CS 259C/Math 250: Elliptic Curves in Cryptography

Elliptic Curves in Cryptography

Fall 2011


Lecture Notes

Lucas Garron has graciously agreed to share his lecture notes with the class. These notes are intended to serve as a guide to the topics covered and not as an authoritative source. Neither Lucas nor the course staff shall be held responsible for any errors or omissions.


The syllabus below will be updated periodically throughout the course to indicate the topics and readings for each lecture. Click here for an overview of the topics to be covered.
Lecture 1:
Introduction to ECC
What is cryptography?
What is an elliptic curve?

Reading: Washington Appendices B and C

Fundamentals of elliptic curves
Lecture 2:
Computing on elliptic curves   [SAGE worksheet]
Why do we use elliptic curves in crypto?
Group law and the point at infinity.
Elliptic curves in SAGE.

Reading: Washington 2.1-2.4.

Lecture 3:
10/ 3/11
Isomorphisms of elliptic curves
Singular curves.
Definition and examples of isomorphisms.

Reading: Washington 2.7, 2.8, 2.10.

Lecture 4:
10/ 5/11
Endomorphisms and torsion
Endomorphisms, degree, separability.
Examples: multiplication by n, Frobenius.
Torsion points.

Reading: Washington 2.9, 3.1, 3.2.

Elliptic curves over finite fields
Lecture 5:
Size and structure of E(Fq)   [SAGE worksheet]
Structure of n-torsion.
Legendre symbols and point counting.
Hasse's theorem

Reading: Washington 4.1, 4.2.
Basic facts about finite fields.

Lecture 6:
Determining the group order and structure
Characteristic polynomial of Frobenius
Subfield curves
Supersingular curves

Reading: Washington 4.3, 4.6.

Elliptic curve cryptosystems
Lecture 7:
Definition of secure encryption
Equivalence of semantic security and real-or-random security
ElGamal encryption
Attacks on ElGamal

Reading: Washington 6.1, 6.2, 6.4.
Definition of public key encryption (by Dan Boneh and Victor Shoup).

Lecture 8:
Encryption and Signatures
Security of ElGamal encryption
Hybrid encryption
Definition of secure signatures
Schnorr identification and signatures

Reading: Definition of digital signatures (by Dan Boneh and Victor Shoup).
Notes on Schnorr identification and signatures. (Complete version posted 10/20.)

Lecture 9:
Security of Schnorr signatures

Reading: Washington 6.5, 6.6.

Discrete logarithm attacks
Lecture 10:
General attacks on the DLP
Baby step-giant step
Pollard rho and lambda

Reading: Washington 5.2.

Lecture 11:
The Menezes-Okamoto-Vanstone attack
Index calculus in finite fields
Weil pairing
MOV attack

Reading: Washington 3.3, 5.1, 5.3.

Lecture 12:
11/ 2/11
Weak elliptic curves   [SAGE worksheet]
Embedding degree
Supersingular curves
Anomalous curves

Reading: Washington 5.4.
Smart's paper on the anomalous attack.

Pairing-based cryptography
Lecture 13:
11/ 7/11
Key exchange and identity-based encryption   [pdf]
Joux 3-party key exchange
IBE definitions
Boneh-Franklin IBE scheme

Reading: Washington 6.9
Boneh-Franklin paper, sections 1-4.1. You can skip the discussions of "chosen-ciphertext security."

Lecture 14:
11/ 9/11
IBE and Signatures
Security of Boneh-Franklin variant
Boneh-Lynn-Shacham signature scheme

Reading: Boneh-Lynn-Shacham paper.
Ordinary pairing-friendly elliptic curves

Lecture 15:
Homomorphic Encryption   [pdf]
Homomorphic ElGamal
Boneh-Goh-Nissim encryption

Reading: Boneh-Goh-Nissim paper, sections 1-3.

Algorithms for ECC
Lecture 16:
Computing the Weil and Tate pairings
Divisors and functions
Defining the pairings
Properties of the pairings
Miller's algorithm

Reading: Washington 11.1, 11.3, 11.4.

Thanksgiving break
Thanksgiving break
Lecture 17:
The CM Method of curve construction
Elliptic curves over C
Complex multiplication
Computing Hilbert class polynomials

Reading: Washington 9.2, 9.3, 10.1-10.4.

Advanced topics
Lecture 18:
Fast factoring and discrete log algorithms on a quantum computer
Guest lecture by Mark Zhandry

Reading: Shor's paper

Lecture 19:
12/ 5/11
Factoring and primality proving using elliptic curves
Guest lecture by Dan Boneh

Reading: Washington 7.1, 7.2.

Lecture 20:
12/ 7/11
Weil descent: Attacking elliptic curves over extension fields
Guest lecture by Ed Schaefer

Reading: Washington 13.1-13.4