A Formula for the Root Number of a Family of Elliptic Curves Eric Liverance

Those of you who know what public-key cryptography is may have already heard of ECC, ECDH or ECDSA. The first is an acronym for Elliptic Curve Cryptography, the others are names for algorithms based on it.

Today, we can find elliptic curve cryptosystems in TLS, PGP and SSH, which are just three of the main technologies on which the modern web and IT world are based. Not to mention Bitcoin and other cryptocurrencies.

Before ECC became popular, almost all public-key algorithms were based on RSA, DSA, and DH, alternative cryptosystems based on modular arithmetic. RSA and friends are still very important today, and often are used alongside ECC. However, while the magic behind RSA and friends can be easily explained, is widely understood, and rough implementations can be written quite easily, the foundations of ECC are still a mystery to most.

With a series of blog posts I'm going to give you a gentle introduction to the world of elliptic curve cryptography. My aim is not to provide a complete and detailed guide to ECC (the web is full of information on the subject), but to provide a simple overview of what ECC is and why it is considered secure, without losing time on long mathematical proofs or boring implementation details. I will also give helpful examples together with visual interactive tools and scripts to play with.

Specifically, here are the topics I'll touch:

  1. Elliptic curves over real numbers and the group law (covered in this blog post)
  2. Elliptic curves over finite fields and the discrete logarithm problem
  3. Key pair generation and two ECC algorithms: ECDH and ECDSA
  4. Algorithms for breaking ECC security, and a comparison with RSA

In order to understand what's written here, you'll need to know some basic stuff of set theory, geometry and modular arithmetic, and have familiarity with symmetric and asymmetric cryptography. Lastly, you need to have a clear idea of what an "easy" problem is, what a "hard" problem is, and their roles in cryptography.

Ready? Let's start!

Elliptic Curves

First of all: what is an elliptic curve? Wolfram MathWorld gives an excellent and complete definition. But for our aims, an elliptic curve will simply be the set of points described by the equation: $$y^2 = x^3 + ax + b$$

where $4a^3 + 27b^2 \ne 0$ (this is required to exclude singular curves). The equation above is what is called Weierstrass normal form for elliptic curves.

Different shapes for different elliptic curves ($b = 1$, $a$ varying from 2 to -3).
Types of singularities: on the left, a curve with a cusp ($y^2 = x^3$). On the right, a curve with a self-intersection ($y^2 = x^3 - 3x + 2$). Neither of them is a valid elliptic curve.

Depending on the value of $a$ and $b$, elliptic curves may assume different shapes on the plane. As can be easily seen and verified, elliptic curves are symmetric about the $x$-axis.

For our aims, we will also need a point at infinity (also known as ideal point) to be part of our curve. From now on, we will denote our point at infinity with the symbol 0 (zero).

If we want to explicitly take into account the point at infinity, we can refine our definition of elliptic curve as follows: $$\left\{ (x, y) \in \mathbb{R}^2\ |\ y^2 = x^3 + ax + b,\ 4 a^3 + 27 b^2 \ne 0 \right\}\ \cup\ \left\{ 0 \right\}$$

Groups

A group in mathematics is a set for which we have defined a binary operation that we call "addition" and indicate with the symbol +. In order for the set $\mathbb{G}$ to be a group, addition must be defined so that it respects the following four properties:

  1. closure: if $a$ and $b$ are members of $\mathbb{G}$, then $a + b$ is a member of $\mathbb{G}$;
  2. associativity: $(a + b) + c = a + (b + c)$;
  3. there exists an identity element 0 such that $a + 0 = 0 + a = a$;
  4. every element has an inverse, that is: for every $a$ there exists $b$ such that $a + b = 0$.

If we add a fifth requirement:

  5. commutativity: $a + b = b + a$,

then the group is called an abelian group.

With the usual notion of addition, the set of integer numbers $\mathbb{Z}$ is a group (moreover, it's an abelian group). The set of natural numbers $\mathbb{N}$ however is not a group, as the fourth property can't be satisfied.

Groups are nice because, if we can demonstrate that those four properties hold, we get some other properties for free. For example: the identity element is unique; also the inverses are unique, that is: for every $a$ there exists only one $b$ such that $a + b = 0$ (and we can write $b$ as $-a$). Either directly or indirectly, these and other facts about groups will be very important for us later.

The group law for elliptic curves

We can define a group over elliptic curves. Specifically:

  • the elements of the group are the points of an elliptic curve;
  • the identity element is the point at infinity 0;
  • the inverse of a point $P$ is the one symmetric about the $x$-axis;
  • addition is given by the following rule: given three aligned, non-zero points $P$, $Q$ and $R$, their sum is $P + Q + R = 0$.

The sum of three aligned points is 0.

Note that with the last rule, we only require three aligned points, and three points are aligned without respect to order. This means that, if $P$, $Q$ and $R$ are aligned, then $P + (Q + R) = Q + (P + R) = R + (P + Q) = \cdots = 0$. This way, we have intuitively proved that our + operator is both associative and commutative: we are in an abelian group.

So far, so good. But how do we actually compute the sum of two arbitrary points?

Geometric addition

Thanks to the fact that we are in an abelian group, we can write $P + Q + R = 0$ as $P + Q = -R$. This equation, in this form, lets us derive a geometric method to compute the sum between two points $P$ and $Q$: if we draw a line passing through $P$ and $Q$, this line will intersect a third point on the curve, $R$ (this is implied by the fact that $P$, $Q$ and $R$ are aligned). If we take the inverse of this point, $-R$, we have found the result of $P + Q$.

Draw the line through $P$ and $Q$. The line intersects a third point $R$. The point symmetric to it, $-R$, is the result of $P + Q$.

This geometric method works but needs some refinement. Particularly, we need to answer a few questions:

  • What if $P = 0$ or $Q = 0$? Certainly, we can't draw any line (0 is not on the $xy$-plane). But given that we have defined 0 as the identity element, $P + 0 = P$ and $0 + Q = Q$, for any $P$ and for any $Q$.
  • What if $P = -Q$? In this case, the line going through the two points is vertical, and does not intersect any third point. But if $P$ is the inverse of $Q$, then we have $P + Q = P + (-P) = 0$ from the definition of inverse.
  • What if $P = Q$? In this case, there are infinitely many lines passing through the point. Here things start getting a bit more complicated. But consider a point $Q' \ne P$. What happens if we make $Q'$ approach $P$, getting closer and closer to it?
    As the two points become closer together, the line passing through them becomes tangent to the curve.
    As $Q'$ tends towards $P$, the line passing through $P$ and $Q'$ becomes tangent to the curve. In the light of this we can say that $P + P = -R$, where $R$ is the point of intersection between the curve and the line tangent to the curve in $P$.
  • What if $P \ne Q$, but there is no third point $R$? We are in a case very similar to the previous one. In fact, we are in the case where the line passing through $P$ and $Q$ is tangent to the curve.
    If our line intersects just two points, then it means that it's tangent to the curve. It's easy to see how the result of the sum becomes symmetric to one of the two points.
    Let's assume that $P$ is the tangency point. In the previous case, we would have written $P + P = -Q$. That equation now becomes $P + Q = -P$. If, on the other hand, $Q$ were the tangency point, the correct equation would have been $P + Q = -Q$.

The geometric method is now complete and covers all cases. With a pencil and a ruler we are able to perform addition involving every point of any elliptic curve. If you want to try, have a look at the HTML5/JavaScript visual tool I've built for computing sums on elliptic curves!

Algebraic addition

If we want a computer to perform point addition, we need to turn the geometric method into an algebraic method. Transforming the rules described above into a set of equations may seem straightforward, but actually it can be really tedious because it requires solving cubic equations. For this reason, here I will report only the results.

First, let's get rid of the most annoying corner cases. We already know that $P + (-P) = 0$, and we also know that $P + 0 = 0 + P = P$. So, in our equations, we will avoid these two cases and we will only consider two non-zero, non-symmetric points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$.

If $P$ and $Q$ are distinct ($x_P \ne x_Q$), the line through them has slope: $$m = \frac{y_P - y_Q}{x_P - x_Q}$$

The intersection of this line with the elliptic curve is a third point $R = (x_R, y_R)$: $$\begin{align*} x_R & = m^2 - x_P - x_Q \\ y_R & = y_P + m(x_R - x_P) \end{align*}$$

or, equivalently: $$y_R = y_Q + m(x_R - x_Q)$$

Hence $(x_P, y_P) + (x_Q, y_Q) = (x_R, -y_R)$ (pay attention at the signs and remember that $P + Q = -R$).

If we wanted to check whether this result is right, we would have had to check whether $R$ belongs to the curve and whether $P$, $Q$ and $R$ are aligned. Checking whether the points are aligned is trivial, checking that $R$ belongs to the curve is not, as we would need to solve a cubic equation, which is not fun at all.

Instead, let's play with an example: according to our visual tool, given $P = (1, 2)$ and $Q = (3, 4)$ over the curve $y^2 = x^3 - 7x + 10$, their sum is $P + Q = -R = (-3, 2)$. Let's see if our equations agree: $$\begin{align*} m & = \frac{y_P - y_Q}{x_P - x_Q} = \frac{2 - 4}{1 - 3} = 1 \\ x_R & = m^2 - x_P - x_Q = 1^2 - 1 - 3 = -3 \\ y_R & = y_P + m(x_R - x_P) = 2 + 1 \cdot (-3 - 1) = -2 \\ & = y_Q + m(x_R - x_Q) = 4 + 1 \cdot (-3 - 3) = -2 \end{align*}$$

Yes, this is right!

Note that these equations work even if one of $P$ or $Q$ is a tangency point. Let's try with $P = (-1, 4)$ and $Q = (1, 2)$. $$\begin{align*} m & = \frac{y_P - y_Q}{x_P - x_Q} = \frac{4 - 2}{-1 - 1} = -1 \\ x_R & = m^2 - x_P - x_Q = (-1)^2 - (-1) - 1 = 1 \\ y_R & = y_P + m(x_R - x_P) = 4 + (-1) \cdot (1 - (-1)) = 2 \end{align*}$$

We get the result $P + Q = (1, -2)$, which is the same result given by the visual tool.

The case $P = Q$ needs to be treated a bit differently: the equations for $x_R$ and $y_R$ are the same, but given that $x_P = x_Q$, we must use a different equation for the slope: $$m = \frac{3 x_P^2 + a}{2 y_P}$$

Note that, as we would expect, this expression for $m$ is the first derivative of: $$y_P = \pm \sqrt{x_P^3 + ax_P + b}$$

To prove the validity of this result it is enough to check that $R$ belongs to the curve and that the line passing through $P$ and $R$ has only two intersections with the curve. But again, we don't prove this fact, and instead try with an example: $P = Q = (1, 2)$. $$\begin{align*} m & = \frac{3x_P^2 + a}{2 y_P} = \frac{3 \cdot 1^2 - 7}{2 \cdot 2} = -1 \\ x_R & = m^2 - x_P - x_Q = (-1)^2 - 1 - 1 = -1 \\ y_R & = y_P + m(x_R - x_P) = 2 + (-1) \cdot (-1 - 1) = 4 \end{align*}$$

Which gives us $P + P = -R = (-1, -4)$. Correct!

Although the procedure to derive them can be really tedious, our equations are pretty compact. This is thanks to Weierstrass normal form: without it, these equations could have been really long and complicated!

Scalar multiplication

Other than addition, we can define another operation: scalar multiplication, that is: $$nP = \underbrace{P + P + \cdots + P}_{n\ \text{times}}$$

where $n$ is a natural number. I've written a visual tool for scalar multiplication too, if you want to play with that.

Written in that form, it may seem that calculating $nP$ requires $n$ additions. If $n$ has $k$ binary digits, then our algorithm would be $O(2^k)$, which is not really good. But there exist faster algorithms.

One of them is the double and add algorithm. Its principle of operation can be better explained with an example. Take $n = 151$. Its binary representation is $10010111_2$. This binary representation can be turned into a sum of powers of two: $$\begin{align*} 151 & = 1 \cdot 2^7 + 0 \cdot 2^6 + 0 \cdot 2^5 + 1 \cdot 2^4 + 0 \cdot 2^3 + 1 \cdot 2^2 + 1 \cdot 2^1 + 1 \cdot 2^0 \\ & = 2^7 + 2^4 + 2^2 + 2^1 + 2^0 \end{align*}$$

(We have taken each binary digit of $n$ and multiplied it by a power of two.)

In view of this, we can write: $$151 \cdot P = 2^7 P + 2^4 P + 2^2 P + 2^1 P + 2^0 P$$

What the double and add algorithm tells us to do is:

  • Take $P$.
  • Double it, so that we get $2P$.
  • Add $2P$ to $P$ (in order to get the result of $2^1P + 2^0P$).
  • Double $2P$, so that we get $2^2P$.
  • Add it to our result (so that we get $2^2P + 2^1P + 2^0P$).
  • Double $2^2P$ to get $2^3P$.
  • Don't perform any addition involving $2^3P$.
  • Double $2^3P$ to get $2^4P$.
  • Add it to our result (so that we get $2^4P + 2^2P + 2^1P + 2^0P$).
  • ...

In the end, we can compute $151 \cdot P$ performing just seven doublings and four additions.

If this is not clear enough, here's a Python script that implements the algorithm:

```python
def bits(n):
    """
    Generates the binary digits of n, starting
    from the least significant bit.

    bits(151) -> 1, 1, 1, 0, 1, 0, 0, 1
    """
    while n:
        yield n & 1
        n >>= 1


def double_and_add(n, x):
    """
    Returns the result of n * x, computed using
    the double and add algorithm.
    """
    result = 0
    addend = x

    for bit in bits(n):
        if bit == 1:
            result += addend
        addend *= 2

    return result
```

If doubling and adding are both $O(1)$ operations, then this algorithm is $O(\log n)$ (or $O(k)$ if we consider the bit length), which is pretty good. Surely much better than the initial $O(n)$ algorithm!
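As an added example that is not code from the original post, here are the point-addition formulas of the "Algebraic addition" section and the double-and-add loop above applied to actual curve points rather than integers. It uses exact rational arithmetic (Python's `fractions` module) so the worked examples on $y^2 = x^3 - 7x + 10$ can be checked exactly, and it handles the corner cases the text set aside (the point at infinity, $P = -Q$, and $P = Q$); the function names and the `None` encoding of the point at infinity are my own choices.

```python
from fractions import Fraction as F

# Added example, not the post's own code. Points are (x, y) pairs of exact
# rationals on y^2 = x^3 + a*x + b; the point at infinity 0 is encoded as None.

def on_curve(a, b, P):
    """True if P is the point at infinity or satisfies the curve equation."""
    if P is None:
        return True
    x, y = P
    return y * y == x ** 3 + a * x + b

def add(a, b, P, Q):
    """P + Q using the chord-and-tangent formulas from the post."""
    if P is None:                    # 0 + Q = Q
        return Q
    if Q is None:                    # P + 0 = P
        return P
    xP, yP = F(P[0]), F(P[1])
    xQ, yQ = F(Q[0]), F(Q[1])
    if xP == xQ and yP != yQ:        # P = -Q: vertical line, no third point
        return None
    if xP == xQ:                     # P = Q: slope of the tangent line
        if yP == 0:                  # vertical tangent, so P + P = 0
            return None
        m = (3 * xP * xP + a) / (2 * yP)
    else:                            # distinct x: slope of the chord
        m = (yP - yQ) / (xP - xQ)
    xR = m * m - xP - xQ             # third intersection point R
    yR = yP + m * (xR - xP)
    return (xR, -yR)                 # P + Q = -R

def mul(a, b, n, P):
    """n * P by double-and-add, consuming n from the least significant bit."""
    result, addend = None, P
    while n:
        if n & 1:
            result = add(a, b, result, addend)
        addend = add(a, b, addend, addend)
        n >>= 1
    return result

def mul_naive(a, b, n, P):
    """n * P by n repeated additions; only used to cross-check mul()."""
    result = None
    for _ in range(n):
        result = add(a, b, result, P)
    return result

if __name__ == "__main__":
    a, b = -7, 10                    # the curve used in the post's examples
    print(add(a, b, (1, 2), (3, 4)))  # (-3, 2) as Fractions, as in the post
    print(mul(a, b, 151, (1, 2)) == mul_naive(a, b, 151, (1, 2)))
```

Because the arithmetic is exact, the equality of the double-and-add result with 151 naive additions is a genuine check of the group law, not a floating-point coincidence.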

Logarithm

Given $n$ and $P$, we now have at least one polynomial time algorithm for calculating $Q = nP$. But what about the other way round? What if we know $Q$ and $P$ and need to find out $n$? This problem is known as the logarithm problem. We call it "logarithm" instead of "division" for conformity with other cryptosystems (where instead of multiplication we have exponentiation).

I don't know of any "easy" algorithm for the logarithm problem, however playing with multiplication it's easy to see some patterns. For instance, take the curve $y^2 = x^3 - 3x + 1$ and the point $P = (0, 1)$. We can immediately verify that, if $n$ is odd, $nP$ is on the curve on the left semiplane; if $n$ is even, $nP$ is on the curve on the right semiplane. If we experimented more, we could probably find more patterns that eventually could lead us to write an algorithm for calculating the logarithm on that curve efficiently.

But there's a variant of the logarithm problem: the discrete logarithm problem. As we will see in the next post, if we reduce the domain of our elliptic curves, scalar multiplication remains "easy", while the discrete logarithm becomes a "hard" problem. This duality is the key brick of elliptic curve cryptography.

See you next week

That's all for today, I hope you enjoyed this post! Next week we will discover finite fields and the discrete logarithm problem, along with examples and tools to play with. If this stuff sounds interesting to you, then stay tuned!

Read the next post of the series »


Source: https://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/
