Introduction to Elliptic Curve Cryptography
Cryptocurrency Café, cs4501 Spring 2015, David Evans, University of Virginia
Class 3: Elliptic Curve Cryptography
y^2 = x^3 + 7
Project 1 will be posted by midnight tonight and is due on January 30.
Plan for Today
Bitcoin Wallets and Passwords
Asymmetric Cryptography Recap
Transferring a Coin
Crash Course in Number Theory
Elliptic Curve Cryptography

Buying Bitcoin

My Advice
Don't waste brainpower/space on passwords that don't matter: "silly" is a fine password for most things that need one.
Don't follow any widely-available advice: password cracker authors can read too.
Humans cannot generate randomness, and neither can you: generate a random password.
Share your password (but only with people with whom you are willing to raise children).
Write down your important passwords. Store them somewhere safe, and write them down in a way that someone who steals the note wouldn't be able to use.

Using Bitcoin in This Class
It is "real" money: try not to lose (all of) it. (But you can do everything in this class with very small amounts.)
If you do, I'll send you more (so long as you learned something from the loss). Everyone gets one embarrassment-free transfer.
Using Asymmetric Crypto: Signatures
Diagram: a Message is signed (E, using KR_B) to give the Signed Message, which crosses an Insecure Channel and is checked (D, using KU_B) to give the Verified Message.
Bob: generates key pair (KU_B, KR_B); publishes KU_B.
Anyone: gets KU_B from a trusted provider.
Transferring a Coin
Alice signs m1 = "I give coin x = KU_A, t to address KU_B" with KR_A.
How does Bob transfer x to Colleen (KU_C)?
Bob signs m2 = "I give coin x = KU_A, t given to me by m1 to address KU_C" with KR_B.
Colleen signs m3 = "I give coin x = KU_A, t given to me by m2 to address KU_D" with KR_C.
... This does not prevent double spending. (Next week)

Asymmetry Required
Need a function f that is:
Easy to compute: given x, it is easy to compute f(x).
Hard to invert: given f(x), it is hard to compute x.
Has a trap-door: given f(x) and t, it is easy to compute x.
Elliptic Curve Cryptography
Real numbers are useless.
Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse −a ∈ G such that a ⊕ (−a) = 0

Is (Integers, +) a group?
Is (Naturals, +) a group?
Is (Rationals, ×) a group?

Abelian Groups
An abelian group is a set G with an operation ⊕ that satisfies the four group properties above plus one more:
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a

Is (Rationals − {0}, ×) an abelian group?
Finite Fields
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation.
2. The set F − {0} is an abelian group with identity 1 under the × operation.
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)

Know any finite fields?
Figure: the seven elements 0, 1, 2, 3, 4, 5, 6 of GF(7).
Évariste Galois (killed in a duel at 20)

Prime Fields
Prime Field Theorem: for every prime number p, the set {0, 1, ..., p − 1} forms a finite field with the operations addition and multiplication modulo p.
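As an added example (not part of the slides), the field axioms from the last two slides checked exhaustively over Z_n = {0, 1, ..., n − 1} with addition and multiplication mod n. GF(7) passes; Z_6 fails the second axiom because 2, 3 and 4 have no multiplicative inverse and 2 × 3 = 0 leaves the non-zero elements. It needs only the Python standard library.

```python
# Added example (not from the slides): brute-force check of the finite-field
# axioms for Z_n under + and * modulo n. Small n only: the checks are O(n^3).
from itertools import product


def is_abelian_group(elems, op, identity):
    """Closure, commutativity, associativity, identity, inverses on a finite set."""
    s = set(elems)
    for a, b in product(elems, repeat=2):
        if op(a, b) not in s or op(a, b) != op(b, a):
            return False
    for a, b, c in product(elems, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):
            return False
    for a in elems:
        if op(a, identity) != a or op(identity, a) != a:
            return False
        if not any(op(a, x) == identity for x in elems):
            return False
    return True


def is_field_mod(n):
    """True iff Z_n with +, * mod n satisfies the three finite-field axioms."""
    elems = list(range(n))
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    # 1. (F, +) is an abelian group with identity 0
    if not is_abelian_group(elems, add, 0):
        return False
    # 2. (F - {0}, *) is an abelian group with identity 1
    if not is_abelian_group(elems[1:], mul, 1):
        return False
    # 3. distributivity: (a + b) * c == (a * c) + (b * c)
    return all(mul(add(a, b), c) == add(mul(a, c), mul(b, c))
               for a, b, c in product(elems, repeat=3))


def non_invertible_mod(n):
    """Non-zero elements of Z_n with no multiplicative inverse: the witnesses
    that Z_n is not a field when n is composite."""
    return [a for a in range(1, n)
            if not any((a * x) % n == 1 for x in range(1, n))]


def inverse_table_mod_p(p):
    """Multiplicative inverses in GF(p) via Fermat: a^(p-2) = a^-1 (mod p)."""
    return {a: pow(a, p - 2, p) for a in range(1, p)}


if __name__ == "__main__":
    for n in (2, 3, 5, 6, 7, 8, 9, 11):
        print(f"Z_{n} is a field: {is_field_mod(n)}; "
              f"non-invertible elements: {non_invertible_mod(n)}")
    print("inverses in GF(7):", inverse_table_mod_p(7))
```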
Elliptic Curves in Finite Fields
y^2 = x^3 + 7 in GF(3)
y^2 = x^3 + 7 in GF(2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1)
That prime is 115 quattuorvigintillion 792 trevigintillion 89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion 665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663 (0.0012 times the number of atoms in the visible universe).
Addition on Elliptic Curves
y^2 = x^3 − 7 (mod p)
Addition: P + Q = negate the intersection of the curve with the line through P and Q.
Figure: points P, Q and P + Q on the curve.

Addition
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?

Same idea for finite fields (just more complex).
Picture is for F_67.
How would this look for F_huge?

Density of Elliptic Curve
y^2 = x^3 + 7 in GF(2^256 − 2^32 − 2^9 − 2^8 − 2^7 − 2^6 − 2^4 − 1)

(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
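As an added example (not code from the slides), the chord-and-tangent addition of the last few slides implemented over a prime field, with the P = Q (tangent) case, the point at infinity, double-and-add scalar multiplication, and a brute-force discrete log that only succeeds because the field F_67 of the coindesk picture is tiny. The secp256k1 generator G and its order n are the standard's published constants, not values from the slides; everything else is plain Python 3.8+.

```python
# Added example (not from the slides): the group law on y^2 = x^3 + a*x + b
# over F_p, with Bitcoin's a = 0, b = 7. The point at infinity is None.
import math

A, B = 0, 7
INF = None   # the identity of the group


def on_curve(P, p, a=A, b=B):
    """True if P is the identity or satisfies y^2 = x^3 + a*x + b (mod p)."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def add(P, Q, p, a=A):
    """P + Q: negate the third intersection of the curve with the line PQ."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF           # vertical line: Q = -P (also doubling when y = 0)
    if P == Q:
        # the P = Q case from slide 30: use the tangent, slope (3x^2 + a) / 2y
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p    # reflect the third intersection
    return (x3, y3)


def scalar_mult(k, P, p, a=A):
    """k*P for a non-negative integer k by double-and-add (O(log k) steps)."""
    R = INF
    while k > 0:
        if k & 1:
            R = add(R, P, p, a)
        P = add(P, P, p, a)
        k >>= 1
    return R


def curve_points(p, a=A, b=B):
    """All affine points over F_p by brute force (small p only)."""
    pts = []
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        pts.extend((x, y) for y in range(p) if y * y % p == rhs)
    return pts


def group_order(p, a=A, b=B):
    """#E(F_p): the affine points plus the point at infinity."""
    return len(curve_points(p, a, b)) + 1


def hasse_bound_ok(p, a=A, b=B):
    """Hasse's theorem: |#E(F_p) - (p + 1)| <= 2*sqrt(p)."""
    return abs(group_order(p, a, b) - (p + 1)) <= math.isqrt(4 * p)


def brute_force_dlog(P, Q, p, a=A, limit=10**5):
    """Smallest k with k*P == Q by stepping through the multiples of P.
    Feasible only because p is tiny: over the 256-bit field this search is
    the ECDLP that elliptic-curve signatures assume to be infeasible."""
    R = INF
    for k in range(limit):
        if R == Q:
            return k
        R = add(R, P, p, a)
    return None


# secp256k1: field prime from slide 27; generator G and its order n are the
# standard's published constants (not on the slides).
P256 = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if __name__ == "__main__":
    p = 67                       # the field of the coindesk picture
    pts = curve_points(p)
    print(f"y^2 = x^3 + 7 over F_{p}: {len(pts)} affine points, #E = {group_order(p)}")
    P, Q = pts[0], pts[-1]
    print("P + Q =", add(P, Q, p), " 2P =", add(P, P, p))
    R = scalar_mult(23, P, p)
    print("23P =", R, " recovered k =", brute_force_dlog(P, R, p))
    print("G on secp256k1:", on_curve(G, P256),
          " n*G = O:", scalar_mult(N_ORDER, G, P256) is INF)
```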
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and is due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5

Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation.
Next week: preventing double spending.
Plan for Today
Bitcoin Wallets and Passwords
Asymmetric Cryptography Recap
Transferring a Coin
Crash Course in Number Theory
Elliptic Curve Cryptography
1
Buying Bitcoin
2
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Buying Bitcoin
2
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0
16
Is (Integers, +) a group?
17
Is (Naturals, +) a group?
18
Is Rationals a group?
Abelian Groups
19
An abelian group is a group (closure, associativity, identity, inverses as above) with one more property:
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a
20
Is Rationals – {0} an abelian group?
Finite Fields
21
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F – {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)
Know any finite fields?
22
23
GF(7) = {0, 1, 2, 3, 4, 5, 6}
Évariste Galois, killed in a duel at 20
Prime Fields
24
Prime Field Theorem: for every prime number p, the set {0, 1, …, p – 1} forms a finite field with the operations addition and multiplication modulo p.
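The axioms above can be checked by exhaustion on a small set, which also shows why the Prime Field Theorem needs p to be prime. The following Python is an added example, not code from the lecture or the course; it assumes nothing beyond the definitions on the slides. It tests every axiom on Z_n under addition and multiplication modulo n and reports the zero divisors that break closure of Z_n – {0} under × when n is composite (for n = 6, 2 × 3 ≡ 0).

```python
# Added example (not from the slides): brute-force checks of the group and
# finite-field axioms on Z_n, to see why only prime n gives a field.
from itertools import product


def is_abelian_group(elems, op, identity):
    """Check closure, commutativity, associativity, identity and inverses
    by exhaustion. Only meaningful for small finite sets."""
    S = set(elems)
    if identity not in S:
        return False
    for a, b in product(S, repeat=2):
        if op(a, b) not in S:            # 1. closure
            return False
        if op(a, b) != op(b, a):         # 5. commutative
            return False
    for a, b, c in product(S, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):   # 2. associative
            return False
    for a in S:
        if op(a, identity) != a or op(identity, a) != a:   # 3. identity
            return False
        if not any(op(a, x) == identity for x in S):       # 4. inverse
            return False
    return True


def is_finite_field(n):
    """Is Z_n = {0, 1, ..., n-1} with + and * mod n a finite field?"""
    def add(a, b):
        return (a + b) % n

    def mul(a, b):
        return (a * b) % n

    elems = list(range(n))
    # 1. (F, +) is an abelian group with identity 0
    if not is_abelian_group(elems, add, 0):
        return False
    # 2. (F - {0}, *) is an abelian group with identity 1
    if not is_abelian_group([e for e in elems if e != 0], mul, 1):
        return False
    # 3. distributivity: (a + b) * c == (a * c) + (b * c)
    return all(mul(add(a, b), c) == add(mul(a, c), mul(b, c))
               for a, b, c in product(elems, repeat=3))


def zero_divisors(n):
    """Nonzero pairs (a, b) with a*b ≡ 0 (mod n). Any such pair breaks the
    closure of Z_n - {0} under multiplication, so Z_n cannot be a field."""
    return [(a, b) for a in range(1, n) for b in range(a, n)
            if (a * b) % n == 0]


def prime_fields_up_to(limit):
    """Every n in 2..limit for which Z_n passes all the field axioms."""
    return [n for n in range(2, limit + 1) if is_finite_field(n)]


if __name__ == "__main__":
    for n in range(2, 12):
        verdict = "finite field" if is_finite_field(n) else "not a field"
        print(f"Z_{n}: {verdict}  zero divisors: {zero_divisors(n)}")
```

The list `prime_fields_up_to(30)` comes out as exactly the primes, which is the Prime Field Theorem observed rather than proved; GF(7) on the next slide is the smallest case large enough to be interesting.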
Elliptic Curves in Finite Fields
25
y² = x³ + 7 in GF(3)
26
27
y² = x³ + 7 in GF(2²⁵⁶ – 2³² – 2⁹ – 2⁸ – 2⁷ – 2⁶ – 2⁴ – 1)
28
The field size p = 115 quattuorvigintillion 792 trevigintillion 89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion 665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663 (0.0012 times the number of atoms in the visible universe).
Addition on Elliptic Curves
29
y² = x³ – 7 (mod p)
Addition: P + Q = negate the intersection of the curve with the line through P and Q
[Figure: points P, Q and P + Q on the curve]
Addition
30
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?
Addition
31
Image from http://www.coindesk.com/math-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F₆₇
How would this look for F_huge?
Density of Elliptic Curve
32
y² = x³ + 7 in GF(2²⁵⁶ – 2³² – 2⁹ – 2⁸ – 2⁷ – 2⁶ – 2⁴ – 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
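The chord-and-tangent rule of slides 29 to 31, the point count over GF(3) from slide 25, and the "easy forward, hard backward" asymmetry of the discrete logarithm can all be run on real numbers in a few dozen lines. The Python below is an added example, not code from the lecture or from any Bitcoin library. It assumes the curve y² = x³ + b over a prime field GF(p) with b = 7, represents the point at infinity as `None`, and uses two sample points (2, 22) and (6, 25) that I chose because they satisfy y² = x³ + 7 mod 67 (the F₆₇ curve of the coindesk picture). The secp256k1 base point and group order are not on the slides, so over the 256-bit field the example finds an arbitrary curve point by search (using p ≡ 3 mod 4 for the square root) instead of the standard generator.

```python
# Added example (not from the slides): affine arithmetic on y^2 = x^3 + b over GF(p),
# scalar multiplication, and a brute-force ECDLP that only works for tiny p.

# Field prime of Bitcoin's curve, exactly as written on slide 27.
SECP256K1_P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1

INF = None  # point at infinity: the group identity


def on_curve(pt, p, b=7):
    """True if pt is the identity or satisfies y^2 = x^3 + b (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + b)) % p == 0


def curve_points(p, b=7):
    """All affine points of y^2 = x^3 + b over GF(p); only sensible for tiny p."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - b) % p == 0]


def neg(pt, p):
    """Reflect across the x-axis: the slides' 'negate the intersection'."""
    return INF if pt is INF else (pt[0], (-pt[1]) % p)


def add(P, Q, p):
    """Chord-and-tangent addition; P == Q is the tangent case asked on slide 30."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                   # P + (-P): vertical line
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p   # tangent slope dy/dx
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p    # chord slope (x1 != x2 here)
    x3 = (lam * lam - x1 - x2) % p                   # third intersection with the line...
    y3 = (lam * (x1 - x3) - y1) % p                  # ...reflected to give P + Q
    return (x3, y3)


def scalar_mult(k, P, p):
    """k*P by double-and-add: the easy direction, O(log k) group operations."""
    R = INF
    while k > 0:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R


def ecdlp_bruteforce(P, Q, p):
    """Smallest k >= 1 with k*P == Q, walking the multiples of P one by one.
    Fine for p = 67; over the 256-bit field there are ~1.2e77 candidates."""
    R = P
    for k in range(1, 2 * p + 3):   # ord(P) <= #E <= p + 1 + 2*sqrt(p) by Hasse
        if R == Q:
            return k
        R = add(R, P, p)
    raise ValueError("Q is not a multiple of P")


def find_point(p, b=7):
    """Some point with x >= 1 on y^2 = x^3 + b; needs p ≡ 3 (mod 4) for the root."""
    assert p % 4 == 3
    for x in range(1, p):
        rhs = (x**3 + b) % p
        if pow(rhs, (p - 1) // 2, p) == 1:        # Euler criterion: rhs is a square
            return (x, pow(rhs, (p + 1) // 4, p))  # square root when p ≡ 3 (mod 4)
    raise ValueError("no point found")


if __name__ == "__main__":
    print("y^2 = x^3 + 7 over GF(3):", curve_points(3))        # slide 25
    P, Q = (2, 22), (6, 25)                                     # constructed F_67 points
    print("P + Q =", add(P, Q, 67), " 2P =", add(P, P, 67))     # slides 29-31
    print("k recovered by brute force:", ecdlp_bruteforce(P, scalar_mult(17, P, 67), 67))
    G = find_point(SECP256K1_P)                                 # arbitrary 256-bit point
    print("12345*G on the curve:", on_curve(scalar_mult(12345, G, SECP256K1_P), SECP256K1_P))
```

Over GF(3) the enumeration returns three affine points, so with the identity the curve has four points; over F₆₇ the brute-force loop recovers k in a few dozen steps, while the same loop over the 256-bit field would need on the order of the number on slide 28. That gap, not any secret in the formulas, is what the signature scheme in the next class relies on.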
34
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5
35
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F − {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)
Know any finite fields?
22
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F − {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)
23
[Figure: the seven elements 0, 1, 2, 3, 4, 5, 6 of GF(7)]
Évariste Galois (killed in a duel at 20)
Prime Fields
24
Prime Field Theorem: for every prime number p, the set {0, 1, …, p − 1} forms a finite field with the operations addition and multiplication modulo p.
Elliptic Curves in Finite Fields
25
y² = x³ + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y² = x³ + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y² = x³ + 7 in GF(2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1)
28
y² = x³ + 7 in GF(2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1)
115 quattuorvigintillion 792 trevigintillion 89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion 665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663
(about 0.0012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y² = x³ − 7 (mod p)
Addition: P + Q = negate the intersection of the curve with the line through P and Q
[Figure: points P, Q and P + Q on the curve]
Addition
30
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?
Addition
31
Image from http://www.coindesk.com/math-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F₆₇
How would this look for F_huge?
Density of Elliptic Curve
32
y² = x³ + 7 in GF(2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
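The slides on prime fields, y² = x³ + 7 over GF(3) and the secp256k1 field, chord-and-tangent addition (including the P = Q case) and the ECDLP, worked through in code. This is teaching code written for this page, not the lecture's own; the point (2, 22) on the F₆₇ curve and the use of x = 1 to pick a point on the big curve are my choices, not values from the slides, and the brute-force discrete log is there only to show why the problem is easy on a 67-element field and hopeless on a 256-bit one.

```python
"""Arithmetic for the slides' curves y^2 = x^3 + a*x + b over GF(p).
Teaching code constructed for this page, not the lecture's own; a = 0, b = 7 is
the slides' y^2 = x^3 + 7 and SECP256K1_P is the prime spelled out on slide 28."""
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]  # None plays the role of 0, the point at infinity
# 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1, exactly as written on the slide
SECP256K1_P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1


class Curve:
    """y^2 = x^3 + a*x + b over the prime field GF(p)."""

    def __init__(self, p: int, a: int, b: int) -> None:
        self.p, self.a, self.b = p, a, b

    def is_singular(self) -> bool:
        # 4a^3 + 27b^2 == 0 (mod p): cusp or node, so chord-and-tangent is NOT a group law
        return (4 * self.a**3 + 27 * self.b**2) % self.p == 0

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        # -P is P reflected in the x-axis: the "negate" step of slide 29
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent addition: intersect the line through P and Q with
        the curve, then negate the third intersection point."""
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None  # vertical line: P + (-P) = 0, the identity
        if P == Q:
            # slide 30's question, P = Q: use the tangent, slope (3x^2 + a) / 2y
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            s = (y2 - y1) * pow(x2 - x1, -1, self.p)
        s %= self.p
        x3 = (s * s - x1 - x2) % self.p
        y3 = (s * (x1 - x3) - y1) % self.p  # the negation happens here
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add: about log2(k) doublings, fine for 256-bit k."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def affine_points(self) -> List[Tuple[int, int]]:
        """All (x, y) solutions by brute force: tiny p only (slide 25's GF(3))."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.on_curve((x, y))]

    def lift_x(self, x: int) -> Point:
        """Return (x, y) on the curve if x has one. Square root via
        y = rhs^((p+1)/4), which needs p = 3 (mod 4); the secp256k1 prime is."""
        assert self.p % 4 == 3
        rhs = (x**3 + self.a * x + self.b) % self.p
        y = pow(rhs, (self.p + 1) // 4, self.p)
        return (x, y) if (y * y) % self.p == rhs else None


def order_of(curve: Curve, P: Point) -> int:
    """Smallest n > 0 with n*P = 0. Brute force: tiny curves only."""
    n, R = 1, P
    while R is not None:
        R, n = curve.add(R, P), n + 1
    return n


def dlog_bruteforce(curve: Curve, P: Point, Q: Point) -> Optional[int]:
    """Solve Q = k*P by trying k = 0, 1, 2, ... up to the order of P. A few dozen
    additions on the F_67 curve; on the 256-bit field the group has ~2^256 points,
    so this loop (and even the best generic attacks, ~2^128 steps) is out of reach."""
    R: Point = None
    for k in range(order_of(curve, P) + 1):
        if R == Q:
            return k
        R = curve.add(R, P)
    return None


if __name__ == "__main__":
    tiny = Curve(3, 0, 7)  # slide 25: y^2 = x^3 + 7 in GF(3); note it is singular there
    print("GF(3) points:", tiny.affine_points(), "singular:", tiny.is_singular())
    small = Curve(67, 0, 7)  # slide 31's picture is drawn over F_67
    P = (2, 22)  # my chosen point: 22^2 = 484 = 15 = 2^3 + 7 (mod 67)
    print("order of", P, "is", order_of(small, P), "; 2P =", small.add(P, P))
    print("dlog of 13P:", dlog_bruteforce(small, P, small.mul(13, P)))
    big = Curve(SECP256K1_P, 0, 7)
    G = big.lift_x(1)  # some point with x = 1; not the standard generator
    print("12345*G on the secp256k1 field:", big.mul(12345, G))
```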
34
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and is due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5
35
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
GF(7) (figure: the seven elements 0, 1, 2, 3, 4, 5, 6)
Évariste Galois, killed in a duel at 20
Prime Fields
24
Prime Field Theorem: for every prime number p, the set {0, 1, …, p - 1} forms a finite field with the operations addition and multiplication modulo p.
Elliptic Curves in Finite Fields
25
y² = x³ + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y² = x³ + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y² = x³ + 7 in GF(2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1)
28
y² = x³ + 7 in GF(2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1)
p = 115 quattuorvigintillion 792 trevigintillion 89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion 665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663
(0.0012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y² = x³ - 7 (mod p)
Addition: P + Q = negate the intersection of the curve with the line through P and Q
(figure: the points P, Q and P + Q on the curve)
Addition
30
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?
Addition
31
Image from http://www.coindesk.com/math-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F_67
How would this look for F_huge?
Density of Elliptic Curve
32
y² = x³ + 7 in GF(2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
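The chord-and-tangent group law of slides 29-31 (the P = Q doubling case, the point at infinity as the identity, Q = kP, and why recovering k is only feasible on a toy field), as an added Python example that is not course code: it implements y² = x³ + 7 over GF(p), using F_67 from the CoinDesk picture and the 256-bit prime from slide 27. All helper names and the search for a starting point are this example's own choices.

```python
"""Chord-and-tangent arithmetic on y^2 = x^3 + 7 over GF(p).

Added example, not course code. The constant 7 and the 256-bit prime are from
the slides; F_67 is the field in the CoinDesk picture. Helper names and the
starting-point search are this example's own choices.
"""
from typing import Optional, Tuple

# p = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1 (the prime on the slides)
P256 = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1
B = 7  # y^2 = x^3 + B; the 'a' coefficient of the general Weierstrass form is 0

# A point is an (x, y) pair; None is the point at infinity O, the group identity.
Point = Optional[Tuple[int, int]]


def inv(a: int, p: int) -> int:
    """Multiplicative inverse in GF(p); exists because p is prime and a != 0."""
    return pow(a, -1, p)


def on_curve(pt: Point, p: int) -> bool:
    """True if pt satisfies y^2 = x^3 + 7 (mod p); O counts as on the curve."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + B)) % p == 0


def neg(pt: Point, p: int) -> Point:
    """-P is P reflected across the x-axis; -O = O."""
    return None if pt is None else (pt[0], (-pt[1]) % p)


def add(P: Point, Q: Point, p: int) -> Point:
    """P + Q = negate the third intersection of the curve with the line through P, Q.

    If P == Q (the slides' 'what should we do if P = Q?') the line is the tangent
    at P, whose slope 3x^2 / 2y comes from differentiating y^2 = x^3 + 7.
    """
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # vertical line: P + (-P) = O, which also covers 2P when y = 0
    if P == Q:
        lam = (3 * x1 * x1) * inv(2 * y1, p) % p  # tangent slope (no 'a' term)
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p  # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p  # reflecting the third intersection
    return (x3, y3)


def mul(k: int, P: Point, p: int) -> Point:
    """kP by double-and-add: O(log k) group operations, fine for 256-bit k."""
    R: Point = None
    while k > 0:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R


def points(p: int) -> list:
    """All points on the curve over GF(p), O included (small p only)."""
    pts: list = [None]
    for x in range(p):
        for y in range(p):
            if (y * y - x ** 3 - B) % p == 0:
                pts.append((x, y))
    return pts


def hasse_ok(p: int) -> bool:
    """Check the enumeration against Hasse's bound |N - (p + 1)| <= 2*sqrt(p)."""
    n = len(points(p))
    return (n - (p + 1)) ** 2 <= 4 * p


def sqrt_mod(a: int, p: int) -> Optional[int]:
    """Square root in GF(p) when p = 3 (mod 4); None if a is a non-residue."""
    assert p % 4 == 3
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r) % p == a % p else None


def find_point(p: int, start_x: int = 0) -> Point:
    """First x >= start_x for which x^3 + 7 is a square, with one matching y."""
    x = start_x
    while True:
        y = sqrt_mod((x ** 3 + B) % p, p)
        if y is not None:
            return (x, y)
        x += 1


def ecdlp_bruteforce(P: Point, Q: Point, p: int, limit: int) -> Optional[int]:
    """Solve Q = kP by walking O, P, 2P, ... for at most `limit` steps.

    Fine over F_67 (a few dozen points); hopeless over the 256-bit field, whose
    group has about 2^256 points. That gap is the slides' '(believed to be) hard problem'.
    """
    R: Point = None
    for k in range(limit):
        if R == Q:
            return k
        R = add(R, P, p)
    return None
```

Over F_67 `points` and `hasse_ok` let you check the enumeration, and `mul(len(points(67)), pt, 67)` returns the identity for every point (Lagrange's theorem), which is a useful sanity test of the group law; the same `add` and `mul` run unchanged over the 256-bit field.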
34
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5
35
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending