Theorizing STEM Education in the 21st Century

On the points of the elliptic curve, we may define point addition, negation, and doubling. We define point negation as follows: let E be an elliptic curve over Fp and point P(x,y) be a point on E. We define point negation of P as –P(x, −y). Let P(x<sub>1</sub>,y<sub>1</sub>) and Q(x<sub>2</sub>,y<sub>2</sub>) be two distinct points on E. Then the point addition is P+Q(x<sub>3</sub>,y<sub>3</sub>), where

$$x_3 = \lambda^2 - A - x_1 - x_2, \quad y_3 = \lambda(x_1 - x_3) - y_1 \quad \text{and} \quad \lambda = (y_2 - y_1)/(x_2 - x_1).$$

If P = Q, then the doubling point P + P is 2P(x<sub>4</sub>,y<sub>4</sub>), where

$$x_4 = \lambda^2 - A - 2x_1, \quad y_4 = \lambda(x_1 - x_4) - y_1 \quad \text{and} \quad \lambda = (3x_1^2 + 2Ax_1 + 1)/(2By_1). \tag{2}$$

The points on the elliptic curve along with point at infinity O form a commutative group with point addition as its operation.

We define scalar point multiplication as follows: given a positive integer m, scalar point mP is defined by mP = P+P+...+P (m times addition of P).

The advantage of using Montgomery form rather than Weierstrass form is that in Montgomery form, it is possible to operate without y-coordinates.

Elliptic curve operation in Montgomery form without y-coordinates can be done as follows [6]: let (X:Y:Z) be the projective representation of point P(x,y) in E, define nP = (X<sub>n</sub>:Y<sub>n</sub>:Z<sub>n</sub>), and write (x,y) as (X/Z,Y/Z). It is clear that (m+n)P = mP+nP. If P<sub>m</sub>(x<sub>1</sub>,y<sub>1</sub>) = mP and P<sub>n</sub>(x<sub>2</sub>,y<sub>2</sub>) = nP, x<sub>1</sub> = X<sub>m</sub>/Z<sub>m</sub> and x<sub>2</sub> = X<sub>n</sub>/Z<sub>n</sub>, then point addition is P<sub>m</sub>+P<sub>n</sub>(x<sub>3</sub>,y<sub>3</sub>) = (m+n)P, where x<sub>3</sub> = X<sub>m+n</sub>/Z<sub>m+n</sub> and

$$X_{m+n} = \left[(X_m - Z_m)(X_n + Z_n) + (X_m + Z_m)(X_n - Z_n)\right]^2 \tag{3}$$

$$Z_{m+n} = \left[(X_m - Z_m)(X_n + Z_n) - (X_m + Z_m)(X_n - Z_n)\right]^2 \tag{4}$$

Point doubling is 2P<sub>n</sub>(x<sub>4</sub>,y<sub>4</sub>) = 2nP = P<sub>2n</sub>, where x<sub>4</sub> = X<sub>2n</sub>/Z<sub>2n</sub> and

$$X_{2n} = (X_n + Z_n)^2 (X_n - Z_n)^2 \tag{5}$$

$$Z_{2n} = (4X_nZ_n)\left((X_n + Z_n)^2 + ((A - 2)/4)(4X_nZ_n)\right), \quad 4X_nZ_n = (X_n + Z_n)^2 - (X_n - Z_n)^2 \tag{6}$$

Based on the work by Okeya and Sakurai reported in [7], we can recover the y-coordinate in projective coordinates. Let P(x,y), P<sub>1</sub>(x<sub>1</sub>,y<sub>1</sub>), P<sub>2</sub>(x<sub>2</sub>,y<sub>2</sub>) be points on a Montgomery-form elliptic curve. Express P<sub>1</sub> = (X<sub>1</sub>/Z<sub>1</sub>,Y<sub>1</sub>/Z<sub>1</sub>), P<sub>2</sub> = (X<sub>2</sub>/Z<sub>2</sub>,Y<sub>2</sub>/Z<sub>2</sub>), and define $X_1^{rec}$, $Y_1^{rec}$, $Z_1^{rec}$ as follows:

$$X_1^{rec} = 2ByZ_1Z_2X_1 \tag{7}$$

$$Y_1^{rec} = Z_2\left[(X_1 + xZ_1 + 2AZ_1)(X_1x + Z_1) - 2AZ_1^2\right] - (X_1 - xZ_1)^2 X_2 \tag{8}$$

$$Z_1^{rec} = 2ByZ_1Z_2Z_1 \tag{9}$$

Assuming P<sub>2</sub> = P<sub>1</sub>+P, then in projective coordinates the relation $(X_1^{rec} : Y_1^{rec} : Z_1^{rec}) = (X_1 : Y_1 : Z_1)$ holds.

### 3. Curve25519 and simplified ECIES

Curve25519 is the elliptic curve of Montgomery form

$$y^2 = x^3 + 486662x^2 + x \tag{10}$$

on $F_{p^2}$, where p is the prime number 2<sup>255</sup>−19. Based on Bernstein's paper [1], there are two subgroups of Curve25519 with large-size order, i.e., {O} ∪ {E

### 4. Implementation

In this section, we will give several algorithms in Curve25519 for implementation in S-ECIES, i.e., Montgomery ladder, point compression, point decompression, and others.

An advantage of using an elliptic curve in Montgomery form is that Montgomery ladder can be used for scalar point multiplication.

Algorithm 1. Montgomery Ladder. INPUT: scalar n, point P. OUTPUT: nP

```
1.  R0 ← O
2.  R1 ← P
3.  for i ← m down to 0
4.    if di = 0
5.      R1 ← R0+R1 (Point Addition)
6.      R0 ← 2R0 (Point Doubling)
7.    else
8.      R0 ← R0+R1 (Point Addition)
9.      R1 ← 2R1 (Point Doubling)
10.   end if
11. end for
12. return(R0)
```

Now, we can talk about point compression and point decompression in Curve25519. The algorithm for point compression follows directly from the existence of two points with the same x-coordinate on an elliptic curve, but with a different y-coordinate, i.e., point (x,y) and point (x,-y), which is equal to point (x,p-y). Because p is an odd prime, if y is an odd number, then p-y is an even number and vice versa. Hence, we can compress point (x,y) by (x, y mod 2), of which the possible result is (x,0) or (x,1).


Implementation of Elliptic Curve25519 in Cryptography

DOI: http://dx.doi.org/10.5772/intechopen.88614

Remember that in Curve25519 the y-coordinate is also defined when y is not a quadratic residue, giving a point of the form (x,y√2). By the same argument, if (x,y√2) is on E, then (x,(p-y)√2) is also on E. However, before we can compress a point of the form (x,y√2), we have to divide the y-coordinate by √2 to avoid problems in real computation. Then, the possible result when we compress the point of the form (x,y√2) is also (x,0) or (x,1).

Algorithm 2. Point Compression. INPUT: Point(x,y). OUTPUT: Point(x,i)

```
1. if y quadratic residue modulo p then
2.   i ← y mod 2
3.   return (x,i)
4. else
5.   y ← y/√2
6.   i ← y mod 2
7.   return (x,i)
8. end if
```

The inverse algorithm for point compression is point decompression, i.e., recalling the "real" y-coordinate from point compression.

Algorithm 3. Point Decompression. INPUT: Point (x,i). OUTPUT: Point (x,y)

```
1.  z ← x^3 + 486662x^2 + x
2.  if z quadratic residue modulo p then
3.    y ← √z mod p
4.    if y = i mod 2 then
5.      return (x,y)
6.    else
7.      return (x,p-y)
8.    end
9.  else
10.   z ← z/2 mod p
11.   y ← √z mod p
12.   if y = i mod 2 then
13.     return (x,y√2)
14.   else
15.     return (x,(p-y)√2)
16.   end
17. end
```
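Algorithms 2 and 3 as an added Python example (not the chapter's code). It assumes a point of the form (x,y√2) is represented as the triple (x, y, on_twist=True); the function names and the input checks are this example's own.

```python
P = 2**255 - 19
A = 486662
SQRT_M1 = pow(2, (P - 1) // 4, P)      # a square root of -1: 2 is a non-residue mod p

def is_qr(z):
    """Euler's criterion: True if z is zero or a quadratic residue modulo p."""
    return pow(z, (P - 1) // 2, P) in (0, 1)

def sqrt_mod_p(z):
    """Square root modulo p for p = 5 (mod 8); z must be a quadratic residue."""
    r = pow(z, (P + 3) // 8, P)
    if r * r % P != z % P:
        r = r * SQRT_M1 % P
    if r * r % P != z % P:
        raise ValueError("not a quadratic residue")
    return r

def decompress(x, i):
    """Algorithm 3. Returns (x, y, on_twist); on_twist=True stands for (x, y*sqrt(2))."""
    if not (0 <= x < P and i in (0, 1)):
        raise ValueError("x must be reduced modulo p and i must be 0 or 1")
    z = (x**3 + A * x * x + x) % P
    on_twist = not is_qr(z)
    if on_twist:
        z = z * pow(2, -1, P) % P      # step 10: z <- z/2 mod p, now a residue
    y = sqrt_mod_p(z)
    if y % 2 != i:
        y = (P - y) % P                # the other root has the opposite parity
    if y % 2 != i:
        raise ValueError("no point with that parity (y = 0)")
    return x, y, on_twist

def compress(point):
    """Algorithm 2. The stored y is already divided by sqrt(2) when on_twist is set."""
    x, y, _on_twist = point
    return x, y % 2

def satisfies_curve(point):
    """Check y^2 (or (y*sqrt(2))^2 = 2y^2) against x^3 + 486662x^2 + x."""
    x, y, on_twist = point
    lhs = (2 if on_twist else 1) * y * y % P
    return lhs == (x**3 + A * x * x + x) % P
```

Rejecting unreduced x and parity bits other than 0 or 1 keeps two different encodings from decoding to the same point.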


The next algorithms are used to recover the y-coordinate in elliptic curve Montgomery form, because we need it in ECIES.

Now we can give the algorithms for encryption and decryption. For a point generator P in Curve25519 that has a prime order n, if Alice sends message x to Bob with private key m so Q = mP, then Alice encrypts the message with the following algorithm:

Algorithm 4. Encryption in Simplified ECIES. INPUT: Plaintext a. OUTPUT: Ciphertext (V(x1,y1),c)

```
1. k ← random([1,n-1])
2. R(x1,z1) ← (k-1)P
3. Q(x2,z2) ← R(x1,y1)+P
4. R(y1) ← Recovery-Y(P,R(x1,z1),Q(x2,z2))
5. U(x3,y3) ← R+P
6. V(x3,y3) ← Point-Compression(U(x3,y3))
7. V(x4,y4) ← kQ
8. y ← x0.a
9. return(V(x3,y3),y)
```

Note that in the above algorithm in line 4, there is the command "Recovery-Y." This command is based on Okeya and Sakurai [7].
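Algorithm 1 and the encryption of Algorithm 4, with the inverse step Bob applies, as an added Python example (not the chapter's code). It assumes the standard differential-addition form that carries the difference point's coordinates, sends only the x-coordinate of kP so that no y-recovery or parity bit is needed, and samples scalars below 2^252; the function names are this example's own.

```python
import secrets

P = 2**255 - 19                      # field prime
A = 486662                           # curve coefficient
A24 = (A - 2) * pow(4, -1, P) % P    # the (A - 2)/4 factor of the Z_2n formula
BASE_X = 9                           # x-coordinate of the base point
SCALAR_BOUND = 2**252                # assumption: scalars are sampled below 2^252

def double(pt):
    """x-only doubling: X_2n = (X+Z)^2 (X-Z)^2, Z_2n = 4XZ((X+Z)^2 + ((A-2)/4) 4XZ)."""
    X, Z = pt
    s, d = (X + Z) ** 2 % P, (X - Z) ** 2 % P
    t = (s - d) % P                  # 4XZ
    return s * d % P, t * (s + A24 * t) % P

def diff_add(pm, pn, diff):
    """x-only addition of pm and pn when their difference point diff is known."""
    (Xm, Zm), (Xn, Zn), (Xd, Zd) = pm, pn, diff
    u = (Xm - Zm) * (Xn + Zn) % P
    v = (Xm + Zm) * (Xn - Zn) % P
    return Zd * (u + v) ** 2 % P, Xd * (u - v) ** 2 % P

def ladder(n, x):
    """Algorithm 1 on x-coordinates: x-coordinate of nP, or None for O."""
    base = (x % P, 1)
    r0, r1 = (1, 0), base            # R0 = O, R1 = P; R1 - R0 = P throughout
    # Branches on scalar bits as Algorithm 1 does; production code replaces
    # the branch with a constant-time conditional swap.
    for i in reversed(range(n.bit_length())):
        if (n >> i) & 1 == 0:
            r1, r0 = diff_add(r0, r1, base), double(r0)
        else:
            r0, r1 = diff_add(r0, r1, base), double(r1)
    X, Z = r0
    return None if Z == 0 else X * pow(Z, -1, P) % P

def keygen():
    """Bob's key pair: private scalar m and the x-coordinate of Q = mP."""
    m = secrets.randbelow(SCALAR_BOUND - 1) + 1
    return m, ladder(m, BASE_X)

def encrypt(a, q_x):
    """Returns (x-coordinate of kP, x0 * a mod p), x0 being the x-coordinate of kQ."""
    if not 0 < a < P:
        raise ValueError("plaintext must be a non-zero element of Fp")
    k = secrets.randbelow(SCALAR_BOUND - 1) + 1
    return ladder(k, BASE_X), ladder(k, q_x) * a % P

def decrypt(ciphertext, m):
    """Recompute x0 from m(kP) and multiply the second component by its inverse."""
    v_x, c = ciphertext
    return c * pow(ladder(m, v_x), -1, P) % P
```

The multiplicative mask provides confidentiality only; full ECIES derives a symmetric key from the shared x-coordinate and adds a MAC for integrity.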

If Bob wants to read the actual message from Alice, then Bob decrypts Alice's message using the following algorithm:

Algorithm 5. Decryption in Simplified ECIES. INPUT: Ciphertext(y1,y2). OUTPUT: Plaintext a

```
1. (x0,y0) ← m·Point-Decompress(y1)
2. a ← x0^(-1)
3. b ← y2a
4. return b
```

Since this elliptic curve contains a cyclic subgroup of prime order, it is possible to apply S-ECIES. For example, fix base point P(X:Y:Z) with X = 9, Z = 1 (because in Curve25519, z1 always has a value of 1), and the y-coordinate can be chosen randomly between odd and even integers that satisfy y<sup>2</sup> = x<sup>3</sup> + 486662x<sup>2</sup> + x. The chosen base point P has prime point order, with point order m = 2<sup>252</sup> + 2774231 777737235353585 937790883648493. Hence, the curve can be implemented in S-ECIES.

Then, we choose a random integer, k, between 1 and m-1. Then, scalar multiplication of k with point x=9 by using the Montgomery ladder algorithm produces kP(Xk::Zk), and by using a y-coordinate recovery algorithm we can get kP(Xk:Yk:Zk). After that, we convert the projective coordinates to affine coordinates to get kP(Xk/Zk,Yk/Zk), and we use Point-Compress(kP). Then the y-coordinate of ciphertext is the multiplication of plaintext x with x3, where we get x3 from kQ = (x3,y3). Since we only use the x-coordinate of kQ, we can use Montgomery ladder with scalar k and point Q = nP.

For decryption, we first decompress V(x1,y1) and then use private key n to get scalar multiplication nV, using only the Montgomery ladder algorithm. The last step is multiplying the y-coordinate of ciphertext with the inverse of the x-coordinate of nV to get the plaintext x. This inverse exists, because we are working in a prime field and the x-coordinate of V is not zero.

Now, we discuss arithmetic in Fp with p = 2<sup>255</sup>–19. There are two operations in Fp, addition and multiplication. However, in Fp with p = 2<sup>255</sup>–19, it is not that easy. Bernstein [1] used radix 2<sup>25.5</sup>, which is a polynomial of the form Σα<sub>i</sub>x<sup>i</sup>, where i is a number between 0 and 9, α<sub>i</sub> is a multiple of 2<sup>⌈25.5i⌉</sup> (where ⌈x⌉ is the smallest integer that is larger than x), and α<sub>i</sub>/2<sup>⌈25.5i⌉</sup> is an integer between −2<sup>25</sup> and 2<sup>25</sup>. With the restriction that if i is an odd number then α<sub>i</sub>/2<sup>⌈25.5i⌉</sup> is between −2<sup>24</sup> and 2<sup>24</sup>, while if i is an even number then α<sub>i</sub>/2<sup>⌈25.5i⌉</sup> is between −2<sup>25</sup> and 2<sup>25</sup>, every element in Fp with p = 2<sup>255</sup>–19 can be converted to radix polynomial form. The following algorithm converts integers to radix 2<sup>25.5</sup>:

Algorithm 6. Integers to radix 2<sup>25.5</sup>. INPUT: n. OUTPUT: R(x)

```
1.  d ← BINARY(n)
2.  p ← LENGTH(d)
3.  a ← 0
4.  while p > 26 do
5.    if a = 0 mod 2 then
6.      p ← p-26
7.      ka ← 26
8.    else
9.      p ← p-25
10.     ka ← 25
11.   end
12.   a ← a+1
13. end
14. sum ← ZEROS(1,a)
15. ka ← p-1
16. for i ← 1 to p do
17.   if d(i)=1 then
18.     sum(a) ← sum(a)+2^ka
19.   end
20. end
21. for i ← a-1 downto 0 do
22.   l ← ki-1
23.   for j ← p+1 to p+ki do
24.     if d(j)=1 then
25.       sum(i) ← sum(i)+2^l
26.     end
27.     l ← l-1
28.   end
29.   p ← p+ki
30. end
31. g(x) ← (sum(0)+...+sum(a)x^a)
32. Return g(x)
```


From the above algorithm, first convert the integer to its binary representation, and then partition it from the right into blocks of 26,25,26,25,...,k bits, with 0 ≤ k ≤ 25. For example, if the binary representation of an integer has length 231, then the partition from the right is 26,25,26,25,26,25,26,25,26,1. Every partition states the value of the sum of d(i)2<sup>i−1</sup>, where d(i) is the i-th digit of the binary representation, which is either 0 or 1. Also, the j-th partition is the coefficient of x<sup>j−1</sup>.
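The partitioning just described, together with coefficient-wise addition, as an added Python example (not the chapter's code). It assumes the result is always padded to ten coefficients, and its carry step is one common way to bring oversized coefficients back into range rather than a procedure taken from the chapter; the function names are this example's own.

```python
P = 2**255 - 19
WIDTH = [26, 25] * 5                          # bit widths of the ten partitions, from the right
OFFSET = [sum(WIDTH[:i]) for i in range(10)]  # 0, 26, 51, 77, ... = ceil(25.5 * i)

def to_limbs(n):
    """Coefficient i is the i-th partition (from the right) of n's binary form."""
    if not 0 <= n < 2**255:
        raise ValueError("n must fit in 255 bits")
    return [(n >> off) & ((1 << w) - 1) for off, w in zip(OFFSET, WIDTH)]

def from_limbs(limbs):
    """Evaluate the radix polynomial back to an integer."""
    return sum(v << off for v, off in zip(limbs, OFFSET))

def add(f, g):
    """Coefficient-wise addition; results may exceed the partition widths."""
    return [a + b for a, b in zip(f, g)]

def carry(limbs):
    """Propagate overflow upward until every coefficient fits its partition.

    Overflow out of the top coefficient wraps to the bottom multiplied by 19,
    because 2^255 = 19 (mod p).
    """
    out = list(limbs)
    while any(not 0 <= v < (1 << w) for v, w in zip(out, WIDTH)):
        for i, w in enumerate(WIDTH):
            c = out[i] >> w
            out[i] -= c << w
            if i < 9:
                out[i + 1] += c
            else:
                out[0] += 19 * c
    return out

# The sample value is the one the chapter works through in its own example.
SAMPLE = to_limbs(325606250916557)
```

`from_limbs(carry(...))` agrees with the integer sum only modulo p, since the wrap by 19 already performs part of the reduction.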

Example: Suppose we have a 15-digit number, 325606250916557, which has binary representation "1001010000010001100 01110 01110 11000 01010 10110 01101." For integers, 325606250916557 has two partitions, i.e., 00111011000010101011001101 and 10010100000100011000111. Therefore, the coefficient of x<sup>0</sup> is 0·2<sup>25</sup> + 0·2<sup>24</sup> + 1·2<sup>23</sup> + ... + 0·2<sup>1</sup> + 1·2<sup>0</sup>, which if we calculated would be the value 15477453. In the same way, the coefficient of x<sup>1</sup> would be the value 4851911. Thus, the number 325606250916557 represented by radix 2<sup>25.5</sup> would be 4851911x + 15477453. Also, we can use addition and multiplication in radix 2<sup>25.5</sup>.

After we have converted any integer, there is an additional problem when the coefficient of radix 2<sup>25.5</sup> exceeds our definition. For this problem, Bernstein [1] has already provided a solution.

### 5. Applications

Communication systems in the future are expected to interact between diverse types of devices. This allows the user to construct a personal distributed environment using a combination of different communication technologies. The security of transmitted data between these devices is a very important aspect.

Nowadays instant messaging is popular for personal and business communications instead of short messages (SMS) on mobile devices. However, most mobile messaging applications do not protect confidentiality or message integrity. Surveillance of private communications conducted by the NSA motivates many people to use alternative messaging solutions for security and privacy of communication on the Internet. A messaging app that claims to provide secure instant messaging and has attracted a lot of attention is TextSecure.

Elliptic curve cryptosystem (ECC) is a public-key cryptography suitable for use in environments with limited resources such as mobile devices and smart cards. In cryptography, Curve25519 is an elliptic curve that offers 128 bits of security and is designed for use in the Elliptic Curve Diffie-Hellman (ECDH) key agreement scheme. This curve is one of the fastest ECC curves and is more resistant to weak random number generators.

In the TextSecure application, Curve25519 is used for key exchanges and authentication. However, in this paper we show that Curve25519 can also be implemented in simplified Elliptic Curve Integrated Encryption Scheme (S-ECIES). Therefore Curve25519 serves for key exchange, authentication, encryption, and decryption. As Curve25519 is built in such a way as to avoid potential attacks on implementation and avoid side channel attacks and random number generator issues, one may expect more secure communication systems.

### 6. Conclusion

The curve being used in this paper is y<sup>2</sup> = x<sup>3</sup> + 486662x<sup>2</sup> + x, a Montgomery curve, over the prime field 2<sup>255</sup>–19. This protocol uses elliptic point compression (only the X-abscissa), allowing for efficient use of Montgomery ladder for ECDH, which uses only XZ coordinates.

In this research we develop efficient algorithms for elliptic curve cryptography using Curve25519 which is implemented in security of instant messaging.

Several algorithms have been established for the implementation of Curve25519 in simplified ECIES: Montgomery ladder for scalar point multiplication, point compression and point decompression, encryption and decryption in simplified ECIES, and the algorithm integer to radix for the arithmetic in Fp with p = 2<sup>255</sup>–19.

In a future research, implementation of Curve25519 in Elliptic Curve Digital Signature Algorithm may be attempted.

### Acknowledgements

This research is funded by Hibah Riset KK ITB 2017.

### Author details

Intan Muchtadi-Alamsyah\* and Yanuar Bhakti Wira Tama

Algebra Research Group, Faculty of Mathematics and Natural Sciences, Institut Teknologi Bandung, Indonesia

\*Address all correspondence to: ntan@math.itb.ac.id

© 2019 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
