### UC Berkeley, MICS, W202-Cryptography
### Week 05 Breakout 4
### Elliptic Curves - Prime Curves - Hasse's Theorem and the Trace of Frobenius - survey of industry standard prime curves

We will see in coming weeks that the computational intractability of the Elliptic Curve Discrete Logarithm problem forms the basis for Elliptic Curve Cryptography.  In order to achieve this, the prime curve must have a large prime p value which means it will have a large number of points.  We must also have well chosen values for A and B to ensure the period for scalar multiplication is long. 

We learned in our lecture that the number of points is approximately:

number of points = 50% * 2 * p + 1 = p + 1

Hasse's Theorem gives us a boundary for the number of points:

number of points = p + 1 - tp

where tp is the Trace of Frobenius with absolute value (tp) <= 2 * square root of p

There is a polynomial time algorithm with computational complexity of O((log p)^6), known as SEA, developed by Elkies and Atkin, improved by Schoof that can determine the number of points on a prime curve of large order.  In SageMath, SEA is implemented in the cardinality() method of the EllipticCurve() class.

There are published industry standard prime curves of large order published by various government standards and private organizations.   These published curves typically give A, B, p and a starting point (it can be very hard to find a starting point)  We will take a look at the number of points for these and do some scalar multiplcations from the starting point.

Remember, for a good published industry standard curve:

* Large p value ensures a lot of points (note the number of points is independent of A and B)

* A and B determine the period for scalar multiplication of points. Back in breakout 2, we saw the period for scalar multiplications.  Even with a large p value, and large values for x and y in a point, if A and B are chosen poorly, the period can be very short and easy to break.

* Published industry standard curves tend to have a very small A absolute value and a very large B absolute value.  This is because A is used in the slope formula, while B is not used in the slope formula.  With a small A absolute value, it's very important to select a large B absolute value that will yield a large period for scalar multiplication.

Here are some published industry standard elliptic curve prime curves we will take a look at:

FIPS PUB 186-4

* Curve P-192

* Curve P-224

* Curve P-256

* Curve P-384

* Curve P-521

In [1]:
from sage.all import *

In [2]:
def my_sea_hasse_frobenius(A, B, p):
    "Given an elliptic curve prime curve defined by A, B, p, count the number of point by various methods and estimates"
    
    E = EllipticCurve(GF(p), [A,B])
    
    print ("A: " + str(A))
    
    print ("B: " + str(B))
    
    print ("p: " + str(p))
    
    print ("SEA: " + str(E.cardinality()))
   
    print ("Hasse upper bound: " + "{:.3g}".format(float(2.0) * float(sqrt(p))))
    
    print ("Trace of Frobenius: " + str(E.trace_of_frobenius()))

In [3]:
A = 4
B = 6
p = 3

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 3
SEA: 4
Hasse upper bound: 3.46
Trace of Frobenius: 0


In [4]:
A = 4
B = 6
p = 5

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 5
SEA: 8
Hasse upper bound: 4.47
Trace of Frobenius: -2


In [5]:
A = 4
B = 6
p = 7

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 7
SEA: 11
Hasse upper bound: 5.29
Trace of Frobenius: -3


In [6]:
A = 4
B = 6
p = 11

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 11
SEA: 16
Hasse upper bound: 6.63
Trace of Frobenius: -4


In [7]:
A = 4
B = 6
p = 13

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 13
SEA: 14
Hasse upper bound: 7.21
Trace of Frobenius: 0


In [8]:
A = 4
B = 6
p = 17

my_sea_hasse_frobenius(A, B, p)

A: 4
B: 6
p: 17
SEA: 15
Hasse upper bound: 8.25
Trace of Frobenius: 3


In [9]:
def my_standard_prime_curve(A, B, p, P_x, P_y):
    "Given a published industry standard elliptic curve prime curve, print info plus scalar multiplication examples"
    
    E = EllipticCurve(GF(p), [A,B])
    
    P = E(P_x,P_y)
    
    print ("\n")
    print ("A:" + str(A) + "\n")
    print ("B:\n" + str(B.hex()) + "\n" + "{:,}".format(B) + "\ndigits:" + str(B.ndigits()) + "\n")
    print ("p:\n" + str(p.hex()) + "\n" + "{:,}".format(p) + "\ndigits:" + str(p.ndigits()) + "\n")
    
    hasse = 2 * floor(sqrt(p))
    
    print ("Hasse upper bound:\n" + str(hasse.hex()) + "\n" + "{:,}".format(hasse) + "\ndigits:" + str(hasse.ndigits()) + "\n")
    
    
    print ("Base Point:\n" + str(P_x.hex()) + "\n" + str(P_y.hex()) + "\n")
    
    for i in range(2, 11):
        
        Q = P * i
        
        Q_x = Integer(Q[0])
        Q_y = Integer(Q[1])
        
        
        print (str(i) + " * Base Point:\n" + str(Q_x.hex()) + "\n" + str(Q_y.hex()) + "\n")
    

In [10]:
# FIPS Curve P-192

p = 0xfffffffffffffffffffffffffffffffeffffffffffffffff

A = -3
B = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1

P_x = 0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012
P_y = 0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811

my_standard_prime_curve(A, B, p, P_x, P_y)



A:-3

B:
64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
2,455,155,546,008,943,817,740,293,915,197,451,784,769,108,058,161,191,238,065
digits:58

p:
fffffffffffffffffffffffffffffffeffffffffffffffff
6,277,101,735,386,680,763,835,789,423,207,666,416,083,908,700,390,324,961,279
digits:58

Hasse upper bound:
1fffffffffffffffffffffffe
158,456,325,028,528,675,187,087,900,670
digits:30

Base Point:
188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012
7192b95ffc8da78631011ed6b24cdd573f977a11e794811

2 * Base Point:
dafebf5828783f2ad35534631588a3f629a70fb16982a888
dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab

3 * Base Point:
76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da
782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd

4 * Base Point:
35433907297cc378b0015703374729d7a4fe46647084e4ba
a2649984f2135c301ea3acb0776cd4f125389b311db3be32

5 * Base Point:
10bb8e9840049b183e078d9c300e1605590118ebdd7ff590
31361008476f917badc9f836e62762be312b72543cceaea1

6 * Base Point:
a37abc6c431f9ac398bf5bd1aa66

In [11]:
# FIPS Curve P-224

p = 0xffffffffffffffffffffffffffffffff000000000000000000000001

A = -3
B = 0xb4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4

P_x = 0xb70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21
P_y = 0xbd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34

my_standard_prime_curve(A, B, p, P_x, P_y)



A:-3

B:
b4050a850c04b3abf54132565044b0b7d7bfd8ba270b39432355ffb4
18,958,286,285,566,608,000,408,668,544,493,926,415,504,680,968,679,321,075,787,234,672,564
digits:68

p:
ffffffffffffffffffffffffffffffff000000000000000000000001
26,959,946,667,150,639,794,667,015,087,019,630,673,557,916,260,026,308,143,510,066,298,881
digits:68

Hasse upper bound:
1fffffffffffffffffffffffffffe
10,384,593,717,069,655,257,060,992,658,440,190
digits:35

Base Point:
b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21
bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34

2 * Base Point:
706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6
1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb

3 * Base Point:
df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04
a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925

4 * Base Point:
ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301
482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9

5 * Base Point:
31c49ae75bce7807cdff22055d

In [12]:
# FIPS Curve P-256

p = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff

A = -3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

P_x = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P_y = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

my_standard_prime_curve(A, B, p, P_x, P_y)



A:-3

B:
5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
41,058,363,725,152,142,129,326,129,780,047,268,409,114,441,015,993,725,554,835,256,314,039,467,401,291
digits:77

p:
ffffffff00000001000000000000000000000000ffffffffffffffffffffffff
115,792,089,210,356,248,762,697,446,949,407,573,530,086,143,415,290,314,195,533,631,308,867,097,853,951
digits:78

Hasse upper bound:
1ffffffff00000000c000000060000000
680,564,733,762,648,764,426,319,935,326,885,249,024
digits:39

Base Point:
6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5

2 * Base Point:
7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978
7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1

3 * Base Point:
5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c
8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032

4 * Base Point:
e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b0

In [13]:
# FIPS Curve P-384

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff

A = -3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef

P_x = 0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
P_y = 0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f 

my_standard_prime_curve(A, B, p, P_x, P_y)



A:-3

B:
b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
27,580,193,559,959,705,877,849,011,840,389,048,093,056,905,856,361,568,521,428,707,301,988,689,241,309,860,865,136,260,764,883,745,107,765,439,761,230,575
digits:116

p:
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff
39,402,006,196,394,479,212,279,040,100,143,613,805,079,739,270,465,446,667,948,293,404,245,721,771,496,870,329,047,266,088,258,938,001,861,606,973,112,319
digits:116



Hasse upper bound:
1fffffffffffffffffffffffffffffffffffffffffffffffe
12,554,203,470,773,361,527,671,578,846,415,332,832,204,710,888,928,069,025,790
digits:59

Base Point:
aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f

2 * Base Point:
8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61
8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab4255ffd43e94d39e22d61501e700a940e80

3 * Base Point:
77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831
c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eacc24abd6be4b5d298b65f28600a2f1df1

4 * Base Point:
138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835
cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67

5 *

In [14]:
# FIPS Curve P-521

p = 0x1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
A = -3
B = 0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00

P_x = 0xc6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66
P_y = 0x11839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650

my_standard_prime_curve(A, B, p, P_x, P_y)



A:-3

B:
51953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00
1,093,849,038,073,734,274,511,112,390,766,805,569,936,207,598,951,683,748,994,586,394,495,953,116,150,735,016,013,708,737,573,759,623,248,592,132,296,706,313,309,438,452,531,591,012,912,142,327,488,478,985,984
digits:157

p:
1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
6,864,797,660,130,609,714,981,900,799,081,393,217,269,435,300,143,305,409,394,463,459,185,543,183,397,656,052,122,559,640,661,454,554,977,296,311,391,480,858,037,121,987,999,716,643,812,574,028,291,115,057,151
digits:157

Hasse upper bound:
2d413cccfe779921165f626cdd52afa7c75bd82ea24eea133b45eb2160cce64552
5,240,151,776,477,704,167,523,276,898,750,696,211,680,475,678,159,567,171,956,598,630,448,432,306,079,058
digits:79

Base Point:
c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3d