Tutorial 5b: ECC over finite field F[2m]

This ECC is by far the most efficient elliptic curve cryptosystem and it is part of An ECC
standard.
An elliptic curve E over F[2m] is given by
y2 + xy = x3 + ax2 + b modulo M(t).

y2 + xy = x3 + 3x2 + 4

0
-4 -2 0 2 4

-2

-4
Figure 5.1 An example of an algebraic elliptic curve

Let us take x1=2, y1=100+i, where i is the last 2 digits of your matrix number or newly assigned
number. Take a=3, compute b.
We will always compute in a ring modulo M=29910. = 1001010112.

Step 1: Double point

Step 2: Add point
Note: Refer to an inverse table modulo M(t).

Table 5.1 An inverse a1 of a = xy in hexa modulo irreducible polynomial 29910 = M(t) =
t8+t5+t3+t+1 written in hexadecimals.

a1 y
0 1 2 3 4 5 6 7 8 9 A B C D E F
0 00 01 95 E6 DF BB 73 A4 FA 85 C8 55 AC CE 52 69
1 7D 27 D7 F8 64 59 BF A3 56 50 67 9A 29 33 A1 98
2 AB 91 86 E8 FE E1 7C 11 32 1C B9 30 CA 76 C4 3D
3 2B B8 28 1D A6 B1 4D 3F 81 61 8C 5A C5 2F 4C 37
4 C0 F4 DD 44 43 DC 74 FC 7F 8F E5 C6 3E 36 9D DA
5 19 57 0E 68 C9 0B 18 51 65 15 3B 8D 62 97 8B 6F
6 80 39 5C 96 14 58 9B 1A 53 0F CD D9 B3 9E 8A 5F
x 7 D5 F2 A5 06 46 FD 2D CB F7 E2 82 ED 26 10 8E 48
8 60 38 7A EC FB 09 22 E9 B4 C2 6E 5E 3A 5B 7E 49
9 AA 21 D2 B7 E7 02 63 5D 1F A0 1B 66 DB 4E 6D B2
A 99 1E BE 17 07 72 34 B0 F1 EF 90 20 0C CF BD D1
B A7 35 9F 6C 88 C3 D3 93 31 2A DE 05 D0 AE A2 16
C 40 F5 89 B5 2E 3C 4B E4 0A 54 2C 77 D8 6A 0D AD
D BC AF 92 B6 F3 70 F9 12 CC 6B 4F 9C 45 42 BA 04
E FF 25 79 F6 C7 4A 03 94 23 87 EB EA 83 7B F0 A9
F EE A8 71 D4 41 C1 E3 78 13 D6 08 84 47 75 24 E0

Step 0: Choose a base point P1(x1, y1).

Let us take x1= 2 = t = 102, for instance take i = 4210, y1=100+i = 14210 = 8E16 = 100011102.
Take P1(x1, y1) = (02, 8E)
Step 1: Assign parameters, a and b.
Given a = 3 = t + 1 = 112. From an elliptic curve y2 + xy = x3 + ax2 +b,
We need to compute b = y2 + xy – (x3 + ax2)
y12 =1000111010001110

=10001110
10001110
10001110
100011100
=100000001010100
100101011
101010010100
100101011
1111001100
 100101011
110011010
100101011
10110001= B116.

x1 y1 = 1010001110
=100011100
100101011
= 110111 = 3716.

We move to the RHS, we need to compute x3,

x2 = 1010 = t2 = 1002.
100 = 416.

x3 = x  x2 = t  t2 = t3 = 10002.
10100
= 10002 = 0816.

Let us move on to ax2 = 11100

= 100
100
= 1100 = 0C16.
Finally, we can compute b, from y2 + xy = x3 + ax2 +b,
b = y2 + xy  (x3 + ax2)
= 10110001+110111-(1000+1100)

= 10110001
110111
1000
1100
= 10000010 = 8216.

Let us move to Double Point operation on P1(x1, y1) = (0216, 8E16)

Step 2: Double Point

Describe a double point operation given a point on an elliptic curve.
From a basic Point, compute P2(x2, y2) = 2P1(x1, y1)
From an irreducible polynomial 29910 =12B16 =256 +32+8+2+1=M(t) = t8 + t5 +t3 + t +1.

Let (x1, y1) be a point on an elliptic curve E(F2m), and (x1, y1)  (x2, –y2)
then let (x2, y2) = 2(x1, y1) such that
 b y1
x 2 =x21 + and y 2 =x 21 +( 1+ x 1 + )⋅x 2
x 21 x1

From x12 = 1002, refer to Table 5.1 in xy =04, we get an inverse x12 =DF=110111112.
Let us compute
bx12 = 82DF
= 1000001011011111
= 11011111
110111110
110111000111110
100101011
10010011111110
100101011
110011110
100101011
= 10110101=B516

x2 = x12 + bx12 = 100+10110101

= 10110101
100
= 10110001=B116.

From x1 = 102=216, refer to Table 5.1 in xy=02, we get an inverse x11 =9516.
 Let us compute
y1 x11 = 8E95
= 1000111010010101
= 10010101
10010101
10010101
100101010
= 100110101010110
100101011
11110010110
100101011
1100111010
100101011
101101100
100101011
1000111=4716.
1
Next 1 + x1 + y1 x1 = 1+10+1000111
= 1000111
10
+ 1
1000100=4416.

(1 + x1 + y1 x11 ) x2 =100010010110001

10110001
1011000100
10111010000100
100101011
101111100100
100101011
1010111100
100101011
11101010=EA16.

Then we are ready to compute y2 = x12 + (1 + x1 + y1 x11 ) x2

= 100+11101010
= 11101010
100
= 11101110=EE16.
Step 3: Add Point
Compute P3(x3, y3) = P1(x1, y1)  P2(x2, y2) = (0216, 8E16)  (B116, EE16)

Let (x1, y1) and (x2, y2) are two points on an elliptic curve E(F2m), and
(x1, y1)  (x2,  y2)
then let (x3, y3) = (x1, y1)  (x2, y2) such that

( ) ( )
y 2− y 1 2 y 2− y 1 y −y
x 3= + −( x 1 +x 2 )+a and y 3 = 2 1 ( x1 −x 3 )−( x3 + y 1 )
x 2 −x 1 x2 −x 1 x2 −x 1

Let the slope

y − y1
m= 2
x 2 −x 1 of the secant line connecting (x , y ) and (x , y )
1 1 2 2
then
x3 = m2 + m – (x1 + x2) + a and y3 = m(x1 – x3) – (x3 + y1)

Let us start from the denominator

x2 – x1 = B116 – 0216
= 10110001
10
= 10110011 = B316.

Refer to an inverse Table 5.1, from (x2 – x1)1 = 6C16.

Take the numerator y2 – y1 =EE – 8E=6016.

Now we can compute the slope of secant line,

m = (y2 – y1)(x2 – x1)1=606C
= 110000001101100
1101100
110110000000
1011010000000
100101011
10000110000
100101011
10011100=9C16.
2
m =9C9C
=1001110010011100
=10011100
10011100
10011100
1001110000
 =100000101010000
100101011
101110010000
100101011
1011001000
100101011
10011110=9E16.

Now we are ready to get to

x3 = m2 + m – (x1 + x2) + a
= 10011110
10011100
10110011
11
= 10110010=B216.

Then we want to compute,

y3 = m(x1 – x3) – (x3 + y1)

x1 – x3=02 – B2=B016.
x3 + y1=B2 + 8E=3C16.

Let us compute m(x1 – x3) = 9CB0

= 1001110010110000
= 1011000010011100
10011100
10011100
100111000000
101010001000000
100101011
1111010000000
100101011
110000110000
100101011
10101101000
100101011
111000100
100101011
11101111=EF16.

Let us compute first,

x3 + y1 = B2 + 8E
=10110010
 10001110
111100=3C16.

y3 = m(x1 – x3) – (x3 + y1) =EF  3C

= 11101111
111100
= 11010011=D316. walla…

Answer = [2 142 177 238 178 211]

Answer Table for Tutorial 5b in decimals.

i x1 y1 x2 y2 x3 y3 i x1 y1 x2 y2 x3 y3
0 2 100 180 98 59 253 50 2 150 237 242 91 173
1 2 101 254 67 61 196 51 2 151 167 2 89 66
2 2 102 180 214 59 198 52 2 152 255 229 3 62
3 2 103 254 189 61 249 53 2 153 181 193 94 102
4 2 104 166 196 88 133 54 2 154 255 26 3 61
5 2 105 236 123 143 24 55 2 155 181 116 94 56
6 2 106 166 98 88 221 56 2 156 249 181 136 21
7 2 107 236 151 143 151 57 2 157 179 6 102 129
8 2 108 160 29 141 163 58 2 158 249 76 136 157
9 2 109 234 53 182 183 59 2 159 179 181 102 231
1
0 2 110 160 189 141 46 60 2 160 152 66 167 117
1
1 2 111 234 223 182 1 61 2 161 210 201 153 224
1
2 2 112 250 38 156 184 62 2 162 152 218 167 210
1
3 2 113 176 178 45 8 63 2 163 210 27 153 121
1
4 2 114 250 220 156 36 64 2 164 158 148 0 23
1
5 2 115 176 2 45 37 65 2 165 212 136 178 56
1
6 2 116 252 111 236 66 66 2 166 158 10 0 23
1
7 2 117 182 108 251 190 67 2 167 212 92 178 138
1
8 2 118 252 147 236 174 68 2 168 140 244 42 92
1
9 2 119 182 218 251 69 69 2 169 198 118 195 5
2
0 2 120 238 194 210 213 70 2 170 140 120 42 118
2
1 2 121 164 95 96 226 71 2 171 198 176 195 198
2
2 2 122 238 44 210 7 72 2 172 138 18 162 150
2
3 2 123 164 251 96 130 73 2 173 192 7 253 213
2
4 2 124 232 187 42 57 74 2 174 138 152 162 52
2
5 2 125 162 177 113 174 75 2 175 192 199 253 40
2 2 126 232 83 42 19 76 2 176 208 124 88 16
6
2
7 2 127 162 19 113 223 77 2 177 154 213 239 100
2
8 2 128 163 158 233 136 78 2 178 208 172 88 72
2
9 2 129 233 145 44 159 79 2 179 154 79 239 139
3
0 2 130 163 61 233 97 80 2 180 214 10 157 108
3
1 2 131 233 120 44 179 81 2 181 156 52 180 166
3
2 2 132 165 94 234 4 82 2 182 214 220 157 241
3
3 2 133 239 198 100 50 83 2 183 156 168 180 18
3
4 2 134 165 251 234 238 84 2 184 196 97 78 10
3
5 2 135 239 41 100 86 85 2 185 142 193 7 174
3
6 2 136 183 175 183 24 86 2 186 196 165 78 68
3
7 2 137 253 169 3 179 87 2 187 142 79 7 169
3
8 2 138 183 24 183 175 88 2 188 194 39 103 215
3
9 2 139 253 84 3 176 89 2 189 136 16 166 184
4
0 2 140 177 95 178 97 90 2 190 194 229 103 176
4
1 2 141 251 206 117 229 91 2 191 136 152 166 30
4
2 2 142 177 238 178 211 92 2 192 47 220 17 232
4
3 2 143 251 53 117 144 93 2 193 101 141 161 241
4
4 2 144 235 127 154 205 94 2 194 47 243 17 249
4
5 2 145 161 82 212 216 95 2 195 101 232 161 80
4
6 2 146 235 148 154 87 96 2 196 41 239 40 198
4
7 2 147 161 243 212 12 97 2 197 99 41 21 44
4
8 2 148 237 31 91 246 98 2 198 41 198 40 238
4
9 2 149 167 165 89 27 99 2 199 99 74 21 57