Title:

Kind
Code:

A1

Abstract:

The XZ-elliptic curve cryptography system and method provides a computerized method that allows for the encryption of messages through elliptic polynomial cryptography and, particularly, with the embedding of either a symmetric secret key or a public key in the message bit string. The method of performing XZ-elliptic polynomial cryptography is based on the elliptic polynomial discrete logarithm problem. It is well known that an elliptic polynomial discrete logarithm problem is a computationally “difficult” or “hard” problem.

Inventors:

Ghouti, Lahouari (DHAHRAN, SA)

Ibrahim, Mohammad K. (LEICESTER, GB)

Al-khoraidly, Abdulaziz M. (ONAIZAH, SA)

Ibrahim, Mohammad K. (LEICESTER, GB)

Al-khoraidly, Abdulaziz M. (ONAIZAH, SA)

Application Number:

12/958273

Publication Date:

08/08/2013

Filing Date:

12/01/2010

Export Citation:

Assignee:

KING FAHD UNIVERSITY OF PETROLEUM AND MINERALS (DHAHRAN, SA)

Primary Class:

International Classes:

View Patent Images:

Related US Applications:

20090217054 | SECURE SOFTWARE AND HARDWARE ASSOCIATION TECHNIQUE | August, 2009 | Haider et al. |

20030012386 | Forward-secure commercial key escrow systems and escrowing methods thereof | January, 2003 | Kim et al. |

20040076293 | Random number generator using compression | April, 2004 | Smeets et al. |

20100054466 | METHOD OF GENERATING ARBITRARY NUMBERS GIVEN A SEED | March, 2010 | Kerins et al. |

20020064278 | High speed RSA public key cryptographic apparatus and method | May, 2002 | Lim et al. |

20100091984 | SECURE LOGICAL VECTOR CLOCKS | April, 2010 | Kerschbaum et al. |

20090129591 | Techniques for Securing Document Content in Print and Electronic Form | May, 2009 | Hayes et al. |

20020021806 | Content reproduction apparatus | February, 2002 | Nara et al. |

20070291944 | METHODS AND SYSTEMS FOR BLACKOUT PROVISIONING IN A DISTRIBUTION NETWORK | December, 2007 | Wingert et al. |

20080279379 | Conditional Access Video Signal Distribution | November, 2008 | Muijen |

20060140407 | Optical machine locking method and system | June, 2006 | Selinfreund |

Primary Examiner:

AMBAYE, SAMUEL

Attorney, Agent or Firm:

Richard C. Litman (112 S. West Street Alexandria VA 22314)

Claims:

We claim:

1. A computerized method of performing XZ-elliptic curve cryptography, comprising the steps of: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}; (b) the sending correspondent and the receiving correspondent further agreeing upon a random scalar k and a random shared secret key for communication E_{s}, and agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3}; the sending correspondent then performs the following steps: (c) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}); (d) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk}, Y_{Bk},Z_{Bk})=k(X_{B},Y_{B},Z_{B}); (e) computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c}, Y_{c},Z_{c})=(X_{m},Y_{m},Z_{m})+k(X_{B},Y_{B},Z_{B}); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}E_{s }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively; (h) calculating a cipher transformation index E_{c }as ${E}_{c}=\frac{{E}_{s}}{{E}_{m}};$ (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and E_{c }to the receiving correspondent; the receiving correspondent then performs the following steps: (j) calculating the data transformation index E_{m }as ${E}_{m}=\frac{{E}_{s}}{{E}_{c}};$ (k) calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}E_{s}^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (l) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk}, Y_{Bk},Z_{Bk})=k(X_{b}, Y_{B},Z_{B}); (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k(X_{B},Y_{B},Z_{B}); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

2. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 1, wherein each said step of embedding includes the steps of: (a) defining the respective message bit string as an M-bit string, wherein M is an integer such that (3N−L)>M>(2N−L), where L is an integer, N represents a number of bits used to represent F(p) elements, F(p) representing a finite field containing the elliptic curve set EC^{3}, wherein p represents a set of points on EC^{3}; (b) dividing the respective message bit string into three strings m_{1}, m_{2 }and m_{3}, wherein the length of string m, is less than or equal to (N−L) bits, the length of string m_{2 }is less than or equal to (N−1) bits, and the length of string mg is less than or equal to N bits; (c) assigning the value of the bit string m_{3 }to E_{m}; (d) assigning the value of the bit string m_{2 }to Z_{m }by first assigning the value of the bit string m_{2 }to R_{m}, then using a Legendre test to determine if R_{m }has a square root, and then, if R_{m }has a square root, setting Z_{m}=R_{m }and if R_{m }does not have a square root, then setting Z_{m}=gR_{m}, wherein g is non-quadratic residue in F(p); (e) computing aZ_{m}^{2 }and bZ_{m}^{3}, wherein a and b are selected scalars; (f) assigning the value of the bit string m_{1 }to X_{m}; (g) computing a value T as T=X_{m}^{3}+(aZ_{m}^{2})X_{m}+(bZ_{m}^{3}) and using a Legendre test to determine if T has a square root; and (h) assigning the square root of T to Y_{m }if T has a square root, and incrementally increasing X_{m }and returning to step (g) if T does not have a square root.

3. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 2, wherein p is selected prior to encryption.

4. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 3, wherein g is selected to be −1 if p≡3 mod 4 or p≡1 mod 4.

5. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 4, wherein the shared secret key for communication E_{s }and the data transformation index E_{m }are selected to be powers of a common base μ.

6. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 5, wherein the common base μ is selected to be a power of two.

7. A computerized method of performing XZ-elliptic curve cryptography with a public key, comprising the steps of: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}, the sending correspondent further establishing a private key pair (k_{SPr},e_{SPr}); (b) the sending correspondent and the receiving correspondent further agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3 }and sharing a public key pair (k_{SPr}(X_{B},Y_{B}, Z_{B}),E_{b}^{e}^{SPr}); the sending correspondent then performs the following steps: (c) calculating a shared key as (k_{SPr}k_{RPr}(X_{B},Y_{B},Z_{B})), (E_{b}^{e}^{RPr})^{e}^{SPr}); (d) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}); (e) computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m},Y_{m},Z_{m})+k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}(E_{b}^{e}^{RPr})^{e}^{SPr }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively; (h) calculating a cipher transformation index E_{c }as ${E}_{c}=\frac{{\left({E}_{b}^{{e}_{\mathrm{RPr}}}\right)}^{{e}_{\mathrm{SPr}}}}{{E}_{m}};$ (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and E_{c }to the receiving correspondent; the receiving correspondent then performs the following steps: (j) calculating the shared key as (k_{RPr }(k_{SPr}(X_{B},Y_{B},Z_{B})),(E_{b}^{e}^{SPr})^{e}^{RPr}); (k) calculating the data transformation index E_{m }as ${E}_{m}=\frac{{\left({E}_{b}^{{e}_{\mathrm{RPr}}}\right)}^{{e}_{\mathrm{SPr}}}}{{E}_{c}};$ (l) calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}((E_{b}^{e}^{RPr})^{e}^{SPr})^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k_{RPr}(k_{SPr}(X_{B},Y_{B},Z_{B})); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

8. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 7, wherein the step of embedding includes the steps of: (a) defining the respective message bit string as an M-bit string, wherein M is an integer such that (3N−L)>M>(2N−L), where L is an integer, N represents a number of bits used to represent F(p) elements, F(p) representing a finite field containing the elliptic curve set EC^{3}, wherein p represents a set of points on EC^{3}; (b) dividing the respective message bit string into three strings m_{1}, m_{2 }and m_{3}, wherein the length of string m_{1 }is less than or equal to (N−L) bits, the length of string m_{2 }is less than or equal to (N−1) bits, and the length of string m_{3 }is less than or equal to N bits; (c) assigning the value of the bit string m_{3 }to E_{m}; (d) assigning the value of the bit string m_{2 }to Z_{m }by first assigning the value of the bit string m_{2 }to R_{m}, then using a Legendre test to determine if R_{m }has a square root, and then, if R_{m }has a square root, setting Z_{m}=R_{m }and if R_{m }does not have a square root, then setting Z_{m}=gR_{m}, wherein g is non-quadratic residue in F(p); (e) computing aZ_{m}^{2 }and bZ_{m}^{3}, wherein a and b are selected scalars; (f) assigning the value of the bit string m_{1 }to X_{m}; (g) computing a value T as T=X_{m}^{3}+(aZ_{m}^{2})X_{m}+(bZ_{m}^{3}) and using a Legendre test to determine if Thas a square root; and (h) assigning the square root of T to Y_{m }if T has a square root, and incrementally increasing X_{m }and returning to step (g) if T does not have a square root.

9. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 8, wherein p is selected prior to encryption.

10. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 9, wherein g is selected to be −1 if p≡3 mod 4 or p≡1 mod 4.

11. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 10, wherein the shared number E_{b }and the data transformation index E_{m }are selected to be powers of a common base μ.

12. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 11, wherein the common base μ is selected to be a power of two.

13. A system for performing XZ-elliptic curve cryptography, wherein a sending correspondent and a receiving correspondent select and agree upon an elliptic curve set EC^{3}, wherein the sending correspondent further establishes a private key pair (k_{SPr},e_{SPr}), the sending correspondent and the receiving correspondent further agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3 }and sharing a public key pair (k_{SPr}(X_{B},Y_{B},Z_{B}),E_{b}^{e}^{SPr}), the system comprising: a processor; computer readable memory coupled to the processor; a user interface coupled to the processor; a display coupled to the processor; software stored in the memory and executable by the processor, the software having: means for calculating a shared key as (k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})),(E_{b}^{e}^{RPr})^{es}^{SPr}) at the sending correspondent; means for embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}) at the sending correspondent; means for computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m}Y_{m},Z_{m})+k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})) at the sending correspondent; means for embedding a second secret message bit string into a data transformation index E_{m }at the sending correspondent; means for transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}(E_{b}^{e}^{RPr})^{e}^{SPr }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively, at the sending correspondent; means for calculating a cipher transformation index E_{c }as ${E}_{c}=\frac{{\left({E}_{b}^{{e}_{\mathrm{RPr}}}\right)}^{{e}_{\mathrm{SPr}}}}{{E}_{m}}$ at the sending correspondent; means for sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and E_{c }to the receiving correspondent; means for calculating the shared key as (k_{RPr}(k_{SPr}(X_{B},Y_{B},Z_{B})),(E_{b}^{e}^{SPr})^{e}^{RPr}) at the receiving correspondent; means for calculating the data transformation index E_{m }as ${E}_{m}=\frac{{\left({E}_{b}^{{e}_{\mathrm{RPr}}}\right)}^{{e}_{\mathrm{SPr}}}}{{E}_{c}}$ at the receiving correspondent; means for calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}((E_{b}^{e}^{RPr})^{e}^{SPr})^{−} and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively, at the receiving correspondent; means for computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m}, Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k_{Rpr}(k_{SPr}(X_{B},Y_{B},Z_{B})) at the receiving correspondent; and means for retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

1. A computerized method of performing XZ-elliptic curve cryptography, comprising the steps of: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC

2. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 1, wherein each said step of embedding includes the steps of: (a) defining the respective message bit string as an M-bit string, wherein M is an integer such that (3N−L)>M>(2N−L), where L is an integer, N represents a number of bits used to represent F(p) elements, F(p) representing a finite field containing the elliptic curve set EC

3. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 2, wherein p is selected prior to encryption.

4. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 3, wherein g is selected to be −1 if p≡3 mod 4 or p≡1 mod 4.

5. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 4, wherein the shared secret key for communication E

6. The computerized method of performing XZ-elliptic curve cryptography as recited in claim 5, wherein the common base μ is selected to be a power of two.

7. A computerized method of performing XZ-elliptic curve cryptography with a public key, comprising the steps of: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC

8. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 7, wherein the step of embedding includes the steps of: (a) defining the respective message bit string as an M-bit string, wherein M is an integer such that (3N−L)>M>(2N−L), where L is an integer, N represents a number of bits used to represent F(p) elements, F(p) representing a finite field containing the elliptic curve set EC

9. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 8, wherein p is selected prior to encryption.

10. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 9, wherein g is selected to be −1 if p≡3 mod 4 or p≡1 mod 4.

11. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 10, wherein the shared number E

12. The computerized method of performing XZ-elliptic curve cryptography with a public key as recited in claim 11, wherein the common base μ is selected to be a power of two.

13. A system for performing XZ-elliptic curve cryptography, wherein a sending correspondent and a receiving correspondent select and agree upon an elliptic curve set EC

Description:

1. Field of the Invention

The present invention relates to computerized cryptographic systems and methods for encrypting communications in a computer network or electronic communications system, and particularly to a computerized method of performing XZ-elliptic curve cryptography and cryptographic devices incorporating the method.

2. Description of the Related Art

In recent years, the Internet community has experienced explosive and exponential growth. Given the vast and increasing magnitude of this community, both in terms of the number of individual users and web sites, and the sharply reduced costs associated with electronically communicating information, such as e-mail messages and electronic files, between one user and another, as well as between any individual client computer and a web server, electronic communication, rather than more traditional postal mail, is rapidly becoming a medium of choice for communicating information. The Internet, however, is a publicly accessible network, and is thus not secure. The Internet has been, and increasingly continues to be, a target of a wide variety of attacks from various individuals and organizations intent on eavesdropping, intercepting and/or otherwise compromising or even corrupting message traffic flowing on the Internet, or further illicitly penetrating sites connected to the Internet.

Encryption by itself provides no guarantee that an enciphered message cannot or has not been compromised during transmission or storage by a third party. Encryption does not assure integrity due to the fact that an encrypted message could be intercepted and changed, even though it may be, in any instance, practically impossible, to cryptanalyze. In this regard, the third party could intercept, or otherwise improperly access, a ciphertext message, then substitute a predefined illicit ciphertext block(s), which that party, or someone else acting in concert with that party, has specifically devised for a corresponding block(s) in the message. The intruding party could thereafter transmit the resulting message with the substituted ciphertext block(s) to the destination, all without the knowledge of the eventual recipient of the message.

The field of detecting altered communication is not confined to Internet messages. With the burgeoning use of stand-alone personal computers, individuals or businesses often store confidential information within the computer, with a desire to safeguard that information from illicit access and alteration by third parties. Password controlled access, which is commonly used to restrict access to a given computer and/or a specific file stored thereon, provides a certain, but rather rudimentary, form of file protection. Once password protection is circumvented, a third party can access a stored file and then change it, with the owner of the file then being completely oblivious to any such change.

Methods of adapting discrete logarithm based algorithms to the setting of elliptic polynomials are known. However, finding discrete logarithms in this kind of group is particularly difficult. Thus, elliptic polynomial-based cryptographic algorithms can be implemented using much smaller numbers than in a finite-field setting of comparable cryptographic strength. Therefore, the use of elliptic polynomial cryptography is an improvement over finite field-based public-key cryptography.

In practice, an elliptic curve group over a finite field F is formed by choosing a pair of a and b coefficients, which are elements within F. The group consists of a finite set of points P(x,y) that satisfy the elliptic curve equation:

*F*(*x,y*)=*y*^{2}*−x*^{3}*−ax−b=*0, 1)

together with a point at infinity, O. The coordinates of the point, x and y, are elements of F represented in N-bit strings. In the following, a point is either written as a capital letter (e.g., point P) or as a pair in terms of the affine coordinates; i.e. (x,y).

The elliptic curve cryptosystem relies upon the difficulty of the elliptic curve discrete logarithm problem (ECDLP) to provide its effectiveness as a cryptosystem. Using multiplicative notation, the problem can be described as: given points B and Q in the group, find a number k such that B^{k}=Q, where k is the discrete logarithm of Q to the base B. Using additive notation, the problem becomes: given two points B and Q in the group, find a number k such that kB=Q.

In an elliptic curve cryptosystem, the large integer k is kept private and is often referred to as the secret key. The point Q and the point B are made public, and are referred to as the public key. The security of the system, thus, relies upon the difficulty of deriving the secret k, knowing the public points B and Q. The main factor that determines the security strength of such a system is the size of its underlying finite field. In a real cryptographic application, the underlying field is made so large that it is computationally infeasible to determine k in a straightforward way by computing all the multiples of B until Q is found.

At the heart of elliptic curve geometric arithmetic is scalar multiplication, which computes kB by adding together k copies of the point B. Scalar multiplication is performed through a combination of point-doubling and point-addition operations. The point-addition operations add two distinct points together, and the point-doubling operations add two copies of a point together. To compute, for example, B=(2×(2×(2B)))+2B=Q, it would take three point-doublings and two point-additions.

Addition of two points on an elliptic curve is calculated as follows. When a straight line is drawn through the two points, the straight line intersects the elliptic curve at a third point. The point symmetric to this third intersecting point with respect to the x-axis is defined as a point resulting from the addition. Doubling a point on an elliptic curve is calculated as follows. When a tangent line is drawn at a point on an elliptic curve, the tangent line intersects the elliptic curve at another point. The point symmetric to this intersecting point with respect to the x-axis is defined as a point resulting from the doubling.

Table 1 illustrates the addition rules for adding two points (x_{1}, y_{1}) and (x_{2}, y_{2}), i.e., (x_{3}, y_{3})=(x_{1}, y_{1})+(x_{2}, y_{2}):

TABLE 1 | ||

Summary of Addition Rules: (x_{3}, y_{3}) = (x_{1}, y_{1}) + (x_{2}, y_{2}) | ||

General Equations | x_{3 }= m^{2 }− x_{2 }− x | |

y_{3 }= m (x_{3 }− x_{1}) + y_{1} | ||

Point Addition | | |

Point Doubling (x_{3}, y_{3}) = 2(x_{1}, y_{1}) | | |

(x_{2}, y_{2}) = −(x_{1}, y_{1}) | (x_{3}, y_{3}) = (x_{1}, y_{1}) + (−(x_{2}, y_{2})) = O | |

(x_{2}, y_{2}) = O | (x_{3}, y_{3}) = (x_{1}, y_{1}) + O = (x_{1}, y_{1}) | |

−(x_{1}, y_{1}) | = (x_{1}, −y_{1}) | |

For elliptic curve encryption and decryption, given a message point (x_{m}, y_{m}), a base point (x_{B}, y_{B}), and a given key, k, the cipher point (x_{C},y_{C}) is obtained using the equation (x_{C},y_{C})=(x_{m},y_{m})+k(x_{B},y_{B}).

There are two basics steps in the computation of the above equations. The first step is to find the scalar multiplication of the base point with the key, k(x_{B},y_{B}). The resulting point is then added to the message point, (x_{m}, y_{m}) to obtain the cipher point. At the receiver, the message point is recovered from the cipher point, which is usually transmitted, along with the shared key and the base point (x_{m},y_{m})=(x_{C},y_{C})−k(x_{B},y_{B}).

As noted above, the x-coordinate, x_{m}, is represented as an N-bit string. However, not all of the N-bits are used to carry information about the data of the secret message. Assuming that the number of bits of the x-coordinate, x_{m}, that do not carry data is L, then the extra bits L are used to ensure that message data, when embedded into the x-coordinate, will lead to an x_{m }value that satisfies the elliptic curve equation (1). Typically, if the first guess of x_{m }is not on a curve, then the second or third try will be.

Thus, the number of bits used to carry the bits of the message data is (N−L). If the secret data is a K-bit string, then the number of elliptic curve points needed to encrypt the K-bit data is

It is important to note that the y-coordinate, y_{m}, of the message point carries no data bits.

An attack method, referred to as power analysis, exists in which the secret information is decrypted on the basis of leaked information. An attack method in which change in voltage is measured in cryptographic processing using secret information, such as DES (Data Encryption Standard) or the like, such that the process of the cryptographic processing is obtained, and the secret information is inferred on the basis of the obtained process, is known.

As one of the measures against power analysis attack on elliptic curve cryptosystems, a method using randomized projective coordinates, is known. This is a measure against an attack method of observing whether a specific value appears or not in scalar multiplication calculations, and inferring a scalar value from the observed result. By multiplication with a random value, the appearance of such a specific value is prevented from being inferred.

In the above-described elliptic curve cryptosystem, attack by power analysis, such as DPA or the like, was not taken into consideration. Therefore, in order to relieve an attack by power analysis, extra calculation has to be carried out using secret information in order to weaken the dependence of the process of the cryptographic processing and the secret information on each other. Thus, time required for the cryptographic processing increases so that cryptographic processing efficiency is lowered.

With the development of information communication networks, cryptographic techniques have been indispensable elements for the concealment or authentication of electronic information. Efficiency in terms of computation time is a necessary consideration, along with the security of the cryptographic techniques. The elliptic curve discrete logarithm problem is so difficult that elliptic curve cryptosystems can make key lengths shorter than that in Rivest-Shamir-Adleman (RSA) cryptosystems, basing their security on the difficulty of factorization into prime factors. Thus, elliptic curve cryptosystems offer comparatively high-speed cryptographic processing with optimal security. However, the processing speed is not always high enough to satisfy smart cards, for example, which have restricted throughput or servers that have to carry out large volumes of cryptographic processing.

The pair of equations for m in Table 1 are referred to as “slope equations”. Computation of a slope equation in finite fields requires one finite field division. Alternatively, the slope computation can be computed using one finite field inversion and one finite field multiplication. Finite field division and finite field inversion are costly in terms of computational time because they require extensive CPU cycles for the manipulation of two elements of a finite field with a large order. Presently, it is commonly accepted that a point-doubling and a point-addition operation each require one inversion, two multiplications, a square, and several additions. At present, there are techniques to compute finite field division and finite field inversion, and techniques to trade time-intensive inversions for multiplications through performance of the operations in projective coordinates.

In cases where field inversions are significantly more time intensive than multiplication, it is efficient to utilize projective coordinates. An elliptic curve projective point (X,Y,Z) in conventional projective (or homogeneous) coordinates satisfies the homogeneous Weierstrass equation:

*{tilde over (F)}*(*X,Y,Z*)=*Y*^{2}*Z−X*^{3}*−aXZ*^{2}*−bZ*^{3}=0, (2)

and, when Z≠0, it corresponds to the affine point

Other projective representations lead to more efficient implementations of the group operation, such as the jacobian representations, where the triplets (X,Y,Z) correspond to the affine coordinates

whenever Z≠0. This is equivalent to using a jacobian elliptic curve equation that is of the form:

*{tilde over (F)}*_{j}(*X,Y,Z*)=*Y*^{2}*−X*^{3}*−aXZ*^{4}*−bz*^{6}=0. (3)

Another commonly used projection is the Chudnovsky-jacobian coordinate projection. In general terms, the relationship between the affine coordinates and the projection coordinates can be written as

where the values of i and j depend on the choice of the projective coordinates. For example, for homogeneous coordinates, i=1 and j=1.

The use of projective coordinates circumvents the need for division in the computation of each point addition and point doubling during the calculation of scalar multiplication. Thus, finite field division can be avoided in the calculation of scalar multiplication,

when using projective coordinates.

The last addition for the computation of the cipher point,

i.e., the addition of the two points

can also be carried out in the chosen projection coordinate:

It should be noted that Z_{m}=1.

However, one division (or one inversion and one multiplication) must still be carried out in order to calculate

since only the affine x-coordinate of the cipher point, x_{C}, is sent by the sender.

Thus, the encryption of (N−L) bits of the secret message using elliptic curve encryption requires at least one division when using projective coordinates. Similarly, the decryption of a single message encrypted using elliptic curve cryptography also requires at least one division when using projective coordinates.

Thus, an XZ-elliptic curve cryptography system and method solving the aforementioned problems is desired.

The XZ-elliptic curve cryptography system and method provides for improved secure communication over an insecure channel using elliptic curve cryptography. The method utilizes three stages of coordinate projections. In the first of the three stages, a projective coordinate is used to embed extra message data bits in the Z-coordinate as well as the X-coordinate. In the second stage, a projective coordinate is used to remove a division operation at each iteration (and also for randomizing the computation) in order to provide a countermeasure against differential power analysis. Once a cipher point is obtained from the first two stages, the third stage exploits the isomorphism between projected elliptic curves to embed extra message data bits by transforming the cipher point obtained from the first two stages to an isomorphic curve whose parameters are also protected by a secret key. The key of the third stage may be either symmetric or may be generated through a public-key cryptosystem.

The method of performing symmetric, enhanced XZ elliptic curve cryptography includes the following steps: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}; (b) the sending correspondent and the receiving correspondent further agreeing upon a random scalar k and a random shared secret key for communication E_{s}, and agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3}.

The sending correspondent then performs the following steps: (c) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}); (d) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk}, Y_{Bk},Z_{Bk})=k(X_{B},Y_{B}, Z_{B}); (e) computing a cipher point (X_{c}, Y_{c}, Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m},Y_{m},Z_{m})+k(X_{B},Y_{B},Z_{B}); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}E_{s }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively; (h) calculating a cipher transformation index E_{c }as

and (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c}, and E_{c }to the receiving correspondent.

The receiving correspondent then performs the following steps: (j) calculating the data transformation index E_{m }as

(k) calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}E_{s}^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (l) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk},Y_{Bk},Z_{Bk})=(X_{B},Y_{B},Z_{B}); (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k(X_{B},Y_{B},Z_{B}); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m}, Z_{m}).

Preferably, the shared secret key for communication E_{s }and the data transformation index E_{m }are selected to be powers of a common base μ, i.e., E_{s}=μ^{e}^{s }and E_{m}=μ^{3}^{m}. Thus, E_{c}=μ^{e}^{c }where e_{s }is shared, e_{m }is used for embedding the message, and e_{c }is sent. Preferably, μ is a power of two.

In an alternative embodiment for performing public key cryptography, the sending and the receiving entities use two keys, i.e., a private key and a public key. While the pair of public and private keys that is used to obtain the cipher point (X_{c},Y_{c},Z_{c}) are generated in a conventional way, the pair of public and private keys that is used to obtain the cipher transformation index E_{c }can be generated using any suitable public key system, i.e., it can be generated using RSA, an elliptic curve method or the like.

The alternative method of performing symmetric, enhanced XZ elliptic curve cryptography with a public key includes the following steps: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}, the sending correspondent further establishing a private key pair (k_{SPr},e_{SPr}); and (b) the sending correspondent and the receiving correspondent further agreeing upon a base point (Y_{B},Y_{B},Z_{B})εEC^{3 }and sharing a public key pair (k_{SPr}(X_{B},Y_{B},Z_{B}),E_{b}^{e}^{Spr}).

The sending correspondent then performs the following steps: (c) calculating a shared key as (k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})), (E_{b}^{e}^{RPr})^{e}^{SPr}); (d) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}); (e) computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m},Y_{m}Z_{m})+k_{Spr}(k_{Rpr}(X_{B},Y_{B},Z_{B})); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C }(E_{b}^{e}^{RPr})^{e}^{SPr }and {circumflex over (Z)}_{C}=Z_{C}E_{m }respectively; (h) calculating a cipher transformation index E_{c }as

and (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and E_{c }to the receiving correspondent.

The receiving correspondent then performs the following steps: (j) calculating the shared key as (k_{Rpr}(k_{Spr}(X_{B},Y_{B},Z_{B})), (E_{b}^{e}^{Spr})^{e}^{RPr}); (k) calculating the data transformation index E_{m }as

(l) calculating the cipher point coordinates X_{c }and Z_{c }as X_{c}={circumflex over (X)}_{C }((E_{b}^{e}^{RPr})^{e}^{SPr})^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k_{Rpr}(k_{SPr}(X_{B},Y_{B},Z_{B})); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

As in the previous embodiment, preferably, the shared number E_{b }and the data transformation index E_{m }are selected to be powers of a common base μ, i.e., E_{b}=μ^{e}^{b }and E_{m}=μ^{e}^{m}. Thus, E_{c}=μ^{e}^{c }where e_{m }is used for embedding the message and e_{c }is sent. Preferably, μ is a power of two.

In conventional elliptic curve cryptography, encryption and decryption, the message data bits are embedded in only the affine x-coordinate x_{m }of the elliptic curve points. Further, given an elliptic curve defined over F(p) that needs N bits for the representation of its elements, each x-coordinate x_{m }carries only (N−L) bits of the message data bits. Thus, at least one inversion or division over F(p) (i.e., one modulo p inversion or division) is needed per (N−L)-bit encryption.

In the present method, the encryption of more than (2N−L) bits of the message data is achieved per one inversion or division over F(p), i.e., per one modulo p inversion or division. This is achieved by first defining an elliptic curve group over addition in projective coordinates, which allows the embedding of one part of the message data bit-string in both the X-coordinate and the Z-coordinate of the elliptic curve points, where X and Z are elements of F(p) represented in N-bit strings; and secondly, transforming the cipher point to an isomorphic curve which is determined by the second part of the message data bit-string. In the present method, the relevant bits of both the X- and Z-coordinates of the transformed cipher point, as well as the bits of the ciphered transformation index E_{C}, are sent to the receiver.

At the receiving entity, the message bits are recovered from X- and Z-coordinates of the cipher point, as well as the bits of the ciphered transformation index E_{C}, which is achieved using one inversion or division over F(p) (i.e., one modulo p inversion or division).

Further, in the present method, an additional projective coordinate is used at the sending and receiving entities to eliminate the inversion or division during each addition and doubling operation of the scalar multiplication. Thus, up to (3N−L) bits of the message data can be encrypted (and subsequently decrypted) using one inversion or division.

The use of embedding in the X- and Z-coordinates of an elliptic curve point, combined with the embedding in the transformation index, increases the number of points that satisfy an elliptic curve equation, which can then be used in the corresponding cryptosystem, such that the number of points is proportional to p^{3 }rather than p. Thus, for the same number of embedded bits, a smaller p can be used when embedding in the X- and Z-coordinates, as well as the transformation index, than when embedding only in the x-coordinate. This results in faster implementations and reduced power consumption.

These and other features of the present invention will become readily apparent upon further review of the following specification and drawings.

The sole drawing Figure is a block diagram illustrating system components for an XZ-elliptic curve cryptography system and method according to the present invention.

The XZ-elliptic curve cryptography system and method provides for improved secure communication over an insecure channel using elliptic curve cryptography. The method utilizes three stages of coordinate projections. In the first of the three stages, a projective coordinate is used to embed extra message data bits in the Z-coordinate as well as the X-coordinate. In the second stage, a projective coordinate is used to remove a division operation at each iteration (and also for randomizing the computation) in order to provide a countermeasure against differential power analysis. Once a cipher point is obtained from the first two stages, the third stage exploits the isomorphism between projected elliptic curves to embed extra message data bits by transforming the cipher point obtained from the first two stages to an isomorphic curve whose parameters are also protected by a secret key. The key of the third stage may be either symmetric or may be generated through a public-key cryptosystem.

The method begins by defining a set of elliptic curve points represented in projective coordinates as a group over addition. Given a field F(p), and defining a&bεF(p), where the symbol E denotes set membership, EC^{2 }is defined as the set of points (x,y) that satisfy the elliptic curve equation in affine coordinates (i.e., F(x,y)=y^{2}−x^{3}−ax−b=0), where x& yεF (p), together with a point at infinity.

It is known that using the addition rules defined above for the set of points EC^{2}, the set EC^{2 }forms an abelian group over addition, denoted as (EC^{2}, +). The present method utilizes a projection (X,Y,Z), which is related to the affine coordinates as:

Substitution of equations (5) and (6) into the elliptic curve equation yields:

It should be noted that if F(x,y) is non-singular (i.e., 4a^{2}+27b^{3}≠0), then {tilde over (F)}(X,Y,Z) is also non-singular. In the following, it is assumed that the elliptic curve equations are non-singular.

The set of points EC^{3 }is defined as the triplets (X,Y,Z), where X,Y & ZεF(p), that satisfy equation (6), along with a point at infinity (X_{l},Y_{l},Z_{l}), and excluding the point at the origin (0,0,0). It should be noted that EC^{3 }is in projective coordinates, while EC^{2 }is in affine coordinates. The addition rules for the group (EC^{2}, +) can be adopted to define an additive binary operation, denoted as “+”, over EC^{3}. For all (X_{1},Y_{1}Z_{1})εEC^{3 }and (X_{2},Y_{2},Z_{2})εC^{3}, the sum (X_{3},Y_{3},Z_{3})=(X_{1}Y_{1}Z_{1})+(X_{2},Y_{2}, Z_{2}) is also (X_{3},Y_{3},Z_{3})εEC^{3}.

It can be seen that (EC^{3}, +) also forms a group over addition that satisfies the following axioms: (i) There exists (X_{1},Y_{1},Z_{1})εEC^{3 }such that (X,Y,Z)+(X_{1},Y_{1},Z_{1})=(X,Y,Z) for all (X,Y,Z)εEC(K^{3}); (ii) for every (X,Y,Z)εEC^{3}, there exists −(X,Y,Z)εEC^{3 }such that (X,Y,Z)−(X,Y,Z)=(X_{1},Y_{1},Z_{1}); (iii) the additive binary operation is commutative; and (iv) the additive binary operation is associative.

With regard to the addition rules for the group (EC^{3}, +), the addition of two points on an elliptic curve in projective coordinate EC^{3 }is calculated as follows. When a straight line is drawn through two points of EC^{3}, the straight line intersects the elliptic curve in projective coordinates at a third point. The point symmetric to this third intersecting point, with respect to the X-axis, is defined as a point resulting from the addition.

A straight-line equation in projective coordinates is given by:

The basic addition rule can be formulated as follows: Draw the line that joins the two points to be added in the set EC^{3}. Denoting the third point of intersection as (X′_{3},Y′_{3},Z′_{3}), the sum point is defined as (X_{3},Y_{3},Z_{3})=(X′_{3}−Y′_{3},Z′_{3}). It follows from the above definition that the addition over EC^{3 }is commutative, that is:

(*X*_{1}*,Y*_{1}*,Z*_{1})+(*X*_{2}*,Y*_{2}*,Z*_{2})=(*X*_{2}*,Y*_{2}*,Z*_{2})+(*X*_{1}*Y*_{1}*,Z*_{1})

for all (X_{1}, Y_{1},Z_{1})εE(K^{3}) and (X_{2},Y_{2},Z_{2})εE(K^{3}). This satisfies axiom (iii) above.

There are four main cases that need to be considered for the computation of addition for (EC^{3}, +):

(A) X_{1}≠X_{2};

(B) X_{1}=X_{2 }and Z_{1}≠Z_{2};

(C) (X_{1}Y_{1},Z_{1})=(X_{2}Y_{2},Z_{2}) (i.e., point doubling); and

(D) X_{1}=X_{2 }and Z_{1}=Z_{2 }

For case (A) where X_{1}≠X_{2}, we have:

Substituting equation (8) for Y′_{3 }and equation (9) for Z′_{3 }into equation (6) yields:

(*Y*_{1}*+m*_{y}(*X−X*_{1}))^{2}*−X*^{3}*−aX*(*Z*_{1}*+m*_{z}(*X−X*_{1}))^{2}*−b*(*Z*_{1}*+m*_{z}(*X−X*_{1}))^{3}=0 (12)

Expanding the terms between parentheses and grouping the terms with the same powers of X gives:

*X*^{3}*+am*_{z}^{2}*X*^{3}*+bm*_{z}^{3}*X*^{3}*−m*_{y}^{2}*X*^{2}+2*am*_{z}*Z*_{1}*X*^{2}−2*am*_{z}^{2}*X*^{2}*X*_{1}*+bm*_{z}^{2}*Z*_{1}*X*^{2}+2*bm*_{z}^{2}*Z*_{1}*X*^{2}−2*bm*^{3}_{z}*X*^{2}*X*_{1}*−bm*_{z}^{3}*X*^{2}*X*_{1}−2*m*_{y}*Y*_{1}*X+*2*m*_{y}^{2}*XX*_{1}*+aXZ*_{1}^{2}−2*am*_{z}*Z*_{1}*XX*_{1}*+am*_{z}^{2}*XX*_{1}^{2}+2*bm*_{z}*Z*_{1}^{2}*X−*2*XX*_{1}*bm*_{z}^{2}*Z*_{1}*+bm*_{z}*XZ*_{1}^{2}−4*bm*_{z}^{2}*Z*_{1}*XX*_{1}*+bm*_{z}^{3}*XX*_{1}^{2}+2*bm*^{3}_{z}*XX*_{1}^{2}*−Y*_{1}^{2}+2*m*_{y}*Y*_{1}*X*_{1}*−m*_{y}^{2}*X*_{1}^{2}*+bZ*_{1}^{3}−2*bm*_{z}*Z*_{1}^{2}*X*_{1}*++bX*_{1}^{2}*m*_{z}^{2}*Z*_{1}*−bm*_{z}*X*_{1}*Z*_{1}^{2}+2*bm*_{z}^{3}*Z*_{1}*X*_{1}*−bm*_{2}^{3}*X*_{1}^{3}=0. (13)

In order to solve the above, it is recognized that any cubic equation has three roots, such that

(*X−X*_{1})(*X−X*_{2})(*X−X′*_{3})=0, (14)

and scaling the coefficient of the term X^{3 }to 1 in equation (13), and equating the coefficient of the term X^{2 }in equations (13) and (14), yields:

After grouping terms to reduce the number of computations, one obtains:

where

*c=*1*+am*_{z}^{2}*+bm*_{z}^{3}. (18).

Substituting the solution of X′_{3}, which is given in equation (17), into equation (8) yields the solution for Y′_{3}. Similarly, substituting the solution of X′_{3}, which is given in equation (17), into equation (9) produces the solution for Z′_{3}.

For case (B), where X_{1}=X_{2 }and Z_{1}≠Z_{2}, we let X_{o}=X_{1}=X_{2}. In this case, X_{3}=X_{1}=X_{2}=X_{o}, since the straight line is in the YZ-plane X_{o}. Thus, one can write:

*Y′*_{3}*=Y*_{1}*+n*_{y}(*Z′*_{3}*−Z*_{1}), (19)

where

Substituting equation (19) into equation (6) (and noting that X=X_{0}) yields:

(*Y*_{1}*+n*_{y}(*Z−Z*_{1}))^{2}*−X*_{o}^{3}*−aX*_{o}*Z*^{2}*−bZ*^{3}=0. (20)

Expanding the terms between parentheses and grouping the terms with the same powers of Z, one obtains:

In order to solve the above, it is recognized that any cubic equation has three roots, such that:

(*Z−Z*_{1})(*Z−Z*_{2})(*Z−Z′*_{3})=0 (22).

Equating the coefficient of the term Z^{2 }in equations (21) and (22), one obtains:

and substituting the solution of Z′_{3 }into equation (19) produces the solution for Y′_{3}.

For case (C), which involves point doubling, (X_{1},Y_{1},Z_{1})=(X_{2},Y_{2},Z_{2}). Letting (X_{o},Y_{o},Z_{o})=(X_{1},Y_{1},Z_{1})=(X_{2},Y_{2},Z_{2}), then (X_{3},Y_{3},Z_{3})=2(X_{o},Y_{o},Z_{o}). Doubling a point on an elliptic curve in projective coordinates can be defined in several ways. In the first case (C.1), when a tangent line in an XV-plane is drawn at a point on an elliptic curve, the tangent line intersects the elliptic curve in the projective coordinates EC^{3 }at another point. The point symmetric to this intersecting point with respect to the X-axis is defined as a point resulting from the doubling. It should be noted that in this case, Z′_{3}=Z_{o}.

In the second case (C.2), when a tangent line in a YZ-plane is drawn at a point on an elliptic curve, the tangent line intersects the elliptic curve in the projective coordinates EC^{3 }at another point. The point symmetric to this intersecting point with respect to the X-axis is defined as a point resulting from the doubling. It should be noted that in this case, X′_{3}=X_{o}.

In a third case (C.3), some form of a combination of rules (C.1) and (C.2) may be used. The simplest combination is to perform doubling using rule (C.1) followed by another doubling using rule (C.2). Another combination involves using the gradients in (C.1) and (C.2) simultaneously.

For case (C.1), Z_{3}=Z_{1}=Z_{2}=Z_{o}. The gradient of the tangent of the point (X_{o},Y_{o},Z_{o}) of the elliptic curve in projective coordinates in an XY-plane is given by:

Substituting equation (24) for m_{y }in the equation for X′_{3}, and noting that m_{z}=0 in this case, one obtains the solution for X′_{3}:

*X′*_{3}*=m*^{2}_{y}*−X*_{1}*−X*_{2}. (25)

One may similarly obtain the solution for Y′_{3 }from case (A) above.

For case (C.2), X_{3}=X_{1}=X_{2}=X_{o}. The gradient of the tangent of the point (X_{o},Y_{o},Z_{o}) of the elliptic curve in projective coordinates in a YZ-plane is given by:

Substituting equation (26) for n_{y }in equation (23), one obtains a solution for Z′_{3}:

Similarly, substituting the solution of Z′_{3 }into equation (19), one obtains the solution for Y′_{3}.

For case (D), X_{1}=X_{2 }and Z_{1}=Z_{2}. Letting X_{o}=X_{1}=X_{2 }and Z_{o}=Z_{1}=Z_{2 }allows for substitution of these values directly into equation (6), thus producing a quadratic equation for the Y-coordinate:

*Y*^{2}*=X*_{o}^{3}*+aX*_{o}*Z*_{o}^{2}*Z*_{o}^{2}*+bZ*_{o}^{3}, (28)

where Y_{o }represents one of the solutions. The other solution must be −Y_{o}.

Therefore, a line perpendicular to the XZ-plane intersects EC^{3 }at only two points: (X,Y,Z) and (X,−Y,Z)εEC^{3}. This clearly shows the symmetry of EC^{3 }about the X-axis and the Z-axis. Furthermore, every (X,Y,Z)εEC^{3 }has a unique mirror image point (X,−Y,Z)εEC^{3}. Thus, since a line joining such pairs (X,Y,Z) and (X,−Y,Z)εEC^{3 }does not intersect with EC^{3 }at a third finite point, such lines are assumed to intersect with EC^{3 }at the point of infinity (X_{1},Y_{1},Z_{1}). This point at infinity is used to define both the inverse of a point in EC^{3 }and the identity point. According to the addition rule defined above, one can write:

(*X,Y,Z*)+(*X,−Y,Z*)=(*X*_{I}*,Y*_{I}*,Z*_{I}), (29)

since the third point of intersection of such lines is the point at infinity. This equation therefore defines a unique inverse for any point (X,Y,Z)εEC^{3},

−(*X,Y,Z*)=(*X,−Y,Z*). (30)

Thus, equation (29) can be written as:

(*X,Y,Z*)−(*X,Y,Z*)=(*X*_{I}*,Y*_{I}*,Z*_{I}). (31)

Additionally, a line joining the point at infinity and any point (X,Y,Z)εEC will intersect with EC^{3 }at (X,−Y,Z). Therefore, from the addition rule defined above, one may also write:

(*X,Y,Z*)+(*X*_{I}*,Y*_{I}*,Z*_{I})=(*X,Y,Z*). (32)

Equation (31) satisfies axiom (ii) while equation (32) satisfies axiom (i) of the group (EC^{3},+).

With regard to the second projective coordinate, each of the equations for point addition and point doubling derived for the cases (A), (B) and (C) above require one modular inversion or division. In cases where field inversions or divisions are significantly more expensive than multiplication (in terms of time and computational power), a second projective coordinate is used to remove the requirement for field inversion or division from these equations. As shown below, the number of operations needed for EC^{3 }point doubling and point addition when performed in the second projective coordinate are comparable to those needed in EC^{2}. It should be noted that several projective coordinates can be used. In the present method, the homogenous projection is used as an example:

Using this projection in the elliptic curve equation given by equation (6), one obtains a homogeneous elliptic curve equation:

where an elliptic curve projective point (X,Y,Z,V) using homogenous projective coordinates satisfies the homogenous elliptic curve equation (36).

When V≠0, the homogenous projected point (X,Y,Z,V)

corresponds to the projected point

Using homogenous projective coordinates, the equation for point addition can be written as:

In the following, it is shown how the homogenous projective coordinates can be used to remove the need for modular inversion or division from the equations given above for cases (A), (B) and (C). Starting with case (A), substitution for X, Y and Z in terms of the projective coordinates in equations (33), (34) and (35) into the equation given above for X_{3}′, and noting that c=1+am_{z}^{2}+bm_{z}^{3}, yields:

where

λ_{xv}=(*X*_{2}*V*_{1}*−X*_{1}*V*_{2}) (39)

λ_{yv}=(*Y*_{2}*V*_{1}*−Y*_{1}*V*_{2}) (40)

λ_{zv}=(*Z*_{2}*V*_{1}*−Z*_{1}*V*_{2}) (41)

λ_{xzv}=(λ_{xv}^{3}*+aλ*_{xv}λ_{zv}^{2}*++bλ*_{zv}^{3}). (42)

Letting

*V*_{3}*=V*_{1}*V*_{2}λ_{xv}λ_{xzv} (43)

and substituting equation (43) for V_{3 }in equation (38), one obtains

*X′*_{3}=λ_{xv}*A*_{x3}, (44)

where

*A*_{x3}={λ_{yv}^{2}λ_{xv}*V*_{2}−λ_{zv}(2*aλ*_{xv}+3*bλ*_{zv})(λ_{xv}*Z*_{1}*V*_{2}−λ_{zv}*X*_{1}*V*_{2})−λ_{xzv}(*V*_{2}*X*_{1}*+V*_{1}*X*_{2})}. (45)

Substituting for X and Yin terms of the projective coordinates in equations (33) and (34) into the equation given above for Y_{3}′, and following simplification, gives:

Substituting equations (43) and (44) for V_{3 }and X′_{3 }into equation (46) produces

*Y′*_{3}*=V*_{2}λ_{xv}λ_{xzv}*Y*_{1}+λ_{yv}(*A*_{x3}*−V*_{2}λ_{xzv}*X*_{1}) (47)

and substituting X and Z in terms of the projective coordinates in equations (33) and (35) into the equation given above for Z_{3}′, and following simplification, gives:

Substituting equations (43) and (44) for V_{3 }and X′_{3 }into equation (48) produces

*Z′*_{3}*=V*_{2}λ_{xv}λ_{xzv}*Z*_{1}+λ_{zv}(*A*_{x3}*−V*_{2}λ_{xzv}*X*_{1}). (49)

The number of field operations needed in equations (44), (47) and (49) are 24 multiplications, three squaring operations, and ten addition operations. When using mixed coordinates, the number of multiplications can be reduced to twenty multiplications.

For case (B), substituting X, Y and Z in terms of the heterogeneous projective coordinate into the equation given above for Z′_{3}, and noting that X_{3}=X_{1}=X_{2}=X_{o}, one obtains:

and letting

*V*_{3}*=V*_{1}^{2}*V*_{2}^{2}(*Z*_{2}*V*_{1}*−Z*_{1}*V*_{2})^{3}, (51)

allows for the substitution of equation (51) for V_{3 }into equation (50), yielding:

Substituting Y and Z in terms of the projective coordinates in equations (40) and (41) into the equation for Y_{3}′ produces:

and substituting equations (51) and (52) for V_{3 }and Z′_{3 }into equation (54) gives

The number of field operations needed in equations (52) and (55) are sixteen multiplication operations, two squaring operations, and seven addition operations.

For case (C.1), substituting X, Y and Z in terms of the projective coordinates in equations (39), (40) and (41) into the equation for X′_{3 }produces

and letting

*V*_{3}=8*V*_{o}^{3}*Y*_{o}^{3} (57)

allows for the substitution of equation (57) into equation (56), yielding:

*X′*_{3}=2*V*_{o}*Y*_{o}*D*_{3x}, (58)

where

*D*_{3x}={(3*X*_{o}^{2}*+aZ*_{o}^{2})^{2}−8*V*_{o}*Y*_{o}^{2}*X*_{o}}. (59)

Substituting X, Y and Z in terms of the projective coordinates in equations in equations (39), (40) and (41) into the equation for Y_{3}′, and using the gradient, produces

and substituting equations (57), (58) and (59) for V_{3}, X′_{3 }and D_{3x }gives:

*Y′*_{3}=8*v*_{o}^{2}*Y*_{o}^{4}+3*X*_{o}^{2}*+az*_{o}^{2}((3*X*_{o}^{2}*+az*_{o}^{2})^{2}−12*V*_{o}*Y*_{o}^{2}*X*_{o}). (61)

The number of field operations needed in equations (58) and (61) are six multiplication operations, four squaring operations, and five addition operations.

For case (C.1), substituting X, Yand Z in terms of the projective coordinates in equations (39), (40) and (41) into the equation for Z′_{3 }produces

and letting

*V*_{3}=8*V*_{o}^{3}*Y*_{o}^{3} (63)

allows for the substitution of equation (63) into equation (62), yielding:

*Z′*_{3}=2*V*_{o}*Y*_{o}*D*_{3z}, (64)

where

and substituting X, Y and Z in terms of the projective coordinate in equations (39), (40) and (41) into the equation for Y′_{3}, and using the gradient, gives:

Substituting equations (63) and (64) for V_{3 }and Z′_{3 }into equation (66) produces

*Y′*_{3}=8*V*_{o}^{2}*Y*_{o}^{3}*Y*_{o}+(2*aX*_{o}*Z*_{o}+3*bZ*_{o}^{2})(*D*_{3z}−4*V*_{o}*Y*_{o}^{2}*Z*_{o}). (67)

The number of field operations needed in equations (64) and (67) are ten multiplication operations, three squaring operations, and five addition operations.

A third projection is applied to equation (6) in order to produce the present enhanced XZ elliptic curve system. Letting a secret transformation index E_{s }be used to project equation (6) yields:

*{tilde over (F)}*(*X,Y,Z,E*_{s})=*E*_{s}^{3}*F*(*X,Y,Z*)=*E*_{s}^{3}(*Y*^{2}*−X*^{3}*−aXZ*^{2}*−bZ*^{3})=0 (68)

By introducing a data transformation index E_{m}, and the cipher transformation index E_{c}, such that E_{s}=E_{m}E_{c}, produces:

*{tilde over (F)}*(*X,Y,Z,E*_{s})=*Y*^{2}*E*_{s}^{3}*−X*^{3}*E*_{s}^{3}*−aXZ*^{2}*E*_{s}*E*_{m}^{2}*E*_{c}^{2}*−bZ*^{3}*E*_{m}^{2}*E*_{c}^{3}=0. (69)

The following substitutions may then be applied:

*Ŷ=YE*_{s}^{3/2}*, {circumflex over (X)}=XE*_{s}*, {circumflex over (Z)}=ZE*_{m}*, â=aE*_{c}^{2}*, {circumflex over (b)}=bE*_{c}^{3}, (70)

to produce:

*{tilde over (F)}*(*X,Y,Z,E*_{s})=*Ŷ*_{2}*−{circumflex over (X)}*_{3}*−â{circumflex over (X)}{circumflex over (Z)}*^{2}*−{circumflex over (b)}{circumflex over (Z)}*^{3}={tilde over (F)}(*{circumflex over (X)},Ŷ,{circumflex over (Z)}*)=0 (71)

Thus, any point on the curve {tilde over (F)}(X,Y,Z) can be transformed using the values E_{s}, E_{m }and E_{c }to the isomorphic curve {tilde over (F)}({circumflex over (X)},Ŷ,{circumflex over (Z)}). Due to the relationship between E_{s}, E_{m }and E_{c}, the knowledge of two of them is necessary to know the third. Otherwise, the original curve cannot be retrieved.

The multiplicative relationship between E_{s}, E_{m }and E_{c }indicates that a field division is required when computing E_{m }or E_{c}. The need for this division operation can be relieved if E_{s}, E_{m }and E_{c }are chosen to be powers of a common base μεF(p), i.e., when E_{s}=μ^{e}^{s}, E_{m}=μ^{e}^{m }and E_{c}=μ^{e}^{c}. In this case, e_{s}=e_{m}+e_{c }and equation (69) becomes:

*{tilde over (F)}*(*X,Y,Z,μ*^{e}^{s})=*Y*^{2}μ^{3e}^{s}*−X*^{3}μ^{3e}^{s}*−aXZ*^{2}μ^{e}^{s}^{2(e}^{m}^{+e}^{c})−*bZ*^{3}μ^{3(e}^{m}^{e}^{c}^{)}=0. (72)

Then, the following substitutions can be applied:

*Ŷ=Yμ*^{3/2e}^{s}*, {circumflex over (X)}=Xμ*^{e}^{x}*,{circumflex over (Z)}=Zμ*^{e}^{m}*, â=aμ*^{2e}^{c}*, {circumflex over (b)}=bμ*^{3e}^{c}, (73)

in order to produce:

*{tilde over (F)}*(*X,Y,Z,μ*^{e}^{s})=*Ŷ*^{2}*−{circumflex over (X)}*^{3}*â{circumflex over (X)}{circumflex over (Z)}*^{2}*={circumflex over (b)}{circumflex over (Z)}*^{3}*={tilde over (F)}*(*{circumflex over (X)},Ŷ,{circumflex over (Z)}*)=0 (74)

Again, it is necessary to know two of the exponents e_{s}, e_{m }and e_{c }to know the third.

It should be noted that choosing μ as a power of two makes this transformation very efficient, since both multiplication and division operations can be implemented through a shift-and-reduce operation. Further, a special choice of the value of μ would allow the transformation of a point from or to the twist of the curve. In particular, if the value of μ is a quadratic non-residue in GF(p), then an odd value of e_{s }transforms the point to the twist of the curve, since Y will be multiplied by μ^{3/2e}^{s}.

The present method of performing symmetric, enhanced XZ elliptic curve cryptography includes the following steps: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}; and (b) the sending correspondent and the receiving correspondent further agreeing upon a random scalar k and a random shared secret key for communication E_{s}, and agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3}.

The sending correspondent then performs the following steps: (c) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}); (d) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk},Y_{Bk},Z_{Bk})=k(X_{B},Y_{B},Z_{B}); (e) computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m},Y_{m},Z_{m})+k(X_{B},Y_{B},Z_{B}); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}E_{s }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively; (h) calculating a cipher transformation index E_{c }as

and (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and Ê_{c }to the receiving correspondent.

The receiving correspondent then performs the following steps: (j) calculating the data transformation index E_{m }as

(k) calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}E_{s}^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (l) computing a scalar multiplication between the base point (X_{B},Y_{B},Z_{B}) and the scalar k as (X_{Bk},Y_{Bk},Z_{Bk})=k(X_{B},Y_{B},Z_{B}); (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k(X_{B},Y_{B},Z_{B}); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

Preferably, the shared secret key for communication E_{s }and the data transformation index E_{m }are selected so be powers of a common base μ, i.e., E_{s}=μ^{e}^{s }and E_{m}=μ^{e}^{m}. Thus, E_{c}=μ^{e}^{c }where e_{s }is shared, e_{m }is used for embedding the message, and e_{c }is sent. Preferably, μ is a power of two.

In an alternative embodiment for performing public key cryptography, the sending and the receiving entities use two keys, i.e., a private key and a public key. While the pair of public and private keys that is used to obtain the cipher point (X_{c}, Y_{c},Z_{c}) are generated in a conventional way, the pair of public and private keys that is used to obtain the cipher transformation index E, can be generated using any suitable public key system, i.e., it can be generated using RSA, an elliptic curve method or the like.

The alternative method of performing symmetric, enhanced XZ elliptic curve cryptography with a public key includes the following steps: (a) a sending correspondent and a receiving correspondent selecting and agreeing upon an elliptic curve set EC^{3}, the sending correspondent further establishing a private key pair (k_{SPr},e_{SPr}); and (b) the sending correspondent and the receiving correspondent further agreeing upon a base point (X_{B},Y_{B},Z_{B})εEC^{3 }and sharing a public key pair (k_{SPr}(X_{B},Y_{B},Z_{B}),E_{b}^{e}^{SPr}).

The sending correspondent then performs the following steps: (c) calculating a shared key as (k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})),E_{b}^{e}^{RPr})^{e}^{SPr}); (d) embedding a first secret message bit string into an elliptic curve message point (X_{m},Y_{m},Z_{m}) (e) computing a cipher point (X_{c},Y_{c},Z_{c}) as (X_{c},Y_{c},Z_{c})=(X_{m},Y_{m},Z_{m})+k_{SPr}(k_{RPr}(X_{B},Y_{B},Z_{B})); (f) embedding a second secret message bit string into a data transformation index E_{m}; (g) transforming the cipher point coordinates X_{c }and Z_{c }as {circumflex over (X)}_{C}=X_{C}(E_{b}^{e}^{RPr})^{e}^{sPr }and {circumflex over (Z)}_{C}=Z_{C}E_{m}, respectively; (h) calculating a cipher transformation index E_{c }as

and (i) sending a set of appropriate bits of {circumflex over (X)}_{c}, {circumflex over (Z)}_{c }and E_{c }to the receiving correspondent.

The receiving correspondent then performs the following steps: (j) calculating the shared key as (k_{RPr }(k_{SPr }(X_{B}, Y_{B},Z_{B})),(E_{b}^{e}^{SPr})^{e}^{RPr}); (k) calculating the data transformation index E_{m }as

(l) calculating the cipher point coordinates X_{c }and Z_{c }as X_{C}={circumflex over (X)}_{C}((E_{b}^{e}^{RPr})^{e}^{SPr})^{−1 }and Z_{C}={circumflex over (Z)}_{C}E_{m}^{−1}, respectively; (m) computing the elliptic curve message point (X_{m},Y_{m},Z_{m}) as (X_{m},Y_{m},Z_{m})=(X_{c},Y_{c},Z_{c})−k_{RPr}(k_{SPr}(X_{B}, Y_{B}, Z_{B})); and (n) retrieving the first secret message bit string from the elliptic curve message point (X_{m},Y_{m},Z_{m}).

As in the previous embodiment, preferably, the shared number E_{b }and the data transformation index E_{m }are selected to be powers of a common base μ, i.e., E_{b}=μ^{e}^{b }and E_{m}=μ^{e}^{m}. Thus, E_{c}=μ^{e}^{c }where e_{m }is used for embedding the message and e_{c }is sent. Preferably, μ is a power of two.

In conventional elliptic curve cryptography, encryption and decryption, the message data bits are embedded in only the affine x-coordinate x_{m }of the elliptic curve points. Further, given an elliptic curve defined over F(p) that needs N bits for the representation of its elements, each x-coordinate x, carries only (N−L) bits of the message data bits. Thus, at least one inversion or division over F(p) (i.e., one modulo p inversion or division) is needed per (N−L)-bit encryption.

In the present method, the encryption of more than (2N−L) bits of the message data is achieved per one inversion or division over F(p), i.e., per one modulo p inversion or division. This is achieved by first defining an elliptic curve group over addition in projective coordinates, which allows the embedding of one part of the message data bit-string in both the X-coordinate and the Z-coordinate of the elliptic curve points, where Xand Z are elements of F(p) represented in N-bit strings; and second, transforming the cipher point to an isomorphic curve that is determined by the second part of the message data bit-string. In the present method, the relevant bits of both the X- and Z-coordinates of the transformed cipher point, as well as the bits of the ciphered transformation index E_{C}, are sent to the receiver.

At the receiving entity, the message bits are recovered from X- and Z-coordinates of the cipher point, as well as the bits of the ciphered transformation index E_{C}, which is achieved using one inversion or division over F(p) (i.e., one modulo p inversion or division).

Further, in the present method, an additional projective coordinate is used at the sending and receiving entities to eliminate the inversion or division during each addition and doubling operation of the scalar multiplication. Thus, up to (3N−L) bits of the message data can be encrypted (and subsequently decrypted) using one inversion or division. The use of embedding in the X- and Z-coordinates of an elliptic curve point, combined with the embedding in the transformation index, increases the number of points that satisfy an elliptic curve equation, which can then be used in the corresponding cryptosystem, such that the number of points is proportional to p^{3 }rather than p. Thus, for the same number of embedded bits, a smaller p can be used when embedding in the X- and Z-coordinates, as well as the transformation index, than when embedding only in the x-coordinate. This results in faster implementations and reduced power consumption.

In the method of performing enhanced XZ-elliptic curve cryptography, the steps of embedding include the following steps: (a) defining the respective message bit string as an M-bit string, where M is an integer such that (3N−L)>M>(2N−L), L is an integer, N represents a number of bits used to represent F(p) elements, and F(p) represents a finite field containing the elliptic curve set EC^{3}, where p represents a set of points on EC^{3}; (b) dividing the respective message bit string into three strings m_{1}, m_{2 }and m_{3}, where the length of string m_{1 }is less than or equal to (N−L) bits, the length of string m_{2 }is less than or equal to (N−1) bits, and the length of string m_{3 }is less than or equal to N bits; (c) assigning the value of the bit string m_{3 }to E_{m}; (d) assigning the value of the bit string m_{2 }to Z_{m }by first assigning the value of the bit string m_{2 }to R_{m}, then using a Legendre test to determine if R_{m }has a square root, and then, if R_{m }has a square root, setting Z_{m}=R_{m }and if R_{m }does not have a square root, then setting Z_{m}=gR_{m}, where g is non-quadratic residue in F(p); (e) computing aZ_{m}^{2 }and bZ_{m}^{3}, where a and b are selected scalars; (f) assigning the value of the bit string m_{1 }to X_{m}; (g) computing a value T as T=X_{m}^{3}+(aZ_{m}^{2})X_{m}+(bZ_{m}^{3}) and using a Legendre test to determine if T has a square root; and (h) assigning the square root of T to Y_{m }if T has a square root, and incrementally increasing X_{m }and returning to step (g) if T does not have a square root.

The Legendre Symbol is used to test whether an element of F(p) has a square root or not, i.e., whether an element is quadratic residue or not. The Legendre Symbol and test are as follows. Given an element of a finite field F(p), such as d, the Legendre symbol is defined as

In order to test whether d is quadratic residue or not, the Legendre symbol,

is computed such that:

In the above, it should be noted that p is usually predetermined prior to encryption, thus the value of g can also be predetermined. When using the embedding method given above, the strings m_{1}, m_{2 }and m_{3 }can be recovered directly from X_{m}, Z_{m }and E_{m}, respectively. An extra bit is needed to identify whether R_{m }or gR_{m }is used for Z_{m }at the receiver. Therefore, to encode (N−1) message data bits, one needs to send N bits for the Z values.

Any non-quadratic value in F(p) can be used for g. For efficiency, g is chosen to be −1 for p≡3 mod 4 or when p≡1 mod 4.

At the receiver, the process is reversed. In the case of g=2, a division by 2 is carried out. It should noted that dividing R_{m }by two is computed using one modulo addition, since:

(i) R_{m}/2=((R_{m}−(R_{m}) mod 2)/2)+(R_{m}) mod 2*(½) mod p;

(ii) (R_{m})mod 2 is the least significant bit of R_{m}; and

(iii) (½)mod p=(p+1)/2.

The security of the password protocols depends on the security of the underlying elliptic polynomial cryptography. The security of elliptic polynomial cryptosystems is assessed by both the effect on the solution of the elliptic curve discrete logarithmic problem (ECDLP) and power analysis attacks.

It is well known that the elliptic curve discrete logarithm problem (ECDLP) is apparently intractable for non-singular elliptic curves. The ECDLP problem can be stated as follows: given an elliptic curve defined over Fthat needs N-bits for the representation of its elements, an elliptic curve point (x_{p},y_{p})εEC, defined in affine coordinates, and a point (x_{Q},y_{Q})εEC, defined in affine coordinates, determine the integer k, 0≦S≦#k , such that (x_{Q},y_{Q})=k(x_{P},y_{P}), provided that such an integer exists. In the below, it is assumed that such an integer exists.

Various methods of pre-conditioning the data have been proposed for different requirements. Any scheme which guarantees the uselessness of acquiring a partial message is applicable to the present method. One way to achieve this behavior is through the “All-or-Nothing Transformation” (AONT), which is defined as a keyless transformations that maps a sequence of blocks B_{1 }to another sequence of blocks B_{2 }such that a missing block of B_{2 }will totally prevent reproducing B_{1 }partially or fully, or obtaining any useful information about it.

Another method of achieving this is to multiply the message data as a vector by a matrix T in order to obtain a transformed vector as follows:

* m*

where T is of size S_{t}×S_{r }elements, _{0 }and _{t }are the original and the transformed message data vector, respectively, which are of length S_{t }elements, and where bit length S_{t}≧(3N−L). Then, _{t }would be used for embedding instead of _{o}. With the matrix T chosen properly, the partial knowledge of _{t }is not enough to obtain any useful part of _{o}.

The most well-known attack used against the ECDLP is the Pollard ρ-method, which has a complexity of O(√{square root over (πK)}/2), where K is the order of the underlying group, and the complexity is measured in terms of an elliptic curve point addition.

Since the underlying cryptographic problems used in the above block cipher chaining methods is the discrete logarithm problem, which is a known difficult mathematical problem, it is expected that the security of the above methods are more secure than prior art ciphers which are not based on such a mathematically difficult problem.

Projective coordinates can also be used by the sending correspondent and the receiving correspondent to embed extra message data bits in the projective coordinate, wherein the addition of the corresponding elliptic points is defined in (nx+ny+3) dimensional space where there are (nx+1) x-coordinates, (ny+1) y-coordinates and one projective coordinate.

The equations for the addition rule can be obtained by using the elliptic polynomial equation with (nx+1) x-coordinates and (nx+1) y-coordinates in projective coordinates and substituting a straight line equation to obtain a cubic equation in terms of one of the x-coordinates.

This cubic equation can be used to identify the third point of intersection between a straight line and the elliptic polynomial in (nx+ny+3) dimensions given two other intersection points. This third point of intersection is used to identify the sum of the given two points.

For the present method, the ECDLP in EC^{3 }can be stated as follows: given a point (X_{P},Y_{P},Z_{P})εEC^{3 }and a point (X_{Q},Y_{Q},Z_{Q})εEC^{3 }defined in projective coordinates, find k such that (X_{Q},Y_{Q},Z_{Q})=k(X_{p},Y_{p},Z_{p}). In EC^{3}, the modified Pollard p-method can be formulated as follows. Find two points:

(*X*_{i}*,Y*_{i}*Z*_{i})=*A*_{i}(*X*_{Q}*,Y*_{Q}*,Z*_{Q})+*B*_{i}*k*(*X*_{P}*,Y*_{P}*,Z*_{P}) and

(*X*_{j}*,Y*_{j}*,Z*_{j})=*A*_{j}(*X*_{Q}*,Y*_{Q}*,Z*_{Q})+*B*_{j}*k*(*X*_{P}*,Y*_{P}*,Z*_{P})

such that (X_{i},Y_{i},Z_{i})=(X_{j},Y_{j},Z_{j}), and hence

and given that all the points are members of EC^{3}.

It is clear that the complexity of the Pollard ρ-method in EC^{3 }is not less than the complexity of the Pollard ρ-method in EC^{2 }for the same group order. It should also be noted that since EC^{3 }encryption and EC^{2 }encryption are generated by the same elliptic curve, all the analysis of the security of EC^{2 }cryptography will be applicable to the analysis of the security of EC^{3 }cryptography. Moreover, the introduction of the isomorphic transformation indexed by the three transformation indices has an effect of hiding the original curve on which data has been originally ciphered, which makes cryptanalysis even harder.

The third projection described above can be used to enhance the more general elliptic polynomial cryptography, provided that the first projection has been applied to the polynomial. An alternative form of the elliptic polynomial equation with more than one x-coordinate and one or more y-coordinates is used, with the equation following these conditions: some of the variables (i.e., the y-coordinates) have a maximum degree of two; other variables (i.e., the x-coordinates) have a maximum degree of three; a monomial cannot contain an x-coordinate variable and a y-coordinate variable; all monomials that contain x-coordinates must have a degree of three or less; and all monomials that contain y-coordinates must have a degree of two.

Letting S_{nx }represent the set of numbers between 0 and n in x (i.e., S_{nx}{0, . . . , nx}) and letting S_{ny }represent the set of numbers between 0 and n in y (i.e., S_{ny}={0, . . . , ny}), and letting (nx+ny) be greater than or equal to one, then, given a finite field F, the following equation defined over F is one example of the polynomial equation described above:

where a_{1l},a_{2kl},b_{1l}, b_{2lk},b_{3lkm}, b_{4lk},b_{5l},b_{6}εF.

By applying the first projection, given by

for all i, equation (76) becomes:

Then, the following substitutions can be applied: Ŷ_{i}=Y_{i}E_{s}^{3/2}; {circumflex over (X)}_{i}=X_{i}E_{s}; {circumflex over (Z)}=ZE_{m};{circumflex over (b)}_{4lk}E_{c};{circumflex over (b)}_{5l}=b_{5l}E_{c}^{2};{circumflex over (b)}_{6l}E_{c}^{3}, for all i, l, k, and m, while a_{1l},a_{2kl}b_{1l},b_{2lk},b_{3lkm }remain unchanged. The resulting equation is as follows:

which is isomorphic to the polynomial described above. Thus, any point on one of these curves can be transformed to an isomorphic point on another curve. Symmetric key cryptography, public key cryptography and digital signatures can then be applied in the same manner described above.

It should be understood that the calculations may be performed by any suitable computer system, such as that diagrammatically shown in the sole drawing Figure. Data is entered into system **100** via any suitable type of user interface **116**, and may be stored in memory **112**, which may be any suitable type of computer readable and programmable memory. Calculations are performed by processor **114**, which may be any suitable type of computer processor and may be displayed to the user on display **118**, which may be any suitable type of computer display.

Processor **114** may be associated with, or incorporated into, any suitable type of computing device, for example, a personal computer or a programmable logic controller. The display **118**, the processor **114**, the memory **112** and any associated computer readable recording media are in communication with one another by any suitable type of data bus, as is well known in the art.

Examples of computer-readable recording media include a magnetic recording apparatus, an optical disk, a magneto-optical disk, and/or a semiconductor memory (for example, RAM, ROM, etc.). Examples of magnetic recording apparatus that may be used in addition to memory **112**, or in place of memory **112**, include a hard disk device (HDD), a flexible disk (FD), and a magnetic tape (MT). Examples of the optical disk include a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc-Read Only Memory), and a CD-R (Recordable)/RW.

It is to be understood that the present invention is not limited to the embodiments described above, but encompasses any and all embodiments within the scope of the following claims.