Elliptic Curve Cryptography
Elaine Brow, December 2010
Math 189A: Algebraic Geometry

1. Introduction to Public Key Cryptography

To understand the motivation for elliptic curve cryptography, we must first understand the purpose of public key cryptography as a whole. To do this, we introduce a hypothetical situation involving two old friends of cryptographers everywhere, Alice and Bob.

Example 1.1. (Alice and Bob) Suppose Alice and Bob would like to communicate secret messages to each other. The only problem is, everyone knows that an evil eavesdropper (appropriately named Eve) has access to all communication between Alice and Bob. How can they tell their secrets without Eve hearing (or at least without Eve hearing anything of significance), and keep her from tampering with the information on its way from one person to another? This is where the idea of public keys comes in.

Alice and Bob each have a key, some number or mathematical procedure that can be applied to messages, composed of a public piece and a private piece. The private pieces of these keys are never transmitted, while the public pieces are accessible to everyone, including Eve. When Alice wants to send a message to Bob, she uses the public piece of Bob’s key to encrypt the information, and sends it without worrying at all about who sees it. Then Bob uses the private part of his key to decrypt the information. Because Bob is the only one who has the private part of his key, he is the only one who can decrypt it.

For additional security, Alice and Bob may also have public and private signatures, which work similarly to the keys. If Alice wants Bob to know that the message he receives from her is authentic, she’ll apply a private signature to some authentication message before sending it; when Bob wants to know that it’s hers, he’ll apply the easily accessible public part of her signature to that, which will return the authentication. If Eve tampers with the signature, it will return garbled, and Bob will know it is corrupted.

If the mathematical public and private keys don’t make sense, just think of the public keys as padlocks and the private keys as the keys to those locks. Alice and Bob both publicly distribute copies and copies of each of their locks, but always keep the key safely with them. Then to send Bob a message, Alice just has to find one of Bob’s padlocks, lock her message up with it, and send it to him. He has the single key to all of his locks, so he is the only one who can open it.

Notice that the security of this system does not rely at all on Alice and Bob finding a secure way to transmit information, but it relies very heavily on Alice and Bob each having private keys that are very, very difficult to retrieve using only their public keys. Eve can only be thwarted if the information that she can intercept is totally useless. This brings us to the elliptic curve discrete logarithm problem, which we will see can be made sufficiently difficult to give us a useful pair of keys. First we must explain elliptic curves.

2. The Elliptic Curve Group Law

Definition 2.1. An elliptic curve is a nonsingular projective algebraic curve over some field $k$ with genus 1 and a specified point $O$ (this will be the “point at infinity”).

So long as $k$ does not have characteristic 2 or 3, this will be a smooth plane cubic curve with the point at infinity, and we can describe the curve as points satisfying the equation $y^2 = x^3 + ax + b$, with $a$ and $b$ such that the discriminant, $\Delta = -16(4a^3 + 27b^2)$, is nonzero (which will give the desired nonsingularity).

The group law on an elliptic curve. The operation exploited for key selection in elliptic curve cryptography comes from considering the elliptic curve as an abelian group with points as elements. The group law is point addition; to add two points $P$ and $Q$, we will draw the line $PQ$ through them (or use the tangent line at $P$ to add it to itself), find the third point of intersection $-R$ of that line with the curve, and reflect it over the axis of symmetry of the curve. The resulting point, $R$, will be the sum of $P$ and $Q$. For the purposes of this addition, note that the point at infinity $O$ lies on any line through a point and its opposite. The formal properties of the addition law are described below.

Theorem 2.2 The addition law on elliptic curve $C$ has the following properties (where $O = -O$ is the point at infinity, and if $P = (x_0, y_0)$, then $-P = (x_0, -y_0)$):
(i) For point $P \in C$, $P + O = P$,
(ii) For points $P, Q \in C$, $P + Q = Q + P$
(iii) For point $P \in C$, there is some point $-P$ such that $P + (-P) = O$
(iv) For $P, Q, R \in C$, $(P + Q) + R = P + (Q + R)$.

In short, the addition law gives us the group properties that we desire. Additionally, we will note that the subset of points in this group whose coordinates both belong to a given field $k$, along with the point at infinity, will form a subgroup of the curve group $C$. This will be important, because the curves used in elliptic curve cryptography are defined over a finite field, and we need that set to be closed under point addition.

Because our goal now is not to construct elliptic curve cryptography, but rather to understand how it works, we will omit the formal proof, but notice that most of the properties above follow directly from the geometric description of point addition.

3. The Elliptic Curve Discrete Logarithm Problem

Now that we understand the properties of elliptic curves as groups, we can approach the elliptic curve discrete logarithm problem, from which elliptic curve cryptosystems draw their strength.

Definition 3.1 The elliptic curve discrete logarithm problem (ECDLP) is this: given an elliptic curve $C$ defined over $\mathbb{F}_q$ and two points $P, Q \in C$, find an integer $x$ such that $Q = xP$.

It can be understood on a very elementary level why this problem might be difficult to solve. Imagine going through several iterations of the point adding process described above on a curve that has many, many points, then erasing all of the intermediate steps. It is not immediately apparent how to proceed when trying to recreate the process you have just made invisible.

In fact, nobody knows exactly how difficult this problem is to solve, because no one has come up with an efficient algorithm to solve it. It is, however, believed to be more difficult to solve than the general discrete logarithm problem, and the various factorization problems that are used in other cryptosystems (and the best methods for cracking these problems do not seem to adapt easily to elliptic curve problems), which suggests that elliptic curve cryptography is the strongest of all the available cryptographic systems.

Looking at the required key sizes for multiple given levels of security (where “more secure” means “takes longer to break”) of elliptic curve cryptosystems as compared to other traditional cryptosystems, the required key sizes of other systems rise exponentially as difficulty increases, while the increase in required key size for elliptic curve systems is relatively minuscule. What this means is that if we set up our cryptosystems so that they can be cracked only by solving ECDLP, Bob and Alice’s messages will be extremely secure.

4. Examples of Elliptic Curve Cryptosystems

Because the ECDLP tells us that for $Q = xP$, $x$ is very difficult to find, we want $Q$ and $P$ to be the public key in any cryptosystem we use (the padlocks) and $x$ to be the private key (the hard-to-manufacture key to the padlocks). There are multiple ways to construct cryptosystems that operate this way, so we will provide two as examples. Both are elliptic curve analogues of preexisting cryptosystems that were created to use the general discrete logarithm problem; adaptation is easy since the structure of the ECDLP is so similar to that of the original DLP.

Both also assume some existing system of embedding messages into points on the elliptic curve. There are a number of ways to do this, none of which are specifically attached to the given cryptosystems, so we just assume that we have chosen some embedding of message $m$ into point $P_m$, and that this embedding is publicly known (so that Bob can retrieve the embedded message once he obtains $P_m$). Our first example is an adaptation of the ElGamal public key cryptosystem:

Example 4.1 (The ElGamal Elliptic Curve Cryptosystem) Suppose that we have some elliptic curve $C$ defined over a finite field $\mathbb{F}_q$ where $q = p^n$ is large (and $p$ is prime). Suppose that $C$, $q$, and a point $G \in C$ are publicly known, as is the embedding system $m \mapsto P_m$. When Alice wants to communicate secretly with Bob, they proceed thus:
• Bob chooses a random integer $b$, and publishes the point $bG$ (while $b$ remains secret).
• Alice chooses her own random integer $a$ and sends the pair of points $(aG, P_m + a(bG))$ to Bob (while $a$ remains secret).
• To decrypt the message, Bob calculates $b(aG)$ from the first part of the pair, then subtracts it from the second part to obtain $P_m + a(bG) - b(aG) = P_m + abG - abG = P_m$, and then reverses the embedding to get back the message $m$.
• Eve, who can only see $bG$, $aG$, and $P_m + a(bG)$, must find $a$ from $aG$ or $b$ from $bG$ to make sense of $P_m + a(bG)$, so her problem is reduced to the ECDLP, and she is thwarted.

This is a successful cryptosystem because every operation that Alice and Bob have to carry out (addition and subtraction on the curve) is relatively easy, while the operation that Eve would have to perform to crack the system is extremely difficult (or for real-life villains without the proper resources, perhaps impossible). Our next example, an analogue of the Massey-Omura public key cryptosystem, operates on a similar back-and-forth series of easy problems for Alice and Bob that produces the ECDLP for Eve.

Example 4.2 (The Massey-Omura Elliptic Curve Cryptosystem) As before, suppose that we have some elliptic curve $C$ defined over a finite field $\mathbb{F}_q$ where $q = p^n$ is large, and $N = |C|$. (We did not need the number of points on $C$ in the previous example, but this information is never relied on to be secret, because it can be calculated with relative efficiency.) The embedding system $m \mapsto P_m$, as well as $q$, $C$, and $N$, are publicly known. When Alice wants to communicate secretly with Bob, they proceed thus:
• Alice chooses a random integer $c$ such that $0 < c < N$ and $\gcd(c, N) = 1$, and sends $cP_m$ to Bob (while keeping $c$ secret).
• Bob then chooses a random integer $d$ with the same properties as $c$, and sends $d(cP_m)$ back to Alice (while keeping $d$ secret).
• Alice can find $c'$ from $c$ such that $cc' \equiv 1$, and sends $c'(d(cP_m)) = dP_m$ back to Bob.
• To decrypt the message, Bob multiplies $d'(dP_m)$, where $dd' \equiv 1$, and retrieves $P_m$, and reverses the embedding to get the message $m$.
• Again, Eve’s problem reduces to the ECDLP because she would need to retrieve $c$, $d$, or $dc$ from $cP_m$, $dcP_m$, or $dP_m$, etc., to steal the message at any point.

Still, Alice and Bob’s calculations are much, much easier to perform than Eve’s ECDLP, so this cryptosystem succeeds.
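
The group law of Section 2 and the exchanges of Examples 4.1 and 4.2, worked in Python as an added example that is not part of the original paper. The curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, the base point $G = (5, 1)$, the group order $N = 19$ and all function names are assumptions chosen for illustration; the inverses $c'$ and $d'$ are taken modulo $N$, and a group this small gives no security.

```python
# Toy parameters assumed for illustration: y^2 = x^3 + 2x + 2 over F_17.
# This curve has N = 19 points and G = (5, 1) generates all of them.
from math import gcd

P_MOD, A, B, N = 17, 2, 2, 19
G, O = (5, 1), None        # O is the point at infinity

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P_MOD)

def add(p1, p2):
    # Chord-and-tangent addition (Section 2), done with arithmetic mod p.
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                   # P + (-P) = O
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)         # tangent
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)      # chord
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    # Double-and-add: computes k*pt in O(log k) additions.
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def elgamal_encrypt(pm, bob_pub, a):
    # Alice sends (aG, Pm + a(bG)); a is her secret scalar.
    return mul(a, G), add(pm, mul(a, bob_pub))

def elgamal_decrypt(pair, b):
    # Bob removes the mask b(aG) = abG using his secret b.
    return add(pair[1], neg(mul(b, pair[0])))

def massey_omura(pm, c, d):
    # Three passes; returns (point Bob recovers, messages Eve observes).
    if gcd(c, N) != 1 or gcd(d, N) != 1:
        raise ValueError("c and d must be invertible mod N")
    m1 = mul(c, pm)                    # Alice -> Bob:   c*Pm
    m2 = mul(d, m1)                    # Bob -> Alice:   d*(c*Pm)
    m3 = mul(pow(c, -1, N), m2)        # Alice -> Bob:   c'*(dc*Pm) = d*Pm
    return mul(pow(d, -1, N), m3), (m1, m2, m3)
```

With the constructed message point `(9, 16)`, `elgamal_decrypt(elgamal_encrypt((9, 16), mul(7, G), 5), 7)` and `massey_omura((9, 16), 3, 5)[0]` both return `(9, 16)`, while none of the transmitted points equals it.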

5. Conclusion

The examples that we have provided above are conceptually simple, but it is important to remember that the groups we are considering are enormous, the keys are large enough to be measured in number of bits, and the operations that are described as “relatively easy” are called that because very fast computers can complete them in fairly reasonable amounts of time (and the “difficult” problems are then so difficult that those same computers cannot solve them in any reasonable amount of time).

We must also remember that not every choice of curve, finite field, and point is created equal. In the ElGamal system, Alice and Bob are operating not on the entire curve, but on the cyclic group generated by $G$, and in the Massey-Omura system, that generated by $P_m$. These decisions must be made well, and it would take much more space than this to explain how to make them well. However, with the appropriate choices, we do get to see the power of something that is quite simple, in the elliptic curve group law. A geometric idea as simple as connecting dots (though one dot does have to lie at infinity) gives us a secret messaging system that has yet to be cracked.