The document discusses elliptic curves in cryptography. It introduces elliptic curves, elliptic curve addition and multiplication, and how they can be used in public key cryptography. It describes elliptic curve Diffie-Hellman key exchange, where two parties establish a shared secret key over an elliptic curve. It also discusses how isogenies, which are rational maps between elliptic curves, can be used in post-quantum cryptographic protocols like the supersingular isogeny Diffie-Hellman key exchange. This protocol allows secure key exchange that is conjectured to be secure against both quantum and classical computers.

1. ELLIPTIC CURVES IN CRYPTOGRAPHY
EMILY STAMM

2. OUTLINE
Cryptography
Elliptic Curves
Elliptic Curve Diffie-Hellman Key Exchange
Quantum Computing
Isogenies
Supersingular Isogeny Diffie-Hellman

3. INTRODUCTION

4. WHAT IS
CRYPTOGRAPHY ?
 Cryptography from Greek kryptós “secret” and graphein ”write”
 Secure communication in the presence of third parties
 Confidentiality:restrict the access of information
 Integrity:verify that data has not been altered (maliciously or
accidentally)
 Authentication:verify the identity of a party
 Hard Math Problems:the strength of the algorithm relies on
the hardness of some underlying math problem

5. WHAT IS GOOD CRYPTOGRAPHY?
Key Secrecy:
secret piece of
information
used to uncover
information
Hard Math
Problems:the strength
of the algorithm relies
on the hardness of
some underlying math
problem
Proper
Implementation:
algorithms must be
correctly implemented
so as not to leak
information

6. PUBLIC KEY CRYPTOGRAPHY
Public Key Cryptography:there is a public key
and a private key
 Asymmetric Encryption: data is encrypted with
public key and can only be decrypted with the
private key
 e.g. RSA
 Key Establishment:parties establish a shared
secret key
 e.g. Diffie-Hellman, RSA
 Digital Signatures:data is signed with a private
key and can be verified with the public key
 e.g. RSA, DSA

7. ELLIPTIC CURVES

8. ELLIPTIC CURVE
 An Elliptic Curve E (inWeierstrass form) is a curve consisting of solutions to the equation
y2 = x3 + ax + b
plus a ‘point at infinity’ denoted 0E where 4a3 + 27b2 nonzero

9. ELLIPTIC CURVE ADDITION
 We define Elliptic CurveAddition,an operation that takes two points P,
Q on the curve and returns another point on the elliptic curve P + Q = R
 Not coordinate-wise addition:adding the coordinates of two points
does not produce another point on the elliptic curve
 Instead, we define Elliptic CurveAddition geometrically by this rule: the
sum of points on a line intersecting an elliptic curve is zero (point
at infinity)
 Points on Elliptic Curve with Elliptic CurveAddition form a group
Hughes, 2019

10. ELLIPTIC CURVE ADDITION
Let’s sum P and Q…

11. ELLIPTIC CURVE ADDITION
We draw a line through P and Q
P + Q + R = 0E
So P + Q = - R

12. ELLIPTIC CURVE ADDITION
We draw a vertical line through R
R + (-R) + 0E = 0E
- R = (-R)
P + Q = - R

13. ELLIPTIC CURVE ADDITION
Lets sum P and P…

14. ELLIPTIC CURVE ADDITION
Draw a line tangent to P
Intersects at R so
P + P + R = 0E

15. ELLIPTIC CURVE ADDITION
We draw a vertical line through R
R + (-R) + 0E = 0E
- R = (-R)
P + P = - R

16. ELLIPTIC CURVE MULTIPLICATION
 We define elliptic curve multiplication-by-n map that takes a point P and produces a point [n]P = Q on the
elliptic curve by repeatedly adding P to itself
[n]P = P + P + … + P (n times)
Leuven, 2019

17. ELLIPTIC CURVES OVER FINITE FIELDS
 In cryptography,we care about Elliptic Curves over finite fields,
meaning we look at the same equation but modulo q
 An (Weierstrass) Elliptic Curve E over finite field Fq consists of
points satisfying
y2 = x3 + ax + b (mod q)
along with point at infinity 0E where 4a3 + 27b2 nonzero modulo q
 Each x-coordinate has 2 y-coordinates equally spaced from from
horizontal line y = q/2
Corbellini, 2015
Graph of E:y2
= x3
- 7x + 10 (mod q)
where q = 19,97,127,487

18. ELLIPTIC CURVES
OVER FINITE FIELDS
TORUS
 The symmetries are better
understood when viewed as
points on a torus
 We can still perform EC
Addition (and hence EC
Multiplication) by drawing a line
through points
Hughes, 2019

19. ELLIPTIC CURVE
CRYPTOGRAPHY

20. ELLIPTIC CURVE CRYPTOGRAPHY
 Public key cryptography based on elliptic curves includes
 Elliptic Curve Digital Signature Algorithm (ECDSA)
 Elliptic Curve Diffie-Hellman (ECDH)
 Elliptic Curve Integrated Encryption Scheme (ECIES)
 Classical Cryptography,very similar to RSA,but instead of multiplicative group of integers using additive elliptic curve group
 Hardness is based on solving the Elliptic Curve Discrete Log Problem
 ECC compared to RSA has
 Smaller key sizes for the same security parameters
 Flexible: many parameters can be switched or adjusted including the curve used and modulus
 Better security,as there is a classical sub-exponential algorithm for regular Discrete Log but not for solving EC Discrete Log
 Libraries
 PyCryptodome
 NaCl
 OpenSSL
de Quehen, 2018

21. Alice
Bob
Alice Private Key
Integer a
Bob Private Key
Integer b
A B
K
Bob sends B to Alice
Alice sends A to Bob
Alice compute A = a[G]
Bob compute secret point
K = b[A]
Bob compute B = b[G]
Alice computes secret point
K = a[B]
Eve can only find K if she can solve
Elliptic Curve Discrete Log Problem:
Given A, G, find a such that A = a[G]
Eve
Public Key
• Prime q
• Elliptic Curve E: y2 = x3+ax+b
• Generator G of E(Fq)G
Elliptic Curve Diffie-Hellman

22. JANUARY 2020 CRITICAL WINDOWSVULNERABILITY
 CriticalVulnerability in Windows
Crypt32.dll
 Allows for devastating spoofing attack on
ECDSA
 This is an attack on an incorrect
implementation of ECDSA, not elliptic
the algorithm or mathematics itself
 The SignatureVerification algorithm does
not verify that the correct generating point
G is used
 Allowing an attacker to create their own
public point G’ for the same curve and
other public parameters,but they now have
their own private key

23. QUANTUM COMPUTING

24. QUANTUM COMPUTING &
CRYPTOGRAPHY
 A Quantum Computer is a new type of computer based
on quantum physics rather than classical physics
 Fundamental unit is a qubit or quantum bit that can be any linear
combination of 0 and 1
 Take advantage of quantum phenomenon to perform some
tasks much more efficiently
 E.g. entanglement, parallelism, interference
 Quantum algorithms exist that can break our current public
key cryptography (RSA, ECC) based on the abelian hidden
subgroup problem by efficiently finding the period
IBM
Q Cryostat
used to
keep IBM’s
50-qubit
quantum
computer
cold
DWAVE
Quantum
Computer

25. POST-QUANTUM
CRYPTOGRAPHY
NIST competition to choose new
Public Key Cryptography,
cryptography that runs on our current
computers but is conjectured to be
secure against quantum and classical
attacks
 Lattice-Based Cryptography: learning with errors;find
the shortest vector on a lattice
 Code-Based Cryptography:error correcting codes
 Multivariate Cryptography:equations in multiple variables
 Hash-Based Cryptography:hashed functions
 Isogeny-Based Cryptography:maps between elliptic
curves

26. ISOGENIES
MAPS BETWEEN ELLIPTIC CURVES

27. ISOGENY
 An isogeny is a rational map f : E1 → E2 between elliptic curves
 Group Morphism: f preserves the elliptic curve group structure
 If an isogeny exists, we say that E1 and E2 are isogenous
 Being isogenous is an equivalence relation
 Isogenies f : E1 → E2  correspondence→kernel of i.e. ker(f) = {P in E1 : f(P) = 0}
 We say an isogeny f is of degree l (or l -isogeny) if kernel of f contains l points (# ker(f) = l )

28. ORDINARY AND SUPERSINGULAR
 We define the endomorphism ring of E to be all the isogenies from E to E:
End(E) = {f : E → E | f is an isogeny}
 We can classify elliptic curves as
 Ordinary:End(E) is an order in a quadratic imaginary number field – abelian
 Supersingular:End(E) is a maximal order in a quaternion algebra – non-abelian
 Isogenies graphs
 Nodes: Elliptic Curves (labeled by j-invariant)
 Edges: l–Isogenies
 Note: any two curves on the graph are isogenous (because being isogenous is
an equivalence relation) but neighbors are l –isogenous
 Ordinary isogeny graphs have a nice volcano structure
 Supersingular isogeny graphs are messy Ramanujan graphs
 l + 1 regular graphs
Supersingular IsogenyGraph
Lauter, 2017
Ordinary Isogeny Graph
De Feo, Kieffer, Smith, 2018

29. SIDH
SUPERSINGULAR ISOGENY DIFFIE-
HELLAN

30. ISOGENY-BASED CRYPTOGRAPHY
 Public key cryptography based on maps between elliptic curves
 Post-Quantum Cryptography:conjectured to be secure against quantum attacks
 Hardness based on Path Finding in Supersingular Isogeny Graphs
 i.e. given elliptic Curves E1, E2, find an isogeny between them
 Compared to other forms of cryptography
 Very new technology based on a very different but well understood math problem
 Small key sizes
 Slower than other post-quantum cryptography, but has not been optimized
 Libraries
 Microsoft PQCrypto-SIDH
 CloudFlare
Leuven, 2019

31. Alice
Bob
Alice Private Key
Point on E: A
Isogeny f : E → E/<A>
Bob Private Key
Point on E: B
Isogeny g : E → E/<B>=EB
E/<A> E/<B>
(E/<B>)/<A> = E/<A,B> = (E/<A>)/<B>
E, supersingular elliptic curve
f’ : E/ <B> → (E/<B>)/<A>
E/<B>
E/<A>,
g' : E /<A> → (E/<A>)/<B>
Supersingular Elliptic Curve DH (Wrong)

32. Alice
Alice Private Key
Point on E: A
Isogeny f : E → E/<A>
E/<A>
E/<A,B>
f’ : E/ <B> → E/<A,B> = (E/<B>)/<A>
E/<B> • Problem: <A> is a subgroup of E, not E/<B>
• <g(A)> is a subgroup of E/<B>
• So really,E/<A,B> = (E/<B>)/<g(A)>
• But Alice doesn’t know g – that’s Bob’s private key.
Alice doesn’t want to sendA – that’s her private key
• How do we compute g(A) ?
Bob Private Key
Point on E: B
Isogeny g : E → E/<B>=EB
E
Supersingular Elliptic Curve DH (Wrong)

33. Alice
Alice Private Key
Integers m and n
Point A = [m]P +[n]Q
Isogeny f : E → E/<A>
E/<A>
E/<A,B>
E
f’ : E/ <B> → E/<A,B> = (E/<B>)/< g( A)>
E/<B>, g(P), g(Q)
• Solution:Create private point A as a secret
linear combination of two public points P, Q
• Now Bob can send Alice g(P), g(Q)
• Which Alice can use to compute g(A) as
follows:
• g(A) = g(mP + nQ) = [m]g(P)+ [n] g(Q)
because g preserves group structure
• Now Alice can get
• E/<A,B> = (E/<B>)/< g( A)>
Bob Private Key
Integers mB, nB
Point B = [mB]PB +[nB]QB
Isogeny g : E → E/<B>
Supersingular Elliptic Curve DH

34. Alice
Bob
E/<A> E/<B>
Velu’s Formula to get f’
f’ : E/ <B> → (E/<B>)/<g(A)>
E/<B>, PB, QB , g(P), g(Q)
E/<A>, P, Q, f(PB ), f(QB)
g' : E /<A> → (E/<A>)/<f(B)>
Alice Private Key
Integers m and n
Point A = [m]P +[n]Q
Isogeny f : E → E/<A>
Bob Private Key
Integers mB, nB
Point B = [mB]PB +[nB]QB
Isogeny g : E → E/<B>
(E/<B>)/<g(A)> = E/<A,B> = (E/<A>)/<f(B)>
E, supersingular elliptic curve
E/<B> E/<A>
Supersingular Elliptic Curve DH

35. Alice
Bob
Alice Private Key
Integers mA, nA
Point A = [mA]PA +[nA]QA
Isogeny f : E → E/<A>=EA
Alice sends curve EA and points RA,SA
Bob compute new points on EB
RB = g(PA) and SB= g(QA)
Eve
Supersingular Isogeny Diffie-Hellman
Shared Secret Key K
K = j-invariant of E/<A,B>
Alice compute new isogeny with
kernel = <A,B>
E → EB/ <g(A)> = E/<A,B>
Eve can only find K if she can
compute g(A) or f(B) which she can
get g or f she can find the isogeny
between E and EA or EB
• Primes lA, lB, and p = lA
d lB
e f + 1
• Supersingular Elliptic Curve E over Fq, q = p2
• Points PA, QA (basis for lA
d torsion subgroup)
• Points PB, QB (basis for lB
e torsion subgroup)
Bob Private Key
Integers mB, nB
Point B = [mB]PB +[nB]QB
Isogeny g : E → E/<B>=EB
Alice compute new points on EA
RA = f(PB) and SA= f(QB)
Bob sends curve EB and points RB, SB
Bob compute new isogeny with
kernel = <A,B>
E → EA/ <f(B)> = E/<A,B>
Shared Secret Key K
K = j-invariant of E/<A,B>
Public Key

36. WHAT DOES
THIS HAVETO
DO WITH PATH
FINDING?
Leuven, 2019

37. CONCLUSIONS
Cryptography:
Secure communication in the presence of third
parties.
Public Key Cryptography: cryptography using
two keys,a public and private key (or two private
in DH)
Elliptic Curves: a mathematical curve
represented by equation in two variable (x cubic, y
quadratic).
Can define elliptic curve addition by stating that the
sum of points on a line is 0. This forms an additive
group.
Elliptic Curve Diffie-Hellman: a way
to create a shared secret using elliptic
curve additive group instead of the usual
integers mod m.
Hardness is based on Elliptic Curve
Discrete Log Problem
Quantum Computing: A new form of computing
that uses quantum physics.
Can perform certain tasks much more efficiently,
such as solving the (EC) Discrete Log Problem and
hence breaks classical public key cryptography.
Isogenies:maps between elliptic curves that
preserve structure.
We can create Isogeny Graphs, the
nodes = elliptic curves
edges = isogenies
Ordinary (simple volcano graph)
Supersingular (messy graph)
Supersingular Isogeny Diffie-Hellman:
does not have the same abelian structure
and is conjectured to be quantum –resistant.
Public Key:Elliptic curve, primes, points
Private Key: secret isogeny (map) with
kernel generated by secret point

38. THANK YOU
 Emily Stamm
 Security Researcher at Allstate
 CSNPVice President
 For more information on
CSNP:
 Websitecsnp.org
 Instagram: cybersecuritynp
Contact Info
• Email:emily.stamm@cnsp.org
• LinkedIn: linkedin.com/in/emily-stamm/
• Instagram:instagram.com/crypto.emily

39. REFERENCES
 Mark Hughes, How Elliptic Curve CryptographyWorks,2019 https://www.allaboutcircuits.com/technical-
articles/elliptic-curve-cryptography-in-embedded-systems/
 Andrea Corbellini, Elliptic Curve Cryptography:finite fields and discrete logarithms, 2015
https://andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms/
 Ku Leuven,ELLIPTIC CURVESARE QUANTUM DEAD, LONG LIVE ELLIPTIC CURVES, 2019
CURVEShttps://www.esat.kuleuven.be/cosic/elliptic-curves-are-quantum-dead-long-live-elliptic-curves/
 Kristen Lauter,“Where cryptography and quantum computing intersect”, Microsoft Research Blog, 2017
https://www.microsoft.com/en-us/research/blog/tag/supersingular-isogeny-graphs/
 Victoria de Quehen, Security Researcher,ISARA Corporation,2018 https://www.isara.com/isogeny-based-cryptography/
 https://arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-
windows-10-vulnerability/