
ELLIPTIC CURVE CRYPTOSYSTEM
GUIDE
MAJ TS BAINS
BIBLIOGRAPHY

A.J. Menezes, P.C. van Oorschot, and S.A. Vanstone, "Handbook of Applied Cryptography".
D.R. Stinson, "Cryptography: Theory and Practice".
D. Johnson and A.J. Menezes, "Elliptic Curve DSA (ECDSA): An Enhanced DSA", Certicom whitepaper, March 1997.
Certicom Corp., "An Introduction to Information Security", Certicom whitepaper, number 1, March 1997.
N. Koblitz, "Elliptic curve cryptosystems", Mathematics of Computation, number 48, pages 203-209, 1987.

CRYPTOSYSTEM
CONFIDENTIALITY - CONCEALMENT OF DATA FROM ALL BUT AUTHORIZED PARTIES.
USER AUTHENTICATION - ASSURANCE THAT THE PARTIES INVOLVED IN A REAL-TIME TRANSACTION ARE WHO THEY SAY THEY ARE.
DATA ORIGIN AUTHENTICATION - ASSURANCE OF THE SOURCE OF A MESSAGE.
DATA INTEGRITY - ASSURANCE THE DATA HAS NOT BEEN MODIFIED BY UNAUTHORIZED PARTIES.
NON-REPUDIATION - THE BINDING OF AN ENTITY TO A TRANSACTION IN WHICH IT PARTICIPATES, SO THAT THE TRANSACTION CANNOT LATER BE REPUDIATED. THAT IS, THE RECEIVER OF A TRANSACTION IS ABLE TO DEMONSTRATE TO A NEUTRAL THIRD PARTY THAT THE CLAIMED SENDER DID INDEED SEND THE TRANSACTION.

ELLIPTIC CURVE

IN 1985, NEIL KOBLITZ AND VICTOR MILLER INDEPENDENTLY PROPOSED THE ELLIPTIC CURVE CRYPTOSYSTEM (ECC),
1997 ACCEPTED.

SECURITY RESTS ON THE DISCRETE LOGARITHM PROBLEM OVER THE POINTS ON AN ELLIPTIC CURVE.

ECC CAN BE USED TO PROVIDE BOTH A DIGITAL SIGNATURE SCHEME AND AN ENCRYPTION SCHEME.

AN ELLIPTIC CURVE OVER REAL NUMBERS MAY BE DEFINED AS THE SET OF POINTS (X, Y) WHICH SATISFY AN ELLIPTIC CURVE EQUATION


ELLIPTIC CURVE
AN ELLIPTIC CURVE, DEFINED MODULO A PRIME P (OVER THE FINITE FD $Z_p$), IS THE SET OF SOLUTIONS (X, Y) TO AN EQUATION OF THE FORM
$y^2 = x^3 + ax + b \pmod p$
FOR TWO NUMBERS a AND b, $a, b \in Z_p$.
(a, b) SHOULD SATISFY $4a^3 + 27b^2 \not\equiv 0 \pmod p$
Let $p = 23$ and consider the elliptic curve $E: y^2 = x^3 + x + 1$ defined over $Z_{23}$.
Here $a = 1$ and $b = 1$, and $4a^3 + 27b^2 = 4 + 4 = 8 \not\equiv 0 \pmod{23}$, so E is indeed an elliptic curve.
QR(23) = {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}
An Example



The points in $E(Z_{23})$ are the point at infinity and the following:
(0,1) (0, 22) (1, 7) (1, 16)
(3, 10) (3, 13) (4, 0)
(5, 19) (5, 4) (6, 4) (6, 19)
(7, 11) (7, 12) (9, 7) (9, 16)
(11, 3) (11, 20) (12, 19) (12, 4)
(13, 16) (13, 7) (17, 3) (17, 20)
(18, 3) (18, 20) (19, 5) (19, 18)
SUGGESTED SCOPE
ELLIPTIC CURVE
FINITE FD F(P) WHERE P IS PRIME NO
PROBLEM AREAS
RESIDUAL OF POLYNOMIAL
QUADRATIC RATIO OF POLYNOMIAL.
KNOWLEDGE OF C++


TIME SCHEDULE

SCOPE
CHOOSE AN ELLIPTIC CURVE OVER A GALOIS FIELD OF HIGHER ORDER F(2p 150)
DEVP OF SW FOR ADDITION OF TWO PTS OVER EC OF GIVEN MODULO.
DEVP OF SW FOR ENCRYPT & DECRYPT USING ECC.
GENERATE A PAIR OF PUB & PVT KEY
ENCRYPT A MSG
ECC FOR AUTHENTICATION
ECC
TOPICS TO BE UNDERSTOOD

ELLIPTIC CURVE
DLP
FINITE FD
GALOIS FIELD
QUADRATIC RATIO
RESIDUAL OF A POLYNOMIAL
DISCRETE ALOG FACTORISATION
ELLIPTIC CURVE CRYPTOSYSTEM
C++
ELLIPTIC CURVES:-
An elliptic curve over a field $Z_p$ is the set of points $(x, y)$ with $x, y \in Z_p$ which satisfy the equation
$y^2 = x^3 + ax + b$
together with a single element denoted by O and called the point at infinity.
[Figure: points P, Q and R on the curve, with -R = (P + Q)]
Assumption :-
1. If P is the point at infinity O, then -P is defined to be O and P + Q = Q, i.e. O is the additive identity (zero element).
2. If P = (x, y), then -P = (x, -y), i.e. -(x, y) = (x, -y): x stays the same, y becomes -y.
3. If P and Q have different x-coordinates, then the line PQ intersects the curve at exactly one more point R, and P + Q = -R (mirror image = -R).
4. If Q = -P, then P + Q = O (i.e. Q has the same x but -y).
5. If P = Q, then let l be the tangent line to the curve at P
ELLIPTIC CURVES CRYPTOSYSTEM (ECC) :-
Let $p > 3$ be prime. The elliptic curve $y^2 = x^3 + ax + b$ over $Z_p$ is the set of solutions $(x, y) \in Z_p \times Z_p$ to the congruence
$$y^2 \equiv x^3 + ax + b \pmod p$$
where $a, b \in Z_p$ are constants such that $4a^3 + 27b^2 \not\equiv 0 \pmod p$, together with a special point O called the point at infinity.
Let $P = (x_1, y_1)$, $Q = (x_2, y_2)$. Then $P + Q = R = (x_3, y_3)$, where
$$x_3 = \lambda^2 - x_1 - x_2$$
$$y_3 = \lambda (x_1 - x_3) - y_1$$
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1}, & \text{if } P \neq Q \\[2ex] \dfrac{3x_1^2 + a}{2y_1}, & \text{if } P = Q \end{cases}$$
Ex :- Let EC be $y^2 = x^3 + x + 6$ over $Z_{11}$.
1. Determine the points on E. For this, look at each possible $x \in Z_{11}$, compute $x^3 + x + 6 \bmod 11$ and check whether it is a quadratic residue by applying Euler's criterion.
Quadratic residue: $y^2 \equiv a \bmod 11$
x = 0,  $y^2 = 6$
x = 1,  $y^2 = 8$
x = 2,  $y^2 = 5$   ($= 2^3 + 2 + 6 \bmod 11 = 8 + 8 \bmod 11 = 5$)
x = 3,  $y^2 = 3$   ($= 3^3 + 3 + 6 = 27 + 3 + 6 = 36$)   $\in QR_{11}$
x = 4,  $y^2 = 8$
x = 5,  $y^2 = 4$   $\in QR_{11}$
x = 6,  $y^2 = 8$
x = 7,  $y^2 = 4$
x = 8,  $y^2 = 9$
x = 9,  $y^2 = 7$
x = 10, $y^2 = 4$   $\in QR_{11}$


QR(11) = {1, 3, 4, 5, 9}
$1^2 = 1 \bmod 11$
$2^2 = 4 \bmod 11$
$3^2 = 9 \bmod 11$
$4^2 = 16 \bmod 11 = 5$
$5^2 = 25 \bmod 11 = 3$
$6^2 = 36 \bmod 11 = 3$
$7^2 = 49 \bmod 11 = 5$
$8^2 = 64 \bmod 11 = 9$
$9^2 = 81 \bmod 11 = 4$
$10^2 = 100 \bmod 11 = 1$

$\overline{QR}(11) = \{2, 6, 7, 8, 10\}$ (the non-residues)
* Explicit formula to compute square roots of a quadratic residue $z$ mod $p$ for primes $p \equiv 3 \pmod 4$: $\pm z^{(p+1)/4} \bmod p$
* By this formula, the square roots of a quadratic residue $z$ are
$\pm z^{(11+1)/4} \bmod 11 = \pm z^{12/4} \bmod 11 = \pm z^3 \bmod 11$
* Let $x = 2$, $y^2 = 5 \bmod 11$
$y = 5^3 \bmod 11 = 125 \bmod 11 = 4 \bmod 11$
+ve = 4
-ve = -4 mod 11 = 7
Points (x, y): (2, 4), (2, 7)
* Let $x = 3$, $y^2 = 3 \bmod 11$
$y = 3^3 \bmod 11 = 27 \bmod 11 = 5$
+ve = 5
-ve = -5 mod 11 = 6
Points (x, y): (3, 5), (3, 6)
* Points on the elliptic curve $y^2 = x^3 + x + 6$ over mod 11, i.e. over $Z_{11}$
* Remember $4a^3 + 27b^2 \not\equiv 0 \bmod 11$
Here $a = 1$, $b = 6$
$4 \cdot 1^3 + 27 \cdot 6^2 \not\equiv 0 \bmod 11$
$4 + 5 \cdot 3 \not\equiv 0 \bmod 11$
* $p + 1 - 2\sqrt{p} \le \#E \le p + 1 + 2\sqrt{p}$, where $\#E$ is the no. of points on EC.
* Any point other than the point at infinity is a generator of E, if E has a prime no. of points.
Let $\alpha = (2, 7)$.
Is this a generator? I.e. $2\alpha, 3\alpha, 4\alpha, \ldots$ must be points on EC.
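* $2\alpha = (2, 7) + (2, 7)$, i.e. $2P = P + P$
$\lambda = \dfrac{3x_1^2 + a}{2y_1}$ (the case $P = Q$)
$= \dfrac{3 \cdot 2^2 + 1}{2 \cdot 7} = \dfrac{12 + 1}{14} = \dfrac{2}{3} = 2 \times 3^{-1} = 2 \times 4 = 8 \pmod{11}$
$x_3 = \lambda^2 - x_1 - x_2 = 8^2 - 2 - 2 = 5 \pmod{11}$
$y_3 = \lambda (x_1 - x_3) - y_1 = 8(2 - 5) - 7 = 2 \pmod{11}$
$2\alpha = (5, 2)$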
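* Similarly $3\alpha = 2\alpha + \alpha = (5, 2) + (2, 7)$, i.e. $P + Q$ with $P \neq Q$
$\lambda = \dfrac{y_2 - y_1}{x_2 - x_1} = \dfrac{7 - 2}{2 - 5} = \dfrac{5}{-3} = 5 \times 8^{-1} = 5 \times 7 = 2 \pmod{11}$
$x_3 = \lambda^2 - x_1 - x_2 = 2^2 - 5 - 2 \bmod 11 = 8$
$y_3 = \lambda (x_1 - x_3) - y_1 = 2(5 - 8) - 2 \bmod 11 = 3$
$3\alpha = (8, 3)$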
x     x^3 + x + 6 mod 11    In QR(11)?    y       Points on EC
0     6                     no
1     8                     no
2     5                     yes           4, 7    (2, 4) (2, 7)
3     3                     yes           5, 6    (3, 5) (3, 6)
4     8                     no
5     4                     yes           2, 9    (5, 2) (5, 9)
6     8                     no
7     4                     yes           2, 9    (7, 2) (7, 9)
8     9                     yes           3, 8    (8, 3) (8, 8)
9     7                     no
10    4                     yes           2, 9    (10, 2) (10, 9)
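
The point search tabulated above, as an added Python example (not part of the original slides): it applies the curve condition, Euler's criterion and the square-root formula for primes p = 3 (mod 4), and goes beyond the Z_11 case by also running the earlier Z_23 curve. All function names are chosen here for illustration.

```python
# Added example: enumerate E(Z_p) for y^2 = x^3 + ax + b when p = 3 (mod 4).

def is_nonsingular(a, b, p):
    """Curve condition from the text: 4a^3 + 27b^2 must be non-zero mod p."""
    return (4 * a**3 + 27 * b**2) % p != 0

def is_qr(z, p):
    """Euler's criterion: z is a quadratic residue iff z^((p-1)/2) = 1 mod p."""
    return pow(z, (p - 1) // 2, p) == 1

def sqrt_mod(z, p):
    """Both square roots of a residue z via z^((p+1)/4); needs p = 3 (mod 4)."""
    if p % 4 != 3:
        raise ValueError("formula requires p = 3 (mod 4)")
    y = pow(z, (p + 1) // 4, p)
    return sorted({y, (-y) % p})

def curve_points(a, b, p):
    """All affine points; the point at infinity is not included in the list."""
    if not is_nonsingular(a, b, p):
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
    points = []
    for x in range(p):
        z = (x**3 + a * x + b) % p
        if z == 0:
            points.append((x, 0))      # y = 0 is the only root
        elif is_qr(z, p):
            points.extend((x, y) for y in sqrt_mod(z, p))
    return points

def hasse_ok(n, p):
    """Hasse bound |#E - (p + 1)| <= 2*sqrt(p), checked in integers."""
    return (n - (p + 1)) ** 2 <= 4 * p

if __name__ == "__main__":
    for a, b, p in [(1, 6, 11), (1, 1, 23)]:   # the two curves on this page
        pts = curve_points(a, b, p)
        n = len(pts) + 1                       # +1 for the point at infinity
        print(f"p={p}: #E={n}, Hasse ok={hasse_ok(n, p)}")
        print(pts)
```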
Menezes-Vanstone ECC (1993):-
* Journal of Cryptology, 6 (1993) pp 209-214
* IEEE Trans. on IT, 39, (1993) pp 1639-1646
(1) Let E be an elliptic curve over $Z_p$, $p > 3$ and prime, such that E contains a cyclic subgroup H in which the discrete log problem is intractable.
(2) Let $\mathcal{P} = Z_p^* \times Z_p^*$, $\mathcal{C} = E \times Z_p^* \times Z_p^*$ and $\mathcal{K} = \{(E, \alpha, a, \beta) : \beta = a\alpha\}$, where $\alpha \in E$.
(3) $\alpha$ and $\beta$ are public and $a$ is secret.
(4) For $K = (E, \alpha, a, \beta)$, for a secret random number $k \in Z_{|H|}$ and for $x = (x_1, x_2) \in Z_p^* \times Z_p^*$,
(5) define $e_K(x, k) = (y_0, y_1, y_2)$, where
$y_0 = k\alpha$
$(c_1, c_2) = k\beta$   [$\beta = a\alpha$]
$y_1 = c_1 x_1 \bmod p$
$y_2 = c_2 x_2 \bmod p$
(6) For a ciphertext $y = (y_0, y_1, y_2)$, define
$d_K(y) = (y_1 c_1^{-1} \bmod p,\ y_2 c_2^{-1} \bmod p)$
where $a y_0 = (c_1, c_2)$.
Note :- (i) $x = (x_1, x_2) \in Z_p^* \times Z_p^*$ is not a point on E.
(ii) $k$ is a secret random number, $k \in Z_{|H|}$.
Menezes-Vanstone ECC based on ElGamal Encryption Scheme
[Diagram: sender A and receiver B exchanging the ciphertext y]
SENDER A: plaintext $x = (x_1, x_2) = (9, 1)$, where $x \in Z_p^* \times Z_p^*$ and $x$ is not a point on EC ($Z_p^*$ - field, prime $p > 3$). A chooses random $k = 6$ and computes $(y_0, y_1, y_2)$:
$y_0 = k\alpha$
$y_1 = c_1 x_1 \bmod p$
$y_2 = c_2 x_2 \bmod p$
Ciphertext $y = (y_0, y_1, y_2)$ with $y_0 = (7, 9)$, $y_1 = 6$, $y_2 = 3$; $y_0 \in EC$.
RECEIVER B: secret key $a = 7$. B's public key is $(E, \alpha, \beta)$ with $\beta = a\alpha$, where $\alpha = (2, 7)$ is a generator of EC. B computes
$(c_1, c_2) = a y_0 = (8, 3)$, so $c_1 = 8$, $c_2 = 3$
$x = (y_1 c_1^{-1} \bmod p,\ y_2 c_2^{-1} \bmod p) = (9, 1)$
Labels: Koblitz (1987), Miller (1986), Menezes (1993), Menezes-Vanstone 1993, MOV (1994)
ElGamal Encryption using EC:-
Let $\alpha = (2, 7)$ and B's secret (key) exponent is $a = 7$, so $\beta = 7\alpha = (7, 2)$, a point on EC.
[Diagram: sender A holds $x$ and $k$; receiver B holds $a$; the ciphertext $y$ passes from A to B]
Now A wants to encrypt the plaintext $x = (x_1, x_2) = (9, 1)$, where $x$ is not a point on E, and chooses the random value $k = 6$.
A computes $y_0 = k\alpha = 6(2, 7) = (7, 9)$
and $k\beta = 6(7, 2) = (8, 3) = (c_1, c_2)$,
so $c_1 = 8$ and $c_2 = 3$.
Next A calculates $y_1 = c_1 x_1 \bmod p = 8 \times 9 \bmod 11 = 6$
and $y_2 = c_2 x_2 \bmod p = 3 \times 1 \bmod 11 = 3$.
Thus the ciphertext A sends is
$y = (y_0, y_1, y_2) = [(7, 9), 6, 3]$
When B receives the ciphertext $y$,
B computes $(c_1, c_2) = a y_0 = 7(7, 9) = (8, 3)$
and then $x = (y_1 c_1^{-1} \bmod p,\ y_2 c_2^{-1} \bmod p)$
$= (6 \times 8^{-1} \bmod 11,\ 3 \times 3^{-1} \bmod 11)$
$= (6 \times 7 \bmod 11,\ 3 \times 4 \bmod 11)$
$= (9, 1)$
Hence the decryption yields the correct plaintext.
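
The point addition rules and the Menezes-Vanstone exchange worked through above, as an added Python example (not part of the original slides) on the same toy curve. Function names are chosen here for illustration; the check that y0 lies on the curve before decrypting and the rejection of a zero mask are additions the slides do not state.

```python
# Added example: Menezes-Vanstone encryption on y^2 = x^3 + x + 6 over Z_11.
P_MOD, A, B = 11, 1, 6      # toy curve parameters from the worked example
O = None                    # point at infinity

def inv(n):
    return pow(n % P_MOD, P_MOD - 2, P_MOD)   # inverse via Fermat, P_MOD prime

def on_curve(pt):
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % P_MOD == 0

def add(p1, p2):
    """Group law: chord if P != Q, tangent if P == Q, O if Q == -P."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def encrypt(x, k, alpha, beta):
    y0, c = mul(k, alpha), mul(k, beta)
    if c is O or 0 in c:                   # masks c1, c2 must be invertible
        raise ValueError("unusable k: c1 or c2 is zero")
    return (y0, c[0] * x[0] % P_MOD, c[1] * x[1] % P_MOD)

def decrypt(y, a):
    y0, y1, y2 = y
    if y0 is O or not on_curve(y0):        # added check: reject off-curve y0
        raise ValueError("y0 is not a valid curve point")
    c = mul(a, y0)
    if c is O or 0 in c:
        raise ValueError("c1 or c2 is zero")
    return (y1 * inv(c[0]) % P_MOD, y2 * inv(c[1]) % P_MOD)
```

With alpha = (2, 7), a = 7 and k = 6, `encrypt((9, 1), 6, (2, 7), mul(7, (2, 7)))` reproduces the ciphertext [(7, 9), 6, 3] from the slides.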