Elliptic Curve Weak Class
Identification for the Security
of Cryptosystem
Intan Muchtadi,
Ahmad Muchlis and Fajar Yuliawan
Algebra Research Group,
Institut Teknologi Bandung (ITB),
Indonesia
Elliptic Curve
In 1985 both Koblitz and Miller independently
suggested the use of Elliptic Curves in the
development of a new type of public key cipher.
An Elliptic Curve is a simple equation of the form:
$y^2 = x^3 + ax + b$
a, b in F of characteristic $p \neq 2, 3$ and $4a^3 + 27b^2 \neq 0$
Elliptic curve
$y^2 = x^3 - x$
$y^2 = x^3 - \frac{1}{2}x + \frac{1}{2}$
$y^2 = x^3 - \frac{4}{3}x + \frac{16}{27}$
Elliptic curve over $F_{23}$
$y^2 = x^3 + x + 1$
[Figure: plot of the points of the curve over $F_{23}$]
Elliptic Curve Addition
[Figure: points P and Q on the curve and their sum P+Q]
Multiples in Elliptic Curves 1
The operation of interest in Elliptic Curve Addition is
adding a point to itself.
That is, given a point P, find the point P+P, or 2P.
This is done by drawing the line tangent to the curve at P and
reflecting the point at which it intersects the
curve.
P can be added to itself k times, resulting in a
point W = kP.
[Figure: the tangent line at P, giving P+P = 2P]
Multiples in Elliptic Curves 2
Finding the value of 3P:
[Figure: the points P, P+P = 2P and 3P]
Discrete Logarithm Problem
1. A and B agree on a finite group G
and some fixed element g.
2. A selects an integer x at random and
transmits $b = g^x$ to B.
3. B selects an integer y at random and
transmits $c = g^y$ to A.
4. A determines $k = c^x$, B determines $k = b^y$;
k is then used as the secret key.
Elliptic Curve Cryptography
Based on the discrete logarithm
problem applied to the Abelian group
$E(F_p)$ formed by the points of an
elliptic curve over a finite field
$E(F_p) = \{(x,y) \in (F_p)^2 : y^2 = x^3 + ax + b\} \cup \{O\}$
Elliptic Curve Cryptosystem
There are several ways in which the ECDLP
can be embedded in a cipher system.
One method begins by selecting an Elliptic Curve,
a point P on the curve and a secret number
d, which will be the private key.
The public key is P and Q, where Q = dP.
A message is encrypted by converting the
plaintext into a number m, selecting a random
number k, and finding a point M on the curve
where the difference of the x and the y coordinates equals m.
The ciphertext consists of two points on the curve:
$(C_1, C_2) = (kP, M + kQ)$
Decipher
The secret key d is used to decipher
the ciphertext.
Multiply the first point by d and subtract
the result from the second point:
$M = C_2 - dC_1 = M + kQ - dkP = M + kdP - dkP$
Elliptic Curve Security
The security of the Elliptic Curve
algorithm is based on the fact that it is
very difficult (as difficult as factoring)
to solve the Elliptic Curve Discrete
Logarithm Problem:
Given two points P and Q where Q = kP,
find the value of k
Imaginary Quadratic Orders
Maximal Orders and
Non-maximal Orders
If Δ is squarefree, then OΔ is the maximal order of
the quadratic number field Q(√Δ) and Δ is called a
fundamental discriminant.
The non-maximal order of conductor p>1 with (non-fundamental) discriminant $\Delta_p = \Delta p^2$ is denoted by
$O_{\Delta_p}$. Assume that the conductor p is prime.
Let IΔ = The group of invertible OΔ-ideals and
PΔ = The set of principal OΔ-ideals.
The class group of OΔ = Cl(Δ) = IΔ/PΔ is a finite
abelian group with neutral element OΔ
The class number of OΔ = h(Δ) = | Cl(Δ)|.
Imaginary Quadratic Orders
In 1988 Buchmann and Williams used the
class groups of imaginary quadratic
orders Cl for the construction of a
cryptosystem.
Reducing the DLP
Huhnlein et al showed that for totally
non-maximal imaginary quadratic
orders (i.e., h =1), the DLP can be
reduced to the DLP in some finite field.
Problem
Can we find a condition for elliptic
curves such that the DLP for those
curves can be reduced to the DLP of
some finite fields?
The 1st Relation
If E is an elliptic curve over $F_q$, then
the endomorphism ring of E is an
imaginary quadratic order O if and
only if $|E(F_q)| \neq q+1$.
Moreover, there exists a $\pi \in O$ such
that $|E(F_q)| = q + 1 - (\pi + \bar{\pi})$, where
$\bar{\pi}$ is the conjugate of $\pi$, and $\pi$ is the
Frobenius endomorphism
$\pi(x,y) = (x^q, y^q)$ for all $(x,y) \in E(F_q)$.
Consequence
If q satisfies $4q = m^2 - \Delta n^2$ for some
$m, n \in \mathbb{Z}$, then $\pi = \pm(m + n\sqrt{\Delta})/2$.
As $\pi^2 - t\pi + q = 0$, we get $t = \pi + \bar{\pi} = \pm m$.
Therefore $|E(F_q)| = q + 1 \pm m$.
If m=1, then $|E(F_q)| = q$ or $q+2$.
The case $|E(F_q)| = q$ is
cryptographically weak.
We consider the case where
$|E(F_q)| = q+2$.
The Result: Reducing the ECDLP
Main Theorem
Let q be a prime satisfying $4q = 1 - \Delta n^2$ for
some $n \in \mathbb{Z}$, such that p=q+2 is also a
prime, and let E be an elliptic curve
over $F_q$ with $|E(F_q)| = p$.
Then the DLP in $E(F_q)$ can be reduced to
the DLP in $F_{p^2}$ as an additive group.
The method in [Huhnlein et al]
The 2nd Relation
Auxiliary Result
The proof
E(Fq) O /(-1) O
O /pO Fp2
given G and PE(Fq) with P=[m]G,
compute the corresponding elements +(π-1) O and +(π-1)
O O /(-1) O
compute the corresponding +pO and +pO O /pO
compute the corresponding elements in Fp²
Then compute the discrete logarithm there or determine that
it does not exist.
Conclusion
For q a prime satisfying $4q = 1 - \Delta n^2$ for
some $n \in \mathbb{Z}$, such that p=q+2 is also a
prime, the ECDLP in $E(F_q)$ whose order
is p can be reduced to the DLP in the finite
field of order $p^2$ as an additive group.
Question of Existence
How to construct such
cryptographically weak curves.
Answer
By using the construction of
anomalous elliptic curves (i.e. where
|E(Fq)|=q).
Recall
If q satisfies $4q = m^2 - \Delta n^2$ for some
$m, n \in \mathbb{Z}$, then $\pi = \pm(m + n\sqrt{\Delta})/2$.
As $\pi^2 - t\pi + q = 0$, we get $t = \pi + \bar{\pi} = \pm m$.
Therefore $|E(F_q)| = q + 1 \pm m$.
If m=1, then $|E(F_q)| = q$ or $q+2$.
Construction of Anomalous Curves
(based on [Leprevost et al])
Step 1:
Choose $\Delta < 0$, a fundamental
discriminant of an imaginary
quadratic field $K = \mathbb{Q}(\sqrt{\Delta})$ such that
the maximal order of K has class number 1.
$\Delta \in \{-3, -4, -7, -8, -11, -19, -43, -67, -163\}$ [Cox,
Theorem 7.30]
Step 1 (contd)
Choose an odd prime q such that
$4q = 1 - \Delta n^2$ for an integer n.
We can show that
1. $-\Delta \equiv 3 \pmod 8$ ($\Delta \in \{-3, -11, -19, -43, -67, -163\}$)
2. $q = -\Delta u(u+1) + (-\Delta + 1)/4$ for some
integer u
Step 2
$O_K = O_\Delta = \mathbb{Z}[(\Delta + \sqrt{\Delta})/2]$
Let $j(O_K)$ be the j-invariant of $O_K$. For
class number 1 the j-invariant is given
as follows:
Δ        j(O_K)
-3       0
-11      $-32^3$
-19      $-96^3$
-43      $-960^3$
-67      $-5280^3$
-163     $-640320^3$
[Cox, p.261]
Step 3
Choose an elliptic curve over
$L = K(j(O_K))$ with j-invariant $j_0 = j(O_K)$:
Since $j(E) = 1728 \cdot 4a^3/(4a^3 + 27b^2)$, we
can choose
E: $y^2 = x^3 + ax + b$
where $a = 3j_0/(1728 - j_0)$ and $b = 2j_0/(1728 - j_0)$
Step 4
Reduce E to
E: $y^2 = x^3 + [a]x + [b]$
over $F_q$.
We can show that $|E(F_q)| \in \{q, q+2\}$.
If $|E(F_q)| = q+2$, a prime, then we’re
done.
Step 5
If $|E(F_q)| = q$, define
E’: $y^2 = x^3 + d^2[a]x + d^3[b]$,
where $d \in F_q$ is a non-quadratic element.
Then $|E’(F_q)| = q+2$.
If q+2 is prime, then we’re done.
Problem
It’s not easy to find a prime q such that
$4q = 1 - \Delta n^2$ for an integer n
and q+2 is also a prime.
Example
For $\Delta = -11$ and u = 257 743 850 762 632
419 871 495,
q = 11u(u + 1) + (11+1)/4
= 730 750 818 665 451 459 112 596 905 638
433 048 232 067 471 723
$j(O_K) = -32^3$
Example (contd)
E: $y^2 = x^3 + ax + b$
$a = 3(-32^3)/(1728 - (-32^3))$
= 425 706 413 842 211 054 102 700 238 164
133 538 302 169 176 474
$b = 2(-32^3)/(1728 - (-32^3))$
= 527 387 882 116 624 522 439 332 460 655
566 708 278 801 941 557
Example(contd)
$\#E(F_q) = q+2$
BUT
q + 2 = 730 750 818 665 451 459 112 596
905 638 433 048 232 067 471 725
= $3^3$ × $5^2$ × 4217 × 20 016 645 573 637
× 2 413 234 030 223 × 5 314 607 504 832 341
is not a prime
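A check for the parameter condition of the Main Theorem, run on the example above (Δ = -11 and the given u) and on a small constructed case. This is an added example, not code from the presentation; the function names, the fixed-base Miller-Rabin test and the small case q = 2969 (Δ = -19, u = 12) are assumptions introduced here, and the group order |E(F_q)| is taken as an input rather than computed.

```python
from math import isqrt

# Class-number-1 discriminants with -D = 3 (mod 8), as listed in Step 1 (contd).
DISCRIMINANTS = (-3, -11, -19, -43, -67, -163)
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (a probable-prime test for large n)."""
    if n < 2:
        return False
    for p in BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def cm_parameters(q):
    """Return (D, n) with 4q = 1 - D*n^2 for a listed D, else None."""
    for D in DISCRIMINANTS:
        quotient, rem = divmod(4 * q - 1, -D)
        n = isqrt(quotient)
        if rem == 0 and n * n == quotient:
            return D, n
    return None

def classify(q, order):
    """Classify a curve over F_q (q prime) from its group order |E(F_q)|."""
    if order == q:
        return "anomalous"
    if order == q + 2 and cm_parameters(q) and is_probable_prime(q + 2):
        return "main-theorem"
    return "outside both classes"

# Example from the slides: D = -11 and the given u.
U = 257743850762632419871495
Q = 11 * U * (U + 1) + (11 + 1) // 4
# Constructed small case: D = -19, u = 12 gives the twin primes 2969, 2971.
Q_SMALL = 19 * 12 * 13 + (19 + 1) // 4
```

A curve that `classify` reports as "anomalous" or "main-theorem" falls in one of the two weak classes discussed in these slides and should be rejected during parameter validation.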
Twin Prime Conjecture
There are infinitely many primes q such
that q + 2 is also prime.
Next?
Find examples of “weak curves”, i.e.,
twin primes that satisfy the condition in
the Main Theorem.
Does the result in this work have any
relevance to the ECDLP for elliptic
curves whose endomorphism ring is a
totally non-maximal order?
References
[1] H. Baier (2002), Efficient algorithms for generating elliptic
curves over finite fields suitable for use in cryptography, PhD
Dissertation.
[2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in
cryptography, volume 265 of London Mathematical Society
Lecture Note Series, Cambridge University Press, Cambridge.
[3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in
elliptic curve cryptography, volume 317 of London
Mathematical Society Lecture Note Series, Cambridge
University Press, Cambridge.
[4] J. Buchmann and H. C. Williams (1988), A key exchange system
based on imaginary quadratic field, Journal of Cryptology, 1,
107-118.
[5] J. Buchmann (2004), Introduction to cryptography, Springer.
[6] H. Cohen and G. Frey (2006), Handbook of elliptic and
hyperelliptic curve cryptography, Chapman and Hall/CRC, Taylor and
Francis Group.
[7] D. A. Cox (1989), Primes of the form $x^2 + ny^2$, John Wiley and
Sons, New York.
[8] W. Diffie and M. Hellman (1976), New directions in
cryptography, IEEE Transactions on Information Theory, 22,
472-492.
[9] A. Enge (2001), Elliptic curves and their applications to
cryptography: an introduction, Kluwer Academic Publishers.
[10] D. Hankerson, A. J. Menezes, S. Vanstone (2004), Guide to
elliptic curve cryptography, Springer-Verlag, New York.
[11] D. Huhnlein, M. J. Jacobson, S. Paulus and T. Takagi (1998), A
cryptosystem based on non-maximal imaginary quadratic
order with fast decryption, in Advances in Cryptology, LNCS
1403, Springer, 294-307.
[12] D. Huhnlein, M. J. Jacobson, D. Weber (2003), Towards
Practical Non-Interactive Public-Key Cryptosystems Using Non-Maximal Imaginary Quadratic Orders, Designs, Codes and
Cryptography, 30, Issue 3, 281-299.
[13] D. Huhnlein, T. Takagi (1999), Reducing logarithms in totally
non-maximal imaginary quadratic orders to logarithms in finite
fields, ASIACRYPT, 219-231.
[14] N. Koblitz (1987), Elliptic curve cryptosystem, Mathematics of
Computation 48, 203-209.
[15] H. W. Lenstra (1996), Complex multiplication structure of
elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
[16] F. Leprevost, J. Monnerat, S. Varrette, S. Vaudenay (2005),
Generating anomalous elliptic curves, Information Processing
Letters, 93, 225-230.
[17] K. S. McCurley (1988), A Key Distribution System Equivalent to
Factoring, Journal of Cryptology 1, 95-105.
[18] V. S. Miller (1986), Use of elliptic curve in cryptography, in
Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS
218, 417-426.
[19] J. H. Silverman (1986), The arithmetic of elliptic curves,
Springer-Verlag, New York.
[20] L. C. Washington (2008), Elliptic curves, number theory and
cryptography, Chapman and Hall/CRC, Taylor and Francis
Group.
Thank you