# The Joy of Secs: Part 3

### Posted by Mark Hornsby on 2019-08-08

One of the most widely deployed asymmetric cryptographic algorithms used today (driven by the popularity of blockchain technology) is based on elliptic curves over finite fields. Like all good engineers I struggled to just accept how they work. I needed to dig deeper to better understand the mathematics and in doing so decided to share my experience …

This is part 3 in a series. You can also read part 1 about the basics of Finite Fields and part 2 about more advanced operations and non-prime Finite Fields.

The general equation for an elliptic curve is:

$y^2 = x^3+ax+b$

In addition to having this equation, the curve must also satisfy the requirement to be *non-singular*:

$16(4a^3+27b^2) \ne 0$

If this equation isn’t satisfied then the curve will produce a weak form of elliptic curve that is unsuitable for use in elliptic curve cryptography.

Now we know what the general form of the equation looks like we’ll review the parameters for the curves we’re going to investigate, *secp256r1* and *secp256k1* (remember that both of these use coefficients in a prime field):

Name | Coefficient Field | Equation |
---|---|---|

secp256r1 (aka NIST P-256) | $\Bbb{Z}_{2^{256}-2^{224}+2^{192}+2^{96}-1}$ | $y^2= x^3-3x+b_1$ |

secp256k1 | $\Bbb{Z}_{2^{256}-2^{32}-977}$ | $y^2=x^3+7$ |

$b_1=\textnormal{0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC}$

Now we know the equation for these two curves we have everything we need to calculate $y$ given $x$. Here are some sample values for *secp256k1*:

$\begin{aligned} x=0 & \xRightarrow{} y = \sqrt{0^3+7} = \sqrt{7} \\ x=1 & \xRightarrow{} y = \sqrt{1^3+7} = \sqrt{8} \\ x=2 & \xRightarrow{} y = \sqrt{2^3+7} = \sqrt{15} \end{aligned}$

Similar principles can be applied to *secp256r1*, but due to the large value of $b_1$ the maths isn’t as neat. Rather than try to do the maths by hand it’s a lot easier to switch to some (Typescript) code at this point:

This code loads the *secp256k1* curve from the elliptic library. Every curve has a point, $G$, called the generator point, which is the starting point for all cryptographic operations on this curve. We’ll talk more about what this value is momentarily, but for now just notice that when you run the code above it prints the same value twice:

This proves that if you take the $y$ coordinate of $G$, as defined in the library or calculate it yourself using the equation listed above, they both produce the same value. We could change the code above to calculate $y$ for any arbitrary value of $x$.

We had to utilise the bn.js library to do our calculations for two reasons. Firstly, remember that we are working in a finite field here, so every operation we do to $x$ to calculate $y$ must be done using modular arithmetic; Secondly, our values can be much larger than the native number variables available in Typescript (and most other general purpose languages) and so we need a ‘big number’ library to be able to handle arbitrary precision numbers.

So back to the generator point, $G$, what exactly does it represent? When we previously talked about number lines, we would always start our operations at $0$. We require a similar concept for our elliptic curve, a point from which to start operations, but we shouldn’t draw any further parallels, because as you’ll see shortly there is another point on an elliptic curve which is much more representative of $0$.

To understand how to add points on an elliptic curve, it is helpful to disregard anything you’ve learnt about addition of numbers. You could be forgiven for thinking that to add two points together you would simply add the $x$ coordinates and the $y$ coordinates together. The problem with this is that generally the resultant point wouldn’t be on the curve (i.e. it wouldn’t satisfy the curve equation for that particular curve). So we need to find a different way to ‘add’ points. Some important features of addition (if you did some additional reading around mathematical groups earlier these will be familiar):

- Closure - adding any two points on our curve must produce another point on the curve (this is where our naive solution failed)
- Associativity - the order of adding points should not effect the result
- Additive identity - any point added to the additive identity point should equal itself (this is must more like our numerical concept of $0$)
- Inverse - any point should have an inverse point - I.e. when you add a point to it’s inverse it produces the additive identity point above

One of the nice features of an elliptic curve is that if you pick any two points and draw a line through them you will generally find that that line intercepts the curve in exactly one other spot. (This feature of elliptic curves has been known about for over 1700 years and was mentioned by Diophantus in some of his mathematical works.) If we were to use this principle to represent addition i.e. the third point is considered the sum of the other two, we would certainly fix our issue where the point doesn’t lie on the curve (the third point here always lies on the curve by definition). However this definition of ‘addition’ still fails the inverse property, taking a triple of three points $a$, $b$ and $c$, we would have $a+b=c$, but also $a+c=b$ and $b+c=$, implying that $a=b=c=\textnormal{additive identity}$. If instead we were to reflect the third point in the $x$ axis and treat this as the sum of the other two points this does actually satisfy most of our rules:

- Closure - our third point will always be on the curve
- Associativity - $a+b=b+a$ i.e. switching the definition of the existing two points still produces the same third point
- Inverse - because our elliptic curve is symmetric about the $x$ axis, ever point always has an inverse

The only thing missing is the additive identity. We solve this conundrum by inventing a new point, called the point at infinity. This point, when added to any other point, has no effect. Adding this extra point allows us to satisfy all 4 rules we defined and therefore we have a fully functioning concept of addition on our elliptic curve (which you’ll no doubt agree bares no resemblance to addition in normal arithmetic).

There are a few scenarios where drawing a line through two points doesn’t produce a third and this is where the point at infinity becomes relevant:

The first diagram show what we would consider normal addition, adding points $P$ and $Q$ would result in a point directly below $R$, let’s call this $S$ for now. If we were to then try to add $R$ and $S$ our line would be a perfectly vertical line like in diagram 3. In this scenario we define our third point to be the point at infinity. Another possible awkward situation occurs when two of our points are coincident like in diagram 2 - if you add the point $Q$ to itself then you have to draw a line through two points which are the same, so how do we decide where to draw the line? In this situation we define the line to be tangent to the curve at that point. As you can see in diagram 2 this results in point $P$. The final scenario is the combination of having both points the same (see diagram 4) and the line being perfectly vertical and so our third point is again the point at infinity.

So returning to our definition of what an elliptic curve is, we now know all the possible points on our curve (there is one point for every possible value of $x$ in the finite field) and we can add the points together. If we take our generator point as our start point and add it to itself using our addition rules, we get another point on the curve. If you add $G$ once again you’ll get yet another point. If you keep doing this again and again (remember the order of our finite field is close to $2^{256}$) you’ll eventually visit every point on the curve before returning to the starting point $G$. Given a point on the curve, it is very hard to know how many times you have to add $G$ to itself to get that point and this is what makes elliptic curves useful for cryptography. This challenge has a lot of parallels with the discrete logarithm problem for finite fields that we discussed in part 2 and is appropriately known as the Elliptic Curve Discrete Logarithm Problem.

To translate this in to the terms of public and private keys you will be familiar with, an elliptic curve private key is a number which tells you how many times the generator point, $G$, needs to be added to itself, to produce a public key, which is just the resulting point of the additions. Therefore, if you pick a private key of 1 (a **very** bad idea, always pick private keys randomly!), the resultant public key is simply the point $G$. If you were to pick 2 then your public key would simply be $G+G$. So an elliptic curve public key is just a point, expressed as the $x$ and $y$ coordinates. You’ll often see elliptic curve public keys can be expressed in a compressed form. We can do this because we know the curve equation, so if you know $x$ you can calculate $y$, but the only thing you won’t know is if it is the positive or negative solution to the square root, so that also needs to be specified.

So our final task is now to prove that this method of addition does actually work and produces results that match the elliptic curve library. We’ll try to calculate the public key when our private key is 2 as described above. This simply requires us to calculate $G+G$. To implement this ‘addition’ we’ll need to be able to find the third point on a line that intercepts the curve. Firstly we need the equation for the line (remember that the slope is the tangent to the curve at point $G$). Let $G=(x_G,y_G)$. We have to differentiate the curve equation to get the slope at any point:

$y^2=x^3+7$

$\frac{dy}{dx}= \frac{3x^2}{2\sqrt{x^3+7}} = \frac{3x^2}{2y}$

And putting this in to the equation of a line through point $G$:

$y = \frac{3x_G^2}{2y_G}*(x-x_G)+y_G$

To find where this intercepts the curve equation we can simply set them equal to each other:

$\sqrt{x^3+7}=\frac{3x_G^2}{2y_G}*(x-x_G)+y_G$

To make the maths easier we can square both sides:

$x^3+7=\Big(\frac{3x_G^2}{2y_G}*(x-x_G)+y_G\Big)^2$

Now move the line equation to the left hand side:

$x^3+7-\Big(\frac{3x_G^2}{2y_G}*(x-x_G)+y_G\Big)^2=0$

Now before we go multiplying out all the terms this is a cubic and there is a neat way to solve a cubic equation if you already know two of the roots (which we do because $G$ is on the curve):

$(x-x_1)(x-x_2)(x-x_3) = x^3 - (x_1+x_2+x_3)x^2 + (x_1x_2+x_1x_3+x_2x_3)x - x_1x_2x_3$

So we can simply find the $x^2$ term in the expansion of our equation and set it equal to $(x_1+x_2+x_3)$ to get the answer:

$-\Big(\frac{3x_G^2}{2y_G}\Big)^2=-x_1+x_2+x_3$

And we know that two of the points are $G$:

$x=\Big(\frac{3x_G^2}{2y_G}\Big)^2-2x_G$

Now we have the $x$ coordinate of our third point (the point $G+G$) expressed in terms of the $x$ and $y$ coordinates of $G$, so we can translate this in to code:

If you run this code it produces the following output:

Now how do we validate this? There are a number of online tools that can do this for us. I used Bitcore’s Playground. Set the private key to *02* and you’ll see that the public key is:

This is the compressed form of public key, so dropping the 02 byte at the start you can clearly see that the $x$ coordinate matches. Hooray!

This series of blog posts has turned out to be a lot longer than I expected, but I hope it has helped you to better understand the mathematics of elliptic curve cryptography. We have learnt how finite field maths works (including the more complex polynomial form that we didn’t strictly need), applied this to the coefficients in our elliptic curve equation to prove that we can calculate the $y$ coordinate from any given $x$ coordinate and then finally shown how point addition works on an elliptic curve and calculated the $x$ coordinate of the public key that corresponds to the private key $2$. Now that you know how these calculations were done for *secp256k1* you should be able to apply the same set of principles to convince yourself that they also work on *secp256r1*.