 Okay, we'll just continue now with the next thing which is ECC, the introduction to elliptic curve cryptography. So elliptic curve optimization is another area which I work with some of my students. So again, some of this thing a little bit later will get spicy, but let's look at the basics. So we know that there is one public key algorithm, everybody knows about that and that's RSA. However, ECC has shown a lot of promise in terms of both security as well as speed. So you can have much smaller keys and for the same level of security, which means less computation. And as we know before, computation is a big issue with public key cryptography. Roughly 100 to 1000 times more time intensive compared to secret key cryptography. So in this talk, we consider elliptic curves over three different fields. The field of real numbers, the prime fields, and finally binary fields. An elliptic curve over reals includes all points that satisfy the equation. Y square is equal to XQ plus AS plus B, where 4AQ plus 27B square is not equal to 0. Interestingly enough, the elliptic curve also includes a very special point, an abstract point called the point at infinity. We'll just designate it as 0 here. This is an example of an EC over reals, over real fields. All sorts of strange shapes, here it's in two pieces. There are two things that we need to define are unary negation and point addition. So the first thing is simple and I'm talking about elliptic curves over real fields, if the coordinates of a point P are X and Y, then the negative of that point is very simple, just X and minus Y. So the negative corresponds to doing the inverse in groups. So minus P is simply X comma minus Y. Now to add two points on the elliptic curve, let us see how that is done geometrically. So I want to add two points on this curve A and B. What is the sum of these two points? It turns out that the pictorial representation is just connect A and B and then extend that line. It is guaranteed to hit at a third point under most conditions. We'll see where it doesn't. So it hits the elliptic curve at a third point and then just take the mirror image across the X axis and that is the sum of A and B. So this thing, this point over here is the sum of A and B and this point is the negative of that sum. So this is minus C. This is C equals A plus B and this is minus C. So this is a nice geometrical representation of the addition of two points on the EC. Now here are the formulas. So we won't derive it over here, but it's derived in the book. If P is X1, Y1 and Q is X2, Y2, then R, the sum of these two with coordinates X3, Y3 satisfies the following. X3 is equal to S square minus X1 minus X2 and Y3 is equal to this stuff. Where S is basically the slope and we very well know from high school arithmetic that the slope is Y2 minus Y1 divided by X2 minus X1. So this is the slope. So these are given to you and this is what we need to find out. So we find out using these expressions where S is this thing. So this is the operation of addition of two points and the doubling of a point. I want to add A to itself. So what do I do? A to itself, A to B was I connected A and B. Now A to itself means two points over here that are almost the same. Basically that is a tangent at this point. So I draw a tangent at this point A to see where it hits the curve and this thing is minus 2A and as before you take the mirror image and this is actually 2A. So these are the three operations right now that are going to be important in cryptography. Number one is negation, point negation, point addition and point doubling. And there is an expression for this thing, X2 in terms of so if X1 and Y1 are the coordinates of a point then the double of that point has coordinates X2, Y2 given by these equations. What are X1, Y1 and so on these coordinates? They are elements of the field of real numbers. So we are talking about elliptic curves. Initially we are talking about elliptic curves defined over reals. But the field of real numbers is an infinite field. In cryptography we are interested in fields that are finite but of course very very large fields. So now we have to move to elliptic curves over primes. So there are two of them, elliptic curves over prime fields and elliptic curves over binary fields. Both of them are used in cryptography. So now fortunately for us the formulas for addition and doubling are the same. If you are talking about elliptic curves over prime fields, those formulas are the same as those that we derived for elliptic curves over real fields. And the equation is also the same. Y2 is equal to XQ plus AX plus B but only thing here we use modular P. So what is this field? This field has got P elements from 0 to P minus 1. Where 4AQ plus 27B square is not equal to 0. It turns out the number of points on the elliptic curve is order P. Likewise we can define an elliptic curve over binary fields. We consider a small field in the case of AES, GF2 raise to 8. Over here these fields are going to be huge. M would be something like 300 bits. So 300, 2 raise to 300 for example. The equation is slightly different. Y2 plus XY is equal to XQ plus AX square plus B. All the variables and coefficients in the above equation are elements of this field and the calculations are performed. The addition and multiplication are field operations, not just normal arithmetic operations. So with that basic stuff, anybody has any questions before we can continue? So that is the basic theoretical background. Now we need to apply this stuff. It will always intersect. It will always be a third point unless it is a tangent. As we exchange the lines in the curve, suppose the line goes beyond the curve, the data is like that. That is what I am saying. It is guaranteed for these well behaved elliptic curves to intersect at the third point unless the third point is a tangent to one of those two points. I consider the case of the tangent in the book. Always the equation. You mean Y2, what are the coefficients? Those are actually given. There are certain standard things. So this is really in the field of mathematics. What is the value for A and B and so on? So they give us certain values which are known to have good properties and certain values that are about 12 curves which are already given to you. So all elliptic curve cryptography will use those specific curves on those specific fields. So what we do in computer science is we are given those values and now we do all our operations. We implement those operations and we try to implement them efficiently. So the question is how do we use this mathematics for encryption, decryption, signature generation, signature verification and of course also key exchange. Believe it or not, it is very similar to Diffie-Hellman. Why? Multiplication is addition. So everybody sees that. How do I adapt this idea? So first and foremost, the discrete log problem over well-chosen elliptic curves is infeasible. Now what does that statement mean? So this is Diffie-Hellman key exchange over elliptic curve groups. So the first thing that I didn't mention is that the points on an elliptic curve form a group. That's why I defined group before because we can't understand discrete logarithm unless we define a group. So the points on an elliptic curve form a group with the identity element being that special abstract element 0. So I claim that the discrete log problem on elliptic curves on well-chosen elliptic curves is infeasible. For the first question is what is the discrete log problem or the so-called EC discrete log problem, elliptic curve discrete log problem? Somebody had a question. Multiply it with integer. If you get another point, that is a public key. So it is very infeasible to find the integer. Very good. So just like we had seen, it's very analogous to what we had seen before. So we take a base point or a generator. So we have some elliptic curve. The group of these points, together with what operation forms a group, what do you think is the operation? Addition. So addition of two points. I've defined all of that pictorially and with formulas. So addition of two points on the elliptic curve, this thing forms a group. So now we find a generator of this group. And let's say the generator is this thing. Then when I say the discrete log problem is hard, what do I mean? I mean that if I give you this thing, so I give you the generator and I give you this thing, then guess what? It's impossible to find this. It's infeasible to find this. What is the meaning of this BG? It means G plus G plus G B times. The reason I say don't get intimidated is it's very similar to what you know already. What you know already was this group. G star G star G. You remember we computed this G raised to A, mod P equals something. And there we said you know this, you know this, and you know this, and we have to find out that. So you are given this thing, which is this multiplied by this, this mod P. I don't know how many times it's been multiplied. That is the problem. What is that number of times it's been multiplied A? The same thing over here. I'm giving you the point K, which corresponds to adding this G to itself B times. And I'm saying how many times did I add it to get K? So this is the discrete log problem. It's called the EC discrete log. And this is simply called discrete log. So now let's complete Diffie-Hellman for ECs. So given an EC over the field ZP with coefficients A and B, choose a base point G, a very large order. A chooses an integer A, her private key, and computes A times G. Nobody can make out what is A when she gives you G, and she gives you P, and she gives you A times G. There's no way you can find out what is A. Similarly, the other guy, he chooses an integer B, he computes BG, that is G plus G plus G B times, and he'll give you BG, that's his public key, and there's no way you can find out what is that little B. And what is the rest of Diffie-Hellman? So that first person gives the other guy AG, and B gives her BG, and what do you think they do? So he does AG plus AG plus AG B times, and she does BG plus BG plus BG A times. And guess what they get when they do this? A BG. A times B. So A B is a scalar, it's an integer, times that point. So computing that point is time-consuming. Computing the addition of two points, for example, is rather time-consuming, and you have to do this many, many times. So far, any questions? So the first application of elliptic curves, very similar to what you already know, nothing to get worried about. And guess what more you can do with it? You can do cryptography, there is encryption, decryption, signature generation, signature verification, which is just like your El Gamal encryption, which is, again, based on the discrete law. In fact, ECC curve has advantages over RSE in terms of speed. How does it faster than RSE, sir? First and foremost, you use much smaller key sizes. Does anybody know what are the key sizes in ECC? What is the minimum you use for the least amount of security? And then, of course, you can go beyond that. Anybody? 160. 160 or so. So right now, I think even that's a little insecure, so about 200 more or less. So about 200 bits, the least. And what is the least you use in RSE 1024? So the first thing is much smaller key sizes. That doesn't directly translate to computation time, but it's related. So not surprisingly, because public key cryptography in general is rather slow, there has been much effort around the world to try to bring the speed down, to try to increase the speed or to bring the time down. So that's what I'm going to talk to about next for the next five minutes or so. Before that, any questions? Can I proceed? Can we all think about how to do encryption with elliptic curves? Just take El Gamal and apply it over here. Very, very similar to the slide on El Gamal encryption. So you're given a message M represented as a point capital M. A chooses a random integer and computes the pair of points K times G and NM plus K times BG. What is BG? Public key of B. What is K? Random integer. So just very similar to El Gamal in the other case. This is also El Gamal, but on a different field. So you choose a random number K multiplied by the generator and then choose, then take the random number K multiplied by her public key or his public key and then add the point M, which is basically the message represented as a point. And so you get once again two pieces of the ciphertext. And the description is also very straightforward. So B must use his private key. So what does he do? He takes that second part M plus K BG and subtracts from that point. He then uses, he must use his private key. What is his private key? B. So minus B times the first component of the encrypted message. It's all very straightforward and simple. Exactly the same thing as El Gamal encryption. Sir, suppose I want to send my ATM password. So that message I need to convert into point. Yes. Are there any ways to convert? Yes, there are ways to convert it, but however those are time consuming. So what I've done is if you look at the book, you will see a way. It's called extended encryption standard. You look at that thing and you don't need to convert to a point. I'm just not showing you the whole thing because it will take time over here. But you please refer the book. So the question was, isn't this a pain to take the message and convert it into a point? Yes. So there are algorithms to do it, but there is also another algorithm, extended version of this thing that doesn't use this conversion. Just takes the point straight away, does some operations on it and computes the ciphertext. So if you see very carefully both key exchange and so on, there is one thing that occurs very frequently, and that is what's called scalar multiplication. The fact that you have to take some point, maybe the generator point or some other point, some intermediate point and keep adding to itself k times. So can I not speed this thing up? So here are some of the ways of doing it. So we represent this scalar multiplication. Again, I'm repeating the problem. The problem is can you do this fast? Take any point that's given to you on a particular elliptic curve and can you keep adding k times? That operation, this operation over here p plus p plus p k times is represented like this. It's called scalar multiplication. Can I somehow think of a way of speeding this up? So in the case of RSA, we use something called square and multiply. Over here, we use what's called double and add. Suppose we want to compute this thing, instead of computing this, multiply by this, multiply by this so many times, 82 times, this is completely ridiculous. What we do is we compute this thing, square and then the square of that and the square of that thing and so on and so forth and then just compute, since we want to raise it to the power of 82, we see what are the ones in the binary representation of 82, just choose those and simply multiply this. We just choose the right ones from over here. So we've done all the squareings, we just choose a couple of them and only multiply those and then we get this thing. So note that the number of multiplications and or squareings are greatly reduced because we use this strategy called double and add. So by analogy to that, if I've got an n-bit scalar, then the number of doublings would be roughly n minus 1. Suppose I want to do k times p. Then I represent k as a binary number and see how many bits are there in k. Let's suppose the number of bits is n. The number of doublings, everybody can see this, right? The number of doublings will be n minus 1 times d. This is the time for each doubling. I'm looking at the total computation time. So the time for each doubling is d and there are n minus 1 doublings. What are those things? p, 2p, 4p, etc. The number of these things is logarithmic with that scalar k. Logarithmic means number of bits used to represent that scalar k. So n minus 1 times d and how many additions do you require? Wherever there is a 1 in the representation of k, there's an addition. So on the average, half of them will be 0s, half of them will be 1s. So these are the number of additions. This is the time per addition. Then how to speed this up has become a very rich area in terms of research. So there are several ways of speeding it up. Can I decrease the number of additions, for example? And the first method is something called non-adjacent form, representing an integer in non-adjacent form. A very simple new representation will bring down this number on the average from n over 2 to n over 3. So that's the first triumph. It's a very old technique, I mean about 20 years ago. And then the window version of that thing. So as I said, this is a very, very rich area and there's been lots and lots of very bright minds around the world focusing on this. So one solution is to use what's called projective coordinates. And there are different types of these. Standard projective coordinates, Jacobian, and so on. Even before that, can you optimize the speed of field multiplication, squaring, and worst of worst is field inversion? So can you bring down these times? So inversion hurts you very badly. So can you somehow eliminate most of the inversions? That's how researchers thought about using projective coordinates and these are some examples of them. Some are for prime fields, some are for binary fields. Then using some special curves like cobalt's curves and the twisted Edward's curves. Another very creative idea, instead of using point doubling, can use point halving. So for that you need to solve some quadratic equations and fields and so on. Then a couple of years ago, there was some new representation called multi-base representation. Some work is even being done in India on this thing, multi-base representations. And as I said before, you have this NAF representation. It stands for Near Adjacent Form. And it's other version, which is even faster, called Window NAF. So the goal is once again to reduce the number of point additions. So here is one very simple example. Suppose the scalar was this. Then the number of, you can very well see over here. This thing is represented like this, 0 times this and so on. So if I'm talking about the number of doublings, the number of doublings is related to the length of the scalar. So it's like 1, 2, 3, 4, 5, 6, it's 5 doublings. And the number of additions unfortunately is quite large. This one, this one, this one, wherever you see a 1, that's a doubling. But guess what? You can represent the same thing as this number is, so this is 62, right? This number is 31 multiplied by 2, this is 0 here. So this is 62. You can represent it as 64 minus 2. Now what you see is a very interesting thing. Now the number of additions slash subtractions is just 1. Notice this interesting idea. I brought down the number of additions from so many, 1, 2, 3, 4, 5 to just 1. So this is the idea of this non-adjacent form. Now the question is, how do I get this representation? So again, I'm not going to get into the details of this thing. We do this in great detail. NAF and window NAF, this is just as an illustration. In the case of window NAF, you look at a window. Instead of just looking at 2 bits at a time, you look at 3 or 4 bits, etc. And then there is some amount of pre-computation, etc. But still it brings down the computation time even further, despite the pre-computations, which is all this stuff. There are some very interesting characteristics of the WNAF representation. There are at least W minus 1 zeros between 2 non-zeros in the WNAF representation of a scale out, for example. So the question is, how do you convert a normal binary representation to the WNAF representation? And how many zeros exist and so on and so forth? It turns out that in general, the number of additions is reduced drastically from k divided by 2 to k divided by W plus 1, where W is the window size. So again, nothing of our own over here. It's the standard stuff in the literature. Now this is our own idea. What we do is something we call near factorization. So this is what my students and myself worked on. In step 0, so we've got the scalar k. What we do is we represent k as d times q plus r, where d has a hamming weight less than or equal to 3. So d is the divisor, q is the quotient, and r is the remainder. This is given to us the scalar. So you have to perform k times p. So d has hamming weight less than or equal to 3, and the sum of the hamming weights of d, q, and r is minimized. So what we do is the first step is to compute this point q, which is the scalar product of q and this original point p. And then in the second step, now that we've got q, we compute the final result as d times q plus r times p. So we have decomposed this into this form, where the divisor has a very low hamming weight. When you have low hamming weight, everybody knows what is hamming weight? When you have, yeah, number of ones. Number of ones relates to the number of additions. So the less number of additions you have, the better it is. So you iterate over all possible values of this thing with small hamming weight for d. The moment you fix this, these things automatically find their place, correct? You just fix d. You know k. k is equal to this thing. The moment you fix d, you have q and r. So you take different values of d with small hamming weight. And you see where the hamming weight of d, q and r, the total of them is minimized. And you choose that value. And lo and behold, here are the results. If you don't do any NAF stuff, then we took several numbers, several integers. And I think it was 200 or something. 200 integers. And we looked at the hamming weight. And if you don't use NAF, then the hamming weights are this curve over here. And we arranged those numbers in the x-axis so that the hamming weights are monotonically increasing. So the hamming weights are this. NAF is a brilliant idea. And in this case, we used window NAF with w size equal to 2. And then we get the number of ones, the number of additions to be done is this. If you use our strategy, which we call near factorization, we brought it down quite a bit. So there's a fairly dramatic improvement in performance. This performance improvement is across different sizes of the scalar. Because as we said, 200 is what we want to use for minimum security. And then 300. And if you want very high security, the key size is about 400. So every time we see that our stuff gives us much fewer additions compared to just pure WNAF. So there's a substantial improvement if you use our method called near factorization across different window size. So this is for one window size. This is for another window size, et cetera. It's all given over here. And then finally, this is a table which actually shows you the number of the total cost. Again, the cost is a function of the number of additions and the number of doublings. So this is the original NAF. And this is our scheme that uses near factorization plus, so this is window NAF actually. And our scheme, which augments, it's a conjunction of the two, our scheme plus a window NAF. So you can see there's a fairly substantial improvement over just using window NAF. So this is another example of a project that we are doing over here related to elliptic curve optimization. I forgot to include all the students, but these are some of the things that we have been doing over the years. So there are six students, including Naman and Nikhil, who are graduating next month. Unfortunately, I forgot to put their names, but maybe they will talk about what we are doing a little later. So some are BTEX, MTEX, et cetera. So we just had six BTEX graduating right now. Some are working on side channel attacks, some are working on XSS, server side defenses. So there's a lot of exciting stuff. That's what I wanted to bring out in this last one hour. Some of the things that we are doing here in IIT. And if you'd like to partner with our efforts, you're most welcome to do so. But be ready for a lot of sweat. Nothing will come easy in security. It's one of the most difficult subjects that I've ever seen. I've taught about 15 computer science subjects, nothing rival security and difficulty. We even had one student from Ethiopia, a guest student who did some nice work on malware detection. So what you are seeing is a cumulative effect of a lot of hard work put in by lots of these people and these guys and so on. The stuff on electrical optimization is due to these guys. I'm very happy to say this guy was all India number one in the JEE, and this guy was number three. So we are blessed with very good students. So I'm sorry for taking a little extra time. I think we should probably head for lunch. And when we come back, if we have time, I'd just like to show you what they are working on, which is click jacking. It's a new kind of attack made possible due to HTML version five. So they'll just take about 10 minutes for their presentation after lunch and then we'll continue with the rest of the thing.