Elliptic Curve

p2. Outline EC over Z p EC over GF(2 n )

EC over Z p

p4. Let a, b in Z p and 4a 3 +27b 2 !=0 mod p Define: where O is an identity point at infinity Ex: Elliptic Curve Over Z p (P>3):

p5. Define operation + Assume define P+Q: Elliptic Curve Over Zp (cont.) P -P-P

p6. Elliptic Curve Over Zp (cont.)

p7. Elliptic Curve Over Zp (cont.) Comparing coefficient of x 2 :

p8. Example: P -P Q P+Q

p9. Hasse’s Theorem Over a finite field Z p, the order of E(Z p ) is denoted by #E(Z p ). Hasse’s Theorem p+1-2p 0.5 <= #E(Z p ) <= p+1+2p 0.5

p10. Theorem (Group structure of E(Z p ) ) Let E be an elliptic curve defined over Z p and p>3. Then there exist positive integers n 1 and n 2 such that (E,+) is isomorphic to Z n1 x Z n2. Further, n 2 |n 1 and n 2 |(p-1).

p11. Define a singular point on elliptic curves: We write the equation as the form: If there exists a point, which is on the curve, and such that then we call P is a singular point on the curve. The reason for

p12. The singular point on the curve will make the tangent line at that point not well-define. ---destroy the group structure on the elliptic curve.

p13. Lemma: If there is a singular point on is a double root of pf:

p14.

p15. Consider f(x) has a double root x 1 and another root x 2 :

p16. Example: Find all (x,y)’s and O: 1.fix x and determine y. 2. O is an artificial point. 12 (x,y) pairs plus O and have #E=13

p17. There are 13 points on the group E 1,6 (Z 11 ) and so any non-identity point (i.e. not the point at infinity, noted as O) is a generator of E 1,6 (Z 11 ). Choose generator α=(2,7). α=(2,7) 2α=(5,2) 3α=(8,3) 4α=(10,2) 5α=(3,6) 6α=(7,9) 7α=(7,2) 8α=(3,5) 9α=(10,9) 10α=(8,8) 11α=(5,9) 12α=(2,4) 13α=O

p18. Recall the ElGamal encryption scheme Parameters p : a large prime α: a primitive number in GF(p) a : a private key, a [1, p-1] β : a public key, β = α a (mod p) m : a message to be signed, m [1, p-1] k : a random integer that is privately selected, k [0, p-2] K = (p, α, a, β) : public key + private key Encryption e K (m, k)=(y 1, y 2 ) where y 1 = α k mod p and y 2 =mβ k mod p Decryption m = d K (y 1, y 2 ) = y 2 (y 1 a ) -1 mod p

p19. Let’s modify ElGamal encryption by using the elliptic curve E 1,6 (Z 11 ). Suppose that α=(2,7) and Bob’s private key is 7, so β= 7α=(7,2) Thus the encryption operation is e K (x,k)=(k(2,7), x+k(7,2)), where x is in E and 0<=k<=12, and the decryption operation is d K (y 1,y 2 )=y 2 -7y 1

p20. Suppose that Alice wishes to encrypt the plaintext x=(10,9) (which is a point on E). if she chooses the random value k=3, then y 1 =3(2,7)=(8,3) and y 2 =(10,9)+3(7,2) =(10,9)+(3,5)=(10,2) Hence y=((8,3),(10,2)). Now, if Bob receives the ciphertext y, he decrypts it as follows: x=(10,2)-7(8,3) =(10,2)-(3,5) =(10,2)+(3,6) =(10,9).

EC over GF(2 n )

p22. Galois Field Z 2 [x] is the set of polynomials with coefficient over Z 2 and p(x) is an irreducible polynomial of degree n in Z 2 [x]. Ex: has elements {0,1,x,x+1 ……..,x 3 +x 2 +x+1}.

p23. The elements of Z 2 [x]/x 4 +x+1 : 0 x 9 =x 8 x=x 3 +x x 0 = 1 x 10 =x 9 x=x 4 +x 2 =x 2 +x+1 x 1 = x x 11 =x 10 x=x 3 +x 2 +x x 2 = x 2 x 12 =x 4 +x 3 +x 2 =x 3 +x 2 +x+1 x 3 = x 3 x 13 =x 4 +x 3 +x 2 +x=x 3 +x 2 +1 x 4 = x 4 =x+1 x 14 =x 4 +x 3 +x=x 3 +1 x 5 = x 4 x=x 2 +x x 15 =1=x 0 x 6 = x 5 x=x 3 +x 2 x 7 = x 6 x=x 4 +x 3 =x 3 +x+1 x 8 = x 7 x=x 4 +x 2 +x=x 2 +1 x is a generator.

p24. GF(2 n ) in Vector Form Rewrite a 3 x 3 +a 2 x 2 +a 1 x 1 +a 0 x 0 in vector form (a 3 a 2 a 1 a 0 ), g=x is a generator. (0000) 0 g 1 = (0010) x g 2 = (0100) x 2 g 3 = (1000) X 3 g 4 = (0011) x+1 g 5 = (0110) x 2 +x g 6 = (1100) x 3 +x 2 g 7 = (1011) x 3 +x+1 g 8 = (0101) x 2 +1 g 9 = (1010) x 3 +x g 10 = (0111) x 2 +x+1 g 11 = (1110) x 3 +x 2 +x g 12 = (1111) x 3 +x 2 +x+1 g 13 = (1101) x 3 +x 2 +1 g 14 = (1001) x 3 +1 g 15 = (0001) 1

p25. Elliptic Curve over GF(2 n ) Over GF(2 n ), Elliptic Curve can be written in the form: Points on Elliptic Curve E/ GF(2 n ) : O is an identity point at infinity

p26. Example (1)

p27. Example (1) (0001)g 1 = (0010) g 2 = (0100) g 3 = (1000) g 4 = (0011) g 5 = (0110) g 6 = (1100) g 7 = (1011) g 8 = (0101) g 9 = (1010) g 10 = (0111) g 11 = (1110) g 12 = (1111) g 13 = (1101) g 14 = (1001) g 15 =g 0 (0001)

p28. Adding Formula Def: Define P+Q :, O is an identity point at infinity Go

p29. Example (2) (0001)g 1 = (0010) g 2 = (0100) g 3 = (1000) g 4 = (0011) g 5 = (0110) g 6 = (1100) g 7 = (1011) g 8 = (0101) g 9 = (1010) g 10 = (0111) g 11 = (1110) g 12 = (1111) g 13 = (1101) g 14 = (1001) g 15 =g 0 (0001)

p30. Example (2) (0001)g 1 = (0010) g 2 = (0100) g 3 = (1000) g 4 = (0011) g 5 = (0110) g 6 = (1100) g 7 = (1011) g 8 = (0101) g 9 = (1010) g 10 = (0111) g 11 = (1110) g 12 = (1111) g 13 = (1101) g 14 = (1001) g 15 =g 0 (0001)

p31. Check –P is on Curve. Back

p32. Back (x 1,y 1 ) (x 2,y 2 ) (x 3,y 3 ) (x 3,y ’ )

p33. The Slope when P=Q Back