UNIT - V

Number Theory and Algebraic Geometry:

Elliptic Curves:
– Basic Facts of Elliptic Curve 5a ←
– Elliptic Curve Cryptosystems 5b
– Elliptic Curve Primality Test 5c
– Elliptic Curve Factorization 5d

1
Introduction to Elliptic Curves (EC)

2
 Graphical Representation of EC

Y - axis

X - axis

Figure 1. Elliptic Curve

It is a single curve.
Curves of this nature are called ELLIPTIC CURVES.

3
 Graphical Representation of EC

• An Elliptic Curve (EC) is a plane curve defined by an Y - axis

equation of the form
𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃, where 𝟒𝒂𝟐 + 𝟐𝟕𝒃𝟐 ≠ 𝟎. X - axis

Figure 1. Elliptic Curve

For different (𝑎, 𝑏) of values, we get different ECs.

(𝑎 = 0, 𝑏 = −1) (𝑎 = 0, 𝑏 = 1) (𝑎 = −3, 𝑏 = 3) (𝑎 = −4, 𝑏 = 0) (𝑎 = −1, 𝑏 = 0)

Figure 2. Examples of Elliptic Curves
4
 Elliptic Curves in Cryptography

• Elliptic Curve (EC) systems to cryptography were first proposed in 1985

independently by
• Neal Koblitz, and
• Victor Miller.

• The Discrete Logarithm problem on EC groups is believed to be more difficult

than the corresponding problem in the finite field Fq* (the multiplicative group of
nonzero elements).

5
 Introduction to ECC

History of ECC
• In 1985, Neal Koblitz and Victor Miller independently proposed ECs to design
public key cryptosystems.
• In the late 1990’s, ECC was standardized by a number of organizations and it
started receiving commercial acceptance.
• Nowadays, ECC is mainly used in the resource constrained environments, such as
• ad-hoc wireless networks, and
• mobile networks.
• There is a trend that conventional public key cryptosystems are being replaced
with ECC systems.

6
 Introduction to ECC

Motivation
Public (or asymmetric) key cryptography algorithms play an important role in
providing security services:
• Key management
• User authentication
• Signature
• Certificate
Public key cryptography systems are constructed by relying on the hardness of
mathematical problems:
• RSA - based on the Integer Factorization Problem
• DH - based on the Discrete Logarithm Problem

7
 Introduction to ECC

Motivation …
The main problem of conventional public key cryptography systems
• The key size has to be sufficiently large in order to meet high-level security
requirement.
• This results in consumption of more bandwidth and lower speed.
Solution: Elliptic Curve Cryptography system.

8
 Introduction to ECC

• Elliptic Curve Cryptography (ECC) is a public key cryptosystem

• In public key cryptography, each user has a pair of keys:
– A public key,
– A private key
• A set of operations associated with the keys are used for the cryptographic
operations.

9
 Introduction to ECC

• The mathematical operations of ECC is defined over the elliptic curve Y - axis

𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃, where 𝟒𝒂𝟐 + 𝟐𝟕𝒃𝟐 ≠ 𝟎. … (A)

X - axis

• Each (a, b) gives a different EC.

Figure 1. Elliptic Curve
• All points (x, y) which satisfies the above equation (A) lies on the EC,
plus a point at infinity is considered for EC operations.
• The public key is a point on the EC, and
• The private key is a random number, which is not on the EC.

10
 Introduction to ECC

• One main advantage of ECC is its small key size.

• A 163-bit key in ECC is considered to be as secured as 1024-bit key in RSA.
No. of bits in Key
ECC 163 256 384 512
RSA 1024 3072 7680 15360
Ratio 1:6 1:12 1:20 1:30

11
 Introduction to ECC

• Why ECC?
• Sub-exponential algorithms are available for factoring or solving DLP.
• But for ECC, the breaking of sub-exponential algorithm has not been found.
• That is, ECC is more secured than RSA, ElGamal
• Using much smaller key size of ECC can achieve the same security as RSA
or ElGamal with larger key size, so it is more efficient.

12
 Elliptic Curve Cryptosystem (ECC)

Discrete Logarithm Problem (DLP) 𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃, where 𝟒𝒂𝟐 + 𝟐𝟕𝒃𝟐 ≠ 𝟎. … (A)

• The security of ECC depends on the difficulty of Elliptic Curve Discrete Logarithm
Problem.
• If P and Q are any two points on an EC and 𝑘 is any scalar such that 𝑘𝑃 = Q.
• If P and Q are given, it is computationally infeasible to obtain 𝑘, if 𝑘 is sufficiently
large.
• Finding 𝑘 is the discrete logarithm of Q to the base P.
• The main operation involved in ECC is point multiplication.
• i.e., multiplication of a scalar 𝑘 with any point P on the curve to obtain another
point Q on the same curve, i.e., 𝑘P = Q.

13
 Elliptic Curves

• Elliptic curves can be defined over any field K.

• The field K is usually taken to be a field

• C of complex numbers,
• R of real numbers
• Q of rational numbers, or
• Fq a finite field of q = pr elements.

14
 Elliptic Curves

• For cryptography, we use the following fields of real numbers:

• Fp - called Prime Field, where p > 3 is a prime, and
• F2m - called Binary Field, a binary representation with 2m elements.

15
 Elliptic Curves
y
• Elliptic Curve over any field K is
𝐸𝐶(𝐾) = *∞+ U *(𝑥, 𝑦) ∈ 𝐾 × 𝐾 | 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏+ x

Point at Infinity (O)

• It is useful to add or consider the point at infinity Elliptic Curve

• The point at infinity is sitting at the top of the y-axis and any vertical line is said
to pass through the point at infinity.
• The point at infinity is both at the top and bottom of the y-axis.

• One important fact: the set of points on an EC form an abelian group.

16
 Elliptic Curves (EC)
y

Definition: EC x

• If K is a field of characteristic ≠ 2, ≠ 3, and a & b  K.

Elliptic Curve

• Let a, b  K and let x3 + ax + b be a cubic polynomial with no multiple roots.

• An Elliptic Curve (EC) over K is the set of points (x, y) with x, y  K which satisfy
the equation
y2 = x3 + ax + b ……. (1)
together with a single element, called point at infinity, denoted as O.

17
 Elliptic Curves (EC)

Definition: EC

• If K is a field of characteristic 2

• The EC over K is the set of points together with a point at infinity O satisfying an
equation of type either
y2 + cy = x3 + ax + b …. (2a)
or
y2 + xy = x3 + ax2 + b …. (2b)

(Here we do not care whether or not the cubic polynomial on the right has
multiple root)

18
 Elliptic Curves (EC)

Definition: EC

• If K is a field of characteristic 3

• The EC over K is the set of points together with a point at infinity O satisfying the
equation
y2 = x3 + ax2 + bx + c .……. . (3)
• (Here the cubic polynomial on the right has no multiple roots)

19
 Elliptic Curves (EC)

Definition

• Let E be an EC over the real numbers, and let P and Q be two points on E.
• We define the negative of P and the sum of P + Q y

• If P is the point at infinity, O, then

x
–P to be O, and
P + Q = Q, where Q is any point on E Elliptic Curve

• The point at infinity, O serves as the additive identity (or zero element) of the
group points.

20
 Elliptic Curves (EC)

The Negative of P
y

• The negative of P is represented as –P.

x
• If P = (x, y), then
– P = – (x, y)
= (x, –y) Elliptic Curve

• (x, –y) is on the same elliptic curve where (x, y) is.

21
 General Form of EC

• An Elliptic Curve is a plane curve defined by an equation of the form

𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃

• For different values of a and b, we get different ECs.

Examples of EC

(𝑎, 𝑏): (0, -1) (0, 1) (-3, 3) (-4, 0) (-1, 0)

22
 Elliptic Curve Group over Real Numbers

• 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏, where 𝑥, 𝑦, 𝑎 and 𝑏 are real numbers,

where 4a3 + 27b2  0. x

• All points (𝑥, 𝑦) satisfying the above equation and with the Elliptic Curve
point at infinity O, the addition operation forms a group.

23
 Elliptic Curves

Addition Laws of EC points

• Addition laws of EC has the following properties:

Identity: P + O = O + P = P, ∀ P ∈ E
Inverse: P + (– P) = (– P) + P = O, ∀ P ∈ E
Commutative: P + Q = Q + P, ∀ P, Q ∈ E
Associative: (P + Q) + R = P + (Q + R), ∀ P, Q, R ∈ E

• The addition laws make the points of EC to be an abelian group.

24
Elliptic Curve - Example

(𝑎, 𝑏) = (-4, 0.67)

25
 Elliptic Curves

• An EC is a curve that is also naturally a group

• The group law is constructed geometrically
• ECs have (almost) nothing to do with ellipses
• ECs appear in many diverse areas of mathematics, ranging from number
theory to complex analysis, and from cryptography to mathematical physics
• ECs have been studied as algebraic/geometric entities/structures extensively
for the past 150 year
• Many cryptosystems often require the use of algebraic groups.
• Elliptic curves may be used to form elliptic curve groups.

26
 Elliptic Curves

• A group is a set of elements with custom-defined arithmetic operations on those

elements.
• We can use geometry to make the points of an EC into a group.
• For EC groups, these specific operations are defined geometrically.
• To introduce more stringent properties to the elements of a group, such as limiting
the number of points on such a curve, creates an underlying field for an elliptic
curve group.

27
Elliptic Curves

28
 Elliptic Curves

The Equation of an Elliptic Curve

• An elliptic curve is a curve given by an equation of the form
y2 = x3 + ax + b

• The requirement for the EC is that it must satisfy the discriminant

4a3 + 27b2 ≠ 0.

29
 Elliptic Curves

Basic Operations on EC

1. Addition of two points: P & Q

2. Doubling a point P
3. Scalar Multiplication P with 𝒌, (i.e.) 𝒌P.

30
 Elliptic Curves

Elliptic Curve Groups over Real Numbers

• An EC over real numbers may be defined as the set of points (𝑥, 𝑦) which satisfy
an EC equation of the form:
𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃, where 𝒙, 𝒚, 𝒂 & 𝒃 are real numbers,
with 4𝑎3 + 27𝑏 2 ≠ 0.

• For different values of (a, b), we get different ECs.

31
 Elliptic Curves

Elliptic Curve over Real Numbers…

One important fact about the set of points on an EC is that it forms an abelian
group.
To explain that how does it work, assume that K = R.
i.e., the EC is an ordinary curve in the plane plus a point O ‘point at infinity’.

32
 Elliptic Curves

Elliptic Curve Groups over Real Numbers… y2 = x3 + ax + b

• For example, a = -4 and b = 0.67 gives the EC with

equation y2 = x3 - 4x + 0.67. The graph of this curve
is shown in the Figure.

• If x3 + ax + b contains no repeated factors, or

4a3 + 27b2 ≠ 0, then the EC y2 = x3 + ax + b can be
used to form a group.

• An EC group over real numbers consists of the

points on the corresponding EC, together with a
special point O called the point at infinity.

33
 Elliptic Curves
y
Addition of two points in EC

• P + Q = R is the additive property defined geometrically. x

• EC groups are additive groups; that is, their basic function is addition. Elliptic Curve
The addition of two points on an EC is defined geometrically.
• The negative of a point P = (xP, yP) is its reflection in the x-axis:
the point −P is (xP, −yP).

Notice that for each point P on an EC, the point −P is also on the same EC.
• We define P + (−P) = O

• If P = (x, 0), then P + P = O (a vertical line).

34
 Elliptic Curves

Adding two distinct points P and Q (A Geometric Approach)

• Suppose P & Q are two distinct points on an EC, and P ≠ −Q.

Procedure to add 2 points P & Q:

• A line is drawn through the two points P and Q.
• This line will intersect the EC in exactly one more point, −R.
• The point −R is reflected on the x-axis to the point R. The R
is P + Q. =P+Q

• The law for addition in an elliptic curve group is P + Q = R.

35
Elliptic Curve

36
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

Consider an elliptic curve E.

37
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

Let P and Q be any two points on the elliptic curve E.

Q
⋅
P ⋅

38
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

Draw a line connecting P and Q and extend the line. It meets on a third point on the
elliptic curve E.

Q
⋅
P ⋅

39
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

Draw a line connecting P and Q and extend the line. It meets on a third point on the
elliptic curve E.

Q ⋅
⋅
P ⋅

40
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

The third point on the elliptic curve E is named as –R.

Q ⋅ -R
⋅
P ⋅

41
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

Reflect the third point –R onto the x-axis.

Q ⋅ -R
⋅
P ⋅
⋅ E

42
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

The reflected point on the x-axis is called R.

Q ⋅ -R
⋅
P ⋅
⋅ RE

43
 The Geometry of Elliptic Curves

Adding two points (A Geometry Approach)

The reflected point on the x-axis is R = P+Q.

Q ⋅ -R
⋅
P ⋅
⋅ R E= P + Q

44
 Elliptic Curves
Adding the points P and –P (A Geometry Approach)

• The line through P and -P is a vertical line which does not

intersect the EC at a third point.
• Thus the points P and -P cannot be added.
• It is for this reason that the elliptic curve group includes
the point at infinity O.

• By definition, P + (-P) = O.
• As a result, P + O = O + P = P in the EC group.
• O is called the additive identity of the EC group.
• All ECs have an additive identity.

45
 Elliptic Curves

Doubling a point P (A Geometry Approach)

• To add a point P to itself, a tangent line to the

curve is drawn at the point P.
• If yP ≠ 0, then the tangent line intersects the EC at
exactly one other point, -R.
• -R is reflected to the x-axis at R.
• This operation is called doubling the point P;

• The law for doubling a point on an EC group is defined by: P + P = 2P = R.

46
Point Doubling on EC

47
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.

⋅P

48
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.
Draw a tangent L at the point P.

⋅P

49
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.
Draw a tangent L at the point P.
L
⋅P

50
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.
Draw a tangent L at the point P.
It meets at another point –R.
⋅P
L
⋅ -R

51
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.
Draw a tangent L at the point P.
It meets at another point –R.
Reflect the point –R on the x-axis. ⋅P
L
⋅ -R

⋅ E

52
 The Geometry of Elliptic Curves

Doubling a point P (A Geometry Approach)

Let P be a point on the EC E.
Draw a tangent L at the point P.
It meets at another point –R.
Reflect the point –R on the x-axis. ⋅P
L
⋅ -R
The reflected point R is 2P.

⋅ R E= 2P

53
 Elliptic Curves
Doubling the point P if yP = 0

• The tangent at P is always vertical if yP = 0.

• If a point P is such that yP = 0, then the tangent line
to the EC at P is vertical and does not intersect the EC
at any other point.
• By definition, 2P = O for such a point P if yP = 0.

• To find 3P in this situation, one can add 2P + P. This becomes O + P = P.

• Thus 3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.

54
 The Geometry of Elliptic Curves

Vertical line and an extra point “at infinity”

Let P be a point on the EC E.

P ⋅

55
 The Geometry of Elliptic Curves

Vertical line and an extra point “at infinity”

We denote the reflected point −P on the EC E.

P ⋅

⋅
E

56
 The Geometry of Elliptic Curves

Vertical line and an extra point “at infinity”

We denote the reflected point −P on the EC E.

P ⋅

⋅
Q = −P
E

57
 The Geometry of Elliptic Curves

Vertical line and an extra point “at infinity”

Draw a line connecting P and –P, the reflection point on the EC E. Since there is no
Third point to meet, we create or use the point at infinity O.
L
P ⋅

Q = -P
⋅
E

58
 Algebra of Elliptic Curves

Elliptic Curve Addition: An Algebraic Approach

• Although the previous geometric descriptions of ECs provide an excellent method

of illustrating EC arithmetic,
But, it is not a practical way to implement arithmetic computations.
• So, algebraic formulae are required/constructed to efficiently compute the
geometric arithmetic.

59
 Algebra of Elliptic Curves

Definition: Set of Points on EC

• Let p > 3 be a prime. The set of points on the EC y2 = x3 + ax + b over Zp, is the
solutions (x, y) ϵ Zp × Zp to the congruence
y2 ≡ x3 + ax + b (mod p) .… (5.1)
• where a, b ϵ Zp are constants such that 4a3 + 27b2 ≠ 0 (mod p), together with a
special point O called the point at infinity.1

1Equation (5.1) can be used to define an elliptic curve over any field GF(pn), for p > 3 prime.
An elliptic curve over GF(2n) or GF(3n) is defined by a slightly different equation.

60
 Elliptic Curve

Definition: Ep(a, b) - Elliptic Group mod p

• Choose two non-negative integers a and b less than p (> 3) such that
4a3 + 27b2 (mod p) ≠ 0.
• Then Ep(a, b) denotes the elliptic group mod p, whose elements (x, y) are pairs of
non-negative integers less than p satisfying
y2 ≡ x3 + ax + b (mod p) …… (5.1)
together with the point at infinity O.

61
 Algebra of Elliptic Curves

Algebraic Addition of two points P and Q

• Let (x1, y1), (x2, y2) and (x3, y3) denote the coordinates of P, Q and P + Q,
respectively.
• (x3, y3) ← (x1, y1) + (x2, y2)
• The x3 and y3 can be expressed in terms of x1, y1, x2, y2.

62
 Elliptic Curve

(x1, y1)
Elliptic Curve: Algebraic Addition of two Points P ⋅
• Suppose P = (x1, y1) and Q = (x2, y2) are two points on E.
• If x2 = x1 and y2 = -y1, then P + Q = O, otherwise
Q = -P
⋅(x , y )
2 2

P + Q = (x3, y3), where E

x3 = λ2 – x1 – x2 & y3 = λ(x1 – x3) – y1 Geometric Approach
𝑦2 − 𝑦1
, 𝑖𝑓 𝑃 ≠ 𝑄 Q ⋅ -R
where 𝜆 =
𝑥2 − 𝑥1
3𝑥12 + 𝑎
⋅
2𝑦1
, 𝑖𝑓 𝑃 = 𝑄 P ⋅
𝑃 + 𝑂 = 𝑂 + 𝑃, for all 𝑃 𝜖 𝐸, ⋅ R E= P + Q
63
 Elliptic Curve

EC Addition of two Points (Algebraic Approach)

• Suppose 𝑃 = (𝑥1, 𝑦1) and 𝑄 = (𝑥2, 𝑦2) are two different points on 𝐸. Then
𝑷 + 𝑸 = 𝑥1, 𝑦1 + (𝑥2, 𝑦2)
Geometric Approach
= (𝒙𝟑, 𝒚𝟑),
where Q ⋅ -R

2 ⋅
𝑥3 =
𝑦2 ; 𝑦1
𝑥2 ; 𝑥1
− 𝑥1 − 𝑥2 ; P ⋅
𝑦2 ; 𝑦1
𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 . … (4)
𝑥2 ; 𝑥1
⋅ R E= P + Q

64
 Elliptic Curve

Elliptic Curve – Doubling a Point (Algebraic Approach)

• Suppose P = (x1, y1) is a point on EC, then 2P is a points on EC, defined as

2P = (x3, y3), Geometric Approach

where
⋅
L
⋅ -R
2
3𝑥12 :𝑎
𝑥3 = − 2𝑥1 ;
2𝑦1
3𝑥12 : 𝑎
𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 . …. (5)
2𝑦1
E
⋅ R = 2P

With the above definition of addition, it can be shown that E is an abelian group
with identity element O.

65
 Elliptic Curve

Example 2: On the EC y2 = x3 – 36x, let P = (-3, 9) and Q = (-2, 8). Find P + Q and 2P.
Solution: 𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃
𝑦2 ; 𝑦1 2 For P + Q 2 For 2P
𝑥3 = − 𝑥1 − 𝑥2 3𝑥12 + 𝑎
𝑥2 ; 𝑥1 𝑥3 = − 2𝑥1 …. (5)
… (4) 2𝑦1
𝑦2 ; 𝑦1 3𝑥12 : 𝑎
𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 . 𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 .
𝑥2 ; 𝑥1 2𝑦1

P+Q: Given that P = (-3, 9) and Q = (-2, 8) and 𝑎 = -36 and 𝑏 = 0.

Substituting x1 = -3, y1 = 9, x2 = -2, y2 = 8 in the 1st equation of (4), it gives x3 = 6.
Substituting in the second equation of (4), it gives y3 = 0. i.e., P + Q = (x3, y3) = (6, 0).
2P: Substituting x1 = -3, y1 = 9, a = -36, in the first equation in (5), it gives x3 = 25/4 of 2P.
Substituting in the second equation of (5), it gives -35/8 for the y-coordinates of 2P.
i.e., 2P = (x3, y3) = (25/4, -35/8).

66
 Elliptic Curve

Example 5.7
• Let E be an elliptic curve y2  x3 + x + 6 over Z11. 𝒚𝟐 = 𝒙𝟑 + 𝒂𝒙 + 𝒃

• Computation of the points on E: Quadratic Residue

a is called a quadratic residue modulo m if
For each x ϵ Z11, x2  a mod m ... (4.1)
• Compute y from y2  x3 + x + 6 mod 11. has a solution (i.e., if a is a “perfect square
modulo m”).
𝑎 = 1, 𝑏 = 6, 𝑝 = 11

For a given x, we can test to see if z  x3 + x + 6 mod 11 is a quadratic residue by applying

Euler’s criterion. Recall that there is an explicit formula to compute square roots of quadratic
residues modulo p for primes p  3 (mod 4). Applying this formula, we have the square roots
of a quadratic residue z that are ± z(11 + 1)/4 mod 11  ± z3 mod 11.

67
 Elliptic Curve
Elliptic Curve Points Quadratic Residue mod 11

y2  x3 + x + 6 over Z11 x x2 x2 mod 11

0 0 0
Quadratic Residue 1 1 1
a is called a quadratic residue modulo m if the congruence 2 4 4
x2  a mod m ... (4.1) 3 9 9
has a solution (i.e., if a is a “perfect square modulo m”).
4 16 5

𝑥 mod 11 = *0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10+ 5 25 3

6 36 3
7 49 5
From the table, {1, 3, 4, 5, 9} are quadratic residue 8 64 9
modulo 11. 9 81 4
10 100 1

68
 Elliptic Curve
Elliptic Curve Points
Table 5.2 Points on the EC y2  x3 + x + 6 over Z11 {1, 3, 4, 5, 9} are QR modulo 11.
x 𝑦 2  x3 + x + 6 mod 11 Is y2 QR(11)? y a is called a quadratic residue modulo m if
0 6 no the congruence
x2  a mod m ... (4.1)
1 8 no
has a solution (i.e., if a is a “perfect square
2 5 yes 4, 7 modulo m”).
3 3 yes 5, 6 Calculation of y from x
4 8 no For x = 2,
𝑦 2 ≡ 23 + 2 + 6 mod 11
5 4 yes 2, 9 ≡ 16 mod 11
6 8 no ≡ 5 mod 11
5
To check for , we have
7 4 yes 2, 9 11
42 ≡ 5 mod 11 => y = 4
8 9 yes 3, 8 72 ≡ 5 mod 11 => y = 7
9 7 no So, for x = 2, the coordinates are {(2, 4), (2, 7)}.

10 4 yes 2, 9 lllly, we have to compute for other values of x.

69
 Elliptic Curve
Elliptic Curve Points
Table 5.2 Points on the EC y2  x3 + x + 6 over Z11
x 𝑦 2  x3 + x + 6 mod 11 is QR(11)? y {1, 3, 4, 5, 9} are quadratic
0 6 no residue modulo 11.
1 8 no
2 5 yes 4, 7 E11(1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2),
→ (5, 9), (7, 2), (7, 9), (8, 3), (8, 8),
3 3 yes 5, 6 (10, 2), (10, 9), O}
4 8 no
5 4 yes 2, 9
6 8 no
7 4 yes 2, 9
8 9 yes 3, 8
9 7 no
10 4 yes 2, 9

70
 Elliptic Curve
Elliptic Curve Points y2  x3 + x + 6 over Z11
Table 5.2 Points on the EC y2 = x3 + x + 6 over Z11
E11(1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), x 𝑦 2  x3
+x+6 in y
(7, 9), (8, 3), (8, 8), (10, 2), (10, 9), O} mod 11 QR(11)?
0 6 No
• E has 13 points on it. 1 8 No
2 5 yes 4, 7
• Since any group of prime order is cyclic, it follows that E
3 3 yes 5, 6
is isomorphic to Z13, and any point other than the point
4 8 no
at infinity is a generator of E.
5 4 yes 2, 9
6 8 no
• Suppose we take the generator α = (2, 7).
7 4 yes 2, 9
• Then we can compute the “powers” of α (which we will 8 9 yes 3, 8
write as multiples of α, since the group operation is 9 7 no

additive). 10 4 yes 2, 9

71
 Elliptic Curve
Elliptic Curve Points E11(1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2),
Let α = (2, 7) be a generator. (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), O}

• Compute 2α = (2, 7) + (2, 7), where α = (2, 7). y2  x3 + 𝑎x + b (mod p) … (5.1)

• Computation of λ y2 ≡ x3 + x + 6 over Z11

λ = (3 × 22 + 1) (2 × 7)-1 mod 11
= 2 × 3-1 mod 11 𝑦2 − 𝑦1
, 𝑖𝑓 𝑃 ≠ 𝑄
= 2 × 4 mod 11 ∵ 3 . 4  1 mod 11 𝑥2 − 𝑥1
𝜆=
3𝑥12 + 𝑎
= 8. , 𝑖𝑓 𝑃 = 𝑄
2𝑦1
• Computation of (x3, y3)
x3 = λ2 – x1 – x2
x3 = 82 – 2 – 2 mod 11 = 5, and
y3 = λ(x1 – x3) – y1
y3 = 8 (2 – 5) – 7 mod 11 = 2.
• (i.e.) 2α = (5, 2).
72
 Elliptic Curve
Elliptic Curve Points
α = (2, 7), 2α = (5, 2) y2  x3 + x + 6 over Z11

• Then 3α = 2α + α = (5, 2) + (2, 7). Again, we begin by computing λ, which in this

situation is done as follows:
E11(1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2),
λ = (7 – 2) (2 – 5)-1
mod 11 (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), O}
= 5 × 8-1 mod 11 𝑦2 − 𝑦1
= 5 × 7 mod 11 ∵ 8 . 7 ≡ 1 mod 11 , 𝑖𝑓 𝑃 ≠ 𝑄
𝑥2 − 𝑥1
= 2. 𝜆=
3𝑥12 + 𝑎
, 𝑖𝑓 𝑃 = 𝑄
2𝑦1
x3 = 22 – 5 – 2 mod 11 = 8, and
y3 = 2 (5 – 8) – 2 mod 11 = 3. x3 = λ2 – x1 – x2
y3 = λ(x1 – x3) – y1
So, 3α = (8, 3).

73
 Elliptic Curve

E11(1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), O}

Elliptic Curve Cryptography

Table 5.2 Points on the elliptic curve y2 = x3 + x + 6
• The remaining multiples can be computed as: x
over Z11
x3 + x + 6 mod 11 in QR(11)? y
α = (2, 7) 2α = (5, 2) 3α = (8, 3) 0 6 no
4α = (10, 2) 5α = (3, 6) 6α = (7, 9) 1 8 no
7α = (7, 2) 8α = (3, 5) 9α = (10, 9) 2 5 yes 4, 7

10α = (8, 8) 11α = (5, 9) 12α = (2, 4) 3 3 yes 5, 6

4 8 no

• Hence α = (2, 7) is a generator, (i.e.) indeed α is a 5 4 yes 2, 9

6 8 no
primitive element. 7 4 yes 2, 9
Checking other points on EC 8 9 yes 3, 8

Let P = (3, 6) be a point on EC y2 = x3 + x + 6 over Z11. 9 7 no

−P = (3, −6) = (3, −6 + 11 mod 11) = (3, 5). 10 4 yes 2, 9

This (3, 5) is also a point on the EC E11(1, 6).

74
 Elliptic Curve

Example 5.8 Consider the elliptic curve E : y2 = x3 + 3x + 8 over the field F13.
• We can compute the points of E(F13) by substituting all possible values of x = 0, 1, 2, ..., 12
and checking for which x values the quantity x3 + 3x + 8 is a square modulo 13.

Table 5.x Points on the elliptic curve y2 = x3 + 3x + 8 over Z13

x x3 + 3x + 8 mod 13 is y2 QR(13)? y
0
1
2

12

75
 Elliptic Curve

Example 5.8: Consider the elliptic curve E : y2 = x3 + 3x + 8 over the field F13.
• For x = 0, y2 = 8, and 8 is not a square modulo 13.
• Next for x = 1, which gives y2 = 1 + 3 + 8 ≡ 12 mod 13.
• In fact, it has two square roots 5 and 8. ∵ 52 ≡ 12 mod 13 & 82 ≡ 12 mod 13.
• This gives two points (1, 5) and (1, 8) in E(F13).
• The set of EC points
E(F13) = {O, (1, 5), (1, 8), (2, 3), (2, 10), (9, 6), (9, 7), (12, 2), (12, 11)}.
• Thus E(F13) consists of nine points.

76
 Elliptic Curve Cryptography

Example: Let p = 23 and the EC y2 = x3 + x + 1, Compute E23(𝑎, 𝑏).

• For this EC, a = b = 1. 4a3 + 27b2 (mod p) ≠ 0

• We have 4 × 13 + 27 × 12 (mod 23) = 8 ≠ 0.
• This satisfies the condition for an elliptic group mod 23.

• For this elliptic group, we are only interested in the non-negative integers in the
quadrant from (0, 0) to (p, p) that satisfy the equation mod p.
• Table 6.4 lists the points (other than O) that are part of E23(1, 1).

77
 Elliptic Curve Cryptography

Example EC y2 = x3 + x + 1 mod 23
Table 6.4 Points on the Elliptic Curve E23(1, 1)
(0, 1) (6, 4) (12, 19)
(0, 22) (619) (13, 7)
(1, 7) (7, 11) (13, 16)
(1, 16) (7, 12) (17, 3)
(3, 10) (9, 7) (17, 20)
(3, 13) (9, 16) (18, 3)
(4, 0) (11, 3) (18, 20)
(5, 4) (11, 20) (19, 5)
(5, 19) (12, 4) (19, 18)

78
 Elliptic Curve Cryptography
Example: y2 = x3 + x + 1

• For all the points P, Q ϵ E23(1, 1), compute –P and P + Q.

Table 6.4 Points on the Elliptic Curve E23(1, 1)
(0, 1) (6, 4) (12, 19)
Let P = (13, 7). (0, 22) (619) (13, 7)

Then –P = (13, -7). (1, 7) (7, 11) (13, 16)

(1, 16) (7, 12) (17, 3)
But –7 + 23 mod 23 = 16. (3, 10) (9, 7) (17, 20)
(3, 13) (9, 16) (18, 3)
∴ –P = (13, 16) (4, 0) (11, 3) (18, 20)
(5, 4) (11, 20) (19, 5)
That is (13, 16) also in E23(1, 1). (5, 19) (12, 4) (19, 18)

79
 Elliptic Curve Cryptography
Table 6.4 Points on the Elliptic Curve E23(1, 1)
(0, 1) (6, 4) (12, 19)
Example
(0, 22) (619) (13, 7)
(1, 7) (7, 11) (13, 16)
• Let 𝑃 = (3, 10) and 𝑄 = (9, 7), compute 𝑃 + 𝑄. (1, 16) (7, 12) (17, 3)
(3, 10) (9, 7) (17, 20)
(3, 13) (9, 16) (18, 3)
7 − 10 −3 −1
𝜆= = = ≡ 11 mod 23. (4, 0) (11, 3) (18, 20)
9−3 6 2 (5, 4) (11, 20) (19, 5)
(5, 19) (12, 4) (19, 18)

;1 𝑦2 − 𝑦1
mod 23 = −1 . 2;1 mod 23 , 𝑖𝑓 𝑃 ≠ 𝑄
2 𝑥2 − 𝑥1
= 22 . 12 mod 23 𝜆=
3𝑥12 + 𝑎
= 264 mod 23 , 𝑖𝑓 𝑃 = 𝑄
= 11 2𝑦1

x3 = λ2 – x1 – x2
y3 = λ(x1 – x3) – y1

80
 Elliptic Curve Cryptography
𝑦2 − 𝑦1
Example , 𝑖𝑓 𝑃 ≠ 𝑄
𝑥2 − 𝑥1
𝜆=
3𝑥12 + 𝑎
, 𝑖𝑓 𝑃 = 𝑄
• Let 𝑃 = (3, 10) and 𝑄 = (9, 7), compute 𝑃 + 𝑄. 2𝑦1

7 − 10 −3 −1 x3 = λ2 – x1 – x2
𝜆= = = ≡ 11 mod 23. y3 = λ(x1 – x3) – y1
9−3 6 2
Table 6.4 Points on the Elliptic Curve E23(1, 1)
x3 = 112 – 3 – 9 = 109 ≡ 17 mod 23 (0, 1) (6, 4) (12, 19)
(0, 22) (619) (13, 7)
y3 = 11(3 – (-6)) – 10 = 89 ≡ 20 mod 23. (1, 7) (7, 11) (13, 16)
(1, 16) (7, 12) (17, 3)
(3, 10) (9, 7) (17, 20)
So, 𝑃 + 𝑄 = (x3, y3) = (17, 20).
(3, 13) (9, 16) (18, 3)
(4, 0) (11, 3) (18, 20)
(5, 4) (11, 20) (19, 5)
(5, 19) (12, 4) (19, 18)

81
 Elliptic Curve Cryptography
Example …
E23(1, 1)
• To find 2P, P = (3, 10)
3 . 32 + 1 5 1
𝜆= = = ≡ 6 mod 23. 𝑦2 − 𝑦1
2 . 10 20 4 , 𝑖𝑓 𝑃 ≠ 𝑄
𝑥2 − 𝑥1
𝜆=
3𝑥12 + 𝑎
x3 = 62 – 3 – 3 = 30 ≡ 7 mod 23 , 𝑖𝑓 𝑃 = 𝑄
2𝑦1
y3 = 6(3 – 7) – 10 = -34 ≡ 12 mod 23.
x3 = λ2 – x1 – x2
So, 2P = P + P = (7, 12). y3 = λ(x1 – x3) – y1

Similarly, 4P = P + P + P + P = 2P + 2P.
That is, multiplication can be obtained as repeated additions.

82
Algebra of Elliptic Curves

𝑦2 − 𝑦1
, 𝑖𝑓 𝑃 ≠ 𝑄
𝑥2 − 𝑥1
𝜆=
3𝑥12 + 𝑎
, 𝑖𝑓 𝑃 = 𝑄
2𝑦1

x3 = λ2 – x1 – x2
y3 = λ(x1 – x3) – y1

83
 Algebra of Elliptic Curves

7 27 𝑃 = 1, 2
Let 𝑄 = − , − . 7 27
4 8
𝑄 = − ,−
Using the secant line or secant constructions, we can find 4 8
553 11950
3𝑃 = 𝑃 + 𝑄 = ,− .
121 1331
Similarly,
45313 8655103
4𝑃 = ,− .
11664 1259712

84
 Elliptic Curves

Example: A Finite Field

The formulae giving the group law on E are valid if the points have coordinates in
any field, even if the geometric pictures don’t make sense.
Example: The EC E: 𝑦 2 = 𝑥 3 − 5𝑥 + 8 mod 37 contains the points P = (6, 3) and
Q = (9, 10).
𝑦2 ; 𝑦1 2
𝑥3 = − 𝑥1 − 𝑥2 … (4)
Using the addition formulas, we can compute in 𝐸(𝐹37 ). 𝑥2 ; 𝑥1
𝑦2 ; 𝑦1
𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 .
2P = (35, 11), 3P = (34, 25), 4P = (8, 6), 5P = (16, 19) … 𝑥2 ; 𝑥1

P + Q = (11, 10) … 3𝑥12 + 𝑎

2
𝑥3 = − 2𝑥1 …. (5)
2𝑦1
3P + 4Q = (31, 28) … 3𝑥12 : 𝑎
𝑦3 = −𝑦1 + 𝑥1 − 𝑥3 .
2𝑦1

85
 Elliptic Curves

Theorem. Working over a finite field, the group of points 𝐸 𝐹𝑝 is always either
a cycle group or the product of two cyclic groups.

86
Elliptic Curves

87
 Elliptic Curve on a Finite set of Integers

Consider the EC y2 = x3 + 2x + 3 (mod 5) 4a3 + 27b2 ≠ 0

DEFINITION 5.3
• Let p > 3 be prime. The elliptic curve y2 = x3 + ax + b over Zp, is the set of
solutions (x, y)  Zp × Zp to the congruence y2 ≡ x3 + ax + b (mod p) …(5.1)
• where a, b  Zp are constants such that 4a3 + 27b2 ≠ 0 (mod p), together
with a special point O called the point at infinity.

88
 Elliptic Curve on a Finite set of Integers

• Consider the EC y2 = x3 + 2x + 3 (mod 5).

x = 0  y2 = 3  no solution (mod 5) Table 5.2 Points on the elliptic curve
y2 = x3 + 2x + 3 over 5
x = 1  y2 = 6 = 1  y = 1, 4 (mod 5) x x3 + 2x + 3 Is y2 y
x = 2  y2 = 15 = 0  y = 0 (mod 5) mod 5 QR(5)?

x = 3  y2 = 36 = 1  y = 1, 4 (mod 5) 0 3 no
1 1 yes 1, 4
x = 4  y2 = 75 = 0  y = 0 (mod 5)
2 0 no
• Then points on the elliptic curve are 3 1 yes 1, 4
4 0 no
{(1, 1), (1, 4), (3, 1), (3, 4), O}.

89
Elliptic Curves

90
Elliptic Curves

91