三工
Posts Tags Categories
三工

Contents

Elliptic Curve Cryptography

 included in CS
   536 words   3 minutes 

y2=x3+ax+by^2 = x^3 + ax + b

  • The point has to be reflected on the x-axis to keep the associactivity of addition

  • Naturally consider the tangent line

  • To guess the private key nn is super super hard

  • The consecutive points of curve y2=x3+x+1y^2 = x^3 + x + 1 with the beginning point (0,1)(0,1) are as follows. For just few steps, the numerator or denominator are going to be too large for computers

  • Suppose private key k=13k=13 and given the start point GG. The steps of calculating the public key 13G13⋅G is as follows. What is supposed to be mentioned is that the intermidiate resutl of each step has been calculated

  • Take secp256k1 curve as an example:

{y2=x3+7y=ax+bx3a2x22abx+7b2=0 \begin{cases}y^2 = x^3 + 7 \\ y = ax + b \end{cases}\Rightarrow x^3-a^2x^2-2abx+7-b^2 = 0

  • According to the Vieta’s formulas

    x3=a2x1x2modp x_3 = a^2-x_1-x_2 \bmod p

    then reflect y3y_3

    y3=ax3bmodp y_3^\prime = -ax_3-b \bmod p

    where a=y1y2x1x2modpa = \frac{y_1-y_2}{x_1-x_2} \bmod p, b=y1ax1modpb=y_1-ax_1 \bmod p.

  • According to the point addition section, x1=x2x_1=x_2, y1=y2y_1=y_2 and

    a=3x12(2y1)1modpa = 3x_1^2 (2y_1)^{-1} \bmod p

Since 3×5mod7=13 \times 5 \bmod 7 = 1, 33 and 55 are modular inverse for each other with modulo 77.

  • The curve equation, prime order of the elliptic curve and the x-coordinate of the base point are as follows.

  • Sign (how to calculate signature r,s,vr, s, v)

    • given dd (private key), zz (message hash), GG (base point)
    • choose a random number k(0<k<p)k ( 0 \lt k \lt p), derive point R=kG=(Rx,Ry)R = kG = (R_x, R_y)
    • r=Rxmodpr = R_x \bmod p
    • s=(z+rd)k1modps = (z + rd)k^{-1} \bmod p
    • v=Rymod2v = R_y \bmod 2

  • Send transaction

    • given r,s,v,z,Gr, s, v, z, G
    • dervive RyR_y and RyR_y^\prime with r r and curve ( curve is symmetric)
    • determine one of RyR_y and RyR_y^\prime with v, then derive RR
    • dervive QQ (public key) according skz+rdmodpsRzG+rQmodpsk \equiv z + rd \bmod p \Rightarrow sR \equiv zG + rQ \bmod p
    • derive from address according QQ
    • check balance and nonce of from address
    • send transaction

  • Verify signature

    • given r,s,z,G,Qr, s, z, G, Q
    • derive RR according sRzG+rQmodpsR \equiv zG + rQ \bmod p
    • check RxrmodpR_x \equiv r \bmod p

  • Signature malleability

    • given r,s,z,G,Qr, s^\prime, z, G, Q, where s=pss^\prime = p - s
    • notice that ssmodps^\prime \equiv -s \bmod p
    • so RRmodpR^\prime \equiv -R \bmod p according to (s)(R)zG+rQmodp(-s)(-R) \equiv zG + rQ \bmod p
    • so RxRxrmodpR^\prime_x \equiv -R_x \equiv r \bmod p

  • RFC-6979

    • k=k = HMAC(d,z)(d, z)

Given r=Rxr = R_x and curve, two points (Rx,Ry)(R_x, R_y) and (Rx,Ry)(R_x, R_y^\prime) can be derived, where Ry+Ry=pR_y + R_y^\prime = p. It is known that pp is a big prime number which is odd. So for RyR_y and RyR_y^\prime, one is odd and the other is even. Given vv, the correct y-coordinate is determmined.

If any of r,s,v,zr, s, v, z is corrupted, a different from address will be derived. Usually, the address has no balance and the transaction will be rejected.

 Cryptography
Back | Home