Nonlinearities in Elliptic Curve Authentication

In order to construct the border solutions for nonsupersingular elliptic curve equations, some commonly used models need to be adapted from the linear cases for use in particular nonlinear cases. Several approaches lead to these solutions. Optimization in this area means finding the majority of points on the elliptic curve and minimizing the time needed to compute the solution in contrast with the time needed to compute the inverse solution. We can compute the positive solution of a PDE (partial differential equation), like oscillations of $f(s)/s$ around the principal eigenvalue $\lambda_1$ of $-\Delta$ in $H^1_0(\Omega)$. Translating mathematics into cryptographic applications is relevant in everyday life, where there are situations in which two parties that communicate need a third party to confirm the process. For example, if two persons want to agree on something they need an impartial person to confirm this agreement, like a notary. This third party does not influence the communication in any way; it is just a witness to the agreement. We present a system where the communicating parties do not authenticate one another. Each party authenticates itself to a third party, which also sends the keys for the encryption/decryption process. Another advantage of such a system is that if someone (the sender) wants to transmit messages to more than one person (the receivers), he needs only one authentication, unlike classic systems where he would need to authenticate himself to each receiver. We propose an authentication method based on zero-knowledge proofs and elliptic curves.


Introduction
The system we propose has three components: two parties that communicate and one party that authenticates them and provides the keys for the cryptosystem used. The most common authentication is based on passwords, which help to verify the identity of a user. This method is not secure enough because passwords are generated from small dictionaries or are chosen directly by the users, who usually make poor selections. In addition, users frequently forget passwords. In such cases, an authentication system needs two authentication modes. The first mode is the primary one, and the second is the emergency one (it is used only when the primary is not available). The most popular emergency mode used on the Internet when a password is forgotten is e-mail: the password or the instructions to reset it are sent by e-mail. The first password authentication protocol used on a network that was proven secure was presented by Halevi and Krawczyk [1]. Their protocol prevents leakage of information, and the server's private key can be verified by the user. If the server's key cannot be verified, it is recommended to use strong password authentication protocols. Such protocols were proposed by Bellovin and Merritt [2,3], Jablon [4] and Wu [5], among others.
We propose a zero-knowledge authentication using elliptic curves. A zero-knowledge proof is a proof of some statement that reveals nothing but the veracity of the statement. In order to give a formal definition of a zero-knowledge proof, we first define the interactive proof system.

Definition 1. An interactive proof system for a set A is a process between a verifier, which executes a probabilistic polynomial-time strategy, and a prover, which executes a computationally unbounded strategy, satisfying:
• Completeness: For any $a \in A$, the verifier always accepts the common input a (after interacting with the prover).
• Soundness: For some polynomial p, for any $a \notin A$ and any potential strategy S, the verifier rejects the common input a with probability at least $1/p(|a|)$ (after interacting with S).

Therefore, a proof is complete if an honest verifier is always convinced of the veracity of a statement from an honest prover, and it is sound if a cheating prover can convince an honest verifier that a false statement is true only with a very small probability.

Definition 2. A strategy S is zero-knowledge on the set A if for any feasible strategy B there exists a feasible computation C such that the following are computationally indistinguishable:
• the output of B after interacting with S on common input $a \in A$;
• the output of C on input $a \in A$.

From this definition, any information obtained by interacting with S on some input a can also be obtained from a without interacting with S [6]. In our method, the verifier knows the right answer before communicating with the prover. Therefore, he cannot possibly obtain any new information. This method is called "no-leak" authentication. A formal definition can be obtained from the zero-knowledge definition given above by eliminating "probabilistic polynomial time". This means that whatever the verifier can compute after communicating with the prover, he could already compute before the communication. Like the verifier, a passive adversary cannot obtain new information from the prover.

Mathematical Preliminaries
To understand the foundation of the cryptosystem's functionality, we have to understand how the secret can be hidden and how it can be revealed ([7] and [8]). This is pure mathematics, and it is based on the intractability of some function operation.

Definition 3. The Weierstrass mathematical model is the foundation: where $a_i \in K$ and K represents the field over which the curve is defined. From this we have the discriminant: and we require $\Delta \neq 0$.
If we have $K = F_p$ where $p > 3$ is a prime, Equation (1) can be simplified to: and the discriminant becomes $\Delta = -16(4a^3 + 27b^2)$. In the case $K = F_{2^m}$ we have: and the discriminant is $\Delta = b$. If the curve E is defined over a prime field $F_p$ and we have a point $P(x, y) \in E$, then its inverse is $-P(x, -y)$. If we want to compute $R(x_3, y_3) = P + Q$ where $P(x_1, y_1) \in E$ and $Q(x_2, y_2) \in E$ we have: where $\lambda$ is given by: For doubling a point, $2P(x_3, y_3)$, we use the formulas: where $\lambda$ is given by: For projective coordinates we replace x with $x/z$ and y with $y/z$, where $z \neq 0$, obtaining the equation: To compute $P(x_1, y_1, z_1) + Q(x_2, y_2, z_2) = R(x_3, y_3, z_3)$ we have: For doubling a point $2P(x_3, y_3, z_3)$ we use: If the curve E is defined over a binary field $F_{2^m}$, for a point $P(x, y)$ the inverse is $-P(x, x + y)$. Addition and doubling are defined in the same way as on the prime curves.
To obtain the projective coordinates we proceed as above. The inverse of a point $P(x, y, z)$ is $-P(x, x + y, z)$. To compute $P + Q = R$ we have: And for doubling a point $2P$ we have:

Frontier Points on Elliptic Curves
According to [9], of all the points which define an elliptic curve only a part can be used in applications (cryptography); the special points with the following properties are called frontier points:
(1) $|E(F_p)| = c \cdot l$ where $l > 2^{160}$ is a prime and c a positive integer. $|E(F_p)|$ denotes the cardinal of the set of points on E over $F_p$.
(2) $l \neq p$.
(3) the order of the prime p in the multiplicative group $F_l^{\times}$ of $F_l$ is at least $2000/\log_2 p$.
These three conditions provide a high level of security. Algorithms have been developed for solving discrete logarithms with running time equal to the square root of the largest prime factor of the group order [10]. These algorithms cannot be applied to a cryptosystem which respects the first condition. [11] describes the anomalous curve attack. This attack consists in solving the elliptic curve discrete logarithm problem for curves whose group order equals the order of the finite field. The method uses Hensel's lemma and has low complexity. The second condition presented above makes this kind of attack impossible. In [12] the authors presented an attack which reduces the discrete logarithm problem in $E(F_p)$ to one in a finite extension field of $F_p$. The third condition relies on the assumption that the DLP in a finite field whose cardinal is 2000 bits long is intractable.
The efficiency of an elliptic curve cryptosystem is based on the arithmetic in $F_p$. So the efficiency is directly proportional to p. This means that $|E(F_p)|$ must be as small as possible. From the first condition we have $|E(F_p)| = c \cdot l$ where $l > 2^{160}$. So the efficiency depends on the co-factor c. The first condition becomes:
• $|E(F_p)| = c \cdot l$ where $l > 2^{160}$ is a prime and $c \le 4$ a positive integer. $|E(F_p)|$ denotes the cardinal of the set of points on E over $F_p$.

Nonlinearities on Elliptic Curves
For every elliptic curve cryptosystem we have to declare the domain parameters. We will work with a nonsupersingular elliptic curve E defined over a prime field. The domain parameters will be $(F, p, a_E, b_E, G, n, h)$, where $F_p$ is the prime field, $a_E, b_E$ define the curve $E: y^2 = x^3 + a_E x + b_E$, $G \in E$ is a point of order n (this means that n is the smallest positive number for which $nG = O$) and $h = |E(F_p)|/n$ is the co-factor. To meet the above conditions it is recommended that $|E(F_p)|$ be prime or $|E(F_p)| = h \cdot n$ where n is a large prime and $h \in \{1, 2, 3, 4\}$ [13].
As described in [14], starting from an oscillation $\theta(t)/t$ around the principal eigenvalue $\lambda_1$ of $-\Delta$ in $H^1_0(\Omega)$, the one-dimensional case generates infinitely many solutions if $\theta(t) > 0$ in $\mathbb{R}$ and where $\psi(t) = \int_0^t \theta(\xi)\,d\xi$. These conditions, as proved in [15], cannot be replaced by: The results of these conclude in [16] with the problem $-\Delta u = \theta(x, u)$ in $\Omega$, $u = 0$ on $\partial\Omega$, where $\theta : \Omega \times \mathbb{R} \to \mathbb{R}$ is a continuous function. In [14] the functional $\Phi$ is stated and defined as a generator of infinitely many solutions. From these, the space of chosen criteria for cryptographic points is big enough that it can be considered a space of strong points in cryptography.

Counting the Elliptic Curve's Frontier Points
To know the number of points belonging to the elliptic curve we have to compute $|E(F_p)|$. In 1985 Schoof [17] presented an algorithm for counting the points on an elliptic curve over a large field $F_p$. Schoof's algorithm has polynomial running time and uses Hasse's theorem on elliptic curves.
Theorem 1 (Hasse's Theorem). If E is an elliptic curve over the finite field $F_p$ then $|p + 1 - |E(F_p)|| \le 2\sqrt{p}$. If we define $t = p + 1 - |E(F_p)|$ we have to compute $t \bmod N$ where $N > 4\sqrt{p}$. Schoof's algorithm computes this using small primes $l_i$ whose product is N. After computing $t \bmod l_i$ we can find t using the Chinese Remainder Theorem. Knowing t we can then compute $|E(F_p)| = p + 1 - t$. To compute $t \bmod l$ Schoof used the Frobenius endomorphism $\phi$ and division polynomials.
Theorem 2 (Frobenius endomorphism). The Frobenius endomorphism $\phi$ satisfies the following: According to Theorem 2 we have the equation $\phi^2 P + p_l P = t_l \phi P$, where $P(x, y) \in E(F_p)$. Here $p_l = p \bmod l$ and $t_l = t \bmod l$. If we restrict to nontrivial l-torsion points (a torsion subgroup consists of all the elements of an abelian group that have finite order) we obtain: where $\bar{x}$ is the unique integer such that $\bar{x} = x \bmod l$. The above equation is valid because in an l-torsion subgroup the scalar multiplication has the property $pG = \bar{p}G$. Starting from Equation (2) and applying division polynomials, Schoof's algorithm computes the value of $|E(F_p)|$. The reader can study the algorithm and the improvements made to it over time in [18].

Another algorithm based on Hasse's theorem was developed by D. Shanks [19]. The algorithm is named Baby Steps-Giant Steps and computes a number $m \in (p + 1 - 2\sqrt{p},\, p + 1 + 2\sqrt{p})$ such that $mG = O$, where G is a random point on the curve $E: y^2 = x^3 + ax + b$. The algorithm is described below:
(1) Compute $s \approx \sqrt[4]{p}$.
(2) Compute $G, 2G, \ldots, sG$.
(3) Compute $Q = (2s + 1)G$ and $R = (p + 1)G$.
The first three steps are known as baby steps, while computing $R, R \pm Q, \ldots, R \pm tQ$ is the giant step. From Hasse's theorem we know that $R + iQ$, $i = 0, \pm 1, \pm 2, \ldots, \pm t$, is equal to one of the points computed in the second step. For this i we have $R + iQ = jG$, $j \in \{0, \pm 1, \pm 2, \ldots, \pm t\}$. The number m will be $m = p + 1 + (2s + 1)i - j$, which represents the cardinal of the set of elliptic curve points. Variations, improvements and enhancements of this algorithm can be studied in [20].

A very important zero-knowledge protocol, which is the basis for the most popular zero-knowledge protocols, is the Fiat-Shamir identification protocol. Important protocols derived from it are Feige-Fiat-Shamir [21] and Guillou-Quisquater. We chose it because it is the simplest protocol that illustrates the most important properties of modern sophisticated schemes. This protocol is used in cryptography for authenticating a certain person. Suppose Alice has a secret Se known only to her. She will prove her identity to Bob by proving that she possesses Se, of course without revealing the secret. Because the secret is not revealed to the verifier, no adversary can find it from the prover's response. A trusted party is needed for this protocol; it generates two secret prime numbers p and q and computes the public value $n = pq$. The steps that follow this operation are repeated t times, each time using independent random numbers. If the verifier has repeated the steps t times without rejecting, then he accepts.
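The prime-field addition and doubling formulas of the Mathematical Preliminaries and Shanks' Baby Steps-Giant Steps count described above, as an added Python example that is not part of the paper. The curve $y^2 = x^3 + 2x + 3$ over $F_{1009}$, the way the starting point G is picked, and the names `add`, `mul`, `naive_count` and `bsgs_count` are constructed for illustration; the candidate m is checked against the Hasse interval and an exhaustive count confirms the group order.

```python
from math import isqrt
# Constructed toy parameters (real curves use primes of hundreds of bits):
# E: y^2 = x^3 + A*x + B over F_P, chosen with discriminant -16(4A^3 + 27B^2) != 0 mod P
P, A, B = 1009, 2, 3
S = isqrt(isqrt(P)) + 1          # baby-step bound s ~ p^(1/4) of Shanks' method

def neg(pt):
    # the inverse of P(x, y) on a prime-field curve is -P = (x, -y); -O = O
    return None if pt is None else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    # affine chord-and-tangent addition; None stands for the point at infinity O
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope (addition)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # double-and-add scalar multiplication; negative k goes through the inverse point
    if k < 0:
        k, pt = -k, neg(pt)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

SQRT = {}                        # one square root for every quadratic residue mod P
for y in range(P): SQRT.setdefault(y * y % P, y)

def naive_count():
    # |E(F_P)| by exhaustion: O, plus one point where y = 0 and two for any other residue
    return 1 + sum((1 if r == 0 else 2) for x in range(P)
                   if (r := (x**3 + A * x + B) % P) in SQRT)

def pick_point():
    # first affine point (by x) of order > S, standing in for the paper's random G
    for x in range(P):
        if (r := (x**3 + A * x + B) % P) in SQRT:
            G = (x, SQRT[r])
            if all(mul(k, G) is not None for k in range(1, S + 1)):
                return G

def bsgs_count(G):
    # Shanks' Baby Steps-Giant Steps: an m in (p+1-2sqrt(p), p+1+2sqrt(p)) with mG = O,
    # equal to |E(F_P)| whenever the order of G exceeds 4sqrt(p)
    baby = {mul(j, G): j for j in range(S + 1)}      # O, G, 2G, ..., SG
    Q, R = mul(2 * S + 1, G), mul(P + 1, G)
    t = isqrt(P) // S + 2                            # enough giant steps to cover the interval
    for i in range(-t, t + 1):
        cand = add(R, mul(i, Q))
        for sign, key in ((-1, cand), (1, neg(cand))):
            if key in baby:                          # R + iQ = +-jG, so (p+1+(2S+1)i -+ j)G = O
                m = P + 1 + (2 * S + 1) * i + sign * baby[key]
                if (m - P - 1) ** 2 <= 4 * P:
                    return m
    raise ValueError("no collision inside the Hasse interval")
```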
The algorithm is described below (see Algorithm 1); the repeated steps begin with the fifth one. The first two steps are executed by the trusted third party, while steps three and four are executed by the prover only once each. The number t is chosen by the verifier; if the verifier is easy to convince, t can be smaller. A detailed explanation of this algorithm can be found in [22].
Algorithm 1 Fiat-Shamir Identification Protocol.
1: p and q are generated
2: $n = pq$ is made public
3: the prover selects Se co-prime to n such that $1 \le Se \le n - 1$
4: the prover computes $v = Se^2 \bmod n$, which is his public key
5: the prover chooses r such that $1 \le r \le n - 1$
6: the prover computes $x = r^2 \bmod n$ and sends it to the verifier
7: the verifier chooses a bit $e \in \{0, 1\}$ and sends it to the prover
8: if $e = 0$ then the prover computes $y = r$; if $e = 1$ he computes $y = r \cdot Se \bmod n$
12: end if
13: the prover sends y to the verifier
14: the verifier rejects if $y = 0$ or $y^2 \neq x \cdot v^e \pmod n$

For example, take $p = 5$ and $q = 11$; then $n = 55$ is made public. Suppose Alice (the prover) chooses her secret $Se = 14$ and computes $v = 14^2 \bmod 55 = 31$. Bob is an easy-to-convince verifier and chose $t = 2$. The completeness of this protocol is provided by the fact that the prover possessing the secret Se can always compute $y = r$ or $y = r \cdot Se$ and send it to the verifier. Therefore, an honest verifier will always complete all t iterations and accept with probability 1. To demonstrate soundness, suppose the prover does not possess the secret Se. Then, in a given round, he cannot answer both challenges $y = r$ and $y = r \cdot Se$. Thus, the probability of rejection in each round is 1/2. Zero-knowledge is provided by the fact that the only values made public in one round are x and y. An (x, y) pair can be simulated by choosing a random y and then computing $x = y^2$ or $x = y^2 v^{-1}$. We can observe that such pairs are computationally indistinguishable from the ones computed in the protocol.
A "no-leak" zero-knowledge authentication was presented in [23]. Alice's (the prover's) private key consists of:
(1) a subset $S_0 \subset S$, where S is a universal set;
(2) an efficient test to verify that an element of S does not belong to $S_0$;
(3) a method for distinguishing the subset $\bar{S}_0$ from some $S_0$,
while the public key is the pair of sets $\bar{S}_0, S_1$ such that $S_0 \cap S_1 = \emptyset$. The algorithm has three steps:
Algorithm 2 No-leak Authentication Protocol.
1: Bob sends $(x_1, x_2, \ldots, x_{2m})$ to Alice, where each $x_i$ is a random element from $\bar{S}_0$ or $S_1$, and exactly m elements belong to $\bar{S}_0$ and m to $S_1$.
2: Alice uses her private test to check whether the element $\bar{x}_i$ corresponding to $x_i$ does not belong to $S_0$, i.e. $\bar{x}_i \notin S_0$. If the test fails, she supposes that $\bar{x}_i \in S_0$, which means that $x_i \in \bar{S}_0$. She counts how many $\bar{x}_i \notin S_0$. If the number she obtains is not exactly m, the authentication has failed. If she obtains m, she sends to Bob a string with "0" in the places corresponding to $x_i \in \bar{S}_0$ and "1" for $x_i \notin \bar{S}_0$.
3: Bob compares Alice's result with the right value. If they are equal he accepts the authentication.

Our Method
We propose a zero-knowledge authentication based on elliptic curves and on the algorithms described in the previous section. For the use of elliptic curves we have to declare the domain parameters. For a nonsupersingular elliptic curve E defined over a prime field the domain parameters will be $(F, p, a_E, b_E, G, n, h)$, where $F_p$ is the prime field, $a_E, b_E$ define the curve $E: y^2 = x^3 + a_E x + b_E$, $G \in E$ is a point of order n (this means that n is the smallest positive number for which $nG = O$) and $h = |E(F_p)|/n$ is the co-factor. To meet the above conditions it is recommended that $|E(F_p)|$ be prime or $|E(F_p)| = h \cdot n$ where n is a large prime and $h \in \{1, 2, 3, 4\}$ [13]. Not all these parameters are used in a zero-knowledge authentication, but they are all used in an elliptic curve cryptosystem. Therefore, defining these parameters saves one step in the encryption/decryption process which the two communicating parties will use after authentication.
The generalized method uses a universal set S of elliptic curve points. $S_0$ represents the points of a specific elliptic curve E, $\bar{S}_0$ are the elements corresponding to the points of $S_0$, while $S_1$ is a set of points which do not belong to the elliptic curve E. The private key and the public key remain the same as in the above specification. Algorithm 2 becomes:
Algorithm 4 No-leak Elliptic Curve Authentication Protocol.
1: Bob sends $(X_1, X_2, \ldots, X_{2m})$ to Alice, where each $X_i$ is a random element from $\bar{S}_0$ or $S_1$, and exactly m elements belong to $\bar{S}_0$ and m to $S_1$.
2: Alice uses her private test to check whether the point $\bar{X}_i$ corresponding to $X_i$ does not belong to $S_0$, i.e. $\bar{X}_i \notin S_0$. If the test fails, she supposes that $\bar{X}_i \in S_0$, which means that $X_i \in \bar{S}_0$. She counts how many $\bar{X}_i \notin S_0$. If the number she obtains is not exactly m, the authentication has failed. If she obtains m, she sends to Bob a string with "0" in the places corresponding to $X_i \in \bar{S}_0$ and "1" for $X_i \notin \bar{S}_0$.
3: Bob compares Alice's result with the right value. If they are equal he accepts the authentication.
This algorithm represents the generalized method for elliptic curves. We also present a particularized method which replaces the polynomials from Algorithm 3 with elliptic curve points. Here Alice's keys change:
• the private key contains: (1) a tuple $(x_1 P, x_2 P, \ldots, x_k P)$ where $P \in E$ and the $x_i$ are random scalars; (2) a random point Q (replacing the constant c);
• the public key contains: (1) a tuple $(x_1 M, x_2 M, \ldots, x_k M) = 2(x_1 P, x_2 P, \ldots, x_k P) - Q$ where $M \in E$; (2) a random tuple $(x_1 N, x_2 N, \ldots, x_k N)$ where $N \in E$.
Using these keys the algorithm becomes:
Algorithm 5 No-leak Elliptic Curve Authentication Protocol.
3: Bob compares Alice's result with the right value.If they are equal he accepts the authentication.
The scalar multiplication of elliptic curve points can be done with various methods. To improve the efficiency of such an algorithm, we have to improve the scalar multiplication, which is the most complex operation applied to an elliptic curve point. One of the most popular methods for scalar multiplication was introduced by P. Montgomery in [24]. The main idea is to generate q such that $c + qp$ is a multiple of r. The values c, p and r are given, r being a power of 2. Another efficient scalar multiplication method for prime fields was presented in [25] and uses the Frobenius endomorphism. Clavier and Joye presented in [26] a new idea to ease the computation of kP. They propose to write k as $k_1 + k_2$ where $k_1 = k - r$ and $k_2 = r$, r being a random integer. Therefore, kP becomes $k_1 P + k_2 P$. This idea is very useful because the values $k_1 P$ and $k_2 P$ can be computed simultaneously. It can be applied to almost all the algorithms for computing scalar multiplication. An improvement to this idea was given by Ciet in [27].

Conclusions
Our communication system is made up of two parts: the authentication and the communication process itself. The communication part implies a cryptosystem for encrypting and decrypting the messages. These two parts can use only classical methods, only elliptic curve methods, or a combination of the two. Using the same type of methods for both parts is more efficient, mainly because some of the values generated during authentication are also used in the second part. On the other hand, using different kinds of methods implies generating different values for each part. The optimal situation occurs when there is no need to generate additional values in the second part. For the second part, elliptic curve methods have proved to be the most adequate for encrypting and decrypting messages because they need shorter keys in order to provide the same performance and security level as the classical ones. For the authentication we recommend our method because it is less complicated and needs fewer resources than using a classical method for the first part and an elliptic curve one for the second. The authentication process is accomplished by using a trusted third party. This third party has a very important double role: it is an impartial witness to the communication and it also provides the authentication and the keys needed in the second part by the cryptosystem used. All in all, authentication is the first step to an efficient and secure communication system, which can be accomplished by using our elliptic curve method.
