Elliptic curve group

y² = x³ + ax + b over F_p. Point addition via chord + tangent. Infinity point = identity.

Advertisement

Scalar multiplication

kP via double-and-add. O(log k) additions. Security relies on ECDLP hardness.

Advertisement

Standard curves

NIST P-256, curve25519 (Bernstein), secp256k1 (Bitcoin). Different security + patent + trust histories.

Attacks

Pohlig-Hellman: group order should have large prime factor. MOV attack: avoid supersingular curves. Side-channel: constant-time implementation.