Abstract
The subject of elliptic curves encompasses a vast amount of mathematics. Our aim in this section is to summarize just enough of the basic theory for cryptographic applications. For additional reading, there are a number of survey articles and books devoted to elliptic curve cryptography [14, 68, 81, 135], and many others that describe the number theoretic aspects of the theory of elliptic curves, including [25, 65, 73, 74, 136, 134, 138].
Notes
- 1. Indeed, even before elliptic curves burst into cryptographic prominence, a well-known mathematician [73] opined that "it is possible to write endlessly on elliptic curves!"
- 2. A word of warning. You may recall from high school geometry that an ellipse is a geometric object that looks like a squashed circle. Elliptic curves are not ellipses, and indeed, despite their somewhat unfortunate name, elliptic curves and ellipses have only the most tenuous connection with one another.
- 3. Not to be confused with the identical symbol ⊕ that we used to denote the XOR operation in a different context!
- 4. Recall that the equation of the line through two points \((x_{1},y_{1})\) and \((x_{2},y_{2})\) is given by the point–slope formula \(Y - y_{1} = \lambda\,(X - x_{1})\), where the slope λ is equal to \(\frac{y_{2}-y_{1}}{x_{2}-x_{1}}\).
- 5. This is a good time to learn that \(\frac{1}{5}\) is a symbol for a solution to the equation \(5x = 1\). In order to assign a value to the symbol \(\frac{1}{5}\), you must know where that value lives. In \(\mathbb{Q}\), the value of \(\frac{1}{5}\) is the usual number with which you are familiar, but in \(\mathbb{F}_{13}\) the value of \(\frac{1}{5}\) is 8, while in \(\mathbb{F}_{11}\) the value of \(\frac{1}{5}\) is 9. And in \(\mathbb{F}_{5}\) the symbol \(\frac{1}{5}\) is not assigned a value.
- 6. The congruence \(X^{3} + AX + B \equiv 0 \pmod p\) has at most three solutions, and if p is large, the chance of randomly choosing one of them is very small.
- 7. In 1997, the RSA corporation posted the following quote by RSA co-inventor Ron Rivest on its website: "But the security of cryptosystems based on elliptic curves is not well understood, due in large part to the abstruse nature of elliptic curves…. Over time, this may change, but for now trying to get an evaluation of the security of an elliptic-curve cryptosystem is a bit like trying to get an evaluation of some recently discovered Chaldean poetry. Until elliptic curves have been further studied and evaluated, I would advise against fielding any large-scale applications based on them."
- 8. For example, at the end of Sect. 6.4.2 we described how to save bandwidth in elliptic Elgamal by sending the x-coordinate and one additional bit to specify the y-coordinate. This idea is called "point compression" and is covered by US Patent 6,141,420.
- 9. In mathematical terminology, the Frobenius map τ is a field automorphism of \(\mathbb{F}_{p^{k}}\). It also fixes \(\mathbb{F}_{p}\). One can show that the Galois group of \(\mathbb{F}_{p^{k}}/\mathbb{F}_{p}\) is cyclic of order k and is generated by τ.
- 10. For those who have taken a course in abstract algebra, we mention that the other glorious property of the Weil pairing is that it interacts well with Galois theory. Thus let E be an elliptic curve over a field K, let L/K be a Galois extension, and let \(P, Q \in E(L)[m]\). Then for every element \(g \in \mathrm{Gal}(L/K)\), the Weil pairing obeys the rule \(e_{m}{\bigl (g(P),g(Q)\bigr )} = g{\bigl (e_{m}(P,Q)\bigr )}\).
- 11. Or so it would seem, but we will see in Sect. 6.9.3 that the ECDLP on E does have its uses in cryptography!
- 12. There are various definitions of distortion maps in the literature. The one that we give distills the essential properties needed for most cryptographic applications. In practice, one also requires an efficient algorithm to compute φ.
- 13. In the language of abstract algebra, the map φ is a homomorphism of the group E(K) to itself; see Exercise 2.63. In the language of algebraic geometry, a homomorphism from an elliptic curve to itself is called an isogeny.
- 14. There are various ways to define a hash function \(H_{1}\) with values in \(E(\mathbb{F}_{q})[\ell]\). For example, take a given User ID I, convert it to a binary string β, apply a hash function to β that takes values uniformly in \(\{1, 2, \ldots, \ell - 1\}\) to get an integer m, and set \(H_{1}(I) = mP\).
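The following Python is an added example (not code from the book or its authors) tying together notes 4, 5 and 14: the value of a symbol like 1/5 depends on the field it lives in, the chord-and-tangent addition law is just the point–slope line of note 4 with the slope computed in \(\mathbb{F}_{p}\), and \(H_{1}(I) = mP\) maps a user ID into \(E(\mathbb{F}_{q})[\ell]\). The curve \(y^{2} = x^{3} + 2x + 2\) over \(\mathbb{F}_{17}\), the base point P = (5, 1), and the use of SHA-256 reduced modulo ℓ − 1 as the "uniform" hash are assumptions of this example; the book prescribes none of them. The group has 19 points, so every affine point generates it and ℓ = 19 makes \(E(\mathbb{F}_{17})[\ell]\) the whole group.

```python
import hashlib

# Constructed toy parameters: E: y^2 = x^3 + A x + B over F_p with p = 17.
# #E(F_17) = 19 is prime, so P = (5, 1) has order ELL = 19 (checked by curve_points()).
A, B, p = 2, 2, 17
P = (5, 1)
ELL = 19


def inv_mod(a, p):
    """Value of the symbol 1/a in F_p, i.e. the x with a*x = 1 (mod p).

    Extended Euclid; raises ZeroDivisionError when no such x exists,
    which is exactly note 5's situation for 1/5 in F_5.
    """
    a %= p
    old_r, r = a, p
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ZeroDivisionError(f"{a} has no inverse in F_{p}")
    return old_s % p


def has_inverse(a, p):
    """Does the symbol 1/a get a value in F_p at all?"""
    try:
        inv_mod(a, p)
        return True
    except ZeroDivisionError:
        return False


def on_curve(Q):
    """True for the identity (None) and for affine points satisfying the curve equation."""
    if Q is None:
        return True
    x, y = Q
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def ec_add(P1, P2):
    """Chord-and-tangent addition: the line of note 4 with its slope taken in F_p."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                         # vertical line: sum is O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, p) % p           # chord slope (y2-y1)/(x2-x1)
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(m, Q):
    """Compute mQ by double-and-add (m >= 0)."""
    R = None
    while m:
        if m & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        m >>= 1
    return R


def curve_points():
    """Enumerate E(F_p) by brute force (fine for p = 17); the identity is included."""
    return [None] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y))]


def hash_to_subgroup(user_id):
    """H_1(I) = mP as in note 14, with m in {1, ..., ELL-1} derived from the ID.

    Assumption of this example: SHA-256 of the ID reduced modulo ELL-1 stands in
    for the hash with uniform values in {1, ..., ell-1} that the book asks for.
    """
    digest = hashlib.sha256(user_id.encode("utf-8")).digest()
    m = int.from_bytes(digest, "big") % (ELL - 1) + 1
    return scalar_mult(m, P)


if __name__ == "__main__":
    print("1/5 in F_13 =", inv_mod(5, 13), " 1/5 in F_11 =", inv_mod(5, 11),
          " 1/5 defined in F_5:", has_inverse(5, 5))
    print("#E(F_17) =", len(curve_points()))
    print("2P =", ec_add(P, P), " 19P =", scalar_mult(ELL, P))
    print("H_1('alice') =", hash_to_subgroup("alice"))
```

Because the group order is prime, every output of `hash_to_subgroup` is a non-identity point of order ℓ, which is what an identity-based scheme built on the Weil pairing needs from \(H_{1}\); with a composite group order one would additionally have to clear the cofactor before the result lands in \(E(\mathbb{F}_{q})[\ell]\).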
References
ANSI-ECDSA, Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA). ANSI Report X9.62, American National Standards Institute, 1998
I.F. Blake, G. Seroussi, N.P. Smart, Elliptic Curves in Cryptography. Volume 265 of London Mathematical Society Lecture Note Series (Cambridge University Press, Cambridge, 2000)
D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing, in Advances in Cryptology – CRYPTO 2001, Santa Barbara. Volume 2139 of Lecture Notes in Computer Science (Springer, Berlin, 2001), pp. 213–229
D. Boneh, M. Franklin, Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (electronic) (2003)
J.W.S. Cassels, Lectures on Elliptic Curves. Volume 24 of London Mathematical Society Student Texts (Cambridge University Press, Cambridge, 1991)
H. Cohen, A Course in Computational Algebraic Number Theory. Volume 138 of Graduate Texts in Mathematics (Springer, Berlin, 1993)
H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, F. Vercauteren (eds.), Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and Its Applications (Boca Raton) (Chapman & Hall/CRC, Boca Raton, 2006)
M. Fouquet, P. Gaudry, R. Harley, An extension of Satoh's algorithm and its implementation. J. Ramanujan Math. Soc. 15(4), 281–318 (2000)
A. Joux, A one round protocol for tripartite Diffie-Hellman, in Algorithmic Number Theory, Leiden, 2000. Volume 1838 of Lecture Notes in Computer Science (Springer, Berlin, 2000), pp. 385–393
A. Joux, A one round protocol for tripartite Diffie-Hellman. J. Cryptol. 17(4), 263–276 (2004)
A.W. Knapp, Elliptic Curves. Volume 40 of Mathematical Notes (Princeton University Press, Princeton, 1992)
N. Koblitz, Elliptic curve cryptosystems. Math. Comput. 48(177), 203–209 (1987)
N. Koblitz, Algebraic Aspects of Cryptography. Volume 3 of Algorithms and Computation in Mathematics (Springer, Berlin, 1998)
S. Lang, Elliptic Curves: Diophantine Analysis. Volume 231 of Grundlehren der Mathematischen Wissenschaften (Fundamental Principles of Mathematical Sciences) (Springer, Berlin, 1978)
S. Lang, Elliptic Functions. Volume 112 of Graduate Texts in Mathematics, 2nd edn. (Springer, New York, 1987). With an appendix by J. Tate
H.W. Lenstra Jr., Factoring integers with elliptic curves. Ann. Math. (2) 126(3), 649–673 (1987)
A. Menezes, Elliptic Curve Public Key Cryptosystems. The Kluwer International Series in Engineering and Computer Science, 234 (Kluwer Academic, Boston, 1993)
A.J. Menezes, T. Okamoto, S.A. Vanstone, Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inf. Theory 39(5), 1639–1646 (1993)
V.S. Miller, Use of elliptic curves in cryptography, in Advances in Cryptology – CRYPTO '85, Santa Barbara, 1985. Volume 218 of Lecture Notes in Computer Science (Springer, Berlin, 1986), pp. 417–426
V.S. Miller, The Weil pairing, and its efficient calculation. J. Cryptol. 17(4), 235–261 (2004). Updated and expanded version of unpublished manuscript Short programs for functions on curves, 1986
T. Satoh, The canonical lift of an ordinary elliptic curve over a finite field and its point counting. J. Ramanujan Math. Soc. 15(4), 247–270 (2000)
T. Satoh, K. Araki, Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. St. Paul. 47(1), 81–92 (1998)
R. Schoof, Elliptic curves over finite fields and the computation of square roots mod p. Math. Comput. 44(170), 483–494 (1985)
R. Schoof, Counting points on elliptic curves over finite fields. J. Théor. Nombres Bordx. 7(1), 219–254 (1995). Les Dix-huitièmes Journées Arithmétiques, Bordeaux, 1993
I.A. Semaev, Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comput. 67(221), 353–356 (1998)
A. Shamir, Identity-based cryptosystems and signature schemes, in Advances in Cryptology, Santa Barbara, 1984. Volume 196 of Lecture Notes in Computer Science (Springer, Berlin, 1985), pp. 47–53
J.H. Silverman, Advanced Topics in the Arithmetic of Elliptic Curves. Volume 151 of Graduate Texts in Mathematics (Springer, New York, 1994)
J.H. Silverman, Elliptic curves and cryptography, in Public-Key Cryptography, Les Diablerets. Volume 62 of Proceedings of Symposia in Applied Mathematics (American Mathematical Society, Providence, 2005), pp. 91–112
J.H. Silverman, The Arithmetic of Elliptic Curves. Volume 106 of Graduate Texts in Mathematics, 2nd edn. (Springer, Dordrecht, 2009)
J.H. Silverman, J. Tate, Rational Points on Elliptic Curves. Undergraduate Texts in Mathematics (Springer, New York, 1992)
B. Skjernaa, Satoh's algorithm in characteristic 2. Math. Comput. 72(241), 477–487 (electronic) (2003)
N.P. Smart, The discrete logarithm problem on elliptic curves of trace one. J. Cryptol. 12(3), 193–196 (1999)
Standards for Efficient Cryptography, SEC 2: recommended elliptic curve domain parameters (Version 1), 20 Sept 2000. http://www.secg.org/collateral/sec2_final.pdf
L.C. Washington, Elliptic Curves: Number Theory and Cryptography. Discrete Mathematics and Its Applications (Chapman & Hall/CRC, Boca Raton, 2003)
© 2014 Springer Science+Business Media New York
Hoffstein, J., Pipher, J., Silverman, J.H. (2014). Elliptic Curves and Cryptography. In: An Introduction to Mathematical Cryptography. Undergraduate Texts in Mathematics. Springer, New York, NY. https://doi.org/10.1007/978-1-4939-1711-2_6
DOI: https://doi.org/10.1007/978-1-4939-1711-2_6
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4939-1710-5
Online ISBN: 978-1-4939-1711-2