Elliptic Curve Cryptography

Joonatan Saarhelo
December 11, 2016

1 Why is public-key cryptography important?
A message passing through the internet may choose any route the participating
servers see fit. Furthermore, the servers could alter the message to benefit some
third party. This is why encryption should be used on every site, not just
to prevent stealing login credentials. Even this document could be completely
wrong, if someone had systematically altered every source that I downloaded
over HTTP.
To combat this, two tools were devised.
Public key cryptography is used to exchange a key with the second party, which
is then used to encode messages so that only the two can decipher them. Messages encrypted with the public key can only be decrypted by the one who gave
out the key.
To prevent someone else from impersonating the second party, each server has
a cryptographic signature, possession of which can be proven without revealing
the signature.

2 RSA is not future-proof
Functions that are relatively fast to compute compared to their inverse make
cryptography possible. A cryptographic hash function is a function whose inverse can be most efficiently computed by trying out inputs until it yields the
desired output.
Sadly, the most popular functions in use today can be inverted more efficiently.
It would take enough energy to boil the world’s oceans to invert a true 228-bit
cryptographic hash. On the other hand, 242-bit RSA can be broken with the
power required to boil a teaspoon of water. [1]
More importantly, RSA key size scales badly [4], so especially in the future a
lot of computing power can be saved by employing a better encryption method.
This is because there exist fairly efficient algorithms for breaking RSA and
because prime number frequency decreases as number size increases. (RSA can
only have prime number keys.) Storing keys as the ordinal of the corresponding
prime number would be too computationally expensive.
Having to receive and process nearly a kilobyte of key just to complete a cryptographic handshake would make a perceptible difference; it could for example
result in having to send multiple packets for a handshake, as the default maximum payload for a UDP packet is 576 bytes (536 for TCP). [5] With multiple
packets problems like one arriving and the other getting lost present themselves.

3 The security of Elliptic Curves
The security of public key cryptography using elliptic curves is comparable to
cryptographic hashes. [4][1] Pollard’s Rho method, the most efficient algorithm
as of 2005 for breaking them has a time complexity of $O(\sqrt{pq})$, where q is the
number of possible keys. [4] In practice this is not much better than O(q), as q
is chosen as close to p as possible.
Even if a better algorithm was discovered, elliptic curves can be considered
secure, as the most efficient solution to the Diffie-Hellman problem involves the
Elliptic Curve Discrete Logarithm problem, for which a lower bound of $O(\sqrt{q})$
has been proven. [3]
Performing the encryption and decryption, however, only takes O(log(q)) time.

4 How does it work?

4.1 Elliptic curves
Discrete Elliptic Curves are abelian groups of points on a plane that satisfy
$y^2 \equiv x^3 + ax + b \pmod{p}$, where all variables are in the ring of integers modulo
p. To complete the group, O is added as an identity element.
The following statements hold for an elliptic curve over any field, but they are
easiest to imagine with real numbers.
Any line that is not vertical that intersects an elliptic curve at two places also
intersects it in a third. [7] The group operation, written A + B, outputs the
third point on the line crossing A and B, flipping it over the x-axis. Flipping
always succeeds, as the curves are symmetric over the x-axis.
$$(A + B)_x = \lambda^2 - A_x - B_x$$
$$(A + B)_y = \lambda\,(A_x - (A + B)_x) - A_y$$
$$\lambda = \frac{A_y - B_y}{A_x - B_x}$$
In the case that A = B, the result is the flipped version of the other point that
the tangent of the curve intersects. [9] Then, the slope looks like this:
$$\lambda = \frac{3A_x^2 + a}{2A_y}$$
where a is the coefficient of x in the curve equation. [8]
Here you may feel cheated, as the line only intersects at two points. We can
think that the tangent is actually defined by two points very close together.
Then it intuitively follows that if the line between T and E is a tangent at T ,
T + E = −T , where − denotes flipping. This can be trivially derived from
T + T = −E.
Multiplication with an integer is defined as repeatedly applying the group operation known as +. nP = P + P + P... It can be implemented efficiently for
example by representing the factor in binary and summing repeatedly doubled
versions of the original point. Thus log(n) additions are needed. We actually
can’t do any better, as a representation of n has log(n) digits, and therefore
takes log(n) time to read.

4.2 Diffie-Hellman
Discrete Elliptic Curves have the nice property that it is computationally infeasible to find n if nA and A are known. The simplest algorithm for any field
is to sum A until nA is reached, but for other fields there are some powerful
shortcuts. [2] Large integer arithmetic is very commonly done on computers,
which makes it convenient as well.
Two parties begin a cryptographic key exchange by agreeing on a curve and a
starting point P. Then they each choose a random key $k_1, k_2 \in [0, n)$ where
$P = nP$. They then broadcast $k_1 P$ and $k_2 P$. After multiplying the received
point with their own key, they now both know a point that no-one else knows.
$$k_1 (k_2 P) = k_2 (k_1 P)$$
Now that they have a common secret, they can start communicating using a
symmetric encryption method.
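
The group operation and binary multiplication from section 4.1 and the key exchange from section 4.2, as an added example that is not part of the original paper. The curve y^2 = x^3 + 2x + 2 mod 17 with starting point (5, 1) of order 19 is a constructed toy parameter set, and the function names and the check on the received point are assumptions of this example.

```python
import secrets

# Constructed toy parameters (far too small for real use): y^2 = x^3 + 2x + 2 mod 17,
# base point P = (5, 1), whose order n = 19 is prime. None stands for the identity O.
p, a, b = 17, 2, 2
P, n = (5, 1), 19

def on_curve(A):
    return A is None or (A[1] ** 2 - (A[0] ** 3 + a * A[0] + b)) % p == 0

def add(A, B):
    """Group operation A + B using the slope formulas from section 4.1."""
    if A is None:
        return B
    if B is None:
        return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0:
        return None                                    # vertical line: A + (-A) = O
    if A == B:
        lam = (3 * A[0] ** 2 + a) * pow(2 * A[1] % p, -1, p) % p       # tangent
    else:
        lam = (A[1] - B[1]) * pow((A[0] - B[0]) % p, -1, p) % p        # chord
    x = (lam * lam - A[0] - B[0]) % p
    return (x, (lam * (A[0] - x) - A[1]) % p)

def mul(k, A):
    """Double-and-add: one doubling per bit of k, so O(log k) group operations."""
    result = None
    while k:
        if k & 1:
            result = add(result, A)
        A = add(A, A)
        k >>= 1
    return result

def keypair():
    k = 1 + secrets.randbelow(n - 1)   # 0 is excluded here: it would publish O
    return k, mul(k, P)

def shared_secret(k, received):
    """Validate the peer's point before use, then multiply by our own key."""
    if received is None or not on_curve(received) or mul(n, received) is not None:
        raise ValueError("rejected peer point")
    return mul(k, received)

if __name__ == "__main__":
    k1, Q1 = keypair()
    k2, Q2 = keypair()
    print(shared_secret(k1, Q2) == shared_secret(k2, Q1))   # both sides agree
```

Checking that a received point lies on the agreed curve and in the expected group before multiplying it by the private key keeps a peer from steering the computation onto a different, weaker curve.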

4.3 Choice of Curve
Unlike selecting keys, selecting good parameters for a curve is hard, as some
curves make multiplication easy to invert and some starting points make for
a very small number of possible keys. This is why it is a good idea to use
parameters that have been carefully selected and peer reviewed.
For example, the Brainpool curves have been analyzed for weaknesses and were
chosen by a pseudorandom algorithm seeded with digits of pi to make it impractical to include a backdoor. [4]
References
[1] Arjen K. Lenstra with Thorsten Kleinjung and Emmanuel Thomé, Universal
security: from bits and mips to pools, lakes and beyond, 2003.
[2] http://www.johannes-bauer.com/compsci/ecc, 10.12.2016.
[3] Steven D. Galbraith and Pierrick Gaudry, Recent progress on the elliptic
curve discrete logarithm problem, 2015.
[4] ECC Brainpool Standard Curves and Curve Generation v. 1.0, 2005.
[5] Network Working Group, RFC 879: The TCP Maximum Segment Size and
Related Topics, 1983. https://tools.ietf.org/html/rfc879
[6] Victor Shoup, Lower Bounds for Discrete Logarithms and Related Problems.
http://www.shoup.net/papers/dlbounds1.pdf
[7] William Stein, Elementary Number Theory, 2011.
[8] http://mathworld.wolfram.com/EllipticCurve.html, 11.12.2016.
[9] http://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/, 8.12.2016