## Elliptic Curves

### Introduction

Recently a topic in number theory and algebraic geometry, namely the theory of elliptic curves defined over finite fields, has found applications in cryptology. The basic reason for this is that elliptic curves over finite fields provide an inexhaustible supply of finite abelian groups which, even when large, are amenable to computation because of their rich structure. We have already worked extensively with the multiplicative groups of fields. In many ways elliptic curves are natural analogs of these groups; but they have the advantage that one has more flexibility in choosing an elliptic curve than in choosing a finite field.

We shall start by presenting the basic definitions and facts about elliptic curves. We shall include only the minimal amount of background necessary to understand the applications to cryptology.

In this section let K be a field. We will restrict ourselves to cases where K is R the field of reals, Q the field of rationals, C the field of complex numbers, or GF(q) a finite field of order q.

Def: An elliptic curve over K is the set of points (x,y,z) in the projective plane PG(2,K) which satisfy the equation:

$$y^2z + a_1xyz + a_3yz^2 = x^3 + a_2x^2z + a_4xz^2 + a_6z^3,$$

with the coefficients in K. When the cubic function of the right hand side has multiple roots, we say that the elliptic curve is degenerate. If z = 0, the above equation reduces to $0 = x^3$, so the point with projective coordinates (0,1,0) is on this curve and is the only point of the curve on the line z = 0 (recall that (0,0,0) does not represent a point in a projective geometry). To simplify the discussion, we will refer to the point (0,1,0) as O, the point at infinity, and use affine coordinates for the remaining points of the curve [the affine coordinates are obtained from the projective coordinates (x',y',z') by taking the representative (x,y,1) and dropping the last coordinate to obtain (x,y)]. So, in terms of affine coordinates, the points of the curve other than O satisfy:

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6.$$

If char K is not 2, then the substitution $y = Y - \tfrac{1}{2}(a_1x + a_3)$ reduces the equation to:

$$Y^2 = x^3 + ax^2 + bx + c. \qquad (1)$$

Furthermore, if char K is not 3, then the substitution $x = X - a/3$ further reduces the equation to:

$$Y^2 = X^3 + b'X + c'. \qquad (2)$$

If char K = 2, then we shall take as the "general form" of an elliptic curve the equation:

$$Y^2 + Y = X^3 + aX + b.$$

While not all elliptic curves over fields of characteristic 2 can be written in this form, we will only consider those that can be so written.

The fact that makes elliptic curves useful is that the points of the curve form an additive abelian group with O as the identity element. To see this most clearly, we consider the case that K = R, and the elliptic curve has an equation of the form given in (3). For a point P = (x,y) (not equal to O) on the curve, we define -P to be the point with coordinates (x,-y), which by (3) is also a point of the curve. Geometrically, recalling that the lines through O are the vertical lines, we see that -P is obtained as the third point of the curve on the line determined by P and O. If P and Q are two points of the curve, then let R be the third point of the curve on the line determined by P and Q (if the line is tangent at P, let R = P, and if it is tangent at Q, let R = Q). We then define the "sum" P + Q to be the point -R. If P and Q are the same point, then take, as the line determined by the two points, the tangent at P, and let R be the other point of the curve on this line (and in the case that P is a point of inflection, R = P). By defining -O = O, we see that O + P = P and P + (-P) = O, for all points P on the curve, so O acts as an identity element. There are several ways to prove that this definition of P + Q makes the points of the elliptic curve an abelian group. One can use a projective geometry argument, a complex analytic argument with doubly periodic functions, or an algebraic argument involving divisors on curves ... but we shall not prove this here.

To obtain a formula in terms of coordinates in this case, consider the general case of P and Q being distinct and not on the same vertical line. Let $P = (x_1,y_1)$, $Q = (x_2,y_2)$ and $P+Q = (x_3,y_3)$. The line through P and Q has an (affine) equation of the form $y = mx + k$, where $m = (y_2 - y_1)/(x_2 - x_1)$ and $k = y_1 - mx_1$. A point on this line with coordinates $(x, mx+k)$ lies on the curve given by (2) iff $(mx+k)^2 = x^3 + b'x + c'$. Thus, x must be a solution of $0 = x^3 - m^2x^2 + (b' - 2mk)x + c' - k^2$. Since a cubic equation over the reals must have 1 or 3 real roots, and we know (because P and Q are on the curve) that $x_1$ and $x_2$ are both real roots, a unique third real root exists (i.e., $x_3$). As the sum of the roots of a cubic equation is the negative of the coefficient of the square term, we have that:

$$x_3 = m^2 - x_1 - x_2.$$

Since the point R has coordinates $(x_3, mx_3 + k)$, we have that $P + Q = (x_3, -(mx_3 + k))$. Thus, we may calculate:

$$y_3 = -(mx_3 + k) = -(mx_3 + y_1 - mx_1) = m(x_1 - x_3) - y_1.$$

In the case that P = Q, the line determined by P and Q used above is replaced by the tangent line at P. The slope of this line can be obtained by implicitly differentiating (2) and evaluating at P (the value of k remains the same). So, in this case we have:

$$m = (3x_1^2 + b')/(2y_1)$$

and the formulas for $x_3$ and $y_3$ remain the same.

While these formulas were derived over the field R, they remain valid (although the arguments are slightly different) for all fields except those of characteristic 2 or 3.

### Elliptic Curves over Finite Fields

#### Elliptic Curves in Characteristic 2

Since working with fields of characteristic 2 is easily implemented on computers, we will consider the modifications needed to work with elliptic curves in this case.

First observe that the formula (2) does not work well in characteristic 2. Consider the slope of the tangent lines to the curve calculated in the last section. Since 2 = 0, these slopes are all "infinite", i.e., all tangent lines pass through the point O (note the similarity to the knot of an oval in characteristic 2). To avoid this difficulty, we will work exclusively with elliptic curves of the form

$$Y^2 + Y = X^3 + aX + b.$$

The second difficulty arises in the computation of the point -P. If P has coordinates (x,y), our previous computation would have -P = (x,-y), but in characteristic 2, 1 = -1, so we would have P = -P for all points P. To rectify this, recall that -P should be the third point of the curve on the vertical line through O and P. In characteristic 2, this third point has coordinates (x,1+y) when P = (x,y), since $(1+y)^2 + (1+y) = 1 + y^2 + 1 + y = y^2 + y$. So, in characteristic 2 we have -P = (x,1+y).

With these modifications, the addition law is the same as in the other cases.

#### Example

Consider the elliptic curve given by $y^2 + y = x^3 + wx$ over the field GF(4) whose elements are $\{0,1,w,w^2\}$. Besides O, the points on this curve have coordinates (0,0), (0,1), $(w^2,0)$ and $(w^2,1)$. Let P = (0,1) and Q = $(w^2,0)$. The line joining P and Q has the (affine) equation $y = wx + 1$. By implicit differentiation, the slope of the tangent line at a point (x,y) is $x^2 + w$. Thus, the line joining P and Q is tangent at P (and not at Q). Thus, R = P and -R = (0,1+1) = (0,0). So, P + Q = (0,0). To calculate 2P = P + P, we use the tangent line at P, which is $y = wx + 1$, to find R = $(w^2,0)$ and so, -R = $(w^2,1)$. Thus, 2P = $(w^2,1)$. Note that this example is degenerate.

We can also derive the corresponding formulas for the coordinates of the sum of P and Q, points of $Y^2 + Y = X^3 + aX + b$. Let $P = (x_1,y_1)$, $Q = (x_2,y_2)$ and $P+Q = (x_3,y_3)$. The same analysis as in the real case gives us

$$x_3 = m^2 + x_1 + x_2,$$

where m is the slope of the line through P and Q. The computation of $y_3$ is altered, since when $R = (x_3, mx_3 + k)$, $-R = (x_3, 1 + mx_3 + k)$ and we obtain

$$y_3 = 1 + mx_3 + k = 1 + mx_3 + y_1 - mx_1 = m(x_1 + x_3) + y_1 + 1.$$

This uses the fact that 1 = -1. Finally, if P = Q, then the slope m should be replaced by $x_1^2 + a$, and $x_3 = m^2$.
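The characteristic 2 addition law can be checked mechanically against the GF(4) example. The following is an added example, not part of the original notes; it assumes GF(4) elements are stored as the integers 0 to 3 (2 for w, 3 for w^2), and the function names are illustrative.

```python
# GF(4) = {0, 1, w, w^2} with w^2 = w + 1; c1*w + c0 is stored as the int 2*c1 + c0.
# Field addition is XOR. This representation is an assumption of the example.
W, W2 = 2, 3
O = None  # point at infinity

def gf4_mul(u, v):
    """Multiply in GF(4): carry-less product reduced by w^2 + w + 1."""
    r = 0
    if v & 1:
        r ^= u
    if v & 2:
        r ^= u << 1
    if r & 4:
        r ^= 0b111
    return r

def gf4_inv(u):
    """u^-1 = u^2 for non-zero u, because u^3 = 1 in the multiplicative group."""
    if u == 0:
        raise ZeroDivisionError("0 has no inverse in GF(4)")
    return gf4_mul(u, u)

def on_curve(P, a, b):
    """Test Y^2 + Y = X^3 + aX + b."""
    if P is O:
        return True
    x, y = P
    return gf4_mul(y, y) ^ y == gf4_mul(gf4_mul(x, x), x) ^ gf4_mul(a, x) ^ b

def neg(P):
    """-P = (x, 1 + y) in characteristic 2."""
    return O if P is O else (P[0], P[1] ^ 1)

def add(P, Q, a):
    """P + Q using x3 = m^2 + x1 + x2 and y3 = m(x1 + x3) + y1 + 1."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y2 == y1 ^ 1:
        return O                              # Q = -P
    if P == Q:
        m = gf4_mul(x1, x1) ^ a               # tangent slope x1^2 + a
    else:
        m = gf4_mul(y1 ^ y2, gf4_inv(x1 ^ x2))
    x3 = gf4_mul(m, m) ^ x1 ^ x2
    return (x3, gf4_mul(m, x1 ^ x3) ^ y1 ^ 1)

def points(a, b):
    """All affine points of the curve over GF(4)."""
    return [(x, y) for x in range(4) for y in range(4) if on_curve((x, y), a, b)]
```

With a = w and b = 0 this reproduces the points, P + Q and 2P computed by hand above.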

#### Number of Points on an Elliptic Curve over GF(q)

It is easy to see that an elliptic curve over GF(q) can have at most 2q + 1 points, since for each x of the field (q possible values) there can be at most 2 values for y which satisfy the elliptic equation. Together with O, this gives the maximum value of 2q + 1. For the rest of this discussion, we shall assume that q is odd, so we may take the equation of the elliptic curve as $y^2 = x^3 + ax^2 + bx + c$.

Let X be the quadratic character of GF(q), that is, the map $X: GF(q) \to \{0,1,-1\}$ defined by X(0) = 0 and X(u) = 1 if u is a non-zero square and X(u) = -1 if u is a non-square. The number of solutions of $y^2 = u$ in GF(q) is thus 1 + X(u) [2 if u is a non-zero square, 0 if u is a non-square and 1 if u = 0]. The number of points on our elliptic curve is thus

$$1 + \sum_{x \in GF(q)} \left(1 + X(x^3+ax^2+bx+c)\right) = q + 1 + \sum_{x \in GF(q)} X(x^3+ax^2+bx+c).$$

The initial 1 is counting the point O. By finding an upper bound on the final sum, H. Hasse was able to prove:

Hasse's Theorem: Let N be the number of points on an elliptic curve over GF(q). Then

$$|N - (q+1)| \le 2\sqrt{q}.$$
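The character-sum count and Hasse's bound can be checked numerically on small prime fields. This is an added example, not part of the original notes; it assumes q = p is an odd prime so that the quadratic character can be computed with Euler's criterion, and the function names are illustrative.

```python
def chi(u, p):
    """Quadratic character of GF(p), p an odd prime, via Euler's criterion."""
    u %= p
    if u == 0:
        return 0
    return 1 if pow(u, (p - 1) // 2, p) == 1 else -1

def cubic(x, a, b, c, p):
    return (x**3 + a * x * x + b * x + c) % p

def count_by_character(a, b, c, p):
    """N = p + 1 + sum over x of chi(x^3 + a x^2 + b x + c)."""
    return p + 1 + sum(chi(cubic(x, a, b, c, p), p) for x in range(p))

def count_by_enumeration(a, b, c, p):
    """Count the affine solutions (x, y) directly, then add 1 for O."""
    n = 1
    for x in range(p):
        rhs = cubic(x, a, b, c, p)
        n += sum(1 for y in range(p) if y * y % p == rhs)
    return n

def hasse_holds(N, q):
    """|N - (q + 1)| <= 2 sqrt(q), tested exactly as (N - q - 1)^2 <= 4q."""
    return (N - q - 1) ** 2 <= 4 * q

def agree_and_bounded(p):
    """Check every curve y^2 = x^3 + bx + c over GF(p), p > 3 prime."""
    for b in range(p):
        for c in range(p):
            N = count_by_character(0, b, c, p)
            if N != count_by_enumeration(0, b, c, p):
                return False
            # Hasse's bound is asserted only for non-degenerate curves.
            if (4 * b**3 + 27 * c * c) % p and not hasse_holds(N, p):
                return False
    return True
```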

### Elliptic Curve Cryptosystems

We have seen how the multiplicative group of a finite field can be used to create public key cryptosystems. These systems depend for security on the difficulty of taking discrete logarithms in these groups. We can create analogous public key cryptosystems using the finite abelian groups of an elliptic curve defined over GF(q). The major step in the conversion is to take the field multiplication of the former case and replace it by the addition of points on the elliptic curve. Security is still based on the difficulty of finding discrete logarithms, and for elliptic curves this appears to be even more difficult since some of the methods used to attack the classical discrete log problem have no analogies in the elliptic curve case.

Throughout this section we will assume that the finite field does not have characteristic 2 or 3 so that we may represent our elliptic curves in the form $y^2 = x^3 + ax + b$. This will make the underlying ideas easier to see, but in practice, computer implementations of these algorithms are usually much easier if the field has characteristic 2.

#### Discrete Logarithms on Elliptic Curves

In the classical discrete logarithm problem, given a field GF(q) and a generator a of that field, one is asked to find, for any non-zero y in the field, the exponent x so that $y = a^x$. (The integer x is then the logarithm of y with respect to the base a in GF(q)). The corresponding problem for elliptic curves is then, given an elliptic curve E defined over GF(q) and a base point A on E, for any point Y of E determine the integer x so that Y = xA, if x exists. One can easily see that this is essentially the same problem with multiplicative notation switched to additive notation. So, we still refer to x as being the logarithm of Y with respect to A on the elliptic curve E. The only real difference is that the base point A may not be a generator of the group of E (indeed, these groups do not have to be cyclic, so generators need not exist). For this reason, logarithms on elliptic curves don't always exist. The order of a point A on E is the smallest integer m so that mA = O. Since the group of E is a finite group, every point has an order which must be a divisor of N, the number of points on E. If the order of a point is N, then the group is cyclic and all points will have logarithms with respect to that point. For practical applications, one chooses a base point A to be one with large (relative to N) order and works in the cyclic subgroup generated by that point. Finally, just as in the classical case where we use the square and multiply algorithm to minimize the computational effort of taking powers, we also use that algorithm to find multiples of points. So, to do the computation of 100A, we would organize it as 2(2(1+2(2(2(1+2A))))), where a 1 indicates that A should be added to the previous point.

#### Representing Plaintext

In order to construct a cryptosystem based on elliptic curves we will need to have a way of making plaintexts correspond to points on the elliptic curve (this is encoding and not encryption; the method used here is public knowledge). It is not sufficient to use the plaintext (already converted to numbers) as, say, x coordinates of the points on E, since not every possible x coordinate will correspond to a point of the curve. As there is no known deterministic polynomial time algorithm for writing down large numbers of points on an elliptic curve, we will make do with a probabilistic method which has a failure rate of $1/2^k$ where k is any preselected integer. In practice, k can be selected in the range of 30 to 50.

Suppose that we have written our plaintext message as a series of integers m, with $0 \le m < M$. Choose a finite field GF(q), with $q = p^r$, p not 2 or 3, and $q > Mk$. We set up a bijection between the integers from 0 to Mk and a subset of elements of GF(q). An easy way to do this is to write the integer in its p-adic form and associate the integer with the element of GF(q) that corresponds to the vector of coefficients of this form. That is, write $s = a_0 + a_1p + a_2p^2 + \dots + a_{r-1}p^{r-1}$ (each $a_i$ in $Z_p$) and associate s with the field element $(a_0,a_1,a_2, \dots, a_{r-1})$. Now, to each message unit m, we will associate all the integers of the form $m_j = mk + j$, with $0 \le j < k$. Using the bijection we associate each $m_j$ with a field element (and by abuse of notation we will also call the field element $m_j$), and calculate $f(m_j)$ where $f(x) = x^3 + ax + b$ (the right hand side of the equation of our elliptic curve). We do this successively for each j until we obtain a square. When we get a square, we associate the message unit m to both of the points with first coordinate $m_j$ on the elliptic curve. Since half of the elements of GF(q) are squares, the probability that we fail to find a square (and hence fail to associate m to a point) is about $1/2^k$. Should failure occur for any m, we would start again with a different q. To decode a point, convert the x-coordinate of the point back to an integer $m_j$ and then divide by k and drop the remainder, that is, $m = [m_j/k]$, where [..] is the greatest integer function.
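The encoding and decoding steps, as an added example that is not part of the original notes. It narrows the construction to a prime field (r = 1) with p = 3 mod 4, so that square roots need only one exponentiation; the prime, the curve coefficients, M and k are values constructed for the example.

```python
# Constructed parameters: GF(p) with p = 2^31 - 1 (prime, p = 3 mod 4),
# curve y^2 = x^3 + a*x + b, message units 0 <= m < M, K tries per unit (the k above).
p = 2**31 - 1
a, b = 2, 3
M, K = 2**16, 30
assert p % 4 == 3 and p > M * K and (4 * a**3 + 27 * b**2) % p != 0

def f(x):
    """Right hand side of the curve equation."""
    return (x**3 + a * x + b) % p

def sqrt_mod_p(u):
    """A square root of u in GF(p) for p = 3 mod 4, or None if u is a non-square."""
    y = pow(u, (p + 1) // 4, p)
    return y if y * y % p == u else None

def encode(m):
    """Map message unit m to a curve point whose x-coordinate is m*K + j, 0 <= j < K."""
    if not 0 <= m < M:
        raise ValueError("message unit out of range")
    for j in range(K):
        x = m * K + j
        y = sqrt_mod_p(f(x))
        if y is not None:
            return (x, y)      # (x, p - y) is the other point with this x
    # Reached with probability about 2**-K; the notes then restart with another field.
    raise RuntimeError("no square found in K tries")

def decode(P):
    """Recover m as the integer part of x / K."""
    return P[0] // K

def on_curve(P):
    x, y = P
    return y * y % p == f(x)
```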

#### An Elliptic Curve El-Gamal Cryptosystem

In the elliptic curve version of this cryptosystem, the field GF(q), the elliptic curve E and a base point A of E are public information (as is M, the maximum plaintext message unit, but that is part of the protocol). Each participant selects a secret random integer b, calculates and publishes the point bA.

To send a message $P_m$ (a point on E) to Bob, Alice chooses a random integer c and sends the pair of points $(cA, P_m + c(b_BA))$, where $b_BA$ is Bob's published public point. Upon receiving this pair, Bob multiplies the first point by his secret integer $b_B$ and subtracts it from the second point, obtaining $P_m + c(b_BA) - b_B(cA) = P_m$. The security of the system lies in Oscar's inability to find $b_B$ knowing only $b_BA$.

#### Elliptic Curve Diffie-Hellman Key Exchange

With the same set up as in the above cryptosystem, in order for Alice and Bob to obtain a common secret key, each multiplies the other's public point by their own private integer. That is, Alice computes $b_A(b_BA)$ and Bob computes $b_B(b_AA)$, both obtaining $(b_Ab_B)A$. There appears to be no way of obtaining this point from the public points without solving the discrete log problem on this elliptic curve.

#### El-Gamal Digital Signatures

In order to obtain an elliptic curve analogue of the El-Gamal Digital Signature Scheme we will also need to make public the value of N = the number of points on the elliptic curve E. It is assumed that the system has been set up so that M < N, where M is the maximum size of a message unit.

If Alice wishes to sign a message m (which may be the hash of a longer message) she first chooses a random integer k with $1 \le k < N$ and gcd(k,N) = 1. She computes the point R = kA = (x,y) and the integer $s \equiv k^{-1}(m - a_Ax) \pmod N$. The signed message is then the triple (m,R,s). To verify this signature, Bob calculates $V = x(a_AA) + sR$ and $W = mA$. He will declare the signature valid iff V = W. This follows from the calculation:

$$V = x(a_AA) + sR = x(a_AA) + k^{-1}(m - a_Ax)(kA) = x(a_AA) + mA - (a_Ax)A = mA = W.$$

In the above verification calculation, we have used the fact that $k^{-1}kA = A$, and this needs to be checked since $k^{-1}$ was only determined mod N. That is, we only have $k^{-1}k = 1 + tN$ for some integer t. But $k^{-1}kA = (1+tN)A = A + t(NA) = A + O = A$ (that tNA = O follows from the fact that rO = O for any positive integer r, and that the order of A, say n, is a divisor of N).

### Factoring with Elliptic Curves

A key reason for the increasing interest in elliptic curves on the part of cryptographers is the ingenious use of elliptic curves by H.W. Lenstra to obtain a factorization method that in many respects is better than earlier known ones. The improvement in efficiency is not significant enough in practice to pose a threat to the security of cryptosystems based on the assumed intractability of factoring; nevertheless, the discovery of an improvement using an unexpected new device serves as a warning that one should never be too complacent about the supposed imperviousness of the factoring problem to dramatic breakthroughs.

Lenstra's algorithm is an analogue of Pollard's p-1 method, but whereas Pollard's method can get stuck if p-1 has a large prime factor, the elliptic curve version can get around that problem by changing the curve. Given enough curves, you are almost guaranteed to find one that gives a factorization.

The elliptic curves used in this factoring algorithm are defined over the field of rationals, Q. Thus, we may assume that they have equations given by $y^2 = x^3 + ax + b$, where we will always take a and b to be integers. For any integer n, we consider the mod n reduction of such an elliptic curve. That is, if E is the elliptic curve and P = (x,y) a point of the curve, with integer coordinates, then the modulo n reduction of E, denoted by E mod n, contains the point P mod n = (x mod n, y mod n). Every time we compute a multiple of P, we will really only be concerned with the reduction of its coordinates mod n. The formulas we have developed for curves of this form are still valid when we reduce them mod n. There is only one caveat to treating the numbers in this way, and that is, whenever we calculate a division (such as in finding a slope of a line) we must have the divisor be relatively prime to n. The calculation of the inverses to do the divisions is done with the extended Euclidean algorithm, so in doing the calculation, determining whether or not the divisor is relatively prime to n is automatic.

The essential idea behind the algorithm is very simple. Starting with a, possibly arbitrary, elliptic curve and any integer coordinate point P on it, calculate all integer multiples of P mod n up to a predetermined bound, where n is the number you wish to factor. At each step, there will be a division, and so, the gcd of the divisor and n will be calculated. If this gcd always turns out to be 1, you will be able to obtain the multiple of P mod n that you sought, and will have failed to factor n. If the gcd is ever not 1, then either it is n, and you can again stop since you have failed to factor n, or the gcd is not 1 or n, and therefore is a proper factor of n (success!!!). Whenever the method fails to produce a factor, just pick a new elliptic curve and point and start over.

#### Example

We want to factor 4453. Let E be the elliptic curve $y^2 = x^3 + 10x - 2$, and P = (1,3). As we calculate 2P, we need the slope of the tangent line at P, which is $(3x^2 + 10)/(2y)$ evaluated at P, i.e., 13/6. We take this mod 4453, and use the fact that gcd(6,4453) = 1 to obtain $6^{-1} \equiv 3711 \pmod{4453}$, and therefore the slope is 3713. Using our formulas we have 2P mod 4453 = (4332, 3230). Now we calculate 3P as P + 2P. The slope of the line joining these points is 3227/4331. But gcd(4331, 4453) = 61, so the computation cannot be carried out; however, we obtain that 4453 = 61 × 73.

The only real issues to settle are how to pick a supply of elliptic curves and points, and what a good bound for the computation would be. In selecting the elliptic curve, we could randomly select the integers a and b and then locate a point P on the curve, but this is not very efficient. Rather, select the point P = (x,y) first, then randomly pick an integer a and finally calculate $b = y^2 - x^3 - ax$ to obtain the elliptic curve which contains the point P. Since we need to have non-degenerate elliptic curves, we must check that the discriminant of the cubic function is not 0 (compare this to the quadratic function case). The discriminant of our cubic is $4a^3 + 27b^2$. Actually, we want to have that the discriminant is not 0 mod n, so we will first calculate $\gcd(4a^3 + 27b^2, n)$. If this gcd is n, then we must select another elliptic curve. If it is 1, we can continue, and if it has any other value, we have found a factor of n and may stop. The bound is essentially the point at which we give up on any elliptic curve we are examining. If the bound is too small then we will be giving up too soon and will have to examine many elliptic curves before finding one that gives a factor. If the bound is too large, then the chance of finding a factor from any elliptic curve is much higher but the computational effort becomes too great. Thus the bound needs to be a compromise value, not too small and not too large. The right order of magnitude for the bound depends on the size of the expected factor (generally an unknown quantity) and so is often set experimentally.
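The addition formulas, the double-and-add multiples and the El-Gamal signature of the earlier sections, and the factoring procedure described here, all rest on the same arithmetic mod n, so one added example (not part of the original notes) covers both passages. Function names are illustrative; coordinates are assumed to be already reduced mod n.

```python
from math import gcd

O = None  # point at infinity

class Factor(Exception):
    """A slope denominator was not invertible mod n; g = gcd(denominator, n)."""
    def __init__(self, g):
        self.g = g

def inv(d, n):
    g = gcd(d % n, n)
    if g != 1:
        raise Factor(g)
    return pow(d, -1, n)

def add(P, Q, a, n):
    """P + Q on y^2 = x^3 + ax + b reduced mod n (the formulas never use b)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return O                                   # Q = -P
    if P == Q:
        m = (3 * x1 * x1 + a) * inv(2 * y1, n) % n
    else:
        m = (y2 - y1) * inv(x2 - x1, n) % n
    x3 = (m * m - x1 - x2) % n
    return (x3, (m * (x1 - x3) - y1) % n)

def mul(k, P, a, n):
    """kP by double-and-add, the additive form of square and multiply."""
    R = O
    while k:
        if k & 1:
            R = add(R, P, a, n)
        P = add(P, P, a, n)
        k >>= 1
    return R

def ecm_try(n, a, P, bound):
    """One curve of the method: P, 2P, ..., bound*P mod n. Returns a factor or None."""
    x, y = P
    b = (y * y - x**3 - a * x) % n
    g = gcd(4 * a**3 + 27 * b * b, n)
    if g != 1:
        return g if g < n else None                # degenerate mod n, or a factor
    Q = P
    try:
        for _ in range(bound - 1):
            Q = add(Q, P, a, n)
    except Factor as e:
        return e.g if e.g < n else None
    return None

def sign(m, k, secret, A, a, p, N):
    """El-Gamal signature (m, R, s) over GF(p); requires gcd(k, N) = 1."""
    R = mul(k, A, a, p)
    return (m, R, pow(k, -1, N) * (m - secret * R[0]) % N)

def verify(sig, pub, A, a, p):
    """Accept iff x*(public point) + s*R equals m*A."""
    m, R, s = sig
    return add(mul(R[0], pub, a, p), mul(s, R, a, p), a, p) == mul(m, A, a, p)
```

`ecm_try(4453, 10, (1, 3), 10)` returns 61, matching the worked example. For the signature functions, a small constructed curve to try is $y^2 = x^3 + 2x + 2$ over GF(17) with A = (5, 1) and N = 19.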

The elliptic curve method seems to be best suited for factoring numbers of medium size, say around 40 or 50 decimal digits. These numbers are no longer used for the security of factoring-based systems such as RSA. For larger numbers, the quadratic sieve and number field sieve are superior.