#### 1. Introduction

Curve25519 is an elliptic curve in Montgomery form over the base field $F_p$ with $p = 2^{255} - 19$. In [1], Bernstein explains its design and implementation, which is claimed to be highly secure and efficient. It is, for example, used in the key exchange scheme of TextSecure for Instant Messaging [2]. The advantage of using this curve is that for some point operations, we can use only the x-coordinate, which simplifies the computations and also saves storage.

In previous papers we have presented implementations of elliptic curves in Weierstrass form in a binary field: the implementation of a binary field arithmetic operation algorithm [3, 4] and the implementation of the simplified Elliptic Curve Integrated Encryption Scheme (S-ECIES) in a binary field [5]. In the current paper, we present the implementation of Curve25519 in S-ECIES, thus showing that Curve25519 can also serve other purposes than key exchange.

#### 2. Elliptic curve Montgomery form

Before defining Curve25519, we will give some basic theory on elliptic curves. This paper is only concerned with elliptic curves in Montgomery form, not Weierstrass form. An elliptic curve over $F_p$ in Montgomery form is defined by the equation

$$By^2 = x^3 + Ax^2 + x, \tag{1}$$

where $A(B^2 - 4) \neq 0$.

On the points of the elliptic curve, we may define point addition, negation, and doubling. We define point negation as follows: let E be an elliptic curve over $F_p$ and let P(x, y) be a point on E. We define the negation of P as $-P = (x, -y)$. Let $P(x_1, y_1)$ and $Q(x_2, y_2)$ be two distinct points on E. Then the point addition is $P + Q = (x_3, y_3)$, where

$x_3 = \lambda^2 - A - x_1 - x_2$, $y_3 = \lambda(x_1 - x_3) - y_1$ and $\lambda = (y_2 - y_1)/(x_2 - x_1)$. If P = Q, then the doubling point P + P is $2P = (x_4, y_4)$, where

$$x_4 = \lambda^2 - A - 2x_1, \quad y_4 = \lambda(x_1 - x_4) - y_1 \tag{2}$$

and $\lambda = (3x_1^2 + 2Ax_1 + 1)/(2By_1)$.

The points on the elliptic curve along with the point at infinity O form a commutative group with point addition as its operation.

We define scalar point multiplication as follows: given a positive integer m, the scalar multiple mP is defined by mP = P + P + ... + P (m times addition of P).

The advantage of using Montgomery form rather than Weierstrass form is that in Montgomery form, it is possible to operate without y-coordinates.

Elliptic curve operation in Montgomery form without y-coordinates can be done as follows [6]: let (X:Y:Z) be the projective representation of point P(x, y) in E, define $nP = (X_n : Y_n : Z_n)$, and write (x, y) as (X/Z, Y/Z). It is clear that (m+n)P = mP + nP. If $P_m(x_1, y_1) = mP$ and $P_n(x_2, y_2) = nP$, with $x_1 = X_m/Z_m$ and $x_2 = X_n/Z_n$, then point addition is $P_m + P_n = (x_3, y_3) = (m+n)P$, where $x_3 = X_{m+n}/Z_{m+n}$ and

$$X_{m+n} = \left[ (X_m - Z_m)(X_n + Z_n) + (X_m + Z_m)(X_n - Z_n) \right]^2 \tag{3}$$

$$Z_{m+n} = \left[ (X_m - Z_m)(X_n + Z_n) - (X_m + Z_m)(X_n - Z_n) \right]^2 \tag{4}$$

Point doubling is $2P_n = (x_4, y_4) = 2nP = P_{2n}$, where $x_4 = X_{2n}/Z_{2n}$ and

$$X_{2n} = (X_n + Z_n)^2 (X_n - Z_n)^2 \tag{5}$$

$$Z_{2n} = (4X_nZ_n)\left[ (X_n + Z_n)^2 + \frac{A - 2}{4}(4X_nZ_n) \right], \quad 4X_nZ_n = (X_n + Z_n)^2 - (X_n - Z_n)^2 \tag{6}$$

Based on the work by Okeya and Sakurai reported in [7], we can recover the y-coordinate in projective coordinates. Let $P(x, y)$, $P_1(x_1, y_1)$, $P_2(x_2, y_2)$ be points on a Montgomery-form elliptic curve. Express $P_1 = (X_1/Z_1, Y_1/Z_1)$, $P_2 = (X_2/Z_2, Y_2/Z_2)$, and define $X_1^{\rm rec}$, $Y_1^{\rm rec}$, $Z_1^{\rm rec}$ as follows:

$$X_1^{\rm rec} = 2ByZ_1Z_2X_1 \tag{7}$$

$$Y_1^{\rm rec} = Z_2 \left[ (X_1 + xZ_1 + 2AZ_1)(X_1x + Z_1) - 2AZ_1^2 \right] - (X_1 - xZ_1)^2 X_2 \tag{8}$$

$$Z_1^{\rm rec} = 2ByZ_1Z_2Z_1 \tag{9}$$

Assuming $P_2 = P_1 + P$, then in projective coordinates the relation $(X_1^{\rm rec} : Y_1^{\rm rec} : Z_1^{\rm rec}) = (X_1 : Y_1 : Z_1)$ holds.

#### 3. Curve25519 and simplified ECIES

Curve25519 is the elliptic curve of Montgomery form

$$y^2 = x^3 + 486662x^2 + x \tag{10}$$

on $F_{p^2}$, where p is the prime number $2^{255} - 19$. Based on Bernstein's paper [1], there are two subgroups of Curve25519 of large order, i.e., $\{O\} \cup \{E(F_{p^2}) \cap (F_p \times F_p)\}$ of order $8 \times (2^{252} + 27742317777372353535851937790883648493)$ and $\{O\} \cup \{E(F_{p^2}) \cap (F_p \times \sqrt{2}F_p)\}$ of order $4 \times (2^{253} - 55484635554744707071703875581767296995)$.

Implementation of Elliptic Curve25519 in Cryptography DOI: http://dx.doi.org/10.5772/intechopen.88614

S-ECIES is based on the elliptic curve discrete logarithm problem described as follows [8]: let p be a prime number larger than 3. Let E be an elliptic curve over $F_p$ such that E contains a cyclic subgroup H, generated by P, of prime order m. The plaintext space is $F_p^*$ and the ciphertext space is $(F_p \times F_2) \times F_p^*$. The key space is L = {(E, P, Q, n, m): Q = nP}. Curve E and points P, Q, and m become public keys, and n becomes the private key.

For every $a \in F_p^*$ and a secret number $k \in [1, n - 1]$, the encryption function is

$$e(a, k) = (\text{Point-Compress}(kP),\ a \cdot a_0 \bmod p) \in (F_p \times F_2) \times F_p^*, \tag{11}$$

where $a_0 \neq 0$ is the abscissa of kQ.

For every $(V, c) \in (F_p \times F_2) \times F_p^*$, the decryption function is

$$d(V, c) = c(x_0)^{-1}, \tag{12}$$

where $(x_0, y_0)$ is the coordinate of Point-Decompress(V).

We know that the groups $\{O\} \cup \{E(F_{p^2}) \cap (F_p \times F_p)\}$ and $\{O\} \cup \{E(F_{p^2}) \cap (F_p \times \sqrt{2}F_p)\}$ are finite with group sizes $8 \times p_1$ and $4 \times p_2$, respectively, for some primes $p_1$ and $p_2$. Hence, E contains a subgroup with prime order; therefore, Curve25519 can be implemented in ECIES.

#### 4. Implementation

In this section, we will give several algorithms in Curve25519 for implementation in S-ECIES, i.e., Montgomery ladder, point compression, point decompression, and others.

An advantage of using an elliptic curve in Montgomery form is that the Montgomery ladder can be used for scalar point multiplication.

Algorithm 1 Montgomery Ladder.

INPUT: scalar n, point P

OUTPUT: nP

1. R0 ← O

2. R1 ← P

3. for i ← m down to 0

4. if d_i = 0

5. R1 ← R0 + R1 (Point Addition)

6. R0 ← 2R0 (Point Doubling)

7. else

8. R0 ← R0 + R1 (Point Addition)

9. R1 ← 2R1 (Point Doubling)
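The following Python sketch is an added example, not code from the chapter: it implements equations (3)-(6) and Algorithm 1 as an x-only ladder, then runs an S-ECIES round trip per (11)-(12) that transmits only the abscissa of kP. Assumptions: A = 486662 and the generator abscissa 9 are taken from [1]; `xadd` multiplies (3)-(4) by the coordinates of the known difference point P, which the equations do not show; decryption takes $x_0$ from nV so that it equals $a_0$; all function names and sample keys are constructed for illustration.

```python
# Added example: x-only Curve25519 arithmetic and an x-only S-ECIES round trip.
P = 2**255 - 19                       # field prime p
A = 486662                            # Montgomery coefficient (B = 1), from [1]
A24 = (A - 2) * pow(4, P - 2, P) % P  # (A - 2)/4 from equation (6)
ORDER = 2**252 + 27742317777372353535851937790883648493  # order of x = 9
BASE_X = 9                            # abscissa of the generator P (assumed)

def xdbl(X, Z):
    """Equations (5)-(6): x-only doubling of (X:Z)."""
    s, d = (X + Z) ** 2 % P, (X - Z) ** 2 % P
    t = (s - d) % P                   # 4XZ
    return s * d % P, t * (s + A24 * t) % P

def xadd(Xm, Zm, Xn, Zn, xd):
    """Equations (3)-(4), scaled by the known difference point (xd:1)."""
    u = (Xm - Zm) * (Xn + Zn) % P
    v = (Xm + Zm) * (Xn - Zn) % P
    return (u + v) ** 2 % P, xd * (u - v) ** 2 % P

def ladder(n, x):
    """Algorithm 1 on (X:Z) pairs: abscissa of nP, or 0 if nP = O."""
    R0, R1 = (1, 0), (x, 1)           # O and P; R1 - R0 = P throughout
    for i in reversed(range(n.bit_length())):
        if (n >> i) & 1 == 0:
            R1, R0 = xadd(*R0, *R1, x), xdbl(*R0)
        else:
            R0, R1 = xadd(*R0, *R1, x), xdbl(*R1)
    X, Z = R0
    return X * pow(Z, P - 2, P) % P   # x = X/Z (0 when Z = 0)

def encrypt(a, k, xQ):
    """Equation (11) without the F_2 bit: (x(kP), a * a0 mod p)."""
    a0 = ladder(k, xQ)                # abscissa of kQ
    if a0 == 0:
        raise ValueError("a0 must be non-zero; choose another k")
    return ladder(k, BASE_X), a * a0 % P

def decrypt(V, c, n):
    """Equation (12) with x0 = abscissa of nV, which equals a0."""
    return c * pow(ladder(n, V), P - 2, P) % P

# Constructed sample values, not real keys.
n = 0x1F3A5C7E9B2D4F60718293A4B5C6D7E8F9
xQ = ladder(n, BASE_X)                # public key abscissa, Q = nP
V, c = encrypt(424242, 0x2B7E151628AED2A6ABF7158809CF4F3C, xQ)
assert decrypt(V, c, n) == 424242
```

The `if` on each scalar bit follows Algorithm 1 literally and leaks the bit through timing; implementations that handle real private keys use a constant-time conditional swap instead.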
