Elliptic curve group
y² = x³ + ax + b over F_p. Point addition via chord + tangent. Infinity point = identity.
Scalar multiplication
kP via double-and-add. O(log k) additions. Security relies on ECDLP hardness.
Standard curves
NIST P-256, Curve25519 (Bernstein), secp256k1 (Bitcoin). Different security + patent + trust histories.
Attacks
Pohlig-Hellman: group order should have large prime factor. MOV attack: avoid supersingular curves. Side-channel: constant-time implementation.