
This is maybe a basic question, but I'm trying to better understand elliptic curve cryptography at a fundamental level.

I understand that a finite field is required in order to define a boundary for an elliptic curve.

Then, x,y values that satisfy the curve over this field represent the ec group of the curve.

My question is simple: how are the finite fields defined? They seem so arbitrary...

Example,

The finite fields for secp256k1 and curve25519 are

2^256 - 2^32 - 977

and

2^255 - 19 respectively...

My naive question is, how are these fields defined? They seem to be arbitrary bounds on the size of the ec group for the curves defined inside them.

I'm not asking why they are prime, but more why these numbers are chosen, and how the right size group is selected?

I did consider it was something to do with all of the elements satisfying some criteria, but really the values seem too large and arbitrary for that.

yyyyyyy
Woodstock

1 Answer

First, the size: the best attacks for breaking elliptic curve cryptography are algorithms that break the discrete log (given a point $P = kG$, find the integer $k$; which in ECC translates to: given the public key, find the private key). These attacks have complexity of $O(2^{n/2})$, where $n$ is the size of the field. So, in a 256-bit field (i.e. with a 256-bit $p$), the best attacks can break the algorithm with $2^{128}$ steps, which is similar to what is needed to break a single instance of a 128-bit key symmetric algorithm by brute force. This is usually called "128-bit level of security". In short: the field size must be double the desired security level. (I've omitted some details about cofactors, but they don't change the picture that much for commonly used curves.)

Now, the particular primes chosen: the computationally expensive part of ECC is field multiplication, which is composed of integer multiplication followed by reduction modulo $p$. Depending on the structure of $p$, this reduction can be computed faster. One example is primes having the form $2^k-c$ for small $c$ (Crandall primes), which is the case for secp256k1 and curve25519. The best case is a Mersenne prime, $2^k-1$, which is used by the NIST curve P-521 ($2^{521}-1$). Another common case is when the prime is composed of powers of multiples of a word size, such as P-256 ($2^{256}-2^{224}+2^{192}+2^{96}-1$), which are all multiples of 32. The reason why these lead to a faster implementation would probably require another question on the site, though; but for example, when $p = 2^k-1$, then $2^k \equiv 1 \pmod p$. If you write the result of the integer multiplication as $H + 2^kL$, then the reduction modulo $p$ will simply be $H + L \bmod p$.

Conrado
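A worked version of the reduction trick the answer describes, added here as an illustration and not part of Conrado's answer: reduction modulo a Crandall prime $p = 2^k - c$ (with $c = 1$ giving the Mersenne case of P-521), using only shifts, masks and small multiplications, checked against ordinary modular reduction on constructed inputs. The P-256 shape (powers of 2 at word boundaries) needs a different folding scheme and is not covered here.

```python
import random

# Added example, not code from the answer. Primes of the form p = 2^k - c,
# given as (k, c). For P-521, c = 1 (Mersenne prime).
CRANDALL_PRIMES = {
    "secp256k1": (256, 2**32 + 977),
    "curve25519": (255, 19),
    "P-521": (521, 1),
}

def crandall_reduce(x: int, k: int, c: int) -> int:
    """Reduce x >= 0 modulo p = 2^k - c without a general division.

    Since 2^k = c (mod p), an integer written as H + 2^k * L (H = low k bits,
    L = everything above) is congruent to H + c * L. Each fold shrinks x
    drastically because c is tiny compared with 2^k; once x < 2^k at most one
    subtraction of p remains (x < 2^k < 2p).
    """
    p = (1 << k) - c
    mask = (1 << k) - 1
    while x >> k:                  # still has bits at or above position k
        high = x >> k              # L
        low = x & mask             # H
        x = low + c * high         # 2^k * L  ->  c * L  (mod p)
    if x >= p:                     # final conditional subtraction
        x -= p
    return x

def field_mul(a: int, b: int, k: int, c: int) -> int:
    """Field multiplication: integer product followed by fast reduction."""
    return crandall_reduce(a * b, k, c)

def self_check(samples: int = 200, seed: int = 1) -> bool:
    """Compare the fast reduction with Python's % on constructed random inputs
    (uniform in [0, p^2), the range an integer product can occupy)."""
    rng = random.Random(seed)
    for k, c in CRANDALL_PRIMES.values():
        p = (1 << k) - c
        edge_cases = [0, 1, p - 1, p, p + 1, (p - 1) * (p - 1), p * p - 1]
        for x in edge_cases + [rng.randrange(p * p) for _ in range(samples)]:
            if crandall_reduce(x, k, c) != x % p:
                return False
    return True

if __name__ == "__main__":
    k, c = CRANDALL_PRIMES["curve25519"]
    print("fast reduction agrees with %:", self_check())
    print("(-1)*(-1) mod 2^255-19 =", field_mul((1 << k) - c - 1, (1 << k) - c - 1, k, c))
```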