CNS Unit 3

Uploaded by

vinaydarling063
UNIT-3

ELLIPTIC CURVE CRYPTOGRAPHY

ELGAMAL SYSTEM

Along with RSA, there are other public-key cryptosystems proposed. Many of them are based on
different versions of the Discrete Logarithm Problem.

ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete Logarithm Problem. It
derives the strength from the assumption that the discrete logarithms cannot be found in practical time
frame for a given number, while the inverse operation of the power can be computed efficiently.

Let us go through a simple version of ElGamal that works with numbers modulo p. In the case of elliptic
curve variants, it is based on quite different number systems.

Generation of ElGamal Key Pair

Each user of the ElGamal cryptosystem generates a key pair as follows:

• Choosing a large prime p. Generally, a prime number of 1024 to 2048 bits length is chosen.
• Choosing a generator element g.
  o This number must be between 1 and p - 1, but cannot be any number.
  o It is a generator of the multiplicative group of integers modulo p. This means for every
    integer m co-prime to p, there is an integer k such that g^k = m mod p. For example, 3 is
    a generator of group 5 (Z5 = {1, 2, 3, 4}).

n    3^n    3^n mod 5
1    3      3
2    9      4
3    27     2
4    81     1

• Choosing the private key. The private key x is any number bigger than 1 and smaller than p-1.
• Computing part of the public key. The value y is computed from the parameters p, g and the
  private key x as follows: y = g^x mod p
• Obtaining the public key. The ElGamal public key consists of the three parameters (p, g, y).

For example, suppose that p = 17 and that g = 6 (it can be confirmed that 6 is a generator of group Z17).
The private key x can be any number bigger than 1 and smaller than 71, so we choose x = 5. The value y
is then computed as follows: y = 6^5 mod 17 = 7

• Thus, the private key is 62 and the public key is (17, 6, 7).

Encryption and Decryption

The generation of an ElGamal key pair is comparatively simpler than the equivalent process for RSA. But
the encryption and decryption are slightly more complex than RSA.

ElGamal Encryption

Suppose the sender wishes to send a plaintext to someone whose ElGamal public key is (p, g, y). Then:

• The sender represents the plaintext as a series of numbers modulo p.
• To encrypt the first plaintext P, which is represented as a number modulo p, the encryption
  process to obtain the ciphertext C is as follows:
  o Randomly generate a number k;
  o Compute two values C1 and C2, where
    C1 = g^k mod p
    C2 = (P*y^k) mod p
• Send the ciphertext C, consisting of the two separate values (C1, C2), sent together.
• Referring to our ElGamal key generation example given above, the plaintext P = 13 is encrypted
  as follows:
  o Randomly generate a number, say k = 10
  o Compute the two values C1 and C2, where
    C1 = 6^10 mod 17
    C2 = (13*7^10) mod 17 = 9
  o Send the ciphertext C = (C1, C2) = (15, 9).

ElGamal Decryption

• To decrypt the ciphertext (C1, C2) using private key x, the following two steps are taken:
  o Compute the modular inverse of (C1)^x modulo p, which is (C1)^-x, generally referred to as the
    decryption factor.
  o Obtain the plaintext by using the following formula:
    C2 × (C1)^-x mod p = Plaintext
• In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private key x = 5, the
  decryption factor is 15^-5 mod 17 = 9
• Extract plaintext P = (9 × 9) mod 17 = 13.

ElGamal Analysis

In the ElGamal system, each user has a private key x and a public key with three components: prime
modulus p, generator g, and public y = g^x mod p. The strength of ElGamal is based on the difficulty
of the discrete logarithm problem. The secure key size is generally > 1024 bits. Today even 2048-bit
keys are used. On the processing speed front, ElGamal is quite slow; it is used mainly for key
authentication protocols. Due to higher processing efficiency, elliptic curve variants of ElGamal are
becoming increasingly popular.

SCHNORR SIGNATURE SCHEME

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm
that was described by Claus Schnorr. It is a digital signature scheme known for its simplicity; it is efficient
and generates short signatures. It is one of the protocols used to implement “Proof of Knowledge”.

In cryptography, a proof of knowledge is an interactive proof in which the prover succeeds in
‘convincing’ a verifier that the prover knows something ‘X’. For a machine, to know ‘X’ is defined in terms
of computation: a machine knows ‘X’ if this ‘X’ can be computed. The verifier either accepts or rejects
the proof. The signature proof is supposed to convince the verifier that they are communicating with a
user who knows the private key corresponding to the public key. In other words, the verifier should be
convinced that they are communicating with the prover without knowing the private key.

Schnorr Digital Signature to implement Zero Knowledge Proof

Let’s take an example of two friends, Sachin and
Sanchita. Sanchita has announced to the world that she has a public key and can accept and receive
information through it. Sachin thinks that Sanchita is lying. Sanchita wants to prove her honesty without
showing her private keys. Here is where Schnorr’s protocol will help us. Consider the following
parameters:

p, q, a, s, v, r, X, y

where,

“p” is any prime number

“q” is a factor of p-1

“a” such that a^q = 1 mod p

The above three variables are global and public which means anyone can see these three variables at a
given scenario. We will have two keys.

“s” is the secret key or the private key (0<s<q).

“v” is the public key = a^-s mod q.

The public key “v” will be global and public knowledge along with p, q and a. However, only Sanchita will
have the knowledge of the private key “s”. Now Sanchita wants to sign and send an encrypted message
“M”. She will follow these steps to use Schnorr’s signature:

1. She will first choose a random number “r” such that 0<r<q.
2. She will now compute a value X such that: X = a^r mod p.
3. Now that she has computed the value of X, she is going to concatenate this with the original
message (same as string concatenation). So, she is going to concatenate M and X to get M||X,
and she is going to store the hash of this value in e.

e = H(M||X) where H() is the hash function

4. She is going to get a value “y” such that:

y = (r + s*e) mod q

Now that all the computations are over, she is going to send the following to Sachin:

1. The message “M”.
2. The signatures e and y.

Along with this, Sachin has the following public pieces of information:

1. Sanchita’s public key “v”.
2. The prime number “p” that Sanchita chose.
3. “q”, which is the factor of “p-1” that Sanchita chose.
4. “a” such that a^q = 1 mod p, chosen by Sanchita.

Now, Sachin will have to compute X’ such that:

X’ = a^y * v^e mod p

We know that v = a^-s, let’s substitute that in the equation above and we get:

X’ = a^y * a^-se = a ^ (y-s*e)

Now we also know that,

y = r + s*e

Which means:

r = y-s*e

Let’s substitute this value in the equation above:

We get: X’= a^r

As we have already seen above:

X= a^r

So technically:

X = X’

But Sachin doesn’t know the value of “X” because he never received that value. All that he received are
the following: the message M, the signatures (e and y) and the host of public variables (public key “v”, p,
q, and a). So he is going to solve for e by doing the following:

e = H(M||X’)

Note that earlier we solved for e by doing:

e = H(M||X)

So, by that logic, if the two values of e come up to be the same then that means

X = X’

This follows all three Properties of Zero Knowledge Proof:

1. Completeness - Sachin was convinced of Sanchita’s honesty because at the end X = X’.
2. Soundness - The plan was sound because Sanchita only had one way to prove her honesty and
that was through her private key.
3. Zero Knowledge - Sachin never got to know about Sanchita’s private key.
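
The signing and verification exchange between Sanchita and Sachin, as an added Python example that is not part of the original notes. Assumptions: the toy parameters p = 2039, q = 1019, a = 4 are constructed for illustration, SHA-256 stands in for H, X is appended to M as a decimal string, and v is reduced modulo p, the modulus in which the verification equation X’ = a^y * v^e mod p is evaluated.

```python
import hashlib
import secrets

# Toy public parameters (constructed): q divides p - 1 and a has order q modulo p.
P, Q, A = 2039, 1019, 4


def check_parameters():
    """The public conditions on (p, q, a): q | p-1, a != 1 and a^q = 1 mod p."""
    return (P - 1) % Q == 0 and A != 1 and pow(A, Q, P) == 1


def H(message, x_value):
    """e = H(M || X): SHA-256 over the message followed by X written in decimal."""
    data = message + str(x_value).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    """Private key s with 0 < s < q, public key v = a^-s mod p."""
    s = secrets.randbelow(Q - 1) + 1
    v = pow(A, -s, P)                  # negative exponent = modular inverse (Python 3.8+)
    return s, v


def sign(message, s):
    """Signer's steps 1-4: pick r, compute X = a^r, e = H(M||X), y = (r + s*e) mod q."""
    r = secrets.randbelow(Q - 1) + 1   # fresh random r for every signature
    X = pow(A, r, P)
    e = H(message, X)
    y = (r + s * e) % Q
    return e, y


def verify(message, signature, v):
    """Verifier's side: rebuild X' = a^y * v^e mod p and compare H(M||X') with e."""
    e, y = signature
    if not 0 <= y < Q:
        return False
    X_prime = (pow(A, y, P) * pow(v, e, P)) % P
    return H(message, X_prime) == e


if __name__ == "__main__":
    s, v = keygen()
    sig = sign(b"hello Sachin", s)
    print(verify(b"hello Sachin", sig, v), verify(b"hello Sachim", sig, v))
```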

ELGAMAL DIGITAL SIGNATURE SCHEME

The ElGamal Digital Signature Scheme is a public key cryptographic algorithm used for generating and
verifying digital signatures. It is based on the principles of the ElGamal encryption system and the
discrete logarithm problem.

The ElGamal Digital Signature Scheme involves the following steps for generating and verifying digital
signatures:

1. Key Generation: A user generates a public key and a private key. The public key consists of the values
p, g, and y, where p is a large prime number, g is a generator of the multiplicative group modulo p, and
y = g^x mod p, where x is the private key.

2. Signing: To sign a message M, the signer performs the following steps:

a. Generate a random number k such that 1 < k < p-1.

b. Calculate r = g^k mod p.

c. Calculate h = hash(M), where hash is a fixed-size hash function.

d. Calculate s = (h - xr)*k^-1 mod (p-1).

e. The signature of the message M is the pair (r, s).

3. Verifying: To verify the signature (r, s) of a message M, the verifier performs the following steps:

a. Verify that 1 < r < p-1 and 0 < s < p-1. If either condition is not satisfied, the signature is invalid.

b. Calculate h = hash(M).

c. Calculate v1 = (y^r * r^s) mod p.

d. Calculate v2 = g^h mod p.

e. If v1 = v2, the signature is valid. Otherwise, the signature is invalid.

The ElGamal Digital Signature Scheme uses a fixed-size hash function to produce a message digest,
which is then used to generate and verify digital signatures. The private key is used to sign the message,
and the public key is used to verify the signature.
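
The three steps above as an added Python example, not part of the original notes. Assumptions: the toy parameters p = 2039 and g = 7 are constructed for illustration, SHA-256 plays the role of hash, and the signer also discards any k that has no inverse modulo p-1 (step 2d needs k^-1) and any signature with s = 0 (step 3a would reject it).

```python
import hashlib
import math
import secrets

# Toy parameters (constructed): 2039 is prime and 7 generates the multiplicative group mod 2039.
P, G = 2039, 7


def digest(message):
    """h = hash(M) as an integer (SHA-256 here)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def keygen():
    """Private key x with 1 < x < p-1 and public value y = g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def sign(message, x):
    """Steps 2a-2e: r = g^k mod p, s = (h - x*r) * k^-1 mod (p-1)."""
    h = digest(message)
    while True:
        k = secrets.randbelow(P - 3) + 2          # 1 < k < p-1, fresh for every signature
        if math.gcd(k, P - 1) != 1:
            continue                              # k^-1 mod (p-1) would not exist
        r = pow(G, k, P)
        s = ((h - x * r) * pow(k, -1, P - 1)) % (P - 1)
        if s != 0:                                # the verifier rejects s = 0
            return r, s


def verify(message, signature, y):
    """Steps 3a-3e: range check first, then compare y^r * r^s with g^h modulo p."""
    r, s = signature
    if not (1 < r < P - 1 and 0 < s < P - 1):
        return False
    v1 = (pow(y, r, P) * pow(r, s, P)) % P
    v2 = pow(G, digest(message), P)
    return v1 == v2


if __name__ == "__main__":
    x, y = keygen()
    sig = sign(b"pay 5", x)
    print(sig, verify(b"pay 5", sig, y))
```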

The ElGamal Digital Signature Scheme provides several advantages over other digital signature
algorithms. It is relatively easy to implement and provides a high level of security against attacks,
including forgery, tampering, and impersonation. Additionally, the algorithm provides a high level of key
security, as the private key is never transmitted or shared.

However, the ElGamal Digital Signature Scheme also has limitations. It is computationally intensive and
requires large key sizes to ensure security. Additionally, it is vulnerable to certain attacks, such as key
compromise and side-channel attacks.

Overall, the ElGamal Digital Signature Scheme is an important cryptographic tool for secure digital
communication and transactions. Its efficient and secure nature has made it a popular choice for digital
signature applications.


DIGITAL SIGNATURE

Digital signatures are the public-key primitives of message authentication. In the physical world, it is
common to use handwritten signatures on handwritten or typed messages. They are used to bind the
signatory to the message.

Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can
be independently verified by the receiver as well as any third party.

A digital signature is a cryptographic value that is calculated from the data and a secret key known only by
the signer.

In the real world, the receiver of a message needs assurance that the message belongs to the sender and he
should not be able to repudiate the origination of that message. This requirement is very crucial in
business applications, since the likelihood of a dispute over exchanged data is very high.

The most important development from the work on public key encryption is the digital signature. The
digital signature provides a set of security capabilities that would be difficult to implement in any other
way.

A digital signature is an authentication mechanism that enables the creator of a message to attach a
code that acts as a signature. Typically, the signature is formed by taking the hash of the message and
encrypting the message with the creator’s private key. The signature guarantees the source and integrity
of the message.

The digital signature standard (DSS) is an NIST (National Institute of Standards and Technology) standard that uses
the secure hash algorithm (SHA).

[Figure: Generic Model of Digital Signature Process]

Message authentication protects two parties who exchange messages from any third party. However, it does
not protect the two parties against each other. Several forms of dispute between the two parties are possible. For example,
suppose that John sends an authenticated message to Mary, using one of the message
encryption schemes. Here, we have to consider the following disputes that could arise.

1. Mary may forge a different message and claim that it came from John. Mary would simply have
to create a message and append an authentication code using the key that John and Mary share.

2. John can deny sending the message. Because it is possible for Mary to forge a message, there is no
way to prove that John did in fact send the message.

In situations where there is not complete trust between sender and receiver, something more than
authentication is needed. The most attractive solution to this problem is the digital signature. The digital
signature must have the following properties:

• It must verify the author and the date and time of the signature.
• It must authenticate the contents at the time of the signature.
• It must be verifiable by third parties, to resolve disputes.

Thus, the digital signature function includes the authentication function.

[Figure: Simplified Depiction of Essential Elements of Digital Signature Process]

Attacks and Forgeries

Here A denotes the user whose signature method is being attacked, and C denotes the attacker.

• Key-only attack: C only knows A’s public key.
• Known message attack: C is given access to a set of messages and their signatures.
• Generic chosen message attack: C chooses a list of messages before attempting to break A’s
  signature scheme.
• Directed chosen message attack: Similar to the generic attack, except that the list of messages
  to be signed is chosen after C knows A’s public key but before any signatures are seen.
• Adaptive chosen message attack: C is allowed to use A as an “oracle”. This means that C may
  request signatures of messages that depend on previously obtained message-signature pairs.
• Total break: C determines A’s private key.
• Universal forgery: C finds an efficient signing algorithm that provides an equivalent way of
  constructing signatures on arbitrary messages.
• Selective forgery: C forges a signature for a particular message chosen by C.
• Existential forgery: C forges a signature for at least one message. C has no control over the
  message. Consequently, this forgery may only be a minor nuisance to A.

Digital Signature Requirements

On the basis of the properties and attacks just discussed, we can formulate the following requirements
for a digital signature.

• The signature must be a bit pattern that depends on the message being signed.
• The signature must use some information unique to the sender to prevent both forgery and
  denial.
• It must be relatively easy to produce the digital signature.
• It must be relatively easy to recognize and verify the digital signature.
• It must be computationally infeasible to forge a digital signature, either by constructing a new
  message for an existing digital signature or by constructing a fraudulent digital signature for a
  given message.
• It must be practical to retain a copy of the digital signature in storage.

A secure hash function, embedded in such a scheme, provides a basis for satisfying these
requirements.

Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of
the digital signature scheme is depicted in the following illustration.

The following points explain the entire process in detail:

• Each person adopting this scheme has a public-private key pair.
• Generally, the key pairs used for encryption/decryption and signing/verifying are different. The
  private key used for signing is referred to as the signature key and the public key as the
  verification key.
• The signer feeds data to the hash function and generates the hash of the data.
• The hash value and signature key are then fed to the signature algorithm, which produces the digital
  signature on the given hash. The signature is appended to the data and then both are sent to the
  verifier.
• The verifier feeds the digital signature and the verification key into the verification algorithm. The
  verification algorithm gives some value as output.
• The verifier also runs the same hash function on the received data to generate a hash value.
• For verification, this hash value and the output of the verification algorithm are compared. Based on the
  comparison result, the verifier decides whether the digital signature is valid.
• Since the digital signature is created by the ‘private’ key of the signer and no one else can have this key, the
  signer cannot repudiate signing the data in future.

It should be noticed that instead of signing data directly by the signing algorithm, usually a hash of the data is
created. Since the hash of the data is a unique representation of the data, it is sufficient to sign the hash in place
of the data. The most important reason for using the hash instead of the data directly for signing is the efficiency of the
scheme.

Let us assume RSA is used as the signing algorithm. As discussed in public key encryption chapter, the
encryption/signing process using RSA involves modular exponentiation.

Signing large data through modular exponentiation is computationally expensive and time consuming.
The hash of the data is a relatively small digest of the data, hence signing a hash is more efficient than
signing the entire data.

Importance of Digital Signature

Out of all cryptographic primitives, the digital signature using public key cryptography is considered a
very important and useful tool to achieve information security.

Apart from the ability to provide non-repudiation of a message, the digital signature also provides message
authentication and data integrity. Let us briefly see how this is achieved by the digital signature:

• Message authentication - When the verifier validates the digital signature using the public key of a
  sender, he is assured that the signature has been created only by the sender who possesses the
  corresponding secret private key and no one else.
• Data integrity - In case an attacker has access to the data and modifies it, the digital signature
  verification at the receiver end fails. The hash of the modified data and the output provided by the
  verification algorithm will not match. Hence, the receiver can safely deny the message assuming
  that data integrity has been breached.
• Non-repudiation - Since it is assumed that only the signer has the knowledge of the signature
  key, he can only create a unique signature on given data. Thus, the receiver can present the data
  and the digital signature to a third party as evidence if any dispute arises in the future.

By adding public-key encryption to the digital signature scheme, we can create a cryptosystem that can
provide the four essential elements of security, namely Privacy, Authentication, Integrity, and
Non-repudiation.

Encryption with Digital Signature

In many digital communications, it is desirable to exchange encrypted messages rather than plaintext to
achieve confidentiality. In a public key encryption scheme, a public (encryption) key of the sender is available
in the open domain, and hence anyone can spoof his identity and send any encrypted message to the
receiver.

This makes it essential for users employing PKC for encryption to seek digital signatures along with
encrypted data to be assured of message authentication and non-repudiation.

This can be achieved by combining digital signatures with an encryption scheme. Let us briefly discuss how
to achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign.

However, the cryptosystem based on sign-then-encrypt can be exploited by the receiver to spoof the identity of
the sender and send that data to a third party. Hence, this method is not preferred. The process of
encrypt-then-sign is more reliable and widely adopted. This is depicted in the following illustration.

The receiver, after receiving the encrypted data and the signature on it, first verifies the signature using
the sender’s public key. After ensuring the validity of the signature, he then retrieves the data through
decryption using his private key.

DIGITAL SIGNATURE ALGORITHM

The first part of the DSA algorithm is the public key and private key generation, which proceeds as
follows:

• First, choose a prime number q, which is called the prime divisor.
• Then, choose another prime number p, such that p-1 mod q = 0. p is called the prime modulus.
• Then, choose an integer g, such that 1 < g < p, g**q mod p = 1 and g = h**((p–1)/q) mod p. q is
  also called g's multiplicative order modulo p.
• Then, choose an integer x, such that 0 < x < q.
• Now, compute y as g**x mod p.
• Package the public key as {p,q,g,y}.
• Package the private key as {p,q,g,x}.

The second part of the DSA algorithm is the signature generation and signature verification.

To generate a message signature, the sender can follow these steps:

• First, generate the message digest h, using a hash algorithm like SHA1.
• Then, generate a random number k, such that 0 < k < q.
• Then, compute r as (g**k mod p) mod q. If r = 0, select a different k.
• Compute i, such that k*i mod q = 1. i is called the modular multiplicative inverse of k
  modulo q.
• Then, compute s = i*(h+r*x) mod q. If s = 0, select a different k.
• Package the digital signature as {r,s}.

To verify a message signature, the receiver of the message and the digital signature can follow
these steps:

• First, generate the message digest h, using the same hash algorithm.
• Then, compute w, such that s*w mod q = 1. w is called the modular multiplicative inverse of s
  modulo q.
• Then, compute u1 = h*w mod q.
• Compute u2 = r*w mod q.
• Then, compute v = (((g**u1)*(y**u2)) mod p) mod q.
• If v == r, the digital signature is valid.

ELLIPTIC CURVE
An elliptic curve for current ECC purposes is a plane curve over a finite field which is made up of the
points satisfying the equation: y^2 = x^3 + ax + b. In this elliptic curve cryptography example, any point on the
curve can be mirrored over the x-axis and the curve will stay the same.

ECC is an alternative to the Rivest-Shamir-Adleman (RSA) cryptographic algorithm and is most often
used for digital signatures in cryptocurrencies, such as Bitcoin and Ethereum, as well as one-way
encryption of emails, data and software.

Such functions are powerful tools that were used to solve Fermat’s Last Theorem and are used in
cryptography to send private keys over public systems. Elliptic curves are also useful in factoring and
determining primality.

A point on an elliptic curve is an (x, y) pair that satisfies y^2 = x^3 + ax + b for a given a and b. For example,
the point (3, 6) is on the curve y^2 = x^3 + 9 because 6^2 = 3^3 + 9. In group theoretic terms, (3, 6) is a
member of the set defined by y^2 = x^3 + 9.

ELLIPTIC CURVE OVER THE REALS


Elliptic Curve Fundamentals:

An elliptic curve E over a field K is a cubic curve that consists of the points (x, y) satisfying the equation

y^2 = x^3 + ax + b

together with an element O called “the point at infinity”.

It is important to note that is in the simplified Weierstrass form and holds only for fields in which the
characteristic is not equal to 2 or 3.

Elliptic Curves over the Reals. First, to get the general idea of how operations over elliptic curves work,
we define the properties of elliptic curves over real numbers. The field of real numbers is used to get a
clearer idea of the visual representations of the curves and understand how the geometry of the points
on the curves works. An elliptic curve over the reals is defined by where a and b are real numbers. The
graph of the elliptic curve over real numbers consists of two components if its discriminant is positive
and of one component if it is negative. We now define the group law on elliptic curves which is useful
for cryptographic purposes. In this paper, we will use the geometric approach to introduce the group
law. Let’s suppose that O is a “point at infinity” and that all the vertical lines in the space where our
elliptic curve exists go through this point. Let E be an elliptic curve and let P and Q be two points on E.
The addition of the points on the curve is best illustrated by the following composition law. We will use
to denote the composition of two points.

If P, Q ϵ E and L is the line through Q and P (if P = Q, L is the line tangent to E at P) which intersects the
curve at the third point R, then the line L’ through O and R intersects E at the third point which we
denote PQ. Thus PQ is the point we get as a result of adding points P and Q on the curve.

The above law can be visualized on the elliptic curve in R .


We now claim that the points on the elliptic curve form an abelian group. This can be derived from the
properties of the composition law.

Elliptic Curves over Finite Fields. Let K = Fq be the finite field where q = p^r and E be an elliptic curve
defined over K. An elliptic curve over Fq is defined by where a, b ϵ Fq. The graph of an elliptic curve over a
finite field does not look as neat as the one over R: usually, it is just a discrete set of points.
Nevertheless, the set of points E(Fq) still forms a finite abelian group in Fq which is either cyclic or a
product of two cyclic groups. A group forms a finite number of points, a feature that enables precise
arithmetic to be performed with faster calculations and lower probability of a round-off error. For
example, the field Fq is widely used in practice mostly because of the convenience of mathematical
operations used in it. All the values produced by operations on the points within a field are reduced
modulo p and result in another point within the same field. Besides, every integer has a multiplicative
inverse modulo p, which is convenient for division in the field. An important piece of information regarding
elliptic curves over finite fields is the number of rational points they form. The value of the number of
points is essential for determining the difficulty of solving the discrete logarithm problem in E(Fq) and
ensures the security of the system, which depends on that value having a large prime factor. Since there
are q choices for each x and for each choice of x, there are at most 2 choices for y in the equation that
defines elliptic curves over the finite fields, E has at most 2q+1 Fq points counting O, the “point at infinity”.
Hasse’s theorem gives a more precise estimate of the number of points on E, bounding the value both
above and below:

|#E(Fq) - (q+1)| ≤ 2√q.



ELLIPTIC CURVES OVER GF(P)

Our previous elliptic curve group used a real field for calculations involved in adding points.
Cryptography requires modular arithmetic. We have defined an elliptic curve group with an addition
operation, but the operations on the coordinates of the points are over the GF(p) field with p > 3. In
modular arithmetic, the points on the curve do not make nice graphs as seen in the previous figures, but
the concept is the same. We use the same addition operation with the calculation done modulo p. We
call the resulting elliptic curve Ep(a, b), where p defines the modulus and a and b are the coefficients of
the equation y^2 = x^3 + ax + b. Note that although the value of x in this case ranges from 0 to p, normally not
all points are on the curve.

Finding an Inverse

The inverse of a point (x, y) is (x, -y), where -y is the additive inverse of y. For example, if p= 13, the
inverse of (4, 2) is (4, 11).

Finding Points on the Curve

The algorithm below shows the pseudocode for finding the points on the curve Ep(a, b).

Algorithm: Pseudocode for finding points on an elliptic curve

elliptic_curve_points (p, a, b)    // p is the modulus
{
    x ← 0
    while (x < p)
    {
        w ← (x^3 + ax + b) mod p    // w is y^2
        if (w is a perfect square in Zp) output (x, √w) (x, -√w)
        x ← x + 1
    }
}

Example

Define an elliptic curve E13(1, 1). The equation is y^2 = x^3 + x + 1 and the calculation is done modulo 13. Points
on the curve can be found as shown.

Figure: Points on an elliptic curve over GF(p)

ELLIPTIC CURVES MODULO A PRIME


Let the elliptic curve E modulo a prime p have N points. Then, p + 1 - 2√p ≤ N ≤ p + 1 + 2√p. When P is a
point on an elliptic curve and k is a positive integer, we write kP for the sum P + P + ... + P of k P’s.

Let p be a prime number. Consider an equation y^2 = x^3 + ax + b with a, b ϵ Fp = {0, 1, ..., p-1} (integers
modulo p) such that the cubic x^3 + ax + b has distinct roots. The group of points on E modulo p is

E(Fp) = {(x, y) ϵ Fp × Fp : y^2 = x^3 + ax + b} U {O}

An elliptic curve cryptosystem can be defined by picking a prime number as a maximum, a curve
equation and a public point on the curve. A private key is a number priv, and a public key is the public
point dotted with itself priv times.

PROPERTIES OF ELLIPTIC CURVES

ECC features smaller cipher texts, keys, and signatures, and faster generation of keys and signatures. Its
decryption and encryption speeds are moderately fast. ECC enables lower latency than inverse
throughout by computing signatures in two stages.

“Classical” point compression on elliptic curves consists of taking a point (x0, y0) on an elliptic curve y^2 =
F(x) and dropping its y-coordinate. To decompress (up to a sign ambiguity in the y-coordinate), use x0
and the equation of the elliptic curve to solve for y0.

COMPUTING POINT MULTIPLES ON ELLIPTIC CURVES


Definition of Point Addition

We wish to put a group structure on E(Q).

Geometrically, define point addition from the tangent-chord method where we want to find where a
tangent line or a chord intersects an elliptic curve at a third point. If P and Q are two points on the
curve, define the operation as finding a third point R’ = (x1, y1) on the curve so that P Q = R’. After R’ is
found, find its reflection across the x-axis and define this operation as point addition + so that P+Q = R
where R = (x1, -y1). The line connecting points P and Q shows the operations of and +.

We also define P+Q= ∞ whenever the line connecting P and Q is vertical. We use ∞ as a shorthand for
(0, 1, 0), which we saw earlier was the point for infinity for our elliptic curve. This is the point where all
vertical lines intersect in the projective plane and we identify this as the identity element so that
P+∞ = P for all P on the curve.
Let E be a projective elliptic curve defined by y2 = x3+ Ax+ B. Let P1 = (x1,y1) and P2 = (x2, y2) be points on
E. We can compute the addition of points into the following cases.

P1 + P2 = P3 = (X3, Y3).

1. For all points P, define P+∞ =P.

For a vertical line connecting P1 and ∞, then the line crosses E a third time at the reflection of P1 across
the x-axis. By definition of ,we find P1 ∞ = (x1,-y1), so that by definition of +,

P1+∞ = (x1, -(-y1) = P1,

which holds for all points P on E.

2. For P1 = P2 and y1, y2 ≠ 0,

we can find the slope of the line tangent to E by taking the derivative, finding

m = (3x1^2 + A) / (2y1).

We find the y-intercept b of the tangent line by b = y1 - mx1. Thus the line tangent to the curve has
the equation y = mx + b. By substitution,

(mx + b)^2 = x^3 + Ax + B

0 = x^3 - m^2x^2 + ...

Note also that if x1, x2, x3 are the roots of any cubic, then

0 = (x - x1)(x - x2)(x - x3) = x^3 - (x1 + x2 + x3)x^2 + ...

We can relate the two equations by setting them equal to each other. Thus

x^3 - (x1 + x2 + x3)x^2 + ... = x^3 - m^2x^2 + ...

We set the coefficients of the x^2 terms equal to each other and obtain

x1 + x2 + x3 = m^2.

Since x1 = x2, then

x3 = m^2 - 2x1.

Therefore,

y’3 = mx3 + b

y3 = -y’3 = -(mx3 + y1 - mx1)

= m(x1 - x3) - y1

3. If x1 = x2 and y1 = -y2, then the line connecting the two points is vertical, since the slope
m = (y2 - y1) / (x2 - x1) = -2y1 / 0 is undefined.

If in this case y1 = y2 = 0, then P1 = P2 and dy/dx = (3x^2 + A)/0. Thus,

P1 + P2 = ∞.

4. If x1 ≠ x2,

we find the slope of the line between the two points

m = (y2 - y1) / (x2 - x1).

Find x3 by subtracting the two known roots from m^2 so that

x3 = m^2 - x1 - x2.

Find y3 as in Case 2: y3 = m(x1 - x3) - y1


ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM
Another advantage of elliptic curve cryptography is that, just like the RSA cryptosystem, it gives the
parties the opportunity to “sign” their messages so that the receiver knows exactly who the message is
from. Let m be the message and n be the prime order of the subgroup generated by P.

Algorithm 1 Signature generation algorithm

1. procedure SIGGEN(m, n, P)
2.   Compute e = hash(m).
3.   z ← the l leftmost bits of e, where l is the bit length of n.
4.   Select k ∈R [1, n - 1].
5.   Compute (x1, y1) = kP.
6.   Compute r = x1 mod n.
7.   if r = 0 then
8.     Select a new k, back to step 4.
9.   Compute s = k^-1 (z + r·dA) mod n, where dA is Alice’s private key and k^-1 is the multiplicative
     inverse of k mod n.
10.  if s = 0 then
11.    Select a new k, back to step 4.
12.  Return (r, s).

Then Bob can verify Alice’s signature using Algorithm 2. He needs to obtain a copy of Alice’s public key
QA to accomplish this task.

Even though ECC shows many great advantages mentioned before, one of its main drawbacks is that the
domain parameters need to be computed in advance.

Algorithm 2 Signature verification algorithm

1. procedure SIGVER(E, n, QA, s, z, P, r)
2.   if QA ≠ O and QA ∈ E and nQA = O and r, s ∈ [1, n - 1] then
3.     Compute u1 = z·s^-1 mod n.
4.     Compute u2 = r·s^-1 mod n.
5.     Compute the point (x1, y1) = u1P + u2QA.
6.     if (x1, y1) ≠ O and r = x1 mod n then
7.       “The signature is valid”.
8.     else
9.       “The signature is invalid”.
10.  else
11.    “The signature is invalid”.
ELGAMAL SYSTEM ON ELLIPTIC CURVES
Let p be a prime, E a chosen elliptic curve over Fp, P a randomly chosen point on E, and n the order
of P. Let Q be the public key of the intended recipient of the enciphered message, generated in the same
way as in Diffie-Hellman key exchange. Let m represent the plaintext.

First of all, a sender Alice comes up with a public function f: m → M which maps a message m to a point
M on E. Then, she chooses a random value k such that k ∈R [1, n - 1] and computes C = kP. After that, she
gets a point M on the curve by computing M = f(m). Finally, she computes D = M + kQ. The ciphertext she
sends to Bob is the pair of points (C, D). Bob then uses his private key d to recover the plaintext:
he first computes M = D - dC and then m = f^-1(M).

We note that dC = d(kP) = k(dP) = kQ, so a third party who wishes to recover the value
of M needs to compute kQ. Computing kQ given the values kP and Q is the same discrete
logarithm problem introduced as part of the Diffie-Hellman key exchange.

EC ELGAMAL CRYPTOSYSTEM
Recall non-EC version:

1. Alice wants to send a message m s.t. 0 ≤ m < p to Bob.
2. Bob chooses a large prime p and a primitive root α. He also chooses a secret integer a and
computes β = α^a (mod p).
3. Bob makes (p, α, β) his public key and keeps the integer a secret.
4. Alice chooses a random k and computes y1 and y2, where y1 = α^k and y2 = β^k·m (mod p).
5. She sends (y1, y2) to Bob, who then decrypts by calculating m = y2·y1^-a (mod p).

EC ElGamal

1. Alice wants to send a message m to Bob.
2. Bob chooses an elliptic curve E mod p. He chooses a point α on E and a secret integer a. He
computes β = a × α.
3. The points α and β are made public, while a is kept secret.
4. Alice expresses her message as a point M on E. She chooses a random k, computes Y1 = k × α
and Y2 = M + k × β, and sends the pair (Y1, Y2) to Bob.
5. Bob decrypts by calculating M = Y2 - a × Y1.

Difficulties with EC ElGamal

There are some practical difficulties in implementing an EC ElGamal cryptosystem.

Message expansion: ElGamal has a message expansion factor of two. The EC version has a message
expansion factor of about because each ciphertext consists of four elements.
Message encoding: The plaintext space consists of points on curve E and there is no convenient method
to deterministically generate points on E. Koblitz’s method is one approach, but it might fail on some

A Better Elliptic Curve ElGamal Algorithm

Below is an improved algorithm (from Stinson’s book) based on the idea of “blinding” that allows any
message in Zp* to be encrypted.

EC ElGamal (improved version)

1. Alice wants to send a message m ∈ Zp* to Bob.
2. Bob chooses an elliptic curve E mod p. He chooses a point α on E and a secret integer a. He
computes β = a × α.
3. The points α and β are made public, while a is kept secret.
4. Alice chooses a random k and computes γ = k × β. She then computes Y1 = k × α and
Y2 = m·x0 mod p, where x0 is the x-coordinate of γ. She sends the pair (Y1, Y2) to Bob.
5. Bob decrypts by calculating γ = a × Y1, letting x0 be the x-coordinate of γ, and then calculating
m = Y2·x0^-1 mod p.

ELGAMAL EC DIGITAL SIGNATURE SCHEME

The ElGamal signature scheme is a digital signature scheme based on the algebraic properties of
modular exponentiation, together with the discrete logarithm problem. It was described by Taher
Elgamal in 1985.
A variant developed at the NSA and known as the Digital Signature Algorithm is much more widely
used. There are several other variants. The ElGamal signature scheme must not be confused
with ElGamal encryption which was also invented by Taher Elgamal.
The algorithm uses a key pair consisting of a public key and a private key. The private key is used to
generate a digital signature for a message, and such a signature can be verified by using the signer's
corresponding public key. The digital signature provides message authentication (the receiver can verify
the origin of the message), integrity (the receiver can verify that the message has not been modified
since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the
message).
The scheme involves four operations: key generation (which creates the key pair), key distribution,
signing and signature verification.

1. Key generation
Key generation has two phases. The first phase is a choice of algorithm parameters which may be shared
between different users of the system, while the second phase computes a single key pair for one user.

a. Parameter generation

• Choose a key length N.
• Choose an N-bit prime number p.
• Choose a cryptographic hash function H with output length L bits. If L > N, only the
leftmost N bits of the hash output are used.
• Choose a generator g < p of the multiplicative group of integers modulo p, Zp*.

The algorithm parameters are (p, g). These parameters may be shared between users of the system.

b. Per-user keys
Given a set of parameters, the second phase computes the key pair for a single user:

• Choose an integer x randomly from {1, ..., p - 2}.
• Compute y := g^x mod p.

x is the private key and y is the public key.

2. Key distribution
The signer should send the public key y to the receiver via a reliable, but not necessarily secret,
mechanism. The signer should keep the private key x secret.

3. Signing
A message m is signed as follows:
• Choose an integer k randomly from {2, ..., p - 2} with k relatively prime to p - 1.
• Compute r := g^k mod p.
• Compute s := (H(m) - xr)k^-1 mod (p - 1).
• In the unlikely event that s = 0, start again with a different random k.
The signature is (r, s).

4. Signature Verification
One can verify that a signature (r, s) is a valid signature for a message m as follows:
• Verify that 0 < r < p and 0 < s < p - 1.
• The signature is valid if and only if g^H(m) = y^r · r^s (mod p).
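The key generation, signing and verification steps above in runnable form, as an added example rather than code from the original notes. The parameters p = 467, g = 2, the key x = 127 and the nonce k = 213 used to exercise it are constructed toy values, far too small for real use, and the function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

P, G = 467, 2   # constructed toy parameters: 2 generates Z_467*; not a secure size

def digest(msg: bytes, p: int = P) -> int:
    """H(m) as an integer, keeping only the leftmost N bits (N = bit length of p)."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return h >> max(0, 256 - p.bit_length())

def keygen(p=P, g=G):
    x = secrets.randbelow(p - 2) + 1            # x in {1, ..., p-2}
    return x, pow(g, x, p)                      # (private key x, public key y)

def sign_digest(h, x, k, p=P, g=G):
    """Sign the integer digest h with nonce k; None means 'choose another k'."""
    if gcd(k, p - 1) != 1:                      # k must be invertible mod p-1
        return None
    r = pow(g, k, p)
    s = (h - x * r) * pow(k, -1, p - 1) % (p - 1)
    return (r, s) if s != 0 else None

def sign(msg: bytes, x, p=P, g=G):
    while True:
        k = secrets.randbelow(p - 3) + 2        # fresh k in {2, ..., p-2} per signature
        sig = sign_digest(digest(msg, p), x, k, p, g)
        if sig is not None:
            return sig

def verify(h, sig, y, p=P, g=G):
    """Check signature sig on the integer digest h under public key y."""
    r, s = sig
    if not (0 < r < p and 0 < s < p - 1):       # range check before any arithmetic
        return False
    return pow(g, h, p) == pow(y, r, p) * pow(r, s, p) % p

if __name__ == "__main__":
    x, y = keygen()
    msg = b"constructed sample message"
    sig = sign(msg, x)
    print(sig, verify(digest(msg), sig, y))
```

The range check is part of verification, not an optimisation: a pair with r outside 0 < r < p is rejected before the equation is evaluated at all.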

ELLIPTIC CURVE FACTORIZATION


Usefulness: Elliptic curve factorization (ECF) is a fast, intermediate method when factoring integers of
50 to 60 digits and is most commonly used to pull out small divisors (up to 20 to 30 digits) of a large
integer ([22], [20] p. 180). Pollard's p – 1 method may be useful for factoring numbers up to 10^7, the
quadratic sieve up to 10^75, and number sieve for numbers beyond that. These bounds are not hard and
fast rules for what researchers and computer programmers employ when deciding which algorithms to use
when factoring numbers; they are mentioned simply to give an idea of when different algorithms are put
into effect. ECF is also useful in that it can be run in parallel. As we will see below, several curves to be
explored can be built and tested at the same time. This allows the algorithm to be run on several
processors at once and to gain results in a reasonable amount of time.
ECF Overview. For a curve E in Weierstrass form, when computing the slope dy/dx = u/v (mod n) for some
n, one must compute v^-1 (mod n). If no such inverse exists, then v is not invertible, so gcd(v, n) ≠ 1 and v
and n share a common factor. For an n that one wishes to factor, the goal of ECF is to look for
non-invertible elements v (mod n) and then compute gcd(v, n) to find a non-trivial factor of n.
For example, consider the following elliptic curve E.
y^2 = x^3 + 3x (mod 15)
Consider the case of P = (9, 9). In order to find 2P, we must first find the slope m.
We know that
2y dy = (3x^2 + 3) dx (mod 15) → 3 dy = 6 dx (mod 15).
In order to find the slope, we must first multiply by the inverse of 3; however, gcd(3, 15) ≠ 1. Thus there is
no inverse, and 3 is non-invertible. We calculate gcd(3, 15) = 3, and 3 is a non-trivial factor of 15. We find
then that 15 is factored as 15 = 3 · 5. This method requires one to use enough elliptic curves Ei mod the
desired n and enough starting points Pi on the curves to find a point where one finds non-invertibility.
Here, we describe the steps to perform ECF.
Elliptic curves can be easily constructed by choosing parameters A, u, and v and computing
B = v^2 - u^3 - Au (mod n).
Thus, if we let u = x and v = y, then we have created an elliptic curve E: y^2 = x^3 + Ax + B (mod n) in normal
Weierstrass form modulo a chosen integer. The algorithm calls for several curves to be constructed and
tested simultaneously. We can let each Ei correspond to parameters (ui, vi, Ai). For example, working
with modulus 29, the reader can verify that the parameters (u1, v1, A1) = (10, 1, 3) produce the curve
E1: y^2 = x^3 + 3x + 15 (mod 29) with rational point (10, 1).

Example. Find a factorization of 332977.

For parameters (u1, v1, A1) we chose (10, 1, 3). After substituting into the formula for B above, this yields B = 331948. Thus
E1 = (10, 1, 3) → y^2 = x^3 + 3x + 331948.
Before finding C!, we find doubled points of P = (10, 1) such as 2P = (272665, 148403),
4P = (16212, 288709), etc. up to whatever 2^k-multiple of P is necessary until a contradiction is reached.
Calculating up to 9!P, we find the following:

2!P = 2P = (272665, 148403)

3!P = 6P = 2P + 4P = (216731, 197614)

4!P = 24P = 16P + 8P = (257684, 150650)

5!P = 120P = (64P + 32P) + 16P + 8P = (255384, 188904)

6!P = 720P = (512P + 128P) + 64P + 16P = (244293, 261270)

7!P = 5040P = (4096P + 512P) + 256P + 128P + 32P + 16P = (71093, 179000)

8!P = 40320P = 32768P + 4096P + 2048P + 1024P + 256P + 128P = (320501, 59583)

9!P = 362880P = [262144P + 65536P] + 32768P + 2048P + 256P + 128P = (294766, 283642) + (193877, 155420)

When trying to find the slope between these two points in order to perform the point addition, we find that
x1 - x2 = 294766 - 193877 = 100889 (mod 332977). After performing the Euclidean algorithm in order to
find 100889^-1 (mod 332977), we find gcd(100889, 332977) = 433. Thus we have found a factor of 433
and we find

332977 = 433 · 769.
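The four addition cases from the point-addition section, run modulo a composite n the way the factorization method above uses them, as an added example (not code from the original notes). The names add, mul, ecf and FactorFound are illustrative; B never appears in the formulas, so a curve is passed as its starting point (u, v) and A only.

```python
from math import gcd

class FactorFound(Exception):
    """A slope denominator was not invertible mod n; g = gcd(denominator, n)."""
    def __init__(self, g):
        self.g = g

def inv(v, n):
    g = gcd(v % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(v, -1, n)

def add(P, Q, A, n):
    """P + Q on y^2 = x^3 + Ax + B (mod n); None stands for the point at infinity."""
    if P is None:                                # case 1: infinity is the identity
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:          # case 3: vertical line
        return None
    if P == Q:                                   # case 2: tangent slope
        m = (3 * x1 * x1 + A) * inv(2 * y1, n)
    else:                                        # case 4: chord slope
        m = (y2 - y1) * inv(x2 - x1, n)
    x3 = (m * m - x1 - x2) % n
    return x3, (m * (x1 - x3) - y1) % n

def mul(k, P, A, n):
    """k*P by left-to-right double-and-add."""
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R, A, n)
        if bit == "1":
            R = add(R, P, A, n)
    return R

def ecf(n, P, A, bound):
    """Walk 2!P, 3!P, ..., bound!P; return a non-trivial factor of n, or None."""
    Q = P
    try:
        for k in range(2, bound + 1):
            Q = mul(k, Q, A, n)
    except FactorFound as e:
        return e.g if e.g < n else None
    return None

if __name__ == "__main__":
    print(ecf(15, (9, 9), 3, 2))                 # the y^2 = x^3 + 3x (mod 15) example
    print(add((10, 1), (10, 1), 3, 332977))      # 2P on the curve chosen for 332977
    print(ecf(332977, (10, 1), 3, 20))
```

ecf returns None when no denominator fails within the bound, or when the failing denominator is divisible by n itself; in either case the next step is to try another curve (u, v, A).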
ELLIPTIC CURVE PRIMALITY TEST
Remarks. No algorithm that can factor an integer in polynomial time is known to exist, and it has not
yet been proven (though it is widely believed) that no such algorithm exists. The largest integer
factored that is not of a special form is RSA-250, a 250 decimal digit integer that was factored in
February 2020 and took 2700 core-hours. In fact the largest of the RSA numbers, RSA-2048, a 2048 bit,
617 decimal-digit number, may not be factorable for the next century with current bit-computing. A
quantum computer (if even possible) could factor RSA-2048 in less than 24 hours, but that capability
may still be ten to twenty years from this writing.

There are algorithms that can test a number's primality in polynomial time. They can test integers that
are much larger than those that have been factored. Some tests can test numbers with several hundred
digits, but elliptic curve primality testing is the most popular and can test random integers not of a
special form with over a thousand decimal-digits ([20] p. 184).

If a primality test states that a number is composite, it does not necessarily produce a factorization; it
only says that an integer is composite. If p is the number that is being tested for primality, and for some
base a we have a^(p-1) ≠ 1 (mod p), then we conclude p is composite. Integers that continually pass pseudo-primality
tests (that is, fail to show that they are composite) are probably prime. The more tests that they pass,
the more the probability increases that they are prime.
