5.1. Elliptic curves
[Figure 5.2: The addition law on an elliptic curve]
$$\left(\frac{7}{3}X - \frac{1}{3}\right)^2 = X^3 - 15X + 18,$$
$$\frac{49}{9}X^2 - \frac{14}{9}X + \frac{1}{9} = X^3 - 15X + 18,$$
$$0 = X^3 - \frac{49}{9}X^2 - \frac{121}{9}X + \frac{161}{9}.$$
We need to find the roots of this cubic polynomial.
5. Elliptic Curves and Cryptography
Example 5.12. Let $E$ be given by the equation
$$E : Y^2 = X^3 + 4X + 6.$$
We can think of $E$ as an elliptic curve over $\mathbb{F}_p$ for different finite fields $\mathbb{F}_p$ and
count the number of points in $E(\mathbb{F}_p)$. Table 5.2 lists the results
substitute $X = \frac{193}{64}$ into the equation (5.3) for $L$ to get $Y = -\frac{223}{512}$, and then
we switch the sign on $Y$ to get
$$P \oplus P = \left(\frac{193}{64}, \frac{223}{512}\right).$$
A second potential problem with our addition law arises if we try to
add a point P = (a,
(X + )2 = X 3 + AX + B,
so
X 3 2 X 2 + (A 2)X + (B 2 ) = 0.
We know that this cubic has x1 and x2 as two of its roots. If we call the third
root x3 , then it factors as
X 3 2 X 2 + (A 2)X + (B 2 ) = (X x1 )(X x2 )(X
Notice the analogy with the ordinary logarithm log() = log() + log()
and the discrete logarithm for $\mathbb{F}_p$ (cf. Remark 2.2). The fact that the discrete
logarithm for $E(\mathbb{F}_p)$ satisfies (5.4) means that it respects the add
5.8. Bilinear pairings on elliptic curves
5.8.3 The Weil pairing
The Weil pairing, which is denoted by $e_m$, takes as input a pair of points
$P, Q \in E[m]$ and gives as output an $m$th root of unity $e_m(P, Q)$. The bilinearity
of the Weil pairing is expressed
5.6. Lenstra's elliptic curve factorization algorithm
in town meant that it automatically received extensive scrutiny from the
academic community, which helped to validate its security.
The invention and eventual commercial implementation of ECC follow
Bob and Alice have exchanged the secret point (3347, 1242). As will be explained in Remark 5.20, they should discard the y-coordinate and treat only
the value x = 3347 as a secret shared value.
One way for Eve to di
5.4. Elliptic curve cryptography
Alice computes
$$Q_A = n_A P = 2489(920, 303) = (593, 719) \in E(\mathbb{F}_{3851}),$$
Bob computes
$$Q_B = n_B P = 2286(920, 303) = (3681, 612) \in E(\mathbb{F}_{3851}).$$
However, rather than sending both coordinates, Alice sends only $x_A = 593$ to
Bob and Bob
As we saw in Section 4.4, if $r$ is somewhat larger than $\sqrt{p}$, say $r \approx 3\sqrt{p}$, then
there is a very good chance that there will be a collision.
This naive collision algorithm requires quite a lot of storage for the two
lists.
(P + Q) = (P ) + (Q).
(5.11)
In other words, maps $E(\mathbb{F}_{2^k})$ to itself, and it respects the addition law.
(In mathematical terminology, the Frobenius map is a group homomorphism
of $E(\mathbb{F}_{2^k})$ to itself.)
It is easy to ch
$$\frac{f_Q(P - S)}{f_Q(-S)} = \frac{284}{204} = 88 \in \mathbb{F}_{631}.$$
Finally, taking the ratio of these two values yields
$$e_5(P, Q) = \frac{473}{88} = 242 \in \mathbb{F}_{631}.$$
We check that $(242)^5 = 1$, so $e_5(P, Q)$ is a fifth root of unity in $\mathbb{F}_{631}$.
Continuing to work
5.9. The Weil pairing over fields of prime power order
5. Solve the DLP for and in $\mathbb{F}_{p^k}$, i.e., find an exponent $n$ such that
= n . If $p^k$ is not too large, this can be done using the index calculus.
Note that the index calculus (Section 3.8) is a subex
Public Parameter Creation
A trusted party chooses and publishes a (large) prime $p$,
an elliptic curve $E$ over $\mathbb{F}_p$, and a point $P$ in $E(\mathbb{F}_p)$.
Private Computations
Alice: Chooses a secret integer $n_A$.
Bob: Chooses a secret in