Elliptic Curve Families

Title: Elliptic Curve Families

Author: Written with the help of OpenAI

Read: 20 min

Description: Provides a basic understanding of the different elliptic curve families that are commonly used in cryptography.

Body:

Here are some elliptic curves:

  • The NIST P-256 curve, which is defined by the equation y^2 = x^3 - 3x + b, where b = 41058363725152142129326129780047268409114441015993725554835256314039467401291.

  • The NIST P-384 curve, which is defined by the equation y^2 = x^3 - 3x + b, where b = 39402006196394479212279040100143613805079739270465446667948293404245721771496870329047266088258938001861606973112316.

  • The secp256k1 curve, which is defined by the equation y^2 = x^3 + 7, where a = 0 and b = 7.

  • The NIST P-521 curve, which is defined by the equation y^2 = x^3 - 3x + b, where b = 0x01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF.

  • The Brainpool P-256r1 curve, which is defined by the equation y^2 = x^3 + ax + b, where a = -3 and b = 0x52036CEE2B6FFE738CC740797779E89800700A4D4141D8AB75EB4DCA135978A3E.

  • The secp192r1 curve, which is defined by the equation y^2 = x^3 + ax + b, where a = -3 and b = 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1.

And the differences between these curves:

  1. The main difference between the NIST P-256 and NIST P-384 elliptic curves is the size of the prime number that defines the curve. The P-256 curve is defined using a 256-bit prime, while the P-384 curve is defined using a 384-bit prime. This means that the P-384 curve provides a higher level of security than the P-256 curve, since it is more difficult to find the discrete logarithm of a point on the P-384 curve than on the P-256 curve. However, the increased security of the P-384 curve comes at the cost of slower performance, since operations on the P-384 curve are more computationally intensive than on the P-256 curve. Therefore, the choice of which curve to use depends on the specific security and performance requirements of the application.

  2. The secp256k1 and NIST P-256 elliptic curves are both defined over the same field (the set of integers modulo a prime number), but they have different equations and different values for the constants in those equations. The secp256k1 curve is defined by the equation y^2 = x^3 + 7, while the NIST P-256 curve is defined by the equation y^2 = x^3 - 3x + b, where b = 41058363725152142129326129780047268409114441015993725554835256314039467401291.

The main difference between these two curves is that the secp256k1 curve has a much simpler equation, which makes it more efficient to work with. This makes it well-suited for applications such as cryptocurrencies, where fast and efficient elliptic curve operations are important. On the other hand, the NIST P-256 curve provides a higher level of security than the secp256k1 curve, since it is more difficult to find the discrete logarithm of a point on the NIST P-256 curve than on the secp256k1 curve. Therefore, the choice of which curve to use depends on the specific security and performance requirements of the application.

The above curves are represented in the Weierstrass form, the most common form of representation you will find when you Google "elliptic curve". There are also various other forms of elliptic curve representation, which can provide certain computational advantages under certain conditions.

  • The Weierstrass model, which uses a standard cubic equation to define the curve and projective coordinates to represent points on the curve.

  • The Twisted Edwards model, which uses a quadratic equation to define the curve and affine coordinates to represent points on the curve.

  • The Montgomery model, which uses a quartic equation to define the curve and projective coordinates to represent points on the curve.

  • The Edwards model, which uses a quadratic equation to define the curve and projective coordinates to represent points on the curve.

And here are some curves that use the Twisted Edwards model:

  • The ed25519 curve, which is defined by the equation -x^2 + y^2 = 1 + dx^2y^2, where d = -121665/121666. This curve is commonly used in applications such as digital signatures and key exchange.

  • The curve25519 curve, which is defined by the equation -x^2 + y^2 = 1 + dx^2y^2, where d = 37095705934669439343138083508754565189542113879843219016388785533085940283555. This curve is similar to the ed25519 curve, but is not a standard NIST curve.

  • The Ed448-Goldilocks curve, which is defined by the equation a = 39081 and b = c = 2000000000000000000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed. This curve is a variant of the Ed448 curve, which is defined by the equation a = -39081 and b = c = 2000000000000000000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed.

Moving on from regular elliptic curves, there are also pairing-friendly elliptic curves. Pairing-friendly elliptic curves are a special type of elliptic curve that is well-suited for use in certain cryptographic protocols that involve a mathematical operation known as a "pairing". There are many different types of pairing-friendly curves, and the specific curves used can depend on the specific requirements and preferences of the application. Some examples of pairing-friendly curves include:

  • The Barreto-Naehrig (BN) curve, which is defined by the equation y^2 = x^3 + b, where b = 0x202FEB054934C0AEE7E84DCCFE1E7F9DF25CFDADF7E31E16A2360C1A39C6D3D588A3CC8B9F65784D2917F7042BBBE23E45A2E1D2CE03FE2E1F8F8A9CA46D191B.

  • The Barreto-Lynn-Scott (BLS) curve, which is defined by the equation y^2 = x^3 + b, where b = 0x2. This curve is commonly used in BLS signature schemes.

  • The Boneh-Franklin (BF) curve, which is defined by the equation y^2 = x^3 + b, where b = 0x12C9D9585769C049C5D5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5B5.

And these curves can be used with various pairing functions such as:

  • The Tate pairing, which is a type of pairing that can be used with any elliptic curve.

  • The Weil pairing, which is another type of pairing that can be used with any elliptic curve.

Things work pretty much the same in pairing-friendly curves, just that they support the extra functionality of pairing. Pairing is a mathematical operation that takes two points on an elliptic curve and maps them to a specific value in a finite field. This operation has specific properties that make it useful for certain cryptographic protocols, such as those used in identity-based cryptography and attribute-based encryption.

To highlight the power of pairing, let's examine an example BLS aggregation signature protocol. The BLS aggregation signature protocol is a technique for combining multiple individual BLS signatures into a single signature that is smaller and more efficient to verify. This technique is useful in applications where many different parties need to sign a message or document, as it allows the signatures to be combined into a single signature that can be verified more efficiently. The specific steps involved in the BLS aggregation signature protocol can vary depending on the specific implementation and the specific requirements of the application. However, in general, the process for aggregating BLS signatures using the BLS aggregation signature protocol involves the following steps:

  1. Each party who needs to sign the message or document generates a private key and a corresponding public key, using the BLS curve that is being used for the signatures.

  2. Each party then signs the message or document using their private key, resulting in an individual BLS signature.

  3. The individual BLS signatures are then combined into a single signature using a specific aggregation algorithm, such as the BLS threshold signature scheme. This algorithm allows the individual signatures to be combined into a single signature that is smaller and more efficient to verify.

  4. The resulting aggregated signature is then verified using the individual public keys of the parties who signed the message or document. (This is only possible because of the pairing's property.)
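The four steps above, carried through over a toy bilinear map so the verification equation can be run end to end. This is an added Python example, not part of the original article and not a real BLS implementation: group elements are stored as scalars modulo a small constructed prime, so discrete logs are trivial and the scheme is insecure; all names and parameters are illustrative.

```python
import hashlib

# Constructed toy parameters: R is the prime group order, Q = 2R + 1 is prime,
# and GT_GEN generates the order-R subgroup of Z_Q*. Far too small for real use.
R, Q, GT_GEN = 1019, 2039, 4
G2_GEN = 1   # toy generator of G2 (elements are stored as scalars mod R)

def pairing(a, b):
    """Toy bilinear map e(a, b) = GT_GEN^(a*b); real BLS uses a curve pairing."""
    return pow(GT_GEN, (a * b) % R, Q)

def hash_to_g1(msg):
    """Map a message to a nonzero toy G1 element."""
    return 1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (R - 1)

def keygen(seed):
    """Step 1: derive (sk, pk). In this toy model pk reveals sk; on a real curve it does not."""
    sk = 1 + int.from_bytes(hashlib.sha256(b"sk" + seed).digest(), "big") % (R - 1)
    return sk, (sk * G2_GEN) % R

def sign(sk, msg):
    """Step 2: sigma_i = sk_i * H(m)."""
    return (sk * hash_to_g1(msg)) % R

def aggregate(sigs):
    """Step 3: the aggregate is the group sum of the individual signatures."""
    return sum(sigs) % R

def verify_aggregate(pks, msg, agg):
    """Step 4: accept iff e(agg, g2) == product over i of e(H(m), pk_i)."""
    h, rhs = hash_to_g1(msg), 1
    for pk in pks:
        rhs = (rhs * pairing(h, pk)) % Q
    return pairing(agg, G2_GEN) == rhs

def demo():
    msg = b"constructed sample message"
    keys = [keygen(bytes([i])) for i in range(3)]
    pks = [pk for _, pk in keys]
    agg = aggregate([sign(sk, msg) for sk, _ in keys])
    return (verify_aggregate(pks, msg, agg),            # all three signed
            verify_aggregate(pks, msg, (agg + 1) % R),  # tampered aggregate
            verify_aggregate(pks[:2], msg, agg))        # signer set mismatch
```

Bilinearity is what makes step 4 work: e(sk_1·H + sk_2·H + sk_3·H, g2) factors into the product of e(H, pk_i), so one aggregate value is checked against all the public keys.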

Overall, the BLS aggregation signature protocol is a technique for combining multiple BLS signatures into a single signature that is more efficient to verify. This technique is useful in applications where many parties need to sign a message or document, as it allows the signatures to be combined into a single signature that can be verified more efficiently.

Another interesting fact is that for elliptic curves such as BLS curves, there are also various families. As mentioned earlier, BLS is a family of pairing-friendly elliptic curves that are defined by the equation y^2 = x^3 + b, where b is a specific value. For example, the most famous family is the BLS12 curve family, which is a specific subfamily of BLS curves that are defined by the equation y^2 = x^3 + b, where b is chosen such that the resulting curve has specific properties that make it well-suited for use in cryptographic protocols that involve a pairing operation. There are other families of BLS curves besides the BLS12 family that are defined by the equation y^2 = x^3 + b, where b is a specific value. These other families of BLS curves may have different properties and may be well-suited for different applications than the BLS12 family of curves. Some examples of families of BLS curves that are not part of the BLS12 family include:

  • BLS48: This is a family of BLS curves that are defined by the equation y^2 = x^3 + b, where b is chosen such that the resulting curve has specific properties that make it well-suited for use in protocols that require efficient scalar multiplication operations.

  • BLS48-581: This is a specific curve in the BLS48 family that is defined by the equation y^2 = x^3 + b, where b = 0x24AA2B2F08F0A91260805272DC51051C6E47AD4FA403B02B4510B647AE3D1770BAC0326A805BBEFD48056C8C121BDB8. It is commonly used in protocols that require efficient scalar multiplication operations.

  • BLS24: This is a family of BLS curves that are defined by the equation y^2 = x^3 + b, where b is chosen such that the resulting curve has specific properties that make it well-suited for use in protocols that require efficient pairing operations.

  • BLS24-377: This is a specific curve in the BLS24 family that is defined by the equation y^2 = x^3 + b, where b = 0x1A0111EA397FE69A4B1BA7B6434BACD764774B84F38512BF6730D2A0F6B0F6241EABFFFEB153FFFFB9FEFFFFFFFFAAAB. It is commonly used in protocols that require efficient pairing operations.

In conclusion, elliptic curves are a mathematical concept that is used in many different fields, including number theory, algebraic geometry, and cryptography. In cryptography, elliptic curves are used to define specific curves that are well-suited for use in a variety of cryptographic protocols, such as public key cryptography and digital signatures. Elliptic curves are defined by equations of the form y^2 = x^3 + ax + b, where a and b are specific values. These equations have specific properties that make them useful for cryptographic applications, such as the ability to define a group structure on the points on the curve. There are many different types of elliptic curves that are used in cryptography, including Weierstrass curves, twisted Edwards curves, and BLS curves. Each of these types of curves has specific properties that make it well-suited for different applications. Overall, elliptic curves are a powerful mathematical concept that is used in many different fields, including cryptography. These curves have specific properties that make them useful for cryptographic applications, and they are commonly used in a variety of cryptographic protocols.