Crypto 599 Class 8

The document discusses lattices and elliptic curves. It defines lattices and provides algorithms like LLL for finding shortest vectors in lattices. It describes how lattices can be used to attack RSA when certain conditions are met. It then introduces elliptic curves on rational points and provides definitions and theorems to describe the arithmetic of points on elliptic curves.


Cryptanalysis

Lecture 8: Lattices and Elliptic Curves

John Manferdelli
[email protected]

2004-2008, John L. Manferdelli.

This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.
jlm20090204
Lattices

Definition: Let $\langle v_1, \dots, v_k \rangle$ be linearly independent vectors in $K^n$. K is often the real numbers or the complex numbers. The lattice L is $L = \{v : v = a_1 v_1 + \dots + a_k v_k,\ a_i \in \mathbb{Z}\}$.

The volume of the parallelepiped formed by $\langle v_1, \dots, v_n \rangle$ is $|\det(v_1, \dots, v_n)|$.

Shortest vector problem: Given the lattice L, find a shortest non-zero $v \in L$; its length is written $\lambda$, so $\|v\| = \lambda$.
Reduced Basis

$\langle v_1, v_2 \rangle$ is reduced if

1. $\|v_2\| \ge \|v_1\|$; and
2. $-\tfrac{1}{2}\|v_1\|^2 \le (v_1, v_2) \le \tfrac{1}{2}\|v_1\|^2$.

[Figure: a reduced basis (left) and a basis that is not reduced (right); in the reduced case the projection of v2 onto v1 has length at most half of v1.]
Gauss again

Let $\langle v_1, v_2 \rangle$ be a basis for a two dimensional lattice L in $\mathbb{R}^2$. The following algorithm produces a reduced basis.

  for(;;) {
    if(||v1|| > ||v2||)
      swap v1 and v2;
    t = [(v1, v2)/(v1, v1)];   // [] is the closest-integer function
    if(t == 0)
      return;
    v2 = v2 - t v1;
  }

$\langle v_1, v_2 \rangle$ is now a reduced basis and $v_1$ is a shortest vector in the lattice.
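The loop above as runnable Python, an example added here rather than code from the lecture. It uses exact rational arithmetic for the rounding step and checks the slide's definition of a reduced basis. The input basis is constructed: the reduced basis (3,1), (-1,4) hidden behind a unimodular change of basis, so the expected answer is known.

```python
from fractions import Fraction


def dot(u, v):
    return u[0] * v[0] + u[1] * v[1]


def gauss_reduce(v1, v2):
    """Gauss/Lagrange reduction in dimension 2: returns a reduced basis (v1, v2)
    of the same lattice; v1 is then a shortest non-zero lattice vector."""
    v1, v2 = list(v1), list(v2)
    while True:
        if dot(v1, v1) > dot(v2, v2):
            v1, v2 = v2, v1                                 # keep the shorter vector first
        t = round(Fraction(dot(v1, v2), dot(v1, v1)))       # closest integer to (v1,v2)/(v1,v1)
        if t == 0:
            return v1, v2
        v2 = [v2[0] - t * v1[0], v2[1] - t * v1[1]]         # strip the integer part of the projection


def is_reduced(v1, v2):
    """The slide's definition: ||v2|| >= ||v1|| and -||v1||^2/2 <= (v1, v2) <= ||v1||^2/2."""
    return dot(v2, v2) >= dot(v1, v1) and 2 * abs(dot(v1, v2)) <= dot(v1, v1)


if __name__ == "__main__":
    # Constructed input: (13,13) = 5*(3,1) + 2*(-1,4), (18,19) = 7*(3,1) + 3*(-1,4); det 13 either way.
    v1, v2 = (13, 13), (18, 19)
    print(is_reduced(v1, v2))            # False
    r1, r2 = gauss_reduce(v1, v2)
    print(r1, r2, is_reduced(r1, r2))    # [3, 1] [-1, 4] True
```

The swap-then-reduce order matters: reducing first and swapping afterwards can leave a basis that satisfies the inner-product condition but not the length ordering.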
LLL

Definition: Let $B = \{b_1, \dots, b_n\}$ be a basis of a lattice L in $\mathbb{R}^n$. Gram-Schmidt: $\mu_{i,j} = (b_i, b_j^*)/(b_j^*, b_j^*)$ and $b_i^* = b_i - \sum_{j=1}^{i-1} \mu_{i,j} b_j^*$. B is (LLL-)reduced if

1. $|\mu_{i,j}| \le 1/2$ for $1 \le j < i \le n$ (size reduced); and
2. $\|b_i^*\|^2 \ge (3/4 - \mu_{i,i-1}^2)\,\|b_{i-1}^*\|^2$ for $1 < i \le n$ (the Lovász condition).

Note $b_1^* = b_1$.
LLL algorithm

  // Gram-Schmidt data: B_i = (b_i*, b_i*), mu_{i,j} = (b_i, b_j*)/B_j
  b1* = b1; B1 = (b1*, b1*); k = 2;
  for(i=2; i<=n; i++) {
    bi* = bi;
    for(j=1; j<i; j++) {
      mu_{i,j} = (bi, bj*)/Bj;
      bi* = bi* - mu_{i,j} bj*;
    }
    Bi = (bi*, bi*);
  }
  for(;;) {
    RED(k, k-1);
    if(Bk < (3/4 - mu_{k,k-1}^2) Bk-1) {           // Lovasz condition fails: swap b_k, b_{k-1}
      mu = mu_{k,k-1}; B = Bk + mu^2 Bk-1; mu_{k,k-1} = mu Bk-1/B;
      Bk = Bk-1 Bk/B; Bk-1 = B; swap(bk, bk-1);
      if(k > 2) for(j=1; j<=k-2; j++) swap(mu_{k,j}, mu_{k-1,j});
      for(i=k+1; i<=n; i++) {
        t = mu_{i,k}; mu_{i,k} = mu_{i,k-1} - mu t;
        mu_{i,k-1} = t + mu_{k,k-1} mu_{i,k};
      }
      k = max(2, k-1);
    } else {                                         // condition holds: finish size-reducing b_k, move on
      for(l=k-2; l>=1; l--) RED(k, l);
      k = k+1;
    }
    if(k > n) return (b1, ..., bn);
  }

  RED(k, l) {                      // size-reduce b_k against b_l
    if(|mu_{k,l}| > 1/2) {
      r = floor(1/2 + mu_{k,l});   // nearest integer to mu_{k,l}
      bk = bk - r bl;
      for(j=1; j<l; j++) mu_{k,j} = mu_{k,j} - r mu_{l,j};
      mu_{k,l} = mu_{k,l} - r;
    }
  }
LLL Theorem

Let L be the n-dimensional lattice generated by $\langle v_1, \dots, v_n \rangle$, let $D = |\det(v_1, \dots, v_n)|$, and let $\lambda$ be the length of the shortest non-zero vector in L. The LLL algorithm produces a reduced basis $\langle b_1, \dots, b_n \rangle$ of L with:

1. $\|b_1\| \le 2^{(n-1)/4} D^{1/n}$.
2. $\|b_1\| \le 2^{(n-1)/2} \lambda$.
3. $\|b_1\| \|b_2\| \cdots \|b_n\| \le 2^{n(n-1)/4} D$.

If $\|b_i\|^2 \le C$ for all i, the algorithm takes $O(n^4 \lg C)$ arithmetic operations.
Attack on RSA using LLL

The attack applies to messages of the form "M xxx" where only "xxx" varies (e.g. "The key is xxx") and xxx is small.
From now on, assume M(x) = B + x where B is fixed and |x| < Y.
Note that $E(M(x)) = c = (B+x)^3 \pmod n$, so
$f(x) = (B+x)^3 - c = x^3 + a_2 x^2 + a_1 x + a_0 \pmod n$.
We want to find x with $f(x) \equiv 0 \pmod n$; a solution m gives the corresponding plaintext B + m.
Attack on RSA using LLL

To apply LLL, let:
  $v_1 = (n, 0, 0, 0)$,
  $v_2 = (0, Yn, 0, 0)$,
  $v_3 = (0, 0, Y^2 n, 0)$,
  $v_4 = (a_0, a_1 Y, a_2 Y^2, a_3 Y^3)$, with $a_3 = 1$ since f is monic.
When we apply LLL, we get a vector $b_1$ with
  $\|b_1\| \le 2^{3/4} |\det(v_1, v_2, v_3, v_4)|^{1/4} = 2^{3/4} n^{3/4} Y^{3/2}$.   (Equation 1)
Let $b_1 = c_1 v_1 + \dots + c_4 v_4 = (e_0, Y e_1, Y^2 e_2, Y^3 e_3)$. Then:
  $e_0 = c_1 n + c_4 a_0$
  $e_1 = c_2 n + c_4 a_1$
  $e_2 = c_3 n + c_4 a_2$
  $e_3 = c_4$
Attack on RSA using LLL

Now set $g(x) = e_3 x^3 + e_2 x^2 + e_1 x + e_0$.
From the definition of the $e_i$, $g(x) \equiv c_4 f(x) \pmod n$, so if m is a root of f (mod n) then $g(m) \equiv c_4 f(m) \equiv 0 \pmod n$.
The trick is to regard g as a polynomial over the real numbers; its roots can then be found with a numerical solver.
For $|x| < Y$, $|g(x)| \le \sum_i |e_i| Y^i$, and by the Cauchy-Schwarz inequality (four coordinates) this is at most $2\|b_1\|$.
If $Y < 2^{-7/6} n^{1/6}$, Equation 1 gives $\|b_1\| < n/2$, so $|g(x)| < n$.
Thus $g(m) \equiv 0 \pmod n$ forces $g(m) = 0$ over the integers, and the real roots of g give at most 3 candidates for x.

Coppersmith extended this to small solutions of a monic polynomial $f(T) \equiv 0 \pmod n$ of degree d: all roots with $|x| < n^{1/d}$ can be found. The d+1-dimensional lattice above (rows $n, Yn, \dots, Y^{d-1}n$ and the coefficient vector of f) is the basic version; the full $n^{1/d}$ bound needs a larger lattice built from shifts and powers of f.
Example attack on RSA using LLL

p = 757285757575769, q = 2545724696579693.
n = 1927841055428697487157594258917.
B = 200805000114192305180009190000.
$c = (B + m)^3 \pmod n$, 0 ≤ m < 100.
$f(x) = (B+x)^3 - c = x^3 + a_2 x^2 + a_1 x + a_0 \pmod n$:
  a2 = 602415000342576915540027570000
  a1 = 1123549124004247469362171467964
  a0 = 587324114445679876954457927616
v1 = (n, 0, 0, 0)
v2 = (0, 100 n, 0, 0)
v3 = (0, 0, 10^4 n, 0)
v4 = (a0, 100 a1, 10^4 a2, 10^6)
Example attack on RSA using LLL

Apply LLL; b1 =
  308331465484476402 v1 + 589837092377839611 v2 + 316253828707108264 v3 + (-1012071602751202635) v4
  = (246073430665887186108474, -577816087453534232385300, 405848565585194400880000, -1012071602751202635000000).
Dividing the coordinates by 1, 100, 10^4, 10^6 gives the coefficients of g:
  g(x) = (-1012071602751202635) x^3 + 40584856558519440088 x^2 + (-5778160874535342323853) x + 246073430665887186108474.

The roots of g(x) are 42.0000000 and -0.9497 ± 76.0796 i.

The answer is 42.
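The whole attack of slides 8-12 end to end, as an added worked example rather than the lecture's own code: a small exact-arithmetic LLL (the algorithm of slides 5-6, with Gram-Schmidt recomputed after every change, which is fine in dimension 4), the 4×4 lattice with Y = 100, and the integer root of g. The n and B are the slide's own; the ciphertext c is constructed as (B+42)^3 mod n. LLL-reduced bases are not unique, so the reduced b1 may differ from the slide's by sign or by a unimodular choice, but the argument of slide 10 guarantees g(42) = 0 over the integers either way.

```python
from fractions import Fraction


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def lll(basis, delta=Fraction(3, 4)):
    """LLL-reduce an integer row basis with exact rational arithmetic.
    Returns the reduced basis as integer rows; row 0 is the short vector b1."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = _dot(b[i], bstar[j]) / _dot(bstar[j], bstar[j])
                v = [vi - mu[i][j] * sj for vi, sj in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size reduction: |mu_kj| <= 1/2
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        lhs = _dot(bstar[k], bstar[k])
        rhs = (delta - mu[k][k - 1] ** 2) * _dot(bstar[k - 1], bstar[k - 1])
        if lhs >= rhs:                          # Lovasz condition holds: advance
            k += 1
        else:                                   # swap b_k, b_{k-1} and step back
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]


def stereotyped_rsa_e3(n, B, c, Y):
    """Recover m with c = (B + m)^3 mod n and |m| < Y, following slides 8-10.
    Returns (candidates, [e0, e1, e2, e3]) where g(x) = sum e_i x^i."""
    a2 = 3 * B % n                      # f(x) = (B+x)^3 - c is monic in x
    a1 = 3 * B * B % n
    a0 = (B**3 - c) % n
    rows = [[n, 0, 0, 0],
            [0, Y * n, 0, 0],
            [0, 0, Y**2 * n, 0],
            [a0, a1 * Y, a2 * Y**2, Y**3]]
    b1 = lll(rows)[0]
    e = [b1[i] // Y**i for i in range(4)]   # coordinate i of every lattice vector is divisible by Y^i
    assert all(e[i] * Y**i == b1[i] for i in range(4))
    g = lambda x: e[3] * x**3 + e[2] * x**2 + e[1] * x + e[0]
    # g(m) = 0 over Z, so scanning the small range is exact; a real root finder
    # followed by rounding would do the same job for larger Y.
    return [x for x in range(-Y + 1, Y) if g(x) == 0 and pow(B + x, 3, n) == c], e


if __name__ == "__main__":
    N = 1927841055428697487157594258917           # the slide's n = p q
    B = 200805000114192305180009190000            # the slide's fixed prefix
    C = pow(B + 42, 3, N)                          # constructed: "The key is 42"
    print(stereotyped_rsa_e3(N, B, C, 100))       # ([42], [e0, e1, e2, e3])
```

Note that the final check pow(B + x, 3, n) == c is what distinguishes the true plaintext from any stray integer root of g; it costs one modular exponentiation per candidate.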
Elliptic Curves

Motivation:
  Full employment act for mathematicians.
  Elliptic curves over finite fields have an arithmetic operation.
  Index calculus doesn't work on elliptic curves.
  Even for large elliptic curves, the field size is relatively modest, so arithmetic is faster.
Use this operation to define a discrete log problem.
To do this we need to:
  Define point addition and multiplication on an elliptic curve.
  Find an elliptic curve whose arithmetic gives rise to large finite groups with elements of high order.
  Figure out how to embed a message in a point multiplication.
  Figure out how to pick good curves.
Rational Points

Bezout
Linear equations
$x^2 + 5y^2 = 1$
$y^2 = x^3 - ax - b$
  Disconnected: $y^2 = 4x^3 - 4x + 1$
  Connected: a = 7, b = -10
  Troublesome: a = 3, b = -2
Arithmetic
$D = 4a^3 - 27b^2$
Genus; rational points for g > 1
Mordell
$\mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$, $n_2 | n_1$, $n_2 | (p-1)$
Equation solving in the rational numbers

Linear case: solve ax + by = c or, equivalently, find the rational points on the curve C: f(x,y) = ax + by - c = 0.
Clearing the fractions in x and y, this is equivalent to solving the equation in the integers. Suppose (a,b) = d; there are x, y ∈ Z with ax + by = d. If d | c, say c = dd', then a(d'x) + b(d'y) = d'd = c and we have a solution. If d does not divide c, there isn't any. We can homogenize the equation to get ax + by = cz and extend this procedure; here, because of z, there is always a solution.

Quadratic (conic) case: solve $x^2 + 5y^2 = 1$, or find the rational points on the curve C: $g(x,y) = x^2 + 5y^2 - 1 = 0$.
(-1,0) ∈ C. Let (x,y) be another rational point and join the two by a line: y = m(x+1). Note m is rational. Then $x^2 + 5m^2(x+1)^2 = 1$, i.e. $(5m^2+1)x^2 + 2(5m^2)x + (5m^2 - 1) = 0$, i.e. $x^2 + 2\frac{5m^2}{5m^2+1}x + \frac{5m^2-1}{5m^2+1} = 0$.
Completing the square and simplifying we get $\left(x + \frac{5m^2}{5m^2+1}\right)^2 = \frac{25m^4 - (25m^4 - 1)}{(5m^2+1)^2} = \frac{1}{(5m^2+1)^2}$. Taking the root other than x = -1, $x = \frac{1 - 5m^2}{5m^2+1}$, and substituting into the linear equation, $y = \frac{2m}{5m^2+1}$. These are all the solutions, since every rational point other than (-1,0) lies on such a line with rational m.

The cubic case is more interesting!
Bezout's Theorem

Let f(x,y,z) and g(x,y,z) be homogeneous polynomials over C, the complex numbers, of degrees m and n, and let C1 and C2 be the curves in $\mathbb{CP}^2$, the projective plane, defined by:
  C1 = {(x,y,z) : f(x,y,z) = 0}; and
  C2 = {(x,y,z) : g(x,y,z) = 0}.
If f and g have no common components and $D = C_1 \cap C_2$, then $\sum_{x \in D} I(C_1 \cap C_2, x) = mn$.

I is the intersection multiplicity. This is a fancy way of saying that (multiple points aside) there are mn points of intersection between C1 and C2. There is a nice proof in Silverman and Tate, Rational Points on Elliptic Curves, pp 242-251. The entire book is a must read.
A consequence of this theorem is that two cubic curves intersect in nine points.
Elliptic Curve Preliminaries - 1

Let K be a field. char(K) is the characteristic of K, which is either 0 or a prime p (a finite field has $p^n$ elements for some n > 0).
$F(x,y) = y^2 + axy + by + cx^3 + dx^2 + ex + f$ is a general cubic.
The curve F(x,y) = 0 is non-singular if there is no point on it where both $F_x(x,y)$ and $F_y(x,y)$ vanish.
If char(K) ≠ 2, 3, F(x,y) = 0 is equivalent (after a change of variables) to $y^2 = x^3 + ax + b$, which is denoted $E_K(a,b)$ and is called the Weierstrass equation.
Note that the intersection of a line (y = mx + d) and the cubic $E_K(a,b)$ is 1, 2 or 3 points over K.
The idea is: given 2 points P, Q on a cubic, the line between P and Q generally identifies a third point R on the cubic.
A point taken twice generally identifies another point, which is the intersection of the tangent line to the cubic at the given point with the cubic.
The last observation is the motivation for defining a binary operation (addition) on the points of a cubic.
Elliptic Curve Preliminaries - 2

We are most interested in cubics with a finite number of points.
Cubics over finite fields have a finite number of points (duh).
$E_K(a,b)$ is an elliptic equation over the affine plane.

It is often easier to work with elliptic equations over the projective plane. The projective plane consists of the points (a,b,c) (not all 0), where (a,b,c) and (ad,bd,cd), d ≠ 0, represent the same point.
The map (x,y) → (x,y,1), with (x,y,1) ~ (xz,yz,z), sets up a 1-1 correspondence between the affine plane (plus the points at infinity) and the projective plane.
$E_K(a,b)$ becomes $zy^2 = x^3 + axz^2 + bz^3$. Note these are homogeneous equations.
The points (x,y,0) are called the line at infinity.
The point at infinity (0,1,0) is the only point of the curve on the line at infinity; it is the natural identity element O, and its introduction is less ad hoc than in the affine picture.
Elliptic Curves

A non-singular elliptic curve is a curve satisfying the equation $y^2 = x^3 + ax + b$ where the cubic $x^3 + ax + b$ has no multiple roots.

The points of interest on the curve are those with rational coordinates, which can be combined using the addition operation. These are called rational points.

[Graphic by Richard Spillman]
Multiple roots

Here is the condition that the elliptic curve $E_R(a,b)$: $y^2 = x^3 + ax + b$ does not have multiple roots.

Set $f(x,y) = y^2 - x^3 - ax - b = 0$.
At a double point, $f_x(x,y) = f_y(x,y) = 0$; here $f_x(x,y) = -(3x^2 + a)$ and $f_y(x,y) = 2y$.
Thus y = 0, and $x^3 + ax + b = 0$ and $3x^2 + a = 0$ have a common zero.
Substituting $a = -3x^2$, we get $0 = x^3 - 3x^3 + b$, so $b = 2x^3$ and $b^2 = 4x^6$. Cubing $a = -3x^2$, we get $a^3 = -27x^6$. So $b^2/4 = a^3/(-27)$, or $27b^2 + 4a^3 = 0$.
Thus, if $27b^2 + 4a^3 \ne 0$, then $E_R(a,b)$ does not have multiple roots.

We define the discriminant as $\Delta = -16(4a^3 + 27b^2)$.
Elliptic curve addition

The addition operator on a non-singular elliptic curve maps two points, P and Q, into a third, P+Q. Here's how we construct P+Q when P ≠ Q.
Construct the straight line through P and Q; it hits E at a third point R.
P+Q is the reflection of R across the x-axis.

[Graphic by Richard Spillman: the chord through P and Q meets the curve at R; P+Q is R reflected in the x-axis.]
Addition for points P, Q in E_R(a,b) - 1

Suppose we want to add two distinct points P and Q lying on the curve $E_R(a,b)$: $y^2 = x^3 + ax + b$, where $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ with P ≠ Q; then $P + Q = R = (x_3, y_3)$.

Suppose $x_1 \ne x_2$. Here is the computation: Join P and Q by the line y = mx + u, with $m = (y_2 - y_1)/(x_2 - x_1)$ and $u = y_1 - mx_1 = y_2 - mx_2$. Substituting y = mx + u into $E_R(a,b)$ we get $(mx + u)^2 = x^3 + ax + b$, so $0 = x^3 - m^2 x^2 + (a - 2mu)x + (b - u^2)$. $x_1, x_2, x_3$ are the roots of this equation, so $m^2 = x_1 + x_2 + x_3$ and $x_3 = m^2 - x_1 - x_2$. The third intersection point is $P * Q = (x_3, -y_3)$; substituting back into the linear equation, $-y_3 = mx_3 + u$, so $y_3 = -mx_3 - u = -mx_3 - (y_1 - mx_1) = m(x_1 - x_3) - y_1$.

To summarize, if P ≠ Q (and $x_1 \ne x_2$):
  $x_3 = m^2 - x_1 - x_2$
  $y_3 = m(x_1 - x_3) - y_1$
  $m = (y_2 - y_1)/(x_2 - x_1)$
Multiples in Elliptic Curves - 1

P+P (or 2P) is defined in terms of the tangent to the cubic at P.
Construct the tangent at P and reflect the point R at which it intercepts the curve across the x-axis to obtain 2P.
P can be added to itself k times, resulting in a point Q = kP.

[Graphic by Richard Spillman]
Addition for points P, Q in E_R(a,b) - 2

Suppose we want to add two points P and Q lying on the curve $E_R(a,b)$: $y^2 = x^3 + ax + b$, where $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ and $x_1 = x_2$.

Case 1, $y_1 \ne y_2$: In this case $y_1 = -y_2$ and the line through P and Q is vertical; it meets the curve again only at infinity, the point we called O, and we get P+Q = O. Note Q = -P, so -(x,y) = (x,-y).

Case 2, $y_1 = y_2$, so P = Q: The slope of the tangent line to $E_R(a,b)$ at $(x_1, y_1)$ is m. Differentiating $y^2 = x^3 + ax + b$ we get $2y\,y' = 3x^2 + a$, so $m = (3x_1^2 + a)/(2y_1)$. The addition formulas on the previous page still hold with this m (if $y_1 = 0$ the tangent is vertical and 2P = O).
Addition in E_R(a,b) - summary

Given two points P and Q lying on the curve $E_R(a,b)$: $y^2 = x^3 + ax + b$, where $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, then $P + Q = R = (x_3, y_3)$ where:

If $x_1 \ne x_2$: $m = (y_2 - y_1)/(x_2 - x_1)$, and
  $x_3 = m^2 - x_1 - x_2$
  $y_3 = m(x_1 - x_3) - y_1$
If $x_1 = x_2$ and $y_1 \ne y_2$, then $y_1 = -y_2$ and P + Q = O, Q = -P.
If $x_1 = x_2$ and $y_1 = y_2$, then P = Q, R = 2P, $m = (3x_1^2 + a)/(2y_1)$, and
  $x_3 = m^2 - x_1 - x_2$
  $y_3 = m(x_1 - x_3) - y_1$
Point multiplication in E_R(a,b)

By using the doubling operation just defined, we can easily calculate P, 2P, 4P, 8P, ..., $2^e P$ and, by adding the appropriate multiples, calculate nP for any n (double-and-add on the binary expansion of n).

If nP = O, and n is the smallest positive integer with this property, we say P has order n.

Example:
The order of P = (2,3) on $E_R(0,1)$ is 6:
2P = (0,1), 3P = (-1,0), 4P = (0,-1), 5P = (2,-3), 6P = O.
Example of Addition and Element Order

E(-36,0): $y^2 = x^3 - 36x$. P = (-3, 9), Q = (-2, 8).

$P + Q = (\lambda^2 - x_1 - x_2,\ \lambda(x_1 - x_3) - y_1)$ with
  $\lambda = (y_2 - y_1)/(x_2 - x_1)$ if P ≠ Q,
  $\lambda = (3x_1^2 + a)/(2y_1)$ if P = Q.
P + Q = $(x_3, y_3)$ = (6, 0)   (λ = -1)
2P = (25/4, -35/8)   (λ = -1/2)
Note the growth of the denominators.
Proof of group laws

From the formulas and definitions it is easy to see that the operation + is commutative, O acts like an identity, and if P = (x,y), -P = (x,-y) with P + (-P) = O.

Associativity is the only law that's hard to verify. We could use the formulas to prove it, but that's pretty ugly.
There is a shorter proof that uses the following result: Let C, C1, C2 be three cubic curves. Suppose C goes through eight of the nine intersection points of $C_1 \cap C_2$; then C also goes through the ninth intersection point.
Associativity

If P and Q are points on an elliptic curve E, let P*Q denote the third point of intersection of the line PQ and E.

Now let P, Q, R be points on an elliptic curve E. We want to prove (P+Q)+R = P+(Q+R). To get P+Q, form P*Q and find the other intersection of E with the vertical line through P*Q; this latter operation is the same as finding the third intersection of the line through P*Q and O (the point at infinity) with E. To get (P+Q)+R, find (P+Q)*R and the vertical line through it; the other intersection point with E is (P+Q)+R. A similar calculation applies to P+(Q+R), and it suffices to show (P+Q)*R = P*(Q+R). The points O, P, Q, R, P*Q, P+Q, Q*R, Q+R and the intersection of the line through P+Q and R with E lie on the two cubics:
  C1: product of the lines [(P,Q), (R,P+Q), (Q+R,O)]
  C2: product of the lines [(P,Q+R), (P+Q,O), (R,Q)]
The original curve E goes through eight of these nine points, so it must go through the ninth, (P+Q)*R. Thus the intersection of the two lines (R,P+Q) and (P,Q+R) lies on E, and (P+Q)*R = P*(Q+R).

This proof will seem more natural if you've taken projective geometry. You could just slog out the algebra though.
Mordell and Mazur

Mordell: Let E be the elliptic curve given by the equation E: $y^2 = x^3 + ax^2 + bx + c$ and suppose that $\Delta(E) = -4a^3c + a^2b^2 - 4b^3 - 27c^2 + 18abc \ne 0$. There exist r points $P_1, P_2, \dots, P_r$ such that all rational points on E are of the form $a_1P_1 + \dots + a_rP_r$ where $a_i \in \mathbb{Z}$ (E(Q) is finitely generated).

Mazur: Let C be a non-singular rational cubic curve and suppose C(Q) contains a point of order m; then 1 ≤ m ≤ 10 or m = 12. In fact, the group of finite-order points is either cyclic of one of these orders, or the product of a group of order 2 with a cyclic group of order 2, 4, 6 or 8.
Fermat's Last Theorem

$x^n + y^n = z^n$ has no non-trivial solutions in Z for n > 2.
It is sufficient to prove this for n = p, where p is an odd prime.

Proof (full version will be on HW):
1. Suppose $A^p + B^p = C^p$, (A,B,C) = 1.
2. $E_{AB}$: $y^2 = x(x - A^p)(x + B^p)$ (the Frey curve).
3. Wiles: $E_{AB}$ is modular.
4. Ribet: $E_{AB}$ is too weird to be modular.
5. Fermat was right.
Why elliptic curves might be valuable in crypto

Consider E: $y^2 = x^3 + 17$. Let $P_n = (A_n/B_n, C_n/D_n)$ be a rational point on E. Define $ht(P_n) = \max(|A_n|, |B_n|)$.

Define $P_1 = (2,3)$, $P_2 = (-1,4)$ and $P_{n+1} = P_n + P_1$.

   n   ht(Pn)
   1   2
   2   1
   3   4
   4   2
   5   4
   6   106
   7   2228
   8   76271
   9   9776276
  10   3497742218
  20   8309471981636130322638066614339972215969861310

In fact, ht(Pn) ≈ 1.574 ns, ns = n2.

Example from Silverman, A Friendly Introduction to Number Theory.
Points on elliptic curves over F_q

The number of points N on $E_q(a,b)$ is the number of solutions of $y^2 = x^3 + ax + b$ in $F_q$, plus O.
For each of the q values of x there are up to 2 square roots, plus O, giving a maximum of 2q+1. However, not every number in $F_q$ has a square root. In fact, $N = q + 1 + \sum_x \chi(x^3 + ax + b)$, where $\chi$ is the quadratic character of $F_q$ (for q = p prime, the Legendre symbol).
Hasse's Theorem: $|N - (q+1)| \le 2\sqrt{q}$, where N is the number of points.
$E_q(a,b)$ is supersingular if $N = (q+1) - t$ with $t = 0, \pm\sqrt{q}, \pm\sqrt{2q}, \pm\sqrt{3q}$ or $\pm 2\sqrt{q}$ (whichever of these are integers); for q = p > 3 prime this means t = 0.
The abelian group formed by addition in $E_q(a,b)$ does not need to be cyclic, although it often is; it can always be decomposed into cyclic groups. Theorem: if G is the elliptic group of $E_q(a,b)$, then $G \cong \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$ with $n_2 | n_1$ and $n_2 | (q - 1)$.
Example: $E_{71}(-1,0)$. N = 72, G is of type (2,4,9), i.e. $\mathbb{Z}_2 \times \mathbb{Z}_{36}$.
E71(-1, 0): Spot the Group
There are 72 points on the curve. Can you spot (2, 4, 9)? Points ([order] (x, y)):

Order Point Order Point Order Point Order Point


[ 1] O [ 18] (14, 48) [ 12] (40, 29) [ 18] (53, 24)
[ 2] ( 0, 0) [ 3] (19, 38) [ 36] (41, 62) [ 36] (54, 28)
[ 2] ( 1, 0) [ 3] (19, 33) [ 36] (41, 9) [ 36] (54, 43)
[ 9] ( 2, 19) [ 36] (21, 62) [ 18] (42, 8) [ 12] (55, 31)
[ 9] ( 2, 52) [ 36] (21, 9) [ 18] (42, 63) [ 12] (55, 40)
[ 18] ( 3, 38) [ 18] (23, 28) [ 36] (43, 21) [ 6] (56, 41)
[ 18] ( 3, 33) [ 18] (23, 43) [ 36] (43, 50) [ 6] (56, 30)
[ 9] ( 4, 42) [ 36] (27, 42) [ 36] (45, 49) [ 4] (60, 10)
[ 9] ( 4, 29) [ 36] (27, 29) [ 36] (45, 22) [ 4] (60, 61)
[ 18] ( 5, 7) [ 12] (32, 54) [ 36] (46, 37) [ 36] (61, 2)
[ 18] ( 5, 64) [ 12] (32, 17) [ 36] (46, 34) [ 36] (61, 69)
[ 6] ( 9, 62) [ 36] (33, 7) [ 18] (47, 51) [ 6] (63, 8)
[ 6] ( 9, 9) [ 36] (33, 64) [ 18] (47, 20) [ 6] (63, 63)
[ 36] (12, 56) [ 18] (35, 58) [ 18] (49, 38) [ 36] (64, 27)
[ 36] (12, 15) [ 18] (35, 13) [ 18] (49, 33) [ 36] (64, 44)
[ 4] (13, 14) [ 9] (37, 8) [ 12] (51, 16) [ 36] (65, 28)
[ 4] (13, 57) [ 9] (37, 63) [ 12] (51, 55) [ 36] (65, 43)
[ 18] (14, 23) [ 12] (40, 42) [ 18] (53, 47) [ 2] (70, 0)

Addition for points P, Q in E_p(a,b)

1. P + O = P.
2. If P = (x,y), then P + (x,-y) = O. The point (x,-y) is the negative of P, denoted -P.
3. If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ with Q ≠ -P, then $P + Q = (x_3, y_3)$ is determined by the following rules:
  $x_3 = \lambda^2 - x_1 - x_2 \pmod p$
  $y_3 = \lambda(x_1 - x_3) - y_1 \pmod p$
  $\lambda = (y_2 - y_1)/(x_2 - x_1) \pmod p$ if P ≠ Q
  $\lambda = (3x_1^2 + a)/(2y_1) \pmod p$ if P = Q
4. The order of P is the smallest positive number n with nP = O.
Point multiplication in E_p(a,b)

E: $y^2 = x^3 + 17 \pmod{101}$, i.e. $E_{101}(0,17)$.

Formulas (mod p):
  $x_3 = m^2 - x_1 - x_2$
  $y_3 = m(x_1 - x_3) - y_1$
  $m = (y_2 - y_1)/(x_2 - x_1)$ if P ≠ Q
  $m = (3x_1^2 + a)/(2y_1)$ if P = Q

Check that the points used below lie on the curve (mod 101):
  93^2 = 23^3 + 17 = 64
  74^2 = 54^3 + 17 = 22
  41^2 = 29^3 + 17 = 65
  37^2 = 41^3 + 17 = 56
  88^2 = 35^3 + 17 = 68

(23,93) + (54,74) = (29,41):
  m = (74 - 93)/(54 - 23) = -19/31 = 82 × 88 = 45   (31^{-1} = 88 mod 101)
  x3 = 45^2 - 23 - 54 = 29 (mod 101)
  y3 = 45 × (23 - 29) - 93 = 41 (mod 101)

2 × (41,37) = (35,88):
  m = (3 × 41^2 + 0)/(2 × 37) = 94/74 = 94 × 86 = 4   (74^{-1} = 86 mod 101)
  x3 = 4^2 - 82 = 35 (mod 101)
  y3 = 4 × (41 - 35) - 37 = -13 = 88 (mod 101)
Elliptic Curve (Characteristic = 2)

For K of characteristic 2 the form $y^2 = x^3 + ax + b$ no longer applies. For the general equation $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ define $j(E) = a_1^{12}/\Delta$; there are two cases.

If j(E) ≠ 0 (ordinary), the curve can be written $y^2 + xy = x^3 + ax^2 + b$:
  $-P = (x_1, y_1 + x_1)$
  P ≠ Q: $\lambda = (y_1 + y_2)/(x_1 + x_2)$, $x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$, $y_3 = \lambda(x_1 + x_3) + x_3 + y_1$
  P = Q: $x_3 = x_1^2 + b/x_1^2$, $y_3 = x_1^2 + (x_1 + y_1/x_1)x_3 + x_3$

If j(E) = 0 (supersingular), the curve can be written $y^2 + cy = x^3 + ax + b$:
  $-P = (x_1, y_1 + c)$
  P ≠ Q: $\lambda = (y_1 + y_2)/(x_1 + x_2)$, $x_3 = \lambda^2 + x_1 + x_2$, $y_3 = \lambda(x_1 + x_3) + y_1 + c$
  P = Q: $x_3 = (x_1^4 + a^2)/c^2$, $y_3 = ((x_1^2 + a)/c)(x_1 + x_3) + y_1 + c$
Structure of the Elliptic Curve Group on E_p(a,b) - 1

$E_{11}(1,6)$ [$y^2 = x^3 + 1x + 6 \pmod{11}$]. D = -7; 2 is primitive (mod 11). Here $D = -16(4a^3 + 27b^2) \pmod p$. 13 points on the curve; G is cyclic.

Order  Point        Powers of (5,2)
[ 1]   O            ( 1) ( 5, 2)
[13]   ( 2, 4)      ( 2) (10, 2)
[13]   ( 2, 7)      ( 3) ( 7, 9)
[13]   ( 3, 5)      ( 4) ( 3, 5)
[13]   ( 3, 6)      ( 5) ( 8, 8)
[13]   ( 5, 2)      ( 6) ( 2, 4)
[13]   ( 5, 9)      ( 7) ( 2, 7)
[13]   ( 7, 2)      ( 8) ( 8, 3)
[13]   ( 7, 9)      ( 9) ( 3, 6)
[13]   ( 8, 8)      (10) ( 7, 2)
[13]   ( 8, 3)      (11) (10, 9)
[13]   (10, 2)      (12) ( 5, 9)
[13]   (10, 9)      (13) O
Structure of the Elliptic Curve Group on E_p(a,b) - 2

$E_{31}(1,6)$. D = -23; 3 is primitive (mod 31). 32 points on the curve. Not cyclic: there are three points of order 2, so $G \cong \mathbb{Z}_2 \times \mathbb{Z}_{16}$.

Order  Point       Order  Point
[ 1]   O           [16]   (19, 8)
[16]   ( 1, 16)    [16]   (19, 23)
[16]   ( 1, 15)    [ 4]   (20, 20)
[ 8]   ( 2, 27)    [ 4]   (20, 11)
[ 8]   ( 2, 4)     [16]   (21, 9)
[ 4]   ( 3, 25)    [16]   (21, 22)
[ 4]   ( 3, 6)     [16]   (24, 20)
[ 2]   ( 9, 0)     [16]   (24, 11)
[16]   (12, 17)    [16]   (25, 30)
[16]   (12, 14)    [16]   (25, 1)
[ 8]   (14, 25)    [ 2]   (26, 0)
[ 8]   (14, 6)     [ 2]   (27, 0)
[16]   (17, 10)    [ 8]   (28, 10)
[16]   (17, 21)    [ 8]   (28, 21)
[16]   (18, 20)    [ 8]   (30, 29)
[16]   (18, 11)    [ 8]   (30, 2)
Structure of the Elliptic Curve Group on E_p(a,b) - 3

$E_p(a,b)$: $y^2 = x^3 + ax + b \pmod p$. $D = -16(4a^3 + 27b^2) \pmod p$. <g> (p) means g generates $F_p^*$; G is a generator of the point group.

Cyclic
  E29(0,17). D: -3. <2> (29). 30 points. G: (2, 24).
  E31(0,17). D: -11. <3> (31). 43 points. G: (1, 24).
  E101(0,17). D: -12. <2> (101). 102 points. G: (4, 9).
  E311(0,17). D: -137. <17> (311). 312 points. G: (14, 133).
  E29(1,6). D: -14. <2> (29). 38 points. G: (2, 4).
  E47(1,6). D: -12. <5> (47). 52 points. G: (0, 10).
  E101(1,6). D: -62. <2> (101). 112 points. G: (0, 39).
  E1217(0,17). D: -714. <3> (1217). 1218 points. G: (2, 5).

Not cyclic
  E31(1,6). D: -23. <3> (31). 32 points. (1, 16) has order 16.
Endomorphisms

Endomorphisms are homomorphisms $\alpha: E(\bar K) \to E(\bar K)$ that can be represented by rational functions.
If $\alpha(x,y) = (r_1(x), r_2(x)\,y)$ with $r_1(x) = p(x)/q(x)$ in lowest terms, then deg(α) = max(deg p, deg q).
The endomorphism α is separable if $r_1'(x) \ne 0$.
If α is separable, deg(α) = #ker(α).
If α is not separable, deg(α) > #ker(α).

If $\phi_q$ is the Frobenius map, it is an endomorphism of degree q, and $\phi_q$ is not separable.
$\ker(\phi_q - 1) = E(F_q)$, so $\#\ker(\phi_q - 1) = \#E_q$; $\phi_q - 1$ is a separable endomorphism, hence $\#E_q = \deg(\phi_q - 1)$.
Let E be an elliptic curve over $F_q$ and $a = q + 1 - \#E_q = q + 1 - \deg(\phi_q - 1)$. Then $\phi_q^2 - a\phi_q + q = 0$.
Endomorphisms continued

Endomorphisms are maps that preserve the addition operation between an elliptic curve group and itself, that is, α(P+Q) = α(P) + α(Q). We care about endomorphisms that preserve O: α(O) = O. (Rational maps between curves that preserve O are called isogenies.)

There are two very important endomorphisms:
  Frobenius: $\phi(x,y) = (x^p, y^p)$
  Point multiplication: $\alpha(x,y) = [n](x,y)$

For $E_K(a,b)$, define $\Delta = -16(4a^3 + 27b^2)$ (for singular curves Δ = 0) and define the j-invariant of $E_p(a,b)$: $j(E) = 1728 \cdot 4a^3/(4a^3 + 27b^2) = -1728\,(4a)^3/\Delta$.
Isomorphic Curves and the j-invariant

Let K be a field and $\bar K$ its algebraic closure. $E_K(a,b)$ and $E_K(a',b')$ are isomorphic if there are $r, s, t \in K$ and $u \in K$, u ≠ 0, such that the transformation $(x,y) \to (x',y')$ given by $x = u^2x' + r$, $y = u^3y' + su^2x' + t$ takes $E_K(a,b)$ to $E_K(a',b')$.

Recall $\Delta = -16(4a^3 + 27b^2)$ (for singular curves Δ = 0) and the j-invariant $j(E) = 1728 \cdot 4a^3/(4a^3 + 27b^2)$.

Theorem: Let $E_1 = E_K(a_1,b_1)$ and $E_2 = E_K(a_2,b_2)$ be two elliptic curves.
1. If E1 and E2 are isomorphic, they have the same j-invariant.
2. If $j(E_1) = j(E_2)$, there is a $\mu \in \bar K$ with $a_2 = \mu^4 a_1$ and $b_2 = \mu^6 b_1$.
3. If two curves have the same j-invariant, they are isomorphic over the algebraic closure $\bar K$.
The Division Polynomials

$[m](x,y) = \left(\dfrac{\phi_m(x,y)}{\psi_m(x,y)^2},\ \dfrac{\omega_m(x,y)}{\psi_m(x,y)^3}\right)$

We can calculate these polynomials recursively. Starting values:
  $\psi_0 = 0$, $\psi_1 = 1$, $\psi_2 = 2y$,
  $\psi_3 = 3x^4 + 6ax^2 + 12bx - a^2$,
  $\psi_4 = 4y(x^6 + 5ax^4 + 20bx^3 - 5a^2x^2 - 4abx - 8b^2 - a^3)$;
then
  $\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3$,
  $\psi_{2m} = \dfrac{\psi_m}{2y}\left(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2\right)$,
  $\phi_m = x\psi_m^2 - \psi_{m+1}\psi_{m-1}$,
  $\omega_m = \dfrac{1}{4y}\left(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2\right)$.

Let E be an elliptic curve; the endomorphism of E given by multiplication by n has degree $n^2$.

E[m] = {P ∈ E : [m]P = O} is the subgroup of torsion points whose order divides m.
Group order and Hasse

$\#E_q(a,b) = q + 1 - t$
$\phi^2 - [t]\phi + q = 0$
$|t| \le 2\sqrt{q}$

$G(E_p(a,b)) \cong \mathbb{Z}_n \times \mathbb{Z}_m$, n | m, n | p-1. (Proved using endomorphisms.)
Let E be an elliptic curve over K and n a positive integer. If char(K) does not divide n, or is 0, then $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$.

Twist by a non-square m: $a_2 = m^2 a_1$, $b_2 = m^3 b_1$.
  $\#E_p(a_1,b_1) + \#E_p(a_2,b_2) = 2p + 2$ (the traces are t and -t).
Point counting

Group order calculations are critical for curve selection and algorithm safety. The number of points on the curve is the size of the group, so counting points is important. There are several methods:

1. Baby Step Giant Step: explained on the next slide.
2. Schoof: $O(\lg^8 p)$. Beyond the scope of this lecture. Determines t (mod l) for primes $l \le l_{max}$ with $\prod l > 4\sqrt{p}$, then recovers t by the Chinese remainder theorem.
3. SEA: Schoof-Elkies-Atkin. Further beyond the scope of this lecture.
Shanks and Mestre

Input: $E_q(a,b)$, $\#E_q(a,b) = q + 1 - t$, $|t| \le 2\sqrt{q}$.
Output: t, hence the group order. $O(q^{1/4+\epsilon})$.
1. Pick a random point P on $E_q(a,b)$ with |P| > 4√q (|P| the order of P).
2. Q = [q+1]P (so Q = [t]P, since [#E]P = O).
3. Q1 = Q + [floor(2√q)]P.
4. t' = t + floor(2√q); note 0 ≤ t' ≤ 4√q and Q1 = [t']P.
5. m = ceiling(2 q^{1/4}) (so m^2 ≥ 4√q).
6. Baby steps: [j]P, 0 ≤ j < m.
7. Giant steps: Q1 - [i][m]P, 0 ≤ i < m.
8. A match gives t' = im + j, i, j < m. This determines t, and since |P| > 4√q it determines $\#E_q(a,b)$ uniquely.
Mestre: either a curve or its twist has a point with order > 4√q.
Elliptic Curve Discrete Log Problem

Let C be an elliptic curve E(a,b): $y^2 = x^3 + ax + b$ over a finite field K with elliptic group G. Given P, Q in the group with Q = nP, find n.
Elliptic curve cryptosystems are precisely analogous to discrete log systems using arithmetic over finite fields.
Discovered independently by Koblitz and Miller.
Note that in computing kP over $E_p(a,b)$, we can write k in binary and compute kP in $O(\lg(k)\lg(p)^3)$ time by double-and-add. For example, $40P = (2^5 + 2^3)P$.
Baby step, giant step

Want to find m with Q = [m]P. There is a general attack, just like in the DLP, called the Baby Step Giant Step attack. It takes $O(\sqrt{n})$ group operations (and memory), where n is the order of P.

The attack:
1. M = ceiling(√n). Write m = aM + b with 0 ≤ a, b < M.
2. To find a, b note Q - [b]P = [a][M]P.
3. Baby steps: $R_b = Q - [b]P$ for 0 ≤ b < M, stored in a table.
4. Giant steps: $S_a = [a][M]P$ for a = 0, 1, ...; a match $S_a = R_b$ gives m = aM + b.
Special Attacks on discrete log in E_q(a,b)

MOV Attack (Menezes, Okamoto, Vanstone).
Anomalous Attack.
Both work by mapping the ECDLP to a DLP.

In the case of MOV, if n is the order of a point (hence it divides the number of points on the curve) and (n,q) = 1, the ECDLP can be mapped (via a pairing) into the DLP in $GF(q^l)$, where $q^l \equiv 1 \pmod n$.
Let k = [lg q]. To avoid this attack, we need to make sure the DLP in $GF(q^l)$ is as hard as the ECDLP in $E_q(a,b)$. This is guaranteed to happen if $l > k^2/(\lg k)^2$, so we can avoid this attack if the smallest l with $q^l \equiv 1 \pmod n$ satisfies $l > k^2/(\lg k)^2$.

An anomalous curve satisfies $\#E_q(a,b) = q$. This group is cyclic and allows an easy embedding into the DLP in the additive group of $F_q$, which is trivial to solve. To avoid this, make sure the number of points on the elliptic curve is not q.
Diffie Hellman over ECC

Alice and Bob choose a finite field $F_q$ and an elliptic curve E over it.
The key will be taken from the resulting shared point P on the elliptic curve (e.g. its x coordinate).
Alice and Bob choose a base point B, which does not need to be secret; B must have a very large order.
Alice chooses a random a and computes aB ∈ E.
Bob chooses a random b and computes bB ∈ E.
Alice and Bob exchange the computed values.
Alice, from bB and a, computes P = abB.
Bob, from aB and b, computes P = abB.
Elliptic curve El Gamal

There are several ways in which the ECDLP can be embedded in a cipher system.
One method begins by selecting an elliptic curve $E_p(a,b)$, a point G on the curve and a secret number k, which will be the private key. The public key is G and $P_A$ where $P_A = kG$. Think of G as the generator in the discrete log problem.
A message is encrypted by converting the plaintext into a number m, selecting a random number r, and finding a point $P_m$ on the curve corresponding to m (we explain how to do this on the next slide).
The ciphertext consists of two points on the curve: $\{rG,\ P_m + rP_A\}$.
To decipher, multiply the first point by k and subtract the result from the second point: $P_m + rP_A - k(rG) = P_m + r(kG) - k(rG) = P_m$.
Embedding m in E_q(a,b)

There is no known deterministic way; the following method is probabilistic.
Assume $q = p^r$ and we want to embed with a probability of failure not exceeding $2^{-\kappa}$.
The message is m with 0 ≤ m < M, and we need $q > M\kappa$.
For $a = m\kappa + j$ (0 ≤ j < κ) with base-p digits $a = a_{r-1}p^{r-1} + \dots + a_1p + a_0$, associate the field element $X_a = \sum_i a_i X^i$.
For j = 0, try to solve the curve equation for y at x = $X_a$. This succeeds with probability about 1/2. If it succeeds, use the point $(X_a, y)$; otherwise try j = 1, 2, ...
Given a, we recover m by writing $a = m\kappa + j$ and discarding j, i.e. $m = \lfloor a/\kappa \rfloor$.
Putting it all together: EC El Gamal

Curve: $E_{8831}(3,45)$.
G = (4,11), a = 3, A = aG = (413,1808)   (Alice's key pair)
b = 8, B = bG = (5415,6321)   (Bob's ephemeral value)
P = (5,1743)   (the message point)
Bob sends Alice:
  [B, P + 8A] = [(5415,6321), (6626,3576)]
Alice decrypts as:
  3 × (5415,6321) = (673,146)
  P = (6626,3576) - (673,146) = (6626,3576) + (673,-146) = (5,1743)
Putting it all together: ECDH

Curve: $E_{7211}(1,7206)$
G = (3,5)
Alice picks a = 12, sends aG = (1794,6375)
Bob picks b = 23, sends bG = (3861,1242)
Bob computes 23 × (1794,6375) = (1472,2098)
Alice computes 12 × (3861,1242) = (1472,2098)
Picking Curves

Curves are selected at random subject to resistance to known attacks like Pohlig-Hellman and Pollard rho.
1. #E(F_q) should be divisible by a large prime n.
2. #E(F_q) should not be q (anomalous curves).
3. n should not divide $q^k - 1$ for small k (MOV).
Method of selecting curves:
  Select a, b at random with $4a^3 + 27b^2 \ne 0$.
  Calculate N = #E(F_q).
  Factor N and verify 1, 2, 3 above.
If the coefficients are selected at random, the orders of the curves are close to uniformly distributed over the Hasse interval (Lenstra).
Curve selection

Given p and a parameter S, generate an acceptable E.
1. Generate random a, b ∈ $F_p$.
2. If Δ = 0 go to 1.
3. Determine N = $\#E_p(a,b)$.
4. If $E_p(a,b)$ is anomalous (p = N), go to 1.
5. If $E_p(a,b)$ is subject to the MOV attack (there is an $l < \lg(p)^2/(\lg \lg p)^2$ with $p^l \equiv 1 \pmod N$), go to 1.
6. Factor N; if it takes too long, go to 1.
7. If N = s × r with r prime and s ≤ S, return $E_p(a,b)$.
8. Go to 1.
ECC Point Operation Costs and modular operations

Parameters:
  I = inverse cost in GF(p)
  S = square cost in GF(p)
  M = multiply cost in GF(p)

Op         Cost              Modular Op   Cost
2P         I + 2S + 2M       Add, Sub     O(lg n)
P+Q        I + S + 2M        Multiply     O(lg(n)^2)
2P+Q       2I + 2S + 2M      Invert       O(lg(n)^2)
P+Q, P-Q   I + 2S + 4M       Exp          O(lg(n)^3)
ECC vs RSA performance analysis

n = [lg p] (for EC), N = [lg p] for DLP.

The cost to break DLP with the best known algorithm (index calculus) is
  $c_{DLP}(N) = \exp\left(c_0 (N \ln 2)^{1/3} \ln(N \ln 2)^{2/3}\right)$.
The cost to break ECDLP with the best known algorithm (Pollard rho) is
  $c_{ECDLP}(n) = 2^{n/2}$.

Equating the two: $n = \beta N^{1/3} \ln(N \ln 2)^{2/3}$, $\beta = 2c_0/(\ln 2)^{2/3} \approx 4.91$.

The number of key bits (for equivalent security) in the DLP case grows roughly as the cube of the number of bits for the ECDLP case.
This has key size and performance implications.
Pollard Rho Method for ECC vs. Factoring by Number Field Sieve

Elliptic Curve Logarithms Using Pollard Rho Method
  Key size   MIPS-Years
  150 bits   3.8 x 10^10
  205 bits   7.1 x 10^18
  234 bits   1.6 x 10^28

Integer Factoring Using Number Field Sieve
  Key size    MIPS-Years
  512 bits    3 x 10^4
  768 bits    2 x 10^8
  1024 bits   3 x 10^11
  1280 bits   3 x 10^14
  1536 bits   3 x 10^16
  2048 bits   3 x 10^20

This slide came from someone else.
Observations on ECC

Asymmetry between encryption and decryption is reduced (4:1).
NIST recommendations for key size to provide equivalent security (bits in key):

  ECC   RSA     AES
  163   1024    -
  256   3072    128
  384   7680    192
  521   15360   256
NIST Curves

Use prime fields $F_p$ with $p = 2^{192} - 2^{64} - 1$, $p = 2^{224} - 2^{96} + 1$, $p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1$, $p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1$, $p = 2^{521} - 1$, or binary fields $F_q$ with $q = 2^{163}, 2^{233}, 2^{283}, 2^{409}, 2^{571}$.
$\#E_q(a,b) = q + 1 - t$, $|t| \le 2\sqrt{q}$, and t is called the trace of E.
$E_q(a,b)$ has rank 1 or 2, that is, $E_q(a,b) \cong \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2}$ with $n_2 | n_1$ and $n_2 | (q - 1)$.
If $n_2 = 1$, $E_q(a,b) \cong \mathbb{Z}_{n_1} = \{kP : 0 \le k < n_1\}$ and P is a generator.
$E_q(a_1,b_1) \cong E_q(a_2,b_2)$ if $a_1 = u^4 a_2$ and $b_1 = u^6 b_2$ for some u ≠ 0 in $F_q$.
$E_q$, $q = p^n$, is supersingular if p | t. The field is represented in a polynomial or normal basis.
El Gamal Signature

Bob has a private key x and a public key <g, X>, $X = g^x$, in a group G. To sign m, given a map f: G → $\mathbb{Z}_{|G|}$:
1. Bob generates a random a, 1 ≤ a < |G|, with a invertible mod |G|, and computes $A = g^a$.
2. Bob computes B ∈ $\mathbb{Z}_{|G|}$ with $m = x f(A) + B a \pmod{|G|}$.
3. $Sig_{Bob}(m) = (A, B)$.

To verify the signature, check that $X^{f(A)} A^B = g^m$.
Preliminary DSA

Bob has a private key x and a public key <g, X>, $X = g^x$, in a group G. To sign m, given a map f: G → $\mathbb{Z}_{|G|}$:
1. Bob generates a random a, 1 ≤ a < |G|, and computes $A = g^a$.
2. Bob computes B ∈ $\mathbb{Z}_{|G|}$ with $m = -x f(A) + B a \pmod{|G|}$ (B must be invertible mod |G|).
3. $Sig_{Bob}(m) = (A, B)$.

To verify, compute $u = mB^{-1} \pmod{|G|}$, $v = f(A)B^{-1} \pmod{|G|}$ and $w = g^u X^v$. Verify that w = A.
EC El Gamal Signature

The same scheme, with G the elliptic curve group (written multiplicatively here for uniformity with the previous slides). Bob has a private key x and a public key <g, X>, $X = g^x$, in G. To sign m, given a map f: G → $\mathbb{Z}_{|G|}$:
1. Bob generates a random a, 1 ≤ a < |G|, with a invertible mod |G|, and computes $A = g^a$.
2. Bob computes B ∈ $\mathbb{Z}_{|G|}$ with $m = x f(A) + B a \pmod{|G|}$.
3. $Sig_{Bob}(m) = (A, B)$.

To verify the signature, check that $X^{f(A)} A^B = g^m$.
ECDSA

Domain parameters D = (q, a, b, P, n, h), with $nh = \#E_q(a,b)$ and P of prime order n. Private key d, public key Q = dP, message m. Signature (r, s).
Sign:
1. Select k ∈ [1, n-1] at random (secret, never reused).
2. Compute $kP = (x_1, y_1)$. Convert $x_1$ to an integer $\bar{x}_1$.
3. Compute $r = \bar{x}_1 \pmod n$. If r = 0 go to 1.
4. Compute e = H(m).
5. $s = k^{-1}(e + dr) \pmod n$. If s = 0, go to 1.

Verify:
1. Check r, s ∈ [1, n-1]. Compute e = H(m).
2. Compute $w = s^{-1} \pmod n$, $u_1 = ew \pmod n$, $u_2 = rw \pmod n$.
3. Compute $X = u_1 P + u_2 Q$. If X = O, reject.
4. Convert $x_1$ of X to an integer $\bar{x}_1$. Compute $v = \bar{x}_1 \pmod n$.
5. If v = r accept the signature.
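An added example, not code from the lecture, collecting in one runnable piece the arithmetic of slides 22-27 and 35-36 (chord-and-tangent addition over Q with exact fractions and over F_p), point order and the quadratic-character point count of slide 33 (which reproduces the 13, 72 and 43 points of E11(1,6), E71(-1,0) and E31(0,17) from slides 38-40), the baby-step giant-step ECDLP attack of slide 49, and textbook ECDSA as on the slide above. The curve parameters used in the main block are the slides' own (E(-36,0), E101(0,17), E8831(3,45), E31(0,17) with base point (1,24) of order 43). SHA-256 as H, the `limit` on the order search and the explicit nonce argument are this example's assumptions.

```python
from fractions import Fraction
from math import isqrt
import hashlib

O = None  # the point at infinity, the group identity


class Curve:
    """y^2 = x^3 + a x + b over Q (p=None, exact Fractions) or over F_p (p an odd prime)."""

    def __init__(self, a, b, p=None):
        self.a, self.b, self.p = a, b, p
        d = 4 * a**3 + 27 * b**2
        if (d if p is None else d % p) == 0:
            raise ValueError("singular curve")

    def _red(self, v):   # normalise a coordinate to the field
        return Fraction(v) if self.p is None else v % self.p

    def _div(self, u, v):  # u / v in the field
        return Fraction(u) / v if self.p is None else u * pow(v, -1, self.p) % self.p

    def on_curve(self, P):
        return P is O or self._red(P[1]**2 - (P[0]**3 + self.a * P[0] + self.b)) == 0

    def neg(self, P):
        return O if P is O else (P[0], self._red(-P[1]))

    def add(self, P, Q):
        """Chord-and-tangent rules, case by case as on the summary slide."""
        if P is O:
            return Q
        if Q is O:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and self._red(y1 + y2) == 0:
            return O                                    # Q = -P: vertical line
        if x1 == x2:                                    # P = Q: tangent slope
            m = self._div(3 * x1 * x1 + self.a, 2 * y1)
        else:                                           # chord slope
            m = self._div(y2 - y1, x2 - x1)
        x3 = self._red(m * m - x1 - x2)
        return (x3, self._red(m * (x1 - x3) - y1))

    def mul(self, k, P):
        """[k]P by double-and-add over the binary expansion of k."""
        if k < 0:
            k, P = -k, self.neg(P)
        R = O
        while k:
            if k & 1:
                R = self.add(R, P)
            k >>= 1
            if k:
                P = self.add(P, P)
        return R

    def order(self, P, limit=10**6):
        """Smallest n > 0 with [n]P = O, or None if not found below limit."""
        k, R = 1, P
        while R is not O and k < limit:
            R, k = self.add(R, P), k + 1
        return k if R is O else None

    def count_points(self):
        """#E(F_p) = p + 1 + sum_x chi(x^3 + a x + b), chi the Legendre symbol."""
        p = self.p
        chi = lambda v: 0 if v % p == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
        return p + 1 + sum(chi(x**3 + self.a * x + self.b) for x in range(p))

    def bsgs(self, P, Q, n):
        """Solve Q = [m]P given ord(P) = n in O(sqrt(n)) steps and memory."""
        M = isqrt(n) + 1
        baby, R = {}, O
        for j in range(M):                 # baby steps: [j]P -> j
            baby.setdefault(R, j)
            R = self.add(R, P)
        giant, G = self.neg(self.mul(M, P)), Q
        for i in range(M):                 # giant steps: Q - [i][M]P
            if G in baby:
                return (i * M + baby[G]) % n
            G = self.add(G, giant)
        return None


def _hash_to_int(msg, n):                 # assumption: H = SHA-256 reduced mod n
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(E, G, n, d, msg, k):
    """Textbook ECDSA. k must be secret and never reused: two signatures with
    the same k leak d by a subtraction and one modular inverse."""
    if not 0 < k < n:
        raise ValueError("nonce out of range")
    r = E.mul(k, G)[0] % n
    s = pow(k, -1, n) * (_hash_to_int(msg, n) + d * r) % n
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another k")
    return r, s


def ecdsa_verify(E, G, n, Qpub, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    X = E.add(E.mul(_hash_to_int(msg, n) * w % n, G), E.mul(r * w % n, Qpub))
    return X is not O and X[0] % n == r
```

The same `Curve` object serves both fields because only division differs; over Q the denominators grow exactly as the slide on E(-36,0) warns. On a 43-point curve `bsgs` needs 7 baby and at most 7 giant steps, which is the √n behaviour that forces real curves to use prime orders of 2^256 and beyond.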
ECIES

Input: D = (q, a, b, P, n, h), public key Q, plaintext m.
ENC, MAC, DEC are standard symmetric-key functions; KDF is a key derivation function (also standard).

1. Pick k ∈ [1, n-1] at random.
2. Compute R = kP and Z = hkQ. If Z = O, go to 1.
3. $(k_1, k_2) = KDF(x_Z, R)$.
4. $c = ENC_{k_1}(m)$, $t = MAC_{k_2}(c)$.
5. Return (R, c, t).
Factoring using Elliptic Curves

Let $E_n(a,b)$ be an elliptic curve with $(4a^3 + 27b^2, n) = 1$ and let P1, P2 be two rational points whose denominators are prime to n. Then O ≠ P1 + P2 ∈ E has denominators prime to n iff there is no prime p | n such that P1 + P2 = O (mod p).

Lenstra's Algorithm. Choose two bounds B, K.
1. Check (n, 6) = 1 and that n is not a perfect power $m^r$.
2. Choose random b, x1, y1 between 1 and n.
3. $c = y_1^2 - x_1^3 - bx_1 \pmod n$, so that P = (x1, y1) lies on $y^2 = x^3 + bx + c$.
4. Check $(n, 4b^3 + 27c^2) = 1$ (a non-trivial gcd is already a factor).
5. k = LCM(1, 2, ..., K).
6. Compute $kP = (a_k/d_k^2, b_k/d_k^3)$; if at any point a denominator is not invertible mod n, n is composite and the gcd of that denominator with n is a factor.
7. D = (d_k, n). If D = 1, go to 5 and bump K, or go to 2 and select a new curve.
Factoring using elliptic curves - example

Factor n = 4453.
Use E: $y^2 = x^3 + 10x - 2 \pmod n$.
Initial point: P1 = (1,3).
2P = (4332, 3230).
To calculate 3P:
  λ = (3230 - 3)/(4332 - 1) = 3227/4331.
  (4331, 4453) = 61, so the inverse does not exist.
4453 = 61 × 73.
Factoring using elliptic curves - example

Factor m = 1938796243.
Use E: $y^2 = x^3 - Ax + A \pmod m$, A = 1, 2, ...
Initial point $P_1 = (1,1)$, $P_{n+1} = (n+1)P_n$ (so $P_n = n!\,P_1$).
For A = 7, $(w_{16}, m) = 37409$; m = 37409 × 51827.
$a_i = a^{r_1 r_2 \cdots r_i}$, $g_i = (a_i - 1, m)$.
</gr_repl>
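An added example, not the lecture's code, of Lenstra's method as described on the three slides above: curve arithmetic modulo the composite n in which a non-invertible slope denominator is turned into a factor by a gcd (so this `ec_add` deliberately differs from a field implementation). On the slide's n = 4453 curve with P = (1,3) it finds 61 at the same step as the slide (the chord from 2P fails modulo 61); the `lenstra` driver then uses the A = 1, 2, ... family and P = (1,1) of the second example. The bound K, the number of curves tried and the step-by-step K!·P schedule are this example's own choices.

```python
from math import gcd

O = None  # point at infinity


class FoundFactor(Exception):
    """Raised when a slope denominator is not invertible mod n; .d is gcd(den, n)."""

    def __init__(self, d):
        super().__init__(d)
        self.d = d


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a x + b (mod n) with the E_p formulas, but over a
    composite modulus: the inverse may fail, and that failure is the payload."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return O
    if x1 == x2:                                   # doubling: tangent slope
        num, den = 3 * x1 * x1 + a, 2 * y1
    else:                                          # chord slope
        num, den = y2 - y1, x2 - x1
    d = gcd(den % n, n)
    if d != 1:
        raise FoundFactor(d)   # 1 < d < n is a proper factor; d == n means this curve is useless
    m = num * pow(den, -1, n) % n
    x3 = (m * m - x1 - x2) % n
    return (x3, (m * (x1 - x3) - y1) % n)


def ec_mul(k, P, a, n):
    """[k]P by double-and-add; FoundFactor propagates out of it."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        k >>= 1
        if k:
            P = ec_add(P, P, a, n)
    return R


def ecm_try_curve(n, a, b, P, K):
    """Compute 2P, then 3(2P), ..., i.e. K!*P, on y^2 = x^3 + a x + b (mod n).
    Returns the gcd that appeared (a proper factor if 1 < d < n) or None."""
    d = gcd(4 * a**3 + 27 * b**2, n)
    if d != 1:
        return d                  # step 4 of the algorithm: singular mod some p | n
    try:
        for k in range(2, K + 1):
            P = ec_mul(k, P, a, n)
    except FoundFactor as f:
        return f.d
    return None


def lenstra(n, K=200, curves=100):
    """The second example's family y^2 = x^3 - A x + A with P = (1, 1), A = 1, 2, ...
    (the point (1,1) lies on every curve of the family). Stops at the first proper factor."""
    for A in range(1, curves + 1):
        d = ecm_try_curve(n, -A, A, (1, 1), K)
        if d is not None and 1 < d < n:
            return d
    return None


if __name__ == "__main__":
    print(ecm_try_curve(4453, 10, -2, (1, 3), 3))   # 61, as on the slide (4453 = 61 * 73)
    print(lenstra(1938796243))                        # 37409 or 51827
```

A gcd equal to n itself means the point became O modulo every prime factor at the same step; the driver simply moves to the next curve, which is the freedom ECM has over Pollard p-1.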
Topics

1. Full linear cryptanalysis of DES. [Taken]
2. Full differential cryptanalysis of DES.
3. Full linear and differential cryptanalysis of FEAL.
4. Dobbertin's attack on MD4.
5. Chinese (Wang et al.) attack on SHA-1.
6. Full re-estimation attack.
7. An algebraic cryptanalysis.
8. Full factoring attack.
9. Elliptic curve attack (MOV). [Taken]
10. Full discrete log attack.
11. Intro to algebraic cryptanalysis (including SFLASH). John.
12. Random number analysis.
13. NIST hash analysis.
14. Full stream cipher analysis.
15. Quantum cryptography.
End