Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

21.2 Elliptic Curves Mod p

If $p$ $p$ is a prime, we can work with elliptic curves mod $p$ $p$ using the aforementioned ideas. For example, consider

\begin{matrix} E : y^{2} \equiv x^{3} + 4 x + 4 & (\mod 5) . \end{matrix}

$\begin{matrix} E : y^{2} \equiv x^{3} + 4 x + 4 & (\mod 5) . \end{matrix}$

The points on $E$ $E$ are the pairs $(x, y)$ $(x, y)$ mod 5 that satisfy the equation, along with the point at infinity. These can be listed as follows. The possibilities for $x$ $x$ mod 5 are 0, 1, 2, 3, 4. Substitute each of these into the equation and find the values of $y$ $y$ that solve the equation:

\begin{array}{lllll} x \equiv 0 ⟹ y^{2} \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x \equiv 1 ⟹ y^{2} \equiv 9 \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x \equiv 2 ⟹ y^{2} \equiv 20 \equiv 0 & ⟹ y \equiv 0 (m o d 5) \\ x \equiv 3 ⟹ y^{2} \equiv 43 \equiv 3 & ⟹ no solutions \\ x \equiv 4 ⟹ y^{2} \equiv 84 \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x = ∞ ⟹ y = ∞ . \end{array}

$\begin{array}{lllll} x \equiv 0 ⟹ y^{2} \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x \equiv 1 ⟹ y^{2} \equiv 9 \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x \equiv 2 ⟹ y^{2} \equiv 20 \equiv 0 & ⟹ y \equiv 0 (m o d 5) \\ x \equiv 3 ⟹ y^{2} \equiv 43 \equiv 3 & ⟹ no solutions \\ x \equiv 4 ⟹ y^{2} \equiv 84 \equiv 4 & ⟹ y \equiv 2, 3 (m o d 5) \\ x = ∞ ⟹ y = ∞ . \end{array}$

The points on $E$ $E$ are $(0, 2), (0, 3), (1, 2), (1, 3), (2, 0), (4, 2), (4, 3), (∞, ∞) .$ $(0, 2), (0, 3), (1, 2), (1, 3), (2, 0), (4, 2), (4, 3), (∞, ∞) .$

The addition of points on an elliptic curve mod $p$ $p$ is done via the same formulas as given previously, except that a rational number $a / b$ $a / b$ must be treated as $a b^{- 1},$ $a b^{- 1},$ where $b^{- 1} b \equiv 1 (m o d p) .$ $b^{- 1} b \equiv 1 (m o d p) .$ This requires that $\gcd (b, p) = 1.$ $\gcd (b, p) = 1.$

More generally, it is possible to develop a theory of elliptic curves mod $n$ $n$ for any integer $n .$ $n .$ In this case, when we encounter a fraction $a / b,$ $a / b,$ we need to have $gcd (b, n) = 1 .$ $gcd (b, n) = 1 .$ The situations where this fails form the key to using elliptic curves for factorization, as we’ll see in Section 21.3. There are various technical problems in the general theory that arise when $1 < \gcd (b, n) < n,$ $1 < \gcd (b, n) < n,$ but the method to overcome these will not be needed in the following. For details on how to treat this case, see [Washington]. For our purposes, when we encounter an elliptic curve mod a composite $n,$ $n,$ we can pretend $n$ $n$ is prime. If something goes wrong, we usually obtain useful information about $n,$ $n,$ for example its factorization.

Example

Let’s compute $(1, 2) + (4, 3)$ $(1, 2) + (4, 3)$ on the curve just considered. The slope is

\begin{matrix} m \equiv \frac{3 - 2}{4 - 1} \equiv 2 & (\mod 5) . \end{matrix}

$\begin{matrix} m \equiv \frac{3 - 2}{4 - 1} \equiv 2 & (\mod 5) . \end{matrix}$

Therefore,

\begin{array}{l} x_{3} & \equiv & m^{2} - x_{1} - x_{2} \equiv 2^{2} - 1 - 4 \equiv 4 (\mod 5) \\ y_{3} & \equiv & m (x_{1} - x_{3}) - y_{1} \equiv 2 (1 - 4) - 2 \equiv 2 (\mod 5) . \end{array}

$\begin{array}{l} x_{3} & \equiv & m^{2} - x_{1} - x_{2} \equiv 2^{2} - 1 - 4 \equiv 4 (\mod 5) \\ y_{3} & \equiv & m (x_{1} - x_{3}) - y_{1} \equiv 2 (1 - 4) - 2 \equiv 2 (\mod 5) . \end{array}$

This means that

(1, 2) + (4, 3) = (4, 2) .

$(1, 2) + (4, 3) = (4, 2) .$

Example

Here is a somewhat larger example. Let $n = 2773 .$ $n = 2773 .$ Let

\begin{matrix} E : y^{2} \equiv x^{3} + 4 x + 4 & (\mod 2773), and P = (1, 3) . \end{matrix}

$\begin{matrix} E : y^{2} \equiv x^{3} + 4 x + 4 & (\mod 2773), and P = (1, 3) . \end{matrix}$

Let’s compute $2 P = P + P .$ $2 P = P + P .$ To get the slope of the tangent line, we differentiate implicitly and evaluate at $(1, 3) :$ $(1, 3) :$

2 y d y = (3 x^{2} + 4) d x \Rightarrow \frac{d y}{d x} = \frac{7}{6} .

$2 y d y = (3 x^{2} + 4) d x \Rightarrow \frac{d y}{d x} = \frac{7}{6} .$

But we are working mod 2773. Using the extended Euclidean algorithm (see Section 3.2), we find that $2311 \cdot 6 \equiv 1 (m o d 2773),$ $2311 \cdot 6 \equiv 1 (m o d 2773),$ so we can replace $1 / 6$ $1 / 6$ by 2311. Therefore,

m \equiv \frac{7}{6} \equiv 7 \times 2311 \equiv 2312 (m o d 2773) .

$m \equiv \frac{7}{6} \equiv 7 \times 2311 \equiv 2312 (m o d 2773) .$

The formulas yield

\begin{array}{rcl} x_{3} \equiv 2312^{2} - 1 - 1 \equiv 1771 (m o d 2773) \\ y_{3} \equiv 2312 (1 - 1771) - 3 \equiv 705 (m o d 2773) . \end{array}

$\begin{array}{rcl} x_{3} \equiv 2312^{2} - 1 - 1 \equiv 1771 (m o d 2773) \\ y_{3} \equiv 2312 (1 - 1771) - 3 \equiv 705 (m o d 2773) . \end{array}$

The final answer is

2 P = P + P = (1771, 705) .

$2 P = P + P = (1771, 705) .$

Now that we’re done with the example, we mention that $2773$ $2773$ is not prime. When we try to calculate $3 P$ $3 P$ in Section 21.3, we’ll obtain the factorization of $2773 .$ $2773 .$

21.2.1 Number of Points Mod p

Let $E : y^{2} \equiv x^{3} + b x + c (m o d p)$ $E : y^{2} \equiv x^{3} + b x + c (m o d p)$ be an elliptic curve, where $p \geq 5$ $p \geq 5$ is prime. We can list the points on $E$ $E$ by letting $x = 0, 1, \dots, p - 1$ $x = 0, 1, \dots, p - 1$ and seeing when $x^{3} + b x + c$ $x^{3} + b x + c$ is a square mod $p .$ $p .$ Since half of the nonzero numbers are squares mod $p,$ $p,$ we expect that $x^{3} + b x + c$ $x^{3} + b x + c$ will be a square approximately half the time. When it is a nonzero square, there are two square roots: $y$ $y$ and $- y .$ $- y .$ Therefore, approximately half the time we get two values of $y$ $y$ and half the time we get no $y .$ $y .$ Therefore, we expect around $p$ $p$ points. Including the point $∞,$ $∞,$ we expect a total of approximately $p + 1$ $p + 1$ points. In the 1930s, H. Hasse made this estimate more precise.

Hasse’s Theorem

Suppose $E (m o d p)$ $E (m o d p)$ has $N$ $N$ points. Then

| N - p - 1 | < 2 \sqrt{p} .

$| N - p - 1 | < 2 \sqrt{p} .$

The proof of this theorem is well beyond the scope of this book (for a proof, see [Washington]). It can also be shown that whenever $N$ $N$ and $p$ $p$ satisfy the inequality of the theorem, there is an elliptic curve $E$ $E$ mod $p$ $p$ with exactly $N$ $N$ points.

If $p$ $p$ is large, say around $10^{20},$ $10^{20},$ it is infeasible to count the points on an elliptic curve by listing them. More sophisticated algorithms have been developed by Schoof, Atkin, Elkies, and others to deal with this problem. See the Sage Appendix.

21.2.2 Discrete Logarithms on Elliptic Curves

Recall the classical discrete logarithm problem: We know that $x \equiv g^{k} (m o d p)$ $x \equiv g^{k} (m o d p)$ for some $k,$ $k,$ and we want to find $k .$ $k .$ There is an elliptic curve version: Suppose we have points $A, B$ $A, B$ on an elliptic curve $E$ $E$ and we know that $B = k A (= A + A + \dots + A)$ $B = k A (= A + A + \dots + A)$ for some integer $k .$ $k .$ We want to find $k .$ $k .$ This might not look like a logarithm problem, but it is clearly the analog of the classical discrete logarithm problem. Therefore, it is called the discrete logarithm problem for elliptic curves.

There is no good general attack on the discrete logarithm problem for elliptic curves. There is an analog of the Pohlig-Hellman attack that works in some situations. Let $E$ $E$ be an elliptic curve mod a prime $p$ $p$ and let $n$ $n$ be the smallest integer such that $n A = ∞ .$ $n A = ∞ .$ If $n$ $n$ has only small prime factors, then it is possible to calculate the discrete logarithm $k$ $k$ mod the prime powers dividing $n$ $n$ and then use the Chinese remainder theorem to find $k$ $k$ (see Exercise 25). The Pohlig-Hellman attack can be thwarted by choosing $E$ $E$ and $A$ $A$ so that $n$ $n$ has a large prime factor.

There is no replacement for the index calculus attack described in Section 10.2. This is because there is no good analog of “small.” You might try to use points with small coordinates in place of the “small primes,” but this doesn’t work. When you factor a number by dividing off the prime factors one by one, the quotients get smaller and smaller until you finish. On an elliptic curve, you could have a point with fairly small coordinates, subtract off a small point, and end up with a point with large coordinates (see Computer Problem 5). So there is no good way to know when you are making progress toward expressing a point in terms of the factor base of small points.

The Baby Step, Giant Step attack on discrete logarithms works for elliptic curves (Exercise 13(b)), although it requires too much memory to be practical in most situations. For other attacks, see [Blake et al.] and [Washington].

21.2.3 Representing Plaintext

In most cryptographic systems, we must have a method for mapping our original message into a numerical value upon which we can perform mathematical operations. In order to use elliptic curves, we need a method for mapping a message onto a point on an elliptic curve. Elliptic curve cryptosystems then use elliptic curve operations on that point to yield a new point that will serve as the ciphertext.

The problem of encoding plaintext messages as points on an elliptic curve is not as simple as it was in the conventional case. In particular, there is no known polynomial time, deterministic algorithm for writing down points on an arbitrary elliptic curve $E (m o d p) .$ $E (m o d p) .$ However, there are fast probabilistic methods for finding points, and these can be used for encoding messages. These methods have the property that with small probability they will fail to produce a point. By appropriately choosing parameters, this probability can be made arbitrarily small, say on the order of $1 / 2^{30} .$ $1 / 2^{30} .$

Here is one method, due to Koblitz. The idea is the following. Let $E : y^{2} \equiv x^{3} + b x + c (m o d p)$ $E : y^{2} \equiv x^{3} + b x + c (m o d p)$ be the elliptic curve. The message $m$ $m$ (already represented as a number) will be embedded in the $x -coordinate$ $x -coordinate$ of a point. However, the probability is only about 1/2 that $m^{3} + b m + c$ $m^{3} + b m + c$ is a square mod $p .$ $p .$ Therefore, we adjoin a few bits at the end of $m$ $m$ and adjust them until we get a number $x$ $x$ such that $x^{3} + b x + c$ $x^{3} + b x + c$ is a square mod $p .$ $p .$

More precisely, let $K$ $K$ be a large integer so that a failure rate of $1 / 2^{K}$ $1 / 2^{K}$ is acceptable when trying to encode a message as a point. Assume that $m$ $m$ satisfies $(m + 1) K < p .$ $(m + 1) K < p .$ The message $m$ $m$ will be represented by a number $x = m K + j,$ $x = m K + j,$ where $0 \leq j < K .$ $0 \leq j < K .$ For $j = 0, 1, \dots, K - 1,$ $j = 0, 1, \dots, K - 1,$ compute $x^{3} + b x + c$ $x^{3} + b x + c$ and try to calculate the square root of $x^{3} + b x + c (m o d p) .$ $x^{3} + b x + c (m o d p) .$ For example, if $p \equiv 3 (m o d 4),$ $p \equiv 3 (m o d 4),$ the method of Section 3.9 can be used. If there is a square root $y,$ $y,$ then we take $P_{m} = (x, y);$ $P_{m} = (x, y);$ otherwise, we increment $j$ $j$ by one and try again with the new $x .$ $x .$ We repeat this until either we find a square root or $j = K .$ $j = K .$ If $j$ $j$ ever equals $K,$ $K,$ then we fail to map a message to a point. Since $x^{3} + b x + c$ $x^{3} + b x + c$ is a square approximately half of the time, we have about a $1 / 2^{K}$ $1 / 2^{K}$ chance of failure.

In order to recover the message from the point $P_{m} = (x, y)$ $P_{m} = (x, y)$ we simply calculate $m$ $m$ by

m = ⌊ x / K ⌋,

$m = ⌊ x / K ⌋,$

where $⌊ x / K ⌋$ $⌊ x / K ⌋$ denotes the greatest integer less than or equal to $x / K .$ $x / K .$

Example

Let $p = 179$ $p = 179$ and suppose that our elliptic curve is $y^{2} = x^{3} + 2 x + 7 .$ $y^{2} = x^{3} + 2 x + 7 .$ If we are satisfied with a failure rate of $1 / 2^{10},$ $1 / 2^{10},$ then we may take $K = 10 .$ $K = 10 .$ Since we need $(m + 1) K < 179,$ $(m + 1) K < 179,$ we need $0 \leq m \leq 16 .$ $0 \leq m \leq 16 .$ Suppose our message is $m = 5 .$ $m = 5 .$ We consider $x$ $x$ of the form $m K + j = 50 + j .$ $m K + j = 50 + j .$ The possible choices for $x$ $x$ are $50, 51, \dots, 59 .$ $50, 51, \dots, 59 .$ For $x = 51$ $x = 51$ we get $x^{3} + 2 x + 7 \equiv 121 (m o d 179),$ $x^{3} + 2 x + 7 \equiv 121 (m o d 179),$ and $11^{2} \equiv 121 (m o d 179) .$ $11^{2} \equiv 121 (m o d 179) .$ Thus, we represent the message $m = 5$ $m = 5$ by the point $P_{m} = (51, 11) .$ $P_{m} = (51, 11) .$ The message $m$ $m$ can be recovered by $m = [51 / 10] = 5 .$ $m = [51 / 10] = 5 .$

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 21.2 Elliptic Curves Mod p

Create new playlist

Sign In

Sign Up

Table of Contents for
21.2 Elliptic Curves Mod p