elliptic curves tiplain theme - rwth aachen university · elliptic curves tiplain theme de nition...
TRANSCRIPT
TIplain themeElliptic Curves
De�nitionThe set of points (x,y), satisfying the equality
y2 = x3 + ax + b
with
4a3 + 27b2 6= 0
is called an elliptic curve. a, b, and the variables x and y are elements ofthe same algebraic structure M .
I Some point ∞ is included to form the neutral element.
I a and b are called parameters of the elliptic curve.
R. Mathar � Canterbury University � CSSE, 28.3.08 12
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
y2 = x3 − 6x + 10
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
4a3 + 27b2 = 0
y2 = x3 − 6x + 5.657
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
y2 = x3 − 6x + 2
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
y2 = x3 − 6x− 4
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
4a3 + 27b2 = 0
s
y2 = x3 − 6x− 5.657
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsI Simple graphical representation of the curve
I Graphical representation of addition and doubling of points
108642
−2−4−6−8−10
54321−1−2−3
y2 = x3 − 6x− 10
R. Mathar � Canterbury University � CSSE, 28.3.08 13
TIplain themeElliptic Curves over the RealsGraphical Representation of Addition
I De�ne a line through P and Q.
I The third intersecting point on the curve is -R.
I Mirror the point −R at the x-axis to obtain R = P + Q.
108642
−2−4−6−8−10
54321−1−2Ps
Qs
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 14
TIplain themeElliptic Curves over the RealsGraphical Representation of Addition
I De�ne a line through P and Q.
I The third intersecting point on the curve is -R.
I Mirror the point −R at the x-axis to obtain R = P + Q.
108642
−2−4−6−8−10
54321−1−2Ps
Qs-Rs
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 14
TIplain themeElliptic Curves over the RealsGraphical Representation of Addition
I De�ne a line through P and Q.
I The third intersecting point on the curve is -R.
I Mirror the point −R at the x-axis to obtain R = P + Q.
108642
−2−4−6−8−10
54321−1−2Ps
Qs-Rs
Rs
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 14
TIplain themeElliptic Curves over the RealsGraphical Representation of Addition
I Special case P + (−P ) =∞I ∞ is the neutral element w.r.t. addition of points.
108642
−2−4−6−8−10
54321−1−2P
s-Ps
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 14
TIplain themeElliptic Curves over the RealsGraphically doubling a point, P + P
I Draw the tangent line at the elliptic curve in P .
I The second intersecting point of the tangent line de�nes −R.
I Mirror −R at the x-axis to obtain R = 2P.
108642
−2−4−6−8−10
54321−1−2−3
Ps
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 15
TIplain themeElliptic Curves over the RealsGraphically doubling a point, P + P
I Draw the tangent line at the elliptic curve in P .
I The second intersecting point of the tangent line de�nes −R.
I Mirror −R at the x-axis to obtain R = 2P.
108642
−2−4−6−8−10
54321−1−2−3
Ps -Rs
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 15
TIplain themeElliptic Curves over the RealsGraphically doubling a point, P + P
I Draw the tangent line at the elliptic curve in P .
I The second intersecting point of the tangent line de�nes −R.
I Mirror −R at the x-axis to obtain R = 2P.
108642
−2−4−6−8−10
54321−1−2−3
Ps -Rs
Rs
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 15
TIplain themeElliptic Curves over the RealsGraphically doubling a point, P + P
I Special case 2P =∞, if yP = 0
108642
−2−4−6−8−10
54321−1−2−3
Ps
y2 = x3 − 6x + 6
R. Mathar � Canterbury University � CSSE, 28.3.08 15
TIplain themeElliptic Curves over the RealsAlgebraic representation of addition
I R = P + Q with P 6= ±Q:
s =yP − yQ
xP − xQ
xR = s2 − xP − xQ
yR = −yP + s(xP − xR)
I P + (−P ) =∞I P + P ⇒ Doubling of points
R. Mathar � Canterbury University � CSSE, 28.3.08 16
TIplain themeElliptic Curves over the RealsAlgebraic representation of addition
I R = P + Q with P 6= ±Q:
s =yP − yQ
xP − xQ
xR = s2 − xP − xQ
yR = −yP + s(xP − xR)
I P + (−P ) =∞
I P + P ⇒ Doubling of points
R. Mathar � Canterbury University � CSSE, 28.3.08 16
TIplain themeElliptic Curves over the RealsAlgebraic representation of addition
I R = P + Q with P 6= ±Q:
s =yP − yQ
xP − xQ
xR = s2 − xP − xQ
yR = −yP + s(xP − xR)
I P + (−P ) =∞I P + P ⇒ Doubling of points
R. Mathar � Canterbury University � CSSE, 28.3.08 16
TIplain themeElliptic Curves over the RealsAlgebraic doubling of points
I R = 2P with yP 6= 0:
s =3x2
P + a
2yP
xR = s2 − 2xP
yR = −yP + s(xP − xR)
I 2P =∞, if yP = 0
R. Mathar � Canterbury University � CSSE, 28.3.08 17
TIplain themeElliptic Curves over the RealsAlgebraic doubling of points
I R = 2P with yP 6= 0:
s =3x2
P + a
2yP
xR = s2 − 2xP
yR = −yP + s(xP − xR)
I 2P =∞, if yP = 0
R. Mathar � Canterbury University � CSSE, 28.3.08 17
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fp
In cryptography elliptic curves over �nite �elds are used.
I Avoid �oating point arithmetic.
I No rounding errors, essential for deciphering messages.
Elliptic curves over Fp
y2 = x3 + ax + b (mod p) with a, b, x, y integers ∈ {0, 1, . . . , p− 1}
0
5
10
15
20
0 5 10 15 20s
s
s
s
sss
s
s
s
sss
ss sss
s
s
s
ss y2 = x3 + x in F23
Algebraic Formulae asabove with reductionmodulo p
R. Mathar � Canterbury University � CSSE, 28.3.08 18
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fp
In cryptography elliptic curves over �nite �elds are used.
I Avoid �oating point arithmetic.
I No rounding errors, essential for deciphering messages.
Elliptic curves over Fp
y2 = x3 + ax + b (mod p) with a, b, x, y integers ∈ {0, 1, . . . , p− 1}
0
5
10
15
20
0 5 10 15 20s
s
s
s
sss
s
s
s
sss
ss sss
s
s
s
ss y2 = x3 + x in F23
Algebraic Formulae asabove with reductionmodulo p
R. Mathar � Canterbury University � CSSE, 28.3.08 18
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fp
In cryptography elliptic curves over �nite �elds are used.
I Avoid �oating point arithmetic.
I No rounding errors, essential for deciphering messages.
Elliptic curves over Fp
y2 = x3 + ax + b (mod p) with a, b, x, y integers ∈ {0, 1, . . . , p− 1}
0
5
10
15
20
0 5 10 15 20s
s
s
s
sss
s
s
s
sss
ss sss
s
s
s
ss y2 = x3 + x in F23
Algebraic Formulae asabove with reductionmodulo p
R. Mathar � Canterbury University � CSSE, 28.3.08 18
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fp
In cryptography elliptic curves over �nite �elds are used.
I Avoid �oating point arithmetic.
I No rounding errors, essential for deciphering messages.
Elliptic curves over Fp
y2 = x3 + ax + b (mod p) with a, b, x, y integers ∈ {0, 1, . . . , p− 1}
0
5
10
15
20
0 5 10 15 20s
s
s
s
sss
s
s
s
sss
ss sss
s
s
s
ss y2 = x3 + x in F23
Algebraic Formulae asabove with reductionmodulo p
R. Mathar � Canterbury University � CSSE, 28.3.08 18
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fpk
Each a ∈ Fpk is represented as coe�cients(ak−1, . . . , a0) ∈ {0, . . . , p− 1}k of a polynomial of order k − 1:
f(x) =k−1∑i=0
aixi = ak−1x
k−1 + ak−2xk−2 + . . . + a1x + a0
De�nitionA polynomial firr(x) is called irreducible over the �eld Fpk , if
I deg firr(x) > 0I There is no factorization firr(x) = g(x) · h(x)
with deg g(x) > 0 and deg h(x) > 0.
Elliptic curve over Fpk
y2 = x3 + ax + b (mod firr) with a, b, x, y polynomials
Algebraic formulae as above with reduction modulo firr
R. Mathar � Canterbury University � CSSE, 28.3.08 19
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fpk
Each a ∈ Fpk is represented as coe�cients(ak−1, . . . , a0) ∈ {0, . . . , p− 1}k of a polynomial of order k − 1:
f(x) =k−1∑i=0
aixi = ak−1x
k−1 + ak−2xk−2 + . . . + a1x + a0
De�nitionA polynomial firr(x) is called irreducible over the �eld Fpk , if
I deg firr(x) > 0I There is no factorization firr(x) = g(x) · h(x)
with deg g(x) > 0 and deg h(x) > 0.
Elliptic curve over Fpk
y2 = x3 + ax + b (mod firr) with a, b, x, y polynomials
Algebraic formulae as above with reduction modulo firr
R. Mathar � Canterbury University � CSSE, 28.3.08 19
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fpk
Each a ∈ Fpk is represented as coe�cients(ak−1, . . . , a0) ∈ {0, . . . , p− 1}k of a polynomial of order k − 1:
f(x) =k−1∑i=0
aixi = ak−1x
k−1 + ak−2xk−2 + . . . + a1x + a0
De�nitionA polynomial firr(x) is called irreducible over the �eld Fpk , if
I deg firr(x) > 0I There is no factorization firr(x) = g(x) · h(x)
with deg g(x) > 0 and deg h(x) > 0.
Elliptic curve over Fpk
y2 = x3 + ax + b (mod firr) with a, b, x, y polynomials
Algebraic formulae as above with reduction modulo firr
R. Mathar � Canterbury University � CSSE, 28.3.08 19
TIplain themeElliptic Curves over Finite FieldsFinite �eld Fpk
Each a ∈ Fpk is represented as coe�cients(ak−1, . . . , a0) ∈ {0, . . . , p− 1}k of a polynomial of order k − 1:
f(x) =k−1∑i=0
aixi = ak−1x
k−1 + ak−2xk−2 + . . . + a1x + a0
De�nitionA polynomial firr(x) is called irreducible over the �eld Fpk , if
I deg firr(x) > 0I There is no factorization firr(x) = g(x) · h(x)
with deg g(x) > 0 and deg h(x) > 0.
Elliptic curve over Fpk
y2 = x3 + ax + b (mod firr) with a, b, x, y polynomials
Algebraic formulae as above with reduction modulo firr
R. Mathar � Canterbury University � CSSE, 28.3.08 19
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeDi�e-Hellman Key Exchange
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
User A
I selects an integerkA ∈ {2, . . . , n− 1} at random.
I Q = kAG
I transmits point Q to user B.
I K = kAR = kAkBG
User B
I selects an integerkB ∈ {2, . . . , n− 1} at random.
I R = kBG
I transmits point R to user A.
I K = kBQ = kAkBG
R. Mathar � Canterbury University � CSSE, 28.3.08 20
TIplain themeElGamal Encryption over Elliptic Curves
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
Private and public key of each user
I Each user selects an integer private key d ∈ {2, . . . , n− 1} atrandom.
I Q = dG is the public key.
Sender
I selects a random integerk ∈ {2, . . . , n− 1}.
I C1 = kG
I C2 = M + kQ
Receiver
I M = C2 − dC1
R. Mathar � Canterbury University � CSSE, 28.3.08 21
TIplain themeElGamal Encryption over Elliptic Curves
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
Private and public key of each user
I Each user selects an integer private key d ∈ {2, . . . , n− 1} atrandom.
I Q = dG is the public key.
Sender
I selects a random integerk ∈ {2, . . . , n− 1}.
I C1 = kG
I C2 = M + kQ
Receiver
I M = C2 − dC1
R. Mathar � Canterbury University � CSSE, 28.3.08 21
TIplain themeElGamal Encryption over Elliptic Curves
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
Private and public key of each user
I Each user selects an integer private key d ∈ {2, . . . , n− 1} atrandom.
I Q = dG is the public key.
Sender
I selects a random integerk ∈ {2, . . . , n− 1}.
I C1 = kG
I C2 = M + kQ
Receiver
I M = C2 − dC1
R. Mathar � Canterbury University � CSSE, 28.3.08 21
TIplain themeElGamal Encryption over Elliptic Curves
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
Private and public key of each user
I Each user selects an integer private key d ∈ {2, . . . , n− 1} atrandom.
I Q = dG is the public key.
Sender
I selects a random integerk ∈ {2, . . . , n− 1}.
I C1 = kG
I C2 = M + kQ
Receiver
I M = C2 − dC1
R. Mathar � Canterbury University � CSSE, 28.3.08 21
TIplain themeElGamal Encryption over Elliptic Curves
Cryptographic Framework
I Elliptic curve over the �nite �eld Fpk
I Generator G of some cyclic subgroup of order n
Private and public key of each user
I Each user selects an integer private key d ∈ {2, . . . , n− 1} atrandom.
I Q = dG is the public key.
Sender
I selects a random integerk ∈ {2, . . . , n− 1}.
I C1 = kG
I C2 = M + kQ
Receiver
I M = C2 − dC1
R. Mathar � Canterbury University � CSSE, 28.3.08 21