In this chapter we discuss the basic mathematics underlying the theory of elliptic curves [24].
4.1 Elliptic curve
An elliptic curve is not the same thing as an ellipse. A more useful starting point is school mathematics: the equation of a circle centred at (a, b) with radius r is [13]:
(x - a)^2 + (y - b)^2 = r^2   (4.1)
where x, y, a, b and r are real numbers.
An elliptic curve is also defined by an equation, but of a slightly more complicated form [13]:
y^2 [+ x·y] = x^3 + a·x^2 + b   (4.2)
Notation: · means multiplication, y^2 means y·y and x^3 means x·x·x. The square brackets mean that the term is optional: sometimes it is there, sometimes it is not. (Which form is used depends on the field: over a prime field F_p with p > 3 the curve is usually written y^2 = x^3 + a·x + b, without the x·y term, while over a binary field F_2^m the form y^2 + x·y = x^3 + a·x^2 + b is used.) Again x and y are variables and a and b are constants. However, these quantities are not necessarily real numbers; they may be values from any field. For cryptographic purposes we always use a finite field, that is, x, y, a and b are chosen from a finite set of distinct values.
4.2 Group
A group is a set together with an arithmetic operation defined on it; the operation must be closed, associative, have an identity element, and give every element an inverse. The particular rules of arithmetic in such groups are the source of the hard problems on which cryptographic security rests. Two groups used in cryptography are Z_n, the additive group of integers modulo a number n, and Z_p*, the multiplicative group of integers modulo a prime number p.
The group Z_n uses only the integers from 0 to n - 1. Its basic operation is addition, which ends by reducing the result modulo n, that is, taking the integer remainder when the result is divided by n. One very important feature of arithmetic in a group is that all calculations give numbers which are in the group; this is called closure. Modular reduction by n ensures that all additions result in numbers between 0 and n - 1. The additive group Z_15 uses the integers from 0 to 14. Here are some sample additions in Z_15:
(10 + 12) mod 15 = 22 mod 15 = 7
(4 + 11) mod 15 = 15 mod 15 = 0
So in Z_15, 10 + 12 = 7 and 4 + 11 = 0. Notice that both calculations have answers between 0 and 14.
4.4 Additive Inverses
Each number x in an additive group has an additive inverse in the group, that is, an element -x such that x + (-x) = 0 in the group. In Z_15, -4 = 11 since (4 + 11) mod 15 = 15 mod 15 = 0. (In Z_n, -x is simply n - x for x ≠ 0, and -0 = 0.)
4.5 Other operations
While addition is the main operation in the additive group Z_n, other operations can be derived from addition. For example, the subtraction x - y can be performed as the addition x + (-y) mod n. In Z_15, 1 - 4 = 1 + (-4) = (1 + 11) mod 15 = 12.
It is also possible to define multiplication in Z_n by repeated addition. For example, the product 4·9 in Z_15 can be obtained by adding four copies of 9: (9 + 9 + 9 + 9) mod 15 = 36 mod 15 = 6.
4.6 The group Z_p*
Cryptosystems using arithmetic in Z_p* include the Diffie-Hellman key agreement protocol and the Digital Signature Algorithm (DSA). The multiplicative group Z_p* uses only the integers from 1 to p - 1 (p a prime number), and its basic operation is multiplication. Multiplication ends by taking the remainder on division by p; this ensures closure. The multiplicative group Z_11* uses the integers from 1 to 10, and multiplication in Z_11* finishes by taking the remainder when the result is divided by 11. Sample calculations:
(4 · 7) mod 11 = 28 mod 11 = 6
(9 · 5) mod 11 = 45 mod 11 = 1
Thus in Z_11*, 4 · 7 = 6 and 9 · 5 = 1. Notice that both calculations have answers between 1 and 10.
4.7 Multiplicative Inverses
Each number x in a multiplicative group has a multiplicative inverse in the group, that is, an element x^-1 such that x · x^-1 = 1 in the group. In Z_11*, 9^-1 = 5 since (9 · 5) mod 11 = 1.
In a multiplicative group every element must have a multiplicative inverse, and this is exactly where a composite modulus fails. Consider the integers modulo the (composite) number 15. It is possible to define multiplication on the numbers from 1 to 14, always finishing with reduction modulo 15. In this system the number 6 has no inverse, since there is no number y such that (6 · y) mod 15 = 1: for y = 1, 2, ..., 14 the products 6·y mod 15 are 6, 12, 3, 9, 0, 6, 12, 3, 9, 0, 6, 12, 3, 9, and 1 never appears. The reason is that 6 and 15 share the factor 3, so every product 6·y mod 15 is a multiple of 3; in general an integer x has an inverse modulo n exactly when gcd(x, n) = 1. The product (6 · 5) mod 15 = 0 also shows that the set {1, ..., 14} is not even closed under multiplication modulo 15, so it is not a group at all. This is why Z_p* requires p to be prime.
4.8 Abelian Groups
An arithmetic operation is said to be commutative if the order of its arguments does not matter. With ordinary numbers, addition and multiplication are commutative operations; for example, 2 · 9 = 9 · 2 and 2 + 9 = 9 + 2. However, subtraction and division are not commutative, since 2 - 9 ≠ 9 - 2 and 2 / 9 ≠ 9 / 2.
A group is called abelian if its operation is commutative. Thus an additive group is abelian if a + b = b + a for all elements a, b in the group, and a multiplicative group is abelian if a · b = b · a for all elements a, b in the group. The additive group Z_n and the multiplicative group Z_p* are both abelian groups.
4.9 Field
A field is a set of elements with two arithmetic operations, conventionally called addition and multiplication. The elements of the field form an additive abelian group, the non-zero elements form a multiplicative abelian group, and multiplication distributes over addition. This means that every element has an additive inverse and every non-zero element has a multiplicative inverse. As with groups, other operations can be defined in a field using its two main operations.
A field is called finite if it has a finite number of elements. The most commonly used finite fields in cryptography are the field F_p (where p is a prime number) and the field F_2^m.
4.10 The field F_p
The finite field F_p (p a prime number) consists of the numbers from 0 to p - 1. Its operations are addition and multiplication, defined as for the groups Z_n and Z_p* respectively: all calculations end with reduction modulo p. The restriction that p be a prime number is necessary so that all non-zero elements have a multiplicative inverse (see the discussion of Z_p* above). As with Z_n and Z_p*, other operations in F_p (such as subtraction, division and exponentiation) are derived from the definitions of addition and multiplication. Calculations in the field F_23 include:
(10 · 4 - 11) mod 23 = 29 mod 23 = 6
7^-1 mod 23 = 10, since (7 · 10) mod 23 = 70 mod 23 = 1
(8^3 / 7) mod 23 = (512 / 7) mod 23 = ((512 mod 23) · 7^-1) mod 23 = (6 · 10) mod 23 = 14
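As an added example (not code from the original chapter), the following Python implements the arithmetic of Sections 4.2 to 4.10 and reproduces the Z_15, Z_11* and F_23 calculations above. The inverse is computed with the extended Euclidean algorithm, which also makes the failure case of Section 4.7 visible: for a composite modulus it reports which residues have no inverse instead of silently returning garbage. The function names are this example's own.

```python
# Added example (not part of the original chapter): the arithmetic of
# Sections 4.2 to 4.10 in Python. Z_n needs no condition on n; Z_p* and F_p
# need p prime, and inv_mod shows what goes wrong when it is not.


def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with g = gcd(a, b) = s*a + t*b."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0


def inv_mod(x, n):
    """Multiplicative inverse of x modulo n, or None when gcd(x, n) != 1
    (Section 4.7: 6 has no inverse modulo 15 because gcd(6, 15) = 3)."""
    g, s, _ = egcd(x % n, n)
    return s % n if g == 1 else None


# --- the additive group Z_n (Sections 4.2 to 4.5) ---------------------------
def add_mod(x, y, n):
    return (x + y) % n                      # closure: result lies in 0..n-1


def neg_mod(x, n):
    return (-x) % n                         # additive inverse, e.g. -4 = 11 in Z_15


def sub_mod(x, y, n):
    return add_mod(x, neg_mod(y, n), n)     # x - y is x + (-y)


def mul_by_repeated_add(k, x, n):
    r = 0
    for _ in range(k):                      # k copies of x; for small k only
        r = add_mod(r, x, n)
    return r


# --- the multiplicative group Z_p* and the field F_p (Sections 4.6 to 4.10) --
def mul_mod(x, y, n):
    return (x * y) % n


def div_mod(x, y, n):
    inv = inv_mod(y, n)
    if inv is None:
        raise ZeroDivisionError(f"{y} has no inverse modulo {n}")
    return mul_mod(x, inv, n)               # x / y is x * y^-1


def pow_mod(x, e, n):
    """Square-and-multiply exponentiation (the built-in pow(x, e, n) is the
    same thing, implemented in C)."""
    r = 1
    x %= n
    while e:
        if e & 1:
            r = mul_mod(r, x, n)
        x = mul_mod(x, x, n)
        e >>= 1
    return r


def units(n):
    """The residues 1..n-1 that have an inverse modulo n. For prime p this is
    every element, i.e. Z_p*; for composite n it is a proper subset."""
    return [x for x in range(1, n) if inv_mod(x, n) is not None]


def closed_under_mul(n):
    """Is {1..n-1} closed under multiplication mod n? False for composite n,
    e.g. 3 * 5 mod 15 = 0, which is outside the set."""
    return all(mul_mod(x, y, n) != 0 for x in range(1, n) for y in range(1, n))
```

`units(15)` returns only the eight residues coprime to 15, while `units(11)` returns all of 1 to 10; that difference is the whole content of the requirement that p be prime. In Python 3.8 and later `pow(y, -1, n)` computes the same inverse as `inv_mod` but raises `ValueError` when none exists.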
4.11 The field F_2^m
Although the description of the field F_2^m is more complicated, this field is extremely useful because its arithmetic can be implemented very efficiently in hardware. Here arithmetic in F_2^m is described using the polynomial representation.
The elements of F_2^m are the polynomials of degree less than m with coefficients in F_2, that is, {a_{m-1} x^{m-1} + a_{m-2} x^{m-2} + ... + a_2 x^2 + a_1 x + a_0 | each a_i = 0 or 1}. These elements can be written in vector form as (a_{m-1} ... a_1 a_0). F_2^m has 2^m elements.
The main operations in F_2^m are addition and multiplication. Multiplication involves a fixed polynomial f(x) = x^m + f_{m-1} x^{m-1} + f_{m-2} x^{m-2} + ... + f_2 x^2 + f_1 x + f_0, where each f_i is in F_2. The polynomial f(x) must be irreducible [2]; that is, it cannot be factored into two polynomials over F_2, each of degree less than m.
4.13 Addition
(a_{m-1} ... a_1 a_0) + (b_{m-1} ... b_1 b_0) = (c_{m-1} ... c_1 c_0), where each c_i = a_i + b_i in F_2.
Addition is just the componentwise XOR of (a_{m-1} ... a_1 a_0) and (b_{m-1} ... b_1 b_0).
4.14 Subtraction
In the field F_2^m each element (a_{m-1} ... a_1 a_0) is its own additive inverse, since (a_{m-1} ... a_1 a_0) + (a_{m-1} ... a_1 a_0) = (0 ... 0 0), the additive identity. Thus addition and subtraction are the same operation in F_2^m.
4.15 Multiplication
(a_{m-1} ... a_1 a_0) · (b_{m-1} ... b_1 b_0) = (r_{m-1} ... r_1 r_0), where r_{m-1} x^{m-1} + ... + r_1 x + r_0 is the remainder when the polynomial (a_{m-1} x^{m-1} + ... + a_1 x + a_0) · (b_{m-1} x^{m-1} + ... + b_1 x + b_0) is divided by the polynomial f(x) over F_2. (Note that all polynomial coefficients are reduced modulo 2.)
4.16 Exponentiation
The exponentiation (a_{m-1} ... a_1 a_0)^e is defined as the product of e copies of (a_{m-1} ... a_1 a_0). In practice it is computed by repeated squaring rather than by e - 1 separate multiplications, as the example in Section 4.18 shows.
4.17 Multiplicative Inversion
There is at least one element g in F_2^m such that every non-zero element of F_2^m can be expressed as a power of g. Such an element g is called a generator of the multiplicative group of F_2^m. Since g^(2^m - 1) = 1, the multiplicative inverse of an element a = g^i is a^-1 = g^((-i) mod (2^m - 1)). (Equivalently, because every non-zero a satisfies a^(2^m - 1) = 1, a^-1 = a^(2^m - 2); this can be computed by exponentiation alone, without a table of powers of g.)
4.18 Example: F_2^4 with Polynomial Representation
The elements of F_2^4 are the 16 vectors:
(0000) (0001) (0010) (0011) (0100) (0101) (0110) (0111) (1000) (1001) (1010) (1011) (1100) (1101) (1110) (1111).
The irreducible polynomial used will be f(x) = x^4 + x + 1. The following are sample calculations.
Addition
(0110) + (0101) = (0011).
Multiplication
(1101) · (1001) = (x^3 + x^2 + 1)(x^3 + 1) mod f(x)
= x^6 + x^5 + 2x^3 + x^2 + 1 mod f(x)
= x^6 + x^5 + x^2 + 1 mod f(x)   (coefficients are reduced modulo 2)
= (x^4 + x + 1)(x^2 + x) + (x^3 + x^2 + x + 1) mod f(x)
= x^3 + x^2 + x + 1 = (1111).
[The long division of x^6 + x^5 + x^2 + 1 by x^4 + x + 1 gives quotient x^2 + x. Carried out over the integers the remainder would be -x^3 - x^2 - x + 1; reducing its coefficients modulo 2 gives x^3 + x^2 + x + 1.]
Exponentiation
To compute (0010)^5, first find (0010)^2 = (0010) · (0010) = x · x mod f(x) = x^2 = (0100); no reduction is needed because x^2 has degree less than 4. Then (0010)^4 = (0010)^2 · (0010)^2 = (0100) · (0100) = x^2 · x^2 mod f(x) = x^4 mod f(x). Since x^4 = (x^4 + x + 1) · 1 + (x + 1), this is x + 1 = (0011). Finally, (0010)^5 = (0010)^4 · (0010) = (0011) · (0010) = (x + 1) · x mod f(x) = x^2 + x mod f(x) = x^2 + x = (0110), again with no reduction needed because the degree is less than 4.
4.19 Multiplicative Inversion
The element g = (0010), that is g = x, is a generator for the field. Reading each vector as a binary number, the powers of g are:
g^0 = (0001) = 1
g^1 = (0010) = 2
g^2 = (0100) = 4
g^3 = (1000) = 8
g^4 = (0011) = 3   [x^4 = (x^4 + x + 1) + (x + 1), so x^4 mod f(x) = x + 1; as integers, 2^4 = 16 = (10000)_2 is reduced to (0011)]
g^5 = (0110) = 6
g^6 = (1100) = 12
g^7 = (1011) = 11
g^8 = (0101) = 5
g^9 = (1010) = 10
g^10 = (0111) = 7
g^11 = (1110) = 14
g^12 = (1111) = 15
g^13 = (1101) = 13
g^14 = (1001) = 9
g^15 = (0001) = 1
The 15 non-zero elements all appear before the sequence returns to g^15 = 1, which is what makes g a generator. The multiplicative identity for the field is g^0 = (0001). The multiplicative inverse of g^7 = (1011) is
g^((-7) mod 15) = g^8 = (0101)   [since 15 - 7 = 8].
To verify this, (1011) · (0101) = (x^3 + x + 1)(x^2 + 1) mod f(x) = x^5 + x^2 + x + 1 mod f(x) = (x^4 + x + 1) · x + 1 mod f(x) = 1 = (0001), which is the multiplicative identity.
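As an added example (not code from the original chapter), the following Python implements the F_2^m arithmetic of Sections 4.11 to 4.19 and reproduces the F_2^4 calculations above. Elements are Python ints used as bit vectors (bit i holds the coefficient of x^i, so (1101) is 0b1101) and the reduction polynomial f(x) = x^4 + x + 1 is 0b10011. The brute-force irreducibility test and the table-free inverse via a^(2^m - 2) go beyond the text; the function names are this example's own.

```python
# Added example (not from the original chapter): arithmetic in F_2^m using the
# polynomial representation of Sections 4.11 to 4.19, with ints as bit vectors.


def gf_add(a, b):
    """Addition, which is also subtraction: componentwise XOR (4.13, 4.14)."""
    return a ^ b


def gf_mul(a, b, f, m):
    """a * b reduced modulo the degree-m polynomial f (Section 4.15):
    shift-and-add, reducing by f whenever the degree reaches m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:        # coefficient of x^m is set: subtract (XOR) f
            a ^= f
    return r


def gf_pow(a, e, f, m):
    """Exponentiation (Section 4.16) by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a, f, m)
        a = gf_mul(a, a, f, m)
        e >>= 1
    return r


def poly_mod(a, g):
    """Remainder of polynomial a divided by polynomial g over F_2."""
    dg = g.bit_length() - 1
    while a and a.bit_length() - 1 >= dg:
        a ^= g << (a.bit_length() - 1 - dg)
    return a


def is_irreducible(f):
    """Brute-force test of the requirement in Section 4.11: f has no factor
    of degree 1..deg(f)//2. Only sensible for small m."""
    deg = f.bit_length() - 1
    return all(poly_mod(f, g) != 0 for g in range(2, 1 << (deg // 2 + 1)))


def power_table(g, f, m):
    """exp[i] = g^i and log[g^i] = i for i in 0..2^m-2 (Section 4.17).
    Raises if the powers of g repeat early, i.e. g is not a generator."""
    order = (1 << m) - 1
    exp, log = [0] * order, {}
    a = 1
    for i in range(order):
        if a in log:
            raise ValueError("g is not a generator")
        exp[i] = a
        log[a] = i
        a = gf_mul(a, g, f, m)
    return exp, log


def gf_inv_log(a, exp, log, m):
    """a^-1 = g^((-i) mod (2^m - 1)) where a = g^i (Section 4.17)."""
    return exp[(-log[a]) % ((1 << m) - 1)]


def gf_inv_fermat(a, f, m):
    """Table-free alternative: a^(2^m - 1) = 1, hence a^-1 = a^(2^m - 2)."""
    return gf_pow(a, (1 << m) - 2, f, m)


if __name__ == "__main__":
    F, M = 0b10011, 4                       # f(x) = x^4 + x + 1
    exp, log = power_table(0b0010, F, M)    # powers of g = x, as in 4.19
    print([format(v, "04b") for v in exp])
    print(format(gf_inv_log(0b1011, exp, log, M), "04b"))
```

The same code handles the fields actually used in practice (for instance m = 163 or 233 with the reduction polynomials of the relevant standards) once `f` and `m` are changed; only `is_irreducible` and `power_table` are toy-sized, since they enumerate polynomials or field elements.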
4.20 Use of Elliptic Curves
The crucial property of an elliptic curve is that we can define a rule for "adding" two points on the curve to obtain a third point which is also on the curve. This addition rule satisfies the usual properties of addition (it is associative and commutative, and every point has an inverse); the identity element is a special point, the point at infinity, which is counted as lying on the curve. The points, together with the addition law, form a finite abelian group.
Having defined addition of two points, we can also define multiplication k·P, where k is a positive integer and P is a point, as the sum of k copies of P. Thus
2·P = P + P
3·P = P + P + P
This is analogous to how powers are defined in ordinary arithmetic, where x^2 = x·x and x^3 = x·x·x.
Now we are in a position to do some cryptography!
Alice, Bob, Cathy, David, ... agree on a (non-secret) elliptic curve and a (non-secret) fixed curve point F. Alice chooses a secret random integer Ak as her private key and publishes the curve point AP = Ak·F as her public key. Bob, Cathy and David do the same:
Ak = secret key of Alice; AP = public key of Alice = Ak·F
Bk = secret key of Bob;   BP = public key of Bob = Bk·F
Now suppose Alice wishes to send a message to Bob. One method is for Alice to compute Ak·BP and use the result as the key of a conventional symmetric block cipher (DES in the classic description; in practice the x-coordinate of the shared point is passed through a key derivation function to produce the key for a modern cipher such as AES). Bob, who does not know Ak, computes Bk·AP instead and obtains the same point, because Ak·BP = Ak·(Bk·F) = Bk·(Ak·F) = Bk·AP.
The security of the scheme rests on the assumption that it is infeasible to recover the integer k from the points F and k·F (the elliptic curve discrete logarithm problem): an eavesdropper sees F, AP and BP but has neither Ak nor Bk.
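As an added example (not code from the original chapter), the following Python implements the point addition rule and scalar multiplication of Section 4.20 and then runs the key agreement between Alice and Bob. The curve y^2 = x^3 + x + 1 over F_23, the fixed point F = (3, 10) and the secrets Ak = 5 and Bk = 9 are assumptions made for this example only; scalar multiplication is done by double-and-add rather than by literally adding k copies, which is what makes the operation feasible for the large k used in practice. It needs Python 3.8 or later for `pow(x, -1, p)`.

```python
# Added example (not from the original chapter): the chord-and-tangent group
# law of Section 4.20 on the short Weierstrass curve y^2 = x^3 + A*x + B over
# F_p, scalar multiplication, and the Ak*BP = Bk*AP key agreement.
# A point is an (x, y) tuple; None stands for the point at infinity O, the
# identity of the group. Curve, base point and secrets are assumptions.

P_MOD, A, B = 23, 1, 1      # y^2 = x^3 + x + 1 over F_23 (toy curve)


def on_curve(pt):
    """True for O and for every (x, y) satisfying the curve equation mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def neg(pt):
    """-P is the reflection of P in the x-axis, so that P + (-P) = O."""
    return None if pt is None else (pt[0], (-pt[1]) % P_MOD)


def add(p1, p2):
    """Chord-and-tangent rule: the line through p1 and p2 (the tangent when
    p1 == p2) meets the curve in a third point; its reflection is p1 + p2."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                              # p2 == -p1: vertical line
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)          # chord slope
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def mul(k, pt):
    """k*P = P + ... + P (k copies), computed by double-and-add so the work is
    proportional to the bit length of k rather than to k itself."""
    r = None
    while k:
        if k & 1:
            r = add(r, pt)
        pt = add(pt, pt)
        k >>= 1
    return r


def ecdh(fixed_point, a_secret, b_secret):
    """Alice publishes AP = Ak*F, Bob publishes BP = Bk*F, and each multiplies
    the other's public point by their own secret. Returns (AP, BP, Alice's
    point, Bob's point); the last two agree because Ak*(Bk*F) = Bk*(Ak*F)."""
    ap = mul(a_secret, fixed_point)
    bp = mul(b_secret, fixed_point)
    return ap, bp, mul(a_secret, bp), mul(b_secret, ap)


if __name__ == "__main__":
    F = (3, 10)                                  # assumed fixed point
    assert on_curve(F)
    ap, bp, alice, bob = ecdh(F, 5, 9)           # assumed secrets Ak=5, Bk=9
    print("AP =", ap, "BP =", bp, "shared:", alice, "==", bob)
```

On this curve the base point (3, 10) has order 28, so `mul(28, F)` returns O and the secrets behave as integers modulo 28; with only 28 possible values an attacker can recover k from k·F by trial, which is exactly why real curves use primes of 256 bits and more.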