Introduction to Elliptic Curve Cryptography

Cryptocurrency Café
cs4501 Spring 2015
David Evans
University of Virginia

Class 3: Elliptic Curve Cryptography
$y^2 = x^3 + 7$
Project 1 will be posted by midnight tonight and is due on January 30

Plan for Today
Bitcoin Wallets and Passwords
Asymmetric Cryptography Recap
Transferring a Coin
Crash Course in Number Theory
Elliptic Curve Cryptography

Buying Bitcoin

My Advice
Don't waste brainpower/space on passwords that don't matter: "silly" is a fine password for most things that need one.
Don't follow any widely-available advice: password cracker authors can read too.
Humans cannot generate randomness, and neither can you. Generate a random password.
Share your password (but only with people with whom you are willing to raise children).
Write down your important passwords. Store them somewhere safe, and write them down in a way that someone who steals it wouldn't be able to use.

Using Bitcoin in This Class
It is "real" money: try not to lose (all of) it. (But you can do everything in this class with very small amounts.)
If you do, I'll send you more (so long as you learned something from the loss). Everyone gets one embarrassment-free transfer.

Using Asymmetric Crypto: Signatures
[Diagram: Message, E, Signed Message, Insecure Channel, D, Verified Message; keys KU_B and KR_B]
Bob: generates key pair KU_B, KR_B; publishes KU_B
Anyone: gets KU_B from trusted provider

Transferring a Coin
Alice signs m1 = "I give coin x = (KU_A, t) to address KU_B" with KR_A
How does Bob transfer x to Colleen (KU_C)?
Bob signs m2 = "I give coin x = (KU_A, t), given to me by m1, to address KU_C" with KR_B
Colleen signs m3 = "I give coin x = (KU_A, t), given to me by m2, to address KU_D" with KR_C
…
This does not prevent double spending! (Next week)

Asymmetry Required
Need a function f that is:
Easy to compute: given x, easy to compute f(x)
Hard to invert: given f(x), hard to compute x
Has a trap-door: given f(x) and t, easy to compute x

Elliptic Curve Cryptography
Real numbers are useless!

Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0

Is (Integers, +) a group?
Is (Naturals, +) a group?
Is Rationals a group?

Abelian Groups
An abelian group satisfies properties 1 to 4 above, plus:
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a

Is Rationals – {0} an abelian group?

Finite Fields
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F - {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)

Know any finite fields?

GF(7)
[Figure: the elements 0, 1, 2, 3, 4, 5, 6 of GF(7)]
Évariste Galois: killed in duel at 20

Prime Fields
Prime Field Theorem: For every prime number p, the set {0, 1, …, p - 1} forms a finite field with the operations addition and multiplication modulo p
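
The field definition and the Prime Field Theorem above can be checked by exhaustion for small moduli. This is an added example, not code from the lecture; the function names are chosen here for illustration. It shows that arithmetic modulo n passes every listed property exactly when n is prime, and which elements break property 2 when it is not.

```python
from itertools import product


def is_abelian_group(elems, op, identity):
    """Check properties 1-5 from the slides by trying every combination."""
    elems = list(elems)
    members = set(elems)
    if identity not in members:
        return False
    for a, b in product(elems, repeat=2):
        if op(a, b) not in members:      # 1. closure
            return False
        if op(a, b) != op(b, a):         # 5. commutative
            return False
    for a, b, c in product(elems, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):   # 2. associative
            return False
    for a in elems:
        if op(a, identity) != a:         # 3. identity
            return False
        if not any(op(a, b) == identity for b in elems):  # 4. inverse
            return False
    return True


def is_field(n):
    """Is {0, ..., n-1} with addition and multiplication mod n a finite field?"""
    if n < 2:
        return False
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    distributive = all(
        mul(add(a, b), c) == add(mul(a, c), mul(b, c))
        for a, b, c in product(range(n), repeat=3)
    )
    return (
        is_abelian_group(range(n), add, 0)          # F under (+), identity 0
        and is_abelian_group(range(1, n), mul, 1)   # F - {0} under (x), identity 1
        and distributive
    )


def nonzero_without_inverse(n):
    """Non-zero elements that have no multiplicative inverse mod n."""
    return [a for a in range(1, n)
            if not any(a * b % n == 1 for b in range(1, n))]


if __name__ == "__main__":
    print("field moduli in 2..12:", [n for n in range(2, 13) if is_field(n)])
    print("mod 6, no inverse for:", nonzero_without_inverse(6))
    print("mod 7, no inverse for:", nonzero_without_inverse(7))
```

The elements with no inverse modulo 6 are the reason elliptic-curve arithmetic is done modulo a prime: the slope in point addition needs a division, and division only always exists in a field.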

Elliptic Curves in Finite Fields
$y^2 = x^3 + 7$ in GF(3)
$y^2 = x^3 + 7$ in GF($2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$)
115 quattuorvigintillion, 792 trevigintillion, 89 duovigintillion, 237 unvigintillion, 316 vigintillion, 195 novemdecillion, 423 octodecillion, 570 septendecillion, 985 sexdecillion, 8 quindecillion, 687 quattuordecillion, 907 tredecillion, 853 duodecillion, 269 undecillion, 984 decillion, 665 nonillion, 640 octillion, 564 septillion, 39 sextillion, 457 quintillion, 584 quadrillion, 7 trillion, 908 billion, 834 million, 671 thousand, 663 (0.0012 times the number of atoms in the visible universe)

Addition on Elliptic Curves
$y^2 = x^3 - 7 \pmod{p}$
Addition: P + Q = negate intersection of curve with line through P and Q
[Figure: curve with the points P, Q and P + Q]

Addition
[Image from http://www.coindesk.com/math-behind-bitcoin]
P + Q = R
What should we do if P = Q?

Addition
[Image from http://www.coindesk.com/math-behind-bitcoin]
Same idea for finite fields (just more complex)
Picture is for F_67
How would this look for F_huge?

Density of Elliptic Curve
$y^2 = x^3 + 7$ in GF($2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$)

(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP
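
The addition rule (including the P = Q case) and the discrete logarithm problem above, worked on $y^2 = x^3 + 7$ over the small field F_67 that the slides' picture uses. This is an added example, not code from the lecture; the function names, the base point G = (2, 22) and the secret k = 29 are choices made here for illustration.

```python
"""Toy arithmetic on y^2 = x^3 + 7 over a small prime field (added example).

Not constant-time and not for real keys: it only makes the addition rule
and the discrete-log problem concrete.
"""

INF = None  # point at infinity: the identity "0" of the curve group
B = 7       # curve constant from the slides: y^2 = x^3 + 7

# Field size of the slides' large curve, written as on the slide.
SECP256K1_P = 2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1


def is_on_curve(P, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + B)) % p == 0


def curve_points(p):
    """Every affine point, by exhaustive search. Only feasible for tiny p."""
    return [(x, y) for x in range(p) for y in range(p)
            if is_on_curve((x, y), p)]


def add(P, Q, p):
    """P + Q: third intersection of the line through P and Q, negated."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF  # vertical line: Q = -P (also doubling a point with y = 0)
    if P == Q:
        # P = Q: no second point to draw a line through, so use the tangent.
        s = 3 * x1 * x1 * pow(2 * y1 % p, -1, p) % p
    else:
        s = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, p):
    """kP by double-and-add: about log2(k) doublings, the 'easy' direction."""
    R = INF
    while k:
        if k & 1:
            R = add(R, P, p)
        P = add(P, P, p)
        k >>= 1
    return R


def brute_force_log(G, Q, p):
    """Smallest k >= 1 with kG = Q, found by trying G, 2G, 3G, ...

    Work grows with the group size, which is why the field must be huge.
    Returns None if Q is not a multiple of G.
    """
    R, k = G, 1
    while R is not INF:
        if R == Q:
            return k
        R = add(R, G, p)
        k += 1
    return None


if __name__ == "__main__":
    p, G = 67, (2, 22)          # constructed toy parameters
    order = len(curve_points(p)) + 1   # affine points plus the point at infinity
    Q = mul(29, G, p)           # "public" point for the secret k = 29
    print("2G =", add(G, G, p), " 3G =", mul(3, G, p))
    print("group order:", order, " order*G is identity:", mul(order, G, p) is INF)
    print("recovered k:", brute_force_log(G, Q, p))
    print("real field size is", SECP256K1_P.bit_length(), "bits")
```

On F_67 the search in `brute_force_log` finishes in at most 79 steps; on the 256-bit field from the slides the same loop would need on the order of 2^256 steps, while `mul` still needs only a few hundred additions.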

Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper; Chapter 5

Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending
![Page 2: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/2.jpg)
Plan for Today
Bitcoin Wallets and Passwords
Asymmetric Cryptography Recap
Transferring a Coin
Crash Course in Number Theory
Elliptic Curve Cryptography
1
Buying Bitcoin
2
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
![Page 3: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/3.jpg)
Buying Bitcoin
2
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
![Page 4: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/4.jpg)
3
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
15
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 0
16
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Integers + a group
17
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Naturals + a group
18
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0
Is Rationals a group
Abelian Groups
19
A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such
that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
20
1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that
for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a
Is Rationals ndash 0 an abelian group
Finite Fields
21
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under
the oplus operation2 The set F - 0 is an abelian group with identity 1
under the times operation3 Distributive For all a b c isin F
(a oplus b) times c = (a times c) oplus (b times c)
Know any finite
fields
22
A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times
operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP
34
Charge
bull Investigate the bitcoin you received
bull Project 1 will be posted before midnight tonight and due on Jan 30
bull Readings Satoshirsquos original bitcoin paper Chapter 5
35
Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation
Next week preventing double spending
![Page 5: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/5.jpg)
4
5
My Advice
6
Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one
Donrsquot follow any widely-available advicepassword cracker authors can read too
Humans cannot generate randomness and neither can youGenerate a random password
Share your password(but only with people with whom you are willing to raise children)
Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use
Using Bitcoin in This Class
7
It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)
If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer
Using Asymmetric Crypto Signatures
8
E DVerified Message
Signed MessageMessage
Insecure Channel
KUBKRB
Bob
Generates key pair KUB KRB
Publishes KUB
Anyone
Get KUB from trusted provider
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless

Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0

Is (Integers, +) a group?
Is (Naturals, +) a group?
Is Rationals a group?

Abelian Groups
An abelian group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a

Is Rationals – {0} an abelian group?

Finite Fields
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F - {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)

Know any finite fields?

GF(7): 0, 1, 2, 3, 4, 5, 6
Évariste Galois (killed in duel at 20)

Prime Fields
Prime Field Theorem: For every prime number p, the set {0, 1, …, p - 1} forms a finite field with the operations addition and multiplication modulo p.
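
The three finite-field properties can be checked by brute force for small moduli, which shows why the theorem needs p to be prime. This is an added example, not part of the lecture slides; the function names are made up for it.

```python
from itertools import product

def abelian_group_failure(elems, op, identity):
    """Return None if (elems, op) is an abelian group with this identity,
    otherwise (property, witness) for the first property that fails."""
    elems = list(elems)
    members = set(elems)
    for a, b in product(elems, repeat=2):
        if op(a, b) not in members:
            return ("closure", (a, b))
        if op(a, b) != op(b, a):
            return ("commutative", (a, b))
    for a, b, c in product(elems, repeat=3):
        if op(op(a, b), c) != op(a, op(b, c)):
            return ("associative", (a, b, c))
    for a in elems:
        if op(a, identity) != a or op(identity, a) != a:
            return ("identity", a)
        if not any(op(a, b) == identity for b in elems):
            return ("inverse", a)
    return None

def finite_field_failure(n):
    """Check the finite-field definition for {0, ..., n-1} with + and * mod n.
    Returns None for a field, else (structure, property, witness)."""
    if n < 2:
        return ("size", "N >= 2", n)
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    failure = abelian_group_failure(range(n), add, 0)
    if failure:
        return ("additive group",) + failure
    # Property 2: F - {0} must itself be an abelian group under multiplication.
    failure = abelian_group_failure(range(1, n), mul, 1)
    if failure:
        return ("multiplicative group",) + failure
    for a, b, c in product(range(n), repeat=3):
        if mul(add(a, b), c) != add(mul(a, c), mul(b, c)):
            return ("distributive", "(a+b)*c", (a, b, c))
    return None

def inverse_table(p):
    """Multiplicative inverse of every non-zero element of GF(p), by search."""
    return {a: next(b for b in range(1, p) if (a * b) % p == 1)
            for a in range(1, p)}

if __name__ == "__main__":
    print("GF(7):", finite_field_failure(7))        # None: all properties hold
    print("mod 6:", finite_field_failure(6))        # 2 * 3 = 0 leaves F - {0}
    print("inverses in GF(7):", inverse_table(7))
```

With a composite modulus the check fails at property 2: two non-zero elements multiply to 0, so F - {0} is not closed under multiplication.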

Elliptic Curves in Finite Fields
y^2 = x^3 + 7 in GF(3)
y^2 = x^3 + 7 in GF(2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1)
115 quattuorvigintillion, 792 trevigintillion, 89 duovigintillion, 237 unvigintillion, 316 vigintillion, 195 novemdecillion, 423 octodecillion, 570 septendecillion, 985 sexdecillion, 8 quindecillion, 687 quattuordecillion, 907 tredecillion, 853 duodecillion, 269 undecillion, 984 decillion, 665 nonillion, 640 octillion, 564 septillion, 39 sextillion, 457 quintillion, 584 quadrillion, 7 trillion, 908 billion, 834 million, 671 thousand, 663 (0.0012 times the number of atoms in the visible universe)

Addition on Elliptic Curves
y^2 = x^3 – 7 (mod p)
Addition: P + Q = negate intersection of curve with line through P and Q
[Figure: curve with points P, Q and P + Q]

Addition
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?

Addition
Image from http://www.coindesk.com/math-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F_67
How would this look for F_huge?

Density of Elliptic Curve
y^2 = x^3 + 7 in GF(2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1)

(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP
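
The addition rule (including the P = Q case) and the discrete logarithm problem can be tried on y^2 = x^3 + 7 over F_67, the field of the slide's picture. This is an added example, not code from the lecture; the base point (2, 22) and all function names are choices made for it.

```python
P_FIELD = 67   # field size of the slide's picture (F_67)
B = 7          # curve y^2 = x^3 + 7
INF = None     # point at infinity: the identity element of the group
G = (2, 22)    # sample base point chosen for this example

def on_curve(pt, p=P_FIELD):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + B)) % p == 0

def curve_points(p=P_FIELD):
    """Every point of the curve over F_p, plus the point at infinity."""
    return [INF] + [(x, y) for x in range(p) for y in range(p)
                    if on_curve((x, y), p)]

def add(P, Q, p=P_FIELD):
    """P + Q: negate the third intersection of the curve with the line PQ."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # vertical line: Q is the inverse of P
    if P == Q:
        # P = Q: use the tangent line; its slope is 3*x^2 / (2*y) for a = 0.
        slope = 3 * x1 * x1 * pow(2 * y1, -1, p)
    else:
        slope = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (slope * slope - x1 - x2) % p
    y3 = (slope * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, P, p=P_FIELD):
    """k*P by double-and-add: about log2(k) steps, so the easy direction."""
    result = INF
    while k:
        if k & 1:
            result = add(result, P, p)
        P = add(P, P, p)
        k >>= 1
    return result

def discrete_log(P, Q, p=P_FIELD):
    """Smallest k >= 0 with k*P == Q, found by trying every multiple of P.
    Returns None if Q is not a multiple of P. The work grows with the group
    size, which is why this only finishes on a toy field."""
    R, k = INF, 0
    while True:
        if R == Q:
            return k
        R, k = add(R, P, p), k + 1
        if R is INF:
            return None

if __name__ == "__main__":
    pts = curve_points()
    print("points on curve (with infinity):", len(pts))
    print("G + G =", add(G, G))
    Q = scalar_mult(50, G)
    print("Q = 50*G =", Q, "-> recovered k =", discrete_log(G, Q))
```

On F_67 the search in `discrete_log` ends after at most 79 additions; over the 256-bit field above the same loop would need on the order of 2^256 steps, while `scalar_mult` still needs only a few hundred.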

Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5

Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending
![Page 10: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/10.jpg)
Transferring a Coin
9
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
How does Bob transfer x to Colleen (KUC)
Transferring a Coin
10
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Transferring a Coin
11
Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA
Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB
Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC
hellipThis does not prevent double spending (Next week)
Asymmetry RequiredNeed a function f that isEasy to compute
given x easy to compute f (x)
Hard to invertgiven f (x) hard to compute x
Has a trap-doorgiven f (x) and t
easy to compute x
12
Elliptic Curve Cryptography
13
14
Real numbers are useless
Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0
Is (Integers, +) a group?
Is (Naturals, +) a group?
Is Rationals a group?
Abelian Groups
An abelian group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse -a ∈ G such that a ⊕ (-a) = 0
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a
Is Rationals – {0} an abelian group?
Finite Fields
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F – {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)
Know any finite fields?
GF(7): 0, 1, 2, 3, 4, 5, 6
Évariste Galois
Killed in duel at 20
Prime Fields
Prime Field Theorem: For every prime number p, the set {0, 1, …, p - 1} forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
$y^2 = x^3 + 7$ in GF(3)
$y^2 = x^3 + 7$ in GF($2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$)
115 quattuorvigintillion, 792 trevigintillion, 89 duovigintillion, 237 unvigintillion, 316 vigintillion, 195 novemdecillion, 423 octodecillion, 570 septendecillion, 985 sexdecillion, 8 quindecillion, 687 quattuordecillion, 907 tredecillion, 853 duodecillion, 269 undecillion, 984 decillion, 665 nonillion, 640 octillion, 564 septillion, 39 sextillion, 457 quintillion, 584 quadrillion, 7 trillion, 908 billion, 834 million, 671 thousand, 663
(0.0012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
$y^2 = x^3 - 7 \pmod{p}$
Addition: P + Q = negate intersection of curve with line through P and Q
[Figure: curve with points P, Q and P + Q marked]
Addition
Image from http://www.coindesk.com/math-behind-bitcoin
P + Q = R
What should we do if P = Q?
Same idea for finite fields (just more complex)
Picture is for $F_{67}$
How would this look for $F_{\text{huge}}$?
Density of Elliptic Curve
$y^2 = x^3 + 7$ in GF($2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP
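The addition rule and the hard problem above, as an added Python example (not code from the lecture): it implements chord-and-tangent addition on y^2 = x^3 + 7 over a small prime field, in the F_67 setting of the slide's picture, and contrasts computing Q = kP with recovering k by trying every candidate. The base point (2, 22) and all function names are choices made for this example.

```python
# Added illustration (not from the slides): the group law on y^2 = x^3 + 7
# over a small prime field. Toy code: not constant-time, not for real keys.

B = 7          # curve constant in y^2 = x^3 + B (the x coefficient is 0)
INF = None     # group identity, the "point at infinity"


def on_curve(pt, p):
    """True if pt is the identity or satisfies y^2 = x^3 + 7 (mod p)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + B)) % p == 0


def points(p):
    """All affine points over GF(p), by exhaustive search (small p only)."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), p)]


def add(P, Q, p):
    """P + Q: negate the third intersection of the curve with the line PQ."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                     # vertical line: Q = -P (or y = 0 doubling)
    if P == Q:
        # P = Q: use the tangent at P, slope 3x^2 / 2y
        s = 3 * x1 * x1 * pow(2 * y1, -1, p)
    else:
        # P != Q: use the chord, slope (y2 - y1) / (x2 - x1)
        s = (y2 - y1) * pow(x2 - x1, -1, p)
    s %= p
    x3 = (s * s - x1 - x2) % p
    y3 = (s * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, p):
    """kP by double-and-add: about log2(k) group operations."""
    result, addend = INF, P
    while k > 0:
        if k & 1:
            result = add(result, addend, p)
        addend = add(addend, addend, p)
        k >>= 1
    return result


def order(P, p):
    """Smallest n >= 1 with nP equal to the identity."""
    n, R = 1, P
    while R is not INF:
        R = add(R, P, p)
        n += 1
    return n


def dlog_bruteforce(P, Q, p):
    """Recover k with Q = kP by stepping P, 2P, 3P, ...: k group operations.

    Feasible only because the field is tiny; the work grows with the group
    order, which for the 256-bit field on the slides is itself about 2^256.
    """
    R, k = INF, 0
    while R != Q:
        R = add(R, P, p)
        k += 1
        if R is INF:
            raise ValueError("Q is not a multiple of P")
    return k


if __name__ == "__main__":
    p = 67
    G = (2, 22)                        # example base point (assumed, on the curve)
    n = order(G, p)
    Q = mul(29, G, p)
    print("points on curve over GF(3):", points(3))
    print("order of G over GF(67):", n)
    print("29*G =", Q, "recovered k =", dlog_bruteforce(G, Q, p))
```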
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi’s original bitcoin paper, Chapter 5
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending
![Page 16: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/16.jpg)
Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse −a ∈ G such that a ⊕ (−a) = 0
Is (Integers, +) a group?
Is (Naturals, +) a group?
Is Rationals a group?
Abelian Groups
A group is a set G on which the operation ⊕ is defined with the following properties:
1. Closure: for all a, b ∈ G, a ⊕ b ∈ G
2. Associative: for all a, b, c ∈ G, (a ⊕ b) ⊕ c = a ⊕ (b ⊕ c)
3. Identity: there is some element 0 ∈ G such that for all a ∈ G, a ⊕ 0 = 0 ⊕ a = a
4. Inverse: for all a ∈ G, there exists an inverse −a ∈ G such that a ⊕ (−a) = 0
5. Commutative: for all a, b ∈ G, a ⊕ b = b ⊕ a
Is Rationals – {0} an abelian group?
Finite Fields
A finite field is a set F of N ≥ 2 elements on which the operators ⊕ and × are defined with these properties:
1. The set F is an abelian group with identity 0 under the ⊕ operation
2. The set F − {0} is an abelian group with identity 1 under the × operation
3. Distributive: for all a, b, c ∈ F, (a ⊕ b) × c = (a × c) ⊕ (b × c)
Know any finite fields?
GF(7): 0, 1, 2, 3, 4, 5, 6
Évariste Galois (killed in duel at 20)
Prime Fields
Prime Field Theorem: For every prime number p, the set {0, 1, …, p − 1} forms a finite field with the operations addition and multiplication modulo p.
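The finite-field definition and the Prime Field Theorem can be checked exhaustively for small N. The following is an added example, not part of the original slides; it tests each listed property for {0, …, n − 1} under addition and multiplication modulo n, and the function names are this example's own.

```python
from itertools import product


def abelian_group_failures(elems, op, identity):
    """Return the names of the abelian-group properties that (elems, op) violates."""
    elems = list(elems)
    members = set(elems)
    pairs = list(product(elems, repeat=2))
    failed = []
    if any(op(a, b) not in members for a, b in pairs):
        failed.append("closure")
    if any(op(op(a, b), c) != op(a, op(b, c))
           for a, b, c in product(elems, repeat=3)):
        failed.append("associative")
    if any(op(a, identity) != a or op(identity, a) != a for a in elems):
        failed.append("identity")
    if any(all(op(a, b) != identity for b in elems) for a in elems):
        failed.append("inverse")
    if any(op(a, b) != op(b, a) for a, b in pairs):
        failed.append("commutative")
    return failed


def field_failures(n):
    """Check the three finite-field properties for integers mod n.

    Returns a dict of violated properties; an empty dict means a field.
    """
    if n < 2:
        raise ValueError("a finite field needs N >= 2 elements")
    add = lambda a, b: (a + b) % n
    mul = lambda a, b: (a * b) % n
    report = {
        # Property 1: F is an abelian group with identity 0 under addition.
        "additive group": abelian_group_failures(range(n), add, 0),
        # Property 2: F - {0} is an abelian group with identity 1 under multiplication.
        "multiplicative group": abelian_group_failures(range(1, n), mul, 1),
    }
    # Property 3: (a + b) * c = (a * c) + (b * c).
    distributive_ok = all(
        mul(add(a, b), c) == add(mul(a, c), mul(b, c))
        for a, b, c in product(range(n), repeat=3)
    )
    if not distributive_ok:
        report["distributive"] = ["distributive"]
    return {name: failed for name, failed in report.items() if failed}


def inverses(p):
    """Multiplicative inverse of every nonzero element modulo a prime p."""
    return {a: pow(a, -1, p) for a in range(1, p)}


if __name__ == "__main__":
    print("GF(7) failures:", field_failures(7))
    print("GF(7) inverses:", inverses(7))
    # Modulus 6 is composite: 2 * 3 = 0 leaves F - {0}, and 2 has no inverse.
    print("integers mod 6 failures:", field_failures(6))
    print("moduli 2..19 that give a field:",
          [n for n in range(2, 20) if not field_failures(n)])
```

The moduli that pass are exactly the primes, which is why curve arithmetic is defined modulo a prime: the slope formulas for point addition need every nonzero element to have a multiplicative inverse.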
Elliptic Curves in Finite Fields
y² = x³ + 7 in GF(3)
y² = x³ + 7 in GF(2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1)
115 quattuorvigintillion, 792 trevigintillion, 89 duovigintillion, 237 unvigintillion, 316 vigintillion, 195 novemdecillion, 423 octodecillion, 570 septendecillion, 985 sexdecillion, 8 quindecillion, 687 quattuordecillion, 907 tredecillion, 853 duodecillion, 269 undecillion, 984 decillion, 665 nonillion, 640 octillion, 564 septillion, 39 sextillion, 457 quintillion, 584 quadrillion, 7 trillion, 908 billion, 834 million, 671 thousand, 663 (0.0012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
y² = x³ – 7 (mod p)
Addition: P + Q = negate intersection of curve with line through P and Q
[Figure: points P, Q and P + Q on the curve]
Addition
[Figure: P + Q = R. Image from http://www.coindesk.com/math-behind-bitcoin]
What should we do if P = Q?
Addition
[Figure: addition over a finite field. Image from http://www.coindesk.com/math-behind-bitcoin]
Same idea for finite fields (just more complex)
Picture is for F_67
How would this look for F_huge?
Density of Elliptic Curve
y² = x³ + 7 in GF(2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem: given points P and Q on an elliptic curve, it is hard to find an integer k such that Q = kP.
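The addition rule, the P = Q case and the discrete logarithm problem above can all be tried on y² = x³ + 7 over F_67, the field size named for the slide's picture. This is an added example, not code from the original slides; the sample point G = (2, 22) and all function names are assumptions of the example.

```python
P_MOD = 67      # field F_67, the size the slide's picture uses
B = 7           # curve y^2 = x^3 + 7
O = None        # point at infinity, the identity element of the group
G = (2, 22)     # sample point chosen for this example: 22^2 = 2^3 + 7 (mod 67)


def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - x ** 3 - B) % P_MOD == 0


def neg(pt):
    """Inverse of a point: reflect it across the x-axis."""
    if pt is O:
        return O
    x, y = pt
    return (x, -y % P_MOD)


def add(p, q):
    """P + Q: negate the third intersection of the curve with the line through P and Q."""
    # Reject inputs that are not on the curve before doing any arithmetic.
    if not (on_curve(p) and on_curve(q)):
        raise ValueError("point is not on the curve")
    if p is O:
        return q
    if q is O:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                      # vertical line: P + (-P) = O
    if p == q:
        # P = Q: use the tangent at P, slope 3x^2 / 2y.
        slope = 3 * x1 * x1 * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        # P != Q: use the chord through P and Q.
        slope = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def scalar_mul(k, pt):
    """kP by double-and-add (not constant time; for illustration only)."""
    result, addend = O, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def curve_points():
    """All affine points on the curve; the group has one more element, O."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def point_order(pt):
    """Smallest n >= 1 with nP = O."""
    n, acc = 1, pt
    while acc is not O:
        acc = add(acc, pt)
        n += 1
    return n


def brute_force_dlog(base, target):
    """Find k with target = k * base by trying every k; feasible only in a tiny group."""
    acc = O
    for k in range(point_order(base)):
        if acc == target:
            return k
        acc = add(acc, base)
    return None


if __name__ == "__main__":
    print("affine points on the curve:", len(curve_points()))
    print("G + G =", add(G, G))
    print("order of G:", point_order(G))
    Q = scalar_mul(29, G)
    print("Q = 29G =", Q, "-> recovered k =", brute_force_dlog(G, Q))
```

The exhaustive search finishes instantly here because the group has fewer than a hundred elements; the same loop over a group of roughly 2²⁵⁶ elements is what the hardness assumption rules out.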
Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending
![Page 24: Introduction to Elliptic Curve Cryptography](https://reader036.fdocuments.us/reader036/viewer/2022081721/55a4fb021a28ab6a2e8b4571/html5/thumbnails/24.jpg)
23
0
1
2
34
5
6
GF(7)
Eacutevariste GaloisKilled in duel at 20
Prime Fields
24
Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p
Elliptic Curves in Finite Fields
25
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
26
y2 = x3 + 7 in GF(3)
Elliptic Curves in Finite Fields
27
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
28
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)
Addition on Elliptic Curves
29
y2 = x3 ndash 7 (mod p)
Addition P + Q= negate intersection of curve
with line through P and Q
P
Q
P + Q
Addition
30Image from httpwwwcoindeskcommath-behind-bitcoin
P + Q = R
What should we do if P = Q
Addition
31Image from httpwwwcoindeskcommath-behind-bitcoin
Same idea for finite fields (just more complex)
Picture is for F67
How would this look for Fhuge
Density of Elliptic Curve
32
y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)
(Believed to be) Hard Problem
Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP

Charge
• Investigate the bitcoin you received
• Project 1 will be posted before midnight tonight and due on Jan 30
• Readings: Satoshi's original bitcoin paper, Chapter 5
Next class: how to use Elliptic Curve Crypto for signatures; how (not) to use Elliptic Curves for pseudorandom number generation
Next week: preventing double spending