A gentle introduction to elliptic curve cryptography

Craig Costello

Post on 04-Jun-2020



Part 1: Motivation

Part 2: Elliptic Curves

Part 3: Elliptic Curve Cryptography

Part 4: Next-generation ECC

Diffie-Hellman key exchange (circa 1976)

g = 123456789

q = 1606938044258990275541962092341162602522202993782792835301301

a = 685408003627063761059275919665781694368639459527871881531452

b = 362059131912941987637880257325269696682836735524942246807440

g^a mod q = 78467374529422653579754596319852702575499692980085777948593

g^b mod q = 560048104293218128667441021342483133802626271394299410128798

g^ab mod q = 437452857085801785219961443000845969831329749878767465041215

Index calculus

Solve g^x ≡ h (mod p), e.g., 3^x ≡ 37 (mod 1217)

- factor base p_i = {2, 3, 5, 7, 11, 13, 17, 19}, #p_i = 8
- find 8 values of k where 3^k splits over the p_i, i.e., 3^k ≡ ±∏ p_i (mod p)

3^1 ≡ 3
3^24 ≡ −2^2 · 7 · 13
3^25 ≡ 5^3
3^30 ≡ −2 · 5^2
3^34 ≡ −3 · 7 · 19
3^54 ≡ −5 · 11
3^71 ≡ −17
3^87 ≡ 13        (mod 1217)

Taking logs to base 3 (with L(−1) = 608, since 3^608 ≡ −1 mod 1217) turns these into a linear system:

1 ≡ L(3)
24 ≡ 608 + 2·L(2) + L(7) + L(13)
25 ≡ 3·L(5)
30 ≡ 608 + L(2) + 2·L(5)
34 ≡ 608 + L(3) + L(7) + L(19)
54 ≡ 608 + L(5) + L(11)
71 ≡ 608 + L(17)
87 ≡ L(13)        (mod 1216)

Solving: L(2) ≡ 216, L(3) ≡ 1, L(5) ≡ 819, L(7) ≡ 113, L(11) ≡ 1059, L(13) ≡ 87, L(17) ≡ 679, L(19) ≡ 528 (mod 1216)

Now search for j such that g^j · h = 3^j · 37 factors over the p_i:

3^16 · 37 ≡ 2^3 · 7 · 11 (mod 1217)

L(37) ≡ 3·L(2) + L(7) + L(11) − 16 ≡ 3·216 + 113 + 1059 − 16 ≡ 588 (mod 1216)

Subexponential complexity: L_p[1/3, (64/9)^{1/3}] = exp( ((64/9)^{1/3} + o(1)) · (ln p)^{1/3} · (ln ln p)^{2/3} )
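To make the worked instance concrete, here is an added Python implementation of the steps above (my example, not code from the slides): a smoothness test over the factor base, the relation set built from the slide's eight exponents, a solver for the L(p_i), and the descent step for h = 37. The substitution solver is an assumption specific to this instance (each of the slide's relations introduces one new unknown with a coefficient invertible mod 1216); general index calculus solves the relation matrix with linear algebra mod p − 1. The descent stops at the first smooth 3^j · 37 it finds, which may be a different j than the slide's 16, but yields the same L(37).

```python
import math

# Toy instance from the slide: solve 3^x ≡ 37 (mod 1217) with factor base {2, ..., 19}.
P, G, H = 1217, 3, 37
FACTOR_BASE = [2, 3, 5, 7, 11, 13, 17, 19]
# Exponents k whose powers 3^k split over the factor base: the eight relations
# chosen on the slide (a general implementation would search for smooth powers).
RELATION_EXPONENTS = [1, 24, 25, 30, 34, 54, 71, 87]


def smooth_factor(r, factor_base, p):
    """Write r (mod p) as ±∏ p_i^e_i; return (sign_bit, exponents) or None if r is not smooth.
    Residues above p/2 are taken as negatives, since g^((p-1)/2) ≡ -1 for a generator g."""
    sign = 0
    if r > p // 2:
        r, sign = p - r, 1
    exps = {}
    for q in factor_base:
        while r % q == 0:
            r //= q
            exps[q] = exps.get(q, 0) + 1
    return (sign, exps) if r == 1 else None


def collect_relations(g, p, factor_base, exponents):
    """One relation k ≡ sign·(p-1)/2 + Σ e_i·L(p_i) (mod p-1) per smooth g^k."""
    rels = []
    for k in exponents:
        f = smooth_factor(pow(g, k, p), factor_base, p)
        if f is not None:
            rels.append((k, f[0], f[1]))
    return rels


def solve_logs(rels, p):
    """Solve for the L(p_i) mod p-1 by repeated substitution (assumption: this works for
    the slide's relations; general index calculus needs linear algebra mod p-1)."""
    n, half, logs = p - 1, (p - 1) // 2, {}
    progress = True
    while progress:
        progress = False
        for k, sign, exps in rels:
            unknown = [q for q in exps if q not in logs]
            if len(unknown) != 1:
                continue
            q, c = unknown[0], exps[unknown[0]]
            if math.gcd(c, n) != 1:          # coefficient must be invertible mod p-1
                continue
            known = sum(e * logs[r] for r, e in exps.items() if r != q)
            logs[q] = (k - sign * half - known) * pow(c, -1, n) % n
            progress = True
    return logs


def individual_log(h, g, p, factor_base, logs, max_j=10_000):
    """Descent step: find j with g^j·h smooth, then read off L(h) from the known logs.
    Returns (L(h), j); j may differ from the slide's 16, L(h) does not."""
    n, half = p - 1, (p - 1) // 2
    for j in range(max_j):
        f = smooth_factor(pow(g, j, p) * h % p, factor_base, p)
        if f is None or any(q not in logs for q in f[1]):
            continue
        sign, exps = f
        return (sign * half + sum(e * logs[q] for q, e in exps.items()) - j) % n, j
    return None


def solve_dlp(h=H, g=G, p=P):
    """Full pipeline: relations -> factor base logs -> individual log of h."""
    logs = solve_logs(collect_relations(g, p, FACTOR_BASE, RELATION_EXPONENTS), p)
    x, _ = individual_log(h, g, p, FACTOR_BASE, logs)
    return x, logs


if __name__ == "__main__":
    x, logs = solve_dlp()
    print("factor base logs:", logs)
    print(f"3^{x} mod 1217 = {pow(G, x, P)}")
```

Running it reproduces the eight logs on the slide and x = 588; the final `pow` call is the independent check that 3^588 ≡ 37 (mod 1217).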

Diffie-Hellman key exchange (circa 2016)

g = 123456789

q = 5809605995369958062859502533304574370686975176362895236661486152287203730997110225737336044533118407251326157754980517443990529594540047121662885672187032401032111639706440498844049850989051627200244765807041812394729680540024104827976584369381522292361208779044769892743225751738076979568811309579125511333093243519553784816306381580161860200247492568448150242515304449577187604136428738580990172551573934146255830366405915000869643732053218566832545291107903722831634138599586406690325959725187447169059540805012310209639011750748760017095360734234945757416272994856013308616958529958304677637019181594088528345061285863898271763457294883546638879554311615446446330199254382340016292057090751175533888161918987295591531536698701292267685465517437915790823154844634780260102891718032495396075041899485513811126977307478969074857043710

a = 7147687166405; 9571879053605547396582692405186145916522354912615715297097100679170037904924330116019497881089087696131592831386326210951294944584

b = 655456209464694; 9336068268581603170496942310472762446825117743874970612887995770193698826859762790479113062308975863428283798589097017957365590672835713863895712246676094993008985548024464030395443007480025079620363866193152298860635410053224484639158979864121027377255837396548653931285483865070903191974204864923589439190352993032676961005088404319792729916038927477470940948581926791161465028635214849870862328619342223917171215456861253006727601880859150042484947668670678405106871539770685266453263833240398374733837969702262426137716316320449382829920603980870340357510046733708501774838714882222487530964179187939548373175462003488493054039995051919167947122405558557093219350747155777569598163700850920394705281936392411084436006861835284657249695621864372149726258332225448659961604645585462993701658947042526444562415789958697265293564785696709268960442796501209877036845001246792761563917639959736383038665362727158

g^ab mod q = 330166919524192149323761733598426244691224199958894654036331526394350099088627302979833339501183059198113987880066739419999231378970715307039317876258453876701124543849520979430233302777503265010724513551209279573183234934359636696506968325769489511028943698821518689496597758218540767517885836464160289471651364552490713961456608536013301649753975875610659655755567474438180357958360226708742348175045563437075840969230826767034061119437657466993989389348289599600338950372251336932673571743428823026014699232071116171392219599691096846714133643382745709376112500514300983651201961186613464267685926563624589817259637248558104903657371981684417053993082671827345252841433337325420088380059232089174946086536664984836041334031650438692639106287627157575758383128971053401037407031731509582807639509448704617983930135028

• Individual secret keys secure under the Discrete Log Problem (DLP): g, g^x ↦ x

• Shared secret secure under the Diffie-Hellman Problem (DHP): g, g^a, g^b ↦ g^ab

• Fundamental operation in DH is group exponentiation: g, x ↦ g^x
  … done via "square-and-multiply", e.g., x = (1,0,1,1,0,0,0,1)_2 …

• We are working "mod q", but only with one operation: multiplication

• Main reason for fields being so big: (sub-exponential) index calculus attacks!
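An added example (not from the slides) of the square-and-multiply exponentiation the bullets describe, run on the 1976-style parameters g, q, a, b printed a few slides earlier. The loop scans the bits of the exponent from the top, squaring at every bit and multiplying by g on a 1 bit, so the only field operation ever used is multiplication mod q.

```python
# Parameters copied from the "circa 1976" slide.
G = 123456789
Q = 1606938044258990275541962092341162602522202993782792835301301
A_SECRET = 685408003627063761059275919665781694368639459527871881531452
B_SECRET = 362059131912941987637880257325269696682836735524942246807440


def square_and_multiply(g, x, q):
    """g^x mod q, scanning the bits of x from the most significant one:
    square every step, multiply by g when the bit is 1."""
    result = 1
    for bit in bin(x)[2:]:              # e.g. x = (1,0,1,1,0,0,0,1)_2
        result = result * result % q    # square
        if bit == "1":
            result = result * g % q     # multiply
    return result


def diffie_hellman(g, q, a, b):
    """Both sides of the exchange: public g^a and g^b, and the shared g^ab computed two ways."""
    ga = square_and_multiply(g, a, q)            # Alice publishes g^a
    gb = square_and_multiply(g, b, q)            # Bob publishes g^b
    shared_alice = square_and_multiply(gb, a, q)  # (g^b)^a
    shared_bob = square_and_multiply(ga, b, q)    # (g^a)^b
    return ga, gb, shared_alice, shared_bob


if __name__ == "__main__":
    ga, gb, s_alice, s_bob = diffie_hellman(G, Q, A_SECRET, B_SECRET)
    print("g^a mod q  =", ga)
    print("g^b mod q  =", gb)
    print("g^ab mod q =", s_alice, "(both sides agree:", s_alice == s_bob, ")")
```

The three printed values can be compared with the ones on the slide; the code only checks that both parties end up with the same secret and that the hand-rolled loop agrees with Python's built-in modular `pow`.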

Diffie-Hellman key exchange (cont.)

DH key exchange (Koblitz-Miller style)

If all we need is a group, why not use elliptic curve groups?

Rationale: β€œit is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work” [Miller, 85]

Part 2: Elliptic Curves

Some good references

Silverman's talk, "An Introduction to the Theory of Elliptic Curves": http://www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf

Sutherland's MIT course on elliptic curves: https://math.mit.edu/classes/18.783/2015/lectures.html

Koblitz-Menezes, "ECC: the serpentine course of a paradigm shift": http://eprint.iacr.org/2008/390.pdf

Elliptic curves

group (G, +): can do +, −
ring (R, +, ×): can do +, −, ×
field (F, +, ×): can do +, −, ×, ÷

elliptic curve group (E, ⊕): can do ⊕, ⊖
underlying field (K, +, ×): can do +, −, ×, ÷

If you’ve never seen an elliptic curve before....

Remember: an elliptic curve is a group defined over a field

operations in underlying field are used and combined to compute the elliptic curve operation βŠ•

Boring curves: f(x, y) = 0 or f(X, Y, Z) = 0

Degree 1 (lines): ax + by = c, ab ≠ 0

Degree 2 (conic sections), e.g., ellipses, hyperbolas, parabolas: ax^2 + bxy + cy^2 + dx + ey + f = 0, abc ≠ 0

• "Genus" measures geometric complexity, and both are genus 0

• We know how to describe all solutions to these, e.g., over (extensions of) ℚ

• Not cryptographically interesting

• Degree 3 is where all the fun begins…

Elliptic curves

Degree 3: ax^3 + bx^2y + cxy^2 + dy^3 + ex^2 + fxy + gy^2 + hx + iy + j = 0

E/K: y^2 = x^3 + ax + b, with char(K) ≠ 2, 3

• Elliptic curves ↔ genus 1 curves

• Set is ≈ points (x, y) ∈ K × K satisfying the above equation

• Geometrically/arithmetically/cryptographically interesting

• Fermat's last theorem / BSD conjecture / …

• E specified by K, a, b

Elliptic curves, pictorially

E/ℝ: y^2 = x^3 + x + 1        E/ℝ: y^2 = x^3 − x

• So E is a set, but to be a group we need an operation

• The operation is between points: (x_P, y_P) ⊕ (x_Q, y_Q) = (x_R, y_R)

• Remember: a group (E, ⊕) defined over a field (K, +, ×)

• K will be fields we're used to, e.g., ℚ, ℂ, ℝ, 𝔽_p

• Remember: the (boring) operations +, −, ×, ÷ in K are used to compute the (exotic) operation ⊕ on E

Elliptic curves are groups

Fun fact: homomorphism between Jacobian of elliptic curve and elliptic curve itself.

Upshot: you don't have to know what a Jacobian is to understand/do elliptic curve cryptography

Elliptic curve group law is easy

The elliptic curve group law ⊕

We need (x_P, y_P) ⊕ (x_Q, y_Q) = (x_R, y_R)

Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve?

Answer: A line that intersects a cubic twice must intersect it again, so we draw a line through the points (x_P, y_P) and (x_Q, y_Q)

The elliptic curve group law ⊕

y^2 = x^3 + ax + b intersected with the line y = λx + ν:

x^3 − (λx + ν)^2 + ax + b = 0

x^3 − λ^2 x^2 + (a − 2λν) x + (b − ν^2) = (x − x_P)(x − x_Q)(x − x_R)

x_R = λ^2 − x_P − x_Q

y_R = −(λ x_R + ν)

λ = (y_Q − y_P)/(x_Q − x_P) when P ≠ Q (chord), λ = (3 x_P^2 + a)/(2 y_P) when P = Q (tangent)

A toy example

E/ℝ: y^2 = x^3 − 2x

What about E/ℚ: y^2 = x^3 − 2?

The (abelian) group axioms

• Closure: the third point of intersection must be in the field

• Identity: E_{a,b}(K) = {(x, y) : y^2 = x^3 + ax + b} ∪ {∞}

• Inverse: ⊖(x, y) = (x, −y)

• Associative: proof by picture

• Commutative: line through P and Q same as line through Q and P

A toy example, cont.

E/𝔽_11: y^2 = x^3 − 2x, #E = 12

(5, 7) ⊕ (8, 10) = (10, 10)

Part 3: Elliptic Curve Cryptography

Diffie-Hellman key exchange (circa 2016): the same g, q, a, b and g^ab mod q shown in Part 1, repeated for comparison with ECDH

ECDH key exchange (1999 – nowish): NIST Curve P-256

p = 2^256 − 2^224 + 2^192 + 2^96 − 1 = 115792089210356248762697446949407573530086143415290314195533631308867097853951

E/𝔽_p: y^2 = x^3 − 3x + b

#E = 115792089210356248762697446949407573529996955224135760342422259061068512044369

P = (48439561293906451759052585252797914202762949526041747995844080717082404635286, 36134250956749795798585127919587881956611106672985015071877198253568414405109)

Secret scalars (the a and b below are the two parties' secrets, not the curve coefficients):

a = 891306445912460335776397706414628550231450284928352556031837219223173

b = 100955574639327864188069383161907080327719109190584053916797810821934

[a]P = (84116208261315898167593067868200525612344221886333785331584793435449501658416, 102885655542185598026739250172885300109680266058548048621945393128043427650740)

[b]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)

[ab]P = (101228882920057626679704131545407930245895491542090988999577542687271695288383, 77887418190304022994116595034556257760807185615679689372138134363978498341594)

The fundamental ECC operation

P, k ↦ [k]P

GIF: Wouter Castryck

Scalar multiplications via double-and-add

How to (naively) compute k, Q ↦ [k]Q? Write k = (k_n, k_{n−1}, …, k_0)_2 with leading bit k_n = 1:

P ← Q
for i from n − 1 downto 0 do
    P ← [2]P
    if k_i = 1 then
        P ← P ⊕ Q
    end if
end for
return P (= [k]Q)

How to compute k, Q ↦ [k]Q on y^2 = x^3 + ax + b? The same loop, with the group law written out in field operations (in each update of y_P, x_P is the value just computed):

(x_P, y_P) ← Q
for i from n − 1 downto 0 do
    λ ← (3 x_P^2 + a)/(2 y_P); ν ← y_P − λ x_P;
    x_P ← λ^2 − 2 x_P; y_P ← −(λ x_P + ν);
    if k_i = 1 then
        λ ← (y_P − y_Q)/(x_P − x_Q); ν ← y_P − λ x_P;
        x_P ← λ^2 − x_P − x_Q; y_P ← −(λ x_P + ν)
    end if
end for
return (x_P, y_P) = [k](x_Q, y_Q)

Projective space

• Recall we defined the group of K-rational points as E_{a,b}(K) = {(x, y) : y^2 = x^3 + ax + b} ∪ {∞}

• The natural habitat for elliptic curve groups is in ℙ^2(K), not 𝔸^2(K)

• For (easiest) example, rather than (x, y) ∈ 𝔸^2, take (X : Y : Z) ∈ ℙ^2 modulo the equivalence (X : Y : Z) ∼ (λX : λY : λZ) for λ ∈ K*

• Replace x with X/Z and y with Y/Z, so E_{a,b}(K) is the set of solutions (X : Y : Z) ∈ ℙ^2(K) to E: Y^2 Z = X^3 + a X Z^2 + b Z^3

• So the affine points (x, y) from before become (x : y : 1) ∼ (λx : λy : λ), and the point at infinity is the unique point with Z = 0, i.e., (0 : 1 : 0) ∼ (0 : λ : 0)

Projective space, cont.

• One practical benefit of working over ℙ^2 is that the explicit formulas for computing ⊕ become much faster, by avoiding field inversions

• Thus, the fundamental ECC operation k, P ↦ [k]P becomes much faster…

Affine doubling (x', y') = [2](x, y), costing 1S + 2M + 1I:
λ ← (3x^2 + a)/(2y);
x' ← λ^2 − 2x;
y' ← −(λ(x' − x) + y);

Projective doubling (X' : Y' : Z') = [2](X : Y : Z), costing 5M + 6S and no inversion:
X' = 2YZ((3X^2 + aZ^2)^2 − 8XY^2Z)
Y' = (3X^2 + aZ^2)(12XY^2Z − (3X^2 + aZ^2)^2) − 8Y^4Z^2
Z' = 8Y^3Z^3

Projective scalar multiplications

How to compute k, Q ↦ [k]Q on y^2 = x^3 + ax + b? k = (k_n, k_{n−1}, …, k_0)

(X_P : Y_P : Z_P) ← Q
for i from n − 1 downto 0 do
    (X_P : Y_P : Z_P) ← [2](X_P : Y_P : Z_P)                            5M + 6S
    if k_i = 1 then
        (X_P : Y_P : Z_P) ← (X_P : Y_P : Z_P) ⊕ (X_Q : Y_Q : Z_Q)         9M + 2S
    end if
end for
return (x_P, y_P) ← (X_P/Z_P, Y_P/Z_P)                                   1I + 2M
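Added example (not code from the slides): the projective doubling formulas above and the projective double-and-add loop, run on P-256 with a single inversion at the very end. The projective addition formulas are the standard ones for Y^2 Z = X^3 + aXZ^2 + bZ^3 and are my assumption (the slide only states the 9M + 2S cost, which corresponds to mixed addition with Z_Q = 1; the general formulas below cost more). P-256's coefficient b is not printed on the slide and is recovered from the base point; #E is the order printed on the slide.

```python
# Points are (X, Y, Z) with x = X/Z, y = Y/Z; the point at infinity is the unique Z = 0 point.
INF = (0, 1, 0)


def proj_double(P, a, p):
    """[2](X : Y : Z) on Y^2 Z = X^3 + a X Z^2 + b Z^3 with the slide's formulas: 5M + 6S, no inversion."""
    X, Y, Z = P
    if Z == 0 or Y == 0:                 # ∞, or a point of order 2
        return INF
    W = (3 * X * X + a * Z * Z) % p      # numerator of the tangent slope
    XYYZ = X * Y * Y * Z % p
    X2 = 2 * Y * Z * (W * W - 8 * XYYZ) % p
    Y2 = (W * (12 * XYYZ - W * W) - 8 * pow(Y, 4, p) * Z * Z) % p
    Z2 = 8 * pow(Y, 3, p) * pow(Z, 3, p) % p
    return (X2, Y2, Z2)


def proj_add(P, Q, a, p):
    """(X1 : Y1 : Z1) ⊕ (X2 : Y2 : Z2), standard projective formulas (assumed), no inversion."""
    X1, Y1, Z1 = P
    X2, Y2, Z2 = Q
    if Z1 == 0:
        return Q
    if Z2 == 0:
        return P
    U1, U2 = Y2 * Z1 % p, Y1 * Z2 % p    # y-coordinates brought to a common denominator Z1 Z2
    V1, V2 = X2 * Z1 % p, X1 * Z2 % p    # same for the x-coordinates
    if V1 == V2:                         # same x: either P = Q or Q = ⊖P
        return proj_double(P, a, p) if U1 == U2 else INF
    U, V, W = (U1 - U2) % p, (V1 - V2) % p, Z1 * Z2 % p   # slope λ = U/V
    A = (U * U * W - V**3 - 2 * V * V * V2) % p
    X3 = V * A % p
    Y3 = (U * (V * V * V2 - A) - V**3 * U2) % p
    Z3 = V**3 * W % p
    return (X3, Y3, Z3)


def proj_scalar_mult(k, Q, a, p):
    """Double-and-add entirely in projective coordinates."""
    P = INF
    for bit in bin(k)[2:]:
        P = proj_double(P, a, p)
        if bit == "1":
            P = proj_add(P, Q, a, p)
    return P


def to_affine(P, p):
    """The single inversion of the whole computation (1I + 2M); ∞ maps to None."""
    X, Y, Z = P
    if Z == 0:
        return None
    zinv = pow(Z, -1, p)
    return (X * zinv % p, Y * zinv % p)


def on_curve(pt, a, b, p):
    x, y = pt
    return (y * y - x**3 - a * x - b) % p == 0


# NIST P-256 from the slide (b recovered from the base point, #E as printed).
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3
P256_G = (48439561293906451759052585252797914202762949526041747995844080717082404635286,
          36134250956749795798585127919587881956611106672985015071877198253568414405109, 1)
P256_B = (P256_G[1]**2 - P256_G[0]**3 - P256_A * P256_G[0]) % P256_P
P256_N = 115792089210356248762697446949407573529996955224135760342422259061068512044369


def ecdh_projective(a, b):
    """[ab]P computed by both parties, each doing two projective scalar multiplications."""
    aP = proj_scalar_mult(a, P256_G, P256_A, P256_P)
    bP = proj_scalar_mult(b, P256_G, P256_A, P256_P)
    return (to_affine(proj_scalar_mult(b, aP, P256_A, P256_P), P256_P),
            to_affine(proj_scalar_mult(a, bP, P256_A, P256_P), P256_P))
```

On the toy curve E/𝔽_11: y^2 = x^3 − 2x, `to_affine(proj_double((5, 7, 1), -2, 11), 11)` gives [2](5, 7) and `proj_add` reproduces (5, 7) ⊕ (8, 10) = (10, 10) from Part 2; on P-256, [#E]P comes out as ∞, which is the check that the reconstructed formulas (and the recovered b) are right.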

ECDLP security and Pollard's rho algorithm

• ECDLP: given P, Q ∈ E(𝔽_p) of prime order N, find k such that Q = [k]P

• Pollard '78: compute pseudo-random R_i = [a_i]P + [b_i]Q until we find a collision R_i = R_j with b_i ≠ b_j, then k = (a_j − a_i)/(b_i − b_j)

• Birthday paradox says we can expect a collision after computing √(πN/2) group elements R_i, i.e., after ≈ √N group operations. So 2^128 security needs N ≈ 2^256

• The best known ECDLP algorithm on (well-chosen) elliptic curves remains generic, i.e., elliptic curves are as strong as is possible

Index calculus on elliptic curves?

Consider E/𝔽_1217: y^2 = x^3 − 3x + 139, with #E(𝔽_1217) = 1277

P = (3, 401) and Q = (192, 847)

ECDLP: find k such that [k]P = Q

[Miller, 85]: "it is extremely unlikely that an index calculus […] will ever be able to work"

e.g., factor base R_i = (3, 401), (5, 395), (7, 73), (11, 252), (13, 104), (19, 265)

Writing S = Σ [k_i]R_i involves solving discrete logarithms; compare this to integers mod p, where we lift and factorise over the integers

Regardless of factor base, we can't efficiently decompose elements!
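The affine group law from Part 2, the toy curve E/𝔽_11, the double-and-add loop, the P-256 exchange and Pollard's rho on the toy ECDLP above all fit in one short Python module, added here as an illustration (my code, not the slides'). Everything is built from the chord-and-tangent formulas of Part 2. The P-256 coefficient b is not printed on the slide and is recovered from the base point; #E is the order on the slide. The toy ECDLP is solved with a seeded 3-partition r-adding walk and Floyd cycle finding (the walk design is my assumption; the collision formula is the slide's), and the recovered k is verified by recomputing [k]P.

```python
import random

INF = None  # the point at infinity ∞, the identity of (E, ⊕)


def ec_add(P, Q, a, p):
    """Chord-and-tangent addition P ⊕ Q on y^2 = x^3 + ax + b over F_p, affine coordinates."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    xP, yP = P
    xQ, yQ = Q
    if xP == xQ and (yP + yQ) % p == 0:
        return INF                                              # Q = ⊖P = (x_P, -y_P)
    if P == Q:
        lam = (3 * xP * xP + a) * pow(2 * yP % p, -1, p) % p    # tangent: (3x_P^2 + a)/(2y_P)
    else:
        lam = (yQ - yP) * pow((xQ - xP) % p, -1, p) % p         # chord: (y_Q - y_P)/(x_Q - x_P)
    nu = (yP - lam * xP) % p                                    # line y = λx + ν
    xR = (lam * lam - xP - xQ) % p
    yR = (-(lam * xR + nu)) % p                                 # third intersection, reflected
    return (xR, yR)


def scalar_mult(k, Q, a, p):
    """Double-and-add: scan the bits of k from the top, doubling every step, adding Q on a 1 bit."""
    P = INF
    for bit in bin(k)[2:]:
        P = ec_add(P, P, a, p)                                  # P ← [2]P
        if bit == "1":
            P = ec_add(P, Q, a, p)                              # P ← P ⊕ Q
    return P


def count_points(a, b, p):
    """Naive #E(F_p), counting ∞; only for toy-sized p."""
    squares = {}
    for y in range(p):
        squares.setdefault(y * y % p, []).append(y)
    return 1 + sum(len(squares.get((x**3 + a * x + b) % p, [])) for x in range(p))


# NIST P-256: p, a = -3 and the base point are on the slide; b is recovered from the base point.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_A = -3
P256_G = (48439561293906451759052585252797914202762949526041747995844080717082404635286,
          36134250956749795798585127919587881956611106672985015071877198253568414405109)
P256_B = (P256_G[1]**2 - P256_G[0]**3 - P256_A * P256_G[0]) % P256_P
P256_N = 115792089210356248762697446949407573529996955224135760342422259061068512044369  # #E on the slide


def ecdh_p256(a, b):
    """ECDH as on the slide: [a]P and [b]P are exchanged, both sides compute [ab]P."""
    aP = scalar_mult(a, P256_G, P256_A, P256_P)
    bP = scalar_mult(b, P256_G, P256_A, P256_P)
    return scalar_mult(b, aP, P256_A, P256_P), scalar_mult(a, bP, P256_A, P256_P)


def pollard_rho(P, Q, N, a, p, seed=1):
    """Pollard's rho for Q = [k]P in a group of prime order N: walk through pseudo-random
    R = [c]P ⊕ [d]Q until Floyd's cycle finding meets R_i = R_j, then k = (c_j - c_i)/(d_i - d_j) mod N.
    The walk is a 3-partition r-adding walk, seeded so that runs are reproducible (my design choice)."""
    rng = random.Random(seed)
    steps = [(rng.randrange(1, N), rng.randrange(1, N)) for _ in range(3)]
    step_pts = [ec_add(scalar_mult(r, P, a, p), scalar_mult(s, Q, a, p), a, p) for r, s in steps]

    def walk(R, c, d):
        j = 0 if R is INF else R[0] % 3                         # partition by x-coordinate
        return ec_add(R, step_pts[j], a, p), (c + steps[j][0]) % N, (d + steps[j][1]) % N

    c0, d0 = rng.randrange(1, N), rng.randrange(1, N)
    tort = (ec_add(scalar_mult(c0, P, a, p), scalar_mult(d0, Q, a, p), a, p), c0, d0)
    hare = walk(*tort)
    while tort[0] != hare[0]:
        tort = walk(*tort)
        hare = walk(*walk(*hare))
    (_, ci, di), (_, cj, dj) = tort, hare
    if (di - dj) % N == 0:                                      # useless collision: restart the walk
        return pollard_rho(P, Q, N, a, p, seed + 1)
    return (cj - ci) * pow((di - dj) % N, -1, N) % N


# Toy ECDLP from the slide: E/F_1217: y^2 = x^3 - 3x + 139, #E = 1277, P = (3, 401), Q = (192, 847).
TOY_P, TOY_A, TOY_B, TOY_N = 1217, -3, 139, 1277
TOY_BASE, TOY_TARGET = (3, 401), (192, 847)

if __name__ == "__main__":
    print("E/F_11: #E =", count_points(-2, 0, 11), "; (5,7) ⊕ (8,10) =", ec_add((5, 7), (8, 10), -2, 11))
    k = pollard_rho(TOY_BASE, TOY_TARGET, TOY_N, TOY_A, TOY_P)
    print("toy ECDLP: k =", k, "; [k]P == Q:", scalar_mult(k, TOY_BASE, TOY_A, TOY_P) == TOY_TARGET)
```

The expected number of steps on the toy curve is about √(π·1277/2) ≈ 45, which is why the walk finishes instantly here and why the same algorithm needs ≈ 2^128 steps on P-256.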

Part 4: Next-generation ECC

What's wrong with old school ECC?

• Side-channel attacks: starting with Kocher '99, side-channel attacks and their countermeasures have become extremely sophisticated

• Decades of new research: we now know much better/faster/simpler/safer ways to do ECC

• Suspicion surrounding previous standards: Snowden leaks, the Dual EC DRBG backdoor, etc., led to conjectured weaknesses in the NIST curves

Next generation elliptic curves

• 2014: CFRG receives formal request from TLS working group for recommendations for new elliptic curves

• 2015: NIST holds workshop on ECC standards

• 2015: CFRG announces two chosen curves, both specified in Montgomery (1987) form E/𝔽_p: y^2 = x^3 + Ax^2 + x

• Bernstein's Curve25519 [2006]: p = 2^255 − 19 and A = 486662

• Hamburg's Goldilocks [2015]: p = 2^448 − 2^224 − 1 and A = 156326

• Both primes offer fast software implementations!

• Their group orders are divisible by 8 and 4, but this form offers several advantages.

Montgomery's fast differential arithmetic

E/𝔽_p: y^2 = x^3 + Ax^2 + x

• drop the y-coordinate, and work with x only.

• projectively, work with (X : Z) ∈ ℙ^1 instead of (X : Y : Z) ∈ ℙ^2

Extremely fast pseudo-doubling xDBL (2M + 2S):
X_{[2]P} = (X_P + Z_P)^2 (X_P − Z_P)^2
Z_{[2]P} = 4 X_P Z_P ((X_P − Z_P)^2 + (A + 2) X_P Z_P)

Extremely fast pseudo-addition xADD (4M + 2S):
X_{P+Q} = Z_{P−Q} ((X_P − Z_P)(X_Q + Z_Q) + (X_P + Z_P)(X_Q − Z_Q))^2
Z_{P+Q} = X_{P−Q} ((X_P − Z_P)(X_Q + Z_Q) − (X_P + Z_P)(X_Q − Z_Q))^2

• But (pseudo-)addition of x(P) and x(Q) requires x(Q ⊖ P)

Differential additions and the Montgomery ladder

• Given only the x-coordinates of two points, the x-coordinate of their sum can be one of two possibilities

• Inputting the x-coordinate of the difference resolves the ambiguity

• The (ingenious!) Montgomery ladder fixes all differences as the input point: in k, x(P) ↦ x([k]P), every xADD is of the form xADD(x([n+1]P), x([n]P), x(P))

• We carry two multiples of P "up the ladder": x(Q) and x(Q ⊕ P)

• At the i-th step: compute x([2]Q ⊕ P) = xADD(x(Q ⊕ P), x(Q), x(P))

• At the i-th step: pseudo-double (xDBL) one of them depending on k_i

Fast, compact, simple, safer Diffie-Hellman

see https://tools.ietf.org/html/rfc7748 (Elliptic curves for security)

• x-only Diffie-Hellman (Miller '85): x([ab]P) = x([a]([b]P)) = x([b]([a]P))

• Write k = Σ_{i=0}^{ℓ−1} k_i 2^i with k_{ℓ−1} = 1 and P = (x_P, y_P) in E (e.g., on Curve25519 or Goldilocks)

(x0, x1) ← (xDBL(x_P), x_P)
for i = ℓ − 2 downto 0 do
    (x0, x1) ← cSWAP(k_{i+1} ⊕ k_i, x0, x1)
    (x0, x1) ← (xDBL(x0), xADD(x0, x1, x_P))
end for
(x0, x1) ← cSWAP(k_0, x0, x1)
return x0 (= x([k]P))

Inherently uniform, much easier to implement in
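Added example (not code from the slides or from RFC 7748): the ladder above written out in Python with the slide's xDBL and xADD formulas on Curve25519 (p = 2^255 − 19, A = 486662, base point x = 9), in (X : Z) coordinates, with a masked cSWAP in place of a branch. It follows the slide's indexing exactly: k_{ℓ−1} = 1, one deferred swap by k_{i+1} ⊕ k_i per step, and a final swap by k_0. It demonstrates the structure only: Python integers are not constant-time, and X25519 proper additionally clamps the scalar and works on little-endian byte strings.

```python
# Curve25519 parameters from the slide; points are (X, Z) with x = X/Z and x(∞) has Z = 0.
P25519 = 2**255 - 19
A25519 = 486662
BASE_X = 9


def xdbl(P, A=A25519, p=P25519):
    """x([2]P) from x(P): X' = (X+Z)^2 (X-Z)^2, Z' = 4XZ((X-Z)^2 + (A+2)XZ); 2M + 2S."""
    X, Z = P
    s, d = (X + Z) ** 2 % p, (X - Z) ** 2 % p
    four_xz = (s - d) % p                           # (X+Z)^2 - (X-Z)^2 = 4XZ
    a24 = (A + 2) * pow(4, -1, p) % p               # so (A+2)XZ = a24 * 4XZ
    return s * d % p, four_xz * (d + a24 * four_xz) % p


def xadd(P, Q, diff, p=P25519):
    """x(P ⊕ Q) from x(P), x(Q) and the difference x(P ⊖ Q); 4M + 2S."""
    XP, ZP = P
    XQ, ZQ = Q
    Xd, Zd = diff
    u = (XP - ZP) * (XQ + ZQ) % p
    v = (XP + ZP) * (XQ - ZQ) % p
    return Zd * (u + v) ** 2 % p, Xd * (u - v) ** 2 % p


def cswap(swap, P, Q):
    """Swap the two (X : Z) pairs when swap == 1, by masking rather than branching."""
    mask = -swap                                    # 0, or all ones (-1) for Python's big ints
    (XP, ZP), (XQ, ZQ) = P, Q
    tx, tz = (XP ^ XQ) & mask, (ZP ^ ZQ) & mask
    return (XP ^ tx, ZP ^ tz), (XQ ^ tx, ZQ ^ tz)


def ladder(k, xP, A=A25519, p=P25519):
    """The slide's Montgomery ladder: x([k]P) from k and x(P), k >= 1.
    (x0, x1) always hold x([n]P) and x([n+1]P) up to the pending swap, so every xADD
    has difference x(P)."""
    assert k >= 1
    P = (xP % p, 1)
    x0, x1 = xdbl(P, A, p), P                       # after the leading bit k_{ℓ-1} = 1
    bits = [(k >> i) & 1 for i in range(k.bit_length())]   # bits[i] = k_i
    for i in range(len(bits) - 2, -1, -1):
        x0, x1 = cswap(bits[i + 1] ^ bits[i], x0, x1)
        x0, x1 = xdbl(x0, A, p), xadd(x0, x1, P, p)
    x0, x1 = cswap(bits[0], x0, x1)
    X, Z = x0
    return X * pow(Z, -1, p) % p if Z else None     # ∞ would have Z = 0


def x_only_dh(a, b, x_base=BASE_X):
    """x-only Diffie-Hellman: both parties end at x([ab]P) without ever using y."""
    return ladder(a, ladder(b, x_base)), ladder(b, ladder(a, x_base))


if __name__ == "__main__":
    a = 2**254 + 12345678901234567890   # constructed demo scalars, not real keys
    b = 2**254 + 98765432109876543210
    s_alice, s_bob = x_only_dh(a, b)
    print("x([ab]P) =", hex(s_alice), "; agree:", s_alice == s_bob)
```

The cSWAP mask trick is what makes the per-step work independent of the secret bits in a real implementation; here it just shows the shape, since Python's integer operations themselves leak timing.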


Curve25519 and Goldilocks in the real world

• See "Elliptic curves for security", https://tools.ietf.org/html/rfc7748

• Both curves integrated into TLS ciphersuites

• In 2014, OpenSSH defaults to Curve25519

• Curve25519 is used in the Signal Protocol (Facebook Messenger, Google Allo, WhatsApp), iOS, GnuPG, etc. (https://en.wikipedia.org/wiki/Curve25519)

(Twisted) Edwards curves

E: a x^2 + y^2 = 1 + d x^2 y^2

(x_1, y_1) + (x_2, y_2) = ( (x_1 y_1 + x_2 y_2)/(y_1 y_2 − x_1 x_2), (x_1 y_1 − x_2 y_2)/(x_1 y_2 − y_1 x_2) )

• Neutral element is (0, 1); no projective space needed for E(K)

• Addition law is complete (for well-chosen E)

• Extremely fast: 8M! Also works for doubling, inverses, everything

• Fast, simple, exception-free implementations that always compute correctly

• Also birationally equivalent to Montgomery curves!
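Added example (not code from the slides): twisted Edwards arithmetic on the Ed25519 curve −x^2 + y^2 = 1 + d x^2 y^2 over 𝔽_p, p = 2^255 − 19, with the standard Ed25519 constants (d = −121665/121666, base point y = 4/5, prime order ℓ = 2^252 + 27742317777372353535851937790883648493), which are not on the slide. The completeness bullet refers to the standard twisted Edwards addition law, used below for P ⊕ Q, doubling, inverses and the identity without any special case; the 8M formulas displayed on the slide are the faster "dual" formulas for a = −1, and the example also shows that they agree with the complete law on ordinary inputs but hit a division by zero at P = Q.

```python
P = 2**255 - 19
A = -1
D = -121665 * pow(121666, -1, P) % P                      # Ed25519's d
L_ORDER = 2**252 + 27742317777372353535851937790883648493  # prime order of the base point
IDENTITY = (0, 1)


def ed_add(P1, P2, a=A, d=D, p=P):
    """Complete twisted Edwards addition: the same formula serves P ⊕ Q, [2]P, P ⊕ ⊖P and P ⊕ (0,1)."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2 % p
    x3 = (x1 * y2 + y1 * x2) * pow((1 + t) % p, -1, p) % p
    y3 = (y1 * y2 - a * x1 * x2) * pow((1 - t) % p, -1, p) % p
    return (x3, y3)


def ed_add_dual(P1, P2, a=A, p=P):
    """The 8M formulas displayed on the slide (a = -1). Not complete: the second
    denominator x1 y2 - y1 x2 vanishes for P = Q, so this cannot double a point."""
    x1, y1 = P1
    x2, y2 = P2
    den_x, den_y = (y1 * y2 + a * x1 * x2) % p, (x1 * y2 - y1 * x2) % p
    if den_x == 0 or den_y == 0:
        raise ValueError("dual addition formula: exceptional input")
    return ((x1 * y1 + x2 * y2) * pow(den_x, -1, p) % p,
            (x1 * y1 - x2 * y2) * pow(den_y, -1, p) % p)


def ed_neg(P1, p=P):
    """⊖(x, y) = (-x, y) on an Edwards curve."""
    return ((-P1[0]) % p, P1[1])


def ed_scalar_mult(k, Q):
    """Double-and-add with no special cases at all, thanks to the complete law."""
    R = IDENTITY
    for bit in bin(k)[2:]:
        R = ed_add(R, R)
        if bit == "1":
            R = ed_add(R, Q)
    return R


def on_curve(P1, a=A, d=D, p=P):
    x, y = P1
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0


def base_point(p=P, d=D):
    """Ed25519 base point: y = 4/5, x recovered from the curve equation (even root, as in the
    Ed25519 encoding); for a = -1, x^2 = (y^2 - 1)/(d y^2 + 1)."""
    y = 4 * pow(5, -1, p) % p
    x2 = (y * y - 1) * pow((d * y * y + 1) % p, -1, p) % p
    x = pow(x2, (p + 3) // 8, p)                          # square root for p ≡ 5 (mod 8)
    if (x * x - x2) % p != 0:
        x = x * pow(2, (p - 1) // 4, p) % p               # multiply by sqrt(-1)
    if x % 2 == 1:
        x = p - x
    return (x, y)


BASE = base_point()

if __name__ == "__main__":
    print("base point on curve:", on_curve(BASE))
    print("[ℓ]B == (0,1):", ed_scalar_mult(L_ORDER, BASE) == IDENTITY)
    B2 = ed_add(BASE, BASE)
    print("dual formula agrees on B ⊕ [2]B:", ed_add_dual(BASE, B2) == ed_add(BASE, B2))
```

The [ℓ]B = (0, 1) check exercises roughly 250 doublings and 125 additions through one unconditional formula, which is the property the slide's "exception-free implementations" bullet is about.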

Elliptic curves: the best of both worlds

attacker: generic vs. us: not generic

ECC is the best of both worlds

attacker's toolbox vs. our toolbox
