Elliptic Curve Cryptography

Dan Boneh
Stanford University

Diophantus (200-300 AD, Alexandria)
Interested in rational points on curves
• rational number: 1/2, 13/8, but not sqrt(2)
• rational point: (x, y) where x and y are rational
Example: what are the rational points on the curve x² + y² = 1 ?
Known points: (0, 1), (-1, 0), (4/5, 3/5)
s rational ⇒ ( (s² − 1)/(s² + 1) , 2s/(s² + 1) ) is on the curve

Thm: all rational points are obtained this way [except for (1,0)]
Diophantus (200-300 AD, Alexandria)
Studied many similar problems: find rational points on
x² + 2y² = 11 , 2x² − y² = 2 , …
Wrote 13 books of Arithmetica … six survived (four in Vatican library)

Problem 24 Book IV: find rational points on y² = x³ − x + 9
Examples: (1, ±3), (0, ±3), (-1, ±3). Are there more?
Elliptic curves
Def: a (rational) elliptic curve is a curve y² = x³ + ax + b
where a, b are (rational) constants (and 4a³ + 27b² ≠ 0)

Diophantus’ curve y² = x³ − x + 9 (a = -1, b = 9)

Symmetric about x-axis: (x, y) ⇒ (x, -y)

“Why ellipses are not elliptic curves,” A. Rice, E. Brown, 2012
An observation
E: y² = x³ + ax + b
Fact: if P and Q are rational points on E, then so is R, the third point where the line through P and Q meets E
Gives an algorithm to build rational points:
P = (0, -3), Q = (1, 3) ⇒ R = (35, 207)
P, -R ⇒ S = (−1259/1225, 128211/42875)
⋮ ⋮ ⋮
“Diophantus and Diophantine Equations,” Bashmakova, 1997
Point addition

Define: P ⊞ Q = -R (R is the third intersection of the line through P and Q with E)

Why define this way? Associativity!

(P ⊞ Q) ⊞ T = P ⊞ (Q ⊞ T)

⇒ simply write: P ⊞ Q ⊞ T
What if P == Q ?? (point doubling)
E: y² = x³ + ax + b
How to define P ⊞ P ?? Use the tangent line at P: it meets E in one more point R.
Define P ⊞ P = -R

Write: 2P = P ⊞ P, 3P = P ⊞ P ⊞ P, 4P = P ⊞ P ⊞ P ⊞ P, … (not always new)
New rational points 2P, 3P, … from one rational point P
Last corner case
What is P ⊞ (-P) ??

O: the point “at infinity”

Define: P ⊞ (-P) = O

P ⊞ O = P
Summary: adding points
E: y² = x³ + ax + b
points on E: P = (x1, y1), Q = (x2, y2), R = P ⊞ Q (not O)

if P = -Q:          ⇒ R = O
else if P = Q:      ⇒ k = (3x1² + a) / (2y1)
else (P ≠ ±Q):      ⇒ k = (y2 − y1) / (x2 − x1)

xR = k² − x1 − x2
yR = −y1 − k(xR − x1)
R = (xR, yR)
Back to Diophantus
Rational points on E: y² = x³ − x + 9

P = (1, 3), 2P = (−17/9, −55/27), 3P = (664/13², −17811/13³), 4P = (257299/165², 130479157/165³), ...

Q = (0, −3), 2Q = (1/36, 647/216), 3Q = (46584, −10054377)

P − Q = (−1, −3), 2P + Q = (621/17², 20121/17³), P + 2Q = (−1259/35², −128211/35³), ...

Thm: all rational points on E are obtained as uP + vQ for u, v ∈ ℤ

⇒ “generated” by two points P and Q ⇒ rank(E) = 2

“Elliptic Curves from Mordell to Diophantus and Back,” E. Brown, B. Myers, 2002
Curves modulo primes
Let p be a prime. Let Fp = {0, 1, …, p-1}

What are the points (x, y) in Fp × Fp satisfying:

y² ≡ x³ + ax + b (mod p)

Example: nine points on y² = x³ − x + 9 (mod 7)

O, (1, ±3), (0, ±3), (-1, ±3), (2, ±1)

e.g., the point (2, 1): 1² ≡ 2³ − 2 + 9 (mod 7)
The number of points
Adding points: use addition formulas “mod p”

(-1, 3) ⊞ (0, -3) = (2, 1) (mod 7)

⇒ addition rule on nine points (mod 7)

Hasse-Weil bound (1949): for all primes p and a, b:

number of points on y² ≡ x³ + ax + b (mod p) is “about” p

We have efficient algorithms to compute exact # of points: time = poly(log p)
Why are you telling us all this?

What does this have to do with secure communication?
Diffie, Hellman, Merkle: 1976
Where do shared secret keys come from?
A remarkable solution: (basic) Diffie-Hellman
Fix prime p and g ∈ Fp

random a:  A ← g^a (mod p)                   random b:  B ← g^b (mod p)
                      (A and B are exchanged)
B^a → (g^b)^a → g^ab ← (g^a)^b ← A^b
Security of Diffie-Hellman (eavesdropping only)

public: p and g

random a:  A ← g^a (mod p)                   random b:  B ← g^b (mod p)

Eavesdropper sees: p, g, A = g^a (mod p), and B = g^b (mod p)

Can she compute g^ab (mod p) ??

CDH problem (mod p): given random (g, g^a, g^b) compute g^ab (mod p)
How hard is CDH mod p ??
Best known algorithm (GNFS): for n-digit prime, time ≈ 2^Õ(∛n)

⇒ far faster than “exponential” time O(2^n)

⇒ World record: 180-digit prime (2014, ≈50 core years)

In practice, 617-digit primes (2048 bits) are used
(for “comparable” security to AES-128)
Can we use elliptic curves instead ?? (1985)

Fix prime p, curve y² = x³ + ax + b (mod p), and point P on curve

random u:  A ← u⋅P (mod p)                   random v:  B ← v⋅P (mod p)

u⋅B → u⋅(v⋅P) → (uv)⋅P ← v⋅(u⋅P) ← v⋅A
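The group law of the “Summary: adding points” slide, the rational points of “Back to Diophantus”, the nine points mod 7, and the exchange just shown, all in one added Python example (illustration code added here, not code from the lecture or from any library). It assumes the NIST P-256 constants b and G, which are the standard’s published values and are not on the slides (p and a = -3 are); everything else is built from the slides’ own numbers. The addition law is written once and parameterised by the division operation, so the same function serves ℚ and 𝔽p.

```python
from fractions import Fraction
import secrets

# Added worked example, not code from the slides: the chord-and-tangent addition
# law of the lecture on y^2 = x^3 + a*x + b, written once and used over Q
# (Diophantus' curve), over F_p (the nine points mod 7), and for the
# elliptic-curve Diffie-Hellman exchange, here on NIST P-256.

O = None  # the point "at infinity", identity of the ⊞ operation


def rational_div(n, d):
    return Fraction(n) / Fraction(d)


def modular_div(p):
    """Division in F_p (p prime) via the modular inverse."""
    return lambda n, d: (n * pow(d, -1, p)) % p


def ec_add(P, Q, a, div, mod=None):
    """P ⊞ Q following the lecture's case split; coordinates reduced mod p if mod is set."""
    if P is O:
        return Q
    if Q is O:
        return P
    norm = (lambda v: v % mod) if mod else (lambda v: v)
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and norm(y1 + y2) == 0:   # P = -Q  =>  R = O
        return O
    if P == Q:                            # tangent slope (point doubling)
        k = div(3 * x1 * x1 + a, 2 * y1)
    else:                                 # chord slope through P and Q
        k = div(y2 - y1, x2 - x1)
    x3 = norm(k * k - x1 - x2)            # third intersection of the line with E,
    y3 = norm(k * (x1 - x3) - y1)         # reflected about the x-axis: that is -R
    return (x3, y3)


def ec_mul(n, P, a, div, mod=None):
    """n·P = P ⊞ P ⊞ ... ⊞ P by double-and-add."""
    R = O
    while n:
        if n & 1:
            R = ec_add(R, P, a, div, mod)
        P = ec_add(P, P, a, div, mod)
        n >>= 1
    return R


# Diophantus' curve y^2 = x^3 - x + 9 over Q (a = -1, b = 9), P and Q as on the slides
A_DIO = -1
P_DIO = (Fraction(1), Fraction(3))
Q_DIO = (Fraction(0), Fraction(-3))


def rat_add(P, Q):
    return ec_add(P, Q, A_DIO, rational_div)


def rat_mul(n, P):
    return ec_mul(n, P, A_DIO, rational_div)


def rat_neg(P):
    return (P[0], -P[1])


def points_mod_p(a, b, p):
    """O plus every (x, y) in F_p x F_p with y^2 = x^3 + a x + b (brute force)."""
    return [O] + [(x, y) for x in range(p) for y in range(p)
                  if (y * y - (x ** 3 + a * x + b)) % p == 0]


def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


# NIST P-256: p is the prime from the slides, a = -3; b and the base point G are
# the standard's published constants (assumed correct here, not taken from the slides).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
P256_N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # order of G


def ecdh_p256(u=None, v=None):
    """Alice picks u, Bob picks v; returns (A, B, Alice's shared point, Bob's shared point)."""
    div = modular_div(P256_P)
    u = u or secrets.randbelow(P256_N - 1) + 1
    v = v or secrets.randbelow(P256_N - 1) + 1
    A = ec_mul(u, P256_G, P256_A, div, P256_P)   # Alice publishes A = u·P
    B = ec_mul(v, P256_G, P256_A, div, P256_P)   # Bob publishes   B = v·P
    return A, B, ec_mul(u, B, P256_A, div, P256_P), ec_mul(v, A, P256_A, div, P256_P)


if __name__ == "__main__":
    print("2P =", rat_mul(2, P_DIO), "3P =", rat_mul(3, P_DIO))
    print("points mod 7:", points_mod_p(-1, 9, 7))
    A, B, ka, kb = ecdh_p256()
    print("ECDH on P-256, both sides agree:", ka == kb)
```

Running it reproduces the slide’s values (2P = (−17/9, −55/27), 3Q = (46584, −10054377), the nine points mod 7) and completes an affine P-256 exchange; the same `ec_add` handles the P = -Q, P = Q and P ≠ ±Q cases of the summary slide. Affine arithmetic with one modular inverse per step is fine for seeing the algebra, but production code uses projective coordinates and constant-time ladders, which this teaching version deliberately does not.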
How hard is CDH on curve?
CDH problem on curve: given P, u⋅P, v⋅P ⇒ compute (uv)⋅P
Best known algorithm: for n-digit prime p
    CDH(EC) time is √p ≈ 2^O(n)
    CDH(mod p) time is 2^Õ(∛n)
⇒ same security with smaller prime

In practice 77-digit primes (256 bits) are used
(also Bitcoin signatures)
• 10x faster than comparable (mod p) security
What curve should we use?
NIST standard (FIPS 186-3 appendix A): y² = x³ − 3x + b (mod p)

p = 2^256 − 2^224 + 2^192 + 2^96 − 1

# points mod p ≈ 2^256

point P = (Px, Py)

Of the Web sites that support ECDHE … 96.1% use P-256 [HABJ’14]
Where does P-256 come from?
FIPS 186-3 appendix D.1.2.3:   ???  →  SHA-1  →  P-256 parameters

How hard is CDH on this curve? Unknown …

Alternative curve: Curve25519 (no unexplained constants)

y² = x³ + 486662⋅x² + x in 𝔽p where p = 2^255 − 19
Optimizations
Can we make the addition law faster? Ex: Edwards coordinates

Change of coordinates gives: x² + y² = 1 + dx²y²   (pictured with d = -100)

A complete addition rule

“Faster Addition and Doubling on Elliptic curves,” D. Bernstein and T. Lange, 2007
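An added example (not from the slides, and not Bernstein and Lange’s own software) of what “complete” means for the Edwards addition rule: the formula below has no case split and no point at infinity, and an exhaustive check over a constructed toy field shows it never divides by zero and always lands back on the curve when d is a non-square. The parameters p = 13 and d = 2 are assumptions chosen for the demo (2 is a non-square mod 13); the slide’s d = -100 is a picture over the reals.

```python
# Added example, not from the slides: Edwards addition on x^2 + y^2 = 1 + d x^2 y^2
# over F_p and an exhaustive completeness check. Toy parameters (constructed):
# p = 13 and d = 2, which is not a square mod 13.

P_MOD = 13
D_NONSQ = 2


def is_square(v, p):
    """Euler's criterion: a non-zero v is a square mod p iff v^((p-1)/2) = 1."""
    return pow(v % p, (p - 1) // 2, p) == 1


def edwards_points(d, p):
    """All (x, y) in F_p x F_p on x^2 + y^2 = 1 + d x^2 y^2 (brute force)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (x * x + y * y - 1 - d * x * x * y * y) % p == 0]


def edwards_add(P, Q, d, p):
    """One formula for every pair, doubling included:
    (x1,y1) + (x2,y2) = ((x1 y2 + y1 x2)/(1 + d x1 x2 y1 y2), (y1 y2 - x1 x2)/(1 - d x1 x2 y1 y2)).
    Identity is (0, 1) and -(x, y) = (-x, y)."""
    x1, y1 = P
    x2, y2 = Q
    t = d * x1 * x2 * y1 * y2 % p
    den_x = (1 + t) % p
    den_y = (1 - t) % p
    if den_x == 0 or den_y == 0:
        raise ZeroDivisionError("exceptional pair")   # never happens for non-square d
    x3 = (x1 * y2 + y1 * x2) * pow(den_x, -1, p) % p
    y3 = (y1 * y2 - x1 * x2) * pow(den_y, -1, p) % p
    return (x3, y3)


def addition_is_complete(d, p):
    """True iff every ordered pair of curve points has non-zero denominators
    and its sum is again a point of the curve."""
    pts = edwards_points(d, p)
    on_curve = set(pts)
    for P in pts:
        for Q in pts:
            try:
                if edwards_add(P, Q, d, p) not in on_curve:
                    return False
            except ZeroDivisionError:
                return False
    return True


def edwards_mul(n, P, d, p):
    """n·P by repeated addition, using the single formula for the doublings too."""
    R = (0, 1)
    for _ in range(n):
        R = edwards_add(R, P, d, p)
    return R


if __name__ == "__main__":
    print("d =", D_NONSQ, "is a square mod", P_MOD, ":", is_square(D_NONSQ, P_MOD))
    print("addition law complete:", addition_is_complete(D_NONSQ, P_MOD))
    print("4 * (1, 0) =", edwards_mul(4, (1, 0), D_NONSQ, P_MOD))
```

The point (1, 0) has order 4, so 4·(1, 0) returns to the identity (0, 1); the check walks every ordered pair of points, which is what makes the completeness claim exhaustive for the toy field rather than spot-checked. The same formula’s lack of special cases is what lets an implementation avoid data-dependent branches.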
What does NSA say?
https://www.nsa.gov/business/programs/elliptic_curve.shtml (Jan. 2009)
What does NSA say?
Then in August 2015:

For those partners and vendors that have not yet made
the transition to Suite B elliptic curve algorithms,
we recommend not making a significant expenditure to
do so at this point but instead to prepare for the upcoming
quantum resistant algorithm transition.

“A Riddle Wrapped in an Enigma,” N. Koblitz, A. Menezes, 2015.

Quantum computing fears?
Quantum computers are good at finding periods:
f : ℤn ⟶ S has period π ∈ ℤn if ∀x ∈ ℤn: f(x+π) = f(x)
Fact (Shor’94): a quantum algorithm can find the period π
in time log²(‖π‖₂) given an oracle for f.

Discrete-log problem: G group of order q with generator g ∈ G

given g, h ∈ G, find α ∈ ℤ s.t. h = g^α
Define: f(x,y) = g^x ⋅ h^y. Period: f(x,y) = f(x+α, y-1) ⇒ π = (α, -1)
⇒ quantum algorithm can find α in time O(log³ q) !!
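The reduction on this slide, checked classically in an added example (not from the lecture): f(x, y) = g^x ⋅ h^y is built in a constructed toy group (the order-11 subgroup of ℤ₂₃* generated by 2), a brute-force search stands in for the quantum period finder, and α is read off from the period exactly as the slide describes. Only the period finding is quantum; the bookkeeping around it is ordinary modular arithmetic, which is the point the example makes.

```python
# Added example, not from the slides: discrete log via period finding, with an
# exhaustive classical search playing the role of Shor's quantum period finder.
# Toy group (constructed): g = 2 generates the subgroup of order q = 11 in Z_23^*.

P_MOD, Q_ORD, G_GEN = 23, 11, 2   # 2^11 = 2048 = 89*23 + 1, so 2 has order 11 mod 23


def f(x, y, h):
    """f(x, y) = g^x * h^y in G, as a function on Z_q x Z_q."""
    return (pow(G_GEN, x % Q_ORD, P_MOD) * pow(h, y % Q_ORD, P_MOD)) % P_MOD


def is_period(pi, h):
    """True iff f(x + pi1, y + pi2) = f(x, y) for every (x, y) in Z_q x Z_q."""
    p1, p2 = pi
    return all(f(x + p1, y + p2, h) == f(x, y, h)
               for x in range(Q_ORD) for y in range(Q_ORD))


def find_period(h):
    """Classical stand-in for the quantum period finder: exhaustive search for a
    period with non-zero second component, which is what pins down alpha."""
    for p1 in range(Q_ORD):
        for p2 in range(1, Q_ORD):
            if is_period((p1, p2), h):
                return (p1, p2)
    return None


def dlog_from_period(pi):
    """Any period (pi1, pi2) with pi2 != 0 gives alpha: g^pi1 * h^pi2 = 1 means
    g^(pi1 + alpha*pi2) = 1, so alpha = -pi1 / pi2 (mod q).  The slide's
    period (alpha, -1) is the special case pi2 = -1."""
    p1, p2 = pi
    return (-p1 * pow(p2, -1, Q_ORD)) % Q_ORD


def dlog(h):
    """Solve h = g^alpha by period finding, as on the slide."""
    return dlog_from_period(find_period(h))


if __name__ == "__main__":
    alpha = 7
    h = pow(G_GEN, alpha, P_MOD)
    print("slide's period (alpha, -1) works:", is_period((alpha, -1), h))
    print("period found:", find_period(h), "-> alpha =", dlog(h))
```

The exhaustive search costs q² evaluations of f, which is exactly the exponential work the quantum period finder avoids; everything else (building f, converting a period into α) is cheap and is the same in the quantum version.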
Additional Structure on elliptic curves:

Pairing-based Cryptography

(figure: two points P, Q on the curve mapped to e(P,Q))
A new tool: pairings
A. Weil (1949): a pairing ê(P, Q) on elliptic curves
s.t. for all points P, Q and integers u, v :

ê(uP, vQ) = ê(P, Q)^(u·v)

V. Miller (1986): pairing is efficiently computable!

(figure: u⋅P and v⋅Q on the curve over 𝔽p map to e(P,Q)^uv in 𝔽p^α, with u, v unknown)
Applications of pairings
Many many applications for pairings:
• New signatures: BLS sigs., group signatures, ring signatures
• Encryption: Identity-based encryption, attribute-based
encryption, searchable encryption, broadcast encryption
• Short non-interactive proofs, adaptive oblivious transfer

Another look at Diffie-Hellman:
non-interactive key exchange
Facebook: g^a, g^b, g^c, g^d, ⋯

Alice (a), Bob (b), Claire (c), David (d), ⋯

Alice and Claire each compute K_AC = g^ac
What about n-way Diffie-Hellman?
Facebook: g^a, g^b, g^c, g^d   (n = 4)

Alice (a), Bob (b), Claire (c), David (d), ⋯

Alice, Bob, Claire and David each compute K_ABCD
3-way Diffie-Hellman from pairings
Facebook: g^a, g^b, g^c, g^d

Alice (a), Bob (b), Claire (c), David (d), ⋯

K_ABD = e(g,g)^abd
3-way Diffie-Hellman from pairings
Facebook: g^a, g^b, g^c, g^d

Alice (a), Bob (b), Claire (c), David (d), ⋯

e(g^b, g^d)^a = e(g^a, g^d)^b = K_ABD = e(g^a, g^b)^d
Practical n-way Diffie-Hellman ??

Open problem: practical n-way DH for n > 3

useful for secure group messaging

B-Zhandry’13: polynomial time, but impractical construction
THE END

Hope you enjoyed the class !!