See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/229026452

Elliptic Curve Cryptography

Article · April 2009

CITATIONS READS

5 935

1 author:

Nathan Muyinda
Makerere University
8 PUBLICATIONS 7 CITATIONS

SEE PROFILE

All content following this page was uploaded by Nathan Muyinda on 15 August 2014.

The user has requested enhancement of the downloaded file.

 Elliptic Curve Cryptography

Nathan Muyinda ([email protected])

African Institute for Mathematical Sciences (AIMS)

Supervised by: Professor Barry Green

University of Stellenbosch, South Africa
and
Professor Hans-Georg Rück
Kassel University,Germany

22 May 2009
Submitted in partial fulfillment of a postgraduate diploma at AIMS
Abstract
Since their introduction to cryptography in 1985, elliptic curves have sparked a lot of research and
interest in public key cryptography. In this essay, we present an overview of public key cryptography
based on the discrete logarithm problem of both finite fields and elliptic curves. We discuss one of the
basic and important properties of elliptic curves, the group law, and show that the set of points on the
curve forms an additive abelian group. We show how the order of this abelian group affects the discrete
logarithm problem and hence the security of a public key cryptosystem. We present the Diffie-Hellman
key exchange and ElGamal cryptosystem based on the discrete logarithm problem of finite fields and
also give their analogues in the elliptic curve case. We finally show why elliptic curves are dictating
the future of public key cryptography and what makes them more efficient in constrained and wireless
communications.

Declaration

I, the undersigned, hereby declare that the work contained in this essay is my original work, and that
any work done by others or by myself previously has been acknowledged and referenced accordingly.

Nathan Muyinda, 22 May 2009

i
Contents

Abstract i

1 Introduction 1

2 Introduction to Finite Fields 2

2.1 Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

3 Elliptic Curves 7
3.1 What is an Elliptic Curve? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.2 Affine and Projective Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.3 Group Law . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Elliptic Curves over Finite Fields 15

4.1 Group of Rational Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2 Number of Points on an Elliptic Curve . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Public Key Cryptography 18

5.1 Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2 Private Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.3 Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.4 Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.5 Discrete Logarithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
5.6 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
5.7 The ElGamal Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

6 Elliptic Curve Cryptography 23

6.1 Elliptic Curve Discrete Logarithm Problem . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.2 Encoding Plaintexts as Points on an Elliptic Curve . . . . . . . . . . . . . . . . . . . . 23
6.3 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.4 ElGamal Public Key Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.5 ECIES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

ii
 6.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

References 28

iii
1. Introduction
Elliptic curves have been studied by mathematicians for a very long time. The first instances of elliptic
curves occur in the work of Fermat. They were first introduced to cryptographers by Hendrik Lenstra
in 1985 when he proposed them to factor integers. In the same year, Neal Koblitz and Victor Miller
independently showed how elliptic curves could be used to implement public key protocols, traditionally
implemented using the multiplicative group of a finite field.
Since 1985, much attention has been focused on the use of elliptic curves in public key cryptography.
This is due to the fact that there is no known sub-exponential algorithm to solve the discrete logarithm
problem on a general elliptic curve. In addition, all the cryptosystems which make use of the discrete
logarithm problem in finite fields such as the Diffie-Hellman key exchange, ElGamal encryption and
Digital Signature, all have analogues in the elliptic curve case. Elliptic curve systems have thus come
to be accepted today as the most viable public key technology for high security applications. They are
also most suitable for constrained environments such as those in which smart cards and wireless devices
are typically deployed.
In this essay, we present a brief discussion of this fascinating area of elliptic curve cryptography with
an introduction to the underlying theory of finite fields and elliptic curves. In chapter 1, we give some
basic definitions and properties of general fields. We then give an introduction to finite fields and some
of the basic properties of these fields.
In chapter 2, we introduce elliptic curves defined by the Weierstrass equation y 2 = x3 + ax + b. We
give a brief introduction to projective space so as to introduce a point at infinity on the elliptic curve,
which is very crucial in the derivation of the group law. We then explicitly derive the formulae for the
group law for adding points on the elliptic curve. This is the most important property of elliptic curves
and it is the main focus in this chapter. We end this chapter by showing that the set of rational points
forms an additive abelian group.
In chapter 3, we discuss elliptic curves over finite fields, particularly, some results that are used to
determine the order of the group of rational points on the curve. We state without proof a very
important theorem due to Hasse which gives the bounds for the number of rational points on the elliptic
curve.
In chapter 4, we give an introduction to cryptography and the definition of the basic terms used. We
then introduce the discrete logarithm and public key cryptography and give a discussion of the Diffie-
Hellman and ElGamal public key cryptosystems which rely on the computational difficulty of the discrete
logarithm problem of finite fields.
In chapter 5, we discuss analogues of the Diffie-Hellman and ElGamal protocols based on the discrete
logarithm problem for elliptic curves. We end this chapter with a discussion of a Public key cryptosystem
called ECIES that differs from other elliptic curve public key cryptosystems in that the message to be
sent needs not be expressed as a point on the elliptic curve.

1
2. Introduction to Finite Fields
The theory of finite fields is a classical and important branch of algebra that has come to the forefront
recently because of the computational possibilities of modern computers and also because of its diverse
applications in combinatorics, coding theory, cryptography among others.
In this chapter, we give an introduction to finite fields and some of the basic properties of these fields.
Familiarity with the definition and basic properties of vector spaces is assumed.

2.1 Fields

We begin our discussion with some definitions and properties of general fields.

Definition 2.1.1. A group is a set G equipped with a binary operation ∗ such that the following
properties hold:

1. For all a, b ∈ G, the element a ∗ b is in G; (Closure)

2. For all a, b, c ∈ G,

a ∗ (b ∗ c) = (a ∗ b) ∗ c ; (Associativity)

3. For all a ∈ G, there exists e ∈ G such that

a∗e=e∗a=a; (Existence of identity)

4. For each a ∈ G, there exists an inverse element a−1 ∈ G such that

a ∗ a−1 = a−1 ∗ a = e;

5. If, moreover, the group is such that for all a, b ∈ G, a ∗ b = b ∗ a, then the group is called abelian
(commutative).

Definition 2.1.2. A ring (R, +, ·) is a set R together with two binary operations + and · such that:

1. R is an abelian group with respect to + ;

2. · is associative ;

3. For all a, b, c ∈ R,

a · (b + c) = a · b + a · c and (b + c) · a = b · a + c · a .

Remark 2.1.3.

1. A ring is commutative if · is commutative.

2. A ring is called a division ring if the nonzero elements of R form a group under ·.

2
 Section 2.2. Finite Fields Page 3

3. A commutative division ring is called a field.

Examples of fields: R, Q, C, Zp (the field of integers modulo a prime p).

Let K and L be fields with K ⊆ L. If α ∈ L, we say that α is algebraic over K if there exists a monic
polynomial (a polynomial whose leading coefficient is 1) f (X) = X n + an−1 X n−1 + · · · + a0 with
a0 , · · · , an−1 ∈ K such that f (α) = 0. We say that L is an algebraic extension of K if every element
of L is algebraic over K.
Any extension field L of K is a vector space over K and the dimension of this vector space is called the
degree of L over K. If the vector space is finite dimensional, we say that L is a finite extension of K.
Definition 2.1.4. An algebraic closure of a field K is a field K̄ containing K such that:

1. K̄ is algebraic over K;
2. Every monic polynomial g (X) with coefficients in K̄ has roots in K̄. (This means that K̄ is
algebraically closed.)

It can be shown that every field K has an algebraic closure and that any two algebraic closures of K
are isomorphic.
Definition 2.1.5. The polynomial ring over K denoted by K [X] consists of all finite sums of powers
of X with coefficients in K.

The irreducible polynomials f (X) ∈ K [X] are those that are not divisible by any polynomials of lower
degree except for constants. The polynomial ring has unique factorisation, meaning that, every monic
polynomial can be written in one and only one (except for the order of factors) as a product of monic
irreducible polynomials.
Given any polynomial f (X) ∈ K [X], the smallest field containing K and all the zeros of f (X) is called
the splitting field of f (X) over K. A polynomial f (X) ∈ K [X] is said to have a zero r of multiplicity
m in some extension field L of K if m is the largest positive integer for which (X − r)m | f (X) in
L [X]. The zeros of an irreducible polynomial f (X) ∈ K [X] in the splitting field for f (X) over K are
called conjugates.
If adding the multiplicative identity 1 to itself in K never gives 0, then we say that K has characteristic
0, otherwise, there is a prime number p such that 1 + 1 + · · · 1 (p times) equals 0, and p is called the
characteristic of the field K. When K has characteristic 0, the field Q is contained in K. When K has
characteristic p, the field Fp of integers modulo p is contained in K.

2.2 Finite Fields

We now restrict our attention to finite fields, that is, fields with a finite number of elements. A finite
field cannot contain Q thus cannot have characteristic zero. Let p be the characteristic of Fq . Then Fq
contains the prime field Fp , and therefore is a finite n-dimensional vector space over Fp , and thus has
pn elements.
Let Fq be a finite field with q = pn elements where p is prime. F∗q denotes the set of nonzero elements
of Fq . There are q − 1 nonzero elements in Fq and by the definition of a field, they form an abelian
group with respect to the multiplication. In fact, this abelian group is cyclic.
 Section 2.2. Finite Fields Page 4

Definition 2.2.1. The order of a nonzero element a ∈ F∗q is the least positive integer d for which
ad = 1.
Theorem 2.2.2. If Fq is a field with q = pn elements, then every element satisfies the equation
X q − X = 0 and Fq is the splitting field for X q − X.

Proof. The group F∗q of nonzero elements of Fq forms a group of order q −1 and by Lagrange’s theorem,
the order of any element of F∗q divides q − 1. Hence

X q−1 = 1, 0 6= X ∈ Fq ,
from which we get,
X q = X, X ∈ Fq .

Since X q − X cannot have more than q roots, its roots are precisely the elements of Fq . Thus Fq is the
splitting field of the polynomial X q − X.

Lemma 2.2.3. (a + b)p = ap + bp in any field of characteristic p.

Proof.    
p p p p−1 p p−2 2
(a + b) = a + a b+ a b + · · · + bp .
1 2
 
p
If 1 ≤ j ≤ p − 1, the binomial coefficient has a factor p in its numerator that is not cancelled by
j
 
p
the denominator, so ≡ 0 (mod p). Therefore,
j

(a + b)p = ap + bp .

Proposition 2.2.4. Let q = pn , where p is a prime number. The splitting field of the polynomial
X q − X is then a field of q elements.

Proof. Let K be the splitting field over Fp of the polynomial X q − X. A polynomial f (X) has a
multiple root if and only if f (X) and f 0 (X) have a common root. Since
d
(X q − X) = qX q−1 − 1 = −1,
dX
(since q = pn = 0 in Fp ), the polynomial X q − X has no multiple roots. Thus K must contain at least
q distinct roots of X q − X.
We claim that the set of q roots is a field. We show that given any two roots, the sum and product of
these roots are also roots.
Suppose a, b are roots. Then aq = a, bq = b, implies,

(ab)q = aq bq = ab.

Therefore ab is a root. From Lemma 2.2.3, (a + b)p = ap + bp , which implies that

2 2 2
(a + b)p = (ap + bp )p = ap + bp , · · · , (a + b)q = aq + bq .
 Section 2.2. Finite Fields Page 5

But aq = a and bq = b, so that (a + b)q = a + b. Thus a + b is a root of X q − X. The multiplicative

inverse of a 6= 0;
q
a−1 = (aq )−1 = a−1 .
Therefore, the set of q roots is the smallest field containing the roots of X q − X, hence is equal to K
and has q elements.

Proposition 2.2.5.

1. F∗q is a cyclic group.

2. If g is a generator of F∗q , then g j is also a generator if and only if gcd (j, q − 1) = 1. In particular,
there are exactly ϕ (q − 1) different generators of F∗q .

For the proof of Prop. 2.2.5, we refer to [Was08].

Remark 2.2.6.

1. ϕ (n) is the Euler phi-function and is defined as the number of non negative integers b less than
n which are prime to n.
Y 1

ϕ (n) = | {0 ≤ b < n | gcd (b, n) = 1} |, ϕ (n) = n 1− ,
p
p|n

where p is prime.

2. A generator of a finite field Fq is an element of order q − 1.

We can illustrate the above material by constructing some finite fields.

Example 2.2.7. Construct F9 .

We find a monic irreducible polynomial of degree 2 over F3 . We first list all the monic quadratics in
F3 [X]. These are :

X 2 , X 2 + 1, X 2 + 2, X 2 + X, X 2 + X + 1, X 2 + X + 2, X 2 + 2X, X 2 + 2X + 1, X 2 + 2X + 2.

For each polynomial, we take each in turn and substitute all the field elements 0, 1, 2 for X. If none
of the substitutions evaluates to 0, the polynomial is irreducible. We find that X 2 + 1, X 2 + X + 2
and X 2 + 2X + 2 are the only irreducible monic quadratic polynomials in F3 [X]. The multiplicative
group F∗9 of the field is cyclic with order 8, so we can find a primitive element (a generator of the cyclic
group). The primitive elements are roots of the irreducible polynomials (thus they cannot be in F3 ) and
a primitive element has order 8. For X 2 + 1, i is a root but (i)4 = 1, thus has order 4 rather than 8 so
it cannot be a generator. Let λ be a root of X 2 + X + 2 such that λ2 + λ + 2 = 0 or λ2 = 2λ + 1. We
have:

λ1 = λ, λ2 = 2λ + 1, λ3 = λ (2λ + 1) = 2λ + 2, λ4 = 2, λ5 = 2λ, λ6 = λ + 2, λ7 = λ + 1, λ8 = 1.

We say that the polynomial X 2 + X + 2 is primitive, meaning that any root of the irreducible polynomial
is a generator of F∗9 . There are ϕ (8) = 4 generators of F∗9 . Two of them are roots of X 2 + X + 2,
whereas the other two are roots of X 2 + 2X + 2.
 Section 2.2. Finite Fields Page 6

Theorem 2.2.8. Fpm is a subfield of Fpn if and only if m | n.

Proof. Suppose Fpm is a subfield of Fpn Then, Fpn may be interpreted as a vector space over Fpm with
dimension, say, k. Hence pn = pkm which implies that n = km and m | n.
m
Conversely, suppose m | n, the finite field Fpm is contained in Fpn because any solution of X p =X
n
is also a solution of X p = X. Thus Fpm is a subfield of Fpn .
3. Elliptic Curves
Elliptic curves have a long and glorious history. The problem of computing the arc length of an ellipse
gave rise to elliptic functions that satisfy cubic equations; hence plane cubic curves are called elliptic
curves. Elliptic curves link number theory, algebraic geometry and complex analysis, and have appli-
cations to factorisation of integers, cryptography and coding theory. There are many famous unsolved
problems and conjectures involving elliptic curves and they were also crucial in Andrew Wile’s famous
proof of Fermat’s last theorem.
In this chapter, we discuss some properties of elliptic curves, particularly the fact that there is a way
to add points on the curve so that the set of points becomes a group. We give a brief description of
projective space in order to introduce an operation of addition on the points of an elliptic curve and also
to introduce the point at infinity which is very important in the derivation of the addition (group) law.

3.1 What is an Elliptic Curve?

An elliptic curve is a plane algebraic curve defined by an equation of the form

y 2 = x3 + ax + b, (3.1)

which is non-singular (has no self intersections or cusps). The curve is non-singular if the discriminant
4a3 + 27b2 6= 0. This is called the Weierstrass equation for an elliptic curve. We always take a, b, x and
y to be elements of a field such as R, Q, C or finite field Fq where q = pn with p prime and n ≥ 1 . If
K is a field with a, b ∈ K, then the elliptic curve is said to be defined over K. The point (x, y) on the
elliptic curve with x, y ∈ K is called a K-rational point.
As we shall see later, when the characteristic of the field is 2 or 3, equation (3.1) changes slightly but
it can always be modified to the form of (3.1).
The elliptic curve E : y 2 = x3 + ax + b over R has the following general forms:

For technical reasons, we add a “point at infinity” to an elliptic curve. We shall denote this point by O
sitting at the top and bottom of the y-axis. This will be a formal symbol satisfying certain computational
rules. This will be made clear after we discuss the notion of projective space.

7
 Section 3.2. Affine and Projective Space Page 8

3.2 Affine and Projective Space

Definition 3.2.1. The two dimensional affine space over a field K, often denoted A2 (K), is defined by

A2 (K) := {(x, y) : x, y ∈ K} .

Definition 3.2.2. Two non zero points (x1 , y1 , z1 ) and (x2 , y2 , z2 ) of K 3 are said to be equivalent if
there exists a nonzero number λ ∈ K such that

(x1 , y1 , z1 ) = λ (x2 , y2 , z2 ) .

We write (x1 , y1 , z1 ) ∼ (x2 , y2 , z2 ).

Definition 3.2.3. The two dimensional projective space over K denoted P2 (K) is the set of equivalence
classes of (x, y, z) denoted [x : y : z] with x, y, z ∈ K and at least one non-zero x, y, z.

P2 (K) := {[x : y : z] : x, y, z ∈ K not all zero and

[x1 : y1 : z1 ] = [x : y : z] ⇔ ∃λ ∈ K ∗ : x1 = λx, y1 = λy, z1 = λz} .

[x : y : z] is called a point of P2 (K). The coordinates x, y, z are called homogeneous coordinates.

Remark 3.2.4. An (K) and Pn (K) can be defined in a similar way for any n ∈ N, but focus will be put
on n = 1, 2.
Definition 3.2.5. A polynomial is homogeneous of degree n if it is a sum of terms of the form axi y j z k
with a ∈ K and i + j + k = n.

If a polynomial F is homogeneous of degree n, then F (λx, λy, λz) = λn F (x, y, z) for all λ ∈ K ∗ . It
follows that if F is homogeneous of some degree and (x1 , y1 , z1 ) ∼ (x2 , y2 , z2 ), then F (x1 , y1 , z1 ) = 0
if and only if F (x2 , y2 , z2 ) = 0. Therefore a zero of F in P2 (K) does not depend on the choice of
representative for the equivalence class, so the set of zeros of F in P2 (K) is well defined.
Homogeneous√coordinates
√ √
differ from the usual notion of coordinates in that they are not unique e.g
(1, 1, 1) and 2, 2, 2 are all homogeneous coordinates of the same point in P2 (K).
hx y i
If [x : y : z] is a point in P2 (K) with z 6= 0, then [x : y : z] = : : 1 . These are the “finite” points
z z
in P2 (K). If z = 0, then dividing by z is thought to be giving ∞ in either x or y coordinate and
therefore the points [x : y : 0] are called the “points at infinity” in P2 (K).
Definition 3.2.6. Given a, b, c ∈ K not all zero, the set

p ∈ P2 (K) : p has homogeneous coordinates (x, y, z) with ax + by + cz = 0



is called a projective line of P2 (K) and is isomorphic to a copy of P1 (K) embedded in P2 (K).

P1K = {[x : y] | x, y ∈ K not both zero}.

Remark 3.2.7. If ax+by +cz = 0 holds for one set (x, y, z) of homogeneous coordinates of p ∈ P2 (K),
then it holds for all homogeneous coordinates of p. This is because others can be written λ (x, y, z) =
(λx, λy, λz) , so that
a · λx + b · λy + c · λz = λ (ax + by + cz) = 0.
 Section 3.2. Affine and Projective Space Page 9

The affine space A2 (K) is contained in P2 (K) by the map

A2 (K) −→ P2 (K),
(x, y) 7−→ [x : y : 1] ,

and it can be shown that

P2 (K) \ A2 (K) = {[x : y : 0] | x, y not all zero } ' P1 (K).

This set of points corresponds to the line with equation z = 0, and is called the line at infinity. We use
the notation l∞ for this line which is isomorphic to a copy of P1 (K). Thus there exists a bijection

P2 (K) −→ A2 (K) ∪ P1 (K),

 x y 
 , ∈ A2 (K) if z 6= 0,
[x : y : z] 7−→ z z
[x : y] ∈ P1 (K) if z = 0.

The inverse map is given by

(x, y) ∈ A2 (K) 7−→ [x : y : 1] ∈ P2 (K),

[x : y] ∈ P1 (K) 7−→ [x : y : 0] ∈ P2 (K).

It should be noted that the “finite points” in P2 (K) are the points of A2 (K), and the points on the
line l∞ are the points of P1 (K).
We give two examples of how to compute points at infinity in projective space.

Example 3.2.8. Intuitively, parallel lines meet at infinity. Projective space allows us to make sense out
of this statement. Consider two non vertical parallel lines given by the equations y = mx + b1 and
y = mx + b2 , b1 6= b2 . They have the following homogeneous forms, y = mx + b1 z and y = mx + b2 z.

To find the point of intersection, we have

mx + b1 z = mx + b2 z which implies b1 z = b2 z and so (b1 − b2 ) z = 0 which yields z = 0 and y = mx.

Since we cannot have all x, y, z being 0, we must have x 6= 0. Thus the point of intersection is

[x : mx : 0] = [1 : m : 0] .
 Section 3.2. Affine and Projective Space Page 10

Hence two lines meet at the same point at infinity if and only if they are parallel. If the two lines are
vertical, given by the equations x = c1 and x = c2 , their homogeneous forms are x = c1 z and x = c2 z.
To find the point of intersection, we have

c1 z = c2 z which implies z = 0 and so x = 0.

Therefore the point of intersection is [0 : y : 0] = [0 : 1 : 0]. Note that [0 : 1 : 0] = [0 : −1 : 0]. Thus

the “top” and the “bottom” of the y-axis are the same. Any two vertical lines meet at infinity in
[0 : 1 : 0] .

Example 3.2.9. Consider the hyperbola x2 − y 2 = 1. Its homogeneous form is x2 − y 2 = z 2 .

Put z = 0, then x2 = y 2 and y = ±x, x 6= 0.

Thus there are two points at infinity [x : x : 0] = [1 : 1 : 0] and [x : −x : 0] = [1 : −1 : 0], and these
two points correspond to the points [1 : 1] , [1 : −1] ∈ P1 (K), or equivalently to the directions y = x
and y = −x in A2 (K), which are the asymptotes for the hyperbola.

Given any projective curve C : F (X, Y, Z) = 0, we can write C as a union of its affine part C0 and its
points at infinity. Here C0 is the affine curve given by the equation C0 : f (x, y) = F (x, y, 1) = 0 and
the points at infinity on C are the points with z = 0 which correspond to the limiting directions of the
tangent lines to C0 .
We are now in position to discuss an elliptic curve and its point at infinity in projective space. Consider
the elliptic curve E : y 2 = x3 + ax + b. Its homogeneous form is y 2 z = x3 + axz 2 + bz 3 . This equation
defines a curve Ē in P2 (K) whose affine part is E. Thus

Ē = [x : y : z] ∈ P2 (K) | y 2 z = x3 + axz 2 + bz 3 .


Putting z = 0 in our homogeneous equation gives x3 = 0 ⇒ x = 0 and thus y 6= 0. Therefore, point

at infinity on Ē is [0 : y : 0] = [0 : 1 : 0] and it can be shown that this is the only point at infinity on
the elliptic curve E. Hence Ē = E ∪ {[0 : 1 : 0]} where E ⊂ A2 (K) and [0 : 1 : 0] ∈ l∞ .
Recall that [0 : 1 : 0] lies on every vertical line, so every vertical line intersects E at this point at infinity.
Summarising, we can now define an elliptic curve in the following way:

Definition 3.2.10. Let K be a field with characteristic not equal to 2 and 3, and let x3 + ax + b,
a, b ∈ K, be a cubic polynomial with no multiple roots. An elliptic curve over K in P2 (K) is the set of
points (x, y) ∈ K 2 which satisfy the equation y 2 = x3 + ax + b together with a single element denoted
O called the point at infinity, where O = [0 : 1 : 0].
 Section 3.3. Group Law Page 11

Remark 3.2.11. If K is a field of:

1. characteristic 2, then E satisfies the equation

y 2 + cy = x3 + ax + b, (3.2)

together with a point at infinity O. Here we do not care whether the cubic on the right has
multiple roots;

2. characteristic 3, then E satisfies the equation

y 2 = x3 + ax2 + bx + c, (3.3)

together with a point at infinity O.

3.3 Group Law

One of the most important properties of elliptic curves is the existence of a group law for adding points
on the curve. The group law on the rational points on an elliptic curve is defined using the intersection
of straight lines with the curve. Any line that meets the curve at two rational points also meets it at a
third rational point. In the case of a vertical line, this third point is the point at infinity on the elliptic
curve.
Consider two points P1 = (x1 , y1 ) and P2 = (x2 , y2 ), P1 6= P2 on the elliptic curve E given by
y 2 = x3 + ax + b. Draw a line L through P1 and P2 which intersects E in a third point P30 . Reflect P30
across the x-axis to obtain P3 = (x3 , y3 ) . Define P1 + P2 = P3 .

We want to express x3 and y3 in terms of x1 , y1 , x2 and y2 . Let y = mx+c be the equation of L. Then,
y2 − y1
the gradient, m = (assume x1 6= x2 ) and c = y1 − mx1 . A point on L , that is, (x, mx + c),
x2 − x1
 Section 3.3. Group Law Page 12

lies on E if and only if

(mx + c)2 = x3 + ax + b.

thus, x3 − (mx + c)2 + ax + b = 0,

x3 − m2 x2 + 2mcx + c2 + ax + b = 0,

x3 − m2 x2 + (a − 2mc) x + b − c2 = 0.

x1 and x2 are roots, since P1 and P2 are points on both E and L. Therefore, the sum of the roots is
m2 . Hence,

x3 = m2 − x1 − x2 , and

y3 = − (mx3 + c) .

In terms of x1 , y1 , x2 and y2 , we have,

y2 − y1 2
 
x3 = − x1 − x2 , (3.4)
x2 − x1
 
y2 − y1
y3 = −y1 + (x1 − x3 ) . (3.5)
x2 − x1

Suppose x1 = x2 but y1 6= y2 . Then the line through P1 and P2 is a vertical line.

We know that the point at infinity [0 : 1 : 0] lies on every vertical line and also on E. Thus, the line
through P1 and P2 intersects E at this point. Reflecting this point across the x-axis gives the point
[0 : −1 : 0] = [0 : 1 : 0] = O. Therefore,

P1 + P2 = O.

Consider the case P1 = P2 = P0 = (x0 , y0 ), the line L is a tangent line to E at (x0 , y0 ).

Differentiation gives the gradient,
3x20 + a
m= ; y0 6= 0.
2y0
 Section 3.3. Group Law Page 13

Using a similar argument as in 3.4 and 3.5, we obtain the following formulae for the coordinates of 2P0 :
2
3x20 + a

x3 = − 2x0 , (3.6)
2y0
 2 
3x0 + a
y3 = −y0 + (x0 − x3 ) . (3.7)
2y0

Suppose that P2 = O. The line through P1 and O is a vertical line that intersects E in the point P10
(that is , the reflection of P1 across the x-axis). Reflecting P10 across the x-axis brings us back to P1 .
Therefore P1 + O = P1 for all points P1 on E. Similarly, O + O = O.

Remark 3.3.1. O serves as the additive identity (“zero element”) of the group of points.

We now proceed to give a summary of the group law of points on the elliptic curve as presented in
[Was08].
Let E be an elliptic curve defined by y 2 = x3 +ax+b over a field K. Let P1 = (x1 , y1 ) and P2 = (x2 , y2 )
be points on E with P1 , P2 6= O. Define P1 + P2 = P3 = (x3 , y3 ) as follows:

1. if x1 6= x2 then,
y2 − y1
x3 = m2 − x1 − x2 , y3 = m (x1 − x3 ) − y1 , where m = ;
x2 − x1

2. if x1 = x2 but y1 6= y2 , then P1 + P2 = O;

3. if P1 = P2 = P0 = (x0 , y0 ) and y0 6= 0, then,

3x20 + a
x3 = m2 − 2x0 , y3 = m (x0 − x3 ) − y0 , where m = ;
2y0

4. if P1 = P2 and y0 = 0, then P1 + P2 = O.

Moreover, P + O = P for all points P on E.

Theorem 3.3.2. The addition of points on an elliptic curve E satisfies the following properties:

1. P1 + P2 = P2 + P1 for all P1 , P2 on E; (Commutativity)

 Section 3.3. Group Law Page 14

2. P + O = P for all points P on E; (Existence of identity)

3. Given P on E, there exists P 0 on E with P + P 0 = O. This point P 0 is usually denoted by −P

and if P = (x, y), then −P = (x, −y); (Existence of inverse)

4. (P1 + P2 ) + P3 = P1 + (P2 + P3 ) for all P1 , P2 , P3 on E. (Associativity)

In other words, the points on E form an additive abelian group with O as the identity element.

Proof. We shall prove (1), (2) and (3). Part (4) is harder to prove but for details of the proof, we refer
to [Was08].

1. The line through P1 and P2 is the same as the line through P2 and P1 . Thus P1 + P2 = P2 + P1 .
This can also be seen by replacing x2 by x1 , and y2 by y1 , and vice versa in the formulae for x3
and y3 , and observing that the formulae do not change. Thus P1 + P2 = P2 + P1 .

2. The identity property holds by definition.

3. Let P 0 be the reflection of P across the x-axis. Then P + P 0 = O.

Definition 3.3.3. A point P on an elliptic curve E is said to have order m if

mP = P {z· · · + P} = O,
| +P +
m summands

where m is the smallest positive integer for which this is true.

If such an m exists, then P has finite order; otherwise, it has infinite order.
Consider a point P = (x, y) and let the order of P be 2. Then P + P = 2P = O, which means that
P = −P . But −P = − (x, y) = (x, −y). Thus, points of order 2 are points with y = 0 and they are
Pi = (αi , 0) for i = 1, 2, 3, where αi are the roots of the cubic polynomial x3 + ax + b.
We end this chapter with an example on adding points on an elliptic curve.

Example 3.3.4. Consider the elliptic curve y 2 = x3 + x + 6 defined over F11 . Let P = (2, 4) and
Q = (3, 5) be points of the curve. We now proceed to compute P + Q and 2P . In order to compute
P + Q, we substitute x1 = 2, y1 = 4, x2 = 3 and y2 = 5 in equations 3.4 and 3.5 for x3 and y3 , which
gives, x3 = −4 = 7 ∈ F11 , and y3 = −9 = 2 ∈ F11 . Hence P + Q = (7, 2) . In order to compute
2P , we substitute x0 = 2, y0 = 4, a = 1 in equations 3.6 and 3.7, to get x3 = 8 and y3 = −10 = 1.
Therefore 2P = (8, 1).
4. Elliptic Curves over Finite Fields
We have seen in the previous chapter that the points on an elliptic curve over an arbitrary field form
a group. This was mainly because the group law for addition can be expressed formally by algebraic
equations which can be applied over any field. This group of points is very crucial in the implementation
of the public key cryptosystems presented in the next chapter. Since by the algebraic formulae the group
operations eventually mount to computations in the field where the elliptic curve is defined, one has to
choose a field with an efficiently implementable arithmetic. Basically, this requirement narrows down to
the finite fields. In this chapter, we discuss elliptic curves over finite fields, in particular the results that
are used to determine the order of the group of points on the curve.

4.1 Group of Rational Points

Let Fq be a finite field and let E : F (X, Y ) = 0 be an elliptic curve with coefficients in Fq . A solution
(x, y) of F (X, Y ) is called a point on the elliptic curve E. If the coordinates x and y of the solution
lie in Fq , we call (x, y) an Fq -rational point. We shall denote the set of rational points on E by

E (Fq ) := {(x, y) : x, y ∈ Fq and F (x, y) = 0} ∪ {O} ,

where O is the point at infinity. Since there are only finitely many pairs (x, y) with x, y ∈ Fq , the group
E (Fq ) of rational points on the curve is finite.
Example 4.1.1. Consider the elliptic curve y 2 = x3 + x + 1 over F5 . We can use direct computation
to find the rational points on the curve. Since x and y are supposed to be in F5 , we take each of the
five possibilities of x and compute x3 + x + 1 and see whether the result is a square in F5 .

x x3 + x + 1 y points
0 1 ±1 (0, 1) , (0, 4)
1 3 - -
2 1 ±1 (2, 1), (2, 4)
3 1 ±1 (3, 1), (3, 4)
4 4 ±2 (4, 2), (4, 3)
O O O

Therefore, E (F5 ) = {O, (0, ±1) , (2, ±1) , (3, ±1) , (4, ±2)}. Thus E (F5 ) is an abelian group of order
9. Let P = (0, 1), and using the formulae of the group law, we find that:

2P = (4, 2) , 3P = (2, 1) , 4P = (3, −1) ,

from which it follows that the order of P is strictly greater than 3, and since the order of P should
divide the order of E (F5 ), it follows that E (F5 ) = hP i. Hence E (F5 ) is a cyclic group of order 9.

4.2 Number of Points on an Elliptic Curve

Given an elliptic curve E : y 2 = f (x) = x3 + ax + b defined over the finite field Fq , where q = pn , we
are interested in the number of points on E over Fq (q 6= 2). There are various methods that can be

15
 Section 4.2. Number of Points on an Elliptic Curve Page 16

used to find the number of points on the curve such as the direct computation used in Example 4.1.1.
But we can see that for large fields, it becomes almost impossible to find the number of points on the
curve by just substituting in values of x and then looking for values of y. Nevertheless, it is a very useful
method for computing the group order of points on elliptic curves over small finite fields.
For a finite field Fq , among the nonzero elements of the field, half of them are squares and half of them
are non-squares. When we substitute values of x into y 2 = f (x), if f (x) = 0, there is one solution
y = 0; if f (x) 6= 0, there are two solutions if f (x) is a square and no solutions if f (x) is not a square.
If we assume that f (x) is randomly distributed among the squares and non-squares, each value for x
either yields one solution (if f (x) = 0) or else it has a 50% chance of producing two solutions and a 50%
chance of producing no solutions. So the q possible values of x should give approximately q solutions
and then including the point at infinity O, gives q + 1 solutions. Thus the number of solutions should
look like
#E (Fq ) = q + 1 + (error term),
where we expect the error term to be fairly small compared to q. By a famous and important theorem
due to Hasse, we have the following result.

Theorem 4.2.1 (Hasse). Let E be an elliptic curve over the finite field Fq . Then the order of E (Fq )
satisfies
√
|q + 1 − #E (Fq )| ≤ 2 q.

For the proof of Hasse’s theorem, we refer to [Was08].

The following theorem gives a more general result.

Theorem 4.2.2 (Hasse, Weil). If C is a non-singular irreducible curve of genus g defined over the finite
field Fq , then
√
#C (Fq ) = q + 1 + ε where |ε| ≤ 2g q.

The genus of a curve is a topological invariant defined as the number of holes in the curve when seen
as a compact Riemann surface and is defined over the complex numbers C. The Hasse-Weil theorem is
also called the Riemann hypothesis for curves over finite fields because there is an alternate way to state
it which is analogous to the famous Riemann hypothesis. The theorem was conjectured by E. Artin in
his thesis (1927), was proved by Hasse in the case g = 1 (that is, for elliptic curves) and was proved by
Weil for arbitrary g. An amazingly deep generalisation to higher dimensions was conjectured by Weil
and proved by Deligne in the 1970’s.
Hasse’s theorem gives the bounds for the group of points on an elliptic curve by means of
√ √
q + 1 − 2 q ≤ #E (Fq ) ≤ q + 1 + 2 q.

This result is very useful in many algorithms that are used to determine the order of E (Fq ). For
example, an algorithm called BabyStep-GiantStep determines the order of a point in E (Fq ) and then
uses Lagrange’s theorem and Hasse’s theorem to determine #E (Fq ).

Example 4.2.3. Let E be the elliptic curve y 2 = x3 + 7x + 1 over F101 . It can be shown that the point
(0, 1) has order 116, and by Lagrange’s theorem, the order of E (F101 ) should be a multiple of 116.
Hasse’s theorem says that
√ √
101 + 1 − 2 101 ≤ #E (F101 ) ≤ 101 + 1 + 2 101,
 Section 4.2. Number of Points on an Elliptic Curve Page 17

which means that

82 ≤ #E (F101 ) ≤ 122.
The only multiple of 116 in this range is 116, so

#E (F101 ) = 116.

Since the order of the point (0, 1) is equal to the order of the group E (F101 ), then the group of points
is cyclic generated by (0, 1).

All these algorithms are very slow especially when the field is very large. However, in 1985, Schoof
published an algorithm for computing the number of points on elliptic curves over finite fields Fq that
runs much faster than existing algorithms, at least for very large q. In particular, it requires at most a
1
constant times (log q)8 bit operations, in contrast to the q 4 used in BabyStep-GiantStep, for example.
For the details of Schoof’s algorithm, we refer to [Was08].
5. Public Key Cryptography
5.1 Cryptography

Cryptography is the science of keeping communications private. It is the study of methods of sending
messages in disguised form so that only the intended recipients can remove the disguise and read
the message. Cryptography has a long and fascinating history. For most of its history, cryptography
has been used to conceal military strategies and sensitive diplomatic secrets. While the primary use of
cryptography is still the concealment of data and communications, there are important new applications.
Cryptography now plays an important role in Authentication and Identification, problems which have
become important in an increasingly digital society.
The message that we want to send is called the plaintext and the disguised message is called the
ciphertext. The process of converting a plaintext to a ciphertext is called enciphering or encryption,
and the reverse process is called deciphering or decryption. The plaintext and ciphertext are broken
up into message units. A message unit might be a single letter, a pair of letters (digraph), a triple of
letters (trigraph), or a block of 50 letters.
Definition 5.1.1. An enciphering transformation is a one-to-one map f from the set P of all possible
plaintext message units to the set C of all possible ciphertext message units.

The deciphering transformation is the map f −1 which goes back and recovers the plaintext from the
ciphertext. The situation can be represented schematically by the diagram
f −1
P /C f /P.

Any such set-up is called a cryptosystem. More often, the term cryptosystem is used to refer to a whole
family of enciphering transformations, each corresponding to a choice of parameters.
The enciphering transformation can be described by:

1. an algorithm which is the same for the whole family;

2. the values of the parameters.

The values of the parameters are called the enciphering key. Also one needs an algorithm and a key in
order to decipher, that is, compute f −1 . The key is called the deciphering key.
An example of an enciphering transformation is the affine map: C ≡ aP + b mod N of ZN , where
a and b are fixed integers (a 6= 0) and together, they form the enciphering key. Deciphering is also
accomplished by an affine map, P ≡ a−1 C − a−1 b mod N , provided gcd (a, N ) = 1 so that a−1 exists,
and so the deciphering transformation uses the same algorithm as the enciphering transformation with
a different key. Cryptanalysis is the science of decoding the ciphertext without knowledge of the key.
Example 5.1.2. In the 27-letter alphabet (with blank=26), use the affine enciphering transformation
with key a = 13, b = 9, to encipher the message “HELP ME”.
Using the affine transformation C ≡ aP + b mod N , with a = 13, b = 9 and N = 27, we obtain

7.4.11.15.26.12.4 7−→ 19.7.17.15.23.3.7 = “T HRP XDH 00 .

18
 Section 5.2. Private Key Cryptography Page 19

To decipher the message, one simply solves for P in terms of C, obtaining P ≡ a−1 C − a−1 b mod N .
This only works if gcd(a, N ) = 1.

There are several ways of classifying cryptographic algorithms. Some are based on the number of keys
employed for encryption and decryption and these include:

• Private (secret) key cryptography

• Public key cryptography

• Hash functions

In this chapter, we focus mainly on public key cryptography but before we do that, let us briefly talk
about private key cryptography and hash functions.

5.2 Private Key Cryptography

With secret (private) key cryptography, a single key is used for both encryption and decryption. The
sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver
applies the same key to decrypt the message and recover the plaintext. Because a single key is used for
both decryption and encryption, secret key cryptography is also called symmetric encryption. With this
form of cryptography, it is obvious that the key must be known to both the sender and the receiver.

5.3 Hash Functions

One of the most important parts of a message is the signature. A person’s signature lets the recipient
know that the message is really from the person whose name is typed below. A common way to sign a
document is with the help of a hash function.

Definition 5.3.1. A cryptographic hash function H is a computationally efficient function mapping

binary strings of arbitrary lengths (sometimes a message of billions of bits) to binary strings of some
fixed length (e.g 160 bits), called hash-values.

A hash function H has the following properties:

1. Given a message m, the value H(m) can be calculated very quickly.

2. Given y, it is computationally infeasible to find m with H (m) = y.

3. It is computationally infeasible to find two different messages m1 and m2 such that H(m1 ) =
H(m2 ).

For a hash function which outputs n-bit hash-values (e.g., n = 128 or 160) and has the desirable
properties, the probability that a randomly chosen string gets mapped to a particular n-bit hash-value
is 2−n . The basic idea is that a hash-value serves as a compact representative of an input string.
 Section 5.4. Public Key Cryptography Page 20

Suppose Alice sends a message m to Bob. If part of Alice’s signature consists of the hash value H(m),
then Bob can verify not only that the message was sent by Alice but also that it wasn’t tampered with
during transmission, that is, Bob applies the hash function H to his deciphered plaintext from Alice and
checks that the result agrees with the value H(m) in Alice’s signature. By assumption, no tamperer
would be able to change m without changing the value H(m).

5.4 Public Key Cryptography

In private key cryptography, since the same key is used for both encryption and decryption, the two parties
must take great care in exchanging the key so that an eavesdropper does not obtain it. The problem of
key exchange is one of the most difficult in symmetric cryptosystems. Symmetric cryptosystems create
problems of trust, as the same key is held by both users in any sender/receiver pair. In addition to being
cryptanalytically secure, a cryptosystem should satisfy the following:

1. Authentication: The recipient of a message should be able to ascertain its origin.

2. Integrity: The recipient of a message should be able to determine that the message has not been
modified during transit.

3. Non-Repudiability: A sender of a message should not be able to deny later that he sent the
message.

These requirements are impossible to achieve in classical one-key cryptosystems. The breakthrough
came in 1976 with the invention of public key cryptography by Stanford University Professor Martin
Hellman and graduate student W. Diffie.
By definition, a public key cryptosystem has the property that the enciphering function f : P −→ C
is easy to compute once the enciphering key, KE , is known, but it is very hard in practice to compute
the inverse function f −1 : C −→ P, that is, the function f is not invertible (without some additional
information - the deciphering key KD ). Such a function f is called a trapdoor function.

Definition 5.4.1. A trapdoor function f is a function which is easy to compute but whose inverse f −1
is hard to compute without having some additional information beyond what is necessary to compute
f.

The reason for the name “public key” is that the information needed to send secret messages, the
enciphering key, can be made public information without enabling anyone to read the secret messages.
There are a many public key systems, the most famous one is RSA which is based on the difficulty of
factoring integers into primes. A number of other public key cryptosystems are based on the difficulty
of solving what is called the discrete logarithm problem. We discuss the discrete logarithm in the next
section.

5.5 Discrete Logarithm

Suppose we have a finite group F∗q (with the group operation of multiplication). By repeated-squaring,
one can compute bx for large x rather rapidly (in time which is polynomial in log x). But, conversely,
 Section 5.6. Diffie-Hellman Key Exchange Page 21

if we are given an element y which we know to be of the form bx (assuming b is fixed), how can we
find the power of b that gives y, that is, how can we compute x = logb y? This question is called the
“discrete logarithm problem”.
Definition 5.5.1. If G is a finite group, b ∈ G and y is an element of G which is a power of b, then
the discrete logarithm of y to the base b is any integer x such that bx = y.

The discrete logarithm of y is not unique as it can only be found modulo the order of b in G. If G is a
finite cyclic group and b is a generator of G, then |G| = |b|. Let N be the order of G, then

logb y ≡ x (mod N).

All methods√ designed for computing discrete logarithms require exponential time, with the fastest re-
quiring O( N ) time where N is the order of the group. The discrete logarithm problem is important
because of its wide use in cryptography. The problem of computing the discrete logarithm was just a
mathematical curiosity until 1976 when Diffie and Hellman prescribed a method of exchanging crypto-
graphic keys which relies on the difficulty of the discrete logarithm problem for its security. There are
a lot of public key cryptosystems whose security is based on the computational difficulty of solving the
discrete logarithm problem. These include: ElGamal cryptosystem, Massey-Omura cryptosystem and
Digital Signature Standard among others.
In the next two sections, we talk about the Diffie-Hellman key exchange and the ElGamal cryptosystem.

5.6 Diffie-Hellman Key Exchange

Diffie-Hellman key exchange is a cryptographic protocol which allows two parties to agree on a secret
key over an insecure communications channel. This key can then be used to encrypt subsequent
communications using a symmetric key cryptosystem. The scheme was first published publicly by
Whitfield Diffie and Martin Hellman in 1976 although it later emerged that it had been discovered a few
years earlier within the GCHQ (UK Government Communications Headquarters) by Malcolm Williamson
but was kept classified. Below is how the protocol works.
Suppose Alice (A) and Bob (B) want to agree upon a key which they will use to encrypt their subsequent
messages to one another. The key exchange between A and B works as follows:

1. A and B agree on a finite field Fq and a generator g of the cyclic group F∗q .

2. A chooses a random integer a between 1 and q −1, which she keeps secret, and computes g a ∈ Fq ,
which she sends to B.

3. B chooses a random b, computes g b ∈ Fq and sends g b to A. He keeps b secret.

a
4. A computes KA = g b .

5. B computes KB = (g a )b .

KA should be equal to KB and this key is only known to A and B. The secret key they use is then g ab . A
and B can now use this private key to communicate using some cryptographically secure communication
protocol. During this key exchange, the values g a and g b are publicly known.
 Section 5.7. The ElGamal Cryptosystem Page 22

Conjecture 5.6.1 (Diffie-Hellman). It is computationally infeasible to compute g ab from the known

values g a and g b .

If the discrete logarithms were easy to compute, then one would compute a = logg (g a ) and then

a
compute g b . It is not known if there is an easy way to compute g ab from knowledge of g a and g b
without computing the discrete logs a and b.

5.7 The ElGamal Cryptosystem

The original public key system proposed by Diffie and Hellman requires interaction of both the sender
and receiver to calculate a common private key. This becomes difficult when the cryptosystem is applied
to communication channels where both parties are not able to interact due to a number of factors.
Tahar ElGamal (1984) presented a cryptosystem that simplifies the Diffie-Hellman key exchange algo-
rithm by introducing a random exponent k. Below is how the ElGamal cryptosystem works:
Alice (A) wants to send a message to Bob (B). First, B establishes his public key as follows:

1. Fix a very large finite field Fq and an element g ∈ Fq (preferably a generator).

2. Randomly select an integer b in range 0 < b < q − 1. This is the secret deciphering key.

3. He then computes g b and makes public q, g, g b . This is Bob’s public key.

Assuming we are using plaintext message units with numerical equivalents m in Fq , Alice encrypts the
message as follows:

1. Obtain Bob’s public key q, g, g b .

k
2. select a random exponent k and compute g k ∈ Fq and also m g b .

3. Send Bob the pair of elements of Fq ; g k , mg bk .

Now, since Bob knows b, he can recover m from this pair by raising the first element g k to the b-th
power and dividing the result into the second element.
Someone who can solve the discrete logarithm problem in Fq breaks the cryptosystem by finding the
b


secret deciphering key b from the public key g, g . But as we saw in the Diffie-Hellman case, this is
almost impossible.
6. Elliptic Curve Cryptography
Elliptic Curve Cryptography (ECC) was discovered in 1985 by Victor Miller (IBM) and Neal Koblitz
(University of Washington) as an alternative mechanism for implementing public key cryptography.
ECC is emerging as an attractive public key cryptosystem for mobile/wireless environments. Compared
to traditional cryptosystems like RSA, ECC offers equivalent security with smaller key sizes, which results
in faster computations, lower power consumption, as well as memory and bandwidth savings. This is
specially useful for mobile devices which are typically limited in terms of their CPU, power and network
connectivity.
In this chapter, we discuss some cryptosystems based on elliptic curves especially on the discrete loga-
rithm problem for elliptic curves. These cryptosystems are analogous to the cryptosystems discussed in
the previous chapter that are based on the discrete logarithm problem for finite fields.

6.1 Elliptic Curve Discrete Logarithm Problem

The elliptic curve discrete logarithm problem is the foundation of much of present-day ECC. It relies
on the natural group law on a non-singular elliptic curve which allows one to add points on the curve
together.
Definition 6.1.1. Given an elliptic curve E over a finite field Fq , and a point Q on E other than O,
the discrete logarithm problem on E to the base Q is the following: given a point P in E (Fq ) \ {O},
find an integer n such that nQ = P , if such an integer exists.
Example 6.1.2. Let E be an elliptic curve given by y 2 = x3 + x + 1 over F7 . We can show (as in
Chapter 4 Example 4.1.1) that
E (F7 ) = {O, (0, 1) , (0, 6) , (2, 2) , (2, 5)} .
If Q = (2, 2) and P = (0, 6), it can be shown that 3Q = P . Hence n = 3 is a solution to the discrete
logarithm problem.

The discrete logarithm problem on E is computationally difficult unless the curve has a “bad” or
“smooth” number of points over the given field, that is, #E (Fq ) is a product of small primes or E is
“supersingular” in the sense that q | #E (Fq ). The order of E (Fq ) needs not be smooth because, any
abelian group can be decomposed as a direct sum of cyclic subgroups. The discrete logarithm in the
group is then a problem in each of the cyclic subgroups. If all the cyclic subgroups are small (“smooth”),
then the discrete logarithm is easy to handle. Hence we always choose the elliptic curve such that the
order of E (Fq ) is not “smooth”. It is because of these reasons that the subject of counting points on
an elliptic curve is very important in the study of elliptic curves.
Before we discuss the various public key cryptosystems based on the elliptic curve discrete logarithm
problem, let us briefly talk about how to represent a message as a point on an elliptic curve.

6.2 Encoding Plaintexts as Points on an Elliptic Curve

We use a method proposed by Koblitz and presented in [Kob94]. Suppose E is an elliptic curve given
by y 2 = x3 + ax + b over Fq , where q = pr is assumed to be large. Let k be a large enough integer such

23
 Section 6.3. Diffie-Hellman Key Exchange Page 24

that the probability of failing to encode a plaintext message unit m is 1 out of 2k . In practice k = 30
or at worse k = 50 should suffice.
Suppose that our message units m are integers 0 ≤ m < M , and also that the finite field is chosen so
that q > M k. Let xj = mk + j, where 1 ≤ j ≤ k. For each j = 1, 2, · · · , k, compute xj and also the
right side of the equation
yj2 = f (xj ) = x3j + axj + b,
and try to find a square root of f (xj ). If we find a yj such that yj2 = f (xj ), we take Pm = (xj , yj ).
If it turns out that f (xj ) is a non-square, then increment j by 1 and try again with the corresponding
xj , provided we find an xj for which f (xj ) is a square before j gets bigger than k.
hx i xj
j
To recover m from (xj , yj ), simply compute (i.e the greatest integer less than or equal to ).
k k
Since f (xj ) is a square for approximately 50% of all xj , there is only about a 2−k probability that this
method will fail to produce a point Pm .
We now discuss some public key systems based on the discrete logarithm problem on an elliptic curve
E defined over a finite field Fq .

6.3 Diffie-Hellman Key Exchange

Alice and Bob want to agree on a common key that they can use for exchanging data via a symmetric
cryptosystem. They can establish a secret key using the following method:

1. They agree on an elliptic curve E over a finite field Fq such that the discrete logarithm problem
is hard in E (Fq ). They also agree on a point P in E (Fq ) such that the subgroup generated by
P has large order (usually the order is a large prime).

2. Alice chooses a secret integer a, computes aP and sends aP to Bob.

3. Bob chooses a secret integer b, and makes public bP .

4. Both users can then compute the secret key abP which they use.

Without solving the discrete logarithm problem, that is, finding a knowing P and aP , there seems to
be no way to compute abP knowing only aP and bP .

6.4 ElGamal Public Key Encryption

Alice wants to send a message to Bob. First, Bob establishes his public key as follows. He chooses an
elliptic curve E over a finite field Fq such that the discrete logarithm problem is hard for E (Fq ). He
then chooses a point P on E whose order is a large prime. He chooses a secret integer s and computes
sP . The elliptic curve E, the finite field Fq , and the points P and sP are Bob’s public key. His private
key is the integer s.
To send a message to Bob, Alice does the following:

1. Gets Bob’s public key.

 Section 6.5. ECIES Page 25

2. Expresses her message as a point M ∈ E (Fq ).

3. Chooses a random integer k and computes M1 = kP .

4. Computes M2 = M + k(sP ).

5. Sends M1 , M2 to Bob.

To read the message, Bob multiplies M1 by his secret key s and subtracts the result from M2 , that is,

M = M2 − sM1 .

An eavesdropper who can solve the discrete logarithm problem on E can, of course, determine s from
the publicly known information P and sP .

6.5 ECIES

In the previous section, we discussed one public key cryptosystem in which the plaintext message to be
sent was expressed as a point on the elliptic curve. There is no polynomial time (in log q) deterministic
algorithm for encoding a large number of messages as points on an elliptic curve E over Fq . We thus
use probabilistic algorithms for which the chance of failure is very small as we saw in Section 6.2.
In this section, we discuss a public key cryptosystem that has an advantage over the ElGamal in that,
its message needs not be represented as a point on the elliptic curve. This cryptosystem is called the
Elliptic Curve Integrated Encryption Scheme (ECIES) invented by Bellare and Rogaway in 1998. Below
is how ECIES works.
Alice wants to send a message m to Bob. First, Bob establishes his public key as follows.

1. He chooses an elliptic curve E over a finite field Fq such that the discrete logarithm problem is
hard for E (Fq ).

2. He then chooses a point A on E usually of large prime order N.

3. He chooses a secret integer b and computes B = bA.

Bob’s public key is (q, E, N, A, B). His secret key is the integer b. The algorithm also needs two
cryptographic hash functions, H1 and H2 , and a symmetric encryption function Ek (depending on a
key k) that are publicly agreed upon.
To send her message, Alice does the following:

1. Gets Bob’s public key.

2. Chooses a random integer k with 1 ≤ k ≤ N − 1 and compute P = kA and Q = kB.

3. Write the output of H1 (P, Q) as k1 kk2 (that is, k1 followed by k2 ), where k1 and k2 have specified
lengths.

4. Compute C = Ek1 (m) and t = H2 (C, k2 ) and send (P, C, t) to Bob.

 Section 6.6. Conclusion Page 26

To read the message, Bob does the following:

1. Computes Q = bP using his secret key b.

2. Computes H1 (P, Q) and writes the output as k1 kk2 .

3. Computes H2 (C, k2 ). If this result equals not to t, he stops and rejects the ciphertext. Otherwise,
he proceeds.

4. Computes m = Dk1 (C), where Dk1 is the decryption function for Ek1 .

The most important feature of this scheme is the authentication procedure in step 3 of the decryption.
It should be noted that since a keyed symmetric method is used to send the message, the same elliptic
curve can be used for different blocks of the message.

6.6 Conclusion

Elliptic curves have applications in integer factorisation, coding theory, cryptography and many other
areas. In this essay, we have tried to discuss briefly the impact of elliptic curves in cryptography partic-
ularly public key cryptography. Because of time restrictions, the discussions have not been exhaustive,
nevertheless they give an overview of how elliptic curves have influenced the direction of public key
cryptography since their introduction to the subject by Neal Koblitz and Victor Miller in 1985. For a
reader who would be interested in further reading, three very important books [Was08], [Kob94] and
[ST92] will provide a more detailed treatment of the subject.
Elliptic curve public key cryptosystems are increasingly being used by organisations. Most of the studies
made have shown that ECC offers the highest strength-per-key-bit of any known public key system. With
a 160-bit modulus, an elliptic curve system offers the same level of cryptographic security as a 1024-bit
RSA for example. The difference becomes more and more pronounced as security levels increase. For
example, a 384-bit ECC key matches a 7680-bit RSA key for security. The smaller key sizes result in
smaller hardware processors, lower power requirements, bandwidth savings and faster implementations.
ECC has thus come to be accepted as the most excellent choice for public key cryptography in portable,
necessarily constrained devices right now e.g. smart cards. So we believe that ECC is the future of
public key cryptography.
Acknowledgements
I would love to express my sincere gratitude to my supervisors Professor Barry Green and Professor
Hans-Georg Rück for their guidance and advice. Without them I would not have been able to write and
complete this essay. I would like to thank the AIMS founder Professor Neil Turok and the AIMS director
Professor Fritz Hahne for giving me the opportunity to study at this institute. My sincere thanks to my
tutor Miangaly Gaelle, she has been more than helpful throughout the essay period. Thank you all very
much.

27
 References
[CLO96] David Cox, John Little, and Donald O’Shea, Ideals,Varieties And Algorithms: An Introduction
to Computational Algebraic Geometry and Commutative Algebra, Springer, 1996, 349–356.

[Kob94] Neal Koblitz, A Course in Number Theory and Cryptography (second edition), Springer-Verlag,
1994.

[KR98] Ramanujachary Kumanduri and Cristina Romero, Number Theory with Computer Applications,
Prentice Hall, 1998.

[ST92] Joseph H. Silverman and John Tate, Rational Points on Elliptic Curves, Springer-Verlag, 1992.

[Was08] Lawrence C Washington, Elliptic Curves: Number Theory and Cryptography (second edition),
Chapman & Hall/CRC, New York, 2008.

28

View publication stats