Elliptic Curve Cryptography
Amit Markel, Leonid Nemirovskiy
Supervisor: Barukh Ziv
13/05/2013
Introduction to ECC
Technion - Israel Institute of Technology and Science 13/05/2013
- Usage of ECC is becoming more popular, hence our attention to this subject.
- Unlike previous standards, which use simple prime fields for cryptography, elliptic curves with good cryptographic properties surpass the former in terms of security and use much smaller key sizes.
- ECC has appropriate attributes for cryptosystems because of the impossibility of solving the ECDLP (elliptic curve discrete logarithm problem) with sub-exponential algorithms, hence the ability to use keys of smaller size.
What is an EC over a finite field?
Basic EC over finite fields
- Elliptic curves may be defined either over large prime fields or over binary extension fields.
- For performance reasons we concentrate on binary extension fields: we get a simple form of the curve and take advantage of the way hardware is built, over the binary field.
- Definition. An elliptic curve $E$ over $F_q$ with $q = 2^p$ (where we set $p$ to be prime for enhanced security) is defined by the equation $E : y^2 + xy = x^3 + a_2 x^2 + a_6$, where $a_2 \in F_q$ and $a_6 \in F_q^*$.
- For better performance we use curves where $a_2 = 0$ (doing so does not impact any cryptographic quality), hence we get the even simpler form $E : y^2 + xy = x^3 + a_6$.
EC-point group
- Definition. Let $E$ be an EC. The point $P = (x, y) \in F_q^2$ is defined to be on $E$ when it satisfies $E$'s equation.
- In order to build a group from the points of the curve, we must define the point at infinity, denoted by $O$.
- The set of all points on the curve, along with $O$, forms a group with $O$ as its zero element.
- Inverse. Let $P = (x, y) \in E$; then $Q = (x, x + y) = -P$.
- Addition. There is also an appropriate definition of an addition operator which satisfies the group requirements.
- Next we show an example of points on an EC which form a cyclic group, whose elements are obtained as multiples of a generator element.
Example of an EC-point group
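We use a representation of $GF(8)$ as $F[\xi] / (\xi^3 + \xi + 1)$, which means polynomials mod $\xi^3 + \xi + 1$.

$E : Y^2 + XY = X^3 + \xi^4$, $\#E(GF(8)) = 8$

| Multiple | Point | Coordinates as bit strings |
|---|---|---|
| $g$ | $(\xi^3, \xi)$ | (110, 010) |
| $2g$ | $(\xi, \xi^2)$ | (010, 001) |
| $3g$ | $(\xi^6, \xi^6)$ | (101, 101) |
| $4g$ | $(0, \xi^2)$ | (000, 001) |
| $5g$ | $(\xi^6, 0)$ | (101, 000) |
| $6g$ | $(\xi, \xi^4)$ | (010, 011) |
| $7g$ | $(\xi^3, 1)$ | (110, 100) |
| $8g$ | $O$ | $O$ |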
The projective plane
- To implement addition of two points represented in standard affine coordinates, one must use inversions over $F_q$, which hurt performance far more than multiplications and additions.
- We can therefore use projective coordinates in order to replace the mentioned inversions with multiplications and additions.
- Affine points are mapped to projective coordinates by affixing the additional coordinate $Z = 1$: $(x, y) \to (X : Y : 1)$.
- Lopez-Dahab's projective coordinates provide the best results in terms of performance when used over binary fields.
- A point $(X : Y : Z)$ in Lopez-Dahab coordinates corresponds to the affine form $(X/Z, Y/Z^2)$.
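An added example (not the authors' C++/NTL code) that ties the GF(8) example slide to the projective-coordinates slide: the affine group law regenerates the table of multiples of g, and Lopez-Dahab doubling reaches 2g, 4g and 8g = O with a single inversion at the end. All identifiers are hypothetical; the doubling formula is the standard Lopez-Dahab one for this curve form, which the slides do not spell out.

```cpp
// Added example, not the authors' code; all names are hypothetical.
// GF(8) = F2[xi]/(xi^3+xi+1): bit i is the coefficient of xi^i (slide prints low bit first).
#include <cstdio>
#include <vector>
using Fe = unsigned char;
struct Pt { Fe x, y; bool inf; };                  // affine point, or O when inf is set
struct LD { Fe X, Y, Z; };                         // (X:Y:Z) <-> (X/Z, Y/Z^2); Z = 0 is O
const Fe A2 = 0, A6 = 0b110;                       // a6 = xi^4 = xi^2 + xi
const Pt O{0, 0, true}, G{0b011, 0b010, false};    // g = (xi^3, xi)
bool operator==(Pt a, Pt b) { return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y)); }
Fe mul(Fe a, Fe b) {                               // shift-and-add, reduced mod xi^3+xi+1
    Fe r = 0;
    for (; b; b >>= 1) {
        if (b & 1) r ^= a;
        a <<= 1;
        if (a & 0b1000) a ^= 0b1011;
    }
    return r;
}
Fe sqr(Fe a) { return mul(a, a); }
Fe inv(Fe a) { return mul(sqr(sqr(a)), sqr(a)); }  // a^(q-2) = a^6, for a != 0
Pt add(Pt p, Pt q) {                               // affine group law: one inversion per call
    if (p.inf) return q;
    if (q.inf) return p;
    Fe lam;
    if (p.x != q.x) lam = mul(p.y ^ q.y, inv(p.x ^ q.x));
    else if (p.y != q.y || p.x == 0) return O;     // q = -p = (x, x + y)
    else lam = p.x ^ mul(p.y, inv(p.x));           // doubling slope x + y/x
    Fe x3 = sqr(lam) ^ lam ^ p.x ^ q.x ^ A2;
    return {x3, Fe(mul(lam, p.x ^ x3) ^ x3 ^ p.y), false};
}
LD ld_double(LD p) {                               // Lopez-Dahab doubling: no inversion
    Fe z2 = sqr(p.Z), bz4 = mul(A6, sqr(z2));
    Fe Z3 = mul(sqr(p.X), z2), X3 = sqr(sqr(p.X)) ^ bz4;
    return {X3, Fe(mul(bz4, Z3) ^ mul(X3, mul(A2, Z3) ^ sqr(p.Y) ^ bz4)), Z3};
}
Pt to_affine(LD p) {                               // the single inversion, paid once
    if (p.Z == 0) return O;
    Fe zi = inv(p.Z);
    return {mul(p.X, zi), mul(p.Y, sqr(zi)), false};
}
std::vector<Pt> multiples(Pt g, int n) {           // g, 2g, ..., n*g by repeated addition
    std::vector<Pt> out;
    for (Pt acc = O; n-- > 0;) out.push_back(acc = add(acc, g));
    return out;
}
int main() {                                       // prints the table from the example slide
    for (Pt p : multiples(G, 8)) p.inf ? std::puts("O") : std::printf("(%d, %d)\n", p.x, p.y);
}
```

The printed pairs are the integer forms of the slide's bit strings read high bit first, so (110, 010) on the slide appears as (3, 2).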
Goals
- Implementation of EC arithmetic: point addition, doubling, powering.
- Finding a cryptographically strong random curve [1]:
  - Implementation of the SATOH-FGH algorithm for counting the number of points on a given curve, denoted by $\#E$.
  - Checking that $\#E$ is divisible by a large prime number $q$ and finding a point $P$ such that $\mathrm{Order}(P) = q$.
- Using a cyclic group defined by $P$ for ECDH [2]-oriented protocols.
- Implementing ECDSA (Elliptic Curve Digital Signature Algorithm) and, if time allows, more.

[1] A random $a_6$.
[2] Elliptic Curve Diffie-Hellman.
Secondary Goals
- Implementing a different counting algorithm such as AGM, and comparing it to SATOH-FGH in terms of overall performance times.
- Parallelizing the generation of random curves on multiprocessor systems with MPI (Message Passing Interface).
- Comparison between our implementations over binary fields and others over large prime characteristic fields.
Implementation
Used Libraries
- Language. Everything is implemented in C++.
- Compiler. Most recent stable GCC, 4.7.3_0.
- For field operations and large-number processing we use the NTL library, combined with GF2X to improve the performance of polynomial handling, along with GMP for large-number performance tweaking.
- SMALLSHA1 for computing SHA-1 hashes within the ECDSA protocol implementation.
- These should be sufficient for our purpose, although more libraries could always be added.
First achievements and results
- We implemented an initial stable version of EC arithmetic.

Average time results for $10^5$ operations, random curve and point:

| #Bits | P + Q | 2P | random · P |
|---|---|---|---|
| 127 | 0.068s | 0.022s | 7.41s |
| 239 | 0.082s | 0.029s | 18.02s |
| 271 | 0.098s | 0.035s | 25.35s |
| 487 | 0.13s | 0.047s | 59.65s |

Order (Point) > $10^5$: 0.069s, 0.084s, 0.10s, 0.13s
- It's easy to see that the third column gives us first performance results for generating ECDH key pairs (d, dP).
- The benchmarking had been conducted on an Intel Dual Core i7