ECCHacks: a gentle introduction to elliptic-curve cryptography. Slide transcript, 2014/12/27.
ECCHacks:
a gentle introduction
to elliptic-curve cryptography
Daniel J. Bernstein
University of Illinois at Chicago &
Technische Universiteit Eindhoven
Tanja Lange
Technische Universiteit Eindhoven
ecchacks.cr.yp.to
Cryptography
Public-key signatures:
e.g., RSA, DSA, ECDSA.
Some uses: signed OS updates,
SSL certificates, e-passports.
Public-key encryption:
e.g., RSA, DH, ECDH.
Some uses: SSL key exchange,
locked iPhone mail download.
Secret-key encryption:
e.g., AES, Salsa20.
Some uses: disk encryption,
bulk SSL encryption.
Why ECC?
“Index calculus”: fastest method we know
to break original DH and RSA.
Long history,
including many major improvements:
1975, CFRAC;
1977, linear sieve (LS);
1982, quadratic sieve (QS);
1990, number-field sieve (NFS);
1994, function-field sieve (FFS);
2006, medium-prime FFS/NFS;
2013, $x^q - x$ FFS “cryptopocalypse”.
(FFS is not relevant to RSA.)
Also many smaller improvements:
$\geq 100$ scientific papers.
Approximate costs of these algorithms
for breaking RSA-1024, RSA-2048:
CFRAC: $2^{120}$, $2^{170}$.
LS: $2^{110}$, $2^{160}$.
QS: $2^{100}$, $2^{150}$.
NFS: $2^{80}$, $2^{112}$.
1985 Miller
“Use of elliptic curves in cryptography”:
“It is extremely unlikely that an
‘index calculus’ attack on the elliptic
curve method will ever be able to work.”
The clock
[figure: the unit circle drawn as a clock face, horizontal axis x, vertical axis y]
This is the curve $x^2 + y^2 = 1$.
Warning:
This is not an elliptic curve.
“Elliptic curve” $\neq$ “ellipse.”
Examples of points on this curve:
$(0, 1)$ = “12:00”.
$(0, -1)$ = “6:00”.
$(1, 0)$ = “3:00”.
$(-1, 0)$ = “9:00”.
$(\sqrt{3/4}, 1/2)$ = “2:00”.
$(1/2, -\sqrt{3/4})$ = “5:00”.
$(-1/2, -\sqrt{3/4})$ = “7:00”.
$(\sqrt{1/2}, \sqrt{1/2})$ = “1:30”.
$(3/5, 4/5)$. $(-3/5, 4/5)$.
$(3/5, -4/5)$. $(-3/5, -4/5)$.
$(4/5, 3/5)$. $(-4/5, 3/5)$.
$(4/5, -3/5)$. $(-4/5, -3/5)$.
Many more.
Addition on the clock:
[figure: the clock with neutral $= (0, 1)$, $P_1 = (x_1, y_1)$ at angle $\alpha_1$, $P_2 = (x_2, y_2)$, and their sum $P_3 = (x_3, y_3)$]
$x^2 + y^2 = 1$, parametrized by
$x = \sin\alpha$, $y = \cos\alpha$. Recall
$(\sin(\alpha_1 + \alpha_2), \cos(\alpha_1 + \alpha_2)) = (\sin\alpha_1 \cos\alpha_2 + \cos\alpha_1 \sin\alpha_2,\; \cos\alpha_1 \cos\alpha_2 - \sin\alpha_1 \sin\alpha_2)$.
Clock addition without sin, cos:
[figure: the same clock with neutral $= (0, 1)$, $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ and $P_3 = (x_3, y_3)$]
Use Cartesian coordinates for addition.
Addition formula
for the clock $x^2 + y^2 = 1$:
sum of $(x_1, y_1)$ and $(x_2, y_2)$ is
$(x_1 y_2 + y_1 x_2,\; y_1 y_2 - x_1 x_2)$.
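Worked example (added here; it is not code from the slides or from the ECCHacks authors): a short Python script that implements the clock addition formula above with exact Fraction arithmetic, checks that the rational points listed earlier lie on $x^2 + y^2 = 1$ and that sums of them stay on the curve, and confirms that the Cartesian formula agrees with the sin/cos angle-addition identity, for instance that “2:00” plus “3:00” lands on the “5:00” point from the list. The hour helpers (hour_to_point, point_to_hour, same_hour, add_hours) and the rational_points list are my own constructions for this demonstration, not anything defined on the slides.

```python
from fractions import Fraction
from math import sin, cos, atan2, pi, isclose

# Neutral element of clock addition, "12:00" on the slides.
NEUTRAL = (Fraction(0), Fraction(1))

# Two of the points listed on the slides, in exact arithmetic.
P_3_5 = (Fraction(3, 5), Fraction(4, 5))      # (3/5, 4/5)
SIX_OCLOCK = (Fraction(0), Fraction(-1))      # (0, -1) = "6:00"


def on_clock(p, tol=1e-12):
    """True if p = (x, y) lies on x^2 + y^2 = 1.
    Exact test for Fraction coordinates, tolerance test for floats."""
    x, y = p
    lhs = x * x + y * y
    if isinstance(lhs, Fraction):
        return lhs == 1
    return isclose(lhs, 1.0, abs_tol=tol)


def clock_add(p1, p2):
    """Addition formula from the slides, no sin/cos needed:
    (x1, y1) + (x2, y2) = (x1*y2 + y1*x2, y1*y2 - x1*x2)."""
    x1, y1 = p1
    x2, y2 = p2
    return (x1 * y2 + y1 * x2, y1 * y2 - x1 * x2)


def hour_to_point(h):
    """Hour hand at h o'clock (helper constructed for this example).
    alpha is measured clockwise from 12:00, so x = sin(alpha),
    y = cos(alpha), matching the slides' parametrization."""
    alpha = 2 * pi * h / 12
    return (sin(alpha), cos(alpha))


def point_to_hour(p):
    """Inverse of hour_to_point, reduced to the range [0, 12)."""
    x, y = p
    return (atan2(x, y) / (2 * pi) * 12) % 12


def same_hour(h1, h2, tol=1e-9):
    """Compare two hours modulo 12 (so 12.0 and 0.0 count as equal)."""
    return abs((h1 - h2 + 6) % 12 - 6) < tol


def add_hours(h1, h2):
    """Add two clock times by adding their points with clock_add."""
    return point_to_hour(clock_add(hour_to_point(h1), hour_to_point(h2)))


def rational_points():
    """The twelve rational points listed on the slides: (+-3/5, +-4/5),
    (+-4/5, +-3/5), (0, +-1) and (+-1, 0)."""
    pts = []
    for sx in (1, -1):
        for sy in (1, -1):
            pts.append((Fraction(3 * sx, 5), Fraction(4 * sy, 5)))
            pts.append((Fraction(4 * sx, 5), Fraction(3 * sy, 5)))
    pts += [(Fraction(0), Fraction(1)), (Fraction(0), Fraction(-1)),
            (Fraction(1), Fraction(0)), (Fraction(-1), Fraction(0))]
    return pts


def closed_under_addition(pts):
    """Check that clock_add of any two listed points lands on the curve again."""
    return all(on_clock(clock_add(p, q)) for p in pts for q in pts)


def matches_angle_addition(a1, a2, tol=1e-12):
    """The Cartesian formula reproduces the sin/cos angle-addition identity."""
    got = clock_add((sin(a1), cos(a1)), (sin(a2), cos(a2)))
    want = (sin(a1 + a2), cos(a1 + a2))
    return all(isclose(g, w, abs_tol=tol) for g, w in zip(got, want))


if __name__ == "__main__":
    print("2:00 + 3:00 =", round(add_hours(2, 3)))          # 5, as on the slides
    print("(3/5, 4/5) doubled =", clock_add(P_3_5, P_3_5))  # (24/25, 7/25)
```

Running the script prints 5 for “2:00” plus “3:00” and (24/25, 7/25) for the doubling of (3/5, 4/5); the exact Fraction arithmetic is what makes visible that the formula is purely algebraic, which is the point of the slide titled “Clock addition without sin, cos”.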
Examples of clock addition:
“2:00” + “5:00”
= (√(3/4), 1/2) + (1/2, −√(3/4))
= (−1/2, −√(3/4)) = “7:00”.
“5:00” + “9:00”
= (1/2, −√(3/4)) + (−1, 0)
= (√(3/4), 1/2) = “2:00”.
2(3/5, 4/5) = (24/25, 7/25).
3(3/5, 4/5) = (117/125, −44/125).
4(3/5, 4/5) = (336/625, −527/625).
(x1, y1) + (0, 1) = (x1, y1).
(x1, y1) + (−x1, y1) = (0, 1).
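The Cartesian addition formula and the multiples 2P, 3P, 4P of P = (3/5, 4/5) worked out above, as an added example in Python 3 (not code from the slides or from the authors' ecchacks material). It uses exact rational arithmetic with `fractions.Fraction`, so the slides' values are reproduced without rounding, and it brute-forces the group laws (closure, neutral element, inverses, commutativity, associativity) on the rational clock points listed on the slides. `clockadd` follows the slides' own function name; `multiples`, `negate`, `on_clock`, `check_group_laws`, `as_strings` and `RATIONAL_POINTS` are this example's own names. The “2:00” and “5:00” examples involve √3 and are not rational, so they are left to the hand computation above.

```python
# Added example, not from the slides: exact clock arithmetic over the rationals.
from fractions import Fraction as Fr

NEUTRAL = (Fr(0), Fr(1))          # "12:00", the neutral element of the clock


def clockadd(P1, P2):
    """Sum of (x1, y1) and (x2, y2) on the clock x^2 + y^2 = 1 (the slides' formula)."""
    x1, y1 = P1
    x2, y2 = P2
    return (x1 * y2 + y1 * x2, y1 * y2 - x1 * x2)


def negate(P):
    """(x, y) -> (-x, y): the mirror image across the y-axis is the additive inverse."""
    x, y = P
    return (-x, y)


def on_clock(P):
    """True when the point satisfies x^2 + y^2 = 1 exactly."""
    x, y = P
    return x * x + y * y == 1


def multiples(P, n):
    """[1P, 2P, ..., nP] by repeated clock addition, as the slides compute 2P, 3P, 4P."""
    out, R = [], NEUTRAL
    for _ in range(n):
        R = clockadd(R, P)
        out.append(R)
    return out


def as_strings(P):
    """(Fraction, Fraction) -> ("24/25", "7/25") style strings for display and comparison."""
    return tuple(str(c) for c in P)


def check_group_laws(points):
    """Brute-force check of closure, neutral element, inverses, commutativity and
    associativity on a finite sample of points; True only if every law holds."""
    for A in points:
        if not on_clock(A):
            return False
        if clockadd(A, NEUTRAL) != A or clockadd(A, negate(A)) != NEUTRAL:
            return False
        for B in points:
            S = clockadd(A, B)
            if not on_clock(S) or S != clockadd(B, A):
                return False
            for C in points:
                if clockadd(S, C) != clockadd(A, clockadd(B, C)):
                    return False
    return True


# Sample input constructed from the rational points listed on the slides:
# the four axis points and the eight points with coordinates +-3/5, +-4/5.
RATIONAL_POINTS = [(Fr(0), Fr(1)), (Fr(0), Fr(-1)), (Fr(1), Fr(0)), (Fr(-1), Fr(0))] + [
    (Fr(sx * a, 5), Fr(sy * b, 5))
    for (a, b) in ((3, 4), (4, 3)) for sx in (1, -1) for sy in (1, -1)
]

P = (Fr(3, 5), Fr(4, 5))

if __name__ == "__main__":
    for n, Q in enumerate(multiples(P, 4), start=1):
        print(f"{n}P = {as_strings(Q)}   on clock: {on_clock(Q)}")
    print("group laws hold on the sample:", check_group_laws(RATIONAL_POINTS))
```

Two things the hand computation does not show: with floats instead of `Fraction` the on-curve check would need a tolerance after a few additions, and the denominators of nP (5, 25, 125, 625 for the values above) keep growing, so over the rationals this P never returns to (0, 1); over a finite field, every point has finite order, which is the setting the next slides move to.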
Clocks over finite fields
[Figure: the points of Clock(F7) plotted on the 7 × 7 grid F7 × F7.]
Clock(F7) = {(x, y) ∈ F7 × F7 : x^2 + y^2 = 1}.
Here F7 = {0, 1, 2, 3, 4, 5, 6} = {0, 1, 2, 3, −3, −2, −1}
with arithmetic modulo 7.
e.g. 2 · 5 = 3 and 3/2 = 5 in F7.
>>> for x in range(7):
...   for y in range(7):
...     if (x*x+y*y) % 7 == 1:
...       print (x,y)
...
(0, 1)
(0, 6)
(1, 0)
(2, 2)
(2, 5)
(5, 2)
(5, 5)
(6, 0)
>>>
>>> class F7:
...   def __init__(self,x):
...     self.int = x % 7
...   def __str__(self):
...     return str(self.int)
...   __repr__ = __str__
...
>>> print F7(2)
2
>>> print F7(6)
6
>>> print F7(7)
0
>>> print F7(10)
3
>>> F7.__eq__ = \
...   lambda a,b: a.int == b.int
>>>
>>> print F7(7) == F7(0)
True
>>> print F7(10) == F7(3)
True
>>> print F7(-3) == F7(4)
True
>>> print F7(0) == F7(1)
False
>>> print F7(0) == F7(2)
False
>>> print F7(0) == F7(3)
False
>>> F7.__add__ = \
...   lambda a,b: F7(a.int + b.int)
>>> F7.__sub__ = \
...   lambda a,b: F7(a.int - b.int)
>>> F7.__mul__ = \
...   lambda a,b: F7(a.int * b.int)
>>>
>>> print F7(2) + F7(5)
0
>>> print F7(2) - F7(5)
4
>>> print F7(2) * F7(5)
3
>>>
Larger example: Clock(F1000003).
p = 1000003
class Fp:
  ...
def clockadd(P1,P2):
  x1,y1 = P1
  x2,y2 = P2
  x3 = x1*y2+y1*x2
  y3 = y1*y2-x1*x2
  return x3,y3
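The F7 class built up step by step above, the enumeration of Clock(F7), the remark that 3/2 = 5 in F7, and the Clock(F1000003) sketch whose `Fp` body is elided on the slide, as one added Python 3 example (not the slides' own code). It generalizes F7 to a prime field class for any p with division via Fermat's little theorem, keeps `clockadd` as written on the slides, enumerates the clock points, computes the order of a point, and adds scalar multiplication by double-and-add, the general algorithm behind the 2P, 3P, 4P computations. The point (1000, 2) on Clock(F1000003) is this example's own choice, valid because 1000^2 + 2^2 = 1000004 = p + 1; `Fp(x, p)`, `neutral`, `clockpoints`, `repeated_add`, `scalarmult`, `order` and `as_ints` are assumed names.

```python
# Added example, not from the slides: the clock group over a prime field F_p.

class Fp:
    """Element of the prime field F_p: an integer kept reduced modulo p (the slides' F7 for any p)."""
    def __init__(self, x, p):
        self.p = p
        self.int = x % p            # 7 -> 0 and -3 -> 4 for p = 7, as on the slides

    def __repr__(self):
        return str(self.int)

    def __eq__(self, other):
        return self.p == other.p and self.int == other.int

    def __hash__(self):
        return hash((self.p, self.int))

    def __add__(self, other):
        return Fp(self.int + other.int, self.p)

    def __sub__(self, other):
        return Fp(self.int - other.int, self.p)

    def __mul__(self, other):
        return Fp(self.int * other.int, self.p)

    def __truediv__(self, other):
        # For prime p and b != 0, Fermat gives b^(p-1) = 1, so b^(p-2) is 1/b.
        if other.int == 0:
            raise ZeroDivisionError("division by zero in F_p")
        return Fp(self.int * pow(other.int, self.p - 2, self.p), self.p)


def neutral(p):
    """The neutral element (0, 1) of Clock(F_p)."""
    return (Fp(0, p), Fp(1, p))


def clockadd(P1, P2):
    """Clock addition in Cartesian coordinates, exactly as on the slides."""
    x1, y1 = P1
    x2, y2 = P2
    x3 = x1 * y2 + y1 * x2
    y3 = y1 * y2 - x1 * x2
    return x3, y3


def clockpoints(p):
    """Every (x, y) in F_p x F_p with x^2 + y^2 = 1 (the slides' loop for p = 7, generalized)."""
    return [(Fp(x, p), Fp(y, p))
            for x in range(p) for y in range(p)
            if (x * x + y * y) % p == 1]


def repeated_add(n, P, p):
    """n*P by n clock additions, the way the slides reach 2P, 3P, 4P; only for small n."""
    R = neutral(p)
    for _ in range(n):
        R = clockadd(R, P)
    return R


def scalarmult(n, P, p):
    """n*P by double-and-add: about 2*log2(n) clock additions instead of n.
    Branches on the bits of n, so this is a teaching version, not a constant-time one."""
    R = neutral(p)
    Q = P
    while n > 0:
        if n & 1:
            R = clockadd(R, Q)
        Q = clockadd(Q, Q)          # Q runs through 2P, 4P, 8P, ...
        n >>= 1
    return R


def order(P, p):
    """Smallest n >= 1 with n*P = neutral, by repeated addition (fine for tiny p only)."""
    R, n = P, 1
    while R != neutral(p):
        R = clockadd(R, P)
        n += 1
    return n


def as_ints(P):
    """(Fp, Fp) -> (int, int) for printing and comparison."""
    return (P[0].int, P[1].int)


# Sample input: the slides' larger prime, with a point chosen for this example
# (1000^2 + 2^2 = p + 1, so it satisfies x^2 + y^2 = 1 modulo p).
P_BIG = 1000003
POINT_BIG = (Fp(1000, P_BIG), Fp(2, P_BIG))

if __name__ == "__main__":
    print("3/2 in F7 =", Fp(3, 7) / Fp(2, 7))
    pts = clockpoints(7)
    print("Clock(F7) has", len(pts), "points:", [as_ints(Q) for Q in pts])
    print("order of (2, 2) in Clock(F7):", order((Fp(2, 7), Fp(2, 7)), 7))
    for n in (2, 3, 1000000):
        print(f"{n} * (1000, 2) in Clock(F1000003) =", as_ints(scalarmult(n, POINT_BIG, P_BIG)))
```

The eight points of Clock(F7) are exactly the slides' list, and (2, 2) generates all of them, so Clock(F7) is cyclic of order 8. For p = 1000003, `repeated_add` and `scalarmult` agree but the latter needs only about 40 additions for a million-sized scalar, which is why multiplication is cheap while recovering n from n*P is the hard direction. The bit-dependent branch in `scalarmult` leaks the scalar through timing; real implementations use a constant-time ladder instead.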
>>> P = (Fp(1000),Fp(2))
>>> P2 = clockadd(P,P)
>>> print P2
(4000, 7)
>>> P3 = clockadd(P2,P)
>>> print P3
(15000, 26)
>>> P4 = clockadd(P3,P)
>>> P5 = clockadd(P4,P)
>>> P6 = clockadd(P5,P)
>>> print P6
(780000, 1351)
>>> print clockadd(P3,P3)
(780000, 1351)
>>>
>>> def scalarmult(n,P):
...     if n == 0: return (Fp(0),Fp(1))
...     if n == 1: return P
...     Q = scalarmult(n//2,P)
...     Q = clockadd(Q,Q)
...     if n % 2: Q = clockadd(P,Q)
...     return Q
...
>>> n = oursixdigitsecret
>>> scalarmult(n,P)
(947472, 736284)
>>>
Can you figure out our secret n?
Clock cryptography
The “Clock Diffie–Hellman protocol”:
Standardize a large prime p
and base point (x, y) ∈ Clock(F_p).
Alice chooses big secret a.
Alice computes her public key a(x, y).
Bob chooses big secret b.
Bob computes his public key b(x, y).
Alice computes a(b(x, y)).
Bob computes b(a(x, y)).
They use this shared secret
to encrypt with AES-GCM etc.
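The clock arithmetic, the scalarmult above, the Clock Diffie–Hellman exchange, and an answer to "can you figure out our secret n?", as one added example (editor's code, Python 3, not the slides' own). p = 1000003, the base point (1000, 2) and the challenge point (947472, 736284) are the slides'; the Fp class fills in the slides' elided `class Fp: ...`, Alice's and Bob's scalars are made-up constants, and bsgs() is a baby-step giant-step solver the slides do not show. It recovers any scalar below 10^6 from the public key with about 2000 clock additions, which is the concrete content of the warnings that follow: with a six-digit p the "secret" is not secret.

```python
import math

# Example code added by the editor, not from the slides. p, the base
# point (1000, 2) and the challenge point (947472, 736284) are the slides';
# the Fp class fills in the slides' elided "class Fp: ...", Alice's and
# Bob's scalars are made-up constants, and bsgs() is the editor's solver.

p = 1000003


class Fp:
    """An element of F_p: an integer reduced mod p, printed as that integer."""

    def __init__(self, x):
        self.int = x % p

    def __repr__(self):
        return str(self.int)

    def __eq__(self, other):
        return self.int == other.int

    def __hash__(self):                  # needed to use points as dict keys
        return hash(self.int)

    def __add__(self, other):
        return Fp(self.int + other.int)

    def __sub__(self, other):
        return Fp(self.int - other.int)

    def __mul__(self, other):
        return Fp(self.int * other.int)

    def __neg__(self):
        return Fp(-self.int)


NEUTRAL = (Fp(0), Fp(1))


def clockadd(P1, P2):
    """Clock group law on x^2 + y^2 = 1 (angle addition); neutral is (0, 1)."""
    x1, y1 = P1
    x2, y2 = P2
    return (x1 * y2 + y1 * x2, y1 * y2 - x1 * x2)


def clockneg(P):
    """-(x, y) = (-x, y): adding it gives (0, x^2 + y^2) = (0, 1)."""
    x, y = P
    return (-x, y)


def scalarmult(n, P):
    """n*P by recursive double-and-add, the algorithm the slides show."""
    if n == 0:
        return NEUTRAL
    if n == 1:
        return P
    Q = scalarmult(n // 2, P)
    Q = clockadd(Q, Q)
    if n % 2:
        Q = clockadd(P, Q)
    return Q


def clock_dh(base, a, b):
    """Clock Diffie-Hellman. Returns (A, B, shared): A = a*base goes from
    Alice to Bob, B = b*base from Bob to Alice, and both sides then get
    a(b*base) = b(a*base) = ab*base."""
    A = scalarmult(a, base)
    B = scalarmult(b, base)
    shared_alice = scalarmult(a, B)
    shared_bob = scalarmult(b, A)
    assert shared_alice == shared_bob
    return A, B, shared_alice


def bsgs(base, target, bound):
    """Baby-step giant-step: the n in [0, bound) with n*base == target, or
    None. About 2*sqrt(bound) clock additions and sqrt(bound) table entries,
    versus bound additions for brute force."""
    m = math.isqrt(bound - 1) + 1        # m*m >= bound
    baby = {}
    Q = NEUTRAL
    for j in range(m):                   # baby steps: table of j*base
        baby.setdefault(Q, j)
        Q = clockadd(Q, base)
    giant = clockneg(scalarmult(m, base))  # -m*base
    gamma = target
    for i in range(m):                   # giant steps: target - i*m*base
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = clockadd(gamma, giant)
    return None


P = (Fp(1000), Fp(2))                    # the slides' base point
TARGET = (Fp(947472), Fp(736284))        # the slides' n*P for their secret n

if __name__ == "__main__":
    a, b = 314159, 271828                # made-up secrets for Alice and Bob
    A, B, shared = clock_dh(P, a, b)
    print("Alice -> Bob:", A, "  Bob -> Alice:", B, "  shared:", shared)
    # An eavesdropper sees only P and A, yet with p this small recovers a:
    print("recovered a =", bsgs(P, A, 10**6))
    print("the slides' secret n =", bsgs(P, TARGET, 10**6))
```

bsgs() searches the whole range of six-digit scalars, so running the script prints the slides' n; the same routine against a real-size p would need a table of about 2^(bits/2) entries, which is exactly why the prime has to be large.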
Alice's secret key a                  Bob's secret key b
         |                                     |
         v                                     v
Alice's public key a(x, y)            Bob's public key b(x, y)
         \                                     /
          \___________________________________/
                             |
                             v
   {Alice, Bob}'s shared secret ab(x, y)
 = {Bob, Alice}'s shared secret ba(x, y)
Warning #1: Many choices of p are unsafe!
Warning #2: Clocks aren't elliptic!
Can use index calculus
to attack clock cryptography.
To match RSA-3072 security
need p ≈ 2^1536.
Warning #3: Attacker sees more than
the public keys a(x, y) and b(x, y).
Attacker sees how much time
Alice uses to compute a(b(x, y)).
Often attacker can see time
for each operation performed by Alice,
not just total time.
This reveals secret scalar a.
Some timing attacks: 2011 Brumley–Tuveri;
2013 “Lucky Thirteen” (not ECC);
2014 Benger–van de Pol–Smart–Yarom; etc.
Fix: constant-time code,
performing same operations
no matter what scalar is.
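The leak and the fix side by side, as an added example (editor's code, not the slides'): the slides' double-and-add next to a branch-free Montgomery ladder on the clock, each counting its clock additions. Plain Python integers mod the slides' p = 1000003 stand in for the Fp class, and the 20-bit scalar width is an assumption that covers every six-digit scalar. Python's big-integer arithmetic is not itself constant-time; what the ladder fixes is the sequence of group operations, which is what the per-operation timing attacks cited above observe, and a production implementation pairs it with constant-time field arithmetic in C or assembly.

```python
# Example code added by the editor, not from the slides. The slides' p and
# base point (1000, 2) are used; plain Python ints mod p stand in for the
# Fp class, and the 20-bit scalar width is an assumption (it covers every
# six-digit scalar). Python's big-int arithmetic is not constant-time; what
# the ladder fixes is the sequence of group operations.

p = 1000003
NEUTRAL = (0, 1)


def clockadd(P1, P2):
    x1, y1 = P1
    x2, y2 = P2
    return ((x1 * y2 + y1 * x2) % p, (y1 * y2 - x1 * x2) % p)


def scalarmult_vartime(n, P):
    """Left-to-right double-and-add, as on the slides. Returns (n*P, number
    of clockadd calls). The extra add runs only for 1-bits of n, so the
    operation trace spells out the secret."""
    Q, ops = NEUTRAL, 0
    for i in reversed(range(n.bit_length())):
        Q = clockadd(Q, Q)
        ops += 1
        if (n >> i) & 1:                 # secret-dependent branch
            Q = clockadd(Q, P)
            ops += 1
    return Q, ops


def cswap(bit, A, B):
    """Return (B, A) if bit == 1 else (A, B) without branching on bit:
    a mask of all-ones or all-zeros selects what gets XORed across."""
    mask = -bit                          # 0 -> 0, 1 -> -1 (all bits set)
    (ax, ay), (bx, by) = A, B
    dx, dy = mask & (ax ^ bx), mask & (ay ^ by)
    return (ax ^ dx, ay ^ dy), (bx ^ dx, by ^ dy)


def scalarmult_ladder(n, P, bits):
    """Montgomery ladder: for each of a fixed number of bits do exactly one
    add and one double, selecting operands with cswap. Invariant R1 == R0 + P.
    Returns (n*P, number of clockadd calls); the count depends only on bits."""
    R0, R1, ops = NEUTRAL, P, 0
    for i in reversed(range(bits)):
        bit = (n >> i) & 1
        R0, R1 = cswap(bit, R0, R1)
        R1 = clockadd(R0, R1)
        ops += 1
        R0 = clockadd(R0, R0)
        ops += 1
        R0, R1 = cswap(bit, R0, R1)
    return R0, ops


if __name__ == "__main__":
    P = (1000, 2)
    for n in (1 << 19, (1 << 20) - 1, 0b10101010101010101010):
        Qv, ov = scalarmult_vartime(n, P)
        Ql, ol = scalarmult_ladder(n, P, 20)
        assert Qv == Ql
        print(f"n = {n:020b}  double-and-add: {ov} ops  ladder: {ol} ops")
```

For 20-bit scalars the double-and-add loop performs between 21 and 40 clock additions depending on the bits of n; the ladder performs 40 every time. The same structure carries over to Edwards-curve scalar multiplication, where each "clock addition" becomes a curve addition.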
Addition on an elliptic curve
[figure: the curve $x^2 + y^2 = 1 - 30x^2y^2$ in the (x, y) plane, with the neutral element (0, 1), P1 = (x1, y1), P2 = (x2, y2) and their sum P3 = (x3, y3) marked]
$x^2 + y^2 = 1 - 30x^2y^2$.
Sum of $(x_1, y_1)$ and $(x_2, y_2)$ is
$\left(\frac{x_1y_2 + y_1x_2}{1 - 30x_1x_2y_1y_2},\ \frac{y_1y_2 - x_1x_2}{1 + 30x_1x_2y_1y_2}\right)$.
The clock again, for comparison:
[figure: the clock $x^2 + y^2 = 1$ with the neutral element (0, 1), P1 = (x1, y1), P2 = (x2, y2) and their sum P3 = (x3, y3) marked]
$x^2 + y^2 = 1$.
Sum of $(x_1, y_1)$ and $(x_2, y_2)$ is
$(x_1y_2 + y_1x_2,\ y_1y_2 - x_1x_2)$.
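The curve addition law above and the clock law beside it, as one added example (editor's code, not the slides'): a single function implements $x^2 + y^2 = 1 + d x^2 y^2$ with the slides' $d = -30$, and passing $d = 0$ makes both denominators 1 and gives back exactly the clock formula. p = 1000003 is the slides' prime, the curve points are found by search, and the scalar-multiplication loop is the editor's. The block also carries the check a practitioner wants before relying on this formula: the Edwards addition law has no exceptional inputs (no zero denominator for any pair of points) only when d is a non-square in F_p, and is_complete() reports whether that holds for this p and d.

```python
# Example code added by the editor, not from the slides. p = 1000003 is the
# slides' prime and d = -30 the slides' curve; points are found by search.

p = 1000003
D = (-30) % p          # x^2 + y^2 = 1 + D x^2 y^2, i.e. the slides' 1 - 30 x^2 y^2


def inv(a):
    """Inverse in F_p (Python >= 3.8); raises ValueError when a == 0 mod p."""
    return pow(a % p, -1, p)


def on_curve(P, d=D):
    x, y = P
    return (x * x + y * y - 1 - d * x * x * y * y) % p == 0


def edwards_add(P1, P2, d=D):
    """The slides' law: ((x1y2 + y1x2)/(1 + d x1x2y1y2), (y1y2 - x1x2)/(1 - d x1x2y1y2)).
    With d = -30 the denominators are 1 - 30(...) and 1 + 30(...) as on the
    slide; with d = 0 both are 1 and this is the clock addition."""
    x1, y1 = P1
    x2, y2 = P2
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t)
    y3 = (y1 * y2 - x1 * x2) * inv(1 - t)
    return (x3 % p, y3 % p)


def neg(P):
    """-(x, y) = (-x, y); adding it to (x, y) gives the neutral element (0, 1)."""
    x, y = P
    return ((-x) % p, y)


def sqrt_mod(a):
    """Square root in F_p for p = 3 (mod 4): a^((p+1)/4). None if a is not a square."""
    a %= p
    r = pow(a, (p + 1) // 4, p)
    return r if (r * r - a) % p == 0 else None


def find_point(x0, d=D):
    """First x >= x0 that lies under a curve point: y^2 = (1 - x^2)/(1 - d x^2)."""
    for x in range(x0, x0 + 10000):
        den = (1 - d * x * x) % p
        if den == 0:
            continue
        y = sqrt_mod((1 - x * x) * inv(den))
        if y is not None:
            return (x, y)
    raise ValueError("no curve point with x in range")


def is_complete(d=D):
    """True iff d is a non-square in F_p (Euler's criterion), the condition
    under which edwards_add never divides by zero for points on the curve."""
    return pow(d % p, (p - 1) // 2, p) == p - 1


def scalarmult(n, P, d=D):
    """n*P by left-to-right double-and-add (variable-time; see the ladder above)."""
    Q = (0, 1)
    for i in reversed(range(n.bit_length())):
        Q = edwards_add(Q, Q, d)
        if (n >> i) & 1:
            Q = edwards_add(Q, P, d)
    return Q


if __name__ == "__main__":
    P, Q = find_point(2), find_point(5)
    R = edwards_add(P, Q)
    print("P =", P, " Q =", Q, " P+Q =", R, " on curve:", on_curve(R))
    print("P + (-P) =", edwards_add(P, neg(P)))
    print("d = 0 is the clock: 2*(1000, 2) =", edwards_add((1000, 2), (1000, 2), 0))
    print("addition law complete for d = -30 over F_p:", is_complete())
```

If is_complete() prints False for your choice of p and d, some pair of curve points makes edwards_add raise ValueError, which is itself an input-dependent branch; real Edwards-curve parameters are chosen with d a non-square precisely to rule that out.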
More elliptic curves
Choose an odd prime p.
Choose a non-square d ∈ F_p.
{(x, y) ∈ F_p × F_p :
x^2 + y^2 = 1 + dx^2y^2} is a “complete Edwards curve”.

```python
def edwardsadd(P1, P2):
    # Complete Edwards addition law on x^2 + y^2 = 1 + d*x^2*y^2.
    # Assumes d and the coordinates are elements of F_p whose "/"
    # is division in the field (modular inverse), not float division.
    x1, y1 = P1
    x2, y2 = P2
    x3 = (x1*y2 + y1*x2) / (1 + d*x1*x2*y1*y2)
    y3 = (y1*y2 - x1*x2) / (1 - d*x1*x2*y1*y2)
    return x3, y3
```
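An added worked example, not code from the ECCHacks slides, covering two points made above: the Edwards addition law computed over an actual prime field, and Warning #3, that scalar multiplication should perform the same curve operations no matter what the scalar is. The prime p = 65537, the curve constant d = 1/3 and the base point (2, 3) are constructed toy parameters (3 is a non-square mod 65537, so d is too and the law is complete). The ladder's fixed operation sequence is shown by counting curve additions, since Python integer arithmetic is itself not constant-time; the same code also checks the Diffie–Hellman identity a(b(x, y)) = b(a(x, y)) that the later slides rely on.

```python
# Added example (not from the ECCHacks slides). Toy parameters only.
P_MOD = 65537                      # constructed prime field F_p (a Fermat prime)

def inv(a):
    """Modular inverse in F_p via Fermat's little theorem."""
    return pow(a % P_MOD, P_MOD - 2, P_MOD)

def is_square(a):
    """Euler's criterion: non-zero a is a square iff a^((p-1)/2) == 1."""
    return pow(a % P_MOD, (P_MOD - 1) // 2, P_MOD) == 1

D = inv(3)          # constructed so that BASE lies on the curve; 3 is a non-square mod 65537
BASE = (2, 3)       # constructed point: 2^2 + 3^2 = 13 = 1 + (1/3)*2^2*3^2
NEUTRAL = (0, 1)

def on_curve(pt):
    x, y = pt
    return (x * x + y * y - 1 - D * x * x * y * y) % P_MOD == 0

def edwards_add(P1, P2):
    """The slides' addition law on x^2 + y^2 = 1 + d x^2 y^2, done in F_p.
    Because d is a non-square, 1 +/- d*x1*x2*y1*y2 is never 0 (complete law)."""
    x1, y1 = P1
    x2, y2 = P2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + y1 * x2) * inv(1 + t) % P_MOD
    y3 = (y1 * y2 - x1 * x2) * inv(1 - t) % P_MOD
    return x3, y3

def scalarmult_branchy(n, pt):
    """Variable-time double-and-add: returns (n*pt, number of curve ops).
    The op count, and hence the timing, depends on the bits of n."""
    Q, ops = NEUTRAL, 0
    for bit in bin(n)[2:]:
        Q, ops = edwards_add(Q, Q), ops + 1
        if bit == "1":                      # data-dependent branch on the secret
            Q, ops = edwards_add(Q, pt), ops + 1
    return Q, ops

def cswap(swap, A, B):
    """Conditional swap driven by a mask, not by a branch (swap is 0 or 1)."""
    mask = -swap                            # 0 or all-ones
    dx, dy = (A[0] ^ B[0]) & mask, (A[1] ^ B[1]) & mask
    return (A[0] ^ dx, A[1] ^ dy), (B[0] ^ dx, B[1] ^ dy)

def scalarmult_ladder(n, pt, bits=20):
    """Montgomery ladder: exactly one add and one doubling per bit, for every n < 2^bits.
    Invariant: R1 = R0 + pt. Returns (n*pt, number of curve ops)."""
    R0, R1, ops = NEUTRAL, pt, 0
    for i in reversed(range(bits)):
        b = (n >> i) & 1
        R0, R1 = cswap(b, R0, R1)
        R1, R0 = edwards_add(R0, R1), edwards_add(R0, R0)
        ops += 2
        R0, R1 = cswap(b, R0, R1)
    return R0, ops

def shared_secret_agrees(a, b):
    """Diffie-Hellman check from the slides: a(b(x, y)) == b(a(x, y))."""
    A, _ = scalarmult_ladder(a, BASE)
    B, _ = scalarmult_ladder(b, BASE)
    return scalarmult_ladder(a, B)[0] == scalarmult_ladder(b, A)[0]

if __name__ == "__main__":
    for n in (0b1000, 0b1111):
        print(n, "branchy ops:", scalarmult_branchy(n, BASE)[1],
              "ladder ops:", scalarmult_ladder(n, BASE)[1])
```

The branchy version does 5 curve operations for the scalar 0b1000 and 8 for 0b1111; the ladder does 40 for either, because every bit costs one addition and one doubling whatever its value. Both return the same point, so the fix costs nothing in correctness.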
“Hey, there are divisions
in the Edwards addition law!
What if the denominators are 0?”
Answer: Can prove that
the denominators are never 0.
Addition law is complete.
This proof relies on
choosing non-square d.
If we instead choose square d:
curve is still elliptic, and
addition seems to work,
but there are failure cases,
often exploitable by attackers.
Safe code is more complicated.
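An added example, not from the slides, that tests the completeness claim by brute force on a constructed toy prime p = 503: it enumerates every affine point of x^2 + y^2 = 1 + dx^2y^2 and every pair of points, and collects the pairs whose Edwards denominators are 0. With a non-square d the list is empty, which is the theorem the slides cite; with the square d = 4 the same search turns up failing pairs, the case the slides describe as a failure of the addition law.

```python
# Added example (not from the slides): exhaustive check of the completeness
# claim on a constructed toy prime, small enough to enumerate every point.
P_MOD = 503

def is_square(a):
    """Euler's criterion: non-zero a is a square in F_p iff a^((p-1)/2) == 1."""
    return pow(a % P_MOD, (P_MOD - 1) // 2, P_MOD) == 1

NONSQUARE_D = next(d for d in range(2, P_MOD) if not is_square(d))   # the safe choice
SQUARE_D = 4                                                          # 2^2: the unsafe choice

def curve_points(d):
    """All affine points (x, y) in F_p x F_p with x^2 + y^2 = 1 + d x^2 y^2."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD)
            if (x * x + y * y - 1 - d * x * x * y * y) % P_MOD == 0]

def zero_denominators(d):
    """Every pair of curve points for which one of the Edwards denominators
    1 + d*x1*x2*y1*y2 or 1 - d*x1*x2*y1*y2 is 0 mod p, i.e. where the
    affine addition law from the slides has no answer."""
    pts = curve_points(d)
    bad = []
    for (x1, y1) in pts:
        for (x2, y2) in pts:
            t = d * x1 * x2 * y1 * y2 % P_MOD
            if t == 1 or t == P_MOD - 1:        # 1 - t == 0 or 1 + t == 0
                bad.append(((x1, y1), (x2, y2)))
    return bad

def completeness_report(d):
    """(number of affine points, number of failing pairs) for this d."""
    return len(curve_points(d)), len(zero_denominators(d))

if __name__ == "__main__":
    for name, d in (("non-square d", NONSQUARE_D), ("square d", SQUARE_D)):
        n, bad = completeness_report(d)
        print(f"{name} = {d}: {n} affine points, {bad} failing pairs")
```

For square d = c^2 the failing pairs are easy to describe: if (x1, y1) is on the curve with x1y1 ≠ 0, so is (1/(c·y1), 1/(c·x1)), and for that pair d·x1x2y1y2 = 1, which zeroes the y denominator. No such construction exists when d is a non-square, and the search confirms that no pair at all fails.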
“Hey, divisions are really slow!”
Instead of dividing a by b,
store fraction a/b as pair (a, b).
Remember arithmetic on fractions?
One option: “projective coordinates”.
Store (X, Y, Z) representing (X/Z, Y/Z).
Another option: “extended coordinates”.
Store projective (X, Y, Z) and T = XY/Z.
See “Explicit Formulas Database”
for many more options and speedups:
hyperelliptic.org/EFD
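An added example, not from the slides or the EFD, of the projective-coordinate idea: one Edwards addition in (X : Y : Z) form using the 2007 Bernstein–Lange projective formulas (the EFD lists them), with every division deferred to a single inversion when converting back to affine. The prime p = 65537, the constant d = 1/3 and the point (2, 3) are constructed toy parameters (d is a non-square mod 65537); an inversion counter shows that k projective additions cost one inversion in total where the affine law from the slides costs 2k.

```python
# Added example (not from the slides or the EFD): projective Edwards
# addition with no inversion per add, checked against the affine law.
P_MOD = 65537                  # constructed toy prime
_inversions = [0]              # counts how many field inversions were done

def inv(a):
    _inversions[0] += 1
    return pow(a % P_MOD, P_MOD - 2, P_MOD)

D = inv(3)                     # constructed non-square d; (2, 3) lies on the curve
BASE = (2, 3)

def affine_add(P1, P2):
    """Reference: the slides' affine law, two inversions per addition."""
    x1, y1 = P1
    x2, y2 = P2
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + y1 * x2) * inv(1 + t) % P_MOD,
            (y1 * y2 - x1 * x2) * inv(1 - t) % P_MOD)

def proj_add(P1, P2):
    """Projective addition: (X : Y : Z) stands for (X/Z, Y/Z).
    Only multiplications; the denominators are carried along in Z."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    A = Z1 * Z2 % P_MOD
    B = A * A % P_MOD
    C = X1 * X2 % P_MOD
    Dd = Y1 * Y2 % P_MOD
    E = D * C * Dd % P_MOD
    F = (B - E) % P_MOD            # never 0: d is a non-square
    G = (B + E) % P_MOD
    X3 = A * F * ((X1 + Y1) * (X2 + Y2) - C - Dd) % P_MOD
    Y3 = A * G * (Dd - C) % P_MOD
    Z3 = F * G % P_MOD
    return X3, Y3, Z3

def to_projective(pt):
    return (pt[0], pt[1], 1)

def to_affine(P):
    """The single inversion, done once at the end."""
    X, Y, Z = P
    zi = inv(Z)
    return X * zi % P_MOD, Y * zi % P_MOD

def repeated_add(k, projective):
    """Compute (k+1)*BASE by k additions; return (affine result, inversions used)."""
    _inversions[0] = 0
    if projective:
        Q = to_projective(BASE)
        for _ in range(k):
            Q = proj_add(Q, to_projective(BASE))
        result = to_affine(Q)
    else:
        Q = BASE
        for _ in range(k):
            Q = affine_add(Q, BASE)
        result = Q
    return result, _inversions[0]

if __name__ == "__main__":
    print("projective:", repeated_add(10, True))
    print("affine:    ", repeated_add(10, False))
```

Checking the formulas by hand: with x_i = X_i/Z_i the affine x3 is (X1Y2 + Y1X2)/A divided by (B + E)/B, which is A(X1Y2 + Y1X2)/G, and (X1 + Y1)(X2 + Y2) - C - Dd equals X1Y2 + Y1X2; the same calculation gives A(Dd - C)/F for y3, and multiplying both by F·G clears the fractions into X3, Y3, Z3.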
Elliptic-curve cryptography
Standardize prime p, safe non-square d,
base point (x, y) on elliptic curve.
Alice knows her secret key a
and Bob’s public key b(x, y).
Alice computes (and caches)
shared secret ab(x, y).
Alice uses shared secret to encrypt
and authenticate packet for Bob.
Packet overhead at high security level:
32 bytes for Alice’s public key,
24 bytes for nonce,
16 bytes for authenticator.
Bob receives packet,
sees Alice’s public key a(x, y).
Bob computes (and caches)
shared secret ab(x, y).
Bob uses shared secret to
verify authenticator and decrypt packet.
Alice and Bob
reuse the same shared secret to
encrypt, authenticate, verify, and decrypt
all subsequent packets.
All of this is so fast that
we can afford to encrypt all packets.
A safe example
Choose p = 2^255 - 19.
Choose d = 121665/121666;
this is non-square in F_p.
x^2 + y^2 = 1 + dx^2y^2
is a safe curve for ECC.
−x^2 + y^2 = 1 − dx^2y^2
is another safe curve
using the same p and d.
Actually, the second curve
is the first curve in disguise:
replace x in first curve
by √−1 · x, using
√−1 ∈ F_p.
Even more elliptic curves
Edwards curves:
x^2 + y^2 = 1 + dx^2y^2.
Twisted Edwards curves:
ax^2 + y^2 = 1 + dx^2y^2.
Weierstrass curves:
y^2 = x^3 + a_4x + a_6.
Montgomery curves:
By^2 = x^3 + Ax^2 + x.
Many relationships:
e.g., obtain Edwards (x, y)
given Montgomery (x', y') by
computing x = x'/y', y = (x' − 1)/(x' + 1).
(This lands on the twisted Edwards curve
with a = (A + 2)/B and d = (A − 2)/B.)
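As an added worked example (this page's own code, not the slides' and not any library's), the following Python checks the claims of the last few slides on the Curve25519 field: that d = 121665/121666 is a non-square in F_p (Euler's criterion), that √−1 exists in F_p and turns x^2 + y^2 = 1 + dx^2y^2 into −x^2 + y^2 = 1 − dx^2y^2, and that the map x = x'/y', y = (x' − 1)/(x' + 1) carries a Montgomery point of y^2 = x^3 + 486662x^2 + x (Curve25519, B = 1, base x' = 9) onto the twisted Edwards curve with a = A + 2 and d = A − 2, which after scaling x by √(A + 2) is exactly the slide's x^2 + y^2 = 1 + (121665/121666)x^2y^2. The square-root routine for p ≡ 5 (mod 8) and the check names are this example's own.

```python
# Added example: verify the "safe example" slides on Curve25519's field.
p = 2**255 - 19                       # the prime from the slide
A = 486662                            # Montgomery y^2 = x^3 + A x^2 + x (Curve25519, B = 1)
SQRT_M1 = pow(2, (p - 1) // 4, p)     # sqrt(-1) in F_p: 2 is a non-square since p = 5 mod 8

def inv(a):
    return pow(a % p, p - 2, p)       # Fermat inversion; p is prime

def is_square(a):
    # Euler's criterion: a^((p-1)/2) is 1 for squares, p-1 for non-squares
    return pow(a % p, (p - 1) // 2, p) == 1

def sqrt_mod_p(a):
    # square root for p = 5 (mod 8); returns None if a is a non-square
    a %= p
    x = pow(a, (p + 3) // 8, p)       # x^2 is either a or -a
    if (x * x - a) % p:
        x = x * SQRT_M1 % p
    return x if (x * x - a) % p == 0 else None

def on_edwards(x, y, a, d):
    # a*x^2 + y^2 == 1 + d*x^2*y^2 over F_p
    return (a * x * x + y * y - 1 - d * x * x * y * y) % p == 0

def montgomery_to_edwards(u, v):
    # the map from the slide: x = x'/y', y = (x'-1)/(x'+1)
    return u * inv(v) % p, (u - 1) * inv(u + 1) % p

def check_safe_example():
    d = 121665 * inv(121666) % p
    results = {}
    results["d_nonsquare"] = not is_square(d)
    results["sqrt_m1_ok"] = (SQRT_M1 * SQRT_M1 + 1) % p == 0
    # a Montgomery point: u = 9 is Curve25519's base x-coordinate, v from the curve equation
    u = 9
    v = sqrt_mod_p(u**3 + A * u * u + u)
    x, y = montgomery_to_edwards(u, v)
    # it lands on the twisted Edwards curve a = A+2, d = A-2 (B = 1)
    results["twisted_ok"] = on_edwards(x, y, A + 2, A - 2)
    # scaling x by sqrt(A+2) moves it to x^2 + y^2 = 1 + (121665/121666) x^2 y^2
    results["d_ratio_ok"] = (A - 2) * inv(A + 2) % p == d
    xs = x * sqrt_mod_p(A + 2) % p
    results["edwards_ok"] = on_edwards(xs, y, 1, d)
    # the "disguise": (x, y) -> (sqrt(-1)*x, y) lands on -x^2 + y^2 = 1 - d x^2 y^2
    results["twist_ok"] = on_edwards(SQRT_M1 * xs % p, y, p - 1, (-d) % p)
    return results

if __name__ == "__main__":
    for name, ok in check_safe_example().items():
        print(f"{name}: {ok}")
```

Every check in `check_safe_example` should come back True; `sqrt_mod_p` returning None on a non-square is the same Euler-criterion fact the slide relies on when it calls d "non-square".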
Addition on Weierstrass curves
y^2 = x^3 + a_4x + a_6:
for x_1 ≠ x_2, (x_1, y_1) + (x_2, y_2) =
(x_3, y_3) with x_3 = λ^2 − x_1 − x_2,
y_3 = λ(x_1 − x_3) − y_1,
λ = (y_2 − y_1)/(x_2 − x_1);
for y_1 ≠ 0, (x_1, y_1) + (x_1, y_1) =
(x_3, y_3) with x_3 = λ^2 − 2x_1,
y_3 = λ(x_1 − x_3) − y_1,
λ = (3x_1^2 + a_4)/(2y_1);
(x_1, y_1) + (x_1, −y_1) = ∞;
(x_1, y_1) + ∞ = (x_1, y_1);
∞ + (x_2, y_2) = (x_2, y_2);
∞ + ∞ = ∞.
Messy to implement and test.
Much nicer than Weierstrass: Montgomery
curves with the "Montgomery ladder".
(The slide's code is Sage, where ^ is exponentiation and x1 lives in
F_p. Below it is written as plain Python with the reduction mod p made
explicit, and with p, A, maxnbits and cswap defined so that it runs.)
p = 2**255 - 19          # Curve25519 field prime
A = 486662               # Curve25519: y^2 = x^3 + A x^2 + x
maxnbits = 255           # fixed loop length: same work for every n

def cswap(a, b, bit):
    # branch-free conditional swap: swaps iff bit == 1
    mask = -bit          # 0 or all ones
    t = mask & (a ^ b)
    return a ^ t, b ^ t

def scalarmult(n, x1):
    # x-coordinate of n*P from the x-coordinate x1 of P; (x2:z2) = k*P, (x3:z3) = (k+1)*P
    x2, z2, x3, z3 = 1, 0, x1, 1
    for i in reversed(range(maxnbits)):
        bit = 1 & (n >> i)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
        x3, z3 = ((x2*x3 - z2*z3)**2 % p,                  # differential addition
                  x1*(x2*z3 - z2*x3)**2 % p)
        x2, z2 = ((x2**2 - z2**2)**2 % p,                  # doubling
                  4*x2*z2*(x2**2 + A*x2*z2 + z2**2) % p)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
    return x2 * pow(z2, p-2, p) % p   # x2/z2 via Fermat inversion
Curve selection
How to defend yourself against
an attacker armed with a mathematician:
1999 ANSI X9.62.
2000 IEEE P1363.
2000 Certicom SEC 2.
2000 NIST FIPS 186-2.
2001 ANSI X9.63.
2005 Brainpool.
2005 NSA Suite B.
2010 Certicom SEC 2 v2.
2010 OSCCA SM2.
2011 ANSSI FRP256V1.
You can pick any of these standards.
What your chosen standard achieves:
No known attack will compute
ECC user’s secret key from public key.
(“Elliptic-curve discrete-log problem.”)
Example of criterion in all standards:
Standard base point (x, y)
has huge prime "order" ℓ,
i.e., exactly ℓ different multiples.
All criteria are computer-verifiable.
See our evaluation site for scripts:
safecurves.cr.yp.to
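To make both the ladder slide and the criterion just stated concrete, here is an added example (this page's own code, not the slides' and not a library's). It wraps the Montgomery ladder as X25519 in the RFC 7748 style (little-endian scalar and coordinate, scalar clamping, a 255-step ladder), runs the Alice/Bob shared-secret exchange from the earlier slides, and then checks the "prime order" criterion for Curve25519's standard base point x = 9: ℓ·P = ∞ with ℓ = 2^252 + 27742317777372353535851937790883648493 prime. The ladder is kept in projective (X:Z) form so that ∞ shows up as Z = 0; the small Miller-Rabin routine, the function names and the random key generation are this example's own.

```python
# Added example: X25519 on top of the Montgomery ladder, plus the
# "prime-order base point" check. Constants are Curve25519's (RFC 7748).
import os

p = 2**255 - 19
A = 486662
BASE_U = 9
ELL = 2**252 + 27742317777372353535851937790883648493   # order of the base point

def cswap(a, b, bit):
    mask = -bit                       # branch-free swap, bit in {0,1}
    t = mask & (a ^ b)
    return a ^ t, b ^ t

def ladder(n, x1, nbits=255):
    # returns (X, Z) with X/Z = x(n*P) for P = (x1, .); Z == 0 means n*P = infinity
    x2, z2, x3, z3 = 1, 0, x1, 1
    for i in reversed(range(nbits)):
        bit = 1 & (n >> i)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
        x3, z3 = ((x2*x3 - z2*z3)**2 % p, x1*(x2*z3 - z2*x3)**2 % p)
        x2, z2 = ((x2**2 - z2**2)**2 % p, 4*x2*z2*(x2**2 + A*x2*z2 + z2**2) % p)
        x2, x3 = cswap(x2, x3, bit)
        z2, z3 = cswap(z2, z3, bit)
    return x2, z2

def x25519(scalar32, u32):
    # RFC 7748: clamp the 32-byte scalar, mask the top bit of u, x-only ladder
    k = bytearray(scalar32)
    k[0] &= 248; k[31] &= 127; k[31] |= 64
    n = int.from_bytes(k, "little")
    u = int.from_bytes(u32, "little") & ((1 << 255) - 1)
    X, Z = ladder(n, u)
    return (X * pow(Z, p - 2, p) % p).to_bytes(32, "little")

def keypair(secret=None):
    # 32 random bytes are the secret; the public key is secret * (9, .)
    secret = secret or os.urandom(32)
    return secret, x25519(secret, BASE_U.to_bytes(32, "little"))

def is_probable_prime(n):
    # Miller-Rabin with fixed small bases (enough to demonstrate the check)
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2; s += 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def base_point_has_prime_order():
    # "exactly ELL different multiples": ELL is prime and ELL*P = infinity (Z == 0)
    _, Z = ladder(ELL, BASE_U)
    return is_probable_prime(ELL) and Z == 0

def alice_bob_exchange():
    # each side multiplies the other's public key by its own secret; both get a*b*P
    a_sk, a_pk = keypair()
    b_sk, b_pk = keypair()
    return x25519(a_sk, b_pk), x25519(b_sk, a_pk)

if __name__ == "__main__":
    k_ab, k_ba = alice_bob_exchange()
    print("shared secrets agree:", k_ab == k_ba)
    print("base point has prime order:", base_point_has_prime_order())
```

The loop runs the same 255 iterations, with the same field operations, whatever the secret scalar is; only `cswap` depends on the key bits, and it does so with masks rather than branches. That is the property that makes the ladder the pleasant choice here.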
You do everything right.
You pick the Brainpool curve
brainpoolP256t1: huge prime p,
y^2 = x^3 − 3x + somehugenumber,
standard base point.
This curve isn’t compatible
with Edwards or Montgomery.
So you check and test every case
in the Weierstrass formulas.
You make it all constant-time.
It’s horrendously slow,
but it’s secure.
Actually, it’s not. You’re screwed.
The attacker sent you (x0, y0) with
x0 = 1025b35abab9150d86770f6bda12f8ec1e86bec6c6bac120535e4134fea87831
and
y0 = 12ace5eeae9a5b0bca8ed1c0f9540d05d123d55f68100099b65a99ac358e3a75.
You computed “shared secret” a(x0, y0)
using the Weierstrass formulas.
You encrypted data using AES-GCM
with a hash of a(x0, y0) as a key.
What you never noticed:
(x0, y0) isn’t his public key b(x, y);
it isn’t even a point on brainpoolP256t1;
it’s a point on y^2 = x^3 − 3x + 5
of order only 4999.
Your formulas worked for y^2 = x^3 − 3x + 5
because they work for any y^2 = x^3 − 3x + a6:
Addition on Weierstrass curves
y^2 = x^3 + a4·x + a6:
for x1 ≠ x2, (x1, y1) + (x2, y2) =
(x3, y3) with x3 = λ^2 − x1 − x2,
y3 = λ(x1 − x3) − y1,
λ = (y2 − y1)/(x2 − x1);
for y1 ≠ 0, (x1, y1) + (x1, y1) =
(x3, y3) with x3 = λ^2 − x1 − x2,
y3 = λ(x1 − x3) − y1,
λ = (3x1^2 + a4)/(2y1);
(x1, y1) + (x1, −y1) = ∞;
(x1, y1) + ∞ = (x1, y1);
∞ + (x2, y2) = (x2, y2);
∞ + ∞ = ∞.
Messy to implement and test.
No a6 here!
Why this matters: (x0, y0) has order 4999.
a(x0, y0) is determined by a mod 4999.
The attacker tries all 4999 possibilities,
compares to the AES-GCM output,
learns your secret a mod 4999.
Attacker then tries again with
x0 = 9bc001a0d2d5c43863aadb0f881df3bbaf3a5ea81eedd2385e6525521aa8b1e2
and
y0 = 0d124e9e94dcede52aa0e3bcac1852cfed28eb86039c0d8e0cfaa4ae703eac07,
a point of order 19559
on y^2 = x^3 − 3x + 211;
learns your secret a mod 19559.
Etc. Uses “Chinese remainder theorem”
to combine this information.
Traditional response to this security failure:
Blame the implementor.
“You should have checked that
the incoming (x0, y0) was on the right curve
and had the right order.”
(And maybe paid patent fees to Certicom.)
But it’s much better to
design the system without traps.
Never send uncompressed (x, y).
Design protocols to compress
one coordinate down to 1 bit, or 0 bits!
Drastically limits possibilities
for attacker to choose points.
Always multiply DH scalar by cofactor.
If the curve has c · ℓ points
and the base point P has order ℓ
then c is called the cofactor
and c · ℓ is called the curve order.
Design DH protocols to multiply by c.
Always choose twist-secure curves.
Montgomery formulas use only A,
but modifying B gives only two different
curve orders. Require both of these orders
to be large primes times small cofactors.
DH protocols with all of these protections
are robust against
every common DH implementation error.
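The slide formulas, the on-curve-and-right-order check that the “traditional response” demands, cofactor clearing and x-only decompression, all on one toy curve, as an added example that is not the slides’ own code. It assumes the textbook curve y^2 = x^3 + x + 1 over F_23 (28 points: cofactor 4 times prime order 7, base point (13, 16)) and a constructed off-curve point (2, 0) of order 2 on y^2 = x^3 + x + 13; the values are far too small for real use and the scalar multiplication is not constant-time.

```python
# Added toy demonstration (not the slides' code) of the invalid-curve trap and
# of the protections the slides recommend.  Curve: y^2 = x^3 + x + 1 over F_23,
# a textbook curve with 28 points = cofactor 4 * prime order 7.  All values
# here are constructed for illustration and far too small for real use.

P_MOD = 23         # the field prime p
A4 = 1             # coefficient a4 (shared by the real curve and the fake one)
A6 = 1             # the real curve's a6
A6_FAKE = 13       # a different a6: on y^2 = x^3 + x + 13 the point (2, 0) has order 2
ELL = 7            # prime order of the base point
COFACTOR = 4       # 28 = 4 * 7
G = (13, 16)       # base point of order 7; it is 4 * (0, 1), and (0, 1) has order 28
INF = None         # the point at infinity


def inv(z):
    """Modular inverse by Fermat's little theorem (P_MOD is prime)."""
    return pow(z % P_MOD, P_MOD - 2, P_MOD)


def add(P, Q):
    """Weierstrass addition exactly as on the slides.  a6 never appears, so
    these formulas add points of *any* curve y^2 = x^3 + A4*x + a6."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:          # (x1, y1) + (x1, -y1) = inf; covers y1 = 0
            return INF
        lam = (3 * x1 * x1 + A4) * inv(2 * y1) % P_MOD      # doubling
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD              # generic addition
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mult(k, P):
    """Plain double-and-add; not constant-time, fine for this toy."""
    R = INF
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, P)
    return R


def is_on_curve(P, a6=A6):
    """Does P satisfy y^2 = x^3 + A4*x + a6 (the real curve by default)?"""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + A4 * x + a6)) % P_MOD == 0


def point_order(P):
    """Smallest k >= 1 with k*P = inf, by brute force (at most 28 points)."""
    k, R = 1, P
    while R is not INF:
        R = add(R, P)
        k += 1
    return k


def validate_peer_point(P):
    """The check the 'traditional response' demands: the incoming point must
    lie on the right curve and have exactly the base point's order ELL."""
    return P is not INF and is_on_curve(P) and scalar_mult(ELL, P) is INF


def clear_cofactor(P):
    """Multiply by the cofactor: any small-order component of P vanishes."""
    return scalar_mult(COFACTOR, P)


def decompress(x, sign_bit):
    """x-only transmission: recover y from x and one sign bit, or None when
    x^3 + A4*x + A6 is a non-square (such x values live on the twist, which
    is why the slides ask for twist-secure curves).  Uses p = 3 mod 4."""
    rhs = (x ** 3 + A4 * x + A6) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    if (y * y) % P_MOD != rhs:
        return None
    return y if (y & 1) == sign_bit else (P_MOD - y) % P_MOD


if __name__ == "__main__":
    fake = (2, 0)   # constructed attacker-style point: off the real curve, order 2
    print("fake on real curve:", is_on_curve(fake), " on fake curve:", is_on_curve(fake, A6_FAKE))
    print("a*fake for a = 1..6:", [scalar_mult(a, fake) for a in range(1, 7)])  # depends only on a mod 2
    print("validate fake:", validate_peer_point(fake), " validate G:", validate_peer_point(G))
    print("order of (0, 1):", point_order((0, 1)), " after cofactor:", point_order(clear_cofactor((0, 1))))
    print("decompress x=2:", decompress(2, 0), " x=13:", decompress(13, 0), decompress(13, 1))
```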
![Page 182: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/182.jpg)
Why this matters: (x0; y0) has order 4999.
a(x0; y0) is determined by a mod 4999.
The attacker tries all 4999 possibilities,
compares to the AES-GCM output,
learns your secret a mod 4999.
Attacker then tries again with
x0 = 9bc001a0d2d5c43863aadb0f881df3bbaf3a5ea81eedd2385e6525521aa8b1e2
and
y0 = 0d124e9e94dcede52aa0e3bcac1852cfed28eb86039c0d8e0cfaa4ae703eac07
,
a point of order 19559
on y2 = x3 � 3x + 211;
learns your secret a mod 19559.
Etc. Uses “Chinese remainder theorem”
to combine this information.
Traditional response to this security failure:
Blame the implementor.
“You should have checked that
the incoming (x0; y0) was on the right curve
and had the right order.”
(And maybe paid patent fees to Certicom.)
But it’s much better to
design the system without traps.
Never send uncompressed (x; y).
Design protocols to compress
one coordinate down to 1 bit, or 0 bits!
Drastically limits possibilities
for attacker to choose points.
Always multiply DH scalar by cofactor.
If the curve has c � ` points
and the base point P has order `
then c is called the cofactor
and c � ` is called the curve order.
Design DH protocols to multiply by c.
Always choose twist-secure curves.
Montgomery formulas use only A,
but modifying B gives only two different
curve orders. Require both of these orders
to be large primes times small cofactors.
DH protocols with all of these protections
are robust against
every common DH implementation error.
![Page 183: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/183.jpg)
Why this matters: (x0, y0) has order 4999.
a(x0, y0) is determined by a mod 4999.
The attacker tries all 4999 possibilities,
compares to the AES-GCM output,
learns your secret a mod 4999.
Attacker then tries again with
x0 = 9bc001a0d2d5c43863aadb0f881df3bbaf3a5ea81eedd2385e6525521aa8b1e2
and
y0 = 0d124e9e94dcede52aa0e3bcac1852cfed28eb86039c0d8e0cfaa4ae703eac07,
a point of order 19559
on y² = x³ − 3x + 211;
learns your secret a mod 19559.
Etc. Uses “Chinese remainder theorem”
to combine this information.
Traditional response to this security failure:
Blame the implementor.
“You should have checked that
the incoming (x0, y0) was on the right curve
and had the right order.”
(And maybe paid patent fees to Certicom.)
But it’s much better to
design the system without traps.
Never send uncompressed (x, y).
Design protocols to compress
one coordinate down to 1 bit, or 0 bits!
Drastically limits possibilities
for attacker to choose points.
Always multiply DH scalar by cofactor.
If the curve has c · ℓ points
and the base point P has order ℓ
then c is called the cofactor
and c · ℓ is called the curve order.
Design DH protocols to multiply by c.
Always choose twist-secure curves.
Montgomery formulas use only A,
but modifying B gives only two different
curve orders. Require both of these orders
to be large primes times small cofactors.
DH protocols with all of these protections
are robust against
every common DH implementation error.
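As an added example (not code from the slides), the checks and design choices above on a toy curve over F_103: validating an uncompressed (x, y) for curve membership and order ℓ, decompressing x plus one sign bit so the receiver computes y itself, and cofactor Diffie-Hellman in which a small-order point T contributes nothing. The curve, base point, toy secrets and the off-curve point are all constructed by the code for illustration.

```python
"""Added example, not code from the ECCHacks slides: on a tiny short-Weierstrass
curve y^2 = x^3 + a*x + b (mod p) it shows the protections the slides argue for
when a peer's DH point arrives: validating an uncompressed (x, y), accepting x
plus one sign bit so the receiver computes y itself, and multiplying the scalar
by the cofactor c so that any small-subgroup component is annihilated (p = 103)."""

INF = None  # point at infinity, the group identity

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def ec_add(P, Q, a, p):
    """Affine addition; b never appears, so off-curve points 'work' unchecked."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add k*P (not constant-time: toy code)."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def on_curve(Q, a, b, p):
    return (Q[1] ** 2 - (Q[0] ** 3 + a * Q[0] + b)) % p == 0

def group_order(a, b, p):
    """#E(F_p): for each x count the y with y^2 = rhs(x), plus INF."""
    sq = {}
    for y in range(p):
        sq[y * y % p] = sq.get(y * y % p, 0) + 1
    return 1 + sum(sq.get((x ** 3 + a * x + b) % p, 0) for x in range(p))

def find_toy_curve(p, cofactors=(2, 4, 8)):
    """First non-singular (a, b) with #E = c*ell, ell prime; also returns a base
    point P of order ell and a point T of small order dividing c."""
    for a in range(p):
        for b in range(1, p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue  # singular, not an elliptic curve
            n = group_order(a, b, p)
            ok = [c for c in cofactors if n % c == 0 and is_prime(n // c)]
            if not ok:
                continue
            c, ell = ok[0], n // ok[0]
            pts = [(x, y) for x in range(p) for y in range(p)
                   if on_curve((x, y), a, b, p)]
            P = next(ec_mul(c, Q, a, p) for Q in pts if ec_mul(c, Q, a, p))
            T = next(ec_mul(ell, Q, a, p) for Q in pts if ec_mul(ell, Q, a, p))
            return a, b, c, ell, P, T
    raise RuntimeError("no suitable toy curve")

def validate_uncompressed(Q, a, b, p, ell):
    """The check implementors get blamed for skipping: in range, on curve, order ell."""
    if Q is INF or not all(0 <= v < p for v in Q) or not on_curve(Q, a, b, p):
        return False
    return ec_mul(ell, Q, a, p) is INF

def decompress(x, sign, a, b, p):
    """Rebuild y from x and one bit (p = 3 mod 4, so sqrt is rhs^((p+1)/4)).
    None when x is not on the curve: no attacker-chosen off-curve (x, y) exists."""
    rhs = (x ** 3 + a * x + b) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        return None
    return (x, y if y & 1 == sign else (p - y) % p)

def cofactor_dh(secret, Q, a, p, c):
    """(c*secret)*Q: any component of Q with order dividing c maps to INF."""
    return ec_mul(c * secret, Q, a, p)

def demo(p=103):
    a, b, c, ell, P, T = find_toy_curve(p)
    alice, bob = 3, 5  # constructed toy secrets, nonzero mod ell (ell >= 11)
    A, B = ec_mul(alice, P, a, p), ec_mul(bob, P, a, p)
    # A's x with a y that puts the point on a different curve (another b).
    bad = next((A[0], y) for y in range(p) if not on_curve((A[0], y), a, b, p))
    return {
        "off_curve_rejected": not validate_uncompressed(bad, a, b, p, ell),
        "small_order_rejected": not validate_uncompressed(T, a, b, p, ell),
        "base_point_accepted": validate_uncompressed(P, a, b, p, ell),
        "compressed_roundtrip": decompress(B[0], B[1] & 1, a, b, p) == B,
        "dh_agrees": cofactor_dh(alice, B, a, p, c) == cofactor_dh(bob, A, a, p, c),
        "small_order_cleared": all(cofactor_dh(s, T, a, p, c) is INF
                                   for s in range(1, 2 * c * ell)),
    }
```

Twist security is not modelled here: with a compressed x, an x that is not on the curve is rejected by `decompress`, whereas an x-only Montgomery ladder would silently compute on the twist, which is why the slides also require the twist order to be a large prime times a small cofactor.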
ECC standards: the next generation
Fix the standard curves and protocols
so that simple implementations
are secure implementations.
Bonus: next-generation curves such as
Curve25519 are faster than the standards!
2010.03 Adam Langley, TLS mailing list:
“Curve25519 doesn’t currently
appear on IANA’s list ... and we
[Google] would like to see it included.”
2013.05 Bernstein–Krasnova–Lange
specify a procedure to generate a
next-generation curve at any security level.
2013.09 Patrick Pelletier: “Given the doubt
that’s recently been cast on the NIST
curves, is it time to revive the idea of
adding curve25519 as a named curve?”
2013.09 Douglas Stebila: Reasons to
support Curve25519 are “efficiency
and resistance to side-channel attacks”
rather than concerns about backdoors.
2013.09 Nick Mathewson: “In the
FOSS cryptography world nowadays, I see
many more new users of curve25519 than
of the NIST curves, because of efficiency
and ease-of-implementation issues.”
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-Draft.
Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
![Page 210: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/210.jpg)
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-
Draft. Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership.
![Page 211: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/211.jpg)
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-
Draft. Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
![Page 212: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/212.jpg)
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-
Draft. Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
![Page 213: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/213.jpg)
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-
Draft. Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
![Page 214: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/214.jpg)
2013.09 Nico Williams:
“Agreed, we need curve25519 cipher suites
because of its technical advantages,
not due to any FUD about the other
ECDH curves that we have.”
2013.09 Simon Josefsson writes an Internet-
Draft. Active discussion on TLS mailing list.
2013.09 We announce next-generation
Curve41417, computed for Silent Circle.
2013.10 Aranha–Barreto–Pereira–Ricardini
announce next-generation curves
computed at various security levels.
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
![Page 215: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/215.jpg)
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
![Page 216: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/216.jpg)
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
2014.12 CFRG discussion is continuing.
![Page 217: ECCHacks: Cryptography a gentle introduction …...2014/12/27 · a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische](https://reader035.vdocuments.net/reader035/viewer/2022070723/5f0200f87e708231d40219db/html5/thumbnails/217.jpg)
2013.10 We announce SafeCurves site.
2013.11 Aranha–Barreto–Pereira–Ricardini
announce next-generation E-521.
2014.01 Discussion spreads to IRTF CFRG.
2014.01 Mike Hamburg announces
next-generation Ed448-Goldilocks.
2014.02 Microsoft announces 26 “chosen
curves”, including 13 next-generation curves.
2014.06 CFRG announces change of
leadership. Previous co-chair from NSA
“will work with the two new chairs
until he retires next year”.
[: : :more than 1000 email messages : : : ]
2014.12 CFRG discussion is continuing.
Sage scripts to verify criteria for
ECDLP security and ECC security:
safecurves.cr.yp.to
Analysis of manipulability of various
curve-generation methods:
safecurves.cr.yp.to/bada55.html
Many computer-verified addition formulas:
hyperelliptic.org/EFD/
Python scripts for this talk:
ecchacks.cr.yp.to