Internet.Security

The square of the integers in Z13 for modulo 13 is computed as:

{12, 22, 32, . . . , 112, 122} (mod 13) = {1, 3, 4, 9, 10, 12}

Hence the quadratic nonresidues modulo 13 are {2, 5, 6, 7, 8, 11}. Now you can see that the set Z13 = {1, 2, 3, . . . , 12} is equally divided into quadratic residues and nonresidues. In general, there are precisely (p − 1)/2 quadratic residues and (p − 1)/2 quadratic nonresidues of p.

Euler’s criterion

Let p be an odd prime and gcd(z, p) = 1. Using Fermat’s theorem zp−1 ≡ 1 (mod p), or − 1 ≡ 0 (mod p), it gives (z(p−1)/2 − 1)(z(p−1)/2 + 1) ≡ 0 (mod p) from which z is a quadratic residue of p if z(p−1)/2 ≡ 1 (mod p); and a quadratic nonresidue of p if and

only if z(p−1)/2 ≡ −1 (mod p).

Legendre symbol (z/p)

If p > 2 is a prime, 0 < z < p, and gcd(z, p) = 1, the Legendre symbol (z/p) is a characteristic function of the set of quadratic residues modulo p as follows:

is a quadratic residue for a given value of x. If z is a quadratic residue, then y can be computed by solving y2 ≡ z (mod 17).

For x = 0, then z = 5. Hence 5(p−1)/2 (mod z) ≡ 58 (mod 17) ≡ 16 (mod 17) ≡ −1 (quadratic nonresidue)

For x = 1, then z = 12. Hence 128 (mod 17) ≡ 16 (mod 17) ≡ −1 (quadratic nonresidue) For x = 2, then z = 25. Hence 258 (mod 17) ≡ 1 (quadratic residue)

Then, solving y2 ≡ 25 (mod 17), we obtain y = 5 and y = 12. Two points on the elliptic curve are found as (x, y): (2, 5) and (2, 12).

Check: 52 (mod 17) = 25 (mod 17) ≡ 8 and 122 (mod 17) = 144 (mod 17) ≡ 8. Hence, y = 5 and y = 12 are checked as two solutions.

Continuing in this way, the quadratic residues and the remaining points on the EC can be computed as shown in Table 5.11.

Let EC be an elliptic curve over Zp. Hasse states that the number of points on an elliptic curve, including the point at infinity O, is #EC(Zp) = p + 1 − t where |t| 2√p.

#EC(Zp) is called the order of EC and t is called the trace of EC.

192 INTERNET SECURITY

Table 5.11 Quadratic residues and points on EC y2 = x3 + 6x + 5 = z over Z17

Example 5.17 Let EC be the elliptic curve y2 ≡ x3 + x + 6 over Z11. All points on EC can be determined as:

EC(Z11) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9),

(7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9)} {O}

Any point other than the point at infinity can be a generator G of EC. If we pick G = (8, 3) as the generator, the multiples of G can be computed as follows:

and y3 = −9 + 5 (7 − 10) (mod 11) ≡ 9. Hence 3G = (10, 9).

Continuing in this way, the remaining multiples are computed as shown below:

The generator G = (8, 3) is called a primitive element that generates the multiples.

Elliptic curve over finite field GF(2m)

An elliptic curve over GF(2m) is defined by the following equation:

y2 + xy = x3 + ax 2 + b

of infinite O.

Addition

Adding points on an EC over GF(2m) will give a third EC point. The set of EC points forms a group with O (point of infinity) serving as its identity. The algebraic formula for the sum of two points and the doubling point are defined as follows:

1. If P EC(GF(2m)), then P + (−P ) = O, where P = (x, y) and −P = (x, x + y) are indeed the points on the EC.

2.If P and Q (but P = Q) are the points on the EC(GF(2m)), then P + Q = P (x1, y1) +

Q(x2, y2) = R(x3, y3), where x3 = λ2 + λ + x1 + x2 + a and y3 = λ(x1 + x3) + x3 +

y2 + xy = x3 + α4x2 + 1

Check whether one element (α3, α8) satisfies the EC equation over GF(24).

(α8)2 + (α3)(α8) = (α3)3 + α4(α3)2 + 1

α16 + α11 = α9 + α10 + 1

(0100) + (0111) = (0101) + (1110) + (1000)

(0011) = (0011)

Thus, the points on the EC(GF(24)) are O (point at infinity) and the following 15 elements:

= α12 + α13 + α10 = (1010) = α8

Hence 2P = R(x3, y3) = (α10, α8)

5.6.2Elliptic Curve Cryptosystem Applied to the ElGamal Algorithm

As an application problem to ECC, consider the ElGamal public-key cryptosystem based on the elliptic curve defined over the prime field Zp. The ElGamal crypto-algorithm is based on the discrete logarithm problem. Referring to Table 5.5 for the ElGamal encryption algorithm, choose a prime p such that the discrete logarithm problem in Zp is intractable, and let α be a primitive element of Zp . The values of p, α and y are public, and x is secret.

y ≡ αx (mod p)

Choose a random number k such that gcd(k, p − 1) = 1. Then the encryption process of the message m, 0 m p − 1, is accomplished by the following pair (r, s):

Many public-key algorithms, such as Diffie – Hellman, ElGamal and Schnorr, can be implemented in elliptic curves over finite fields.

Example 5.20 Suppose user B generates a private key eB = 10 and picks a base point G = (8, 3) as a generator on the EC y2 ≡ x3 + x + 6 over Z11. Then B’s public key becomes (G, eBG) = ((8, 3), 10(8, 3)) = ((8, 3), (10, 2)).

User A wishes to send the plaintext X = (2, 4) and chooses a random number k = 5. Compute the ciphertext Y = (x, y), x, y EC

Where x = kG = 5(8, 3) = (5, 2),

y= X + k(eBG) = (2, 4) + 5(10, 2) = (2, 4) + (7, 2) = (7, 9)

Send Y = (x, y) = ((5, 2), (7, 9)) to B.

B receives Y and decrypts it as follows:

X= y − eB x

= (7, 9) − 10(5, 2) = (7, 9) + (7, 9) = (2, 4)

Thus, the correct plaintext X is recovered by decryption.

5.6.3Elliptic Curve Digital Signature Algorithm

The Elliptic Curve Digital Signature Algorithm (ECDSA) was first proposed by Scott Vanstone in 1992 and was accepted in 1999 as an ANSI standard and in 2000 as IEEE and NIST standards. ECDSA is the elliptic curve analogue of DSA (see Section 5.5). Elliptic Curve Cryptosystems (ECCs) are viewed as elliptic curve analogues to the conventional discrete logarithm cryptosystems in which the subgroup of Zp is replaced by the group of points on an elliptic curve over a finite field. The security of elliptic curve cryptosystems is based on the computational intractability of the elliptic curve discrete logarithm problem. The ECDSA signature and verification algorithms are presented in this section.

Procedures for generating and verifying signatures using ECDSA are described in the following.

Domain parameters

The domain parameters for ECDSA consist of a proper elliptic curve, EC, defined over a prime field Zp of characteristic p, or an extension field GF(2m) of characteristic 2 and a base point G EC(Zp). The order of the underline finite field Zp or GF(2m) is p or 2m. A set of EC domain parameters is comprised of:

D = (q, FR, a, b, G, n, λ)

where q: A field size eitherp or 2m

FR: Field representation used for elements of Zp or GF(2m) a, b Zp or GF(2m): Two field elements that define an elliptic curve EC:

y2 = x3 + ax2 + b over Zp, p > 3

y2 + xy = x3 + ax2 + b over GF(2m), p = 2m

G: The base point,G < EC (Zp or GF(2m))

n: The order of the point G, with n > 2160 (ANSI X.9.62) and n > 4√q λ: The cofactor is defined as λ = #EC(Zp or GF(2m))/n.

Generation and verification of a random elliptic curve

The method for verifiably generating an elliptic curve at random is presented here to give some assurance regarding the possible future discovery of new and rare classes of weak elliptic curves.

The Case Zp

Input: A field size p (an odd prime)

Output: A bit string E of length g 160 bits and field elements a, b Zp that define an elliptic curve EC: y2 = x3 + ax 2 + b over Zp.

ALGORITHM

1.Choose an arbitrary bit string E of length g 160 bits.

2.Compute the hash code h = SHA-1(E) and let c0 be the bit stream of length v bits

obtained by taking the v rightmost bits of h, where v = t − 160 × s, t = log2 b and s = (t − 1)/160 .

3.W0 is the v-bit stream taken by setting the leftmost bit of c0 to zero.

4.The integer z whose binary expansion is the g-bit stream E.

5.For i from 1 to s: Let si be the g-bit string of the integer (z + i) mod 2g . Compute Wi = SHA-1(si ).

6.W is the bit string obtained by concatenation: W = W0||W1|| . . . ||Ws .

7.r is the integer whose binary expansion is W .

8.If r = 0 or 4r + 27 ≡ 0 (mod p), then go to step 1.

9.Choose a = 0, b = 0 Zp such that rb2 ≡ a3 (mod p). If this condition is met, then accept; otherwise reject.

10.Output (E, a, b).

11. If the bit string is W = W0||W1|| . . . ||Ws and r is the integer whose binary expansion

ALGORITHM

1.Choose an arbitrary bit string E of length g 160 bits.

2.Compute the hash code h = SHA-1(E) and let b0 be the bit string of length v bits obtained by taking the v rightmost bits of h.

3.Let z be the integer whose binary expansion is the g-bit stream E.

4. For i from 1 to s: Let si be the g-bit string of the integer (z + i) mod 2g . Compute bi = SHA-1(si ).

Compute the message digest h = SHA-1(m) of the message m and convert this bit string to an integer e.

Compute the following steps:

•w ≡ s−1 (mod n)

•u1 ≡ ew (mod n) and u2 ≡ rw (mod n)

•X = u1G + u2Q.

If X = O, reject the signature. Otherwise, convert the X coordinate x1 of x to an integer x1, and compute v ≡ x1 (mod n). Finally, accept the signature if and only if v = r.

Example 5.21 User A uses the EC y2 ≡ x3 + x+ 6 over Z11. Choose the key pair (d, Q) in which d = 2 (A’s private key), Q = (7, 9) (A’s public key) and k = 5 (a random integer). G = (8, 3). Compute the following steps:

kQ = 5(7, 9) = (10, 2) from which r = x1 = 10.

k−1 = 8 is the multiplicative inverse of k ≡ 5 (mod 13).

Suppose the message digest h = SHA-1(m) = 8 is an converted integer e. Compute s ≡ k−1(e + dr) (mod13)

≡ 8(8 + 2 × 10) (mod 13) ≡ 8(28) (mod 13) ≡ 3

Thus, A’s signature for m is (r, s) = (10, 3).

To verify A’s signature (r, s) on m, the following computations are required: w ≡ s−1 ≡ 3−1 (mod 13) ≡ 9

u1 ≡ ew (mod 13) ≡ 8 × 9 (mod 13) ≡ 7 u2 ≡ rw (mod 13) ≡ 10 × 9 (mod 13) ≡ 12

X = u1G + u2Q = 7(8, 3) + 12(7, 2) = (3, 5) + (2, 7) = (10, 9)

Since v = 10 = r, the signature is accepted.

Section 5.6 has covered the conceptual, but unified, presentation of the elliptic curve cryptosystems. It should be a helpful guide for the beginner to understand what the ECC algorithms are all about.