points of high order on elliptic curves - diva...

!

Points of High Order on Elliptic Curves ECDSA

Independent thesis advanced level (degree of master (two years))

Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov Date: 2016-11-22 Course Code: 5MA41E Subject: Mathematics Level: Master degree

Department Of Technology

Abstract

This master thesis is about Elliptic Curve Digital Signature Algo-rithm or ECDSA and two of the known attacks on this security system.The purpose of this thesis is to find points that are likely to be points ofhigh order on an elliptic curve. If we have a point P of high order andif Q = mP , then we have a large set of possible values of m. Thereforeit is hard to solve the Elliptic Curve Discrete Logarithm Problemor ECDLP. We have investigated on the time of finding the solution ofECDLP for a certain amount of elliptic curves based on the order of thepoint which is used to create the digital signatures by those elliptic curves.

Method : Algebraic Structure of elliptic curves over finite fields and Dis-crete logarithms. This has been done by two types of attacks namelyBaby Step, Giant Step and Pollard’s Rho and all of the program-ming parts has been done by means of Mathematica.

Conclusion: We have come into a conclusion of having the probable goodpoints which are the points of high order on elliptic curves through thementioned attacks in which solving the ECDLP is harder if these pointshave been used in generating the digital signature. These probable goodpoints can be estimated by means of a function we have come up with.The input of this function is the order of the point and the output is thetime of finding the answer of ECDLP.

Keywords: Digital signature (DS.), Elliptic Curve Digital Signature Algorithm(ECDSA), Elliptic Curve Discrete Logarithm Problem (ECDLP), Baby Step,Giant Step (Bs.Gs.), Pollard’s Rho.

Master Thesis

Acknowledgements

I would like to thank my supervisor, Per-Anders Svensson for an amazing su-pervision. I thank him for his patience and his massive help through this masterthesis.

I also thank my husband for his encouragement and infinite support besides hisunconditional love.

Eventually, I appreciate all of those who has been working on the related subjectand has been trying to improve it.

Behnaz Kouchaki Barzi 2

List of Tables

1 The table of Double-and-Add example. . . . . . . . . . . . . . . . 242 Multiple of the point P . . . . . . . . . . . . . . . . . . . . . . . . 303 List of Q− jmP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304 The table of Pollard’s Rho example. . . . . . . . . . . . . . . . . 335 Order Of Points Pi. . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Order Of Points Pi. . . . . . . . . . . . . . . . . . . . . . . . . . . 367 The Table of Bs.Gs. for 100 Curves with Only One Q. . . . . . . 37

3

List of Figures

1 The story of sending secret messages . . . . . . . . . . . . . . . . 92 Generation and Verification of Digital Signature [13]. . . . . . . . 163 Addition of Points on an Elliptic Curve[13]. . . . . . . . . . . . . 194 Addition of Points on an Elliptic Curve [13]. . . . . . . . . . . . . 205 Addition of Points on an Elliptic Curve [13]. . . . . . . . . . . . . 216 Baby Step, Giant Step for 30 different Q. . . . . . . . . . . . . . 367 Baby Step, Giant Step for Only One Q. . . . . . . . . . . . . . . 378 Time Limit/ Baby Step, Giant Step. . . . . . . . . . . . . . . . . 399 Time Limit/ Baby Step, Giant Step. . . . . . . . . . . . . . . . . 3910 Time Limit/ Baby Step, Giant Step. . . . . . . . . . . . . . . . . 4011 Time Limit/ Baby Step, Giant Step. . . . . . . . . . . . . . . . . 4012 Final Time Limit/ Baby Step, Giant Step. . . . . . . . . . . . . 4113 The graph of the Bs.Gs. according to the real data. . . . . . . . 4114 The graph of the data according to the function (Bs.Gs). . . . . 4215 The combination of the last two graphs (Bs.Gs). . . . . . . . . . 4216 Time Limit/ Pollard’s Rho. . . . . . . . . . . . . . . . . . . . . . 4317 Time Limit/ Pollard’s Rho. . . . . . . . . . . . . . . . . . . . . . 4418 Final Time Limit/ Pollard’s Rho. . . . . . . . . . . . . . . . . . 4419 The graph of the Pollard’s Rho according to the real data. . . . . 4520 The graph of the data according to the function (Pollard’s Rho). 4521 The combination of the last two graphs (Pollard’s Rho). . . . . . 46

4

Contents1 Introduction 6

2 Background 82.1 A brief history and some Terminology. . . . . . . . . . . . . . . . 82.2 The Discrete Logarithm Problem . . . . . . . . . . . . . . . . . . 112.3 Symmetric and Asymmetric ciphers. . . . . . . . . . . . . . . . . 142.4 Diffie-Hellman key exchange for DLP. . . . . . . . . . . . . . . . 142.5 Digital signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

3 Elliptic Curve. 183.1 Addition of Points on an Elliptic Curve . . . . . . . . . . . . . . 193.2 Elliptic Curve over Finite Fields . . . . . . . . . . . . . . . . . . 223.3 Double-and-Add Algorithm. . . . . . . . . . . . . . . . . . . . . . 23

4 ECDLP & ECDSA. 254.1 The Elliptic Curve Discrete Logarithm Problem or ECDLP. . . . 254.2 The Elliptic Curve Digital Signature Algorithm or ECDSA. . . . 26

5 Attacks on ECDSA. 295.1 Baby Step, Giant Step Attack. . . . . . . . . . . . . . . . . . . . 295.2 Pollard’s Rho Attack. . . . . . . . . . . . . . . . . . . . . . . . . 31

6 Implementation on Baby Step, Giant Step and Pollard’s Rhomethod. 346.1 Baby Step, Giant Step Implementation. . . . . . . . . . . . . . . 346.2 Pollard’s Rho Implementation. . . . . . . . . . . . . . . . . . . . 42

7 Performance Evaluation Of Implementation. 47

8 Appendix. 49

5

Master Thesis

1 Introduction

Security is one of the most controversial concepts in the world. People arecommunicating with each other every single second via their mobile phonesor laptops by sending and receiving e-mails, electronic documents, electronicpayments, financial transactions and so forth. Obviously, there has to be manyways of providing the security of these communications so that people couldtrust them. Digital signature is a form of providing security for some kindsof communications and one of the newest form of security system is EllipticCurve Digital Signature Algorithm (ECDSA).

We all know that there is no form of security which is complete and has 100%reliability, thus there is always a risk of an attack on any security system. Twoof the known attacks on ECDSA are namely Baby Step, Giant Step (Bs.Gs)and Pollard’s Rho.

The Baby Step, Giant Step (Bs.Gs) attack is based on two steps and wewould reach to a solution of Elliptic Curve Discrete Logarithm Problem(ECDLP) if we could have an intersection between those two steps.

The Pollard’s Rho attack is almost similar to the Bs.Gs attack and also theyhave the same running time but there is a quite important difference betweenthem. The difference is that the Bs.Gs. attack requires more storage space thanthe Pollard’s Rho attack.

In this thesis, we have tried to see how these two attacks work together witha hint of how to choose the point on the elliptic curve in a way that the dig-ital signature—generated by it—would be more secure against the mentionedattacks. This more secure way is that we need to find points with high orderand the entire process will be explained within this thesis.

First of all, we need to know about digital signatures in general and then aboutdigital signatures based on elliptic curves. In order to generate a digital sig-nature, asymmetric cryptography is used. We have two keys in asymmetriccryptography namely a Public key and a Private key. The public key isobviously revealed for everybody. However the private key is a key which is notclear at all and if somebody knows it then the digital signature can be forged.Therefore the solution of ECDLP is the private key.

There are known deterministic algorithm of different types of attacks on ECDLP;for more reading, refer to the book [13], or some articles namely [15], [3], [4],[23]. If one uses any of the attacks and is not able to reach to the private keywithin a certain time limit, then one has found a point on the curve which islikely to be a “good point”. A “good point ” means a point with high orderwhich is used in ECDSA and make the digital signature more secure.


Master Thesis

Therefore, we are going to use the algorithm of these two attacks and see if weare able to find a probable good point. The mathematics which is used in thismethod is Algebraic Structure of elliptic curves over finite fields and Discretelogarithms.

We are almost done with the first section (Introduction Section) and the secondsection is devoted to definitions of the cryptography, asymmetric cryptography,The discrete logarithm problem, Diffie and Hellman and digital signatures as abackground. In the section three, we will have a quite complete section aboutelliptic curve and its properties. Section four is all about ECDSA and ECDLPwith some examples. For the fifth section, we will have a quite complete ex-planation of two types of attacks on ECDSA; Baby Step, Giant Step attackand Pollard’s Rho attack. Eventually, in section six, we will have a section ofexplaining what we have done within this thesis and the hint about the pointof high order which was mentioned earlier together with Mathematica codes ofthe entire process. After all, there will be a section of performance evaluationof implementation as the final section; Section seven.


Master Thesis

2 Background

2.1 A brief history and some Terminology.

The word cryptography comes from the Greek words; kryptos and grapheinwhich means hidden and writing [5]. Cryptology is a science which has beenused to help people to communicate with each other hidden and it has pro-vided security for the communications. In other words, the main reason of thisscience is to provide a security for two people or a group of people to communi-cate without letting other people or stranger to know about the details of thatcommunication.

Throughout the history, cryptography has been used and the earliest ones arefrom the ancient Egypt, Greece and Rome. Egyptian used hieroglyphs in orderto communicate hidden. In Greece, they have the idea of wrapping a tapeof paper around a specific stick and then write a message on it and afterwardssend the paper tape to the receiver; On the other hand, the receiver should havehad similar stick in order to wrap the paper tape around it so that he or shecould decrypt the message. The Roman’s idea was Caesar Shift Cipher whichwas named after the Julius Caesar and it is a type of substitution cipher. Inthis method, they simply wrote the message down and shift the letters and thereceiver should have done the shifting backwards in order to read the message[5].

After middle ages, both cryptography and cryptanalysis have improved due toneed of security for communications. This science has been used in World WarI and II. The invention of radio in 1900 made the cryptographic concept changeand improve especially in military and political situations therefore the need ofsuch these security kept increasing until now that the communications are oftenmade digitally with more complicated algorithms thus we are always in urge ofpreparing security [13]. We have barely touched the concept of the history ofthe cryptography so far and for further reading refer to [24] and [16].

Here we explain some useful terminology:

• Plaintext: A message that is not encrypted.

• Ciphertext: A message that has been encrypted.

• Key: A parameter which is used in both encryption and decryption inorder to convert plaintext to ciphertext or contrariwise.


Master Thesis

• Symmetric cipher: In these kinds of algorithms, the same key is usedboth for encryption and decryption.

• Asymmetric cipher: Or Public Key Cryptosystems that differentkeys are used for encryption and decryption.

The story is that for example Alice wants to send Bob a message, without Eveknowing the concept of the message.

Figure 1: The story of sending secret messages

∗ As mentioned earlier, the word cryptology comes from the Greek wordkryptos and it is divided into two categories; Cryptography and Cryptanalysis:

• Cryptography: Designing the cryptosystems or the algorithm of en-cryptions are in the concept of cryptography. We have mainly two typesof ciphers namely substitution ciphers and transposition ciphers.Below, the definition of these two ciphers are respectively explained:

1. Substitution cipher: In this type, each letter (or a group of let-ters) is replaced by another letter (or group of letters).


Master Thesis

2. Transposition cipher: The letters are permuted.

∗ We can mix both substitution cipher and transposition cipher in orderto encrypt.

• Cryptanalysis: In this concept, the problem of breaking the ciphersand finding the keys are discussed in which there are four different typesof attacks based on how much information does Eve know.

1. Ciphertext only: Eve only has the information about the cipher-text.

2. Known plaintext: In addition to the ciphertext, Eve knows theplaintext as well. (So that she can conclude about the key.)

3. Chosen plaintext: Eve can choose her own plaintext and encryptit and she can do this more and more until a conclusion will be derivedabout the nature of the key based on the ciphertext she receives.

4. Chosen ciphertext: Eve can choose her own ciphertext and de-crypt it and get the conclusion about the nature of the key based onthe plaintext she receives.

∗ A secure cryptosystem is a system which is mixed of both substitution andtranspositions ciphers as well as being secure against all of these four mentionedattacks.

∗ When it comes to design a cryptosystem, it is only important to have thekey secret not the algorithm of encryption and decryption; this is called Ker-ckhoff’s principle [13].

In this thesis, we mainly focus on asymmetric cryptography or public key cryp-tosystem in which there are two keys; private key and public key.

Imagine that Alice and Bob want to exchange a message using a symmetriccipher. In order to exchange a message without letting their adversary Eveknows the message, they have to agree on a secret key in advance but whatif there is no secure way of communication so that they can agree on a secretkey?[6].


Master Thesis

2.2 The Discrete Logarithm Problem

In order to explain the discrete logarithm problem, first we need to know somedefinitions and theorems.

Theorem 1. [13].Primitive Root Theorem.

Let p be a prime number and Fp be a finite group. Thus there exists an elementg ∈ F∗p whose powers give every element of F∗p i.e,

F∗p = {1, g, g2, g3, · · · , gp−2}.

Those elements which have this property are called primitive roots of Fp orgenerators of F∗p. They are the elements of F∗p having the order of p− 1.

Theorem 2. [13].Fermat’s little theorem.

If p is a prime number then we have:

gp−1 ≡ 1 (mod p)

for every integer g such that (g, p) = 1.

Now we can define the discrete logarithm problem as the following:

Definition 2.1. [13].The Discrete Logarithm.

Let p be a prime number and g be a primitive root modulo p. The discretelogarithm modulo p of h is the smallest positive integer x satisfying

gx ≡ h (mod p).

And it is written as logg(h) (mod p).

The Discrete Logarithm Problem or DLP.

Before we state the DLP, we need some algebra definitions.


Master Thesis

Definition 2.2. [10].Group.

A set G under a binary operation ∗ is a group 〈G, ∗〉 if the following axiomsare satisfied:

1. Associativity. For all a, b, c ∈ G, we have:

(a ∗ b) ∗ c = a ∗ (b ∗ c).

2. Identity element. There is an element, usually stated as e such thatfor every other element a in G we have:

a ∗ e = e ∗ a = a.

3. Inverse. For every element a in G, there is an element a′ in G such that:

a ∗ a′ = a′ ∗ a = e [3].

.

Definition 2.3. [10].Abelian Group.

Let G be a group with binary operation ∗. If for every element a, b ∈ G wehave:

a ∗ b = b ∗ a

then we say that the group G is Abelian.

Definition 2.4. [10].Order of the group G.

Let G be a group. If G is a finite set, then the order of G is the number ofelements in G and we write o(G) = m, where m is the number of elements inG.


Master Thesis

Definition 2.5. [10].Order of an element a.

Let G be a finite group and a ∈ G. The order of the element a is thesmallest positive integer n such that an = e. It is written:

o(a) = n.

Theorem 3. [10].Let G be a finite group and a ∈ G. The order of the elementa is a divisor of the order of G; i.e.

o(a) | o(G).

Definition 2.6. [10].Cyclic Group.

Let G be a group and a ∈ G. Assume that G is a finite group and o(G) = n.If the order of the element a is the same as the order of the group G; i.e.o(G) = o(a) = n, then the element a is a generator of the group G. We write,G = 〈a〉 and say that G is a cyclic group.

Eventually, we are ready to define the DLP.

Definition 2.7. [13].Discrete Logarithm Problem or DLP.

Let G be a group and g, h ∈ G. The problem of solving the following discretelogarithm gx = h is the so-called Discrete Logarithm Problem or DLP.The solution will be denoted as x = logg h; if there is a solution though.

Remark. [13].If G is a finite group then the element g generates a subgroup

{e, g, g2, · · · , gn−1}

where n is the order of g and besides the solutions to gx = h are calculatedmodulo n.


Master Thesis

2.3 Symmetric and Asymmetric ciphers.

In a symmetric cryptography, we need only one key in order to encrypt anddecrypt. This key is chosen from a set of possible keys K . Let C be the setof all possible ciphertexts and M be the set of all possible plaintexts. In theencryption step we will do as the following function:

e : K ×M → C

and for the decryption step we will have the following function:

d : K × C →M

which satisfies

d(k, e(k,m)) = m ∀k ∈ K ,∀m ∈M .

In an asymmetric cryptography, we use a pair of key as mentioned before; i.e.the key is: k = (kpublic, kprivate). Everybody can do the encryption by thepublic key however, in order to decrypt, one has to know the private key. Inour example, if Alice and Bob wants to use the symmetric cipher, they musthave exchanged their private key before. What will happen if there is no secureway for them to exchange the private key? This has an answer which Diffieand Hellman came up with and it ended up to the new concept which is calledpublic key cryptosystem [6].

Remark. In 1985, Koblitz and Miller has proposed the public key cryptosystembased on elliptic curves over finite fields [17], [11] and afterwards, many peoplehas been putting lots of efforts on the mentioned concept. They have usedelliptic curves over finite fields for several cryptosystems, namely, Diffie-Hellmankey exchange algorithm, elliptic curve digital signature algorithm (ECDLP) [9].

2.4 Diffie-Hellman key exchange for DLP.

Alice and Bob wants to agree on a key through an insecure channel. They cando this according to the following steps without letting Eve get the key [13].

1. Alice and Bob agree on a prime number p and a nonzero integer g modulop .


Master Thesis

2. Alice chooses a secret number a randomly and computes A = ga (mod p)and sends it to Bob.

3. Bob chooses a secret number b randomly and computes B = gb (mod p)and sends it to Alice.

4. Alice computes Ba = gab (mod p) and Bob computes Ab = gab (mod p).This number is their key.

Therefore, according to the above key exchange, Alice and Bob are safe tocommunicate, however this depends on the level of the security which theyhave. The problem for Eve to solve, in order to get the key is the so-called DLPwhich is somehow difficult and this difficulty relies on the numbers which Aliceand Bob has chosen to make the key. Eventually, after Diffie-Hellman’s paper“New Direction in Cryptography” [6], there were several related contribution.To know more about the public key cryptography see [16], [7], [8], [33].

2.5 Digital signature.

A digital signature is a way of proving authentication and therefore, it can in-crease the security of communication. It is not a scanned form of the usualsignature which we do it by paper and ink but an electronic stamp of authen-tication. Digital signatures are generated by cryptography methods thus theyare some encrypted data to indicate the validity of the signer. Here, we haveSamantha as the signer and Victor as the verifier. The story is about Samanthahaving a document and sending it to Victor but she wants Victor to be surethat she has sent the document. She has to use a secure way of signing thedocument so that the signature can not be forged by adversaries. Yes! Digitalsignature is what she is looking for!

Asymmetric cryptography is used to generate the digital signature therefore,there are two keys; public key and private key. Samantha has a documentwhich she wants to sign. She uses her private key to sign the document via aspecial algorithm (which will be explained later on). Then, Victor can verifythe digital signature by the public key according to a specific algorithm.

Some terminology:

• KPri A private signing key.

• KPub A public verification key.

• Dsig Digital signature.


Master Thesis

• D Digital document.

Remark. Hash function

A cryptographic hash function is a function which takes document of arbitrarylength as an input and refers to a number of fixed length as the output. Thementioned hash function has to be quick to calculate as well as being almostimpossible to find the original document from the hash value (output) i.e, a hashfunction has to be a one way function that it is quite hard to invert. In additionto the earlier properties, the hash function is strongly collision-free which meansthat it is almost impossible to find different messages while their hash valuesare the same. For more reading refer to [23], [35].

In order to sign a document, first the signer (Samantha) uses a hash function toget a unique hash result and then by means of a private key one can transformthe hash result into a digital signature. Totally, Samantha sends the digitaldocument, the public key and the information about how to verify the signature(such as a hash algorithm).

To verify a digital signature Victor needs a new hash; this is provided by com-puting a new hash result of the digital document. The new hash result is createdby the same hash function which Samantha has used to generate the digital sig-nature. Therefore by using the public key and the new hash result, one canverify whether the digital signature is valid or not [13].

Figure 2: Generation and Verification of Digital Signature [13].


Master Thesis

In figure 2, the process of generating a digital signature together with the verifi-cation step is shown. In this thesis, we are working with elliptic curves therefore,we will explain the digital signature algorithm based on elliptic curves after weexplained all about elliptic curves and the related properties.


Master Thesis

3 Elliptic Curve.

The concept of elliptic curve is a quite vast topic and we try to only focus onthe part we need and some useful properties for cryptography. There are severalreferences for additional reading related to elliptic curve cryptography namely[2], [18], [22], [27].

An elliptic curve with real coefficients is defined by an equation of the form:

y2 + a1xy + a3y = x3 + a2x2 + a4x+ a5 (1)

where a1, a2, a3, a4, a5 ∈ R. We may assume a1 = a2 = a3 = 0 since the affinechange of variables

x = X − a2112− a2

3

y = Y − a12X +

a3124

+a1a2

6− a3

2

alter (1) to the so-called Weierestrass form as the following:

Y 2 = X3 +AX +B (2)

for some A,B ∈ R.

Definition 3.1. Elliptic Curve.

An elliptic curve over R is a set of all solutions to the equation (2) whereA,B ∈ R and 4A3 + 27B2 6= 0, together with the point at infinity O.


Master Thesis

3.1 Addition of Points on an Elliptic Curve

Let E be an elliptic curve and let P = (x1, y1) and Q = (x2, y2) be two pointson E. There are three cases that we are facing. First, we explain about the casein which x1 6= x2. In this case, the line L through P and Q intersects the curveE at a third point that is called R. Next, we reflect this point in the x−axis, inorder to obtain another point on E which is called R′. The point R′ is definedas the sum of P and Q for the first case, see figure 3, [13].

Figure 3: Addition of Points on an Elliptic Curve[13].

In the second case, assume that x1 = x2 whereas P and Q are different. Theline through the points P and Q is a vertical line and therefore, it does notintersect E in a third point. In the case of P = Q while y coordinate is zero,the same thing as the second case will happen. In these cases, we consider thepoint at infinity O as the sum of P and Q, see figure 4, [13].

Remark. For every point P on E, we have P + O = P since the line through Pand the point at infinity is a vertical line through P .

Remark. We define O + O = O.


Master Thesis

Figure 4: Addition of Points on an Elliptic Curve [13].

Finally the third case. In this case we want to add the point P to itself or i.e.P = Q = (x, y). As we have done for the other cases, we draw a line through theboth points which we want to add together and in this case, it will be the lineL which has to be the tangent of the curve E at the point P and it intersectsthe curve E at the point R. Then we reflect the point R in the x−axis whichyields to the point of R′. Hence we have: P + P = 2P = R′, see figure 5, [13].


Master Thesis

Figure 5: Addition of Points on an Elliptic Curve [13].

Theorem 4. [13].Let E be an elliptic curve then E is an Abelian group withrespect to addition of points on E. In other words

• (P +Q) +R = P + (Q+R) for all P,Q,R ∈ E Associative.

• P +Q = Q+ P for all P,Q ∈ E Commutative.

• P + O = P for all P ∈ E Identity.

• P + (−P ) = O Inverse.

Theorem 5. [13].Elliptic Curve Addition Algorithm.

Let Y 2 = X3 +AX +B be an elliptic curve and let P1 and P2 be points on E.

• If Pi = O for i = 1 or i = 2, then P1 + P2 = P3−i.

• Otherwise, put P1 = (x1, y1) and P2 = (x2, y2). If x1 = x2 and y1 = −y2,then P1 + P2 = O.

• Otherwise, let x3 = λ2 − x1 − x2 and y3 = λ(x1 − x3) − y1 where λ isdefined as


Master Thesis

λ =y2 − y1x2 − x1

if P1 6= P2

and

λ =3x21 +A

2y1if P1 = P2.

Then we have P1 + P2 = (x3, y3).

3.2 Elliptic Curve over Finite Fields

In this section we will study the elliptic curves over finite fields which are quiteuseful and important in cryptography in terms of the order of the curve , theirproperties and so forth [13], [36].

Definition 3.2. Let F = Fp be the finite field of order p where p ≥ 5 (For morereading see the chapter 5.7 of [13]). An elliptic curve over Fp is:

E : Y 2 = X3 +AX +B

where A,B ∈ Fp satisfy 4A3+27B2 6= 0 in Fp. In addition to all of the solutionsof the above equation of E, we have the point at infinity O.

Example 1. Let E : Y 2 = X3 + 3X + 2 be a finite elliptic curve over F5. Inorder to write all of the points on E, we need to solve the above equation for allpossible x in F5 = {0, 1, 2, 3, 4}. Afterwards, we will get

E(F5) = {O, (1, 1), (1, 4), (2, 1), (2, 4)}.

Theorem 6. [36].Let E be a finite elliptic curve over the finite field Fp. Then

E(Fp) ' Zn or Zn1⊕ Zn2

for some integers n ≥ 1, or for some integers n1, n2 ≥ 1 with n1 dividing n2.


Master Thesis

Theorem 7. [13].Hasse’s Inequality.

Let E be an elliptic curve over a finite field of Fp. Then the order of the curvei.e, #E(Fp) satisfies the following inequality:

| p+ 1−#E(Fp) |≤ 2√p.

3.3 Double-and-Add Algorithm.

In this section we explain an efficient way of calculating the multiple of a pointon an elliptic curve which is called double-and-add algorithm. There are severalpapers which have proposed some ways to speed up the above algorithm namely[12], [37], [27].

We would like to compute

nP := P + P + · · ·P︸︷︷︸n terms

.

We use the binary expansion n = Σri=0ni2

i where ni ∈ {0, 1}. Then we computethe sequence Q0, Q1, · · · , Qr in E(Fp) as it is explained below:

Q0 = P, Q1 = 2Q0, Q2 = 2Q1, · · · , Qr = 2Qr−1.

We notice that Qi = 2iP hence:

Σri=0niQi = Σr

i=0(ni2i)P = nP.

The double-and-add algorithm for elliptic curves.[13].

Input. P ∈ E(Fp) and integer n ≥ 1.

1. Set Q = P and R = O.

2. Loop while n > 0.

(a) If n ≡ 1 (mod 2), set R = R+Q.

(b) Set Q = 2Q and n = bn2 c.

3. Return the point R, which equals nP .


Master Thesis

Example 2. Assume that we have an elliptic curve E over a finite field F997.Let P = (36, 88) be a point on the curve. We want to calculate 250P accordingto the double-and-add algorithm. Since

250 = 2 + 23 + 24 + 25 + 26 + 27

we need the multiple of the point P with the above numbers.

i Qi = 2iP

1 21P = 2P = (191, 446)2 22P = 4P = (937, 766)3 23P = 8P = (696, 429)4 24P = 16P = (481, 657)5 25P = 32P = (810, 587)6 26P = 64P = (962, 310)7 27P = 128P = (134, 332)

Table 1: The table of Double-and-Add example.

Now we add the needed Qi in order to get 250P .

250P = Q1 +Q3 +Q4 +Q5 +Q6 +Q7 = (220, 367).


Master Thesis

4 ECDLP & ECDSA.

4.1 The Elliptic Curve Discrete Logarithm Problem orECDLP.

In the section 2.7, we have defined DLP in a group G. In the case of ellipticcurves, we have the group of points on an elliptic curve and the group is E(Fp)where Fp is a finite field. Let P,Q ∈ E(Fp). The elliptic discrete logarithm ofQ with respect to P is the smallest positive integer n satisfying

Q = P + P + · · ·+ P︸︷︷︸n additions on E

.

It is also written as n = logP (Q).

Definition 4.1. ECDLP.

The ECDLP is the problem of finding the answer of n = logP (Q) which is theinteger n such that Q = nP i.e., finding out that how many times P must beadded to itself in order to create Q.

The discrete logarithm problem for elliptic curves is rather difficult in compari-son to the corresponding problem in the multiplicative group of F∗p. One mighthave though that why we use elliptic curves in cryptography and the answer isquite simple; it is very hard to attack the ECDLP. Besides, there is an estimationin [2] that indicates elliptic curve cryptosystem needs less power consumptionand smaller chip size [36].

In the following, we will study the Elliptic Curve Digital Signature Algo-rithm or ECDSA and in the fifth section we will study two types of attackson it namely, Baby Step, Giant Step attack and Pollard’s Rho Method.


Master Thesis

4.2 The Elliptic Curve Digital Signature Algorithm orECDSA.

The Elliptic Curve Digital Signature Algorithm is an analogue of the DigitalSignature Algorithm [15]. DSA method uses the multiplicative group of finitefields whereas ECDSA uses the group of E(Fp) where E is an elliptic curve overa finite field Fp.

The story is about Samantha who wants to sign a document m by means ofECDSA. She uses a hash function in order to refer to the document she wantsto sign, therefore m is an integer. Samantha chooses an elliptic curve E overa finite field Fp where #E(Fp) = fr, where r is a quite large prime and f isa small integer. She also chooses a point P on the curve such that the orderof P is r. Then, Samantha takes a secret number a as her private key andshe computes Q = aP . The following information will be public Fp, E, r, P,Q(f can be also public). Below, there will be the steps of generating the digitalsignature based on elliptic curves.

First, we have the steps for signing the document as the following [36]:

1. Samantha chooses a random integer k where 1 ≤ k < r, then computesR = kP = (x, y).

2. She also computes s = k−1(m+ ax) (mod r).

Remark. . One may wonder that what if k does not have an inverse? Theanswer is that since r is a prime number hence the inverse of k and s do exist.

Hence, the signed document is (m,R, s).

Below comes the steps of verification of the signature [36]; hence, Victor doesthe following:

1. He computes u1 = s−1m (mod r) and u2 = s−1x (mod r).

2. He also computes V = u1P + u2Q.

3. The signature is valid if and only if V = R.

i.e. for verification we have:

V = u1P + u2Q = s−1mP + s−1xQ = s−1(mP + xaP ) = kP = R.

Accordingly, the problem of finding the private key a is the so-called ECDLP.


Master Thesis

Example 3. Samantha wants to sign a document and send it to Victor. First,she uses an arbitrary hash function to get the hash value of the document shewants to sign.

Document −→ Hash Value: m = 1991.

Next, she chooses an elliptic curve over a finite field; such as:

y2 = x3 + 17651x+ 4408 Over the Finite Field F18503.

Then, she chooses a point on the curve such that the order of the point is quitelarge.

P = (5859, 5775), r = o(P ) = 9284.

Samantha chooses a private key a = 17445 and she computes

Q = aP = (12591, 12520).

Generation Step.

1. Samantha chooses a random integer k such that

1 ≤ k < r = 9284 =⇒ k = 6683

and computes

R = kP = (148, 9595) = (x, y)

2. Secondly, she calculates:

s = k−1(m+ ax) (mod r)

=⇒ s = 6683−1(1991 + 17445× 148) = 1805 (mod 9284).

The signed document would be:

(m,R, s) = (1991, (148, 9595), 1805).

Verification Step.


Master Thesis

1. To verify the signature, Victor computes

u1 = s−1m = 1805−1 × 1991 = 6127 (mod 9284)

and also

u2 = s−1x = 1805−1 × 148 = 3976 (mod 9284).

2. Eventually, he computes V = u1P + u2Q = (148, 9595) = R.

Since Victor has V = R, then he verified that the signature is valid.


Master Thesis

5 Attacks on ECDSA.

There are several known attacks on ECDSA so far but we will mention only twoof them here in this section and for more reading refer to [15].

5.1 Baby Step, Giant Step Attack.

This method has been developed by Shanks [30] and it needs approximately√N steps and also

√N storage to be accomplished where N is the order of the

group [36]. Since our main focus is elliptic curves then we always assume thatwe have an elliptic curve E over a finite field Fp and we let P and Q be pointson the curve such that Q = aP where a is the private key.

Since this type of attack needs√N storage to be accomplished then it is not

useful for large elliptic curve groups.

Baby Step, Giant Step Algorithm.

1. Compute d√p+ 1 + 2

√pe and name it m.

2. Make and store a list of iP for 1 ≤ i < m as the Baby Step.

3. Make another list of Q − jmP for j = 0, 1, 2, · · · ,m − 1 until a match isfound with the stored list above; as the Giant Step.

As soon as a match is found then we can find the private key a; i.e.

a = i+mj (mod o(P )).

Example 4. Consider E : Y 2 = X3 + 1150X + 3129 as an elliptic curveover the finite field F3593. Let P = (1049, 1968) and Q = (725, 1836). We haveQ = aP and we want to compute m. The order of P is 1758. Now we startto generate the first list which is the Baby Step by multiplying the point P by

i = 1, 2, · · · ,m− 1 where m is calculated as m = d√

3593 + 1 + 2√

3593e = 61.


Master Thesis

Baby Step.

i iP = (1049, 1968)

1 P = (1049, 1968)2 2P = (2161, 625)3 3P = (1509, 565)... · · ·

37 37P = (384, 744)... · · ·

Table 2: Multiple of the point P .

We also generate the Giant Step as the following:

Giant Step.

j Q− jmP0 Q = (725, 1836)1 Q−mP = (2879, 3415)2 Q− 2mP = (3465, 2958)... · · ·

60 Q− 60mP = (384, 744)... · · ·

Table 3: List of Q− jmP .

Now that we have found a match, we can compute a. Since the position of thematch in the first list is 37 and for the second one is 60, then we have:

a = i+mj = 37 + 60×m = 37 + 61× 60 = 181 (mod 1758).

Therefore, we have found the private key or in other word the integer which ismultiplied by P and gives us Q.

Q = aP ⇒ (725, 1836) = 181× (1049, 1968).


Master Thesis

5.2 Pollard’s Rho Attack.

Pollard’s Rho attack has an advantage in comparison to the Baby Step, GiantStep attack which is about the storage of data. Baby Step, Giant Step methodrequires a storage of

√N however Pollard’s Rho attack needs less storage [36].

There are several papers about Pollard’s Rho method namely, [3], [1], [34],[38]. In the last two mentioned papers, there are some random walks throughthe Pollard’s Rho method in order to speed up the entire process and we willexplain some of it later in this section.

The Pollard’s Rho method is an improvement of the Baby Step, Giant Stepmethod which was first proposed by Pollard [32]. It is called Pollard’s Rhomethod since the shape of the points within its algorithm looks like the Greekletter ρ. First, we explain the Pollard’s Rho method by its original walk thenwe mention a few words about the other iterating functions which is used in thealgorithm [34].

Let E be an elliptic curve over a finite field Fp and write G = E(Fp). Let Pand Q be two points on the curve such that Q = kP where k is the private keyand the order of P is n. We want to find k.

Pollard’s Rho Algorithm.[28].

1. By using a hash function we divide the group of elliptic curve G into threeparts; roughly equal size say S1, S2, S3.

2. Define an iterating function f : G −→ G such that:

Ri+1 = f(Ri) =

Q+Ri, Ri ∈ S1

2Ri, Ri ∈ S2

P +Ri, Ri ∈ S3

3. Put Ri = aiP + biQ and

ai+1 =

ai, Ri ∈ S1

2ai (mod n) Ri ∈ S2

ai + 1, Ri ∈ S3

and

bi+1 =

bi + 1, Ri ∈ S1

2bi (mod n) Ri ∈ S2

bi, Ri ∈ S3


Master Thesis

4. Start by an initial value R1 = P thus a1 = 1 and b1 = 0. Then generatepairs (Ri, R2i) until you find a pair which is a match or Rm = R2m forsome integer m.

5. As soon as a match is found then we can compute the private key k. Wehave:

Rm = amP + bmQ

R2m = a2mP + b2mQ

Since we have Q = kP and also we can have the order of the point P thenwe can do the computation modulo the order of P , hence

amP + bmQ = a2mP + b2mQ

⇒ amP + bmkP = a2mP + b2mkP (mod n).

k =a2m − ambm − b2m

(mod n).

Remark. In order to find a unique answer for k there must be

gcd (bm − b2m, n) = 1

otherwise we will have d answers for it where

gcd (bm − b2m, n) = d.

Remark. There are always a match in the sequences in both Baby Step, GiantStep method and Pollard’s Rho method since there are finitely many points onan elliptic curve thus soon or later we end up in a cycle.


Master Thesis

Example 5. Assume that E : Y 2 = X3 + 101X + 260 is an elliptic curveover the finite field F307. Let P = (159, 207) and Q = (72, 10). We compute theorder of P which is 31. Now, we are ready to start the process of Pollard’s Rhomethod. We will generate two lists however we do not have to store the listssince we always have to only compare the last element of each list to each other;i.e. we have to compare Ri to R2i where Ri is Ri = aiP + biQ.

First, we split E(F307) into three subsets:

• S1 = {R = (x, y) ∈ E(F307) | 0 ≤ x < 3073 }.

• S2 = {R = (x, y) ∈ E(F307) | 3073 ≤ x <2×307

3 }.

• S3 = {R = (x, y) ∈ E(F307) | 2×3073 ≤ x < 307}.

Next step is to generate the lists. We start by the initial value R1 = P thus, a1and b1 = 0 then we will compute Ri = aiP + biQ.

i (αi, βi) Ri

1 (1, 0) R1 = P2 (2, 0) R2 = (153, 204)3 (4, 0) R3 = (295, 156)4 (4, 140) R4 = (270, 165)5 (4, 267) R5 = (168, 214)... · · · · · ·

Table 4: The table of Pollard’s Rho example.

If we keep doing the above process, we will end up having a match which is4P = 16P + 4Q = (295, 156). Now that we know the coefficients, we cancompute the private key k as the following:

k =16− 4

0− 4= 28 (mod 31).

In the above example, we have used the original Pollard’s Rho method in whichwe have the function f in a way that we only add 1 in the definition of thecoefficients ai+1 and bi+1. This function (f) is not random enough since it isfollowing somehow a pattern to generate ai+1 and bi+1 therefore, in order toget a proper result out of Pollard’s Rho method, we need to make it as randomas we can. Teske has worked on this concept in [34] and we will explain oneof the methods that Teske presented, in order to do our implementation withinthe next section.


Master Thesis

6 Implementation on Baby Step, Giant Step andPollard’s Rho method.

The main idea is to find points of high order which seem to be a probable goodpoint in order to generate the digital signature with. A probable good pointon an elliptic curve in our case means a point that increases the security of theECDSA which is made by the mentioned point and by the word“probable”wetry to mention that when we want to find a collision, we do not want to run thealgorithm forever! Therefore we have to abort the program after a while andin that case even if we could not find the collision and we say that the pointis secure to generate the ECDSA, it would happen that after even one secondmore that the program would have run, we would have had the collision. Thisis the reason that we call this point a probable good point.

6.1 Baby Step, Giant Step Implementation.

The problem is to find the private key a when Q = aP . We start to explainthe Baby Step, Giant Step implementation with our Mathematica codes by anexample. We generate 100 elliptic curves and choose 100 points Pi on them suchthat we have one point P on each. Then by random, first, we take 30 points Qij

such that Qij = aPi for j = 1, · · · , 30 for each curve, second, we take only onepoint Qi for each curve i. In the third step, we take eleven different intervals tochoose the prime number pi from and apply the Baby Step, Giant Step attackwith only one point of Qi.

Remark. Since the points Qi are randomly chosen, it might be quite quick tosolve the ECDLP in some cases although the points Pi are the points of highorder; i.e. the private key a can be found quicker as you will see later in thissection.

1. First, we have done our experiment by choosing 30 points of Qi,j forj = 1, 2, · · · , 30 for each curve.

Assume that we have chosen 100 elliptic curves by random and let Pi

be the 100 points on them in a way that was explained above. We willcalculate the order of each Pi by the Mathematica codes we have providedas you can see at the end of this section. The curves have been chosenbetween the primes of 106 and 107 and below you can see the chart of thepoints Pi and their order.


Master Thesis

Pi Order Of Point Pi Pi Order Of Point Pi

P1 11280 P51 129734P2 3326136 P52 1815374P3 4513961 P53 8422195P4 6654312 P54 2942969P5 1013599 P54 659874P6 881302 P56 7512452P6 47982 P57 3650455P7 2770994 P58 8947245P8 490980 P59 89474P9 1089515 P60 3225434P10 303237 P61 432238P11 1680177 P62 5022935P12 669616 P63 7238257P13 827880 P64 7229517P14 3608864 P65 9087670P15 3632326 P66 409474P16 1134552 P67 6634898P17 1671639 P68 4012286P18 5605547 P69 610213P20 4594253 P70 1761199P21 4793355 P71 6063153P22 7668523 P72 9150783P23 858623 P73 9337835P24 8009016 P74 1680577P25 4873845 P75 2695390P26 7786112 P76 964381P27 9700575 P77 1309172P28 2833536 P78 307076P29 211535 P79 403749P30 3511063 P80 2657410P31 6649013 P81 1978487P32 3711454 P82 3719222P33 6068727 P83 4892747P34 3474655 P84 463574P35 7636041 P85 3376649P36 155736 P86 2535308P37 247782 P87 1485781P38 2204550 P88 1781503P39 1233330 P89 7677729P40 1850089 P90 1100338P41 2842411 P91 786681P42 2363399 P92 5492198

Table 5: Order Of Points Pi.


Master Thesis

Pi Order Of Point Pi Pi Order Of Point Pi

P43 1377044 P93 1125645P44 2658625 P94 2282480P45 282405 P95 8610697P46 2361186 P96 4900400P47 900875 P97 503148P48 1668597 P98 749104P49 4892290 P99 1477752P50 1796936 P100 32850

Table 6: Order Of Points Pi.

Now we get 30 randomly chosen points Qij for i = 1, 2, · · · , 100 and j =1, 2, · · · , 30 and for each different Q we solve the ECDLP. The steps weare taking from now on start by fixing the integer m for each curve asit is explained in the section Attacks on ECDSA and the subsection ofBaby Step, Giant Step Attack according to Hasse’s theorem. Then wegenerate the two lists of Baby Step and Giant Step. (All is done by theMathematica codes.)

By means of a command in Mathematica which is called Timing, we cancalculate the time which takes to get an intersection between the two listsof Baby Step and Giant Step. We get the time of intersection for each Qij

i.e. for each Qij = aPi where a is a random integer that plays the role ofthe private key for each turn.

Then we have plotted the graph of the order of the points Pi according tothe times which have taken for each Qij in order to get the intersectionbetween the two lists. For instance, for P1 we have 30 different time dueto 30 different Q1j . For our example, we have plotted the graph as youcan see the figure 6.

2×106 4×106 6×106 8×106Order.Of.Point

2

4

6

8

Time.Of.Intersection

Figure 6: Baby Step, Giant Step for 30 different Q.


Master Thesis

In the above graph, each color presents a same point Pi but differenttimes for different Qij . As we have mentioned it earlier, since the pointsQ are chosen randomly, they might have been multiplied with small in-tegers which is the reason that we get the intersection quickly althoughsometimes the order of the related point P is high.

2. In this part, we generate 100 elliptic curves as we have done for the pre-vious part. Then, we take only one Q randomly for each curve in orderto have Qi = aPi. We calculate the order of each point Pi and computethe time of each intersection. Eventually, we plot the graph of time ofintersection based on the order of point Pi, figure 7.

Pi Order Of Point Pi Point Qi Time Of Intersection

P1 = (34319, 34302) 44250 (8578, 15104) 0.310567P2 = (32692, 3356) 13265 (20732, 21022) 0.295026P3 = (9152, 9119) 7315 (3449, 25209) 0.249222P4 = (8882, 3674) 7407 (15724, 21439) 0.212200P5 = (3141, 4261) 9962 (4269, 2083) 0.129558P6 = (18027, 19771) 19860 (11011, 5070) 0.203546P7 = (35037, 17916) 44615 (38386, 33691) 0.329658P8 = (6396, 6644) 5174 (2246, 7812) 0.133579P9 = (26919, 16796) 14198 (10817, 17379) 0.245280P10 = (30911, 26839) 18675 (19702, 19846) 0.294982

... · · · · · · · · ·

Table 7: The Table of Bs.Gs. for 100 Curves with Only One Q.

We keep finding the time of intersection for all of the 100 curves and thenwe plot the graph as the following, figure 7:

10000 20000 30000 40000 50000OrderofPoint

0.05

0.10

0.15

0.20

0.25

0.30

0.35

TimeOfIntersection

Figure 7: Baby Step, Giant Step for Only One Q.


Master Thesis

By observing the last two graphs, we can say that the time of intersectionincreases as the order of the point P increases. However, we could observethat since we have chosen the points Q randomly, then the choice of agood point of P might be in relation to the point Q as well, since evenif the order of the point P is high enough, we might have had an integerwhich is multiplied by P and we have got a not so good point Q and thisis the reason why some of the intersection times are short although theorder of the point P is high. Nevertheless, we conclude that as long asthe order of the point P increases the time of intersection increases as wellbut how and in which manner? It will be explained later on.

3. In the following we have worked on eleven different intervals in which theelliptic curves are chosen in between them in order to do the Baby Step,Giant Step attack. As we have done before, we choose 100 elliptic curvesover finite fields Fpi

and for each eleven times, these pi are chosen fromone of those eleven different intervals. Then we take only one point Qi foreach Pi ∈ E(Fpi) and apply the Baby Step, Giant Step method. After,we have applied the method, we plot the graph of the time of intersectionof each Pi ∈ E(Fpi

) with Qi. By observing the graph, there is a time foreach graph that there are only a couple of points above it; which meansthat we can stop running the algorithm of Baby Step, Giant Step fromthat certain time and say that we have found a time limit i.e. we alwayscan find the intersection below this time limit and after that, we might beable to find the intersection or might not! It totally depends on the pointQ in this case.

Below comes the graphs of the above process. In figure 8, we have those100 elliptic curves which were chosen among the primes between 50000and 100000 and as we can observe from the graph, we can always find theintersection under 0.5 seconds or else we might not find the intersection i.e,most of the intersections have been found under the time of 0.5 seconds.


Master Thesis

0 20000 40000 60000 80000OrderofPoint

0.35

0.40

0.45

0.50

TimeOfIntersection

Figure 8: Time Limit/ Baby Step, Giant Step.

Here, we will have some more graphs of our investigation and we will seethe final graph of all eleven attempts at the end; the graph 12.

20000 40000 60000 80000 100000120000140000OrderofPoint

0.50

0.55

0.60

0.65

TimeOfIntersection



Master Thesis

0 50000 100000150000200000250000300000350000OrderofPoint

0.7

0.8

0.9

1.0

TimeOfIntersection


0 100000 200000 300000 400000 500000OrderofPoint

1.1

1.2

1.3

1.4

1.5

1.6

TimeOfIntersection


The graph 12 shows that the time limit based on the order of the point Pgrows exponentially.


Master Thesis

2×106 4×106 6×106 8×106 1×107OrderofPoint

2

4

6

8

TimeOfIntersection

Figure 12: Final Time Limit/ Baby Step, Giant Step.

All of the above three items shows that the order of the point increases asthe time of intersection increases and this growth is exponential. By means ofthe FindFit command in Mathematica (which finds numerical values of theparameters that makes the function give a best fit to the data as a function ofvariables) we have found the function with the input of the order of the pointand the output of the time of intersection as an estimation of finding a probablegood point. The function is:

f(x) = 1.44105 log x− 16.5948.

In order to understand the work which has been done, first we will plot thegraph of the data, graph 13 and then the graph of the function that has beenfound according to the data via the FindFit command, graph 14.

2×106 4×106 6×106 8×106 1×107

2

4

6

8

Figure 13: The graph of the Bs.Gs. according to the real data.


Master Thesis

2×106 4×106 6×106 8×106 1×107

2

3

4

5

6

Figure 14: The graph of the data according to the function (Bs.Gs).

Finally, we have combined the both graphs by means of the Show command inMathematica, in order to see that how close they are and in some sense, howaccurate the function is, graph 15.

2×106 4×106 6×106 8×106 1×107

2

4

6

8

Figure 15: The combination of the last two graphs (Bs.Gs).

6.2 Pollard’s Rho Implementation.

Here again, the problem is to find the private key a if we have Q = aP . Forthe Pollard’s Rho implementation, we have also used the same method as for


Master Thesis

the Baby Step and Giant Step but this time only for one point of Q or inother word, we have only applied the item three of the Baby Step and GiantStep Implementation. To apply the Pollard’s Rho method, we need to have theiterating function f as random as possible. Thus, instead of adding 1 to thesequence of ai and bi according to their definitions, we find two random numbert and s and then add it to the sequence ai and bi respectively [34] i.e.,

ai+1 = ai + t and bi+1 = bi + s.

We work with eleven different intervals in which the primes are chosen fromand then we do our implementation for only one point Q to find the time ofintersection. For instance the first interval is between 50000 and 100000. Afterwe have applied the Pollard’s Rho method - in a way that has been explainedfor the third item of Bs.Gs. attack- we will have the following graphs:

20000 40000 60000 80000OrderofPoint

2

4

6

8

10

12

TimeOfIntersection

Figure 16: Time Limit/ Pollard’s Rho.

Moreover, we will have the following graph for the second interval which isbetween 100000 and 150000.


Master Thesis

20000 40000 60000 80000 100000120000140000OrderofPoint

5

10

15

TimeOfIntersection

Figure 17: Time Limit/ Pollard’s Rho.

Likewise, we plot the other ninth graph according to the observation we havefrom the data derived by applying the Pollard’s Rho method and then we willsee the final graph of all eleven attempts we have done at the end; the graph18.

2×106 4×106 6×106 8×106 1×107OrderofPoint

20

40

60

80

100

120

TimeOfIntersection

Figure 18: Final Time Limit/ Pollard’s Rho.

As we see from the above graph, the time of intersection grows exponentiallyas the order of the point grows. It is important to mention that for this in-vestigation, the Pollard’s Rho method we have applied is not random enoughand that is why we have got longer time to catch the intersection in comparisonto Bs.Gs. attack however this process can be applied for sufficiently randomPollard’s Rho method and get some useful result out of it.

Furthermore, we have found the function with the input of the order of the pointand the output of the time of intersection as an estimation of finding a probablegood point which can be used in creating a safe digital signature against the


Master Thesis

Pollard’s Rho attack. In order to find the function, we have done the sameprocess as in Bs.Gs. therefore, we have used the FindFit command again andthen we have found the two parameters a, b which are needed to have a functionin the form of a log x+ b. The function is:

f(x) = 20.3044 log x− 233.99.

Below, there are three graphs namely the graph of the real data, graph 19, thegraph of the data according to the function which has been found, graph 20 andthe last graph is the combination of the first two graphs, graph 21 as we havedone for the Bs.Gs attack as well.

2×106 4×106 6×106 8×106 1×107

20

40

60

80

100

120

Figure 19: The graph of the Pollard’s Rho according to the real data.

2×106 4×106 6×106 8×106 1×107

20

40

60

80

Figure 20: The graph of the data according to the function (Pollard’s Rho).


Master Thesis

2×106 4×106 6×106 8×106 1×107

20

40

60

80

100

120

Figure 21: The combination of the last two graphs (Pollard’s Rho).


Master Thesis

7 Performance Evaluation Of Implementation.

As we have explained so far in this thesis, the time of intersection increases asthe order of the point increases in both types of attacks; Baby Step, Giant Stepand Pollard’s Rho attack. Now the question is if the method which has beenexplained before in order to find a time limit for the mentioned attacks can beapplied to the ECDSA in which there are larger primes as in reality?

In reality, in order to create a digital signature based on elliptic curve we needa quite large prime therefore the primes which have been used in this thesis areconsidered to be very small primes. The result of the thesis shows that the timeof intersection grows exponentially as the order of the prime grows and the largeprimes will most possibly follow the same function.

The main goal of the thesis was to find the probable good point which can beused to create a digital signature based on elliptic curves in a safer way. Thetime limits which has been found by observing the graphs indicates that underthe certain time limit we are able to find the intersection therefore the ECDSAis forged otherwise we might not find the intersection which means that thepoint which has been used for ECDSA is considered to be a good point or asafer point. However, we might find the intersection right after the time limit wehave been expecting, for example the intersection might be found half a secondlater than the time limit. In other words, assume that we have a certain timelimit to see if we can find the intersection. Since we have a certain time limitthen the attack has to be stopped when the time limit is over. Here we havetwo different results. First is the result when the intersection is found withinthe certain time limit we had. Second is the result when the intersection isnot found within the time limit. In the second case we never know the time ofintersection which is obviously later than the time limit we have already had,maybe half a second later than the time limit or even one hour later. That is thereason we say those points are probably good points because if the intersectionis not found within a certain time limit then we do not know that how long doesit take to find the intersection after the time limit, maybe even less than half asecond or maybe one hour after the time limit we have estimated. Therefore, ifan adversary waits just half a second more then he or she may forge the ECDSA.

The above estimation can help us to have a safer ECDSA and have a hint aboutthe point which we better use to create the digital signature we need.

There are deterministic methods of finding the generators of elliptic curves overfinite fields [19], [29], [31]. Therefore one may ask why not using the determin-istic method in order to find the proper elliptic curve which is safe enough forthe cryptography purpose?


Master Thesis

The fact is that, the deterministic methods are practically too slow. The deter-ministic method in [19] computes the group structure of an elliptic curve over a

finite field Fp under the time of O(p12 + o(1)) [31]. Hence we want to speed up

the process as much as possible. The method which has been presented in thisthesis has a benefit in comparison to the deterministic methods. The benefitis that, we can decide about the time limit i.e. we can put a time limit our-selves. Since we put the time limit ourselves, we may save some times in orderto find the proper elliptic curve according to a certain purpose of a cryptographyconcept.

There is only one important fact that it has been already mentioned couple oftimes within the thesis and it is that our Pollard’s Rho attack is not randomenough and therefore in comparison to Bs.Gs. attack it takes more time to beaccomplished however if the Pollard’s Rho method is random enough then ofcourse it takes less time to find the intersection and to forge the ECDSA. Thiswould be as a future work to find out how the function of order of the pointand the time limit will look like with the random enough Pollard’s Rho methodand the assumption is that it will be exponentially as well.

This thesis has the potential of several future works such as working on thelarger primes and do the same process or find a way to estimate how fast thismethod which has been presented within this thesis is. In addition, one canwork on the deterministic methods more and see if we can speed up the process.


Master Thesis

8 Appendix.

Here comes the Mathematica codes which have been used to implement thegoals of the thesis.

• If we want to add two points on an elliptic curve, we use the followingcodes:

addpoints [{ x1 , y1 } , {x2 , y2 } , a , b , p ] :=

Module [ { \ [ Lambda ] , x3 , y3 } ,Quiet [

I f [Mod[ 4 aˆ3 + 27 bˆ2 , p ] == 0 , Pr int [ ” The curve i s s i n g u l a r ! ” ] ;Abort [ ] ] ;

I f [Mod[ y1ˆ2 − x1ˆ3 − a x1 − b , p ] != 0 | |Mod[ y2ˆ2 − x2ˆ3 − a x2 − b , p ] != 0 ,

Pr int [ ” Error : Point ( s ) not on curve ! ” ] ; Abort [ ] ] ;I f [{ x1 , y1} == {\ [ I n f i n i t y ] , \ [ I n f i n i t y ]} , Return [{ x2 , y2 } ] ;Break [ ] ] ;

I f [{ x2 , y2} == {\ [ I n f i n i t y ] , \ [ I n f i n i t y ]} , Return [{ x1 , y1 } ] ;Break [ ] ] ;

I f [ x1 == x2 && y1 == Mod[−y2 , p ] ,Return [ { \ [ I n f i n i t y ] , \ [ I n f i n i t y ] } ] ; Break [ ] ] ;

I f [{ x1 , y1} == {x2 , y2 } , \ [ Lambda ] =Mod[ ( 3 x1ˆ2 + a ) PowerMod [ 2 y1 , −1, p ] , p ] , \ [ Lambda ] =Mod [ ( y2 − y1 ) PowerMod [ x2 − x1 , −1, p ] , p ] ] ;

x3 = Mod [ \ [ Lambda ]ˆ2 − x1 − x2 , p ] ;y3 = Mod [ \ [ Lambda ] ( x1 − x3 ) − y1 , p ] ;{x3 , y3 } ]

]

• In order to multiply a point on an elliptic curve with an integer, we usethe following codes:

multpoint [ n , {x , y } , a , b , p ] :=

Module [{ double , base2 , rounds , x2 , y2 , neg } ,neg = n < 0 ;{x2 , y2} = {x , y } ;


Master Thesis

double = {} ;base2 = Reverse [ I n t e g e r D i g i t s [ Abs [ n ] , 2 ] ] ;Do [

AppendTo [ double , {x2 , y2 } ] ;{x2 , y2} = addpoints [{ x2 , y2 } , {x2 , y2 } , a , b , p ] ,{Length [ base2 ] } ] ;{x2 , y2} = {\ [ I n f i n i t y ] , \ [ I n f i n i t y ] } ;Do [

I f [ base2 [ [ i ] ] == 1 , {x2 , y2} =addpoints [{ x2 , y2 } , double [ [ i ] ] , a , b , p ] ] ,

{ i , Length [ base2 ] } ] ;I f [ neg , Return [{ x2 , p − y2 } ] , Return [{ x2 , y2 } ] ]]

• In order to subtract two points i.e., (x1, y1)− (x2, y2):

s u b t r a c t p o i n t s [{ x1 , y1 } , {x2 , y2 } , a , b , p ] :=Module [{} ,

I f [ x2 == \ [ I n f i n i t y ] , Return [{ x1 , y1 } ] ] ;I f [ x1 == \ [ I n f i n i t y ] , I f [ x2 == \ [ I n f i n i t y ] ,

Return [ { \ [ I n f i n i t y ] , \ [ I n f i n i t y ] } ] ,Return [{ x2 , Mod[−y2 , p ] } ] ] ;

I f [{ x1 , y1} == {x2 , y2 } , Return [ { \ [ I n f i n i t y ] , \ [ I n f i n i t y ] } ] ] ] ;addpoints [{ x1 , y1 } , {x2 , Mod[−y2 , p ]} , a , b , p ]]

• In order to find the order of the curve:

OrderOfCurve [ a , b , p ] :=I f [Mod[ 4 aˆ3 + 27 bˆ2 + b , p ] == 0 , Pr int [ ” The curve i s s i n g u l a r ! ” ] ,p + 1 + Sum[ JacobiSymbol [ xˆ3 + a x + b , p ] , {x , 0 , p − 1 } ] ]

• We can find the order of a point by using the following codes:

OrderOfPoint [{ x , y } , a , b , p ] :=Module [{ cand idate s } ,

I f [Mod[ 4 aˆ3 + 27 bˆ2 , p ] == 0 , Pr int [ ” The curve i s s i n g u l a r ! ” ] ;Abort [ ] ] ;

I f [Mod[ yˆ2 − xˆ3 − a x − b , p ] != 0 ,Pr int [ ” Error : Point not on curve ! ” ] ; Abort [ ] ] ;


Master Thesis

cand idate s = D i v i s o r s [ OrderOfCurve [ a , b , p ] ] ;Do [

I f [ multpoint [ cand idate s [ [ i ] ] , {x , y} , a , b ,p ] == {\ [ I n f i n i t y ] , \ [ I n f i n i t y ]} , Return [ cand idates [ [ i ] ] ] ;

Break [ ] ] ,{ i , Length [ cand idates ] } ]

]

• If we want to find some random elliptic curves which their primes arechosen from an interval such as [A,B] where A,B ∈ N then we will usethe following codes:

RandomEll iptic [ s e ed ] := Module [{p , a , b , x , y , pointP , pointQ } ,SeedRandom [ seed ] ;p = RandomPrime [{A, B} ] ;{a , b} = {0 , 0} ;While [Mod[ 4 aˆ3 + 27 bˆ2 , p ] == 0 ,{a , x , y} = RandomChoice [ Range [ 0 , p − 1 ] , 3 ] ;b = Mod[ yˆ2 − xˆ3 − a x , p ] ] ;

pointP = {x , y } ;pointQ =

multpoint [ RandomInteger [ Floor [ p + 1 − 2 Sqrt [ p ] ] ] , pointP , a , b , p ] ;{a , b , p , pointP , OrderOfPoint [{ x , y} , a , b , p ] , pointQ } ]

• Now we have two more codes; Bs.Gs. and Pollard’s Rho codes respectively:

c u r v e l i s t = Table [ RandomEll iptic [ h ] , {h , 1 , 1 0 0} ] ;l i s t o f r e s u l t 1 = {} ;Do [{ a , b , p , P, order , Q} = c u r v e l i s t [ [ i ] ] ;

m = C e i l i n g [ Sqrt [ Floor [ p + 1 + 2 Sqrt [ p ] ] ] ] ;AppendTo [ l i s t o f r e s u l t 1 ,

Timing [I n t e r s e c t i o n [Table [ multpoint [ l , P, a , b , p ] , { l , 1 , m − 1} ] ,Table [ s u b t r a c t p o i n t s [Q, multpoint [m∗ j , P, a , b , p ] , a , b , p ] ,{ j , 0 , m − 1 } ] ] ]

] ,{ i , 1 0 0} ] ;

AND


Master Thesis

c u r v e l i s t = Table [ RandomEll iptic [ h ] , {h , 1 , 1 0 0} ] ;l i s t o f r e s u l t 1 = {} ;Do [{ a , b , p , P, order , Q} = c u r v e l i s t [ [ i ] ] ;{ t , s } = RandomSample [ Range [ order ] , 2 ] ;AppendTo [ l i s t o f r e s u l t 1 , Timing [ { \ [ Alpha ] , \ [ Beta ]} = {1 , 0} ;

j = 1 ;{\ [ Alpha ] , \ [ Beta ]} =Mod[ nextpo int [ a , b , p , P, Q, {\ [ Alpha ] , \ [ Beta ]} , { t , s } ] ,

o rder ] ;R1 = getpo in t [ { \ [ Alpha ] , \ [ Beta ]} , P, Q, a , b , p ] ;{\ [Gamma] , \ [ Delta ]} =Mod[ nextpo int [ a , b , p , P, Q, {\ [ Alpha ] , \ [ Beta ]} , { t , s } ] ,

o rder ] ;R2 = getpo in t [ { \ [Gamma] , \ [ Delta ]} , P, Q, a , b , p ] ;While [ R1 != R2 && j <= 1000 ,{\ [ Alpha ] , \ [ Beta ]} =Mod[ nextpo int [ a , b , p , P, Q, {\ [ Alpha ] , \ [ Beta ]} , { t , s } ] , o rder ] ;

R1 = getpo in t [ { \ [ Alpha ] , \ [ Beta ]} , P, Q, a , b , p ] ;Do [ { \ [Gamma] , \ [ Delta ]} =

Mod[ nextpo int [ a , b , p , P, Q, {\ [Gamma] , \ [ Delta ]} , { t , s } ] ,o rder ] ;

R2 = getpo in t [ { \ [Gamma] , \ [ Delta ]} , P, Q, a , b , p ] , { 2 } ] ; j ++];I f [ R1 == R2 , {\ [ Alpha ] , \ [ Beta ] , \ [Gamma] , \ [ Delta ] } ] ] ] , { i , 100} ]

where the codes of getpoint and nextpoint are the following:

ge tpo in t [ { \ [ Alpha ] , \ [ Beta ] } , P , Q , a , b , p ] :=addpoints [ multpoint [ \ [ Alpha ] , P, a , b , p ] ,

multpoint [ \ [ Beta ] , Q, a , b , p ] , a , b ,p ] ; ( ∗ computes \ [ Alpha ]P + \ [ Beta ]Q on the curve ∗)

AND

nextpo int [ a , b , p , pointP , pointQ , {m , n } , { t , s } ] :=

Module [{ nextx } ,nextx = F i r s t [ g e tpo in t [{m, n} , pointP , pointQ , a , b , p ] ] ;I f [ nextx == \ [ I n f i n i t y ] , Return [{0 , 0} ] ,Which [ 0 <= nextx < p/3 , Return [{m + t , n } ] , p/3 <= nextx < 2 p/3 ,

Return [{2 m, 2 n } ] , 2 p/3 <= nextx < p , Return [{m, n + s } ] ] ] ]


Master Thesis

References

[1] Bai, S. and Brent, R.P., 2008, January. On the efficiency of Pollard’s rhomethod for discrete logarithms. In Proceedings of the fourteenth symposiumon Computing: the Australasian theory-Volume 77 (pp. 125-131). AustralianComputer Society, Inc.

[2] Blake, I., Seroussi, G. and Smart, N., 1999. Elliptic Curves in Cryptography,volume 265 of London Mathematical Society Lecture Note Series. Vancouver

[3] Blumenfeld, A., 2015. Pollard’s Rho Algorithm for Elliptic Curves.

[4] Brumley, B.B. and Tuveri, N., 2011. Remote timing attacks are still prac-tical. In Computer Security–ESORICS 2011 (pp. 355-371). Springer BerlinHeidelberg.

[5] Damico, T. (2009). A Brief History of Cryptography. Student Pulse, [on-line] 1(11). Available at: http://www.studentpulse.com/articles/41/a-brief-history-of-cryptography [Accessed 29 Apr. 2016].

[6] Diffie, W. and Hellman, M. (1976). New directions in cryptography. IEEETrans. Inform. Theory, 22(6), pp.644-654.

[7] Diffie, W 1992, ’The first ten years of public key cryptology’, ContemporaryCryptology.

[8] Ellis, JH 1999, ’THE HISTORY OF NON-SECRET ENCRYPTION’,Cryptologia, 23, 3, p. 267, Publisher Provided Full Text Searching File.

[9] Fangguo, Z, & Ping, W 2013, ’Speeding up elliptic curve discrete logarithmcomputations with point halving’, Designs, Codes And Cryptography, 67, 2,pp. 197-208.

[10] Fraleigh, J, & Katz, V 2003, A First Course In Abstract Algebra, n.p.:Boston, Mass. : Addison-Wesley, cop. 2003.

[11] Goos, G, Hartmanis, J, Barstow, D, Brauer, W, Brinch Hansen, P, Gries,D, Luckham, D, Moler, C, Pnueli, A, Seegmuller, G, Stoer, J, Wirth, N,Williams, H, & Miller, V 1986, ’Use of Elliptic Curves in Cryptography’,Advances in Cryptology - CRYPTO – 85 Proceedings p. 417 n.p.: Supple-mental Index.

[12] Guajardo, J, & Paar, C 1997, ’Efficient algorithms for elliptic curve cryp-tosystems’, Advances In Cryptology—CRYPTO ’97 (Santa Barbara, CA,1997).

[13] Hoffstein, J, Pipher, J, & Silverman, J 2008, An Introduction To Math-ematical Cryptography. [Electronic Resource], n.p.: New York ; London :Springer, 2008.


Master Thesis

[14] Johnson, D.B. and Menezes, A.J., 1998, January. Elliptic curve DSA(ECDSA): an enhanced DSA. In Proceedings of the 7th conference onUSENIX Security Symposium (Vol. 7, pp. 13-23).

[15] Johnson, D., Menezes, A. and Vanstone, S., 2001. The elliptic curve digitalsignature algorithm (ECDSA). International Journal of Information Secu-rity, 1(1), pp.36-63.

[16] Kahn, D 1967, The Code Breakers: The Story Of Secret Writing, London:Weidenfeld & Nicolson, MLA International Bibliography

[17] Koblitz, N 1987, ’Elliptic Curve Cryptosystems’, Mathematics of Compu-tation, 177, p. 203, JSTOR Journals

[18] Koblitz, N, & Menezes, A 1998, Algebraic Aspects Of Cryptography, n.p.:Berlin : Springer, cop. 1998.

[19] Kohel, D.R. and Shparlinski, I.E., 2000, July. On exponential sums andgroup generators for elliptic curves over finite fields. In International Algo-rithmic Number Theory Symposium (pp. 395-404). Springer Berlin Heidel-berg.

[20] Medwed, M. and Oswald, E., 2008. Template attacks on ECDSA. In Infor-mation Security Applications (pp. 14-27). Springer Berlin Heidelberg.

[21] Menezes, A., Qu, M., Stinson, D. and Wang, Y., 2001. Evaluation of Secu-rity Level of Cryptography: ECDSA Signature Scheme. Certicom Research.January, 15.

[22] Menezes, A.J., 2012. Elliptic curve public key cryptosystems (Vol. 234).Springer Science & Business Media.

[23] Menezes, A.J., Van Oorschot, P.C. and Vanstone, S.A., 1997. Handbook ofApplied Cryptography. Series on discrete mathematics and its applications.

[24] Pagni, D 2007, ’The Code Book: The Science of Secrecy from AncientEgypt to Quantum Cyrptography’, Journal Of Chemical Education, 84, 6, p.916.

[25] Pfitzmann, B. (1996). Digital signature schemes. Berlin: Springer.

[26] Pollard, J.M., 1978. Monte Carlo methods for index computation (mod p).Mathematics of computation, 32(143), pp.918-924.

[27] Rashidi, B, Sayedi, S, & Farashahi, R 2016, ’High-speed hardware archi-tecture of scalar multiplication for binary elliptic curve cryptosystems’, Mi-croelectronics Journal, 52, pp. 49-65.

[28] Seet, M.Z., 2007. ELLIPTIC CURVE CRYPTOGRAPHY (Doctoral dis-sertation, School of Mathematics and Statistics, The University of NewSouth Wales).


Master Thesis

[29] Schoof, R., 1985. Elliptic curves over finite fields and the computation ofsquare roots mod p. Mathematics of computation, 44(170), pp.483-494.

[30] Shanks, D., 1971. Class number, a theory of factorization, and genera. InProc. Symp. Pure Math (Vol. 20, pp. 415-440).

[31] Shparlinski, I.E. and Voloch, J.F., 2011. Generators of elliptic curves overfinite fields. Preprint.

[32] Silverman, J.H., 2005. Elliptic curves and cryptography. In PROCEED-INGS OF SYMPOSIA IN APPLIED MATHEMATICS (Vol. 62, p. 91).

[33] Singh, S., 2011. The code book: the science of secrecy from ancient Egyptto quantum cryptography. Anchor.

[34] Teske, E., 1998. Speeding up Pollard’s rho method for computing discretelogarithms (pp. 541-554). Springer Berlin Heidelberg.

[35] Wang, X., Yin, Y.L. and Yu, H., 2005, August. Finding collisions in thefull SHA-1. In Advances in Cryptology–CRYPTO 2005 (pp. 17-36). SpringerBerlin Heidelberg.

[36] Washington, LC 2008, Elliptic Curves. Number Theory And Cryptography,n.p.: Boca Raton, Fla. [u.a.] CRC Press 2008.

[37] Woei-Jiunn, T, & Chih-Ho, C 2005, ’Efficient algorithms for speeding upthe computations of elliptic curve cryptosystems’, Applied Mathematics AndComputation, 168, 2, pp. 1045-1064.

[38] Zhang, F. and Wang, P., 2013. Speeding up elliptic curve discrete logarithmcomputations with point halving. Designs, codes and cryptography, 67(2),pp.197-208.


!

!

Faculty of Technology SE-391 82 Kalmar | SE-351 95 Växjö Phone +46 (0)772-28 80 00 [email protected] Lnu.se/faculty-of-technology?l=en

points of high order on elliptic curves - diva...

Documents