Some Specific Contents of Elliptic Curve Cryptography

(1) Elements at infinity (point at infinity, line at infinity)

Any two distinct straight lines in a plane are either intersecting or parallel. Introducing points at infinity unifies these two cases.

AB ⊥ L1, L2 ∥ L1; the straight line AP rotates counterclockwise about point A starting from AB, and P is the intersection of AP and L1.

As Q = ∠BAP → π/2, AP → L2.

Imagine a point P∞ on L1 that is the intersection of L2 and L1; it is called the point at infinity.

The straight line L1 can have only one point at infinity.

(Because only one straight line L2 through point A is parallel to L1, and two straight lines can have only one intersection point.)

Conclusion:

1*. A family of parallel straight lines in the plane shares a common point at infinity.

(To distinguish them from points at infinity, the points of the original plane are called ordinary points.)

2*. Any two intersecting straight lines L1 and L2 in the plane have different points at infinity.

Reason: If not, L1 and L2 would share a point at infinity P∞, so two distinct straight lines would pass through the two distinct points A and P∞, which contradicts the axiom.

3*. All points at infinity together form the line at infinity.

Note: Adding the points at infinity and the line at infinity to the Euclidean plane naturally yields the projective plane.

(2) Homogeneous coordinates

Analytic geometry introduces a coordinate system so that Euclidean space can be studied by algebraic methods. This coordinate method can also be extended to establish a coordinate system on the projective plane.

L1: a1x + b1y + c1 = 0

L2: a2x + b2y + c2 = 0

where a1 and b1 are not both 0, and a2 and b2 are not both 0.

Let

D  = | a1 b1 |    Dx = | b1 c1 |    Dy = | c1 a1 |
     | a2 b2 |         | b2 c2 |         | c2 a2 |

If D ≠ 0, the two straight lines L1 and L2 intersect at an ordinary point P(x, y) with coordinates x = Dx/D and y = Dy/D.

This solution can be written as: x/Dx = y/Dy = 1/D.

(Convention: when a denominator Dx or Dy is 0, the corresponding numerator must also be 0.)

This representation can be abstracted as (Dx, Dy, D).

If D = 0, then L1 ∥ L2, and L1 and L2 intersect at the point at infinity P∞.

This point P∞ can be represented by the straight line L through the origin O parallel to L2.

The equation of this straight line L is: a2x + b2y = 0.

To unify the coordinates of ordinary points and points at infinity, a point's coordinates are written (X, Y, Z), where X, Y and Z are not all zero. For an ordinary point (x, y), Z ≠ 0 and x = X/Z, y = Y/Z, so that

X / Dx = Y / Dy = Z / D.

This gives a better coordinate abstraction (X, Y, Z), and the relation also holds for a point at infinity, where Z = 0.

Note:

a) For a real number p ≠ 0, (pX, pY, pZ) and (X, Y, Z) represent the same point, so a point is really represented by the ratio (X:Y:Z); only two of the three components are independent. Coordinates with this property are called homogeneous coordinates.

b) Let L be a Euclidean straight line whose equation in the plane rectangular coordinate system Oxy is:

ax + by + c = 0

Any ordinary point (x, y) on L has homogeneous coordinates (X, Y, Z) with Z ≠ 0; substituting gives:

aX + bY + cZ = 0

The coordinates (X, Y, Z) of the point at infinity added to L must satisfy aX + bY = 0 and Z = 0. The equation of the line at infinity in the plane is therefore Z = 0.

(3) Elliptic curves over an arbitrary field

Let K be a field. The projective plane P^2(K) over K is the set of equivalence classes {(X:Y:Z)}. Consider the following Weierstrass equation (a homogeneous cubic equation):

Y^2 Z + a1 XYZ + a3 Y Z^2 = X^3 + a2 X^2 Z + a4 X Z^2 + a6 Z^3

(where the coefficients ai ∈ K, or ai ∈ K̄, where K̄ is the algebraic closure of K)

The Weierstrass equation is called smooth or nonsingular if, for every projective point P = (X:Y:Z) ∈ P^2(K) satisfying

F(X, Y, Z) = Y^2 Z + a1 XYZ + a3 Y Z^2 − X^3 − a2 X^2 Z − a4 X Z^2 − a6 Z^3 = 0

at least one of the three partial derivatives of F at the point P is nonzero. Otherwise the equation is called singular.

Definition of the elliptic curve E:

An elliptic curve E is the set of all solutions in P^2(K) of a smooth Weierstrass equation

Y^2 Z + a1 XYZ + a3 Y Z^2 = X^3 + a2 X^2 Z + a4 X Z^2 + a6 Z^3

Note:

A) The elliptic curve E contains exactly one point at infinity, namely (0:1:0), denoted θ.

B) The Weierstrass equation of an elliptic curve can be written in non-homogeneous coordinates:

Let x = X/Z and y = Y/Z; the original equation then becomes:

y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6    (1)

The elliptic curve E is then the set of all ordinary-point solutions of equation (1) in the projective plane P^2(K), together with the point at infinity θ.

C) If a1, a2, a3, a4, a6 ∈ K, the elliptic curve E is said to be defined over K, written E/K. If E is defined over K, the set of K-rational points is written E(K): it is the set of all points of E with coordinates in K, together with the point at infinity θ.

(4) Elliptic curves over the real field R

Let K = R. The elliptic curve can then be represented as the ordinary points of a curve in the plane, plus the point at infinity θ.

Addition of elliptic curve points over the real field R:

Let L be a straight line in P^2(R). Because the equation of E is cubic, L and E have exactly three intersection points in P^2(R), denoted P, Q and R.

(Note: if L is tangent to E, then P, Q and R are not necessarily distinct.) The operation ⊙ on E is defined as follows:

Let P, Q ∈ E and let L be the straight line through P and Q (if P = Q, L is the tangent at P); let R be the third intersection of L and E.

Then take the straight line L' through R and the point at infinity. The third intersection of L' and E is defined to be P ⊙ Q.

The figure on the previous page is in fact a sketch of the elliptic curve y^2 = x^3 − x. The operation can be described more concretely for this specific curve:

Let P = (x1, y1), Q = (x2, y2), P ⊙ Q = (x3, y3).

Starting from the definition of P ⊙ Q, let y = αx + β be the equation of the straight line L through P and Q. We can calculate:

α = (y2 − y1)/(x2 − x1), β = y1 − αx1

Clearly, a point (x, αx + β) on the straight line L lies on the elliptic curve E if and only if (αx + β)^2 = x^3 − x.

P ⊙ Q = (x1, y1) ⊙ (x2, y2) = (x3, y3) = (x3, −(αx3 + β))

where x3 = α^2 − x1 − x2 = ((y2 − y1)/(x2 − x1))^2 − x1 − x2;

y3 = −y1 + ((y2 − y1)/(x2 − x1))(x1 − x3)

When P = Q, P ⊙ Q = (x3, y3) is computed as:

x3 = ((3x1^2 − 1)/(2y1))^2 − 2x1; y3 = −y1 + ((3x1^2 − 1)/(2y1))(x1 − x3)

Note:

A) If the straight line L meets E in three points P, Q, R (not necessarily distinct), then (P ⊙ Q) ⊙ R = θ (as can be seen from the figure).

B) For P ∈ E, P ⊙ θ = P (taking Q = θ, it is easy to see that L = L').

C) For P, Q ∈ E: P ⊙ Q = Q ⊙ P.

D) For P ∈ E there is a point −P ∈ E such that P ⊙ (−P) = θ.

E) For P, Q, R ∈ E: (P ⊙ Q) ⊙ R = P ⊙ (Q ⊙ R).

In summary, E forms an Abelian group under the operation ⊙.

F) The above rules can be extended to any field, and in particular to finite fields. Suppose the elliptic curve is defined over the finite field Fq (q = p^m); then

E(Fq) = {(x, y) ∈ Fq × Fq | y^2 + a1xy + a3y = x^3 + a2x^2 + a4x + a6} ∪ {θ}

forms an Abelian group under the operation ⊙. Let Fq denote the finite field with q elements, and let E(Fq) denote an elliptic curve E defined over Fq.

Theorem 1 (Hasse's theorem). If the number of points of E(Fq) is #E(Fq), then

|#E(Fq) − q − 1| ≤ 2q^(1/2)

(1) Elliptic curves over Fp (prime field, p a prime)

Let p > 3 and a, b ∈ Fp with 4a^3 + 27b^2 ≠ 0. The elliptic curve over Fp defined by the parameters a and b has the equation:

y^2 = x^3 + ax + b    (2)

All its solutions (x, y) with x ∈ Fp, y ∈ Fp, together with the point at infinity θ, make up the set E(Fp). By Hasse's theorem:

p + 1 − 2p^(1/2) ≤ #E(Fp) ≤ p + 1 + 2p^(1/2).

Under the following addition rules, the set E(Fp) forms an Abelian group:

(i) θ ⊙ θ = θ (identity element)

(ii) (x, y) ⊙ θ = (x, y) for (x, y) ∈ E(Fp)

(iii) (x, y) ⊙ (x, −y) = θ for (x, y) ∈ E(Fp); that is, the inverse of the point (x, y) is (x, −y).

(iv) Let (x1, y1) and (x2, y2) be distinct elements of E(Fp) that are not inverses of each other; then

(x1, y1) ⊙ (x2, y2) = (x3, y3), where

x3 = α^2 − x1 − x2, y3 = α(x1 − x3) − y1

and α = (y2 − y1)/(x2 − x1)    (3)

(v) (Point doubling rule)

Let (x1, y1) ∈ E(Fp) with y1 ≠ 0; then 2(x1, y1) = (x3, y3), where

x3 = α^2 − 2x1, y3 = α(x1 − x3) − y1

with α = (3x1^2 + a)/(2y1)    (4)

Note: If #E(Fp) = p + 1, the curve E(Fp) is called supersingular; otherwise it is called non-supersingular.

Example: an elliptic curve over F23

Let y^2 = x^3 + x + 1 be an equation over F23 (a = b = 1). The solutions of this elliptic curve equation over F23 (the points on y^2 = x^3 + x + 1) are:

(0,1), (0,22), (1,7), (1,16), (3,10), (3,13), (4,0), (5,4), (5,19), (6,4),
(6,19), (7,11), (7,12), (9,7), (9,16), (11,3), (11,20), (12,4), (12,19), (13,7),
(13,16), (17,3), (17,20), (18,3), (18,20), (19,5), (19,18); θ.

The group E(F23) has 28 points (including the point at infinity θ).

Elliptic curves over F_{2^m}

A nonsingular elliptic curve E(F_{2^m}) over F_{2^m}, defined by parameters a, b ∈ F_{2^m} with b ≠ 0, is the set of solutions (x, y), with x, y ∈ F_{2^m}, of the equation

y^2 + xy = x^3 + ax^2 + b    (5)

together with θ.

The addition rules of E(F_{2^m}) are as follows:

(i) θ ⊙ θ = θ

(ii) For (x, y) ∈ E(F_{2^m}), (x, y) ⊙ θ = (x, y).

(iii) For (x, y) ∈ E(F_{2^m}), (x, y) ⊙ (x, x + y) = θ; that is, the inverse of the point (x, y) is (x, x + y).

(iv) Rule for adding two distinct points that are not inverses of each other:

Let (x1, y1), (x2, y2) ∈ E(F_{2^m}) with x1 ≠ x2. Then

(x1, y1) ⊙ (x2, y2) = (x3, y3), where

x3 = α^2 + α + x1 + x2 + a;

y3 = α(x1 + x3) + x3 + y1,

where α = (y2 + y1)/(x2 + x1).

(v) Point doubling rule

Let (x1, y1) ∈ E(F_{2^m}) with x1 ≠ 0. Then

2(x1, y1) = (x3, y3), where

x3 = α^2 + α + a, y3 = x1^2 + (α + 1)x3, with α = x1 + y1/x1.

It is easy to see that E(F_{2^m}) is an Abelian group.

Example: an elliptic curve over F_{2^4}

f(x) = x^4 + x + 1 is an irreducible polynomial over F_2, and it is easy to see that

F_{2^4} = F_2[x] / (f(x)) = {(k0, k1, k2, k3) | (k0, k1, k2, k3) = k0 + k1α + k2α^2 + k3α^3, α is a zero of f(x), ki ∈ F_2}

Assume that the nonsingular elliptic curve over F_{2^4} is defined by the equation:

y^2 + xy = x^3 + α^4 x^2 + 1. Note that f(α) = 0.

The equation is then expressed as:

(1000)y^2 + (1000)xy = (1000)x^3 + (1100)x^2 + (1000)
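The addition rules (i) to (v) and the F_{2^4} example above, worked through in Python as an added example (not code from the original page). Packing a field element into an integer with bit i = ki, and the names gmul, ginv, on_curve, points and add, are choices made for this illustration.

```python
# F_{2^4} = F_2[x]/(x^4 + x + 1). The element k0 + k1·α + k2·α^2 + k3·α^3 is stored as the
# integer with bit i = ki, so the page's tuple (1100) = 1 + α is the integer 0b0011.
M, POLY = 4, 0b10011
A, B = 0b0011, 0b0001                    # a = α^4 = α + 1, b = 1 (the page's curve)

def gmul(u, v):
    """Multiply in F_{2^4}: carry-less product reduced modulo f(x)."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        u, v = u << 1, v >> 1
        if u >> M:                       # degree reached 4: subtract (xor) f(x)
            u ^= POLY
    return r

def ginv(u):
    """Inverse of u != 0, computed as u^(2^m - 2)."""
    r = 1
    for _ in range(2**M - 2):
        r = gmul(r, u)
    return r

def on_curve(x, y):
    x2 = gmul(x, x)
    return gmul(y, y) ^ gmul(x, y) == gmul(x2, x) ^ gmul(A, x2) ^ B

def points():
    """All of E(F_{2^4}); None stands for θ."""
    return [(x, y) for x in range(2**M) for y in range(2**M) if on_curve(x, y)] + [None]

def add(P1, P2):
    if P1 is None or P2 is None:         # (i), (ii): θ is the identity
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and y2 == x1 ^ y1:       # (iii): inverses; also doubling when x1 = 0
        return None
    if P1 == P2:                         # (v): doubling, x1 != 0 here
        al = x1 ^ gmul(y1, ginv(x1))
        x3 = gmul(al, al) ^ al ^ A
        return x3, gmul(x1, x1) ^ gmul(al ^ 1, x3)
    al = gmul(y2 ^ y1, ginv(x2 ^ x1))    # (iv): distinct points, x1 != x2
    x3 = gmul(al, al) ^ al ^ x1 ^ x2 ^ A
    return x3, gmul(al, x1 ^ x3) ^ x3 ^ y1
```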

Its basis is the difficulty of the discrete logarithm problem defined on the group of points of an elliptic curve.

(1) We know that E(Fq) forms an Abelian group under the point operation ⊙.

Let P ∈ E(Fq), and let t be the smallest positive integer such that

P ⊙ P ⊙ ... ⊙ P = θ (t copies of P added together)

holds. We want the period of P to be large, that is, we want t to be very large.

(t is the period of P, written ∏(P) = t.)

For Q ∈ E(Fq), there is a positive integer m such that

Q = m·P = P ⊙ ... ⊙ P (m copies of P added together)

Define

m = log_P Q (m is the logarithm of Q to the base P).

The discrete logarithm problem on the group E(Fq) formed by the points of an elliptic curve is very hard. The base field Fq and the elliptic curve over Fq are specified concretely.

Choose a point of large period in E(Fq), say P = (xp, yp), whose period is a large prime n, written ∏(P) = n (prime).

Note: In this cryptosystem, the specific curve, the point P and n are all public information. The cryptosystem takes the form of the ElGamal system and is a complete analogue of it.

A) Key generation

Bob (the user) performs the following computation:

i) Randomly select an integer d in the interval [1, n−1].

ii) Compute the point Q := dP (d copies of P added together).

iii) Bob publishes his public key (E(Fq), P, n, Q).

iv) Bob's private key is the integer d.

Alice wants to send a message M to Bob. Alice performs:

i) Look up Bob's public key (E(Fq), P, n, Q).

ii) Represent M as a field element m ∈ Fq.

iii) Select a random number k in the interval [1, n−1].

iv) Using Bob's public key, compute the point (x1, y1) := kP (k copies of P added together).

v) Compute the point (x2, y2) := kQ; if x2 = 0, return to step iii).

vi) Compute c := m·x2.

vii) Send the encrypted data (x1, y1, c) to Bob.

B) Bob's decryption process

Bob receives Alice's ciphertext (x1, y1, c) and performs:

i) Using the private key d, compute the point (x2, y2) := d(x1, y1), then compute x2^(−1) in Fq.

Then recover the plaintext data by computing m := c·x2^(−1).
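An added Python example (not part of the original page) that implements the E(Fp) addition rules on the page's F23 curve and then runs the key generation, encryption and decryption steps described above. The function names and the toy base point of period n = 7 are assumptions made for illustration; the chord rule uses x3 = α^2 − x1 − x2.

```python
import secrets

# Page's example curve y^2 = x^3 + x + 1 over F23; None stands for the point at infinity θ.
p, a, b = 23, 1, 1

def add(P1, P2):                                   # addition rules (i)-(v) for E(Fp)
    if P1 is None or P2 is None:                   # (i), (ii): θ is the identity
        return P2 if P1 is None else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:            # (iii): inverses; also doubling with y1 = 0
        return None
    if P1 == P2:                                   # (v): tangent slope
        alpha = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                          # (iv): chord slope
        alpha = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (alpha * alpha - x1 - x2) % p
    return x3, (alpha * (x1 - x3) - y1) % p

def mul(k, P1):                                    # k copies of P1 added (not constant time)
    acc = None
    while k:
        if k & 1:
            acc = add(acc, P1)
        P1, k = add(P1, P1), k >> 1
    return acc

def points():                                      # all of E(Fp), θ included
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x**3 - a * x - b) % p == 0] + [None]

# Assumed toy base point (constructed): first point of prime period n = 7, i.e. 7·P = θ, P != θ.
N = 7
BASE = next(pt for pt in points() if pt and mul(N, pt) is None)

def keygen():
    d = secrets.randbelow(N - 1) + 1               # private key d in [1, n-1]
    return d, mul(d, BASE)                         # public point Q = dP

def encrypt(m, Q):
    while True:
        k = secrets.randbelow(N - 1) + 1           # fresh random k in [1, n-1]
        x2 = mul(k, Q)[0]
        if x2 != 0:                                # step v): retry when x2 = 0
            return mul(k, BASE), m * x2 % p        # ciphertext ((x1, y1), c)

def decrypt(d, C1, c):
    return c * pow(mul(d, C1)[0], -1, p) % p       # m = c · x2^(-1) in Fp
```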