
Elliptic Curve Cryptography

Abstract:
The project gives an introduction to elliptic curve cryptography (ECC) and how it is used in the implementation of digital signature (ECDSA) and key agreement (ECDH) algorithms. The project discusses the implementation of ECC on two finite fields, prime field and binary field. It also gives an overview of ECC implementation on different coordinate systems called the projective coordinate systems. The project also discusses the basics of prime and binary field arithmetic.

Introduction

Elliptic Curve Cryptography (ECC) is a public key cryptography. In public key cryptography each user or device taking part in the communication generally has a pair of keys, a public key and a private key, and a set of operations associated with the keys to do the cryptographic operations. Only the particular user knows the private key, whereas the public key is distributed to all users taking part in the communication. Some public key algorithms may require a set of predefined constants to be known by all the devices taking part in the communication; 'domain parameters' in ECC are an example of such constants. Public key cryptography, unlike private key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private key cryptography.

The mathematical operations of ECC are defined over the elliptic curve y^2 = x^3 + ax + b, where 4a^3 + 27b^2 != 0. Each value of 'a' and 'b' gives a different elliptic curve. All points (x, y) which satisfy the above equation, plus a point at infinity, lie on the elliptic curve. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve. The generator point G, the curve parameters 'a' and 'b', together with a few more constants, constitute the domain parameters of ECC.

One main advantage of ECC is its small key size. A 160-bit key in ECC is considered to be as secure as a 1024-bit key in RSA.

Discrete Logarithm Problem

The security of ECC depends on the difficulty of the Elliptic Curve Discrete Logarithm Problem. Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k if k is sufficiently large. k is the discrete logarithm of Q to the base P.

Hence the main operation involved in ECC is point multiplication, i.e. multiplication of a scalar k with any point P on the curve to obtain another point Q on the curve.

Point multiplication

In point multiplication a point P on the elliptic curve is multiplied with a scalar k using the elliptic curve equation to obtain another point Q on the same elliptic curve, i.e. kP = Q.

Point multiplication is achieved by two basic elliptic curve operations:
- Point addition: adding two points J and K to obtain another point L, i.e. L = J + K.
- Point doubling: adding a point J to itself to obtain another point L, i.e. L = 2J.

Here is a simple example of point multiplication.
Let P be a point on an elliptic curve. Let k be a scalar that is multiplied with the point P to obtain another point Q on the curve, i.e. to find Q = kP.
If k = 23 then kP = 23P = 2(2(2(2P) + P) + P) + P.
Thus point multiplication uses point addition and point doubling repeatedly to find the result. The above method is called the 'double and add' method for point multiplication. There are other efficient methods for point multiplication such as the NAF (Non-Adjacent Form) and wNAF (windowed NAF) methods.
Point addition

Point addition is the addition of two points J and K on an elliptic curve to obtain another point L on the same elliptic curve.

Geometrical explanation

Consider two points J and K on an elliptic curve as shown in figure (a). If K != -J then a line drawn through the points J and K will intersect the elliptic curve at exactly one more point, -L. The reflection of the point -L with respect to the x-axis gives the point L, which is the result of the addition of points J and K.
Thus on an elliptic curve L = J + K.
If K = -J, the line through these points intersects the curve at the point at infinity O. Hence J + (-J) = O. This is shown in figure (b). O is the additive identity of the elliptic curve group.
The negative of a point is the reflection of that point with respect to the x-axis.

Analytical explanation

Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K).
Let L = J + K where L = (x_L, y_L); then
x_L = s^2 - x_J - x_K
y_L = -y_J + s(x_J - x_L)
s = (y_J - y_K)/(x_J - x_K), where s is the slope of the line through J and K.
If K = -J, i.e. K = (x_J, -y_J), then J + K = O, where O is the point at infinity.
If K = J then J + K = 2J, and the point doubling equations are used.
Also J + K = K + J.
Point doubling

Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same elliptic curve.

Geometrical explanation

To double a point J to get L, i.e. to find L = 2J, consider a point J on an elliptic curve as shown in figure (a). If the y coordinate of the point J is not zero, then the tangent line at J will intersect the elliptic curve at exactly one more point, -L. The reflection of the point -L with respect to the x-axis gives the point L, which is the result of doubling the point J.
Thus L = 2J.
If the y coordinate of the point J is zero, then the tangent at this point intersects the curve at the point at infinity O. Hence 2J = O when y_J = 0. This is shown in figure (b).

Analytical explanation

Consider a point J such that J = (x_J, y_J), where y_J != 0.
Let L = 2J where L = (x_L, y_L). Then
x_L = s^2 - 2x_J
y_L = -y_J + s(x_J - x_L)
s = (3x_J^2 + a)/(2y_J), where s is the slope of the tangent at point J and a is one of the parameters chosen with the elliptic curve.
If y_J = 0 then 2J = O, where O is the point at infinity.
Finite Fields

The elliptic curve operations defined above are on real numbers. Operations over the real numbers are slow and inaccurate due to round-off error. Cryptographic operations need to be fast and accurate. To make operations on elliptic curves accurate and more efficient, elliptic curve cryptography is defined over two finite fields:
- Prime field Fp, and
- Binary field F2^m

The field is chosen with a finitely large number of points suited for cryptographic operations. The operations are defined on the affine coordinate system. The affine coordinate system is the normal coordinate system that we are familiar with, in which each point is represented by the vector (x, y).
EC on Prime field Fp

The equation of the elliptic curve on a prime field Fp is y^2 mod p = x^3 + ax + b mod p, where 4a^3 + 27b^2 mod p != 0. Here the elements of the finite field are integers between 0 and p - 1. All the operations such as addition, subtraction, division and multiplication involve integers between 0 and p - 1. This is modular arithmetic and is defined in the Modular Arithmetic section below. The prime number p is chosen such that there is a finitely large number of points on the elliptic curve to make the cryptosystem secure. SEC specifies curves with p ranging between 112 and 521 bits.

The graph for this elliptic curve equation is not a smooth curve. Hence the geometrical explanation of point addition and doubling as on real numbers will not work here. However, the algebraic rules for point addition and point doubling can be adapted for elliptic curves over Fp.

Point Addition

Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K).
Let L = J + K where L = (x_L, y_L); then
x_L = s^2 - x_J - x_K mod p
y_L = -y_J + s(x_J - x_L) mod p
s = (y_J - y_K)/(x_J - x_K) mod p, where s is the slope of the line through J and K.
If K = -J, i.e. K = (x_J, -y_J mod p), then J + K = O, where O is the point at infinity.
If K = J then J + K = 2J, and the point doubling equations are used.
Also J + K = K + J.

Point Subtraction

Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K).
Then J - K = J + (-K), where -K = (x_K, -y_K mod p).
Point subtraction is used in certain implementations of point multiplication, such as NAF.

Point Doubling

Consider a point J such that J = (x_J, y_J), where y_J != 0.
Let L = 2J where L = (x_L, y_L). Then
x_L = s^2 - 2x_J mod p
y_L = -y_J + s(x_J - x_L) mod p
s = (3x_J^2 + a)/(2y_J) mod p, where s is the slope of the tangent at point J and a is one of the parameters chosen with the elliptic curve.
If y_J = 0 then 2J = O, where O is the point at infinity.

EC on Binary field F2^m

The equation of the elliptic curve on a binary field F2^m is y^2 + xy = x^3 + ax^2 + b, where b != 0. Here the elements of the finite field are integers of length at most m bits. These numbers can be considered as binary polynomials of degree m - 1. In a binary polynomial the coefficients can only be 0 or 1. All the operations such as addition, subtraction, division and multiplication involve polynomials of degree m - 1 or less.

The m is chosen such that there is a finitely large number of points on the elliptic curve to make the cryptosystem secure. SEC specifies curves with m ranging between 113 and 571 bits.

The graph for this equation is not a smooth curve. Hence the geometrical explanation of point addition and doubling as on real numbers will not work here. However, the algebraic rules for point addition and point doubling can be adapted for elliptic curves over F2^m.

Point Addition

Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K).
Let L = J + K where L = (x_L, y_L); then
x_L = s^2 + s + x_J + x_K + a
y_L = s(x_J + x_L) + x_L + y_J
s = (y_J + y_K)/(x_J + x_K), where s is the slope of the line through J and K.
If K = -J, i.e. K = (x_J, x_J + y_J), then J + K = O, where O is the point at infinity.
If K = J then J + K = 2J, and the point doubling equations are used.
Also J + K = K + J.

Point Subtraction

Consider two distinct points J and K such that J = (x_J, y_J) and K = (x_K, y_K).
Then J - K = J + (-K), where -K = (x_K, x_K + y_K).
Point subtraction is used in certain implementations of point multiplication, such as NAF.

Point Doubling

Consider a point J such that J = (x_J, y_J), where x_J != 0.
Let L = 2J where L = (x_L, y_L). Then
x_L = s^2 + s + a
y_L = x_J^2 + (s + 1)x_L
s = x_J + y_J/x_J, where s is the slope of the tangent at point J and a is one of the parameters chosen with the elliptic curve.
If x_J = 0 then 2J = O, where O is the point at infinity.

Elliptic Curve Domain parameters

Apart from the curve parameters a and b, there are other parameters that must be agreed upon by both parties involved in secured and trusted communication using ECC. These are the domain parameters. The domain parameters for prime fields and binary fields are described below. The generation of domain parameters is out of the scope of this paper. There are several standard domain parameters defined by SEC. Generally the protocols implementing ECC specify the domain parameters to be used.

Domain parameters for EC over field Fp

The domain parameters for an elliptic curve over Fp are p, a, b, G, n and h.
p is the prime number defined for the finite field Fp. a and b are the parameters defining the curve y^2 mod p = x^3 + ax + b mod p. G is the generator point (x_G, y_G), a point on the elliptic curve chosen for cryptographic operations. n is the order of the elliptic curve. The scalar for point multiplication is chosen as a number between 0 and n - 1. h is the cofactor, where h = #E(Fp)/n and #E(Fp) is the number of points on the elliptic curve.

Domain parameters for EC over field F2^m

The domain parameters for an elliptic curve over F2^m are m, f(x), a, b, G, n and h.
m is the integer defining the finite field F2^m; the elements of the finite field F2^m are integers of length at most m bits. f(x) is the irreducible polynomial of degree m used for elliptic curve operations, which is discussed in the Polynomial Arithmetic section below. a and b are the parameters defining the curve y^2 + xy = x^3 + ax^2 + b. G is the generator point (x_G, y_G), a point on the elliptic curve chosen for cryptographic operations. n is the order of the elliptic curve. The scalar for point multiplication is chosen as a number between 0 and n - 1. h is the cofactor, where h = #E(F2^m)/n and #E(F2^m) is the number of points on the elliptic curve.

Field Arithmetic

ECC uses modular arithmetic or polynomial arithmetic for its operations, depending on the field chosen. The arithmetic involves big numbers in the range of hundreds of bits. This section gives a brief overview of these two finite field arithmetics.

Modular Arithmetic

Modular arithmetic over a number p involves arithmetic between the numbers 0 and p - 1. If the number happens to be out of this range in any of the operations, the result is wrapped around into the range 0 to p - 1.

Addition

Let p = 23, a = 15, b = 20.
a + b (mod p) = 15 + 20 (mod 23) = 35 mod 23 = 12
Since the result a + b = 35 is out of the range 0 to 22, the result is wrapped around into the range 0 to 22 by subtracting 23 from 35 till the result is in the range 0 to 22. a mod b is thus explained as the remainder of the division a/b.

Subtraction

Let p = 23, a = 15, b = 20.
a - b (mod p) = 15 - 20 (mod 23) = -5 mod 23 = 18
Since the result a - b = -5 is negative and out of the range 0 to 22, the result is wrapped around into the range 0 to 22 by adding 23 to -5 till the result is in the range 0 to 22.

Multiplication

Let p = 23, a = 15, b = 20.
a * b (mod p) = 15 * 20 (mod 23) = 300 mod 23 = 1
Since the result a * b = 300 is out of the range 0 to 22, the result is wrapped around into the range 0 to 22 by subtracting 23 from 300 till the result is in the range 0 to 22.

Division

The division a/b (mod p) is defined as a * b^-1 (mod p), where b^-1 is the multiplicative inverse of b over p.

Multiplicative Inverse

The multiplicative inverse of a number b with respect to mod p is defined as a number b^-1 such that b * b^-1 (mod p) = 1. The multiplicative inverse exists only if b and p are relatively prime. Algorithms such as the extended Euclidean algorithm [7] can be used to find the multiplicative inverse of a number efficiently. Finding the multiplicative inverse is a costly operation.

Finding x mod y

x mod y is the remainder of the division x/y. Finding x mod y by repeatedly subtracting y from x till the result is in the range 0 to y - 1 is a costly operation. Methods such as Barrett Reduction [7] can be used to find the modulus of a number in an efficient manner.
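The operations of this section worked in Python on the page's own values p = 23, a = 15, b = 20, as an added example (this code is not part of the original paper): addition, subtraction and multiplication wrap into 0 to p - 1, the multiplicative inverse comes from the extended Euclidean algorithm, and x mod p is computed by Barrett reduction with a constant precomputed once per modulus. The function and class names are mine; the two algorithms are the ones the text names.

```python
# Added example, not from the original paper: modular arithmetic over p,
# the extended Euclidean algorithm for b^-1 mod p, and Barrett reduction.

def mod_add(a, b, p):
    return (a + b) % p          # 15 + 20 = 35 wraps to 12 for p = 23

def mod_sub(a, b, p):
    return (a - b) % p          # 15 - 20 = -5 wraps to 18 (Python's % is never negative)

def mod_mul(a, b, p):
    return (a * b) % p          # 15 * 20 = 300 wraps to 1

def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y

def mod_inverse(b, p):
    """b^-1 mod p via the extended Euclidean algorithm; exists only if gcd(b, p) = 1."""
    g, x, _ = extended_gcd(b % p, p)
    if g != 1:
        raise ValueError(f"{b} has no inverse modulo {p}")
    return x % p

def mod_div(a, b, p):
    """a / b (mod p) is defined as a * b^-1 (mod p)."""
    return (a * mod_inverse(b, p)) % p

class BarrettReducer:
    """x mod p for 0 <= x < p^2 using one precomputed quotient estimate
    instead of a division (or a chain of subtractions) per reduction."""

    def __init__(self, p):
        self.p = p
        self.k = p.bit_length()                 # p < 2^k
        self.mu = (1 << (2 * self.k)) // p      # floor(2^(2k) / p), computed once

    def reduce(self, x):
        if not 0 <= x < self.p * self.p:
            raise ValueError("Barrett reduction needs 0 <= x < p^2")
        q = (x * self.mu) >> (2 * self.k)       # estimate of floor(x / p), never too large
        r = x - q * self.p
        while r >= self.p:                      # the estimate is short by at most 2
            r -= self.p
        return r
```

Barrett reduction replaces the division in every field operation by one multiplication and a shift, which is why the one-time precomputation of mu pays off when the same modulus p is reused across all the operations of a point multiplication.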

Polynomial Arithmetic

Elliptic curves over the field F2^m involve arithmetic on integers of length m bits. These numbers can be considered as binary polynomials of degree m - 1. The binary string (a_{m-1} ... a_1 a_0) can be expressed as the polynomial a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + ... + a_1 x + a_0, where a_i = 0 or 1.
For e.g. the 4-bit number 1101_2 can be represented by the polynomial x^3 + x^2 + 1.

Similar to the modulus p in modular arithmetic, there is an irreducible polynomial of degree m in polynomial arithmetic. If in any operation the degree of the polynomial becomes greater than or equal to m, the result is reduced to a degree less than m using the irreducible polynomial, also called the reduction polynomial.

In a binary polynomial the coefficients of the polynomial can be either 0 or 1. If in any operation a coefficient becomes greater than 1, it is reduced to 0 or 1 by a modulo 2 operation on the coefficient.

All the operations below are defined in the field F2^4 on the irreducible polynomial f(x) = x^4 + x + 1. Since m = 4, the operations involve polynomials of degree 3 or less.
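Polynomial arithmetic in F2^4 with the page's reduction polynomial f(x) = x^4 + x + 1, and the binary field point addition and doubling formulas of the "EC on Binary field F2^m" section built on top of it, as an added example (not code from the paper). Field elements are Python ints whose bits are the polynomial coefficients, so 0b1101 is x^3 + x^2 + 1 as in the text. The curve a = x + 1 (0b0011), b = 1 and the points used in the checks are a constructed toy instance chosen so the results can be verified by hand with a log table of F2^4; they are not a standardized curve.

```python
# Added example, not from the original paper: F_2^4 arithmetic with
# f(x) = x^4 + x + 1 and the affine binary-field curve formulas on top of it.

M = 4
F_X = 0b10011            # x^4 + x + 1, the irreducible reduction polynomial

def poly_str(v):
    """Render a bit pattern as a binary polynomial, e.g. 0b1101 -> 'x^3 + x^2 + 1'."""
    terms = [("1" if i == 0 else "x" if i == 1 else f"x^{i}")
             for i in range(v.bit_length() - 1, -1, -1) if v >> i & 1]
    return " + ".join(terms) if terms else "0"

def gf_add(a, b):
    return a ^ b             # coefficients mod 2: addition and subtraction are both XOR

def gf_mul(a, b):
    """Shift-and-add multiplication, reducing by f(x) whenever the degree reaches m."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M & 1:       # an x^m term appeared: subtract (XOR) f(x)
            a ^= F_X
    return r

def gf_inv(a):
    """a^-1 = a^(2^m - 2) in F_2^m (a != 0), by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, e = 1, a, (1 << M) - 2
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def gf_div(a, b):
    return gf_mul(a, gf_inv(b))

# Constructed toy curve y^2 + xy = x^3 + A*x^2 + B over F_2^4 (not a SEC curve)
A, B = 0b0011, 0b0001
INF = None               # the point at infinity O

def on_curve(P):
    if P is INF:
        return True
    x, y = P
    lhs = gf_add(gf_mul(y, y), gf_mul(x, y))
    x2 = gf_mul(x, x)
    rhs = gf_add(gf_add(gf_mul(x2, x), gf_mul(A, x2)), B)
    return lhs == rhs

def ec_neg(P):
    return INF if P is INF else (P[0], gf_add(P[0], P[1]))   # -J = (x_J, x_J + y_J)

def ec_double(J):
    if J is INF or J[0] == 0:                # 2J = O when x_J = 0
        return INF
    xj, yj = J
    s = gf_add(xj, gf_div(yj, xj))           # s = x_J + y_J / x_J
    xl = gf_add(gf_add(gf_mul(s, s), s), A)  # x_L = s^2 + s + a
    yl = gf_add(gf_mul(xj, xj), gf_mul(gf_add(s, 1), xl))  # y_L = x_J^2 + (s + 1) x_L
    return (xl, yl)

def ec_add(J, K):
    if J is INF:
        return K
    if K is INF:
        return J
    if J[0] == K[0]:                         # same x: either J == K or K == -J
        return ec_double(J) if J == K else INF
    xj, yj = J
    xk, yk = K
    s = gf_div(gf_add(yj, yk), gf_add(xj, xk))                  # (y_J + y_K)/(x_J + x_K)
    xl = gf_add(gf_add(gf_add(gf_add(gf_mul(s, s), s), xj), xk), A)  # s^2 + s + x_J + x_K + a
    yl = gf_add(gf_add(gf_mul(s, gf_add(xj, xl)), xl), yj)     # s(x_J + x_L) + x_L + y_J
    return (xl, yl)
```

Because subtraction is XOR in characteristic 2, J - K and J + K are the same operation here; the only place the field structure matters is the reduction by f(x) inside gf_mul and the inversion, which is what makes the choice of a trinomial or pentanomial f(x) (see the Conclusion) matter for speed.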



EC Cryptography

ECDSA - Elliptic Curve Digital Signature Algorithm

A signature algorithm is used for authenticating a device or a message sent by the device. For example, consider two devices A and B. To authenticate a message sent by A, the device A signs the message using its private key. The device A sends the message and the signature to the device B. This signature can be verified only by using the public key of device A. Since the device B knows A's public key, it can verify whether the message was indeed sent by A or not.

ECDSA is a variant of the Digital Signature Algorithm (DSA) that operates on elliptic curve groups. For sending a signed message from A to B, both have to agree upon the Elliptic Curve domain parameters. Sender 'A' has a key pair consisting of a private key d_A (a randomly selected integer less than n, where n is the order of the curve, an elliptic curve domain parameter) and a public key Q_A = d_A * G (G is the generator point, an elliptic curve domain parameter). An overview of the ECDSA process is given below.

Signature Generation

For signing a message m by sender A, using A's private key d_A:
1. Calculate e = HASH(m), where HASH is a cryptographic hash function such as SHA-1.
2. Select a random integer k from [1, n - 1].
3. Calculate r = x1 (mod n), where (x1, y1) = k * G. If r = 0, go to step 2.
4. Calculate s = k^-1 (e + d_A r) (mod n). If s = 0, go to step 2.
5. The signature is the pair (r, s).

Signature Verification

For B to authenticate A's signature, B must have A's public key Q_A.
1. Verify that r and s are integers in [1, n - 1]. If not, the signature is invalid.
2. Calculate e = HASH(m), where HASH is the same function used in the signature generation.
3. Calculate w = s^-1 (mod n).
4. Calculate u1 = ew (mod n) and u2 = rw (mod n).
5. Calculate (x1, y1) = u1 G + u2 Q_A.
6. The signature is valid if x1 = r (mod n), invalid otherwise.


ECDH - Elliptic Curve Diffie Hellman

ECDH is a key agreement protocol that allows two parties to establish a shared secret key that can be used for private key algorithms. Both parties exchange some public information with each other. Using this public data and their own private data, these parties calculate the shared secret. Any third party who doesn't have access to the private details of each device will not be able to calculate the shared secret from the available public information. An overview of the ECDH process is given below.

For generating a shared secret between A and B using ECDH, both have to agree upon the Elliptic Curve domain parameters. Both ends have a key pair consisting of a private key d (a randomly selected integer less than n, where n is the order of the curve, an elliptic curve domain parameter) and a public key Q = d * G (G is the generator point, an elliptic curve domain parameter). Let (d_A, Q_A) be the private key / public key pair of A and (d_B, Q_B) be the private key / public key pair of B.

1. The end A computes K = (x_K, y_K) = d_A * Q_B
2. The end B computes L = (x_L, y_L) = d_B * Q_A
3. Since d_A Q_B = d_A d_B G = d_B d_A G = d_B Q_A, therefore K = L and hence x_K = x_L
4. Hence the shared secret is x_K

Since it is practically impossible to find the private key d_A or d_B from the public key K or L, it is not possible for a third party to obtain the shared secret.
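An added example (not the paper's code) that puts the affine Fp formulas, double-and-add point multiplication, and the ECDSA and ECDH procedures above together in one runnable piece of Python. The curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) of order n = 19 is a constructed textbook toy whose 19 points can be enumerated by hand; the function names and the optional `k=` argument used by the checks are my additions, and the hash is reduced mod n only because n here is 5 bits wide.

```python
import hashlib
import secrets

# Added example, not from the original paper. Constructed toy curve
# y^2 = x^3 + 2x + 2 over F_17; G = (5, 1) has order n = 19 (#E = 19, prime).
P_MOD, A, B = 17, 2, 2
G = (5, 1)
N = 19
INF = None                      # the point at infinity O

def ec_double(J):
    if J is INF or J[1] == 0:   # 2J = O when y_J = 0
        return INF
    xj, yj = J
    s = (3 * xj * xj + A) * pow(2 * yj, -1, P_MOD) % P_MOD   # (3x_J^2 + a)/(2y_J)
    xl = (s * s - 2 * xj) % P_MOD
    yl = (-yj + s * (xj - xl)) % P_MOD
    return (xl, yl)

def ec_add(J, K):
    if J is INF:
        return K
    if K is INF:
        return J
    xj, yj = J
    xk, yk = K
    if xj == xk:
        return ec_double(J) if yj == yk else INF   # K = -J gives O
    s = (yj - yk) * pow(xj - xk, -1, P_MOD) % P_MOD  # (y_J - y_K)/(x_J - x_K)
    xl = (s * s - xj - xk) % P_MOD
    yl = (-yj + s * (xj - xl)) % P_MOD
    return (xl, yl)

def ec_mult(k, P):
    """Double-and-add, scanning k's bits from the top: 23P = 2(2(2(2P) + P) + P) + P."""
    Q = INF
    for bit in bin(k)[2:]:
        Q = ec_double(Q)
        if bit == "1":
            Q = ec_add(Q, P)
    return Q

def hash_to_int(msg):
    """e = HASH(m) with SHA-1 as on the page. Reduced mod n only because this toy n
    is 5 bits wide; a real implementation truncates the digest to the bit length of n."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % N

def ecdsa_sign_digest(e, d, k=None):
    """Signature generation steps 2 to 5; k is drawn fresh unless supplied (for checks)."""
    while True:
        kk = k if k is not None else secrets.randbelow(N - 1) + 1   # k in [1, n-1]
        x1, _ = ec_mult(kk, G)                                      # kG != O for 1 <= k < n
        r = x1 % N
        s = pow(kk, -1, N) * (e + d * r) % N
        if r != 0 and s != 0:
            return (r, s)
        if k is not None:
            raise ValueError("supplied k gives r = 0 or s = 0; pick another")

def ecdsa_verify_digest(e, sig, Q):
    r, s = sig
    if not (1 <= r <= N - 1 and 1 <= s <= N - 1):   # step 1
        return False
    w = pow(s, -1, N)                               # step 3
    u1, u2 = e * w % N, r * w % N                   # step 4
    X = ec_add(ec_mult(u1, G), ec_mult(u2, Q))      # step 5
    return X is not INF and X[0] % N == r           # step 6 (O is rejected)

def ecdsa_sign(msg, d, k=None):
    return ecdsa_sign_digest(hash_to_int(msg), d, k)

def ecdsa_verify(msg, sig, Q):
    return ecdsa_verify_digest(hash_to_int(msg), sig, Q)

def ecdh_shared_secret(d_own, Q_peer):
    """x coordinate of d_own * Q_peer; both ends arrive at the same point."""
    return ec_mult(d_own, Q_peer)[0]
```

The signing loop draws a fresh k from `secrets` for every signature, which is the property step 2 relies on: if k repeats or can be predicted, two signatures give two linear equations in the unknowns k and d_A mod n, so the private key leaks; a deployed implementation treats k with the same care as d_A (or derives it deterministically from the message and key, as RFC 6979 specifies). The verifier also rejects a point at infinity in step 5, a case the page's steps leave implicit.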

EC operations in Projective coordinate system

EC on various projective coordinates have been proposed, out of which one each for the binary field and the prime field are explained below.

Projective coordinate in field F2^m

Here the point (X, Y, Z) in projective coordinates corresponds to the point (X/Z, Y/Z^2) in affine coordinates. The equation for the elliptic curve is Y^2 + XYZ = X^3 Z + aX^2 Z^2 + bZ^4.

For point multiplication, convert the point (X, Y) in affine coordinates to (X, Y, 1) in projective coordinates. After multiplication the result (X, Y, Z) is converted back to affine coordinates as (X/Z, Y/Z^2), where Z != 0. If Z = 0, then the point is considered as the point at infinity.

Point addition

For adding two points in projective coordinates, let (X1, Y1, Z1) + (X2, Y2, 1) = (X3, Y3, Z3). Then
A = Y2.Z1^2 + Y1
B = X2.Z1 + X1
C = Z1.B
D = B^2.(C + a.Z1^2)
Z3 = C^2
E = A.C
X3 = A^2 + D + E
F = X3 + X2.Z3
G = X3 + Y2.Z3
Y3 = E.F + Z3.G
Z2 = 1, since one operand in point addition will always be the input point of the point multiplication operation, which is an affine coordinate point.

Point doubling

For doubling a point in projective coordinates, let 2(X1, Y1, Z1) = (X3, Y3, Z3). Then
Z3 = X1^2.Z1^2
X3 = X1^4 + b.Z1^4
Y3 = b.Z1^4.Z3 + X3.(a.Z3 + Y1^2 + b.Z1^4)

Jacobian Projective coordinate in field Fp

Here the point (X, Y, Z) in Jacobian projective coordinates corresponds to the point (X/Z^2, Y/Z^3) in affine coordinates. The equation for the elliptic curve is Y^2 = X^3 - 3XZ^4 + bZ^6. For point multiplication, convert the point (X, Y) in affine coordinates to (X, Y, 1) in Jacobian projective coordinates. After multiplication the result (X, Y, Z) is converted back to affine coordinates as (X/Z^2, Y/Z^3), where Z != 0. If Z = 0, then the point is considered as the point at infinity.

Point addition

For adding two points in projective coordinates, let (X1, Y1, Z1) + (X2, Y2, 1) = (X3, Y3, Z3). Then
A = X2.Z1^2
B = Y2.Z1^3
C = A - X1
D = B - Y1
X3 = D^2 - (C^3 + 2X1.C^2)
Y3 = D.(X1.C^2 - X3) - Y1.C^3
Z3 = Z1.C
Z2 = 1, since one operand in point addition will always be the input point of the point multiplication operation, which is an affine coordinate point.

Point doubling

For doubling a point in Jacobian projective coordinates, let 2(X1, Y1, Z1) = (X3, Y3, Z3). Then
A = 4X1.Y1^2
B = 8Y1^4
C = 3(X1 - Z1^2).(X1 + Z1^2)
D = -2A + C^2
X3 = D
Y3 = C.(A - D) - B
Z3 = 2Y1.Z1
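The Jacobian formulas above carried through in Python as an added example (not from the paper): point doubling, mixed addition with an affine second operand (Z2 = 1), conversion back to affine coordinates, and a double-and-add loop that performs the single field inversion only at the end. The curve y^2 = x^3 - 3x + 3 over F_23 (so a = -3 as the formulas require) and the base point (1, 1) are a constructed toy chosen so that 2P = (21, 22), 3P = (4, 20) and 4P = (7, 7) can be verified by hand with the affine formulas of the prime field section.

```python
# Added example, not from the original paper: Jacobian coordinates for a = -3.
# Constructed toy curve y^2 = x^3 - 3x + 3 over F_23; 4a^3 + 27b^2 = 135 != 0 mod 23.
P_MOD = 23
B = 3
JAC_INF = (1, 1, 0)            # any (X, Y, 0) represents the point at infinity

def jac_double(P):
    X1, Y1, Z1 = P
    A = 4 * X1 * Y1 * Y1 % P_MOD
    Bv = 8 * Y1 ** 4 % P_MOD
    C = 3 * (X1 - Z1 * Z1) * (X1 + Z1 * Z1) % P_MOD
    D = (-2 * A + C * C) % P_MOD
    X3 = D
    Y3 = (C * (A - D) - Bv) % P_MOD
    Z3 = 2 * Y1 * Z1 % P_MOD    # Y1 = 0 (or Z1 = 0) gives Z3 = 0, i.e. O
    return (X3, Y3, Z3)

def jac_add_mixed(P, Q):
    """(X1, Y1, Z1) + (x2, y2): the second operand is affine, i.e. Z2 = 1."""
    X1, Y1, Z1 = P
    x2, y2 = Q
    if Z1 == 0:                         # O + Q = Q
        return (x2, y2, 1)
    A = x2 * Z1 * Z1 % P_MOD
    Bv = y2 * Z1 ** 3 % P_MOD
    C = (A - X1) % P_MOD
    D = (Bv - Y1) % P_MOD
    if C == 0:                          # same affine x: doubling, or P + (-P) = O
        return jac_double(P) if D == 0 else JAC_INF
    X3 = (D * D - (C ** 3 + 2 * X1 * C * C)) % P_MOD
    Y3 = (D * (X1 * C * C - X3) - Y1 * C ** 3) % P_MOD
    Z3 = Z1 * C % P_MOD
    return (X3, Y3, Z3)

def to_affine(P):
    X, Y, Z = P
    if Z == 0:
        return None                     # point at infinity
    zi = pow(Z, -1, P_MOD)              # the only inversion, done once at the end
    return (X * zi * zi % P_MOD, Y * zi ** 3 % P_MOD)

def on_curve(pt):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 - 3 * x + B)) % P_MOD == 0

def jac_mult(k, P_affine):
    """Double-and-add entirely in Jacobian coordinates; converted to affine at the end."""
    Q = JAC_INF
    for bit in bin(k)[2:]:
        Q = jac_double(Q)
        if bit == "1":
            Q = jac_add_mixed(Q, P_affine)
    return to_affine(Q)
```

Every intermediate step is a field multiplication or addition; the inversion that the affine formulas need in each addition and doubling (see the Conclusion) happens exactly once, in to_affine, which is the efficiency argument for projective coordinates.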





Input and Output Formats

This section specifies data structures and object identifiers for the input and output of public keys, signatures and key agreement.

The object identifier bsi-de represents the root of the subtree containing all objects defined in this specification.

bsi-de OBJECT IDENTIFIER ::= {
  itu-t(0) identified-organization(4) etsi(0)
  reserved(127) etsi-identified-organization(0) 7
}

The root identifier for elliptic curve cryptography is

id-ecc OBJECT IDENTIFIER ::= { bsi-de algorithms(1) 1 }

This guideline also supports the data structures and object identifiers specified in ANSI X9.62 [3]. The root identifier for ANSI X9.62 is

ansi-x9-62 OBJECT IDENTIFIER ::= {
  iso(1) member-body(2) us(840) 10045
}

Public key Format

It is RECOMMENDED to store and exchange elliptic curve public keys in X9.62 format. In this case the data structures and object identifiers specified by X9.62 [3] SHALL be used.

X9.62 Format

Public keys represented in X.509 syntax have the following structure:

SubjectPublicKeyInfo ::= SEQUENCE {
  algorithm AlgorithmIdentifier,
  subjectPublicKey BIT STRING
}

The component algorithm of type AlgorithmIdentifier specifies the type of the public key and its associated parameters. The component subjectPublicKey of type BIT STRING specifies the actual value of the public key.

The elliptic curve public key is a value of type ECPoint, which is simply an OCTET STRING. The conversion routine OS2BS SHALL be used to map the value to a BIT STRING.

Public keys in X9.62 format are identified by the object identifier id-ecPublicKey, which is specified as follows:

id-publicKeyType OBJECT IDENTIFIER ::= { ansi-x9-62 keyType(2) }
id-ecPublicKey OBJECT IDENTIFIER ::= { id-publicKeyType 1 }

The public key parameters contained in the AlgorithmIdentifier are defined as a choice of three alternatives:

Parameters ::= CHOICE {
  ecParameters ECParameters,
  namedCurve OBJECT IDENTIFIER,
  implicitlyCA NULL
}

ecParameters: The domain parameters are explicitly described.
namedCurve: Standardized domain parameters identified by an object identifier are used.
implicitlyCA: The domain parameters are inherited or implicitly known.

It is RECOMMENDED to use the alternative ecParameters unless ephemeral public keys are exchanged; in this case implicitlyCA SHOULD be used instead. The alternative namedCurve SHOULD NOT be used.

The structure ECParameters is used to describe domain parameters explicitly. Version 1 ECParameters MUST be used. It is specified as follows:

ECParameters ::= SEQUENCE {
  version INTEGER { ecpVer1(1) } (ecpVer1),
  fieldID FieldID,
  curve Curve,
  base ECPoint,
  order INTEGER,
  cofactor INTEGER OPTIONAL
}

Curve ::= SEQUENCE {
  a FieldElement,
  b FieldElement,
  seed BIT STRING OPTIONAL
}

FieldElement ::= OCTET STRING
ECPoint ::= OCTET STRING

FieldID ::= SEQUENCE {
  fieldType OBJECT IDENTIFIER,
  parameters ANY DEFINED BY fieldType
}

id-fieldType OBJECT IDENTIFIER ::= { ansi-x9-62 fieldType(1) }
prime-field OBJECT IDENTIFIER ::= { id-fieldType 1 }
Prime-p ::= INTEGER

If FieldID refers to a prime-field, Prime-p SHALL be used as the parameter.
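A minimal DER encoder for the X9.62 SubjectPublicKeyInfo and ECParameters structures listed above, written as an added example (it is not reference code from the paper or from any standard) using the explicit ecParameters alternative that the text recommends together with the prime-field FieldID. The tag, length, INTEGER and OBJECT IDENTIFIER rules are those of DER; the uncompressed ECPoint form 0x04 || X || Y is the one defined by SEC 1 / X9.62. The toy curve y^2 = x^3 + 2x + 2 over F_17 with G = (5, 1), n = 19, h = 1 and the public key (0, 6) are constructed values, not a standardized curve.

```python
# Added example, not from the original paper: DER encoding of the X9.62
# ECParameters and SubjectPublicKeyInfo structures for a prime-field curve.

def der_length(n):
    if n < 0x80:
        return bytes([n])                            # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body          # long form

def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body

def encode_integer(v):
    """DER INTEGER (non-negative): minimal big-endian, leading 0x00 if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

def encode_oid(dotted):
    """DER OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der_tlv(0x06, bytes(body))

def encode_octet_string(b):
    return der_tlv(0x04, b)

def encode_bit_string(b):
    return der_tlv(0x03, b"\x00" + b)                # 0 unused bits, then the octets

def encode_sequence(*parts):
    return der_tlv(0x30, b"".join(parts))

ANSI_X9_62 = "1.2.840.10045"                         # iso(1) member-body(2) us(840) 10045
ID_EC_PUBLIC_KEY = ANSI_X9_62 + ".2.1"               # keyType(2), id-ecPublicKey 1
PRIME_FIELD = ANSI_X9_62 + ".1.1"                    # fieldType(1), prime-field 1

def field_element(v, p):
    """FieldElement contents: v left-padded to the byte length of p."""
    return v.to_bytes((p.bit_length() + 7) // 8, "big")

def ec_point(x, y, p):
    """ECPoint contents in uncompressed form (SEC 1): 0x04 || X || Y."""
    return b"\x04" + field_element(x, p) + field_element(y, p)

def encode_ec_parameters(p, a, b, gx, gy, n, h=None):
    field_id = encode_sequence(encode_oid(PRIME_FIELD), encode_integer(p))   # Prime-p
    curve = encode_sequence(encode_octet_string(field_element(a, p)),
                            encode_octet_string(field_element(b, p)))
    parts = [encode_integer(1),                          # version ecpVer1(1)
             field_id, curve,
             encode_octet_string(ec_point(gx, gy, p)),   # base
             encode_integer(n)]                          # order
    if h is not None:
        parts.append(encode_integer(h))                  # cofactor OPTIONAL
    return encode_sequence(*parts)

def encode_subject_public_key_info(params_der, qx, qy, p):
    algorithm = encode_sequence(encode_oid(ID_EC_PUBLIC_KEY), params_der)
    return encode_sequence(algorithm, encode_bit_string(ec_point(qx, qy, p)))
```

With the ecParameters alternative every recipient sees p, a, b, G, n and h explicitly; a decoder on the receiving side still has to check that the decoded base point and public key lie on the decoded curve and that n is the order of G before using them, since nothing in the encoding enforces that.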



Conclusion

For an efficient implementation of ECC, it is important for the point multiplication algorithm and the underlying field arithmetic to be efficient. There are different methods for the efficient implementation of point multiplication and field arithmetic suited to different hardware configurations.

Implementation of ECC using projective coordinates has shown considerable improvement in efficiency compared to the affine coordinate implementation. This improvement in efficiency is due to the elimination of the multiplicative inverse operation in point addition and doubling, which would otherwise cost considerable processor cycles.

If the irreducible polynomial in the binary field implementation is chosen to be a trinomial or pentanomial, the implementation of ECC on a binary field can be made more efficient than the prime field implementation. In the SEC specified domain parameters [4], the irreducible polynomials are either trinomials or pentanomials. These chosen polynomials cause the polynomial reduction in the binary field to run much faster than the modular reduction in the prime field.


























References

Darrel Hankerson, Julio Lopez Hernandez, Alfred Menezes, Software Implementation of Elliptic Curve Cryptography over Binary Fields, 2000. Available at http://citeseer.ist.psu.edu/hankerson00software.html

Certicom, Standards for Efficient Cryptography, SEC 1: Elliptic Curve Cryptography, Version 1.0, September 2000. Available at http://www.secg.org/download/aid-385/sec1_final.pdf

Certicom, Standards for Efficient Cryptography, SEC 2: Recommended Elliptic Curve Domain Parameters, Version 1.0, September 2000. Available at http://www.secg.org/download/aid-386/sec2_final.pdf

OpenSSL, http://www.openssl.org

Certicom, http://www.certicom.com/index.php?action=ecc_tutorial,home

BSI TR-02102, Kryptographische Verfahren: Empfehlungen und Schlüssellängen, Version 1.0, Federal Office for Information Security, 2008. Available at http://www.bsi.de/literat/tr/tr02102/BSI-TR-02102.pdf

Federal Information Processing Standards Publication 186-2 (FIPS PUB 186-2 + Change Notice), Digital Signature Standard (DSS), 2001. Available at http://csrc.nist.gov/publications/fips/fips186-2/fips186-2-change1.pdf
