[go: up one dir, main page]
Scribd
Upload
126 views34 pages

Elliptic Curves for Cryptographers

The document provides information on various topics related to elliptic curves, including: - Definitions of group, abelian group, Weierstrass curve, symmetry, and finite field. - Examples of curves over finite fields in Sage, including curve equations and plot visualizations. - Details on the NIST P-256 curve parameters. - Information on the Curve25519 and Ed25519 curves, including their equations and underlying finite fields. - Explanations of elliptic curve point addition and scalar multiplication algorithms. - Performance comparisons of different curve shapes and representations for common elliptic curve operations. - References to resources for learning more about elliptic curves and cryptographic applications.

Uploaded by

Sándor Nagy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
126 views34 pages

Elliptic Curves for Cryptographers

The document provides information on various topics related to elliptic curves, including: - Definitions of group, abelian group, Weierstrass curve, symmetry, and finite field. - Examples of curves over finite fields in Sage, including curve equations and plot visualizations. - Details on the NIST P-256 curve parameters. - Information on the Curve25519 and Ed25519 curves, including their equations and underlying finite fields. - Explanations of elliptic curve point addition and scalar multiplication algorithms. - Performance comparisons of different curve shapes and representations for common elliptic curve operations. - References to resources for learning more about elliptic curves and cryptographic applications.

Uploaded by

Sándor Nagy
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 34

elliptikus gorbek

stf

<2020-09-12 Sat>
csoport (group)

halmaz , amin van 1 muvelet ertelmezve ami teljesiti ezeket az


axiomakat:
I zart: a + b = c, ahol c szinten resze a halmaznak.
I asszociativ: (a + b) + c = a + (b + c).
I egysegelem: 0 + a = a + 0 = a
I inverzelem: a + b = b + a = 0 ahol b = -a
Pl egesz szamok halmaza es az osszeadas.
abelian csoport

a muvelet kommutativ: a + b = b + a
Weierstrass

2
y = x 3 + ax + b
2
y + a1 xy + a3 y = x 3 + a2 x 2 + a4 x + a6

I point at innity:
O = [0 : 1 : 0]
O = −O
P +O =P
P −P =O
I van olyan Weierstrass amit Montgomeryva lehet konvertalni, pl
secp256k1 nem
sage:Weierstrass
E0 = EllipticCurve([2,3])
latex(E0)

2
y = x 3 + 2x + 3
E0; plot(E0)
Szimmetria

a gorbek szimmetrikusak "az" x tengelyre


veges test (nite eld)

veges elemu halmaz, amin +-*/ muveletek ertelmezve vannak.


legegyszerubb vegesse tevo muvelet a mod p
sage: Curve over Finite Field
E1 = EllipticCurve(GF(101),[5,1])
latex(E1)

2
y = x 3 + 5x + 1
g0 = E1.gens()[0]
pts = [ g0 * x for x in range(g0.order()) ]
plots = [ plot(p, hue = 0.1) for p in pts ]
plots.append(plot(E0,xmax=20))
E1; (g0, g0.order()); plot(sum(plots))
NIST P-256

2
y = x 3 + ax + b
a=-3
b=41058363725152142129326129780047268409114441015993725554835256314039467401291
p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
= 2^256 - 2^224 + 2^192 + 2^96 - 1
25519-es Weierstrass gorbe

F2 = GF((2^255)-19)
latex(F2)
F3618502788666131106986593281521497120414687020801267626233049500247285301239

c25519 = EllipticCurve(F2, [0, 486662, 0, 1, 0])


P25519 = c25519.point([9,F2(9^3 + 486662*9^2 + 9).sqrt()])
print(c25519)
Elliptic Curve dened by
2
y = x 3 + 486662 ∗ x 2 + x

over Finite Field of size


57896044618658097711785492504343953926634992332820282019728792003956564819949

print("basepoint", P25519)
basepoint (9 : 14781619447589544791020593568409986887264606134616475288964881837755586237401 : 1)
P + Q = R (gfx)
P + Q = R (math)

yQ − yP
λ=
xQ − xP
xR = λ2 − xP − xQ
yR = λ(xP − xR ) − yP
P = Q?

P == Q
P + Q = 2P = R
2*P = R (math)

3xP2 + a
λ=
2yP
xR = λ2 − xP − xQ
yR = λ ∗ (xP − xR ) − yP
skalaris szorzas

n ∗P
ECDH - toy curve
E = EllipticCurve(GF(1009),[5,1]); E
Elliptic Curve defined by y^2 = x^3 + 5*x + 1
over Finite Field of size 1009

g = E.gens()[0]; (g, g.order())


((141 : 193 : 1), 1039)

rA = randrange(g.order()); RA = rA*g; (rA, RA)


(613, (692 : 533 : 1))

rB = randrange(g.order()); RB = rB*g; (rB, RB)


(562, (674 : 840 : 1))

kA = rA*RB; kA
(838 : 797 : 1)

kB = rB*RA; kB
(838 : 797 : 1)
ECDH - toy curve (gfx)
ECDSA - toy curve

h = sha256("message")

# ephemeral key
k = randrange(g.order())
K = k*g
# t = the x coordinate of K
t = ZZ(K[0])
# rA = privkey
s = (h + rA*t)/k % g.order()
ECDSA verify(h, t, s, RA)

w = (1/s) % g.order()
u = (w*h) % g.order()
v = (w*t) % g.order()
F = u*g
H = v*RA
Q = F + H

return Q == K
ECDH - x25519

secret = randrange(P25519.order())
print('secret', secret)
public = P25519 * secret
print('public', public)
secret 2474517389788147812652700940496933089969416600201071491658451959833189791111
public (33847521402654535275984173222656606429154647117417863807654818999207209807879 :
18850501614000529740270573117745299636309336266624443809366841812006263033815 : 1)
Montgomery

2
By = x3 + A x2 + x
2
B (A − 4) 6= 0
curve25519:

A = 486662, B = 1 over the nite eld F2255 −19

I konvertalhato Weierstrassza
I gyors az ismeretlen bazisu szorzas (sk*pk), es const-time
Twisted Edwards

Twisted edwards
2
ax + y 2 = 1 + dx 2 y 2
a 6= 1
a 6= d 6= 0
Ed25519:
−121665
a = −1, d = over the nite eld F2255 −19
121666

I konvertalhato Montgomeryva
I gyors x (ez const time is) es dupla-bazisu skalar szorzas.
performance

Curve shape, representation DBL ADD mADD mDBL


Short Weierstrass projective 11 14 11 8
Short Weierstrass projective a4=-3 10 14 11 8
Twisted Edwards projective 7 11 10 6
Twisted Edwards Inverted 7 10 9 6
Twisted Edwards Extended 8 9 8 7
Edwards projective 7 11 9 6
Edwards curve inverted 7 10 9 6
Montgomery curve 4 3
elliptic curves zoo

I http://cr.yp.to/talks/2008.06.20/slides.pdf
I https://safecurves.cr.yp.to/equation.html
I https://hyperelliptic.org/EFD/g1p/index.html
EdDSA

non-interactive Schnorr zero-knowledge proof on the twisted


edwards curve ed25519
EdDSA kulcsgeneralas

from hashlib import sha512

l = 2252 + 27742317777372353535851937790883648493
b = 256
k = randrange (2b )
H = sha512(k )
a = int (H [: 32])
A = aB
I privat kulcs: k v. H
I pub kulcs: A
EdDSA alairas

M = ”uzenet ”
r = sha512(H [32 :]|M )
R = rB
S = (r + sha512(R , A, M )a) mod l
EdDSA ellenorzes

valid = 8SB == 8R + 8sha512(R , A, M )A


most akkor mi micsoda?

I curve25519: egy montgomery gorbe


I x25519: ECDH a curve25519 gorben
I ed25519: egy twisted edwards gorbe
I EdDSA: egy alairasi protokol az ed25519 gorben
I Ristretto: prime-order group over curve25519
ristretto

I sok kriptoprotokol prime-order groupot igenyel


I sajnos a modern gorbek 4 .v 8-as kofaktorral rendelkeznek
I aki ezt nem veszi gyelembe, ugy jarhat mint a monero, ahol
ez octospending problemahoz vezetett
I a ristretto az edwards gorbeket "xeli" meg
I 1/x included!
ki akarom probalni!

I sage a kriptografusok replje: https://www.sagemath.org/


I cocalc pedig az etherpadjuk: https://cocalc.com/
wikipedia

I https://en.wikipedia.org/wiki/Elliptic_curve
I https:
//en.wikipedia.org/wiki/Homogeneous_coordinates
I https://en.wikipedia.org/wiki/Montgomery_curve
I https://en.wikipedia.org/wiki/Edwards_curve
I https:
//en.wikipedia.org/wiki/Twisted_Edwards_curve
I https://en.wikipedia.org/wiki/Table_of_costs_of_
operations_in_elliptic_curves
I https://en.wikipedia.org/wiki/Twists_of_curves
I https://en.wikipedia.org/wiki/Elliptic_curve_
point_multiplication
I https://en.wikipedia.org/wiki/EdDSA
links

I https://safecurves.cr.yp.to/
I https://hackernoon.com/
what-is-the-math-behind-elliptic-curve-cryptography-f61
I https://lukas-prokop.at/proj/eddsa/
I https://crypto.stackexchange.com/questions/27866
I https:
//blog.mozilla.org/warner/2011/11/29/ed25519-keys/
I https://github.com/mulllhausen/visual-secp256k1
I https://andrea.corbellini.name/2015/05/17/
elliptic-curve-cryptography-a-gentle-introduction/
I https://www.cryptologie.net/article/193/
schnorrs-signature-and-non-interactive-protocols/
I https://ristretto.group
kerdesek?

You might also like