Professional Documents
Culture Documents
1 Elliptic Curves
An elliptic curve, E, is the set of all points that are solutions to y 2 = x3 + ax + b, including a point
O at infinity.
joshua.schneider@sheridancollege.ca page 1
MATH36206 Advanced Cryptology Week 1
When we add (−1, −2) to (2, 4) we get to the point (3, 6) which we flip to (3, −6).
So for this particular curve we have that (−1, −2) + (2, 4) = (3, −6).
−2−4
The line shown is described by the equation y = λx + v, with a slope of λ = −1−2 = 2, and
a y-intercept of v = 4 − 2(2) = 0
joshua.schneider@sheridancollege.ca page 2
MATH36206 Advanced Cryptology Week 1
When we add (2, 4) to itself we get to the point (−1.359, −1.459) which we flip to (−1.359, 1.459).
So for this particular curve we have that (2, 4) + (2, 4) ≈ (−1.359, 1.459).
13
The line shown is described by the equation y = λx + v, with a slope of λ = 8 , and a y-intercept
of v = 4 − 13
8 (2) = 0.75
The slope is obtained by taking the derivative (wait what... calculus in crypto?) of y 2 = x3 + x + 6
at x = 2 and y = 4:
y 2 = x3 + x + 6
2y 1 y ′ = 3x2 + 1 + 0
3x2 + 1
y′ =
2y
3(2)2 + 1
y′ =
2(4)
13
y′ =
8
joshua.schneider@sheridancollege.ca page 3
MATH36206 Advanced Cryptology Week 1
y 2 = x3 + ax + b (1)
y = λx + v (2)
y2 − y1
P ̸= Q
x2 − x1
λ= (3)
3x2 + a
1 P =Q
2y1
x3 = λ2 − x2 − x1 (4)
y3 = −λ(x3 − x1 ) − y1 (5)
1.5 P + Q example; P ̸= Q
Adding P = (−1, −2) to Q = (2, 4):
4 − (−2)
λ= =2
2 − (−1)
x3 = (2)2 − 2 − (−1) = 3
y3 = −2(3 − (−1)) − (−2) = −6
3(2)2 + 1 13
λ= =
2(4) 8
13 2
x3 = ( ) − 2 − 2 = −1.359375
8
13
y3 = − (−1.359375 − (2)) − (4) ≈ 1.458984375...
8
We get R = (−1.359375, 1.458984375...).
−4 − (4)
λ= is undefined
2 − (2)
joshua.schneider@sheridancollege.ca page 4
MATH36206 Advanced Cryptology Week 1
We can see that (−1, −2) ≡ (10, 9) mod 11 ∈ E and that (2, 4) ∈ E. We can’t see the point O
(because it’s at infinity) but we still count it to determine the number of points in E:
|E| = 12 + 1 = 13
Before when we added these points on the real curve (by determining the line and finding the
other point) we got (−1, −2) + (2, 4) = (3, −6). We can still add these points but now we will get
(10, 9) + (2, 4) = (3, 5). This is done by ditching the geometrical interpretation (because there is
no “line” anymore!) and using equations (3), (4), (5), all mod p:
−1 mod p
(y2 − y1 )(x2 − x1 )
P ̸= Q
λ=
(3x1 + a)(2y1 )−1 mod p
2
P =Q
x3 = λ2 − x2 − x1 mod p
y3 = −λ(x3 − x1 ) − y1 mod p
joshua.schneider@sheridancollege.ca page 5
MATH36206 Advanced Cryptology Week 1
x3 = 22 − 2 − 10 mod 11
= −8 mod 11
=3
joshua.schneider@sheridancollege.ca page 6
MATH36206 Advanced Cryptology Week 1
Exercises
1.1 For the elliptic curve, E, described by y 2 = x3 + x + 6:
a) Is (−1, 2) ∈ E?
√
b) Is (0, 6) ∈ E?
c) Is (4, 2) ∈ E?
√
d) Is (5, 136) ∈ E?
e) Evaluate P + Q if P = (3, −6) and Q = (−1, 2) by manually computing the slope, the
equation of the line, and the result, R.
f) Evaluate P + Q if P = Q = (3, −6) by manually computing the slope, the equation of
the line, and the result, R.
a) Is (2, 0) ∈ E?
√
b) Is (0, 2) ∈ E?
√ √
c) Evaluate P + Q if P = (0, 2) and Q = (2, 2) by manually computing the slope, the
equation of the line, and the result, R.
√
d) Evaluate P + Q if P = Q = (−0.5, 3.875) by manually computing the slope, the
equation of the line, and the result, R.
1.3 For the elliptic curve, E, over Z11 described by y 2 = x3 + x + 6 mod 11:
a) Evaluate P + Q if P = (8, 8) and Q = (2, 7) by manually computing the slope and the
result.
b) Evaluate 3P if P = (10, 9) by manually computing all slopes and results.
a) Evaluate P + Q if P = (4, 1) and Q = (2, 3) by manually computing the slope and the
result.
b) Evaluate 8P if P = (0, 3) by manually computing all slopes and results.
joshua.schneider@sheridancollege.ca page 7
MATH36206 Advanced Cryptology Week 1
1.12 DSA
Let α and β be integers in Zp where α has order q and:
β = αa mod p
• 0 ≤ a ≤ q − 1, and q divides p − 1
sig(x, k) = (γ, δ)
• e1 = h(x)δ −1 mod q
• e2 = γδ −1 mod q
joshua.schneider@sheridancollege.ca page 8
MATH36206 Advanced Cryptology Week 1
1.16 ECDSA
Let A and B be points on an elliptic curve E where A has prime order q and:
B = mA
• 0≤m≤q−1
sig(x, k) = (r, s)
• kA = (u, v)
• r = u mod q
• i = h(x)s−1 mod q
• j = r · s−1 mod q
• (u, v) = iA + jB
joshua.schneider@sheridancollege.ca page 9
MATH36206 Advanced Cryptology Week 1
kA = 5(8, 8) = (5, 9)
r=5 mod 13
=5
s = (2 + 7(5))(5)−1 mod 13
= (37)8 mod 13
= 10
joshua.schneider@sheridancollege.ca page 10
MATH36206 Advanced Cryptology Week 1
i = 2(10−1 ) mod 13
= 2(4) mod 13
=8
j = 5 · 10−1 mod 13
=5·4 mod 13
= 20 mod 13
=7
joshua.schneider@sheridancollege.ca page 11
MATH36206 Advanced Cryptology Week 1
Exercises
1.5 Use the elliptic curve, E, over Z11 described by y 2 = x3 + x + 6 mod 11 to sign a message
x with hash h(x) = 4 using the public key (A = (2, 7), B = (7, 2), E, q = 13), random k = 3,
and private key m = 7.
1.6 Determine the values for i and j needed to verify the signature from the previous question.
iA + jB mod q = kA mod q
joshua.schneider@sheridancollege.ca page 12
MATH36206 Advanced Cryptology Week 1
Answers
1.1 yes
yes
no
yes
λ = −2, y = −2x + 0, R = (2, 4)
λ = − 73 , y = − 37 x + 1, R = (− 95 , − 62
27 )
1.2 no
yes √ √
λ = 0, y = 0x + 2, R = (−2, − 2)
λ ≈ −0.82550, y = λx + 1.55575, R ≈ (1.68145, −0.16771)
1.3 λ = 2, P + Q = (5, 9)
λ = 10 and 2P = (3, 6), λ = 2 and 2P + P = (2, 7)
1.4 λ = 6, P + Q = (2, 4)
λ = 4 and 2P = (2, 3), λ = 6 and 2P + 2P = (4, 6), λ = 6 and 4P + 4P = (0, 4)
1.6 i = 8
j=3
1.7 3
6
2
1.8 2A = O
λ = 1 and 2A = (5, 5), 2A + A = 3A = O
λ = 4 and 2A = (5, 5), λ = 5 and 2A + A = 3A = (4, 0), 3A + 3A = 6A = O
joshua.schneider@sheridancollege.ca page 13