Elliptic curves

(1)

Topics in Algebra: Cryptography

Univ.-Prof. Dr. Goulnara ARZHANTSEVA

WS 2019

(2)

Weierstrass equation

Letkbe a field.

Weierstrass equations

TheaffineWeierstrass equation:

E:y²+a₁xy +a₃y =x³+a₂x²+a₄x+a₆,a_i ∈k.

ThehomogeneousWeierstrass equation:

E^∗:y²z+a₁xyz+a₃yz²=x³+a₂x²z+a₄xz²+a₆z³,a_i ∈k.

Thevanishing set:

E(k) ={(x :y :z)∈P²so thatx,y,z ∈kis a solution ofE^∗} ⊆P² Thedefining polynomial:

F^∗:y²z+a₁xyz+a₃yz²−(x³+a₂x²z+a₄xz²+a₆z³),a_i ∈k.

c

Univ.-Prof. Dr. Goulnara Arzhantseva Chapter 03: Elliptic Curve Cryptography 2 / 37

(3)

Elliptic curves: projective plane and the point at ∞

E :y²=x³−x + 1, E^∗:y²z =x³−xz²+z³and the point (0 : 1 : 0) at∞ [image by ‘Squeamish Ossifrage’: crypto.stackexchange.com]

(4)

Elliptic curves

Definition: Elliptic curve

E isellipticifE is smooth.

Normal forms

1. Ifchark6= 2 then inE substitutey 7→y −^a¹^x+a₂ ³ obtaining y²=x³+a⁰₂x²+a⁰₄x+a⁰₆

2. Ifchark6= 2,3 then substitutex 7→x− ¹₃a⁰₂,a⁰₂=a₂+^a₄²¹ obtaining y²=x³+ax +b

chark6= 2,3 :disc(x³+ax+b) =−16(4a³+ 27b²)

chark6= 2,y²=f(x) =x³+a⁰₂x²+a⁰₄x+a⁰₆is singular⇐⇒discf = 0

c

(5)

Elliptic curves

Elliptic curves in normal form [image: Wikipedia]

(6)

Elliptic curve: The group structure (E (k), +)

ka field,kits algebraic closure,O= (0 : 1 : 0)∈E(k) the point at∞

Group structure on theR-points ofE :y²=x³−x + 1 [image: Wikipedia]

Group structure: collinear triples sum toO.

c

(7)

Elliptic curve: The group structure (E (k), +)

ka field,kits algebraic closure.

E(k) is theprojective algebraic setdefined by a homogeneous Weierstrass equation over the algebraic closure of the field.

An elliptic curve always contains the point at infinity, which is the neutral element in the corresponding abelian group.

An elliptic curve is a special case of aplane algebraic curve.

We can view the additiongeometrically,algebraically, and analytically.

(8)

Elliptic curve and projective lines

The defining polynomial:

LetL={(x :y :z)|ax +by+cz = 0} ⊂P²(k) be a projective line with (a,b,c)6= (0,0,0)

Theorem: Intersection ofE with a projective line

LetL⊂P²(k) be a projective line. Then|L∩E(k)|= 3, counted with multiplicity.

IfLisk-rational (i.e.a,b,c∈k), and 2 of the intersection points are k-rational, then so is the 3rd point of the intersection.

If a polynomial of degreed overkhasd −1 roots ink, then the last root is also ink.

c

(9)

Elliptic curve and projective lines

LetL={(x :y :z)|ax +by+cz = 0} ⊂P²(k) be a projective line with (a,b,c)6= (0,0,0)

Theorem: Intersection ofE with a projective line

LetL⊂P²(k) be a projective line. Then|L∩E(k)|= 3, counted with multiplicity.

IfLisk-rational (i.e.a,b,c∈k), and 2 of the intersection points are k-rational, then so is the 3rd point of the intersection.

If a polynomial of degreed overkhasd −1 roots ink, then the last root is also ink.

(10)

Elliptic curve and projective lines

Proof: a=b = 0. ThenL={(x :y : 0)}is the line at infinity and L∩E(k) ={(0 : 1 : 0)}of multiplicity 3.

a6= 0 orb6= 0. ThenL={(x :y : 1)|ax+by =−c} ∪ {(b:−a: 0)}and

we have two sub-cases.

1)b 6= 0. Then (b:−a: 0)6= (0 : 1 : 0), hence, (b:−a: 0)6∈E(k) as

(0 : 1 : 0) is its only point at infinity.

We substitutey =−^ax+c_b inE and obtain a cubic polynomial inx with 3 roots ink, counted with multiplicity.

2)b = 0,a6= 0. (0 : 1 : 0)∈L∩E(k).

We substitutex =−_a^c inE and obtain a quadratic polynomial iny that has two roots ink, counted with multiplicity. This gives 3 points.

For thek-rationality assertion useVieta’s formulas.

c

(11)

Elliptic curve and projective lines

2)b = 0,a6= 0. (0 : 1 : 0)∈L∩E(k).

(12)

Elliptic curve and projective lines

2)b = 0,a6= 0. (0 : 1 : 0)∈L∩E(k).

c

(13)

Elliptic curve and projective lines

2)b = 0,a6= 0. (0 : 1 : 0)∈L∩E(k).

We substitutex =−^c_a inE and obtain a quadratic polynomial iny that has two roots ink, counted with multiplicity. This gives 3 points.

(14)

Elliptic curve and projective lines: Bézout’s theorem

Alternatively, to obtain|L∩E(k)|= 3, we can use the following result.

Theorem: Bézout’1779

LetC₁,C₂be two plane projective curves over a fieldkwhose defining polynomialsF₁,F₂are relatively prime (i.e. their polynomial greatest common divisor is a constant) and have degreesd₁andd₂.

Then their intersectionC₁∩ C₂inP²(k⁰), withk⁰ an algebraically closed fieldk⁰ ⊇k, counted with theirmultiplicities, consists ofd₁·d₂points.

E has degree 3 (i.e. F^∗ has degree 3), a projective line has degree 1.

c

(15)

Elliptic curve and projective lines: Tangents

Definition: Tangents

LetP∈E(k). The projective line T_P :=

(u:v :w)∈P²| ∂F^∗

∂x (P)·u+∂F^∗

∂y (P)·v+∂F^∗

∂z (P)·w = 0

is thetangentofE at pointP.

Let∇= (_∂x^∂,_∂y^∂ ,_∂z^∂ ), thenT_P is defined by∇F^∗(P)·





 u v w





= 0.

ForO= (0 : 1 : 0), we have∇F^∗(O) = (0,0,1),then O ∈TO ={(u :v :w)|w = 0}the line at∞.

(16)

Elliptic curve: The group structure (E (k), +)

We can view the additiongeometrically,algebraically, and analytically.

Group structure onE(k), geometrically

ForP,Q∈E(k) defineP∗Q byE(k)∩L={P,Q,P∗Q}, where L:=

(the projective line throughP andQifP 6=Q the tangentT_P ofE atPifP =Q

We define

P+Q:= (P∗Q)∗ O.

c

(17)

Elliptic curve: The group structure (E (k), +)

Theorem: Group structure onE(k)

LetP,Q,R∈E(k) andL⊂P²(k) a projective line. Then:

1 ∗and + are commutative.

2 (P∗Q)∗P =Q.

3 O ∗ O=O

4 IfL∩E(k) ={P,Q,R}, then (P+Q) +R=O.

5 P+O=P.

6 P+Q=O ⇔P∗Q=O.

7 + is associative.

8 (E(k),+) is an abelian group with neutral elementOand

−P=P∗ O.

9 E(k) is a subgroup ofE(k).

(18)

Elliptic curve: The group structure (E (k), +)

Proof:

1 By definitions of∗and +.

2 By definition ofLin the definition of∗.

3 SinceO ∈TO, see above.

4 (P+Q) +R= (((P∗Q)∗ O)∗R)∗ O^2.=O ∗ O^3.=O.

5 P+O= (P∗ O)∗ O^1.= (O ∗P)∗ O^2.=P.

6 IfP∗Q=O, thenP+Q= (P∗Q)∗ O=O ∗ O^3.=O.IfP+Q=O, then

P∗Q^5.= (P∗Q) +O= ((P∗Q)∗ O)∗ O= (P+Q)∗ O=O ∗ O^3.=O.

7 Case by case analysis (whetherP =Qor/andR=P+Q, etc.) or, use algebraic formulas, or see the next slide.

8 Follows from 1, 5, 6, and 7.

9 IfE is defined overkandP,Q∈E(k), thenL,L∩E are defined overk. In addition,P∗Qis, as the 3rd root ofL∩E(k), also ink.

c

(19)

The group structure (E (k), +): Associativity

Sketch: LetP,Q,R∈E(k).

To compute−((P+Q) +R) we form projective lines L₁=PQ,M₂=O,P+QandL₃=R,P+Q.

To compute−(P+ (Q+R)) we form projective lines M₁=QR,L₂=O,Q+RandM₃=P,Q+R.

We see thatP_ij =L_i∩M_j ∈E, except possiblyP₃₃. Bythe Theorem below, having 8 pointsP_ij 6=P₃₃onE ⇒P₃₃ ∈E.

SinceL₃∩E ={R,P+Q,−((P+Q) +R)}, we must have

−((P+Q) +R) =P₃₃.

Similarly,−(P+ (Q+R)) =P₃₃, so−((P+Q) +R) =−(P+ (Q+R)), whence the associativity.

Cases:P_ij =OorP_ij =P_kl (a line is tangent) or two lines are equal.

(20)

The group structure (E (k), +): Associativity

We see thatP_ij =L_i ∩M_j ∈E, except possiblyP₃₃. Bythe Theorem below, having 8 pointsP_ij 6=P₃₃onE ⇒P₃₃ ∈E.

−((P+Q) +R) =P₃₃.

c

(21)

The group structure (E (k), +): Associativity

−((P+Q) +R) =P₃₃.

(22)

The group structure (E (k), +): Associativity

−((P+Q) +R) =P₃₃.

c

(23)

The group structure (E (k), +): Associativity

Theorem: Cayley-Bacharach’1886

IfP₁, . . . ,P₈are points inP²(k), no 4 on a line, and no 7 on a conic, then there is a 9th pointQsuch thatanycubic throughP₁, . . . ,P₈also passes throughQ.

Using the Theorem: Two cubic curves,L₁L₂L₃= 0 andM₁M₂M₃= 0, pass through 8 points: O,P,Q,R,P+Q,Q+R,−(P+Q),−(Q+R).By Bezout’s theorem, two cubics intersect in 9 points,P₃₃is the 9th point.

By the Theorem, any other cubic through these 8 points also passes throughP₃₃. So,E passes throughP₃₃.OnM₁M₂M₃∩E we have:

O,P,Q,R,P+Q,Q+R,−(P+Q),−(Q+R),−(P+ (Q+R)),P₃₃. Only 3 points on a line intersect a cubic, so two of these points must coincide. By definition,P₃₃ is6= any of the first 8 points, so

P₃₃=−(P+ (Q+R)).

Similarly, forL₁L₂L₃∩E, that givesP₃₃ =−((P+Q) +R).

(24)

The group structure (E (k), +): Associativity

By the Theorem, any other cubic through these 8 points also passes throughP₃₃. So,E passes throughP₃₃.

OnM₁M₂M₃∩E we have: O,P,Q,R,P+Q,Q+R,−(P+Q),−(Q+R),−(P+ (Q+R)),P₃₃. Only 3 points on a line intersect a cubic, so two of these points must coincide. By definition,P₃₃ is6= any of the first 8 points, so

P₃₃=−(P+ (Q+R)).

c

(25)

The group structure (E (k), +): Associativity

P₃₃=−(P+ (Q+R)).

(26)

The group structure (E (k), +): Associativity

P₃₃=−(P+ (Q+R)).

c

(27)

The group structure (E (k), +): Associativity

IfP₁, . . . ,P₈are points inP²(k), no 4 on a line, and no 7 on a conic, then there is a 9th pointQsuch that any cubic throughP₁, . . . ,P₈also passes throughQ.

Hypothesis of the Theorem are fulfilled: If 4 of the points

O,P,Q,R,P+Q,Q+R,−(P+Q),−(Q+R) are on a lineL, then, as they are also onE,|L∩E(k)|>4, which contradicts Bezout’s theorem (as 1·3 = 3).

If 7 of them lie on a conicC, as they are also onE,|C∩E(k)|>7, which contradicts Bezout’s theorem (as 2·3 = 6.)

(28)

Elliptic curve: The group structure (E (k), +)

P = (x₁,y₁) = (x₁:y₁: 1),Q= (x₂,y₂) = (x₂:y₂: 1)∈E(k) with P,Q6=O.

Letλ= ^y_x²^−y¹

2−x₁ ifP 6=Qandλ=

∂F∗

∂x (P)

∂F∗

∂y (P) =−^a¹^y¹_2y^−3x¹²^−2a²^x¹^−a⁴

1+a₁x₁+a₃ ifP=Q.

Group structure onE(k), algebraically (without proof) P+Q= (λ²+a₁λ−a₂−x₁−x₂,−y₁+λ(x₁−x₃)−a₁x₁−a₃)

−P =P∗ O= (x₁:−y₁−a₁x₁−a₃: 1) Here: x₃=λ²+a₁λ−a₂−x₁−x₂.

c

(29)

Elliptic curve: The group structure (E (k), +)

Theorem: Mordell’1922–Weil’1928

For an abelian varietyAover a number fieldk, the groupA(k) of k-rational points ofAis afinitely-generatedabelian group.

Corollary

For a number fieldk, the abelian groupE(k) is finitely generated.

Theorem: Structure of finitely generated abelian groups

Given a finitely generated abelian groupA, there existr,k ∈N>0and n₁, . . . ,n_k ∈Nwithn_i|n_i+1such thatA∼= Z^r×Z/n₁Z× · · · ×Z/n_kZ,r is therankofAand then_i’s are thedeterminantal divisorsofA.

(30)

Elliptic curves over finite fields

Elliptic curveE:y²=x³−x over the finite fieldF61[image: Wikipedia]

The tangentTPofE algebraically:Pis the double root ofF^∗−T_P^∗.

c

(31)

Elliptic curve: Size of (E ( F

^q

), +)

Letpbe a prime,q =pⁿandN =|E(Fq)|.

Theorem: Hasse’1933 (without proof)

The order ofE(Fq) satisfies:

|q+ 1−N|62√ q

LetP∈E(Fq), the order ofE(Fq) satisfiesN·P=O. By Hasse’s bound, we can findNin 4√

q steps.

Exercises: Shank’s Baby-Step Giant-Step algorithmto solve theDLP inE(Fq). In particular, we can findNin 4q¹⁴ steps.

(32)

Elliptic curve: Size of (E ( F

^q

), +)

Letpbe a prime,q =pⁿandN =|E(Fq)|.

Theorem: Hasse’1933 (without proof)

The order ofE(Fq) satisfies:

|q+ 1−N|62√ q

LetP∈E(Fq), the order ofE(Fq) satisfiesN·P=O.

By Hasse’s bound, we can findNin 4√

q steps.

Exercises: Shank’s Baby-Step Giant-Step algorithmto solve theDLP inE(Fq). In particular, we can findNin 4q¹⁴ steps.

c

(33)

Elliptic curve: Structure of (E ( F

^q

), +)

Theorem: existence of elliptic curves over finite fields (without proof) Letpbe a prime,q =pⁿandN =q+ 1−afor somea∈Zwith

|a|62√

q.Then there is an elliptic curveE(Fq) with|E(Fq)|=N if and only ifasatisfies one of the following conditions:

1 gcd(a,p) =1.

2 nis even anda=±2√ q

3 nis even,p6≡1 mod 3, anda=±√ q.

4 nis odd,p= 2 orp= 3, anda=±pⁿ⁺¹² .

5 nis even,p6≡1 mod 4, anda= 0.

6 nis odd anda= 0.

(34)

Elliptic curve: Structure of (E ( F

^q

), +)

Theorem: structure for elliptic curves over finite fields (without proof) Letpbe a prime,q =pⁿandN =q+ 1−afor somea∈Zwith

|a|62√

q.WriteN =p^en₁n₂withp6 |n₁n₂andn₁|n₂(possiblyn₁= 1).

Then there isE(Fq) such that

E(Fq)∼= Z/p^eZ×Z/n₁Z×Z/n₂Z if and only if

1 n₁|q−1 in the cases 1, 3, 4, 5, 6 of the preceding Theorem.

2 n₁=n₂in the case 2 of the preceding theorem.

These areall groupsthat occur asE(Fq).

c

(35)

Realizations of abelian groups

DLP assumptionincludes that theDLP in ((Z/pZ)^×,·) is not in BPP.

Exercises: theDLP in (Z/(p−1)Z,+) is in P.

However,

((Z/pZ)^×,·)∼= (Z/(p−1)Z,+).

Thus, the complexity of the DLP depends on therealizationof the abelian group.

(E(k),+) is an elliptic curve realization of the abelian group. It is a realization which resists allknown attackson the DLP. SafeCurves= curves with efficientandsecure implementation.

(36)

Realizations of abelian groups

However,

((Z/pZ)^×,·)∼= (Z/(p−1)Z,+).

(E(k),+) is an elliptic curve realization of the abelian group.

It is a realization which resists allknown attackson the DLP.

SafeCurves= curves with efficientandsecure implementation.

c

(37)

Realizations of abelian groups

However,

((Z/pZ)^×,·)∼= (Z/(p−1)Z,+).

(E(k),+) is an elliptic curve realization of the abelian group.

It is a realization which resists allknown attackson the DLP.

SafeCurves= curves with efficientandsecure implementation.

(38)

ECC versus RSA

A smaller key size with ECC

ECC with 256-bit key∼RSA with 3072-bit key

Protection Symmetric RSA modulus Elliptic curve

Standard: not now 80 1024 160

Near-term: 2018-28 128 3072 256

Long-term: 2018-68 256 15360 512

ECRYPT-CSA Recommendations (2018)

c

(39)

ECC versus RSA

A smaller key size with ECC

ECC with 256-bit key∼ElGamal 3072-bit group size

General number field sieve(GNFS) for DLP in (Z/pZ)^× runs in time 2^O(n^1/3^·(log²ⁿ⁾^2/3⁾forpof lengthO(n).

So, for a512-bit primep, the GNFS solves the DLP in (Z/pZ)^×in roughly

2⁵¹²^1/3^·9^2/3 ∼2^8·4= 2³²steps.

The bestgeneric algorithmsolves DLP inE(Fq) withN=|E(Fq)|, whereN is a64-bit prime, in roughly

√

N∼2^64/2= 2³²steps.

(40)

ECC in Practice: Example

SSL / TLS protocols

SSL=Secure Sockets Layer, TLS=Transport Layer Security

They use public key cryptography to derive symmetric keys and then use symmetric key cryptography to ensureconfidentialityanddata integrityof the communication.

Web browsing, email, instant messaging, communication between a browser and a server.

c

(41)

Diffie-Hellman key agreement

To exchange keys securely over an insecure communication channel:

Diffie-Hellman’1976Key exchangeprotocol

1 Alice and Bob agree publicly on a cyclic groupG=hgi.

2 Alice choses randomly 06a6|G|and computesA:=g^a. Bob chooses randomly 06b6|G|and computesB:=g^b.

3 Alice sendsA, Bob sendsB.

4 Alice computesS:=B^a. Bob computesS:=A^b.

5 Since it is the sameS, they can use it as their secrete key to encrypt and decrypt messages.

Standard choice: G= (Z/pZ)^×, Public information: G=hgi,A,B.

(42)

Diffie-Hellman key agreement: Interceptor attacks

Passive attack by Eve

Eve=eavesdroppershould solve theDHP, i.e. giveng^aandg^b(but not aorb) she wants to findS=g^ab.

Solving the DLP inGwould solve the DHP inG. Hence, DLP6∈BPP is at least as strong as DHP6∈BPP. Theequivalenceis unknown.

Active attack by Mallory

Mallory=(wo)man-in-the middle attacktells Allice to be Bob and does the exchange gettingS.

He/she tells to Bob to be Alice and does the exchange gettingS⁰. Whenever Alice sends Bob a message, Mallory takes the cyphertext, decrypts it withS, reads it, then encrypts it withS⁰ and sends to Bob.

c

(43)

Diffie-Hellman key agreement: Interceptor attacks

Passive attack by Eve

Eve=eavesdroppershould solve theDHP, i.e. giveng^aandg^b(but not aorb) she wants to findS=g^ab.

Solving the DLP inGwould solve the DHP inG. Hence, DLP6∈BPP is at least as strong as DHP6∈BPP. Theequivalenceis unknown.

Active attack by Mallory

Mallory=(wo)man-in-the middle attacktells Allice to be Bob and does the exchange gettingS.

He/she tells to Bob to be Alice and does the exchange gettingS⁰. Whenever Alice sends Bob a message, Mallory takes the cyphertext, decrypts it withS, reads it, then encrypts it withS⁰ and sends to Bob.

(44)

EC based Diffie-Hellman

Standard choice: G= (Z/pZ)^×, Public information: G=hgi,A,B.

ECC choice: G=E(Fq) and the elliptic-curve public-private key pair.

Practice: ECDHEprotocol, last E=ephemeral, i.e. the public keys are not static, they are temporary.

c

(45)

Digital Signature Scheme

To ensure the authenticity of data over an insecure channel:

Definition: Signature schemeis a 5-tuple (P,A,K,S,V), satisfying:

P is a finite set of possiblemessages;

Ais a finite set of possiblesignatures;

K, thekeyspace, is a finite set of possiblekeys;

S ={sig_k :k ∈ K}consists of polynomialsigning algorithms sig_k:P → A;

V ={ver_k :k ∈ K}consists of polynomialverification algorithms verk:P × A → {true, false};

∀x ∈ P,∀y ∈ A:ver_k(x,y) =

(true, ify =sig_k(x) false, otherwise.

A pair (x,y) withx ∈ P,y ∈ Ais called asigned message.

(46)

Digital Signature Scheme (DSS)

∀k ∈ K,ver_k is public andsig_k is private.

There might by more than oney ∈ Asuch thatver_k(x,y) = true, depending on the definition ofverk.

We require that the problem that, given a messagex ∈ P, anyone other than Alice can compute a signaturey ∈ Asuch that

verk(x,y) = true, is not in BPP.

Aforged signatureis a valid signature produced by someone other than Alice.

Usually, one signs only hash values of messages for performance reasons: ‘hash-then-sign’.

A digital signature should lose its validity if anything in the signed data was altered.

c

(47)

Digital Signature Scheme (DSS)

∀k ∈ K,ver_k is public andsig_k is private.

There might by more than oney ∈ Asuch thatver_k(x,y) = true, depending on the definition ofverk.

We require that the problem that, given a messagex ∈ P, anyone other than Alice can compute a signaturey ∈ Asuch that

verk(x,y) = true, is not in BPP.

Aforged signatureis a valid signature produced by someone other than Alice.

Usually, one signs only hash values of messages for performance reasons: ‘hash-then-sign’.

A digital signature should lose its validity if anything in the signed data was altered.

(48)

RSA and EC variants of Digital Signature

RSA Signature Algorithm

It is the DSS withsig_k defined by the RSA decryption functionD_k and ver_k defined by the RSA encryption functionE_k:

sig_k(x) =D_k(x) andverk(x,y) = true⇔x =E_k(y)

Reminder:D_k(x) =x^d modnandE_k(y) =y^e mod n, Analogously: DSS using one-way functions with trapdoors.

c

(49)

EC variant of Digital Signature

EIGamal Signature Scheme: a suitable signature scheme, not just use of the ElGamal cryptosystem in the DSS.

Digital Signature Algorithm (DSA)

ECDSA

(50)

Every day example

‘The connection to this site is encrypted and authenticated using TLS 1.2 (a strong protocol), ECDHE_RSA with X25519 (a strong key exchange), and AES_128_GCM (a strong cipher).’

c

(51)

Test questions

Question 12

1 Why does ElGamal producetwocomponents ciphertext?

2 Why the exponents used for decryption are smaller for ElGamal compared to RSA?

3 Why ECC is more popular than the original ElGamal?

Question 13

Which of the following statements are true?

1 Breaking ElGamal is equivalent to solving Asymmetry of ElGamal.

2 ElGamal is less efficient for encryption than RSA.

3 ElGamal is more efficient for decryption than RSA.

4 There is no message expansion in the RSA-OAEP cryptosystem.

(52)

Test questions

Question 14

Prove Cayley-Bacharach’s theorem.

Question 15

Check that for a primeq, each natural number in the Hasse interval occurs as the order ofE(Fq).

c