2
{ }0 1 2 1
A finite group of order is if it has an element of .
In this case, , , , , ; is said to be
gener
ated by , and is a .
In any
cyclic
generato
r
Cyclic groups
q
G q g q
G g g g g g G
g g
−=
•
•
=
{ }0 1 2 1
group (not necessarily finite or cyclic), if is an element
of finite order , then , , , ,
is a cyclic group of order .
Note: in general, denotes the subgroup generated by
q
g
q g g g g g
q
g
−
•
=
mod
.
Note: we implicitly assume multiplicative groups, and will write t
Recall: For
he identity of t
any element
he group
,
as 1.
. m Gma G a a
g
∈
•
=•
3
{ }0 1 2 1
Let be a group of order , and let be any generator.
So, , , , ,
For any , there is a unique such that .
cyclic
This in
Discrete logarithm problem (DLP)
xq
q
G q g
G g g g g
gh G x h
g −= =
∈ ∈
•
=•
( ) ( ) ( )1 2 1 2
discrete logarithmlo
teger is called the (or index) of with respect to base . We write .
Standard logarithm rules still hold: log 1 0,
log log log mod , log l g m
o
g
g
kg
g
g g g g
x hg
h h h h q
h
h k h
x=
=
⋅ = + =
•
od .
The DLP in with base is to compute log for any . g u
q
G g h h G←•
4
{ } { }{ }
*
*
*
0 1 2 2*
1
If is prime, then is a cyclic group of order 1.
Let be any generato
Theor
r of .
1, 2, , 1 , , ,
em:
, .
, ,0 , , .
2 2
DLP:
1
DLP in
p
p
p
p
p
p
p p
g
p g g g g
p
−
−
−
=• −
=
•
•
•
−
=
( )( )
*
g
*
lo
given , compute .
There is a subexponential-time algori
Index Calculu
thm for DLP
s
in
, 2 , where log .
p
O n n
p
xg
O
x
n p
•
∈
=
5
{ }* 0 1 2 2
*
0 1 2
, , , , ,
where is a large prime, and is a generator.
A subgroup of of prime order ,
,
//less
,
secu
,
re /
/
,
Frequently used groups p
p
p
g g g g
p g
q
G α α α α α
−
−
• =
•
= =
{ }1 *
* ( 1)/
,
where is an element of prime order (e.g. ).
The doesn't work.
Elliptic curves defined over finite field //increas
In
s.
In these
i
gro
ngl
dex Calculus
y popular
up
//
s
p
p qp q gα α −
⊂
∈ =
•
•
, there is no polynomial-time algorithm known for DLP.
6
{ }
*19
* 0 1 2 1719
0 1 2 3 4 5
6 7
2
2
2
{1, 2, ..., 18}.
2 is a generator. 2 2 , 2 , 2 , , 2 .
2 1, 2 2, 2 4, 2 8, 2 16, 2 13, 2 7, 2 14, log 7 6log 14 7log 12 ?
Example 1
G = =
= =
= = = = = =
= ====
7
{ }
{ }
*11
5
*5 11
3
3
1, 2, , 10 .
3 = 1, 3, 9, 5, 4 .
3 is a generator of , but not a generator of .log 5 3log 10 not defined
Example 2
G
G
G Z
= =
=
==
8
DLP in the additive group .
Every 0 coprime to is a generator.
DLP: given , compute .
Example 3
N
Ng N
k g k
≠ ∈
⋅
9
( )
1
1
RSA
RSA
RSA
RSA is a one-way function: (easy)
(difficult)
trapdo
( is a trapdoor)
Expon
or
RSA vs. Discrete Logarithm
e
e
de
x x
x x
x x d
−
−
•
→
←
←
•exp
log
etiation is a one-way function :
(easy)
(difficult)
An encryption
without a tr
scheme based
apdoor
on the difficulty of discrete log
g
g
x
x
x g
x g
→
←
•
will simply encrypt as .not xx g
10
{ }{ }
( )
0 1 2 1 , , , , , a cyclic group of order .
, , , , .
Alice and Bob wish to set u
0 1 2 1
secretp a key. 1. They agree on , , .
2. Alice B
Diffie-Hellman key agreement q
q
G g g g g q
G
q
g q
−
−
• =
=
•
→
( )
ob: , where .
3. Alice Bob: , where .
4. The agreed-on key: .
Remark: in practice, , , is standardized, and there is a mapping between bit strings and the eleme
xu q
yu q
x y
g x
g y
g
G g q
⋅
←
← ←
•
nts of .G
11
{ }{ }
0 1 2
*
2*
1 0 1
, , , , , a large prime.
, , , , .
Alice and Bob wish to set up a key. 1. Alice and Bob agree on a large p
2 2
secret
Diffie-Hellman key agreement using p
p
p
pg g g g
p
p−
− −
• =
=
•
*
1
1
rime and a generator . ( )
2. Alice Bob: mod , where .
3. Alice Bob: mod , wher
, , not secret
e .
4. They agree on the key: mod .
p
xu p
yu p
xy
pg
g p x
g p y
g
p g
p
−
−
∈
→ ←
← ←
12
{ }{ }
0 1 2 1 , , , , , a cyclic group of order .
, , , , .
Computational Diffie-Hellman Problem: given , , where
(
C,
D
0
H, compu
1
t)
e
1 2
Diffie-Hellman problemsq
q
x y xu q
q
G g g g g q
Z
g g G x y Z g ⋅
−• =
=
•
−
∈ ←
.
Decisional Diffie-Hellman Problem: given , , , where , , and
with probability 1 2
a random element in with probability 1 2
determine if
(DDH
.
)
y
x yu q
x y
x y
g g h G x y Z
gh
G
h g
⋅
⋅
•
∈ ←
=
=
13
*
DDH CDH DLP.
Open question: Is CDH DLP?
There are example of groups (e.g., ) in which
CDH and DLP are believed to be hard, but DDH is easy.
Relationships between DDH, CDH, DLP
p
• ≤ ≤
• ≥
•
14
{ } { }
( ) ( )
0 1 2 1
, , , , , , , , , .
Keys: , , , , , , , where , .
To encrypt a message :
Use Diff
0 1
ie-H
2 1
ellman agreemen
ElGamal encryption schemeq
x
q
q
G g g q
sk x pk
g g
G g q G g q xh
G
h g
m
−= =
• ←
−
= = =
• ∈
1 2 2 1
t to set up a "key" by choosing and computing : ( ).
Use to encrypt as .
The ciphertext is , , .
Decryption: ( , ) .
y x yu q
y y y
xsk
k Gy k h g
k m k m G
g k m g h m
Dec c c c c
⋅
−
∈
← = =
⋅ ∈
⋅ = ⋅
• = ⋅
15
*
*
1
1. Key generation (e.g. for Alice): choose a large prime and a generator ,
where 1 has a large prime factor. randomly choose a number and co
ElGamal encryption in p
p
p
p gp
x −
• ∈
−
• ∈
*1
1 2 2 1*
mpute ;
let ( , , ) and ( , , ).2. Encryption: ( ) ( , ), where , .
3. Decryption: ( , ) .
4. Remarks: Multiplications are done in , . ., mod
x
y ypk p u p
xsk
p
h gp g p gEnc m g h m m y
D c c c
sk
ci
k
e
x p h
−
−
=
• = =
= ⋅ ∈ ←
= ⋅
ulo .
The encryption ra nsc doheme mize is d.
p
16
If the DDH problem is hard, then
the ElGamal encryption scheme is CPA-secure.
ElGamal encryption is n
homomorphic and thus CCA-s
The
ecure.
orem:
ot
Security of ElGamal encryption
•
•
17
( )
ElGamal enc
A function : is if ( ) ( ) ( ).
( ) ( ) ( ), in the following sense:
ryptio
h
n
If ( ) ,
is homo
o
m
an
or
momor
phic
p ic
,
h
d
Homomorphism of ElGamal encryption
y y
f G G f xy f x f y
E mm E m E m
E m g mh
′• → =
′ ′• = ⋅
= ( )( ) ( )( )( )
( ) , , then
( ) ( ) , ,
,
,
is a valid encryption of .
y y y
y y
y y y y
y y y y
y
E m g m h
E m E m g mh g m h
g g mh
mm
m
h
h
m
m
g ′ ′+
′ ′
′ ′
′ ′
+
′ ′=
′ ′⋅ =
=
=
′
′
′
⋅
A field, denoted by ( , , ), is a set with two binary operations, and , such that 1. ( , ) is an abelian group (with identity 0). 2. ( \{0}, ) is an abelian group (with identy 1).
FieldF F
FF
• + ×+ ×
+×
1
3. For all elements , 0 0 0. 3. , , , ( ) (distributive).
Example fields: ( , , ), ( , , ), ( , , ).
( , , ) is not a field, because (except for 1).
For
a F a ax y z F x y z x y x z
z z−
∈ × = × =∀ ∈ × + = × + ×
• + × + × + ×
• + × ∉ =
•
any prime , ( , , ) is a field, denoted as .p pp F+ ×
20
3
3
2
2 3 An is a curve given by
It is required that the discrimin
elliptic c
ant =4 27 0. When 0, the polynomial
urve
The equation of an elliptic curve
x axa b
y x ax b∆ + ≠
∆ ≠
•
•
+ +
= + +
has distinct roots, and the curve is said to be nonsingular. For reasons to be explained later, we introduce an
additional point, , call the point at infinityed , so the elliptic curve
0
O
b =
•
{ } { }2 3
is the set
( , ) :E x y y x ax b O= = + +
21
{ } { }
{ } { }
{ } { }
2 3
2 3
2 3
We are often interested in points on the curve of specific coordinates:
( ) ( , ) :
( ) ( , ) :
( ) ( , ) :
( ) ( , ) :
E x y y x ax b O
E x y y x ax b O
E x y y x ax b O
E x y
•
= ∈ × = + +
= ∈ × = + +
= ∈ × = + +
= ∈ ×
{ } { }
{ } { }
2 3
2 3
( ) ( , ) : p p p
y x ax b O
E F x y F F y x ax b O
= + +
= ∈ × = + +
23
Amazing fact: we can use geometry to make the points of an elliptic curve into a group.
Suppose . Then def
ine .
Making an elliptic curve into a group
P Q P Q R
•
• ≠ + =
P
Q
R
-R=R’
25
What if ( , ), ( , ), so that is vertical? In this case, we define .
This is why we added the extra point into the cu e
rv .
P x y Q x y PQP Q O
O
• = = −+ =
•
P=(x,y)
-P=(x,-y)Q=(x,-y)
26
Now having defined for , , we still need to define .
Let play the role
of identity, and define .
Now every point ( , ) has an inverse: ( , ).
P Q P Q OP O
OP O O P P
P x y P x y
+ ≠+
+ = + == − = −
•
•
•
P=(x,y)
-P=(x,-y)
27
The addition law on has these properties: 1. for all . 2. ( ) for all . 3. ( ) ( ) for all , , . 4. for all
The
( ( )
, .
That , )
ore
fis
m.
,
EP O O P P P EP P O P EP Q R P Q R P Q R EP Q Q P P Q E
E
+ = + = ∈+ − = ∈+ + = + + ∈+ = +
+
∈
•
All of these properties are trivial to check except the associative law (3), which can be verified by a lengthy computation usin explicit formul
orms an a
g , or by
belian grou
using m
as
p.
ore
•
advanced algebraic or analytic methods.
28
1 1 22 3
3 3
23 1
2
1 21 1
1
2
3 1 3
2
1
( , ), ( , ), . .
The curve : .
The line :
( , )
( )
, where
and
Formulas fo
.
r Addition on
E
y x ax b
y x
P x y Q x y P Q R P Q x y
x x xy x x
E
PQy y y x
y
x x
λ
λ
λ ν λ
ν
λ
= = ≠
•
=• + =
= − −=
−=
= + +
= −−
•
=
− −
•
+
P
Q
R
-R=R’
29
P=Q
R=2P
-R
3 3
23 1
1 1 1
21
1
3 1 3 1
If ( , ), with 0, and2 , th en
( , )
2
3
(
2
)
P Q x y yP Q P
x ay
R x y
x xy x x y
λ
λλ
= = ≠•
= −= −
= =
+=
−
+ =
30
2 3: If and are in a field and if and have coordinates
in , then and 2 as computed by the formulas also have coordinates in
.
, or equal .Thu
s
An important fact
Ea b K P QK P Q P
K
y x x b
O
a• = + +•
•
+
, we can use the same addition laws to make the points of an elliptic curve over a finite field into a group, even
though the addition laws will no longer have the geometric interpretation
pF
s.
31
2 3
Let be a field, and suppose that an elliptic curve is givenby an equation of the form : with , .Let ( ) denote the set of points of with coordi
Theorem (Poincare, 19 ) 00K E
E y x ax b a b KE K E
= + + ∈
≈
{ } { }
nates in ,plus , ( ) ( , ) : , .Then ( ) is a group.
KOE K x y E x y K O
E K= ∈ ∈ ∪
32
{ } { }
2 3
2 3
: with , .
Let ( ) denote the set of points of with coordinates in ,plus ,
( ) is isomorph
( ) ( , ) :
An amazing fact: ic
What does ( ) look like?
E y x ax b a b R
E E CO
E x y C C
E
y x ax b O
E C
= + + ∈
= ∈ × = + + ∪
to a torus.
34
{ } { }
2 3
3 2
2 3
2 323
Equation: over
where 3, , , 4 27 0 (mod ).
( , ) :
: over Example:
Elliptic curves defined over
p
p
p p
p
y x ax b F
p a b F a b p
E x y F F y x ax b O
E y x x F
F
= + +
> ∈ + ≠
= ∈ × = + + ∪
= +
35
2 311
113
211
11
: 6 over
To find all points ( , ) of ,for each , compute
6mod11 anddetermine whether is aquadratic residue. If so, solve in .
( ) 13.
ExampleE y x x F
x y Ex F
z x xz
y z FE F
= + +
∈
= + +
=
= 9,241079
8,3989,247
869,245
846,5337,452
8160
res? quad63
yesnoyesyesnoyesnoyesyesnono
yxxx ++
36
( )2 2
2211
1
There are 13 points in the group.
So, it is cyclic and any point other is a generator.
Let (2,7). We can compute 2 ( , ) as follows.
3 2 13 13 2 3 2 4 8 ( mod2 2 7 14
Example (continued)
O
x y
x ay
α α
λ −
= =
++= = = = × = × =
×
( ) ( )( )
222 1
2 1 2 1
11)
2 8 2 2 5 ( mod11)
( ) 2 5 8 7 2 ( mod11)
2 (5,2)
x x
y x x y
λ
λ
α
= − = − × =
= − − = − × − =
=
37
( )
3 3
2 1
2 12 2
3 1 2
3 1 3 1
Let 3 ( , ). Then,2 7 2 ( mod11)5 2
2 2 5 8 ( mod11) ( ) 2 8
Ex
2 7 3 ( mod11)
(2,7) 2 (5,2) 3 (8,3)4 (10,2) 5 (
ample (continued
3,6) 6 (7,9)7 (7,2) 8 (
)x y
y yx x
x x xy x x y
α
λ
λλ
α α αα α αα α
=− −
= = =− −
= − − = − − =
= − − = − × − =
= = == = == = 3,5) 9 (10,9)
10 (8,8) 11 (5,9) 12 (2,4)
13 12 2 11 3 10 ?
αα α α
α α α α α α α
== = =
= + = + = + = =
38
Hasse's Theor
Determining ( ) is an important problem,
called point counting.
1 2 ( ) 1 2 .
There are polynomial time algorithms that
precisely determi
m:
e
e
n
Point Counting
p
p
E F
p p E F p p+ − ≤ ≤ + +
•
•
•
( ) .
In practice, ( ) of prime order is used.
p
p
E F
E F q•
39
{ }0 1 2 1 Let , , , , be a group of order .
DLP in : given an element , find the
unique exponent such that .
DLP in - reviewedq
xq
g g g g g q
g h g
x h
g
g
−• =
• ∈
∈ =
40
{ }
Consider an elliptic curve group ( ).
Let ( ) be a point of large prime order .
0 , 1 , 2 , , ( 1) is a subgroup of ( ).
ECDLP : given
Elliptic Curve Discrete Logarithm Problem
p
p
p
E FG E F q
G G G G q G E F
•
•
•
•
∈
= −
a point , find the unique multiplier such that .q
H Gx xG H
∈
∈ =
41
Alice Bob
Alice Bob Agreed key:
Alice Bob
Diffie-Hellman key agreement
Elliptic Curve Diffie-Hellman
a
b
g
g
ab
aG
g
→
←
→
Alice Bob Agreed key:
bG
abG←
42
Alice and Bob wish to agree on a key. 1. Alice and Bob agree on an elliptic curve ( )
and a point on the curve of large p
secret
rime order
Elliptic Curve Diffie-Hellman key agreement
pE FG
•
. 2. Alice Bob: , where .
3. Alice Bob: , where b .
4. They agree on the key , which is a point on ( ).
They can now use ( ), the -coordinate of , as a secret
u q
u q
p
qaG a ZbG Z
E F
x abG
G
x
a
abG
b
→ ←
← ←
•key for, for example, a symmetric encryption
scheme.