Elliptic Curve Cryptography and Applications

Siddharth Singal
3/3/2014

Abstract
In this paper, we will explore cryptography based on a group created by elliptic curves.
Cryptography in the past had been based on math operations like taught in grade school such as
multiplication and exponentiation. Elliptic curves redefine addition and multiplication as new
operations called point addition and point multiplication. Solving elliptic curve based equations
prove to be much more complex and provide increased security, speed, and memory. Elliptic
curves are widely used in cryptography and are applied in various ways, including key exchange
and digital signature algorithms.
1

Introduction

Cryptography is needed to securely and

secretly send and receive messages, provide
integrity
to
messages,
etc.
Early
cryptography was based on two parties
predetermining keys or algorithms for
encryption/decryption.
Third
party
knowledge of these keys or algorithms
would compromise the security of the
message in hand, which had been a huge
issue because of the unreliability for the two
parties to agree on keys without anyone
eavesdropping on the keys. Public key
cryptography was created so two parties can
publicly reveal keys to everybody. However,
these public keys are only useful to the two
parties and no one else.

Ron Rivest, Adi Shamir, and Leonard

Adleman developed the RSA algorithm in
1977. RSA is most widely used public key
cryptography system in current day because
it proves to be very difficult to find the two
prime numbers that divide a larger number
(which is sometimes hundreds or thousands
of bits long).
1.1

History of Elliptic Curves

Elliptic curve cryptography (ECC) is a more

up and coming cryptographic system which
also provides the public key system.
Diophantus first studied the cubic equations
that formed these elliptic curves (EC) in the
3rd century and found that a secant line
intersecting the cubic equation at two points
will generally intersect a third point at the

curve. ECs were studied occasionally,

including Karl Weierstrass who defined EC
equations in the 1800s. ECC was first
suggested by Neal Koblitz and Victor S.
Miller in 1985. It entered commercial use in
the late 1990s, and started to become
widely used around 2004-2005.
1.2

and say that

Why use EC

Early cryptographic systems, including

RSA, are hard to crack because of the large
amount of computation required to factor a
number which is the product of two huge
prime numbers. However, finding the
discrete logarithm of a random elliptic curve
element with a publicly known base point is
considered infeasible.
Because ECC takes much longer to crack,
smaller key sizes are needed. A 256-bit ECC
key has the same strength as a 3072-bit RSA
key. Smaller keys mean less storage space
required and less transmission requirements.
This paper mentioned that RSA is the most
widely used public cryptography system,
which is considered true because it came
first and became more established.
However, ECC is becoming more widely
used as time passes.

then we get a simplified Weierstrass

equation

Testing out some values of values of and

, we can get the curves as shown below in
Figure 1.

Figure 1: Plots of simplified Weierstrass

equations for different values of and .

2.1
2

Point Addition

Elliptic Curve Math

EC equations were defined by

Weierstrass, which take the form of

Karl

where
. However,
suppose we were to do the following change
of variables:

Suppose we have points , , and on an

elliptic curve . Then we can redefine
addition such that
. This is called
point addition and is not to be confused with
normal addition. In order to find , we must
first draw a line intersecting
and .
Generally, the line will intersect the curve at
a third point, which is
. We can find by
simply reflecting the point across the -axis.

(Refer to Figure 2 for all the math) In other

words, all we have to do is negate the component of
to get .

which is close to our approximation. We can

also define point addition algebraically so
that we do not have to go through
meaningless geometry every single time in
order to solve for . Suppose that you have
(
)
(
)
(
)
which are points on an elliptic curve
such that
.
Then
(
)
where is the slope of the line created by
the points and . In other words,

Figure 2: How
geometrically

to

calculate

If you look at the value of

The graph shown above in Figure 2 defines

the elliptic curve
,
(
)
and
( ). We can estimate
(
), but to solve this out exactly,
we must first find the slope of the line made
by and
and put it in point-slope form
and do some substitutions.

then

when

, which is indeterminate. This

implies that these formulas and the geometry

used to add two points only exists if
(and later we will see that
in this
scenario as well).
2.2

Point Doubling

If
, point addition is simply redefined
as point doubling. Figure 3 below shows an
(

)(

)(

)
(

Figure 3: How to calculate

geometrically

example of point doubling. Suppose you

wanted to find
, then you have to
draw a tangent line from
and find the
second point the line intersects with. That
second point will be
, and so then we can
find R.
Point doubling can also be described
algebraically. Suppose we have
(
)
(
) which are points on
an elliptic curve
such
that
.

symmetrical across a horizontal line drawn

at
. This means that any vertical line
will have the points
and
. Now, we
must define a new point called , or the
point at infinity, and this point exists on
either end of the line formed by . This
allows us to define the inverse property,
( ) ( )
namely
.
What happens if we draw a tangent line
intersecting a point such that the line only
touches the elliptic curve at one point
(Figure 5 below as an example)

where

2.3

Point Addition Laws

What happens if we draw a vertical line that

intersects the elliptic curve at exactly two
points, and , kind of like in Figure 4.
Figure 5: Tangent line only touching one point
of elliptic curve

This allows us to define the identity

property, namely
. We
can now list some properties of elliptic
curves.
Inverse:

Identity:
Associative: (
Figure 4: Secant line only touching two points of
elliptic curve

First of all, because this is a

simplified
Weierstrass equation, the graph will be

Commutative:
One important thing to note about these four
properties is that they make elliptic curves

Elliptic Curves over

Elliptic curve are not very practical for

calculations in . Because it is an infinite
field, calculations can be very slow, and
computers can create rounding errors.
Because of this, elliptic curve cryptography
is usually done in finite groups, denoted by
, where
is generally either a prime
number or a number in the form of
. Performing these calculations in finite
groups is much faster and more accurate.
The rest of this paper will generally focus on
fields (finite fields with a prime order).
3.1

for

the
equation
in
, ( )
( )( )(
) (
)(
),
giving a total of 24 points. The graph looks
like Figure 6 below.
2

y =x +x in Finite Field of Order 23

25

20

y value

form an Abelian group, making EC a perfect

candidate for cryptography.

15

10

3.2

Before, we had the equation

However, now that we are working in a

finite field
, we need to modify our
equation. We will now have

{(

20

are

in

Modified Formulas

For the point addition

|
where

This implies that we must include the point

at infinity in our set as well. For example,

25

We must now modify our point addition and

doubling formulas to accommodate for all
the points that we are allowed to use.
Something that is extremely convenient
about adding points on elliptic curves in
finite fields of prime orders is that the point
addition of any two points in the set of all
points in the elliptic curve will always
compute to another point in the same set. In
other words,
(

15

x value

Figure 6: A graph of

Modified Weierstrass
Equation

Given an elliptic curve , the points of

denoted by

10

(
,

).

For the point doubling

elliptic curve point is finding out how many

times the base needs to be added to itself to
get to the given value.

)
5

Elliptic Curve Crypto

where

Elliptic Curve Discrete

Logarithm Problem

We can compare the former discrete

logarithm problem with elliptic curve
discrete logarithm problem (ECDLP) in .
The discrete logarithm problem describes
computations required by a 3rd party cracker
in order to compromise a cryptographic
system.
4.1

DLP

Generally, when Alice is making her key

with DLP, she chooses a public key and a
private key . She then computes another
public key
. If
Eve wanted to compromise this system, she
would have to find
by calculating
, which we say is the DLP because
with a large and , is computationally
hard to calculate.
4.2

Given only point addition and point

doubling, there are very simple algorithms
to calculate
, where
are
the public keys and is the private key.
Intuitively, someone might think to do
additions of to find , but that doesnt use
the doubling formula at all. A much more
efficient method was discovered using a
double and add algorithm.

For

example, let us take

. We can make a table of
variables to track the changes made to and

Time
0

ECDLP

In ECDLP, we have a different discrete

logarithm problem. Alice will have a public
key in the form of an elliptic curve point,
and a private key . Alice will then calculate
public key
.
In order for Eve to compromise this system,
she would have to calculate
.
Note that in this case, the logarithm of an

Figure 8: Tracking variables of double-add

algorithm for

We see that in the end,

6

Applications ECDH

Elliptic Curve Diffie-Hellman (ECDH) is

similar to the original Diffie-Hellman key
exchange, except for the fact that

computations are done using elliptic curves.

Suppose Alice wants to secretly send a
message to Bob, which will generally be a
symmetric key or something along the same
lines, but Eve is eavesdropping on their
conversation.
6.1

Initialization

Alice and Bob must agree on a couple of

things in order for them to exchange
messages. They must agree on the same
curve parameters ( and of the simplified
Weierstrass equation from above) since
different curves yield different results. They
must also agree on the finite field they are
operating in (
with prime ). They must
agree on
a generator in ( ) and its
order , which is generally the smallest
prime such that
. is generally the
size of a subgroup of ( ), and so we can
calculate

| (

)|

, where

is called the

cofactor (and will generally be very small).

The domain parameters are then described
as (
).
6.2

Sharing the Message

Each party will make their own key pair.

This involves Alice choosing a private key
in the interval
and computing a
public key
. Alices key pair will
be (
). Using the same process, Bob
should have a key pair (
). Eve will
know what
and
are, but not
or
. Now Alice can compute
(
) and Bob can compute
(
). It is a fact that
(
)
because
(
)
. This means that

Alice and Bob have successfully shared the

message
.
7

Applications ECDSA

ECDSA describes the Elliptic Curve Digital

Signature Algorithm. Digital signatures
allow people to sign documents digitally,
which is much more secure than signing a
document with a physical pen since digital
signatures are much harder to forge. There
are 3 main reasons to use digital signatures.

Authentication: Verify the source of

the document since everyone will
have their own associated private
key
Integrity: Make sure that the
document was the same from its
transmission to its reception
Non-Repudiation: The person who
sent the message cannot refuse
having sent the message after he has
done so

We will now see how Alice can sign a

document and send it to Bob.
7.1

Initialization

As described above in section 6.1,

initialization is done by Alice and Bob
agreeing on the domain parameters
(
).
7.2

Alice

Alice will have to go through a specific

process in order to sign a document she has
before she sends it over to Bill.
1. She will randomly select a private
key
in the interval of

2.

3.
4.

5.

6.
7.
8.

and create her private key

.
She will then select a random from
. She will then compute
(
), and she will make
.
If
,then she will go back to step
1.
She will compute
( ), where
the function ( ) is a hash function
of some message , such as SHA or
MD5.
She will compute
, which is the
bit length of , and she will make
the
leftmost bits of .
(
She can then find
)
.
If
, then Alice will go back to
step 1.
The document
has now been
signed using the signature
,
which has been released into the
public.
7.3

Bob

Bob
has
now
received
the
document/message and now he must verify
the document by using the signature. He is
mainly checking for
authentication,
integrity, and non-repudiation.
1. Bob must obviously check if and
are in the interval
.
2. He must then compute
( ),
using the same hashing function as
Alice.
3. He will also compute by finding
like Alice did and finding the
leftmost bits of .
4. He will compute
.

5. Bob can find

.
6. Bob will compute
(
).
7. He will compute
.
8. Bob can accept the signature if
.
Bob has now accepted the signature and can
safely read the message that was sent to him.
7.4

Proof of Verification

If you read closely, the math adds up. We

want to verify the signature if
.
(
(

)
)

(Alice-5)
(rewritten)
(distribution)
(Bob-3)
(Bob-5)
(
)
(P-multiplication)
(distribution)
(Alice-1)
(Bob-6)
Because is the value of and is the
value of ,
as seen from the last step
of the proof above.
7.5

Eve/Choosing Random

Eve has access to a lot of information now.

She has all the domain parameters
(
), the message , the hashing
algorithm used, public key
, and the
signature
. If she were to know values
such as or even worse, , then she can
modify the document and resign it however
she wants. Bob would still receive a
correctly signed document, and so it is
important to keep those values a secret.
However, if Eve simply changes the

message before Bob receives it, the

calculations will differ greatly and Bob will
not verify the signature since
.
It is extremely important for Alice to always
choose a random . Suppose she had a
constant that she used for every message
she sent Bob. Suppose the same was used
for two different messages sent:
and
.
Knowing the hashing algorithm, Eve can
calculate
and . Message
would be
signed using
, and message
would
be signed using
. Note that the
values are the same because is the value
of
, and
and
are constant in this
example. The
signature will still be
different though. Because of Alices sixth
(
) and
step in the algorithm,
(
). This means that
(
)
(
)
(
)

Alices private key has been calculated, and

now Eve can pretend to be Alice whenever
she feels like it. Eve can sign documents,
and Bob will trust all documents sent by
Eve. It may occur to most people to follow
the algorithms above exactly as written, but
big companies like Sony seemed to fail their
implementation of ECDSA in the
Playstation 3.

Bibliography

Liu, Fuwen. An Introduction On Elliptic

Curve Cryptography.
Hoffstein, Jeffrey, Jill Catherine Pipher, and
Joseph H. Silverman. An
introduction to mathematical
cryptography. New York: Springer,
2008. Print.