
- Guide to Elliptic Curve Cryptography
- Contents
- List of Algorithms
- List of Tables
- List of Figures
- Acronyms
- Preface
- 1 Introduction and Overview
  - 1.1 Cryptography basics
  - 1.2.3 Elliptic curve systems
  - 1.3 Why elliptic curve cryptography?
  - 1.4 Roadmap
- 2 Finite Field Arithmetic
  - 2.2.1 Addition and subtraction
  - 2.2.2 Integer multiplication
  - 2.2.3 Integer squaring
  - 2.2.4 Reduction
  - 2.2.5 Inversion
  - 2.3.1 Addition
  - 2.3.2 Multiplication
  - 2.3.3 Polynomial multiplication
  - 2.3.4 Polynomial squaring
  - 2.3.5 Reduction
  - 2.4.1 Addition and subtraction
  - 2.4.2 Multiplication and reduction
  - 2.4.3 Inversion
- 3 Elliptic Curve Arithmetic
  - 3.1 Introduction to elliptic curves
  - 3.1.2 Group law
  - 3.1.3 Group order
  - 3.1.4 Group structure
  - 3.2.1 Projective coordinates
  - 3.3 Point multiplication
  - 3.3.1 Unknown point
  - 3.3.2 Fixed point
  - 3.3.3 Multiple point multiplication
  - 3.4 Koblitz curves
  - 3.4.1 The Frobenius map and the ring $\mathbb{Z}[\tau]$
  - 3.4.2 Point multiplication
  - 3.6 Point multiplication using halving
  - 3.6.1 Point halving
  - 3.6.3 Point multiplication
  - 3.7 Point multiplication costs
- 4 Cryptographic Protocols
  - 4.1 The elliptic curve discrete logarithm problem
  - 4.2.3 Determining the number of points on an elliptic curve
  - 4.4 Signature schemes
  - 4.4.1 ECDSA
  - 4.4.2 EC-KCDSA
  - 4.5.1 ECIES
  - 4.5.2 PSEC
  - 4.6.1 Station-to-station
  - 4.6.2 ECMQV
- 5 Implementation Issues
  - 5.1 Software implementation
  - 5.1.1 Integer arithmetic
  - 5.1.5 Timings
  - 5.2 Hardware implementation
  - 5.3 Secure implementation
  - 5.3.1 Power analysis attacks
  - 5.3.2 Electromagnetic analysis attacks
  - 5.3.4 Fault analysis attacks
  - 5.3.5 Timing attacks
- A.1 Irreducible polynomials
- A.2 Elliptic curves
  - A.2.2 Random elliptic curves over $\mathbb{F}_{2^m}$
  - A.2.3 Koblitz elliptic curves over $\mathbb{F}_{2^m}$
- C.1 General-purpose tools
- C.2 Libraries
- Bibliography
- Index
List of Algorithms
| Algorithm | Title | Page |
|---|---|---|
| 1.1 | RSA key pair generation | 7 |
| 1.2 | Basic RSA encryption | 7 |
| 1.3 | Basic RSA decryption | 7 |
| 1.4 | Basic RSA signature generation | 8 |
| 1.5 | Basic RSA signature verification | 8 |
| 1.6 | DL domain parameter generation | 9 |
| 1.7 | DL key pair generation | 9 |
| 1.8 | Basic ElGamal encryption | 10 |
| 1.9 | Basic ElGamal decryption | 10 |
| 1.10 | DSA signature generation | 11 |
| 1.11 | DSA signature verification | 11 |
| 1.12 | Elliptic curve key pair generation | 14 |
| 1.13 | Basic ElGamal elliptic curve encryption | 14 |
| 1.14 | Basic ElGamal elliptic curve decryption | 14 |
| 2.5 | Multiprecision addition | 30 |
| 2.6 | Multiprecision subtraction | 30 |
| 2.7 | Addition in $\mathbb{F}_p$ | 31 |
| 2.8 | Subtraction in $\mathbb{F}_p$ | 31 |
| 2.9 | Integer multiplication (operand scanning form) | 31 |
| 2.10 | Integer multiplication (product scanning form) | 32 |
| 2.13 | Integer squaring | 35 |
| 2.14 | Barrett reduction | 36 |
| 2.17 | Montgomery exponentiation (basic) | 38 |
| 2.19 | Extended Euclidean algorithm for integers | 40 |
| 2.20 | Inversion in $\mathbb{F}_p$ using the extended Euclidean algorithm | 40 |
| 2.21 | Binary gcd algorithm | 41 |
| 2.22 | Binary algorithm for inversion in $\mathbb{F}_p$ | 41 |
| 2.23 | Partial Montgomery inversion in $\mathbb{F}_p$ | 42 |
| 2.25 | Montgomery inversion in $\mathbb{F}_p$ | 43 |
| 2.26 | Simultaneous inversion | 44 |
| 2.27 | Fast reduction modulo $p_{192} = 2^{192} - 2^{64} - 1$ | 45 |
| 2.28 | Fast reduction modulo $p_{224} = 2^{224} - 2^{96} + 1$ | 45 |
| 2.29 | Fast reduction modulo $p_{256} = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$ | 46 |
| 2.30 | Fast reduction modulo $p_{384} = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1$ | 46 |
| 2.31 | Fast reduction modulo $p_{521} = 2^{521} - 1$ | 46 |
| 2.32 | Addition in $\mathbb{F}_{2^m}$ | 47 |
| 2.33 | Right-to-left shift-and-add field multiplication in $\mathbb{F}_{2^m}$ | 48 |
| 2.34 | Right-to-left comb method for polynomial multiplication | 49 |
| 2.35 | Left-to-right comb method for polynomial multiplication | 50 |
| 2.36 | Left-to-right comb method with windows of width $w$ | 50 |
| 2.39 | Polynomial squaring | 53 |
| 2.40 | Modular reduction (one bit at a time) | 53 |
| 2.41 | Fast reduction modulo $f(z) = z^{163} + z^{7} + z^{6} + z^{3} + 1$ | 55 |
| 2.42 | Fast reduction modulo $f(z) = z^{233} + z^{74} + 1$ | 55 |
| 2.43 | Fast reduction modulo $f(z) = z^{283} + z^{12} + z^{7} + z^{5} + 1$ | 56 |
| 2.44 | Fast reduction modulo $f(z) = z^{409} + z^{87} + 1$ | 56 |
| 2.45 | Fast reduction modulo $f(z) = z^{571} + z^{10} + z^{5} + z^{2} + 1$ | 56 |
| 2.47 | Extended Euclidean algorithm for binary polynomials | 58 |
| 2.48 | Inversion in $\mathbb{F}_{2^m}$ using the extended Euclidean algorithm | 58 |
| 2.49 | Binary algorithm for inversion in $\mathbb{F}_{2^m}$ | 59 |
| 2.50 | Almost Inverse Algorithm for inversion in $\mathbb{F}_{2^m}$ | 60 |
| 2.54 | Reduction modulo $M = B^n - c$ | 64 |
| 2.59 | OEF inversion | 69 |
| 3.21 | Point doubling ($y^2 = x^3 - 3x + b$, Jacobian coordinates) | 91 |
| 3.22 | Point addition ($y^2 = x^3 - 3x + b$, affine-Jacobian coordinates) | 91 |
| 3.23 | Repeated point doubling ($y^2 = x^3 - 3x + b$, Jacobian coordinates) | 93 |
| 3.24 | Point doubling ($y^2 + xy = x^3 + ax^2 + b$, $a \in \{0, 1\}$, LD coordinates) | 94 |
| 3.25 | Point addition ($y^2 + xy = x^3 + ax^2 + b$, $a \in \{0, 1\}$, LD-affine coordinates) | 95 |
| 3.26 | Right-to-left binary method for point multiplication | 96 |
| 3.27 | Left-to-right binary method for point multiplication | 97 |
| 3.30 | Computing the NAF of a positive integer | 98 |
| 3.31 | Binary NAF method for point multiplication | 99 |
| 3.35 | Computing the width-$w$ NAF of a positive integer | 100 |
| 3.36 | Window NAF method for point multiplication | 100 |
| 3.38 | Sliding window method for point multiplication | 101 |
| 3.40 | Montgomery point multiplication (for elliptic curves over $\mathbb{F}_{2^m}$) | 103 |
| 3.41 | Fixed-base windowing method for point multiplication | 104 |
| 3.42 | Fixed-base NAF windowing method for point multiplication | 105 |
| 3.44 | Fixed-base comb method for point multiplication | 106 |
| 3.45 | Fixed-base comb method (with two tables) for point multiplication | 106 |
| 3.48 | Simultaneous multiple point multiplication | 109 |
| 3.50 | Joint sparse form | 111 |
| 3.51 | Interleaving with NAFs | 112 |
| 3.61 | Computing the TNAF of an element in $\mathbb{Z}[\tau]$ | 117 |
| 3.62 | Division in $\mathbb{Z}[\tau]$ | 118 |
| 3.63 | Rounding off in $\mathbb{Z}[\tau]$ | 118 |
| 3.65 | Partial reduction modulo $\delta = (\tau^m - 1)/(\tau - 1)$ | 119 |
| 3.66 | TNAF method for point multiplication on Koblitz curves | 119 |
| 3.69 | Computing a width-$w$ TNAF of an element in $\mathbb{Z}[\tau]$ | 123 |
| 3.70 | Window TNAF point multiplication method for Koblitz curves | 123 |
| 3.74 | Balanced length-two representation of a multiplier | 127 |
| 3.77 | Point multiplication with efficiently computable endomorphisms | 129 |
| 3.81 | Point halving | 131 |
| 3.85 | Solve $x^2 + x = c$ (basic version) | 133 |
| 3.86 | Solve $x^2 + x = c$ | 134 |
| 3.91 | Halve-and-add $w$-NAF (right-to-left) point multiplication | 138 |
| 3.92 | Halve-and-add $w$-NAF (left-to-right) point multiplication | 139 |
| 4.3 | Pollard’s rho algorithm for the ECDLP (single processor) | 159 |
| 4.5 | Parallelized Pollard’s rho algorithm for the ECDLP | 161 |
| 4.14 | Domain parameter generation | 174 |
| 4.15 | Explicit domain parameter validation | 175 |
| 4.17 | Generating a random elliptic curve over a prime field $\mathbb{F}_p$ | 176 |
| 4.18 | Verifying that an elliptic curve over $\mathbb{F}_p$ was randomly generated | 176 |
| 4.19 | Generating a random elliptic curve over a binary field $\mathbb{F}_{2^m}$ | 177 |
| 4.21 | Verifying that an elliptic curve over $\mathbb{F}_{2^m}$ was randomly generated | 177 |
| 4.22 | Generating a random elliptic curve over an OEF $\mathbb{F}_{p^m}$ | 178 |
| 4.23 | Verifying that an elliptic curve over $\mathbb{F}_{p^m}$ was randomly generated | 178 |
| 4.24 | Key pair generation | 180 |
| 4.25 | Public key validation | 181 |
| 4.26 | Embedded public key validation | 181 |
| 4.29 | ECDSA signature generation | 184 |
| 4.30 | ECDSA signature verification | 184 |
| 4.36 | EC-KCDSA signature generation | 187 |
| 4.37 | EC-KCDSA signature verification | 187 |
| 4.42 | ECIES encryption | 189 |
| 4.43 | ECIES decryption | 190 |
| 4.47 | PSEC encryption | 191 |
| 4.48 | PSEC decryption | 191 |
| 4.50 | Station-to-station key agreement | 194 |
| 4.51 | ECMQV key agreement | 195 |
| 5.3 | Most significant bit first (MSB) multiplier for $\mathbb{F}_{2^m}$ | 230 |
| 5.4 | Least significant bit first (LSB) multiplier for $\mathbb{F}_{2^m}$ | 231 |
| 5.5 | Digit-serial multiplier for $\mathbb{F}_{2^m}$ | 234 |
| 5.6 | Inversion in $\mathbb{F}_{2^m}$ ($m$ odd) | 237 |
| 5.7 | SPA-resistant left-to-right binary point multiplication | 242 |
| 5.8 | RSA-OAEP encryption | 246 |
| 5.9 | RSA-OAEP decryption | 247 |
| A.1 | Testing a polynomial for irreducibility | 258 |