Elliptic Curve Cryptography

Final report for a project in computer security

Gadi Aleksandrowicz∗ Basil Hess† Supervision: Barukh Ziv

March 22, 2010

1 Introduction

An Elliptic Curve can be roughly described as the set of solutions of an equation of the form
y 2 = x3 + ax + b over some field (e.g. C, R, Q or some finite field Fpn ). The importance of elliptic
curves stems from their rich structure: there is a rather simple addition law definable on elliptic
curves which makes them into an abelian group. Studying the emerging structure of elliptic curves
over various fields has been a major theme in the mathematics of the 20th century, and elliptic
curves were connected to many famous problems and results, most notably the proof of Fermat’s
last theorem. See [12] for an introduction to the subject via the solution of a specific problem (the
congruent number problem). A more detailed and through treatment is presented in [20] which has
become the standard text on the subject.
In the late 70’s, Public-Key Cryptography systems were first publicly described, changing the
face of cryptography. Many of the purposed systems, such as the Diffie-Hellman key exchange
system [7] and the ElGamal encryption system [8], were based on arithmetic in the group Z∗p , but
in theory could be implemented in other groups as well. Groups based on elliptic curves were
a good choice because of their well-developed theory and their high variety. In 1985, both Neal
Koblitz [13] and Victor S. Miller [17] suggested public key cryptosystems based on elliptic curves.
Our goal in the project has been to implement an efficient public key cryptosystem based on
elliptic curves “from scratch”, relying only on large-number arithmetic libraries. In particular, we
have implemented all the elliptic-curve related calculations, and additional related algorithms.

2 Elliptic Curves

Most generally, an elliptic curve E over a field K can be described as the subset of K × K satisfying
the equation
y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6
∗
Dept. of Computer Science, The Technion—Israel Institute of Technology, Haifa 32000, Israel. E-mail:
gadial@cs.technion.ac.il
†
Dept. of Computer Science, ETH Zurich, 8092 Zurich, Switzerland. E-mail: bhess@ethz.ch. Work done while
visiting the Technion.

1
 Figure 1: An elliptic curve (corresponding to the equation y 2 = x3 − 6x)

for a given a1 , a2 , a3 , a4 , a5 , a6 ∈ K, along with another special point “at infinity” O. An additional
demand is that the curve be “smooth”, which means that the partial derivatives of the curve has
no common zeros. This can be reduced to checking that some invariant value ∆ (the discriminant
of the curve) which is calculated from the coefficients is not zero. Because the nature of the field K
is highly relevant to the structure of E, it is common to write E/K indicating the curve E (usually
given by the equation) is defined over the field K.

2.1 Definition

Depending on the characteristic of K, the above equation can be simplified. There are three cases
to consider:

1. When charK 6= 2, 3 the equation can be simplified to y 2 = x3 + ax + b with a, b ∈ K.

2. When charK = 2 and a1 6= 0, the equation can be simplified to y 2 + xy = x3 + ax2 + b with

a, b ∈ K. This curve is said to be non-supersingular. If a1 = 0, the equation can be simplified
to y 2 + cy = x3 + ax + b with a, b, c ∈ K. This curve is said to be supersingular.

3. When charK = 3 and a21 6= −a2 , the equation can be simplified to y 2 = x3 + ax2 + b with
a, b ∈ K. This curve is said to be non-supersingular. If a21 = −a2 , the equation can be
simplified to y 2 = x3 + ax + b with a, b ∈ K. This curve is said to be supersingular.

2.2 Motivating Example: K = C

A lattice in the complex plane C is a set of the form L = {nω1 +mω2 |n, m ∈ Z} such that ω1 , ω2 ∈ C
are not colinear. Lattices can be used to generalize the notion of “periodic function” to the complex
plane: A meromorphic function f is called elliptic with respect to the lattice L if f (z + l) = f (z)
for all l ∈ L (equivalently, f (z + ω1 ) = f (z + ω2 ) = f (z)). Thus it suffices to know the values of f
of the fundamental parallelogram Π = {aω1 + bω2 |a, b ∈ [0, 1]} in order to know its values on the
complex plane.
In R, the periodic function sin(x) is “special” in the sense that along with its derivative, cos(x).
it can be used to represent all the periodic functions (via Fourier series). There is a parallel “special”
function for elliptic functions, which in some regards is “even better” than its real counterpart.

2
 Figure 2: The group operation ([16])

Given a lattice L, the Weierstrass ℘-function for this lattice is defined as

 
1 X 1 1
℘(z) = 2 −
z (z − l)2 l2
06=l∈L

℘ has the property that every elliptic function (in respect to a given lattice L) can be written as a
rational function in ℘ and ℘0 (as opposed to the infinite sum of sin and cos). Thus ℘ is the most
significant example of an elliptic function.
Let E/C be an elliptic curve given by y 2 = x3 + ax + b. A lattice L can be found such that
the corresponding Weierstrass function satisfies the differential equation (℘0 )2 = ℘3 + a℘ + b. This
means that the map z 7→ (℘(z), ℘0 (z)) maps C to points on the elliptic curve. In particular, ℘ has a
pole in each lattice point and so 0 7→ O (this can be made precise by using projective coordinates).
Moreover, it can be shown that this map is onto, and that z1 , z2 give the same point on the curve
if and only if z1 − z2 ∈ L, and so we have a bijection between E and C/L, the latter set can be
thought of as a torus (since C/L is isomorphic to Π where parallel edges are “glued“ together).
Since C/L can be equipped with an operation of addition modulo L, it forms an abelian group.
This group structure can thus be induced on the isomorphic elliptic curve: Given P1 , P2 on the
curve that emerge from z1 , z2 (i.e. Pi = (℘(zi ), ℘0 (zi ))) we define P1 + P2 = (℘(z1 + z2 ), ℘0 (z1 + z2 ))
(with the addition of z1 + z2 done modulo L). This shown that every elliptic curve over C is an
abelian group.

2.3 The Group Operation

In the previous section we have seen how elliptic curves over C can be naturally induced with a
group operation. There is no similar theory over other fields, but we can still axiomatically define
an operation similar to the one arising in the complex case. A detailed analysis of the complex case
yields the following rough description of the group operation:
First, for the special point O we have P + O = O + P = P , so O is the identity element.
Second, (x, y) + (x, −y) = O (note that if (x, y) ∈ E so is (x, −y) since the in equation defining

3
E is of the form y 2 = x3 + ax + b and so for every x we have two possible values of y, given that
x3 + ax + b has roots at all). So given a point P , its additive inverse −P is simply the same point
with the sign of the y-coordinate flipped.
Third, for every three colinear points on the curve P, Q, R we have P + Q + R = 0, and so
P + Q = −R. We can picture this in the following manner: Given P, Q, to compute their sum draw
a line passing through them, and find the third point where the line crosses the curve (there is
always such one - if it seems the line ”misses“ the curve, it actually intersects it in O; again, using
projective coordinates this can be made precise). After such a point was found, we take its inverse
to be the result of P + Q. This might seem like an arbitrary definition, and so it is worthwhile to
remember that it is actually a result of the non-arbitrary operation induced in C.
We also need to describe what is P + P . In this case we cannot pass a single line ”between P
and itself“, but we have a similar notion: Since the curve is smooth, it has exactly one tangent line
in each point. Therefore we have that P + P is the additive inverse of the point of intersection with
the curve of the tangent line to the curve at P .
This completes the description of the group operation. Although it arises from the complex
case, this description is valid over any field, and can be taken to be the definition of the group
action. In is a straightforward technical manner to check that the axioms for group operation are
indeed satisfied by this operation.
The geometrical description of the operation is insightful but of little use in algebraic calcula-
tions. However, straightforward analytic geometry gives simple equations for calculating addition
of points. The actual equations depends on the simplified form of the curve; we will focus later on
the cases where charK 6= 2, 3 and charK = 2 as these are the main cases used in practice.

2.4 Group Structure

The structure of the group of an elliptic curve highly depends on the underlying field. For K = C
we have already seen that it has the structure of a torus. Over Q, a famous theorem of Mordell
shows that the group is finitely generated; since it is also abelian, it is of the form Zr × Z where Z
(the torsion subgroup of the curve) is a finite abelian group. The torsion of an elliptic curve is easy
to compute and is very well known - it is known that there are only 15 possible torsion subgroups,
the largest of whom of cardinality 16. The main difficulty is computing the parameter r - the rank
of the curve. Of the the most famous open conjectures in mathematics, the Birch and Swinnerton-
Dyer conjecture, deals with the connection between the rank of a curve (and various other related
parameters) and the behavior of a special function related to the curve (the zeta-function of that
curve).
Over a finite field K = Fq (q a power of a prime), the order of the curve is, of course, finite.
However, it is not easy to know in general what is the exact number of points on the curve. A
reasonable estimate is given by Hasse’s theorem, which shows that the order is roughly q + 1, with
a square-root bound on the error. More precisely, if #E(Fq ) is the number of points on the curve
√
E over Fq , then |#E(Fq ) − (q + 1)| ≤ 2 q
Knowing the order of the curve is very important when using curves for cryptographic purposes.
There exist algorithms for computing the order, but they are quite complicated and not very
efficient. Thus, sometimes a different approach is used - first the order is chosen, and then a
suitable curve for that order is generated. We elaborate on this later.

4
3 Elliptic Curve Arithmetic

3.1 Projective Coordinates

As we shall see, the usual usage of elliptic curve in cryptosystems is in computing P +P +. . .+P for
a given point P . The formulas for adding points on the curve includes a division operation, which in
most implementations is very costly. Therefore, it is reasonable to transform the coordinate system
into one in which no division is needed for the addition operation itself, only for transforming back
to the standard coordinate system once the calculation is complete. Such a coordinate system is
the projective coordinate system.
Theoretically it is possible to imagine the projective coordinate system as one in which every
two-dimensional point is represented by a ray in the three dimensional space. Formally we consider
the set K 3
{(0, 0, 0)} with an equivalence relation characterized by two positive integers c, d and defined by
(X1 , Y1 , Z1 ) ∼ (X2 , Y2 , Z2 ) if X1 = λc X2 , Y1 = λd Y2 , Z1 = λZ2 for some λ ∈ K ∗ (for c = d = 1
indeed we have that each equivalence class is a line in K 3 ).
The two-dimensional point (X, Y ) can be identified with the projective point represented by
(X, Y, 1), and so in general a projective point represented by (X, Y, Z) with Z 6= 0 corresponds to
a standard point ( ZXa , ZYb ). However, projective points represented by (X, Y, 0) have no standard
two-dimensional equivalent, and so are considered ”points in infinity“. Indeed, this is a way to
formally represent O.

3.2 Addition Formulas - The Prime Field Case

We consider now the case K = Fp for p > 3 prime (however, for any K such that charK 6= 2, 3
our description is essentially the same). In this case let E be a curve defined by y 2 = x3 + ax + b.
Given two points on the curve P = (x1 , y1 ), Q = (x2 , y2 ) we first consider the case x1 6= x2
(and so P 6= ±Q). The line passing both in P and Q has slope xy22 −y 1
−x1 and so its equation is
 
−y1
y = y1 + xy22 −x 1
(x − x1 ).
Substituting y into the curve’s equation yields a complicated equation of degree 3 in x; however,
since we already know of two roots to the equation x1 , x2 we can find the third one x3 by using the
fact that −(x1 + x2 + x3 ) equals the coefficient of x2 in the equation, which is exactly the square
−y1
of the slope, xy22 −x 1
Hence we have
 2
y2 − y1
x3 = − x1 − x2
x2 − x1

Given x3 , finding y3 is easy, and we see that

 
y2 − y1
y3 = (x1 − x3 ) − y1
x2 − x1

When adding a point P = (x1 , y1 ) to itself the only difference is the calculation of the slope,
3x2 +a
which in this case is the tangent to the curve at x1 , hence the implicit derivative 2y1 1 . This yields
the equations

5
 2
3x21 + a

x3 = − x1 − x2
2y1

and

3x21 + a
 
y3 = (x1 − x3 ) − y1
2y1

3.3 Addition Formulas - The Binary Field Case

In the binary case K = F2 , the curve E is defined by y 2 + xy = x3 + ax2 + b. First note that the
negative of a point S = (x, y) is defined as −S = (x, x + y), and it can be checked that the point
−P indeed lies on E. For two points P = (x1 , y1 ), Q = (x2 , y2 ) (denote P + Q = (x3 , y3 )), the
easiest cases are P = ∞ or Q = ∞. By the group law, it holds that P + ∞ = P and ∞ + Q = Q.
In the case of P = −Q, the result is P + Q = ∞.
The remaining two cases are P = Q and P 6= Q.
y1
If P = Q, we need to double the coordinate, where λ = x1 + x1 is the slope of the tangent,
analogue to the prime case. As resulting x-coordinate one gets x3 = a + λ2 + λ.
If P 6= Q, the slope of the connecting line is xy11 +y2
+x2 (note that addition and subtraction are the
same in binary field arithmetic). It holds that x3 = a + λ2 + λ + x2 + x1 (in the case P = Q,
x2 + x1 = x1 + x1 = 0).
Finally in both cases the y-coordinate is computed as y3 = (x2 + x3 )λ + x3 + y2 . The overall
algorithm derived from the formula requires 3 multiplications (one is squaring), one multiplicative
field inversion, and 9 (or 6 in case of doubling) additions. While the additions are very cheap
operations, computing the inverse could be avoided by using projective coordinates as described in
3.1.

3.4 Point Multiplication

Scalar point multiplication is a frequently used operation in the cryptosystem we implemented and
it is of big importance to implement this efficiently. We want to compute kP = Q for a scalar k
and a point P . Using only addition, one could compute this as |P + {z ... + P}, with a complexity of
k
O(k). A better way is to use the additive equivalent of the square-and-multiply algorithm. There, k
is processed bit-wise. In each iteration, the result is doubled, and if the bit equals one, P is added.
Let [klog k , ..., k1 ] be the bit-representation of k, with k1 as the least significant bit:

1. Q = ∞

2. for i = 1.. log k:

3. Q = Q + Q

4. if ki = 1: Q = Q + P

6
 The complexity of this algorithm is O(log k). There are some optimizations to this algorithm,
most notably the replacement of the binary representation of k with its non-adjacent form which
results in a shorter representation.

3.5 Binary Field Arithmetic

The arithmetic in prime fields Fp is basically well-now; addition and multiplication correspond
to integer arithmetic modulo p. Finding the inverse can be done using the extended euclidean
algorithm. Those operations are provided in the big integer library GMP we used.
In the binary extension field F d ∼
2 = F2 (θ)/m(θ), the arithmetic is slightly different and we
decided to implement it from scratch. One could alternatively use a library like NTL.
Elements of the binary field are actually polynomials of degree d with binary coefficients. And
all operations in the polynomial basis are done modulo the reduction polynomial m(θ). For example
the polynomial θ4 + θ + 1 can be displayed as the bit-string 10011. There is also a normal basis
field representation which we will not treat because the more inefficient behavior of its arithmetic.

Addition/Subtraction Addition is the simplest operation and is computed as bit-wise XOR:

for a, b ∈ F2d , a + b = a ⊕ b.

Multiplication Multiplication of two elements a and b has always to be done modulo m. Lopez
and Dahab [15] present some efficient algorithms for this case. We implemented one which re-
minds of the square-and-multiply algorithm and could be called ”shift-and-add“ algorithm (a is
represented as al , ..., a1 and b as bl , ..., b1 , let the result be c):

1. c = 0

2. for i = l, ..., 1:

3. shift c one to the left (c = c << 1)

4. if ai = 1: c = c + b;

5. if the degree of c exceeds d: c = c + m

We note that in each iteration, c’s degree could be at most one degree to high, it can therefore be
reduced by m by just adding m to c.

Inverse As we know the extended euclidean algorithm can be used to compute the multiplicative
inverse in a finite field. This is also the case in binary fields. Suppose we want to compute the
inverse of a modulo the reduction polynomial m. We have aa−1 ≡m 1, reforming this we get
aa−1 − 1 = mx for a positive x. This can be reformed to aa−1 − mx = 1, which is is exactly the
setup for the euclidean algorithm, since gcd(a, −m) = 1, the algorithm can run on the inputs a and
−m and delivers as one output a−1 .

7
Quadratic Equations A frequent task is the computation of a y-coordinate for a given x-
coordinate. Reviewing the equation y 2 + xy = x3 + ax2 + b, the problem is for given x reduced to
a quadratic equation y 2 + a0 y − b0 = 0, that has either two or no solution. The solutions of this
0
equation equation is equivalent to the solution of y 2 + y = c0 , with c0 = ab02 .
The procedure to solve this equations is described in IEEE P1363/D13 [2], and works as follows:

1. Choose a random ρ ∈ F2d

2. Initialize z = 0, w = ρ
3. Repeat the following two steps d − 1 times:
4. z = z 2 + w2 c0
5. w = w2 + ρ
6. if w = 0: start over at point 1. Else output z.

This algorithm only works with odd degrees, which is sufficient for our purposes since it is a
security requirement for binary field cryptography to choose d as a prime.

4 Cryptosystem

To form a cryptosystem, generally a set of three algorithms is required:

1. Key-generation: An algorithm for generating an encryption/decryption key.

2. Encryption: An algorithm for encrypting plaintexts.
3. Decryption: An algorithm for decrypting ciphertexts.

In traditional symmetric or private-key cryptography, the generated key is used for both encryption
and decryption, with the consequence that anybody that possesses the key is able to en- and decrypt
messages. To ensure confidentiality, the key has to be kept secret between communication partners.
There was originally no way to establish a secret key over insecure channels (for example in-
ternet, using the http protocol). So to establish a shared secret key, a secret channel (which isn’t
eavesdropped) would be necessary.
The situation changed thanks to public-key cryptography. Its origin lies in the Diffie-Hellman
[7] protocol, a method to generate a shared secret key between two communication partners over an
insecure but authenticated channel. From it, the ElGamal cryptosystem [8] was derived. In such an
asymmetric system, two separate keys are generated for encryption and decryption. This enables
one to publish the public-key, with which anyone can encrypt messages, while the private-key for
decryption is kept secret. Besides encryption schemes, also signature schemes exist, with the goal
to ensure authenticity of a message instead of confidentiality. There, the private-key is used to sign
a message, while the public-key is used to verify the signature.
We will first discuss some security issues, then we present the cryptosystem we implemented
for the project - Elliptic Curve ElGamal. Finally we will treat the issue how to represent messages
as points on elliptic curves.

8
 Symmetric key size Z∗n public key size Elliptic Curve public key size
80 bit 1024 bit 160 bit
112 bit 2048 bit 224 bit
128 bit 3072 bit 256 bit
192 bit 7680 bit 384 bit
256 bit 15360 bit 521 bit

Table 1: Equivalent key sizes in bits, recommended by NIST

4.1 Security

The security of Diffie-Hellman and ElGamal relies on the hardness of the discrete logarithm, which
is the analogue of the ordinary logarithm, but in a finite cyclic group. The group traditionally
used in public-key cryptography is Z∗p , where the best known algorithm for computing the discrete
logarithm is the index calculus method.
RSA ([18]), another famous cryptosystem relies on the hardness of factoring large numbers.
Both RSA and ElGamal can be adapted for elliptic curves, where the respective variants are
called the elliptic curve analogues. Elliptic curve RSA analogues don’t provide significant better
security since the factoring problem essentially remains the same [14]. For the elliptic curve discrete
logarithm, specialized algorithms like index calculus cannot be applied which results in better
security and smaller key sizes. The National Institute of Standards and Technology (NIST) lists
key sizes with comparable security for symmetric, Z∗n and elliptic curve asymmetric cryptography,
which is shown in Table 1.
As an example, today usual security from a RSA key size of 2048 bit can already be achieved
with a 224 bit elliptic curve key.

4.2 Elliptic Curve ElGamal

The cryptosystem consists of a key generation algorithm based on the elliptic curve analogue of
Diffie-Hellman, and an encryption and decryption algorithm based on the elliptic curve analogue
of ElGamal.

Public Parameters The parameters known to the public in advance are:

1. The elliptic curve E.

2. A curve-point P , which generates a cyclic subgroup of E.

3. The order n of the cyclic subgroup of E.

P is a generator of the cyclic subgroup of E:

hP i = {∞, P, 2P, 3P, ..., (n − 1)P }

9
 Addition/Subtraction Multiplication
Key Generation 0 1
Encryption 1 2
Decryption 1 1

Table 2: Number of elliptic curve operations done in the cryptosystem.

Key-pair Generation As input we give the public parameters from before. The procedure runs
as follows:

1. Choose d ∈u.a.r. {1, ..., n − 1}

2. Compute Q = dP .

3. Output pair (Q, d). public key: Q, private key: d.

We observe that computing the private key d from a given public-key Q requires solving the discrete
logarithm problem.

Encryption Besides the public parameters, we are given the public-key Q. We want to encrypt a
message M , which is encoded as a point on the elliptic curve (we elaborate how to do the encoding
in the next section):

1. Choose k ∈u.a.r. {1, ..., n − 1}

2. Compute C1 = kP

3. Compute C2 = M + kQ

4. Output ciphertext: (C1 , C2 )

One observation is that since k is chosen at random, C2 = M + kQ actually also appears to be

random.

Decryption We are given the ciphertext-pair (C1 , C2 ), and the private key d. The goal is to
reconstruct the message-point M :

1. C2 − dC1 = M + kQ − dkP
|{z} =M
=k(dP )=kQ

Note that for decryption, the curve order n isn’t actually needed.
We now quickly want to investigate the number of elliptic curve operations each of the pro-
cedures require. The analysis is illustrated in Table 2. We observe that decryption needs one
multiplication compared to two in decryption. The results of our implementation show that the
time needed for encryption is almost twice of decryption. It can be concluded that multiplication
is the dominating operation compared to addition.

10
4.3 Message Encoding

The only remaining question is how text messages could be encoded, or hashed onto points on the
elliptic curve. For practical purposes, we restricted our implementation to ASCII text, where each
character is represented as one byte code. This doesn’t mean a loss of generality since arbitrary files
can be encoded as ASCII text (for example by using base64, which is used for e-mail attachments).
Since the size of the bit representation of elliptic curve points is restricted by the curve’s
modulus, messages have to be split in blocks. For example points on a 163 bit curve offer space for
at most b 163
8 c = 20 characters.
The basic idea of the encoding is that the message corresponds to the x-coordinate. Finding
the corresponding y-coordinate requires computing a square-root in the prime case and solving a
quadratic equation in the binary case. Now we know that only every second x-coordinate corre-
sponds to a valid point and that if the point is valid, two y-coordinates exist. While we can select
one of the tow y-coordinates simply at random, we have to ensure that the point is actually valid.
This is done by adding some random padding to the coordinate, as long until the point is valid.
The method is summarized as follows (m is the message we want to encode and the elliptic
curve points offer space for l characters):

1. Split m in blocks mi of size at most l − 1 bytes.

2. For each mi : Choose a random byte r.

3. Set ASCII(mi )|r as x-coordinate, and find the corresponding y-coordinate.

4. If there are two y-coordinates: select one at random and output (x, y). Otherwise if no
y-coordinate exists, choose another padding r and go back to point 3.

We note that using 8 bit padding, the probability not to find a valid point is negligible (2−256 ).

5 Random Elliptic Curve Generation

5.1 Introduction

The usage of predefined elliptic curves has its advantages and disadvantages. On one side there
exist a set of curves recommended by NIST, which are publicly available in FIPS 186-3. Contained
in the document are both curves over prime and binary fields with bit-sizes ranging from about
160 bits to about 500 bits. Those curves meet some security requirements and are especially suited
for efficient implementations. When it comes to elliptic curve cryptography it is probably the
straightforward way to use the well-known NIST-recommended curves. Test-benches are available
and the additional task to generate a curve is obsolete.
On the other side, there are not many reasons why not to use a new random curve for each
key-agreement, given that the curves meet the same security properties than predefined curves.
The main advantage is obvious: when the curve is not known in advance, no precomputation can
be done on it that might compromise its security. As an illustrative result, [4] claims the security
when using a random curve is the same as using a fixed curve with an 11 bit longer key. The critical

11
factor however is efficiency. Generating a random curve needs costly operations, and the process
should not take much longer than a few seconds on modern hardware to be feasible in practice.

5.1.1 Basic Approaches

In the prime case, a curve is given by the equation

y 2 = x3 + ap x + bp

and in the binary case by

y 2 + x = x3 + ab x2 + bb .
The task is in both cases to select the parameters a and b randomly, while the field modulus, or
the reduction polynomial are given, respectively. In practice, the parameter a could also be fixed
in advance without much loss of generality, for instance to ap = −3 and ab = 0 in order to enable
using efficient EC arithmetic.
Just selecting random coefficients would be easy and efficient, but the major concern is that
also the curve order has to be known in order to use a cryptosystem. There are two conceptually
different approaches how to deal with the order while generating the curve, the random approach
and the complex multiplication approach

Random Approach The random approach consists of the following steps:

1. Select the curve coefficients at random.

2. Compute the curve order, using a point counting algorithm.

3. If the curve doesn’t meet the security requirements, start again with step 1.

Using the point counting in each iteration would significantly influence the efficiency of the
random approach. Instead, one can use an early-abort strategy as described in [9] that detects
insecure curves quickly without the need to first compute their exact order. We will not further
investigate this strategy but the results show that the point counting algorithm is clearly the dom-
inating part of the random approach. We therefore only implement the point counting algorithm
when we evaluate the random approach.

Complex Multiplication Approach The complex multiplication approach solves the curve
generation from the other side: the conceptual idea is instead of computing the order for a purely
random curve to define an order in advance and generate a matching curve to it. The advantage
of this method is that no point-counting algorithm has to run, which generally results in a better
performance than in the random approach. The disadvantage however is that the curve is not
entirely random.
The trade-off in selecting one of the two methods lies in efficiency versus randomness. If the
latter is not of a big concern, one could use complex multiplication, while the random approach
becomes more interesting the more efficient point-counting algorithms get.

12
5.1.2 Security Requirements

There are two main security requirements for elliptic curves as described in [3]. They have to be
checked by the generation methods. The first one ensures that the order is large enough (at least
about 160 bits), to avoid the usage of generic discrete logarithm algorithms:

• |E| = k · r, r ≥ 160, k ≤ 4

There are more specific attacks where the elliptic curve discrete logarithm problem is transferred
to the ordinary DL problem over Zp . We don’t go into details here, but the resulting requirement
for a prime curve (over Fp ) is:

• ps 6≡ 1 mod r, for s ∈ {1, .., 20}, and p 6= r

and the corresponding requirement for binary curves over F2n is:

• 2ns 6≡ 1 mod r, for s ∈ {1, .., 20}, and n prime

5.2 The Prime Field Case

5.2.1 Complex Multiplication

For K = Fp , p a given large prime, there is a polynomial time algorithm of Schoof for computing
the number of points on a given curve. However, it is quite slow in practice (the basic running time
is O(log8 p), although improvements were made) and quite complicated to implement. Therefore
we have used a different approach - first we decide on the desired order of the curve and the value
of p, and afterward we generate a curve over Fp with that order. The method we use is referred
to as the Complex Multiplication method. The theory of complex multiplication is quite deep; we
present here a brief overview of the facts related to the method.
Given an elliptic curve E over some field K, we consider the set of endomorphisms of E
(an homomorphism from E to itself). There are always ”trivial“ endomorphisms ϕm defined by
ϕm (P ) = m · P = P + P + . . . + P , and it’s easy to see that endomorphisms form a ring with
induced addition (i.e. (ϕ + ψ)(P ) = ϕ(P ) + ψ(P )) and composition serving as multiplication, and
that the ”trivial” endomorphisms form a subring isomorphic to Z. If the curve possess more endo-
morphisms, it is said to have possess complex multiplication. The name stems
√ from the fact that in
this case the ring of endomorphisms is isomorphic to Zτ + Z with τ = (D + D)/2 for some D < 0
such that D ≡ 0, 1(mod4), i.e. the ring of endomorphisms is contained in a quadratic imaginary
field. The value D is called the discriminant of the endomorphisms ring, and the isomorphic ring
is denoted by OD .
The usefulness of complex multiplication for our goals comes from the following fact: if E is
an elliptic curve possessing complex multiplication over Q with discriminant D, we can effectively
calculate the order of E over almost any field Fp , problems arising only in cases where p divides D
or when the equation of E does not define a proper elliptic curve over Fp (because the curve is not
smooth). These cases are rare and pose no real problem.
√
Recall that the order of any curve over Fp is p + 1 + ap , with |ap | ≤ 2 p, so the challenge lies
in computing ap . If D is a quadratic residue over p, we have ap = π + π, with π being an element

13
 √
a+b D
√
a−b D
√
of OD such that ππ = p. π can be denoted 2 , and so π= 2 (recall that D < 0 so D
√ √
a2 +|D|b2 a+b D+(a−b D
is imaginary), and so p = ππ = 4 , or 4p = a + |D|b2 ,
2 and ap = π + π = 2 = a.
Hence, if D and p are already known, to compute the order of the curve one needs only to solve
the equation a2 + |D|b2 = 4p. However, this equation has two solutions (for a) which differ by
sign, and so we get two different candidates for the order of the curve. A practical solution to this
problem, which we have implemented, is to take a random point P on the curve and raise it to the
power of each of the candidates, expecting to get O only once. This proved to be an efficient and
reliable solution.
Two questions remain: First, how to solve the equation a2 + b2 |D| = 4p; and second, how to
find a curve E possing complex multiplication for a given D?

5.2.2 Cornacchia’s Algorithm

The first problem touches upon a well-known problem in mathematics - when is there a solution to
the equation x2 + ny 2 = p with p prime and n a natural number, and how can such a solution be
found? The origins of the question can be traced to Fermat who gave the complete classification
of p having solution for n = 1, 2, 3. The proof of Fermat’s results was first given by Euler, and
it is connected strongly to the quadratic reciprocity theorem. The general theory classifying p for
an arbitrary n is quite deep and heavily relies on class field theory. However, there is a simple
algorithm which is essentially based on the Euclidean algorithm which always yields a solution if
one exists.
The algorithm, due to Cornacchia, first determines whether −n is a quadratic residue modulo
 2
p and aborts if it is not (if x + ny = p then x = −ny modulo p, i.e. −n = xy
2 2 2 2 modulo p).
Next, a square root x0 is found (i.e. x20 = −d modulo p) - this requires an algorithm for square-
root extension modulo p but in most cases it is quite easy and there is a standard probabilistic
algorithm due to Shanks which deals with the only difficult case. The next step is simply applying
√
the Euclidean algorithm to the pair (p, x0 ) until
 q a b is 
obtained such that b < p, and then the
2
solution to the original equation is (x, y) = b, p−b n (if the square root does not exist, it is
guaranteed there is no solution to the original equation).
We are dealing with a slightly different equation as on the right-hand side we have 4p instead of
p. However, this requires only a slight change in the algorithm - if we start the Euclidean algorithm
√
with (2p, x0 ) and terminate it as soon as a value lower than 2 p is found, it is still guaranteed to
work unless no solution exists.

5.2.3 The Hilbert Class Polynomials

We turn now to the question of finding an elliptic curve possessing complex multiplication over
Q for a given discriminant D. Given a curve E defined by the equation y 2 = x3 + ax + b its
3
j-invariant is defined as follows: j0 = 1728 4a34a +27b2
(the constant 1728 is traditionally used for
normalization purposes which we won’t describe here). Over Q the j-invariant is unique for each
isomorphism class of curves; however, over Fp , it is not. It is easy to see that for a curve given by
y 2 = x3 + ax + b and any c ∈ F∗p , the curve defined by y 2 = x3 + ac2 x + bc3 has the same j-invariant,

14
but if c is non-square, the new curve (termed the twist of the original curve) is not isomorphic to
the original (if c is a square, we have a new curve that is isomorphic to the original). This is not a
real problem, though: recall that we have said that there are two possible candidates for the order
of the generated curve; one of the candidates is the real order of the curve, and the other one is
the order of its twist.
Given a j0 ∈ Fp value, it is not difficult to construct an elliptic curve over Fp with j0 as the
j0
j-invariant; indeed, define k = 1728−j0
, and define E by the equation y 2 = x3 + 3kx + 2k. Now, by
direct computation of the j-invariant we see that:

4a3 22 · 33 k 3 1728 1728

1728 = 1728 = = = j0
4a3 + 27b2 22 · 33 k 3 + 33 · 22 k 2 1 + k −1 j0 +1728−j0
j0

As required.
Based on the theory of complex multiplication (which is not possible to describe here in detail),
a polynomial with integer coefficients, called the Hilbert Class Polynomial can be found for every
value of discriminant D, such that if j0 is a root of the polynomial (over Q), the corresponding
elliptic curve possesses complex multiplication for D. As we are only interested in the j-invariant
modulo p, it suffices to find a root to the Hilbert class polynomial over Fp - a relatively simple and
discrete process which does not involve issues of precision.
The Hilbert class polynomials are usually computed by generating their roots in C and mul-
tiplying accordingly. This is a costly process which does involve precision issues. Therefore, an
alternative approach is simply to rely on a large known list of the Hilbert class polynomials for
small values of D. This works very well in practice and does not compromise the safety of the curve
(which relies on the size of p and its order).

5.2.4 Summary - Overview of The Full Method

We now describe the exact algorithm used for generation of curves over Fp with a known order.
There are two possible approaches, depending on one’s goals. One can start with a known p and
search for a suitable curve among the known values of D, or one can choose D upfront and choose
random values of p. Therefore we have two “initialization” algorithms:
Version 1: Known p.

1. Choose some value of D.

2. Apply Cornacchia’s algorithm in order to find t,s such that t2 + |D|s2 = 4p.

3. Check that among the two order candidates, u1 = p + 1 + t, u2 = p + 1 − t there is at least

one with admissible factorization. Otherwise, go back to step 1.

Version 2: Known D.

1. Randomly choose integers s, t. of the appropriate magnitude.

t2 +|D|s2
2. Check that p = 4 is a prime integer (using the Miller-Rabin primality test, for example).

15
 3. Check that among the two order candidates, u1 = p + 1 + t, u2 = p + 1 − t there is at least
one with admissible factorization. Otherwise, go back to step 1.

The rest of the algorithm is the same no matter which initialization method was chosen:

1. Calculate (or find from a given list) the Hilbert class polynomial HD corresponding to D.
2. Find a root j0 of HD in the field Fp .
j0
3. Set k = 1728−j0 modulo p.

4. Set the resulting curve to be the one defined by a = 3kc2 , b = 2kc3 for a random c ∈ Fp
5. Check which of the two possible candidates is the order of the curve. If it has an admissible
factorization, return the curve; otherwise, return the twist of the curve (i.e. pick randomly a
non-square e ∈ Fp and return the curve y 2 = x3 + ae2 + be3 .

5.3 The Binary Field Case

The complex multiplication method for generating a random curve can also be applied for the
binary field case K = F2n , where n is prime. In contrast to the prime field case, more efficient
point counting algorithms for elliptic curves over fields of small characteristic exist. Besides Schoof’s
algorithm, which is also applicable in the binary case, the more efficient variants are so-called p-
adic algorithms that require a special kind of arithmetic. The most noticeable among them are the
Satoh-FGH algorithm [9], the Elliptic Curve AGM algorithm [10][6], and the SST algorithm [19].
The first two have an asymptotic complexity of O(n3+ ) and SST has a complexity of O(n2.5+ ),
where the  depends on the implementation of basic big integer arithmetic.
Despite the theoretic advantage of SST, AGM has found to be the best choice so far for practical
implementations, which is the reason why we selected it for this project.
Arithmetic Geometric Mean (AGM) is a mixture of the arithmetic mean (the average of two
numbers) and the geometric mean (the square root of the product of two numbers). If we have two
natural numbers a and b, we define the following sequence.
1 p
a0 := a, b0 := b, an+1 = (an + bn ), bn+1 = an bn
2
Gauss and Legendre originally discovered that the two sequences converge after a few iterations,
so the AGM is defined as their limes:
AGM (a, b) := lim an = lim bn
n→∞ n→∞

A traditional extension of AGM was found by Brent and Salamin, and can be used to compute the
digits of π. The iteration is in this case defined as AGM (1, √12 ). When sn = sn−1 − 2n (a2n + b2n ),
2a2n
pn = sn converges to π.
Applied to elliptic curves, AGM can be used to compute the trace of an elliptic curve, from
which the order can easily be derived. In this section we don’t give a full algebraic explanation of
how AGM is used to recover the trace of the curve, and we refer to [6] which provides an in-depth
derivation. We rather concentrate on implementation related aspects. One is the use of 2-adic
polynomials for the initialization of AGM.

16
5.3.1 2-adic Arithmetic

For practical purposes we present 2-adic arithmetic based on binary field arithmetic. There we
have a binary extension field F2d ∼= F2 (θ)/m(θ), where the elements are polynomials up to degree
d with binary coefficients. The field operation is modulus an irreducible polynomial m(θ). 2-adic
integers can be imagined like the binary representation of natural numbers, and can be represented
by a unique fraction of two natural numbers. The approximations of those fractions form a ring
structure. Formally, Z2d is the valuation ring of an unramified extension of Q2 . Those elements are
approximated up to a precision N , and are taken modulus a polynomial M (T ): Z2d ∼ = Z2 (T )/M (T ).
The elements of Z2d /2N Z2d are polynomials of degree d, with coefficients modulus 2N . To come
back to the connection with binary fields, elements in F2d can be lifted to Z2d . The lift is not
unique: the coefficients must be congruent modulus 2. For example, for c = 1 + θ4 ∈ F2 (θ) both
c01 = 1 + T 4 ∈ Z2 (T ) and c02 = 1 + 2T 2 + 3T 4 ∈ Z2 (T ) are valid lifts to precision at least 2.
For the arithmetic over 2-adic polynomials (approximated to precision N ), no programming
libraries exist that provide the operations out of the box. The following operations are required for
AGM:

Addition The coefficients of the polynomials are added and taken modulus 2N . No modular
reduction is required here as the resulting polynomial doesn’t exceed the maximum degree d.

Multiplication Requires a polynomial multiplication, followed by a reduction modulus M (T ).

The coefficients are always taken modulo 2N .

Modular Reduction All operations that result in a polynomial of a higher degree than d require
a modular reduction.

Inverse The inverse of an element a is computed as the root of the polynomial f (X) = 1 − aX.
For this purpose a Newton iteration is run N times, so that the result has precision N . The initial
approximation to precision 1 is actually the inverse over binary fields, which is well known. The
inverse is used for instance of polynomial division.

Square root For computing the square root, the inverse of the inverse square is taken. The
inverse square root is computed as the root of the polynomial f (X) = 1 − aX 2 . This is computed
using a Newton iteration. As initial approximation of precision 1, the binary field square root must
be implemented.
From those operations, we have have found multiplication and reduction to be the major bot-
tleneck in the implementation. Polynomial multiplication can be highly optimized for example by
using Fast Fourier Transformation (FFT). This is the point where our approach “building every-
thing from scratch” has certain limitations since highly optimized libraries exist especially for this
purpose. We therefore also used polynomial multiplication from the NTL library besides our own
implementation.

17
5.3.2 Elliptic Curve AGM

The AGM iteration consists of two parts. The first is computing starting values a0 and b0 to full
working precision N = d d2 e + 3. The second part consists of d AGM iterations in precision N .
The input elliptic curve has the form y 2 + x = x3 + b. The output of the algorithm is the trace
t, from which the order can be reconstructed as 2d + 1 − t. The order of the twisted curve given by
y 2 + x = x3 + x2 + b is 2d + 1 + t.
Summarized, the steps in the algorithm involve (see also [6]):

1. Lift c to an arbitrary c0 of precision 4.

2. Initialize a = 1 and b = 1 + 8c0

√
3. for i = 5..N : (a, b) = ( a+b
2 , ab) (computation to precision i)

4. set a0 = a

5. for i = 1..d: (ai , bi ) = ( ai−1 +b i−1

p
2 , ai−1 bi−1 ) (computation to precision N )
a0
6. set t = ad (to precision N − 1)

7. if t2 > 2d+2 : t = t − 2N −1

8. return the trace: t.

As an example we define d = 7, the binary reduction polynomial 1 + θ + θ7 and a coefficient

b = 1 + θ2 + θ6 . As intermediate results of the algorithm we get

a0 = 29 + 12T + 16T 2 + 20T 3 + 24T 4 + 8T 5 + 28T 6

ad = 9 + 60T + 16T 2 + 4T 3 + 56T 4 + 40T 5 + 44T 6

. Before step 7, t = 56. It gets t = t − 2N −1 = −11 afterwards. The elliptic curve order is therefore
27 + 1 − (−11) = 140 points. The result can be verified by multiplying an arbitrary point times
140, and the result should be (and indeed is) the point at infinity (0).

6 Implementation

In this section we describe the various components implemented by us in the project.

6.1 Prime field algorithms

We have implemented a wrapper class for elements of Fp (zp int), complete with arithmetic and
comparison operators, as well as standard and Jacobian coordinate classes. We have also imple-
mented a class for polynomials over Fp (ModularPolynomial) - again, complete with arithmetic
(including GCD).
Most of the algorithms we have used are described in Henri Cohen’s book [5]; we give the page
numbers.

18
 We have implemented the algorithm of Tonelli and Shanks for computing square roots over
Fp (pg. 33), and used it to implement an algorithm for finding roots of general polynomials over
Fp (pg. 37) needed in the complex multiplication method in order to find roots of the Hilbert
class polynomial. These algorithms require the computation of Legendre’s symbol and so we have
implemented the standard efficient algorithm which utilizes the quadratic reciprocity theorem (pg.
29 gives an extended version). We have also implemented Cornacchia’s algorithm for finding x, y
such that x2 + |D|y 2 = 4p for given p, D (pg. 35). Primality testing was done via GMP’s library
(which implements Miller-Rabin).

6.2 Binary field algorithms

We have implemented binary finite field arithmetic in the class GFE.h as two variants. The first
one “from scratch”, with algorithms for addition, multiplication ([15]), the extended euclidean
algorithm for binary finite fields in order to compute the multiplicative inverse, and an algorithm
for solving quadratic equations over F2d (see section 3.5). The last algorithm is especially of use
in solving the curve-equation (y 2 + xy = x3 + ax2 + b) to the y-coordinate. The second variant is
actually a wrapper around the same functions provided by the NTL library. For the evaluations
however we used in the implementation from scratch. The implementation was done in a way that
GFE objects can be used the same way as “primitive” types, with the corresponding operators.
The algorithms used for AGM point-counting are defined in adicops.h. This contains the AGM
algorithm itself, as defined in the Book “Handbook of Elliptic and Hyperelliptic Curve Cryptogra-
phy” by Cohen and Frey [6] at page 439. The p-adic algorithms required for AGM are: square-root
computation, inverse square-root computation and inverse element computation. These algorithms
are described in chapter 12 of the same book. In addition to this, p-adic polynomial-arithmetic
containing addition, subtraction, multiplication and division (all operations modulo an irreducible
polynomial) was implemented in two variants: the first one from scratch in the wrapper class de-
fined in Poly.h. The second variant used modular polynomials from NTL and is defined in the
wrapper class in ModPoly.h.

6.3 Elliptic curve implementation

The implementation of elliptic curves had to be done in such a way that a caller that wants to use
its arithmetic doesn’t have to distinguish between prime and binary curves. This was achieved by
using a stable interface class defined in Ellipticcurve.h, which defines the following virtual functions:

• Point addition

• Point subtraction

• Point doubling

• Point multiplication

• Get a point from the “compressed format” (see section 6.3.2).

• Convert a point to the “compressed format” (section 6.3.2).

19
 • Get a random point on the curve (see section 6.3.1).

The concrete implementation of the functions are done in ECPrime.h for prime curves and
ECBinary.h for binary curves. In this way, the program can deal with objects of abstract type
Ellipticcurve without having to know the underlying implementation. The predefined NIST-curves
are all implemented as own subclasses of ECBinary or ECPrime, which simplifies the initializa-
tion of those curves. In this case an Ellipticcurve object is simply initialized with the concrete
CurveNISTp192 implementation, representing the prime NIST curve over 192 bit.
Elliptic curve arithmetic, namely addition and multiplication was implemented according to
Menezes’ book “Guide to Elliptic Curve Cryptography” [11], pg. 81,97.

6.3.1 Finding a random point on the curve

Another algorithm which is implementation specific is finding a random point on the curve. This
is required while generating a random curve suitable for the cryptosystem.
Both algorithms for prime and binary curves choose a random x coordinate until a corresponding
y coordinate exists. For prime curves y 2 = x3 + ax + b, this requires computing a modular square
root, and in the binary case for curves y 2 + xy = x3 + ax2 + b, a binary quadratic equation must
be solved.

6.3.2 Compressed format

Because we are able to find the y-coordinate for a given x, the full definition of y is actually
redundant information. Since there are two solutions for x, the question is only which one was
intended.
For the purpose of storing and recovering points from text-files (as described in section 8.3), we
use the compressed format. This consists of the x-coordinate, preceeded by either “+” or “-” at
the beginning, indicating which of the possible y-coordinates has to be chosen. As an example,

-6468585198793925939445065556022715668330587295808

is a valid point in compressed format for the 163 bit binary NIST curve.
The algorithms we implemented for compression and decompression are defined in [1], section
E.2.3.1 (compression) and in [2], section A.12.8/9 (decompression).

6.4 Cryptosystem implementation

The elliptic curve ElGamal cryptosystem is implemented in the class defined in elgamal.h. To
the cryptosystem, an “Ellipticcurve” object must be passed which is used for the elliptic curve
operations. ECC ElGamal consists of the following functionality:

• Plaintext encryption

• Ciphertext decryption

20
 • Random key-pair generation

For the corresponding algorithms, see section 4.2. In addition to this, routines for encoding
strings to a point on an elliptic curve (including random padding) and for decoding string from
points are implemented (for details, see section 4.3). Furthermore, a curve validation function is
implemented, which multiplies the curve-point with the curve-order. In a correctly defined curve,
the result should be the point at infinity.

6.5 Command-line interface

The command-line interface, used for interpreting the user’s parameters is implemented in cmd.h. It
parses the switches provided over the command-line, and launches actions like key-pair generation,
encryption or decryption accordingly. A guide how to use the interface is given in chapter 8.

6.6 Metrics

The implementation is done in C++ and consists of approximately 7500 lines of code. The code
is distributed in 29 files, containing 34 classes. In total, 53 test-cases are written (using CppUnit)
and can be executed at any time.

7 Results

In this section we present some measurements and some highlighted results regarding our imple-
mentation. First, the key generation timings with different key sizes for both prime and binary
curves are analyzed in 7.1. In 7.2, we measure the timings for encryption and decryption, and in
7.3 we measure the efficiency of the AGM point-counting algorithm. The measurements were done
on an Intel Core Duo processor with 1.8 GHz.

7.1 Key Generation

The key-pair generation was run with the built-in NIST curves over prime and binary fields. The
key sizes are 192, 224, 256, 384 and 521 bits for prime curves and 163, 283, 409 and 571 bits for
binary curves. The results are shown in Figure 3.
As expected, the time increases about linearly with the key size, while the slope in prime curve
is slightly higher than in binary curves.. The operation done is essentially one elliptic curve point
multiplication. The timings for all tested curves don’t exceed one second and are therefore feasible.
The computation in prime curve show a significant advantage over the binary curves. The difference
most likely comes from the fact that the binary curve arithmetic uses binary field arithmetic built
from scratch while prime field arithmetic was done using GMP. For a definite result, more optimized
binary field arithmetic should be used.

21
 Figure 3: Key-pair generation, with prime and binary curves.

7.2 Encryption and Decryption

While in the key-generation test the processed data depends on the key-size, in the encryption and
decryption test all cases process a file of the same size: 3.3KB. Because a curve with double key
size can store the double amount of information on one point, larger key sizes have the theoretical
advantage that less ciphertext-points are produced and therefore less operations are done. The
results are illustrated in Figure 4.
The first thing we observe is that encryption takes approximately twice as much time as decryp-
tion. This is explained with the fact that encryption requires two multiplication while decryption
needs only one (see Table 2). We again see a significant advantage of the prime curves, like in
curve generation. Furthermore it can be observed that the efficiency of smaller keys is better than
of larger keys, even though the total number of processed blocks is higher. The slopes of the
measurement curves is however steeper in key-generation.
As a general comment, public-key cryptography is in practice not very often used for actual
encryption because of its inferior performance compared to symmetric key cryptography. Instead,
it is usually used to establish a symmetric key and the actual encryption is done for example with
AES. We can also see in our results that the efficiency of our implementation is not sufficient to
encrypt large files in a reasonable time.

7.3 Point Counting with AGM

The first attempt with the AGM algorithm was an implementation of the underlying polynomial
multiplication and reduction “from scratch”. This was identified as the clear bottleneck as the
runtime for a key-size of 300 bits was about 30 minutes. We therefore decided to replace those
operations with the ones provided by the NTL library, which resulted in a dramatic performance
improvement: the runtime for the same key-size was reduced to only a few seconds. The results

22
Figure 4: Encryption/Decryption results on a 3.3KB file. Top: prime curves. Bottom: binary
curves.

are illustrated in Figure 5.

The initial goal to be able to generate random curves in only a few seconds is attained, looking
at the results for key sizes up to about 500 bits. As an additional step for curve generation, an
early-abort strategy to skip insecure curves [9] would be needed. As described in the reference, a
single point counting run dominates the early-abort step, from which we can conclude the feasibility
of the random curve generation approach with AGM.

7.4 Challenge Solution

For testing the correctness of the implementation we were given a test consisting of the following
tasks:

• Generating an elliptic curve over prime field.

• Decrypting two messages over prime field.

• Decrypting two messages over binary field.

• Deciding which message was forged.

23
 Figure 5: AGM point counting with varied key sizes.

In the first task, we were given the prime field modulus and some information needed to generate
a curve using the complex multiplication method. The modulo equals the 13th Mersenne prime
(n = 2521 − 1), the imaginary field discriminant for complex multiplication is D > −400 and the
EC parameter a = −3. An additional security constraint was imposed on the curve - its order had
largest prime divisor > 2160 and the rest of the prime divisors were < 216 . The original description
is available in Appendix A.
These constraints admit a unique “solution”, i.e. a suitable curve. In order to find it we
generated using the CM methods all the possible curves over Fp for our specific p and the possible
values of D (i.e. D > −400), except for those values of D for which there is no solution to the
equation x2 + |D|y 2 = 4p (i.e. Cornacchia’s algorithm fails on them). Not all those curves were
isomorphic to curves with a = −3, and so they were also discarded. For the remaining curve, their
order was known as a result of the CM method and among them all, only one curve had order
satisfying the security constraints (for D = −139).
Finally the private key definition, readable by our implementation for the first curve was (for
the format, see section 8.3):

prime
6864797660130609714981900799081393217269435300143305409394463459185543183397656052 \
122559640661454554977296311391480858037121987999716643812574028291115057151
-3
3527776260069785152007274377287143876629163004151083436918067245834023095352803352 \
619592071776153064995010045981739923633622717991755444624957640186908953364
-398540598942556796715601841984589553814663412077882118326991138647122232976515044 \
0620991823676837980440324457306600557245758586407123663426871114407190797434
6864797660130609714981900799081393217269435300143305409394463459185543183397650992 \
549354694781534209408074441975667428948389124479097456824493161776014158579
2744834878295875502523990898255970938931750803137064564739517102097730423490652151 \

24
 435936560016891481734286491312379889015178748930010199888643781513

And for the second curve:

prime
6864797660130609714981900799081393217269435300143305409394463459185543183397656052 \
122559640661454554977296311391480858037121987999716643812574028291115057151
-3
3527776260069785152007274377287143876629163004151083436918067245834023095352803352 \
619592071776153064995010045981739923633622717991755444624957640186908953364
+277633783987862290745991157088307728706423274798898334066464657055442467551243242 \
7452835254055623705198536338718514654123364891577242648186860775805757142087
6864797660130609714981900799081393217269435300143305409394463459185543183397650992 \
549354694781534209408074441975667428948389124479097456824493161776014158579
1237946678497568790188826094418628206193474380513556414420549154032544215130643918 \
215405913748994282110182353617745746987799819718799994745251376454

The decrypted first ciphertext was (without new lines):

f(z) : m = 283 in Table A.1, a = 1, b =

43fdf8a39baa3eaad2fc71f1329184399a63e6fc51239c3df5e8b9e9de57618887eee7c, P =
+587e2fa0ab7ccd194ba4d79aa859b109adef00bc75c66bf6c69a2536c256b8bb816927b. Private
key = 26334010226743190633240527195230292831833139108096019898661304553382794977231705.
Cypher : (+2996b532a62d94cd884558af3a22e4352e748808bab983bddbf387c35a4c0847a62d92c,
-464089c5b600dfe844fcf0c9fbfb5056a8b166c70cdaf501b9ea59a0e1f8b3c0255e1ac)
(-735bb3c6145270c85c8b4990fd76881fea861a2696f66074613a0ad088ae9ac829b1976,
+d8d0ef69942277d300e3e1c8c679fc539f736cd1207ca536ff1156d0b50484b7f93cf8).

The decrypted second ciphertext was:

f(z) : m = 283 in Table A.1, a = 0, b =

7cb16923a86f239ccb3d1cd7bd4d3de5dc3b97eda43330f533da57d8c208701899724dd, P =
-fb4941d427a0b0ffe32ba899f6c8c7c9f89ad50f7291853d44004a5ea72762b048a54a. Private key =
26326629228593706558136978105130308473615944643701116377878072489053032875983292312
8. Cypher : (-1c77506e381a30b83def3e1ebb8d835a49108ee89ad826e5342d5285a0e4f9cb1f0bd28,
-1a48f416a4c3047701154062bfe56552e18bea284c6b3eff14d3f7ce30e311af61d27ee)
(-7ba754244a3b5fd85c6f64a7d959fc24e5b766d383684886fe5171ca64b59eba09af9fe,
-350c1b2efdb3bd7d3579158820c358c99328d329e6bce9f189937fab79019aa3e3797d8).

So there was a second layer in the challenge, which consists of full definitions of two binary
curves and two ciphertexts. The curve order isn’t included, but this isn’t necessary information for
decryption. The reduction polynomial can be read from a table in [11] and is z 283 +z 12 +z 7 +z 5 +1.
The first curve is defined as

y 2 +xy = x3 +x2 +43f df 8a39baa3eaad2f c71f 1329184399a63e6f c51239c3df 5e8b9e9de57618887eee7c

25
and the second as
y 2 + xy = x3 + 7cb16923a86f 239ccb3d1cd7bd4d3de5dc3b97eda43330f 533da57d8c208701899724dd

After bringing this information in the format readable for our application, the ciphertext was
decrypted. The first message was:

Class number for discriminant -877991 equals 818.

The decrypted second message was:

Class number for discriminant -1293367 equals 513.

The class number is a well-known invariant in Algebraic Number Theory and can be computed
using standard algebra libraries. Using the sage library, it was found that the first solution is true
while the other is false (the class number in the second case is 511). Hence, the second message
was forged.

8 User Guide

This section is intended to provide information to the interested user who wants to experiment
with our application. With the command line interface, our program provides a convenient way
to use elliptic curve cryptography in practice. The functions and how they are used is presented,
along with some practical examples.

8.1 Getting the Source

The program source itself can be downloaded over one of the two identical repositories: http:
//github.com/gadial/ECC and http://github.com/bhess/ECC. One can also use git to download
the source:

#> git clone git://github.com/gadial/ECC.git

Once the repository is cloned, the source can be actualized with

#> git pull

git itself is available under http://git-scm.com.

8.2 Compiling the Source

The source repository provides a makefile, so that the source is compiled by running

#ECC> make

in the root folder of the repository.

26
8.2.1 Dependencies

In order to successfully compile the source, some shared libraries should be installed. We recommend
to install current versions of the following libraries (in braces are tested versions):

• CppUnit (version 1.12.0) http://cppunit.sourceforge.net

• GMP - GNU Multi-Precision Library (version 4.3.1) http://gmplib.org

• NTL (version 5.5.2) http://www.shoup.net/ntl

The program is tested under 32 bit Linux. As compiler we used g++ version 4.4.1.

8.3 Elliptic Curve Definitions

Public-key and private-keys contain the full definition of the corresponding elliptic curve. The files
must be provided to the application in order to do encryption and decryption. A sample public-key
or private-key file has the following structure:

• 1. line: “prime” or “binary” curve.

• 2. line: Elliptic curve modulus (prime) or reduction polynomial (binary)

• 3. line: Parameter a.

• 4. line: Parameter b.

• 5. line: Point P on the elliptic curve, in compressed form.

• 6. line: Elliptic curve order.

• 7. line: Public key (in compressed form) or private key.

All values must be decimal. A sample public key definition for a prime curve could looks the
following way:

prime
6277101735386680763835789423207666416083908700390324961279
-3
2455155546008943817740293915197451784769108058161191238065
+602046282375688656758213480587526111916698976636884684818
6277101735386680763835789423176059013767194773182842284081
-4202774374097843812550356794057673546542297328739257456130

27
8.4 Command Line Interface

Over a simple command line interface, the following three functions of the cryptosystem can be
used:

• Key-pair generation.

• Encryption

• Decryption

When the executable is run without switch, the usage parameters are displayed:

#ECC> ./ECC
Usage:
ECC {-pk </path/to/pk> -enc </path/to/plaintext> |
-sk </path/to/sk> -dec </path/to/ciphertext> |
-gen_key {-ec_name ’name’ | -use_ec </path/to/ec>}
-validate </path/to/ec>
Predefined Curves (NIST): [p192|p224|p256|p384|p521|b163|b283|b409|b571]

8.4.1 Key-pair Generation

By using the switch -gen key we indicate that a public-key/private-key should be generated. For
this purpose the elliptic curve has to be known. The 9 curves recommended by NIST are built-in
and can be specified with the switch -ec name. In the NIST curve names, ’p’ indicates a prime
curve and ’b’ a binary curve; the number afterwards indicate their bit-size. If we want to generate
a key-pair with the curve p192, we run:

#ECC> ./ECC -gen_key -ec_name p192

Then two textfiles, containing the curve information and the keys are generated (the file-names
contain a timestamp when the curve key has been generated):

#ECC> cat public_key_201003220104.txt

prime
6277101735386680763835789423207666416083908700390324961279
-3
2455155546008943817740293915197451784769108058161191238065
+602046282375688656758213480587526111916698976636884684818
6277101735386680763835789423176059013767194773182842284081
-4202774374097843812550356794057673546542297328739257456130

#ECC> cat private_key_201003220104.txt

prime
6277101735386680763835789423207666416083908700390324961279

28
-3
2455155546008943817740293915197451784769108058161191238065
+602046282375688656758213480587526111916698976636884684818
6277101735386680763835789423176059013767194773182842284081
3693200230270282832430567472370334031293814885720270459444

The second possibility is to use a curve-definition from a file, with the -use ec switch. In the
next example, we take the above generated public-key file as definition of a curve.

#ECC> ./ECC -gen_key -use_ec public_key_201003220104.txt

And the following files are created:

#ECC> cat public_key_201003220109.txt

prime
6277101735386680763835789423207666416083908700390324961279
-3
2455155546008943817740293915197451784769108058161191238065
+602046282375688656758213480587526111916698976636884684818
6277101735386680763835789423176059013767194773182842284081
+6073060550633047313222863878319194062684276429882449125142

#ECC> cat private_key_201003220109.txt

prime
6277101735386680763835789423207666416083908700390324961279
-3
2455155546008943817740293915197451784769108058161191238065
+602046282375688656758213480587526111916698976636884684818
6277101735386680763835789423176059013767194773182842284081
4495925941769958181740011055363126307352799406048087058490

A function to generate a random curve directly over the command line is currently not available.
For random curve generation, the program API has to be used directly.

8.4.2 Encryption

For encrypting textfiles, one needs to provide a public-key file which also contains the elliptic curve
definition. Suppose we want to encrypt the file faust.txt:

#ECC> cat faust.txt

Habe nun ach! Philosophie, Juristerei und Medizin, und leider auch Theologie!
durchaus studiert mit heissem Bemuehn. Da steh ich nun, ich armer Tor! und bin so
klug als wie zuvor; heisse Magister, heisse Doktor gar, und ziehe schon an der zehen
Jahr herauf, herab und quer und krumm meine Schueler an der Nase herum - und sehe,
dass wir nichts wissen koennen! Das will mir schier das Herz verbrennen!

29
 We use the first public-key generated in the last section with the NIST curve p192 for encryption,
and the command is:

#ECC> ./ECC -pk public_key_201003220104.txt -enc faust.txt

The name of the file containing the ciphertext is the plaintext-name with extension .enc. The
ciphertext point-pairs are written in compressed form and are separated line by line (in the following
some contents were truncated for layout reasons):

#ECC> cat faust.txt.enc

-2941418657115936641805...,+1926840320549465382934...
+1538291260063052821414...,+4260644256050139287355...
-2348564039062829639347...,+2883638826011508920689...
+4677737476484516605321...,+3559085594982234746243...
+7134535296842259156817...,-3305284033086540132053...
-3357881763927395711480...,-5323445310157508381249...
+5981876371431035768184...,-5576058672905230562784...
...
...

8.4.3 Decryption

Analogue to encryption, we provide the private key, containing the curve definition to the command
line interface to decrypt a ciphertext. To decrypt the example from before, run the following
command:

#ECC> ./ECC -sk private_key_201003220104.txt -dec faust.txt.enc

The decrypted file has the file-extension .dec, and indeed, the decryption was successful!:

#ECC> cat faust.txt.enc.dec

Habe nun ach! Philosophie, Juristerei und Medizin, und leider auch Theologie!
durchaus studiert mit heissem Bemuehn. Da steh ich nun, ich armer Tor! und bin so
klug als wie zuvor; heisse Magister, heisse Doktor gar, und ziehe schon an der zehen
Jahr herauf, herab und quer und krumm meine Schueler an der Nase herum - und sehe,
dass wir nichts wissen koennen! Das will mir schier das Herz verbrennen!

8.4.4 Elliptic Curve Validation

For elliptic curves defined in a text-file, the switch -validate provides a quick and handy function
to validate that the provided parameters are correct. Beside curve definition files consisting of 6
lines, also private and public keys can be provided, where the last line defining the key is simply
ignored.
Suppose we want to to validate the elliptic curve defined in the following public-key file:

30
 #ECC> cat ./challenge/private_key_binary1.txt
binary
15541351137805832567355695254588151253139254712417116170014499277911234281641667989665
1
8255380585809383688639434939783260988279527409588319652248090673203645932948626009724
+10744526979748405769424843092044115614633826679604470999470890953483892379364112110203
15541351137805832567355695254588151253139256032115589896844343002557484362928298853438
26334010226743190633240527195230292831833139108096019898661304553382794977231705

To validate we run:

#ECC> ./ECC -validate ./challenge/private_key_binary1.txt

Validation succeeded!

More specifically, the test reads in the EC parameters, decompresses the point on the curve
and multiplies the point with the curve order. If the result is the point at infinity, the validation
succeeds and otherwise it fails.

8.4.5 Testcases

The implementation has a large number of built-in test-cases that test different aspects of the
implementation, like finite field arithmetic or several algorithms. With the switch -t the test-cases
are launched:

#ECC> ./ECC -t
.....................................................

OK (53)

This is mainly for debugging purposes and shows that “everything should be right”, especially after
changes in the code are made.

9 Conclusion

In this project we investigated the large field of elliptic curve cryptography, whose properties enable
to achieve the same security with much smaller key sizes compared to public key cryptography
over Z∗n . We implemented an elliptic curve cryptosystem “from scratch”, relying only on big
integer arithmetic. This implied the implementation of finite field arithmetic and several additional
algorithms. Furthermore, the implementation was done for both elliptic curves over prime and
binary fields. Besides the deep insight this approach gave, also some limitations were shown,
namely not all our implementation can compete with highly optimized libraries.
Besides the cryptosystem, we implemented two cutting-edge methods to generate random ellip-
tic curves. The two approaches are conceptually different: the Complex Multiplication (over prime
fields) generates a curve for a given order, and the AGM point-counting method (over binary fields)

31
computes the order for given curve parameters. We showed the practical feasibility of both methods
and that a random curve with not too large bit-size up to about 300 bits can be generated within
a few seconds. We successfully solved a challenge consisting of generation of a prime curve, and
decryption over a prime and a binary curve.
Further work could involve the implementation of Complex Multiplication for binary fields and
point-counting for prime fields, which would enable a direct comparison between binary and prime
curves. Several optimizations could be done, either by choosing more efficient algorithms or by
low-level optimizations. Additionally, a comparison of our implementations with variants from
optimized library would be interesting. As cryptosystem, we choose the ECC ElGamal system for
encryption and decryption. An additional task would be to implement a signature scheme, or to
choose a different encryption system.
For end-users, the product of our project is an elliptic-curve-cryptosystem that is ready-to-use.
One can either define own curves or choose between different predefined curves recommended by
NIST. They can be used for key-generation, encryption and decryption of arbitrary text-messages.
The implementation in C++ is done in a clean, easy-extensible object-oriented design, and achieves
a high efficiency typical for native code. The entire project consists of approximately 7500 lines of
code.

A Challenge Description

32
General Information
You are given two messages encrypted by an Elliptic Curve cryptography system. One of the messages is
authentic, while the other was intentionally forged. The goal is to decrypt both messages, identify
which message is forged, and explain your decision.

Elliptic Curve
Both messages were generated using the same elliptic curve E over a prime field of order equal to 13-
th Mersenne prime, and coefficient a equal to -3. E was generated using Complex Multiplication method
with imaginary field discriminant D > -400. Security constraints on #E: largest prime divisor > 2160;
second largest prime divisor < 216.

Cryptosystem
Both messages were encrypted using ElGamal scheme. Every message was encrypted using a different point
on the curve E, and different private key d.

Converting text to elliptic curve points was performed using 1 byte padding.

Representation of Elliptic Curve points

Points on elliptic curves are represented in the so called “Compressed” format (see e.g.
http://www.cdc.informatik.tu-
darmstadt.de/TI/Veroeffentlichung/Artikel/Kryptographie/PublicKeyAllgemein/P1363-E-10-05-98.pdf,
section E.2.3.1), where the x-coordinate is preceded by a “+” or “-“ sign, whenever the compressed y-
coordinate equals to 1 or 0, respectively.

Messages
Message 1:

EC point :
-39854059894255679671560184198458955381466341207788211832699113864712223297651504406209918236768379804
40324457306600557245758586407123663426871114407190797434

d :
274483487829587550252399089825597093893175080313706456473951710209773042349065215143593656001689148173
4286491312379889015178748930010199888643781513

Cypher : (-
252835703411563142854525709736229315524521149551134582131724751536380401344761114315148810849703883888
2419925192612058882477886376375392499117604490017507195,
+49938368138975226976303726116381107008375562097222477041826762836953124933844950351967161977191555513
14086198667082611254956263153338585535105207094553529724) (-
807582541666249309948858058085472788687189980713748071337151691942532474674558916476551741835759196678
999627742866421543918842045242322706140479081608801403,
+48895184225146340576989096938782009425102806022592335856230935456690157697537869879840694481515998005
14073525483193692865113332156753076091327305893814157488) (-
679630172372118173791048428760365318585369540257351588678301976065500670649992936379053243952731609158
2421373307676022032584816062907148992202158083073657174,
+34100361230470345235538416213457966803859349577856572731338138608591495828776684341409852662502523611
77808056393746843043495937454835962635471364599503778914) (-
561889917735615060310021170648583339895539588780113058171060706538144711415480120520439764968156787719
3378329302663252759695442411984697549064004060837984107,
+34169336482657079864211904130164242671491998507969626927159824425318473123159700897784519933424521773
7539872946863989992194716323289690891004041268042668564)
(+4235758105861964896313922479521614774399507655761878046735487902288096563093634511599744907905830774
841694687039221811871553400595742436602677202143044770141,
+19203061345999046403709866799484725008271545126069049790268849889477291786002233659394475856373581332
93933912384477678159894523458074217777044245906315737985) (-
167639929996260244969199291229952196734245270031769606292055154563291117077311222337928229641416905447
0009769931733617412661761766136515381083096223460757692,
-28230416287331726547518646043017347622686310127882715861308205747507696304971434510457084825058925403
35055071660984523043768042537646777529110184222757386529) (-
669118185410344423365965721186351099450775489112270063899703046574925505313526910847741781159547502585
6175587612473112403403179770305225109670750779244964933,
-32484351231830818188317641151119521993348787563631945721193720736270366856789020104628184103698082049
44454922323827120101700994654694162354750425538764180318)
(+1406208326462625871550153049559327152713821450658747013469528101583960433363630768786769019545269492
061578185789151508992536111638185429977854041528728745825,
-19380147320171542124863083967272001725045338172249514956232782696359364469550900712765869087738998288
30119078454890410738510219099902157175312998242270309117)
(+4463360652700831124779007257770797164600011742739107203093911197345805867468889629863524641427473640
277704524524605946229133630958577529608000668060320168287,
-16086448545878424986627918690118573477880276245524709467021538570652035415353122714293874940539989113
47089161130949985218389364756006779380126202650015997410)
(+2818467245937478880899020790063162934039063013387338118987235483753572611427565287573857335110867652
683847947104745604647777495832028117539334552783179612593,
+37701058376807207766959963494049155910421971382886648009692030078536171177487558992942980727879562761
31842203302923504671116151769790972879180736258586782490)

Message 2:

EC point :
+27763378398786229074599115708830772870642327479889833406646465705544246755124324274528352540556237051
98536338718514654123364891577242648186860775805757142087

d :
123794667849756879018882609441862820619347438051355641442054915403254421513064391821540591374899428211
0182353617745746987799819718799994745251376454.

Cypher : (-
197542715652313372805940142380940031747916243766886028514164403434368770719190771961695944404996374968
6985125830909183055835481164893435443108087740233751320,
+95061590514746985732786963002280025522979803208335512879728320095798707162338098912329950613143050605
3514303302744830317033748178044163647959940639519968273) (-
197128563347860393338289796621830314952865760284319457651389791245564701512444883100749214126497190326
6683707174414705713477114893468750017824789054114995168,
+16223831278461926689012958700482321917359763316171406672452424765521575461056076270064249532232111070
83352370346681736726811767818398859999053924097562123440)
(+2298904090272300885190990535111997197486668184065802162441701241490888955524447698378388632387626395
81349159121779668679807217132841491803497660395004480186,
-46794025745540458675939373124663466497396641044456593261429130651859228280690643899495340592345420998
61549554285673717029470599773249366829710319385222516048) (-
640017089388028683073291876378082782367489373891950964103570180778642330496554950754804320054419815389
9846369274748801074718526017110431107194963470396961082,
-58922837742391356223650605002042741627010917393368018011609709706664425796096597597526242849563930530
51342630972227835627153497557988907877177257039759020890) (-
428158704551641322950313570046282464827653663017259346893868570539058176645686857393918227165766598072
3311821624217054870198945535932375175016778864736665987,
+40577106785120901491056855108266549975685726997834121787137599291196152497965728709854095016879532815
44941260681374601471813694973767358115408564004666276636)
(+6348372797490198939913384817789336207713558474076389468046280939246687269958457375671470368984089013
224681949116217577896048502592333521840476544659788523588,
+14005084396014793052896208402879699976925487138613446569685400470691945186808086167489112395596094426
21451406655147968808604401372824811071605425929952329189) (-
181615409734449730640319982340410857164848682859499841533214516635876427359830816346672962662766460147
5417777353666312555340451140002523677352638668760792557,
-30503472401927837051444023353362726252997828757466527410225646956800106132198647670709357144150570664
47641504689272335405848906955745560178398891597357063033) (-
333698948226212712572754640111987340035584713367594015950420776467149002614435029361524963271164187011
7312504114802305699435794041557668272281373666166594624,
+54308964856537978546895360064317087416675630862591405053679677550001463474099684771860039759192477449
19515429328149416050984069127194833007556263533677402393) (-
344912518630044352510148625649483931671228679643201198987182068300072228025644085961703933691509059417
7866760812111760274356266744393960130787209786446083836,
-15696994340682602509016388688841316949960518664515386530059717925697405291055041480639728255778087799
11092579065132039234721668709644500977474367536535281987)
(+2969664203751695398556436358574917069564949522825544586857765637192129137297871311499442486884246637
213672503865944909087484961552572722819168917185606598415,
-64569954810308224840472263351302448046694976625362399661112571384139676562586573575659413287130633329
81760509218428553953432864458433375635272144841246940117)
References
[1] Ieee p1363/d8 annex e, http://grouper.ieee.org/groups/1363/P1363/draft.html, 1998.

[2] Ieee p1363/d13 annex a, http://grouper.ieee.org/groups/1363/P1363/draft.html, 1999.

[3] Harald Baier and Johannes Buchmann. Generation methods of elliptic curves, 2002.

[4] Gary Carter, Edward Dawson, Yvonne Hitchcock, and Paul Montague. The security of fixed
versus random elliptic curves in cryptography. 2003.

[5] Henri Cohen. A Course In Computational Algebraic Number Theory, volume 138 of Graduate
Texts in Mathematics. Springer-Verlag New York, Inc., 3 edition, 1996.

[6] Henri Cohen and Gerhard Frey. Handbook of elliptic and hyperelliptic curve cryptography
edited by h. cohen, 2006.

[7] Whitfield Diffie and Martin E. Hellman. New directions in cryptography, 1976.

[8] Taher El Gamal. A public key cryptosystem and a signature scheme based on discrete log-
arithms. In Proceedings of CRYPTO 84 on Advances in cryptology, pages 10–18, New York,
NY, USA, 1985. Springer-Verlag New York, Inc.

[9] Mireille Fouquet, Pierrick Gaudry, and Robert Harley. Finding secure curves with the satoh-fgh
algorithm and an early-abort strategy. In in B. P (ed), Advances in Cryptology - EUROCRYPT
2001, Lecture Notes in Computer Science 2045, pages 14–29. Springer-Verlag, 2001.

[10] Pierrick Gaudry. A comparison and a combination of sst and agm algorithms for counting
points of elliptic curves in characteristic 2. In ASIACRYPT ’02: Proceedings of the 8th Inter-
national Conference on the Theory and Application of Cryptology and Information Security,
pages 311–327, London, UK, 2002. Springer-Verlag.

[11] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptog-
raphy. Springer-Verlag New York, Inc., Secaucus, NJ, USA, 2003.

[12] Neal Koblitz. Introduction to Elliptic Curves and Modular Forms, volume 97 of Graduate Texts
in Mathematics. Springer-Verlag New York, Inc., 1984.

[13] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of Computation, 48:203–209, 1987.

[14] Neal Koblitz, Alfred Menezes, and Scott Vanstone. The state of elliptic curve cryptography.
Des. Codes Cryptography, 19(2-3):173–193, 2000.

[15] Julio López and Ricardo Dahab. High-speed software multiplication in f2m. In INDOCRYPT
’00: Proceedings of the First International Conference on Progress in Cryptology, pages 203–
212, London, UK, 2000. Springer-Verlag.

[16] Ueli Maurer. Lecture notes in cryptography (at eth zurich), 2007.

[17] V. Miller. Use of elliptic curves in cryptography. CRYPTO, 85, 1985.

[18] R.L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and
public-key cryptosystems. Communications of the ACM, 21:120–126, 1978.

35
[19] Takakazu Satoh, Berit Skjernaa, and Yuichiro Taguchi. Fast computation of canonical lifts
of elliptic curves and its application to point counting. Finite Fields and Their Applications,
9(1):89–101, 2003.

[20] J. Silverman. The Arithmetic of Elliptic Curves, volume 106 of Graduate Texts in Mathematics.
Springer-Verlag New York, Inc., 1986.

36