498-Elliptic Curves and Elliptic

Nov 21, 2013

1

498 - Elliptic Curves and Elliptic Curve Cryptography

Michael Karls

2

Outline

Groups, Abelian Groups, and Fields

Elliptic Curves Over the Real Numbers

Elliptic Curve Groups

Elliptic Curves Over a Finite Field

An Elliptic Curve Cryptography Scheme - Diffie-Hellman Key Exchange

3

Group Definition

A group is a non-empty set G equipped with a binary operation * that satisfies the following axioms for all a, b, c in G:

1. Closure: a*b in G

2. Associativity: (a*b)*c = a*(b*c)

3. Identity: There exists an element e in G such that a*e = a = e*a. We call e the identity element of G.

4. Inverse: For each a in G, there exists an element d in G such that a*d = e = d*a. We call d the inverse of a.

4

Group Definition (cont.)

If a group G also satisfies the following axiom for all a, b in G:

5. Commutativity: a*b = b*a,

we say G is an abelian group.

The order of a group G, denoted |G|, is the number of elements in G. If |G| < ∞, we say G has finite order.


5

Group Examples

One example of a group is the set of real numbers with addition.

The set of 2 x 2 matrices with real number entries and non-zero determinant forms a group under matrix multiplication.

Another group can be made from the set of permutations on the set T = {1, 2, … , n}. This group is denoted by $S_n$.

Recall that a permutation is a 1-1 onto function from T → T.

When n = 3, the set of permutations on T is $S_3$ = {(1), (12), (13), (23), (123), (132)}.

Recall that in cycle notation, for  = (12),  (1) = 2,  (2) = 1, and  (3) = 3.

For permutations  and  , define the product   to be the permutation obtained by applying  first, then  .

For example, with  = (13) and  = (12),   = (13)(12) = (132) and   = (12)(13) = (123).

6

Group Examples

Here is the “multiplication” table for $S_3$:

|       | (1)   | (12)  | (13)  | (23)  | (123) | (132) |
|-------|-------|-------|-------|-------|-------|-------|
| (1)   | (1)   | (12)  | (13)  | (23)  | (123) | (132) |
| (12)  | (12)  | (1)   | (123) | (132) | (13)  | (23)  |
| (13)  | (13)  | (132) | (1)   | (123) | (23)  | (12)  |
| (23)  | (23)  | (123) | (132) | (1)   | (12)  | (13)  |
| (123) | (123) | (23)  | (12)  | (13)  | (132) | (1)   |
| (132) | (132) | (13)  | (23)  | (12)  | (1)   | (123) |

From the table, we see that $S_3$ is closed under this product, the identity element is (1), each element has an inverse, and the product is associative.

Therefore, $S_3$ is a group!

We call $S_n$ the Symmetric Group on n elements.

Which of these examples are finite?

Which are abelian?
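The product convention and the table above, rebuilt in code as an added example that is not part of the original slides. Permutations are stored as tuples (p(1), p(2), p(3)), and the names compose, cycles, cayley_table, is_group and is_abelian are chosen here for illustration.

```python
from itertools import permutations

def compose(s, t):
    """Product of s and t in the slides' convention: apply s first, then t."""
    return tuple(t[s[i] - 1] for i in range(len(s)))

def cycles(p):
    """Cycle notation for a permutation stored as the tuple (p(1), ..., p(n))."""
    seen, out = set(), ""
    for start in range(1, len(p) + 1):
        if start in seen or p[start - 1] == start:
            continue  # already listed in an earlier cycle, or a fixed point
        x = start
        out += "("
        while x not in seen:
            seen.add(x)
            out += str(x)
            x = p[x - 1]
        out += ")"
    return out or "(1)"  # the identity is written (1)

# The six elements in the order used by the table: (1), (12), (13), (23), (123), (132).
S3 = sorted(permutations((1, 2, 3)), key=lambda p: (len(cycles(p)), cycles(p)))

def cayley_table(group):
    """Map (row, column), both in cycle notation, to the product row*column."""
    return {(cycles(s), cycles(t)): cycles(compose(s, t)) for s in group for t in group}

def is_group(elems):
    """Closure, identity and inverses; associativity is inherited from function composition."""
    elems = set(elems)
    e = tuple(range(1, len(next(iter(elems))) + 1))
    closed = all(compose(s, t) in elems for s in elems for t in elems)
    inverses = all(any(compose(s, t) == e for t in elems) for s in elems)
    return e in elems and closed and inverses

def is_abelian(group):
    return all(compose(s, t) == compose(t, s) for s in group for t in group)

if __name__ == "__main__":
    table = cayley_table(S3)
    names = [cycles(p) for p in S3]
    for row in names:
        print(row.ljust(6), " ".join(table[(row, col)].ljust(6) for col in names))
    print("group:", is_group(S3), "abelian:", is_abelian(S3))
```

The row for (13) and column for (12) gives (132) while the reverse order gives (123), which is why is_abelian(S3) is False.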

7

Field Definition

A field F is a non-empty set with two binary operations, usually denoted + and *, which satisfy the following axioms for all a, b, c in F:

1. a+b is in F

2. (a+b)+c = a+(b+c)

3. a+b = b+a

4. There exists $0_F$ in F such that $a + 0_F = a = 0_F + a$. We call $0_F$ the additive identity.

5. For each a in F, there exists an element x in F such that $a + x = 0_F = x + a$. We call x the additive inverse of a and write x = -a.

8

Field Definition (cont.)

Field axioms (cont.): For all a, b, c in F,

6. a*b in F

7. (a*b)*c = a*(b*c)

8. a*b = b*a

9. There exists $1_F$ in F, $1_F \neq 0_F$, such that for each a in F, $a * 1_F = a = 1_F * a$. We call $1_F$ the multiplicative identity.

10. For each $a \neq 0_F$ in F, there exists an element y in F such that $a * y = 1_F = y * a$. We call y the multiplicative inverse of a and write $y = a^{-1}$.

11. a*(b+c) = a*b + a*c and (b+c)*a = b*a + c*a. (Distributive Law)

9

Field Examples

Note that any field is an abelian group under + and the non-zero elements of a field form an abelian group under *.

Some examples of fields:

Real numbers

$Z_p$, the set of integers modulo p, where p is a prime number, is a finite field.

For example, $Z_7$ = {0, 1, 2, 3, 4, 5, 6} and $Z_{23}$ = {0, 1, 2, 3, … , 22}.

10

Elliptic Curves Over the Real Numbers

Let a and b be real numbers. An elliptic curve E over the field of real numbers R is the set of points (x,y) with x and y in R that satisfy the equation

together with a single element  , called the point at infinity.

There are other types of elliptic curves, but we’ll only consider elliptic curves of this form.

If the cubic polynomial $x^3 + ax + b$ has no repeated roots, we say the elliptic curve is non-singular.

A necessary and sufficient condition for the cubic polynomial $x^3 + ax + b$ to have distinct roots is $4a^3 + 27b^2 \neq 0$.

In what follows, we’ll always assume the elliptic curves are non-singular.

11

Examples of Elliptic Curves

[Figure: graphs of the curves $y^2 = x^3 - 7x + 6$ and $y^2 = x^3 - 2x + 4$]
12

An Elliptic Curve Lemma

The next result provides a way to turn the set of points on a non-singular elliptic curve into an abelian group!

Elliptic Curve Lemma: Any line containing two points of a non-singular elliptic curve contains a unique third point of the curve, where

Any vertical line contains  , the point at infinity.

Any tangent line contains the point of tangency twice.

13

Geometric Elliptic Curve Addition

Using the Elliptic Curve Lemma, we can define a way to geometrically “add” points P and Q on a non-singular elliptic curve E!

First, define the point at infinity to be the additive identity, i.e. for all P in E,

P +  = P =  + P.

Next, define the negative of the point at infinity to be -  =  .

14

Geometric Elliptic Curve Addition (cont.)

For $P = (x_P, y_P)$, define the negative of P to be $-P = (x_P, -y_P)$, the reflection of P about the x-axis.

From the elliptic curve equation,

we see that whenever P is in E, -P is also in E.

15

Geometric Elliptic Curve Addition (cont.)

In what follows, assume that neither P nor Q is the point at infinity.

For $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ in E, there are three cases to consider:

1. P and Q are distinct points with $x_P \neq x_Q$.

2. Q = -P, so $x_P = x_Q$ and $y_P = -y_Q$.

3. Q = P, so $x_P = x_Q$ and $y_P = y_Q$.

16

Geometric Case 1: $x_P \neq x_Q$

By the Elliptic Curve Lemma, the line L through P and Q will intersect the curve at one other point.

Call this third point -R.

Reflect the point -R about the x-axis to point R.

P+Q = R

[Figure: the curve $y^2 = x^3 - 7x + 6$, with points P, Q and R]
17

Geometric Case 2: $x_P = x_Q$ and $y_P = -y_Q$

In this case, the line L through P and Q = -P is vertical.

By the Elliptic Curve Lemma, L will also intersect the curve at  .

P+Q = P+(-P) =  

It follows that the additive inverse of P is -P.

[Figure: the curve $y^2 = x^3 - 2x + 4$, with points P and Q]
18

Geometric Case 3: $x_P = x_Q$ and $y_P = y_Q$

Since P = Q, the line L through P and Q is tangent to the curve at P.

If $y_P = 0$, then P = -P, so we are in Case 2, and P+P =  .

For $y_P \neq 0$, the Elliptic Curve Lemma says that L will intersect the curve at another point, -R.

As in Case 1, reflect -R about the x-axis to point R.

P+P = R

Notation: 2P = P+P

[Figure: the curve $y^2 = x^3 - 7x + 6$, with points P and R]
19

Geometric Elliptic Curve Model

For an interactive illustration of how geometric elliptic addition works, a great resource is Certicom’s Geometric Elliptic Curve Model.

For the elliptic curves $y^2 = x^3 - 7x + 6$ and $y^2 = x^3 - 2x + 4$, try adding points P and Q or doubling P (i.e. 2P = P+P), graphically.

20

Algebraic Elliptic Curve Addition

Geometric elliptic curve addition is useful for illustrating the idea of how to add points on an elliptic curve.

Using algebra, we can make this definition more rigorous!

As in the geometric definition, the point at infinity is the identity, -  =  , and for any point P in E, -P is the reflection of P about the x-axis.

21

Algebraic Elliptic Curve Addition (cont.)

In what follows, assume that neither P nor Q is the point at infinity.

As in the geometric case, for $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ in E, there are three cases to consider:

1. P and Q are distinct points with $x_P \neq x_Q$.

2. Q = -P, so $x_P = x_Q$ and $y_P = -y_Q$.

3. Q = P, so $x_P = x_Q$ and $y_P = y_Q$.

22

Algebraic Case 1: $x_P \neq x_Q$

First we consider the case where $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ with $x_P \neq x_Q$.

The equation of the line L through P and Q is y =  x +  , where

In order to find the points of intersection of L and E, substitute  x +  for y in the equation for E to obtain the following:

The roots of (2) are the x-coordinates of the three points of intersection.

Expanding (2), we find:

23

Algebraic Case 1: $x_P \neq x_Q$ (cont.)

Since a cubic equation over the real numbers has either one or three real roots, and we know that $x_P$ and $x_Q$ are real roots, it follows that (3) must have a third real root, $x_R$.

Writing the cubic on the left-hand side of (3) in factored form

we can expand and equate coefficients of like terms to find

24

Algebraic Case 1: $x_P \neq x_Q$ (cont.)

We still need to find the y-coordinate of the third point, $-R = (x_R, -y_R)$ on the curve E and line L.

To do this, we can use the fact that the slope of line L is determined by the points P and -R, both of which are on L:

Thus, the sum of P and Q will be the point $R = (x_R, y_R)$ with

where


25

Algebraic Case 2: $x_P = x_Q$ and $y_P = -y_Q$

In this case, the line L through P and Q = -P is vertical, so L contains the point at infinity.

As in the geometric case, we define P+Q = P+(-P) =  , which makes P and -P additive inverses.

26

Algebraic Case 3: $x_P = x_Q$ and $y_P = y_Q$

Finally, we need to look at the case when Q = P.

If $y_P = 0$, then P = -P, so we are in Case 2, and P+P =  .

Therefore, we can assume that $y_P \neq 0$.

Since P = Q, the line L through P and Q is the line tangent to the curve at $(x_P, y_P)$.

27

Algebraic Case 3: $x_P = x_Q$ and $y_P = y_Q$

The slope of L can be found by implicitly differentiating the equation $y^2 = x^3 + ax + b$ and substituting in the coordinates of P:

Arguing as in Case 1, we find that

P+P = 2P = R, with $R = (x_R, y_R)$, where

28

Elliptic Curve Groups

From these definitions of addition on an elliptic curve, it follows that:

1. Addition is closed on the set E.

2. Addition is commutative.

3.  is the identity with respect to addition.

4. Every point P in E has an inverse with respect to addition, namely -P.

The associative axiom also holds, but is “hard” to prove.

29

Elliptic Curves Over Finite Fields

Instead of choosing the field of real numbers, we can create elliptic curves over other fields!

Let a and b be elements of $Z_p$ for p prime, p > 3. An elliptic curve E over $Z_p$ is the set of points (x,y) with x and y in $Z_p$ that satisfy the equation

together with a single element  , called the point at infinity.

As in the real case, to get a non-singular elliptic curve, we’ll require $4a^3 + 27b^2$ (mod p) ≠ 0 (mod p).

Elliptic curves over $Z_p$ will consist of a finite set of points!

30

Addition on Elliptic Curves over $Z_p$

Just as in the real case, we can define addition of points on an elliptic curve E over $Z_p$, for prime p > 3.

This is done in essentially the same way as the real case, with appropriate modifications.

31

Addition on Elliptic Curves over $Z_p$ (cont.)

Suppose P and Q are points in E.

Define P +  =  + P = P for all P in E.

If Q = -P (mod p), then P+Q =  .

Otherwise, P+Q = R = $(x_R, y_R)$, where

32

Elliptic Curves Over $Z_{23}$ Model

Again, Certicom provides a model for an elliptic curve over a finite field: Finite Geometric Elliptic Curve Model.

For the elliptic curves $y^2 = x^3 + 16x + 6$ and $y^2 = x^3 + 21x + 4$ over the field $Z_{23}$, try adding points P and Q or doubling P (i.e. 2P = P+P).

33

Cryptography on an Elliptic Curve

Using an elliptic curve over a finite field, we can exchange information securely!

For example, we can implement a scheme invented by Whitfield Diffie and Martin Hellman in 1976 for exchanging a secret key.

34

Diffie-Hellman Key Exchange via Colors of Paint

1. Alice and Bob each have a three-gallon bucket that holds paint.

2. Alice and Bob choose a public color of paint, such as yellow.

3. Alice chooses a secret color, red.

4. Alice mixes one gallon of her secret color, red, with one gallon of yellow and sends the mixture to Bob.

5. Bob chooses a secret color, purple.

6. Bob mixes one gallon of his secret color, purple, with one gallon of yellow and sends the mixture to Alice.

35

Diffie-Hellman Key Exchange via Colors of Paint (cont.)

7. Alice adds one gallon of her secret color, red, to the mixture from Bob. Alice ends up with a bucket of one gallon each of yellow, purple, and red paint.

8. Bob adds one gallon of his secret color, purple, to the mixture from Alice. Bob ends up with a bucket of one gallon each of yellow, red, and purple paint.

9. Both Alice and Bob will have a bucket of paint with the same color - this common color is the key!

Note that even if eavesdropper Eve knows that the common color is yellow, or intercepts the paint mixtures from Alice or Bob, she will not be able to figure out Alice’s or Bob’s secret color!

36

Diffie-Hellman Key Exchange via an Elliptic Curve

1. Alice and Bob publicly agree on an elliptic curve E over a finite field $Z_p$.

2. Next Alice and Bob choose a public base point B on the elliptic curve E.

3. Alice chooses a random integer 1 <  < |E|, computes P =  B, and sends P to Bob. Alice keeps her choice of  secret.

4. Bob chooses a random integer 1 <  < |E|, computes Q =  B, and sends Q to Alice. Bob keeps his choice of  secret.

1. Alice and Bob choose E to be the curve $y^2 = x^3 + x + 6$ over $Z_7$.

2. Alice and Bob choose the public base point to be B = (2,4).

3. Alice chooses  = 4, computes P =  B = 4(2,4) = (6,2), and sends P to Bob. Alice keeps  secret.

4. Bob chooses  = 5, computes Q =  B = 5(2,4) = (1,6), and sends Q to Alice. Bob keeps  secret.

37

Diffie-Hellman Key Exchange via an Elliptic Curve (cont.)

5. Alice computes $K_A$ =  Q =  ( B).

6. Bob computes $K_B$ =  P =  ( B).

7. The shared secret key is K = $K_A$ = $K_B$.

Even if Eve knows the base point B, or P or Q, she will not be able to figure out  or  , so K remains secret!

5. Alice computes $K_A$ =  Q = 4(1,6) = (4,2).

6. Bob computes $K_B$ =  P = 5(6,2) = (4,2).

7. The shared secret key is K = (4,2).
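The exchange above carried through in code, as an added example that is not part of the original slides: it implements the three addition cases over $Z_p$ with the standard chord and tangent slope formulas, uses double-and-add for the multiples, and reproduces P = (6,2), Q = (1,6) and K = (4,2). The names on_curve, add, mul, order and shared_key, the use of None for the point at infinity, and the on-curve check applied to the received point are assumptions of this example.

```python
P_MOD, A, B_COEF = 7, 1, 6   # the slides' curve y^2 = x^3 + x + 6 over Z_7
BASE, INF = (2, 4), None     # base point B; None stands for the point at infinity here

# Non-singularity condition from the slides, reduced mod p.
assert (4 * A**3 + 27 * B_COEF**2) % P_MOD != 0

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y * y - x**3 - A * x - B_COEF) % P_MOD == 0

def add(p, q):
    """Point addition over Z_p, following the three cases on the slides."""
    if p is INF or q is INF:
        return q if p is INF else p
    (xp, yp), (xq, yq) = p, q
    if xp == xq and (yp + yq) % P_MOD == 0:   # Case 2: Q = -P (also covers y_P = 0)
        return INF
    if p == q:                                # Case 3: slope of the tangent at P
        m = (3 * xp * xp + A) * pow(2 * yp, -1, P_MOD)
    else:                                     # Case 1: slope of the chord through P and Q
        m = (yq - yp) * pow((xq - xp) % P_MOD, -1, P_MOD)
    xr = (m * m - xp - xq) % P_MOD
    return (xr, (m * (xp - xr) - yp) % P_MOD)

def mul(k, pt):
    """Compute k*pt by double-and-add."""
    result = INF
    while k > 0:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def order(pt):
    """Smallest n > 0 such that n*pt is the point at infinity."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

def shared_key(secret, received):
    """Check that the peer's point lies on E before multiplying it by the secret."""
    if received is INF or not on_curve(received):
        raise ValueError("received point is not a valid point of E")
    return mul(secret, received)

P, Q = mul(4, BASE), mul(5, BASE)   # Alice's and Bob's public points
print(P, Q, shared_key(4, Q), shared_key(5, P), order(BASE))
```

order(BASE) returns 11, so the multiples of B repeat with period 11 and both sides arrive at 20B = 9B = (4,2).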

38

References

Hungerford, Thomas W. Abstract Algebra: An Introduction Second Edition. New York: Saunders College Publishing, 1997.

Koblitz, Neal. Algebraic Aspects of Cryptography. Berlin: Springer-Verlag, 1999.

“Online ECC Tutorial.” Certicom. http://www.certicom.com/index.php/10-introduction

Stinson, Douglas R. Cryptography Theory and Practice Second Edition. New York: Chapman & Hall/CRC, 2002.