
Software Implementation of Elliptic Curve Encryption over Binary Field*

ZHANG Xianfeng, QIN Zhiguang, ZHOU Shijie, LIU Jinde
(School of Computer Science and Engineering, UESTC, Chengdu 610054, China)

Abstract: The mathematical theory of elliptic curve encryption based on an optimal normal basis (ONB) over $F_{2^m}$ is introduced. An elliptic curve cryptography (ECC) based encryption scheme is then analyzed and designed, and the Diffie-Hellman key exchange mechanism on which it rests is described in detail for further applications. On these theoretical foundations, encryption software based on ECC is developed and an application is presented. The software is characterized by excellent security as well as high efficiency.

Key words: network security; elliptic curve cryptography (ECC); encryption software; binary field

Received 2003-03-11

* Supported by National 863 Plan Project (No. 2002AA142040)

Currently, elliptic curve cryptography (ECC) is regarded as an attractive cryptosystem that can provide greater strength, higher speed and smaller keys than other public-key systems [1~6]. A vast amount of research has been done on its secure and efficient implementation. ECC has received increasing commercial acceptance and has been adopted by accredited standards organizations such as ANSI (American National Standards Institute), IEEE (Institute of Electrical and Electronics Engineers), ISO (International Organization for Standardization) and NIST (National Institute of Standards and Technology).

In practical applications of ECC, the elliptic curve group is usually defined over an underlying field $F_p$ ($p$ a prime) or $F_{2^m}$. Elements of $F_{2^m}$ can be represented either in a polynomial basis or in a normal basis. Although the description of $F_{2^m}$ is more involved, the field is extremely useful because its arithmetic can be implemented efficiently in hardware [7]. In a normal basis representation of $F_{2^m}$, squaring an element is a cyclic shift and therefore very cheap; multiplying distinct elements, on the other hand, is cumbersome in general. For this reason it is common to specialize to a class of normal bases, the Gaussian normal bases, for which multiplication is both simpler and more efficient. Gaussian normal bases for $F_{2^m}$ exist whenever $m$ is not divisible by 8. They include the optimal normal bases (ONB), which have the most efficient multiplication possible in a normal basis [8, 9].

In 1999, Tatsuaki Okamoto, Eiichiro Fujisaki and Hikaru Morita described a provably secure elliptic curve encryption scheme (PSEC) built from the elliptic curve ElGamal trapdoor function, a random function (hash function) and a symmetric-key encryption [10]. In 2000, a study of the software implementation on workstations of the NIST-recommended elliptic curves over binary fields was presented [11]. In 2001, M. Brown, D. Hankerson and J. Lopez presented an extensive study of the software implementation on workstations of the NIST-recommended elliptic curves over prime fields [12].

In this paper, we design and implement complete elliptic curve encryption software based on the ONB representation of $F_{2^m}$ and the Diffie-Hellman key agreement scheme. It is designed to be both semantically secure and plaintext-aware in the presence of an adversary capable of launching chosen-plaintext and chosen-ciphertext attacks. The test results show that our encryption software is comparable with the schemes presented in Refs. [10~12].

1 ONB Representation and Arithmetic Rules over the Field $F_{2^m}$

1.1 ONB representation

Every finite field $F_{2^m}$ has a normal basis, but not every $F_{2^m}$ has an ONB, and when an ONB exists it is of one of only two types (type 1 or type 2). If $m > 1$ is not divisible by 8, the following algorithm tests for the existence of an ONB of a given type for $F_{2^m}$ [8].

Input: an integer $m > 1$ not divisible by 8; a positive integer $T = 1$ or $2$.
Output: if a type $T$ ONB for $F_{2^m}$ exists, the message "True", otherwise "False".
1) Set $p = Tm + 1$.
2) If $p$ is not prime, output "False" and stop.
3) Compute the order $k$ of 2 modulo $p$, i.e. the smallest positive integer $k$ with $2^k \equiv 1 \pmod p$.
4) Set $h = Tm / k$.
5) Compute $d = \gcd(h, m)$, the greatest common divisor of $h$ and $m$.
6) If $d = 1$ output "True"; otherwise output "False".

If $F_{2^m}$ has a type 1 ONB, the field polynomial is
$$p(t) = t^m + t^{m-1} + \dots + t^2 + t + 1 .$$
If $F_{2^m}$ has a type 2 ONB, the field polynomial is $p(t) = p_m(t)$, computed by the recursion
$$p_0(t) = 1,\qquad p_1(t) = t + 1,\qquad p_{i+1}(t) = t\,p_i(t) + p_{i-1}(t)\quad (i = 1, 2, \dots, m-1).$$
At each stage the coefficients of the polynomials are reduced modulo 2; hence $p_i(t)$ is a polynomial of degree $i$ with coefficients in $F_2$.

1.2 Arithmetic rules based on the ONB of $F_{2^m}$

Let the ONB of $F_{2^m}$ be $\{t, t^2, t^{2^2}, \dots, t^{2^{m-1}}\}$ ($t \in F_{2^m}$), and let the field elements $a = (a_0 a_1 \dots a_{m-1})$ and $b = (b_0 b_1 \dots b_{m-1})$ be given as bit vectors ($a_i, b_i \in \{0, 1\}$). The ONB representation then means
$$a = \sum_{i=0}^{m-1} a_i\, t^{2^i},\qquad b = \sum_{i=0}^{m-1} b_i\, t^{2^i} .$$

1.2.1 Addition and Subtraction

The sum of the elements $a$ and $b$ over $F_{2^m}$ is defined as $a + b = (c_0, c_1, \dots, c_{m-1})$ with $c_i = (a_i + b_i) \bmod 2$, i.e. the bitwise exclusive-or of the two vectors. The difference $a - b$ is computed as $a + (-b)$, where $-b$ is the additive inverse of $b$; since $-b = (2 - b_0, 2 - b_1, \dots, 2 - b_{m-1}) \bmod 2 = b$, subtraction is the same operation as addition.

1.2.2 Squaring and Square Root

For a field element $a = \sum_{i=0}^{m-1} a_i t^{2^i}$, squaring and the calculation of the square root are linear operations in $F_{2^m}$, as follows:
$$a^2 = \Big(\sum_{i=0}^{m-1} a_i t^{2^i}\Big)^2 = \sum_{i=0}^{m-1} a_i t^{2^{i+1}} = \sum_{i=0}^{m-1} a_{(i-1) \bmod m}\, t^{2^i} = (a_{m-1}\, a_0\, a_1 \dots a_{m-2}),$$
$$a^{1/2} = \Big(\sum_{i=0}^{m-1} a_i t^{2^i}\Big)^{1/2} = \sum_{i=0}^{m-1} a_i t^{2^{i-1}} = \sum_{i=0}^{m-1} a_{(i+1) \bmod m}\, t^{2^i} = (a_1\, a_2 \dots a_{m-1}\, a_0).$$

Hence squaring or taking the square root of a finite field element is a single cyclic rotation of its vector representation (in the two opposite directions).

1.2.3 Multiplication and Division

When the elements of $F_{2^m}$ are represented in the ONB, the multiplication rule for two elements is the one given in Ref. [12]. Division is the inverse of multiplication: $a / b$ is computed as $a \times b^{-1}$, where $b^{-1}$ is the multiplicative inverse of $b$, computed as described next.

1.2.4 Multiplicative Inverse

Because the elements of $F_{2^m}$ can also be written as polynomials over $F_2$, the multiplicative inverse can be computed with the Extended Euclidean Algorithm. In the ONB, however, a simpler route exists: the bit string of $a^{2^m}$ is the bit string $(a_0 a_1 \dots a_{m-1})$ circularly shifted $m$ times, i.e. $a^{2^m} = a$, so $a^{-1} = a^{2^m - 2}$. Since $2^m - 2 = 2^{m-1} + 2^{m-2} + \dots + 2$,
$$a^{-1} = a^{2^m - 2} = a^{2^{m-1}} \cdot a^{2^{m-2}} \cdots a^{2^2} \cdot a^2 ,$$
so $a^{-1}$ is obtained with $m - 1$ squarings (each a single rotation) and $m - 2$ multiplications.
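As an added, runnable illustration of Sections 1.1 and 1.2 (this code is not from the paper; the names ONB, onb_exists, field_polynomial and self_check are ours), the following Python implements the ONB existence test, the field-polynomial recursion, and ONB arithmetic: addition, squaring and square root as rotations, multiplication by the Gaussian normal basis rule of IEEE P1363 [8] (assumed here, since the paper only cites the rule), inversion by m-1 squarings, and the solution of z^2 + z = c by the bit recursion later used in Section 2.2.3. The exhaustive self-check over F_{2^4} (type 1) and F_{2^5} (type 2) confirms the identities of Section 1.2. Note that the test returns False for both types at m = 163, the field chosen in Section 3.1, because 164 = 4·41 and 327 = 3·109 are composite; the standards specify a type 4 Gaussian normal basis, not an ONB, for that field.

```python
from itertools import product
from math import gcd


def is_prime(n):
    """Trial division; p = Tm + 1 is at most a few thousand here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def onb_exists(m, T):
    """The Section 1.1 test for a type T (1 or 2) optimal normal basis of F_{2^m}."""
    if m <= 1 or m % 8 == 0 or T not in (1, 2):
        raise ValueError("need m > 1 with 8 not dividing m, and T in {1, 2}")
    p = T * m + 1
    if not is_prime(p):
        return False
    k, x = 1, 2                              # k = order of 2 modulo p
    while x != 1:
        x, k = (2 * x) % p, k + 1
    h = T * m // k
    return gcd(h, m) == 1


def field_polynomial(m, T):
    """Field polynomial of Section 1.1 as a bit list indexed by degree."""
    if T == 1:
        return [1] * (m + 1)                 # t^m + t^(m-1) + ... + t + 1
    prev, cur = [1], [1, 1]                  # p_0 = 1, p_1 = t + 1
    for _ in range(1, m):                    # p_(i+1) = t p_i + p_(i-1), coefficients mod 2
        nxt = [0] + cur
        for i, c in enumerate(prev):
            nxt[i] ^= c
        prev, cur = cur, nxt
    return cur


class ONB:
    """F_{2^m} in an ONB {t, t^2, ..., t^(2^(m-1))}; an element is a tuple (a_0..a_(m-1))
    meaning sum a_i t^(2^i).  Multiplication uses the IEEE P1363 Gaussian normal basis
    rule with u = 1 (type 1) or u = -1 (type 2) as the element of order T modulo p."""

    def __init__(self, m, T):
        if not onb_exists(m, T):
            raise ValueError("no type %d ONB for m = %d" % (T, m))
        self.m, self.T, self.p = m, T, T * m + 1
        u = 1 if T == 1 else self.p - 1
        self.F = {}                          # F(2^i u^j mod p) = i
        for i in range(m):
            for j in range(T):
                self.F[pow(2, i, self.p) * pow(u, j, self.p) % self.p] = i
        assert len(self.F) == self.p - 1     # every residue 1..p-1 hit exactly once
        self.one = (1,) * m                  # 1 = t + t^2 + ... + t^(2^(m-1))

    def add(self, a, b):
        return tuple(x ^ y for x, y in zip(a, b))

    def square(self, a):                     # Section 1.2.2: squaring = right rotation
        return a[-1:] + a[:-1]

    def sqrt(self, a):                       # square root = left rotation
        return a[1:] + a[:1]

    def _c0(self, a, b):
        """Coefficient of t in a*b; the others follow by rotating a and b."""
        m, p, F = self.m, self.p, self.F
        s = 0
        if self.T % 2:                       # type 1: 2^(m/2) = -1 mod p, so t^(2^i) t^(2^(i+m/2)) = 1
            for i in range(m // 2):
                s ^= (a[i] & b[i + m // 2]) ^ (a[i + m // 2] & b[i])
        for k in range(1, p - 1):            # all pairs t^x t^y with x + y = 1 (mod p)
            s ^= a[F[k + 1]] & b[F[p - k]]
        return s

    def mul(self, a, b):
        return tuple(self._c0(a[i:] + a[:i], b[i:] + b[:i]) for i in range(self.m))

    def inverse(self, a):
        """Section 1.2.4: a^-1 = a^2 a^4 ... a^(2^(m-1)): m-1 rotations, m-2 multiplications."""
        if not any(a):
            raise ZeroDivisionError
        t = r = self.square(a)
        for _ in range(self.m - 2):
            t = self.square(t)
            r = self.mul(r, t)
        return r

    def solve_quadratic(self, c):
        """Solve z^2 + z = c (Section 2.2.3).  As z^2 is a rotation, z_(j-1) = z_j + c_j for
        all j (indices mod m): fix z_0 = 0 and propagate.  Solvable iff Tr(c) = sum(c) = 0."""
        if sum(c) % 2:
            return None
        z = [0] * self.m
        for j in range(0, -self.m, -1):      # j = 0, m-1, m-2, ..., 1
            z[(j - 1) % self.m] = z[j % self.m] ^ c[j % self.m]
        return tuple(z)


def self_check(m, T):
    """Exhaustively verify the Section 1.2 identities over the whole field."""
    K = ONB(m, T)
    for a in product((0, 1), repeat=m):
        if K.mul(a, K.one) != a or K.mul(a, a) != K.square(a) or K.sqrt(K.square(a)) != a:
            return False
        if any(a) and K.mul(a, K.inverse(a)) != K.one:
            return False
        c = K.add(K.square(a), a)            # every trace-zero c arises as a^2 + a
        z = K.solve_quadratic(c)
        if z is None or K.add(K.square(z), z) != c:
            return False
    return True
```

The self-check is the test a practitioner should keep: the multiplication table of a normal basis is easy to get subtly wrong, and a^2 computed by mul must equal the rotation for every a before the code is trusted on a large m.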

2 The Elliptic Curves and Point Operations

2.1 The Elliptic Curves over the Field $F_{2^m}$

According to the Standard Specifications for Public Key Cryptography [8], an elliptic curve over $F_{2^m}$ can be specified by the septuple $T = (m, f(x), a, b, G, n, h)$, consisting of an integer $m$ specifying the finite field $F_{2^m}$; an irreducible binary polynomial $f(x)$ of degree $m$ specifying the representation of $F_{2^m}$; two elements $a, b \in F_{2^m}$ specifying the elliptic curve $E(F_{2^m})$ defined by the equation
$$y^2 + xy = x^3 + ax^2 + b \quad \text{in } F_{2^m} ;$$
a base point $G = (x_G, y_G)$ on $E(F_{2^m})$; a prime $n$ which is the order of $G$; and an integer $h$, the cofactor $h = \#E(F_{2^m}) / n$, where $\#E(F_{2^m})$ is the number of points on $E(F_{2^m})$.

The elliptic curve $E(F_{2^m})$ consists of the set of points $P = (x, y)$ ($x, y \in F_{2^m}$) satisfying the equation. All these points together with the point at infinity, denoted by $O$, form an Abelian group (the elliptic curve group). The coordinates of all points on the curve are expressed in the representation of $F_{2^m}$ fixed by an irreducible polynomial or a normal basis of degree $m$.

The desired security level is controlled by $m$. In practice, requirements on security and efficiency determine the selection of $m$; usually $m$ is selected from the set {113, 131, 163, 193, 233, 239, 283, 409, 571} [8].

2.2 Point Operations on $E(F_{2^m})$

2.2.1 Point Addition and Subtraction

Let $P = (x_P, y_P) \in E(F_{2^m})$. Then $-P = (x_P, x_P + y_P)$ is the inverse of $P$. For every $P \in E(F_{2^m})$, $P + (-P) = O$ and $P + O = O + P = P$. Let $Q = (x_Q, y_Q) \in E(F_{2^m})$ with $Q \ne -P$, and let $P + Q = R = (x_R, y_R)$.

If $P = Q$ (doubling) and $x_P \ne 0$, then
$$x_R = x_P^2 + \frac{b}{x_P^2},\qquad y_R = x_P^2 + \Big(x_P + \frac{y_P}{x_P}\Big) x_R + x_R .$$
(If $x_P = 0$ then $P = -P$ and $2P = O$.)

If $P \ne Q$ (addition), so that $x_P \ne x_Q$, then
$$x_R = \Big(\frac{y_P + y_Q}{x_P + x_Q}\Big)^2 + \frac{y_P + y_Q}{x_P + x_Q} + x_P + x_Q + a,\qquad y_R = \frac{y_P + y_Q}{x_P + x_Q}\,(x_P + x_R) + x_R + y_P .$$

The subtraction of $P$ and $Q$ over $F_{2^m}$ is computed as $P - Q = P + (-Q)$.

2.2.2 Scalar Multiplication

Let $P \in E(F_{2^m})$ be a point of order $n$ ($nP = O$). The scalar multiplication of $P$ is $Q = kP$, where $Q \in E(F_{2^m})$ and $1 \le k \le n$.

By the definition of point addition, $kP$ could be computed by adding $P$ to itself $k$ times, but it is far cheaper to use the binary expansion of $k$. Write $k = \sum_{i=0}^{h-1} k_i 2^i$ with $k_i \in \{0, 1\}$ and $h$ the bit length of $k$ (so $h \le \lceil \log_2 n \rceil$). Then $kP$ can be computed as
$$kP = \sum_{i=0}^{h-1} k_i 2^i P = 2\Big(2\big(\cdots 2\big(2(k_{h-1}P) + k_{h-2}P\big) + \cdots + k_2 P\big) + k_1 P\Big) + k_0 P .$$
This approach requires $h - 1$ doublings and $w_k - 1$ additions, where $w_k$ is the number of ones in the binary representation of $k$.

2.2.3 Finding a Point on an Elliptic Curve

The base point and the public keys in ECC are all points on $E(F_{2^m})$, whose $x$-coordinates and $y$-coordinates are elements of the field $F_{2^m}$. To generate such a point, a common approach is to fix a field element as the $x$-coordinate first; the corresponding $y$-coordinate can then be computed from the equation of $E(F_{2^m})$. For $E(F_{2^m}): y^2 + xy = x^3 + ax^2 + b$, the $y$-coordinate can be computed by the following steps [5].

1) Pick $x \in F_{2^m}$, $x \ne 0$, and evaluate the polynomial on the right-hand side: set $c = x^3 + ax^2 + b$.

2) Solve the equation $y^2 + xy = c$, i.e. $y^2 + xy + c = 0$, for $y$.

3) Substitute $y = xz$. The equation becomes $x^2 z^2 + x^2 z + c = 0$, i.e. $z^2 + z + c/x^2 = 0$, which in $F_{2^m}$ is equivalent to
$$z^2 = z + \frac{c}{x^2} .$$

4) Write $z = (z_0\, z_1 \dots z_{m-1})$ and $k = c/x^2 = (k_0\, k_1 \dots k_{m-1})$ in the ONB. Since squaring is a cyclic rotation (Section 1.2.2), $z^2 = (z_{m-1}\, z_0\, z_1 \dots z_{m-2})$, and the equation $z^2 = z + k$ reads, bit by bit,
$$(z_{m-1}\, z_0\, z_1 \dots z_{m-2}) = (z_0\, z_1 \dots z_{m-1}) + (k_0\, k_1 \dots k_{m-1}),\qquad \text{i.e.}\quad z_{j-1} = z_j + k_j\ \ (j = 0, 1, \dots, m-1,\ \text{indices mod } m).$$
Therefore, once one bit of $z$ is fixed (say $z_0$; either choice gives one of the two roots $z$ and $z + 1$), the other bits are determined one after another by this relation. A solution exists only if the relation closes consistently around the cycle, which is the case exactly when $k_0 + k_1 + \dots + k_{m-1} = 0$ (i.e. $\mathrm{Tr}(k) = 0$). Finally $y = xz$ is computed. (For $x = 0$ the equation is simply $y^2 = b$, and $y = b^{1/2}$ is one rotation.)

Of course, a random field element of $F_{2^m}$ may not be the $x$-coordinate of a point on $E(F_{2^m})$. In that case we increase the field element by 1 (as a bit string) and check whether the new element is the $x$-coordinate of a point on $E(F_{2^m})$; the procedure is repeated until a suitable element is found.

3 Analysis and Design

3.1 Choosing the Elliptic Curve

To obtain the desired security level, the parameter $m$ should be about 160. All the binary fields $F_{2^m}$ recommended in Ref. [8] have the property that $m$ is prime, which resists recent attacks on elliptic curves defined over $F_{2^m}$ with composite $m$. According to the Standard Specifications for Public Key Cryptography, we choose $m = 163$ for $F_{2^m}$; $m = 163$ provides excellent security and high efficiency as well. We select the elliptic curve equation $y^2 + xy = x^3 + ax^2 + b$ in $F_{2^m}$ by generating the coefficients $a$ and $b$ randomly. However, to avoid supersingular and anomalous elliptic curves, which have known security weaknesses, we must also check the curve we generate. A method for checking a generated elliptic curve is given in Ref. [8]. Note that the test of Section 1.1 finds no type 1 or type 2 ONB for $m = 163$ (164 and 327 are both composite); the standard lists a type 4 Gaussian normal basis for $F_{2^{163}}$, so the arithmetic of Section 1 has to be carried over to that basis, or a polynomial basis has to be used, for this field.

3.2 Key Exchange Protocol Based on ECC

To establish a shared key between two parties efficiently, the Diffie-Hellman key exchange protocol based on ECC is selected [13]. We assume that the underlying field $F_{2^m}$ and the elliptic curve $E(F_{2^m}): y^2 + xy = x^3 + ax^2 + b$ have been selected, and that the base point $G$ has been set up, whose order is $n$ ($n$ a prime). We also assume that the communicating parties are C and S. C's public-private key pair is $(Q_C, d_C)$ and S's key pair is $(Q_S, d_S)$. At the end of the protocol, the communicating parties end up with the same value $K$, which is a point on the curve. A part of $K$ (such as the $x$-coordinate of $K$) can be used as the secret key of a symmetric-key encryption algorithm. The Diffie-Hellman protocol based on ECC is illustrated in Tab. 1.

Tab. 1 The Diffie-Hellman protocol based on ECC

  User C                            User S
  Choose $d_C \in [2, n-2]$         Choose $d_S \in [2, n-2]$
  $Q_C = d_C \times G$              $Q_S = d_S \times G$
  Send $Q_C$; receive $Q_S$         Send $Q_S$; receive $Q_C$
  $K = d_C \times Q_S$              $K = d_S \times Q_C$

If an attacker can only obtain the public keys $Q_C$, $Q_S$ and the base point $G$, he cannot compromise the point $K$: doing so is equivalent to recovering the private key $d_C$ or $d_S$ from $Q_C$, $Q_S$ and $G$, which is an elliptic curve discrete logarithm problem (ECDLP). Tab. 1 by itself does not authenticate $Q_C$ and $Q_S$, however; in a deployment the public keys must be bound to the parties (for example by certificates), otherwise an active attacker can substitute his own public keys and negotiate a separate $K$ with each side.

3.3 The Encryption Scheme

Based on the description and analysis above, an encryption scheme is presented in the following. To describe our scheme explicitly, we assume that the communicating parties are a client and a server. The encryption scheme is illustrated in Fig. 1, whose steps are:

  Server: choose the field $F_{2^m}$; generate the elliptic curve and the base point; choose a symmetric encryption scheme; send the choices.
  Client: receive the parameters; generate the public and private key pair of the client.
  Server: generate the public and private key pair of the server.
  Both:   exchange the public keys; generate the shared key by the Diffie-Hellman protocol based on ECC.
  Sender: encrypt the plain text by the symmetric encryption scheme and generate the MAC; send the cipher text.
  Receiver: decrypt the cipher text by the symmetric encryption scheme and check the MAC to recover the plain text.

Firstly, the server determines the underlying field $F_{2^m}$, the elliptic curve, a base point and the symmetric encryption scheme to be used, then sends these choices to the client. After the two communicating parties generate their own key pairs, they send their respective public keys to each other and negotiate the shared key by the Diffie-Hellman protocol based on ECC. Now the two parties can encrypt and decrypt via the symmetric-key scheme (such as the bitwise exclusive-or algorithm, IDEA, 3DES, AES, etc.). To ensure the integrity of the cipher text, a message authentication code (MAC) scheme is applied.
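The point operations of Section 2.2, the point-finding loop of Section 2.2.3 and the key exchange of Tab. 1, as an added Python example that is not the paper's toolkit. Assumptions: the field helper BinaryField uses a polynomial basis instead of the paper's ONB, since the curve formulas do not depend on the basis; the $y$-coordinate is recovered with the half-trace (valid for odd $m$) rather than the normal-basis bit recursion; and the toy curve $y^2 + xy = x^3 + x^2 + 1$ over $F_{2^5}$ with $f(x) = x^5 + x^2 + 1$ is constructed here for checking. That curve has 22 points, so the cofactor is $h = 2$ and doubling the first point found gives a base point $G$ of prime order $n = 11$, with private keys in $[2, n-2]$ as in Tab. 1.

```python
import secrets


class BinaryField:
    """F_{2^m} in a polynomial basis (assumed helper, not the paper's ONB code): an
    element is an int whose bit i is the coefficient of x^i, reduced modulo poly."""

    def __init__(self, m, poly):
        self.m, self.poly, self.mask = m, poly, (1 << m) - 1

    def mul(self, a, b):                      # shift-and-add, reducing after each shift
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.m & 1:
                a ^= self.poly
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

    def inv(self, a):                         # a^(2^m - 2), as in Section 1.2.4
        if a == 0:
            raise ZeroDivisionError
        return self.pow(a, self.mask - 1)

    def trace(self, a):                       # Tr(a) = a + a^2 + ... + a^(2^(m-1)), in {0, 1}
        t, x = 0, a
        for _ in range(self.m):
            t, x = t ^ x, self.mul(x, x)
        return t

    def half_trace(self, c):                  # m odd: c + c^4 + c^16 + ... solves z^2 + z = c if Tr(c) = 0
        z, x = 0, c
        for _ in range((self.m + 1) // 2):
            z, x = z ^ x, self.pow(x, 4)
        return z


class BinaryCurve:
    """y^2 + xy = x^3 + a x^2 + b over F_{2^m}; affine points are (x, y), O is None."""

    def __init__(self, K, a, b):
        self.K, self.a, self.b = K, a, b

    def rhs(self, x):
        x2 = self.K.mul(x, x)
        return self.K.mul(x2, x) ^ self.K.mul(self.a, x2) ^ self.b

    def on_curve(self, P):
        return P is None or self.K.mul(P[1], P[1]) ^ self.K.mul(P[0], P[1]) == self.rhs(P[0])

    def neg(self, P):                         # -P = (x, x + y)
        return None if P is None else (P[0], P[0] ^ P[1])

    def add(self, P, Q):                      # Section 2.2.1, with the O and Q = -P cases
        K, a = self.K, self.a
        if P is None or Q is None:
            return Q if P is None else P
        (x1, y1), (x2, y2) = P, Q
        if x1 != x2:                                       # general addition
            lam = K.mul(y1 ^ y2, K.inv(x1 ^ x2))
            x3 = K.mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
            return (x3, K.mul(lam, x1 ^ x3) ^ x3 ^ y1)
        if y1 != y2 or x1 == 0:                            # Q = -P, so P + Q = O
            return None
        lam = x1 ^ K.mul(y1, K.inv(x1))                    # doubling
        x3 = K.mul(lam, lam) ^ lam ^ a
        return (x3, K.mul(x1, x1) ^ K.mul(lam ^ 1, x3))

    def scalar_mul(self, k, P):               # Section 2.2.2: h-1 doublings, w_k-1 additions
        Q = None
        for bit in bin(k)[2:]:
            Q = self.add(Q, Q)
            if bit == "1":
                Q = self.add(Q, P)
        return Q

    def find_point(self, x):
        """Section 2.2.3: from x, step by 1 until a y exists.  y = xz with z^2 + z = c/x^2;
        z comes from the half-trace (m odd) instead of the normal-basis bit recursion."""
        K = self.K
        while True:
            x &= K.mask
            if x == 0:
                return (0, K.pow(self.b, 1 << (K.m - 1)))  # y^2 = b, so y = sqrt(b)
            d = K.mul(self.rhs(x), K.inv(K.mul(x, x)))
            if K.trace(d) == 0:
                return (x, K.mul(x, K.half_trace(d)))
            x += 1


def point_order(curve, P):                    # brute force; only for the toy curve
    n, Q = 1, P
    while Q is not None:
        Q, n = curve.add(Q, P), n + 1
    return n


def keygen(curve, G, n):                      # Tab. 1: d in [2, n-2], Q = d x G
    d = 2 + secrets.randbelow(n - 3)
    return d, curve.scalar_mul(d, G)


def ecdh(curve, G, d_C, d_S):
    """Both columns of Tab. 1; returns (K computed by C, K computed by S)."""
    Q_C, Q_S = curve.scalar_mul(d_C, G), curve.scalar_mul(d_S, G)
    return curve.scalar_mul(d_C, Q_S), curve.scalar_mul(d_S, Q_C)


# Constructed toy parameters (not the paper's F_{2^163} curve): F_{2^5} with
# f(x) = x^5 + x^2 + 1 and the curve y^2 + xy = x^3 + x^2 + 1, which has 22 points.
TOY_FIELD = BinaryField(5, 0b100101)
TOY_CURVE = BinaryCurve(TOY_FIELD, a=1, b=1)
TOY_P = TOY_CURVE.find_point(2)               # x = 2..5 fail the trace test; x = 6 works
TOY_G = TOY_CURVE.scalar_mul(2, TOY_P)        # cofactor h = 2 leaves a base point of prime order
TOY_N = point_order(TOY_CURVE, TOY_G)         # n = 11
```

The toy parameters exist only so that every intermediate value can be checked by hand; for a real deployment the septuple of Section 2.1 comes from the standard, and the brute-force point_order is replaced by the published $n$ and $h$.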

4 Implementation and Application

In the implementation of the encryption software, we choose the exclusive-or algorithm as the symmetric encryption algorithm. The byte length of an encrypted data packet is set to 1 024. HMAC-SHA-1-160 is selected as the MAC scheme [14, 15]. These choices were made to provide the desired security. Note, however, that exclusive-or with a fixed key is a reused one-time pad: the exclusive-or of two packets encrypted under the same key equals the exclusive-or of their plain texts, so this choice by itself does not give the semantic security aimed at in the introduction, and a block cipher such as AES (listed among the options in Section 3.3) should be used instead when the scheme is deployed; the HMAC check still protects the integrity of each packet.
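As an added example (not the paper's DLL), the packet format of Section 4 in Python: encrypt-then-MAC with HMAC-SHA-1-160 over a packet of at most 1 024 bytes, with the MAC checked in constant time before anything is decrypted, and a function showing what an eavesdropper learns from two packets under the exclusive-or algorithm. Assumptions, because the page does not specify them: derive_keys splits the shared $x$-coordinate into separate encryption and MAC keys with HMAC, the short key is repeated cyclically to cover the packet, and SHARED_X, P1 and P2 are constructed sample data.

```python
import hashlib
import hmac

PACKET_LEN = 1024            # byte length of an encrypted data packet (Section 4)
TAG_LEN = 20                 # HMAC-SHA-1-160 tag length


def derive_keys(shared_x):
    """Assumed key split (the page only says "a part of K" is the secret key):
    separate encryption and MAC keys derived from the shared x-coordinate bytes."""
    enc_key = hmac.new(shared_x, b"enc", hashlib.sha1).digest()
    mac_key = hmac.new(shared_x, b"mac", hashlib.sha1).digest()
    return enc_key, mac_key


def xor_cipher(key, data):
    """The paper's exclusive-or algorithm.  Assumption: the key is repeated to cover
    the packet, since the page does not say how a short key spans 1 024 bytes."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def seal(enc_key, mac_key, plaintext):
    """One packet as ciphertext || HMAC-SHA-1(ciphertext): encrypt-then-MAC."""
    if len(plaintext) > PACKET_LEN:
        raise ValueError("packet too large")
    ct = xor_cipher(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha1).digest()


def open_packet(enc_key, mac_key, packet):
    """Check the MAC (constant-time compare) before decrypting; None means reject."""
    if len(packet) < TAG_LEN:
        return None
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha1).digest()):
        return None
    return xor_cipher(enc_key, ct)


def two_time_pad_leak(enc_key, p1, p2):
    """What an eavesdropper computes from two packets under one fixed XOR key:
    C1 xor C2, which equals P1 xor P2 because the key cancels, with no key needed."""
    c1, c2 = xor_cipher(enc_key, p1), xor_cipher(enc_key, p2)
    return bytes(u ^ v for u, v in zip(c1, c2))


# Constructed sample data: a fake 163-bit x-coordinate and two short records.
SHARED_X = bytes.fromhex("03" + "ab" * 20)
P1 = b"fingerprint-record-0001" + bytes(41)
P2 = b"fingerprint-record-0002" + bytes(41)
```

A flipped ciphertext bit is rejected by the MAC before it can reach the decryptor, which is the property the HMAC choice buys; the two-time-pad function is the reason the exclusive-or choice should not survive into a deployment.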

The efficiency of the encryption software is determined by the arithmetic of field elements and elliptic curve points based on the ONB of $F_{2^m}$, and by the conversions between elliptic curve points and field elements.

To make our code more concise, efficient and reusable, we chose Turbo C 2.0 as the development tool and encapsulated all the underlying functions in a dynamic link library (DLL) file. The performance of the encryption software was tested on a Pentium III 733 platform. Tab. 2 shows the times for the encryption and decryption operations.

Tab. 2 Time for ECC operations over $F_{2^{163}}$

  Operation     Random curve over $F_{2^{163}}$
  Encryption    3.96 milliseconds
  Decryption    2.58 milliseconds

We have applied the toolkit (DLL file) in a project (named User Identity Identification) of Cheng Dian Unead Software Limited Corporation. The main technologies are as follows: at the client, a thermo-sensitive sensor captures the user's live fingerprint; the live-fingerprint data are processed, then encrypted by the encryption toolkit and transmitted to the server; at the server, the encrypted data are decrypted and the pattern recognition operation is conducted. Finally the user's identity is established. The practical function and performance tests of the system show that the toolkit is characterized by good security and high efficiency [16].

5 Conclusions

RSA has been used in public-key systems for over two decades, but ECC offers an alternative. ECC is attractive because of its potential to provide security comparable to RSA with significantly smaller key sizes. ECC also offers faster processing and lower demands on memory and bandwidth, which are critical for mobile solutions [3, 17]. Currently, research on threshold cryptography is developing fast [18], and threshold cryptography techniques based on ECC deserve great attention.

References

[1] Xu Qiuliang, Li Daxing. Elliptic curve cryptosystems[J]. Journal of Computer Research and Development, 1999, 36(11): 1282 (in Chinese)
[2] Wang Hanqiang, Wei Qingfu. A public key cryptosystem based on elliptic curves over Z/nZ[J]. Journal of China Institute of Communications, 1999, 20(7): 16 (in Chinese)
[3] Zhang Xianfeng, Qin Zhiguang, Liu Jinde. An analysis of the security and efficiency on elliptic curve cryptosystems[J]. Journal of University of Electronic Science and Technology of China, 2001, 30(2): 144 (in Chinese)
[4] Certicom Corp. Current Public-key Cryptographic Systems[DB/OL]. A Certicom Whitepaper, Canada, 2000. http://www.certicom.com/resources/download/EccWhite2.pdf
[5] Certicom Corp. Remarks on the security of the elliptic curve cryptosystem[DB/OL]. A Certicom Whitepaper, Canada, 2000. http://www.certicom.com/resources/download/EccWhite3.pdf
[6] Lopez J, Dahab R. An Overview of Elliptic Curve Cryptography[DB/OL]. http://citeseer.nj.nec.com/333066.html, 2000
[7] Certicom Corp. Math[DB/OL]. Canada. http://www.certicom.com/resources/ecc/math7.html, 2003
[8] IEEE Standards Department. IEEE P1363/D13 (Draft Version 13), Standard Specifications for Public Key Cryptography[S]. 1999: 92-105, 112
[9] Agnew G B, Mullin R C, Vanstone S A. An implementation of elliptic curve cryptosystems over F_{2^155}[J]. IEEE Journal on Selected Areas in Communications, 1993, 11(5): 804-813
[10] Tatsuaki Okamoto, Eiichiro Fujisaki, Hikaru Morita. PSEC: Provably Secure Elliptic Curve Encryption Scheme[DB/OL]. 1999. http://grouper.ieee.org/groups/1363/P1363a/contributions/psec.pdf
[11] Hankerson D, Lopez J, Menezes A. Software Implementation of Elliptic Curve Cryptography over Binary Fields[DB/OL]. 2000. http://palms.ee.princeton.edu/fiskiran/repository/CHES/hankerson00software.pdf
[12] Brown M, Hankerson D, Lopez J. Software Implementation of the NIST Elliptic Curves over Prime Fields[DB/OL]. 2001. http://www.eng.auburn.edu/users/hamilton/security/pubs/Software_Implementation_of_the_NIST_Elliptic.pdf
[13] Aydos M, Sava E C. Implementing Network Security Protocols based on Elliptic Curve Cryptography[DB/OL]. http://i-slab.oregonstate.edu/papers/c16nsecc.pdf, 2001-07-05
[14] ANSI X9.71-199x. Keyed Hash Message Authentication Code[S]. Working Draft, 1998
[15] Krawczyk H, Bellare M, Canetti R. HMAC: Keyed-Hashing for Message Authentication[DB/OL]. Internet RFC 2104, 1997. http://www.ietf.org
[16] Chengdian Unead Software Limited Corp. The test report of UID[R]. 2001: 25
[17] Christopher M K, Curtis E D, Osmanoglu T. Security Architecture: Design, Deployment and Operations[M]. Sydney: Osborne/McGraw-Hill, 2001: 192
[18] Desmedt Y. Some Recent Research Aspects of Threshold Cryptography[DB/OL]. http://citeseer.nj.nec.com/desmedt97some.html, 1997

Brief Introduction to Author(s)

ZHANG Xianfeng (张险峰) was born in 1973. He is now pursuing a Ph.D. degree at UESTC. His research interests include information security and cryptographic technology. E-mail: [email protected]

QIN Zhiguang (秦志光) was born in 1957. He is now a Professor and Doctoral Advisor at UESTC. His research interests include information security, ITS and middleware. E-mail: [email protected]

ZHOU Shijie (周世杰) was born in 1971. He is now pursuing a Ph.D. degree at UESTC. His research interests include P2P computing, information security and distributed computing. E-mail: [email protected]

LIU Jinde (刘锦德) was born in 1930. He is now a Professor and Doctoral Advisor at UESTC. His research interests include open distributed computing and middleware technology, and mobile agent technology. E-mail: [email protected]


Fig. 1 The flow chart of the encryption scheme
