Elliptic Curve Cryptography

Elliptic Curves
An elliptic curve is a cubic equation of the form:

y 2 + axy + by = x3 + cx2 + dx + e

where a, b, c, d and e are real numbers.

A special addition operation is defined over elliptic curves, and this with the inclusion of a point
O, called point at infinity. If three points are on a line intersect an elliptic curve, the their sum is
equal to this point at infinity O (which acts as the identity element for this addition operation.
Figure 1 shows the elliptic curves y 2 = x3 + 2x + 5 and y 2 = x3 − 2x + 1.
10 10
p1
8 p1 8

6 6

4 4

r
2 2
r
q
0 0
y

q
−2 −2

−4 −4

−6 −6

−p1
−8 −8
−p1
−10 −10
−2 −1 0 1 2 3 4 5 6 −2 −1 0 1 2 3 4 5 6
x x

Figure 1: Elliptic curves y 2 = x3 + 2x + 5 and y 2 = x3 − 2x + 1.

Elliptic Curves over Galois Fields

An elliptic group over the Galois Field Ep (a, b) is obtained by computing x3 + ax + b mod p for
0 ≤ x < p. The constants a and b are non negative integers smaller than the prime number p and
must satify the condition:

4a3 + 27b2 mod p = 0

For each value of x, one needs to determine whether or not in it a quadratic residue. If it is
the case, then there are two values in the elliptic group. If not, then the point is not in the elliptic
group Ep (a, b).

1
Example(construction of an elliptic group):
Let the prime number p = 23 and let the constants a = 1 and b = 1 as well. We first verify
that:

4a3 + 27b2 mod p = 4 × 13 + 27 × 12 mod 23

4a3 + 27b2 mod p = 4 + 27 mod 23 = 31 mod 23
4a3 + 27b2 mod p = 8 = 0

We then determine the quadratic residues Q23 from the reduced set of residues Z23 = {1, 2, 3, . . . , 21, 22}:

x2 mod p (p − x)2 mod p =

12 mod 23 222 mod 23 1
2
2 mod 23 212 mod 23 4
32 mod 23 202 mod 23 9
2
4 mod 23 192 mod 23 16
52 mod 23 182 mod 23 2
2
6 mod 23 172 mod 23 13
72 mod 23 162 mod 23 3
2
8 mod 23 152 mod 23 18
92 mod 23 142 mod 23 12
2
10 mod 23 132 mod 23 8
112 mod 23 122 mod 23 6

Therefore set of p−1

2 = 11 quadratic residues Q23 = {1, 2, 3, 4, 6, 8, 9, 12, 13, 16, 18}.
Now, for 0 ≤ x < p, compute y 2 = x3 + x + 1 mod 23 and determine if y 2 is in the set of
quadratic residues Q23 :

x 0 1 2 3 4 5 6 7 8 9 10 11
y2 1 3 11 8 0 16 16 6 15 3 22 9
y 2 ∈ Q23 ? yes yes no yes no yes yes yes no yes no yes
y1 1 7 10 0 4 4 11 7 3
y2 22 16 13 0 19 19 12 16 20

x 12 13 14 15 16 17 18 19 20 21 22
y2 16 3 22 10 19 9 9 2 17 14 22
y 2 ∈ Q23 ? yes yes no no no yes yes yes no no no
y1 4 7 3 3 5
y2 19 16 20 20 18

2
 The elliptic group Ep (a, b) = E23 (1, 1) thus include the points (including also the additional
single point (4, 0)):

 

 (0, 1) (0, 22) (1, 7) (1, 16) (3, 10) (3, 13) (4, 0) 

 
(5, 4) (5, 19) (6, 4) (6, 19) (7, 11) (7, 12) (9, 7)
E23 (1, 1) =

 (9, 16) (11, 3) (11, 20) (12, 4) (12, 19) (13, 7) (13, 16) 

 
(17, 3) (17, 20) (18, 3) (18, 20) (19, 5) (19, 18)

Figure 2 shows a scatterplot of elliptic group Ep (a, b) = E23 (1, 1).

25

20

15
y

10

0
0 2 4 6 8 10 12 14 16 18 20
x

Figure 2: Scatterplot of elliptic group Ep (a, b) = E23 (1, 1).

3
Addition and multiplication operations over elliptic groups
Let the points P = (x1 , y1 ) and Q = (x2 , y2 ) be in the elliptic group Ep (a, b), and O is the point at
infinity. The rules for addition over the elliptic group Ep (a, b) are:

1. P + O = O + P = P

2. If x2 = x1 and y2 = −y1 , that is P = (x1 , y1 ) and Q = (x2 , y2 ) = (x1 , −y1 ) = −P , then

P + Q = O.

3. If Q = −P , then the sum P + Q = (x3 , y3 ) is given by:

x3 = λ2 − x1 − x2 mod p
y3 = λ(x1 − x3 ) − y1 mod p

where
 y2 −y1
x2 −x1 if P = Q
λ
3x21 +a
2y1 if P = Q

Example(Multiplication over an elliptic curve group):

The multiplication over an elliptic curve group Ep (a, b) is the equivalent of the modular expo-
nentiation in RSA.
Let P = (3, 10) ∈ E23 (1, 1). Then 2P = (x3 , y3 ) is equal to:

2P = P + P = (x1 , y1 ) + (x1 , y1 )

Since P = Q and x2 = x1 , the values of λ, x3 and y3 are given by:

3x21 + a 3 × (32 ) + 1 5
λ = mod p = mod 23 = mod 23 = 4−1 mod 23 = 6
2y1 2 × 10 20
x3 = λ2 − x1 − x2 mod p = 62 − 3 − 3 mod 23 = 30 mod 23 = 7
y3 = λ(x1 − x3 ) − y1 mod p = 6 × (3 − 7) − 10 mod 23 = −34 mod 23 = 12

Therefore 2P = (x3 , y3 ) = (7, 12).

The multiplication kP is obtained by doing the elliptic curve addition operation k times by
following the same additive rules.

4
 y2 −y1
k λ= x2 −x1 (if P = Q) or x3 y3 kP
3x2 +a
λ = 2y1 1 if P = Q λ2 − x1 − x2 mod 23 λ(x1 − x3 ) − y1 mod 23 (x3 , y3 )
1 (3,10)
2 6 7 12 (7,12)
3 12 19 5 (19,5)
4 4 17 3 (17,3)
5 11 9 19 (9,16)
6 1 12 4 (12,4)
7 7 11 3 (11,3)
8 2 13 16 (13,16)
9 19 0 1 (0,1)
10 3 6 4 (6,4)
11 21 18 20 (18,20)
12 16 5 4 (5,4)
13 20 1 7 (1,7)
14 13 4 0 (4,0)
15 13 1 16 (1,16)
16 20 5 19 (5,19)
17 16 18 3 (18,3)
18 21 6 19 (6,19)
19 3 0 22 (0,22)
20 19 13 7 (13,7)
21 2 11 20 (11,20)
22 7 12 19 (12,19)
23 1 9 7 (9,7)
24 11 17 20 (17,20)
25 4 19 18 (19,18)
26 12 7 11 (7,11)
27 6 3 13 (3,13)

5
Elliptic Curve Encryption
Elliptic curve cryptography can be used to encrypt plaintext messages, M , into ciphertexts. The
plaintext message M is encoded into a point PM form the finite set of points in the elliptic group,
Ep (a, b). The first step consists in choosing a generator point, G ∈ Ep (a, b), such that the smallest
value of n such that nG = O is a very large prime number. The elliptic group Ep (a, b) and the
generator point G are made public.
Each user select a private key, nA < n and compute the public key PA as: PA = nA G. To
encrypt the message point PM for Bob (B), Alice (A) choses a random integer k and compute the
ciphertext pair of points PC using Bob’s public key PB :

PC = [(kG), (PM + kPB )]

After receiving the ciphertext pair of points, PC , Bob multiplies the first point, (kG) with his
private key, nB , and then adds the result to the second point in the ciphertext pair of points,
(PM + kPB ):

(PM + kPB ) − [nB (kG)] = (PM + knB G) − [nB (kG)] = PM

which is the plaintext point, corresponding to the plaintext message M . Only Bob, knowing the
private key nB , can remove nB (kG) from the second point of the ciphertext pair of point, i.e.
(PM + kPB ), and hence retrieve the plaintext information PM .

Example(Elliptic curve encryption):

Consider the following elliptic curve:

y 2 = x3 + ax + b mod p
y 2 = x3 − x + 188 mod 751

that is: a = −1, b = 188, and p = 751. The elliptic curve group generated by the above elliptic
curve is then Ep (a, b) = E751 (−1, 188).
Let the generator point G = (0, 376). Then the multiples kG of the generator point G are (for
1 ≤ k ≤ 751):

G = (0, 376) 2G = (1, 376) 3G = (750, 375) 4G = (2, 373)

5G = (188, 657) 6G = (6, 390) 7G = (667, 571) 8G = (121, 39)
9G = (582, 736) 10G = (57, 332) ... 761G = (565, 312)
762G = (328, 569) 763G = (677, 185) 764G = (196, 681) 765G = (417, 320)
766G = (3, 370) 767G = (1, 377) 768G = (0, 375) 769G = O(point at infinity)

If Alice wants to send to Bob the message M which is encoded as the plaintext point PM =
(443, 253) ∈ E751 (−1, 188). She must use Bob public key to encrypt it. Suppose that Bob secret
key is nB = 85, then his public key will be:

PB = nB G = 85(0, 376)
PB = (671, 558)

6
 Alice selects a random number k = 113 and uses Bob’s public key PB = (671, 558) to encrypt
the message point into the ciphertext pair of points:

PC = [(kG), (PM + kPB )]

PC = [113 × (0, 376), (443, 253) + 113 × (671, 558)]
PC = [(34, 633), (443, 253) + (47, 416)]
PC = [(34, 633), (217, 606)]

Upon receiving the ciphertext pair of points, PC = [(34, 633), (217, 606)], Bob uses his private
key, nB = 85, to compute the plaintext point, PM , as follows

(PM + kPB ) − [nB (kG)] = (217, 606) − [85(34, 633)]

(PM + kPB ) − [nB (kG)] = (217, 606) − [(47, 416)]
(PM + kPB ) − [nB (kG)] = (217, 606) + [(47, −416)] (since −P = (x1 , −y1 ))
(PM + kPB ) − [nB (kG)] = (217, 606) + [(47, 335)] (since −416 ≡ 335 (mod 751))
(PM + kPB ) − [nB (kG)] = (443, 253)

and then maps the plaintext point PM = (443, 253) back into the original plaintext message M .

Security of ECC
The cryptographic strength of elliptic curve encryption lies in the difficulty for a cryptanalyst to
determine the secret random number k from kP and P itself. The fastest method to solve this
problem (known as the elliptic curve logarithm problem) is the Pollard ρ factorization method
[Sta99].
The computational complexity for breaking the elliptic curve cryptosystem, using the Pollard ρ
method, is 3.8×1010 MIPS-years (i.e. millions of instructions per second times the required number
of years) or an elliptic curve key size of only 150 bits [Sta99]. For comparison, the fastest method to
break RSA, using the General Number Field Sieve Method to factor the composite interger n into
the two primes p and q, requires 2 × 108 MIPS-years for a 768-bit RSA key and 3 × 1011 MIPS-years
with a RSA key of length 1024.
If the RSA key length is increased to 2048 bits, the General Number Field Sieve Method will
need 3 × 1020 MIPS-years to factor n whereas increasing the elliptic curve key length to only 234
bits will impose a computational complexity of 1.6 × 1028 MIPS-years (still with the Pollard ρ
method).