Elliptic Curve Cryptography: 轻轻的学

Elliptic curves
Algebraic addition
Scalar multiplication
Multiplicative inverse modulo ppp
Elliptic curves in Fp\mathbb{F}_pFp, the field of integers modulo ppp
Discrete logarithm
ECC domain parameters

Elliptic curves

Elliptic curves over real numbers and the group law .

An elliptic curve will simply be the set of points described by the equation:
y2=x3+ax+by^2 = x^3+ax+b y2=x3+ax+b
where 4a3+27b2≠04a^3+27b^2 \neq 04a3+27b2=0

Algebraic addition

Given two non-zero, non-symmetric points P=(x1,y1)P = (x_1, y_1)P=(x1,y1) and Q=(x2,y2)Q = (x_2, y_2)Q=(x2,y2). The line through them has slope
m=y1−y2x1−x2m = \frac{y_1-y_2}{x_1-x_2} m=x1−x2y1−y2
The intersection of this line with the elliptic curve is point R=(xR,yR)R = (x_R, y_R)R=(xR,yR) where
xR=m2−x1−x2yR=y1+m(xR−x1)=y2+m(xR−x2)x_R = m^2-x_1-x_2 \\ y_R = y_1 + m(x_R-x_1) = y_2 + m(x_R-x_2) xR=m2−x1−x2yR=y1+m(xR−x1)=y2+m(xR−x2)
such that
P+Q+R=0P+ Q + R = 0P+Q+R=0 or P+Q=−RP + Q = -RP+Q=−R.

The case of P=QP=QP=Q needs to be treated differently since x1=x2x_1=x_2x1=x2, we must use a different equation for the slope
m=3x12+a2y1m = \frac{3x_1^2+a}{2y_1} m=2y13x12+a

Scalar multiplication

The double and add algorithm:

def bits(n):"""Generates the binary digits of n, startingfrom the least significant bit.bits(151) -> 1, 1, 1, 0, 1, 0, 0, 1"""while n:yield n & 1n >>= 1def double_and_add(n, x):"""Returns the result of n * x, computed usingthe double and add algorithm."""result = 0addend = xfor bit in bits(n):if bit == 1:result += addendaddend *= 2return result

Multiplicative inverse modulo ppp

Computing the multiplicative inverse can be “easily” done with the extended Euclidean algorithm. Here is a working Python implementation:

def extended_euclidean_algorithm(a, b):"""Returns a three-tuple (gcd, x, y) such thata * x + b * y == gcd, where gcd is the greatestcommon divisor of a and b.This function implements the extended Euclideanalgorithm and runs in O(log b) in the worst case."""s, old_s = 0, 1t, old_t = 1, 0r, old_r = b, awhile r != 0:quotient = old_r // rold_r, r = r, old_r - quotient * rold_s, s = s, old_s - quotient * sold_t, t = t, old_t - quotient * treturn old_r, old_s, old_tdef inverse_of(n, p):"""Returns the multiplicative inverse ofn modulo p.This function returns an integer m such that(n * m) % p == 1."""gcd, x, y = extended_euclidean_algorithm(n, p)assert (n * x + p * y) % p == gcdif gcd != 1:# Either n is 0, or p is not a prime number.raise ValueError('{} has no multiplicative inverse ''modulo {}'.format(n, p))else:return x % p

Elliptic curves in Fp\mathbb{F}_pFp, the field of integers modulo ppp

Restrict elliptic curves over Fp\mathbb{F}_pFp. An elliptic curve defined over a finite field has a finite number of points. The number of points in a group is called the order of the group.

Lagrange’s theorem states that the order of a subgroup is a divisor of the order of the parent group.

For ECC algorithms, we want subgroups with a high order. We will first choose an order that looks high enough, and then hunt for a suitable base point.

Discrete logarithm

The problem, known as the discrete logarithm problem for elliptic curves, is believed to be a “hard” problem, in that there is no known polynomial time algorithm that can run on a classical computer.

If we know PPP and QQQ, what is kkk such that Q=kPQ = kPQ=kP?

Scalar multiplication remains “easy”, while the discrete logarithm becomes a “hard” problem. This duality is the key brick of elliptic curve cryptography.

ECC domain parameters

Elliptic curve algorithms will work in a cyclic subgroup of an elliptic curve over a finite field. Therefore, will need the following parameters:

The prime ppp that specifies the size of the finite field
The coefficients aaa and bbb of the elliptic curve equation
The base point GGG that generates our subgroup
The order nnn of the subgroup
The cofactor hhh of the subgroup

The private key is a random integer ddd chosen from {1,...,n−1}\{1,...,n-1\}{1,...,n−1}
The public key is the point H=dGH = dGH=dG

If we know HHH and GGG, finding the private key ddd is “hard”, because it requires us to solve the discrete logarithm problem.

Encryption with ECDH (Elliptic curve Diffie-Hellman), digital signing with ECDSA (Elliptic Curve Digital Signature Algorithm)