
CHAPTER 1 INTRODUCTION

In 1976, Whitfield Diffie and Martin Hellman introduced the concept of public key cryptography (PKC). Since then, many implementations of it have been proposed, and many of these cryptographic applications base their security on the intractability of hard mathematical problems, namely the integer factorization problem (IFP) and the finite field discrete logarithm problem (DLP). Over the years, sub-exponential time algorithms were developed to solve these problems. As a result, key sizes grew to more than 1000 bits so as to attain a reasonable level of security. In constrained environments where computing power, storage and bandwidth are limited, carrying out thousand-bit operations becomes an impractical approach to providing adequate security. This is most evident in hand-held devices such as mobile phones, pagers and PDAs, which have very limited processing power and battery life.

Elliptic Curve Cryptography (ECC) is a form of public key cryptography. In public key cryptography, each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys for carrying out the cryptographic operations. Only the particular user knows the private key, whereas the public key is distributed to all users taking part in the communication. Some public key algorithms require a set of predefined constants to be known by all the devices taking part in the communication; the domain parameters in ECC are an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private key cryptography.

Proposed independently by Neal Koblitz and Victor Miller in 1985, ECC has the special characteristic that, to date, the best known algorithm for solving its underlying problem runs in fully exponential time.
Its security comes from the elliptic curve discrete logarithm problem, which is the DLP in the group formed by the points on an elliptic curve over a finite field. This results in a dramatic decrease in the key size needed to achieve the level of security offered by conventional PKC schemes. This paper examines two aspects of ECC, namely its security and efficiency, so as to provide grounds as to why ECC is most suitable for constrained environments. We begin by introducing the three mathematical problems and the various algorithms that solve them. An overview of implementation methods and considerations will be provided, followed by comparisons of the performance of ECC with other PKC applications. Lastly, there will be a survey of current ECC applications in various mobile devices.

CHAPTER 2 ELLIPTIC CURVE CRYPTOGRAPHY


2.1 ELLIPTIC CURVE:

Figure 1: An elliptic curve (corresponding to the equation $y^2 = x^3 - 6x$)

2.2 ELLIPTIC CURVE CRYPTOGRAPHY


The mathematical operations of ECC are defined over the elliptic curve $y^2 = x^3 + ax + b$. Each pair of values a and b gives a different elliptic curve. All points (x, y) that satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key by the generator point G of the curve. The generator point G and the curve parameters a and b, together with a few more constants, constitute the domain parameters of ECC. One main advantage of ECC is its small key size: a 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.

2.2.1 The Need for Public Key Cryptography

Private key cryptography is widely used for the encryption of data due to its speed. The most commonly used algorithm today is the Data Encryption Standard (DES). It has an extremely fast encryption speed, and this is a very attractive quality in terms of efficiency; however, it has certain shortcomings that make it unsuitable for use in the m-commerce environment.

1. Key Management Problem: A wireless user should be able to conduct business transactions with not just one party but with many different ones. Thus, communication on a public network is not restricted to one-on-one, but involves a large number of users. For a network of n users, $n(n-1)/2$ private keys need to be generated. When n is large, the number of keys becomes unmanageable.

2. Key Distribution Problem: With such a large number of keys that need to be generated on a network, the job of generating the keys and finding a secure channel to distribute them becomes a burden.

3. No digital signatures possible: A digital signature is an electronic analogue of a handwritten signature. If Alice sends an encrypted message to Bob, Bob should be able to verify that the received message is indeed from Alice. This can be done with Alice's signature; however, private key cryptography does not allow such a feature.

In contrast, public key cryptography uses two keys. Each user on a network publishes a public encryption key that anyone can use to send them messages, while keeping the private key secret for decryption. On a network of n users, only n public and n private keys are needed. This reduces the number of keys needed from $O(n^2)$ to $O(n)$. Furthermore, it allows the use of digital signatures, which ensure non-repudiation. However, public key cryptography does have its drawbacks. Compared to private key cryptography, public key cryptography is orders of magnitude slower. RSA needs at least 1024-bit keys while DES needs only 64 bits. In truth, public and private key cryptography work best together. Public key cryptography is ideal for key distribution and management, ensuring data integrity, and providing authentication and non-repudiation, while private key cryptography is ideal for ensuring confidentiality, such as encrypting data and communication channels. These are the four main objectives of any cryptographic application.

2.2.2 Choice of Public Key Cryptosystem

When it comes to choosing which public key cryptosystem to employ in a mobile environment, one has to keep in mind restrictions on bandwidth, memory and battery life. In constrained environments such as mobile phones, wireless pagers or PDAs, these resources are highly limited. Thus, a suitable public key scheme would be one that is efficient in terms of computing costs and key sizes.

To date, the ECC has the highest strength-per-bit compared to other public key cryptosystems. Small key sizes translate into savings in bandwidth, memory and processing power. This makes ECC the obvious choice in this situation. However, there are other aspects that need to be taken into account. In the following section, we will examine the different mathematical problems that underlie the majority of the public key cryptosystems in use today. We will also discuss some of the most efficient algorithms that solve them. This will give us a better understanding of the security on which different types of public key cryptosystems are based.

2.3 Security of Public Key Cryptosystems


As mentioned before, many public key cryptosystems base their security on the difficulty of solving a mathematical problem. Today, there are three problems that are believed to be both secure and practical after years of intensive study: 1) the integer factorization problem, 2) the finite field discrete logarithm problem and 3) the elliptic curve discrete logarithm problem. (Although there are other cryptographic systems that are lattice based, they will not be discussed in this paper.) While this by no means proves that they are unbreakable, it is highly unlikely that anyone will find an efficient algorithm to solve them in the near future. The security of a cryptosystem depends on how hard it is to solve the underlying mathematical problem. The difficulty of a problem is determined by the asymptotic runtime of the algorithms that solve it. Typically, in practical cryptographic applications, only two factors are used for the modulus n. A larger number of factors for n does not seem to offer any additional security in the IFP. The best-known public key cryptosystem that bases its security on the difficulty of the IFP is RSA. Named after its inventors Ron Rivest, Adi Shamir and Len Adleman, who developed it at MIT in 1978, it was the first practical implementation of public key cryptography since the introduction of the concept. Another example is the Rabin-Williams cryptosystem. It is similar to RSA, but it uses an even public exponent.

2.4 The ECC Advantage


Much like the RSA challenge, the Certicom ECC challenge offers prize money for solving ECDLP instances of various key sizes. The current record was set in November 2002, when a 109-bit encryption key was broken with 10,000 computers running 24 hours a day for 549 days. The Certicom ECC challenge website reports that breaking a 163-bit key, which is the standard applied to most commercial ECC applications that Certicom uses, would be a hundred million times harder than breaking the 109-bit key. It is worth noting that a 160-bit ECC key has about the same level of security as a 1024-bit RSA key. The most important difference between ECC and other conventional cryptosystems is that for a well-chosen curve, the best method currently known for solving the ECDLP is fully exponential, while sub-exponential algorithms exist for conventional cryptosystems. This difference largely accounts for the huge disparity in their respective running times. It also means that ECC keys have far fewer bits than those of IFP- and DLP-based applications. The contrast in the key lengths of RSA, DSA and ECC is shown in the graph (Graph 3-i) below. Clearly, ECC keys take much more effort to break than RSA and DSA keys. Because of this, many people believe that the ECDLP is intrinsically harder than the other two problems. While this deduction might be true, we have no way of proving it. We do not know whether a fast and efficient elliptic curve DL algorithm that runs in sub-exponential time will be discovered, say, in the next ten years, or whether another class of weak curves will be identified that could compromise the security of elliptic curve cryptosystems. But one thing is certain: after years of intensive study, there is currently no faster way to attack the ECDLP than fully exponential algorithms.

Figure 2 (Graph): comparison of security levels

CHAPTER 3
3.1 IMPLEMENTATION OF ECC

3.1.1 Prime field algorithms

We have implemented a wrapper class for elements of $F_p$ (zp int), complete with arithmetic and comparison operators, as well as standard and Jacobian coordinate classes. We have also implemented a class for polynomials over $F_p$ (ModularPolynomial), again complete with arithmetic (including GCD). We have implemented the algorithm of Tonelli and Shanks for computing square roots over $F_p$, and used it to implement an algorithm for finding roots of general polynomials over $F_p$, needed in the complex multiplication method in order to find roots of the Hilbert class polynomial. These algorithms require the computation of the Legendre symbol, and so we have implemented the standard efficient algorithm which utilizes the quadratic reciprocity theorem. We have also implemented Cornacchia's algorithm for finding $x, y$ such that $x^2 + |D| y^2 = 4p$ for a given p. Primality testing was done via the GMP library (which implements Miller-Rabin).

3.1.2 Binary field algorithms

We have implemented binary finite field arithmetic in the class GFE.h in two variants. The first one is "from scratch", with algorithms for addition, multiplication, the extended Euclidean algorithm for binary finite fields in order to compute the multiplicative inverse, and an algorithm for solving quadratic equations over $F_{2^d}$ (see section 3.5). The last algorithm is especially useful for solving the curve equation ($y^2 + xy = x^3 + ax^2 + b$) for the y-coordinate. The second variant is actually a wrapper around the same functions provided by the NTL library. For the evaluations, however, we used the implementation from scratch. The implementation was done in such a way that GFE objects can be used the same way as "primitive" types, with the corresponding operators. The algorithms used for AGM point-counting are defined in adicops.h. This contains the AGM algorithm itself, as defined in the book "Handbook of Elliptic and Hyperelliptic Curve Cryptography" by Cohen and Frey.
The p-adic algorithms required for AGM are: square-root computation, inverse square-root computation and inverse element computation. In addition to this, p-adic polynomial arithmetic containing addition, subtraction, multiplication and division (all operations modulo an irreducible polynomial) was implemented in two variants: the first one from scratch in the wrapper class defined in Poly.h. The second variant uses modular polynomials from NTL and is defined in the wrapper class in ModPoly.h.

3.2 Elliptic curve implementation


The implementation of elliptic curves had to be done in such a way that a caller who wants to use its arithmetic does not have to distinguish between prime and binary curves. This was achieved by using a stable interface class defined in Ellipticcurve.h, which defines the following virtual functions:

1. Point addition
2. Point subtraction
3. Point doubling
4. Point multiplication
5. Get a point from the "compressed" format
6. Convert a point to the "compressed" format
7. Get a random point on the curve

The concrete implementations of the functions are done in ECPrime.h for prime curves and ECBinary.h for binary curves. In this way, the program can deal with objects of the abstract type Ellipticcurve without having to know the underlying implementation. The predefined NIST curves are all implemented as their own subclasses of ECBinary or ECPrime, which simplifies the initialization of those curves. In this case an Ellipticcurve object is simply initialized with the concrete Curve NISTp192 implementation, representing the NIST prime curve over a 192-bit field. Elliptic curve arithmetic, namely addition and multiplication, was implemented according to Menezes' book "Guide to Elliptic Curve Cryptography".

3.2.1 Finding a random point on the curve

Another algorithm which is implementation specific is finding a random point on the curve. This is required while generating a random curve suitable for the cryptosystem. The algorithms for both prime and binary curves choose a random x coordinate until a corresponding y coordinate exists. For prime curves $y^2 = x^3 + ax + b$ this requires computing a modular square root, and in the binary case, for curves $y^2 + xy = x^3 + ax^2 + b$, a binary quadratic equation must be solved.

3.2.2 Compressed format

Because we are able to find the y-coordinate for a given x, the full value of y is actually redundant information. Since there are two possible y values for a given x, the only question is which one was intended. For the purpose of storing and recovering points from text files, we use the compressed format. This consists of the x-coordinate, preceded by either "+" or "-", indicating which of the two possible y-coordinates has to be chosen.

3.3 Cryptosystem implementation


The elliptic curve ElGamal cryptosystem is implemented in the class defined in elgamal.h. An "Ellipticcurve" object, which is used for the elliptic curve operations, must be passed to the cryptosystem. ECC ElGamal consists of the following functionality:

1. Plaintext encryption
2. Ciphertext decryption
3. Random key-pair generation

For the corresponding algorithms, se. In addition to this, routines for encoding strings to a point on an elliptic curve (including random padding) and for decoding strings from points are implemented. Furthermore, a curve validation function is implemented, which multiplies the curve point by the curve order. For a correctly defined curve, the result should be the point at infinity.

3.4 Command-line interface


The command-line interface, used for interpreting the user's parameters, is implemented in cmd.h. It parses the switches provided on the command line and launches actions such as key-pair generation, encryption or decryption accordingly.

3.5 Metrics
The implementation is done in C++ and consists of approximately 7500 lines of code. The code is distributed over 29 files, containing 34 classes. In total, 53 test cases are written (using CppUnit) and can be executed at any time.


CHAPTER 4
4.1 Mathematical Foundations


Use of each of the public-key cryptographic schemes described in this document involves arithmetic operations on an elliptic curve over a finite field.

4.1.1 Finite Fields

Abstractly, a finite field consists of a finite set of objects called field elements together with the description of two operations, addition and multiplication, that can be performed on pairs of field elements. These operations must possess certain properties. It turns out that there is a finite field containing q field elements if and only if q is a power of a prime number, and furthermore that for each such q there is precisely one finite field. The finite field containing q elements is denoted by $F_q$. Here only two types of finite fields $F_q$ are used: finite fields $F_p$ with $q = p$, p an odd prime, which are called prime finite fields, and finite fields $F_{2^m}$ with $q = 2^m$ for some $m \ge 1$, which are called characteristic 2 finite fields. It is necessary to describe these fields concretely in order to precisely specify cryptographic schemes based on ECC.

4.1.2 The Finite Field $F_p$

The finite field $F_p$ is the prime finite field containing p elements. Although there is only one prime finite field $F_p$ for each odd prime p, there are many different ways to represent the elements of $F_p$. Here the elements of $F_p$ should be represented by the set of integers from 0 to $p - 1$, with addition and multiplication defined as follows:

Addition: If $a, b \in F_p$, then $a + b = r$ in $F_p$, where $r \in [0, p-1]$ is the remainder when the integer $a + b$ is divided by p. This is known as addition modulo p and written $a + b \equiv r \pmod p$.

Multiplication: If $a, b \in F_p$, then $a \cdot b = s$ in $F_p$, where $s \in [0, p-1]$ is the remainder when the integer $ab$ is divided by p. This is known as multiplication modulo p and written $a \cdot b \equiv s \pmod p$.

4.2 Implementation of Elliptic Curve Cryptosystems


There are some important issues that need to be addressed before implementing an elliptic curve cryptosystem. We need to decide whether to use an even or odd characteristic field, and also how to represent the points on the elliptic curve. These choices not only determine how we implement field arithmetic on elliptic curves, but also affect the efficiency of the computations. In parameters, and the last section discusses the NIST recommended curves and guidelines.

4.2.1 Even and Odd Characteristic Fields

There are two types of field characteristic, namely even and odd. The prime field $GF(p)$, where p is a large prime, is of odd characteristic. This field has p elements, which are represented by integers modulo p. Field arithmetic on $GF(p)$ is implemented in terms of the arithmetic of integers modulo p. The field $GF(2^m)$ is of even characteristic, specifically of characteristic 2. There are $2^m$ elements in this field, and they are represented as m-dimensional binary vectors over $F_2$, i.e. bit-strings of length m. Field addition and subtraction are implemented as component-wise XOR, while the implementations of multiplication and inversion (division) depend on the choice of basis. Arithmetic in a prime field is simple; it is just the arithmetic of integers modulo p. For a binary field, the field elements are represented relative to a given basis, and there are many choices of basis. A polynomial basis has the form $\{1, t, t^2, \ldots, t^{m-1}\}$, where t is a root of an irreducible polynomial $p(t)$ over $F_2$. An irreducible polynomial is one that cannot be factored as a product of polynomials of lower degree modulo 2. An element of $GF(2^m)$ is then a vector $(a_0, a_1, \ldots, a_{m-1})$ of coefficients $a_i \in F_2$, representing the polynomial $a_0 + a_1 t + \cdots + a_{m-1} t^{m-1}$ reduced modulo $p(t)$; field arithmetic is performed as polynomial arithmetic modulo $p(t)$. Addition of field elements in normal basis representation is simply bitwise XOR-ing of the vector elements. Squaring can be achieved by a rotation of the vector elements. This is a cheap operation to perform, thus the cost of squaring is often ignored in analyzing runtime complexities. Multiplication is more complicated, but, with optimization, it comes down to a series of m cyclic shifts of the two vector multiplicands. Inversion (division) is the most complex and expensive operation to perform.

4.2.2 Point Representation

In this section, two types of point representation will be discussed: affine and projective coordinates. We will use formulae for point addition in a prime field to illustrate the different costs of performing point arithmetic using the two representations. Refer to Appendix A for formulae on point addition in fields of characteristic 2 and $p > 3$, using both affine and projective representations. Affine coordinates (x, y) satisfy the affine equation (i) $E: y^2 = x^3 + ax + b$, where $a, b \in GF(p)$. Referring to formula (A-1) in Appendix A, addition of affine coordinates requires 1 inversion, 2 multiplications and 1 squaring (ignoring the cost of field additions and subtractions) when $P_1 \ne P_2$, while point doubling ($P_1 = P_2$) requires 1 inversion, 2 multiplications and 2 squarings. Conventional projective coordinates (x, y, z) satisfy the homogeneous Weierstrass equation $E: y^2 z = x^3 + axz^2 + bz^3$, where $a, b \in F_p$. When $z \ne 0$, the projective point (x, y, z) corresponds to the affine point $(x/z, y/z)$. Projective coordinates are used when field inversions are significantly more expensive than field multiplications. With projective coordinates, the need for performing inversions is replaced with multiplications, thus projective addition can be achieved through the use of field multiplications only. There are other types of projective representation that are more efficient than the conventional projective representation. In particular, the weighted projective representation (or Jacobian representation) results in a more efficient implementation of the group operations. Jacobian coordinates (x, y, z) correspond to the affine coordinates $(x/z^2, y/z^3)$, and they satisfy the weighted projective curve equation $E: y^2 = x^3 + axz^4 + bz^6$.

4.2.2.1 Point addition

Point addition is the addition of two points J and K on an elliptic curve to obtain another point L on the same elliptic curve.

Geometrical explanation

Consider two points J and K on an elliptic curve as shown in figure (a). If $K \ne -J$, then a line drawn through the points J and K will intersect the elliptic curve at exactly one more point, $-L$. The reflection of the point $-L$ with respect to the x-axis gives the point L, which is the result of the addition of the points J and K. Thus on an elliptic curve $L = J + K$. If $K = -J$, the line through these points intersects the curve at the point at infinity O. Hence $J + (-J) = O$. This is shown in figure (b). O is the additive identity of the elliptic curve group. The negative of a point is the reflection of that point with respect to the x-axis.

Analytical explanation

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Let $L = J + K$ where $L = (x_L, y_L)$. Then

$x_L = s^2 - x_J - x_K$
$y_L = -y_J + s(x_J - x_L)$
$s = (y_J - y_K)/(x_J - x_K)$, where s is the slope of the line through J and K.

If $K = -J$, i.e. $K = (x_J, -y_J)$, then $J + K = O$, where O is the point at infinity. If $K = J$, then $J + K = 2J$ and the point doubling equations are used. Also $J + K = K + J$.


4.2.2.2 Point doubling

Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same elliptic curve.

To double a point J to get L, i.e. to find $L = 2J$, consider a point J on an elliptic curve as shown in figure (a). If the y coordinate of the point J is not zero, then the tangent line at J will intersect the elliptic curve at exactly one more point, $-L$. The reflection of the point $-L$ with respect to the x-axis gives the point L, which is the result of doubling the point J. Thus $L = 2J$. If the y coordinate of the point J is zero, then the tangent at this point intersects the curve at the point at infinity O. Hence $2J = O$ when $y_J = 0$. This is shown in figure (b).

Analytical explanation

Consider a point J such that $J = (x_J, y_J)$, where $y_J \ne 0$. Let $L = 2J$ where $L = (x_L, y_L)$. Then

$x_L = s^2 - 2x_J$
$y_L = -y_J + s(x_J - x_L)$
$s = (3x_J^2 + a)/(2y_J)$, where s is the tangent at point J and a is one of the parameters chosen with the elliptic curve.

If $y_J = 0$, then $2J = O$, where O is the point at infinity.


4.3 EC on Prime Field $F_p$

The equation of the elliptic curve on a prime field $F_p$ is $y^2 \bmod p = (x^3 + ax + b) \bmod p$, where $(4a^3 + 27b^2) \bmod p \ne 0$. Here the elements of the finite field are integers between 0 and $p - 1$. All the operations such as addition, subtraction, division and multiplication involve integers between 0 and $p - 1$. This is modular arithmetic and is defined in section 10.1. The prime number p is chosen such that there is a sufficiently large number of points on the elliptic curve to make the cryptosystem secure. SEC specifies curves with p ranging between 112 and 521 bits. The graph of this elliptic curve equation is not a smooth curve. Hence the geometrical explanation of point addition and doubling as in the real numbers does not work here. However, the algebraic rules for point addition and point doubling can be adapted for elliptic curves over $F_p$.

4.3.1 Point Addition

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Let $L = J + K$ where $L = (x_L, y_L)$. Then

$x_L = (s^2 - x_J - x_K) \bmod p$
$y_L = (-y_J + s(x_J - x_L)) \bmod p$
$s = (y_J - y_K)/(x_J - x_K) \bmod p$, where s is the slope of the line through J and K.

If $K = -J$, i.e. $K = (x_J, -y_J \bmod p)$, then $J + K = O$, where O is the point at infinity. If $K = J$, then $J + K = 2J$ and the point doubling equations are used. Also $J + K = K + J$.

4.3.2 Point Subtraction

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Then $J - K = J + (-K)$, where $-K = (x_K, -y_K \bmod p)$. Point subtraction is used in certain implementations of point multiplication such as NAF [1].

4.3.3 Point Doubling

Consider a point J such that $J = (x_J, y_J)$, where $y_J \ne 0$. Let $L = 2J$ where $L = (x_L, y_L)$. Then

$x_L = (s^2 - 2x_J) \bmod p$
$y_L = (-y_J + s(x_J - x_L)) \bmod p$
$s = (3x_J^2 + a)/(2y_J) \bmod p$, where s is the tangent at point J and a is one of the parameters chosen with the elliptic curve.

If $y_J = 0$, then $2J = O$, where O is the point at infinity.

4.4 EC on Binary Field $F_{2^m}$


The equation of the elliptic curve on a binary field $F_{2^m}$ is $y^2 + xy = x^3 + ax^2 + b$, where $b \ne 0$. Here the elements of the finite field are integers of length at most m bits. These numbers can be considered as binary polynomials of degree $m - 1$. In a binary polynomial the coefficients can only be 0 or 1. All the operations such as addition, subtraction, division and multiplication involve polynomials of degree $m - 1$ or less. The polynomial arithmetic is defined in section 10.2. The value m is chosen such that there is a sufficiently large number of points on the elliptic curve to make the cryptosystem secure. SEC specifies curves with m ranging between 113 and 571 bits. The graph of this equation is not a smooth curve. Hence the geometrical explanation of point addition and doubling as in the real numbers does not work here. However, the algebraic rules for point addition and point doubling can be adapted for elliptic curves over $F_{2^m}$.

4.4.1 Point Addition

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Let $L = J + K$ where $L = (x_L, y_L)$. Then

$x_L = s^2 + s + x_J + x_K + a$
$y_L = s(x_J + x_L) + x_L + y_J$
$s = (y_J + y_K)/(x_J + x_K)$, where s is the slope of the line through J and K.

If $K = -J$, i.e. $K = (x_J, x_J + y_J)$, then $J + K = O$, where O is the point at infinity. If $K = J$, then $J + K = 2J$ and the point doubling equations are used. Also $J + K = K + J$.

4.4.2 Point Subtraction

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Then $J - K = J + (-K)$, where $-K = (x_K, x_K + y_K)$. Point subtraction is used in certain implementations of point multiplication such as NAF [1].

4.4.3 Point Doubling

Consider a point J such that $J = (x_J, y_J)$, where $x_J \ne 0$. Let $L = 2J$ where $L = (x_L, y_L)$. Then

$x_L = s^2 + s + a$
$y_L = x_J^2 + (s + 1) x_L$
$s = x_J + y_J/x_J$, where s is the tangent at point J and a is one of the parameters chosen with the elliptic curve.

If $x_J = 0$, then $2J = O$, where O is the point at infinity.
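Polynomial-basis arithmetic in $GF(2^m)$ (section 4.2.1, and the "from scratch" variant with extended Euclidean inversion described in section 3.1.2) together with the binary-curve point addition and doubling formulas of section 4.4, as an added Python example that is not the report's code. The field $GF(2^4)$ with reducing polynomial $t^4 + t + 1$ and the curve $y^2 + xy = x^3 + g^4 x^2 + 1$, where $g = t$ (so $a = 0011_2 = 3$ and $b = 1$), are constructed for the demonstration; the two sample points are constructed values, verified against the curve equation in the code.

```python
# Added example (not the report's code): GF(2^m) arithmetic in polynomial basis and
# affine point addition/doubling on y^2 + xy = x^3 + ax^2 + b over GF(2^m).
# Field elements are ints: bit i is the coefficient of t^i (the report's bit-string view).

O = None  # the point at infinity

class BinaryField:
    """GF(2^m) modulo an irreducible polynomial of degree m (bit m of `modulus` is set)."""

    def __init__(self, m, modulus):
        assert modulus >> m == 1, "modulus must have degree exactly m"
        self.m, self.modulus = m, modulus

    def add(self, a, b):
        return a ^ b  # addition (and subtraction) is component-wise XOR

    def mul(self, a, b):
        """Shift-and-add multiplication, reducing whenever degree m is reached."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.m) & 1:
                a ^= self.modulus
        return r

    def inv(self, a):
        """Multiplicative inverse by the extended Euclidean algorithm on binary polynomials."""
        if a == 0:
            raise ZeroDivisionError("0 has no inverse")
        u, v, g1, g2 = a, self.modulus, 1, 0
        while u != 1:
            j = u.bit_length() - v.bit_length()
            if j < 0:
                u, v, g1, g2, j = v, u, g2, g1, -j
            u ^= v << j
            g1 ^= g2 << j
        return g1

class CurveF2m:
    """y^2 + xy = x^3 + ax^2 + b with b != 0, affine coordinates, as in section 4.4."""

    def __init__(self, field, a, b):
        assert b != 0
        self.F, self.a, self.b = field, a, b

    def on_curve(self, P):
        if P is O:
            return True
        F, (x, y) = self.F, P
        lhs = F.mul(y, y) ^ F.mul(x, y)
        rhs = F.mul(F.mul(x, x), x) ^ F.mul(self.a, F.mul(x, x)) ^ self.b
        return lhs == rhs

    def neg(self, P):
        return O if P is O else (P[0], P[0] ^ P[1])  # -(x, y) = (x, x + y)

    def add(self, J, K):
        F, a = self.F, self.a
        if J is O:
            return K
        if K is O:
            return J
        xJ, yJ = J
        xK, yK = K
        if xJ == xK:
            if yJ != yK or xJ == 0:
                return O  # K = -J, or doubling a point with x_J = 0 (section 4.4.3)
            s = xJ ^ F.mul(yJ, F.inv(xJ))            # tangent slope s = x_J + y_J/x_J
            xL = F.mul(s, s) ^ s ^ a
            yL = F.mul(xJ, xJ) ^ F.mul(s ^ 1, xL)
        else:
            s = F.mul(yJ ^ yK, F.inv(xJ ^ xK))       # chord slope s = (y_J + y_K)/(x_J + x_K)
            xL = F.mul(s, s) ^ s ^ xJ ^ xK ^ a
            yL = F.mul(s, xJ ^ xL) ^ xL ^ yJ
        return (xL, yL)

    def mul(self, k, P):
        """Scalar multiplication by double-and-add."""
        R, Q = O, P
        while k:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

# Constructed demo: GF(2^4) with t^4 + t + 1, g = t = 0b0010, a = g^4 = 0b0011, b = 1.
F16 = BinaryField(4, 0b10011)
E = CurveF2m(F16, 0b0011, 1)
P = (0b1100, 0b0101)   # (g^6, g^8), constructed sample point
Q = (0b1000, 0b1101)   # (g^3, g^13), constructed sample point

if __name__ == "__main__":
    print("P, Q on curve:", E.on_curve(P), E.on_curve(Q))
    print("2P =", E.add(P, P), " P + Q =", E.add(P, Q), " P + (-P) =", E.add(P, E.neg(P)))
```

Working in the tiny field makes every step checkable by hand: with $g = t$, $P = (g^6, g^8)$ doubles to $(g^{10}, g^8)$ and $P + Q = (1, g^{13})$, and each result satisfies the curve equation. The same classes work unchanged for the SEC sizes mentioned above (m between 113 and 571) once a suitable irreducible polynomial is supplied, though the bit-serial multiplication shown here is far from the optimized methods of section 4.2.1.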

4.5 Data Types and Conversions

The schemes specified in this document involve operations using several different data types. This section lists the different data types and describes how to convert one data type to another. Five data types are employed in this document: three types associated with elliptic curve arithmetic (integers, field elements and elliptic curve points), as well as octet strings, which are used to communicate and store information, and bit strings, which are used by some of the primitives. Throughout this document the above data types are regarded as abstract data types consisting of distinct sets of elements, so that, for example, an octet string is regarded as distinct from a bit string. This formalism helps to clarify the requirements placed on implementations and helps avoid subtle coding errors. Frequently it is necessary to convert one of the data types into another.


CHAPTER 5 Cryptographic Components


5.1 Elliptic Curve Domain Parameters

The operation of each of the public-key cryptographic schemes described in this document involves arithmetic operations on an elliptic curve over a finite field determined by some elliptic curve domain parameters. Two types of elliptic curve domain parameters may be used: elliptic curve domain parameters over $\mathbb{F}_p$, and elliptic curve domain parameters over $\mathbb{F}_{2^m}$.

5.1.1 Elliptic Curve Domain Parameters over F_p

Elliptic curve domain parameters over $\mathbb{F}_p$ are a sextuple

$T = (p, a, b, G, n, h)$

consisting of an integer p specifying the finite field $\mathbb{F}_p$, two elements $a, b \in \mathbb{F}_p$ specifying an elliptic curve $E(\mathbb{F}_p)$ defined by the equation

$E : y^2 \equiv x^3 + ax + b \pmod p,$

a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_p)$, a prime n which is the order of G, and an integer h which is the cofactor $h = \#E(\mathbb{F}_p)/n$. Elliptic curve domain parameters over $\mathbb{F}_p$ precisely specify an elliptic curve and base point. This is necessary to precisely define public-key cryptographic schemes based on ECC.

5.1.1.1 Elliptic Curve Domain Parameters over F_p Generation Primitive

Elliptic curve domain parameters over $\mathbb{F}_p$ should be generated as follows.

Input: The approximate security level in bits required from the elliptic curve domain parameters; this must be an integer t.

Output: Elliptic curve domain parameters over $\mathbb{F}_p$, $T = (p, a, b, G, n, h)$, such that taking logarithms on the associated elliptic curve is believed to require approximately $2^t$ operations.

Actions: Generate elliptic curve domain parameters over $\mathbb{F}_p$ as follows:

1. Select a prime p such that $\lceil \log_2 p \rceil = 2t$ if $t \neq 256$, and such that $\lceil \log_2 p \rceil = 521$ if $t = 256$, to determine the finite field $\mathbb{F}_p$.
2. Select elements $a, b \in \mathbb{F}_p$ to determine the elliptic curve $E(\mathbb{F}_p)$ defined by the equation $E : y^2 \equiv x^3 + ax + b \pmod p$, a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_p)$, a prime n which is the order of G, and an integer h which is the cofactor $h = \#E(\mathbb{F}_p)/n$, subject to the following constraints:
   - $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (the curve is non-singular).
   - $\#E(\mathbb{F}_p) \neq p$ (the curve is not anomalous).
   - $p^B \not\equiv 1 \pmod n$ for any $1 \le B < 20$ (the discrete logarithm cannot be moved into a small extension of $\mathbb{F}_p$).
   - $h \le 4$.
3. Output $T = (p, a, b, G, n, h)$.

This primitive allows any of the known curve selection methods to be used, for example the methods based on complex multiplication and the methods based on general point counting algorithms.

5.1.1.2 Validation of Elliptic Curve Domain Parameters over F_p

Frequently it is either necessary or desirable for an entity using elliptic curve domain parameters over $\mathbb{F}_p$ to receive an assurance that the parameters are valid, that is, that they satisfy the arithmetic requirements of elliptic curve domain parameters, either to prevent malicious insertion of insecure parameters, or to detect inadvertent coding or transmission errors. There are four acceptable methods for an entity U to receive an assurance that elliptic curve domain parameters over $\mathbb{F}_p$ are valid. Only one of the methods must be supplied, although in many cases greater security may be obtained by carrying out more than one of them. The four acceptable methods are:

1. U performs validation of the elliptic curve domain parameters over $\mathbb{F}_p$ itself using the validation primitive.
2. U generates the elliptic curve domain parameters over $\mathbb{F}_p$ itself using a trusted system using the generation primitive.
3. U receives assurance in an authentic manner that a party trusted with respect to U's use of the elliptic curve domain parameters over $\mathbb{F}_p$ has performed validation of the parameters using the validation primitive.
4. U receives assurance in an authentic manner that a party trusted with respect to U's use of the elliptic curve domain parameters over $\mathbb{F}_p$ generated the parameters using a trusted system using the generation primitive.

Usually, when U accepts another party's assurance that elliptic curve domain parameters are valid, the other party is a CA.
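The validation primitive referred to above is not written out on this page. The following Python is an added example, not code from the original document, that carries out the arithmetic checks of 5.1.1.1 and 5.1.1.2 for parameters over F_p: p and n prime (Miller-Rabin), a and b in the field, non-singularity, G on the curve, nG = O, h ≤ 4, #E(F_p) ≠ p, and p^B ≢ 1 (mod n) for 1 ≤ B < 20. Since no point-counting routine is available here, the example checks the claimed cofactor through the Hasse bound |h·n − (p + 1)| ≤ 2√p instead; that substitution, the affine point arithmetic and the choice of inputs (secp256k1 as a known-good parameter set, plus a constructed supersingular toy curve over F_11 that must fail the embedding-degree check) are the example's own assumptions.

```python
"""Validation of elliptic curve domain parameters T = (p, a, b, G, n, h) over F_p.
Added example: affine arithmetic, Miller-Rabin, and the checks listed in 5.1.1.1/5.1.1.2."""
import random

INFINITY = None  # the point at infinity O, identity of E(F_p)

# secp256k1 (SEC 2), used only as a known-good input.
SECP256K1 = (
    2**256 - 2**32 - 977, 0, 7,
    (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8),
    0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, 1)

# Constructed toy input: y^2 = x^3 + 1 over F_11 is supersingular (#E = 12);
# G = (0, 1) has order 3, h = 4, and p^2 = 1 (mod 3), so only the MOV check fails.
TOY_SUPERSINGULAR = (11, 0, 1, (0, 1), 3, 4)

MOV_FAILURE = "p^B = 1 (mod n) for some 1 <= B < 20: small embedding degree"


def is_probable_prime(n, rounds=40):
    """Miller-Rabin: a prime is never rejected; a composite survives with probability <= 4^-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def point_add(P, Q, p, a):
    """Affine addition on y^2 = x^3 + a*x + b over F_p (b does not enter the formulas)."""
    if P is INFINITY:
        return Q
    if Q is INFINITY:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if (y1 + y2) % p == 0:                                # Q = -P
            return INFINITY
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p      # doubling: tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # addition: chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k, P, p, a):
    """Right-to-left double-and-add computation of kP."""
    R = INFINITY
    while k:
        if k & 1:
            R = point_add(R, P, p, a)
        P = point_add(P, P, p, a)
        k >>= 1
    return R


def validate_domain_params(p, a, b, G, n, h):
    """Return the list of failed checks; an empty list means T passed validation."""
    failures = []
    if not is_probable_prime(p):
        failures.append("p is not prime")
    if not (0 <= a < p and 0 <= b < p):
        failures.append("a or b is not an element of F_p")
    if (4 * a**3 + 27 * b**2) % p == 0:
        failures.append("4a^3 + 27b^2 = 0 (mod p): the curve is singular")
    xG, yG = G
    if not (0 <= xG < p and 0 <= yG < p) or (yG * yG - (xG**3 + a * xG + b)) % p:
        failures.append("G does not satisfy the curve equation")
    if failures:
        return failures            # the group checks below need a valid field, curve and point
    if not is_probable_prime(n):
        return ["n is not prime"]
    if scalar_mult(n, G, p, a) is not INFINITY:
        failures.append("nG != O: n is not the order of G")
    if h > 4:
        failures.append("cofactor h > 4")
    # Hasse bound: #E(F_p) = h*n must satisfy |h*n - (p + 1)| <= 2*sqrt(p); this rejects
    # a claimed cofactor that cannot be #E(F_p)/n without running a point-counting algorithm.
    if (h * n - (p + 1))**2 > 4 * p:
        failures.append("h*n violates the Hasse bound: h is not #E(F_p)/n")
    if h * n == p:
        failures.append("#E(F_p) = p: anomalous curve")
    if any(pow(p, B, n) == 1 for B in range(1, 20)):
        failures.append(MOV_FAILURE)
    return failures


if __name__ == "__main__":
    for name, T in (("secp256k1", SECP256K1), ("toy supersingular", TOY_SUPERSINGULAR)):
        print(name, "->", validate_domain_params(*T) or "valid")
```

Running the block prints `valid` for secp256k1 and the embedding-degree failure for the toy curve. The order of the checks matters in practice: the field, curve and point checks come first because the scalar multiplication used for nG = O silently computes garbage (or raises on a non-invertible element) when p is composite or G is off the curve, which is exactly the kind of malicious parameter the validation is meant to reject.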

5.1.2 Elliptic Curve Domain Parameters over F_2^m

Elliptic curve domain parameters over $\mathbb{F}_{2^m}$ are a septuple

$T = (m, f(x), a, b, G, n, h)$

consisting of an integer m specifying the finite field $\mathbb{F}_{2^m}$, an irreducible binary polynomial $f(x)$ of degree m specifying the representation of $\mathbb{F}_{2^m}$, two elements $a, b \in \mathbb{F}_{2^m}$ specifying the elliptic curve $E(\mathbb{F}_{2^m})$ defined by the equation

$y^2 + xy = x^3 + ax^2 + b \quad \text{in } \mathbb{F}_{2^m},$

a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_{2^m})$, a prime n which is the order of G, and an integer h which is the cofactor $h = \#E(\mathbb{F}_{2^m})/n$. Elliptic curve domain parameters over $\mathbb{F}_{2^m}$ precisely specify an elliptic curve and base point. This is necessary to precisely define public-key cryptographic schemes based on ECC.

5.2 Key Generation


The key-pair generation was run with the built-in NIST curves over prime and binary fields. The key sizes are 192, 224, 256, 384 and 521 bits for the prime curves and 163, 283, 409 and 571 bits for the binary curves. As expected, the time increases roughly linearly with the key size, with a slightly steeper slope for the prime curves than for the binary curves. The operation performed is essentially one elliptic curve point multiplication. The timings for all tested curves stay below one second and are therefore feasible. The computations on prime curves show a significant advantage over the binary curves. The difference most likely comes from the fact that the binary curve arithmetic uses binary field arithmetic built from scratch, while the prime field arithmetic was done using GMP. For a definitive result, more optimized binary field arithmetic should be used.


Figure 2: Key-pair generation, with prime and binary curves.

5.3 Encryption and Decryption


While in the key-generation test the processed data depends on the key size, in the encryption and decryption test all cases process a file of the same size: 3.3 KB. Because a curve with double the key size can store twice as much information in one point, larger key sizes have the theoretical advantage that fewer ciphertext points are produced and therefore fewer operations are done. The first thing we observe is that encryption takes approximately twice as much time as decryption. This is explained by the fact that encryption requires two point multiplications while decryption needs only one. We again see a significant advantage for the prime curves, as in the key-generation test. Furthermore, it can be observed that the efficiency of smaller keys is better than that of larger keys, even though the total number of processed blocks is higher. The slopes of the measurement curves are, however, steeper in the key-generation test. As a general comment, public-key cryptography is in practice not very often used for bulk encryption because of its inferior performance compared to symmetric-key cryptography. Instead, it is usually used to establish a symmetric key, and the actual encryption is done with, for example, AES. We can also see in our results that the efficiency of our implementation is not sufficient to encrypt large files in a reasonable time.

5.3.1 Symmetric Encryption Schemes

The symmetric encryption schemes will be used by the Elliptic Curve Integrated Encryption Scheme. Symmetric encryption schemes are designed to be used by two entities, a sender U and a recipient V, when U wants to send a message M to V confidentially, and V wants to recover M. Here symmetric encryption schemes are described in terms of an encryption operation, a decryption operation, and associated setup and key deployment procedures. U and V should use the scheme as follows when they want to communicate. First, U and V should use the setup and key deployment procedures to establish which options to use the scheme with, and to create a shared secret key K to control the encryption and decryption operations. Then, each time U wants to send a message M to V, U should apply the encryption operation to M under the shared secret key K to compute the encryption, or ciphertext, C of M, and convey C to V. Finally, when V receives C, V should apply the decryption operation to C under K to recover the message M.

5.3.1.1 Scheme Setup

U and V should perform the following setup procedure to use a symmetric encryption scheme: U and V should establish which of the supported symmetric encryption schemes to use. Let ENC denote the encryption scheme chosen, and enckeylen denote the length in octets of the keys used by the scheme.

5.3.1.2 Key Deployment

U and V should perform the following key deployment procedure to use the symmetric encryption scheme: U and V should establish a shared secret key K of length enckeylen octets. K should be chosen randomly or pseudorandomly.

5.3.1.3 Encryption Operation

U should encrypt messages to send to V using the keys and parameters established during the setup procedure and the key deployment procedure as follows:

Input: An octet string M which is the data to be encrypted.

Output: An octet string C which is the ciphertext corresponding to M, or "invalid".

Actions: Compute the ciphertext C as follows:

1. Convert M to a bit string M and K to a bit string K using the conversion routine.
2. Calculate the encryption C of M using the encryption operation of the selected symmetric encryption scheme under the shared secret key K. If the encryption operation outputs "invalid", output "invalid" and stop.
3. Convert C to an octet string C using the conversion routine.
4. Output the octet string C.

5.3.1.4 Decryption Operation

V should decrypt ciphertext from U using the keys and parameters established during the setup procedure and the key deployment procedure as follows:

Input: An octet string C which is the ciphertext.

Output: An octet string M which is the decryption of C, or "invalid".

Actions: Decrypt C as follows:

1. Convert C to a bit string C and K to a bit string K using the conversion routine.
2. Calculate the decryption M of C using the decryption operation of the selected symmetric encryption scheme under the shared secret key K. If the decryption operation outputs "invalid", output "invalid" and stop.
3. Convert M to an octet string M using the conversion routine.
4. Output the octet string M.

5.4 Point Counting with AGM


The first attempt with the AGM algorithm was an implementation of the underlying polynomial multiplication and reduction "from scratch". This was identified as the clear bottleneck, as the runtime for a key size of 300 bits was about 30 minutes. We therefore decided to replace those operations with the ones provided by the NTL library, which resulted in a dramatic performance improvement: the runtime for the same key size was reduced to only a few seconds.


Figure 3: Encryption/Decryption results on a 3.3 KB file.

The initial goal, to be able to generate random curves in only a few seconds, is attained, looking at the results for key sizes up to about 500 bits. As an additional step for curve generation, an early-abort strategy to skip insecure curves [9] would be needed. As described in the reference, a single point counting run dominates the early-abort step, from which we can of the random curve generation approach with AGM.

5.5 Challenge Solution


For testing the correctness of the implementation we were given a test consisting of the following tasks:

1. Generating an elliptic curve over a prime field.
2. Decrypting two messages over a prime field.
3. Decrypting two messages over a binary field.
4. Deciding which message was forged.


Conclusion
After examining the security, implementation and performance of ECC applications on various mobile devices, we can conclude that ECC is the most suitable PKC scheme for use in a constrained environment. Its efficiency and security make it an attractive alternative to conventional cryptosystems, like RSA and DSA, not just in constrained devices, but also on powerful computers. It is, without a doubt, fast being recognized as a powerful cryptographic scheme.

We have implemented the GHS Weil descent attack and the Gaudry-Enge index-calculus method for the HCDLP. We were successful in solving specific discrete logarithm problems in elliptic curves over $\mathbb{F}_{2^{62}}$, $\mathbb{F}_{2^{93}}$ and $\mathbb{F}_{2^{124}}$. Our experiments, though far from being optimized, indicate that our specific logarithm problem in $\mathbb{F}_{2^{155}}$ is tractable. The ECDLP instance over $\mathbb{F}_{2^{155}}$ is the first concrete instance of the ECDLP which resists all previously known attacks, but which can be solved using the Weil descent attack methodology of Frey. While the GHS attack is only known to apply to an insignificant proportion of all elliptic curves over $\mathbb{F}_{2^{155}}$, our results provide some evidence that elliptic curves over $\mathbb{F}_{2^{155}}$ should be used with caution and preferably avoided altogether. We emphasize that our computational results cannot be extended to solve cryptographically.


REFERENCES

[1] IEEE P1363/D8, Annex E. http://grouper.ieee.org/groups/1363/P1363/draft.html, 1998.
[2] IEEE P1363/D13, Annex A. http://grouper.ieee.org/groups/1363/P1363/draft.html, 1999.
[3] B. Schneier. Elliptic Curve Public Key Cryptography. Crypto-Gram Newsletter, November 15, 1999. http://www.counterpane.com/cryptogram-9911.html#EllipticCurvePublicKeyCryptography
[4] Remarks on the Security of the Elliptic Curve Cryptosystem. Certicom whitepaper, September 1997. http://www.certicom.com/research/wecc3.html
[5] Certicom press release. Certicom Announces Elliptic Curve Cryptosystem (ECC) Challenge Winner. November 6, 2002. http://www.certicom.com/about/pr/02/021106_ecc_winner.html


APPENDIX

List of Figures

Fig. No.  Name of Figure                                      Page No.
1         Elliptical curve                                    3
2         Comparison of security level                        8
3         Key pair generation with prime and binary curves    23
4         Encryption and decryption results                   27

