ECC (ELLIPTIC

CURVE
CRYPTOGRAPHY)
 • As applied to cryptography, elliptic curves were
first proposed in 1985 independently by N.
Koblitz, and V. Miller.
• Elliptic curves as algebraic/geometric entities
have been around since the second half of the
XIX century.
• They are used in devising algorithms for
factoring integers, primality tests, and in public-
INTRODUCTION key cryptography.
• Elliptic curves can be defined over any field, like
real numbers, complex numbers, etc.
• For cryptographic purposes we are only
concern with those over finite fields.
• More specifically we consider prime (GF(p)) and
binary elliptic curves (GF(2m) ).
 § Elliptic Curves are (abelian) groups that have the
following properties:
§ Closure
§ Associativity
§ Have identity element

ELLIPTIC CURVES § Inverse element

Commutativity
OVER FINITE
§

§ For each element of the group.

FIELDS § Its geometric representation is (Weierstrass form):
 • Let p > 3 be a prime. An elliptic curve E
defined over Fp is an equation:
• y2 =x3 + ax + b
ELLIPTIC CURVES • where a, b ∈ Fp satisfy 4a3 + 27b2 ≠ 0.
We write E/Fp to denote the fact that E
OVER FINITE
is defined over Fp.
FIELDS
• The condition 4a3 + 27b2 ≠ 0 ensures
that the equation x3 + ax + b = 0 does
not have a double root. This is needed
to avoid certain degeneracies.
 • The set of points on the curve.
• Let E/Fp be an elliptic curve and let e ≥
1.
• We say that a point (x1, y1), where x1, y1
ELLIPTIC CURVES ∈ Fpe , is a point on the curve E if (x1, y1)
satisfies the previous curve equation .
OVER FINITE
• When e = 1 the point (x1,y1) is defined
FIELDS over the base field Fp. When e > 1 the
point is defined over an extension of Fp.
• The curve includes an additional
“special” point O called the point at
infinity.
 • The identity element is the point to infinity O.
• The inverse of a point P is its symmetric respect
to the x axis.
• The addition is defined over 3 collinear points
that are different from zero and intersect the
OPERATIONS curve P,Q,R, then P+Q+R= 0.
• If there is only two intersection points, i.e., a
tangent line intersect the curve, then, P=Q
therefore, P+P=R or, 2P=R, this called doubled a
point.
• Geometrically speaking we are obtaining −R
 ELLIPTIC
CURVES OVER
FINITE FIELDS
 OPERATIONS
GEOMETRICAL
REPRESENTATION
ADDITION

P+Q+R=0
ADDITION

• P + Q = -R
• This equation, in this form, lets
us derive a geometric method
to compute the sum between
two points P and Q:
• if we draw a line passing
through P and Q, this line will
intersect a third point on the
curve, R (this is implied by the
fact that P, Q and R are aligned).
If we take the inverse of this
point, -R , we have found the
result of P+Q.
 § What if P=0 or Q=0? Certainly, we can’t draw any
line (0 is not on the xy-plane). But given that we
ADDITION have defined 0 as the identity element, P+0=P and
0+Q=Q for any P and Q.
§ What if P=-Q? In this case, the line going through
the two points is vertical, and does not intersect
any third point. But if P is the inverse of Q, then
we have P+Q=P+(-P) =0 from the definition of
inverse.
§ What if P=Q? In this case, there are infinitely
many lines passing through the point. Consider a
point Q’ ≠ P. What happens if we make Q’
approach P, getting closer and closer to it? The
line passing through P and Q’ becomes tangent to
the curve. We can say that P+P=-R, where R is the
point of intersection between the curve and the
line tangent to the curve in P.
SCALAR
MULTIPLICATION

• Other than addition, we can define

another operation: scalar
multiplication, that is:
 ELLIPTIC CURVE CRYPTOSYSTEM CHALLENGE
• Elliptic Curve Discrete Logarithm Problem (ECDLP).
• Problem: Given P, Q in E(Fq), defined in F2m as,

• with ord(P)=n.

• Find an integer k with 1≤ k≤ n-1, such that, Q=kP

 OPERATIONS
NUMERICAL
REPRESENTATION
 THE FIELD F2M
• Let us consider a finite field F=GF(2m) over K=GF(2).
Elements of F: Polynomials of degree less than m, with coefficients in K, such that,

• Fact: The field F has exactly q-1=2m-1 nonzero elements plus the zero element.
 GENERATING POLYNOMIAL AND POLYNOMIAL BASIS

• The finite field F=GF(2m) is completely described by a monic irreducible polynomial, often called
generating polynomial, of the form

• Let α be a primitive root of P(x), i.e., P(α) = 0. Then, we define the polynomial basis of GF(2m) over
GF(2) using the primitive element α and its m first powers.
• {1, α, α2,..., αm-1},
which happen to be linearly independent over GF(2).
 • Using the polynomial basis, we can uniquely
represent any number A ∈ F=GF(2m) as

POLYNOMIAL
REPRESENTATION
• Sometimes, it is more convenient to represent a
field element using the so-called coordinate
representation,
EXAMPLE: NONZERO
ELEMENTS OF GF(24)
WITH DEFINING
POLYNOMIAL:
F(X)=X4+X+ 1
ADDITION
ELLIPTIC CURVE ADDITION
EXAMPLE
ECC - EXAMPLE

¡
ECC - EXAMPLE
¡ Elliptic Curve Addition
¡ Consider the elliptic curve defined in the previous example.
¡ Let P = (3, 10) and Q = (9, 7). Then P + Q = (x3, y3) is computed as follows:

¡ Note that 2-1 = 12 since 2 •12 ≡ 1 (mod 23). Finally,

x3 = 112 - 3 - 9 = 6 -3 - 9 = -6 ≡ 17 (mod 23), and
y3 = 11(3 - (-6)) -10 = 11(9) -10 = 89 ≡ 20 (mod 23).
¡ Hence P + Q = (17, 20).
 ECC - EXAMPLE
• Let P=(3,10). Then 2P = P + P = (x3,y3) is computed as follows:

• Note that 4-1 = 6 since 4 • 6 ≡ 1 (mod 23). Finally,

x3 =62-6=30≡7(mod 23),and
y3 =6(3-7)-10=-24-10=-34≡12(mod 23).
• Hence 2P = (7,12).
 Weierstrass Montgomery
curves. curves.

CURVE TYPES
Twisted
Edwards
Edwards
curves.
curves.
 • Weierstrass curves are the most
widely used type of elliptic curves in
ECC.
• They are defined by an equation of
the form
WEIERSTRASS y2 = x3 + ax + b
CURVES • where a and b are constants different
from 0.
• Weierstrass curves are relatively easy
to implement and offer a good
balance between security and
performance.
 • A Montgomery curve E/Fp in the
variables u and v is written as
Bv2 = u3 + Au2 + u
MONTGOMERY • for some A,B ∈ Fp where B(A2−4) ≠ 0.
CURVES • Montgomery curves offer faster scalar
multiplication than Weierstrass curves
and are often used in high-performance
applications, such as cryptographic
hardware.
 • Another way to describe an elliptic
curve E/Fp is in Edwards form, which
is
x2 + y2 = 1 + dx2y2
EDWARDS • where d ∈ Fp satisfies d ≠ 0,1.
CURVES • Edwards curves offer several security
advantages over Weierstrass curves,
such as resistance to certain types of
attacks and simpler implementation
of some cryptographic operations.
 • Twisted Edwards curves are a
variation of Edwards curves that
offer faster scalar multiplication
and simpler formulas for some
TWISTED cryptographic operations.
EDWARDS • They are defined by an equation of
CURVES the form
ax2 + y2 = 1 + dx2y2
• where a and d are constants
different from 0.
 CURVE TYPES
NIST curves: NIST curves are a set of
elliptic curves recommended by the NIST.
These curves are widely used in ECC and
are available in many programming
libraries. The most commonly used NIST
curves are P-256, P-384, and P-521,
which have prime fields of 256, 384, and
521 bits, respectively.
Brainpool curves: Brainpool curves are a
set of elliptic curves designed by a group
of European cryptographers. These
curves are optimized for performance
and security and are available in many
ECC programming libraries.
 CURVE TYPES
Curve25519: Curve25519 is an
elliptic curve designed by Daniel J.
Bernstein that is optimized for
performance and security. It is
widely used in modern
cryptographic protocols, such as the
Signal protocol and the Tor
anonymity network.
Ed25519: Ed25519 is a digital
signature algorithm based on the
Curve25519 elliptic curve. It is
designed to be fast, secure, and easy
to implement, and is available in
many ECC programming libraries.
 § Two widely used elliptic curves, called secp256r1 and secp256k1,
are specified in a standard called SEC2, where SEC is an acronym
for “standards for efficient cryptography.”
§ Both curves are defined over a 256-bit prime field, hence the
“256” in their names.
§ The ‘r’ in secp256r1 signifies that the curve is a random curve,
meaning that it was generated by a certain sampling procedure.
CURVE TYPES It is called Curve P256 by NIST. Widely used in Internet protocols.
§ The ‘k’ in secp256k1 signifies that the curve is a Koblitz. The
curve secp256r1 is, while secp256k1 is widely used in blockchain
systems (Bitcoin).
§ Curve25519, proposed by Daniel J. Bernstein and specified in
RFC 7748, is a popular curve which is notably used in TLS 1.3 for
key agreement.
ALGORITHM
ECDSA
• ECDSA stands for Elliptic Curve Digital Signature Algorithm, which is a
cryptographic algorithm used for creating digital signatures. ECDSA.
• ECDSA has several advantages over other digital signature algorithms.
• It is computationally efficient, meaning that it can generate and verify signatures
quickly and with relatively low computational resources.
• It offers a high level of security, making it resistant to various attacks, such as
forgery, replay, and key compromise.
• It is widely supported by many cryptographic libraries and is used in many
applications, such as secure communication protocols, electronic voting systems,
and digital certificates.
 Each entity A does the following:
1. Select an elliptic curve E defined over Zp. The
number of points in E(Zp) should be divisible
by a large prime n.
2. Select a point P ∈ E(Zp) of order n.
ECDSA KEY
3. Select a statistically unique and unpredictable
GENERATION integer d in the interval [1, n - 1].
4. Compute Q = dP.
5. A's public key is (E, P, n, Q); A's private key is
d.
 To sign a message m, A does the following:
1. Select a statistically unique and unpredictable
integer k in the interval [1, n - 1]
2. Compute kP = (x1, y1) and r = x1 mod n. (Here x1 is
regarded as an integer, for example by conversion
from its binary representation.) If r = 0, then go to
step 1. (This is a security condition: if r = 0, then the
ECDSA signing equation s = k-1{h(m) + dr} mod n does not
involve the private key d!)
SIGNATURE 3. Compute k-1 mod n.
GENERATION 4. Compute s = k-l {h(m) + dr} mod n, where h is the
Secure Hash Algorithm (SHA-2 or SHA-3).
If s = 0, then go to step 1. (If s = 0, then s-1 mod n
does not exist; s-1 is required in step 2 of signature
verification.)
5. The signature for the message m is the pair of
integers (r, s).
 To verify A's signature (r, s) on m, B should:
1. Obtain an authentic copy of A's public key
(E, P, n, Q). Verify that r and s are integers in
the interval [1, n - 1].
2. Compute w = s-1 mod n and h(m).
ECDSA SIGNATURE
VERIFICATION 3. Compute u1 =h(m)w mod n and u2 =rw mod
n.
4. Compute u1P + u2Q = (x0, y0) and v = x0 mod
n.
5. Accept the signature if and only if v = r.
ELLIPTIC CURVES
 • Security
1024-bit RSA and DSA 160-bit ECC offers
similar levels of security
• Efficiency
SECURITY AND
• Computational overheads
EFFICIENCY
• ECC has shorter system parameters,
keys, signatures
• ECC is bandwidth efficient
 SECURITY AND
EFFICIENCY

Field size (in bits) Size of n (in bits) !n/2 MIPS years
163 160 280 9.6 x 1011
191 186 293 7.9 x 1015
239 234 2117 1.6 x 1023
359 354 2177 1.5 x 1041
431 426 2213 1.0 x 1052
 • Handbook of Applied Cryptography, Menezes, Oorschot,
Vanstone. CRC Press, New York, fifth edition (2001).
REFERENCES • Guide to Elliptic Curve Cryptography, D. Hankerson, A. Menezes,
S. Vanstone, Springer-Verlag, 2004. ISBN 0-387-95273-X