Cryptocurrency Cafeacutecs4501 Spring 2015David EvansUniversity of Virginia

Class 3Elliptic Curve Cryptography

y2 = x3 + 7

Project 1 will be posted by midnight tonight and is due on January 30

Plan for Today

Bitcoin Wallets and Passwords

Asymmetric Cryptography Recap

Transferring a Coin

Crash Course in Number Theory

Elliptic Curve Cryptography

1

Buying Bitcoin

2

3

4

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Plan for Today

Bitcoin Wallets and Passwords

Asymmetric Cryptography Recap

Transferring a Coin

Crash Course in Number Theory

Elliptic Curve Cryptography

1

Buying Bitcoin

2

3

4

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Buying Bitcoin

2

3

4

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

3

4

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

4

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

5

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

My Advice

6

Donrsquot waste brainpowerspace on passwords that donrsquot matterldquosillyrdquo is a fine password for most things than need one

Donrsquot follow any widely-available advicepassword cracker authors can read too

Humans cannot generate randomness and neither can youGenerate a random password

Share your password(but only with people with whom you are willing to raise children)

Write down your important passwordsStore them somewhere safe and write down in a way that someone who steals it wouldnrsquot be able to use

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Using Bitcoin in This Class

7

It is ldquorealrdquo money try not lose (all of) it (But you can do everything in this class with very small amounts)

If you do Irsquoll send you more (so long as you learned something from the loss) Everyone gets one embarrassment-free transfer

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Using Asymmetric Crypto Signatures

8

E DVerified Message

Signed MessageMessage

Insecure Channel

KUBKRB

Bob

Generates key pair KUB KRB

Publishes KUB

Anyone

Get KUB from trusted provider

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Transferring a Coin

9

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

How does Bob transfer x to Colleen (KUC)

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Transferring a Coin

10

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Transferring a Coin

11

Alice signs m1 = ldquoI give coin x = KUA t to address KUBrdquo with KRA

Bob signs m2 = ldquoI give coin x = KUA t given to me by m1to address KUCrdquo with KRB

Colleen signs m2 = ldquoI give coin x = KUA t given to me by m2to address KUDrdquo with KRC

hellipThis does not prevent double spending (Next week)

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Asymmetry RequiredNeed a function f that isEasy to compute

given x easy to compute f (x)

Hard to invertgiven f (x) hard to compute x

Has a trap-doorgiven f (x) and t

easy to compute x

12

Elliptic Curve Cryptography

13

14

Real numbers are useless

Elliptic Curve Cryptography

13

14

Real numbers are useless

14

Real numbers are useless

Groups

15

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 0

16

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Integers + a group

17

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Naturals + a group

18

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Rationals a group

Abelian Groups

19

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

16

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Integers + a group

17

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Naturals + a group

18

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Rationals a group

Abelian Groups

19

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

17

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Naturals + a group

18

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Rationals a group

Abelian Groups

19

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

18

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 0

Is Rationals a group

Abelian Groups

19

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Abelian Groups

19

A group is a set G on which the operation oplus is defined with the following properties1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such

that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

20

1 Closure for all a b isin G a oplus b isin G2 Associative for all a b c isin G (a oplus b) oplus c = a oplus (b oplus c)3 Identity there is some element 0 isin G such that

for all a isin G a oplus 0 = 0 oplus a = a4 Inverse for all a isin G there exists an inverse -a isin G such that a oplus (-a) = 05 Commutative for all a b isin G a oplus b = b oplus a

Is Rationals ndash 0 an abelian group

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Finite Fields

21

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under

the oplus operation2 The set F - 0 is an abelian group with identity 1

under the times operation3 Distributive For all a b c isin F

(a oplus b) times c = (a times c) oplus (b times c)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Know any finite

fields

22

A finite field is a set F of N ge 2 elements on which the operators oplus and times are defined with these properties1 The set F is an abelian group with identity 0 under the oplus operation2 The set F - 0 is an abelian group with identity 1 under the times

operation3 Distributive For all a b c isin F (a oplus b) times c = (a times c) oplus (b times c)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

23

0

1

2

34

5

6

GF(7)

Eacutevariste GaloisKilled in duel at 20

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Prime Fields

24

Prime Field Theorem For every prime number p the set 0 1 hellip p - 1 forms a finite field with the operations addition and multiplication modulo p

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

25

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

26

y2 = x3 + 7 in GF(3)

Elliptic Curves in Finite Fields

27

y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)

28

y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)

115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)

28

y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)

115 quattuorvigintillion 792 trevigintillion89 duovigintillion 237 unvigintillion 316 vigintillion 195 novemdecillion 423 octodecillion 570 septendecillion 985 sexdecillion 8 quindecillion 687 quattuordecillion 907 tredecillion 853 duodecillion 269 undecillion 984 decillion665 nonillion 640 octillion 564 septillion 39 sextillion 457 quintillion 584 quadrillion 7 trillion 908 billion 834 million 671 thousand 663(00012 times the number of atoms in the visible universe)

Addition on Elliptic Curves

29

y2 = x3 ndash 7 (mod p)

Addition P + Q= negate intersection of curve

with line through P and Q

P

Q

P + Q

Addition

30Image from httpwwwcoindeskcommath-behind-bitcoin

P + Q = R

What should we do if P = Q

Addition

31Image from httpwwwcoindeskcommath-behind-bitcoin

Same idea for finite fields (just more complex)

Picture is for F67

How would this look for Fhuge

Density of Elliptic Curve

32

y2 = x3 + 7 in GF(2256 - 232 - 29 - 28 - 27 - 26 - 24 - 1)

(Believed to be) Hard Problem

Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP

34

Charge

bull Investigate the bitcoin you received

bull Project 1 will be posted before midnight tonight and due on Jan 30

bull Readings Satoshirsquos original bitcoin paper Chapter 5

35

Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation

Next week preventing double spending

(Believed to be) Hard Problem

Elliptic curve discrete logarithm problem given points P and Q on an elliptic curve it is hard to find an integer k such that Q = kP

34

Charge

bull Investigate the bitcoin you received

bull Project 1 will be posted before midnight tonight and due on Jan 30

bull Readings Satoshirsquos original bitcoin paper Chapter 5

35

Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation

Next week preventing double spending

Charge

bull Investigate the bitcoin you received

bull Project 1 will be posted before midnight tonight and due on Jan 30

bull Readings Satoshirsquos original bitcoin paper Chapter 5

35

Next class how to use Elliptic Curve Crypto for signatures how (not) to use Elliptic Curves for pseudorandom number generation

Next week preventing double spending