# Elliptic-curve cryptography

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security.

[TOC]

## Elliptic curves

$$y^2 = x^3 + ax + b$$

## The elliptic-curve group

$$nP = \underbrace{P + P + \cdots + P}_{n\ \text{times}}$$

## Elliptic curves over finite fields

$$y^2 = x^3 + ax + b \bmod{p}$$

### Points and point addition

#### Modular arithmetic

• $(18 + 9) \bmod 23 = 4$
• $(7 - 14) \bmod 23 = 16$
• $(4 \cdot 7) \bmod 23 = 5$
• $9^{-1} \bmod 23 = 18$

$(9 \cdot 9^{-1}) \bmod 23 = (9 \cdot 18) \bmod 23 = 1$

#### Algebraic addition

$P = (x_p,y_p)$

$Q = (x_q,y_q)$

$R = (x_r,y_r)$

$$P+Q = -R$$

$$x_r = (m^2-x_p-x_q) \bmod{p}$$

$$y_r = [y_p+m(x_r-x_p)]\bmod{p}$$

Here $m$ is the slope of the line through $P$ and $Q$: $m = (y_q - y_p)(x_q - x_p)^{-1} \bmod p$ when $P \neq Q$, and the tangent slope $m = (3x_p^2 + a)(2y_p)^{-1} \bmod p$ when $P = Q$. The result of the addition is $-R = (x_r, -y_r \bmod p)$.

### Scalar multiplication

$$nP = \underbrace{P + P + \cdots + P}_{n\ \text{times}}$$

• $0P = O = (\infty,\infty)$
• $1P = P = (3,6)$
• $2P = P + P = (80,10)$
• $3P = 2P +P = (80,87)$
• $4P = 2 \cdot 2P = (3,91)$
• $5P = O$
• $6P = 5P +P = P$
• $7P = 5P+2P = 2P$
• $8P = 5P +3P =3P$
• $9P = 5P + 4P = 4P$
• ...

Cyclic subgroups are the foundations of ECC and other cryptosystems.

### Subgroup order

#### Definition

The order of $P$ is the smallest positive integer $n$ such that $nP = 0$. In fact, if you look at the previous example, our subgroup contained five points, and we had $5P = 0$.

#### Properties

The order of $P$ is linked to the order of the elliptic curve by Lagrange's theorem, which states that the order of a subgroup is a divisor of the order of the parent group.

In other words, if an elliptic curve contains $N$ points and one of its subgroups contains $n$ points, then $n$ is a divisor of $N$, so $N \bmod n = 0$.

#### Computing the order

1. Compute the order $N$ of the elliptic curve with Schoof's algorithm
2. Find all the divisors of $N$
3. For every divisor $n$ of $N$, compute $nP$
4. The smallest $n$ with $nP = 0$ is the order of the subgroup

For example, the curve $y^2 = x^3 - x + 3$ over the field $F_{37}$ has order $N = 42$. Its subgroups may have order 1, 2, 3, 6, 7, 14, 21 or 42. If we try $P = (2,3)$, we can see that $1P \neq 0$, $2P \neq 0$, $3P \neq 0$, $6P \neq 0$, $7P = 0$, so the order of $P$ is 7.

#### Finding a base point

1. Compute the order $N$ of the elliptic curve
2. Choose a prime divisor $n$ of $N$
3. Compute the cofactor $h = N/n$
4. Choose a random point $P$ on the curve
5. Compute $G = hP$
6. If $G = 0$, go back to step 4 and choose another point $P$. Otherwise we have found a subgroup of order $n$ with base point $G$

### The discrete logarithm problem

What makes ECC interesting is that, as of today, the discrete logarithm problem for elliptic curves seems to be "harder" if compared to other similar problems used in cryptography.

The elliptic-curve discrete logarithm problem is harder to solve than those other problems.

## ECDH and ECDSA

### Domain parameters

Our elliptic curve algorithms will work in a cyclic subgroup of an elliptic curve over a finite field.

• The prime $p$ that specifies the finite field
• The coefficients $a$ and $b$ of the curve equation
• The base point $G$ that generates the subgroup
• The order $n$ of the subgroup
• The cofactor $h$ of the subgroup

Generation of $a$ and $b$

### Elliptic-curve cryptography (ECC)

• The private key is a random integer $d$ chosen from $\{1, 2, \cdots, n-1\}$ (where $n$ is the order of the subgroup).
• The public key is the point $H = dG$ (where $G$ is the base point of the subgroup).

#### ECDH

ECDH is a variant of the Diffie-Hellman algorithm; it is a key-agreement protocol rather than an encryption scheme. Use case: two parties need to exchange information securely, so that a third party who intercepts it cannot decipher it. This is one of the principles behind TLS.

1. Alice and Bob generate their own private and public keys. Alice has the private key $d_A$ and the public key $H_A = d_A G$; Bob has the private key $d_B$ and the public key $H_B = d_B G$. Alice and Bob use the same domain parameters: the same base point, the same curve and the same finite field.
2. Alice and Bob exchange their public keys $H_A$ and $H_B$ over an insecure channel. Even if a man in the middle intercepts $H_A$ and $H_B$, they cannot recover the private keys $d_A$ and $d_B$ without solving the discrete logarithm problem.
3. Alice calculates $S = d_A H_B$ and Bob calculates $S = d_B H_A$. Note that they obtain the same $S$.

$$S=d_AH_B=d_A(d_BG)=d_B(d_AG)=d_BH_A$$

##### Playing with ECDH

- $p$ = 0xffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f
- $a$ = 0
- $b$ = 7
- $x_G$ = 0x79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798
- $y_G$ = 0x483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8
- $n$ = 0xffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141
- $h$ = 1

```
Curve: secp256k1
Alice's private key: 0xe32868331fa8ef0138de0de85478346aec5e3912b6029ae71691c384237a3eeb
Alice's public key: (0x86b1aa5120f079594348c67647679e7ac4c365b2c01330db782b0ba611c1d677, 0x5f4376a23eed633657a90f385ba21068ed7e29859a7fab09e953cc5b3e89beba)
Bob's private key: 0xcef147652aa90162e1fff9cf07f2605ea05529ca215a04350a98ecc24aa34342
Bob's public key: (0x4034127647bb7fdab7f1526c7d10be8b28174e2bba35b06ffd8a26fc2c20134a, 0x9e773199edc1ea792b150270ea3317689286c9fe239dd5b9c5cfd9e81b4b632)
Shared secret: (0x3e2ffbc3aa8a2836c1689e55cd169ba638b58a3a18803fcf7de153525b28c3cd, 0x43ca148c92af58ebdb525542488a4fe6397809200fe8c61b41a105449507083)
```

##### ECDSA digital signatures

Alice signs a document with her private key $d_A$, and Bob verifies it with Alice's public key $H_A$.

ECDSA operates on the hash of the message rather than on the message itself. Any cryptographically secure hash function can be chosen. The hash must be truncated to the bit length of the subgroup order $n$: for example, with the 256-bit $n$ above the hash must also be 256 bits. The truncated hash is interpreted as the integer $z$.

1. Choose a random integer $k \in \{1, 2, \cdots, n-1\}$, where $n$ is the order of the subgroup
2. Compute the point $P = kG$, where $G$ is the base point of the subgroup
3. Compute $r = x_P \bmod n$, where $x_P$ is the x-coordinate of $P$
4. If $r = 0$, choose another $k$
5. Compute $s = k^{-1}(z + r d_A) \bmod n$, where $d_A$ is Alice's private key
6. If $s = 0$, choose another $k$

The pair $(r, s)$ is the signature.

##### ECDSA signature verification

Alice signed the hash $z$ with her private key $d_A$ and the random integer $k$; Bob verifies the signature with Alice's public key $H_A$.

1. Compute the integer $u_1 = s^{-1} z \bmod n$
2. Compute the integer $u_2 = s^{-1} r \bmod n$
3. Compute the point $P = u_1 G + u_2 H_A$

The signature is valid only if $r = x_P \bmod n$.

###### Proof

$$\begin{aligned} P &= u_1 G + u_2 H_A \\ &= u_1 G + u_2 d_A G \\ &= (u_1 + u_2 d_A) G \\ &= (s^{-1} z + s^{-1} r d_A) G \\ &= s^{-1} (z + r d_A) G \\ &= kG \end{aligned}$$

The last step uses $s = k^{-1}(z + r d_A) \bmod n$ from signing, so $s^{-1}(z + r d_A) = k$; hence $x_P \bmod n = r$, which is exactly what the verifier checks.

###### The importance of $k$

If the same $k$ is used to sign two different hashes $z_1$ and $z_2$, giving signatures $(r_1, s_1)$ and $(r_2, s_2)$, then:

1. $r_1 = r_2$, because both signatures use the same point $P = kG$
2. By step 5 of signing, $(s_1 - s_2) \bmod n = k^{-1}(z_1 - z_2) \bmod n$
3. Multiplying both sides by $k$ gives $k(s_1 - s_2) \bmod n = (z_1 - z_2) \bmod n$
4. Dividing both sides by $(s_1 - s_2)$ gives $k = (z_1 - z_2)(s_1 - s_2)^{-1} \bmod n$

With $k$ known, the signing equation yields the private key:

$$s = k^{-1}(z + r d_A) \bmod n \Rightarrow d_A = r^{-1}(sk - z) \bmod n$$

### Breaking the security

#### Baby-step, giant-step

$$\begin{aligned} Q &= xP \\ Q &= (am + b) P \\ Q &= amP + bP \\ Q - amP &= bP \end{aligned}$$

1. Compute $m = \lceil \sqrt{n} \rceil$
2. For every $b \in \{0, 1, \cdots, m\}$, compute $bP$ (the baby steps)
3. For every $a \in \{0, 1, \cdots, m\}$ (the giant steps):
4. compute $amP$
5. compute $Q - amP$
6. check whether some $bP$ from step 2 equals $Q - amP$
7. If so, we have found $x = am + b$
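The following is an added example and not code from the original notes: a small Python implementation of the pieces described above, so that the formulas can be checked against the numbers in the notes. It covers the algebraic point addition with the slope $m$, scalar multiplication (reproducing the $1P \ldots 5P$ table), a brute-force point count standing in for Schoof's algorithm together with the divisor-based subgroup order, ECDH and ECDSA on the secp256k1 parameters listed under "Playing with ECDH", and baby-step giant-step on the toy curve. Assumptions: the toy curve $y^2 = x^3 + 2x + 3$ over $F_{97}$ is taken to be the curve behind the $P = (3, 6)$ table (the notes do not state it), SHA-256 is the hash, and all function and constant names are the example's own.

```python
# Added example, not code from the original notes: the curve arithmetic and
# protocols the notes describe, in plain Python. Assumed: the toy curve
# y^2 = x^3 + 2x + 3 over F_97 is the one behind the notes' table P = (3,6).
import hashlib
import math
import secrets
from collections import namedtuple

Curve = namedtuple("Curve", "p a b")      # field prime p, coefficients a and b
O = None                                   # the point at infinity (O in the notes)
TOY = Curve(p=97, a=2, b=3)                # assumed curve of the 1P..5P table

def _hex(groups):                          # parse hex groups as the notes print them
    return int(groups.replace(" ", ""), 16)

# secp256k1 domain parameters, copied from the "Playing with ECDH" list.
SECP256K1 = Curve(p=_hex("ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff fffffffe fffffc2f"), a=0, b=7)
SECP_G = (_hex("79be667e f9dcbbac 55a06295 ce870b07 029bfcdb 2dce28d9 59f2815b 16f81798"),
          _hex("483ada77 26a3c465 5da4fbfc 0e1108a8 fd17b448 a6855419 9c47d08f fb10d4b8"))
SECP_N = _hex("ffffffff ffffffff ffffffff fffffffe baaedce6 af48a03b bfd25e8c d0364141")

def inv(x, m):                             # x^-1 mod prime m (Fermat); inv(9, 23) == 18
    return pow(x % m, m - 2, m)

def add(c, P, Q):
    """P + Q via the slope m: R = (x_r, y_r) as in the notes, result is -R."""
    if P is O or Q is O:                   # O is the identity element
        return Q if P is O else P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % c.p == 0:  # Q = -P, so the sum is O
        return O
    if P == Q:                             # tangent slope when doubling
        m = (3 * xp * xp + c.a) * inv(2 * yp, c.p) % c.p
    else:                                  # chord slope through P and Q
        m = (yq - yp) * inv(xq - xp, c.p) % c.p
    xr = (m * m - xp - xq) % c.p
    yr = (yp + m * (xr - xp)) % c.p
    return (xr, -yr % c.p)

def mul(c, k, P):
    """kP by double-and-add: O(log k) additions instead of k of them."""
    acc = O
    while k:
        if k & 1:
            acc = add(c, acc, P)
        P = add(c, P, P)
        k >>= 1
    return acc

def count_points(c):                       # brute-force N; Schoof's algorithm for real p
    roots = [0] * c.p                      # roots[v] = number of y with y^2 = v
    for y in range(c.p):
        roots[y * y % c.p] += 1
    return 1 + sum(roots[(x**3 + c.a * x + c.b) % c.p] for x in range(c.p))

def order(c, P, N):                        # smallest divisor n of N with nP = O (Lagrange)
    return min(d for d in range(1, N + 1) if N % d == 0 and mul(c, d, P) is O)

def hash_to_int(msg, n):                   # z: SHA-256 truncated to the bit length of n
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> max(0, 256 - n.bit_length())

def sign(c, G, n, d, msg):
    """ECDSA signing, steps 1-6 of the notes; a fresh random k for every signature."""
    z = hash_to_int(msg, n)
    while True:
        k = 1 + secrets.randbelow(n - 1)
        r = mul(c, k, G)[0] % n
        s = inv(k, n) * (z + r * d) % n
        if r and s:                        # steps 4 and 6: retry on r = 0 or s = 0
            return (r, s)

def verify(c, G, n, H, msg, sig):
    """ECDSA verification: P = u1 G + u2 H must satisfy x_P mod n == r."""
    r, s = sig
    if not (0 < r < n and 0 < s < n):      # reject out-of-range values before any math
        return False
    z = hash_to_int(msg, n)
    u1, u2 = inv(s, n) * z % n, inv(s, n) * r % n
    P = add(c, mul(c, u1, G), mul(c, u2, H))
    return P is not O and P[0] % n == r

def bsgs(c, P, Q, n):
    """Baby-step giant-step: x with xP = Q in about sqrt(n) steps, or None."""
    m = math.isqrt(n) + 1                  # ceil(sqrt(n)) suffices
    baby, R = {}, O
    for b in range(m + 1):                 # baby steps: remember bP for b = 0..m
        baby.setdefault(R, b)
        R = add(c, R, P)
    mP = mul(c, m, P)
    neg_mP = O if mP is O else (mP[0], -mP[1] % c.p)
    R = Q
    for a in range(m + 1):                 # giant steps: test Q - amP against the table
        if R in baby:
            return (a * m + baby[R]) % n
        R = add(c, R, neg_mP)
    return None
```

`mul(TOY, k, (3, 6))` for `k = 1..5` reproduces the table in the scalar-multiplication section, `order(TOY, (3, 6), count_points(TOY))` returns 5, and `mul(SECP256K1, SECP_N, SECP_G)` returns the point at infinity, confirming the listed $n$. `bsgs` on the order-5 toy subgroup needs a handful of additions; on secp256k1 the same algorithm would need about $2^{128}$ of them, which is why the key-size table in the next section pairs a 256-bit curve with 3072-bit RSA. `sign` draws a fresh $k$ from `secrets` for every signature, the property the section on the importance of $k$ depends on; deriving $k$ deterministically from the key and the hash (RFC 6979) is the standard way to remove that dependence on the random number generator. `verify` rejects out-of-range $r$ and $s$ before doing any curve arithmetic.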

#### ECC and RSA

| RSA key size (bits) | ECC key size (bits) |
|---|---|
| 1024 | 160 |
| 2048 | 224 |
| 3072 | 256 |
| 7680 | 384 |
| 15360 | 521 |

### Other curves

#### Koblitz curves over binary fields

$y^2 + xy = x^3 + ax^2 + 1$, where $a$ is 0 or 1, over a binary field with $2^m$ elements, where $m$ is prime

#### Binary curves

$y^2 + xy = x^3 + x^2 + b$, where $b$ is a randomly generated integer