If is a prime, we can work with elliptic curves mod using the aforementioned ideas. For example, consider
The points on are the pairs mod 5 that satisfy the equation, along with the point at infinity. These can be listed as follows. The possibilities for mod 5 are 0, 1, 2, 3, 4. Substitute each of these into the equation and find the values of that solve the equation:
The points on are
The addition of points on an elliptic curve mod is done via the same formulas as given previously, except that a rational number must be treated as where This requires that
More generally, it is possible to develop a theory of elliptic curves mod for any integer In this case, when we encounter a fraction we need to have The situations where this fails form the key to using elliptic curves for factorization, as we’ll see in Section 21.3. There are various technical problems in the general theory that arise when but the method to overcome these will not be needed in the following. For details on how to treat this case, see [Washington]. For our purposes, when we encounter an elliptic curve mod a composite we can pretend is prime. If something goes wrong, we usually obtain useful information about for example its factorization.
Let’s compute on the curve just considered. The slope is
Therefore,
This means that
Here is a somewhat larger example. Let Let
Let’s compute To get the slope of the tangent line, we differentiate implicitly and evaluate at
But we are working mod 2773. Using the extended Euclidean algorithm (see Section 3.2), we find that so we can replace by 2311. Therefore,
The formulas yield
The final answer is
Now that we’re done with the example, we mention that is not prime. When we try to calculate in Section 21.3, we’ll obtain the factorization of
Let be an elliptic curve, where is prime. We can list the points on by letting and seeing when is a square mod Since half of the nonzero numbers are squares mod we expect that will be a square approximately half the time. When it is a nonzero square, there are two square roots: and Therefore, approximately half the time we get two values of and half the time we get no Therefore, we expect around points. Including the point we expect a total of approximately points. In the 1930s, H. Hasse made this estimate more precise.
Suppose has points. Then
The proof of this theorem is well beyond the scope of this book (for a proof, see [Washington]). It can also be shown that whenever and satisfy the inequality of the theorem, there is an elliptic curve mod with exactly points.
If is large, say around it is infeasible to count the points on an elliptic curve by listing them. More sophisticated algorithms have been developed by Schoof, Atkin, Elkies, and others to deal with this problem. See the Sage Appendix.
Recall the classical discrete logarithm problem: We know that for some and we want to find There is an elliptic curve version: Suppose we have points on an elliptic curve and we know that for some integer We want to find This might not look like a logarithm problem, but it is clearly the analog of the classical discrete logarithm problem. Therefore, it is called the discrete logarithm problem for elliptic curves.
There is no good general attack on the discrete logarithm problem for elliptic curves. There is an analog of the Pohlig-Hellman attack that works in some situations. Let be an elliptic curve mod a prime and let be the smallest integer such that If has only small prime factors, then it is possible to calculate the discrete logarithm mod the prime powers dividing and then use the Chinese remainder theorem to find (see Exercise 25). The Pohlig-Hellman attack can be thwarted by choosing and so that has a large prime factor.
There is no replacement for the index calculus attack described in Section 10.2. This is because there is no good analog of “small.” You might try to use points with small coordinates in place of the “small primes,” but this doesn’t work. When you factor a number by dividing off the prime factors one by one, the quotients get smaller and smaller until you finish. On an elliptic curve, you could have a point with fairly small coordinates, subtract off a small point, and end up with a point with large coordinates (see Computer Problem 5). So there is no good way to know when you are making progress toward expressing a point in terms of the factor base of small points.
The Baby Step, Giant Step attack on discrete logarithms works for elliptic curves (Exercise 13(b)), although it requires too much memory to be practical in most situations. For other attacks, see [Blake et al.] and [Washington].
In most cryptographic systems, we must have a method for mapping our original message into a numerical value upon which we can perform mathematical operations. In order to use elliptic curves, we need a method for mapping a message onto a point on an elliptic curve. Elliptic curve cryptosystems then use elliptic curve operations on that point to yield a new point that will serve as the ciphertext.
The problem of encoding plaintext messages as points on an elliptic curve is not as simple as it was in the conventional case. In particular, there is no known polynomial time, deterministic algorithm for writing down points on an arbitrary elliptic curve However, there are fast probabilistic methods for finding points, and these can be used for encoding messages. These methods have the property that with small probability they will fail to produce a point. By appropriately choosing parameters, this probability can be made arbitrarily small, say on the order of
Here is one method, due to Koblitz. The idea is the following. Let be the elliptic curve. The message (already represented as a number) will be embedded in the of a point. However, the probability is only about 1/2 that is a square mod Therefore, we adjoin a few bits at the end of and adjust them until we get a number such that is a square mod
More precisely, let be a large integer so that a failure rate of is acceptable when trying to encode a message as a point. Assume that satisfies The message will be represented by a number where For compute and try to calculate the square root of For example, if the method of Section 3.9 can be used. If there is a square root then we take otherwise, we increment by one and try again with the new We repeat this until either we find a square root or If ever equals then we fail to map a message to a point. Since is a square approximately half of the time, we have about a chance of failure.
In order to recover the message from the point we simply calculate by
where denotes the greatest integer less than or equal to
Let and suppose that our elliptic curve is If we are satisfied with a failure rate of then we may take Since we need we need Suppose our message is We consider of the form The possible choices for are For we get and Thus, we represent the message by the point The message can be recovered by