Comp 163 Week 14 notes

Week of April 25

Final Formulas

Elliptic curve cryptography

Graph of y2 = x3 + Ax + B (the (short) Weierstrass form)

What does this have to do with an ellipse? Elliptic curves come up when trying to find the arc length of an ellipse.

Early goal for elliptic curves: find all the rational (or integral) solutions.

Rational solutions for x3 + y3 = 1 would correspond to solutions of u3 + v3 = w3, which do not exist by the Fermat-Wiles theorem.

Elliptic product a⊕b: the graphical construction over R (the "chord and tangent" algorithm); see

Adding a point at infinity


Formula for elliptic product: Boneh & Shoup p 614 (of version 0.5): "The Addition Law" (, chapter 14 "Elliptic curve cryptography")

If you are looking for rational solutions of an elliptic curve, the chord-and-tangent product is a way of generating lots of them.

Note that if you have two roots r1 and r2 of a cubic ax3 + bx2 + cx +d, then the product of all the roots is d/a, and so r3 = d/ar1r2.

Finite fields:

An elliptic curve is a cubic equation, and the product idea comes down to the fact that with two roots of a cubic, you can find a third. This gives a binary operation only for cubics, though some of the ideas do generalize to other degrees.

Find the finite-field generator g (or base b)

Taking multiples of g: k*g = g⊕g⊕...⊕g, k times. Repeated-squaring algorithm for very large k, working in O(log k) time

Size of E(Fp) solution set: roughly p. Here's a justification, though not a proof: for each x, half the time there are no solutions for y and half the time there are two (+y, -y). On average there is one, so total number of solutions is ~p.

Group Structure of E(Fp): if you are looking at the group Zp+ of integers modulo p under multiplication, this is always cyclic: that is, there is a generator. This is often not true for E(Fp); a common structure is a generator that generates only 1/8 of all the elements.

Montgomery form: y2 = x3 + Ax2 + x. You can convert to the Weierstrass form with a change of variable x -> (x-c).

Diffie-Hellman-Merkle for basic elliptic curve

For classic Diffie-Hellman-Merkle, Alice chooses an integer a<p, and Bob chooses b<p. Alice and Bob publish ga and gb respectively, where g is the chosen generator. If Alice wants to create a key to use for encrypting a message to Bob, she calculates (gb)a = gab. Similarly, Bob can calculate (ga)b = gab to decrypt. Nobody else can; you have to know either a or b.

For elliptic curves, Alice again chooses an integer a<p, and Bob chooses b<p. Alice and Bob publish a*g and b*g, respectively, where again g is a generator (possibly not of the entire group; see below). Again, knowing g and knowing a*g does not give you a reasonable method for finding a. The rest of the mechanism works exactly as with the classic case.

Edwards form: x2 + y2 = 1 + Dx2y2. The elliptic product here does not involve cases! There is a rational conversion from Edwards to Montgomery, something like (x,y) -> ((1+y)/(1-y), (1+y)/(x-xy)). Once you work it out, it's very fast in software, and the elliptic product simplification is a big deal.


The prime here is p = 2255 - 19, which is easy to find in python. The curve is y2 = x3 + 486662x2 + x. (Where does 486662 come from?)

This same curve, in Edwards form, is x2 + y2 = 1 + (121665/121666)x2y2. (Remember that fraction is evaluated mod p.)

Size of E(Fp) = 8q, where q is prime; q = 2**252 + 27742317777372353535851937790883648493 (I have no idea how to show this). There is a generator for a cycle of q elements.

Basic Encryption

Use Diffie-Hellman-Merkle to choose a common secret, and then use a hash of that secret as a conventional encryption key.

Base point for Curve25519: (9, 14781619447589544791020593568409986887264606134616475288964881837755586237401). This has order q, above, in the group.

How did I get this? RFC8032 page 21, though somewhat indirectly.

If we plug x=9 into the Curve25519 formula, we get x3 + 486662x2 + x = X = 39420360. But how do we solve y2 = X mod p?

Fact: if p is prime, then there is a generator g of Zp+, the non-zero elements under multiplication. That is, for every nonzero a, a=gk for some k.

Solving for y: First try Y1 = X(p+3)/8. If we square this, we get X(p+3)/4. = X * X(p-1)/4. So Y1 would work, if Z = X(p-1)/4 = 1. And we know by Fermat's theorem that, if a solution to y2 = X mod p exists, then X(p-1)/2 = y(p-1) = 1 mod p, so Z= X(p-1)/4 satisfies Z2 = 1, so X(p-1)/4 = +1 or -1 (because we can factor Z2 = 1 as (Z+1)(Z-1)=0)

But what if Z = -1? For this case we have a trick. Let sm1 = 2(p-1)/4 mod p. We know sm14 = 2(p-1) = 1. Could we have sm12 = 1? It is not obvious, but this would imply 2 was a square mod p

Proof: suppose sm12 = 1 and yet 2 is not a square mod p. Let g be a generator. Then g2k+1 = 2 for some odd number 2k+1. Then 1 = sm12 = 2(p-1)/2 = g(2k+1)(p-1)/2  = gk(p-1)*g(p-1)/2 = g(p-1)/2. But this cannot happen for a generator; the smallest positive exponent e for which ge = 1 is p-1.

But 2 is not a square mod p. (This is also not obvious. There is a theorem that says 2 is a square mod p if and only if p = ±1 mod 8, and our 25519 p is 5 mod 8.)

So sm12 = -1 (and the name stands for square root of minus 1). This means that if X(p-1)/4 = -1, we try Y2 = Y1*sm1. Then Y22 = Y12*(-1) = X*(-1)(-1) = X.

We should end up with y = 14781619447589544791020593568409986887264606134616475288964881837755586237401

(This is a general way of finding "square roots" mod p, but we have used 2 here to derive a specific "square root of -1" and for arbitrary primes p, 2 does not necessarily work. Also, for arbitrary primes, (p-3)/8 might not be an integer.)

Why did Bernstein use the Montgomery form? For fast calculation, and to avoid the need to store y. Why did he choose 486662? See the last paragraph of his paper. Why did he use x=9 for the generator? I have no idea

CRC codes

Adding a parity bit is useful for detecting 1-bit errors. Is there a generalization to 2 bits? Not exactly, in that we cannot add two additional bits that will detect all 2-bit errors. But there are CRC codes.