Elliptic Curves: Modern Cryptography
Eric Seifert
May 4, 2014
Abstract
This paper explains the mathematics behind elliptic curve cryptography, its
various protocols, and the importance of elliptic curve encryption systems. Math-
ematical topics include group theory, rings, and modular arithmetic. Additionally,
we discuss elliptic curves as intellectual property and their legal ramifications.
1 Introduction
The concept of transmitting information to a third party via a secure network has been of interest since antiquity. Over time, technological advancements changed the methods of encrypting information, and methods for transmitting information were no longer strictly reliant on transposition or substitution ciphers. Much of the increased need for cryptography was due in part to World War I and the later World War II [3].
The spark of the computer age of the latter half of the 20th century caused the
use of cryptography to accelerate. The power and capabilities of the computer allowed
cryptography to become even more sophisticated. American cryptographers Whitfield
Diffie and Martin Hellman’s paper in 1976 [3] was a significant step in the development
of what is now known as public key cryptography. In 1977, American cryptographers
Ronald Rivest, Adi Shamir, and Len Adleman used Diffie and Hellman’s findings to
develop a practical encryption system known as the RSA algorithm [15].
However, booming technological advancements caused a demand for more secure en-
cryption systems. In the 1980s, computers started seeing improvements in computational
speeds, improving their ability to compute more complex mathematical problems faster.
There was a growing need for more computationally difficult encryption systems.
In 1985 Neal Koblitz [9] and Victor S. Miller [11] independently suggested the use of elliptic curves as an encryption system. Elliptic curves did not enter wide use until 2004, largely because the technology available before then could not handle calculations as complex as those of elliptic curves. The computationally intractable mathematics of elliptic curves allows them to use smaller, more efficient key sizes while offering the same level of security as their RSA counterparts. This complexity is magnified by the types of time algorithms used to solve them. The three main types are polynomial, sub-exponential, and exponential. The names stem from their algebraic properties. For example, an elliptic curve time algorithm is a variant of an exponential time algorithm.
In this paper we will discuss the underlying abstract mathematics used in elliptic curve
algorithms, present current protocols, and finally end with a discussion about patents and
current issues surrounding elliptic curve cryptography. Specifically, in Section 2 we will
introduce the elliptic curve over the real numbers and define the associated algebraic
properties. Then in Section 3 we introduce the algebraic properties of rings. Section 4 will introduce non-elliptic curve encryption protocols. Then Section 5 introduces two main elliptic curve encryption systems. Finally, Section 6 concludes with a discussion of patenting elliptic curves for use and various legal ramifications.
2 Elliptic Curves over the Real Numbers
An elliptic curve is a cubic curve of genus one defined over some set of numbers. The genus is the largest number of nonintersecting closed curves that can be drawn on a surface without separating it.
In practice, elliptic curve encryption systems utilize 19th Century German mathematician Karl Weierstrass's elliptic curve equation. This stems from the Weierstrass Elliptic Function (notably documented as ℘). Much of Weierstrass's work centered around Calculus, but his work on elliptic curves influenced much of modern cryptography [8].
Weierstrass equations are commonly used for their accessibility over any set of numbers. A Weierstrass equation is any equation of the form
$$y^2 + ay = x^3 + bx^2 + cxy + dx + e \quad\text{where } a, b, c, d, e \in \mathbb{R}.$$
Though the coefficients of the Weierstrass equation above are defined over R, they
could also be defined over other sets, which we will discuss later. A commonly used Weierstrass equation is
$$y^2 = x^3 + dx + e \quad\text{where } d, e \in \mathbb{R}, \text{ and } a = b = c = 0.$$
In practice and for efficiency reasons, the National Institute of Standards and Technology recommends that elliptic encryption systems use the above equation with $d = -3$ [13]. One can also consider other variants of cubic curves such as the general cubic curve
$$ax^3 + bx^2y + cxy^2 + dy^3 + ex^2 + fxy + gy^2 + hx + iy + j = 0.$$
Here $a, b, c, d, e, f, g, h, i, j \in S$, where $S$ is a field, which we will discuss below. We will focus on the Weierstrass equation since it is most commonly used in practice.
2.1 Elliptic Curve Properties
We now explain some important properties of an elliptic curve by defining an algebraic
structure on a collection of points on a fixed elliptic curve. These properties are vital to
the use of elliptic curves in cryptography.
2.1.1 Point Addition
We define elliptic curve addition as follows:
Definition 2.1. Let $P$, $R$ and $Q$ be points on the elliptic curve $E$. Then $P + Q = R$, where $R$ is $R^{-1}$ reflected over the $x$-axis and $R^{-1}$ is the remaining point of intersection between the elliptic curve and the line that contains $P$ and $Q$. Figure 1 illustrates this concept.
[Figure 1 (plot not reproduced): the elliptic curve with the points $P$, $Q$, $R^{-1}$ and $R$ marked; both axes run from $-2$ to $1$.]
Figure 1: Graph showing elliptic curve point addition
We use this definition of addition because, due to a special property of elliptic curves,
it will allow us to have additive inverses. Furthermore, in order to understand why we
reflect the point R in Definition 2.1 we need to define the identity of an elliptic curve.
Definition 2.2. Let P be a point on the elliptic curve E, and O be the point at infinity,
then P + O = O + P = P. Figure 2 illustrates this concept.
[Figure 2 (plot not reproduced): the elliptic curve with the points $P$, $P^{-1}$ and the point at infinity $O$ marked; both axes run from $-2$ to $1$.]
Figure 2: Graph showing the identity at infinity
Definition 2.1 implies that $P + P^{-1} = O$, where $P^{-1}$ is sometimes denoted $-P$. Graphically, the line through $P$ and $O$ is taken to be a vertical line, which intersects the curve again at $P^{-1}$. This implies that the point at infinity is the identity element.
2.1.2 Point Doubling
Rather than computing repeated sums, most encryption algorithms use point doubling to reduce run time. Instead of considering two points on the curve we consider one point $P$ on the elliptic curve $E$. Adding $P$ to itself is equivalent to drawing the tangent line through $P$. This line intersects the curve at the point $(2P)^{-1}$; after reflection we see that $P + P = 2P$. Figure 3 illustrates this concept.
[Figure 3 (plot not reproduced): the elliptic curve with the point $P$, the tangent intersection $(2P)^{-1}$ and its reflection $2P$ marked; both axes run from $-2$ to $1$.]
Figure 3: Graph showing elliptic curve point doubling
Example 2.1. Instead of calculating $15P = \underbrace{P + P + \cdots + P}_{15\text{ times}}$, we can more efficiently calculate this using point doubling. Namely, $15P = P + 2(P + 2(P + 2P))$. This effectively reduces the number of operations from 15 to six [16].
To actually evaluate $2P$ depends on the type of elliptic curve. There are specific formulae that solve for the point doubling value. For example, the interested reader can verify that for the elliptic curve $y^2 = x^3 + ax + b$, $2P = R$, where $P = (P_x, P_y)$ and $R = (R_x, R_y)$. The point $R$ is calculated as follows:
$$R_x = s^2 - 2P_x \quad\text{and}\quad R_y = s(P_x - R_x) - P_y \quad\text{where } s = \frac{3P_x^2 + a}{2P_y} \qquad (1)$$
Repeated point doubling is one of the main reasons that elliptic curve algorithms are so effective.
2.2 Group Definition
In conjunction with the property of elliptic curve addition, elliptic curves form an alge-
braic structure known as a group.
Definition 2.3. A group $(G, \circ)$ consists of a set of elements $G$ and a binary operation $\circ$ that satisfy the following axioms, as defined in Judson [7]:
• (Associativity) $a \circ (b \circ c) = (a \circ b) \circ c$ for all $a, b, c \in G$.
• (Identity) There exists an element $e \in G$ such that $a \circ e = e \circ a = a$ for all $a \in G$.
• (Inverse) For each $a \in G$, there exists an element $a^{-1} \in G$ such that $a \circ a^{-1} = a^{-1} \circ a = e$.
Now we can define a group $(E, +)$ based on the elliptic curve $E$. This is known as the elliptic group. Elliptic curve addition is associative since $P + (Q + R) = (P + Q) + R$ for all $P, Q, R \in E$. The elliptic group has an identity element, which we call $O$. Finally, inverses exist since by definition $P + P^{-1} = O$. For these reasons, the elliptic group is indeed a group.
3 Prime Modulus and Binary Fields
In the previous section we discussed elliptic curves over R. However in practice, com-
puters have a difficult time working with an infinite set of numbers. For this reason,
early encryption systems such as RSA rely heavily on a basic concept of number theory:
modular arithmetic. Mathematically, modular arithmetic is defined as follows
Definition 3.1. Let a and b be two integers and suppose that n ∈ N then a is congruent
to b modulo n if a − b is divisible by n; that is, a − b = nk for some k ∈ Z. We denote
by Zn the set of equivalence classes of the integers mod n, as defined from Judson [7].
3.1 Rings
Though we defined $\mathbb{Z}_n$ as the set of equivalence classes of the integers mod $n$, we can also define it as a set with two binary operations, addition and multiplication.
Theorem 3.1. Let $a_1 \equiv b_1 \pmod n$ and $a_2 \equiv b_2 \pmod n$. Then $a_1 + a_2 \equiv b_1 + b_2 \pmod n$. Furthermore, $a_1 a_2 \equiv b_1 b_2 \pmod n$.
The resulting system has a nice algebraic structure called a ring, which is defined as
follows
Definition 3.2. A nonempty set R is a ring if it has two closed binary operations,
addition and multiplication, satisfying the following conditions.
• (Commutativity in Addition) a + b = b + a for a, b ∈ R.
• (Associativity in Addition) (a + b) + c = a + (b + c) for a, b, c ∈ R.
• (Additive Identity) There exists an element 0 in R such that a+0 = a for all a ∈ R.
• (Additive Inverse) For every element a ∈ R, there exists an element −a ∈ R such
that a + (−a) = 0.
• (Associativity in Multiplication) (ab)c = a(bc) for a, b, c ∈ R.
• (Distributivity) For a, b, c ∈ R, a(b + c) = ab + ac and (a + b)c = ac + bc.
Notice that in a ring every element has an additive inverse. A special type of ring is a field.
Definition 3.3. A field is a ring $R$ for which $ab = ba$ for all $a, b \in R$, there exists a nonzero element $1 \in R$ such that $1a = a1 = a$ for every $a \in R$, and every nonzero element $a \in R$ has a unique element $a^{-1}$ such that $aa^{-1} = a^{-1}a = 1$.
Notice that in a field every nonzero element has both an additive and a multiplicative inverse.
We have already seen an example of a field.
Example 3.1. We can see that Z3 is a field because every element has a multiplicative
inverse, there exists an identity element, and it is commutative. However, Z6 is not a
field because not every element has a multiplicative inverse. For example consider the
element 2. We see that 2 multiplied by any other element of Z6 yields only 0, 2 or 4.
When defining the types of fields used in elliptic curve cryptography, we must define
the following theorem that explains the connection between a field and the ring Zn.
Theorem 3.2. If p is prime then every element of Zp has a multiplicative inverse. Fur-
thermore, Zp is a field.
Proof. Commutativity of addition and multiplication follow from Theorem 3.1. We want to show that any nonzero element $x$ of $\mathbb{Z}_p$ has a multiplicative inverse. Let $x$ be an integer such that $0 < x < p$. Then $\gcd(x, p) = 1$. By the Euclidean Algorithm there exist integers $a$ and $b$ such that $ap + bx = 1$. Then $bx = 1 - ap \equiv 1 \pmod p$, so $b$ is the inverse of $x$ in $\mathbb{Z}_p$. Thus any nonzero element $x \in \mathbb{Z}_p$ has a multiplicative inverse. Therefore $\mathbb{Z}_p$ is a field.
The characteristic p of field F is the smallest positive integer such that for every
nonzero element α ∈ F, pα = 0.
Proposition 3.1. If $F$ is a finite field of characteristic $p$, then the order of $F$ is $p^n$ for some $n \in \mathbb{N}$.
For an example, see Judson [7].
3.2 The Galois Field
Fundamentally, all fields of order $p^n$, where $p$ is prime, have the same structure as one another (they are isomorphic). Therefore, there exists only one field of order $p^n$; we call it the Galois Field, written as $\mathbb{F}_{p^n}$ or $GF(p^n)$. The Galois Field is a finite field whose order is a prime power. Notice that when $p$ is prime, $\mathbb{Z}_p$ is the Galois Field $\mathbb{F}_p$. When $p = 2$, the Galois Field is known as a binary field because the elements of the field are the same in structure as the integers modulo 2.
Example 3.2. We can clearly see that when n = 1 the binary field is simply F2, which
is the same in structure to the integers modulo 2.
When thinking of $\mathbb{F}_{2^n}$ we can think of its elements in terms of a polynomial representation with coefficients in $\mathbb{Z}_2$, namely $\mathbb{Z}_2[x] \bmod p(x)$, where $p(x)$ is an irreducible polynomial (i.e. a polynomial that cannot be factored into polynomials of lower degree). Then given an irreducible polynomial of degree $n$, we can construct a field of prime power order. It is important to note that such a polynomial exists for any $n$ and any $p$.
Example 3.3. Let $p(x)$ be an irreducible polynomial in $\mathbb{Z}_2[x]$ with degree $n$. Then $\mathbb{Z}_2[x]/\langle p(x)\rangle$ is $\mathbb{F}_{2^n}$, where $\langle p(x)\rangle = \{p(x)q(x) : q(x) \in \mathbb{Z}_2[x]\}$ (i.e. the set of polynomials generated by $p(x)$). It is clear that both $\mathbb{Z}_2[x]$ and $\langle p(x)\rangle$ have infinite order. However, $\mathbb{Z}_2[x]/\langle p(x)\rangle$ has order $2^n$.
Example 3.4. Suppose we have the irreducible polynomial $p(x) = x^3 + x^2 + x + 1$, where $p(x) \in \mathbb{Z}_2[x]$. Then $\mathbb{Z}_2[x]/\langle p(x)\rangle$ is $\mathbb{F}_{2^3}$ and has elements $\{0, 1, x, x^2, x + 1, x^2 + x, x^2 + 1, x^2 + x + 1\}$. Here the polynomial basis is $\{x^2, x, 1\}$, where the polynomial basis is the set of single polynomials whose linear combinations represent every polynomial element in the given Galois Field.
Example 3.4 uses the Galois Field $\mathbb{F}_{2^3}$, which is equivalent to $\mathbb{F}_8$, a finite field of order 8. Thus it is possible to create finite fields of non-prime order. However, there exists no field of order 6, because there is no prime $p$ such that $p^n = 6$ for some $n \in \mathbb{N}$.
Example 3.4 provides further insight into the binary field. Each element of the field defined by $p(x) = x^3 + x^2 + x + 1$ over $\mathbb{Z}_2$ can be expressed as the binary sequence of its coefficients. For example, the element $x^2 + x$ can be expressed as $(1, 1, 0)$, whereas $x + 1$ becomes $(0, 1, 1)$. Combinatorially, one can see that over $\mathbb{Z}_2$ there are $2^3$ binary sequences of length 3. More generally, if $m(x)$ is irreducible over $\mathbb{Z}_p$ with degree $n$, then $|\mathbb{Z}_p[x]/\langle m(x)\rangle| = p^n$ and there exist $p^n$ $p$-ary sequences of length $n$.
The value of the Galois Field when p = 2, is its ability to represent large finite fields
in binary form. Together, these provide efficient computing for the complex algorithms
of elliptic curve cryptography.
In terms of notation, $E(\mathbb{F}_{p^n})$ refers to an elliptic curve $E$ over the finite field $\mathbb{F}_{p^n}$. We will use this notation when we discuss elliptic curve algorithms in Section 5.
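The polynomial-basis arithmetic of Section 3.2 as an added example (this code is not from the paper): elements of $\mathbb{F}_{2^n}$ are stored as Python ints whose bit $i$ is the coefficient of $x^i$, so $x^2 + x$ is 0b110, i.e. the sequence (1, 1, 0). It reduces modulo the field polynomial, tests irreducibility with the Ben-Or criterion, computes inverses as $a^{2^n - 2}$, and also checks the K-163 field polynomial quoted in Section 5.1. Running the irreducibility test on $x^3 + x^2 + x + 1$ from Example 3.4 reports it as reducible (it has the root $x = 1$), so the irreducible $x^3 + x + 1$ is used here to build $\mathbb{F}_8$.

```python
# Added example, not from the paper: F_{2^n} in polynomial basis.
# An element is an int; bit i holds the coefficient of x^i.
# Constructed inputs: x^3 + x + 1 for F_8, and the K-163 polynomial from Section 5.1.

def gf2_deg(a):
    return a.bit_length() - 1


def gf2_mod(a, f):
    # remainder of a divided by f in Z_2[x]: subtract (xor) shifted copies of f
    df = gf2_deg(f)
    while a and gf2_deg(a) >= df:
        a ^= f << (gf2_deg(a) - df)
    return a


def gf2_mulmod(a, b, f):
    # carry-less (schoolbook) multiply, then reduce modulo the field polynomial f
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return gf2_mod(r, f)


def gf2_gcd(a, b):
    # Euclid's algorithm in Z_2[x]
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def is_irreducible(f):
    # Ben-Or test: f of degree n is irreducible over Z_2 iff
    # gcd(f, x^(2^i) - x) = 1 for i = 1 .. n/2; x^(2^i) mod f comes from repeated squaring
    n = gf2_deg(f)
    if n < 1:
        return False
    h = 0b10  # the polynomial x
    for _ in range(n // 2):
        h = gf2_mulmod(h, h, f)
        if gf2_gcd(f, h ^ 0b10) != 1:      # a common factor with x^(2^i) - x
            return False
    return True


def gf2n_inverse(a, f):
    # the multiplicative group of F_{2^n} has order 2^n - 1, so a^(2^n - 2) = a^-1
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse in a field")
    result, base, e = 1, a, (1 << gf2_deg(f)) - 2
    while e:
        if e & 1:
            result = gf2_mulmod(result, base, f)
        base = gf2_mulmod(base, base, f)
        e >>= 1
    return result


def to_bits(a, n):
    # coefficient sequence (c_{n-1}, ..., c_0) as in Section 3.2: x^2 + x -> (1, 1, 0)
    return tuple((a >> i) & 1 for i in reversed(range(n)))


def field_elements(f):
    # all 2^n residues modulo f; the polynomial basis {x^(n-1), ..., x, 1} spans them
    return list(range(1 << gf2_deg(f)))


F8_POLY = 0b1011        # x^3 + x + 1, irreducible: defines F_8
REDUCIBLE = 0b1111      # x^3 + x^2 + x + 1 = (x + 1)^3 over Z_2, so not a field polynomial
K163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # t^163 + t^7 + t^6 + t^3 + 1

if __name__ == "__main__":
    for a in field_elements(F8_POLY):
        print(to_bits(a, 3), "inverse:", None if a == 0 else to_bits(gf2n_inverse(a, F8_POLY), 3))
    print("K-163 polynomial irreducible:", is_irreducible(K163_POLY))
```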
4 Cryptographic Protocols
Cryptography is the study of techniques for securing communication in the presence of
third-party adversaries. Encryption is a subset of cryptography aiming at developing
algorithms to obscure information passed during communication. There are two types
of encryption: symmetric key and public key encryption. Both types of encryption in-
volve two communicating parties and a third party commonly called the attacker. In
symmetric key encryption the two parties must agree upon a private key for both en-
cryption and decryption before communicating. The key acts as the means to determine
the functional output of the encryption algorithm. In contrast, public key encryption involves asymmetric key algorithms, since there exist two different keys for encryption and decryption: a public encryption key and a private decryption key, respectively. The
intention is that it should be nearly impossible to calculate the private key given only
the public key. This difficulty is due to the mathematical complexity of the encryption
algorithms and is of interest to elliptic curve cryptography.
4.1 RSA Encryption
A notable encryption system that is an example of public key encryption is called RSA;
where its name stems from its 1977 inventors Ronald Rivest, Adi Shamir, and Len Adle-
man [15]. Algorithm 1 illustrates the RSA algorithm considering parties A and B.
Algorithm 1 RSA Encryption
INPUT: A picks two large prime numbers $p$ and $q$.
OUTPUT: B's message $m$ shared with A.
Step 1: A computes $n = pq$.
Step 2: A computes $\phi(n) = (p - 1)(q - 1)$.
Step 3: A computes her private exponent $d = e^{-1} \bmod \phi(n)$, for some $e$ such that $\gcd(e, \phi(n)) = 1$.
Step 4: B encrypts message $m$ by computing $m^e \bmod n$ and sends it publicly to A.
Step 5: A receives the encrypted message $c = m^e \bmod n$.
Step 6: A decrypts the encrypted message by computing $c^d \bmod n = m$.
In the above algorithm e and n are the public keys and d is the private key. In order to
prove the RSA algorithm we need to define the following theorem proven by 18th century
mathematician Leonhard Euler:
Theorem 4.1 (Euler's Theorem). Let $a$ and $n$ be integers such that $n > 0$ and $\gcd(a, n) = 1$. Then $a^{\phi(n)} \equiv 1 \pmod n$.
Proof that RSA works. We need to show $(m^e)^d \bmod n = m$. We know that $ed \equiv 1 \pmod{\phi(n)}$. This implies that $\phi(n) \mid (ed - 1)$. Therefore there exists some integer $k$ such that $ed = 1 + k\phi(n)$. Then, assuming $\gcd(m, n) = 1$ so that Euler's Theorem applies to $m$,
$$(m^e)^d \equiv m^{ed} \equiv m^{1 + k\phi(n)} \equiv m \cdot (m^{\phi(n)})^k \equiv m \cdot 1^k \equiv m \pmod n.$$
The security of RSA encryption rests on the difficulty of factoring the product $pq$ of two large prime numbers. Namely, it is difficult to determine primes $a$ and $b$ given only $ab$. In practice, computers may take months to find $a$ and $b$. The best known algorithms for this problem run in subexponential time; that is, the amount of time needed to find $a$ and $b$ increases roughly exponentially with the size of the modulus, as mentioned by Hankerson, Vanstone, and Menezes in [5]. This may seem like a lot of time, but as we will see, elliptic curve algorithms require an exponentially greater amount of time to crack.
4.2 The Diffie-Hellman Key Exchange
One of the more important problems that pertains to elliptic curve cryptography is the discrete logarithm problem. The idea of the problem centers around the formula $y = g^x$. On its own, $y$ is easy to calculate given $g$ and $x$. However, solving for $x$ when given $y$ and $g$ proves to be much more difficult. For that reason cryptographers have been interested in designing encryption systems that center around the discrete logarithm problem.
Cryptographers Whitfield Diffie and Martin Hellman published one of the earliest
algorithms which centered around the discrete logarithm problem; notably called the
Diffie-Hellman Key Exchange [3]. This algorithm allows two parties with no prior knowl-
edge of one another to decide upon a secure key over a third party (i.e. an attacker).
The algorithm is built around the equation $y = g^x \bmod p$, where $p$ is prime and $g$ and $y$ are non-negative integers. Computing $y$ from $g$, $x$ and $p$ is easy; however, given only $g$, $p$, and $y$ it is often extremely difficult to solve for $x = \log_g y \bmod p$. Algorithm 2 illustrates the Diffie-Hellman Key Exchange algorithm, again assuming parties A and B.
Algorithm 2 Diffie-Hellman Key Exchange
INPUT: prime number $p$, element $g$ from the group $\mathbb{Z}_p$.
OUTPUT: Shared secret over a third party.
Step 1: A picks a natural number $a$, computes $g^a \bmod p$ and sends it to B.
Step 2: B picks a natural number $b$, computes $g^b \bmod p$ and sends it to A.
Step 3: A computes $(g^b)^a \bmod p$.
Step 4: B computes $(g^a)^b \bmod p$.
In conclusion, A and B have successfully shared the secret $g^{ab}$ over a third party. The mathematical idea here centers around the fact that $(g^a)^b \bmod p = (g^b)^a \bmod p$, proven by Diffie and Hellman in [3]. The algorithm relies on the difficulty of finding $g^{ab}$ given the public keys $g^a$, $g^b$, $g$, and $p$. This is known as the Diffie-Hellman Problem.
A similar problem can be applied to elliptic curves. We call this the elliptic curve discrete logarithm problem. The idea is to find an integer $n$ given only the point $P$ and the end result $nP$. Again the difficulty here is solving for $n$ given limited information. We will revisit this topic in Section 5.2.
4.3 Digital Signature Algorithm
A digital signature is often an effective way of verifying that information sent to another party has not been altered during transit, and of assuring the recipient of the originator's identity. Unlike the previous algorithms, the digital signature algorithm acts as a means to verify someone's identity. The algorithm is two-fold. The first party generates the signature, which is then verified by the second party. This helps ensure the validity of the first party's signature. The idea of a digital signature was first mentioned by Whitfield Diffie and Martin Hellman in their 1976 paper "New Directions in Cryptography" [3] and further developed in 1995 by cryptographers Shafi Goldwasser, Silvio Micali and Ronald Rivest [4]. The actual algorithm was proposed in 1991 by the National Institute of Standards and Technology (NIST). The algorithm is currently attributed to former NSA employee David W. Kravitz and is covered by a United States patent [10]. The algorithm stems from the discrete logarithm problem. Algorithm 3 illustrates the algorithm for signature generation and Algorithm 4 illustrates the algorithm for signature verification.
Algorithm 3 Digital Signature: Signature Generation
INPUT: Message $m$.
OUTPUT: Signature $(r, s)$.
Step 1: Choose a prime number $q$ of length less than or equal to the output length of the Secure Hash Algorithm $H(\cdot)$, an algorithm that maps data of arbitrary length to data of fixed length; typically a bit string to a fixed-length hexadecimal representation.
Step 2: Choose a prime number $p$ such that $p - 1$ is a multiple of $q$.
Step 3: Choose elements $x$ and $k$ at random from $[0, q - 1]$.
Step 4: Choose an element $h$ at random from $[0, p - 1]$.
Step 5: Compute $g = h^{(p-1)/q} \bmod p$.
Step 6: Compute $y = g^x \bmod p$.
Step 7: Compute $r = (g^k \bmod p) \bmod q$.
Step 8: Compute $s = (k^{-1}(H(m) + xr)) \bmod q$.
Algorithm 4 Digital Signature: Signature Verification
INPUT: Public key $(p, q, g, y)$, private key $(m, x)$, signature $(r, s)$.
OUTPUT: Signature $(r, s)$.
Step 1: Hash function $H$ computes $H(m) = e$.
Step 2: Compute $w = s^{-1} \bmod q$.
Step 3: Compute $u_1 = ew \bmod q$.
Step 4: Compute $u_2 = rs^{-1} \bmod q$.
Step 5: Compute $v = (g^{u_1} y^{u_2} \bmod p) \bmod q$.
Step 6: If $v = r$ then return("Accept the Signature"); else return("Reject Signature").
We will not prove that the algorithm works, but the interested reader can consult the proof in the NIST report on Digital Security Standards [12]. The purpose of the algorithm is to make sure that the person who sent the signature is actually the correct person. If $v \neq r$ then the signature was not constructed by the signature generation algorithm. This tells the verifying party that the signature created was not a correct signature based on the input parameters.
Overall, the digital signature algorithm’s security relies on the complexity of the
discrete logarithm problem mod an integer. Furthermore, a brief introduction is necessary
for comparison with the elliptic curve digital signature algorithm mentioned in the next
section.
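Algorithms 1 through 4 of this section as one added example (not the paper's own code), with tiny constructed parameters so each step can be checked by hand: RSA with p = 61, q = 53, e = 17; Diffie-Hellman over $\mathbb{Z}_{23}$ with g = 5; DSA with p = 23, q = 11, h = 2. SHA-256 reduced mod q stands in for H, and there is no padding or real key size, so this shows the arithmetic only, not a deployable scheme.

```python
# Added example, not from the paper: textbook Algorithm 1 (RSA), Algorithm 2
# (Diffie-Hellman) and Algorithms 3/4 (DSA) over Z_p with constructed toy parameters.
import hashlib
import secrets


def egcd(a, b):
    # extended Euclidean algorithm: (g, x, y) with a*x + b*y = g = gcd(a, b)
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    # inverse used in Step 3 of Algorithm 1, Step 8 of Algorithm 3, Step 2 of Algorithm 4
    g, x, _ = egcd(a % m, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


# ---- Algorithm 1: RSA ----
def rsa_keygen(p, q, e):
    n = p * q                                    # Step 1
    phi = (p - 1) * (q - 1)                      # Step 2
    d = modinv(e, phi)                           # Step 3: d = e^-1 mod phi(n)
    return (n, e), d                             # public key (n, e), private key d


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                          # Step 4: c = m^e mod n


def rsa_decrypt(pub, d, c):
    return pow(c, d, pub[0])                     # Step 6: c^d mod n = m (Euler's Theorem)


# ---- Algorithm 2: Diffie-Hellman ----
def dh_public(p, g, x):
    return pow(g, x, p)                          # Steps 1-2: the value sent, g^x mod p


def dh_shared(p, received, x):
    return pow(received, x, p)                   # Steps 3-4: (g^b)^a = (g^a)^b = g^ab mod p


def discrete_log(p, g, y):
    # brute-force x with g^x = y mod p: instant for p = 23, hopeless at real sizes
    for x in range(p - 1):
        if pow(g, x, p) == y:
            return x
    return None


# ---- Algorithms 3/4: DSA ----
def dsa_params(p, q, h):
    # Algorithm 3, Steps 2 and 5: q | p - 1 and g = h^((p-1)/q) mod p has order q
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h generates the trivial subgroup; pick another h")
    return p, q, g


def dsa_keypair(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1             # Step 3: private key x
    return x, pow(g, x, p)                       # Step 6: public key y = g^x mod p


def hash_mod(m, q):
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def dsa_sign(params, x, m):
    p, q, g = params
    while True:
        k = secrets.randbelow(q - 1) + 1         # Step 3: a fresh k for every signature
        r = pow(g, k, p) % q                     # Step 7
        s = modinv(k, q) * (hash_mod(m, q) + x * r) % q   # Step 8
        if r != 0 and s != 0:                    # degenerate values: choose a new k
            return r, s


def dsa_verify(params, y, m, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):            # range check, as Algorithm 7 does for ECDSA
        return False
    w = modinv(s, q)                             # Step 2
    u1, u2 = hash_mod(m, q) * w % q, r * w % q   # Steps 3-4
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q  # Step 5
    return v == r                                # Step 6


if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)
    print("RSA:", pub, d, rsa_encrypt(pub, 65), rsa_decrypt(pub, d, rsa_encrypt(pub, 65)))
    print("DH shared:", dh_shared(23, dh_public(23, 5, 15), 6), dh_shared(23, dh_public(23, 5, 6), 15))
    params = dsa_params(23, 11, 2)
    x, y = dsa_keypair(params)
    print("DSA verifies:", dsa_verify(params, y, b"msg", dsa_sign(params, x, b"msg")))
```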
5 Elliptic Curve Protocols
In order to discuss the various elliptic curve protocols, we need to first illustrate how one
can prepare all of the necessary parameters for implementing a protocol.
5.1 Preparing for an Elliptic Curve Algorithm
Developing an algorithm based on an elliptic curve has many parameters to consider. Currently (and since 1999), the National Institute of Standards and Technology (NIST) documents fifteen elliptic curves and their various recommended parameters. We list the parameter considerations.
1. Choice of Key Length
The key length is represented through a combination of a specific base point $G$ on the elliptic curve $E$ and the elliptic curve itself. We choose a base point $G$ that has large prime order $r$, where the order $r$ of a point $G$ is the smallest positive integer such that $rG = \underbrace{G + G + \cdots + G}_{r\text{ times}} = O$. The number of points on the curve is $n = fr$, where $f$ is an integer not divisible by $r$. NIST recommends that the value for $f$ should be no smaller than 1 to optimize efficiency [13]. We are now gathering more information to describe the curve.
2. Choice of Field
We focused our attention on prime characteristic fields because they are the two
choices of underlying fields recommended by NIST. The following table lists the bit length $\|p\|$ of the prime $p$ for prime fields, followed by the field degree $m$ for binary fields (i.e. the degree of the polynomial representation of the field). Here $\|p\|$ refers to the length of the binary expansion of the integer $p$.
Prime Field Binary Field
∥p∥ = 192 m = 163
∥p∥ = 224 m = 233
∥p∥ = 256 m = 283
∥p∥ = 384 m = 401
∥p∥ = 521 m = 571
Table 1: NIST Recommended Field Sizes [13]
For example, P-192 refers to the prime field with $\|p\| = 192$, whose prime is $p = 6277101735386680763835789423207666416083908700390324961279$. Additionally, curve K-163 refers to the binary field with $m = 163$, i.e. a polynomial representation of degree 163, given by
$$p(t) = t^{163} + t^7 + t^6 + t^3 + 1$$
where $p(t)$ is the field polynomial of $GF(2^{163})$.
3. Choice of Basis
When using a binary field we use a basis to help interpret a bit string. NIST
recommends using either a polynomial basis or a normal basis. We explained a
polynomial basis in Example 3.4 but will not explain a normal basis. The interested
reader should consult [13] for more information about a normal basis.
4. Choice of Curve
An elliptic curve is either supersingular or non-supersingular. An elliptic curve is supersingular if its trace $t$ is divisible by the characteristic $p$ of $\mathbb{F}_q$ [6]. Supersingular curves satisfy
$$y^2 + ay = x^3 + bx + c \quad\text{where } a, b, c \in \mathbb{R},$$
while non-supersingular curves satisfy
$$y^2 + axy = x^3 + bx^2 + c \quad\text{where } a, b, c \in \mathbb{R}.$$
Supersingular curves are not suitable for cryptography because the discrete logarithm problem on them can be reduced to one that is much easier to attack, according to Rosing in [16]. For that reason, elliptic curve cryptography focuses on non-supersingular curves.
NIST recommends either pseudo-random or special curves. Pseudo-random curves are the most common and have coefficients generated by a specific cryptographic hash algorithm. Special curves have coefficients selected from the underlying fields in order to optimize the efficiency of the elliptic curve operations. Such curves defined over $\mathbb{F}_{2^n}$ are also called Koblitz Curves, whose name stems from mathematician Neal Koblitz, a prominent figure in the field of elliptic curve cryptography.
As documented in [13], there are currently 15 elliptic curves used in practice. The first five curves are defined over five different prime fields $\mathbb{F}_p$ with five different prime orders $r$ and satisfy the formula
$$y^2 \equiv x^3 - 3x + b \pmod p,$$
where for efficiency reasons $a = -3$ and $b$ satisfies $b^2 c \equiv -27 \pmod p$, with $c$ the output of the SHA-1 algorithm.
The last 10 curves are defined over the binary field $\mathbb{F}_{2^m}$ with 10 different field degrees $m$ and are defined as
$$y^2 + xy = x^3 + ax^2 + b \quad\text{where } a, b \in \mathbb{R}. \qquad (2)$$
The pseudo-random curves satisfy Equation 2 with $a = 1$, while the Koblitz curves satisfy Equation 2 with $b = 1$ and $a = 0$ or $1$ (dependent on the key length variable $f$).
5. Choice of Base Point
NIST also provides a base point G = (Gx, Gy) with order r as a general way to
follow their specific computations. The base point ultimately acts like a seed when
computing the coefficients of the curve. It is private information and for that reason,
one should not use the provided base point in [13] but generate their own.
5.2 Elliptic Curve Diffie-Hellman Key Exchange
Now that we have provided the foundations of the mathematics and the requirements
of preparing an elliptic curve algorithm, we begin discussing the Elliptic Curve Diffie-
Hellman Key Exchange. Algorithm 5 illustrates the Elliptic Curve Diffie-Hellman Algo-
rithm again assuming parties A and B.
Algorithm 5 Elliptic Curve Diffie-Hellman
INPUT: $E(\mathbb{F}_{p^n})$, point $P$ with order $r$
OUTPUT: Shared secret over a third party
Step 1: A and B choose private keys $n_A$ and $n_B$ in the interval $[1, r - 1]$, respectively
Step 2: A and B compute and exchange $Q_A = n_A P \in E(\mathbb{F}_{p^n})$ and $Q_B = n_B P \in E(\mathbb{F}_{p^n})$, respectively
Step 3: A and B compute $n_A Q_B \in E(\mathbb{F}_{p^n})$ and $n_B Q_A \in E(\mathbb{F}_{p^n})$, respectively
In conclusion, $n_A Q_B = n_B Q_A$, which means A and B have successfully decided upon a shared secret key over a third party.
In general, the concept behind the algorithm is the same as in Algorithm 2. An attacker would have to find $n_A n_B P$ when given only $n_A P$, $n_B P$, and $P$, making it difficult to calculate the secret. The difference lies in the efficiency of the elliptic curve calculations. According to the National Security Agency it generally takes $2^k - 1$ operations to attack an algorithm with a $k$-bit key size [1]. Ideally, a secure public key algorithm should use parameters that require at least $2^k - 1$ operations to attack. Table 2 illustrates a comparison between RSA and Diffie-Hellman key sizes and those using elliptic curves.
As with all elliptic curve encryption systems, the mathematically difficult aspect centers around the Elliptic Curve Discrete Logarithm Problem. The problem is similar to the non-elliptic-curve problem previously mentioned; however, it relies on elliptic curve point multiplication and the difficulty of solving for $n$ given $Q = nP$, where $P$ is a point on the elliptic curve $E$.
It becomes increasingly difficult to find $n$ given only $Q$ and $P$, since to find $n$ one would have to continually test different values of $n$, each time computing the associated repeated point doublings. Given the complexity of even one point doubling, as stated in Equation 1, this task can easily become time consuming. For this reason, elliptic curves require an exponential time algorithm to crack. Because the operations are more complex to crack than their non-elliptic counterparts, the size of the private key can be much smaller, as illustrated in Table 2.
Non-Elliptic Curve Elliptic Curve
Key Size (Bits) Key Size (Bits)
1024 160
2048 224
3072 256
7680 384
15360 521
Table 2: NIST Recommended Key Sizes [1]
5.3 Elliptic Curve Digital Signature Algorithm
A more common algorithm used in practice is the Elliptic Curve Digital Signature Algorithm, which is similar to the non-elliptic curve algorithm. Algorithm 6 illustrates the algorithm for signature generation and Algorithm 7 illustrates the algorithm for signature verification, as published by Johnson, Menezes, and Vanstone in [6].
Algorithm 6 Elliptic Curve Digital Signature: Signature Generation
INPUT: E(Fpn ), point P, integer n, private key d, message m.
OUTPUT: Signature (r, s).
Step 1: Choose an element k at random from [1, n − 1].
Step 2: Compute kP = (x1, y1).
Step 3: Compute r = x1 mod n. If r = 0 then go to step 1.
Step 4: Hash function H computes H(m) = e.
Step 5: Compute $s = k^{-1}(e + dr) \bmod n$. If $s = 0$ then go to step 1.
Step 6: Return (r, s).
Algorithm 7 Elliptic Curve Digital Signature: Signature Verification
INPUT: E(Fpn ), point P, integer n, public key Q = dP, message m, signature (r, s).
OUTPUT: Acceptance or rejection of the signature.
Step 1: Verify that r and s are integers in the interval [1, n − 1]. If verification fails
return(“Reject Signature”).
Step 2: Hash function H computes H(m) = e.
Step 3: Compute $w = s^{-1} \bmod n$.
Step 4: Compute u1 = ew mod n and u2 = rw mod n.
Step 5: Compute X = u1P + u2Q = (x1, y1)
Step 6: If X = O return(“Reject Signature”)
Step 7: Compute v = x1 mod n.
Step 8: If v = r then return(“Accept the Signature”); Else return(“Reject Signature”).
The digital signature algorithm and the elliptic curve digital signature algorithm are
conceptually the same with the difference centering on how their signature is calculated.
We provide the proof of signature verification.
Proof. We need to verify that the steps in the algorithm lead to the conclusion $v = r$. We know from the signature generation that $s = k^{-1}(e + dr) \bmod n$. Rearranging, $s^{-1} = k(e + dr)^{-1} \bmod n$. Then $w = k(e + dr)^{-1} \bmod n$, which implies $X = u_1 P + u_2 Q = (ek(e + dr)^{-1} + drk(e + dr)^{-1})P$ since $Q = dP$. Factoring, $X = k(e + dr)(e + dr)^{-1}P = kP$, so $x_1$ is the $x$-coordinate of $kP$ and $v = x_1 \bmod n = r$. Therefore the conclusion verifies the signature's validity.
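The chord-and-tangent arithmetic of Section 2.1 (Equation 1 and the double-and-add idea of Example 2.1) together with Algorithm 5 and Algorithms 6 and 7, as one added example that is not code from the paper. It works over $\mathbb{F}_p$ rather than $\mathbb{R}$: a constructed toy curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$, whose 28 points can be checked by hand, serves the arithmetic checks, and NIST P-256 (the $a = -3$, $\|p\| = 256$ curve of Table 1) serves the two protocols; SHA-256 stands in for $H$ and the `secrets` module supplies the private keys and the per-signature $k$.

```python
# Added example, not from the paper: affine arithmetic on y^2 = x^3 + ax + b over F_p,
# double-and-add, then ECDH (Algorithm 5) and ECDSA (Algorithms 6/7) on top of it.
# Needs Python 3.8+ for pow(x, -1, m).
import hashlib
import secrets

INF = None  # the point at infinity O, the group identity (Definition 2.2)


class Curve:
    """y^2 = x^3 + ax + b over F_p, affine coordinates, points as (x, y) tuples."""
    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a % p, b % p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        # chord-and-tangent rule of Definition 2.1; O and P + (-P) = O handled first
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                                   # vertical line: Q = -P
        if P == Q:                                       # tangent line, Equation (1)
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p) % self.p
        else:                                            # chord through distinct points
            s = (y2 - y1) * pow(x2 - x1, -1, self.p) % self.p
        x3 = (s * s - x1 - x2) % self.p
        return (x3, (s * (x1 - x3) - y1) % self.p)       # reflect over the x-axis

    def double(self, P):
        return self.add(P, P)

    def mul(self, k, P):
        # double-and-add (Example 2.1): about log2(k) doublings instead of k - 1 additions
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.double(P)
            k >>= 1
        return R


def hash_to_int(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def keypair(E, G, n):
    d = secrets.randbelow(n - 1) + 1                     # private key in [1, n - 1]
    return d, E.mul(d, G)                                # (d, Q = dG)


def ecdh_shared(E, d_own, Q_other):
    return E.mul(d_own, Q_other)                         # Algorithm 5, Step 3


def ecdsa_sign(E, G, n, d, m):
    e = hash_to_int(m)                                   # Step 4
    while True:
        k = secrets.randbelow(n - 1) + 1                 # Step 1: fresh k in [1, n - 1]
        r = E.mul(k, G)[0] % n                           # Steps 2-3: r = x1 mod n
        if r == 0:
            continue
        s = pow(k, -1, n) * (e + d * r) % n              # Step 5
        if s != 0:
            return (r, s)                                # Step 6


def ecdsa_verify(E, G, n, Q, m, sig):
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):                  # Step 1
        return False
    if Q is INF or not E.on_curve(Q):                    # public-key check, not in Algorithm 7
        return False
    w = pow(s, -1, n)                                    # Step 3
    u1, u2 = hash_to_int(m) * w % n, r * w % n           # Step 4
    X = E.add(E.mul(u1, G), E.mul(u2, Q))                # Step 5
    return X is not INF and X[0] % n == r                # Steps 6-8


E23 = Curve(23, 1, 1)     # constructed toy curve; (3, 10) generates all 28 points
P256 = Curve(0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF, -3,
             0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B)
P256_G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
          0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551  # order of G

if __name__ == "__main__":
    print("2P =", E23.double((3, 10)), " 15P =", E23.mul(15, (3, 10)))
    dA, QA = keypair(P256, P256_G, P256_N)
    dB, QB = keypair(P256, P256_G, P256_N)
    print("ECDH agree:", ecdh_shared(P256, dA, QB) == ecdh_shared(P256, dB, QA))
    sig = ecdsa_sign(P256, P256_G, P256_N, dA, b"hello")
    print("ECDSA verifies:", ecdsa_verify(P256, P256_G, P256_N, QA, b"hello", sig))
```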
The security of the hash function is another important aspect of the algorithm: if an attacker can find preimages of H, signatures can be forged without the private key. For example, a third party E selects an integer l, computes the x-coordinate of Q + lP, and reduces it mod n to obtain r. E then sets s = r and computes e = rl mod n. If E can find a message m such that H(m) = e, then (r, s) is a valid signature for m [5], because the verifier computes u1 = es^{-1} = l and u2 = rs^{-1} = 1, so X = lP + Q has x-coordinate r by construction.
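The following is an added example, not code from the paper or from [6]: a toy ECDSA that implements Algorithm 6 and Algorithm 7 over the textbook curve y^2 = x^3 + 2x + 2 over F_17 with base point P = (5, 1) of prime order n = 19, checks the verification identity X = kP on an honest signature, and then carries out the forgery just described. The curve, the private key d = 7, the hash (SHA-256 reduced mod n), and the message strings are assumptions chosen so the example runs offline. The tiny n is what lets the attacker brute-force a message with H(m) = e; with a 256-bit n and a hash of matching width that step is infeasible, which is the hash requirement the text is pointing at. The nonce k is drawn fresh per signature, as Algorithm 6 requires: a reused or predictable k leaks d.

```python
# Added example: toy ECDSA (Algorithms 6 and 7) and the hash-preimage forgery.
# Curve (assumed, standard textbook example): y^2 = x^3 + 2x + 2 over F_17,
# base point P = (5, 1) of prime order n = 19. Requires Python 3.8+ for pow(x, -1, m).
import hashlib
import secrets

p, a, b = 17, 2, 2      # field prime and curve coefficients
P = (5, 1)              # base point
n = 19                  # order of P (prime)
O = None                # point at infinity, the group identity

def inv(x, m):
    """Modular inverse of x mod m (m prime)."""
    return pow(x, -1, m)

def add(A, B):
    """Point addition over F_p, covering doubling and the identity."""
    if A is O:
        return B
    if B is O:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                      # B = -A
    if A == B:
        s = (3 * x1 * x1 + a) * inv(2 * y1, p) % p    # tangent slope (doubling)
    else:
        s = (y2 - y1) * inv(x2 - x1, p) % p           # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)

def mul(k, A):
    """Scalar multiplication kA by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R

def H(m):
    """Toy hash: SHA-256 reduced mod n. A real deployment matches the hash width
    to n (about 256 bits); the 19-element range here is what makes forge() practical."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def sign(d, m):
    """Algorithm 6. k is uniform in [1, n-1] and fresh per call; reuse reveals d."""
    while True:
        k = secrets.randbelow(n - 1) + 1
        r = mul(k, P)[0] % n
        if r == 0:
            continue                                  # step 3: back to step 1
        s = inv(k, n) * (H(m) + d * r) % n
        if s == 0:
            continue                                  # step 5: back to step 1
        return (r, s)

def verify(Q, m, sig):
    """Algorithm 7. True iff (r, s) is accepted for m under public key Q."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False                                  # step 1: range check
    w = inv(s, n)
    u1 = H(m) * w % n
    u2 = r * w % n
    X = add(mul(u1, P), mul(u2, Q))                   # = w(e + dr)P = kP when honest
    if X is O:
        return False
    return X[0] % n == r

def forge(Q, l):
    """Forgery from the text: r = x(Q + lP) mod n, s = r, e = rl mod n. Then
    u1 = l and u2 = 1, so X = lP + Q has x-coordinate r for any m with H(m) = e.
    Needs only the public key; if r == 0 choose another l."""
    r = add(Q, mul(l, P))[0] % n
    if r == 0:
        raise ValueError("x(Q + lP) = 0 mod n, choose another l")
    return (r, r), r * l % n

def find_preimage(e, limit=10**6):
    """Brute-force a message with H(m) = e: trivial for n = 19, hopeless for n ~ 2^256."""
    for i in range(limit):
        m = b"pay mallory 1000 #%d" % i               # constructed attacker message
        if H(m) == e:
            return m
    raise RuntimeError("no preimage found")

def demo():
    d = 7                                             # assumed private key
    Q = mul(d, P)                                     # public key
    m = b"pay alice 10"                               # constructed message
    sig = sign(d, m)
    honest_ok = verify(Q, m, sig)
    out_of_range = verify(Q, m, (sig[0], 0))          # rejected at step 1
    forged_sig, e = forge(Q, 3)                       # attacker knows only Q and P
    forged_ok = verify(Q, find_preimage(e), forged_sig)
    return honest_ok, out_of_range, forged_ok
```

With d = 7 and l = 3 the forgery lands on the point 10P = (7, 11), so r = s = 7 and e = 2; the attacker then searches until SHA-256 of a constructed message reduces to 2 mod 19, which takes about 19 tries. Scaling n to 256 bits turns that same search into a preimage attack on the full hash, which is why the hash output must be as wide as n.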
For elliptic curves, the algorithms required to break the system are of greater complexity. The fastest algorithm currently known for solving the elliptic curve discrete logarithm problem in a general prime-order group is Pollard's rho algorithm. It is a probabilistic collision search, adapted from Pollard's method for factoring a composite number N, and its expected running time on a group of prime order n is about sqrt(πn/2) group operations, that is, fully exponential in the bit length of n. For more information consult Hankerson, Menezes, and Vanstone in [5].
6 Elliptic Curve Cryptography in Practice
In practice, obtaining elliptic curve implementations for encryption can be complicated by patent law. In particular, elliptic curve techniques are held as intellectual property and thus come with legal considerations.
6.1 Intellectual Property
Despite the high security of elliptic curve algorithms, elliptic curve techniques are intellectual property and are covered by patents. The Canadian company Certicom holds over 130 elliptic curve patents. This protection limits the use of elliptic curves in academia and other venues [1]. For this reason, the National Security Agency purchased a license covering Certicom's elliptic curve patents, with the stipulation that the property would only be used with NSA permission. Additionally, the license only applies to prime field curves with a prime greater than 2^255, which covers only three of the 15 NIST approved curves. Other non-governmental vendors may receive a license from the NSA to use those curves or negotiate a separate license agreement with Certicom [1]. As of 2009, Certicom is a wholly owned subsidiary of BlackBerry Limited, previously known as Research In Motion.
However, the numerous Certicom patents raise a debate on patenting mathematics, specifically elliptic curves. On its own, an elliptic curve cannot legally be patented. Instead, the elliptic curve must serve as a tool producing a tangible result. From Certicom's standpoint, they are patenting the mathematical process of using the elliptic curve in a way that enhances previously known encryption systems. For that reason it is legal to patent the use of the curve, since the curve is applied in an algorithm to produce a tangible result. Ultimately, they hope to profit from their monopolized findings [14].
On May 30th, 2007 Certicom filed a lawsuit against Sony Corporation for patent infringement, alleging that Sony products such as Blu-ray players and the PlayStation 3 used elliptic curve technology without a license. That BlackBerry Limited later acquired Certicom for $106 million shows the increasing value of this type of technology. Furthermore, the NSA has urged a shift to elliptic curve cryptography for its greater security and improved performance, according to former Certicom Director John Callahan in [2].
6.2 Future of Elliptic Curve Cryptography
In the future, elliptic curve cryptography could expand into the use of hyperelliptic curves [16]. A hyperelliptic curve is an extension of an elliptic curve of the form
y^2 = f(x)
where f(x) is a polynomial of degree at least 5 (a curve of genus g ≥ 2 has deg f = 2g + 1 or 2g + 2). The points of such a curve do not themselves form a group; the group used for cryptography is the curve's Jacobian, whose arithmetic is more involved than elliptic curve point addition and doubling, and the hope is that its discrete logarithm problem is at least as hard as the ECDLP for a group of comparable size. However, no technological advance has yet undermined the security of elliptic curves enough to make hyperelliptic curves more appealing. Unfortunately, the additional structure of hyperelliptic curves may make them more attackable, according to Rosing in [16], though too little of this area has been explored for that statement to be conclusive.
7 Conclusion
The fundamentals of elliptic curve cryptography have stemmed from decades of work by notable cryptographers such as Diffie, Hellman, Koblitz, Miller, Rivest, Shamir, and Adleman. The continued growth of computer technology has enabled us to re-develop previous algorithms using the more complex mathematics of elliptic curves. The core of their success is the difficulty of solving the elliptic curve discrete logarithm problem, which makes it extremely difficult for a third party attacker to gain access to private information. The benefit of elliptic curve cryptography is, simply, efficiency: a harder underlying problem allows shorter keys and faster operations for the same level of security. It remains to be seen how the future of technology shapes elliptic curve cryptography.
References
[1] National Security Agency. The Case for Elliptic Curve Cryptography. http://www.nsa.gov/business/programs/elliptic_curve.shtml, January 2009.
[2] John Callahan. Certicom Files Suit Against Sony for Patent Infringement. Certicom Corporation press release, https://www.certicom.com/index.php/2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement, May 2007.
[3] Whitfield Diffie and Martin Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.
[4] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 17(2):281–308, 1988.
[5] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Professional Computing. Springer, 2004.
[6] Don Johnson, Alfred Menezes, and Scott Vanstone. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, 2001.
[7] Thomas W. Judson. Abstract Algebra: Theory and Applications. http://abstract.ups.edu/, 2009. Accessed 2014-05-04.
[8] Israel Kleiner. Excursions in the History of Mathematics: The State Space Method. Operator Theory, Advances and Applications. Birkhäuser, 2012.
[9] Neal Koblitz, Alfred Menezes, and Scott Vanstone. The State of Elliptic Curve Cryptography. Designs, Codes and Cryptography, 19:173–193, 2000.
[10] D. W. Kravitz. Digital Signature Algorithm. US Patent 5,231,668, July 1993.
[11] Victor S. Miller. Use of Elliptic Curves in Cryptography. In Hugh C. Williams, editor, Advances in Cryptology: CRYPTO '85 Proceedings, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, 1986.
[12] National Institute of Standards and Technology. Digital Signature Standard (DSS). Federal Information Processing Standards Publication 186-4, U.S. Department of Commerce, July 2013.
[13] National Institute of Standards and Technology. Recommended Elliptic Curves for Federal Government Use. July 1999.
[14] Teresa Riordan. Patents; An Appeals Court Says a Mathematical Formula Can Be Patented, if It Is a Moneymaker. New York Times, August 1998.
[15] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[16] Michael Rosing. Implementing Elliptic Curve Cryptography. Manning Publications, 1999.
17

Weitere ähnliche Inhalte

Was ist angesagt?

Elliptic Curves and Elliptic Curve Cryptography
Elliptic Curves and Elliptic Curve CryptographyElliptic Curves and Elliptic Curve Cryptography
Elliptic Curves and Elliptic Curve CryptographyMd. Al-Amin Khandaker Nipu
 
Elliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsElliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsMartijn Grooten
 
Cs6402 design and analysis of algorithms may june 2016 answer key
Cs6402 design and analysis of algorithms may june 2016 answer keyCs6402 design and analysis of algorithms may june 2016 answer key
Cs6402 design and analysis of algorithms may june 2016 answer keyappasami
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyDavid Evans
 
Graph Traversal Algorithms - Depth First Search Traversal
Graph Traversal Algorithms - Depth First Search TraversalGraph Traversal Algorithms - Depth First Search Traversal
Graph Traversal Algorithms - Depth First Search TraversalAmrinder Arora
 
Lecture 8 nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6
Lecture 8   nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6Lecture 8   nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6
Lecture 8 nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6njit-ronbrown
 
Minimal spanning tree class 15
Minimal spanning tree class 15Minimal spanning tree class 15
Minimal spanning tree class 15Kumar
 
Dynamic Programming - Part II
Dynamic Programming - Part IIDynamic Programming - Part II
Dynamic Programming - Part IIAmrinder Arora
 
Eucledian algorithm for gcd of integers and polynomials
Eucledian algorithm for gcd of integers and polynomialsEucledian algorithm for gcd of integers and polynomials
Eucledian algorithm for gcd of integers and polynomialsSWAMY J S
 
Euclid's Algorithm for Greatest Common Divisor - Time Complexity Analysis
Euclid's Algorithm for Greatest Common Divisor - Time Complexity AnalysisEuclid's Algorithm for Greatest Common Divisor - Time Complexity Analysis
Euclid's Algorithm for Greatest Common Divisor - Time Complexity AnalysisAmrinder Arora
 
Seismic data processing
Seismic data processingSeismic data processing
Seismic data processingAmin khalil
 
Elliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsubaElliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsubaIAEME Publication
 
14 - 08 Feb - Dynamic Programming
14 - 08 Feb - Dynamic Programming14 - 08 Feb - Dynamic Programming
14 - 08 Feb - Dynamic ProgrammingNeeldhara Misra
 
Algorithm chapter 9
Algorithm chapter 9Algorithm chapter 9
Algorithm chapter 9chidabdu
 

Was ist angesagt? (20)

Elliptic Curves and Elliptic Curve Cryptography
Elliptic Curves and Elliptic Curve CryptographyElliptic Curves and Elliptic Curve Cryptography
Elliptic Curves and Elliptic Curve Cryptography
 
Elliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of mathsElliptic Curve Cryptography for those who are afraid of maths
Elliptic Curve Cryptography for those who are afraid of maths
 
Cs6402 design and analysis of algorithms may june 2016 answer key
Cs6402 design and analysis of algorithms may june 2016 answer keyCs6402 design and analysis of algorithms may june 2016 answer key
Cs6402 design and analysis of algorithms may june 2016 answer key
 
5.1 greedy 03
5.1 greedy 035.1 greedy 03
5.1 greedy 03
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve Cryptography
 
Lec 2-2
Lec 2-2Lec 2-2
Lec 2-2
 
Graph Traversal Algorithms - Depth First Search Traversal
Graph Traversal Algorithms - Depth First Search TraversalGraph Traversal Algorithms - Depth First Search Traversal
Graph Traversal Algorithms - Depth First Search Traversal
 
Lecture 8 nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6
Lecture 8   nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6Lecture 8   nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6
Lecture 8 nul col bases dim & rank - section 4-2, 4-3, 4-5 & 4-6
 
Minimal spanning tree class 15
Minimal spanning tree class 15Minimal spanning tree class 15
Minimal spanning tree class 15
 
Dynamic Programming - Part II
Dynamic Programming - Part IIDynamic Programming - Part II
Dynamic Programming - Part II
 
Eucledian algorithm for gcd of integers and polynomials
Eucledian algorithm for gcd of integers and polynomialsEucledian algorithm for gcd of integers and polynomials
Eucledian algorithm for gcd of integers and polynomials
 
Planted Clique Research Paper
Planted Clique Research PaperPlanted Clique Research Paper
Planted Clique Research Paper
 
18 Basic Graph Algorithms
18 Basic Graph Algorithms18 Basic Graph Algorithms
18 Basic Graph Algorithms
 
5.1 greedy
5.1 greedy5.1 greedy
5.1 greedy
 
Ecc2
Ecc2Ecc2
Ecc2
 
Euclid's Algorithm for Greatest Common Divisor - Time Complexity Analysis
Euclid's Algorithm for Greatest Common Divisor - Time Complexity AnalysisEuclid's Algorithm for Greatest Common Divisor - Time Complexity Analysis
Euclid's Algorithm for Greatest Common Divisor - Time Complexity Analysis
 
Seismic data processing
Seismic data processingSeismic data processing
Seismic data processing
 
Elliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsubaElliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsuba
 
14 - 08 Feb - Dynamic Programming
14 - 08 Feb - Dynamic Programming14 - 08 Feb - Dynamic Programming
14 - 08 Feb - Dynamic Programming
 
Algorithm chapter 9
Algorithm chapter 9Algorithm chapter 9
Algorithm chapter 9
 

Andere mochten auch

TPF-Utlities - Exploitatie
TPF-Utlities - ExploitatieTPF-Utlities - Exploitatie
TPF-Utlities - Exploitatiesandrineeeman
 
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...Yoshihiro Mizoguchi
 
Probability powerpoint presentation assignment two
Probability powerpoint presentation assignment twoProbability powerpoint presentation assignment two
Probability powerpoint presentation assignment twoAmy Wilson
 
math bio for 1st year math students
math bio for 1st year math studentsmath bio for 1st year math students
math bio for 1st year math studentsBen Bolker
 
Introduction to Casino Mathematics
Introduction to Casino MathematicsIntroduction to Casino Mathematics
Introduction to Casino MathematicsRamachandar Siva
 
CONIC SECTIONS AND ITS APPLICATIONS
CONIC SECTIONS AND ITS APPLICATIONSCONIC SECTIONS AND ITS APPLICATIONS
CONIC SECTIONS AND ITS APPLICATIONSJaffer Sheriff
 
Applications of conic sections3
Applications of conic sections3Applications of conic sections3
Applications of conic sections3Iram Khan
 
Probability Powerpoint
Probability PowerpointProbability Powerpoint
Probability Powerpointspike2904
 

Andere mochten auch (15)

Google lme4
Google lme4Google lme4
Google lme4
 
TPF-Utlities - Exploitatie
TPF-Utlities - ExploitatieTPF-Utlities - Exploitatie
TPF-Utlities - Exploitatie
 
Intro to linux os
Intro to linux osIntro to linux os
Intro to linux os
 
Career sharing fsl
Career sharing fslCareer sharing fsl
Career sharing fsl
 
Hyperbolas
HyperbolasHyperbolas
Hyperbolas
 
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...
Graph partitioning and characteristic polynomials of Laplacian matrics of Roa...
 
Probability powerpoint presentation assignment two
Probability powerpoint presentation assignment twoProbability powerpoint presentation assignment two
Probability powerpoint presentation assignment two
 
Probability (1)
Probability (1)Probability (1)
Probability (1)
 
math bio for 1st year math students
math bio for 1st year math studentsmath bio for 1st year math students
math bio for 1st year math students
 
Casino Mathematics
Casino MathematicsCasino Mathematics
Casino Mathematics
 
Introduction to Casino Mathematics
Introduction to Casino MathematicsIntroduction to Casino Mathematics
Introduction to Casino Mathematics
 
CONIC SECTIONS AND ITS APPLICATIONS
CONIC SECTIONS AND ITS APPLICATIONSCONIC SECTIONS AND ITS APPLICATIONS
CONIC SECTIONS AND ITS APPLICATIONS
 
Conic section ppt
Conic section pptConic section ppt
Conic section ppt
 
Applications of conic sections3
Applications of conic sections3Applications of conic sections3
Applications of conic sections3
 
Probability Powerpoint
Probability PowerpointProbability Powerpoint
Probability Powerpoint
 

Ähnlich wie elliptic-curves-modern

SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE AND LIE ALGEBRA
SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE  AND LIE ALGEBRASYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE  AND LIE ALGEBRA
SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE AND LIE ALGEBRABRNSS Publication Hub
 
An Introduction to ECDSA and it's use in Bitcoin (1)
An Introduction to ECDSA and it's use in Bitcoin (1)An Introduction to ECDSA and it's use in Bitcoin (1)
An Introduction to ECDSA and it's use in Bitcoin (1)Hakeem Hunte
 
Survey ecc 09june12
Survey ecc 09june12Survey ecc 09june12
Survey ecc 09june12IJASCSE
 
Elliptic Curves as Tool for Public Key Cryptography
Elliptic Curves as Tool for Public Key CryptographyElliptic Curves as Tool for Public Key Cryptography
Elliptic Curves as Tool for Public Key Cryptographyinventy
 
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyLow Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyIOSR Journals
 
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyLow Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyIOSR Journals
 
Hormann.2001.TPI.pdf
Hormann.2001.TPI.pdfHormann.2001.TPI.pdf
Hormann.2001.TPI.pdfssuserbe139c
 
Cryptography Baby Step Giant Step
Cryptography Baby Step Giant StepCryptography Baby Step Giant Step
Cryptography Baby Step Giant StepSAUVIK BISWAS
 
An Application Of Graph Theory In Cryptography
An Application Of Graph Theory In CryptographyAn Application Of Graph Theory In Cryptography
An Application Of Graph Theory In CryptographyLori Mitchell
 
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTSA SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTScsandit
 
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...Editor IJCATR
 
Lect no 13 ECC.ppt
Lect no 13 ECC.pptLect no 13 ECC.ppt
Lect no 13 ECC.pptDEEPAK948083
 
Lect no 13 ECC.ppt
Lect no 13 ECC.pptLect no 13 ECC.ppt
Lect no 13 ECC.pptDEEPAK948083
 
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLING
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLINGCRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLING
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLINGJournal For Research
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Some Engg. Applications of Matrices and Partial Derivatives
Some Engg. Applications of Matrices and Partial DerivativesSome Engg. Applications of Matrices and Partial Derivatives
Some Engg. Applications of Matrices and Partial DerivativesSanjaySingh011996
 
An Introduction to Elleptic Curve Cryptography
An Introduction to Elleptic Curve CryptographyAn Introduction to Elleptic Curve Cryptography
An Introduction to Elleptic Curve CryptographyDerek Callaway
 
Design and Analysis of algorithms
Design and Analysis of algorithmsDesign and Analysis of algorithms
Design and Analysis of algorithmsDr. Rupa Ch
 

Ähnlich wie elliptic-curves-modern (20)

SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE AND LIE ALGEBRA
SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE  AND LIE ALGEBRASYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE  AND LIE ALGEBRA
SYMMETRIC BILINEAR CRYPTOGRAPHY ON ELLIPTIC CURVE AND LIE ALGEBRA
 
An Introduction to ECDSA and it's use in Bitcoin (1)
An Introduction to ECDSA and it's use in Bitcoin (1)An Introduction to ECDSA and it's use in Bitcoin (1)
An Introduction to ECDSA and it's use in Bitcoin (1)
 
Survey ecc 09june12
Survey ecc 09june12Survey ecc 09june12
Survey ecc 09june12
 
Elliptic Curves as Tool for Public Key Cryptography
Elliptic Curves as Tool for Public Key CryptographyElliptic Curves as Tool for Public Key Cryptography
Elliptic Curves as Tool for Public Key Cryptography
 
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyLow Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
 
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve CryptographyLow Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
 
Lecture50
Lecture50Lecture50
Lecture50
 
Hormann.2001.TPI.pdf
Hormann.2001.TPI.pdfHormann.2001.TPI.pdf
Hormann.2001.TPI.pdf
 
Cryptography Baby Step Giant Step
Cryptography Baby Step Giant StepCryptography Baby Step Giant Step
Cryptography Baby Step Giant Step
 
An Application Of Graph Theory In Cryptography
An Application Of Graph Theory In CryptographyAn Application Of Graph Theory In Cryptography
An Application Of Graph Theory In Cryptography
 
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTSA SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
A SURVEY ON ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM AND ITS VARIANTS
 
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...
Ijcatr03051008Implementation of Matrix based Mapping Method Using Elliptic Cu...
 
Lect no 13 ECC.ppt
Lect no 13 ECC.pptLect no 13 ECC.ppt
Lect no 13 ECC.ppt
 
Lect no 13 ECC.ppt
Lect no 13 ECC.pptLect no 13 ECC.ppt
Lect no 13 ECC.ppt
 
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLING
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLINGCRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLING
CRYPTOGRAPHY USING ELLIPTIC CURVE WITH MATRIX SCRAMBLING
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Some Engg. Applications of Matrices and Partial Derivatives
Some Engg. Applications of Matrices and Partial DerivativesSome Engg. Applications of Matrices and Partial Derivatives
Some Engg. Applications of Matrices and Partial Derivatives
 
An Introduction to Elleptic Curve Cryptography
An Introduction to Elleptic Curve CryptographyAn Introduction to Elleptic Curve Cryptography
An Introduction to Elleptic Curve Cryptography
 
Design and Analysis of algorithms
Design and Analysis of algorithmsDesign and Analysis of algorithms
Design and Analysis of algorithms
 
01.01 vector spaces
01.01 vector spaces01.01 vector spaces
01.01 vector spaces
 

elliptic-curves-modern

  • 1. Elliptic Curves: Modern Cryptography Eric Seifert May 4, 2014 Abstract This paper explains the mathematics behind elliptic curve cryptography, its various protocols, and the importance of elliptic curve encryption systems. Math- ematical topics include group theory, rings, and modular arithmetic. Additionally, we discuss elliptic curves as intellectual property and their legal ramifications. 1 Introduction The concept of transmitting information to a third party via a secure network has been of interest since antiquity. Over time technology advancements changed the methods of encrypting information. Methods for transmitting information were not strictly reliant on transposition or substitution ciphers. Much of the increased need for cryptography was due in part to World War I and the later World War II [3]. The spark of the computer age of the latter half of the 20th century caused the use of cryptography to accelerate. The power and capabilities of the computer allowed cryptography to become even more sophisticated. American cryptographers Whitfield Diffie and Martin Hellman’s paper in 1976 [3] was a significant step in the development of what is now known as public key cryptography. In 1977, American cryptographers Ronald Rivest, Adi Shamir, and Len Adleman used Diffie and Hellman’s findings to develop a practical encryption system known as the RSA algorithm [15]. However, booming technological advancements caused a demand for more secure en- cryption systems. In the 1980s, computers started seeing improvements in computational speeds, improving their ability to compute more complex mathematical problems faster. There was a growing need for more computationally difficult encryption systems. In 1985 Neal Koblitz [9] and Victor S. Miller [11] independently suggested the use of elliptic curves as an encryption system. In 2004, elliptic curves entered wide use. 
This was due largely in part to the lack of technology available to handle such complex calculations as those of elliptic curves. The computationally intractable mathematics of elliptic curves allows them to utilize more efficient key sizes while offering the same level of security as their RSA counterparts. This complexity is magnified by the types of time algorithms used to solve them. The three main types are polynomial, sub-exponential, and exponential. The names stem from their algebraic properties. For example, an elliptic curve time algorithm is a varient of an exponential time algorithm. In this paper we will discuss the underlying abstract mathematics used in elliptic curve algorithms, present current protocols, and finally end with a discussion about patents and current issues surrounding elliptic curve cryptography. Specifically, in Section 2 we will introduce the elliptic curve over the real numbers and define the associated algebraic 1
  • 2. properties. Then in Section 3 we introduce the algrebraic properties of rings. Section 4 will introduce non-elliptic curve encryption protocols. Then Section 5 introduces two main elliptic curve encryption systems. Finally, Section 6 concludes with a discussion of patenting elliptic curves for use and various legal ramifications. 2 Elliptic Curves over the Real Numbers An elliptic curve is a cubic curve with genus one defined over some set of numbers. A genus refers to the largest number of nonintersecting closed curves that can be drawn on a surface without seperation. In practice, elliptic curve encryption systems utilize 19th Century German mathemati- cian Karl Weierstrass’s elliptic curve equation. This stems from the Weierstrass Elliptic Function (notably documented as ℘). Much of Weierstrass’s work centered around Cal- culus, but his work on elliptic curves influenced much of modern cryptography [8]. Weierstrass equations are commonly used for their accessibility over any set of num- bers. A Weierstrass equation is any equation of the following y2 + ay = x3 + bx2 + cxy + dx + e where a, b, c, d, e ∈ R Though the coefficients of the Weierstrass equation above are defined over R, they could also be defined over other sets, which we will discuss later. A commonly used Weierstrass equation is as follows y2 = x3 + dx + e where d, e ∈ R, and a = b = c = 0 In practice and for efficiency reasons, the National Institute of Standards and Tech- nology recommends elliptic encryption systems to use the above equation with d = −3 [13]. One can also consider other variants of cubic curves such as the general cubic curve ax3 + b2 y + cxy2 + dy3 + ex2 + fxy + gy2 + hx + iy + j = 0 Here a, b, c, d, e, f, g, h, i, j ∈ S, where S is a field, which we will discuss below. We will focus on the Weierstrass equation since it is most commonly used in practice. 
2.1 Elliptic Curve Properties We now explain some important properties of an elliptic curve by defining an algebraic structure on a collection of points on a fixed elliptic curve. These properties are vital to the use of elliptic curves in cryptography. 2.1.1 Point Addition We define elliptic curve addition as follows: Definition 2.1. Let P, R and Q be points on the elliptic curve E. Then P + Q ≡ R, where R is R−1 reflected over the x-axis and R−1 is the point of intersection between the elliptic curve and the line that contains P and Q. Figure 1 illustrates this concept. 2
  • 3. 1 −1 −2 1−1−2 •P • R−1 • Q •R Figure 1: Graph showing elliptic curve point addition We use this definition of addition because, due to a special property of elliptic curves, it will allow us to have additive inverses. Furthermore, in order to understand why we reflect the point R in Definition 2.1 we need to define the identity of an elliptic curve. Definition 2.2. Let P be a point on the elliptic curve E, and O be the point at infinity, then P + O = O + P = P. Figure 2 illustrates this concept. 1 −1 −2 1−1−2 •P • P−1 •O Figure 2: Graph showing the identity at infinity 3
  • 4. Definition 2.1 implies that P + P−1 = O, where P−1 is sometimes denoted as −P. Graphically, the line created between P and O is assumed to be a vertical line, intersecting the curve at P−1 . This implies the point at infinity is the identity element. 2.1.2 Point Doubling Rather than computing repeated sums, most encryption algorithms use point doubling to reduce run time. Instead of considering two points on the curve we will consider one point P on the elliptic curve E. If we add P to itself this is equivalent to drawing a tangent line through P. This line intersects the curve at point (2P)−1 . After reflection we see that P + P = 2P. Figure 3 illustrates this concept. 1 −1 −2 1−1−2 • P • • (2P)−1 2P Figure 3: Graph showing elliptic curve point doubling Example 2.1. Instead of calculating 15P = P + P + · · · + P 15 times , we can more efficiently calculate this using point doubling. Namely, 15P = P +2(P +2(P +2P)). This effectively reduces the number of operations from 15 to six [16]. To actually evaluate 2P depends on the type of elliptic curve. There are specific formulae that solve for the point doubling value. For example, the interested reader can verify that for the elliptic curve y2 = x3 + ax + b, 2P = R, where P = (Px, Py) and R = (Rx, Ry). The point R is calculated as follows Rx = s2 − 2Px and Ry = s(Px − Rx) − Py where s = (3P2 x + a)/(2Py) (1) Multiple point doubling is one of the main reasons that makes Elliptic Curve algo- rithms so effective. 4
  • 5. 2.2 Group Definition In conjunction with the property of elliptic curve addition, elliptic curves form an alge- braic structure known as a group. Definition 2.3. A group (G, ◦) consists of a set of elements G and a binary operation ◦ that satisfy the following axioms as defined from Judson [7]: • (Associativitiy) a ◦ (b ◦ c) = (a ◦ b) ◦ c for all a, b, c ∈ G. • (Identity) There exists an element e ∈ G such that a ◦ e = e + a = a for all a ∈ G. • (Inverse) For each a ∈ G, there exists and element a−1 ∈ G, such that a ◦ a−1 = a−1 ◦ a = e. Now we can define a group (E, +) based on the elliptic curve E. This is known as the elliptic group. Elliptic curve addition is associative since P + (Q + R) = (P + Q) + R for all P, Q, R ∈ E. Every element of the elliptic group contains an identity element we call O. Finally, inverses exists since by definition P + P−1 = O. For these reasons, the elliptic group is indeed a group. 3 Prime Modulus and Binary Fields In the previous section we discussed elliptic curves over R. However in practice, com- puters have a difficult time working with an infinite set of numbers. For this reason, early encryption systems such as RSA rely heavily on a basic concept of number theory: modular arithmetic. Mathematically, modular arithmetic is defined as follows Definition 3.1. Let a and b be two integers and suppose that n ∈ N then a is congruent to b modulo n if a − b is divisible by n; that is, a − b = nk for some k ∈ Z. We denote by Zn the set of equivalence classes of the integers mod n, as defined from Judson [7]. 3.1 Rings Though we defined Zn as the set of equivalence class of the integers mod n, we can also define it as a set with two binary operations, addition and multiplication. Theorem 3.1. Let a1 ≡ b1 mod n and a2 ≡ b2 mod n. Then a1 + a2 ≡ (b1 + b2) mod n. Furthermore, a1a2 ≡ (b1b2) mod n. The resulting system has a nice algebraic structure called a ring, which is defined as follows Definition 3.2. 
A nonempty set R is a ring if it has two closed binary operations, addition and multiplication, satisfying the following conditions.

• (Commutativity of Addition) a + b = b + a for all a, b ∈ R.
• (Associativity of Addition) (a + b) + c = a + (b + c) for all a, b, c ∈ R.
• (Additive Identity) There exists an element 0 ∈ R such that a + 0 = a for all a ∈ R.
• (Additive Inverse) For every a ∈ R there exists an element −a ∈ R such that a + (−a) = 0.
• (Associativity of Multiplication) (ab)c = a(bc) for all a, b, c ∈ R.
• (Distributivity) For all a, b, c ∈ R, a(b + c) = ab + ac and (a + b)c = ac + bc.

Notice that in a ring every element has an additive inverse, but nothing is required about multiplicative inverses. A special type of ring is a field.

Definition 3.3. A field is a ring R in which multiplication is commutative (ab = ba for all a, b ∈ R), there exists a nonzero element 1 ∈ R with 1a = a1 = a for every a ∈ R, and every nonzero element a ∈ R has a unique inverse a^-1 with a a^-1 = a^-1 a = 1.

So in a field every element has an additive inverse and every nonzero element has a multiplicative inverse. We have already met an example.

Example 3.1. Z3 is a field: multiplication is commutative, 1 is the multiplicative identity, and both nonzero elements are their own inverses (1 · 1 = 1 and 2 · 2 = 4 ≡ 1 mod 3). Z6, however, is not a field, because not every nonzero element has a multiplicative inverse. Consider the element 2: multiplying 2 by any element of Z6 yields only 0, 2 or 4, never 1. In general the invertible elements of Zn are exactly those coprime to n.

Before defining the fields used in elliptic curve cryptography, we need the following theorem, which connects fields with the rings Zn.

Theorem 3.2. If p is prime then every nonzero element of Zp has a multiplicative inverse. Consequently, Zp is a field.

Proof. Commutativity and associativity of addition and multiplication, and distributivity, are inherited from the integers by Theorem 3.1. It remains to show that any nonzero x ∈ Zp has a multiplicative inverse. Let x be an integer with 0 < x < p. Since p is prime, gcd(x, p) = 1, so by the extended Euclidean algorithm there exist integers a and b such that ap + bx = 1. Then bx = 1 − ap ≡ 1 mod p, so b mod p is the inverse of x. Thus every nonzero element of Zp is invertible and Zp is a field. (The extended Euclidean algorithm is also how inverses are computed in practice, for example when evaluating the slope s in Equation 1 over a prime field.)

The characteristic of a field F is the smallest positive integer p such that pα = 0 for every α ∈ F, or 0 if no such integer exists; for a finite field the characteristic is always a prime.

Proposition 3.1. If F is a finite field of characteristic p, then the order of F is p^n for some n ∈ N.
For a proof, see Judson [7].

3.2 The Galois Field

Fundamentally, all fields of order p^n, where p is prime, have the same structure: any two of them are isomorphic. Therefore we may speak of the field of order p^n, called the Galois field and written Fpn or GF(p^n). A Galois field is a finite field whose order is a prime power, and by Proposition 3.1 every finite field is one. When n = 1 the Galois field Fp is just Zp. When p = 2 the Galois field F2n is known as a binary field, because its elements can be represented as strings of n bits, as shown below.

Example 3.2. When n = 1 the binary field is simply F2, which is the same as the integers modulo 2.
The elements of F2n can be represented as polynomials with coefficients in Z2, computed modulo a fixed irreducible polynomial p(x) of degree n; that is, F2n is the quotient ring Z2[x]/⟨p(x)⟩. A polynomial is irreducible over Z2 if it cannot be written as a product of two polynomials of lower degree with coefficients in Z2. Given an irreducible polynomial of degree n we obtain a field of order 2^n, and the same construction over Zp gives a field of order p^n. Such a polynomial exists for every prime p and every n ≥ 1.

Example 3.3. Let p(x) be an irreducible polynomial in Z2[x] of degree n. Then Z2[x]/⟨p(x)⟩ is F2n, where ⟨p(x)⟩ = {p(x)q(x) : q(x) ∈ Z2[x]} is the set of all multiples of p(x). Both Z2[x] and ⟨p(x)⟩ are infinite, but the quotient Z2[x]/⟨p(x)⟩ has exactly 2^n elements: the possible remainders on division by p(x), namely the polynomials of degree less than n.

Example 3.4. Take the irreducible polynomial p(x) = x^3 + x + 1 in Z2[x]. (The polynomial x^3 + x^2 + x + 1 would not do: it has 1 as a root, so x + 1 divides it; over Z2 it factors as (x + 1)^3.) Then Z2[x]/⟨p(x)⟩ is F2^3, with elements {0, 1, x, x + 1, x^2, x^2 + 1, x^2 + x, x^2 + x + 1}. Multiplication is ordinary polynomial multiplication followed by reduction using x^3 = x + 1; for instance x · x^2 = x^3 = x + 1. The polynomial basis is {x^2, x, 1}: every element of the field is a unique Z2-linear combination of these three monomials.

Example 3.4 uses the Galois field F2^3, which is F8, a finite field of order 8. Thus finite fields of non-prime order exist. There is, however, no field of order 6, because 6 is not a power of a prime.

Example 3.4 also explains the name binary field. Each element of Z2[x]/⟨p(x)⟩ is a polynomial of degree at most 2 and is determined by its three coefficients, so it can be written as a bit string: x^2 + x is (1, 1, 0) and x + 1 is (0, 1, 1). Counting shows that there are 2^3 bit strings of length 3, one for each field element. More generally, if m(x) is irreducible over Zp of degree n, then |Zp[x]/⟨m(x)⟩| = p^n, and the elements correspond to the p^n strings of length n over Zp. The value of the binary fields is precisely this: they are large finite fields whose elements are bit strings, on which addition is a bitwise XOR and multiplication is a shift-and-XOR with a final reduction, operations that are cheap in hardware.
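The following is an added worked example, not part of the paper: it implements F_{2^m} arithmetic in the polynomial basis of Example 3.4, using the irreducible polynomial x^3 + x + 1 and a brute-force irreducibility check that confirms x^3 + x^2 + x + 1 is reducible, and applies the same code unchanged to the NIST K-163 field polynomial t^163 + t^7 + t^6 + t^3 + 1 listed in Section 5.1. The bit-string encoding (bit i is the coefficient of x^i) and all function names are this example's own choices.

```python
"""Added example (not from the paper): arithmetic in the binary field
F_{2^m} = Z_2[x]/<p(x)> in the polynomial basis {x^(m-1), ..., x, 1}. A field element
is stored as an m-bit integer, bit i being the coefficient of x^i, so x^2 + x is
0b110 = (1, 1, 0). Worked on F_8 with p(x) = x^3 + x + 1 (Example 3.4) and, to show the
same code scales, on GF(2^163) with the NIST K-163 polynomial t^163 + t^7 + t^6 + t^3 + 1."""

F8_POLY = 0b1011                                              # x^3 + x + 1
K163_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # NIST K-163 field polynomial


def degree(f):
    """Degree of a bit-encoded polynomial over Z_2 (-1 for the zero polynomial)."""
    return f.bit_length() - 1


def poly_mod(f, poly):
    """Remainder of f on division by poly: subtract (XOR) shifted copies of poly."""
    m = degree(poly)
    while degree(f) >= m:
        f ^= poly << (degree(f) - m)
    return f


def is_irreducible(poly):
    """Brute-force check for small degrees: no polynomial of degree 1..m/2 divides poly."""
    m = degree(poly)
    for d in range(1, m // 2 + 1):
        for f in range(1 << d, 1 << (d + 1)):
            if poly_mod(poly, f) == 0:
                return False
    return True


def gf_add(u, v):
    """Addition is coefficient-wise XOR; every element is its own additive inverse."""
    return u ^ v


def gf_mul(u, v, poly):
    """Shift-and-add multiplication, reducing modulo poly whenever degree m is reached."""
    m = degree(poly)
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> m) & 1:
            u ^= poly
    return r


def gf_inv(u, poly):
    """Inverse by the extended Euclidean algorithm on polynomials: the same argument as
    Theorem 3.2, since gcd(u, p(x)) = 1 whenever p(x) is irreducible and u != 0.
    Invariant: r0 = s0*u and r1 = s1*u modulo poly."""
    if u == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    r0, r1, s0, s1 = poly, u, 0, 1
    while r1 != 1:
        shift = degree(r0) - degree(r1)
        if shift < 0:
            r0, r1, s0, s1 = r1, r0, s1, s0
            continue
        r0 ^= r1 << shift
        s0 ^= s1 << shift
    return poly_mod(s1, poly)


def to_bits(u, m):
    """Coefficient tuple (x^(m-1), ..., x, 1), e.g. x^2 + x in F_8 -> (1, 1, 0)."""
    return tuple((u >> i) & 1 for i in range(m - 1, -1, -1))


def f8_elements():
    """All 2^3 elements of F_8 as bit strings: exactly one per 3-bit pattern."""
    return [to_bits(u, 3) for u in range(8)]
```

Note that `gf_mul(0b010, 0b100, F8_POLY)` returns `0b011`, the computation x · x^2 = x^3 = x + 1 from Example 3.4, and that the K-163 inverse runs in well under a millisecond even in pure Python, since every step is a shift and an XOR on 163-bit integers.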
Polynomial-basis arithmetic and the binary representation together give the efficient field operations on which elliptic curve cryptography is built. In terms of notation, E(Fpn) denotes the group of points of an elliptic curve E with coordinates in the finite field Fpn, together with O; n = 1 gives the prime-field case E(Fp) and p = 2 the binary-field case E(F2n). We will use this notation when we discuss elliptic curve algorithms in Section 5.

4 Cryptographic Protocols

Cryptography is the study of techniques for securing communication in the presence of adversaries. Encryption is the part of cryptography concerned with algorithms that hide the content of messages from anyone other than the intended recipient. There are two kinds of encryption: symmetric-key and public-key encryption. Both involve two communicating parties and a third party, commonly called the attacker, who observes the channel. In symmetric-key encryption the two parties must agree on a shared secret key, used for both encryption and decryption, before communicating; the key determines the output of the encryption function for a given message. Public-key encryption instead uses asymmetric-key algorithms with two different keys: a public encryption key and a private decryption key. The intention is that computing the private key from the public key should be computationally infeasible. This infeasibility rests on the hardness of an underlying mathematical problem, and the choice of that problem is exactly where elliptic curve cryptography enters.
4.1 RSA Encryption

A notable example of a public-key encryption system is RSA, named after its 1977 inventors Ronald Rivest, Adi Shamir, and Len Adleman [15]. Algorithm 1 illustrates RSA for two parties A and B.

Algorithm 1 RSA Encryption
INPUT: A picks two large distinct primes p and q.
OUTPUT: B's message m delivered confidentially to A.
Step 1: A computes n = pq.
Step 2: A computes ϕ(n) = (p − 1)(q − 1).
Step 3: A chooses e with gcd(e, ϕ(n)) = 1 and computes d = e^-1 mod ϕ(n).
Step 4: B encrypts the message m (an integer with 0 ≤ m < n) by computing c = m^e mod n and sends c to A over the public channel.
Step 5: A receives the ciphertext c = m^e mod n.
Step 6: A decrypts by computing c^d mod n = m.

In the above algorithm (n, e) is the public key and d is the private key; p, q and ϕ(n) must also be kept secret (or destroyed after key generation), since any one of them reveals d. To prove that RSA decryption works we need the following theorem of the 18th-century mathematician Leonhard Euler.

Theorem 4.1 (Euler's Theorem). Let a and n be integers with n > 0 and gcd(a, n) = 1. Then a^ϕ(n) ≡ 1 mod n.

Proof that RSA works. We need to show (m^e)^d ≡ m mod n. We know that ed ≡ 1 mod ϕ(n), so ϕ(n) | (ed − 1) and there exists an integer k with ed = 1 + kϕ(n). Then, for gcd(m, n) = 1,

    (m^e)^d ≡ m^(ed) ≡ m^(1 + kϕ(n)) ≡ m · (m^ϕ(n))^k ≡ m · 1^k ≡ m mod n.

Since 0 ≤ m < n, the residue m^(ed) mod n is exactly m. (The case gcd(m, n) ≠ 1, which occurs only with negligible probability for large primes, follows by checking the congruence modulo p and modulo q separately and combining the two with the Chinese Remainder Theorem.)

The security of RSA rests on the difficulty of factoring the product n = pq of two large primes: anyone who recovers p and q from n can compute ϕ(n) and hence d. The best known factoring algorithms, such as the number field sieve, run in subexponential time, as discussed by Hankerson, Menezes, and Vanstone in [5]: their running time grows faster than any polynomial in the bit length of n, but slower than an exponential in it. This is why RSA moduli must be thousands of bits long to be secure, and why RSA key sizes must grow disproportionately as computing power increases. As we will see, the best known attacks on elliptic curve systems are fully exponential in the key size, which allows much shorter keys for the same security level. Note also that Algorithm 1 as written is "textbook" RSA: it is deterministic, so equal messages produce equal ciphertexts, and in practice messages are randomised and padded (for example with OAEP) before the exponentiation.
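An added worked example, not the paper's own: Algorithm 1 with the constructed toy parameters p = 61, q = 53 and e = 17 (far too small for real use, chosen so the arithmetic can be followed by hand), the gcd(e, ϕ(n)) = 1 check of Step 3, and a check of the decryption identity for a message sharing a factor with n, the case the proof above leaves to the Chinese Remainder Theorem. Function names are this example's own.

```python
"""Added example (not from the paper): textbook RSA, Algorithm 1, on constructed toy
parameters. Real keys use p and q of 1024 bits or more and pad the message (OAEP)."""
from math import gcd


def rsa_keygen(p, q, e=65537):
    """Steps 1-3 of Algorithm 1. Returns the public key (n, e) and the private key d.
    Raises if e shares a factor with phi(n), since then e has no inverse and d does
    not exist."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # inverse via the extended Euclidean algorithm (Theorem 3.2)
    return (n, e), d


def rsa_encrypt(pub, m):
    """Step 4: c = m^e mod n. The message must be an integer with 0 <= m < n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(pub, d, c):
    """Step 6: m = c^d mod n."""
    n, _ = pub
    return pow(c, d, n)


def check_decryption_identity(pub, d, m):
    """Returns (m^(ed) mod n, m mod n). The two agree for every m, including m with
    gcd(m, n) != 1 (e.g. m = p), which Euler's theorem alone does not cover but the
    Chinese Remainder Theorem argument does."""
    n, e = pub
    return pow(m, e * d, n), m % n


def constructed_demo():
    """Constructed example: p = 61, q = 53, so n = 3233 and phi(n) = 3120; e = 17."""
    pub, d = rsa_keygen(61, 53, e=17)
    c = rsa_encrypt(pub, 65)
    return pub, d, c, rsa_decrypt(pub, d, c)
```

With these parameters d = 2753 (17 · 2753 = 46801 = 15 · 3120 + 1) and the message 65 encrypts to 2790. Because `rsa_encrypt` is deterministic, encrypting 65 twice yields 2790 both times, which is why real deployments pad the message before Step 4.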
4.2 The Diffie-Hellman Key Exchange

One of the most important problems for elliptic curve cryptography is the discrete logarithm problem. The idea centres on the formula y = g^x. Given g and x, y is easy to compute (by repeated squaring). Solving for x given y and g, however, appears to be much harder in suitably chosen groups. For that reason cryptographers have designed encryption systems around the discrete logarithm problem.

Whitfield Diffie and Martin Hellman published one of the earliest such algorithms, now called the Diffie-Hellman key exchange [3]. It allows two parties with no prior shared secret to agree on a key over a channel observed by a third party (the attacker). The underlying problem is to find x given y = g^x mod p, where p is a prime, g is an element of Zp of large prime order, and x is an integer. Given only g, p and y it is, for suitable parameters, infeasible
to solve for x = log_g y, the discrete logarithm of y to the base g modulo p. Algorithm 2 illustrates the Diffie-Hellman key exchange, again for parties A and B.

Algorithm 2 Diffie-Hellman Key Exchange
INPUT: a prime p and an element g of Zp of large prime order.
OUTPUT: a shared secret, agreed over a channel observed by a third party.
Step 1: A picks a secret integer a, computes g^a mod p and sends it to B.
Step 2: B picks a secret integer b, computes g^b mod p and sends it to A.
Step 3: A computes (g^b)^a mod p.
Step 4: B computes (g^a)^b mod p.

Both parties now hold the secret g^(ab) mod p, while the attacker has seen only g^a and g^b. The correctness of the exchange rests on the identity (g^a)^b = g^(ab) = (g^b)^a, and its security on the difficulty of computing g^(ab) from the public values g^a, g^b, g and p. This is known as the Diffie-Hellman problem; it is at most as hard as the discrete logarithm problem, since anyone who can compute a from g^a can compute the shared secret. In practice a received value should be checked to be a valid element of the intended subgroup (in particular not 0, 1 or p − 1) before it is raised to a secret exponent.

The same problem can be posed on an elliptic curve. The elliptic curve discrete logarithm problem asks for the integer n given a point P and the multiple nP. Again the difficulty lies in solving for n from limited information. We revisit this topic in Section 5.2.

4.3 Digital Signature Algorithm

A digital signature is an effective way to verify that information sent to another party has not been altered in transit and that it originated from the claimed sender. Unlike the previous algorithms, which provide confidentiality or key agreement, a signature scheme provides authentication and integrity. It has two parts: the first party generates the signature on a message, and the second party verifies it, which establishes that the signature was produced by the holder of the private key. The idea of a digital signature was first proposed by Whitfield Diffie and Martin Hellman in their 1976 paper "New Directions in Cryptography" [3]; the now-standard security definition was given by Shafi Goldwasser, Silvio Micali and Ronald Rivest in 1988 [4].
The algorithm itself was proposed by the National Institute of Standards and Technology (NIST) in 1991 as the Digital Signature Algorithm (DSA). It is attributed to former NSA employee David W. Kravitz and is covered by a United States patent [10]. Its security stems from the discrete logarithm problem. Algorithm 3 gives parameter, key and signature generation, and Algorithm 4 gives signature verification.
Algorithm 3 Digital Signature Algorithm: Parameter, Key and Signature Generation
INPUT: Message m.
OUTPUT: Signature (r, s).
Step 1: Choose a prime q whose bit length is at most the output length of the hash function H(·), a secure hash algorithm that maps data of arbitrary length to a bit string of fixed length.
Step 2: Choose a prime p such that q divides p − 1.
Step 3: Choose an element h at random from [2, p − 2] and compute g = h^((p−1)/q) mod p; repeat with another h if g = 1. Then g has order q in Zp.
Step 4: Choose the private key x at random from [1, q − 1] and compute the public key y = g^x mod p.
Step 5: For each message, choose a fresh secret k at random from [1, q − 1].
Step 6: Compute r = (g^k mod p) mod q; if r = 0, choose a new k.
Step 7: Compute s = k^-1 (H(m) + xr) mod q; if s = 0, choose a new k.

Steps 1 to 4 are performed once to set up the public key (p, q, g, y) and the private key x; Steps 5 to 7 are performed for every message.

Algorithm 4 Digital Signature Algorithm: Signature Verification
INPUT: Public key (p, q, g, y), message m, signature (r, s).
OUTPUT: Acceptance or rejection of the signature.
Step 1: Check that 0 < r < q and 0 < s < q; otherwise return "Reject the signature".
Step 2: Compute e = H(m).
Step 3: Compute w = s^-1 mod q.
Step 4: Compute u1 = ew mod q and u2 = rw mod q.
Step 5: Compute v = (g^u1 y^u2 mod p) mod q.
Step 6: If v = r return "Accept the signature"; else return "Reject the signature".

We will not prove that the algorithm works; the interested reader can consult the NIST Digital Signature Standard [12]. The purpose of the algorithm is to assure the verifier that the signature was produced by the holder of the private key x. If v ≠ r then (r, s) was not produced by Algorithm 3 with that key and message, and the verifier rejects it. The per-message value k must be secret, uniformly random and never reused: from s = k^-1 (H(m) + xr) mod q anyone who learns k recovers the private key as x = (sk − H(m)) r^-1 mod q. Overall, the security of DSA relies on the hardness of the discrete logarithm problem modulo a prime. This brief introduction is what we need to compare DSA with the elliptic curve digital signature algorithm in the next section.
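An added worked example, not part of the paper: DSA parameter generation, key generation, signing and verification following Algorithms 3 and 4, together with a Diffie-Hellman exchange (Algorithm 2) carried out in the same prime-order subgroup, and the private-key recovery that follows when k is disclosed. All parameters are constructed toy values (q = 101, p = 607 = 6 · 101 + 1, h = 2); real DSA uses q of 224 to 256 bits and p of 2048 to 3072 bits, and the hash value is reduced mod q here only because q is tiny. Function names are this example's own.

```python
"""Added example (not from the paper): DSA (Algorithms 3 and 4) and Diffie-Hellman
(Algorithm 2) in a prime-order subgroup of Z_p, on constructed toy parameters."""
import hashlib
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here (assumption)."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True


def dsa_params(p, q, h):
    """Steps 1-3 of Algorithm 3: check p and q, derive a generator g of order q."""
    if not (is_prime(p) and is_prime(q) and (p - 1) % q == 0):
        raise ValueError("need primes p, q with q dividing p - 1")
    g = pow(h, (p - 1) // q, p)
    if g == 1:
        raise ValueError("h gives g = 1; choose another h")
    return p, q, g


def hash_to_int(m, q):
    """e = H(m); reduced mod q because the toy q is far smaller than the hash output."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def dsa_keygen(params):
    """Step 4: private key x in [1, q-1], public key y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def dsa_sign(params, x, m, k=None):
    """Steps 5-7. k must be secret, uniform and fresh per message; a caller-supplied
    k is accepted only to make the example reproducible, and a degenerate k raises."""
    p, q, g = params
    e = hash_to_int(m, q)
    while True:
        kk = k if k is not None else secrets.randbelow(q - 1) + 1
        r = pow(g, kk, p) % q
        s = pow(kk, -1, q) * (e + x * r) % q
        if r != 0 and s != 0:
            return r, s
        if k is not None:
            raise ValueError("degenerate k (r = 0 or s = 0); choose another")


def dsa_verify(params, y, m, sig):
    """Algorithm 4, including the range check on (r, s)."""
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    e = hash_to_int(m, q)
    w = pow(s, -1, q)
    u1, u2 = e * w % q, r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def recover_private_key(params, m, sig, k):
    """Why k must stay secret: from s = k^-1 (H(m) + x r) mod q, anyone who learns k
    computes x = (s k - H(m)) r^-1 mod q."""
    _, q, _ = params
    r, s = sig
    return (s * k - hash_to_int(m, q)) * pow(r, -1, q) % q


def dh_exchange(params):
    """Algorithm 2 in the order-q subgroup generated by g. Returns both parties'
    results, which must agree. Each received value is checked to lie in the subgroup
    (v != 1 and v^q = 1) before it is raised to a secret exponent."""
    p, q, g = params
    a, b = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    A, B = pow(g, a, p), pow(g, b, p)
    for v in (A, B):
        if v in (0, 1) or pow(v, q, p) != 1:
            raise ValueError("received value is not in the order-q subgroup")
    return pow(B, a, p), pow(A, b, p)
```

With h = 2 the generator is g = 2^6 mod 607 = 64, and 64^101 ≡ 1 mod 607 confirms it has order q. The subgroup membership test in `dh_exchange` is the check that the paragraph on Algorithm 2 recommends before using a received value.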
5 Elliptic Curve Protocols

Before discussing the elliptic curve protocols, we illustrate how one prepares the parameters needed to implement one.

5.1 Preparing for an Elliptic Curve Algorithm

An elliptic curve algorithm has many parameters to fix. In its 1999 recommendation [13], the National Institute of Standards and Technology (NIST) documents fifteen elliptic curves and their parameters. We list the parameter choices in turn.
1. Choice of Key Length

The key length is determined by the combination of a specific base point G on the elliptic curve E and the curve itself. We choose a base point G of large prime order r, where the order r of G is the smallest positive integer such that rG = G + G + ··· + G (r times) = O. The number of points on the curve is then n = fr, where the cofactor f is an integer not divisible by r. NIST recommends that f be as small as possible, ideally f = 1 so that the whole group has prime order, for both efficiency and security [13]. The bit length of r is the key length: private keys are integers in [1, r − 1].

2. Choice of Field

NIST recommends two kinds of underlying field, prime fields Fp and binary fields F2m. Table 1 lists the recommended sizes: for prime fields the bit length ∥p∥ of the prime p, and for binary fields the degree m of the field polynomial.

    Prime Field      Binary Field
    ∥p∥ = 192        m = 163
    ∥p∥ = 224        m = 233
    ∥p∥ = 256        m = 283
    ∥p∥ = 384        m = 409
    ∥p∥ = 521        m = 571

Table 1: NIST Recommended Field Sizes [13]

For example, P-192 is the curve over the prime field with ∥p∥ = 192 and
p = 6277101735386680763835789423207666416083908700390324961279 = 2^192 − 2^64 − 1.
Curve K-163 is defined over the binary field with m = 163, whose field polynomial is
p(t) = t^163 + t^7 + t^6 + t^3 + 1,
so that the field is GF(2^163) = Z2[t]/⟨p(t)⟩.

3. Choice of Basis

In a binary field a basis is needed to interpret a bit string as a field element. NIST allows either a polynomial basis or a normal basis. We explained the polynomial basis in Example 3.4 and do not cover normal bases; the interested reader should consult [13].

4. Choice of Curve

An elliptic curve over Fq is either supersingular or non-supersingular. A curve is supersingular if its trace t = q + 1 − #E(Fq) is divisible by the characteristic p of Fq [6]. Over a binary field, supersingular curves can be written as
y^2 + ay = x^3 + bx + c,    a, b, c ∈ Fq,

while non-supersingular (ordinary) curves can be written as

y^2 + axy = x^3 + bx^2 + c,    a, b, c ∈ Fq.

Supersingular curves are not suitable for cryptography because the elliptic curve discrete logarithm problem on them reduces, via a pairing, to a discrete logarithm problem in a small extension field of Fq, which is much easier to attack, as Rosing notes in [16]. For that reason elliptic curve cryptography uses non-supersingular curves.

NIST recommends either pseudo-random or special curves. Pseudo-random curves are the most common; their coefficients are derived from a published seed by a cryptographic hash function, so that they cannot have been chosen with a hidden structure. Special curves have coefficients chosen from the underlying field to make the curve operations more efficient. The special curves over F2m are called Koblitz curves, after mathematician Neal Koblitz, a prominent figure in elliptic curve cryptography.

As documented in [13], fifteen curves are recommended. The first five are defined over five different prime fields Fp with five different prime orders r and satisfy

y^2 ≡ x^3 − 3x + b mod p,

where a = −3 is chosen for efficiency and b satisfies b^2 c ≡ −27 mod p, with c derived from the seed via the SHA-1 algorithm. The remaining ten are defined over the binary fields F2m with the five degrees m of Table 1, two curves per field, and have the form

y^2 + xy = x^3 + ax^2 + b,    a, b ∈ F2m.          (2)

The pseudo-random curves (B-163 to B-571) satisfy Equation 2 with a = 1, while the Koblitz curves (K-163 to K-571) satisfy Equation 2 with b = 1 and a = 0 or 1; the choice of a fixes the cofactor, f = 2 for a = 1 and f = 4 for a = 0.

5. Choice of Base Point

NIST also provides, for each curve, a base point G = (Gx, Gy) of order r. The base point is a public parameter of the system, not a secret: both parties must use the same G, and the published G is what allows independent implementations to interoperate. Unlike the curve coefficients, which are derived from a seed, the base point is simply chosen by NIST; any point of order r would serve equally well.
5.2 Elliptic Curve Diffie-Hellman Key Exchange

Having laid out the mathematics and the parameter choices, we can describe the Elliptic Curve Diffie-Hellman (ECDH) key exchange. Algorithm 5 gives the exchange, again for parties A and B.

Algorithm 5 Elliptic Curve Diffie-Hellman
INPUT: E(Fpn), a point P of prime order r.
OUTPUT: a shared secret, agreed over a channel observed by a third party.
Step 1: A and B choose private keys nA and nB, respectively, at random in the interval [1, r − 1].
Step 2: A and B compute and exchange the public keys QA = nA P ∈ E(Fpn) and QB = nB P ∈ E(Fpn), respectively.
Step 3: A computes nA QB ∈ E(Fpn) and B computes nB QA ∈ E(Fpn).

Since nA QB = nA nB P = nB QA, A and B now hold the same point, from which a shared key is derived (in practice by hashing its x-coordinate). Before Step 3 each party should check that the received point actually lies on E and has order r; otherwise a malicious peer can send a point of small order and learn information about the private key.

Conceptually the algorithm is the same as Algorithm 2: an attacker who sees only P, nA P and nB P must compute nA nB P. The difference lies in the group used and in how much work the best known attack requires. The National Security Agency notes that a symmetric cipher with a k-bit key needs on the order of 2^k operations to attack by exhaustive search, and that the parameters of a public-key algorithm should be chosen so that the best known attack on it also needs on the order of 2^k operations [1]. Table 2 compares the key sizes that RSA and finite-field Diffie-Hellman need with those that elliptic curve systems need for the same security level.

As with all elliptic curve systems, the hard problem is the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a point P on E and Q = nP, find the integer n.
Finding n from Q and P alone is hard: the obvious approach tries successive values of n, each requiring a scalar multiplication (a sequence of point doublings and additions as in Equation 1), and even the best known generic algorithms (see the end of Section 5.3) need about √r such operations, which for r of 256 bits is about 2^128. In other words, the best known attacks on well-chosen elliptic curves take time exponential in the key size, whereas factoring and finite-field discrete logarithms admit subexponential attacks. Consequently an elliptic curve key can be much shorter than an RSA or Diffie-Hellman key of the same strength, as Table 2 shows.

    Non-Elliptic Curve     Elliptic Curve
    Key Size (Bits)        Key Size (Bits)
    1024                   160
    2048                   224
    3072                   256
    7680                   384
    15360                  521

Table 2: NIST Recommended Key Sizes [1]. Each row gives the RSA or Diffie-Hellman modulus size and the elliptic curve order size judged to offer the same security, namely 80, 112, 128, 192 and 256 bits respectively.
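The following is an added worked example, not part of the paper, serving three passages at once: the point addition and doubling of Section 2.1 (Equation 1 and the 15P = P + 2(P + 2(P + 2P)) computation of Example 2.1), the ECDH exchange of Algorithm 5, and the ECDSA signature generation and verification of Algorithms 6 and 7 in Section 5.3 below. The curve is a constructed toy, E: y^2 = x^3 + 2x + 2 over F17 with base point G = (5, 1) of prime order 19, chosen so that every value can be checked by hand; it is not one of the NIST curves, and all function names are this example's own.

```python
"""Added example (not from the paper). Affine arithmetic on y^2 = x^3 + ax + b over F_p
(Equation 1), double-and-add (Example 2.1), ECDH (Algorithm 5) and ECDSA (Algorithms 6
and 7). Toy curve, constructed so values can be checked by hand:
E: y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of prime order n = 19.
Real deployments use curves such as NIST P-256, with p and n near 2^256."""
import hashlib
import secrets

p, a, b = 17, 2, 2   # toy curve parameters (assumption, not a NIST curve)
G = (5, 1)           # base point
n = 19               # order of G; prime, so the cofactor f is 1
O = None             # point at infinity, the group identity


def is_on_curve(P):
    if P is O:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(P):
    """P^-1 = -P, the reflection across the x-axis (Definition 2.1)."""
    return O if P is O else (P[0], (-P[1]) % p)


def add(P, Q):
    """Chord-and-tangent addition. The P == Q branch is Equation 1, with the division
    by 2*Py carried out as multiplication by the inverse modulo p."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P, or a vertical tangent: the sum is O
        return O
    if P == Q:
        s = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def double(P):
    return add(P, P)


def mul(k, P):
    """kP by double-and-add: one doubling per bit of k and one addition per set bit."""
    R = O
    while k > 0:
        if k & 1:
            R = add(R, P)
        P = double(P)
        k >>= 1
    return R


def ecdh():
    """Algorithm 5. Returns both parties' results, which must agree (both are nA*nB*G).
    Each received point is checked to be on E and of order n before it is used."""
    nA, nB = secrets.randbelow(n - 1) + 1, secrets.randbelow(n - 1) + 1
    QA, QB = mul(nA, G), mul(nB, G)     # public keys, sent in the clear
    for Q in (QA, QB):
        if not is_on_curve(Q) or mul(n, Q) is not O:
            raise ValueError("received point is not in the order-n subgroup")
    return mul(nA, QB), mul(nB, QA)


def hash_to_int(msg):
    """e = H(m), reduced mod n only because the toy n is tiny."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def ecdsa_sign(d, msg, k=None):
    """Algorithm 6. k must be secret, uniformly random and fresh for every signature; a
    caller-supplied k is accepted only for reproducibility, and a degenerate k raises."""
    e = hash_to_int(msg)
    while True:
        kk = k if k is not None else secrets.randbelow(n - 1) + 1
        if not 1 <= kk < n:
            raise ValueError("k must lie in [1, n - 1]")
        r = mul(kk, G)[0] % n
        s = pow(kk, -1, n) * (e + d * r) % n
        if r != 0 and s != 0:
            return (r, s)
        if k is not None:
            raise ValueError("degenerate k (r = 0 or s = 0); choose another")


def ecdsa_verify(Q, msg, sig):
    """Algorithm 7, including the range check on (r, s) and the X = O check."""
    r, s = sig
    if not (1 <= r < n and 1 <= s < n):
        return False
    w = pow(s, -1, n)
    X = add(mul(hash_to_int(msg) * w % n, G), mul(r * w % n, Q))
    return X is not O and X[0] % n == r
```

On this curve `double(G)` is (6, 3), which is Equation 1 with s = (3 · 25 + 2) · 2^-1 = 77 · 9 ≡ 13 mod 17, and `mul(15, G)` equals both the nested form of Example 2.1 and (3, 16) = −4G, as it must since 19G = O. Swapping the toy constants for a real curve's p, a, b, G and n is the only change needed for the arithmetic; a production implementation would additionally use constant-time scalar multiplication so that the bits of the private key do not leak through timing.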
5.3 Elliptic Curve Digital Signature Algorithm

The elliptic curve algorithm most used in practice is the Elliptic Curve Digital Signature Algorithm (ECDSA), the elliptic curve analogue of DSA. Algorithm 6 gives signature generation and Algorithm 7 signature verification, following Johnson, Menezes, and Vanstone [6].

Algorithm 6 Elliptic Curve Digital Signature: Signature Generation
INPUT: E(Fpn), base point P of prime order n, private key d ∈ [1, n − 1], message m.
OUTPUT: Signature (r, s).
Step 1: Choose a secret k at random from [1, n − 1].
Step 2: Compute kP = (x1, y1).
Step 3: Compute r = x1 mod n. If r = 0 go to Step 1.
Step 4: Compute e = H(m).
Step 5: Compute s = k^-1 (e + dr) mod n. If s = 0 go to Step 1.
Step 6: Return (r, s).

Algorithm 7 Elliptic Curve Digital Signature: Signature Verification
INPUT: E(Fpn), base point P of order n, public key Q = dP, message m, signature (r, s).
OUTPUT: Acceptance or rejection of the signature.
Step 1: Verify that r and s are integers in the interval [1, n − 1]. If not, return "Reject the signature".
Step 2: Compute e = H(m).
Step 3: Compute w = s^-1 mod n.
Step 4: Compute u1 = ew mod n and u2 = rw mod n.
Step 5: Compute X = u1 P + u2 Q = (x1, y1).
Step 6: If X = O return "Reject the signature".
Step 7: Compute v = x1 mod n.
Step 8: If v = r return "Accept the signature"; else return "Reject the signature".

DSA and ECDSA are conceptually the same; the difference lies in the group in which r is computed. (In practice the verifier should also check that Q is a point of order n on E before Step 5.) We prove that verification accepts a correctly generated signature.

Proof. We need to show that the steps of Algorithm 7 lead to v = r. From signature generation, s = k^-1 (e + dr) mod n. Rearranging, s^-1 = k(e + dr)^-1 mod n.
Then w = s^-1 = k(e + dr)^-1 mod n (the inverse exists because s ≠ 0 forces e + dr ≢ 0 mod n), so, using Q = dP,

    X = u1 P + u2 Q = ewP + rwdP = w(e + dr)P = k(e + dr)^-1 (e + dr) P = kP.

Thus X is the point kP = (x1, y1) computed in Step 2 of signature generation, and v = x1 mod n = r. Hence a correctly generated signature is accepted.

The security of the hash function is another important aspect of the scheme. With a weak hash function an attacker can forge a signature as follows. A third party E selects an integer l, computes the point Q + lP, and sets r equal to its x-coordinate reduced mod n. E then sets s = r and e = rl mod n. If E can find a message m with H(m) = e, that is, a preimage of e, then (r, s) is a valid signature on m [5]: with these values Algorithm 7 computes w = r^-1, u1 = l, u2 = 1 and hence X = lP + Q, whose x-coordinate mod n is r. The hash function must therefore be preimage resistant; it must also be collision resistant, since a collision H(m1) = H(m2) lets an attacker present a signature obtained on m1 as a signature on m2. As with DSA, the per-signature value k must be secret and never reused, since two signatures made with the same k reveal the private key d.

For elliptic curves, the algorithms needed to break the scheme require far more work than their finite-field counterparts. The fastest known algorithm for solving the elliptic curve discrete
logarithm problem on a general curve is Pollard's rho algorithm, a probabilistic method originally devised for factoring composite numbers and adapted to discrete logarithms; for a base point of order r it needs about √(πr/2) group operations, that is, time exponential in the key size. For details consult Hankerson, Menezes, and Vanstone [5].

6 Elliptic Curve Cryptography in Practice

In practice, acquiring elliptic curve technology for use in products can be complicated by patent law. Many elliptic curve techniques are claimed as intellectual property and so carry legal considerations.

6.1 Intellectual Property

Despite the security of elliptic curve algorithms, many elliptic curve techniques are patented. The Canadian company Certicom holds over 130 elliptic curve patents. This protection limits the use of elliptic curves in academia and other venues [1]. For this reason the National Security Agency purchased a licence to Certicom's elliptic curve intellectual property, with the stipulation that the licensed techniques be used only with NSA permission. Additionally, the licence applies only to prime-field curves with a prime greater than 2^255, which covers three of the fifteen NIST curves. Other non-governmental vendors may obtain a sublicence from the NSA or negotiate a separate licence agreement with Certicom [1]. Since 2009 Certicom has been a wholly owned subsidiary of BlackBerry Limited, previously known as Research In Motion.

The numerous Certicom patents raise a debate about patenting mathematics, and elliptic curves in particular. A curve by itself cannot legally be patented; what is patented is a process that uses the curve to produce a tangible result. From Certicom's standpoint, they are patenting methods of using elliptic curves that improve on previously known encryption systems, and on that basis the courts have allowed such patents.
Ultimately, Certicom hopes to profit from its patent portfolio [14]. On May 30, 2007 Certicom filed a lawsuit against Sony Corporation for patent infringement, alleging that Sony products such as Blu-ray players and the PlayStation 3 used elliptic curve technology without a licence. BlackBerry Limited's acquisition of Certicom for $106 million shows the growing value of this technology. Furthermore, the NSA has urged a shift to elliptic curve cryptography for its greater security and improved performance, according to former Certicom director John Callahan in [2].

6.2 Future of Elliptic Curve Cryptography

In the future, elliptic curve cryptography could extend to hyperelliptic curves [16]. A hyperelliptic curve is a generalisation of an elliptic curve, given by y^2 = f(x) where f(x) is a polynomial of degree greater than 3. The points of a hyperelliptic curve do not themselves form a group; the group used is its Jacobian, whose elements are classes of formal sums of points, and the group operation there is more expensive than elliptic curve addition. One might hope that the discrete logarithm problem in this larger structure is correspondingly harder. However, technological advances have not undermined the security of elliptic curves, so hyperelliptic curves have not yet become more attractive. Moreover, the richer structure of hyperelliptic curves may make them
more vulnerable to attack, according to Rosing in [16], although this area had not been explored enough at the time of writing to settle the question.

7 Conclusion

The fundamentals of elliptic curve cryptography stem from decades of work by notable cryptographers such as Diffie, Hellman, Koblitz, Miller, Rivest, Shamir, and Adleman. The continued growth of computing power has enabled us to redevelop earlier algorithms using the richer mathematics of elliptic curves. Their success rests on the difficulty of the elliptic curve discrete logarithm problem, which makes it infeasible for a third-party attacker to recover private information from public keys. The benefit of elliptic curve cryptography is efficiency: because the best known attacks are exponential in the key size, the same security is obtained with far shorter keys and faster operations than RSA or finite-field Diffie-Hellman require. It remains to be seen how the future of technology shapes elliptic curve cryptography.
References

[1] National Security Agency. The Case for Elliptic Curve Cryptography. http://www.nsa.gov/business/programs/elliptic_curve.shtml, January 2009.
[2] John Callahan. Certicom Files Suit Against Sony for Patent Infringement. Certicom Corporation press release, https://www.certicom.com/index.php/2007-press-releases/20-certicom-files-suit-against-sony-for-patent-infringement, May 2007.
[3] Whitfield Diffie and Martin Hellman. New Directions in Cryptography. IEEE Transactions on Information Theory, IT-22(6):644–654, November 1976.
[4] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM Journal on Computing, 17(2):281–308, 1988.
[5] Darrel Hankerson, Alfred J. Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer Professional Computing. Springer, 2004.
[6] Don Johnson, Alfred Menezes, and Scott Vanstone. The Elliptic Curve Digital Signature Algorithm (ECDSA). International Journal of Information Security, 1(1):36–63, 2001.
[7] Thomas W. Judson. Abstract Algebra: Theory and Applications. http://abstract.ups.edu/, 2009. Accessed 2014-05-04.
[8] Israel Kleiner. Excursions in the History of Mathematics. Birkhäuser, 2012.
[9] Neal Koblitz, Alfred Menezes, and Scott Vanstone. The State of Elliptic Curve Cryptography. Designs, Codes and Cryptography, 19:173–193, 2000.
[10] David W. Kravitz. Digital Signature Algorithm. US Patent 5,231,668, July 1993.
[11] Victor S. Miller. Use of Elliptic Curves in Cryptography. In Hugh C. Williams, editor, Advances in Cryptology: CRYPTO '85 Proceedings, volume 218 of Lecture Notes in Computer Science, pages 417–426. Springer, 1986.
[12] National Institute of Standards and Technology. Digital Signature Standard (DSS). FIPS PUB 186-4, July 2013.
[13] National Institute of Standards and Technology. Recommended Elliptic Curves for Federal Government Use. July 1999.
[14] Teresa Riordan. Patents; An Appeals Court Says a Mathematical Formula Can Be Patented, If It Is a Moneymaker. New York Times, August 1998.
[15] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM, 21(2):120–126, 1978.
[16] Michael Rosing. Implementing Elliptic Curve Cryptography. Manning Publications, 1999.