Modern Cryptography Series — 02

Elliptic Curve
Cryptography

From the mathematics of elliptic curves over finite fields through NIST/IETF standards to hardware accelerator design and side-channel resistant implementations.

Mathematics Standards Hardware Code Attacks Interactive

Arrow keys or swipe to navigate · Esc for overview · F fullscreen

Roadmap

I. Foundations

Elliptic curves over ℝ, the group law, geometric intuition, algebraic addition formulas

II. Curves over Finite Fields

𝔽_p arithmetic, ECDLP, Hasse's theorem, scalar multiplication algorithms

III. Curve Forms

Short Weierstrass, Montgomery, twisted Edwards — coordinate systems & birational maps

IV. Standards & Protocols

NIST P-256/P-384/P-521, Curve25519, Curve448, ECDH, ECDSA, EdDSA

V. Attacks & Security

BSGS, Pollard's ρ, Pohlig-Hellman, MOV, Smart's attack, invalid curve attacks

VI. Hardware & Implementation

FPGA/ASIC accelerators, Montgomery ladder, projective coordinates, side-channel countermeasures

Why Elliptic Curve Cryptography?

The core advantage: equivalent security with dramatically smaller keys.

Security Level	RSA Key	ECC Key	Ratio
80 bits	1024 bits	160 bits	6:1
112 bits	2048 bits	224 bits	9:1
128 bits	3072 bits	256 bits	12:1
192 bits	7680 bits	384 bits	20:1
256 bits	15360 bits	521 bits	30:1

No subexponential algorithm is known for the ECDLP on properly chosen curves — unlike integer factorization (GNFS) or the DLP in 𝔽_p* (index calculus).

ECC is deployed in TLS 1.3, SSH, Bitcoin/Ethereum, Signal Protocol, Apple iMessage, WhatsApp, code signing, passkeys/FIDO2, and virtually all modern PKI.

Elliptic Curves over ℝ

Mathematics

An elliptic curve in short Weierstrass form:

y² = x³ + ax + b

where 4a³ + 27b² ≠ 0 (non-singular condition — no cusps or self-intersections).

The set of points (x, y) satisfying this equation, together with a special point at infinity 𝒪, forms an abelian group under a geometric addition law.

Discriminant

Δ = −16(4a³ + 27b²)

Δ > 0 → two connected components
Δ < 0 → one connected component

y² = x³ − x + 1 over ℝ

The Group Law — Geometric

Mathematics

Point Addition (P ≠ Q)

Draw a line through P and Q
The line intersects the curve at a third point R′
Reflect R′ over the x-axis to get R = P + Q

Point Doubling (P = Q)

Draw the tangent to the curve at P
The tangent intersects the curve at R′
Reflect R′ to get R = 2P

Identity element: The point at infinity 𝒪.
Inverse: −(x, y) = (x, −y) (reflection across x-axis).
Closure, associativity, commutativity all hold → abelian group.

Click canvas to cycle: add → double → inverse

The Group Law — Algebraic Formulas

Mathematics

For the curve y² = x³ + ax + b with P = (x₁, y₁) and Q = (x₂, y₂):

Addition (P ≠ Q)

λ = (y₂ - y₁) / (x₂ - x₁) x₃ = λ² - x₁ - x₂ y₃ = λ(x₁ - x₃) - y₁

Slope of secant line through P and Q

Doubling (P = Q)

λ = (3x₁² + a) / (2y₁) x₃ = λ² - 2x₁ y₃ = λ(x₁ - x₃) - y₁

Slope of tangent at P (implicit differentiation)

Special Cases

P + 𝒪 = P (identity)
P + (−P) = 𝒪 where −P = (x₁, −y₁) (inverse)
If y₁ = 0 when doubling → 2P = 𝒪 (point of order 2)

Cost: addition ≈ 1I + 2M + 1S in affine coordinates (I = field inversion, M = multiplication, S = squaring)

Elliptic Curves over Finite Fields

Mathematics

Replace ℝ with the prime field 𝔽_p = {0, 1, …, p−1}. All arithmetic is mod p.

y² ≡ x³ + ax + b (mod p)

The set E(𝔽_p) consists of all pairs (x, y) ∈ 𝔽_p × 𝔽_p satisfying the curve equation, plus 𝒪.

Hasse's Theorem: The number of points on E(𝔽_p) satisfies
|#E(𝔽_p) − (p + 1)| ≤ 2√p

The same algebraic formulas apply — just replace division with modular inverse (via extended Euclidean algorithm or Fermat's little theorem: a⁻¹ ≡ a^p−2 mod p).

Key insight: Over 𝔽_p, the points form a finite abelian group. The geometric "line-intersect-reflect" still applies algebraically even though the visual geometry is lost.

y² ≡ x³ + 2x + 3 (mod 97) — 100 points shown

The Elliptic Curve Discrete Logarithm Problem

Mathematics

Definition (ECDLP): Given an elliptic curve E over 𝔽_p, a generator point G of order n, and a point Q = kG, find the scalar k.

The Trapdoor

Easy (forward): Given k and G, compute Q = kG in O(log k) group operations using double-and-add
Hard (reverse): Given Q and G, find k — best known generic algorithm is O(√n) with Pollard's ρ

Security Levels

Curve Size	ECDLP Work	≈ Security
160 bits	2⁸⁰	80-bit
256 bits	2¹²⁸	128-bit
384 bits	2¹⁹²	192-bit
521 bits	2²⁶⁰	256-bit

No subexponential classical algorithm exists for properly chosen curves. Compare: RSA-3072 has security ~2¹²⁸ but uses the GNFS which is subexponential — this is why ECC keys are so much shorter.

Scalar Multiplication Algorithms

Mathematics Hardware

Computing Q = kG efficiently is the critical operation in every ECC protocol.

Double-and-Add (Binary Method)

def scalar_mult(k, P):
    """Left-to-right binary method"""
    R = INFINITY
    for bit in bin(k)[2:]:  # MSB to LSB
        R = point_double(R)
        if bit == '1':
            R = point_add(R, P)
    return R

Cost: ≈ log₂(k) doublings + (HW(k)−1) additions, where HW = Hamming weight

NAF (Non-Adjacent Form)

Recode k using digits {−1, 0, 1} with no two consecutive non-zero digits. Average density: 1/3 vs 1/2 for binary.

Example: k = 7 Binary: 111 \to 3 adds NAF: 100̄1 (= 8 - 1) \to 1 add + 1 sub

Windowed Methods

w-NAF: precompute {G, 3G, 5G, …, (2^w−1)G}, then scan k in windows of w bits. Reduces additions to ≈ n/(w+1).

The Montgomery Ladder

Hardware Constant-Time

Peter Montgomery (1987): a constant-time scalar multiplication using only x-coordinates.

def montgomery_ladder(k, P):
    """Constant-time scalar mult"""
    R0 = INFINITY
    R1 = P
    for bit in bin(k)[2:]:  # MSB first
        if bit == '0':
            R1 = point_add(R0, R1)
            R0 = point_double(R0)
        else:
            R0 = point_add(R0, R1)
            R1 = point_double(R1)
    return R0

Key Properties

Constant-time: always performs 1 add + 1 double per bit — no branching on secret data
x-only: works with projective X:Z coordinates on Montgomery curves — no y needed until recovery
Differential: maintains R1 − R0 = P at every step
Side-channel resistant: uniform execution pattern defeats SPA

Cost on Montgomery curve: ≈ 5M + 4S + 1×(a24) per bit, where a24 = (A−2)/4. For Curve25519, a24 = 121665.

Curve Forms: Short Weierstrass

Mathematics

y² = x³ + ax + b over 𝔽_p, char ≠ 2, 3

Properties

Most general standard form
Used by NIST P-curves and secp256k1
Can represent any elliptic curve (up to isomorphism) when char(K) ≠ 2, 3
Prime-order groups possible (cofactor h = 1)

Coordinate Systems

Coordinates	Addition	Doubling
Affine	1I+2M+1S	1I+2M+2S
Projective	12M+2S	5M+6S
Jacobian	11M+5S	1M+8S
Mixed Jacobian	7M+4S	—

NIST P-256 Optimization: a = −3

All NIST prime curves use a = −3, which saves one multiplication in the doubling formula:

λ = 3(x₁ - Z₁²)(x₁ + Z₁²) instead of 3x₁² + a\cdotZ₁⁴

Limitation: Addition formulas have exceptional cases — P = Q, P = −Q, P = 𝒪 — requiring conditional branches, which leak via side-channels.

Complete addition formulas for prime-order Weierstrass curves exist (Renes, Costello, Batina 2016) but cost more: 12M + 2S + 6a + 1b.

Curve Forms: Montgomery

Mathematics

Bv² = u³ + Au² + u A ≠ ±2, B ≠ 0

Properties

Introduced by Peter Montgomery (1987) for ECM factorization
Group order always divisible by 4 (cofactor h ≥ 4)
x-only arithmetic: differential addition uses only X:Z projective coords
Naturally constant-time via the Montgomery ladder

Differential Addition (x-only)

Given x(P), x(Q), x(P-Q): X₊ = Z₋ \cdot (X_P\cdotX_Q - Z_P\cdotZ_Q)² Z₊ = X₋ \cdot (X_P\cdotZ_Q - Z_P\cdotX_Q)²

Cost: 4M + 2S per step. Doubling: 2M + 2S + 1×a24

Key Curves

Curve	A	p	Security
Curve25519	486662	2²⁵⁵ − 19	~128 bit
Curve448	39081	2⁴⁴⁸ − 2²²⁴ − 1	~224 bit

Why these primes? Pseudo-Mersenne form enables fast modular reduction with a few additions/shifts instead of expensive division.

Curve25519: p = 2²⁵⁵ − 19 → reduction costs ~1 multiplication by 19.
Curve448: Goldilocks prime → Karatsuba-friendly 2×224-bit limb decomposition.

Curve Forms: (Twisted) Edwards

Mathematics

ax² + y² = 1 + dx²y² (twisted Edwards, a ≠ d)

Addition Law

(x₁, y₁) + (x₂, y₂) = ( (x₁y₂ + y₁x₂) / (1 + dx₁x₂y₁y₂), (y₁y₂ - ax₁x₂) / (1 - dx₁x₂y₁y₂) )

Complete addition law: When d is not a square in 𝔽_p, the denominators are never zero for any inputs on the curve. No exceptional cases — the same formula handles addition, doubling, identity, and inverses.

Neutral element: (0, 1)
Inverse: −(x, y) = (−x, y)

Why Edwards Curves Matter

Complete: No branches on secret data → inherently side-channel resistant
Unified: Same formula for add and double → simplifies hardware
Fast: Extended coordinates: 8M for add, 4M+4S for double

edwards25519

−x² + y² = 1 + d·x²y²
d = −121665/121666 mod p
Birationally equivalent to Curve25519
Used by Ed25519 (EdDSA signatures)

Birational Equivalences

Mathematics

The three curve forms are related by rational maps that preserve the group structure.

Montgomery
Bv² = u³ + Au² + u ⟷ Twisted Edwards
ax² + y² = 1 + dx²y² ⟷ Weierstrass
Y² = X³ + aX + b

Montgomery ↔ Twisted Edwards

(u, v) \to (x, y) = (u/v, (u-1)/(u+1)) a = (A+2)/B, d = (A-2)/B

Exceptions: points where v = 0 or u = −1

Montgomery → Weierstrass

(u, v) \to (X, Y) = (u/B + A/(3B), v/B) a W = (3 - A²)/(3B²) b W = (2A³ - 9A)/(27B³)

Practical Implications

X25519 (ECDH): Uses Montgomery x-only ladder on Curve25519
Ed25519 (EdDSA): Uses twisted Edwards addition on edwards25519
Same underlying curve — keys can be converted between the two forms

Coordinate Systems in Practice

Hardware

Avoiding field inversions is crucial — 1 inversion ≈ 80–100 multiplications.

System	Representation	Add Cost	Double Cost	Notes
Affine	(x, y)	1I+2M+1S	1I+2M+2S	Inversion per operation
Projective	(X:Y:Z), x=X/Z, y=Y/Z	12M+2S	5M+6S	Weierstrass
Jacobian	(X:Y:Z), x=X/Z², y=Y/Z³	11M+5S	1M+8S	Fast doubling; NIST P-curves
Extended	(X:Y:Z:T), xy=T/Z	8M	4M+4S	Twisted Edwards; Ed25519
Montgomery x-only	(X:Z), x=X/Z	4M+2S*	2M+2S+1D	Differential; X25519
Co-Z	Shared Z coordinate	5M+2S	—	NIST P-256 ladder

*Montgomery addition requires the difference point. D = multiplication by curve constant a24.

Strategy: Perform all intermediate operations in projective/Jacobian/extended coordinates, paying zero inversions, then convert back to affine at the very end with a single inversion.

Standard Elliptic Curves

Standards

Curve	Form	Field	Order Bits	Cofactor	Security	Standards
P-256	Weierstrass	𝔽_p, p = 2²⁵⁶ − 2²²⁴ + 2¹⁹² + 2⁹⁶ − 1	256	1	128	FIPS 186-5, SP 800-186, Suite B
P-384	Weierstrass	𝔽_p, 384-bit NIST prime	384	1	192	FIPS 186-5, CNSA 1.0
P-521	Weierstrass	𝔽_p, p = 2⁵²¹ − 1	521	1	256	FIPS 186-5
Curve25519	Montgomery	𝔽_p, p = 2²⁵⁵ − 19	253	8	~128	RFC 7748, SP 800-186
Curve448	Montgomery	𝔽_p, p = 2⁴⁴⁸ − 2²²⁴ − 1	446	4	~224	RFC 7748, SP 800-186
edwards25519	Twisted Edwards	(same as Curve25519)	253	8	~128	RFC 8032 (Ed25519)
edwards448	Edwards	(same as Curve448)	446	4	~224	RFC 8032 (Ed448)
secp256k1	Weierstrass	𝔽_p, p = 2²⁵⁶ − 2³² − 977	256	1	128	SEC 2 (Bitcoin)
BrainpoolP256r1	Weierstrass	256-bit random prime	256	1	128	RFC 5639

NIST SP 800-186 (2023): Adds Curve25519/Curve448 and their Edwards forms. Deprecates all binary field curves. Recommends prime-field curves only for new implementations.

Deep Dive: Curve25519 / X25519 / Ed25519

Standards

Design Principles (Bernstein, 2006)

Prime shape: p = 2²⁵⁵ − 19 enables fast reduction (multiply high limbs by 19 and add to low limbs)
Laddering: Montgomery form → constant-time x-only ladder
Cofactor 8: Clamping clears low 3 bits of scalar (multiple of 8) and sets bit 254 — prevents small-subgroup attacks and ensures constant-time
Twist security: Both curve and quadratic twist have large prime-order subgroups — protects against invalid-curve faults
A = 486662: Smallest A satisfying all security criteria

Performance

Operation	Time (Haswell)
X25519 ECDH	~145,000 cycles
Ed25519 sign	~87,000 cycles
Ed25519 verify	~207,000 cycles
P-256 ECDH	~260,000 cycles

Deployment

TLS 1.3 (default key exchange), Signal Protocol, WhatsApp, SSH (Ed25519 keys), WireGuard, age encryption, FIDO2/Passkeys, Tor

ECDH: Elliptic Curve Diffie-Hellman

Protocol

Alice	Channel	Bob
Choose private key a ∈ [1, n−1]		Choose private key b ∈ [1, n−1]
Compute A = aG	A →
	← B	Compute B = bG
Compute S = aB = abG		Compute S = bA = baG
Shared secret: S = abG

X25519 (RFC 7748)

Clamp 32-byte private key (clear bits 0–2, set bit 254, clear bit 255)
Montgomery ladder on u-coordinate only
Output: 32-byte shared secret
Derive symmetric key via HKDF

ECDH on NIST P-256

Validate peer's public key is on curve
Scalar multiply with private key
Output: x-coordinate of shared point
Feed into KDF (SP 800-56C)

Must validate public key — otherwise invalid curve attacks!

ECDSA: Elliptic Curve Digital Signature Algorithm

Protocol

Key Generation

Private key: d ∈ [1, n−1] random
Public key: Q = dG

Signing (message m)

e = HASH(m), truncate to bitlength of n
Choose random k ∈ [1, n−1]
Compute (x₁, y₁) = kG
r = x₁ mod n (if r = 0, restart)
s = k⁻¹(e + rd) mod n (if s = 0, restart)
Signature = (r, s)

Verification

Check r, s ∈ [1, n−1]
e = HASH(m)
w = s⁻¹ mod n
u₁ = ew mod n, u₂ = rw mod n
Compute (x₁, y₁) = u₁G + u₂Q
Accept if x₁ mod n = r

Critical: The nonce k must be truly random and unique per signature. Reusing k leaks the private key directly:
d = (s·k − e) · r⁻¹ mod n

RFC 6979: Deterministic ECDSA — derives k = HMAC-DRBG(d, HASH(m)), eliminating random nonce failures.

EdDSA: Edwards-Curve Digital Signature Algorithm

Protocol

RFC 8032 — deterministic Schnorr-type signatures on twisted Edwards curves.

Ed25519 Signing

Private seed: 32 random bytes → SHA-512 → (a, prefix)
a = scalar (clamped), prefix = 32 bytes
r = SHA-512(prefix ‖ m) mod ℓ
Deterministic nonce — no RNG needed!
R = rB (B = base point on edwards25519)
S = (r + SHA-512(R ‖ A ‖ m) · a) mod ℓ
Signature: (R, S) = 64 bytes

Verification

Check: 8·S·B = 8·R + 8·SHA-512(R‖A‖m)·A
(cofactor 8 multiplication clears small-order components)

EdDSA vs ECDSA

Property	ECDSA	EdDSA
Nonce	Random (or RFC 6979)	Deterministic
Curve form	Weierstrass	Twisted Edwards
Addition law	Incomplete	Complete
Signature size	~72 bytes (DER)	64 bytes (fixed)
Batch verify	Limited	Native support
Malleability	s ↔ n−s	Canonical S
Standards	FIPS 186-5	RFC 8032

Attacks on the ECDLP

Attacks

Attack	Complexity	Requirements	Countermeasure
Baby-Step Giant-Step	O(√n) time, O(√n) space	Generic group	n ≥ 2²⁵⁶
Pollard's ρ	O(√(πn/2)) time, O(1) space	Generic group	n ≥ 2²⁵⁶
Pohlig-Hellman	O(√p_max)	n has small prime factors	Use (near-)prime order n
MOV / Frey-Rück	Subexponential (via pairings)	Low embedding degree	Embedding degree k ≥ 20
Smart's Attack	O(n) — linear!	Anomalous curve: #E = p	Ensure #E ≠ p
Invalid Curve	Varies	No point validation	Validate public keys
Small Subgroup	O(√h)	Large cofactor + no cofactor mult	Cofactor validation / clamping
Shor's (Quantum)	Polynomial	CRQC (~2330 qubits for 256-bit)	Post-quantum migration

SafeCurves Criteria

Daniel Bernstein & Tanja Lange's SafeCurves project evaluates curves against: ECDLP security, twist security, completeness, indistinguishability, and implementation safety. Curve25519 and Curve448 pass all criteria. Several NIST curves do not pass all (e.g., twist security, rigidity).

Real-World ECC Failures

Case Studies

Sony PS3 ECDSA Nonce Reuse (2010)

Sony used a static value of k for all ECDSA signatures on PS3 firmware. fail0verflow recovered the private key with basic algebra: d = (s·k − e)·r⁻¹ mod n. Complete compromise of PS3 code signing.

Android Bitcoin Wallet RNG Failure (2013)

Android's SecureRandom produced duplicate ECDSA nonces across different transactions. Attackers extracted private keys from the blockchain, stealing ~55 BTC.

Minerva Timing Attack (2019)

Timing leakage in scalar multiplication on smart cards allowed recovery of ECDSA private keys via lattice-based analysis of biased nonces. Affected Athena IDProtect and other JavaCard implementations.

Dual_EC_DRBG NSA Backdoor (2013)

The NIST-standardized PRNG used two EC points P and Q. If Q = eP for a secret e known to NSA, the output could predict future random numbers, compromising any ECC keys generated with it.

ECC Hardware Accelerator Architecture

Hardware

Three-level hierarchy for scalar multiplication Q = kP:

Level 3: Scalar Multiplication
Montgomery Ladder / Double-and-Add / w-NAF

Level 2: Point Operations
Point Addition · Point Doubling · Mixed Addition

Level 1: Modular Arithmetic
Mod Multiply · Mod Square · Mod Add/Sub · Mod Inverse

Level 0: Multi-Precision Arithmetic
Big-integer multiply (Karatsuba / Schoolbook) · Reduction (Barrett / Montgomery)

Performance Bottleneck

Modular multiplication dominates: ~90% of total computation. One 256-bit scalar multiplication requires ~3000-4000 modular multiplications.

Parallelism Opportunity

Point add needs 11-16 sequential field multiplications. Pipelining & parallel multiplier banks (2× or 4×) can cut latency significantly.

Montgomery Modular Multiplication

Hardware

The workhorse of ECC hardware — avoids expensive trial division.

Algorithm

Work in "Montgomery domain": ā = a·R mod p, where R = 2ⁿ.

MonPro(ā, b̄) = ā\cdotb̄\cdotR⁻¹ mod p 1. t = ā \cdot b̄ 2. u = (t \cdot (-p⁻¹ mod R)) mod R 3. result = (t + u\cdotp) / R 4. if result \geq p: result -= p

The division by R is a simple right-shift since R = 2ⁿ

Hardware Variants

Architecture	Latency	Area
Bit-serial	O(n²)	O(n)
Word-serial (w bits)	O(n²/w)	O(n·w)
Systolic array	O(n)	O(n²)
Full parallel	O(1)*	O(n²)

*Pipelined — one result per clock after filling

For Curve25519: the prime p = 2²⁵⁵ − 19 allows multiplier-less reduction — multiply overflow by 19 (shift + add).

Implementation Results: FPGA & ASIC

Hardware

Design	Curve	Platform	Area	Freq	Latency	Throughput
Hossain 2016	P-256	Virtex-5	5,710 slices	256 MHz	5.26 ms	48.7 kbps
Marzouqi 2019	P-256	Virtex-7	3,200 LUTs	285 MHz	1.39 ms	184 kbps
Amiet 2021	P-256	Virtex-7	23.7k LUTs	225 MHz	0.56 ms	457 kbps
Scientific Reports 2025	Ed25519	Virtex-5	—	117.8 MHz	1.4 ms	183 kbps

Unified Curve25519+Curve448	Both	28nm ASIC	1096 kGE	100 MHz	0.43 ms (Curve25519)	—
Low-power ASIC	Curve25519	65nm	49 kGE	65 MHz	3.9 ms	—
ANSSI IPECC	Any GF(p)	Zynq-7000	~8k LUTs + DSPs	100 MHz	~3 ms	Flexible

Design Trade-offs

Area-optimized: Single multiplier, sequential scheduling. Good for IoT/smartcards (~50 kGE).

Performance-optimized: 4× parallel multiplier banks, pipelined. Good for TLS offload (~1000 kGE).

Side-Channel Countermeasures for ECC

Hardware Defense

Attack	Countermeasure	Cost
SPA (Simple Power Analysis)	Montgomery ladder / unified formulas / regular execution patterns	Minimal
DPA (Differential Power Analysis)	Scalar blinding: k′ = k + r·n (random r)	+1 big multiply
DPA	Point blinding: add random point, subtract at end	+2 point adds
DPA	Projective coordinate randomization: (X:Y:Z) → (λX:λY:λZ)	+3 field mults
Timing	Constant-time field operations (no branches on secret data)	Design discipline
Fault injection	Point-on-curve checks, redundant computation, error detection	~2× area
EM emanation	Dual-rail logic (WDDL/SABL), shuffle, random delays	2-3× area
Invalid curve	Validate input points: check y² = x³+ax+b, check nQ = 𝒪	1 scalar mult

Edwards Curves: Inherent Advantages

Complete addition law → no exceptional cases → no conditional branches → SPA-resistant by construction. Combined with projective coordinate randomization and scalar blinding → strong multi-countermeasure profile with lower overhead than Weierstrass implementations.

RTL: Montgomery Modular Multiplier

SystemVerilog

module mont_mul #(
    parameter N = 256   // Bit width
)(
    input  logic         clk, rst, start,
    input  logic [N-1:0] a, b, p,  // a, b in Montgomery domain
    input  logic [N-1:0] p_inv,    // -p^(-1) mod 2^N
    output logic [N-1:0] result,
    output logic         done
);
    logic [2*N:0] t, u_full;
    logic [N:0]   res;
    
    typedef enum logic [1:0] {IDLE, COMPUTE, REDUCE, DONE} state_t;
    state_t state;
    
    always_ff @(posedge clk or posedge rst) begin
        if (rst) begin
            state  <= IDLE;
            done   <= 0;
        end else case (state)
            IDLE: if (start) begin
                t     <= a * b;                    // Step 1: full product
                state <= COMPUTE;
                done  <= 0;
            end
            COMPUTE: begin
                u_full <= (t[N-1:0] * p_inv);      // Step 2: u = t * (-p^-1) mod R
                state  <= REDUCE;
            end
            REDUCE: begin
                res   <= (t + u_full[N-1:0] * p) >> N; // Step 3: (t + u*p) / R
                state <= DONE;
            end
            DONE: begin
                result <= (res >= p) ? res - p : res[N-1:0];
                done   <= 1;
                state  <= IDLE;
            end
        endcase
    end
endmodule

Simplified 3-cycle design. Production versions use word-serial or systolic architectures for area efficiency.

RTL: Jacobian Point Addition Scheduler

SystemVerilog

// Jacobian point addition: P3 = P1 + P2
// P1 = (X1:Y1:Z1), P2 = (X2:Y2:1) [mixed add]
// Cost: 7M + 4S  (a = -3 optimization)
// 
// Schedule (7 rounds with single multiplier):
//   R1: U2 = X2*Z1^2         S2 = Y2*Z1^3
//   R2: H  = U2 - X1         R  = S2 - Y1
//   R3: H2 = H^2             H3 = H*H2
//   R4: X1H2 = X1*H2
//   R5: X3 = R^2 - H3 - 2*X1H2
//   R6: Y3 = R*(X1H2 - X3) - Y1*H3
//   R7: Z3 = Z1 * H

module ecc_point_add_ctrl (
    input  logic clk, rst, start,
    input  logic mul_done,          // from Montgomery multiplier
    output logic [2:0] mul_sel_a,   // register file address for operand A
    output logic [2:0] mul_sel_b,   // register file address for operand B  
    output logic [2:0] result_dst,  // where to store result
    output logic mul_start,
    output logic done
);
    // FSM with 11 states for 7M + 4S operations
    // Parallelism: dual multipliers can overlap rounds
    // ... (full FSM omitted for clarity)
endmodule

Production ECC accelerators schedule 11M+5S (Jacobian) or 8M (extended Edwards) across 2-4 parallel multiplier units, achieving 4-6 rounds of computation per point operation.

Python: ECDH on a Toy Curve

Code

"""Elliptic Curve Diffie-Hellman on y^2 = x^3 + 2x + 3 mod 97"""
p = 97; a = 2; b = 3

def modinv(x, m=p):
    return pow(x, m - 2, m)  # Fermat's little theorem

def point_add(P, Q):
    if P is None: return Q
    if Q is None: return P
    x1, y1 = P; x2, y2 = Q
    if x1 == x2 and y1 != y2: return None  # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + a) * modinv(2 * y1) % p
    else:
        lam = (y2 - y1) * modinv(x2 - x1) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, P):
    R = None
    for bit in bin(k)[2:]:
        R = point_add(R, R)
        if bit == '1': R = point_add(R, P)
    return R

G = (3, 6)     # Generator point
n = 5           # Order of G (toy example)

# Alice & Bob
a_priv = 3;  A_pub = scalar_mult(a_priv, G)  # (80, 87)
b_priv = 4;  B_pub = scalar_mult(b_priv, G)  # (80, 10)

shared_A = scalar_mult(a_priv, B_pub)  # Alice computes
shared_B = scalar_mult(b_priv, A_pub)  # Bob computes
assert shared_A == shared_B            # Same point!
print(f"Shared secret: {shared_A}")    # (3, 91)

Interactive: Point Addition on E(𝔽_p)

Interactive

Curve: y² ≡ x³ + 2x + 3 (mod 97)

Click a point on the canvas to select P, then click again for Q. The sum P + Q will be shown.

All 100 points on E(𝔽₉₇):

Interactive: Scalar Multiplication kG

Interactive

Curve: y² ≡ x³ + 2x + 3 (mod 97)

Generator G: (3, 6)

k = 1

ECC in TLS 1.3

Deployment

TLS 1.3 mandates ECC — X25519 is the most common key exchange.

TLS 1.3 Handshake (1-RTT)

Client		Server
Generate ephemeral X25519 keypair	→ ClientHello + key_share(X25519 public)
	← ServerHello + key_share(X25519 public)	Generate ephemeral X25519 keypair
Both compute: shared_secret = X25519(my_private, peer_public)
→ HKDF-Expand → handshake keys → application keys
	← {Certificate, CertificateVerify} Ed25519 or ECDSA-P256 signature	Sign transcript with long-term key

Key exchange groups in TLS 1.3: x25519 (0x001D, most popular), secp256r1 (0x0017), x448 (0x001E), secp384r1 (0x0018), secp521r1 (0x0019). Post-quantum hybrids (X25519+ML-KEM-768) are being deployed.

ECC Deployment Landscape

Deployment

Application	Curve(s)	Protocol	Use
TLS 1.3	X25519, P-256	ECDHE + ECDSA/EdDSA	Key exchange + server auth
SSH	Ed25519, P-256	EdDSA, ECDSA	User/host authentication
Bitcoin	secp256k1	ECDSA	Transaction signing
Ethereum	secp256k1	ECDSA (+ BLS on beacon)	Transaction + consensus
Signal / WhatsApp	Curve25519	X3DH + Double Ratchet	E2E encrypted messaging
WireGuard VPN	Curve25519	Noise_IK(X25519)	Tunnel establishment
FIDO2 / Passkeys	P-256, Ed25519	WebAuthn ECDSA/EdDSA	Passwordless auth
Apple iMessage	P-256	ECDH + ECDSA	E2E encryption + signing
Tor	Curve25519 (ntor)	X25519	Circuit establishment
Code Signing	P-256, Ed25519	ECDSA, EdDSA	Software integrity
IoT / Embedded	P-256, Curve25519	ECDH, ECDSA	Constrained-device TLS
Smart Cards	P-256, BrainpoolP256	ECDSA, ECDH	EMV, ePassport, PIV

ECC vs RSA: Performance Comparison

Analysis

At the 128-bit security level (P-256 / Curve25519 vs RSA-3072):

Operation	RSA-3072	ECDSA P-256	Ed25519	X25519
Key generation	~50 ms	~0.1 ms	~0.05 ms	~0.05 ms
Public key size	384 bytes	33 bytes	32 bytes	32 bytes
Private key size	~1.5 KB	32 bytes	32 bytes	32 bytes
Signature size	384 bytes	64 bytes	64 bytes	—
Sign	~1.5 ms	~0.15 ms	~0.08 ms	—
Verify	~0.04 ms	~0.4 ms	~0.2 ms	—
Key exchange	~1.5 ms	~0.3 ms	—	~0.14 ms

Approximate timings on modern x86-64 (Haswell/Skylake). RSA verify is fast due to small public exponent e = 65537.

Bandwidth matters: In TLS, ECC's 32-byte keys vs RSA's 384-byte keys compound across billions of connections per day. This is why TLS 1.3 favors X25519+Ed25519.

The Quantum Threat to ECC

Quantum

Shor's Algorithm

A quantum computer running Shor's algorithm can solve ECDLP in polynomial time.

Quantum resources for 256-bit ECC:

~2,330 logical qubits
~126 billion Toffoli gates
Far exceeds current quantum hardware

Compare: RSA-2048 needs ~4,098 qubits — ECC is actually easier for quantum computers than RSA at equivalent classical security.

Migration Timeline

Milestone	Date
NIST PQC standards finalized	Aug 2024
CNSA 2.0: PQ for firmware/software signing	2025
CNSA 2.0: PQ for web/cloud	2025-2030
NIST deprecate ECC-only	2030
NIST disallow ECC-only	2035

Hybrid Approach

X25519 + ML-KEM-768 in TLS 1.3 — combine classical and post-quantum security. Already deployed in Chrome, Firefox, Cloudflare.

Curve Form Comparison Summary

Property	Short Weierstrass	Montgomery	Twisted Edwards
Equation	y² = x³ + ax + b	Bv² = u³ + Au² + u	ax² + y² = 1 + dx²y²
Prime order possible?	Yes	No (h ≥ 4)	No (h ≥ 4)
Complete addition law?	Yes (Renes 2016, costly)	N/A (x-only)	Yes (when d non-square)
Best add cost	7M + 4S (mixed Jacobian)	4M + 2S (diff.)	8M (extended)
Best double cost	1M + 8S (Jacobian, a=-3)	2M + 2S + 1D	4M + 4S (extended)
Constant-time ease	Requires care	Natural (ladder)	Natural (complete)
Key curves	P-256, P-384, secp256k1	Curve25519, Curve448	edwards25519, edwards448
Primary use	ECDSA, ECDH (NIST)	X25519/X448 (ECDH)	Ed25519/Ed448 (EdDSA)
FIPS approved?	Yes	Yes (SP 800-186)	Yes (SP 800-186)

Modern best practice: Use X25519 for key exchange (Montgomery ladder, constant-time) and Ed25519 for signatures (complete Edwards addition, deterministic nonces). Fall back to P-256 for FIPS compliance where Curve25519 is not yet approved in your specific protocol.

References

Standards: FIPS 186-5 (DSS) · NIST SP 800-186 (ECC Curves, 2023) · RFC 7748 (X25519/X448) · RFC 8032 (EdDSA) · RFC 6979 (Deterministic ECDSA) · SEC 2 (SECG Curves) · RFC 5639 (Brainpool) · NIST IR 8547 (PQC Transition)

Foundations: Koblitz, "Elliptic Curve Cryptosystems" (1987) · Miller, "Use of Elliptic Curves in Cryptography" (CRYPTO 1985) · Montgomery, "Speeding the Pollard and EC Methods of Factorization" (1987) · Edwards, "A Normal Form for Elliptic Curves" (2007) · Bernstein & Lange, "Faster Addition and Doubling on Elliptic Curves" (ASIACRYPT 2007)

Curves: Bernstein, "Curve25519: New Diffie-Hellman Speed Records" (2006) · Hamburg, "Ed448-Goldilocks" (2015) · Bernstein & Lange, SafeCurves (safecurves.cr.yp.to)

Implementation: Renes, Costello, Batina, "Complete Addition Formulas for Prime Order Elliptic Curves" (2016) · Bernstein & Lange, "Montgomery Curves and the Montgomery Ladder" (2017) · Hankerson, Menezes, Vanstone, "Guide to Elliptic Curve Cryptography" (Springer, 2004)

Hardware: High-Performance Curve25519 & Curve448 Unified Accelerator (2025) · ANSSI IPECC VHDL IP · Low-Latency Twisted Edwards FPGA (Scientific Reports, 2025) · Area-Efficient ECSM over Prime Field (Microprocessors & Microsystems, 2023)

Attacks: Pohlig & Hellman (1978) · Pollard, "Monte Carlo Methods for Index Computation" (1978) · Smart, "The Discrete Logarithm Problem on Elliptic Curves of Trace One" (1999) · Menezes, Okamoto, Vanstone, "Reducing ECDLP to DLP over Extension Fields" (1993)

Modern Cryptography Series — 02

Elliptic Curve
Cryptography

38 slides · Mathematics · Standards · Hardware · Code · Attacks · Interactive

Key Takeaways:

ECC provides equivalent security to RSA with 10-30× smaller keys
Edwards curves offer complete addition laws — inherently side-channel resistant
X25519 + Ed25519 represent the modern state of the art
Quantum computers will break ECC — hybrid PQ migration is underway

← Back to Series · Next: 03 — AES Design & Implementation

Elliptic CurveCryptography

Roadmap

I. Foundations

II. Curves over Finite Fields

III. Curve Forms

IV. Standards & Protocols

V. Attacks & Security

VI. Hardware & Implementation

Why Elliptic Curve Cryptography?

Elliptic Curves over ℝ

Discriminant

The Group Law — Geometric

Point Addition (P ≠ Q)

Point Doubling (P = Q)

The Group Law — Algebraic Formulas

Addition (P ≠ Q)

Doubling (P = Q)

Special Cases

Elliptic Curves over Finite Fields

The Elliptic Curve Discrete Logarithm Problem

The Trapdoor

Security Levels

Scalar Multiplication Algorithms

Double-and-Add (Binary Method)

NAF (Non-Adjacent Form)

Windowed Methods

The Montgomery Ladder

Key Properties

Curve Forms: Short Weierstrass

Properties

Coordinate Systems

NIST P-256 Optimization: a = −3

Curve Forms: Montgomery

Properties

Differential Addition (x-only)

Key Curves

Curve Forms: (Twisted) Edwards

Addition Law

Why Edwards Curves Matter

edwards25519

Birational Equivalences

Montgomery ↔ Twisted Edwards

Montgomery → Weierstrass

Practical Implications

Coordinate Systems in Practice

Standard Elliptic Curves

Deep Dive: Curve25519 / X25519 / Ed25519

Design Principles (Bernstein, 2006)

Performance

Deployment

ECDH: Elliptic Curve Diffie-Hellman

X25519 (RFC 7748)

ECDH on NIST P-256

ECDSA: Elliptic Curve Digital Signature Algorithm

Key Generation

Signing (message m)

Verification

EdDSA: Edwards-Curve Digital Signature Algorithm

Ed25519 Signing

Verification

EdDSA vs ECDSA

Attacks on the ECDLP

SafeCurves Criteria

Real-World ECC Failures

Sony PS3 ECDSA Nonce Reuse (2010)

Android Bitcoin Wallet RNG Failure (2013)

Minerva Timing Attack (2019)

Dual_EC_DRBG NSA Backdoor (2013)

ECC Hardware Accelerator Architecture

Performance Bottleneck

Parallelism Opportunity

Montgomery Modular Multiplication

Algorithm

Hardware Variants

Implementation Results: FPGA & ASIC

Design Trade-offs

Side-Channel Countermeasures for ECC

Edwards Curves: Inherent Advantages

RTL: Montgomery Modular Multiplier

RTL: Jacobian Point Addition Scheduler

Elliptic Curve
Cryptography

Interactive: Point Addition on E(𝔽_p)

Elliptic Curve
Cryptography