CHAPTER 8

This document discusses elliptic curve systems and their application in discrete logarithm problems, introducing group theory concepts and elliptic curve groups. It details the process of elliptic curve key generation, encryption, and decryption, including algorithms for these processes. Additionally, it outlines considerations for selecting finite fields, elliptic curves, and cryptographic protocols for implementation.


1.2.3 Elliptic curve systems


The discrete logarithm systems presented in §1.2.2 can be described in the abstract setting of
a finite cyclic group. We introduce some elementary concepts from group theory and explain
this generalization. We then look at elliptic curve groups and show how they can be used to
implement discrete logarithm systems.

Groups
An abelian group $(G, *)$ consists of a set $G$ with a binary operation $*: G \times G \to G$
satisfying the following properties:
(i) (Associativity) $a * (b * c) = (a * b) * c$ for all $a, b, c \in G$.
(ii) (Existence of an identity) There exists an element $e \in G$ such that $a * e = e * a = a$
for all $a \in G$.
(iii) (Existence of inverses) For each $a \in G$, there exists an element $b \in G$, called the
inverse of $a$, such that $a * b = b * a = e$.
(iv) (Commutativity) $a * b = b * a$ for all $a, b \in G$.

The group operation is usually called addition ($+$) or multiplication ($\cdot$). In the first
instance, the group is called an additive group, the (additive) identity element is usually
denoted by $0$, and the (additive) inverse of $a$ is denoted by $-a$. In the second instance,
the group is called a multiplicative group, the (multiplicative) identity element is usually
denoted by $1$, and the (multiplicative) inverse of $a$ is denoted by $a^{-1}$. The group is
finite if $G$ is a finite set, in which case the number of elements in $G$ is called the order
of $G$.

For example, let $p$ be a prime number, and let $\mathbb{F}_p = \{0, 1, 2, \ldots, p-1\}$
denote the set of integers modulo $p$. Then $(\mathbb{F}_p, +)$, where the operation $+$ is
defined to be addition of integers modulo $p$, is a finite additive group of order $p$ with
(additive) identity element $0$. Also, $(\mathbb{F}_p^*, \cdot)$, where $\mathbb{F}_p^*$
denotes the nonzero elements in $\mathbb{F}_p$ and the operation $\cdot$ is defined to be
multiplication of integers modulo $p$, is a finite multiplicative group of order $p-1$ with
(multiplicative) identity element $1$. The triple $(\mathbb{F}_p, +, \cdot)$ is a finite field
(cf. §2.1), denoted more succinctly as $\mathbb{F}_p$.

Now, if $G$ is a finite multiplicative group of order $n$ and $g \in G$, then the smallest
positive integer $t$ such that $g^t = 1$ is called the order of $g$; such a $t$ always exists
and is a divisor of $n$. The set $\langle g \rangle = \{g^i : 0 \le i \le t-1\}$ of all powers
of $g$ is itself a group under the same operation as $G$, and is called the cyclic subgroup of
$G$ generated by $g$. Analogous statements are true if $G$ is written additively. In that
instance, the order of $g \in G$ is the smallest positive divisor $t$ of $n$ such that
$tg = 0$, and $\langle g \rangle = \{ig : 0 \le i \le t-1\}$. Here, $tg$ denotes the element
obtained by adding $t$ copies of $g$. If $G$ has an element $g$ of order $n$, then $G$ is said
to be a cyclic group and $g$ is called a generator of $G$.

For example, with the DL domain parameters $(p, q, g)$ defined as in §1.2.2, the multiplicative
group $(\mathbb{F}_p^*, \cdot)$ is a cyclic group of order $p-1$. Furthermore,
$\langle g \rangle$ is a cyclic subgroup of order $q$.

Generalized discrete logarithm problem


Suppose now that $(G, \cdot)$ is a multiplicative cyclic group of order $n$ with generator $g$.
Then we can describe the discrete logarithm systems presented in §1.2.2 in the setting of $G$.
For instance, the domain parameters are $g$ and $n$, the private key is an integer $x$
selected randomly from the interval $[1, n-1]$, and the public key is $y = g^x$. The problem
of determining $x$ given $g$, $n$ and $y$ is the discrete logarithm problem in $G$.

In order for a discrete logarithm system based on $G$ to be efficient, fast algorithms should
be known for computing the group operation. For security, the discrete logarithm problem in
$G$ should be intractable.
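An added example, not part of the Guide to ECC text, that makes the preceding definitions
concrete for the multiplicative group $\mathbb{F}_p^*$: it computes the order of an element,
lists the cyclic subgroup $\langle g \rangle$, checks that the order divides $p-1$, and forms a
DL key pair $y = g^x$ in a subgroup of prime order $n$. The prime $p = 23$ and the elements
$2$ and $5$ are constructed toy values; with $(p, q, g) = (23, 11, 2)$ they play the role of
the DL domain parameters above. The brute-force discrete logarithm is included only to show
why the subgroup order must be enormous in practice: its cost is linear in $n$.

```python
# Added example, not from the Guide to ECC text: the order of an element and the
# cyclic subgroup it generates in the multiplicative group F_p^*, plus the generalized
# DL key pair y = g^x. The prime p = 23 used below is a constructed toy value, small
# enough that every subgroup can be enumerated.
import secrets


def element_order(g: int, p: int) -> int:
    """Smallest t >= 1 with g^t = 1 (mod p). Exists for every g in F_p^* and divides p - 1."""
    g %= p
    if g == 0:
        raise ValueError("0 is not an element of F_p^*")
    t, x = 1, g
    while x != 1:
        x = (x * g) % p
        t += 1
    return t


def cyclic_subgroup(g: int, p: int) -> list:
    """<g> = {g^i : 0 <= i <= t-1}, listed in the order the powers are generated."""
    t = element_order(g, p)
    return [pow(g, i, p) for i in range(t)]


def is_generator(g: int, p: int) -> bool:
    """g generates all of F_p^* exactly when its order is p - 1."""
    return element_order(g, p) == p - 1


def dl_keypair(g: int, n: int, p: int, x: int = None):
    """Generalized DL key pair in <g> of order n: x uniform in [1, n-1], y = g^x (mod p).
    x may be fixed by the caller for reproducible tests; otherwise it is drawn from a CSPRNG."""
    if x is None:
        x = 1 + secrets.randbelow(n - 1)
    return pow(g, x, p), x


def discrete_log_bruteforce(g: int, y: int, n: int, p: int) -> int:
    """Solve g^x = y (mod p) for x in [0, n-1] by trying every exponent.
    O(n) group operations: feasible for n = 11, hopeless for the n used in real systems."""
    x, acc = 0, 1
    while x < n:
        if acc == y:
            return x
        acc = (acc * g) % p
        x += 1
    raise ValueError("y is not in <g>")


if __name__ == "__main__":
    p = 23
    print(is_generator(5, p), element_order(2, p))      # True 11
    print(sorted(cyclic_subgroup(2, p)))                # the 11 quadratic residues mod 23
    y, x = dl_keypair(2, 11, p)
    print(discrete_log_bruteforce(2, y, 11, p) == x)    # True
```

With $g = 2$ the subgroup $\langle 2 \rangle$ has order 11, so $(p, q, g) = (23, 11, 2)$ is a
valid (toy) set of DL domain parameters; $g = 5$, by contrast, has order 22 and generates all
of $\mathbb{F}_{23}^*$.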

Now, any two cyclic groups of the same order $n$ are essentially the same; that is, they have
the same structure even though the elements may be written differently. The different
representations of group elements can result in algorithms of varying speeds for computing
the group operation and for solving the discrete logarithm problem.

The most popular groups for implementing discrete logarithm systems are the cyclic
subgroups of the multiplicative group of a finite field (discussed in §1.2.2), and cyclic
subgroups of elliptic curve groups which we introduce next.

Elliptic curve groups


Let $p$ be a prime number, and let $\mathbb{F}_p$ denote the field of integers modulo $p$. An
elliptic curve $E$ over $\mathbb{F}_p$ is defined by an equation of the form

$$y^2 = x^3 + ax + b, \qquad (1.4)$$

where $a, b \in \mathbb{F}_p$ satisfy $4a^3 + 27b^2 \not\equiv 0 \pmod p$. A pair $(x, y)$,
where $x, y \in \mathbb{F}_p$, is a point on the curve if $(x, y)$ satisfies equation (1.4).
The point at infinity, denoted by $\infty$, is also said to be on the curve. The set of all
the points on $E$ is denoted by $E(\mathbb{F}_p)$. For example, if $E$ is an elliptic curve
over $\mathbb{F}_7$ with defining equation

$$y^2 = x^3 + 2x + 4,$$

then the points on $E$ are

$$E(\mathbb{F}_7) = \{\infty, (0,2), (0,5), (1,0), (2,3), (2,4), (3,3), (3,4), (6,1), (6,6)\}.$$

Now, there is a well-known method for adding two elliptic curve points $(x_1, y_1)$ and
$(x_2, y_2)$ to produce a third point on the elliptic curve (see §3.1). The addition rule
requires a few arithmetic operations (addition, subtraction, multiplication and inversion) in
$\mathbb{F}_p$ with the coordinates $x_1, y_1, x_2, y_2$. With this addition rule, the set of
points $E(\mathbb{F}_p)$ forms an (additive) abelian group with $\infty$ serving as the
identity element. Cyclic subgroups of such elliptic curve groups can now be used to implement
discrete logarithm systems.

We next illustrate the ideas behind elliptic curve cryptography by describing an elliptic curve
analogue of the DL encryption scheme that was introduced in §1.2.2. Such elliptic curve
systems, and the elliptic curve analogue of the DSA signature scheme, are extensively studied
in Chapter 4.

Elliptic curve key generation


Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_p$. Let $P$ be a point in
$E(\mathbb{F}_p)$, and suppose that $P$ has prime order $n$. Then the cyclic subgroup of
$E(\mathbb{F}_p)$ generated by $P$ is

$$\langle P \rangle = \{\infty, P, 2P, 3P, \ldots, (n-1)P\}.$$

The prime $p$, the equation of the elliptic curve $E$, and the point $P$ and its order $n$,
are the public domain parameters. A private key is an integer $d$ that is selected uniformly
at random from the interval $[1, n-1]$, and the corresponding public key is $Q = dP$. The
problem of determining $d$ given the domain parameters and $Q$ is the elliptic curve discrete
logarithm problem (ECDLP).

Algorithm 1.12 Elliptic curve key pair generation

Input: Elliptic curve domain parameters $(p, E, P, n)$.
Output: Public key $Q$ and private key $d$.
1. Select $d \in_R [1, n-1]$.
2. Compute $Q = dP$.
3. Return $(Q, d)$.

Elliptic curve encryption scheme


We present the encryption and decryption procedures for the elliptic curve analogue of the
basic ElGamal encryption scheme as Algorithms 1.13 and 1.14, respectively.

A plaintext $m$ is first represented as a point $M$, and then encrypted by adding it to $kQ$,
where $k$ is a randomly selected integer, and $Q$ is the intended recipient's public key. The
sender transmits the points $C_1 = kP$ and $C_2 = M + kQ$ to the recipient, who uses her
private key $d$ to compute

$$dC_1 = d(kP) = k(dP) = kQ,$$

and thereafter recovers $M = C_2 - kQ$.

An eavesdropper who wishes to recover $M$ needs to compute $kQ$. This task of computing $kQ$
from the domain parameters, $Q$, and $C_1 = kP$, is the elliptic curve analogue of the
Diffie-Hellman problem.

Algorithm 1.13 Basic ElGamal elliptic curve encryption

Input: Elliptic curve domain parameters $(p, E, P, n)$, public key $Q$, plaintext $m$.
Output: Ciphertext $(C_1, C_2)$.
1. Represent the message $m$ as a point $M$ in $E(\mathbb{F}_p)$.
2. Select $k \in_R [1, n-1]$.
3. Compute $C_1 = kP$.
4. Compute $C_2 = M + kQ$.
5. Return $(C_1, C_2)$.

Algorithm 1.14 Basic ElGamal elliptic curve decryption

Input: Domain parameters $(p, E, P, n)$, private key $d$, ciphertext $(C_1, C_2)$.
Output: Plaintext $m$.
1. Compute $M = C_2 - dC_1$, and extract $m$ from $M$.
2. Return $m$.
Example

ElGamal elliptic curve encryption
Input: Elliptic curve domain parameters $(p, E, P, n) = (97,\ y^2 = x^3 + 2x + 3,\ (3,6),\ 5)$,
public key $Q = (80,87)$, plaintext $m = (76,20)$.
Output: Ciphertext $(C_1, C_2)$.
1. Represent the message $m$ as a point $M$ in $E(\mathbb{F}_p)$; here $M = (76,20)$.
2. Select $k \in_R [1, n-1]$; take $k = 4$.
3. Compute $C_1 = kP = 4(3,6) = (3,91)$.
4. Compute $C_2 = M + kQ = (76,20) + 4(80,87) = (76,20) + (80,10) = (20,34)$.
5. Return $(C_1, C_2) = ((3,91), (20,34))$.

ElGamal elliptic curve decryption
Input: Domain parameters $(p, E, P, n) = (97,\ y^2 = x^3 + 2x + 3,\ (3,6),\ 5)$, private key
$d = 3$, ciphertext $(C_1, C_2) = ((3,91), (20,34))$.
Output: Plaintext $m$.
1. Compute
$$M = C_2 - dC_1 = (20,34) - 3(3,91) = (20,34) - (80,10) = (20,34) + (80,-10) = (76,20),$$
and extract $m$ from $M$.
2. Return $m$.
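An added example, not from the Guide to ECC text, that implements the elliptic curve group of
equation (1.4) in affine coordinates together with Algorithms 1.12, 1.13 and 1.14, and
reproduces both the point list of $E(\mathbb{F}_7)$ given earlier and the worked
$\mathbb{F}_{97}$ example above. The `Curve` class, the function names and the on-curve checks
in `encrypt` and `decrypt` are this example's own choices (the checks anticipate the key and
domain parameter validation the text defers to Chapter 4); the plaintext is taken as a point
$M$, exactly as the example does. Toy parameters only: real curves use primes of hundreds of
bits and are never enumerated.

```python
# Added example, not from the Guide to ECC text: affine short-Weierstrass arithmetic over
# F_p (assumption: p an odd prime, a and b as in equation (1.4)) and the basic ElGamal
# elliptic curve scheme of Algorithms 1.12-1.14. Curve, keygen, encrypt and decrypt are
# names chosen here. Only toy-sized parameters are used.
import secrets

INF = None  # the point at infinity, the identity of E(F_p)


class Curve:
    """y^2 = x^3 + a*x + b over F_p with 4a^3 + 27b^2 != 0 (mod p)."""

    def __init__(self, p, a, b):
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """E(F_p) by exhaustive search; fine for toy p, impossible for real curves."""
        return [INF] + [(x, y) for x in range(self.p) for y in range(self.p)
                        if self.on_curve((x, y))]

    def neg(self, P):
        return INF if P is INF else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition rule; the text refers to section 3.1 for it."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                     # Q = -P, which also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)               # chord slope
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """kP by right-to-left double-and-add (k >= 0)."""
        R, addend = INF, P
        while k > 0:
            if k & 1:
                R = self.add(R, addend)
            addend = self.add(addend, addend)
            k >>= 1
        return R

    def order(self, P):
        """Smallest t >= 1 with tP = INF, found by repeated addition (toy sizes only)."""
        t, R = 1, P
        while R is not INF:
            R = self.add(R, P)
            t += 1
        return t


def keygen(curve, P, n, d=None):
    """Algorithm 1.12: d uniform in [1, n-1] from a CSPRNG (or fixed for tests), Q = dP."""
    if d is None:
        d = 1 + secrets.randbelow(n - 1)
    return curve.mul(d, P), d


def encrypt(curve, P, n, Q, M, k=None):
    """Algorithm 1.13 with the plaintext already given as a point M, as in the page's example."""
    if not (curve.on_curve(M) and curve.on_curve(Q)):
        raise ValueError("plaintext point and public key must lie on the curve")
    if k is None:
        k = 1 + secrets.randbelow(n - 1)
    return curve.mul(k, P), curve.add(M, curve.mul(k, Q))


def decrypt(curve, d, C):
    """Algorithm 1.14: M = C2 - dC1. Ciphertext points off the curve are rejected up front."""
    C1, C2 = C
    if not (curve.on_curve(C1) and curve.on_curve(C2)):
        raise ValueError("ciphertext point not on the curve")
    return curve.add(C2, curve.neg(curve.mul(d, C1)))


if __name__ == "__main__":
    E = Curve(97, 2, 3)
    P, n = (3, 6), 5
    Q, d = keygen(E, P, n, d=3)                 # Q = (80, 87), as in the worked example
    C = encrypt(E, P, n, Q, (76, 20), k=4)
    print(C, decrypt(E, d, C))                  # ((3, 91), (20, 34)) (76, 20)
```

Running the block reproduces the worked example: $3P = (80,87)$, $4P = (3,91)$, $4Q = (80,10)$
and $C_2 = (20,34)$, and decryption with $d = 3$ returns $(76,20)$. The `Curve(7, 2, 4)`
instance lists exactly the ten points of $E(\mathbb{F}_7)$ given in the text.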

1.4 Roadmap
Before implementing an elliptic curve system, several selections have to be made concerning
the finite field, elliptic curve, and cryptographic protocol:

1. a finite field, a representation for the field elements, and algorithms for performing
field arithmetic;
2. an elliptic curve, a representation for the elliptic curve points, and algorithms for
performing elliptic curve arithmetic; and
3. a protocol, and algorithms for performing protocol arithmetic.
There are many factors that can influence the choices made. All of these must be considered
simultaneously in order to arrive at the best solution for a particular application. Relevant
factors include security considerations, application platform (software or hardware),
constraints of the particular computing environment (e.g., processing speed, code size
(ROM), memory size (RAM), gate count, power consumption), and constraints of the
particular communications environment (e.g., bandwidth, response time).

Not surprisingly, it is difficult, if not impossible, to decide on a single "best" set of choices.
For example, the optimal choices for a workstation application can be quite different from
the optimal choices for a smart card application. The purpose of this book is to provide
security practitioners with a comprehensive account of the various implementation and
security considerations for elliptic curve cryptography, so that informed decisions of the
most suitable options can be made for particular applications.

The remainder of the book is organized as follows. Chapter 2 gives a brief introduction to
finite fields. It then presents algorithms that are well-suited for software implementation of
the arithmetic operations in three kinds of finite fields—prime fields, binary fields and
optimal extension fields.

Chapter 3 provides a brief introduction to elliptic curves, and presents different methods for
representing points and for performing elliptic curve arithmetic. Also considered are
techniques for accelerating the arithmetic on Koblitz curves and other elliptic curves
admitting efficiently-computable endomorphisms.

Chapter 4 describes elliptic curve protocols for digital signatures, public-key encryption and
key establishment, and considers the generation and validation of domain parameters and
key pairs. The state of the art in algorithms for solving the elliptic curve discrete logarithm
problem is surveyed.

Chapter 5 considers selected engineering aspects of implementing elliptic curve
cryptography in software and hardware. Also examined are side-channel attacks where an
adversary exploits information leaked by cryptographic devices, including electromagnetic
radiation, power consumption, and error messages.

The appendices present some information that may be useful to implementors. Appendix A
presents specific examples of elliptic curve domain parameters that are suitable for
cryptographic use. Appendix B summarizes the important standards that describe elliptic
curve mechanisms. Appendix C lists selected software tools that are available for performing
relevant number-theoretic calculations.

Reference: Guide to ECC
