Formal Definitions of Elliptic Curves

Formal Definitions of Elliptic Curves
Rong-Jaye Chen
Department of Computer Science, National Chiao Tung University
ECC 2008
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
1 / 19
1
Cryptanalysis Lab
Outline





(1)
(2)
(3)
(4)
(5)
Definitions
Group Law
The Discriminant and j-Invariant
Curves over K, char(K) ≠ 2, 3
Curves over K, char(K) = 2
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
2 / 19
Cryptanalysis Lab
Definitions


Fq : the finite field containing q elements, q is prime power
K:the algebraic closure of a field K
i.e. if K = Fq then
K   F qm
m 1

The projective plane P2(K) over K is the set of equivalence
classes of the relation ~ acting on K3 \{(0 , 0, 0)},
where (x1, y1, z1) ~ (x2, y2, z2) iff there exists u  K* such
that x1=ux2, y1=uy2, z1=uz2.
We denote the equivalence class containing (x, y, z) as
(x : y : z).
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
3 / 19
Cryptanalysis Lab
Definitions - Weierstrass equation


Y 2 Z  a1 XYZ  a3YZ 2  X 3  a2 X 2 Z  a4 XZ 2  a6 Z 3
where a1, a2, a3, a4, a6  K
P  ( X : Y : Z )  P 2 ( K ) satisfying
F ( X , Y , Z )  Y 2 Z  a1 XYZ  a3YZ 2  X 3  a2 X 2 Z  a4 XZ 2  a6 Z 3  0
Smooth (non-singular) :
at least one of
F F F
,
,
X Y Z
is non-zero at P.
Singular :
F
F
F
 0,
 0,
0
X
Y
Z
at P, then P is called a singular point.
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
4 / 19
Cryptanalysis Lab
Definitions - Elliptic curve



Elliptic curve E: the set of all solutions in P 2 K  of a smooth
Weierstrass equation.
Point at infinity O : there is exactly one point in E with Zcoordinate equal to 0, namely (0:1:0).
For convenience, let x=X/Z, y=Y/Z
y 2  a1 xy  a3 y  x3  a2 x 2  a4 x  a6


(2.1)
E/K : if a1, a2, a3, a4, a6 K, then E is said to be defined over
K.
E(K) :
E ( K )  {( x, y )  K : y 2  a1 xy  a3 y  x 3  a2 x 2  a4 x  a6 }  {O}
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
5 / 19
Cryptanalysis Lab
Definitions - Isomorphism

Theorem
Two elliptic curves E1/K and E2/K given by the equations
2
3
2
y

a
xy

a
y

x

a
x
 a 4 x  a6
E1:
1
3
2
2
3
2
E2: y  a1 xy  a3 y  x  a2 x  a4 x  a6
are isomorphic over K, denoted by E1 / K  E2 / K , iff there
exists u, r, s, t  K, u  0 ,such that
 : ( x, y)  (u 2 ( x  r ), u 3 ( y  sx  t  rs)) maps E1 onto E 2
 : ( x, y)  (u 2 x  r , u 3 y  u 2 sx  t ) maps E 2 onto E1
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
6 / 19
Cryptanalysis Lab
Group Law


Theorem
(E,+) is an abelian group with identity element O. If E is
defined over K, then E(K) is a subgroup of E.
Addition rule
For all P,Q  E,
(i) O+P=P+O=P.
(ii) -O=O.
(iii) If P=(x1,y1)  O, then -P=(x1,-y1-a1x1-a3).
(iv) If Q=-P, then P+Q=O.
(v) If P,Q  O, Q  -P, then let R be the third point of
intersection of either the line PQ if P  Q, or the
tangent line to the curve at P if P=Q, with the curve.
Then P+Q=-R.
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
7 / 19
Cryptanalysis Lab
Group Law
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
8 / 19
Cryptanalysis Lab
Group Law
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
9 / 19
Cryptanalysis Lab
Group Law

Formulas for case (v)
The slop λ of PQor tangent line is
 y2  y1
 x  x , if P  Q
 2 1
 2
 3x1  2a2 x1  a4  a1 y1 , if P  Q

2 y1  a1 x1  a3

β=y1-λx1
The line is y=λx+β.
Hence P+Q=(x3,y3) where
Q
P
x3  2  a1  a2  x1  x2
P+Q
y3  (  a1 ) x3    a3
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
10 / 19
Cryptanalysis Lab
The Discriminant and j -invariant

Define the quantities
d 2  a12  4a2
d 4  2a4  a1a3
d 6  a32  4a6
d8  a12 a6  4a2 a6  a1a3a4  a2 a32  a42
c4  d 22  24d 4
  d 22 d8  8d 43  27d 62  9d 2 d 4 d 6
j ( E )  c43 / 
The quantity Δ is called the discriminant of the Weierstrass
equation, while j(E) is called the j-invariant of E if Δ≠0.
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
11 / 19
Cryptanalysis Lab
The Discriminant and j -invariant


Theorem
E is an elliptic curve, i.e., the Weierstrass equation is nonsingular, if and only if   0
Theorem
If two elliptic curve E1/K and E2/K are isomorphic over K,
then j(E1)=j(E2). The converse is also true if K is an
algebraically closed field.
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
12 / 19
Cryptanalysis Lab
Curves over K, char(K)≠2, 3

E/K, if char(K) ≠2 then
a3
a1
( x, y )  ( x, y  x  )
2
2
transforms E/K to the curve
E' /K : y 2  x 3  b2 x 2  b4 x  b6

note that E  E'
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
13 / 19
Cryptanalysis Lab
Curves over K, char(K)≠2, 3

E/K, if char(K) ≠2,3 then
x  3b2 y
( x, y )  (
,
)
36
216
transforms E’/K to the curve
E' ' /K : y  x  ax  b
2

note that E'  E' '  E  E' '
3
E' ' /K : y 2  x 3  ax  b
E : y 2  x3  ax  b , a,b  K.
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
14 / 19
(2.11)
Cryptanalysis Lab
Curves over K, char(K)≠2, 3

With equation (2.11),
  16(4a3  27b 2 )  0
j ( E )  1728(4a3 ) / 

Theorem
2
3
2
3
The elliptic curves E1/K : y  x  ax  b and E 2 /K : y  x  a x  b
*
are isomorphic over K iff there exists u  K such that
u 4 a  a and u 6 b  b

If E1  E2 over K, then the isomorphism is given by
 : E1  E2 ,  : x, y   u 2 x, u -3 y 
 : E2  E1 ,  : x, y   u 2 x, u 3 y 
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
15 / 19
Cryptanalysis Lab
Curves over K, char(K)≠2, 3

Addition formulas
If P=(x1, y1) E, then -P=(x1, -y1).
If Q=(x2, y2) E, Q≠-P, then P+Q=(x3, y3), where
x3  λ 2  x1  x2
y3  λ(x1  x3 )
 y2  y1
 x  x ,if P  Q
 2
1
λ
2
3
x
 1  a ,if P  Q

 2 y1
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
16 / 19
Cryptanalysis Lab
Curves over K, char(K) = 2

E/K, char(K)=2
E : y 2  a1 xy  a3 y  x 3  a2 x 2  a4 x  a6

If j(E) ≠0, then E is isomorphic to
E1 / K : y 2  xy  x3  a2 x 2  a6
for E1,   a6 and j(E1 )  1 / a6

If j(E) =0, then E is isomorphic to
E2 / K : y 2  a3 y  x3  a4 x  a6
for E2,   a34 and j(E2 )  0
Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
17 / 19
Cryptanalysis Lab
Curves over K, char(K) = 2

Addition formulas when j(E) ≠0
P  ( x1 , y1 )  E1 ,  P  ( x1 , y1  x1 )
Q  ( x2 , y2 )  E1 , Q   P, P  Q  ( x3 , y3 )
 y  y  2 y  y
2
1
2
 1
 x1  x2  a2 , P  Q
 
x1  x2
 x  x2 
x3   1
 2 a6
 x1  x 2 , P  Q
1

 y1  y2 

  x1  x3   x3  y1 , P  Q
 x1  x2 
y3  
 x 2   x  y1  x  x , P  Q
3
 1  1 x  3
1 


Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
18 / 19
Cryptanalysis Lab
Curves over K, char(K) = 2

Addition formulas when j(E) = 0
P  ( x1 , y1 )  E2 ,  P  ( x1 , y1  a3 )
Q  ( x2 , y2 )  E2 , Q   P, P  Q  ( x3 , y3 )
 y  y  2
2
 1
  x1  x2 , P  Q
 x  x2 
x3   1
 x14  a42
 a2 , P  Q
3

 y1  y2 

  x1  x3   y1  a3 , P  Q
 x1  x2 
y3  
2

x
 1  a4  x  x  y  a , P  Q
 1
3
1
3
 a
3


Rong-Jaye Chen
Formal Definitions of Elliptic Curves
ECC 2008
19 / 19
Cryptanalysis Lab