Introduction to the Mathematical Foundations of Elliptic Curve Cryptography Youssef El Housni

To cite this version: Youssef El Housni. Introduction to the Mathematical Foundations of Elliptic Curve Cryptography. 2018. hal-01914807

HAL Id: hal-01914807
https://hal.archives-ouvertes.fr/hal-01914807
Preprint submitted on 3 Dec 2018

Youssef El Housni
EY Wavespace LAB - Paris
November 7, 2018

Contents

1 Elliptic curves
  1.1 Weierstrass equations
  1.2 Elliptic curve isomorphisms
2 The group of elliptic curves
  2.1 Geometric addition
  2.2 Algebraic addition
  2.3 Scalar multiplication
  2.4 The logarithm problem
3 Elliptic curves over finite fields
  3.1 Group order
  3.2 A cyclic subgroup
  3.3 Subgroup order
  3.4 Discrete logarithm problem
4 Examples of ECC algorithms
  4.1 ECDH: Elliptic Curve Diffie-Hellman
  4.2 ECDSA: Elliptic Curve Digital Signature
Appendices
  A Hasse's theorem
  B Chinese remainder theorem

Introduction

The history of cryptography can be split into two eras: the classical era and the modern era. The turning point between the two occurred when asymmetric cryptography was introduced.
These new algorithms were revolutionary because they represented the first viable cryptographic schemes where security was based on the theory of numbers; they were the first to enable secure communication between two parties without a shared secret. Cryptography went from being about securely transporting messages around the world to being able to have provably secure communication between any two parties without worrying about someone listening in on the key exchange. The founding idea is that the key you use to encrypt your data can be made public while the key that is used to decrypt your data can be kept private. What you need for an asymmetric cryptographic system to work is a set of algorithms that is easy to process in one direction, but difficult to undo.

The first, and still most widely used, algorithm introduced was RSA. Its security relies on the fact that multiplying two prime numbers is easy, but factoring the product into its two component primes is difficult. After RSA, researchers explored other mathematics-based cryptographic solutions, looking for algorithms beyond factoring that serve asymmetric schemes. Elliptic curve cryptography was then proposed. What is an elliptic curve? And how can it be deployed to build an asymmetric cryptographic algorithm?

Chapter 1 Elliptic curves

The mathematical objects of ECC are, of course, elliptic curves. For cryptographic purposes we are mainly interested in curves over finite fields, but we will study elliptic curves over an arbitrary field $K$ because most of the theory is not harder to study in a general setting; it might even become clearer.

1.1 Weierstrass equations

An elliptic curve over a field $K$ is a pair $(E, O)$, where $E$ is a cubic equation in the projective geometry and $O \in E$ a point of the curve called the base point, on the line at $\infty$ (in projective geometry two parallel lines meet in a point at $\infty$).
\[ (E):\quad Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3 \tag{1.1.1} \]

Here $O = [0, 1, 0]$ is the base point, $a_1, \dots, a_6 \in K$, and $X, Y, Z$ are the homogeneous coordinates in the projective geometry. To ease notation we generally write Weierstrass equations for our elliptic curve using non-homogeneous coordinates (affine geometry) $x = X/Z$ and $y = Y/Z$:

\[ (E):\quad y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \tag{1.1.2} \]

Considering $K = \mathbb{R}$, figure (1.1) gives examples of plots in the affine plane of $(E)$ with given values $a_1, \dots, a_6 \in \mathbb{R}$.

Figure 1.1: Graph of curves $y^2 = x^3 - x$ and $y^2 = x^3 - x + 1$

Question: Elliptic curves do not resemble ellipses in any way. So why are they called "elliptic"?
Answer: They are solutions to elliptic functions used to find an ellipse's arc length.

Definition: For a field $K$ with multiplicative identity $1_K$ and additive identity $0_K$, the field characteristic $p = \mathrm{char}(K)$ satisfies:

\[ \underbrace{1_K + 1_K + \dots + 1_K}_{p \text{ times}} = 0_K \]

The equation of $(E)$ can be simplified over $K$ by the following substitutions. If the field characteristic $\mathrm{char}(K) \neq 2$, we substitute:

\[ y \mapsto y - \frac{a_1}{2}x - \frac{a_3}{2} \]

We have then:

\[ \left(y - \frac{a_1}{2}x - \frac{a_3}{2}\right)^2 + a_1 x\left(y - \frac{a_1}{2}x - \frac{a_3}{2}\right) + a_3\left(y - \frac{a_1}{2}x - \frac{a_3}{2}\right) = x^3 + a_2 x^2 + a_4 x + a_6 \]

\[ y^2 + \frac{a_1^2}{4}x^2 + \frac{a_3^2}{4} - a_1 xy - a_3 y + \frac{a_1 a_3}{2}x + a_1 xy - \frac{a_1^2}{2}x^2 - \frac{a_1 a_3}{2}x + a_3 y - \frac{a_1 a_3}{2}x - \frac{a_3^2}{2} = x^3 + a_2 x^2 + a_4 x + a_6 \]

\[ y^2 = x^3 + \underbrace{\left(a_2 + a_1^2/4\right)}_{a_2'} x^2 + \underbrace{\left(a_4 + a_1 a_3/2\right)}_{a_4'} x + \underbrace{a_6 + a_3^2/4}_{a_6'} \]

If further $\mathrm{char}(K) \neq 2, 3$, the substitution

\[ x \mapsto x - \frac{a_2'}{3} \]

eliminates the $x^2$ term, yielding the simpler equation

\[ y^2 = (x - a_2'/3)^3 + a_2'(x - a_2'/3)^2 + a_4'(x - a_2'/3) + a_6' \]

\[ y^2 = x^3 - \frac{a_2'^3}{27} - a_2' x^2 + \frac{a_2'^2}{3}x + a_2' x^2 + \frac{a_2'^3}{9} - \frac{2a_2'^2}{3}x + a_4' x - \frac{a_2' a_4'}{3} + a_6' \]

\[ y^2 = x^3 + \underbrace{\left(a_4' - a_2'^2/3\right)}_{a_4''} x + \underbrace{a_6' + 2a_2'^3/27 - a_2' a_4'/3}_{a_6''} \]

Fields $K$ with $\mathrm{char}(K) = 2$ are of interest in cryptography, as we will see later. With the substitution (for $a_1 \neq 0$)

\[ x \mapsto a_1^2 x + \frac{a_3}{a_1}, \qquad y \mapsto a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3} \]

we get

\[ \left(a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3}\right)^2 + a_1\left(a_1^2 x + \frac{a_3}{a_1}\right)\left(a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3}\right) + a_3\left(a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3}\right) = \left(a_1^2 x + \frac{a_3}{a_1}\right)^3 + a_2\left(a_1^2 x + \frac{a_3}{a_1}\right)^2 + a_4\left(a_1^2 x + \frac{a_3}{a_1}\right) + a_6 \]

Keeping in mind that $2a_i = 0\ \forall a_i \in K$ because $\mathrm{char}(K) = 2$, and dividing both sides by $a_1^6$, we find

\[ y^2 + xy = x^3 + \underbrace{(a_3 + a_1 a_2)\,a_1^{-3}}_{a_2'}\, x^2 + \underbrace{\frac{a_1^4 a_4^2 + a_3^4}{a_1^{12}} + \frac{a_3^3}{a_1^{9}} + \frac{a_2 a_3^2}{a_1^{8}} + \frac{a_3 a_4}{a_1^{7}} + \frac{a_6}{a_1^{6}}}_{a_6'} \]

Let us recall the Weierstrass short forms of elliptic curves we have found:

char(K)      Weierstrass short form
≠ 2, 3       $y^2 = x^3 + ax + b$
2            $y^2 + xy = x^3 + ax^2 + b$

Table 1.1: Weierstrass short forms for elliptic curves

Note that, in case $\mathrm{char}(K) = 2$ and $a_1 = 0$, we can find another short form $y^2 + ay = x^3 + bx + c$ with the substitution $x \mapsto x + a_2$. Fields with char 3 are not of interest in ECC and thus there is no need to find short forms in this case.

Definition: A curve $f(x, y)$ is singular in a point $P(x_P, y_P)$ if

\[ \frac{df(x_P, y_P)}{dx} = \frac{df(x_P, y_P)}{dy} = 0 \]

Our curves have to be non-singular (we will see why later). Rather than studying the singularity of elliptic curves in a general setting, we take a look at our short forms from Table 1.1. When $\mathrm{char}(K) \neq 2, 3$ we have

\[ (E_1):\quad y^2 = x^3 + ax + b \tag{1.1.3} \]

The curve is singular in a point $P(x_P, y_P)$ if

\[ \frac{dE_1(x_P, y_P)}{dx} = 3x_P^2 + a = 0, \qquad \frac{dE_1(x_P, y_P)}{dy} = 2y_P = 0 \]

Substituting in (1.1.3):

\[ 0 = \left(\frac{-a}{3}\right)^{3/2} + a\left(\frac{-a}{3}\right)^{1/2} + b \]

\[ b^2 = \left(\frac{-a}{3}\right)^3 - \frac{a^3}{3} + \frac{2a^3}{9} \]

\[ b^2 = \frac{-4a^3}{27} \]

So our curve of equation (1.1.3) is non-singular if $4a^3 + 27b^2 \neq 0$.

When $\mathrm{char}(K) = 2$ we have

\[ (E_2):\quad y^2 + xy = x^3 + ax^2 + b \tag{1.1.4} \]

The curve is singular in a point $P(x_P, y_P)$ if

\[ \frac{dE_2(x_P, y_P)}{dx} = y_P - 3x_P^2 - 2ax_P = y_P + x_P^2 = 0, \qquad \frac{dE_2(x_P, y_P)}{dy} = 2y_P + x_P = x_P = 0 \]

Substituting in (1.1.4):

\[ b = 0 \]

So our curve of equation (1.1.4) is non-singular if $b \neq 0$.
NB: Note that we can actually find a general condition to define non-singular elliptic curves by computing the discriminant $\Delta$ of (1.1.2) and solving the equation $\Delta = 0$ (the curve is non-singular when $\Delta \neq 0$), where

\[ \Delta = -(a_1^2 + 4a_2)^2\,(a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2) - 8(2a_4 + a_1 a_3)^3 - 27(a_3^2 + 4a_6)^2 + 9(a_1^2 + 4a_2)(2a_4 + a_1 a_3)(a_3^2 + 4a_6) \]

The calculation is tedious and it is easier to understand the singularities of the curves the way we did.
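The reduction to short form and the two non-singularity conditions of this section can be checked numerically over a small prime field, which is also how explicit curve parameters are validated before use. This is an added example, not code from the paper; the function names, the prime p = 101 and the sample coefficients are constructed for illustration, and it assumes char(K) = p > 3.

```python
# Added example (not from the paper): reduce a general Weierstrass curve over F_p
# (p > 3) to short form and test non-singularity. All names here are constructed.

def short_form(a1, a2, a3, a4, a6, p):
    """Return (a, b) with y^2 = x^3 + a*x + b, via the two substitutions of 1.1."""
    inv = lambda n: pow(n, -1, p)            # modular inverse (Python 3.8+)
    # Step 1 (char != 2): y -> y - (a1/2) x - a3/2
    a2p = (a2 + a1 * a1 * inv(4)) % p
    a4p = (a4 + a1 * a3 * inv(2)) % p
    a6p = (a6 + a3 * a3 * inv(4)) % p
    # Step 2 (char != 2, 3): x -> x - a2'/3
    a = (a4p - a2p * a2p * inv(3)) % p
    b = (a6p + 2 * pow(a2p, 3, p) * inv(27) - a2p * a4p * inv(3)) % p
    return a, b

def discriminant(a1, a2, a3, a4, a6, p):
    """General discriminant of equation (1.1.2), reduced mod p."""
    b2 = a1 * a1 + 4 * a2
    b4 = 2 * a4 + a1 * a3
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p

def is_nonsingular_short(a, b, p):
    """Condition derived for (1.1.3): 4a^3 + 27b^2 != 0 in F_p."""
    return (4 * pow(a, 3, p) + 27 * b * b) % p != 0

def count_affine_points(a1, a2, a3, a4, a6, p):
    """Brute-force count of affine solutions of (1.1.2); only sensible for tiny p."""
    return sum(
        (y * y + a1 * x * y + a3 * y - x ** 3 - a2 * x * x - a4 * x - a6) % p == 0
        for x in range(p) for y in range(p)
    )

if __name__ == "__main__":
    p = 101                                   # constructed sample field
    general = (3, 5, 7, 11, 13)               # constructed sample a1, a2, a3, a4, a6
    a, b = short_form(*general, p)
    print("short form a, b:", a, b)
    print("non-singular:", is_nonsingular_short(a, b, p), discriminant(*general, p) != 0)
    # The substitutions are bijections on affine points, so both counts agree.
    print(count_affine_points(*general, p), count_affine_points(0, 0, 0, a, b, p))
    # y^2 = x^3 - 3x + 2 has 4a^3 + 27b^2 = 0 and is rejected as singular.
    print("singular curve accepted:", is_nonsingular_short(-3 % p, 2, p))
```

Because both substitutions leave $\Delta$ unchanged, the general discriminant and the short-form test must agree on every input; a disagreement signals an arithmetic error in the reduction.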
