ELLIPTIC CURVES AND PUBLIC KEY CRYPTOGRAPHY

1. INTRODUCTION TO PKC AND EC

Adolfo Quirós (Gracián), [email protected]

Universidad Autónoma de Madrid

3rd VDS Summer School, Techendorf am Weißensee, 17/09/2018


PLAN FOR THE WEEK

Lecture 1: Introduction to Public Key Cryptography (Discrete Logarithm Problem); introduction to Elliptic Curves.

Lecture 2: The Discrete Logarithm Problem in Elliptic Curve Cryptography.

Discussion / Problems session 1: A discrete matrix group calculation; Projective Plane; Riemann-Roch Theorem; application to Elliptic Curves.

Lecture 3: Isogenies and Cryptography (Postquantum Cryptography).

Discussion / Problems session 2: Calculations; Hasse-Weil Zeta-function and the Riemann Hypothesis (do cryptographers care?).


THE BASIC PROBLEM

A(lice) wants to communicate a message m to B(ob), but she does not want E(ve) to know what it says.

Of course, if A can "whisper in B's ear", there is no problem.

Difficulties arise when the message must be transmitted through an insecure channel which is accessible to E.

Access can be (relatively) hard [intercept a messenger or a telegraph/telephone land line], but sometimes it is trivial [intercept a radio or mobile phone transmission].


APPLICATIONS

Historically: military and diplomatic. Few people involved. E = SPY.

Eventually, even these kinds of communications involved massive exchanges of information [World War II].

XXI century: all kinds of electronic communications:

Bank/financial transactions. E-mail. Internet shopping. Mobile phones.

New applications in identification problems: Which mobile phone is it? Electronic signature.

WE CAN:

1 Try to hide that the message exists.

2 Make the message unreadable even if it is intercepted: Cryptography.


CAESAR [SUBSTITUTION] CRYPTOSYSTEM

Suetonius, De Vita Caesarum, Book I [Julius Caesar]

LVI. [. . . ] If he had anything confidential to say, he wrote it in cypher, that is, by so changing the order of the letters of the alphabet that not a word could be made out. If anyone wishes to decypher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, by A, and so with the others.

Using a (standard) 26-letter alphabet, every letter is moved three places forward to encipher and three places back to decipher:

Cypher:   M A X I M U S  ->  P D A L P X V

Decipher: C H Q R  ->  Z E N O


LET’S FORMALISE CRYPTOGRAPHY

1 There are two sets of messages [message units]:

M = {Clear messages (what we want to say)}
C = {Cypher messages (what we actually transmit)}

2 As in the example, messages are written in an alphabet A = finite set of symbols.

Alphabets for M and C may or may not coincide.

Examples:
A = {A, B, . . . , Z}
A = {A, B, . . . , Z, ., :, ?, [space], 1, 2, 3, . . . , 9, 0}
A = ASCII code
A = {0, 1}


LET’S FORMALISE CRYPTOGRAPHY (2)

3 Cypher/Encrypt function:

$f : M \to C$, INJECTIVE

The corresponding decypher/decrypt function is

$f^{-1} : C \to M$ [defined on the image $f(M) \subseteq C$; injectivity is what makes it well defined]

4 A(lice) must know $f$ and B(ob) must know $f^{-1}$.

When A wants to communicate a message $m \in M$ to B, she calculates $f(m) = c$ and sends this $c$ to B.

B can calculate $f^{-1}(c) = m$ and read the message.

5 Breaking the cypher = someone other than B knows $f^{-1}$.


LET’S FORMALISE CRYPTOGRAPHY (3)

Can we use more than one cypher function?

6 Cryptosystem. Collection of cypher functions:

$f_e : M_e \to C_e$

where $e \in E = \{\text{encryption keys}\}$.

The decypher functions, $(f_e)^{-1}$, depend then on

$d \in D = \{\text{decryption keys}\}$.

Of course $d = d(e)$.

The difference between "symmetric key" and "public key" is how easy/hard the procedure to find $d$ from $e$ is.


FORMALISATION OF CAESAR CRYPTOSYSTEM

$A = \{A, B, C, \dots, X, Y, Z\} \to \{0, 1, \dots, 25\} \to \mathbb{Z}/26$

We can use modular arithmetic mod 26:

$M = C = E = D = A = (\mathbb{Z}/26, +)$

As keys: A = +0, B = +1, . . . , Z = +25 = −1.

$f_e : M \to C$, $f_e(m) = m + e$.

$(f_e)^{-1} = f_{-e}$, that is, $d = -e$.

Caesar is a very weak cryptosystem because:
there are very few keys (26, one of which is the identity), so all of them can simply be tried;
since message units are just single letters, it is easy to do frequency analysis.

We should use cryptosystems where message units are not single letters.
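Both weaknesses can be seen in a few lines. The following is an added example (Python written for these notes, not code from the lecture): it implements $f_e(m) = m + e$ on $\mathbb{Z}/26$, then breaks a ciphertext by trying all 26 keys and keeping the one whose decryption is closest to English letter frequencies. The frequency table is the usual published one and the sample plaintext is a constructed input; both are assumptions of the example, not part of the lecture.

```python
"""Caesar cipher on (Z/26, +) and why it is weak: the key space can be
exhausted and single-letter message units leak letter frequencies.
Added example; not code from the original lecture notes."""

import string

ALPHABET = string.ascii_uppercase  # A..Z  <->  0..25

# Approximate relative frequencies of letters in English text (percent).
# Standard published table, used only to score candidate decryptions.
ENGLISH_FREQ = {
    "A": 8.17, "B": 1.49, "C": 2.78, "D": 4.25, "E": 12.70, "F": 2.23,
    "G": 2.02, "H": 6.09, "I": 6.97, "J": 0.15, "K": 0.77, "L": 4.03,
    "M": 2.41, "N": 6.75, "O": 7.51, "P": 1.93, "Q": 0.10, "R": 5.99,
    "S": 6.33, "T": 9.06, "U": 2.76, "V": 0.98, "W": 2.36, "X": 0.15,
    "Y": 1.97, "Z": 0.07,
}


def encrypt(plaintext: str, e: int) -> str:
    """f_e(m) = m + e mod 26, applied letter by letter (non-letters dropped)."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + e) % 26]
                   for ch in plaintext.upper() if ch in ALPHABET)


def decrypt(ciphertext: str, e: int) -> str:
    """The inverse is f_{-e}: the decryption key is d = -e."""
    return encrypt(ciphertext, -e)


def chi_squared(text: str) -> float:
    """How far the letter counts of `text` are from English letter counts.
    Lower is more English-like."""
    n = len(text)
    score = 0.0
    for letter, pct in ENGLISH_FREQ.items():
        expected = n * pct / 100.0
        observed = text.count(letter)
        score += (observed - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> int:
    """Exhaust all 26 keys (few keys) and pick the one whose decryption looks
    most like English (frequency analysis). Returns the recovered key e."""
    return min(range(26), key=lambda e: chi_squared(decrypt(ciphertext, e)))


# Constructed sample plaintext (a well-known English sentence), used as input.
SAMPLE = ("IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES IT WAS THE AGE "
          "OF WISDOM IT WAS THE AGE OF FOOLISHNESS IT WAS THE EPOCH OF BELIEF "
          "IT WAS THE EPOCH OF INCREDULITY")


if __name__ == "__main__":
    c = encrypt(SAMPLE, 3)          # Caesar's own key: shift by three
    print(c)
    e = break_caesar(c)             # Eve does not know the key...
    print("recovered key:", e, "->", decrypt(c, e)[:40])
```

The attack needs nothing but the ciphertext: with 26 candidates, scoring each decryption against letter frequencies is enough, which is exactly why message units must be larger than a single letter.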


AN EXAMPLE WITH VECTORS AND MATRICES

Alphabet, as before: $A = \{A, B, C, \dots, X, Y, Z\} \to \mathbb{Z}/26$. Messages: pairs of letters = dimension 2 vectors.

$M = C = (\mathbb{Z}/26)^2$

$\begin{pmatrix} A \\ D \end{pmatrix} = \begin{pmatrix} 0 \\ 3 \end{pmatrix}, \qquad \begin{pmatrix} O \\ L \end{pmatrix} = \begin{pmatrix} 14 \\ 11 \end{pmatrix}, \qquad \begin{pmatrix} F \\ O \end{pmatrix} = \begin{pmatrix} 5 \\ 14 \end{pmatrix}.$

Keys: $2 \times 2$ matrices modulo 26.

$f\begin{pmatrix} O \\ L \end{pmatrix} = \begin{pmatrix} 2 & 5 \\ 1 & 8 \end{pmatrix} \begin{pmatrix} 14 \\ 11 \end{pmatrix} = \begin{pmatrix} 83 \\ 102 \end{pmatrix} \equiv \begin{pmatrix} 5 \\ 24 \end{pmatrix} = \begin{pmatrix} F \\ Y \end{pmatrix}, \qquad f\begin{pmatrix} F \\ O \end{pmatrix} = \begin{pmatrix} 2 & 5 \\ 1 & 8 \end{pmatrix} \begin{pmatrix} 5 \\ 14 \end{pmatrix} = \begin{pmatrix} 80 \\ 117 \end{pmatrix} \equiv \begin{pmatrix} 2 \\ 13 \end{pmatrix} = \begin{pmatrix} C \\ N \end{pmatrix}.$

The inverse function is multiplication by $A^{-1} \bmod 26$:

$E = D = GL_2(\mathbb{Z}/26) := \{A \in \mathrm{Mat}_{2 \times 2}(\mathbb{Z}/26) : A \text{ has an inverse}\}$


A MACHINE TO DO LINEAR ALGEBRA

Mechanical device that multiplies a matrix $A \in GL_6(\mathbb{Z}/26)$ and a vector $X \in (\mathbb{Z}/26)^6$. Patented by Lester S. Hill and Louis Weisner in 1929 (U.S. Patent 1,845,947).

Hill cryptosystem: we divide the text into blocks of 6 letters, and each resulting clear message unit $X \in (\mathbb{Z}/26)^6$ is encrypted using the machine as the unique $C \in (\mathbb{Z}/26)^6$ defined by

$AX = C.$

Each $C$ is written as a block of 6 letters, all these blocks are joined, and the resulting cypher text is transmitted.


HOW MANY DIFFERENT MACHINES COULD HILL AND WEISNER MANUFACTURE?

Each machine used a single matrix $A$ [which made them a lot less useful!].

How many elements are there in $GL_6(\mathbb{Z}/26)$?

There are $26^{36}$ matrices $A \in \mathrm{Mat}_{6 \times 6}(\mathbb{Z}/26)$: how many have an inverse?

It is not enough that $\det(A) \neq 0$. Linear algebra is easier over a field, but $\mathbb{Z}/26$ is NOT a field.

$A$ has an inverse $\iff \gcd(\det(A), 26) = 1$.

Chinese Remainder Theorem (36 times, once per entry: $\mathbb{Z}/26 \cong \mathbb{Z}/2 \times \mathbb{Z}/13$) + linear algebra over the fields $\mathbb{Z}/2$ and $\mathbb{Z}/13$, where $|GL_n(\mathbb{F}_q)| = \prod_{i=0}^{n-1} (q^n - q^i)$ [the $i$-th row may be any vector outside the span of the previous $i$ rows]:

$|GL_6(\mathbb{Z}/26)| = |GL_6(\mathbb{Z}/2)| \cdot |GL_6(\mathbb{Z}/13)| = 233813562465700543438777563435557819277317976883200$

(51 digits).
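To make the invertibility condition and the count concrete, here is an added example in Python (written for these notes; it is neither the lecture's code nor Hill's machine). It encrypts and decrypts with the $2 \times 2$ key of the earlier example, refuses a key whose determinant shares a factor with 26, and counts $|GL_6(\mathbb{Z}/26)|$ as $|GL_6(\mathbb{F}_2)| \cdot |GL_6(\mathbb{F}_{13})|$ using $|GL_n(\mathbb{F}_q)| = \prod_{i=0}^{n-1}(q^n - q^i)$. Padding a short final block with X is a convention of this example, and the inverse routine is written for $2 \times 2$ keys only.

```python
"""Hill cipher on (Z/26)^n: encryption is multiplication by a matrix A,
decryption by A^{-1} mod 26, which exists iff gcd(det A, 26) = 1.
Added example; not code from the original lecture notes."""

from math import gcd
import string

ALPHABET = string.ascii_uppercase

Matrix = list[list[int]]
Vector = list[int]


def mat_vec(A: Matrix, x: Vector, m: int = 26) -> Vector:
    """A . x mod m."""
    return [sum(a * b for a, b in zip(row, x)) % m for row in A]


def det2(A: Matrix) -> int:
    return A[0][0] * A[1][1] - A[0][1] * A[1][0]


def inverse2(A: Matrix, m: int = 26) -> Matrix:
    """Inverse of a 2x2 matrix mod m via the adjugate. Raises ValueError when
    det(A) is not a unit mod m, i.e. when A is not a valid Hill key."""
    d = det2(A) % m
    if gcd(d, m) != 1:
        raise ValueError(f"det = {d} is not invertible mod {m}")
    d_inv = pow(d, -1, m)
    a, b = A[0]
    c, e = A[1]
    return [[(e * d_inv) % m, (-b * d_inv) % m],
            [(-c * d_inv) % m, (a * d_inv) % m]]


def to_numbers(text: str) -> Vector:
    return [ALPHABET.index(ch) for ch in text.upper() if ch in ALPHABET]


def to_letters(nums: Vector) -> str:
    return "".join(ALPHABET[v] for v in nums)


def hill_encrypt(plaintext: str, A: Matrix) -> str:
    """Split into blocks of len(A) letters (padding the last one with X,
    a convention of this example) and apply A to every block."""
    n = len(A)
    nums = to_numbers(plaintext)
    nums += [ALPHABET.index("X")] * (-len(nums) % n)
    out: Vector = []
    for i in range(0, len(nums), n):
        out += mat_vec(A, nums[i:i + n])
    return to_letters(out)


def hill_decrypt(ciphertext: str, A: Matrix) -> str:
    """Multiply every block by A^{-1} (2x2 keys only, see inverse2)."""
    return hill_encrypt(ciphertext, inverse2(A))


def gl_order(n: int, q: int) -> int:
    """|GL_n(F_q)| = prod_{i<n} (q^n - q^i): row i may be any vector outside
    the span of the previous i rows."""
    r = 1
    for i in range(n):
        r *= q ** n - q ** i
    return r


def hill_key_count(n: int) -> int:
    """|GL_n(Z/26)| = |GL_n(Z/2)| * |GL_n(Z/13)| by the Chinese Remainder
    Theorem applied entry by entry."""
    return gl_order(n, 2) * gl_order(n, 13)


if __name__ == "__main__":
    A = [[2, 5], [1, 8]]              # the key of the lecture's 2x2 example
    print(hill_encrypt("OLFO", A))    # FYCN
    print(hill_decrypt("FYCN", A))    # OLFO
    print(hill_key_count(6))          # the 51-digit number
```

The key count for $n = 6$ is astronomically large, yet that is not what protects the scheme: the cipher is linear, so the size of $GL_6(\mathbb{Z}/26)$ only says how many machines could be built, not how hard a single one is to break.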


LOTS OF PROGRESS OVER TIME

Enigma machine.

DES (Data EncryptionStandard, 1976)

AES (Advanced EncryptionStandard, 2002)

One-time pad (perfectsecurity!)


ALL OF THESE CRYPTOSYSTEMS SHARE A PROPERTY

If e = encryption key is known, it is easy to find d = decryption key.

They are known as symmetric key cryptosystems.

CONSEQUENCES

Each pair of users must use a different e [n users need n(n − 1)/2 keys].
If a new user wants to join, she first has to exchange keys, through a secure channel, with all other users.

These are not big problems for a ring of spies, but they are for e-mail users / taxpayers / eBay / Amazon / . . .


SOLUTION: USE ONE-WAY [TRAPDOOR] FUNCTIONS

Injective functions $f : M \to C$ such that, even if one knows $f$, it is in practice impossible to find $f^{-1}$ unless one has additional information [= the trapdoor].

In other words:

Knowing $e$ = encryption key is not enough (without access to the trapdoor) to know $d$ = decryption key.


EASY / HARD CALCULATIONS

Given a datum $n \in \mathbb{Z}$, its size is the number of digits of $n$:

$\log_{10} n \sim \log_2 n \sim \log n.$

A procedure (that we apply to $n$) is

easy if running it takes polynomial time: $O((\log n)^k)$;

hard if running it takes exponential time: $O(e^{c \log n}) = O(n^c)$;

less hard if running it takes sub-exponential time, for example: $O\!\left(e^{c (\log n)^{1/3} (\log \log n)^{2/3}}\right)$ [the running time of the number field sieve, the best known algorithm both for factoring and for the discrete logarithm in $\mathbb{F}_p^*$].

NOTATION

$f, g : \mathbb{Z}_{>0} \to \mathbb{R}_{>0}$. We write $f = O(g)$ if there exist constants $B, C$ such that $f(n) \leq C \cdot g(n)$ for all $n \geq B$.


PUBLIC KEY CRYPTOGRAPHY

1 If we have a cryptosystem that uses one-way functions to encrypt, then each user A, B, C, . . . chooses an encryption key $e_A, e_B, e_C, \dots$ and publishes it [in some sort of "Key Book", or on the user's web page], while keeping secret the decryption keys $d_A, d_B, d_C, \dots$.

2 When B(ob) wants to send a message $m$ to A(lice), he finds $e_A$ in the Key Book, and therefore knows $f_A$, the PUBLIC function that EVERYBODY uses to encrypt messages sent to Alice. In particular, Bob will transmit

$c = f_A(m).$

3 Then Alice, AND ONLY SHE, knows $d_A$. Hence Alice, AND ONLY SHE, can compute $f_A^{-1}$, and therefore read

$f_A^{-1}(c) = f_A^{-1}(f_A(m)) = m.$


CONSEQUENCES

Now we only need a pair of keys $(e, d)$ [= (public, private)] for each user.

If a new user wants to join, it is enough to publish his / her public key $e$ in the "Key Book". No need to get in touch with other users beforehand! [What the Key Book must guarantee is that the key listed under Alice's name really is Alice's: whoever can substitute an entry can read the messages meant for her.]


SOME APPLICATIONS

Using public key cryptography to encrypt messages is expensive. But it can be used, and in fact is used, for other purposes.

1 To create a virtual secure channel to exchange classic symmetric keys [PGP, mobile phone]: if $k$ is the symmetric key, we can send $f_A(k)$ to A(lice).

2 User authentication [mobile phone]: if I send $f_A(\text{challenge})$ to A(lice) and she returns $\text{challenge}$, I may assume A is Alice (nobody else knows $f_A^{-1}$).

3 Digital signatures: only A can sign a message using $f_A^{-1}(\text{message digest})$. Everybody can check the signature (everybody knows $f_A$).

All of this is great, provided one-way functions exist and areeasy to use!


THE RSA CRYPTOSYSTEM [R. RIVEST, A. SHAMIR, L. ADLEMAN, 1977]

[Photographs: SRA (1977) – RSA (2003)]

What is the idea behind RSA?

Finding large primes $p, q$ ($\sim 300$ digits $\sim 1024$ bits) is easy.

However, even knowing that $n = pq$ ($\sim 600$ digits), finding its factors is, in practice, impossible.

Number of particles in the Universe: $10^{72}$ – $10^{87}$.


ANOTHER ONE-WAY FUNCTION: THE DISCRETE LOGARITHM PROBLEM

(Not hard to prove) Given a prime $p$, the set

$\mathbb{F}_p^* := \mathbb{Z}/p \setminus \{0\} = \{1, 2, \dots, p-1\}$

is a cyclic (multiplicative) group, that is, there exists $g \in \mathbb{F}_p^*$ such that

$\mathbb{F}_p^* = \{g, g^2, g^3, \dots, g^{p-1}\}.$

[Remark: Fermat's Little Theorem $\Rightarrow g^{p-1} = 1 \bmod p$.]

Given an integer $x$, finding $g^x \bmod p$ is easy.

By contrast, for large $p$, given $y \in \mathbb{F}_p^*$, finding $x$ such that $g^x = y \bmod p$ is, in practice, impossible.

Finding $x$ from $y$ is the Discrete Logarithm Problem [DLP].


GRAPH OF $g^x \bmod p$ FOR $p = 1231$, $g = 3$ [figure not reproduced in the transcript]


GRAPH OF $g^x \bmod p$ FOR $p = 11113$, $g = 13$ [figure not reproduced in the transcript]


FIRST APPEARANCE OF THE DISCRETE LOGARITHM PROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA]

[Facsimile of the first page of the paper, reproduced on the slide:]

644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976

New Directions in Cryptography. Invited Paper

WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE

Abstract. Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.

I. INTRODUCTION

WE STAND TODAY on the brink of a revolution in cryptography. The development of cheap digital hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.

The development of computer controlled communication networks promises effortless and inexpensive contact between people or computers on opposite sides of the world, replacing most mail and many excursions with telecommunications. For many applications these contacts must be made secure against both eavesdropping and the injection of illegitimate messages. At present, however, the solution of security problems lags well behind other areas of communications technology. Contemporary cryptography is unable to meet the requirements, in that its use would impose such severe inconveniences on the system users, as to eliminate many of the benefits of teleprocessing.

Manuscript received June 3, 1976. This work was partially supported by the National Science Foundation under NSF Grant ENG 10173. Portions of this work were presented at the IEEE Information Theory Workshop, Lenox, MA, June 23-25, 1975 and the IEEE International Symposium on Information Theory in Ronneby, Sweden, June 21-24, 1976.

W. Diffie is with the Department of Electrical Engineering, Stanford University, Stanford, CA, and the Stanford Artificial Intelligence Laboratory, Stanford, CA 94305.

M. E. Hellman is with the Department of Electrical Engineering, Stanford University, Stanford, CA 94305.

The best known cryptographic problem is that of privacy: preventing the unauthorized extraction of information from communications over an insecure channel. In order to use cryptography to insure privacy, however, it is currently necessary for the communicating parties to share a key which is known to no one else. This is done by sending the key in advance over some secure channel such as private courier or registered mail. A private conversation between two people with no prior acquaintance is a common occurrence in business, however, and it is unrealistic to expect initial business contacts to be postponed long enough for keys to be transmitted by some physical means. The cost and delay imposed by this key distribution problem is a major barrier to the transfer of business communications to large teleprocessing networks.

Section III proposes two approaches to transmitting keying information over public (i.e., insecure) channels without compromising the security of the system. In a public key cryptosystem enciphering and deciphering are governed by distinct keys, E and D, such that computing D from E is computationally infeasible (e.g., requiring $10^{100}$ instructions). The enciphering key E can thus be publicly disclosed without compromising the deciphering key D. Each user of the network can, therefore, place his enciphering key in a public directory. This enables any user of the system to send a message to any other user enciphered in such a way that only the intended receiver is able to decipher it. As such, a public key cryptosystem is a multiple access cipher. A private conversation can therefore be held between any two individuals regardless of whether they have ever communicated before. Each one sends messages to the other enciphered in the receiver's public enciphering key and deciphers the messages he receives using his own secret deciphering key.

We propose some techniques for developing public key cryptosystems, but the problem is still largely open.

Public key distribution systems offer a different approach to eliminating the need for a secure key distribution channel. In such a system, two users who wish to exchange a key communicate back and forth until they arrive at a key in common. A third party eavesdropping on this exchange must find it computationally infeasible to compute the key from the information overheard. A possible solution to the public key distribution problem is given in Section III, and Merkle [1] has a partial solution of a different form.

A second problem, amenable to cryptographic solution, which stands in the way of replacing contemporary busi- [. . . ]


DIFFIE-HELLMAN KEY EXCHANGE

A and B must agree on an integer $k$ [for example, a key for a symmetric cryptosystem].

They choose (or somebody provides) in advance a large prime $p$ (such that we will have $0 < k < p$) and a generator $g$ of $\mathbb{F}_p^*$. Neither $p$ nor $g$ needs to be kept secret.

A chooses (secretly! [and at random]) an integer $a$, and sends $g^a \bmod p$ to B.

B chooses (secretly! [and at random]) an integer $b$, and sends $g^b \bmod p$ to A.

Without knowing $b$, A can calculate $(g^b)^a \bmod p$.

Without knowing $a$, B can calculate $(g^a)^b \bmod p$.

A and B may use $k = (g^b)^a = (g^a)^b = g^{ab} \bmod p$ as a key.

E can intercept $g^a$ and $g^b$, but cannot calculate $k$ without solving a Discrete Logarithm Problem! [More precisely, a Diffie-Hellman Problem: given $g^a$ and $g^b$, find $g^{ab}$.]

[This protects against an E who only listens. An E who can also replace the transmitted values runs one exchange with A and another with B, and then reads everything; the values $g^a$, $g^b$ have to be authenticated somehow.]


A (RIDICULOUSLY SMALL) DIFFIE-HELLMAN EXAMPLE

Powers of $g = 5$ modulo $p = 23$:

  x  :  1   2   3   4   5   6   7   8   9  10  11
 5^x :  5   2  10   4  20   8  17  16  11   9  22

  x  : 12  13  14  15  16  17  18  19  20  21  22
 5^x : 18  21  13  19   3  15   6   7  12  14   1

Consider the prime $p = 23$.

Check that $g = 5$ generates $\mathbb{F}_{23}^*$ [the table lists every one of the 22 nonzero residues; the first power equal to 1 is $5^{22}$].

A chooses as exponent $a = 9$.

A sends $5^9 = 11$.

B chooses as exponent $b = 16$.

B sends $5^{16} = 3$.

The common key is

$k = 3^9 = 11^{16} = 5^{9 \times 16} = 5^{144} = 5^{12} = 18 \bmod 23$

[$5^{144} = 5^{12}$ because $144 = 6 \cdot 22 + 12$ and $5^{22} = 1$].
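The exchange on this slide, run in code, together with the attack that such a small $p$ invites. This is an added example (Python written for these notes, not the lecture's code): it checks that $g$ generates $\mathbb{F}_p^*$ by testing $g^{(p-1)/q} \neq 1$ for each prime $q \mid p-1$, computes both sides of the exchange with the slide's $a = 9$, $b = 16$, and then lets Eve recover $a$ from $g^a$ by exhaustive search over all exponents. The `eavesdrop` function and the trial-division factoring are conventions of this example.

```python
"""Diffie-Hellman over F_p^* with the lecture's toy parameters (p = 23,
g = 5, a = 9, b = 16), plus the attack that a tiny p invites: Eve solves the
discrete logarithm by exhaustive search. Added example; not code from the
original lecture notes."""

from typing import Optional


def prime_factors(n: int) -> set[int]:
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    out, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            out.add(d)
            n //= d
        d += 1
    if n > 1:
        out.add(n)
    return out


def is_generator(g: int, p: int) -> bool:
    """g generates F_p^* iff g^((p-1)/q) != 1 for every prime q | p-1,
    i.e. the order of g is exactly p-1 and not a proper divisor of it."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def power_table(g: int, p: int) -> dict[int, int]:
    """{x: g^x mod p} for x = 1..p-1 (the table on the slide)."""
    return {x: pow(g, x, p) for x in range(1, p)}


def dh_public(g: int, secret: int, p: int) -> int:
    """What a party transmits: g^secret mod p (easy: square-and-multiply)."""
    return pow(g, secret, p)


def dh_shared(received: int, secret: int, p: int) -> int:
    """What a party computes from the other side's value: received^secret."""
    return pow(received, secret, p)


def brute_force_dlog(g: int, y: int, p: int) -> Optional[int]:
    """Eve's attack: find x with g^x = y mod p by trying every exponent.
    Costs O(p) multiplications: instant here, hopeless for a 2048-bit p."""
    acc = 1
    for x in range(1, p):
        acc = acc * g % p
        if acc == y:
            return x
    return None


def eavesdrop(g: int, p: int, ga: int, gb: int) -> int:
    """Eve sees only g^a and g^b; once a is recovered she computes (g^b)^a."""
    a = brute_force_dlog(g, ga, p)
    assert a is not None
    return dh_shared(gb, a, p)


if __name__ == "__main__":
    p, g = 23, 5
    assert is_generator(g, p)
    a, b = 9, 16                                       # secret exponents of A and B
    ga, gb = dh_public(g, a, p), dh_public(g, b, p)   # 11 and 3 go on the wire
    kA, kB = dh_shared(gb, a, p), dh_shared(ga, b, p)
    print("A sends", ga, "B sends", gb, "shared key", kA, kB)   # 11 3 18 18
    print("Eve recovers", eavesdrop(g, p, ga, gb))               # 18
```

The same `pow` calls work unchanged for a 2048-bit prime; only `brute_force_dlog` stops being feasible, which is the whole point of choosing a large $p$.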


IF WE CAN TRANSMIT KEYS, COULDN'T WE TRANSMIT MESSAGES?

Based on the Discrete Logarithm Problem, Taher Elgamal proposed in 1984:

A cryptosystem.

A digital signature scheme.

[He also worked at Netscape, where he developed the SSL (Secure Sockets Layer) protocol.]


ELGAMAL CRYPTOSYSTEM [SLIGHTLY SIMPLIFIED]

Messages are integers $1 \leq M \leq k$. A large prime $p > k$ and a generator $g$ of $\mathbb{F}_p^*$ are made public.

A [and all other users] chooses [at random] a positive integer $d$ ($\leq p-1$), its private key.

A makes public $e = g^d \bmod p$, its public key.

If B wants to send a message $M$ to A:

B chooses [at random] an integer $r$ [fresh for every message].
Sends to A: $c = (g^r, e^r M) = (c_1, c_2)$.

A receives $c$. To decrypt it, A calculates

$\dfrac{c_2}{c_1^{\,d}} = \dfrac{e^r M}{g^{rd}} = \dfrac{e^r M}{e^r} = M.$

If you are not A, to do this you must be able to calculate $g^{rd}$ from $g^d$ and $g^r$, that is, you must solve a Diffie-Hellman Problem.
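The scheme on this slide in code, as an added example (Python written for these notes, not the lecture's code). Besides key generation, encryption and the decryption $c_2 / c_1^{\,d}$, it shows two consequences of the formula $c_2 = e^r M$ that matter before using the "slightly simplified" scheme: if the same $r$ is used twice, the ratio of the two messages leaks without the private key, and anyone can turn a ciphertext of $M$ into one of $tM$. The prime $p = 467$ with generator $g = 2$ is a constructed toy parameter, and exposing $r$ as an optional argument exists only to force its reuse in the demonstration.

```python
"""Textbook ElGamal over F_p^* as on the slide: key pair (d, e = g^d),
ciphertext (g^r, e^r * M), decryption c2 / c1^d. Also shows two properties of
the scheme as written: a reused r leaks the ratio of two messages, and anyone
can multiply the hidden message by a chosen factor. Added example; not code
from the original lecture notes. The prime and the exponents below are
constructed for the demonstration."""

import secrets
from typing import Optional, Tuple

# Toy public parameters: 467 is prime and 2 generates F_467^*
# (p - 1 = 2 * 233; 467 = 3 mod 8, so 2 is a non-residue and 2^233 = -1).
P, G = 467, 2


def keygen(p: int = P, g: int = G) -> Tuple[int, int]:
    """Private d in [1, p-2], public e = g^d mod p."""
    d = 1 + secrets.randbelow(p - 2)
    return d, pow(g, d, p)


def encrypt(M: int, e: int, r: Optional[int] = None,
            p: int = P, g: int = G) -> Tuple[int, int]:
    """c = (g^r, e^r * M). r must be fresh and secret; it is a parameter only
    so the reuse demonstration can force the same r twice."""
    if not 1 <= M < p:
        raise ValueError("message must satisfy 1 <= M < p")
    if r is None:
        r = 1 + secrets.randbelow(p - 2)
    return pow(g, r, p), pow(e, r, p) * M % p


def decrypt(c: Tuple[int, int], d: int, p: int = P) -> int:
    """M = c2 / c1^d = c2 * (c1^d)^{-1} mod p."""
    c1, c2 = c
    return c2 * pow(pow(c1, d, p), -1, p) % p


def ratio_from_reused_r(c_a: Tuple[int, int], c_b: Tuple[int, int],
                        p: int = P) -> int:
    """If two ciphertexts share c1 (same r), then c2_a / c2_b = M_a / M_b:
    the mask e^r cancels and d is never needed."""
    assert c_a[0] == c_b[0], "the same r is what makes this work"
    return c_a[1] * pow(c_b[1], -1, p) % p


def scale_ciphertext(c: Tuple[int, int], t: int, p: int = P) -> Tuple[int, int]:
    """Malleability: (c1, t * c2) decrypts to t * M, with no key needed."""
    return c[0], c[1] * t % p


if __name__ == "__main__":
    d, e = keygen()
    c = encrypt(42, e)
    print(decrypt(c, d))                          # 42
    print(decrypt(scale_ciphertext(c, 10), d))    # 420
    c_a, c_b = encrypt(30, e, r=77), encrypt(5, e, r=77)
    print(ratio_from_reused_r(c_a, c_b))          # 30 / 5 = 6
```

Both observations follow directly from $c_2 = e^r M$ being a product: the mask $e^r$ is multiplicative, so it cancels between ciphertexts that share it and commutes with scaling. Practical schemes built on this idea add randomisation per message and an integrity check on the ciphertext.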


CAN WE WORK ON GROUPS OTHER THAN $\mathbb{F}_p^*$?

To set up Diffie-Hellman or Elgamal we need

A finite cyclic group $G = \langle g \rangle$ . . .

Examples:

Multiplicative group of any finite field: $(\mathbb{F}_q^*, \cdot)$, $q = p^r$.

Additive group of integers modulo $N$: $(\mathbb{Z}/N, +)$, any $N > 1$.

Aren't all cyclic groups $G = \langle g \rangle$ with $|G| = N$ isomorphic?

$\mathbb{Z}/N \xrightarrow{\ \sim\ } \langle g \rangle, \qquad x \longmapsto g^x$

Why choose one group and not another?


ISOMORPHIC GROUPS ARE NOT EQUAL FOR DLP

To set up Diffie-Hellman or Elgamal we need

A finite cyclic group $G = \langle g \rangle$ . . . where the Discrete Logarithm Problem is hard.

DLP = to make explicit the inverse isomorphism

$\langle g \rangle \xrightarrow{\ \sim\ } \mathbb{Z}/N$

This is not equally easy / hard for all groups.

For $\mathbb{F}_q^*$, it is about as hard as for $\mathbb{F}_p^*$ (of the same size).

For $\mathbb{Z}/N$, it is trivial: $(\mathbb{Z}/N, +) = \langle 1 \rangle$, $\log_1 a = a$; $(\mathbb{Z}/N, +) = \langle g \rangle$, $\log_g a = a/g \bmod N$ [$= a \cdot g^{-1} \bmod N$, with $g^{-1}$ from the extended Euclidean algorithm, since $\gcd(g, N) = 1$].

Are there cyclic groups where DLP is harder than in $\mathbb{F}_q^*$?

Enter Elliptic Curve Cryptography


WHAT ARE ELLIPTIC CURVES?

An ellipse is NOT an elliptic curve, but there is some relation [the arc length of an ellipse is given by an elliptic integral].

An elliptic curve $E$ is an algebraic, projective, smooth, genus 1 curve together with a point $O \in E$. $E$ is defined over the field $K$ if it is given by polynomials with coefficients in $K$ and $O$ has coordinates in $K$.

Thanks to the Riemann-Roch Theorem, we can give a more concrete definition.

Elliptic curve defined over a field $K$ ($\mathrm{char}(K) \neq 2, 3$): solutions (in the algebraic closure $\bar K$) of

$E : y^2 = x^3 + Ax + B, \quad A, B \in K, \quad \Delta = -16(4A^3 + 27B^2) \neq 0,$

together with $O$: a point "at infinity" contained in all vertical lines.


EXAMPLES OF ELLIPTIC CURVES (DRAWN IN $\mathbb{R}^2$)

[Four plots, not reproduced in the transcript:]

$y^2 = x^3 - x \qquad y^2 = x^3 + x \qquad y^2 = x^3 + x^2 \qquad y^2 = x^3$

The curve must be smooth. It cannot have crossings (nodes) [$y^2 = x^3 + x^2$ has a node at the origin], nor pinch points (cusps) [$y^2 = x^3$ has a cusp there]. It must have a (unique) tangent at each point.


AT HOW MANY POINTS DOES A LINE INTERSECT AN ELLIPTIC CURVE?

$E : y^2 = x^3 + Ax + B$, line $y = rx + s$; $(rx + s)^2 = x^3 + Ax + B$ has 3 roots, maybe multiple, maybe in the algebraic closure $\bar K$, but if we count correctly there are 3 points of intersection.

What if the line is vertical? $x = s$; $y^2 = s^3 + As + B$ has only 2 roots (maybe multiple, maybe in $\bar K$).

$E$ is a projective curve; it has points at infinity (not in the affine plane). In this case, there is a unique $O \in E$ at infinity, contained in all vertical lines.

All lines cut $E$ at 3 points (properly counted).

The line at infinity cuts $E$ at $O$ with multiplicity 3.


WE CAN ADD POINTS ON AN ELLIPTIC CURVE!

We may define geometrically a sum on $E$: the chords-and-tangents method.

$P, Q \in E \Rightarrow R (= PQ) \in E$ [the third point where the line through $P$ and $Q$ (the tangent, if $P = Q$) cuts $E$]

$PQ, O \in E \Rightarrow P + Q := (PQ)O \in E$ [the third point on the line through $PQ$ and $O$, i.e. the reflection of $PQ$ in the $x$-axis]

$(E, +)$ is an abelian group.

$P + Q = Q + P$ by construction.
Identity element $= O$.
$P = (x, y) \Rightarrow -P = (x, -y)$.
Associativity is the only hard property: formulas, geometry, Riemann-Roch / Picard group.


(DRAFT OF) GEOMETRIC PROOF OF ASSOCIATIVITY

CAYLEY-BACHARACH THEOREM

$C, C_1, C_2$ projective cubics.
$C \cap C_1 = \{P_1, P_2, \dots, P_7, P_8, A\}$.
$C \cap C_2 = \{P_1, P_2, \dots, P_7, P_8, B\}$.

Then $A = B$.


COROLLARY

$(P + Q)R = P(Q + R) \Rightarrow (P + Q) + R = P + (Q + R)$


K-RATIONAL POINTS

Suppose $E$ is defined over $K$, that is

$E : y^2 = x^3 + Ax + B, \quad A, B \in K.$

It makes sense to look for solutions in $K$:

When $K = \mathbb{Q}$ this solves diophantine problems.
The curve $E$ has infinitely many points in $\bar K$, but to do cryptography we would like to have a finite group.

Let $K$ be a field and $E$ be an elliptic curve defined over $K$.

The $K$-rational points of $E$ are

$E(K) = \{P \in E : P = (x, y),\ x, y \in K\} \cup \{O\}.$

Notice that we require (but in fact it follows from the projective equation) that $O \in E(K)$. In particular, $E(K) \neq \emptyset$.


K-RATIONAL POINTS ARE ALSO A (SUB-)GROUP

FUNDAMENTAL FACT

Assume:
$E$ is defined over $K$.
$P, Q \in E(K)$.
$r$ is the line joining $P$ and $Q$.
The three points where $r$ cuts $E$ are $P$, $Q$ and $R$.

Then also $R \in E(K)$.

Proof? [Hint: if $r$ is $y = \lambda x + \nu$ with $\lambda, \nu \in K$, substituting gives $x^3 - \lambda^2 x^2 + (A - 2\lambda\nu)x + (B - \nu^2) = 0$, whose three roots are $x_P, x_Q, x_R$; hence $x_R = \lambda^2 - x_P - x_Q \in K$ and $y_R = \lambda x_R + \nu \in K$.]

COROLLARY

$P, Q \in E(K) \Rightarrow P + Q \in E(K)$.
$E(K)$ ($\neq \emptyset$) is a subgroup of $E$.


LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45

Page 44: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45

Page 45: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45

Page 46: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45

Page 47: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45

Page 48: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

38 / 45

Page 49: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

8Q = 8(P + Q) =

38 / 45

Page 50: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

8Q = 8(P + Q) =

( 6897012211958668922875209739998784 ,

159969286818790737227291513459773175236858805437952 )

38 / 45

Page 51: ELLIPTIC C PUBLIC KEY CRYPTOGRAPHY 1. I PKC EC · ROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA] 644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976 New Directions

LET'S DO AN EXAMPLE

$E : y^2 = x^3 - 2x$, defined over $\mathbb{Q}$.

$P = (0, 0) \in E(\mathbb{Q})$

$Q = (-1, -1) \in E(\mathbb{Q})$

$P + Q = (2, -2)$

$2Q = \left(\frac{9}{4}, \frac{21}{8}\right)$

$2(P + Q) = \left(\frac{9}{4}, \frac{21}{8}\right)$ (the same point: $P$ has $y = 0$, so its tangent is vertical and $2P = O$)

$8Q = 8(P + Q) = \left(\frac{68970122119586689}{22875209739998784}, \frac{15996928681879073722729151}{3459773175236858805437952}\right) = (3.0150\ldots, 4.623\ldots)$


WHAT DOES THE GROUP $(E(K), +)$ LOOK LIKE?

It depends on $K$. Let's start with $K = \mathbb{C}$. $L = \mathbb{Z}\omega_1 \oplus \mathbb{Z}\omega_2 \subset \mathbb{C}$ a lattice.

Weierstrass $\wp$ function for $L$:

$$\wp(z) = \frac{1}{z^2} + \sum_{0 \neq \omega \in L} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right)$$

$$\wp(z) = \wp(z + \omega_1) = \wp(z + \omega_2)$$

$$g_2 = 60 \sum_{0 \neq \omega \in L} \omega^{-4}, \qquad g_3 = 140 \sum_{0 \neq \omega \in L} \omega^{-6}$$

$$(\wp'(z))^2 = 4\wp(z)^3 - g_2\,\wp(z) - g_3.$$

We get an isomorphism $\mathbb{C}/L \to \{y^2 = 4x^3 - g_2 x - g_3\}$, $z \mapsto (\wp(z), \wp'(z))$.

All $E/\mathbb{C}$ are like this.

$\mathbb{C}/L$ = (torus); genus 1.


OVER $\mathbb{R}$

Let $S^1$ be the circle group. There are two possibilities, according to whether $x^3 + Ax + B$ has one or three real roots:

$E(\mathbb{R}) \simeq S^1$ (one real component) or $E(\mathbb{R}) \simeq S^1 \times \mathbb{Z}/2$ (two real components).


OVER $\mathbb{Q}$

MORDELL(-WEIL) THEOREM, 1922

$E : y^2 = x^3 + Ax + B$, $A, B \in \mathbb{Z}$ (or $\in \mathbb{Q}$).

Then $E(\mathbb{Q})$ is a finitely generated abelian group:

$E(\mathbb{Q}) = \mathbb{Z}^r \oplus E(\mathbb{Q})_{\mathrm{tors}}$, $E(\mathbb{Q})_{\mathrm{tors}} :=$ (finite) torsion subgroup.

MAZUR, 1978

$E(\mathbb{Q})_{\mathrm{tors}} = \mathbb{Z}/n$ with $n = 1, \ldots, 10, 12$, or $\mathbb{Z}/2 \times \mathbb{Z}/n$ with $n = 2, 4, 6, 8$.

We know a lot less about $r$ = rank. Can it be arbitrarily large?

Elkies (2006), $r \geq 28$:

$y^2 + xy + y = x^3 - x^2 - 20067762415575526585033208209338542750930230312178956502\,x + 34481611795030556467032985690390720374855944359319180361266008296291939448732243429$

Bhargava-Shankar (2015): average rank $\leq 1.17$.


EXAMPLES OVER $\mathbb{Q}$

$E_{4,0} : y^2 = x^3 + 4x$, with $E_{4,0}(\mathbb{Q}) = \mathbb{Z}/4$.

$E_{0,6} : y^2 = x^3 + 6$, with $E_{0,6}(\mathbb{Q}) = \{O\}$.

$E_{-2,0} : y^2 = x^3 - 2x$, with $E_{-2,0}(\mathbb{Q}) = \mathbb{Z}/2 \oplus \mathbb{Z}$, generated by $P = (0, 0)$ and $Q = (-1, -1)$ (figure: the points $nQ$ and $P \pm nQ$ for $-25 \leq n \leq 25$).

SIEGEL, 1929. $E$ has only finitely many points with integer coordinates.

EXAMPLE: INTEGER POINTS ON $E_{-2,0}$

$\{(0,0), (-1,-1), (-1,1), (2,-2), (2,2), (338,-6214), (338,6214)\} = \{P, Q, -Q, P+Q, P-Q, P+3Q, P-3Q\}$
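The sums on the "Let's do an example" slide ($P + Q$, $2Q$, $2(P+Q)$, $8Q$) and the integer points $P \pm Q$, $P \pm 3Q$ listed above can all be reproduced with the chord-and-tangent construction in exact rational arithmetic. The Python below is an added example written for this page, not code from the lectures; the representation of points as pairs of `Fraction`s with `None` for $O$, and the names `add`, `mul`, `on_curve`, `is_integral`, are this example's own choices.

```python
from fractions import Fraction as F

# Added example for this page (not the lecturer's code): the chord-and-tangent
# group law on E : y^2 = x^3 + A x + B over Q, in exact rational arithmetic.
# A point is a pair (x, y) of Fractions; the point at infinity O is None.
# Names (add, mul, on_curve, is_integral) are this example's own choices.

A, B = F(-2), F(0)          # E_{-2,0} : y^2 = x^3 - 2x, the curve on the slides
O = None                    # the point at infinity, the identity of E(Q)

def on_curve(pt, a=A, b=B):
    """True if pt is O or satisfies y^2 = x^3 + a x + b."""
    if pt is O:
        return True
    x, y = pt
    return y * y == x**3 + a * x + b

def neg(pt):
    """-(x, y) = (x, -y): reflection in the x-axis."""
    return O if pt is O else (pt[0], -pt[1])

def add(p1, p2, a=A):
    """p1 + p2: draw the line through them (tangent if p1 == p2), take the
    third intersection with E, and reflect it in the x-axis."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and y1 == -y2:               # vertical line: p1 + (-p1) = O
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) / (2 * y1)   # tangent slope
    else:
        lam = (y2 - y1) / (x2 - x1)          # chord slope
    x3 = lam * lam - x1 - x2                 # Vieta: x1 + x2 + x3 = lam^2
    y3 = lam * (x1 - x3) - y1                # third point on the line, reflected
    return (x3, y3)

def mul(n, pt, a=A):
    """n * pt by double-and-add; negative n multiplies -pt."""
    if n < 0:
        return mul(-n, neg(pt), a)
    acc = O
    for bit in bin(n)[2:]:
        acc = add(acc, acc, a)
        if bit == "1":
            acc = add(acc, pt, a)
    return acc

def is_integral(pt):
    """True if pt is affine with integer coordinates (Siegel: finitely many)."""
    return pt is not O and pt[0].denominator == 1 and pt[1].denominator == 1

P = (F(0), F(0))     # 2-torsion: y = 0, so the tangent is vertical and 2P = O
Q = (F(-1), F(-1))   # a point of infinite order

if __name__ == "__main__":
    assert on_curve(P) and on_curve(Q)
    print("P + Q    =", add(P, Q))            # (2, -2)
    print("2Q       =", mul(2, Q))            # (9/4, 21/8)
    print("2(P + Q) =", mul(2, add(P, Q)))    # equals 2Q, because 2P = O
    print("2P       =", mul(2, P))            # None, i.e. O
    x8, y8 = mul(8, Q)
    print("8Q       =", (x8, y8), "~", (float(x8), float(y8)))
    # Siegel's theorem in action: only a few of the P + nQ are integral.
    for n in range(-3, 4):
        r = add(P, mul(n, Q))
        if is_integral(r):
            print("P + (%d)Q = %s" % (n, r))
```

Because `Fraction` never rounds, the coordinates of $8Q$ come out exactly as on the slide, with denominators $151245528^2$ and $151245528^3$; the fast growth of those denominators is the "height" that makes Mordell-Weil descent work, and it is also why the group law is only used over $\mathbb{Q}$ for theory, never for cryptography, where everything is reduced mod $p$.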


OVER $\mathbb{Z}/p$ ($= \mathbb{F}_p$, FINITE FIELDS)

If $p$ is prime and $A, B \in \mathbb{Z}$, we look for solutions to

$y^2 = x^3 + Ax + B \pmod p$.

If $p \nmid \Delta = -16(4A^3 + 27B^2)$, these (together with $O$) are an elliptic curve over $\mathbb{Z}/p$.

$E(\mathbb{Z}/p)$ is, for sure, finite (why?). In fact (why?):

$|E(\mathbb{Z}/p)| \leq p^2 + 1$.

For $p = 1231$ this bound is $1\,515\,362$, but

$|E_{0,6}(\mathbb{Z}/1231)| = 1183$, $|E_{-2,0}(\mathbb{Z}/1231)| = 1232$,

much closer to $p$ than to $p^2$.


EXAMPLES OVER $\mathbb{Z}/p$ ($p = 1231$)

$E_{0,6} : y^2 = x^3 + 6 \pmod{1231}$ and $E_{-2,0} : y^2 = x^3 - 2x \pmod{1231}$.

Over $\mathbb{Q}$: $E_{0,6}(\mathbb{Q}) = \{O\}$, $E_{-2,0}(\mathbb{Q}) = \mathbb{Z}/2 \oplus \mathbb{Z}$.

$|E_{0,6}(\mathbb{Z}/1231)| = 1183$, $|E_{-2,0}(\mathbb{Z}/1231)| = 1232$.

$E_{0,6}(\mathbb{Z}/1231) = \mathbb{Z}/1183$, $E_{-2,0}(\mathbb{Z}/1231) = \mathbb{Z}/2 \oplus \mathbb{Z}/616$.


HOW LARGE IS $E(\mathbb{Z}/p)$? ($E : y^2 = x^3 + Ax + B$)

$E(\mathbb{Z}/p)$ is obviously finite. In fact $|E(\mathbb{Z}/p)| \leq 2p + 1$: each of the $p$ values of $x$ gives at most two values of $y$, plus the point $O$.

Why in the examples $|E(\mathbb{Z}/p)| \sim p$?

How many squares in $\mathbb{Z}/p$? $\frac{p-1}{2} + 1 = \frac{p+1}{2}$.

Probability of $x^3 + Ax + B$, $x \in \mathbb{Z}/p$, being a square: $\sim \frac{1}{2}$.

For how many $x \in \mathbb{Z}/p$ does $y^2 = x^3 + Ax + B$ have solutions? $\sim \frac{p}{2}$.

How many points in $E$ come from each $x \in \mathbb{Z}/p$ with $y^2 = x^3 + Ax + B$ having a solution? 2.

Hence $|E(\mathbb{Z}/p)| \sim p$ $(+1)$.

There is a good bound for the error term in this estimate:

HASSE BOUND, 1934

$\bigl|\, |E(\mathbb{Z}/p)| - (p + 1) \,\bigr| \leq 2\sqrt{p}$
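The point counts for $p = 1231$, the $(p+1)/2$ count of squares, the trivial $2p + 1$ bound and the Hasse bound can all be checked by brute force. The Python below is an added example for this page, not the lecturer's code; the helper names (`legendre`, `square_count`, `count_points`, `two_torsion_count`, `hasse_ok`, `factor`) are this example's own choices. It counts points with Euler's criterion instead of enumerating $y$, and adds one check the slide does not make: the factorisation of the group order, which is what decides whether the discrete logarithm problem in $E(\mathbb{Z}/p)$ is actually hard.

```python
# Added example for this page (not the lecturer's code): brute-force point
# counting on E : y^2 = x^3 + A x + B over Z/p, the square-counting heuristic
# and the Hasse bound, for the slides' p = 1231 and curves E_{0,6}, E_{-2,0}.
# Helper names are this example's own choices.

def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime, by Euler's criterion:
    1 if a is a nonzero square mod p, -1 if a nonsquare, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def square_count(p):
    """How many elements of Z/p are squares (0 included): (p-1)/2 + 1 = (p+1)/2."""
    return len({x * x % p for x in range(p)})

def discriminant_ok(A, B, p):
    """Non-singular mod p iff p does not divide Delta = -16(4A^3 + 27B^2)."""
    return (-16 * (4 * A**3 + 27 * B**2)) % p != 0

def count_points(A, B, p):
    """|E(Z/p)| = 1 + sum over x of (1 + (x^3+Ax+B / p)): an x contributes 2
    points when the right-hand side is a nonzero square, 1 when it is 0 (the
    point (x, 0) of order 2), 0 when it is a nonsquare; the leading 1 is O."""
    if not discriminant_ok(A, B, p):
        raise ValueError("singular curve mod %d" % p)
    return 1 + sum(1 + legendre(x**3 + A * x + B, p) for x in range(p))

def two_torsion_count(A, B, p):
    """Affine points with y = 0, i.e. roots of x^3 + A x + B mod p.
    Three roots means Z/2 x Z/2 is a subgroup, so E(Z/p) is not cyclic."""
    return sum(1 for x in range(p) if (x**3 + A * x + B) % p == 0)

def hasse_ok(n, p):
    """Hasse: | n - (p+1) | <= 2 sqrt(p); squared to stay in integers."""
    return (n - (p + 1))**2 <= 4 * p

def factor(n):
    """Trial-division factorisation as [(prime, exponent), ...]."""
    out, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out

if __name__ == "__main__":
    p = 1231
    print("squares in Z/%d: %d = (p+1)/2" % (p, square_count(p)))
    print("trivial bound 2p+1 = %d, Hasse window p+1 +/- 2 sqrt(p) = %d +/- %.1f"
          % (2 * p + 1, p + 1, 2 * p**0.5))
    for A, B in [(0, 6), (-2, 0)]:
        n = count_points(A, B, p)
        print("E_{%d,%d}: |E(Z/%d)| = %d, Hasse ok: %s, 2-torsion points: %d, "
              "order factors: %s"
              % (A, B, p, n, hasse_ok(n, p), two_torsion_count(A, B, p), factor(n)))
```

Two things the output makes visible. For $E_{-2,0}$ the count is exactly $p + 1$: since $1231 \equiv 3 \pmod 4$, $-1$ is a nonsquare, so $x \mapsto -x$ swaps squares and nonsquares among the values of $x^3 - 2x$ and the Legendre sum cancels (the curve is supersingular); and $x^3 - 2x = x(x^2 - 2)$ has three roots mod 1231 (2 is a square because $1231 \equiv 7 \pmod 8$), giving full 2-torsion, which is why the slide's group is $\mathbb{Z}/2 \oplus \mathbb{Z}/616$ rather than $\mathbb{Z}/1232$. For the discrete logarithm problem the relevant fact is the factorisation: $1232 = 2^4 \cdot 7 \cdot 11$ and $1183 = 7 \cdot 13^2$ are smooth, so Pohlig-Hellman would solve logarithms in either group inside tiny subgroups; curves used in practice are chosen so that $|E(\mathbb{F}_p)|$ is prime or has a large prime factor, and checking that is the first thing to do with any curve you are handed.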
