You are on page 1of 5

# Elliptic Curve Computations

(1) View the graph and an elliptic curve Graph the elliptic curve y 2 = x3 x over the
real number field R.
>> v =y^2 - x*(x-1)*(x+1)
v =
y^2 - x*(x-1)*(x+1)
>> ezplot(v, [-1,3,-5,5])
(2) Determine the elements in an elliptic curve over a finite field.
When F = Zp (or more generally, when F is a finite field), the elliptic curves over Zp will
be a finite set. Here we take a = 1 and b = 0 with F = Z17 and consider
E = {(x, y) : y 2 = x3 + x (mod 17)} {O}.
Now we want to know what points are on E.
To do that, we first compute the square table over F , which tells us what element in F can
have a square root. This can be done by using powermod in matlab.
>> Y=[]; for y=[0:16], z=[y; powermod(y,2,17)]; Y=[Y, z]; end, Y,
Y =
0
1
2
3
4
5
6
7
8
9
10
0
1
4
9
16
8
2
15
13
13
15

11
2

12
8

13
16

0
0

1
1

2
4

3
9

4
16

5
8

6
2

7
15

8
13

9
13

10
15

11
2

12
8

13
16

14
9

15
4

16
1

## Then, we compute x = 0, 1, 2, , 16 to solve the equation y 2 = x3 + x in Z17 . Thus

(0, 0) E. For x = 1, y 2 = 1 + 1 and so the square root table gives y = 6. Hence (1, 6) E.
For x = 2, we have y 2 = 8 + 2 = 10. the square root table tell us that there is no solution,
and so we move onto the case x = 3. The following matlab comment computes all the needed
information.
>> X=[]; for x=[0:16], z=[x; mod(x^3+x,17)]; X=[X, z]; end, X,
X =
0
1
2
3
4
5
6
7
8
9
0
2
10
13
0
11
1
10
10
7

10
7

11
16

12
6

## In this way, we have

E = {(0, 0), (1, 6), (3, 8), (4, 0), (6, 1), (11, 4), (13, 0), (14, 2), (16, 7), O}.
(3) Addition Add points (1, 3) + (3, 5) and (1, 3) + O on the curve y 2 = x3 + 24x + 13 (mod
29). (Recall that O represent the infinity).
1

13
0

## >> addell([1,3], [3,5], 24, 13, 29)

ans =
26
1
>> addell([1,3], [inf, inf], 24, 13, 29)
ans =
1
3
>>
Thus on E, (1, 3) + (3, 5) = (26, 1) and (1, 3) + O = (1, 3) (expected)
(4) Scalar multiplication Computing kP . Let E be the elliptic curve y 2 = x3 + 24x + 13
(mod 29). For P = (1, 3) and an integer k > 0, we are to compute kP on E.
If we want to compute k P for one value of k, say k = 7, then we can do the following.
>> multell([1,3], 7, 24, 13, 29)
ans =
15
6
Therefore, 7(1, 3) = (15, 6).
When determining the order of an element, or use brute force to find eliptic curve discrete
log, we might need to compute lP for more values of k. compute k(1, 3) for each value of
k = 1, 2, 3, , 8.
>> multsell([1,3], 8, 24, 13, 29)
ans =
1
3
11
10
23
28
0
10
19
7
18
19
15
6
20
24
Therefore,
2P

= (11, 10)

3P

= (23, 28)

4P

= (0, 10)

5P

= (19, 7)

6P

= (18, 19)

7P

= (15, 6)

8P

= (20, 24)

This can let us to find the order of P = (1, 3) is 19. Try it. This can also solve the discrete
log problem: Find n such that (0, 19) = n(1, 3). (Answer: n = 18).

## (5) Example: What happens when P + P ?

Let us add (1, 3) and (1, 3) on y 2 x3 + 24x + 13 (mod 29).
>> addell([1,3], [1,-3], 24, 13, 29)
ans =
1/0
1/0
Therefore, the answer is O = (inf, inf). Note that the 0 in the denominators is a 0 mod 29.
(For example, the denominator could have been 58, as an integer).
(6) Computing nP by the double-and-add algorithm for the elliptic curve E below over
F = Z1999 :
y 2 = x3 + 1828x + 1675,
with P = (1756, 348) and n = 11.
Initialization: Q = P = (1756, 348) and R = O.
Iteration:
(Step 1) n = 11 is odd, R := R + Q = P + O = P = (1756, 348), Q := 2Q = (1526, 1612).
>> multell([1756,348],2,1828, 1675, 1999)
ans =
1526
1612
Update n := b11/2c = 5.
(Step 2) n = 5 is odd, R := R + Q = (1756, 348) + (1526, 1612) = (1362, 998), Q := 2Q =
(1675, 1579).
>> addell([1756,348], [1526,1612], 1828, 1675, 1999)
ans =
1362
998
>> multell([1526,1612],2,1828, 1675, 1999)
ans =
1657
1579
Update n := b5/2c = 2.
(Step 3) n = 2 is even, Q := 2Q = (1849, 225).
>> multell([1657,1579],2,1828, 1675, 1999)
ans =
1849
225
Update n := b2/2c = 1.
(Step 4) n = 1 is odd, R := R + Q = (1362, 998) + (1849, 225) = (1068, 1540), Q := 2Q.
3

## >> addell([1362,998], [1849,225], 1828, 1675, 1999)

ans =
1068
1540
Update n := b1/2c = 0. (Since we know that n = 1 after the updating, we will stop at the next
step and so there is no need to actually compute 2Q.)
(Step 5) n = 0, stop, and answer that 11 P = R = (1068, 1540).
(7) Elliptic curve Deffie-Hellman Key Exchange
System Parameters: A prime p, and an elliptic curve E = E(Zp ), and a (based) point
P E.
Person/Actions
1
2
3

Alice
Chooses a secret integer nA
& computes QA = nA P
Sends QA to Bob
Computes QAB = nA QB

Bob
Chooses a secret integer
& computes QB = nB P
Sends QB to Alice
Computes QAB = nB QA .

bf Example Alice and Bob uses E: y 2 = x3 + 24x + 13 (mod 29) with a based point P = (1, 3)
to build their common secret.
Alice choose her secret nA = 3 and Bob chooses his secret 8. What will be their common
secret?
>> na=3; nb=8;
>> Qa=multell([1,3], na, 24, 13, 29)
Qa =
23
28
>> K=multell(Qa, nb, 24, 13, 29)
K =
19
7
Alice sends QA = (23, 28) to Bob. Bob computes the common key K = nB QA = (19, 7).
(8) Description of an Elliptic curve ElGamal Cryptosystem
System Parameters: Let p be a prime. The alphabet will be points in E, an elliptic curve
E(Zp ), and a point P E (usually called the base point of the system). Note that the public
is assumed to know E.
Making Keys: Bob chooses his secret number nB (which will be the secret deciphering key),
and he computes and publicizes QB = nB P (his public key).
Encryption and Decryption Process: Alice wants to send Bob a plain text M (which is
a point or a string of points in E). She first pick her secret integer nA , computes QA = nA P
and D = M + nA (QB ), (where QA is the clue and D is the cipher text). Then she sends the
pair (QA , D) to Bob.
4

Bob receives (QA , D). He uses his secret key nB and computes
D + (nB ) QA = M + nA (nB P ) nB (nA P ) = M,
and so he recovers M .
Example: Let p = 8831, and E be the elliptic curve with equation y 2 p x3 + 3x + 45 over Zp .
The base point is P = (4, 11). Bobs secret key is nB = 3. He keeps nB a secret and publishes
QB = 3 P = (413, 1808).
Alice wants to send a message M = (5, 1743) to Bob. She first picks her secret number
nA k = 8. Then she computes QA = nA P = 8 (4, 11) = (5415, 6321), and D = M + nA QB =
(5, 1743) + 8 (413, 1808) = (6626, 3576).
Getting (QA , D) from Alice, Bob computes
(6626, 3576)3(5415, 6321) = (6626, 3576)(617, 146) = (6626, 3576)+(617, 146) = (5, 1743).