Elliptic Curve Cryptography

Dr. Modi Chirag N.

Assistant Professor
Computer Engineering Department
National Institute of Technology Goa
cnmodi@[Link]
 ECC
In 1985, Neal Koblitz [2] & Victor Miller [3] independently proposed using
ECs to design public key cryptographic systems.
In the late 1990`s, ECC was standardized by a number of organizations and
it started receiving commercial acceptance.
Nowadays, it is mainly used in the resource constrained environments,
such as ad-hoc wireless networks and mobile networks.
There is a tend that conventional public key cryptographic systems are
gradually replaced with ECC systems.
As computational power evolves, the key size of the conventional systems is
required to be increased dramatically.

03/14/2025 Dr. Chirag N Modi, NIT Goa 2

 EC
Elliptic curves are not ellipses (the name comes
from elliptic integrals)
Circle
x2 + y2 = r2
Ellipsis
a·x2 + b·y2 = c
Elliptic curve
y2 = x3 + a·x + b

03/14/2025 Dr. Chirag N Modi, NIT Goa 3

 EC

03/14/2025 Dr. Chirag N Modi, NIT Goa 4

 EC: Operations- Geometric Approach

03/14/2025 Dr. Chirag N Modi, NIT Goa 5

 EC: Operations- Algebraic Approach
Point Addition (if p ≠ Q) Suppose any point p(x,y)
R=P+Q on EC
s = (yP – yQ) / (xP – xQ) Then –p=(x,-y)
xR = s2 – xP – xQ If Q=O then P+Q=P
yR = -yP + s(xP – xR) If Q=-P then P+Q=O
Point Doubling If Q=P then P+Q=R, where
R = 2·P • s = (3x2p+a)/ 2yp
• xR = s2 – 2xP
s = (3·xP2 + a) / (2·yP)
• yR = -yP + s(xP – xR)
xR = s2 – 2·xP
yR = -yP + s(xP – xR)

03/14/2025 Dr. Chirag N Modi, NIT Goa 6

 ECC
Elliptic curves are used to construct the public key
cryptography system
The private key d is randomly selected from [1,n-1], where n is
integer.
Then the public key Q is computed by dP, where P,Q are points
on the elliptic curve.
Like the conventional cryptosystems, once the key pair (d, Q) is
generated, a variety of cryptosystems such as signature,
encryption/decryption, key management system can be set up.
Computing dP is denoted as scalar multiplication.
It is not only used for the computation of the public key but
also for the signature, encryption, and key agreement in the
ECC system.

03/14/2025 Dr. Chirag N Modi, NIT Goa 7

 Elliptic Curve Deffie-Hellmen (ECDH)
Consistency: K=nAQB=nAnBP=nBQA
Like DH but uses addition instead of exponentiation

03/14/2025 Dr. Chirag N Modi, NIT Goa 8

 Elliptic Curve Digital Signature Algorithm (ECDSA)

ECDSA key pair generation:

1. Entity A selects an elliptic curve E defined over Zp. The number of points
in E(Zp) should be divisible by a large prime I.
2. Select a point P = E(Zp) of order I.
3. Select a statistically unique and unpredictable integer d in the interval
[1, I-1].
4. Compute Q = dP.
5. A’s public key is (E, P, I, Q). A’s private key is d.

03/14/2025 Dr. Chirag N Modi, NIT Goa 9

 Elliptic Curve Digital Signature Algorithm (ECDSA)

Signature Generation:
1. Entity A selects a statistically unique and unpredictable integer k in the interval
[1, I-1].
2. Compute kP = (x, y) and r = x mod I. To avoid a security condition, r should not
equal 0. If r = 0 go to step 1.
3. Compute s = k-1 {h(m) + dr} mod n. h is the Secure Hash Algorithm (SHA-1).
4. If s = 0, then go to Step 1. If s=0, then s-1 mod n does not exist and s-1 is required
in the signature verification process
5. The signature for the message m is the pair of integers (r, s).

03/14/2025 Dr. Chirag N Modi, NIT Goa 10

 Elliptic Curve Digital Signature Algorithm (ECDSA)

Signature Verification
1. Entity B obtains an authentic copy of Entity A’s public key (E, P, I, Q).
2. Verify that r and s are integers in the interval [1, I-1].
A’s public key (E,P,I,Q)
3. Compute w = s-1 mod I and h(m).
4. Compute u1 = h(m)w mod I and u2 = rw mod I.
Verify r,s are in [1,I-1]
5. Compute u1P + u2Q = (x0, y0) and v = x0 mod I.
6. Entity B accepts the signature if and only if v =r. Compute w = s-1 mod I and h(m)

Compute u1 = h(m)w mod I and u2 = rw mod I

Compute u1P + u2Q = (x0, y0) and v = x0 mod I

accepts the signature if and only if v =r

03/14/2025 Dr. Chirag N Modi, NIT Goa 11

 ECC: Security Strength
The discrete logarithm problem for ECC is the inverse of point multiplication
Point multiplication is simply calculating Q=kP, where k is an integer and P is a
point on the curve
Given points P and Q, find a number k such that k·P = Q
P is the base point on a specific, published curve
Q is the public key
k is the private key (very large prime number)
With doubling, we can go from P to 2·P
With addition, we can go from 2·P to 3·P
Determining the point k·P in this way is referred to as the scalar
multiplication of a point
Scalar multiplication is intractable
Elliptic Curve Discrete Logarithm Problem
k is the discrete logarithm of Q to the base P
Brute force attacks range up to 3x1057 operations by a stepping process
Applies to NIST-defined P192 curve

03/14/2025 Dr. Chirag N Modi, NIT Goa 12

 ECC: Security Strength
Implementation allows for a significant reduction in key
size
ECC key of 163 bits is equivalent to RSA key of 1024 bits
ECC key of 256 bits is equivalent to RSA key of 3072 bits
ECC’s main advantage: as key length increases, so does
the difficulty of the inversion process
Smaller key size
Faster than RSA
Good for handhelds and cell phones
NIST recommends p selections of 192,224,256,384,and
521 for use in government applications

03/14/2025 Dr. Chirag N Modi, NIT Goa 13

 ECC Security

03/14/2025 Dr. Chirag N Modi, NIT Goa 14

 Certicom Challenges
Level-I Challenges: 109-bit (Solved in 2004) & 131-bit
(needs more resources)
Level-II Challenges: 163, 191, 239, 259 – bit
All Level II challenges are believed to be computationally
infeasible (
[Link]
llenge
)
The Certicom ECC Challenge was preceded by three
Exercises:
79-bit:SOLVED December 1997
89-bit: SOLVED February 1998
97-bit: SOLVED September 1999
03/14/2025 Dr. Chirag N Modi, NIT Goa 15
 Security Issues
The best algorithm known to date is Pollard rho-method which takes about
 n / 2 steps, where a step is an elliptic curve addition.
Software attacks

1 MIPS-year would be equal to: (1,000,000 instructions/second) •

(86400 seconds/day) • (365 days/year), or approximately
31.5 trillion instructions.
1 MIPS-year is about 0.365 GHz-days, so 1 GHz-day is about 2.74 MIPS-
years
Hardware attacks
Build a hardware for a parallel search using Pollard rho-method.

03/14/2025 Dr. Chirag N Modi, NIT Goa 16

 Advantages & Drawbacks
Advantages of ECC
Equivalent ECC key size is 160 bits as compared to 1024 bit size of
RSA
ECC does not require prime numbers and exponential processing
for encryption.
ECC offers considerable bandwidth savings when being used to
transform short messages
Disadvantage
ECC is mathematically more difficult to explain to client
Confidence level in ECC is not as high as RSA

03/14/2025 Dr. Chirag N Modi, NIT Goa 17

 Applications
Implementations of ECC are particularly beneficial in
applications where bandwidth, processing capacity, power
availability, or storage is constrained.
Such applications include:
Wireless transactions
Handheld computing
Broadcast
Smart card applications
Data Storage in Cloud Computing
Big Data Security Analytics
Privacy Preserving Distributed Mining

03/14/2025 Dr. Chirag N Modi, NIT Goa 18

 Reference Material
Darrel Hankerson, Julio Lopez Hernandez, Alfred Menezes, Software Implementation of
Elliptic Curve Cryptography over Binary Fields, 2000, Available at
[Link]
M. Brown, D. Hankerson, J. Lopez, A. Menezes, Software Implementation of the NIST Elliptic Curves Over
Prime Fields, 2001, Available at [Link]
Certicom, Standards for Efficient Cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September
2000, Available at [Link]
Certicom, Standards for Efficient Cryptography, SEC 2: Recommended Elliptic Curve Domain Parameters,
Version 1.0, September 2000, Available at [Link]
W. Diffie and M. Hellman: New Directions in Cryptography. IEEE Transactions on Information Theory, 22:644-
654,1976.
N. Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203–209,1987.
V. Miller. Use of elliptic curves in cryptography. Advances in Cryptology—CRYPTO ’85 (LNCS 218) [483], 417–
426, 1986.
G. Faltings (July 1995): The Proof of Fermat's Last Theorem by R. Taylor and A. Wiles. Notices of the AMS 42
(7): 743–746. ISSN 0002-9920. July 1995.
I. Blake, G. Seroussi, and N. Smart: Elliptic Curves in Cryptography. Cambridge, U.K.: Cambridge University
Press, 1999, vol 265. J. Lopez and R. Dahab: Improved algorithms for elliptic curve arithmetic in GF(2n).
Selected Areas in Cryptography—SAC ’98 (LNCS 1556) [457], 201–212, 1999.
A. Fernandes: Elliptic Curve cryptography. Dr. Dobb’s Journal, December 1999.
RSA Laboratory: FAQ. [Link]
D. Hankerson, A. Menezes, and S. Vanstone: Guide to Elliptic Curve Cryptography. Springer, 2004.

03/14/2025 Dr. Chirag N Modi, NIT Goa 19