cstef
/posts/elliptic-curve
TOP

Elliptic Curve and Shenanigans for Sane People

A gentle introduction to elliptic curve cryptography, without the need for a PhD in mathematics.

04/12/2024 Β· 6 min read Β· sapling πŸͺ΄

cryptography maths
Info

I am not a cryptographer, nor a mathematician. This article is the result of my own research and understanding of the subject. If you find any mistakes, please let me know!

The vast majority of what is written here is taken from various sources, which are listed at the end of this article. I highly recommend you to read them if you want to dive deeper into the subject.

Elliptic curve cryptography (ECC) is a fascinating field of study that has been around for a while. It’s a cornerstone of modern cryptography, and it’s used in many applications, from secure messaging to cryptocurrencies. RSA, the most widely used public-key cryptosystem, is slowly being replaced by ECC due to its efficiency and security.

The trapdoor function (easy to do one way, hard the other) for an elliptic curve is the multiplication of a point PP by a scalar nn which is just adding the point PP to itself nn times. This operation is denoted as n dot Pn dot P. If nn is large enough, it is computationally impossible to find nn for Q = n dot PQ = n dot P, being given both QQ and PP, in a reasonable time.

What is a "reasonable time"?

Let’s suppose we have supercomputer that is able to compute 10^1210^12 point multiplications per second (generous assumption).

In a year, we have about 365 * 24 * 60 * 60 tilde.eq 31'556'952365 * 24 * 60 * 60 tilde.eq 31'556'952 seconds, that means we could compute:

31'556'952 dot 10^12 tilde.eq 10^19 "[keys/year]"31'556'952 dot 10^12 tilde.eq 10^19 "[keys/year]"

Let’s take a SECP256k1 private key for our example. The elliptic curve is over a 256-bit field, which means we have 2^256 tilde.eq 10^772^256 tilde.eq 10^77 possible keys.

10^77/10^19 = 10^(77-19) = 10^58 "[years]"10^77/10^19 = 10^(77-19) = 10^58 "[years]"

For reference, the age of the universe is about 10^1010^10 years :D

Even with a quantum computer capable of running non-stop, using Shor’s algorithm, you’d need to perform sqrt(2^256) = 2^(128) tilde.eq 10^38sqrt(2^256) = 2^(128) tilde.eq 10^38 multiplications:

10^38/10^19 = 10^19 "[years]"10^38/10^19 = 10^19 "[years]"

Let’s start out by graphically representing the addition of two points GG and AA in an elliptic curve.

One easy way to think of the addition is to draw a line that goes through GG and AA, and find the third point of intersection with the curve. The symmetrical point is the result of the addition of GG and AA. This is because elliptic curve have the property that any line between two points intersects the curve at most one more time.

In the case where there is no third point of intersection (i.e. the line is vertical), we define the result of the addition as the point at infinity, denoted as cal(O)cal(O).

#set text(size: 10pt) #let point(x) = (x, calc.sq#set text(size: 10pt) #let point(x) = (x, calc.sq

The resulting point B = G + AB = G + A is then reflected to CC over the x-axis. This symmetry property is easily explained by the fact that the curve’s yy coordinates are squared, so for a given xx coordinate, there are two possible yy coordinates, yy and -y-y.

The operation can then be done over and over again to find subsequent points.

#set text(size: 10pt) #let point(x) = (x, calc.sq#set text(size: 10pt) #let point(x) = (x, calc.sq

Given two points A(x_A, y_A)A(x_A, y_A) and B(x_B, y_B)B(x_B, y_B), the resulting coordinates of the point C(x_C, y_C) = A + BC(x_C, y_C) = A + B can be found by:

  1. Finding the slope mm of the line between AA and BB.

    m = (y_B - y_A)/(x_B - x_A)m = (y_B - y_A)/(x_B - x_A)

  2. Finding the xx coordinate of CC by substituting y = m(x - x_A) + y_Ay = m(x - x_A) + y_A into the curve equation.

    y^2 = x^3 + 7 \ <==> (m(x - x_A) + y_A)^2 = x^3 + y^2 = x^3 + 7 \ <==> (m(x - x_A) + y_A)^2 = x^3 +

    Grouping each power of xx together nicely:

    x^3 - m^2 x^2 + (2 m^2 x_A - 2m y_A) x + (7 - m^2 x^3 - m^2 x^2 + (2 m^2 x_A - 2m y_A) x + (7 - m^2

    We have an single-variable third degree equation, and our good old friend Viète tells us that for a polynomial P(x) = a_0 + a_1 x + ... + a_n x^nP(x) = a_0 + a_1 x + ... + a_n x^n of degree nn, we have nn roots:

    P(x) = 0 <==> cases(space x = x_1,space x = x_2, sP(x) = 0 <==> cases(space x = x_1,space x = x_2, s

    Among other properties, these roots x_ix_i always satisfy:

    sum_(i = 0)^(n) x_i = x_1 + x_2 + ... + x_n = - (asum_(i = 0)^(n) x_i = x_1 + x_2 + ... + x_n = - (a

    Which means that in our case, we can write:

    x_A + x_B + x_C = -(-m^2)/1 = m^2x_A + x_B + x_C = -(-m^2)/1 = m^2

    Because we already know that the line will intersect with AA and BB (the grouped equation will be satisfied at both x_Ax_A and x_Bx_B), we are left with only x_Cx_C:

    x_C = m^2 - x_A - x_Bx_C = m^2 - x_A - x_B

  3. Finding y_Cy_C is as easy as plugging our freshly found x_Cx_C into the equation of the line and reflecting it over the xx-axis:

    y'_C = m(x_C - x_A) + y_A \y'_C = m(x_C - x_A) + y_A \

    y'Cy'C is our intermediate point before it being reflected.

    y_C = -y'C &= -m(x_C - x_A) - y_A \ &= m(xy_C = -y'C &= -m(x_C - x_A) - y_A \ &= m(x

In the case where G = AG = A, we can’t really draw a line between the two points, so we take the tangent to the curve at GG and find the third point of intersection. This is the result of the addition of GG and GG, denoted as 2 dot G2 dot G.

#set text(size: 10pt) #let point(x) = (x, calc.sq#set text(size: 10pt) #let point(x) = (x, calc.sq

To find the tangent at G(x_G, y_G)G(x_G, y_G), we need to find the slope m = (d y)/(d x) = y'(x)m = (d y)/(d x) = y'(x).

Differentiating both sides with respect to xx, y^2y^2, which actually depends on xx can be written as y(x)^2y(x)^2 for clarity:

(y(x)^2)' = 2y(x) dot y'(x)(y(x)^2)' = 2y(x) dot y'(x)

See this as if we were differentiating u^2u^2, where u = y(x)u = y(x).

The right side is just a function of xx, so we can differentiate it as we would with any other function:

(x^3 + 7)' = 3x^2 (x^3 + 7)' = 3x^2

Our differentiated equation is:

2y dot y'(x) = 3x^2 2y dot y'(x) = 3x^2

Solving for m = y'(x)m = y'(x):

y'(x) = (3x^2)/(2y) = m y'(x) = (3x^2)/(2y) = m

Notice that the tangent’s slope depends on both xx and yy, which makes sense because we’d have two different slopes otherwise:

(3x^2)/(2y) = plus.minus (3x^2)/(2sqrt(x^3 + 7))(3x^2)/(2y) = plus.minus (3x^2)/(2sqrt(x^3 + 7))

And we have our tangent equation for x_Gx_G and y_Gy_G:

t: y &= m(x - x_G) + y_G \ &= (3x_G^2)/(2y_G)t: y &= m(x - x_G) + y_G \ &= (3x_G^2)/(2y_G)

References / Suggested readings