IMPLEMENTATION OF SIGNATURE SCHEME WITH PROJECTIVE COORDINATES ON ELLIPTIC CURVE CRYPTOSYSTEM

IMPLEMENTATION OF SIGNATURE SCHEME WITH PROJECTIVE

COORDINATES ON ELLIPTIC CURVE CRYPTOSYSTEM

P. Anuradha Kameswari, L. Praveen Kumar

Department of Mathematics, Andhra University, Visakhapatnam - 530003, Andhra Pradesh, India.

Department of Mathematics, Andhra University, Visakhapatnam - 530003, Andhra Pradesh, India.

ABSTRACT

In this paper we implement a signature scheme on cryptosystem with elliptic curves by using the formulas for the projective coordinates obtained by generalizing the ideas of Montgomery to Weierstrass equation of elliptic curves. This arithmetic with projective coordinates is more efficient and avoid many inversions in the computations. We also propose a fast computing method evaluating the coordinates.

KEYWORDS : Elliptic Curves, Projective Coordinates, Cryptosystem.

INTRODUCTION:

In 1985 Koblitz [1] [2] and Miller [3] independently made use of elliptic curves in cryptography. Later Koyama [4] and Demytko [5] also produced analogue of RSA with elliptic curves to overcome the vulnerabilities like homomorphic nature of RSA, however it was shown that even these non-homomorphic RSA type cryptosystems are not totally free from RSA attacks[6], and it was shown that they are susceptible to chosen message attacks.[7]

In [7] “A New and Optimal Chosen - message Attack on RSA-type Cryptosytems” by Daniel Bleichenbacher, Marc Joye and Jean-Jacques Quisquater, it is show that only one message is needed to mount the attack on Demykto’s system.

for projective coordinates on general Weierstrass equation of elliptic curves, [8][9][10] with these

formulas addition requires four additions, six multiplications and two squarings and doubling requires four additions, six multiplications and three squarings with no inversions. For any point

P on elliptic curve E(K) and for any integer k to compute the point addition kP it requires

only to calculate 2mP and (2m 1)P from mP and (m 1)P and we give a fast computation

method for kP generalizing the ideas given by P.Smith for Lucas sequences to elliptic curves.

2 POINT ADDITION WITH PROJECTIVE COORDINATES:

Let K be a field with Characteristic K  2,3 and consider the elliptic curve E(K) over K in

Weierstrass form E : y2 = x3 Ax  B and for any points P = (x₁,y₁) and

} { \ ) , (

= x₂ y₂ E 

Q  with x₁  x₂ the affine addition P  Q = (x₃, y₃) is given as:[11][12]

,

= 2 _{1 2}

3 m x x

x  

. =

where , ) (

=

1 2

1 2 1

3 1 3

x x

y y m y

x x m y

  



and for P = (x₁,y₁) E the affine addition 2P = (x,y) is given as:

, 2

= m2 x₁

x 

1 2 1 1

3 1

2 3 = where , ) (

=

y A x m y

x x m

y   

Now for any point P = (x,y) E , the projective coordinates are denoted as P = (X,Y,Z) for

Z X x = and

Z Y

y = .

Theorem 1: Let K be a field of characteristic not equal to 2,3 and E be the elliptic curve given

by the equation y2 = x3  Ax  B . If P = (x,y) then for any positive integer k , the projective

coordinates of kP are denoted as (X_k :Y_k :Z_k) and [X_k :Z_k] are given by recursion formulas as

If k = 2m 1,                 . ) ( = , ) ( ) ( 4 = 2 1 1 2 1 1 1 1 1 m m m m k m m m m m m m m m m k Z X Z X Z X Z Z AZ X X Z X Z X Z BZ X

If k = 2m,

       ). ( 4 = , 8 ) ( = 3 2 3 3 2 2 2 m m m m m k m m m m k BZ Z AX X Z Z Z BX AZ X X

Proof: For any point M = (x,y)on E : y2 = x3  Ax  Bwe have

. of s coordinate projective the ) , , ( for = ,

= X Y Z M

Z Y y Z X x . =

Therefore y2 x3  Ax  B

. = that implies Which 3 2 B Z X A Z X Z Y                     P m m E y x

P = ( , )on and any integer 0,we have for (2 1)

fixed a for ar

Inparticul  

                                                                  2 1 1 2 1 1 3 1 1 3 4 = m m m m m m m m m m m m Z X Z X Z X Z X Z X Z X B                                                                             1 1 2 3 1 1 1 1 3 3 1 1 3 4 m m m m m m m m m m m m m m m m Z X Z X A Z X Z X A Z X Z X A Z X Z X                                                              1 1 2 1 1 2 1 1 2 1 1 2 2 2 2 m m m m m m m m m m m m m m m m Z X Z X Z X Z X Z X Z X A Z X Z X A 2 1 1 2 1 1 2 1 1 1 1 4 = _                                             m m m m m m m m m m m m m m m m Z X Z X A Z X Z X Z X Z X Z X Z X B 4 1 1 2 1 1 2 1 1 1 1 1 2 1 2 4 =                                                 m m m m m m m m m m m m m m m m m m Z X Z X Z X Z X Z X A Z X Z X Z X Z X B Z X 2 1 1 1 2 1 1 1 1 1 1 4 =                                 m m m m m m m m m m m m m m m m m m Z Z Z X Z X Z X Z Z Z AZ X X Z Z Z X Z X B    

 2

1 1 2 1 1 1 1 1 4 = m m m m m m m m m m m m m m Z X Z X Z X Z AZ X X Z X Z X Z BZ            

X_2m1;Z_2m1=[4BZ _mZ_m1X_mZ_m1 X_m1Z_m  X_mX_m1 AZ_mZ_m12;

  ]

X_mZ_{m 1} X _{m 1}Z_m 2

Z X



 

                            m m m m m m k k Z X Z Y A Z X Z X m k 2 4 3 = , 2 = For 2 2 2                                            B Z X A Z X Z X B Z X A A Z X m m m m m m m m m m 3 2 2 4 4 8 2 =                                             B Z X A Z X Z X B A Z X m m m m m m m m 3 2 2 4 8 =









                        B Z X A Z X Z Z BX AZ X m m m m m m m m m 3 4 3 2 2 2 4 8 =







3 2 3



3 2 2 2 4 8 = m m m m m m m m m BZ Z AX X Z Z BX AZ X    

 





2 2



2 3



3 2 3





2

2m;Z m = Xm AZm 8BX mZm;4Zm Xm AX mZm BZm

X    

Remark 1: The formulas for computation of [X_k :Z_k] in kP depend only on [X₁:Z₁] for

) , (

= x y

P and X₁ = x,Z₁ =1; i.e., the formulas are polynomials in x(P) and

Theorem 2: Let  be a field of characteristic not equal to 2, 3 and let E be the elliptic curve

given by the equation E(): y2 = x3  Ax  B and also P = (x_m,y_m) and

} { \ ) ( ) , (

= x ₁ y ₁ E  

Q _{m m}  with P  Q . Given the point P Q = (x,y), if y  0 then the y

-coordinate of P satisfies





. 2

) (

) )(

( 2 = = ) (

2 1

y

x x x x x x x A B y

P

y _m    m  m  m  m

Proof: Define D = PQ = (x,y).

. =

wehave ), , ( = =

Since

2

1 1

1 x x

x x

y y x

y x D P

Q _m

m m m

m

m   

  

  

 

 _{  }

) )(

( ) (

= ) (

Then x_m₁ x_m  x 2 y_m  y 2  x_m  x x_m  x 2

) (

2

= y_m2  y2  y_my  x_m3  x3 x_m2x x2x_m

B x x x x A y

y_m ( _m )( _m ) 2

2

=    

B x x x x A x x x y

y_m = _m ( _m ) ( _m )( _m ) 2

2 _1  2    

y

x x x x x x x A B

y_m m m m m

2

) ( )

)( (

2 =

2

1 

  



 _





. 2

) (

) )(

( 2 = Therefore

2 1

y

x x x x x x x A B

y_m    m m   m m 

FAST COMPUTATION METHOD FOR X e AND Ze :

We describe the fast computation method to compute X e and Ze suggested by P. Smith for

ambiguity of adding or doubling at each stage right from [X₁:Z₁] by using the above recursive

formulas.

For any integer e, we have the binary expression given as

0 = 1, = , 2

= ₀

0 =

i i

t

i t

t

x x x

e   or 1, for i  0.

Let k i

i k

i

k x

e =  2 

0 =

, for 0  k t, then e_t = e,e₀ =1.

Theorem 3:

  

 _

 

1. = if 1 2

0 = if 2

=

1 1 1

k k

k k

k

x e

x e

e

Proof: We have = 2 1 1

0 = 1

i k i k

i

k x

e 



 

1 1 1

0 =

2 2

2

=  _i ki  _k k k k

i

x x

1 0

= 2 2

=  _i ki  _k

k

i

x x

= 2e_k  x_k1.

  

 _

 

1. = if 1 2

0 = if 2

= Therefore

1 1 1

k k

k k

k

x e

x e

e

Remark 2:

  

  

  

1. = if 1) 2(

0 = if 1 2 = 1

1 1 1

k k

k k

k

x e

x e

e

  

1= 2 1 if  = 0

k k 1

x e

Remark 3: [X_e:Z_e] are computed by evaluating [ : ]

k e k

e Z

X for k = 0,1,..., t by using recursive

formulas for [ _{2 1}: _{2 1}]

k e k

e Z

X and [ ₂ : ₂ ]

k e k

e Z

X .

Remark 4: For any point M E(_n) where n = pq , we have the point

) mod , mod (

= M p M q

M as E( _pq) E( _p) E(_q) and we have the formulas in Theorems

1 and 3 are valid for M on E( _pq) . [1][4][11]

Notation: For any point M  E(_n) we write as M = (M _x,M _y) and for any integer k , X_k

the point kM is written as kM = (M _k,x,M _k,y) .

4 SIGNATURE SCHEME ON CRYPTOSYSTEM WITH ELLIPTIC CURVES:

Let message be a point M = (M _x,M _y) on an elliptic curve E(_n):y2 = x3  Ax  B mod n , where

pq

n = and let #E(_n) = N_n, (e,N_n)=1 with d such that ed 1mod N_n and (M ,n,e) is public.

The aim of cryptanalyst is to obtain signature dM = (M _d,x,M _d,y).

The cryptanalyst adapts the following steps in the signature scheme :

Let k be an integer such that (k,e)=1 and (k,N_n) =1, then there exist r,s such that kr es =1.

Let M = kM = k(M _x,M _y) = (M _k,x,M _k,y) and M may be evaluated using point addition with

projective coordinates.

Obtain the signature on M  as follows:

dM  = (M d,x,M d,y)mo d n and let C = dM mod n;

Evaluate the point rC and sM using the point addition with projective coordinates.

The cryptanalyst obtains dM as follows:

We have

1 = es kr 

d eds

n N d

s

krd   mod

. integer some

for )

(

= krd s N t t

d   _n

] ) [(

= addition

point the

Therefore dM krd  s  N_nt M

= (k r d s)M

= krdM sM

= r(dM )sM .

= rC sM _.

Using step 4 point dM is obtained by affine addition of rCsM .

Example: Let n = pq =143 and M = (1,122) be a point on Elliptic curve

143 mod 8 3 = : )

( ₁₄₃ y2 x3  x 

E  and for N_n =# E(₁₄₃)=144 , take e = 5, as (5,144) =1.

Then we have (M ,n,e) , the public key and d the secrete exponent such that

n N

ed 1mod .

The cryptanalyst obtain the signature dM as follows:

Let k = 7 be an integer such that (k,e) = (7,5) =1, then there exist integers r = 2,s = 3

such that kr es =1.

Consider M = kM = 7M and M is evaluated by using point addition with projective

coordinates as follows:

0 1 2

2 1 2 1 2 1 = 7

    

1; = 1, =

0

0 e

e Z

X

83, = 8

) (

= 3

0 0 2

2 0 2

0 0

2e Xe AZe BX e Ze

X  

48; = ) (

4

= 3 2 3

2e Ze Xe AX e Ze BZe



 



2 1 0 0 1 0 0 0

1 0 1 0 0 1 0 0 1

0 2 1

4 =

= _{e }  _{e e  e e }  _{e  e}  _{e e }  _{e e }

e X BZ Z X Z X Z X X AZ Z

X

131 =





= 81.

=

= 2

0 1 0 1 0 0 1

0 2

1 e e e e e

e X Z X Z

Z X Z

Z _{ }  _





8 =131.

=

= 3 ₁

0 1 0 2

2 1 0 2

1 0 1) 0 2( 1

1     



 _{e e e}

e e

e X X AZ BX Z

X





= 64.

4 =

= 3 ₁

0 2

1 0 1 0 3

1 0 1 0 1)

0 2( 1

1      



 _{e e e}

e e e

e Z Z X AX Z BZ

Z



 



2

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

1 2 2

4 =

= _{e }  _{e e  e e}  _{e  e}  _{e e }  _{e e }

e X BZ Z X Z X Z X X AZ Z

X

58. =





= 3.

=

= 2

1 1 1 1 1 1 1

1 2

2 e e e e e

e X Z X Z

Z X Z

Z _{ }  _

143. mod 67 = 3 58 = = ) (7 Therefore

2 2

e e

Z X M x

: follows as ) (7

Torecover y M





8 = 79.

=

= 3

1 1 2

2 1 2

1 1 2 1

2 e e e e e

e X X AZ BX Z

X _  





=16.

4 =

= 3

1 2

1 1 3

1 1 1

2 1

2 e e e e e e

e Z Z X AX Z BZ

Z _  

143. mod 139 = 16 79 = =

) (6

1 2

1 2

 

e e

Z X M x

139. = ) (6 = and

67 = ) (7 = 1, = ) ( =

Forx x M x_m x M x_m₁ x M



2 (  )(  ) (  )2



T h e r e f o r eM = 7M = ( 6 7 ,2 3 )= ( 6 7 , 1 2 0 ) .

Cryptanalyst obtain the signature on M  as

(129,37). = ) , ( =

= dM M _d,x M _d,y

C   

Now the cryptanalyst computes rC,sM  as follows:

2(129,37).

= 



C r

1. = and 129 =

0

0 e

e Z

X





8 =107.

=

= 3

0 0 2

2 0 2

0 0 2

1 e e e e e

e X X aZ bX Z

X  





= 42.

4 =

= 3

0 2

0 0 3

0 0 0

2

1 e e e e e e

e Z Z X aX Z bZ

Z  

40. = 42 107 = =

1 1

e e

Z X x

have we 1, = and 1 = 40, =

For x_m x x_m1





47. = 2

) ( )

)( (

2 =

2 1

y

x x x x x x x A B

y_m    m m   m m 

(40,47). =

Therefore rC

3(1,122). =

3

= M

sM

1. = 1, =

0

0 e

e Z

X





8 = 83.

=

= 3

0 0 2

2 0 2

0 0 2 1

0 e e e e e

e X X aZ bX Z

X _  





= 48.

4 =

= 3

0 2

0 0 3

0 0 0

2 1

0 e e e e e e

e Z Z X aX Z bZ

Z _  



 



2

4 =

= X bZ Z X Z X Z X X aZ Z

131. =





= 81.

=

= ₁ 2

0 0 0 1 0 1

0 2

1   

 _{e e}

e e e

e X Z X Z

Z X Z

Z

143. mod 74 = 81 131 = =

1 1

e e

Z X x

have we 106, = 48 83 = and

1 = 74, =

For x_m x x_m1





59. = 2

) ( )

)( (

2 =

2 1

y

x x x x x x x A B

y_m    m m   m m 

(74,59). =

Therefore sM

The cryptanalyst obtain dM = rCsM as follows:

By using point addition with affine coordinates,

rC sM = (40,47) (74,59) = ( 4 1 , 6 2 ).

Therefore the cryptanalyst retrieve the signature as (41,62) .

CONCLUSION:

In the signature scheme on Cryptosystem with elliptic curves implemented by point addition with

projective coordinates for P = (x,y) with projective coordinates (X₁,Y₁,Z₁) it requires only four

additions, six multiplications and two squarings with no inversions in the computations of

] :

[X _k Z_k at each consecutive addition leading to the projective coordinates (X_k :Y_k :Z_k) and the

k k

Z X kP

x( ) = is obtained with one inversion and the corresponding y-coordinate is recovered with

leads to the computation of [X _k :Z_k] with no ambiguity of adding or doubling at each stage right

from [X₁:Z₁] by using the recursive formulas.

REFERENCES:

Journal Papers:

1. Neal Koblitz “ Elliptic Curve Cryptosystems" Mathematics of Computation, 48: 203-209, 1987.

Books:

2. Neal Koblitz “A course in number theory and cryptography ISBN 3-578071-8,SPIN 10893308 ".

Chapters in Books:

3. V.S. Miller “ Use of Elliptic Curves in Cryptography". In H.C. Williams, editor Advances in Cryptology - CRYPTO 85, Volume 218 of Lecture notes in Computer Science, 417-426, Springer-Verlag, 1986.

4. K. Koyama, U.M. Maurer, T. Okamoto and S.A. Vanstone “ New public-key Schemes based on elliptic curves over the ring n.’’ In J. Feigenbaum, editor

Advances in Cryptology - CRYPTO 91, Volume 576 of Lecture notes in Computer Science, 252-266, Springer-Verlag, 1991.

5. N. Demytko “ A new elliptic curve based analogue of RSA". In T. Helleseth, editor Advances in Cryptology - EUROCRYPTO 93, Volume 765 of Lecture notes in Computer Science, 40-49, Springer-Verlag, 1994.

Books:

6. J. Buchmann“Introduction to cryptography" , Springer-Verlag 2001.

Chapters in Books:

(ICICS’97), vol.1334 of Lecture Notes in Computer Science, pp.302-313, Springer-Verlag, 1997.

Books:

8. J. H. Silverman. The Arithmetic of Elliptic Curves, volume 106 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1986.

Journals:

9. J. H. Silverman. Elliptic curves and cryptography. In Public-Key Cryptography, volume 62 of Proc. Sympos. Appl. Math., pages 91-112. Amer. Math. Soc.,

Providence, RI, 2005.

Books:

10. J. H. Silverman and J. Tate. Rational Points on Elliptic Curves. Undergraduate Texts in Mathematics. Springer-Verlag, New York, 1992.

11. Lawrence C. Washington “Elliptic Curves Number Theory and Cryptography" 2nd edition, CRC press.

12. Jeffery Hoftstein, Jill Pipher, Joseph H. Silverman, “ An Introduction to

Mathematical Cryptography", Springer.

Jornals:

13. P.Smith, “LUC Public-key encryption”, Dr. Dobb’s Journal(Jan 1993), 44-49.