1

Project in Computer Security

Efficient generation of cryptographically strong elliptic

curves

Shahar PapiniMichael Krel Instructor : Barukh

Ziv

2

Preface

The project objective is to provide an efficient algorithm for creation of cryptographically strong elliptic curve for various cryptographical purposes. (Basically anything that uses a group structure and relies on the difficulty of discrete logarithm)

3

Introduction

Public-key cryptography is based on the intractability of certain mathematical problems. Early schemes such as Diffie-Hellman rely on the difficulty of the Discrete Logarithm Problem for a finite field F[p].

Although no known polynomial time algorithms are known for this problem, a few sub-exponential algorithms exist. That’s where Elliptic curves come into the picture.

4

Introduction

Elliptic curve introduce a group structure, where no known sub-exponential algorithms are known for the Discrete Logarithm Problem. Moreover, the basic action on this group is much more complex then in the F[p] case.

For comparison between encryption using F[p] (e.g. RSA), and using EC, to achieve the same level of security we will need 256-bit key size for EC, where RSA will need 3072-bit public keys.

5

Elliptic Curves

An elliptic curve is the locus of points over the field (usually F[p]) which hold the equation :

These points form a group under the following group action (for distinct x values):

BAxxy 32

13112

1221

2

12

122211 )(,),(),( yxx

xx

yyxx

xx

yyyxyx

6

Elliptic Curves

The intuition behind this definition is the following:

7

Strong Elliptic Curves

The strength of an elliptic curve is determined by its order.

Elliptic curve will be called strong if its order is n∙p where p is a large prime and n is a small number (usually less than 10).

Finding the order of an elliptic curve is difficult problem.

The goal of our project is to be able to generate such elliptic curves in an efficient manner.

8

Approaches

There are two main approaches to the problem of generating strong elliptic curves:

Point counting: The idea behind this approach is to randomly generate curves of the desired field, and count its order using Point Counting algorithms(usually slow).

Complex multiplication: Here, we try to anticipate from advanced the desired order of the curve, and using this, generate a curve accordingly. Unlike the former method, we will not be able to generate every possible curve, only curves from some constrained subset.

9

Chosen approach

We chose the Complex Multiplication approach. We had a few reasons:

Point counting algorithms are slower than the CM algorithms and since we want the fastest way to create elliptic curve we must choose the faster method.

We saw that we have more room for exploring the CM algorithm.

10

Project Goals

Generation of strong elliptic curves of 200-300 bit in a few seconds.

Encryption and decryption of data around 3 kilobytes in less than 5 seconds.

11

ImplementationPoint Representation

There are three ways to represent points on the elliptic curve.

1. The standard method is to save the coordinates as they are (X,Y) that they hold the elliptic curve equation:

2. The Jacobian projective coordinates that save three numbers for each point (X,Y,Z) where the standard coordinates are (X/Z²,Y/Z³).

3. The compressed method which saves only sign and X value. From the equation we can calculate Y². There are two corresponding Y values, that differ by sign alone. So, we keep the sign as well.

BAxxy 32

12

ImplementationPoint Representation

We used the jacobian method for all the computations for points on the curve. In this method the calculations are more efficient than in the other methods.

In the encryption the cipher text (represented by group points) we used compressed coordinates in order to reduce the file size.

13

ImplementationComplex Multiplication

General idea: with a given prime P and a negative Discriminant D we seek a solution for the diophantic equation :

If a solution exists, then we can construct two elliptic curves of orders

If one of the orders is cryptographically strong we construct an elliptic curve with such order using a root modulo p of the Hilbert class polynomial corresponding to D.

224 Dvup

up 1

14

ImplementationClass polynomials

Calculating Hilbert class polynomials takes a great amount of time since the coefficients are very big numbers (magnitude of P).

To avoid that problem we constructed Weber class polynomials, found a root modulo P and converted it to a root modulo P of the corresponding Hilbert class polynomial.

Using the Weber polynomials we avoid the coefficients problem since the Weber coefficients are much smaller.

15

ImplementationEncryption & Decryption

We use the El-Gamal algorithm. To generate a key, first find a point P on

an elliptic curve. Then generate a random integer s. (P, s) is the private key. (P, sP) is the public key. To send a message M, one finds a random integer k, and transmits (M+k(sP), kP). To decrypt, we calculate (M+k(sP))–s(kP).

16

Key generation

Pick a random prime p

Pick a proper descriminant Dless than 2000

Solve 4p=u 2-Dv 2

Check if either p-1+u or p-1-uis a strong order

Calculate Weber polynomialof order D, modulo p

Find a root and transform intoa Hilbert polynomial root

Find corresponding curveparameters

Find a point on the curvewith a large order

Out of proper D values

No solution

No

17

ElGamal

18

Results

1 2 3 4 5 6 7 8 9 10 110

1

2

3

4

5

6

7

8

9

2.7

1.6

2.9

3.73.73.3

3.5

7.87.5

0.81.1

0.8

1.4

0.80.90.9

2.1

2.6

0.30.30.20.40.3

0.50.40.60.6

200b300b400b

Max Divisor

Seconds

EC generation time

19

Results

0 500 1000 1500 2000 2500 3000 3500 4000 45000

1

2

3

4

5

6

7

Encryption time

200b300b400b

Message size in bytes

Seconds

20

Results

0 500 1000 1500 2000 2500 3000 3500 4000 45000

0.5

1

1.5

2

2.5

3

3.5

Decryption time

200b300b400b

Message size in bytes

Seconds

21

Platform

The project is designed to work on Windows and we written in C++.

We used two external libraries for cpp: NTL which handles big integers and integers

modulo P. We used this library since we needed to handle with 200-300 bit numbers.

ARPREC which handles big floats with arbitrary precision. This library handles with complex numbers which we use to construct Weber class polynomials.

22

Bibliography

Guide To Elliptic Curve Cryptography – Hankerson Prime numbers a computational perspective -

Crandall Elliptic Curves Number Theory and Cryptography -

Lawrence C. Washington On the Use of Weber Polynomials in Elliptic Curve

Cryptography – Konstantinou, Stamatiou , Zaroliagis Elliptic curves and primality proving – Atkin, Morain A Course in Computational Algebraic Number

Theory - Henri Cohen On the Efficient Generation of Elliptic Curves over

Prime Fields - Konstantinou, Stamatiou , Zaroliagis IEEE P1363 / D13

23

Questions?