
Week 1

1. The document discusses elliptic curves and their use in cryptography. It defines an elliptic curve as the set of points that satisfy the equation y^2 = x^3 + ax + b.
2. It provides examples of adding points on elliptic curves over the real numbers and integers modulo a prime number. The addition of two points P and Q is computed by finding the slope of the line between them and the third point of intersection with the curve.
3. Elliptic curves can be used for public-key cryptography based on the difficulty of computing scalar multiples of a point on the curve.

Uploaded by

hadiqhusnain
Copyright
© © All Rights Reserved

MATH36206 Advanced Cryptology Week 1

1 Elliptic Curves
An elliptic curve, E, is the set of all points that are solutions to $y^2 = x^3 + ax + b$, including a point O at infinity.

1.1 example of an elliptic curve


Let a = 1, and b = 6. Then the solutions for $y^2 = x^3 + x + 6$ are illustrated as follows:

We can see that (−1, −2) ∈ E and that (2, 4) ∈ E.


1.2 adding points on the curve


Let the addition of any two points, $(x_1, y_1)$ and $(x_2, y_2)$ in E, be performed by drawing a line between the points and determining the third point, $(x_3, y_3)$, where the line intersects the curve... and then negating the y-coordinate (flipping the point about the x-axis).

When we add (−1, −2) to (2, 4) we get to the point (3, 6) which we flip to (3, −6).
So for this particular curve we have that (−1, −2) + (2, 4) = (3, −6).

The line shown is described by the equation $y = \lambda x + v$, with a slope of $\lambda = \frac{-2 - 4}{-1 - 2} = 2$, and a y-intercept of $v = 4 - 2(2) = 0$.


1.3 adding a point to itself on the curve


Adding a point, $(x_1, y_1)$, to itself in E is performed by drawing a tangent line and determining the other point where the tangent line intersects the curve... and then negating the y-coordinate (flipping the point about the x-axis).

When we add (2, 4) to itself we get to the point (−1.359, −1.459) which we flip to (−1.359, 1.459).
So for this particular curve we have that (2, 4) + (2, 4) ≈ (−1.359, 1.459).

The line shown is described by the equation $y = \lambda x + v$, with a slope of $\lambda = \frac{13}{8}$, and a y-intercept of $v = 4 - \frac{13}{8}(2) = 0.75$.

The slope is obtained by taking the derivative (wait what... calculus in crypto?) of $y^2 = x^3 + x + 6$ at x = 2 and y = 4:

$$
\begin{aligned}
y^2 &= x^3 + x + 6 \\
2y^1 y' &= 3x^2 + 1 + 0 \\
y' &= \frac{3x^2 + 1}{2y} \\
y' &= \frac{3(2)^2 + 1}{2(4)} \\
y' &= \frac{13}{8}
\end{aligned}
$$


1.4 elliptic curve equations


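Let $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ be points in E. Then $P + Q = R = (x_3, y_3)$ where:

$$y^2 = x^3 + ax + b \tag{1}$$
$$y = \lambda x + v \tag{2}$$
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & P \neq Q \\[1ex] \dfrac{3x_1^2 + a}{2y_1} & P = Q \end{cases} \tag{3}$$
$$x_3 = \lambda^2 - x_2 - x_1 \tag{4}$$
$$y_3 = -\lambda(x_3 - x_1) - y_1 \tag{5}$$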

1.5 P + Q example; P ≠ Q
Adding P = (−1, −2) to Q = (2, 4):

$$
\begin{aligned}
\lambda &= \frac{4 - (-2)}{2 - (-1)} = 2 \\
x_3 &= (2)^2 - 2 - (-1) = 3 \\
y_3 &= -2(3 - (-1)) - (-2) = -6
\end{aligned}
$$

We get R = (3, −6).

1.6 P + Q example; P = Q (in other words, P + P )


Adding P = (2, 4) to Q = (2, 4) (in other words, adding P = (2, 4) to itself):

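$$
\begin{aligned}
\lambda &= \frac{3(2)^2 + 1}{2(4)} = \frac{13}{8} \\
x_3 &= \left(\frac{13}{8}\right)^2 - 2 - 2 = -1.359375 \\
y_3 &= -\frac{13}{8}(-1.359375 - (2)) - (4) \approx 1.458984375...
\end{aligned}
$$
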
We get R = (−1.359375, 1.458984375...).

1.7 to infinity (and beyond!)


Adding P = (2, 4) to Q = (2, −4):

$$\lambda = \frac{-4 - (4)}{2 - (2)} \text{ is undefined}$$

We get R = O (the point at infinity).

Note that for any point P in E we define P + O = P , and O + P = P .


1.8 elliptic curves over $\mathbb{Z}_p$


An elliptic curve, E, over $\mathbb{Z}_p$ is the set of all integer solutions to $y^2 \equiv x^3 + ax + b \bmod p$, including a point O at infinity.

1.9 example of an elliptic curve over $\mathbb{Z}_p$


Let a = 1, b = 6, and p = 11. Then the solutions for $y^2 = x^3 + x + 6 \bmod 11$ are illustrated as follows:

We can see that (−1, −2) ≡ (10, 9) mod 11 ∈ E and that (2, 4) ∈ E. We can’t see the point O
(because it’s at infinity) but we still count it to determine the number of points in E:

|E| = 12 + 1 = 13

Before when we added these points on the real curve (by determining the line and finding the
other point) we got (−1, −2) + (2, 4) = (3, −6). We can still add these points but now we will get
(10, 9) + (2, 4) = (3, 5). This is done by ditching the geometrical interpretation (because there is
no “line” anymore!) and using equations (3), (4), (5), all mod p:

$$\lambda = \begin{cases} (y_2 - y_1)(x_2 - x_1)^{-1} \bmod p & P \neq Q \\ (3x_1^2 + a)(2y_1)^{-1} \bmod p & P = Q \end{cases}$$
$$x_3 = \lambda^2 - x_2 - x_1 \bmod p$$
$$y_3 = -\lambda(x_3 - x_1) - y_1 \bmod p$$


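1.10 P + Q example; P ≠ Q, $y^2 = x^3 + x + 6 \bmod 11$


Adding P = (10, 9) to Q = (2, 4):

$$
\begin{aligned}
\lambda &= (4 - 9)(2 - 10)^{-1} \bmod 11 \\
&= (-5)(-8)^{-1} \bmod 11 \\
&= (6)(3)^{-1} \bmod 11 \\
&= (6)(4) \bmod 11 \qquad \text{4 is the inverse of 3 mod 11...} \\
&= 24 \bmod 11 \\
&= 2
\end{aligned}
$$

$$
\begin{aligned}
x_3 &= 2^2 - 2 - 10 \bmod 11 \\
&= -8 \bmod 11 \\
&= 3
\end{aligned}
$$

$$
\begin{aligned}
y_3 &= -2(3 - 10) - 9 \bmod 11 \\
&= 5
\end{aligned}
$$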

We get R = (3, 5).


Exercises
1.1 For the elliptic curve, E, described by $y^2 = x^3 + x + 6$:

a) Is (−1, 2) ∈ E?

b) Is (0, 6) ∈ E?
c) Is (4, 2) ∈ E?

d) Is (5, 136) ∈ E?
e) Evaluate P + Q if P = (3, −6) and Q = (−1, 2) by manually computing the slope, the
equation of the line, and the result, R.
f) Evaluate P + Q if P = Q = (3, −6) by manually computing the slope, the equation of
the line, and the result, R.

1.2 For the elliptic curve, E, described by $y^2 = x^3 - 4x + 2$:

a) Is (2, 0) ∈ E?

b) Is (0, 2) ∈ E?
c) Evaluate P + Q if $P = (0, \sqrt{2})$ and $Q = (2, \sqrt{2})$ by manually computing the slope, the equation of the line, and the result, R.

d) Evaluate P + Q if P = Q = (−0.5, 3.875) by manually computing the slope, the
equation of the line, and the result, R.

1.3 For the elliptic curve, E, over $\mathbb{Z}_{11}$ described by $y^2 = x^3 + x + 6 \bmod 11$:

a) Evaluate P + Q if P = (8, 8) and Q = (2, 7) by manually computing the slope and the
result.
b) Evaluate 3P if P = (10, 9) by manually computing all slopes and results.

1.4 For the elliptic curve, E, over $\mathbb{Z}_7$ described by $y^2 = x^3 - 4x + 2 \bmod 7$:

a) Evaluate P + Q if P = (4, 1) and Q = (2, 3) by manually computing the slope and the
result.
b) Evaluate 8P if P = (0, 3) by manually computing all slopes and results.


1.11 Multiplicative Order


The order of an integer α mod n is the smallest positive integer k such that $\alpha^k \equiv 1 \bmod n$. For example the order of 3 mod 11 is 5, because $3^5 \equiv 1 \bmod 11$.

1.12 DSA
Let α and β be integers in $\mathbb{Z}_p$ where α has order q and:

$$\beta = \alpha^a \bmod p$$

• 0 ≤ a ≤ q − 1, and q divides p − 1

• (β, α, p, q) is the public key

• a is the private key

1.13 DSA Signature


Sign the message x using random integer k where 1 ≤ k ≤ q − 1, and hash function h:

sig(x, k) = (γ, δ)

• $\gamma = (\alpha^k \bmod p) \bmod q$

• $\delta = (h(x) + a\gamma)k^{-1} \bmod q$

1.14 DSA Verification


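Verify by computing $e_1$ and $e_2$ and checking if $(\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = \gamma$:

$$\mathrm{ver}(x, (\gamma, \delta)) = \text{true} \iff (\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = \gamma$$

• $e_1 = h(x)\delta^{-1} \bmod q$

• $e_2 = \gamma\delta^{-1} \bmod q$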
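
The DSA key conditions, signing and verification of sections 1.12 to 1.14, as an added Python example that is not part of the original notes. The parameters p = 11, q = 5, α = 3 reuse the order example of section 1.11; the function names are this example's own, and h(x) is passed in as an integer rather than computed by a hash function.

```python
# Constructed toy parameters: alpha = 3 has order q = 5 mod p = 11 (section 1.11).
p, q, alpha = 11, 5, 3

def mult_order(g, n):
    """Smallest k >= 1 with g^k = 1 mod n; assumes gcd(g, n) = 1."""
    k, x = 1, g % n
    while x != 1:
        k, x = k + 1, x * g % n
    return k

def params_ok(p, q, alpha):
    """Conditions from section 1.12: q divides p - 1 and alpha has order q."""
    return (p - 1) % q == 0 and mult_order(alpha, p) == q

def public_key(a):
    """beta = alpha^a mod p for a private key 0 <= a <= q - 1."""
    return pow(alpha, a, p)

def dsa_sign(h, k, a):
    """(gamma, delta) for hash value h, per-signature k in [1, q-1], private key a."""
    gamma = pow(alpha, k, p) % q
    delta = (h + a * gamma) * pow(k, -1, q) % q
    if gamma == 0 or delta == 0:
        raise ValueError("gamma or delta is 0: pick a different k")
    return gamma, delta

def dsa_verify(h, sig, beta):
    """True iff (alpha^e1 * beta^e2 mod p) mod q equals gamma."""
    gamma, delta = sig
    if not (0 < gamma < q and 0 < delta < q):
        return False  # also ensures delta has an inverse mod q
    w = pow(delta, -1, q)
    e1, e2 = h * w % q, gamma * w % q
    return pow(alpha, e1, p) * pow(beta, e2, p) % p % q == gamma
```

With the constructed private key a = 2 (so β = 9), hash value 3 and k = 2, signing gives (γ, δ) = (4, 3), which verifies against β.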


1.15 Order of a point on an elliptic curve


The order of a point P on an elliptic curve E is the smallest positive integer k such that kP = O (where O is the point at infinity). For example the order of the point A = (8, 8) on the elliptic curve, E, over $\mathbb{Z}_{11}$ described by $y^2 = x^3 + x + 6 \bmod 11$ is 13, because 13A = O.

1.16 ECDSA
Let A and B be points on an elliptic curve E where A has prime order q and:

B = mA

• 0 ≤ m ≤ q − 1

• (A, B, E, q) is the public key

• m is the private key

1.17 ECDSA Signature


Sign the message x using random integer k where 1 ≤ k ≤ q − 1, and hash function h:

sig(x, k) = (r, s)

• kA = (u, v)

• r = u mod q

• $s = (h(x) + mr)k^{-1} \bmod q$

1.18 ECDSA Verification


Verify by computing i and j and checking if u mod q = r:

ver(x, (r, s)) = true ⇐⇒ u mod q = r

• $i = h(x)s^{-1} \bmod q$

• $j = r \cdot s^{-1} \bmod q$

• (u, v) = iA + jB


1.19 ECDSA example


Use the elliptic curve, E, over $\mathbb{Z}_{11}$ described by $y^2 = x^3 + x + 6 \bmod 11$ to sign a message x with hash h(x) = 2 using the public key (A = (8, 8), B = (3, 6), E, q = 13), random k = 5, and private key m = 7:

$$kA = 5(8, 8) = 2(8, 8) + 2(8, 8) + 1(8, 8)$$

(8, 8) + (8, 8):

$$
\begin{aligned}
\lambda &= (3(8)^2 + 1)(2(8))^{-1} \bmod 11 \\
&= (193)(5)^{-1} \bmod 11 \\
&= (193)(9) \bmod 11 \\
&= 10 \\
x_3 &= (10^2 - 8 - 8) \bmod 11 = 7 \\
y_3 &= -10(7 - 8) - 8 \bmod 11 = 2
\end{aligned}
$$

(7, 2) + (7, 2):

$$
\begin{aligned}
\lambda &= (3(7)^2 + 1)(2(2))^{-1} \bmod 11 \\
&= (148)(4)^{-1} \bmod 11 \\
&= (148)(3) \bmod 11 \\
&= 4 \\
x_3 &= (4^2 - 7 - 7) \bmod 11 = 2 \\
y_3 &= -4(2 - 7) - 2 \bmod 11 = 7
\end{aligned}
$$

(2, 7) + (8, 8):

$$
\begin{aligned}
\lambda &= (8 - 7)(8 - 2)^{-1} \bmod 11 \\
&= (1)(6)^{-1} \bmod 11 \\
&= (1)(2) \bmod 11 \\
&= 2 \\
x_3 &= (2^2 - 8 - 2) \bmod 11 = 5 \\
y_3 &= -2(5 - 2) - 7 \bmod 11 = 9
\end{aligned}
$$

kA = 5(8, 8) = (5, 9)

$$
\begin{aligned}
r &= 5 \bmod 13 \\
&= 5
\end{aligned}
$$

$$
\begin{aligned}
s &= (2 + 7(5))(5)^{-1} \bmod 13 \\
&= (37)8 \bmod 13 \\
&= 10
\end{aligned}
$$

sig(x, k) = (r, s) = (5, 10).


Verify sig(x, k) = (r, s) = (5, 10):

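$$
\begin{aligned}
i &= 2(10^{-1}) \bmod 13 \\
&= 2(4) \bmod 13 \\
&= 8
\end{aligned}
$$

$$
\begin{aligned}
j &= 5 \cdot 10^{-1} \bmod 13 \\
&= 5 \cdot 4 \bmod 13 \\
&= 20 \bmod 13 \\
&= 7
\end{aligned}
$$

$$
\begin{aligned}
(u, v) &= 8(8, 8) + 7(3, 6) \\
&= (5, 2) + (10, 9) \\
&= (5, 9)
\end{aligned}
$$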

ver(x, (5, 10)) = true because 5 mod 13 = 5
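
The mod p point addition of section 1.8, the point order of section 1.15 and the ECDSA signing and verification of sections 1.17 to 1.19, as one added Python example that is not part of the original notes. It hard-codes the page's curve and base point and takes h(x) as an integer as the notes do; the function names are this example's own, and `sign` assumes k is chosen so that r and s are nonzero.

```python
# Toy parameters from the page: y^2 = x^3 + x + 6 over Z_11, A = (8, 8) of order q = 13.
a, b, p = 1, 6, 11
A, q, O = (8, 8), 13, None  # O stands for the point at infinity

def add(P, Q):
    """P + Q via equations (3)-(5), all mod p."""
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O  # undefined slope: Q = -P (includes doubling a point with y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x2 - x1) % p
    return (x3, (-lam * (x3 - x1) - y1) % p)

def mul(k, P):
    """kP by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def order(P):
    """Smallest k >= 1 with kP = O, by repeated addition (fine at this size)."""
    k, R = 1, P
    while R is not O:
        k, R = k + 1, add(R, P)
    return k

def sign(h, k, m):
    """Signature (r, s) on hash h with nonce k in [1, q-1] and private key m."""
    r = mul(k, A)[0] % q
    s = (h + m * r) * pow(k, -1, q) % q
    return r, s

def verify(h, sig, B):
    """Accept iff the x-coordinate of iA + jB, reduced mod q, equals r."""
    r, s = sig
    if not (1 <= r < q and 1 <= s < q):
        return False  # range check also guarantees s is invertible mod q
    w = pow(s, -1, q)
    i, j = h * w % q, r * w % q
    R = add(mul(i, A), mul(j, B))
    return R is not O and R[0] % q == r
```

Running `sign(2, 5, 7)` reproduces the signature (5, 10) from the worked example, and `verify(2, (5, 10), (3, 6))` accepts it.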


Exercises
1.5 Use the elliptic curve, E, over $\mathbb{Z}_{11}$ described by $y^2 = x^3 + x + 6 \bmod 11$ to sign a message x with hash h(x) = 4 using the public key (A = (2, 7), B = (7, 2), E, q = 13), random k = 3, and private key m = 7.

1.6 Determine the values for i and j needed to verify the signature from the previous question.

1.7 Let α be an integer in $\mathbb{Z}_7$:

a) What is the order of α = 2?


b) What is the order of α = 5?
c) What is the order of α = 6?

1.8 Let A be a point in the elliptic curve, E, over $\mathbb{Z}_7$ described by $y^2 = x^3 - x + 3 \bmod 7$:

a) What is the order of A = (4, 0)?


b) What is the order of A = (5, 2)?
c) Show that the order of A = (2, 4) is 6.

1.9 Prove that for the DSA:

$$(\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = (\alpha^k \bmod p) \bmod q$$

1.10 Prove that for the ECDSA:

iA + jB mod q = kA mod q


Answers
1.1 yes
yes
no
yes
λ = −2, y = −2x + 0, R = (2, 4)
$\lambda = -\frac{7}{3}$, $y = -\frac{7}{3}x + 1$, $R = (-\frac{5}{9}, -\frac{62}{27})$

1.2 no
yes
$\lambda = 0$, $y = 0x + \sqrt{2}$, $R = (-2, -\sqrt{2})$
λ ≈ −0.82550, y = λx + 1.55575, R ≈ (1.68145, −0.16771)

1.3 λ = 2, P + Q = (5, 9)
λ = 10 and 2P = (3, 6), λ = 2 and 2P + P = (2, 7)

1.4 λ = 6, P + Q = (2, 4)
λ = 4 and 2P = (2, 3), λ = 6 and 2P + 2P = (4, 6), λ = 6 and 4P + 4P = (0, 4)

1.5 λ = 8 and 2A = (5, 2), λ = 2 and 2A + A = 3A = (8, 3)


r = 8, s = 7, sig(x, k) = (8, 7)

1.6 i = 8
j=3

1.7 3
6
2

1.8 2A = O
λ = 1 and 2A = (5, 5), 2A + A = 3A = O
λ = 4 and 2A = (5, 5), λ = 5 and 2A + A = 3A = (4, 0), 3A + 3A = 6A = O
