The Magic of Elliptic Curves and Public-Key Cryptography

  • Florian Heß
  • Andreas Stein
  • Sandra Stein
  • Manfred Lochter
Survey Article


Elliptic curves are beautiful mathematical objects that again and again appear in the most surprising places. Their history certainly originates at least in ancient Greece, whereas the study of arithmetic properties of elliptic curves as objects in algebra, geometry, and number theory traces back to the nineteenth century. Curiously, the earliest use of the term “elliptic curve” in the literature seems to have been by James Thomson in 1727 in “A Poem sacred to the Memory of Sir Isaac Newton”:

“He, first of Men, with awful Wing pursu’d the Comet tro’ the long Elliptic Curve.”

In 1985, Koblitz and Miller independently proposed to use elliptic curves in cryptography which can only be described as a magnificent and practical application of elliptic curves. This paper intends to mostly present a low-brow introduction of elliptic curves and their use in real-world applications of public-key cryptography.


Cryptography Elliptic curves Discrete logarithm problem Public-key cryptography Pairing-based cryptosystem Weil pairing Tate-Lichtenbaum pairing Side channel analysis 

Mathematics Subject Classification

94A60 14H52 11T71 14G50 68P25 11Y40 11Y16 



The authors wish to thank several colleagues for carefully proofreading several versions of this paper. We also wish to thank Gabriele Nebe for her patience with this project and for making valuable suggestions.


  1. 1.
    Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system I: The user language. J. Symbolic Comp. 24(3/4), 235–265 (1997) MathSciNetMATHCrossRefGoogle Scholar
  2. 2.
    Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) Advances in Cryptology (CRYPTO 2001). Lecture Notes in Computer Science, vol. 2139, pp. 213–229. Springer Berlin (2001) CrossRefGoogle Scholar
  3. 3.
    Bender, J., Fischlin, M., Kügler, D.: Security analysis of the PACE key-agreement protocol. In: Proceedings of the 12th International Conference on Information Security, Pisa, Italy, 7–9 September, 2009. Lecture Notes in Computer Science, vol. 5735, pp. 33–48. Springer Berlin (2009) Google Scholar
  4. 4.
    Barreto, P., Galbraith, S., O’hEigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Designs, Codes and Cryptography 42(3), 239–271 (2007) MathSciNetMATHCrossRefGoogle Scholar
  5. 5.
    Boneh, D., Joux, A., Nguyen, P.Q.: Why textbook ElGamal and RSA encryption are insecure. In: Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security (ASIACRYPT’00), pp. 30–43. Springer Berlin (2000) Google Scholar
  6. 6.
    Barreto, P., Kim, H., Lynn, B., Scott, M.: Efficient algorithms for pairing-based cryptosystems. In: Yung, M. (ed.) Advances in Cryptology (CRYPTO 2002), Santa Barbara. Lecture Notes in Computer Science, vol. 2442, pp. 354–369. Springer, Berlin (2002) CrossRefGoogle Scholar
  7. 7.
    Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) Advances in Cryptology (ASIACRYPT 2001), Gold Coast, Australia. Lecture Notes in Computer Science, vol. 2248, pp. 514–532. Springer, Berlin (2001) CrossRefGoogle Scholar
  8. 8.
    Barreto, P., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) Selected Areas in Cryptography (SAC 2005), Kingston, ON, Canada. Lecture Notes in Computer Science, vol. 3897, pp. 319–331. Springer, Berlin (2006) CrossRefGoogle Scholar
  9. 9.
    Bisson, G., Satoh, T.: More discriminants with the Brezing-Weng method. In: Chowdhury, D.R., Rijmen, V., Das, A. (eds.) Progress in Cryptology (INDOCRYPT 2009), Kharagpur, India. Lecture Notes in Computer Science, vol. 5365, pp. 389–399. Springer, Berlin (2008) Google Scholar
  10. 10.
    BSI: Elliptic Curve Cryptography. Technical guideline TR-03111, Version 1.11 (2009) Google Scholar
  11. 11.
    BSI: Advanced security mechanisms for machine readable travel documents—extended access control (EAC), password authenticated connection establishment (PACE), and restricted identification (RI). Technical guideline TR-03110 (2010) Google Scholar
  12. 12.
    Blake, I., Seroussi, G., Smart, N.: Elliptic Curves in Cryptography. London Mathematical Society, vol. 265. Cambridge University Press, Cambridge (2000) Google Scholar
  13. 13.
    Blake, I., Seroussi, G., Smart, N. (eds.): Advances in Elliptic Curve Cryptography. Cambridge University Press, Cambridge (2005) MATHGoogle Scholar
  14. 14.
    Blake, I., Seroussi, G., Smart, N., Cassels, J. W. S. (eds.): Advances in Elliptic Curve Cryptography. London Mathematical Society Lecture Note Series, vol. 317. Cambridge University Press, Cambridge (2005) MATHGoogle Scholar
  15. 15.
    Buchmann, J.: Introduction to Cryptography, 2 edn. Springer, Berlin (2004) CrossRefGoogle Scholar
  16. 16.
    Boneh, D., Venkatesan, R.: Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In: CRYPTO. Lecture Notes in Computer Science, vol. 1109, pp. 129–142. Springer, Berlin (1996) Google Scholar
  17. 17.
    Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005) MathSciNetMATHCrossRefGoogle Scholar
  18. 18.
    Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F. (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography. Discrete Mathematics and Its Applications, vol. 34. Chapman & Hall/CRC, London (2005) Google Scholar
  19. 19.
    Chatterjee, S., Hankerson, D., Menezes, A.: On the efficiency and security of pairing-based protocols in the type 1 and type 4 settings. In: Hasan, M., Helleseth, T. (eds.) Arithmetic of Finite Fields, Istanbul, Turkey. Lecture Notes in Computer Science, vol. 6087, pp. 114–134. Springer, Berlin (2010) CrossRefGoogle Scholar
  20. 20.
    Costello, C., Lauter, K., Naehrig, M.: Attractive subfamilies of BLS curves for implementing high-security pairings. In: Bernstein, D., Chatterjee, S. (eds.) Progress in Cryptology (INDOCRYPT 2011), Chennai, India. Lecture Notes in Computer Science, vol. 7107, pp. 320–342. Springer, Berlin (2011) CrossRefGoogle Scholar
  21. 21.
    Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, Berlin (1993) MATHGoogle Scholar
  22. 22.
    Crandall, R., Pomerance, C.: Prime Numbers: A Computational Perspective, 2nd edn. Springer, Berlin (2005) MATHGoogle Scholar
  23. 23.
    Duan, P., Cui, S., Chan, C.: Special polynomial families for generating more suitable elliptic curves for pairing-based cryptosystems. In: Proceedings of the 5th WSEAS International Conference on Electronics, Hardware, Wireless and Optical Communications EHAC’06 (2006) Google Scholar
  24. 24.
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22, 644–654 (1976) MathSciNetMATHCrossRefGoogle Scholar
  25. 25.
    Diem, C.: On the discrete logarithm problem in elliptic curves. Compositio Mathematica 147(01), 75–104 (2011) MathSciNetMATHCrossRefGoogle Scholar
  26. 26.
    ECC Brainpool: ECC brainpool standard curves and curve generation. Internet Draft, (October 2005)
  27. 27.
    ElGamal, T.: A public-key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory IT-31, 469 (1985) MathSciNetCrossRefGoogle Scholar
  28. 28.
    Fumy, W., Paeschke, M. (eds.): Handbook of eID Security. Publicis Publishing, Erlangen (2011) Google Scholar
  29. 29.
    Frey, G., Rück, H.-G.: A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp. 62, 865–874 (1994) MathSciNetMATHGoogle Scholar
  30. 30.
    Frey, G.: The arithmetic behind cryptography. Notices Am. Math. Soc. 57(3), 366–374 (2010) MathSciNetMATHGoogle Scholar
  31. 31.
    Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. J. Cryptology 23(2), 224–280 (2010) MathSciNetMATHCrossRefGoogle Scholar
  32. 32.
    Galbraith, S.: Pairings (book chapter). In Blake et al. [13] Google Scholar
  33. 33.
    Gaudry, P.: Index calculus for abelian varieties of small dimension and the elliptic curve discrete logarithm problem. J. Symb. Comput. 44, 1690–1702 (2009) MathSciNetMATHCrossRefGoogle Scholar
  34. 34.
    Galbraith, S., Harrison, K., Soldera, S.: Implementing the Tate pairing. In: Fieker, C., Kohel, D.R. (eds.) Proceedings of the Fifth Symposium on Algorithmic Number Theory (ANTS-V), Sydney, Australia. Lecture Notes in Computer Science, vol. 2369, pp. 324–337. Springer, Berlin (2002) CrossRefGoogle Scholar
  35. 35.
    Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15(1), 19–46 (2002) MathSciNetCrossRefGoogle Scholar
  36. 36.
    Galbraith, S., Menezes, A.: Algebraic curves and cryptography. Finite Fields and Applications 11(3), 544–577 (2005) MathSciNetMATHCrossRefGoogle Scholar
  37. 37.
    Galbraith, S.D., McKee, J.F., Valenca, P.C.: Ordinary abelian varieties having small embedding degree. Finite Fields Appl. 13(4), 800–814 (2007) MathSciNetMATHCrossRefGoogle Scholar
  38. 38.
    Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156(16), 3113–3121 (2008) MathSciNetMATHCrossRefGoogle Scholar
  39. 39.
    Galbraith, S., Rotger, V.: Easy decision Diffie-Hellman groups. LMS J. Comput. Math. 7, 201–218 (2004) MathSciNetMATHGoogle Scholar
  40. 40.
    Galbraith, S., Smart, N.P.: A cryptographic application of Weil descent. In: Walker, M. (ed.) Cryptography and Coding, Cirencester. Lecture Notes in Computer Science, vol. 1746, pp. 191–200. Springer, Berlin (1999) CrossRefGoogle Scholar
  41. 41.
    Hess, F.: A note on the Tate pairing of curves over finite fields. Arch. Math. 82, 28–32 (2004) MathSciNetMATHCrossRefGoogle Scholar
  42. 42.
    Hess, F.: Weil descent attacks. In: Blake et al. [14] Google Scholar
  43. 43.
    Hess, F.: Pairing lattices. In: Galbraith, S., Paterson, K. (eds.) Progress in Cryptology (INDOCRYPT 2009), Egham, UK. Lecture Notes in Computer Science, vol. 5208, pp. 18–38. Springer, Berlin (2008) Google Scholar
  44. 44.
    Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curve Cryptography. Springer Professional Computing (2004) Google Scholar
  45. 45.
    Hess, F., Smart, N., Vercauteren, F.: The Eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006) MathSciNetMATHCrossRefGoogle Scholar
  46. 46.
    Jacobson, M.J. Jr., Koblitz, N., Silverman, J.H., Stein, A., Teske, E.: Analysis of the xedni calculus attack. Designs, Codes and Cryptography 20(1), 41–64 (2000) MathSciNetMATHCrossRefGoogle Scholar
  47. 47.
    Jacobson, M.J. Jr., Menezes, A.J., Stein, A.: Hyperelliptic curves and cryptography. In: High Primes and Misdemeanours: Lectures in Honour of the 60th Birthday of Hugh Cowie Williams. Fields Institute Communications Series, vol. 41, pp. 255–282. Am. Math. Soc., Providence (2004) Google Scholar
  48. 48.
    Joux, A.: A one round protocol for tripartite Diffie–Hellman. In: Bosma, W. (ed.) Proceedings of the Fourth Symposium on Algorithmic Number Theory (ANTS-IV), Leiden, Netherlands. Lecture Notes in Computer Science, vol. 1838, pp. 385–394. Springer, Berlin (2000) Google Scholar
  49. 49.
    Killmann, W., Lange, T., Lochter, M., Thumser, W., Wicke, G.: Minimum requirements for evaluating side-channel attack resistance of elliptic curve implementations. Downloadable via (2011)
  50. 50.
    Koblitz, N.: Elliptic curve cryptosystems. Math. Comput. 48, 203–209 (1987) MathSciNetMATHCrossRefGoogle Scholar
  51. 51.
    Lochter, M., Merkle, J.: Elliptic curve cryptography (ecc) brainpool standard curves and curve generation. IETF internet draft, RFC 5639 (March 2010) Google Scholar
  52. 52.
    Miller, V.: Use of elliptic curves in cryptography. In: Advances in Cryptology (CRYPTO’85). Lecture Notes in Computer Science, vol. 218, pp. 417–426. Springer, Berlin (1986) Google Scholar
  53. 53.
    Miller, V.: The Weil pairing, and its efficient calculation. J. Cryptology 17, 235–261 (2004) MathSciNetMATHCrossRefGoogle Scholar
  54. 54.
    Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals E 84, 1234–1243 (2001) Google Scholar
  55. 55.
    Menezes, A.J., Okamoto, T., Vanstone, S.A.: Reducing elliptic curve logarithms to a finite field. IEEE Trans. on Inform. Theory 39, 1639–1646 (1993) MathSciNetMATHCrossRefGoogle Scholar
  56. 56.
    NIST: Digital signature standard. FIPS publication 186-3 (2009) Google Scholar
  57. 57.
    NIST: Recommendation for key derivation through extraction-then-expansion. NIST special publication 800-56C (November 2011) Google Scholar
  58. 58.
    Nguyen, P.Q., Shparlinski, I.E.: The insecurity of the elliptic curve digital signature algorithm with partially known nonces. Des. Codes Cryptography 30(2), 201–217 (2003) MathSciNetMATHCrossRefGoogle Scholar
  59. 59.
    Paterson, K.: Cryptography from pairings (book chapter). In: Blake et al. [13] Google Scholar
  60. 60.
    Paterson, K.: Identity-based cryptography—panacea or pandemonium? Invited talk at 9th Workshop on Elliptic Curve Cryptography (ECC 2005). Available under, 2005
  61. 61.
    Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21, 120–126 (1978) MathSciNetMATHCrossRefGoogle Scholar
  62. 62.
    Shamir, A.: Identity based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) Advances in Cryptology (CRYPTO 1984), Santa Barbara. Lecture Notes in Computer Science, vol. 196, pp. 47–53. Springer, Berlin (1985) Google Scholar
  63. 63.
    Silverman, J.H.: Advanced Topics in the Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 151. Springer, Berlin (1994) MATHCrossRefGoogle Scholar
  64. 64.
    Silverman, J.H.: The xedni calculus and the elliptic curve discrete logarithm problem. Des. Codes Cryptography 20, 5–40 (2000) MATHCrossRefGoogle Scholar
  65. 65.
    Silverman, J.H.: The Arithmetic of Elliptic Curves, 2nd edn. Graduate Texts in Mathematics, vol. 106. Springer Berlin (2009) MATHCrossRefGoogle Scholar
  66. 66.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Symposium on Cryptography and Information Security (SCIS2000), Okinawa (2000) Google Scholar
  67. 67.
    Stinson, D.R.: Cryptography: Theory and Practice, 3rd edn. Chapman & Hall/CRC, London (2005) Google Scholar
  68. 68.
    Stichtenoth, H.: Algebraic Function Fields and Codes, 2 edn. Springer, Berlin (2008) Google Scholar
  69. 69.
    Urroz, J., Luca, F., Shparlinski, I.: On the number of isogeny classes of pairing-friendly elliptic curves and statistics of mnt curves. Math. Comput. 81, 1093–1110 (2012) MATHCrossRefGoogle Scholar
  70. 70.
    Verheul, E.: Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. J. Cryptology 17, 277–296 (2004) MathSciNetMATHGoogle Scholar
  71. 71.
    Vercauteren, F.: Optimal pairings. IEEE Trans. Inf. Theory 56(1), 455–461 (2010) MathSciNetCrossRefGoogle Scholar
  72. 72.
    Velichka, M.D., Jacobson, M.J. Jr., Stein, A.: Computing discrete logarithms in the jacobian of high-genus hyperelliptic curves over even characteristic finite fields. IACR Cryptol. ePrint Arch. 2011, 98 (2011) Google Scholar
  73. 73.
    Washington, L.C.: Elliptic Curves. Number Theory and Cryptography, 2nd edn. Chapman & Hall/CRC, Boca Raton (2008). xviii, 513 p. MATHCrossRefGoogle Scholar

Copyright information

© Deutsche Mathematiker-Vereinigung and Springer Verlag 2012

Authors and Affiliations

  • Florian Heß
    • 1
  • Andreas Stein
    • 1
  • Sandra Stein
    • 1
  • Manfred Lochter
    • 2
  1. 1.Institut für MathematikCarl von Ossietzky Universität OldenburgOldenburgGermany
  2. 2.Bundesamt für Sicherheit in der Informationstechnik (BSI)BonnGermany

Personalised recommendations