CSP L7


Outline Elliptic Curves Basics Elliptic Curve Cryptography

CS 302 Computer Security and Privacy

Debayan Gupta

Lecture 7
February 19, 2019

CS 302, Lecture 7 1/57



Elliptic Curves Basics

Elliptic Curve Cryptography


Elliptic Curves Basics


Elliptic Curves

An elliptic curve $E$ over a field $K$ is a set of points $(x, y)$ with
$x, y \in K$, together with a special point $O$ called the point at
infinity. The $(x, y)$ points are the roots of a Weierstrass equation
of the form:

$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$

where the polynomial on the right hand side has no double roots.
For particular fields $K$, the Weierstrass equation takes a simpler
form, as we shall see.


EC over Real Numbers

Definition
Let $a, b \in \mathbb{R}$ be constants such that $4a^3 + 27b^2 \neq 0$.
A non-singular elliptic curve is the set $E$ of solutions
$(x, y) \in \mathbb{R} \times \mathbb{R}$ to the equation

$$y^2 = x^3 + ax + b$$

together with a special point $O$ called the point at infinity.

The point at infinity is sometimes denoted by $\infty$.


EC over Real Numbers

The condition $4a^3 + 27b^2 \neq 0$ is necessary and sufficient to ensure
that the cubic $x^3 + ax + b$ on the right-hand side of the elliptic curve
equation does not have repeated roots.
If $4a^3 + 27b^2 = 0$, then the corresponding elliptic curve is called a
singular elliptic curve.
Singular elliptic curves are not safe for cryptographic uses.


Example
Each choice of the numbers $a$ and $b$ yields a different elliptic curve.

Image retrieved from http://en.wikipedia.org/wiki/Elliptic_curve


EC Operations

Exactly one of these conditions holds for any pair of points on an
elliptic curve.

Image retrieved from http://en.wikipedia.org/wiki/Elliptic_curve


EC Operations

“Addition of Points on an Elliptic Curve over the Reals” from the
Wolfram Demonstrations Project.

Contributed by Eric Errthum


EC Modulo a Prime
For prime $p$, the integers in $\mathbb{Z}_p$ form a field $\mathbb{F}_p$, so every non-zero
element has a multiplicative inverse modulo $p$.
Elliptic curves over $\mathbb{F}_p$ are defined exactly as they are over real
numbers but with all arithmetic being performed over $\mathbb{F}_p$.

Definition
Let $p > 3$ be a prime. The elliptic curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$
is the set of solutions $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ to the congruence

$$y^2 \equiv x^3 + ax + b \pmod{p},$$

together with a special point $O$ called the point at infinity.

$a, b \in \mathbb{F}_p$ are constants such that $4a^3 + 27b^2 \not\equiv 0 \pmod{p}$.


Example
$E : y^2 = x^3 - x$ over a finite field $\mathbb{F}_{61}$

Image retrieved from http://en.wikipedia.org/wiki/Elliptic_curve


Example

A 3D graph of an elliptic curve $E : y^2 = x^3 + 673x$ over $\mathbb{F}_{677}$.

URL: http://www.youtube.com/watch?v=QFLQWhvdIYU


Example

Elliptic curves mod $p$ are finite sets of points. These are the elliptic
curves we are interested in.

- How can we find those points?
- How many points are on an elliptic curve?


Example
$E : y^2 \equiv x^3 + 4x + 4 \pmod{5}$ creates the following group:

$(0, 2), (0, 3), (1, 2), (1, 3), (2, 0), (4, 2), (4, 3), O$

Finding points:
- Substitute each possible value of $x \in \{0, 1, 2, 3, 4\}$ into the
  equation and find the values of $y$ that solve the equation.
- For example, $x \equiv 0 \Rightarrow y^2 \equiv 4 \Rightarrow y \equiv 2, 3 \pmod{5}$, which
  gives us two points $(0, 2)$ and $(0, 3)$.

$y$            | 0  1  2  3  4
$y^2 \bmod 5$  | 0  1  4  4  1


Number of Points on a Curve

Theorem (Hasse’s Theorem)
Suppose $E$ mod $p$ has $N$ points. Then

$$|N - (p + 1)| \le 2\sqrt{p}.$$

Hasse’s theorem bounds the number of points on an elliptic curve
over a finite field.
$\#E(\mathbb{F}_p)$ lies in the interval $[p + 1 - 2\sqrt{p},\ p + 1 + 2\sqrt{p}]$.
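
The point-finding procedure from the example slide and the Hasse bound, as an added sketch that is not part of the original lecture. The function names are chosen here for illustration, and the exhaustive search only suits small $p$.

```python
def curve_points(a, b, p):
    """Affine points of y^2 = x^3 + ax + b over F_p, found as on the slide:
    try every x and look up which y square to the right-hand side."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
    roots = {}                      # roots[z] = all y with y^2 = z (mod p)
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y)
            for x in range(p)
            for y in roots.get((x**3 + a * x + b) % p, [])]

def group_order(a, b, p):
    """#E(F_p): the affine points plus the point at infinity O."""
    return len(curve_points(a, b, p)) + 1

def within_hasse_bound(N, p):
    """|N - (p + 1)| <= 2*sqrt(p), tested in integers as (N - p - 1)^2 <= 4p."""
    return (N - p - 1) ** 2 <= 4 * p

if __name__ == "__main__":
    pts = curve_points(4, 4, 5)     # the slide's curve y^2 = x^3 + 4x + 4 mod 5
    N = len(pts) + 1
    print(pts, N, within_hasse_bound(N, 5))
```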


Adding Points

All arithmetic operations are performed in $\mathbb{F}_p$.
Unfortunately, the addition of points on an elliptic curve over $\mathbb{F}_p$
does not have the nice geometric interpretation that it does on an
elliptic curve over $\mathbb{R}$.


Adding Points

Let $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$ and $R = (x_R, y_R)$ be points on $E$.

1. Add the point at infinity to itself.
   $O + O = O$
2. Add the point at infinity to any other point.
   $P + O = O + P = P$
3. Add two points with the same x-coordinates and different (or
   equal to 0) y-coordinates: $x_Q = x_P$ and $y_Q = -y_P$.
   $P + Q = O$


Adding Points
4. Add two points with different x-coordinates.
   $P + Q = R$
   $x_R = \lambda^2 - x_P - x_Q$
   $y_R = \lambda(x_P - x_R) - y_P$
   $\lambda = (y_Q - y_P)(x_Q - x_P)^{-1}$


Adding Points
5. Add a point to itself (point doubling).
   $P + P = R$
   $x_R = \lambda^2 - 2x_P$, $y_R = \lambda(x_P - x_R) - y_P$
   $\lambda = (3x_P^2 + a)(2y_P)^{-1}$


Why does adding points work?

The algebraic formula follows the geometric addition. Here is how
it works.
To add two points, $P$ and $Q$, we define $L$ to be the line through $P$
and $Q$. The line $L$ will intersect $E$ in one further point $R'$. If we
reflect $R'$ in the x-axis, then we get a point which we name $R$.
The equation of $L$ is $y = \lambda x + \nu$, where the slope of $L$ is

$$\lambda = \frac{y_Q - y_P}{x_Q - x_P}$$

and

$$\nu = y_P - \lambda x_P = y_Q - \lambda x_Q$$


Why does adding points work?

In order to find the points $E \cap L$, we substitute $y = \lambda x + \nu$ into
the equation $E$, obtaining the following:

$$(\lambda x + \nu)^2 = x^3 + ax + b$$

which is the same as

$$x^3 - \lambda^2 x^2 + (a - 2\lambda\nu)x + b - \nu^2 = 0$$

$E \cap L$ consists of three points, two of which we already know: $P$
and $Q$. The roots of the above equation are the x-coordinates of
the points in $E \cap L$, hence, $x_P$ and $x_Q$ are two of the roots.


Why does adding points work?

Since the equation is cubic, there are three roots. The sum of the
three roots must be the negative of the coefficient of the quadratic
term, or $\lambda^2$. Therefore:

$$x_{R'} = \lambda^2 - x_P - x_Q$$

where $x_{R'}$ is the x-coordinate of the point $R'$. We will denote the
y-coordinate of $R'$ by $-y_R$, so the y-coordinate of $R$ will be $y_R$.
An easy way to compute $y_R$ is to use the fact that the slope of $L$,
namely $\lambda$, is determined by any two points on $L$.


Why does adding points work?

If we use the points $(x_P, y_P)$ and $(x_R, -y_R)$ to compute this slope,
we get:

$$\lambda = \frac{-y_R - y_P}{x_R - x_P}$$

or

$$y_R = \lambda(x_P - x_R) - y_P$$

Note that $x_{R'} = x_R$. Therefore, we derived a formula for
$P + Q = R$ if $P \neq Q$. A formula for $P + Q = R$ if $Q = P$ can be
derived in a similar fashion.


EC Groups

As noted before, elliptic curves mod $p$ are finite sets of points.
The set of points on $E$ forms a group given the + operator. The
group operator is defined using the addition law.
The group is abelian since $P + Q = Q + P$.

Notation:
$E(\mathbb{F}_p)$ denotes an elliptic curve group over $\mathbb{F}_p$.
$\#E(\mathbb{F}_p)$ denotes the order (cardinality) of $E(\mathbb{F}_p)$.


Why do points on an EC form a group?

Definition
A group $(G, \circ)$ is a set $G$ with a binary operation $\circ : G \times G \to G$
such that the following three axioms are satisfied:
Associativity: For all $a, b, c \in G$ the equation
$(a \circ b) \circ c = a \circ (b \circ c)$ holds.
Identity element: There is an element $e \in G$ s.t. for all $a \in G$ the
equation $e \circ a = a \circ e = a$ holds.
Inverse element: For each $a \in G$ there exists an element $b \in G$ s.t.
$a \circ b = b \circ a = e$.


Why do points on an EC form a group?

Q: Does it really work?

Associativity: $(P + Q) + Z \stackrel{?}{=} P + (Q + Z)$
Identity element: What is it?
Inverse element: What is it?


Why do points on an EC form a group?

Associativity: Points can be added in any order.
Identity element: $O$ is an identity with respect to addition.
Inverse element: Every point on $E$ has an inverse with respect to
addition: $P + (-P) = O$ where $P = (x_P, y_P)$ and $-P = (x_P, -y_P)$.

Therefore, $(E, +)$ is a group.
Additionally, the group operator + is commutative since
$P + Q = Q + P$. Hence, $(E, +)$ is an abelian group.


Other Operations

For many of the crypto schemes we need to perform multiplication.
In our case we have the + operator to work with.
Let $k$ be an integer and $P$ a point on $E$. $k \times P$ (or $kP$) is defined
as adding $P$ to itself $k$ times. (Note that we do not define a
multiplication operator over $E$.)
Once we calculate $k \times P$, it is extremely difficult to recover $k$ from
$k \times P$. The only way to recover $k$ from $k \times P$ is to try every
possible repeated addition of $P$.

Q: Does it sound familiar?

Elliptic Curve Discrete Logarithm Problem

Let $P$ be a point on $E$. Compute $Q = k \times P$. Then, ECDLP:
given $P$ and $Q$ compute $k$.
This allows us to translate crypto schemes based on DLP to
EC-based schemes.


Elliptic Curve Cryptography


Elliptic Curve Cryptography

Originally independently proposed by Neal Koblitz (University of
Washington) and Victor Miller (IBM) in 1985.
ECC was proposed as an alternative to other public key encryption
algorithms, for example RSA.
All ECC schemes are public key and are based on ECDLP.


EC Cryptosystems

There are many EC cryptosystems used in practice. We will have a
look at three elliptic curve versions of classical cryptosystems:
1. Diffie-Hellman Key Exchange
2. ElGamal
3. DSA


Why ECC?

The computational overhead of RSA increases with the key length.
Faster computers and better factorization algorithms force us to
use longer keys.
In the case of EC, we are able to use smaller primes, or smaller finite
fields, and achieve a level of security comparable to that for much
larger integers mod $p$.
This allows for much more efficient cryptosystems!


Comparison of Key Lengths

Image retrieved from http://www.nsa.gov/business/programs/elliptic_curve.shtml


Note: The above URL no longer works, and I have been unable to find a replacement URL. See Elliptic curve
cryptography: The serpentine course of a paradigm shift for a historical account for how elliptic curve cryptography
gained acceptance over many years.


Where are EC cryptosystems used?

EC cryptosystems can be used wherever classic cryptosystems are
used.
The main advantage of ECC is lower computational
requirements. For this reason, ECC algorithms can be easily
implemented on smart cards, pagers, or mobile devices. Some
smart cards can only work with ECC.
ECC is also well suited for applications that need long-term
security at a reasonable computational cost.


Changing a Classical Cryptosystem into EC System

There is a general procedure for changing a classical system based
on discrete logarithms into one using elliptic curves:

1. Change modular multiplication to addition of points on an
   elliptic curve.
2. Change modular exponentiation to “multiplying” a point on
   an elliptic curve by an integer.


Representing Plaintext

In most cryptosystems, we need a way of mapping our message
into a numerical value upon which we can perform mathematical
operations.
To use EC cryptosystems, we need to map a message into a point
on an elliptic curve.
Recall that we can use a point on the curve and produce another
point on the curve. EC cryptosystems use the plaintext point on $E$
to yield a new point on $E$ that will serve as a ciphertext.


Encoding Plaintext

The problem of encoding plaintext is quite difficult since there is
no known polynomial time deterministic algorithm for writing down
points on an arbitrary elliptic curve $E$ mod $p$.
However, there are fast probabilistic methods for finding points and
these can be used for encoding messages.
These methods have the property that with small probability they
will fail to produce a point, however, by appropriately choosing
parameters, this probability can be made arbitrarily small.
Example: Koblitz’s Method (see 16.2.3 of Trappe & Washington)


Koblitz’s Method

Main idea: embed a message $m$ represented as a number into the
x-coordinate of a point on $E$.
Because the probability that $m^3 + am + b$ is a square mod $p$ is $\frac{1}{2}$,
we add a few bits at the end of $m$ and adjust them until we get a
square.
The probability that we will fail to find a square (and hence fail to
associate $m$ with a point) is about $\frac{1}{2^k}$.


Koblitz’s Method

Encoding
1. Choose an auxiliary base parameter $k$ and verify that $m$
   satisfies $(m + 1)k < p$.
2. The message $m$ is represented by $x = mk + j$, where $0 \le j < k$.
3. For $j = 0, 1, 2, \ldots, k - 1$, compute $x^3 + ax + b$ and solve for $y$.
4. If there is a square root $y$, then $P_m = (x, y)$, otherwise,
   increment $j$ and try again.
Decoding
1. Compute $m' = \frac{x}{k}$ and set $m$ to be the greatest integer $\le m'$.


Koblitz’s Method Example


Encode
1. Assume that the curve parameters are $p = 179$, $a = 2$, $b = 7$,
   $k = 10$.
2. The message to encode is $m = 5$.
3. First, check $x = mk + 0$. If you can’t solve for $y$, check
   $x = mk + 1$, $x = mk + 2$, and so on.
   $x = 5 \cdot 10 = 50$, no $y$ exists
   $x = 5 \cdot 10 + 1 = 51$,
   $y^2 = 51^3 + 2 \cdot 51 + 7 \equiv 121 \pmod{179}$, so $y = 11$.
4. Create $P_m = (51, 11)$.
Decode
1. Compute $\frac{x}{k} = \frac{51}{10} = 5.1$.
2. Return 5 as the original plaintext.
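
Koblitz's encoding and decoding steps, as an added example that is not part of the original lecture. It assumes $p \equiv 3 \pmod 4$ (true for $p = 179$), so a square root is a single modular exponentiation; the function names are chosen here for illustration.

```python
def sqrt_mod(z, p):
    """A square root of z mod p for p = 3 (mod 4), or None if z is not a square."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    y = pow(z, (p + 1) // 4, p)
    if y * y % p != z % p:
        return None                 # z is a quadratic non-residue
    return min(y, p - y)            # report the smaller of the two roots

def koblitz_encode(m, a, b, p, k):
    """Embed m in the x-coordinate of a point on y^2 = x^3 + ax + b mod p.

    Returns (x, y), or None if none of the k candidates x = mk + j is
    the x-coordinate of a point (probability about 2^-k)."""
    if (m + 1) * k >= p:
        raise ValueError("message too large: need (m + 1) * k < p")
    for j in range(k):              # j = 0, 1, ..., k - 1
        x = m * k + j
        y = sqrt_mod((x**3 + a * x + b) % p, p)
        if y is not None:
            return (x, y)
    return None

def koblitz_decode(point, k):
    """Recover m as the greatest integer <= x / k."""
    return point[0] // k

if __name__ == "__main__":
    Pm = koblitz_encode(5, 2, 7, 179, 10)    # parameters from the slide
    print(Pm, koblitz_decode(Pm, 10))
```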

EC Domain Parameters

EC Domain Parameters yield a set of information for
communication parties to identify a certain elliptic curve group.
The domain parameters comprise:
- finite field $\mathbb{F}_p$
- coefficients $a$ and $b$ of the Weierstrass equation
- base point $G \in E(\mathbb{F}_p)$
- order of $G$
- cofactor $h = \frac{\#E(\mathbb{F}_p)}{n}$, where $n$ is the order of $G$


Diffie-Hellman

Alice and Bob want to exchange a key. In order to do so, they
agree on a prime $p$ and a generator $g$.

1. Alice and Bob choose random integers $k_A$ and $k_B$ respectively.
2. Alice computes $A = g^{k_A}$ and sends it to Bob.
3. Bob computes $B = g^{k_B}$ and sends it to Alice.
4. Alice and Bob compute their key:
   - Alice: $B^{k_A} = g^{k_B k_A}$
   - Bob: $A^{k_B} = g^{k_A k_B}$


EC Diffie-Hellman

Q: What are the rules for changing a classical cryptosystem into an EC
system?


EC Diffie-Hellman

Alice and Bob want to exchange a key. In order to do so, they
agree on an elliptic curve $E$ and a public base point $G$ on $E$.

1. Alice and Bob choose random integers $k_A$ and $k_B$ respectively.
2. Alice computes $A = k_A \times G$ and sends it to Bob.
3. Bob computes $B = k_B \times G$ and sends it to Alice.
4. Alice and Bob compute their key $k_A \times k_B \times G$:
   - Alice: $k_A \times B = k_A \times (k_B \times G)$
   - Bob: $k_B \times A = k_B \times (k_A \times G)$


ElGamal

Recall non-EC version:

1. Alice wants to send a message $m$ s.t. $0 \le m < p$ to Bob.
2. Bob chooses a large prime $p$ and a primitive root $\alpha$. He also
   chooses a secret integer $a$ and computes $\beta \equiv \alpha^a \pmod{p}$.
3. Bob makes $(p, \alpha, \beta)$ his public key and keeps $a$ secret.
4. Alice chooses a random $k$ and computes $y_1$ and $y_2$, where
   $y_1 \equiv \alpha^k$ and $y_2 \equiv \beta^k m \pmod{p}$.
5. She sends $(y_1, y_2)$ to Bob, who then decrypts by calculating
   $m \equiv y_2 y_1^{-a} \pmod{p}$.


EC ElGamal

1. Alice wants to send a message $m$ to Bob.
2. Bob chooses an elliptic curve $E$ mod $p$. He chooses a point $\alpha$
   on $E$ and a secret integer $a$. He computes $\beta = a \times \alpha$.
3. The points $\alpha$ and $\beta$ are made public, while $a$ is kept secret.
4. Alice expresses her message as a point $M$ on $E$. She chooses
   a random $k$, computes $Y_1 = k \times \alpha$ and $Y_2 = M + k \times \beta$, and
   sends the pair $(Y_1, Y_2)$ to Bob.
5. Bob decrypts by calculating $M = Y_2 - a \times Y_1$.


Difficulties with EC ElGamal

There are some practical difficulties in implementing an EC
ElGamal cryptosystem.
Message expansion: ElGamal has a message expansion factor of
two. The EC version has a message expansion factor of about four
because each ciphertext consists of four elements.
Message encoding: The plaintext space consists of points on the
curve $E$ and there is no convenient method to deterministically
generate points on $E$. Koblitz’s method is one approach, but it
might fail on some message values.


A Better Elliptic Curve ElGamal Algorithm

Below is an improved algorithm based on the idea of “blinding” that
allows any message in $\mathbb{Z}_p^*$ to be encrypted.


EC ElGamal (improved version)

1. Alice wants to send a message $m \in \mathbb{Z}_p^*$ to Bob.
2. Bob chooses an elliptic curve $E$ mod $p$. He chooses a point $\alpha$
   on $E$ and a secret integer $a$. He computes $\beta = a \times \alpha$.
3. The points $\alpha$ and $\beta$ are made public, while $a$ is kept secret.
4. Alice chooses a random $k$ and computes $\gamma = k \times \beta$. She then
   computes $Y_1 = k \times \alpha$ and $Y_2 = m x_0 \bmod p$, where $x_0$ is the
   x-coordinate of $\gamma$. She sends the pair $(Y_1, Y_2)$ to Bob.
5. Bob decrypts by calculating $\gamma = a \times Y_1$, letting $x_0$ be the
   x-coordinate of $\gamma$, and then calculating $m = Y_2 x_0^{-1} \bmod p$.
The green formulas show where this algorithm differs from the one
presented before.


Use of blinding

Both versions compute a point $\gamma = k \times \beta$ for a randomly chosen $k$.
In both versions, $\gamma$ is used as a blinding factor. The difference is
how it is used.
In the first algorithm, the point $M$, chosen to represent the real
message $m$, is blinded by adding the point $\gamma$ to it, giving
$Y_2 = M + \gamma = M + k \times \beta$.
In the improved algorithm, the message $m$ is directly blinded with
$x_0$, which is the x-coordinate of the point $\gamma$. This gives
$Y_2 = m x_0 \bmod p$. Note that $Y_2$ is now a number in $\mathbb{Z}_p^*$, not a
point on the elliptic curve.


EC DSA

Alice wants to sign a message $m$ which satisfies $0 \le m \le n$. She
needs to choose a prime $p$ and an elliptic curve $E$.
Alice computes the number of points $n$ on $E$ and chooses a point
$A$ on $E$.
Alice chooses her secret integer $a$ s.t. $1 < a \le n - 1$ and computes
$B = a \times A$.
The public information is $(p, E, n, A, B)$.


EC DSA: Signing

Alice does the following to sign a message $m$:

1. Chooses a random integer $k$ with $1 \le k < n$ and computes
   $R = k \times A = (x, y)$.
2. Computes $s \equiv k^{-1}(m - ax) \pmod{n}$.
3. Sends the signed message $(m, R, s)$ to Bob.


EC DSA: Verification
Bob verifies the signature as follows:

1. Computes $V_1 = x \times B + s \times R$ and $V_2 = m \times A$.
2. Declares the signature valid iff $V_1 = V_2$.
The verification works because

$$\begin{aligned}
V_1 &= x \times B + s \times R \\
    &= xa \times A + k^{-1}(m - ax)(k \times A) \\
    &= xa \times A + (m - ax) \times A \\
    &= m \times A \\
    &= V_2
\end{aligned}$$
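
An added example, not code from the lecture: the addition law (cases 1-5 of the "Adding Points" slides), $k \times P$ by double-and-add, and on top of them EC Diffie-Hellman, the improved EC ElGamal and the signature scheme exactly as given on these slides. The toy curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $G = (5, 1)$ of prime order $n = 19$ and all function names are assumptions made for illustration; $G$ plays the role of $\alpha$ and of $A$.

```python
# Toy domain parameters (constructed for illustration, far too small for real
# use): E: y^2 = x^3 + 2x + 2 over F_17, base point G of prime order n = 19.
p, a, b = 17, 2, 2
G, n = (5, 1), 19
O = None  # the point at infinity

def ec_add(P, Q):
    """Addition law, cases 1-5 of the 'Adding Points' slides."""
    if P is O:
        return Q                                    # cases 1 and 2
    if Q is O:
        return P
    (xP, yP), (xQ, yQ) = P, Q
    if xP == xQ and (yP + yQ) % p == 0:
        return O                                    # case 3: Q = -P
    if P == Q:                                      # case 5: doubling
        lam = (3 * xP * xP + a) * pow(2 * yP, -1, p)
    else:                                           # case 4
        lam = (yQ - yP) * pow((xQ - xP) % p, -1, p)
    xR = (lam * lam - xP - xQ) % p
    return (xR, (lam * (xP - xR) - yP) % p)

def ec_mul(k, P):
    """k x P by double-and-add: O(log k) additions instead of k."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def ecdh_shared(k_own, peer_point):
    """EC Diffie-Hellman: each side multiplies the peer's point by its secret."""
    return ec_mul(k_own, peer_point)

def elgamal_encrypt(m, beta, k):
    """Improved EC ElGamal: blind m in Z_p^* with the x-coordinate of k x beta."""
    gamma = ec_mul(k, beta)
    if gamma is O or gamma[0] == 0:
        raise ValueError("x0 is not invertible mod p; choose another k")
    return ec_mul(k, G), (m * gamma[0]) % p

def elgamal_decrypt(Y1, Y2, a_secret):
    x0 = ec_mul(a_secret, Y1)[0]                    # gamma = a x Y1
    return (Y2 * pow(x0, -1, p)) % p

def sign(m, a_secret, k):
    """Signing slide: R = k x A, s = k^-1 (m - a x) mod n, with A = G."""
    R = ec_mul(k, G)
    return R, pow(k, -1, n) * (m - a_secret * R[0]) % n

def verify(m, R, s, B):
    """Verification slide: accept iff x x B + s x R == m x A."""
    return ec_add(ec_mul(R[0], B), ec_mul(s, R)) == ec_mul(m, G)

if __name__ == "__main__":
    B = ec_mul(5, G)                                # public key for secret a = 5
    print("ECDH:", ecdh_shared(3, ec_mul(7, G)), ecdh_shared(7, ec_mul(3, G)))
    print("ElGamal:", elgamal_decrypt(*elgamal_encrypt(11, B, 3), 5))
    R, s = sign(8, 5, 3)
    print("signature valid:", verify(8, R, s, B))
```

The `ValueError` branch covers a case the slides leave implicit: when $\gamma$ has x-coordinate 0 (or is $O$), $x_0^{-1}$ does not exist and Bob could not decrypt, so Alice has to pick a different $k$.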


Choosing Elliptic Curves

A list of elliptic curves recommended by NIST for cryptographic
uses is specified in FIPS PUB 186-4 (Appendix D).
http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf


NIST Suggested Curve P-192

Prime modulus p
6277101735386680763835789423207666416083908700390324961279
Order n
6277101735386680763835789423176059013767194773182842284081
Coefficient a
64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1
Coefficient b
3099d2bb bfcb2538 542dcd5f b078b6ef 5f3d6fe2 c745de65
The base point x coordinate Gx
188da80e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012
The base point y coordinate Gy
07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811


Additional Resources

ECC Tutorial, Certicom.
https://www.certicom.com/content/certicom/en/ecc-tutorial.html

Douglas Stinson, “Cryptography: Theory and Practice”, Second
Edition, 2002.
Wade Trappe and Lawrence C. Washington, “Introduction to
Cryptography with Coding Theory”, Second Edition, 2006.
