Prime Numbers

8.1 Cryptography 395
where in the latter case we take the governing cubic for E ′ to be −y 2 =
x 3 + ax + b.
This theorem is readily proved via the same twist algebra that we encountered
in Theorem 7.5.2 and Exercise 7.16, and leads to the following algorithm for
direct-embedding encryption:
Algorithm 8.1.10 (Direct-embedding ECC encryption). This algorithm
allows encryption/decryption using exclusively elliptic algebra, i.e., with no intermediary
cipher, via the direct embedding of plaintext onto curves. We assume
that Alice and Bob have agreed upon a public curve Ea,b(Fp) with its twist curve
E ′ , on which lie respectively public points P, P ′ . In addition, it is assumed that
Bob has generated respective public keys PB =[KB]P, P ′ B =[KB]P ′ ,asinAlgorithm
8.1.6. We denote by X a parcel of plaintext (an integer in [0,...,p− 1])
that Alice wishes to encrypt for Bob.
1. [Alice embeds plaintext X]
Alice determines the curve E or E ′ on which X is a valid x-coordinate (and,
if y-coordinates are relevant, computes such number Y ) via Theorem
8.1.9, taking the curve to be E if X is on both curves;
// See Exercise 8.5.
Depending respectively on which curve E,E ′ is in force, Alice sets
respectively:
d =0or 1; // Curve-selecting bit.
Q = P or P ′ ;
QB = PB or P ′ B .
Alice chooses random r ∈ [2,p− 2];
U =[r]QB +(X, Y ); // Elliptic add, to obfuscate plaintext.
C =[r]Q; // The “clue” for undoing the obfuscation.
Alice transmits a parcel (encrypted message, clue, bit) as (U, C, d);
2. [Bob decrypts to get plaintext X]
Bob inspects d to determine on which curve elliptic algebra will proceed;
(X, Y )=U − [KB]C; // Private key applied with elliptic subtract.
Bob now recovers the plaintext as the x-coordinate X;
This method will be recognized as an El Gamal embedding scheme, where
we have made some improvements over previous renditions [Koblitz 1987],
[Kaliski 1988]. Note that the last part of Theorem 8.1.9 allows Algorithm
8.1.10 to proceed efficiently when the field characteristic has p ≡ 3 (mod 4).
In practical implementations of Algorithm 8.1.10, there are two further
substantial improvements one may invoke. First, the y-coordinates are not
needed if one uses Montgomery coordinates (Algorithm 7.2.7) throughout
and carefully applies Algorithm 7.2.8 at the right junctures. Second, the
“clue” point C of the algorithm effectively doubles the transmitted data size.
This, too, can be avoided by carefully setting up a random number exchange
protocol, so that the random number r itself is deterministically kept in
synchrony by the two parties. (The authors are indebted to B. Garst for