Elliptic Curve Cryptography

 Elliptic Curve over K is the set of points (x,y), with x, y  K, which satisfy
± y2 = x3 + ax + b, together with the point at infinity O, if characteristic of K > 3 and x3 + ax + b has no multiple roots

 If the characteristic of K is 2, than the elliptic curve is:
± y2 + cy = x3 + ax + b (1) ± y2 + xy = x3 + ax2 + b (2), where we don¶t care about multiple roots

y) will have only nonsingular points if ( { 0 .y) has only nonsingular points. F(x. ± Using ( = -16(4a3 + 27b2).Elliptic Curve Cryptography  A nonsingular point in F(x.y) = 0 is a point in which one of the partial derivatives (over x or y) is non-zero  The equation on the elliptic curve x3 + ax + b will not have multiple root if F(x.

Elliptic Curve Cryptography  In fact the elliptic curve is given by the Weierstrass equation ± y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 ± This is specialized with variable changes to the equations initially shown  The equations for K of characteristic 2 come from: ± Define j(E) = (a1)12/( (already specialized) ± Than if j(E) { 0 we get (2) ± If j(E) = 0 we get 1 .

y2)  If the characteristic of K is > 3 than ± -P = (x1.x3) . if P = Q P! .x1. -y1) ± P + Q = (P2 .x1). ± Assume P = (x1.y1)/(x2.Elliptic Curve Cryptography  Now we can show the formulas for adding points. y1) and Q = (x2.x2. if P { Q ± = (3 x12 + a)/2y1.y1) ± P = (y2. P(x1.

P { Q = x12 + (x1 + y1/x1)x3 + x3.Elliptic Curve Cryptography  If the characteristic of K is 2. y1 + x1) P+Q = (x3. than ± If j(E) { 0:       -P = (x1. P = Q . y3) x3= ((y1+y2)/(x1+x2))2 + (y1+y2)/(x1+x2) + x1+x2 + a. P { Q = x12 + b/ x12. P = Q y3 = ((y1+y2)/(x1+x2))(x1+x3) + x3 + y1.

P = Q y3 = ((y1+y2)/(x1+x2))(x1+x3) + c + y1. than ± If j(E) = 0:       -P = (x1. P { Q = ((x12 + a)/c)(x1+x3) + c + y1. P { Q = (x14 + a2)/ c2. y1 + c) P+Q = (x3. y3) x3= ((y1+y2)/(x1+x2))2 + x1+x2. P = Q .Elliptic Curve Cryptography  If the characteristic of K is 2.

Elliptic Curve Cryptography  Elliptic curve of finite field Fq: ± The number of points is given by  q + 1 + §G(x3 + ax + b). G is the quadratic character of Fq ± Hasses¶s Theorem:  | N ± (q+1)|e 2q ± The abelian group over Fq does not need to be cyclic. but it can be decomposed on cyclic groups .

«.Elliptic Curve Cryptography  Extension fields ± If E is defined over Fq. E/ Fq) is defined as § N rT r / r Z (T . it is also defined over Fqr. for r = 1. E / F q )! e . 2. ± Assume that Nr is the number of points on E defined over Fqr ± The generating series Z( T.

E/ Fq) = (1.Elliptic Curve Cryptography  Weil conjecture ± Z(T.aT + qT2)/((1-T)(1-qT)) ± N = N1 = q + 1 ± a ± The inverse roots of the numerator are E and F. 2. complex of absolute value q ± Nr = qr + 1 ± Er ± Fr. r = 1. «. ± Example:  Find Nr for the curve y2 + y = x3 over F2r .

Elliptic Curve Cryptography  The analogy of multiplying two elements in Fq is adding two points in E  So the analogy of raising an element to power k is multiplying a point by k ± Raising to power k can be accomplished in O(log k log3q) bit operations ± Multiplying a point by k can be accomplished in O(log k log3q) .

Elliptic Curve Cryptography  The discrete log problem in elliptic curve is the problem of given P and B find an x such as P = x*B ± There is a way to reduce the log problem over elliptic curve to the log problem over Fqk ± The reduction only works for some special curves that are called supersingular ± Why do you care about this? .

the x coordinate)  Alice and Bob choose a point B that does not need to be secret ± B must have a very large order! .Diffie Hellman over ECC  Alice and Bob chose a finite field Fq and an elliptic curve E  The key will be taken from a random point P over the elliptic curve (e.g.

from bB and a can compute P = abB  Bob.Diffie Hellman over ECC  Alice chooses a random a and compute aB E  Bob chooses a random b and compute bB  E  Alice and Bob exchange the computed values  Alice. from aB and b can compute P = abB .