Attack Experiments on Elliptic Curves of Prime and Binary Fields

The paper begins by describing the basic properties of finite field arithmetic and elliptic curve arithmetic over prime and binary fields. It then discusses the elliptic curve discrete logarithm problem and its properties. We study the Baby-Step, Giant-Step method, Pollard's rho method and the Pohlig–Hellman method, the general methods known to solve the elliptic curve discrete logarithm problem, and describe in detail attack experiments using these methods over prime and binary fields. Finally, the paper discusses the expected running time of these attacks and suggests strong elliptic curves that are not vulnerable to them.


Introduction
The Elliptic Curve Cryptosystem (ECC) is an alternative approach to implementing a Public Key Cryptosystem (PKC), in which each entity connected to the public communication channel generally holds a pair of keys, a public key and a private key, to perform cryptographic operations such as encryption, decryption, signing, verification and authentication. The private key must be kept secret, while the corresponding public key is distributed to all entities on the public communication channel [1]. ECC can be applied to provide the security services of confidentiality, authentication, data integrity, non-repudiation and authenticated key exchange.
ECC has become a major technology in the information and network security industry and is replacing other public key cryptosystems such as RSA and DSA. It has become an industry standard because its smaller key sizes and lower memory usage give faster implementations with lower power consumption. Its security depends on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). Although the ECDLP is believed to be hard, this has not stopped attackers from attacking ECC. Over the years mathematicians have devised, tested and analyzed several attacks in order to discover weaknesses in ECC; some have been partially successful, others have not.
The idea of this paper is to apply knowledge of the general methods of attacking the ECDLP to the selection of strong elliptic curves over prime and binary fields with large parameters. The structure of this paper is as follows. Sect. 2 covers finite field arithmetic over prime and binary fields and its properties. In Sect. 3 we discuss elliptic curve arithmetic over prime and binary fields, its geometric properties, and the ECDLP and its properties. Sect. 4 describes in detail the general methods of attacking the elliptic curve discrete logarithm problem. In Sect. 5 we discuss attack experiments on the ECDLP over prime and binary fields. Finally, in Sect. 6 we conclude by describing the time complexity of the attack methods and by suggesting strong elliptic curves for a secure implementation of ECC.

Finite Field Arithmetic
A finite field, generally denoted by F, is a field consisting of a finite number of elements. Like the rational, real and complex number systems, a finite field consists of a set of elements together with two arithmetic operations, addition (denoted +) and multiplication (denoted ·), that satisfy the usual arithmetic properties:
• (F, +) is an additive group with operation + and identity element 0.
• (F \ {0}, ·) is a multiplicative group with operation · and identity element 1.
• The distributive law holds: (x + y) · z = (x · z) + (y · z) for all x, y, z ∈ F.
When the number of elements in the field is finite, the field is said to be finite [2]. Galois showed that the number of elements of a finite field must be p^m, where p is a prime number called the characteristic of the field and m is a positive integer. Finite fields are therefore also called Galois fields and denoted GF(p^m). When m = 1 the field GF(p) is called a prime field; when m ≥ 2 the field GF(p^m) is called an extension field. The number of elements in a finite field is called the order of the field, and any two finite fields of the same order are isomorphic [3].

Field Operations
A finite field F has two arithmetic operations, addition and multiplication. Subtraction of field elements is defined in terms of addition: for x, y ∈ F, x − y is defined as x + (−y), where −y is the additive inverse of y, the element such that y + (−y) = 0. Correspondingly, division of field elements is defined in terms of multiplication: for x, y ∈ F with y ≠ 0, x/y is defined as x · y^−1, where y^−1 is the multiplicative inverse of y, the element such that y · y^−1 = 1 [2].
Prime Field. A finite field of prime order p is called a prime field and denoted GF(p). It consists of the integers modulo p, {0, 1, 2, …, p − 1}, with addition and multiplication performed modulo p. For any integer x, x mod p denotes the integer remainder r obtained upon dividing x by p; this operation is called reduction modulo p. The remainder r is the unique integer between 0 and p − 1, i.e. 0 ≤ r ≤ p − 1 [2]. Arithmetic on elements of GF(p) is illustrated in Example (1).
Example (1). (prime field GF(23)) The following are examples of arithmetic operations on elements of GF(23).
Binary Field. A finite field of order 2^m is called a binary field and denoted GF(2^m); it is also referred to as a finite field of characteristic two. The elements of GF(2^m) can be constructed using a polynomial basis representation as in Eq. (1): the elements of GF(2^m) are the binary polynomials of degree at most m − 1,
$GF(2^m) = \{\, a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \cdots + a_2x^2 + a_1x + a_0 : a_i \in \{0, 1\} \,\}.$ (1)
A binary polynomial f(x) of degree m is irreducible if it cannot be factored as a product of binary polynomials of degree less than m. Let a(x) and b(x) be elements of GF(2^m), i.e. binary polynomials of degree at most m − 1. Addition of elements of the binary field is addition of binary polynomials, a(x) ⊕ b(x), with the coefficients added modulo 2. Multiplication of elements of GF(2^m) is the expression a(x) · b(x) mod f(x): let c(x) = a(x) · b(x) be a binary polynomial of degree possibly greater than m; then c(x) mod f(x) is the unique remainder polynomial r(x) of degree less than m obtained upon dividing c(x) by f(x), an operation called reduction modulo f(x). Division of elements of GF(2^m) is the expression a(x)/b(x) mod f(x), computed as a(x) · b(x)^−1 mod f(x), where b(x)^−1 is the inverse of b(x) modulo f(x) [2]. Arithmetic on elements of GF(2^m) is illustrated in Example (2).
Example (2). (binary field GF(2^m)) The elements of GF(2^4) generated by the reduction polynomial f(x) = x^4 + x + 1 are represented by 16 binary polynomials of degree at most 3, as shown in Table (1).
The following are examples of arithmetic operations in GF(2^4) on the elements generated by the reduction polynomial f(x) = x^4 + x + 1.

Elliptic Curve Arithmetic
An elliptic curve over a finite field, E(GF), is a cubic curve defined by the general Weierstrass equation $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ over GF, where $a_i \in GF$ and GF is a finite field. We study elliptic curves over GF(p) and GF(2^m).

Elliptic Curve Arithmetic Over Prime Field - GF(p)
Elliptic curves over GF(p) are derived from the general Weierstrass equation. The elliptic curve E(GF(p)) over GF(p) is determined by Eq. (2) [4]:
$y^2 = x^3 + ax + b,$ (2)
where p > 3 is prime and a, b ∈ GF(p) satisfy $4a^3 + 27b^2 \neq 0$ (in terms of the general Weierstrass equation, $a_1 = a_2 = a_3 = 0$, $a_4 = a$ and $a_6 = b$).
Points on E(GF(p)). The elliptic curve E(GF(p)) over GF(p) consists of a set of points together with a point at infinity, denoted O. That is, $E(GF(p)) = \{P = (x, y) : y^2 = x^3 + ax + b,\ x, y \in GF(p)\} \cup \{O\}$. Every point on the curve has a corresponding inverse: the inverse of a point (x, y) on E(GF(p)) is (x, −y). The number of points on the curve, including the point at infinity, is called its order #E. The points on E(GF(p)) are generated using Algorithm (1).
Example (3). Let p = 13 and consider the elliptic curve $E: y^2 = x^3 + 5x + 4$ over GF(13), where a = 5 and b = 4. Note that $4a^3 + 27b^2 = 500 + 432 = 932 \equiv 9 \pmod{13}$, which is nonzero, so E is indeed an elliptic curve. The points on the curve and its graph are shown in Fig. (1a and b). The order of the elliptic curve $E: y^2 = x^3 + 5x + 4$ over GF(13) is 17.
Arithmetic Operations on E(GF(p)). Addition of two points on an elliptic curve E(GF(p)) applies the chord-and-tangent rule to find a third point on the curve. Point addition on E(GF(p)) forms a group with the point at infinity O as its identity, and it is this group of points that is used in the construction of elliptic curve cryptosystems [5]. The point addition rule is best explained geometrically. Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be two distinct points on E(GF(p)), and let $R = (x_3, y_3)$ be the sum of P and Q, as illustrated in Fig. (2a). The line through P and Q intersects the elliptic curve at a third point, called −R; R is the reflection of −R with respect to the x-axis. Now let $R = (x_3, y_3)$ be the doubling of $P = (x_1, y_1)$, as illustrated in Fig. (2b). The tangent line at P intersects the elliptic curve at the point −R, and R is again the reflection of −R with respect to the x-axis. The geometric description leads to the following algebraic formulas for the addition of two points and the doubling of a point [4].

Elliptic Curve Arithmetic Over Binary Field - GF(2^m)
The elements of GF(2^m) must first be generated using a reduction polynomial f(x). These elements are then used to construct an elliptic curve E(GF(2^m)) over GF(2^m). The curve E(GF(2^m)) is determined by Eq. (3) [4], where a, b ∈ GF(2^m) and b ≠ 0.
Points on E(GF(2^m)). The elliptic curve E(GF(2^m)) over GF(2^m) consists of a set of points together with a point at infinity, denoted O. Every point on the curve has a corresponding inverse: the inverse of a point (x, y) on E(GF(2^m)) is (x, x ⊕ y). The number of points on the curve, including the point at infinity, is called its order #E. The points on E(GF(2^m)) are generated using Algorithm (2).
Example (5). Let f(x) = x^4 + x + 1 be the reduction polynomial. The binary and polynomial representations of the 16 elements of GF(2^4) generated by f(x) = x^4 + x + 1 are shown in Table (2). Table (3) shows the powers of g and the corresponding binary representations of the elements of GF(2^4) generated by f(x) = x^4 + x + 1. The element g = 0010 is a generator of GF(2^4) and its order is 15 (= 2^4 − 1).
The elliptic curve $E: y^2 + xy = x^3 + g^{11}x^2 + g^{13}$, where a = g^11 and b = g^13, has the points shown in Fig. (3); the points on the curve and its graph are shown in Fig. (3a and b). The order of this elliptic curve is 22.

Elliptic Curve Discrete Logarithm Problem
The difficulty of solving the ECDLP determines the security of ECC. Let P and Q be points on an elliptic curve such that Q = kP, where k is an integer; k is called the discrete logarithm of Q to the base P. Given the two points P and Q, it is infeasible to compute k when the order of the group of points is large enough.
Point Multiplication. Point multiplication is the main operation used in ECC. The scalar multiplication of an integer scalar k with a point P on the elliptic curve produces another point Q on the curve [1]. The point Q is obtained by performing point addition and point doubling operations according to the bit pattern of the integer scalar k. The bit pattern of k is given by Eq. (4), where $k_{n-1} = 1$ and $k_i \in \{0, 1\}$ for $i = 0, 1, 2, \ldots, n-1$. The operation is based on the binary method, which scans the bits of k either from left to right or from right to left [2]. Algorithm (3) illustrates the scalar multiplication of an integer scalar k with a point P on the elliptic curve using the binary method. This method applies to elliptic curves over both GF(p) and GF(2^m). Consequently, reducing the number of 1s in the bit pattern of the integer scalar k increases the speed of scalar multiplication of a point on an elliptic curve [6].
The Order of a Point. Let P ∈ E(GF(p)). The order of the point P is the smallest positive integer N such that NP = O, where O is the identity of the group of points on the elliptic curve.
All candidate values of N lie in the range given in Eq. (5).

General Methods of Attacking on ECDLP
The difficulty of solving the Discrete Logarithm Problem (DLP) is crucial to the security of PKC. PKC is built on the assumption that the DLP is extremely hard to solve; the harder it is, the more security it provides. Therefore, PKC is built on groups of large order, with large parameters, in order to increase the difficulty of solving the DLP.
General methods of attacking the ECDLP can be classified into three groups, as follows [8]. These methods can solve the ECDLP for small parameters.
1. Methods based on random walks, such as the exhaustive search method and the Baby-Step, Giant-Step method,
2. Methods based on random walks with special conditions, such as Pollard's rho method and Pollard's lambda method, and
3. Methods based on multiplicative groups, such as the Index Calculus method and the Pohlig–Hellman method.
We studied the following general methods of attacking the ECDLP.

Baby-Step, Giant-Step Method
Let P, Q ∈ E. Assume that we want to find an integer scalar k such that Q = [k]P, where P has prime order N. First we must compute the order N of P. This method generally performs about √N steps and requires about √N storage; therefore it only works well when the available memory can hold about √N points. The method follows the procedure below [7].

1. Fix an integer m such that m ≥ √N and compute mP.
2. Compute and store the list of points iP for 1 ≤ i ≤ m.
3. Compute the points Q − jmP for j = 0, 1, … until one of them matches a point from the stored list.
4. If iP = Q − jmP, then Q = kP with k ≡ i + jm (mod N).
The points iP are computed by adding P to (i − 1)P; these are the baby steps. The points Q − jmP are computed by adding −mP to Q − (j − 1)mP; these are the giant steps. The method generally needs about m steps to find a match (its time complexity is summarized in Table (6)).
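As an added example (not the paper's Java implementation), the procedure above run on the curve of Example (3): prime-field point arithmetic, the binary method of Algorithm (3), the order of P, and a Baby-Step, Giant-Step solve of Q = kP for P = (0, 2), Q = (6, 4) on $y^2 = x^3 + 5x + 4$ over GF(13). The addition and doubling formulas are the standard chord-and-tangent ones for this curve form.

```python
from math import isqrt

P_MOD, A, B = 13, 5, 4        # E: y^2 = x^3 + 5x + 4 over GF(13), Example (3)
INF = None                    # the point at infinity O

def ec_add(P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + A*x + B over GF(P_MOD)."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                    # P + (-P) = O
    if P == Q:                                        # doubling: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:                                             # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, P):
    """Scalar multiplication by the left-to-right binary method (Algorithm 3)."""
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == "1":
            R = ec_add(R, P)
    return R

def point_order(P):
    """Smallest N > 0 with N*P = O, by repeated addition (toy sizes only)."""
    n, R = 1, P
    while R is not INF:
        R, n = ec_add(R, P), n + 1
    return n

def bsgs(P, Q, N):
    """Solve Q = k*P for P of prime order N with m ~ sqrt(N) baby steps."""
    m = isqrt(N) + 1                      # m >= sqrt(N)
    baby, R = {}, INF
    for i in range(1, m + 1):             # baby steps: i*P for 1 <= i <= m
        R = ec_add(R, P)
        baby[R] = i
    mP = ec_mul(m, P)
    neg_mP = (mP[0], (-mP[1]) % P_MOD)    # -mP, used to step Q - j*m*P
    R = Q
    for j in range(m + 1):                # giant steps: Q - j*m*P
        if R in baby:
            return (baby[R] + j * m) % N  # i*P = Q - j*m*P  =>  k = i + j*m
        R = ec_add(R, neg_mP)
    return None

P, Q = (0, 2), (6, 4)
N = point_order(P)                        # 17, as stated in Example (3)
k = bsgs(P, Q, N)                         # 13, and ec_mul(13, P) == Q
```

With m = 5 the match occurs at the third giant step against the baby point 3P, giving k = 3 + 2·5 = 13.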

Pollard's Rho Method
Let P, Q ∈ E. Assume that we want to find an integer scalar k such that Q = [k]P, where P has prime order N and Q ∈ ⟨P⟩. This method searches for two different pairs of integers (a, b) and (a′, b′), drawing new pairs uniformly at random, such that (a, b) ≠ (a′, b′) but aP + bQ = ±(a′P + b′Q); such a collision yields a linear congruence in k.
The time complexity of this method is $O(\sqrt{\pi N/2})$ [7]. The diagram of the sequence of resulting points looks like the Greek letter ρ, which is why this method is called the Pollard rho method.

Pohlig-Hellman Method
Let P, Q ∈ E. Assume that we want to find an integer scalar k such that Q = [k]P, where P has prime order N.
The main idea of this method is as follows:
• Compute the order N of P.
• Compute the prime factorization of N as in Eq. (7).
• Compute $k \bmod q_i^{e_i}$ for each i.
• Combine them to obtain k (mod N) using the Chinese Remainder Theorem [9].
Let q be a prime and let $q^e$ be the exact power of q dividing N. This method writes k in its base-q expansion as in Eq. (8),
$k = k_0 + k_1 q + k_2 q^2 + \cdots + k_{e-1} q^{e-1},$ (8)
where $0 \le k_i < q$. The method evaluates $k \bmod q^e$ by successively determining $k_0, k_1, k_2, \ldots, k_{e-1}$. It follows the procedure below [7]:
… The point $(N/q^2)Q_1$ is an element $k_1 (N/q) P$ of the list T.
6. If e = 2, stop. Otherwise, continue.
… Assume that we have calculated $k_0, \ldots, k_{r-1}$. Determine $k_r$ such that $(N/q^{r+1}) Q_r = k_r (N/q) P$.
9. If r = e − 1, stop. Otherwise, return to step (7).
The method then computes $k \equiv k_0 + k_1 q + \cdots + k_{e-1} q^{e-1} \pmod{q^e}$. In this way we find $k_1$, and in the same way the method produces $k_2, k_3, \ldots$; we stop after r = e − 1. The time complexity of this method is $O(\sqrt{q})$ [7], where q is the largest prime divisor of N. In practice the method becomes infeasible when N has a large prime divisor, since it then becomes difficult to build and store the list T in which matches are sought.

Attack Experiments
We implemented the well-known general attacks, the Baby-Step, Giant-Step method, Pollard's rho method and the Pohlig–Hellman method, using our own implementations of finite field arithmetic [10] and elliptic curve arithmetic [11] built on the Java BigInteger class.

Pollard's Rho Attack
Prime Field. Let the elliptic curve be $E: y^2 = x^3 + 5x + 4$ over GF(13), with P = (0, 2) and Q = (6, 4). Assume that we want to find an integer scalar k such that Q = [k]P using Pollard's rho method. The point P has prime order 17. We choose a, b ∈ [0, 17] uniformly at random, compute R = [a]P + [b]Q and keep the triple (a, b, R) in memory until we meet another triple (a′, b′, R′) such that R = R′ or R = −R′. Table (4) shows the data computed for Pollard's rho attack on $E: y^2 = x^3 + 5x + 4$ over GF(13).
Binary Field. Let the elliptic curve be $E: y^2 + xy = x^3 + g^{11}x^2 + g^{13}$ over GF(2^4), with P = (g^9, 1) and Q = (g^6, g^6). Assume that we want to find an integer scalar k such that Q = [k]P using Pollard's rho method. The point P has prime order 11. We choose a, b ∈ [0, 11] uniformly at random, compute R = [a]P + [b]Q and keep the triple (a, b, R) in memory until we meet another triple (a′, b′, R′) such that R = R′ or R = −R′. Table (5) shows the data computed for Pollard's rho attack on $E: y^2 + xy = x^3 + g^{11}x^2 + g^{13}$ over GF(2^4). Then $k = (10 - 7)(4 - 5)^{-1} \bmod 11 = 3 \cdot (-1)^{-1} \bmod 11 = 3 \cdot 10 \bmod 11$; hence k = 8.
Then we obtain k = 73 using the Chinese Remainder Theorem to recombine the simultaneous congruences as follows:
Binary Field. Let the elliptic curve be $E: y^2 + xy = x^3 + g^{11}x^2 + g^{13}$ over GF(2^4), with P = (g^2, g^2) and Q = (g^6, g^6). Assume that we want to find an integer scalar k such that Q = [k]P.
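As an added example, not the paper's code, the binary-field Pollard's rho run above, carried out end to end: GF(2^4) arithmetic with f(x) = x^4 + x + 1 as in Example (2), the curve of Example (5) in the standard form $y^2 + xy = x^3 + ax^2 + b$ assumed here for Eq. (3), and the paper's random-collision variant with P = (g^9, 1), Q = (g^6, g^6) and N = 11. The random draws are seeded only so that the run is reproducible.

```python
import random

M, F_POLY = 4, 0b10011           # GF(2^4), reduction polynomial f(x) = x^4 + x + 1

def gf_mul(a, b):                # shift-and-add multiply; bit i = coefficient of x^i
    r = 0
    while b:
        if b & 1: r ^= a
        a, b = a << 1, b >> 1
        if a >> M:               # degree reached M: subtract (XOR) f(x)
            a ^= F_POLY
    return r

G = [1]                          # G[e] = g^e for the generator g = x = 0010 (Table 3)
for _ in range(2 ** M - 2):
    G.append(gf_mul(G[-1], 0b0010))

def gf_inv(a):                   # g^e * g^(15 - e) = g^15 = 1: read the table backwards
    return G[(2 ** M - 1 - G.index(a)) % (2 ** M - 1)]

A, B, INF = G[11], G[13], None   # E: y^2 + xy = x^3 + g^11 x^2 + g^13; O is None

def ec_add(P, Q):                # addition/doubling on y^2 + xy = x^3 + A x^2 + B
    if P is INF or Q is INF:
        return Q if P is INF else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (P != Q or x1 == 0):   # Q = -P = (x1, x1 + y1), or 2P = O
        return INF
    if P == Q:
        lam = x1 ^ gf_mul(y1, gf_inv(x1))
        x3 = gf_mul(lam, lam) ^ lam ^ A
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def ec_mul(k, P):                # left-to-right binary method (Algorithm 3)
    R = INF
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        R = ec_add(R, P) if bit == "1" else R
    return R

def pollard_rho(P, Q, N, seed=1):
    # Paper's variant: keep (a, b, R = aP + bQ) until some earlier R' is R or -R
    rng, seen = random.Random(seed), {}        # seeded so the run is reproducible
    while True:
        a, b = rng.randrange(N), rng.randrange(N)
        R = ec_add(ec_mul(a, P), ec_mul(b, Q))
        neg_R = INF if R is INF else (R[0], R[0] ^ R[1])   # -(x, y) = (x, x + y)
        if R in seen and (seen[R][1] - b) % N:             # aP + bQ = a'P + b'Q
            a2, b2 = seen[R]
            return (a - a2) * pow((b2 - b) % N, -1, N) % N
        if neg_R in seen and (seen[neg_R][1] + b) % N:     # aP + bQ = -(a'P + b'Q)
            a2, b2 = seen[neg_R]
            return -(a + a2) * pow((b + b2) % N, -1, N) % N
        seen[R] = (a, b)

P, Q = (G[9], 1), (G[6], G[6])   # P = (g^9, 1), Q = (g^6, g^6) from Table (5)
k = pollard_rho(P, Q, 11)        # 8, i.e. Q = 8P, the value the paper's run finds
```

Whichever collision the seed produces, the congruence solves to the same k because k is unique modulo the prime order 11 of P.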

Conclusion
The security strength of ECC relies on the difficulty, for a cryptanalyst, of solving the ECDLP to find the secret key k such that Q = kP. Table (6) summarizes the time complexity of the general methods of attacking the ECDLP. Our research found that these attack methods can solve the ECDLP within the corresponding expected running time when the group order N of the elliptic curve is not large enough and its prime factorization consists of small (smooth) primes.
When implementing ECC, the following classes of elliptic curves should be used in order to obtain the maximum security level of the cryptosystem. The National Institute of Standards and Technology (NIST) has issued several classic elliptic curves with larger key sizes for federal government use.
NIST recommends 15 elliptic curves: five elliptic curves over GF(p), where p has 192, 224, 256, 384 and 521 bits, and five elliptic curves over GF(2^m), where m equals 163, 233, 283, 409 and 571. For each of the binary fields one Koblitz curve is additionally recommended [12]. Thus the NIST set contains a total of five prime curves and ten binary curves. These curves should be selected for the best security and implementation efficiency. The group order of each of these curves is large enough and has large prime factors, so these curves are resistant to the attack methods we studied in Sect. 4.