elliptic curve cryptography: arithmetic behind

Arithmetic ofElliptic Curves

AyanSengupta

GroupStructure ofElliptic Curves

RationalPoints ofFinite Orderon EllipticCurve

Group ofRationalPoints onElliptic Curve

Application inCryptography

Arithmetic of Elliptic Curves

Ayan Sengupta

May 5, 2015


AyanSengupta





Overview

1 Group Structure of Elliptic Curves

2 Rational Points of Finite Order on Elliptic Curve

3 Group of Rational Points on Elliptic Curve

4 Application in Cryptography


AyanSengupta





Motivation

Very important concept and major area of current researchin Number Theory.

Andrew Wiles used in his famour proof of Fermat’s lasttheorem.

They are vividly used in many algorithms:- Lenstra elliptic curve factorization.- Elliptic curve primality testing.

Elliptic curve cryptography (ECC) is based on the ellipticcurve discrete logarithm problem.


AyanSengupta





What is Elliptic Curve ?

An algebraic curve of the form

Y 2 = X 3 + aX 2 + bX + c (1)

where a, b, c ∈ K , field (most popular are Q, Fp), such thatf (X ) = X 3 + aX 2 + bX + c has no repeated root in C.

We also assume a point at infinity O included in elliptic curve,that is the point where the vertical lines in XY -plane meet.

(a) One real root of f (X ) (b) Three real roots of f (X )


AyanSengupta





What is Elliptic Curve ?

A smooth, projective algebraic curve of genus one with apre-assumed point O.

It is nothing related to ellipses!


AyanSengupta





Group Structure of Elliptic Curves

Figure : Addition operation on elliptic curve

Explicitely,x3 = λ2 − a− x1 − x2 (2)

y3 = λx3 + ν (3)

where, λ and ν are respectively the slope and intercept of theline joining P1,P2.


AyanSengupta






Figure : Doubling a point

x3 =x41−2bx21−8cx1+b2−4ac

4x31+4ax21+4bx1+4c(duplication formula)


AyanSengupta






Figure : Inverse of a point


AyanSengupta






Using Nine intersection theorem, associativity can be proved.


AyanSengupta






Points on an elliptic curve form an abelian group under theabove mentioned addition operation.


AyanSengupta






Concentrate on elliptic curve C over Q and points (x1, y1) suchthat both x1, y1 ∈ Q.It can be shown that such points (rational points) on C form asubgroup under the same addition operation.


AyanSengupta





Order of a Point on Elliptic Curve

P is a point (x1, y1) on elliptic curve C with order m if

mP = P + P + · · ·+ P︸︷︷︸m

= O (4)

such that m′P 6= O for all integers 1 ≤ m

′< m.

If no such m exists then P is of infinite order.


AyanSengupta





Points of Order 2

2P = O if and only if P = −P, i.e. y1 = −y1. So, y1 = 0.

Number of rational points of order 2 depends on the number ofsolutions of the equation f (x) = 0 in Q.


AyanSengupta





Points of Order 2

2P = O if and only if P = −P, i.e. y1 = −y1. So, y1 = 0.Number of rational points of order 2 depends on the number ofsolutions of the equation f (x) = 0 in Q.


AyanSengupta





Points of Order 3

3P = O if and only if 2P = P.From duplication formula,

x41 − 2bx2

1 − 8cx1 + b2 − 4ac

4x31 + 4ax2

1 + 4bx1 + 4c= x1 (5)

So, x1 is a root of the equation3X 4 + 4aX 3 + 6bX 2 + 12cX + (4ac − b2) which is same as

2f (X )f′′

(X )− f′(X )

2.

For each x1 we can get two distinct y1s. So, total there are 9points in complex field of order 3 (including O).

These points are precisely all the inflection points i.e., thepoints on the curve C , such that the tangent at that point hasmultiplicity 3.


AyanSengupta





Points of Order 3

3P = O if and only if 2P = P.From duplication formula,

x41 − 2bx2

1 − 8cx1 + b2 − 4ac

4x31 + 4ax2

1 + 4bx1 + 4c= x1 (5)

So, x1 is a root of the equation3X 4 + 4aX 3 + 6bX 2 + 12cX + (4ac − b2) which is same as

2f (X )f′′

(X )− f′(X )

2.

For each x1 we can get two distinct y1s. So, total there are 9points in complex field of order 3 (including O).These points are precisely all the inflection points i.e., thepoints on the curve C , such that the tangent at that point hasmultiplicity 3.


AyanSengupta





Nagell-Lutz Theorem

This theorem gives the overview of all the rational points thatcan have finite order.

Theorem

(Nagell-Lutz) Let

Y 2 = f (X ) = X 3 + aX 2 + bX + c (6)

be a non-singular cubic curve with integer coefficients a, b, c;and let D be the discriminant of the cubic polynomial f (x),

D = −4a3c + a2b2 + 18abc − 4b3 − 27c2. (7)

Let P = (x , y) be a rational point of finite order. Then x and yare integers; and either y = 0, or else y |D.


AyanSengupta





Nagell-Lutz Theorem

Nagell-Lutz theorem is not an if and only ifcondition!

To find whether a particular point on C has finite order or not,we need to check all of its multiples to find the order. Mazur’stheorem is a very strong result which makes our life easier.


AyanSengupta





Mazur’s Theorem

Theorem

Let C be a non-singular rational cubic curve, and suppose thatC (Q) contans a point of finite order m. Then either

1 ≤ m ≤ 10 or m = 12.

More precisely, the set of all points of finite order in C (Q)forms a subgroup, which has one of the following two forms:a) A cyclic group of order N with 1 ≤ N ≤ 10 or N = 12.b) The product of a cyclic group of order two and a cyclicgroup of order 2N with 1 ≤ N ≤ 4.


AyanSengupta





Example


AyanSengupta





Mordell’s Theorem

Theorem

Let C be a non-singular cubic curve with rational coefficientsand has a rational point. Then the group of rational pointsC (Q) is finitely generated.

This theorem tells us that starting from a single rational pointon an elliptic curve and using only the group laws (addition,duplication, inversion) we can generate the whole set ofrational points.


AyanSengupta





Mordell’s Theorem

We define a map H : C −→ [0,∞) such that

H(x , y) = max{|m|, |n|}

where, x = mn in its irreducible form.

If x = 0, we define H(x , y) = 1. Also H(O) = 1.We call this map “height”of a point.

Define “small height”h(x , y) = logH(x , y).


AyanSengupta





Mordell’s Theorem

We define a map H : C −→ [0,∞) such that

H(x , y) = max{|m|, |n|}

where, x = mn in its irreducible form.

If x = 0, we define H(x , y) = 1. Also H(O) = 1.We call this map “height”of a point.Define “small height”h(x , y) = logH(x , y).


AyanSengupta





Proof of Mordell’s Theorem

Theorem

(Descent’s Theorem) If Γ is a abelian group with a functionh : Γ −→ [0,∞) such thata) For every real number n, the set {P ∈ Γ : h(P) ≤ n} is finite.b) For every P0 ∈ Γ, there is a constant k0 such that

h(P + P0) ≤ 2h(P) + k0 (8)

for every P ∈ Γ.c) There is a constant k such that

h(2P) ≥ 4h(P)− k (9)

for all P ∈ Γ.d) The subgroup 2Γ has finite index in Γ.Then Γ is finitely generated.


AyanSengupta





Proof of Mordell’s Theorem

It can be proved explicitely that C (Q) and the map “littleheight”h satisfy the above conditions.


AyanSengupta





Mordell’s Theorem

We have

C (Q) ∼= Z⊕ Z⊕ · · · ⊕ Z︸︷︷︸r

⊕Zp1d1⊕ Zp2d2

⊕ · · · ⊕ Zps ds . (10)

r is called rank of Γ and the subgroupZp1d1

⊕ Zp2d2⊕ · · · ⊕ Zps ds correspondes to the elements of

finite order in C (Q).


AyanSengupta





Example


AyanSengupta





Basics of Cryptography

Cryptography is the study of message hiding. The basic modelof cryptography is

Figure : Adversarial model of cryptography


AyanSengupta





Secure Systems

For most secure and robust system, we assume that theadversary has considerable capabilites. He is able to read allthe data transmitted over the channel, has significantcomputational resources and has complete descriptions of thecommunications protocols and any cryptographic mechanismsdeployed (except for secret keying informations). The challengeis to design a robust mechanism to secure the communicationfrom such powerful adversaries.


AyanSengupta





Public-Key Cryptography

It is a part of cryptography where each entity selects a pair ofkeys, consisting of a public key, which is used for encryptionand a private key which is used for decryption. The keys havethe property that the actual plain text can not be computedeffeciently from the knowledge of only cipher text and thepublic keys. Public-key cryptosystems rely on the hardness ofsome very popular number theoretic problems. e.g.-

RSA scheme is based on the intractibility of integerfactorization problem for semiprimes.

ECC schemes depends totally on the hardness of ellipticcurve discrete logarithm problem (ECDLP).

Merkle-Hellman knapsack cryptosystem is based on integerknapsack problem (also called subset sum problem).


AyanSengupta





ECDLP

Definition

For a point P of order n and a pointQ ∈ {O,P, 2P, · · · , (n − 1)P} find the integer d ∈ [0, n − 1]such that Q = dP.


AyanSengupta





ElGamal Elliptic Curve Cryptographic System

Suppose we have an elliptic curve C defined over a finite fieldFq, where q is a large prime. C , q and a point P ∈ C withlarge order n are publicly known. We first represent ourmessage m as a point M in C (Fq). When A wants tocommunicate secretly with B, they proceed thus:

B choose a random integer b ∈ [0, n − 1] and publishesthe point bP as public key and keeps b to himself as theprivate key.

A chooses a random integer a ∈ [0, n − 1] and publishesthe point aP. He then sends the pair (aP,M + a(bP)) toB, where M + a(bP) is the ciphertext. A keeps his secretkey, a to himself.


AyanSengupta





ElGamal Elliptic Curve Cryptographic System

To decrypt the message, B first calculates b(aP) using A’spublic key and B’s own private key. As C is an abeliangroup, a(bP) = b(aP).

Now, B gets back the message fromM + a(bP)− b(aP) = M. From M, B gets back theoriginal message m by reversing the imbedding.


AyanSengupta





ECDLP

Many protocols like - Elliptic Curve Integrated EncryptionScheme, Elliptic Curve Digital Signature Algorithm are basedon the intractibility of ECDLP.

There are several algorithms such as Number field sieve,Pohlig-Hellman algorithm, Pollard’s rho algorithm, Shor’salgorithm solve this problem. But the best known algorithm sofar is of complexity O(

√p), where p is the largest prime divisor

of n. But yet no one has been able to prove mathematically theintractibility of ECDLP.


AyanSengupta





ECDLP

Many protocols like - Elliptic Curve Integrated EncryptionScheme, Elliptic Curve Digital Signature Algorithm are basedon the intractibility of ECDLP.There are several algorithms such as Number field sieve,Pohlig-Hellman algorithm, Pollard’s rho algorithm, Shor’salgorithm solve this problem. But the best known algorithm sofar is of complexity O(

√p), where p is the largest prime divisor

of n. But yet no one has been able to prove mathematically theintractibility of ECDLP.


AyanSengupta






AyanSengupta





Acknoweledgement

1. http://en.wikipedia.org/wiki2. https://www.nsa.gov/ia/programs/suitebcryptography/index.shtml


AyanSengupta





The End

elliptic curve cryptography: arithmetic behind

Science