions
#E(Fq) = kr for large prime r
k is the cofactor
GCD(k, r) = 1
Anomalous condition: r ≠ q
MOV condition: r does not divide q^i - 1 for small i
Domain Parameters
Common values shared by a group of users from which key pairs may be generated
User or trusted party may generate domain parameters
Anyone may validate domain parameters
EC Domain Parameters
Finite field Fq
Elliptic curve E(Fq) with cryptographic restrictions
Prime divisor r of #E(Fq)
Cofactor k
Base point G ∈ E(Fq) of order r
Generating EC Domain Parameters
1. Select a prime power q
2. Select an elliptic curve E over Fq with cryptographic restrictions
order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G
Selecting an Elliptic Curve
Random method
Complex multiplication method
Subfield method
Methods provide a tradeoff between speed and structure in curves
less structure = more conservative in assumptions about security
Random Method
1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1
No structure, but step 2 may be slow
(Schoof 1985, etc.)
Complex Multiplication Method
1. Generate a curve order n with a small CM discriminant D
2. If restrictions not met, goto 1
3. Given D, find a curve with n points
Fast, some structure, but complex
(Atkin-Morain 1991, Lay-Zimmer 1994)
Subfield Method
For q = 2^m with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1
Fast, but significant structure
(Koblitz)
Generating a Point of Order r
1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, goto 1
4. Output G
Validating EC Domain Parameters
1. Check that q is a prime power
2. Check that E is an elliptic curve over Fq with cryptographic restrictions
order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r
4. Output valid if all checks pass, invalid otherwise
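The point-counting step of the random method and the restrictions on the group order (Hasse bound, cofactor, anomalous and MOV conditions) from the slides above, worked through in Python as an added example that is not code from the slides or from RSA Laboratories. It brute-forces #E(F_p) with the Euler criterion, which is only feasible for toy primes, and reports each restriction for #E = kr. The curves (y^2 = x^3 + 2x + 2 over GF(17), and the deck's example y^2 = x^3 - x over GF(5)) are small constructed inputs, and mov_bound is an assumed parameter, not a value from the slides.

```python
# Added example (not from the slides): brute-force point counting for
# y^2 = x^3 + ax + b over GF(p), then the deck's restrictions on #E = k*r.
# Toy primes only; real generation uses Schoof-type counting (step 2).
from math import gcd, isqrt

def count_points(p, a, b):
    """#E(F_p) including O: each x gives 1 + Legendre(x^3 + ax + b) points."""
    n = 1                                          # the point at infinity
    for x in range(p):
        rhs = (x**3 + a*x + b) % p
        if rhs == 0:
            n += 1                                 # y = 0: one point
        elif pow(rhs, (p - 1) // 2, p) == 1:       # Euler: rhs is a square
            n += 2                                 # y and -y
    return n

def is_prime(m):
    return m > 1 and all(m % d for d in range(2, isqrt(m) + 1))

def check_restrictions(q, a, b, mov_bound=20):
    """Report the deck's restrictions for E: y^2 = x^3 + ax + b over F_q.
    mov_bound (assumed here) is how many i are tried for the MOV condition."""
    if (4*a**3 + 27*b**2) % q == 0:
        raise ValueError("singular: 4a^3 + 27b^2 = 0, not an elliptic curve")
    n = count_points(q, a, b)
    r = max(d for d in range(2, n + 1) if n % d == 0 and is_prime(d))
    k = n // r                                     # #E(F_q) = k*r, r prime
    # MOV: smallest i <= mov_bound with r | q^i - 1, or None if there is none
    emb = next((i for i in range(1, mov_bound + 1) if pow(q, i, r) == 1), None)
    return {"n": n, "k": k, "r": r,
            "hasse_ok": abs(q + 1 - n) <= isqrt(4*q),   # |t| <= 2 sqrt(q)
            "cofactor_ok": gcd(k, r) == 1,
            "anomalous_ok": r != q,
            "mov_ok": emb is None,
            "embedding_degree": emb}
```

At toy sizes the MOV check is always met within a few steps because r itself is tiny; the report shows the embedding degree so the reason is visible.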
Key Pairs
Pairs of public, private values with which users may perform cryptographic operations
User or trusted third party may generate key pair
Anyone may validate public key
EC Key Pairs
Public key W ∈ E(Fq)
Private key s ∈ [1, r-1]
where W = sG
Generating an EC Key Pair
1. Randomly generate s ∈ [1, n-1]
2. Compute W = sG
3. Output (W, s)
Validating an EC Public Key
Assume valid domain parameters
1. Check that W is a point on E(Fq) of order r
2. Output valid if so, invalid otherwise
Cryptographic Schemes
Following the general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
Examples:
key agreement
signature with appendix
encryption
Scheme Operations
Depending on the scheme, related operations may include:
domain parameter generation, validation
key pair generation, public-key validation
one or more scheme-specific operations
Key Agreement Scheme
Key agreement operation derives a shared secret key from a private key, another's public key, and key derivation parameters
Multiple secret keys can be obtained by varying parameters
Elliptic Curve Diffie-Hellman
Key agreement scheme based on Diffie-Hellman protocol
In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive
Underlying function:
KDF: key derivation function
ECDH Key Agreement
Input: private key s, other's public key W*, key derivation parameters P
Output: shared secret key K
1. Compute Z = sW*
2. Compute K = KDF(Z, P)
3. Output K
Key Agreement Modes
Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
Examples of protocol modes:
anonymous static-static
signed ephemeral-ephemeral
ephemeral-static
Signature Scheme
Signature generation operation computes a signature on a message with a private key
Signature verification operation verifies a signature with a public key
Elliptic Curve Digital Signature Algorithm
Signature scheme based on NIST FIPS 186-1 DSA
In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
Underlying function:
Hash: collision-resistant hash function
ECDSA Signature Generation
Input: private key s, message M
Output: signature (c, d)
1. Compute f = Hash(M)
2. Generate a one-time key pair (u, V)
3. Compute c = int(x_V) mod r
4. Compute d = u^-1 (f + sc) mod r
5. If c = 0 or d = 0, goto 2
6. Output (c, d)
ECDSA Signature Verification
Input: signer's public key W, message M, signature (c, d)
Output: valid or invalid
1. Compute f = Hash(M)
2. Check that 1 ≤ c, d ≤ r-1
3. Compute h = d^-1 mod r
4. Compute P = fhG + chW
(cont'd)
ECDSA Signature Verification (cont'd)
5. Check that P ≠ O
6. Check that c = int(x_P) mod r
7. If all checks pass, output valid, otherwise output invalid
Encryption Scheme
Encryption operation computes a ciphertext from a message with a public key
Decryption operation recovers a message from a ciphertext with a private key
Augmented encryption scheme also binds control information to message
Elliptic Curve Augmented Encryption Scheme
Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998)
In ANSI X9.63 draft
Underlying functions:
KDF: key derivation function
Encrypt: symmetric encryption
MAC: message authentication code
ECAES Encryption
Input: recipient's public key W, message M, control information P
Output: ciphertext (V, C, T)
1. Generate a one-time key pair (u, V)
2. Compute Z = uW
3. Compute (K1, K2) = KDF(Z)
(cont'd)
ECAES Encryption (cont'd)
4. Compute C = Encrypt(K1, M)
5. Compute T = MAC(K2, C || P)
6. Output (V, C, T)
Note: Steps 1-3 are like ECDH ephemeral-static
ECAES Decryption
Input: private key s, ciphertext (V, C, T), control information P
Output: message M or invalid
1. Compute Z = sV
2. Compute (K1, K2) = KDF(Z)
(cont'd)
ECAES Decryption (cont'd)
3. Compute M = Decrypt(K1, C)
4. Check that T = MAC(K2, C || P)
5. If the check passes, output M, otherwise output invalid
Some Observations
In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC
the additional operations help provide provable security
Schemes are readily adapted to multiplicative groups
Part III: Advantages and Disadvantages
Advantages and Disadvantages
Three families
Key size comparison
Advantages
Disadvantages
Three Families
Today, three families of public-key techniques are prominent
Following P1363, named according to the hard problem:
DL: (ordinary) discrete logarithms
EC: elliptic curve discrete logarithms
IF: integer factorization
Each has its own advantages
Key Size Comparison
Key size is length in bits of:
DL: field order q
also consider group order r
EC: group order r
IF: modulus n
Key sizes can be compared based on running time for solving hard problem with current methods
other factors to consider
Comparable Key Sizes
(Based on Running Time)
EC          112    160    224
DL, IF      512    1024   2048
Symmetric   56     80     112
Advantages
Alternative hard problem
Speed
Data size
New types of schemes
Many options
Alternative Hard Problem
EC Discrete Logarithm Problem is very different from the DL, IF hard problems
does not appear feasible to apply DL, IF approaches to solve it
Thus, it is an effective alternative against advances in methods for other problems
Speed
EC operations are generally faster than DL, IF counterparts at comparable key sizes
GF(2^m) arithmetic affords further speedups
Key pair generation is much faster than for IF
Data Size
EC data are shorter than DL, IF counterparts
Intermediate values are shorter
Keys are shorter
benefit depends on certificate content
Signatures with appendix are same size as for DL, shorter than IF
New Types of Schemes
EC family, like DL, has great flexibility due to the availability of common domain parameters
Multiple schemes can be combined efficiently, e.g.:
signature + encryption
signature / key agreement + certification
(Zheng 1997, Arazi 1998, Vanstone)
Many Options
EC family affords many choices:
field type, size, representation
curve formula
group order
base point
cryptographic scheme
Appropriate choices can meet varying security and implementation objectives
Disadvantages
Alternative hard problem
Curve generation
Many options
Alternative Hard Problem
ECDLP has not been studied as long as the DL, IF hard problems, and even a modest improvement in methods could have great impact
However, the focus on this area has grown considerably over the past few years, with increased confidence
Curve Generation
EC curve generation is complex, not readily implemented
However, implementers can rely on third parties for curves, which can be validated
e.g., NIST curves
Many Options
ECC affords many options, so interoperability is challenging:
no conversion between GF(2^m), GF(p)
hardware optimizations may be specific to one set of domain parameters
However, much of this will be settled by standards and industry practice
Part IV: Standardization Efforts
Standardization Efforts
Elliptic curves are parts of standards being developed by several groups:
ANSI X9F1
IEEE P1363
ISO JTC1 SC27
SECG
U.S. NIST
Generally, all three families are being developed together
ANSI X9F1
Cryptographic techniques for U.S. financial services industry
ANSI X9.62 specifies ECDSA
ANSI X9.63 (draft) specifies ECDH, ECAES and more
Technical Guideline on elliptic curve mathematics
www.x9.org
IEEE P1363
Public-key cryptography specifications, transnational
Specifies ECDH, ECDSA and much more (including other families)
framework for ANSI X9F1 work
ECAES proposed for addendum
grouper.ieee.org/groups/1363
ISO SC27
IT security techniques, international
ISO/IEC DIS 14888-3 includes ECDSA
aligned with ANSI X9.62
ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment
www.iso.ch/meme/JTC1SC27.html
SECG
Standards for Efficient Cryptography Group
Industry implementers' agreements, intended to profile other standards
www.secg.org
U.S. NIST
Information processing for U.S. government
FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
Eventual ANSI X9.63 support likely
Reference elliptic curves published
csrc.nist.gov/fips
Summary
Summary
ECC offers an attractive alternative to other public-key cryptosystems
new hard problem
smaller key size
Many standards are emerging
Number theory continues to be useful