curve definition ![](https://hackmd.io/_uploads/Skn3nkioh.png) elliptic curves are symmetric about the x-axis. group defines addition operation: ![](https://hackmd.io/_uploads/SkMX6yson.png) group defined on elliptical curve: ![](https://hackmd.io/_uploads/r10Ua1si2.png) need to define corner cases where P+P or P and Q is tangent to the curve if we reduce the domain of our elliptic curves from real number to finite field, scalar multiplication remains “easy”, while the discrete logarithm becomes a “hard” problem. This duality is the key brick of elliptic curve cryptography. field definition: ![](https://hackmd.io/_uploads/B1HQueij2.png) convert into finite field ![](https://hackmd.io/_uploads/r1Ghdlssh.png) updated addition definition: ![](https://hackmd.io/_uploads/r1xSFxoi3.png) cyclic sub group is foundation of ECC: ![](https://hackmd.io/_uploads/rkPG5eoj3.png) There are some classes of elliptic curves that are particularly weak and allow the use of special purpose algorithms to solve the discrete logarithm problem efficiently. For example, all the curves that have p=hn (that is, the order of the finite field is equal to the order of the elliptic curve) are vulnerable to Smart’s attack ECC: ![](https://hackmd.io/_uploads/Sk6nhliin.png) secp256k1 is used by bitcoin and ethereum ECDH is for key exchange, relies on hardness of diffie-hellman problem ECDSA is for signature sign, requires subgroup has prime order. almost all standardized curves have a prime order, and those that have a non-prime order are unsuitable for ECDSA. multiplicative gorup is more useful than additive group group order: ![](https://hackmd.io/_uploads/ryQZn8Tj3.png) Lagrange theorem: ![](https://hackmd.io/_uploads/H149TLpj2.png) generator: ![](https://hackmd.io/_uploads/H1i2a8Toh.png) cyclic group: ![](https://hackmd.io/_uploads/SJJCT8aj3.png) discrete logarithm: ![](https://hackmd.io/_uploads/HkFrCUpj2.png) **We will look for groups where computing the group operations is easy (namely, polynomial time) but computing discrete logarithms is hard (namely, exponential or sub-exponential time).** discrete log in additive group is easy, but in multiplicative group it's hard. finding greatest common divisor: ![](https://hackmd.io/_uploads/B1im3tToh.png) The multiplicative inverse of a exists if and only if gcd(a, N) = 1 Chinese remainder theorem: ![](https://hackmd.io/_uploads/Syiq3Yaih.png) complexity of basic bit operations: ![](https://hackmd.io/_uploads/SJWvaF6in.png) multiplicative group definition: ![](https://hackmd.io/_uploads/HkY96Y6i2.png) Euler's theorem: ![](https://hackmd.io/_uploads/H1efRtpi2.png) ![](https://hackmd.io/_uploads/ByofRYpo2.png) on multiplicative group for prime P: ![](https://hackmd.io/_uploads/Hkqk156jn.png) ![](https://hackmd.io/_uploads/BJG7JcTs3.png) isomorphism between additive group and multiplicative group: ![](https://hackmd.io/_uploads/HJxHl9pin.png) ![](https://hackmd.io/_uploads/H1gcQqaoh.png) proof: just need to prove in additive group N, if x and N is relatively prime, then x is a generator. since gcd(x, N) = 1, exist y s.t. x * y = 1, if d* x=0(mod N), then d * x * y = 0 * y, then d = 0. ![](https://hackmd.io/_uploads/BkNL4caj3.png) how to test if a given g is a generator: ![](https://hackmd.io/_uploads/B1-EHcTi2.png) baby-step giant-step algorithm: faster algorithm for solving discret log on **arbitrary groups** ![](https://hackmd.io/_uploads/HJD2Sq6o2.png) on quadratic residues: ![](https://hackmd.io/_uploads/BJKw9caj2.png) **square root can be computed in poly time.** **computational diffie-hellman**: ![](https://hackmd.io/_uploads/HkYdsqTs2.png) **decisional diffie-hellman**: ![](https://hackmd.io/_uploads/HkDJpcpj2.png) P=2*Q+1 is needed due to quadratic residue check. ![](https://hackmd.io/_uploads/SJUP6q6sh.png) DDH to PRG: ![](https://hackmd.io/_uploads/r1CiAcaon.png) DDH to PRF: ![](https://hackmd.io/_uploads/r1tf1i6i3.png) ## references https://andrea.corbellini.name/2015/05/17/elliptic-curve-cryptography-a-gentle-introduction/ https://mit6875.github.io/HANDOUTS/numbertheory.pdf