Elliptic Curve Cryptography

Elliptic Curve Cryptography
Jorge Brayan Villamarin Amezquita

Definition
Elliptic Curves over Finite Fields
• Elliptic Curves over 𝔾𝔽 𝑝
• Example
• Binary Field 𝔾𝔽2 𝑚
• Elliptic Curves over 𝔾𝔽2 𝑚
• Example
Projective Coordinates
Scalar Representations
• Double-and-Add Algorithm
• Recoded Binary Algorithm
• ω-ary non-adjacent form Algorithm
ECDH Key Exchange Algorithm
• Practical Example
ECC Encryption/Decryption
• ECIES Framework
ECDSA
• Sign
• Verify
Contents

 The use of elliptic curves over Galois Field on
cryptography (ECC) was suggested independently by
Neal Koblitz and Victor S. Miller in 1985
 It can be used for data encryption, digital signatures
and key exchange, whereas RSA relies on another
algorithm for key exchange
 The key size of ECC is smaller than RSA given a same
security strength.
 Its hardness assumption relies on finding the discrete
logarithm of a random elliptic curve element with
respect to a publicly known base point is infeasible
The base assumption is that finding the
discrete logarithm of a random elliptic
curve element with respect to a
publicly known base point is infeasible
Definition

 The elliptic curve cryptography (ECC) uses
elliptic curves over the finite field 𝔾𝔽 𝑝
(where 𝑝 is prime and 𝑝 > 3) or
𝔾𝔽2 𝑚 (where the fields size 𝑝 = 2 𝑚)
 This means that the field is a square matrix
of size p x p and the points on the curve are
limited to integer coordinates within the
field only
 All algebraic operations within the field (like
point addition and multiplication) result in
another elliptic curve point within the field
Elliptic Curves over Finite Fields

Elliptic curves over 𝔾𝔽 𝑝 has the following parameters
𝑇 = (𝑝, 𝑎, 𝑏, 𝐺, 𝑟, ℎ)
 An integer 𝑝 specifies the finite field 𝔾𝔽 𝑝
 Two elements 𝑎 and 𝑏 ∈ 𝔾𝔽 𝑝which specifies a curve 𝐸(𝔾𝔽 𝑝) defined
by the following equation
𝐸: 𝑦2
≡ 𝑥3
+ 𝑎𝑥 + 𝑏 (mod 𝑝)
 A base point 𝐺 = (𝑥 𝐺, 𝑦 𝐺) on 𝐸(𝔾𝔽 𝑝)
 A prime 𝑟 which defines the order of the subgroups
 An integer ℎ which is the cofactor ℎ =
#𝐸 𝔾𝔽 𝑝
𝑟
(#𝐸(𝔾𝔽 𝑝) is the
number of points of the given elliptic curve)
Note: The cofactor ℎ specifies the number of non overlapping subgroups
on the curve points
Elliptic Curves over 𝔾𝔽 𝒑

Let T be a set of parameters which
builds an elliptic curve over 𝔾𝔽 𝑝
𝑇 = (𝑝, 𝑎, 𝑏, 𝐺, 𝑟, ℎ)
Then, we get the following equation
𝐸 𝑝: 𝑦2
≡ 𝑥3
+ 4𝑥 + 12 (mod 29)
𝑝 = 29 𝐺 = (8,11)
𝑎 = 4 𝑟 = 38
𝑏 = 12 ℎ = 1
In order to obtain all 𝑥, 𝑦 and Θ ∈ 𝐸 𝑝, we need to perform point multiplication
and point addition operations over 𝐸 𝑝 beginning from G
Elliptic Curves over 𝔾𝔽 𝒑 - Example

In order to perform a point multiplication over 𝐸 𝑝 to get 𝑘𝐺,
point addition and point double operations must be performed
Point Double
2𝐺 = 𝐺 + 𝐺 = 𝑥1, 𝑦1 + 𝑥1, 𝑦1 𝜆 ≡
3𝑥1
2
+ 𝑎
2𝑦1
mod 𝑝
𝑥2 ≡ 𝜆2 − 2𝑥1mod 𝑝 𝑦2 ≡ 𝑥1 − 𝑥2 𝜆 − 𝑦1mod 𝑝
Point Addition
𝑘𝐺 = 𝐺 + 𝑘 − 1 𝐺 = 𝑥1, 𝑦1 + 𝑥2, 𝑦2 𝜆 𝑘 ≡
𝑦2 − 𝑦1
𝑥2 − 𝑥1
mod 𝑝
𝑥3 ≡ 𝜆2 − 𝑥1 − 𝑥2 mod 𝑝 𝑦3 ≡ 𝑥1 − 𝑥2 𝜆 − 𝑦1 mod 𝑝

 Given the following equations to perform point double over 𝐸 𝑝, calculate 2𝐺
𝜆 =
3 ∙ 82 + 4
2 ∙ 11
= 22 ∙ 22−1
= 22 ∙ 4 = 88 mod 29 = 1
𝑥2 = 12 − 2 8 = −15 mod 29 = 14
𝑦2 = 8 − 14 1 − 11 = −17 mod 29 = 1
 Then, perform point addition operations to find 3𝐺 and so over in 𝐸 𝑝
𝜆 =
12 − 11
14 − 8
= 6−1 mod 29 = 5
𝑥3 = 52 − 8 − 14 = 3 mod 29 = 3
𝑦3 = 8 − 3 5 − 11 = 14 mod 29 = 14

 Repeat operations until all points are calculated
𝐸 𝑝 =
(8,11) (14,12) (3,14) (23,27) (7,21)
(27,5) (28,6) (13,12) (15,5) (2,17)
(20,1)
(9,20)
(6,22)
(17,18)
(28,23)
(14,17)
(17,11)
(6,7)
(9,9)
(20,28)
(27,24)
(8,18)
(4,18)
(19,25)
(16,5)
(2,12)
(7,8)
(18,0)
(11,16)
(18,0)
(11,13)
(15,24)
(23,2)
(16,24)
(19,4)
(4,11)
(13,17)
(3,15)

Curve ID Strength Size RSA/DSA
Koblitz or
Random
secp112r1 56 112 512 R
secp112r2 56 112 512 R
secp128r1 64 128 704 R
secp128r2 64 128 704 R
secp160k1 80 160 1024 K
secp160r1 80 160 1024 R
secp160r2 80 160 1024 R
secp192k1 96 192 1536 K
secp192r1 96 192 1536 R
secp224k1 112 224 2048 K
secp224r1 112 224 2048 R
secp256k1 128 256 3072 K
secp256r1 128 256 3072 R
secp384r1 192 384 7680 R
secp521r1 256 521 15360 R
SEC 2 Recommended curves over 𝔾𝔽 𝒑

P-192 96 192 1536
P-224 112 224 2048
P-256 128 256 3072
P-384 192 384 7680
P-521 256 521 15360
NIST Recommended curves over 𝔾𝔽 𝒑

Twisted or
Random
brainpoolP160r1 80 160 1024 R
brainpoolP160t1 80 160 1024 T
brainpoolP512r1 128 256 15360 R
brainpoolP512t1 256 512 15360 T
Brainpool Std Recommended curves over 𝔾𝔽 𝒑

 Let 𝑓(𝑥) be an irreducible polynomial of degree 𝑚 in 𝑍2[𝑥]
 As neither 0 or 1 are the roots of 𝑓 𝑥 , their solution lies outside of the 𝔾𝔽24 field
 By assuming g as one of the root of 𝑓 𝑥 , 𝑓 g = 0. Then, the equation can be
rearranged
g4
+ g + 1 = 0
g4 = g + 1
 In order to obtain all the elements of 𝔾𝔽2 𝑚 = 𝑍2 𝑥
𝑓 𝑥 , we need to perform the
following operation iteratively beginning from g4
g 𝑛+1 = g 𝑛 ∙ g
𝑚 = 4 𝑓 𝑥 = 𝑥4 + 𝑥 + 1
Binary Field 𝔾𝔽 𝟐 𝒎 - Example

Power of 𝜶 (0 to 7) Binary rep Power of 𝜶 (8 to 15) Binary rep
0 0000 g8 = g2 + 1 0101
g1 = g 0010 g9 = g3 + g 1010
g2 = g2 0100 g10 = g2 + g + 1 0111
g3 = g3 1000 g11 = g3 + g2 + g 1110
g4 = g + 1 0011 g12 = g3 + g2 + g + 1 1111
g5 = g2 + g 0110 g13 = g3 + g2 + 1 1101
g6 = g3 + g2 1100 g14 = g3 + 1 1001
g7
= g3
+ g + 1 1011 g15 = 1 0001
Binary Field 𝔾𝔽 𝟐 𝒎 - Example

Field Reduction Polynomials
𝔽2113 𝑓 𝑥 = 𝑥113 + 𝑥9 + 1
𝔽2131 𝑓 𝑥 = 𝑥113 + 𝑥8 + 𝑥3 + 𝑥2 + 1
𝔽2163 𝑓 𝑥 = 𝑥163
+ 𝑥7
+ 𝑥6
+ 𝑥3
+ 1
𝔽2193 𝑓 𝑥 = 𝑥193
+ 𝑥15
+ 1
𝔽2233 𝑓 𝑥 = 𝑥233 + 𝑥74 + 1
𝔽2239 𝑓 𝑥 = 𝑥239
+ 𝑥36
+ 1 or 𝑥239
+ 𝑥158
+ 1
𝔽2283 𝑥 = 𝑥283 + 𝑥12 + 𝑥7 + 𝑥5 + 1
𝔽2409 𝑓 𝑥 = 𝑥409 + 𝑥87 + 1
𝔽2571 𝑓 𝑥 = 𝑥571 + 𝑥10 + 𝑥5 + 𝑥2 + 1
Representations of field 𝔾𝔽 𝟐 𝒎

Elliptic curves over 𝔾𝔽2 𝑚 has the following parameters
𝑇 = (𝑚, 𝑓(𝑥), 𝑎, 𝑏, 𝐺, 𝑟, ℎ)
 An integer 𝑚 specifies the finite field 𝔾𝔽2 𝑚
 An irreducible polynomial 𝑓 𝑥 of degree 𝑚 specifying the basis representation of 𝔾𝔽2 𝑚
 Two elements 𝑎 and 𝑏 ∈ 𝔾𝔽2 𝑚 which specifies a curve 𝐸(𝔾𝔽2 𝑚) defined by the following equation
𝐸: 𝑦2 + 𝑥𝑦 = 𝑥3 + 𝑎𝑥2 + 𝑏 in 𝔽2 𝑚
 A base point
𝐺 = (𝑥 𝐺, 𝑦 𝐺) ∈ 𝐸(𝔾𝔽2 𝑚)
 A prime 𝑟 which is the order of 𝐺
 An integer ℎ which is the cofactor ℎ =
#𝐸 𝔾𝔽2 𝑚
𝑟
(#𝐸(𝔾𝔽2 𝑚) is the number of points of the given
elliptic curve)
Elliptic Curves over 𝔾𝔽 𝟐 𝒎

Let T be a set of parameters which
builds an elliptic curve over 𝔾𝔽2 𝑚
𝑇 = (𝑚, 𝑓(𝑥), 𝑎, 𝑏, 𝐺, 𝑛, ℎ)
Then, we get the following equation
𝐸 𝑏: 𝑦2 + 𝑥𝑦 = 𝑥3 + g4 𝑥2 + g15
𝑚 = 4 𝐺 = (g5, g3)
𝑎 = g4 𝑟 = 16
𝑏 = g15 ℎ = 1
In order to obtain all 𝑥, 𝑦 and Θ ∈ 𝐸 𝑏, we need to perform point addition and
point-multiplication operations over 𝐸 𝑏 beginning from G
Elliptic Curves over 𝔾𝔽 𝟐 𝒎 - Example

In order to perform a point multiplication over 𝐸 𝑏 to get 𝑘𝐺,
point addition and point double operations must be performed
Point Double
2𝐺 = 𝐺 + 𝐺 = 𝑥1, 𝑦1 + 𝑥1, 𝑦1
𝑥2 = 𝑥1
2
+
𝑏
𝑥1
2 𝑦2 = 𝑥1
2
+ 𝑥1 +
𝑦1
𝑥1
𝑥2 + 𝑥2
Point Addition
𝑘𝐺 = 𝐺 + 𝑘 − 1 𝐺 = 𝑥1, 𝑦1 + 𝑥2, 𝑦2 𝜆 =
𝑦2 + 𝑦1
𝑥2 + 𝑥1
𝑥3 = 𝜆2 + 𝜆 + 𝑥1 + 𝑥2 + 𝑎 𝑦3 = 𝑥3 + 𝑥1 𝜆 + 𝑥3 + 𝑦1

 Given the following equations to perform point double over 𝐸 𝑏, calculate 2𝐺
𝑥2 = g5 2
+
g15
g5 2
= g10
+
g15
g10
= g10
+ g5
= 01112 ⊕ 01102 = 0001 = g15
𝑦2 = g5 2 + g5 +
g3
g5
g15 + g15 = g10 + g5 + g−2%15=13 g15 + g15 = g10 + g5 + g13 + g15
= 01112 ⊕ 01102 ⊕ 11012 ⊕ 00012 = 11012 = g13
 Then, perform point addition operations to find 3𝐺 and so over in 𝐸 𝑏
𝜆 =
g13
+ g3
g15 + g5
=
11012 ⊕ 10002
00012 ⊕ 01102
=
01012
01112
=
g8
g10
= g−2%15=13
𝑥3 = g13 2 + g13 + g5 + g15 + g4 = g26%15=11 + g13 + g5 + g15 + g4
= 11102 ⊕ 11012 ⊕ 01102 ⊕ 00012 ⊕ 00112 = 01112 = g10
𝑦3 = g10 + g5 g13 + g10 + g3 = g23%15=8 + g18%15=3 + g10 + g3
= 01012 ⊕ 10002 ⊕ 01112 ⊕ 10002 = 00102 = g1

 Repeat operations until all points are calculated
𝐸 𝑏 =
0, g15 g15, g6
g15, g13 g3, g8 g3, g13
g5
, g3
g5
, g11
g6, g8 g6, g14 g9, g10
g9, g13 g10, g1
g10, g8 g12, 0 g12, g12
 The 𝐸 𝑏 curve can also be expressed in binary notation
𝐸 𝑏 =
00002, 00012 00012, 11002 00012, 11012 10002, 01012 10002, 11012
01102, 10002 01102, 11102 11002, 01012 11002, 10012 10102, 01112
10102, 11012 01112, 00102 01112, 01012 11112, 00002 11112, 11112

Koblitz or
Random
sect113r1 56 113 512 r
sect113r2 56 113 512 r
sect131r1 64 131 704 r
sect131r2 64 131 704 r
sect163k1 80 163 1024 k
sect163r1 80 163 1024 r
sect163r2 80 163 1024 r
sect193k1 96 193 1536 k
sect193r1 96 193 1536 r
sect233k1 112 233 2240 k
sect233r1 112 233 2240 r
sect239k1 115 239 2304 k
secp283k1 128 283 3456 k
secp283r1 128 283 3456 r
sect409k1 192 409 7680 k
sect409r1 192 409 7680 r
sect571k1 256 571 15360 k
sect571r1 256 571 15360 r
SEC 2 Recommended curves over 𝔾𝔽 𝟐 𝒎

K-163 80 163 1024
B-163 80 163 1024
K-233 112 233 2240
B-233 112 233 2240
K-283 128 283 3456
B-283 128 283 3456
K-409 192 409 7680
B-409 192 409 7680
K-571 256 571 15360
B-571 256 571 15360
NIST Recommended curves over 𝔾𝔽 𝟐 𝒎

 In order to add two points, several addition, doubling and inversion operations are required
 There are various proposals about using a new coordinate system avoids the need of use
inversion operations
 By using projective coordinates, the EC can be represented by three coordinates (𝑋, 𝑌, 𝑍)
under the following relation
𝑥 = 𝑋
𝑍 ; 𝑦 = 𝑌
𝑍
 Another coordinate system is the Jacobian, which is also represented by three coordinates,
but uses another relation
𝑥 = 𝑋
𝑍2 ; 𝑦 = 𝑌
𝑍3
 The López-Dahab system also uses three coordinates and the following relation
𝑥 = 𝑋
𝑍 ; 𝑦 = 𝑌
𝑍2
Projective Coordinates

 Finding 𝑘𝐺 point by point double and point
addition iteratively tends to be
computationally inefficient due to
exponential time complexity
𝑚 = log2 𝑘
# 𝑜𝑝𝑠 = 2 𝑚 − 1
𝑂(2 𝑚)
 Another approach is suggested, by using the
Double-and-Add Algorithm, which performs
𝑘𝐺 at lineal time complexity
# 𝑜𝑝𝑠 = 2𝑚
𝑂(𝑚)
Algorithm 1: Double-and-Add
Input: 𝐺 = 𝑋, 𝑌, 𝑍 ∈ 𝐸(𝔽2 𝑚),
𝑘 = (𝑘 𝑚−1, 𝑘 𝑚−2, … , 𝑘1, 𝑘0)2
Output:𝑄 = 𝑘𝐺
Procedure:
1. 𝑄 = 𝐺;
2. for 𝑖 = 𝑚 − 2 downto 0 do:
3. 𝑄 = 2 ∙ 𝑄; #Point Double
4. if 𝑘𝑖 = 1 then:
5. 𝑄 = 𝑄 + 𝐺; #Point Add
6. end if
7. end for
8. return 𝑄;
Double-and-Add Algorithm

 Let 𝑘 = 55. In order to apply Double-and-
Add algorithm, we must convert k into
binary representation
5510 = 1101112
 Then, the algorithm performs double or
double and addition operations depending
on the bit value from MSB to LSB
Bit Operation Result
1 Ignore G
1
Double
Add
2G
3G
0 Double 6G
1
Double
Add
12G
13G
1
Double
Add
26G
27G
1
Double
Add
54G
55G
Double-and-Add Algorithm - Example

 Additive inverses are easy to compute in EC
 A recoded binary method is proposed: By
using the follow identity, a block of 1s can be
collapsed
2𝑖+𝑗−1 + 2𝑖+𝑗−2 + ⋯ + 2𝑖 = 2𝑖+𝑗 − 2𝑖
 A redundant signed-digit representation of
the exponents is given by the set {1,0, 1}
 For example, (0110111) can be recoded as
01101112 = 25 + 24 + 22 + 21 + 20
10010012 = 26 − 23 − 20
Algorithm 2: Recoding Binary Algorithm
Input: 𝐺 = 𝑋, 𝑌, 𝑍 ∈ 𝐸(𝔽2 𝑚),
𝑘 = (𝑘 𝑚−1, 𝑘 𝑚−2, … , 𝑘1, 𝑘0)2 𝑤𝑖𝑡ℎ 𝑘𝑖
∈ {1,0, 1}
Output:𝑄 = 𝑘𝐺
Procedure:
1. 𝑄 = 𝐺;
2. for 𝑖 = 𝑚 − 2 downto 0 do:
3. 𝑄 = 2 ∙ 𝑄; #Point Double
4. if 𝑘𝑖 = 1 then:
5. 𝑄 = 𝑄 + 𝐺; #Point Add
6. else if 𝑘𝑖 = 1 then:
7. 𝑃 = 𝑄 − 𝐺; #Point Sub
8. end if
9. end for
10. return 𝑄;
Recoding Binary Algorithm
Elliptic Curve Cryptography - ECC

 Let 𝑘 = 55. In order to apply Recoding
Binary algorithm, we must convert k into
recoded binary representation
01101112 = 10010012
double and addition operations depending
on the bit value from MSB to LSB
1 Ignore G
0 Double 2G
0 Double 4G
1
Double
Sub
8G
7G
0 Double 14G
0 Double 28G
1
Double
Sub
56G
55G
Recoding Binary Algorithm - Example

 A signed binary representation of an
integer is non-adjacent by having no non-
zero values consecutively
 The NAF representation is unique for
each integer and contain more zeros
than traditional signed binary
representations
 This algorithm requires the
precomputation of the points
1,3,5, ⋯ , 2 𝜔−1 − 1 𝐺 and their
negatives
Algorithm 3: ω-NAF Expansion Algorithm
Input: 𝑘 ∈ ℤ+
Output:𝑈 = 𝜔 − 𝑁𝐴𝐹(𝑘)
Procedure:
1. for {𝑖 = 0;𝑘 > 0;𝑖 + +} do:
2. if 𝑘 𝑖𝑠 𝑜𝑑𝑑 then:
3. 𝑈𝑖 = 𝑘 mods 2 𝜔
4. 𝑘 = 𝑘 − 𝑈𝑖;
5. else:
6. 𝑈𝑖 = 0;
7. end if
8. 𝑘 = 𝑘
2;
9. end for
10. return 𝑼;
ω-ary non-adjacent form (ω-NAF) Algorithm

 Let 𝑘 = 207. The ω-NAF representation
of this value is
0110011112
0110100012
1010100012
double and addition operations
depending on the bit value from MSB to
LSB
1 Ignore G
0 Double 2G
1
Double
Sub
4G
3G
0 Double 6G
1
Double
Add
12G
13G
0 Double 26G
0 Double 52G
0 Double 104G
1
Double
Sub
208G
207G
ω-ary non-adjacent form (ω-NAF) Algorithm - Example

 It is similar to the classical DHKE
(Diffie – Hellman Key Exchange)
 It uses ECC point multiplication
instead of modular
exponentiations
 Based on the following property
of EC points
𝑎 ∙ 𝐺 ∙ 𝑏 = (𝑏 ∙ 𝐺) ∙ 𝑎
 𝑎: Alice private key
 𝑏: Bob private key
 (𝑎 ∙ 𝐺): Alice public key
 (𝑏 ∙ 𝐺): Bob public key
Elliptic Curve Diffie – Hellman Key Exchange

1. Alice and Bob generates their respectively random key pairs
𝐴 𝑠𝑘, 𝐴 𝑝𝑘 = 𝐴 𝑠𝑘 ∙ 𝐺
{𝐵𝑠𝑘, 𝐵 𝑝𝑘 = 𝐵𝑠𝑘 ∙ 𝐺}
2. Alice and Bob exchange their public keys through the insecure channel
3. Alice and Bob calculates the shared key
𝑆𝐻𝐾 == 𝐵 𝑝𝑘 ∙ 𝐴 𝑠𝑘 == 𝐵𝑠𝑘 ∙ 𝐴 𝑝𝑘
Alice Bob
𝑨 𝒔𝒌, 𝑨 𝒑𝒌 = 𝑨 𝒔𝒌 ∙ 𝑮
{𝑩 𝒔𝒌, 𝑩 𝒑𝒌 = 𝑩 𝒔𝒌 ∙ 𝑮}
𝐴 𝑝𝑘 = {𝐴 𝑠𝑘 ∙ 𝐺}
𝐵 𝑝𝑘 = {𝐵𝑠𝑘 ∙ 𝐺}
𝑆𝐻𝐾 = 𝐵 𝑝𝑘 ∙ 𝐴 𝑠𝑘 𝑆𝐻𝐾 = 𝐵𝑠𝑘 ∙ 𝐴 𝑝𝑘
ECDH Key Exchange Algorithm

For all the following examples, we use the elliptic curve called ‘secp192r1’, which holds the following
characteristics
𝐸: 𝑦2 ≡ 𝑥3 + 𝑎𝑥 + 𝑏 (mod 𝑝)
𝑇 = (𝑝, 𝑎, 𝑏, 𝐺, 𝑟, ℎ)
𝑝 = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE FFFF FFFF FFFF FFFF
𝑎 = FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE FFFF FFFF FFFF FFFC
𝑏 = 6421 0519 E59C 80E7 0FA7 E9AB 7224 3049 FEB8 DEEC C146 B9B1
𝐺 𝑢 = (04 188D A80E B030 90F6 7CBF 20EB 43A1 8800 F4FF 0AFD 82FF 1012,
0719 2B95 FFC8 DA78 6310 11ED 6B24 CDD5 73F9 77A1 1E79 4811)
𝐺𝑐 = 03 188D A80E B030 90F6 7CBF 20EB 43A1 8800 F4FF 0AFD 82FF 1012
𝑟 = FFFF FFFF FFFF FFFF FFFF FFFF 99DE F836 146B C9B1 B4D2 2831
ℎ = 1
ECDH Key Exchange Algorithm – Practical Example

 By using the standard curve 'secp192r1’, Alice and Bob perform an ECDH Key
Exchange between them
 At first, Alice and Bob generates their respective key pairs
 Prior to the key interchange, Alice and Bob compress their public keys
𝐴 𝑠𝑘 = 𝐸8𝐸𝐸 3𝐷40 𝐷5𝐸𝐶 𝐶𝐹32 4579 605𝐸 𝐶𝐸𝐶8 518𝐷 𝐵6𝐷1 𝐶46𝐴 6637 6𝐴3𝐴16
𝐴 𝑝𝑘 = (EB0A E3AD A72F 5326 5845 C517 7585 C8C4 8B2C EF49 1FA6 F86C16,
FDA6 C888 F038 4FD3 6D03 E57B 3CCA 4A38 332A 4C90 58D6 9C2416)
𝐵𝑠𝑘 = 𝐵093 499𝐵 8872 𝐸016 40𝐷2 𝐴5𝐶𝐶 𝐷739 6𝐴36 8𝐸17 4430 𝐹411 7𝐵1𝐵16
𝐵 𝑝𝑘 = (4C6D 8F8D F99F 5170 1139 6176 8834 CB73 6754 9558 300A DA6716,
8E1B 4BC5 F137 05FE 8DF6 BE61 71E8 9E82 4570 7914 D328 1F0616)
𝐴 𝑝𝑘 = EB0A E3AD A72F 5326 5845 C517 7585 C8C4 8B2C EF49 1FA6 F86C 016
𝐵 𝑝𝑘 = 4C6D 8F8D F99F 5170 1139 6176 8834 CB73 6754 9558 300A DA67 016

 Now, Alice and Bob interchanges their public keys through an insecure connection
and calculate the shared secret
 As 𝑆𝐻𝐾𝐴𝑙𝑖𝑐𝑒 = 𝑆𝐻𝐾 𝐵𝑜𝑏, the key exchange has done successfully
𝑆𝐻𝐾𝐴𝑙𝑖𝑐𝑒 = EBE2 721D 2B2A 5678 C720 B6D9 811A 746D 0DE0 884D EE98 7182 016
𝑆𝐻𝐾 𝐵𝑜𝑏 = EBE2 721D 2B2A 5678 C720 B6D9 811A 746D 0DE0 884D EE98 7182 016

 The process to encrypt or decrypt by using ECC is non-trivial (unlike RSA)
 Hybrids encryptions schemes are proposed (ECC cryptography, ECDH key exchange and symmetric
encryption algorithm)
 The Elliptic Curve Integrated Encryption Scheme (ECIES) is a framework based on hybrid encryption,
using the above characteristics and a key-derivation function (KDF) which separates MAC key and
symmetric encryption key
Encrypted
Symmetric Key
Encrypted
Symmetric Key
Priv Key
File Symmetric Key Encrypted File Encrypted File Symmetric Key File
Pub KeySymmetric Key
Encrypted file
with encrypted
symmetric key
ECC Encryption/Decryption

1. Alice encrypts the file using a symmetric key. Also, generates an ephemeral public
key by encrypting the symmetric key with Bob’s public key and an authentication tag
(MAC code)
2. Alice sends to Bob the encrypted file, the encrypted symmetric key and the MAC
code through the insecure channel
3. By using his private key, Bob decrypts the encrypted symmetric key, in order to
decrypt the file sent by Alice. But in case of authentication/integrity error, the
framework is capable to detect the problem
Alice Bob
valid/
invalid
ECIES Framework

 This example applies the ECIES framework, by using the standard curve 'secp192r1’ for ECC, AES-GCM
symmetric encryption, and MAC code
 Alice wants to send the following message to Bob
𝑚 = "All your base are belong to us"
𝑚 =
41 6C 6C 20 79 6F 75 72 20 62 61 73 65 20 61
72 65 20 62 65 6C 6F 6E 67 20 74 6F 20 75 7316−ASCII
 Then, encrypts the message, the symmetric key and generates the MAC code
𝑐 =
96F7 745E D040 2762 49C0 93D2 5158
134C 704E 2CE8 E048 63F3 874E 391A 87E316
𝑘 𝑐 = D3A2 D3F3 21AC 952C 500C 8BF7 B62E 9F8D 2F40 F896 02CC C1FA 016
𝑀𝐴𝐶 = 5FB4 79C2 BE04 0AC8 BCF1 7DBD 066F 71E516
 Now, Alice sends the encrypted message and symmetric key, and the MAC code to Bob through an
insecure connection. At last, Bob decrypts the message sent by Alice
𝑚′ = "All your base are belong to us"
ECIES Framework – Practical Example

 It is a cryptographic secure digital signature scheme
 ECDSA sign/verify algorithms relies on elliptic curve point multiplication
 ECDSA key are smaller than RSA signature keys (i.e. 256-bit ECDSA has the same
security strength as 3072-bit RSA signature)
 𝑘 𝑠: private key
(random integer)
 (𝑘 𝑠 ∙ 𝐺): public key
𝑘 𝑝 (EC point)
The public key can be
compressed to one
coordinate + a parity bit
• Takes an input
message and the
private key
previously generated
• Produces a signature
output with two
integers {𝑟,𝑠}
• Takes as input the signed
message + the signature
{𝑟,𝑠} + the public key
previously generated
• Produces a Boolean
output, verifying the
integrity of the message
Key-pair
Generation
Sign Verify
Elliptic Curve Digital Signature Algorithm (ECDSA)

1. Calculate the message hash, using a hash cryptographic function
ℎ = hash 𝑚𝑠𝑔
2. Generate a random number 𝑘 𝑠 in the range [1, 𝑛 − 1]
• For deterministic ECDSA, 𝑘 𝑠 is HMAC derived from ℎ + 𝑑 𝐴
3. Calculate the random point 𝑅 = 𝑘 𝑠 ∙ 𝐺 and take its x-coordinate
𝑟 = 𝑅. 𝑥
4. Calculate the signature proof
𝑠 = 𝑘 𝑠
−1
∙ ℎ + 𝑟 ∙ 𝑑 𝐴 mod 𝑛
• The modular inverse 𝑘−1 (mod 𝑛) is an integer, such that 𝑘 ∙ 𝑘−1 ≡ 1 (mod 𝑛)
5. Return the signature {𝑟,𝑠}
ECDSA signatures are 2x longer tan the signer’s private key for the curved used during the signing
process
ECDSA Sign Algorithm

1. Calculate the message hash, using the same hash cryptographic function used to signing
ℎ = hash(𝑚𝑠𝑔)
2. Calculate the modular inverse of the signature
𝑠1 = 𝑠−1
(mod 𝑛)
3. Recover the random point used during the signing
𝑅′
= ℎ ∙ 𝑠1 ∙ 𝐺 + (𝑟 ∙ 𝑠1) ∙ 𝑘 𝑝
4. Take from 𝑅’ its x-coordinate
𝑟′
= 𝑅′
. x
5. Calculate the signature validation result by comparing whether
𝑟′ == 𝑟
ECDSA Verify Algorithm

 This example uses the standard curve 'secp192r1’ and SHA3-256 as hash function
 Bob expects to get the following message exclusively from Alice
𝑚 = "All your base are belong to us"
a. Sign Process
 Then, Alice generates the key pairs, the message digest and calculate the x-coordinate of the point 𝑅
𝑘 𝑠 = CFAC 09D4 CAE2 C644 DFB9 0F71 5E0B C7EA BB64 1338 4318 472716
𝑘 𝑝 = E32 7CEC 07E9 0F50 3A69 C3C5 2BFB CB96 347A F4FB 1C4D 62FB16,
C866 8915 E474 70D3 4845 0E8E 664B 201B 5523 090E 7F6C 6D6E16
ℎ = B38E 38F0 8BC1 C009 1ED4 B5F0 60FE 13E8
6AA4 1795 7851 3AD1 1A6E 3ABB A006 2F61
𝑟 = B633 5C89 81C9 40E7 0D9D 5966 86E1 373C 1752 2E38 93CC D59316
 Now, Alice calculates the signature proof
𝑠 = 329F 2350 310F 104B 79AF CB68 030B 4328 A187 8845 0E87 CBE516
ECDSA – Practical Example

 At last, Alice sends to Bob the message 𝑚 (usually ciphered during transmission), the signature {𝑟, 𝑠},
the hash digest ℎ and the public key 𝑘 𝑝 through an insecure connection
b. Verify Process
 At first, Bob must authenticate the Alice’s signature by checking the following statements using the
Alice’s public key
 Bob calculates the message digest using the same hash function
ℎ =
B38E 38F0 8BC1 C009 1ED4 B5F0 60FE 13E8
6AA4 1795 7851 3AD1 1A6E 3ABB A006 2F6116
𝑟 = B633 5C89 81C9 40E7 0D9D 5966 86E1 373C 1752 2E38 93CC D59316
 Now, Bob calculates the modular inverse of the signature proof
𝑠−1 = 76D6 C5D4 93C9 5EC0 E178 82CB 0CA7 2A3A 1F76 D6A0 D3C1 855016
𝑘 𝑝 ≠ Θ 𝑘 𝑝 ∈ 𝐸 𝑟 ∙ 𝑘 𝑝 = Θ

 Then, Bob recovers the random point R used during the signing process and extracts the x-coordinate
from it
𝑟′ = B633 5C89 81C9 40E7 0D9D 5966 86E1 373C 1752 2E38 93CC D59316
 At last, Bob verifies that the signature is valid by comparison of 𝑟 and 𝑟′
𝑟 = 𝑟′

Elliptic Curve Cryptography

More Related Content

What's hot (20)

Similar to Elliptic Curve Cryptography (20)

Recently uploaded (20)

Elliptic Curve Cryptography