
Introduction

Elliptic Curve Cryptography


By
V.Madhu Viswanatham
Sets and Groups
Examples
A group we like to use
Rings
Rings

• Set of integers Z is not a group under multiplication:
– Closure: yes
– Id. element: yes, 1
– Associativity: yes
– Inverse element: no
– However, Z is a ring (char. 0) under addition and multiplication
Sets, Rings, Fields
Some Fields
Some fields we like to use
• ECC was introduced by Victor Miller and Neal Koblitz in 1985.
• ECC provides the same level of security with smaller key sizes.
• A 256-bit ECC public key provides comparable security to a 3072-bit RSA
public key. The primary advantage of ECC-based cryptography is
reduced key size, and hence speed.
• Elliptic curves have nothing to do with ellipses. Ellipses are formed by
quadratic curves ($x^2$). Elliptic curves are always cubic ($x^3$).
• Blockchain implementations such as Bitcoin or Ethereum use elliptic
curves to generate public and private keys.
Standards for Efficient Cryptography Group
• The Standards for Efficient Cryptography Group (SECG) is an international
consortium to develop commercial standards for efficient and
interoperable cryptography based on elliptic curve cryptography.
• The SECG has published a document with a recommended set of elliptic
curve domain parameters, referred to by the letters p, a, b, G, n, h. This data set
{p, a, b, G, n, h} is collectively referred to as the elliptic curve domain parameters.
• These parameters have been given nicknames to enable them to be easily
identified. For example, secp256k1 is a set of elliptic curve parameters with a 256-bit
key length.
Parameters   Elliptic curve key length   RSA key length
secp192k1    192                         1536
secp224k1    224                         2048
secp256k1    256                         3072
secp384k1    384                         7680
secp512k1    512                         15360

Bitcoin and Ethereum both use the same secp256k1
elliptic curve domain parameters
Discrete Logarithms in Finite Fields
F = {1, 2, 3, …, p-1}
Alice: pick secret, random x from F; send $g^x \bmod p$ to Bob
Bob: pick secret, random y from F; send $g^y \bmod p$ to Alice
Alice: compute $k = (g^y)^x = g^{xy} \bmod p$
Bob: compute $k = (g^x)^y = g^{xy} \bmod p$
Eve has to compute $g^{xy}$ from $g^x$ and $g^y$ without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
Elliptic Curve on a finite set of Integers
• Consider $y^2 = x^3 + 2x + 3 \pmod 5$
x = 0 ⇒ $y^2 = 3$ ⇒ no solution (mod 5)
x = 1 ⇒ $y^2 = 6 = 1$ ⇒ y = 1, 4 (mod 5)
x = 2 ⇒ $y^2 = 15 = 0$ ⇒ y = 0 (mod 5)
x = 3 ⇒ $y^2 = 36 = 1$ ⇒ y = 1, 4 (mod 5)
x = 4 ⇒ $y^2 = 75 = 0$ ⇒ y = 0 (mod 5)
• Then points on the elliptic curve are
(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)
and the point at infinity: O
Using the finite fields we can form an Elliptic Curve Group
where we also have a DLP problem which is harder to solve…
Elliptic Curves
• An elliptic curve is the set of solutions (x, y) to
an equation of the form
$y^2 = x^3 + ax + b$
• If $4a^3 + 27b^2 \neq 0$: nonsingular elliptic curve
• Singular elliptic curve
Examples
Group

• A group is an algebraic system consisting of a set G together with a binary
operation * such that:
1. Closure: for all x, y in G we have x * y ∈ G
2. Associativity: for all x, y and z in G we have (x * y) * z = x * (y * z)
3. Identity: there exists an e in G such that x * e = e * x = x for all x
4. Inverse: for all x in G there exists y in G such that
x * y = y * x = e

• In addition, if for all x, y in G we have x * y = y * x,
then we say that the group G is abelian.
Example
The figure shows two elliptic curves with equations $y^2 = x^3 - 4x$ and
$y^2 = x^3 - 1$. Both are nonsingular. However, the first has three real
roots (x = −2, x = 0, and x = 2), but the second has only one real
root (x = 1) and two imaginary ones.

[Figure: Two elliptic curves over a real field]

[Figure: Three adding cases in an elliptic curve]
Group Law Axioms

•Closure
•Identity:
P+O=O+P=P
•Inverse:
(x, y) + (x, -y) = O
•Associativity
•Commutativity
Group Structures
Recall: Groups

Q: What is my operation on ECs?


For example, the points
P = (2.0, 0.0), Q = (0.0, 0.0), R = (-2.0, 0.0), S = (10.0, 30.98) and T = (10.0, -30.98)…
are all points on the curve $y^2 = x^3 - 4x$
Addition Formulae
• Let P1 = (x1, y1) and P2 = (x2, y2) be non-inverses
• Then P1 + P2 = (x3, y3) where
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda (x_1 - x_3) - y_1$
and $\lambda$ is the slope of the line:
1. $\lambda = (3x_1^2 + a)/(2y_1)$ if x1 = x2, i.e. if P = Q
2. $\lambda = (y_2 - y_1)/(x_2 - x_1)$ otherwise, i.e. if P ≠ Q
If the two points are additive inverses of each other,
P1 = (x1, y1) and P2 = (x1, −y1),
the line connecting the two points does not intercept the curve at a third
point.
But mathematicians say that the intercepting point is at infinity. They
define a point O as the point at infinity or zero point, which is the additive
identity of the group.
If P ≠ Q
If P = Q, i.e. R = P + P = 2P
P + P = 2P
If P = −Q, i.e. R = P + Q = O
Point at infinity O

As a result of the above case, P = O + P

O is called the additive identity of the
elliptic curve group.
Hence all elliptic curves have an additive
identity O
Finite Field

• A finite field is an algebraic system consisting of a set F together with
binary operations + and * defined on F satisfying the following axioms:

1. F is an abelian group with respect to +.
2. F \ {0} is an abelian group with respect to *.
3. For all x, y and z in F we have
x * (y + z) = (x * y) + (x * z)
(x + y) * z = (x * z) + (y * z)

The order of the finite field is the number of elements in the field
Elliptic Curves over Galois Field GF(p)

• It is a finite field and it consists of a set of integers {0, 1, 2, 3, …, p-1} where p is a
prime number. It supports the following arithmetic operations:

1. Addition: if a, b ∈ GF(p), then a + b = r where r is the remainder of
the division of a + b by p and 0 ≤ r ≤ p-1. This operation is called
addition modulo p.
2. Multiplication: if a, b ∈ GF(p), then a · b = s where s is the remainder
of the division of a · b by p and 0 ≤ s ≤ p-1. This operation is called
multiplication modulo p.
We defined an elliptic curve group with an addition operation, but the
operations on the coordinates of the points are over the GF(p) field with p > 3.
The resulting elliptic curve Ep(a,b)
Elliptic Curve over GF(p)

• Let P and Q be two points on E(a,b)(GF(p)) and let O be the point at
infinity.

• P + O = O + P = P
• If P = (x1, y1) then −P = (x1, −y1)
and P + (−P) = O.

• If P = (x1, y1) and Q = (x2, y2), and P and Q are not O,
then P + Q = (x3, y3) where
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda (x_1 - x_3) - y_1$
and $\lambda = (y_2 - y_1)/(x_2 - x_1)$ if P ≠ Q
$\lambda = (3x_1^2 + a)/(2y_1)$ if P = Q
• Finding an inverse
The inverse of a point (x, y) is (x, −y), where −y
is the additive inverse of y.

For example, if p = 13, the inverse of (4,2) is (4,11)


Finding the points over the curve
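def elliptic_curve_points(p, a, b):        # p is the modulus
    points = []
    x = 0
    while x < p:
        w = (x**3 + a*x + b) % p           # w is y^2
        # w is a perfect square in Z_p when some y satisfies y*y = w (mod p)
        for y in range(p):
            if (y * y) % p == w:
                points.append((x, y))      # yields (x, sqrt(w)) and (x, -sqrt(w))
        x = x + 1
    return points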
Example
• Define an elliptic curve E13(1,1). Points on the curve can be
found as shown:

(0,1) (0,12)
(1,4) (1,9)
(4,2) (4,11)
(5,1) (5,12)
(7,0) (7,0)
(8,1) (8,12)
(10,6) (10,7)
(11,2) (11,11)
• Adding two points:
Let us add two points in the previous example, R = P + Q where
P = (4,2) and Q = (10,6)
a. $\lambda = (6-2) \times (10-4)^{-1} \bmod 13 = 4 \times 6^{-1} \bmod 13 = 5 \bmod 13$
b. x = 11
c. y = 2
R = (11,2), which is a point on the curve
• Multiplying a point by a constant (scalar multiplication):

• Scalar multiplication is repeated group addition:
cP = P + ··· + P (c times)
where c is an integer
Analogy with Multiplicative Groups

Elliptic Curve Group                  Multiplicative Group
point addition                        multiplication
scalar multiplication                 exponentiation
elliptic curve discrete logarithm     discrete logarithm
A Galois field, GF($p^n$), is a finite field with $p^n$ elements.

GF(p) Fields

When n = 1, we have the GF(p) field. This field can be the set $Z_p$, {0,
1, …, p − 1}, with two arithmetic operations.
ElGamal cryptosystem

[Figure: Key generation, encryption, and decryption in ElGamal]

Key Generation
Proof of ElGamal Cryptosystem
$[C_2 \times (C_1^{d})^{-1}] \bmod p = [(e_2^{r} \times P) \times (e_1^{rd})^{-1}] \bmod p = (e_1^{rd}) \times P \times (e_1^{rd})^{-1} = P$
ECC ElGamal
Generating public and private keys:
1. Bob chooses E(a,b) with an elliptic curve over GF(p) or GF($2^n$).
2. Bob chooses a point on the curve, e1(x1, y1).
3. Bob chooses an integer, d.
4. Bob calculates e2(x2, y2) = d × e1(x1, y1) // multiple addition of points
5. Bob announces E(a,b), e1(x1, y1) and e2(x2, y2) as his public key; he keeps
d as his private key.
Encryption:
C1 = r × e1    C2 = P + r × e2

Decryption:
P = C2 − (d × C1) // The minus sign here means adding with the inverse
• ECC is based on elliptic curves. We can define a group over GF(p) or GF($2^n$) in
which the elements are points on an elliptic curve. ECC simulates the idea
of ElGamal using the above-mentioned groups.

– The one-way function in ECC is the idea of multiplying an integer by a
point to get a new point on the curve. If the original point is given, the
new point can be calculated with polynomial complexity. If the new
point is given, it is very hard to calculate the original point without
knowing the trapdoor.

– The trapdoor is the value of d that enables Bob to calculate the
original point on the curve using an algorithm with polynomial
complexity.

– The public key is (e1, e2, and E) in which e1 and e2 are two points on the
curve E. The private key is d.

– The security of ECC is based on the difficulty of solving elliptic curve
logarithms.
In the elliptic curve E(1,2) over the GF(11) field:
a. Find the equation of the curve
b. Find all points on the curve
c. Generate public and private keys for B
d. Choose a point on the curve as a plaintext for A
e. Create the ciphertext corresponding to the plaintext in part d for A
f. Decrypt the ciphertext for B to find the plaintext sent by A
a. E(1, 2) means that a = 1 and b = 2 in the equation $y^2 = x^3 + ax + b$. The
equation of the curve is then $y^2 = x^3 + x + 2$.

b. Points:
P         −P
(1, 2)    (1, 9)
(2, 1)    (2, 10)
(4, 2)    (4, 9)
(5, 0)    (5, 0)
(6, 2)    (6, 9)
(7, 0)    (7, 0)
(8, 4)    (8, 7)
(9, 5)    (9, 6)
(10, 0)   (10, 0)
c. Bob chooses e1 = (2, 1) and d = 3, then e2 = 3 × (2, 1) =
(4, 9). The public key is E11(1, 2), e1, and e2. The private key is
d.
d. Assume Alice has the plaintext P = (4, 2) to send to
Bob.

e. Alice chooses r = 6 and calculates the two points of the
ciphertext:

• C1 = r × e1 = 6 × (2, 1) = (8, 7)
• C2 = (4, 2) + 6 × (4, 9) = (4, 2) + (8, 4) = (2, 10)
f. Bob receives C1 and C2. Bob calculates the
plaintext P:

P = C2 − (d × C1) = (2, 10) − 3 × (8, 7) = (2, 10) − (8, 4) = (2, 10) + (8, 7) = (4, 2)
In the elliptic curve E($g^4$, 1) over the GF($2^4$) field:
a. Find the equation of the curve
b. Find all points on the curve
c. Generate public and private keys for B
d. Choose a point on the curve as a plaintext for A
e. Create the ciphertext corresponding to the
plaintext in part d for A
f. Decrypt the ciphertext for B to find the
plaintext sent by A
a. E($g^4$, 1) means that a = $g^4$ and b = 1. The equation of the curve
is
$y^2 + xy = x^3 + g^4 x^2 + 1$

b. Assume that the irreducible polynomial is $x^4 + x + 1$. Points:

P                    −P
(0, 1)               (0, 1)
(1, $g^6$)           (1, $g^{13}$)
($g^3$, $g^8$)       ($g^3$, $g^{13}$)
($g^5$, $g^3$)       ($g^5$, $g^{11}$)
($g^6$, $g^8$)       ($g^6$, $g^{14}$)
($g^9$, $g^{10}$)    ($g^9$, $g^{13}$)
($g^{10}$, g)        ($g^{10}$, $g^8$)
($g^{12}$, 0)        ($g^{12}$, $g^{12}$)

c. Bob chooses e1 = ($g^3$, $g^8$) and d = 2. Then e2 = d × e1 = ($g^5$, $g^3$).
The public key is the combination of e1, e2, and E($g^4$, 1). The
private key is d.

d. Alice chooses P = ($g^{10}$, g) and r = 3.

e. Alice calculates C1 = r × e1 = ($g^9$, $g^{10}$) and C2 = P + r × e2 = (1, $g^6$).
f. Bob decrypts the message: C2 − (d × C1) = ($g^{10}$, g) = P
Example
Let us define a GF($2^2$) field in which the set has four 2-bit words:
{00, 01, 10, 11}. We can redefine addition and multiplication for
this field in such a way that all properties of these operations are
satisfied, as shown in Figure 4.8.

[Figure 4.8: An example of GF($2^2$) field]
Polynomials

A polynomial of degree n − 1 is an expression
of the form

where $x^i$ is called the ith term and $a_i$ is called the coefficient
of the ith term.
Example

Figure 4.9 shows how we can represent the 8-bit word (10011001)
using a polynomial.

[Figure 4.9: Representation of an 8-bit word by a polynomial]
Example

To find the 8-bit word related to the polynomial $x^5 + x^2 + x$, we
first supply the omitted terms. Since n = 8, it means the
polynomial is of degree 7. The expanded polynomial is

This is related to the 8-bit word 00100110.
GF($2^n$) Fields

Polynomials representing n-bit words
use two fields: GF(2) and GF($2^n$).
Modulus
For the sets of polynomials in GF($2^n$), a group of
polynomials of degree n is defined as the modulus. Such
polynomials are referred to as irreducible polynomials.

[Table: List of irreducible polynomials]
Addition

Addition and subtraction operations on
polynomials are the same operation.
Example

Let us do $(x^5 + x^2 + x) \oplus (x^3 + x^2 + 1)$ in GF($2^8$). We use the symbol
⊕ to show that we mean polynomial addition. The following shows
the procedure:
Example

There is also a shortcut. Because addition in GF(2)
means the exclusive-or (XOR) operation, we can exclusive-or
the two words, bit by bit, to get the result. In the previous
example, $x^5 + x^2 + x$ is 00100110 and $x^3 + x^2 + 1$ is 00001101. The
result is 00101011 or, in polynomial notation, $x^5 + x^3 + x + 1$.
Multiplication

1. The coefficient multiplication is done in GF(2).
2. Multiplying $x^i$ by $x^j$ results in $x^{i+j}$.
3. The multiplication may create terms with degree more
than n − 1, which means the result needs to be reduced
using a modulus polynomial.
Example 4.19

Find the result of $(x^5 + x^2 + x) \otimes (x^7 + x^4 + x^3 + x^2 + x)$ in GF($2^8$)
with irreducible polynomial $(x^8 + x^4 + x^3 + x + 1)$. Note that we use
the symbol ⊗ to show the multiplication of two polynomials.

Solution

To find the final result, divide the polynomial of degree 12 by the
polynomial of degree 8 (the modulus) and keep only the
remainder. The next figure shows the process of division.
[Figure: Polynomial division with coefficients in GF(2)]
Example
In GF($2^4$), find the inverse of $(x^2 + 1)$ modulo $(x^4 + x + 1)$.

Solution (Extended Euclidean algorithm)

The answer is $(x^3 + x + 1)$, as shown in the table.

[Table: Euclidean algorithm for Exercise 4.20]
Example
In GF($2^8$), find the inverse of $(x^5)$ modulo $(x^8 + x^4 + x^3 + x + 1)$.

Solution
The answer is $(x^5 + x^4 + x^3 + x)$, as shown in Table 4.6.

[Table 4.6: Euclidean algorithm for Exercise 4.21]
Multiplication Using Computer

The computer implementation uses a better algorithm,
repeatedly multiplying a reduced polynomial by x.
Example

Find the result of multiplying P1 = $(x^5 + x^2 + x)$ by P2 = $(x^7 + x^4 + x^3 + x^2 + x)$
in GF($2^8$) with irreducible polynomial $(x^8 + x^4 + x^3 + x + 1)$
using the algorithm described above.
Solution
The process is shown in Table 4.7. We first find the partial result
of multiplying $x^0$, $x^1$, $x^2$, $x^3$, $x^4$, and $x^5$ by P2. Note that although
only three terms are needed, the product $x^m \otimes P_2$ is computed for m from 0
to 5 because each calculation depends on the previous result.
Example

[Table 4.7: An efficient algorithm (Example 4.22)]

Example
Repeat Example 4.22 using bit patterns of size 8.
Solution
We have P1 = 000100110, P2 = 10011110, modulus = 100011010
(nine bits). We show the exclusive or operation by ⊕.

[Table 4.8: An efficient algorithm for multiplication using n-bit words]
Example

The GF($2^3$) field has 8 elements. We use the irreducible
polynomial $(x^3 + x^2 + 1)$ and show the addition and multiplication
tables for this field. We show both 3-bit words and the
polynomials. Note that there are two irreducible polynomials for
degree 3. The other one, $(x^3 + x + 1)$, yields a totally different table
for multiplication.

[Table 4.9: Addition table for GF($2^3$)]

[Table 4.10: Multiplication table for GF($2^3$)]
Sometimes it is easier to define the elements of the
GF($2^n$) field using a generator.

Example

Generate the elements of the field GF($2^4$) using the irreducible
polynomial $f(x) = x^4 + x + 1$.

Solution
The elements 0, $g^0$, $g^1$, $g^2$, and $g^3$ can be easily generated, because
they are the 4-bit representations of 0, 1, x, $x^2$, and $x^3$. Elements $g^4$
through $g^{14}$, which represent $x^4$ through $x^{14}$, need to be divided by
the irreducible polynomial. To avoid the polynomial division, the
relation $f(g) = g^4 + g + 1 = 0$ can be used (see next slide).
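
The multiply-by-x algorithm, the extended Euclidean inverses and the generator construction from the slides above, carried out on bit patterns. This is an added Python example, not part of the original slides; the function names are illustrative, and each field element is stored as an integer whose bit i is the coefficient of $x^i$.

```python
# Added example: GF(2^n) elements held as integers, bit i = coefficient of x^i.

def xtime(a, mod, n):
    """Multiply a reduced polynomial by x; XOR the modulus if the degree reaches n."""
    a <<= 1
    return a ^ mod if (a >> n) & 1 else a

def gf_mul(p1, p2, mod, n):
    """p1 * p2 in GF(2^n): sum the partial results x^m * p2 for each term x^m of p1."""
    result, partial = 0, p2
    for m in range(n):
        if (p1 >> m) & 1:
            result ^= partial          # addition in GF(2) is XOR
        partial = xtime(partial, mod, n)
    return result

def poly_divmod(a, b):
    """Quotient and remainder of polynomial division with coefficients in GF(2)."""
    q = 0
    while a.bit_length() >= b.bit_length():
        shift = a.bit_length() - b.bit_length()
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def clmul(a, b):
    """Carry-less product of two GF(2) polynomials, without reduction."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def gf_inv(a, mod):
    """Extended Euclidean algorithm: returns t with a * t = 1 modulo the modulus."""
    r1, r2, t1, t2 = mod, a, 0, 1
    while r2:
        q, r = poly_divmod(r1, r2)
        r1, r2 = r2, r
        t1, t2 = t2, t1 ^ clmul(q, t2)
    if r1 != 1:
        raise ZeroDivisionError("element has no inverse")
    return t1

def generator_powers(mod, n):
    """g^0 .. g^(2^n - 2) for g = x, using f(g) = 0 instead of long division."""
    powers, e = [], 1
    for _ in range(2 ** n - 1):
        powers.append(e)
        e = xtime(e, mod, n)
    return powers

if __name__ == "__main__":
    MOD8 = 0b100011011                              # x^8 + x^4 + x^3 + x + 1
    print(format(gf_mul(0b00100110, 0b10011110, MOD8, 8), "08b"))
    print(format(gf_inv(0b00100000, MOD8), "08b"))  # inverse of x^5
    print(format(gf_inv(0b0101, 0b10011), "04b"))   # inverse of x^2 + 1 mod x^4 + x + 1
    print([format(e, "04b") for e in generator_powers(0b10011, 4)])
```
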

Example

The following show the results of addition and subtraction
operations:

Example

The following show the result of multiplication and division
operations:
Summary

The finite field GF($2^n$) can be used to define four
operations of addition, subtraction, multiplication and
division over n-bit words. The only restriction is that
division by zero is not defined.
Elliptic Curves over Galois Field GF($2^n$)
The elements of the set in this field are n-bit words that can be
interpreted as polynomials with coefficients in GF(2).
To define an elliptic curve over GF($2^n$), the common equation is
$y^2 + xy = x^3 + ax^2 + b$
where b ≠ 0. The values of x, y, a and b are polynomials representing
n-bit words.

• Finding an inverse
If P = (x, y) then −P = (x, x + y)
Finding points on the curve
We need to use an algorithm to find the points on the curve using
generators for polynomials
Selecting an Elliptic Curve
• Random method
• Complex multiplication method
• Subfield method

• Methods provide tradeoff between speed, “structure” in curves
– less structure = more conservative in assumptions
about security
Random Method
1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1

• No structure, but step 2 may be slow
• (Schoof 1985, etc.)
Complex Multiplication Method
1. Generate a curve order n with a small CM
discriminant D
2. If restrictions not met, goto 1
3. Given D, find a curve with n points

• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)
Subfield Method
• For q = $2^m$ with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1

• Fast, but significant structure
• (Koblitz)
Generic Procedures of ECC
• Both parties agree to some publicly-known data items
– The elliptic curve equation
• values of a and b
• prime, p
– The elliptic group computed from the elliptic curve equation
– A base point, B, taken from the elliptic group
• Similar to the generator used in current cryptosystems
• Each user generates their public/private key pair
– Private Key = an integer, x, selected from the interval [1, p-1]
– Public Key = product, Q, of private key and base point
• (Q = x*B)
Elliptic Curve Cryptosystem Analog to El Gamal
• Suppose Alice wants to send to Bob an encrypted
message.
• Generating public and private keys:
– Bob chooses E(a,b) with an elliptic curve over GF(p)
– Bob chooses a point on the curve, e1(x1, y1)
– Bob chooses an integer d.
– Bob calculates e2(x2, y2) = d × e1(x1, y1)
– public key = {E(a,b), e1(x1, y1), e2(x2, y2)}
– private key = d

– Alice takes plaintext message, M, and encodes it onto a point, P,
from the elliptic group
Elliptic Curve Cryptosystem Analog to El Gamal
– To encrypt:
– Alice chooses another random integer, r, from the interval
[1, p-1]
– The ciphertext is a pair of points
C1 = r × e1    C2 = P + r × e2
– To decrypt:
– Bob computes the plaintext with his private key, d
P = C2 − (d × C1)
The minus sign here means adding with the inverse
Proof
• P + r × e2 − (d × r × e1)
= P + (r × d × e1) − (r × d × e1)
= P + O
= P
Example
• Bob selects E67(2,3) as the elliptic curve over GF(p).
• Bob selects e1 = (2,22) and d = 4.
• Bob calculates e2 = (13,45), where e2 = d × e1.
• Bob publicly announces the tuple (E, e1, e2).
• Alice wants to send the plaintext P = (24,26) to Bob. Alice selects r = 2.
• Alice finds the point C1 = (35,1), where C1 = r × e1.
• Alice finds the point C2 = (21,44), where C2 = P + r × e2.
• Bob receives C1 and C2. He uses 2 × C1 (35,1) to get (23,25).
• Bob inverts the point (23,25) to get the point (23,42).
• Bob adds (23,42) to C2 = (21,44) to get the original plaintext P = (24,26).
Security of ECC
• The security of ECC depends on the difficulty
of solving the elliptic curve logarithm
problem.
ECC Diffie-Hellman
• Public: Elliptic curve and point B=(x,y) on curve
• Secret: Alice’s a and Bob’s b
• Alice sends a(x,y) to Bob
• Bob sends b(x,y) to Alice
• Alice computes a(b(x,y))
• Bob computes b(a(x,y))
• These are the same since ab = ba
Example – Elliptic Curve
Diffie-Hellman Exchange
• Alice and Bob want to agree on a shared key.
– Alice and Bob compute their public and private keys.
• Alice
» Private Key = a
» Public Key = PA = a * B
• Bob
» Private Key = b
» Public Key = PB = b * B
– Alice and Bob send each other their public keys.
– Both take the product of their private key and the other user’s public
key.
• Alice: KAB = a(bB)
• Bob: KAB = b(aB)
• Shared Secret Key = KAB = abB
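
The GF(p) group law, the ElGamal example on E67(2,3) and the Diffie-Hellman exchange above, as one added Python example that is not part of the original slides. Function names are illustrative, the ECDH secrets 2 and 4 are constructed values, and the on-curve check on the peer's point is an addition the slides do not show: the addition formulas never use b, so a receiver has to check the curve equation itself before multiplying by its secret.

```python
# Added example: toy-sized curves from the slides; not constant-time, not for real keys.
O = None  # the point at infinity (additive identity)

def on_curve(P, a, b, p):
    """True if P is O or satisfies y^2 = x^3 + ax + b (mod p)."""
    if P is O:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0

def add(P, Q, a, p):
    """Group law on E_p(a, b); note that b never appears in the formulas."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                      # P + (-P) = O, including doubling a point with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(P, p):
    return O if P is O else (P[0], -P[1] % p)

def mul(k, P, a, p):
    """Scalar multiplication k x P by double-and-add."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R

def elgamal_encrypt(M, r, e1, e2, a, p):
    """C1 = r x e1, C2 = M + r x e2."""
    return mul(r, e1, a, p), add(M, mul(r, e2, a, p), a, p)

def elgamal_decrypt(C1, C2, d, a, p):
    """M = C2 - (d x C1): add the inverse of d x C1."""
    return add(C2, neg(mul(d, C1, a, p), p), a, p)

def ecdh_shared(priv, peer_pub, a, b, p):
    """Shared point priv x peer_pub; rejects points that are off the curve."""
    if peer_pub is O or not on_curve(peer_pub, a, b, p):
        raise ValueError("peer public point is not a valid curve point")
    return mul(priv, peer_pub, a, p)

if __name__ == "__main__":
    a, b, p = 2, 3, 67                      # E67(2,3) from the slides
    e1, d = (2, 22), 4
    e2 = mul(d, e1, a, p)
    C1, C2 = elgamal_encrypt((24, 26), 2, e1, e2, a, p)
    print(e2, C1, C2, elgamal_decrypt(C1, C2, d, a, p))
    # Constructed ECDH secrets (2 and 4) on the same curve and base point
    print(ecdh_shared(2, mul(4, e1, a, p), a, b, p),
          ecdh_shared(4, mul(2, e1, a, p), a, b, p))
```
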
– RSA Key Size: 3072 bits
– ECC Key Size: 256 bits
• How do we strengthen RSA?
– Increase the key length
• Impractical?
Applications of ECC
• Many devices are small and have limited storage and
computational power
• Where can we apply ECC?
– Wireless communication devices
– Smart cards
– Web servers that need to handle many encryption sessions
– Any application where security is needed but lacks the
power, storage and computational power that is
necessary for our current cryptosystems
Benefits of ECC
• Same benefits of the other cryptosystems:
confidentiality, integrity, authentication and
non-repudiation but…
• Shorter key lengths
– Encryption, Decryption and Signature Verification
speed up
– Storage and bandwidth savings
Summary
• “Hard problem” analogous to discrete log
– Q = kP, where Q, P belong to a prime curve
given k, P ⇒ “easy” to compute Q
given Q, P ⇒ “hard” to find k
– known as the elliptic curve logarithm problem
• k must be large enough

• ECC security relies on the elliptic curve logarithm
problem
– compared to factoring, can use much smaller key sizes than with RSA etc.
⇒ for similar security ECC offers significant
computational advantages
ThanQ
