5.1. Elliptic curves
281
Figure 5.2: The addition law on an elliptic curve (figure labels: the line L through P and Q meets the curve E at a third point R′; P ⊕ Q = R)
"2
7
1
X
= X 3 15X + 18,
3
3
1
49 2 14
X X + = X 3 15X + 18,
9
9
9
161
49
121
X+
.
0 = X3 X2
9
9
9
We need to find the roots of this cubic polynomial.

304
5. Elliptic Curves and Cryptography
$E : Y^2 = X^3 + AX + B$
and suppose that P = (a, b) is a point on E modulo N, by which we mean
that
$b^2 \equiv a^3 + Aa + B \pmod N.$
Then we can apply the elliptic curve addition algorithm (Theorem 5.6) to
compute 2P, 3P,

using the addition algorithm formulas, although there are many special cases
to consider. The alternative is to develop more of the general theory of elliptic
curves, as is done in the references cited in the proof

Figure 5.3: Adding a point P to itself (figure labels: L is tangent to E at P and meets E again at R′; 2P = P ⊕ P = R)
itself, we simply take L to be the tangent line to E at P , as illustrated in
Figure 5.3. Then L intersects E at P and at

The purely mathematical question whether ECC provided a secure and
efficient alternative to RSA was clouded by the fact that there were commercial and financial issues at stake. In order to be commercially successful,

5.8. Bilinear pairings on elliptic curves
317
5.8.2 Rational functions and divisors on elliptic curves
In order to define the Weil and Tate pairings, we need to explain how a rational
function on an elliptic curve is related to its zeros and poles. We sta

Input. Integer N to be factored.
1. Choose random values A, a, and b modulo N .
2. Set P = (a, b) and $B \equiv b^2 - a^3 - Aa \pmod N$.
Let E be the elliptic curve $E : Y^2 = X^3 + AX + B$.
3. Loop j = 2, 3, 4, . . . up to a spec

The geometric definition of the addition law on E is similar to our earlier
definition, the only change being that the old reflection step $(x, y) \to (x, -y)$
is replaced by the slightly more complicated reflection step

verify, since the line that goes through P and Q is the same as the line that
goes through Q and P , so the order of the points does not matter.
The remaining piece of Theorem 5.5 is the associative law (c). One might
not think th

5.5. The evolution of public key cryptography
301
Extra bit $= \begin{cases} 0 & \text{if } 0 \le y < \tfrac{1}{2}p, \\ 1 & \text{if } \tfrac{1}{2}p < y < p. \end{cases}$
(See Exercise 5.15.) In this way, Bob needs to send only the x-coordinates
of C1 and C2 , plus two extra bits. This idea is sometimes referred to as point
c

5.6. Lenstra's elliptic curve factorization algorithm
305
Thus 3P = (54, 105) on the curve E modulo 187. Again we needed to compute
a reciprocal, in this case, the reciprocal of 5 modulo 187. We leave it to you to
continue the calculations. For example, it

5.3. The elliptic curve discrete logarithm problem
295
allow sums and differences of powers of 2, then one can show that most n have
an expansion with $\tfrac{2}{3}$ of the terms being 0. So for most n, we can compute nP
in about $\tfrac{4}{3}k + 1$ steps (k + 1 doublings and $\tfrac{1}{3}$

5.2. Elliptic curves over finite fields
287
modulo 13. Next we try X = 1, which gives 1+3+8 = 12. It turns out that 12
is a square modulo 13; in fact, it has two square roots,
$5^2 \equiv 12 \pmod{13}$ and $8^2 \equiv 12 \pmod{13}$.
This gives two points (1, 5) and (1, 8) in E

(d) The Weil pairing is nondegenerate, which means that
if $e_m(P, Q) = 1$ for all $Q \in E[m]$, then $P = O$.
Remark 5.39. The definition of the Weil pairing may seem mysterious, but it is
not surprising that there is an alt

Public Parameter Creation
A trusted party chooses and publishes a (large) prime p,
an elliptic curve E over $\mathbb{F}_p$, and a point P in $E(\mathbb{F}_p)$.
Key Creation
Alice | Bob
Chooses a private key $n_A$.
Computes $Q_A = n_A P$ in $E(\mathbb{F}_p$

5.7. Elliptic curves over F2 and over F2k
309
(See Example 2.59 for a discussion of $\mathbb{F}_{p^2}$ for primes $p \equiv 3 \pmod 4$.) Let E
be the elliptic curve over $\mathbb{F}_9$ defined by the equation
$E : Y^2 = X^3 + (1 + i)X + (2 + i).$
By trial and error we find that there are 10 p

has the desired divisor (5.17). Finally, the addition formula (Theorem 5.6) tells
us that $x_{P+Q} = \lambda^2 - x_P - x_Q$, and we can eliminate $\nu$ from the numerator
of $g_{P,Q}$ using $y_P = \lambda x_P + \nu$.
If $\lambda = \infty$, then $P + Q = O$, so we want $g_P$

5.4. Elliptic curve cryptography
297
Public Parameter Creation
A trusted party chooses and publishes a (large) prime p,
an elliptic curve E over $\mathbb{F}_p$, and a point P in $E(\mathbb{F}_p)$.
Private Computations
Alice | Bob
Chooses a secret integer $n_A$. | Chooses a secret in

Example 5.12. Let E be given by the equation
$E : Y^2 = X^3 + 4X + 6.$
We can think of E as an elliptic curve over $\mathbb{F}_p$ for different finite fields $\mathbb{F}_p$ and
count the number of points in $E(\mathbb{F}_p)$. Table 5.2 lists the results

substitute $X = \tfrac{193}{64}$ into the equation (5.3) for L to get $Y = -\tfrac{223}{512}$, and then
we switch the sign on Y to get
$P \oplus P = \left(\tfrac{193}{64}, \tfrac{223}{512}\right).$
A second potential problem with our addition law arises if we try to
add a point P = (a,

$(\lambda X + \nu)^2 = X^3 + AX + B,$
so
$X^3 - \lambda^2 X^2 + (A - 2\lambda\nu)X + (B - \nu^2) = 0.$
We know that this cubic has $x_1$ and $x_2$ as two of its roots. If we call the third
root $x_3$, then it factors as
$X^3 - \lambda^2 X^2 + (A - 2\lambda\nu)X + (B - \nu^2) = (X - x_1)(X - x_2)(X$

Notice the analogy with the ordinary logarithm $\log(\alpha\beta) = \log(\alpha) + \log(\beta)$
and the discrete logarithm for $\mathbb{F}_p$ (cf. Remark 2.2). The fact that the discrete
logarithm for $E(\mathbb{F}_p)$ satisfies (5.4) means that it respects the add

5.8.3 The Weil pairing
The Weil pairing, which is denoted by $e_m$, takes as input a pair of points
$P, Q \in E[m]$ and gives as output an mth root of unity $e_m(P, Q)$. The bilinearity
of the Weil pairing is expressed

in town meant that it automatically received extensive scrutiny from the
academic community, which helped to validate its security.
The invention and eventual commercial implementation of ECC follow

Bob and Alice have exchanged the secret point (3347, 1242). As will be explained in Remark 5.20, they should discard the y-coordinate and treat only
the value x = 3347 as a secret shared value.
One way for Eve to di

Alice computes $Q_A = n_A P = 2489(920, 303) = (593, 719) \in E(\mathbb{F}_{3851})$,
Bob computes $Q_B = n_B P = 2286(920, 303) = (3681, 612) \in E(\mathbb{F}_{3851})$.
However, rather than sending both coordinates, Alice sends only xA = 593 to
Bob and Bob

As we saw in Section 4.4, if r is somewhat larger than $\sqrt{p}$, say $r \approx 3\sqrt{p}$, then
there is a very good chance that there will be a collision.
This naive collision algorithm requires quite a lot of storage for the two
lists.

$\tau(P + Q) = \tau(P) + \tau(Q).$
(5.11)
In other words, $\tau$ maps $E(\mathbb{F}_{2^k})$ to itself, and it respects the addition law.
(In mathematical terminology, the Frobenius map $\tau$ is a group homomorphism
of $E(\mathbb{F}_{2^k})$ to itself.)
It is easy to ch