July 14, 2010
Lesson 1
1
Introduction
Geometry gives right away equations.
Problem 1.1 Given an integer n is there a right triangle with rational sides and area
n?
The equation of such a triangle would be
a2 + b2 = c2
2ab = 4n.
Adding and substracting both equations we get an equivalent system
(a + b)2 = c2 + 4n
(a − b)2 = c2 − 4n.
Hence, each triangle give me a square of a rational number x = c2 such that x − 4n and
x + 4n are also squares. And multiplying the three of them we get
y2 = x(x − 4n)(x + 4n) = x3 − 16n2 x2
For each n (small) we could run Mathematica to see if it has solutions or not. If we do
not find nontrivial solutions to the equation, we are done. If we find one, (x, y), still it
should be true that x, x − 4n and x + 4n should be squares. We will build a procedure
to find such a solution from any given non-trivial one.
The advantage is the the infinitude of possible triples (a, b, c) give just one equation.
Problem 1.2 Is there an integer solution to x4 + y4 = z4 ?
1
Divide by z4 to get X 4 = 1 − Y 4 . Multiply by X 2 and make the change of variables
X 2 = −x, XY 2 = y to get
y2 = x3 − x
Mathematica, no points except (0, 0), (1, 0), (−1, 0) and so no nontrivial solutions to
the equation. Again the infinitude of possible solutions gave just one equation.
How Mathematica knows if there are solutions or not?
1.1
Pytaghorean triples
But before solving Problem 1.1 we should ask, is there a right triangle with rational
sides? Otherwise the problem does not even has sense. Well, since 352 = 25×1×49 =
253 − 144 × 25, we see that (3, 4, 5) form a right triangle with area 6. It might be fun
to find the sides (a, b, c) from the solution. For example as follows: from the soltion to
the equation of the elliptic curve we know n = 6 and c = 5. Then we know that
a2 + b2 = 25
ab = 12.
√
The first tells us that a, b are less than 25 = 5 and since they are divisors of 12 the
unique solution is a = 3, b = 4 or viceversa.
Are there many right triangles with rational sides? These are the solutions to
X 2 +Y 2 = Z 2 .
Dividing by Z 2 we get
x2 + y2 = 1,
the equation of the circle with the trivial solution (1, 0). Draw the line y = t(x − 1).
The other point of intersection with the circle has rational coordinates if and only if t
is rational. Substituting into the equation we get
x=
For each rational value of t =
m
n
x=
1 − t2
,
1 + t2
y=
−2t
.
1 + t2
we get the solution
n2 − m2
,
n2 + m2
y=
2nm
n2 + m2
,
and so
X = D(a2 − b2 ),
Y = D(2ab),
for (a, b) = 1 a 6≡ b (mod 2).
2
Z = D(a2 + b2 )
2
Elliptic curves
An elliptic curve is a set. To define it, we first need to fix a field K. Then, an elliptic
curve E is the set of pairs of elements of K which are solutions to a polnomial equation
in two variables and, hence, is a subset of the plane K × K. To begin, we start with the
most simple of the equations, the Weierstrass equations.
E := {(x, y) ∈ K × K : y2 = x3 + Ax + B}U{O},
(1)
where O is an extra point at infinity and the coefficients A, B ∈ K. In order to call it an
elliptic curve, we do not allow singular equations, which means that
((e1 − e2 )(e3 − e2 )(e1 − e3 ))2 = −(4A3 + 27B2 ) 6= 0,
where e1 , e2 , e3 are the roots of x3 + Ax + B. Sometimes, even if the curve is defined
over a field K, meaning that A, B ∈ K, we are interested in finding the solutions in
certain extension of the field. When this happen we will make reference to both, the
elliptic curve and the field as E(L) to denote the solutions to the equation describing E
in the field L.
If we have the equation y2 − 2y + 1 = x3 + Ax + B, cleary the solutions are the
same as those of y2 = x3 + Ax + B adding 1 to the y coordinate. In general we will
consider E 0 to be “the same” elliptic curve as E if we can go from one to the other,
and backwards, by a change of variables. This allow us to consider much more general
equations. Indeed, if char(K) 6= 2, 3 then with a change of variables we can go from
any generalized Weierstrass equation
y2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 ,
with a1 , a2 , a3 , a4 , a6 ∈ K to
(2)
Y 2 = X 3 + AX + B
where
a1 x a3
+ ,
2
2
and A, B are some constant in K.
X = x+
Y = y+
a2 + a21 /4
3
Exercise: Many generalized Weierstrass equations correspond to the same Weierstrass
equation. Which ones?
There is a way of recognized curves which are the same, through the j invariant.
This, by definition, is the number
j = 1728
4A3
.
4A3 + 27B2
3
Theorem 2.1 Two elliptic curves are isomorphic over K, if and only if they have the
same j invariant. In fact, there exist µ ∈ K so that the change of variables (X,Y ) =
(µ 4 x, µ 3 y) brings one to the other.
Remark. There are curve which are isomorphic, but they are not the same over
their field of definition for example y2 = x3 − 25x has infinitely many points, while
y2 = x3 − 4x has only four. Both have j invariant 1728.
Remark. It is important to observe that every number is the j invariant of a curve
2j
3j
in fact the curve y2 = x3 + 1728−
j x + 1728− j has j.invariant j. Moreover the curves
y2 = x3 + 1 and y2 = x3 + x have 0 and 1728 as their respective j invariants. These
curves have more automorphisms than the trivial (x, y) → (x, −y).
There are some other equations which can be reduced to Weierstrass form. We list
them here.
1
, Y = (e2 −e1 )−3/2 y,
• Legendre form The change of variables given by X = ex−e
2 −e1
transforms y2 = (x − e1 )(x − e2 )(x − e3 ) into Y 2 = (X)(X − 1)(X − λ ) where
1
λ = ee32 −e
−e1 .
• Cubic equations Every cubic equation C(x, y) = 0 over K with a point over K
and char(K) 6= 2, 3, can be transformed into Weierstrass equation by an invertible
change of variables. Example y3 + x3 = 1.
• Quartic equations When the equation v2 = au4 + bu3 + cu2 + du + e has a finite
point defined on K, and char(K) 6= 2, there is an invertible change of variables
that transform the equation into Weierstrass form.
• Interserction of two Quadric surfaces The intersection of the two surfaces
au2 + bv2 = e and cu2 + dw2 = f is an elliptic curve, whenever the intersection
is nonempty in a field K of char(K) 6= 2.
2.1
Group law
The most important feature about elliptic curves is that, in fact, they are finitely
generated communtative groups. This, among very many other things, allow us
to build new solutions from given ones. The equations for the addition are the
generalization of the process given in Section 1.1. Let P1 = (x1 , y1 ), P2 = (x2 , y2 )
points on E and denote P3 = P1 + P2 = (x3 , y3 ). Then, the equations are given by
−P1 = (x1 , −y1 ).
x3 = m2 − x2 − x1 ,
y3 = m(x1 − x3 ) − y1 ,
4
(3)
where
2 −y1
x2 −x1
3x12 +A
2y1
(y
m=
if P1 6= ±P2 ,
if P1 = P2 and y1 6= 0.
Observe that if y1 = 0, then P1 = −P1 and then 2P1 = O.
Theorem 2.2 Let E := y2 = x3 +Ax+B be an elliptic curve. Then, the equations
in (3) give structure of group to the curve E.
The computations of the group law depend heavily in the coordinates. Then,
changing the coordinates we obtain new equation that have advantages in some
situations, for example they can improve the speed of computation.
Remark In order to find kP we can just write k in base two and only use the
doubling formula.
• Edward coordinates The curve C := u2 + v2 = c2 (1 + du2 v2 ) is the same as the
elliptic curve E := y2 = (x − c4 d − 1)(x2 − 4c4 d) via the change of variables
x=
−2c(v − c)
,
u2
y=
4c2 (v − c) + 2c(c4 d + 1)u2
.
u3
In this case O = (0, c) and the sum is given by
v1 v2 − u1 u2
u1 v2 + u2 v1
(u1 , v1 ) + (u2 , v2 ) =
,
,
c(1 + du1 u2 v1 v2 ) c(1 − du1 u2 v1 v2 )
the negative being −(u, v) = (−u, v).
• Projective coordinates Adding two points requieres 1 inversion in the field.
This is between 9 and 40 times as long as multiplication. To avoid it, we can
use projective coordinates, which, basically deals with denominators as another
variable. We define PK2 to be the set of equivalence classes of triples(x, y, z) ∈
K 3 − (0, 0, 0) such that two triples (x1 , y1 , z1 ) ∼ (x2 , y2 , z2 ) are the same if there
exist λ ∈ K ∗ such that (x1 , y1 , z1 ) = λ (x2 , y2 , z2 ). We will write (x : y : z) for the
equivalence class of the triple (x, y, z). We can identify the affine plane of pairs
of numbers in K, namely A2K = {(x, y ∈ K × K)}. with a subset of the projective
plane as follows
(x, y) → (x : y : 1).
(4)
We call the rest of points in PK2 , those with z = 0, the points at infinity. In particular O will be one of this points. We can translate the elliptic curve equation
into the projective plane, because multiplying by a constant does not vary the
5
solutions of a polynomial equation F(x) = 0. In projective coordinates every
equation is homogeneus and we can go from affine to projective by
x y
F(x, y, z) = zn f ( , ),
z z
f (x, y) = F(x, y, 1),
where n is the degree of the polynomial. Then rational functions can also be
translated and, hence we have our set of equations for addition in projective
space.
• Jacobian coordinates If rather than (4) we use the map J : PK2 → A2K given by
J(x : y : z) = (x/z2 , y/z3 ), then doubling gets much easier even up to 4 squarings
and 4 multiplications. In projective is 5 squarings and 7 multiplications. (This is
because of the weight of x and y is different).
Remark. For fields of characteristic 2, the equation for a nonsingular curve, and
for addition are different and can be splitted into two different cases basically
depending on a1 = 0 or not.
2.2
Endomorphisms
Definition 2.1 An endomorphism of an elliptic curve E defined over K is a map α :
E(K) → E(K) such that α(O) = O and
α(x, y) = (r1 (x), yr2 (x)).
Remark. If r1 (x) =
p1 (x)
q1 (x)
and q1 (x) = 0, then α(x, y) = O. If q1 (x) 6= 0, then q2 (x) 6= 0.
Definition 2.2 We call Degree of α to be Max{deg(p1 (x)), deg(q1 (x))}.
Definition 2.3 An endomorphism is separable if one of p01 (x), q01 (x) is not identically
zero. Otherwise is inseparable.
Remark. If the characteristic is 0 there are no inseparable polynomials. If char(K) = p
the inseparable polynomials are g(x p ).
Examples. Multiplication by an integer n is an endomorphism for any elliptic curve,
simply because its group structure. In the particular case of n = 2, the equations are
given by the Doubling equations.
x4 − 2Ax2 − 8Bx + A2
,
4(x3 + Ax + B)
−(8B2 − 5Ax4 + 5x2 A2 + 4AxB − 20x3 B − x6 + A3 )
r2 (x) =
.
8(x3 + Ax + B)2
r1 (x) =
6
We note that it sends O to O by observing that y2 z = x3 + Axz2 + Bz3 in projective
coordinates, and so
x6 = (y2 z − Axz2 − Bz3 )2 = z2 (y2 − Axz − Bz2 )2 .
When we are in the finite field Fq , with characteristic p and q = pr elements, the most
important endomorphism is called the Frobenius endomorphism and is giving by the
equations
φq (x, y) = (xq , yq ).
(5)
Theorem 2.3 Let E be an elliptic curve defined over the finite field Fq . The Frobenius
map is an inseparable endomorphism of E of degree q.
First, observe that any element x on the field verifies xq = x, and so the image is on E
since the curve is defined over Fq , and there (a + b)q = aq + bq . Now, we have to prove
that φ (P + Q) = φ (P) + φ (Q). This is again consequence of plugging the previous
identity into the formulas for addition. The degree and separability are consequences
of the definition.
The following proposition is one of the most important facts about endomorphisms.
Proposition 2.1 Let E be and elliptic curve, and α a non trivial endomorphism of E.
Then, if it is separable then deg(α) = |Ker(α)| and deg(α) > |Ker(α)| otherwise.
Proof. Let α = (r1 (x), yr2 (x)) and r1 (x) = p/q(x). Since it is an endomorphism it is
enough to see that |α −1 (P)| =deg(α) for any P in the image of α. Now it is enough
to find a so that r1 (x) = a and r100 (a) 6= 0. This guaranties that p − aq does not have
multiple roots, and hence, with a suitable a it will have precisely degα roots. For each
of them, the second coordinate is fixed by the definition of the endomorphism.
Observe that the conditions can be attained since clearly p/q gets infinitely many
values. It cannot be constant since it is homomorphism moreover we are saying r10 6= 0.
In the case that r10 = 0, then the same applies, but now p−aq always has multiple roots,
and so the inequality of the theorem is clear.
For the proof, we needed the easy fact that r1 (x) takes infinitely many values. In
fact, it takes them all.
Theorem 2.4 Let E be and elliptic curve, and α a non trivial endomorphism of E.
Then, α(E(K)) = E(K).
Proof. If p − aq is not constant the result is trivial. But it can only be constant for one
value of a. Take another point, and add it to get a in the image.
We now state a condition on separability. For that purpose we need to lemmas of
interest on their own.
7
Lemma 2.1 The differential 1y dx of the curve y2 = x3 +Ax+B is invariant under translations.
Proof. We have to prove that if (x̃, ỹ) = (x, y) + (u, v) for some fix (u, v) of the curve,
then 1ỹ d x̃ = 1y dx. This is an straighforward computation with the addition formulas and
implicit derivation.
Remark. Up to scalars, this is the only differential with this property.
Lemma 2.2 Let α1 = (R1 (x), yS1 (x)), α2 = (R2 (x), yS2 (x)) endomorphims and let
α3 = α1 + α2 = (R3 (x), yS3 (x)). If
R01 (x)/S1 (x)) = c1
and
(R2 (x), yS2 (x)) = c2 ,
then (R03 (x)/S3 (x)) = c1 + c2 .
Calling (xi , yi ) = αi , then the hypothesis are
∂ x3 ∂ x3 dy1 y3
+
= ,
∂ x1 ∂ y1 dx1 y1
and
∂ x3 ∂ x3 dy2 y3
+
= .
∂ x2 ∂ y2 dx2 y2
The chain rule ends the result.
Remark. Every endomorphism is invariant under translations and, hence, its diferential is a scalar times 1/y, which means that every endomorphism has the property on
the lemma.
Corollary 2.1 Let n(x, y) = (Rn (x), ySn (x)), the multiplication by n in E. Then
R0n (x)/Sn (x) = n.
Proof. For positive n it is an straighforward application of the previous lemma and
induction. For negative n recall that −n(x, y) = (Rn (x), −ySn (x)).
Proposition 2.2 Let E be an elliptic curve over q a power of the prime p, and r, s
integers not both zero. Then rφ + s is separable if and only if p - s.
Proof. Direct implication of the previous corollary, Lemma 2.2, and the definition of
Frobenius.
8
2.3
Singular curves
Two results are important in case the discrimant of the curve vanishes.
Theorem 2.5 Let E := y2 = x3 be defined over K. Then, the map α from E(K) − (0, 0)
to (K, +) given by
x
α(x, y) = ,
α(O) = 0,
y
is an isomorphism. The inverse is α −1 (t) = ( t12 , t13 ).
Theorem 2.6 Let E := y2 = x3 + a2 x2 be defined over K. Consider the map α from
E(K) − (0, 0) given by
α(x, y) =
y + ax
,
y − ax
α(O) = 1.
i) if a ∈ K ∗ then α is an isomorphism with to (K ∗ , ×). The inverse is
4a2t 4a3t(t + 1)
−1
α (t) =
,
.
(t − 1)2 (t − 1)3
ii) If a ∈
/ K, then α gives an isomorphism with the multiplicative group
{u + av : (v, v) ∈ K × K, u2 − a2 v2 = 1},
with inverse
α −1 (u, v) =
u+1
v
2
− a,
u+1
x
v
!
The proofs are consequences of the parametrizations exhibited and the addition
laws. When the curve in Theorem 2.5 arises from reducing a curve modulo a prime, se
say that the curve have additive reduction. If it is the case i) or ii) of Theorem 2.6, we
say that the reduction is split or nonsplit multiplicative respectively.
2.4
Curves modulo composite integers.
The problem when working modulo composite integers is the we are working with
rings that have divisors of zero. To avoid this problem, we have to work on the projectie
spares so we can somehow forget about denominators. The notion of primitive is
important.
Definition 2.4 Let R be a commutative ring 1 with 1. An n-tuple (r1 , . . . , rn ) is primitive if there are no elements (x1 , . . . xn )of R so that x1 r1 + · · · + xn rn = 1.
1 For technical reasons we have to work with rings with free projective modules of rank 1.
for any field of our interest. We also impose 2, 3 ∈ R∗ .
9
This holds
Definition 2.5 Let R be a commutative ring with 1. We say that two primitive triples
(x, y, z) and (x0 , y0 , z0 ) are equivalent if there exist u ∈ R∗ so that (x0 , y0 , z0 ) = u(x, y, z).
PR2 are the primitive triples modulo the equivalence relation, and we denote (x : y : z)
the class of the triple (x, y, z).
Definition 2.6 An elliptic curve E defined over R is an homogeneous equation y2 z =
x3 + Axz2 + Bz3 with A, B ∈ R and so that 4A3 + 27B2 ∈ R∗ .
Theorem 2.7 Let E := y2 z = x3 + Axz2 + Bz3 be an elliptic curve defined in PR2 . There
exist three sets of equation wich give group structure to E(R).
Remark The equation are in [5]. The theorem ensures that some of the equations in
the set allow to define the addition of two points avoiding the problems in the denominators.
See Example 2.10 in [5].
Corollary 2.2 Let n1 , n2 odd coprime integers and let E an elliptic curve defined over
Z/n1 n2 Z. Then, the chinese remainder theorem gives a group isomorphism
E(Z/n1 n2 Z) ' E(Z/n! Z) × E(Z/n2 Z).
Corollary 2.3 Let , E/Q be an elliptic curve with integer coefficients, and n an integer
coprime with the discriminant. Then
redn : (x : y : z) → (x : y : z) (mod n)
gives a group homomorphism between E(Q) and E(Z/nZ).
Corollary 2.4 Let R a ring and I an ideal so that R/I is as in Definition 2.4. Then,
redI : (x : y : z) → (x : y : z) (mod I)
gives a group homomorphism between E(R) and E(R/I).
10
Lesson 2
3
3.1
Points of torsion and pairings
Division polynomials
Given an elliptic curve E/K we want to study
E[n] = {P ∈ E(K) : nP = O}.
The torsion part of the group E(K) is clearly ∪n E[n]. To study it, we will have to
understand the endomorphism multiplication by n. These maps are described by the
so called division polynomials. For given A, B, we define the Division polynomial
ψn (x, y) by the following recursive formula.
ψ1 = 1
ψ2 = 2y
ψ3 = 3x4 + 6AX ” + 12Bx − A2
ψ4 = 4y(x6 + 5Ax4 + 20Bx3 − 5A2 x2 − 4ABx − 8B2 − A3 )
3
ψ2m+1 = ψm+2 ψm3 − ψm−1 ψm+1
, for m ≥ 2
2
2
ψ2m = (2y)−1 ψm (ψm+2 ψm−1
− ψm−2 ψm+1
),
for m ≥ 3.
(6)
From here, one can see that ψ2n+1 ∈ Z[x, y2 ], ψ2n ∈ 2yZ[x, y2 ], and the polynomials
ϕm = xψm2 − ψm−1 ψm+1 ,
2
2
ωm = (4y)−1 (ψm+2 ψm−1
− ψm−2 ψm+1
),
(7)
are indeed polynomials and {ϕm , ω2m+1 } ⊂ Z[x, y2 ] while ω2m ∈ yZ[x, y2 ].
Theorem 3.1 Let P = (x, y) be a point on the elliptic curve y2 = x3 + Ax + B, and let
n be a positive integer. Then,
ϕn ωn
,
.
nP =
ψn2 ψn3
Remark The proof needs to introduce the Weierstrass P function and lattices. (See
chapter 9 of [5]).
When considering the polynomials in (7) as functions on the elliptic curve with
equation y2 = x3 + Ax + B, we get the following.
Lemma 3.1
2
ϕm (x) = xm + lower degree terms,
ψm (x)2 = m2 xm
2 −1
+ lower degree terms.
11
Proof. Use induction and Mathematica
Corollary 3.1 Multiplication by n is anendomorphism of degree n2 .
Proof. The only thing to see is that the fraction in Theorem 3.1 are in reduced
form. This can be done by induction and Bezout. Note that for m even we have
ϕ2m
ϕm4 − 2Aϕm2 ψm4 − 8Bϕm ψm6 + A2 ψm8
=
,
ψ2m2
4ψm2 (ϕm3 + Aϕm ψm4 + Bψm6 )
and the case m odd can be deduced from the even case and the recursive formula.
Theorem 3.2 Let E/K be an elliptic curve and char(K) = p.
a) If p - n then E[n] ' Z/nZ × Z/nZ.
b)If p|n then E[n] ' Z/n0 Z × Z/n0 Z. or E[n] ' Z/n0 Z × Z/nZ, where n0 is the
greatest divisor of n coprime with p.
Remark. When E[p] = Z/pZ the curve is called ordinary. If E[p] = O then it is
supersingular. In the rest of the cases, p - n, we can associate a GL2 (Z/nZ) matrix to
each endomorphism of the curve, or to any automorphism of the field K.
Proof
• n = 2. In odd characteristic the 2-torsion points are the roots of the polynomial
defining the elliptic curve. We leave as an exercise the even characteristic.
• n = 3 We can see that the points of 3 torsion are the roots of the polynomial x4 +
6Ax2 + 12Bx − A2 . Its discriminant is −6912(4A3 + 27B2 )2 and hence does not have
multiple roots. If the field has characteristic 3 we must use the generalized Weierstrass
equation.
• n ≥ 4. Suposse char(K) = p and p - n. From Proposition 2.2 we see that multiplication by n is separable and then Proposition 2.1 says that |Ker(n)| = n2 . The structure
theorem of finite groups says that
k
E[n] ' ∏ Z/ni Z,
i=1
where ni |ni+1 . But we have proved that |E[l]| = l 2 , meahwhile from the structure
theorem |E[l]| ≥ l k . Hence, k = 2. Since n kills every element, n1 |n2 |n and n1 n2 = n2 ,
and we deduce part a) of the theorem..
Now suppose p|n then E[n] ' E[n0 ] × E[pr ], since multiplication by n0 kills E[n0 ].
If there is no points of order p then E[pr ] is trivial. Otherwise, pr is a surjective
endomorphism, and we see that there are points of any order up to pr , so E[pr ] is
cyclic of order pr , which proves part b) of the theorem.
12
3.2
Pairings
We call µn the grouo of n-th roots of unity in K.
Theorem 3.3 Let E/K be an elliptic curve, and char(K) - n. There exist a pairing
en : E[n] × E[n] → µn ,
which is bilinear, non-degenerate, Galois invariant, and such that en (P, P) = 1 and
en (α(P), α(Q)) = en (P, Q)deg(α) .
Proof Starting with T ∈ E[n] we construct a function gT so that gnT = fT ◦ n. Hence, for
any point S ∈ E[n] and nP = T , we get that gT (S + P)/gT (P) ∈ µn and it is independent
of P. This is the Weil pairing en (S, T ).
The proof needs the introduction of divisors and the explicit construction of a function defining the pairing. See Chapter 11 of [5].
Corollary 3.2 If T1 , T2 is a basis of E[n], then en (T1 , T2 ) is a primitive n-th root of
unity.
Corollary 3.3 If E[n] ∈ E(K), then µn ∈ K.
Proof Apply Galois invariance.
Corollary 3.4 Let E/Q be an elliptic curve. E[n] ∈
/ E(Q) for n ≥ 3.
To any endomorphism α we can associate a 2 × 2 matrix αn with entries in Z/nZ.
Proposition 3.1 Let E be an elliptic curve over K with char(K) = p. Let α be an
endomorphism of E and n an integer not divisible by p. Then degα ≡det(αn ) (mod n).
Proof.
ζ degα = en (α(T1 ), α(T2 )) = en (aT1 + bT2 , cT1 + dT2 ) = en (T1 , T2 )ad−bc .
Proposition 3.2
deg(aα + bβ ) = a2 degα + b2 degβ + ab(deg(α + β − degα − degβ )).
Proof. The same identity is true for determinants of the matrizes associated to α on
E[n]. This gives a congruence modulo n for infinitely many n and, hence, an identity.
Sometimes the Weil paring cannot be used. It needs E[n] ∈ E(Fq ). The next pairing
only requires a point of order n to be in E(Fq ), plus mun ∈ F∗q , as in the Weil pairing.
Theorem 3.4 Let E/K be an elliptic curve over Fq and , n|q − 1. There exist a pairing
τn : E(Fq )[n] × E(Fq )/nE(Fq ) → µn ,
well defined, nondegenerate and bilinear.
These pairing uses a constant times log q point additions on E to be computed. See
Chaper 11 of [5].
13
4
Finite Fields
The points over finite fields also form a group, in this case finite, that could be computed by hand. However, when q is large, making a complete list could be unfeasible.
We give some important results on the number of points of E(Fq ) and its structure, and
then an algorithm, due to Schoof, that computes the number of points in polynomial
time. Elliptic curves over finite fields have very important applications for factorization
and Cryptography.
Examples. See Chapter 4 of [5].
4.1
Hasse’s Theorem
Theorem 4.1 Let E/Fq be an elliptic curve. Then
E(Fq ) ' Z/n1 Z × Z/n2 Z,
for some n1 |n2 .
This is a trivial consequence of Theorem 3.2 since every point is a torsion point of
order dividing |E(Fq )|.
Theorem 4.2 Let E/Fq be an elliptic curve. Then
√
|#E(Fq ) − q − 1| ≤ 2 q.
Proof We have clearly that E(Fq ) =Ker(φq − 1). Moreover, Proposition 2.2 tells that
φq − 1 is separable, hence, #E(Fq ) = deg(φq − 1) by Proposition 2.1. Now, we get
from Proposition 3.2 r2 q + s2 − rsa = deg(rφq − s) ≥ 0, where a = q + 1 − #E(Fq ).
Since this is true for any r, s, we get qx2 − ax + 1 ≥ 0 for any real x. The result follows.
Theorem 4.3 Let E/Fq be an elliptic curve and a = q + 1 − #E(Fq ). Then, a is the
unique integer so that
φq2 − aφq + q = 0.
Moreover, a ≡Trace((φq )m ) (mod m) for any (m, q) = 1.
Proof Follows from
Ker(φq − 1) ≡ det(φq − 1)m ≡ q + 1 − Trace(φq )m
(mod m),
for infinitely many m. Morover, if it is true for any other integer k, then
(k − a)φq = (φq2 − aφq + q) − (φq2 − kφq + q) = 0.
The following two theorems give the possible structures of the group of points E(Fq ).
For the proofs see [3] and [4].
14
Theorem 4.4 Let q = pn and N = q + 1 − a There exist an elliptic curve over E/Fq
√
with N = #E(Fq ) if and only if a ≤ 2 q and
• p - a.
√
• n is even and a = ±2 q
√
• n is even, p 6≡ 1 (mod 3) and a = ± q.
• n is odd, p = 2, 3 and a = ±p(n+1)/2
• n is even, p 6≡ 1 (mod 4) and a = 0
• n is odd and a = 0.
Theorem 4.5 Let the conditions of the above theorem and N = pe n1 n2 with n1 |n2 and
p - n2 . There is an elliptci curve E/Fq such that
E(Fq ) ' Z/pe Z × Z/n1 Z × Z/n2 Z
if and only if,
• n1 |q − 1 in and we are not in the second case of the previous theorem,
• n1 = n2 in the second case of the previous theorem.
4.2
Determining the group order
Theorem 4.6 Let #E(Fq ) = q + 1 − a and x2 − ax + q = (x − α)(x − β ). Then
#E(Fqn ) = q + 1 − sn
where sn = α n + β n .
We first see that s0 = 2, s1 = a and sn+1 = asn − qsn−1 and, in particular sn is an integer.
Moreover, x2 −ax+q|x2n −sn xn +qn , and so φq2n −sn φqn +qn = 0. The theorem follows
by the unicity in Theorem 4.3.
Examples.
Theorem 4.7
#E(Fq ) = q + 1 +
∑
x∈Fq
where
x
Fq
x3 + Ax + B
Fq
is 1 if x is a square in F∗q −1 if not and 0 if x = 0.
15
3
√
Remark The bound ∑x∈Fq x +Ax+B
≤ 2 q is true for any polynomial.
Fq
Examples.
Let P ∈ E(Fq ). The order of P is the smallest positive integer k such that kP = O.
A fundamental result from group theory (a corollary of LagrangeÕs theorem) is that
the order of a point always divides the order of the group E(Fq ). Also, for an integer
n, we have nP = O if and only if the order of P divides n. By Hasse’s theorem, #E(Fq )
√
lies in an interval of length 4 q Therefore, if we can find a point of order greater than
√
4 q, there can be only one multiple of this order in the correct interval, and it must be
√
#E(Fq ). Even if the order of the point is smaller than 4 q, we obtain a small list of
possibilities for #E(Fq ). Using a few more points often shortens the list enough that
there is a unique possibility for #E(Fq ).
How do we find the order of a point? If we know the order of the full group of
points, then we can look at factors of this order. But, at present, the order of the group
is what we are trying to find.
Examples
Proposition 4.1 Let E(Fq ) ' Z/nZ × Z/nZ. Then, q = n2 + 1, q = n2 ± n + 1 or
q = (n ± 1)2 .
Proof Observe that E[n] ⊂ E(Fq ), and so µn ∈ Fq by Corollary 3.2. Hence, n|q − 1,
and so n2 = q + 1 − a gives a = 2 + kn for some integer k. Hasse’s Theorem gives now
the result.
Proposition 4.2 Let E/F p be an elliptic curve and p > 229. Then, either E or his
twist have a point which order has just one multiple in the Hasse’s interval.
Proof The proof is based on the fact that if E(F p ) = p + 1 − a, then Ed (F p ) = p +
1 + a for any quadratic twist Ed , (this fact follows from Theorem 4.7). This produces
severe restrictions on the integers, m, n, M, N such that E(F p ) ' Z/mZ × Z/MZ, and
√
Ed (F p ) ' Z/nZ × Z/NZ simultaneously, if we further want to assume M, N < 4 p.
Mathematika
Suppose E(Fq ) ' Z/n1 Z × Z/n2 Z with n1 |n2 . Then the order of every element
divides n2 . If we choose some random points and compute their orders, what is the
chance that the least common multiple of these orders is n2 ? Let P1 , P2 be points
of orders n1 , n2 such that every point P ∈ E(Fq ) is uniquely expressible in the form
P = a1 P1 + a2 P2 with 0 ≤ ai < ni . Let p be a prime dividing n2 . If we take a random
point P, then the probability is 1 − 1/p that p - a2 . If p - a2 , then the order of P contains
the highest power of p possible. If p is large, then this means that it is very likely that
the order of one randomly chosen point will contribute the correct power of p to the
16
least common multiple of the orders of the points. If p is small, say p = 2, then the
probability is at least 1/2. This means that if we choose several randomly chosen
points, the least common multiples of their orders should still have the correct power
of p. The conclusion is that if we choose several random points and compute the least
common multiple of their orders, it is very likely that we will obtain n2 , which is as
large as possible. The following result of Cremona and Harley shows that knowledge
of n2 usually determines the group structure.
Proposition 4.3 Let E/Fq be an elliptic curve. Write E(Fq ) ' Z/n1 Z × Z/n2 Z with
n1 |n2 . Suppose that q is not one ofthe following:
3, 4, 5, 7, 9, 11, 13, 17, 19, 23, 25, 27, 29, 31, 37, 43, 61, 73, 181, 331, 547.
Then n2 uniquely determines n1 .
Proof. The existence of two integers, x, y so that xy|n2 , would not allow n2 x to be in
the Hasse Interval for q big. The smaller values can be checked by computer.
Mathematika
It is worth to mention the Baby Step Giant Step method to compute de order of
points in a group. Although it is not extremely efficient, it highly improves brute force
and works for a general group.
√
Baby Step Giant Step Algorithm We choose an integer m > 2q1/4 . Then, since
√
|a| < 2 q, we can express it on base m as a = u + vm with 0 ≤ u < m, −m ≤ v < m.
Observe that, if a positive integer a = u + vm, then −a = −u − vm = m − u − (v + 1)m.
• Baby Step. From Pj = jP compute ( j + 1)P for j = 1 up to (m − 1)P.
• Giant Step. From Qk = (q + 1 + km)P compute q + 1 + (k + 1)mP for k = −m
up to m − 1.
• Factor N = q + 1 − u − vm and let p1 , . . . , pr its prime factors.
• Compute N/pi P if it is O repeat with N = N/pi . Otherwise N = ord(P).
√
There will be a match Pm−u = Qv+1 and we have done 3m ∼ 3 2q1/4 additions and
two multiplitacions (q + 1)P and mP.
Example Mathematika
4.3
Schoof Algorithm
But when considering the group of points on an elliptic curve, Schoof algorithm is
the best we have, and it works in polynomial time in the number of digits of q. It is
based on computing the numer of points modulo enough prime factors. Each of those
calculations can be done using the congruences on Theorem 4.3 and Proposition 3.2
17
√
1. Choose a set of primes S = {2, 83, 5, ..., L} (with p ∈
/ S) such that ∏l∈S l > 4 q.
2. If l = 2, we have a ≡ 0 (mod 2) if and only if gcd(x3 + Ax + B, xq − x) 6= 1.
3. For each odd prime l ∈ S do the following.
(a) Let ql ≡ q (mod l)) with |ql | < l/2.
2
2
(b) Compute the x-coordinate x0 of (x0 , y0 ) = ((xq , yq ) + ql )(x, y) (mod ψl )
(c) For j = 1, 2, ..., (l − 1)/2, do the following.
i. Compute the x-coordinate x j of (x j , y j ) = j(x, y).
q
ii. If x0 − x j ≡ 0 (mod ψl ), go to step (iii). If not, try the next value of j (in step
(c)). If all values been tried, go to step (d).
q
iii. Compute y0 and y j . If (y0 − y j )/y ≡ 0 (mod ψl ) then a ≡ j (mod l). If not,
then a ≡ − j (mod l).
(d) If all values have been tried without success, let w2 ≡ q (mod l). If w does
not exist, then a ≡ 0 (mod l)
(e) If gcd(numerator(xq − xw ), ψl ) = 1, then a ≡ 0 (mod l)). Otherwise, compute gcd(numerator((yq − yw )/y), ψl ). If this gcd is not 1, then a ≡ 2w (mod l).
Otherwise, a ≡ −2w (mod l).
4. Use the knowledge of a (mod l) for each l ∈ S to compute a (mod ∏l∈S√l)
Choose the value of a that satisfies this congruence and such that |a| < 2 2
The number of points in E(Fq ) is q + 1 − a.
Example Mathematika
4.4
Supersingular Curves
A particular example in which the number of points is easy to compute is the case of
supersingular curves. By defnition,
Definition 4.1 E/Fq is said to be supersingular if E(F p ) = O.
However, we have an alternative definition which is the one we are interested on now.
Proposition 4.4 E/Fq es supersingular if and only if |E(Fq )| ≡ 1 (mod p) which is
the same as a = q + 1 − |E(Fq )| ≡ 0 (mod p).
Proof. Consequence of Theorem 4.6, the recurrence relation of sn , and Fermat’s Little
Theorem.
Corollary 4.1 Let E/F p be an elliptic curve and p ≥ 5 a prime. Then it is supersingular if and only if |E(F p )| = p + 1.
18
Example The curve y2 = x3 + B, for B ∈ Z is supersingular for any q ≡ 2 (mod 3).
Just consider the automorphism of the field x → x3 and count the number of points.
Mathematika
Remark For supersingular elliptic curves, it might be easier to compute multiplication,
2
2
for example when a = 0, since in this case q = (xq , −yq ) and multiplication on the
elliptic curve becomes an operation on the finite field.
By noting that supersingularity is a property over Fq , we can reduce the curve to
its Legendre’s form and build a method to compute all the supersingular elliptic curves
over Fq .
(p−1)/2 (p−1)/22 i
T and λ ∈ F p .
Theorem 4.8 Let p be an odd integer and H p (T ) = ∑0
i
2
Then, the elliptic curve y = x(x − 1)(x − λ ) is supersingular if and only if H p (λ ) = 0.
Proof The proof relies in Theorem 4.7. Indeed, we know that
order to be supersingular we need
∑ (x(x − 1)(x − λ ))(q−1)/2 ≡ 0
x
Fq
= x(q−1)/2 , so in
(mod p).
x∈Fq
Since this a polynomial of degree 3(q − 1)/2, ortogonality of the characters gives that
every coefficient is zero, except the one of order q − 1, Aq . Hence |E(Fq )| = 1 − Aq
r
r
r
in Fq . We have to prove Aq = 0 in Fq However, from (a + b) p = a p + b p , it is easy
r−1
to deduce that A pr = A1+···+p
. Hence, E/Fq is supersingular if and only if A p = 0,
p
where A p is the coefficient of degree p − 1 of (x(x − 1)(x − λ ))(p−1)/2 , but this is just
(−1)(p−1)/2 H p (λ ).
Remark Observe that also from Theorem 4.7 that E is supersingular if and only if
the q − 1 coefficient of (x3 + Ax + B)(p−1)/2 is zero modulo q. We can use this to proof
that y2 = x3 + 1 and y2 = x3 + x are supersingulars if and only if p ≡ 2 (mod 3) in the
first case and p ≡ 3 (mod 4) in the second case.
√
If E is an elliptic curve defined over Z with complex multiplication by Q( ?d),
and p is an odd prime number not dividing d for which E (mod p) is an elliptic curve,
then E (mod p) is supersingular if and only if ?d is not a square modulo p. Therefore
E, is supersingular for approximately half of the primes. If E does not have complex
multiplication, the set of primes for which is supersingular is much more sparse. Elkies
proved that the set of such primes is infinite. Wan [126], improving on an argument
of Serre, plroved that the number of p < x for which is supersingular is less than
2−ε (x). It has been conjectured by Lang and Trotter that the truth would be
Cx/ln
√
C x/ log x. This has been shown to be true ”on average” by Fouvry and Murty.
19
Remark By using the nontrivial fact that H p (T ) has simple roots and the j invariant
2
3
+1)
of the Legendre form 28 (λλ 2 −λ
, one can prove the following
(λ −1)2
Theorem 4.9 For p ≥ 5, the number of j invariants giving supersingular elliptic
curves is
hpi
+ ε p,
12
where ε p = 0, 1 or 2 depending on p (mod 12) is 1, 5 or 7, or 11 respectively.
It is possible to show that a supersingular curve over a perfect field of characteristic p
must have its j-invariant in F2p . Therefore, a supersingular elliptic curve over Fq can
always be transformed via a change of variables (over Fq ) into a curve defined over
Fp2 .
Example Mathematika
20
Lesson 3
5
Discrete Logarithm.
In order to build secure cryposystems, we need to have behind it a difficult mathematical problem that guarantees security. This is, by no means an exact statement and,
sometimes, difficulty is measure simply by the unnumerous number of times that have
been made in the literature to try and solve it without succeed. One of this problems is
the Discrete logarithm.
Definition 5.1 Given a multiplicative group G and to elements a, b ∈ G so that ak = b
for some integer k, find it.
It is bealived that this problem cannot be solve in polynomial time. However, there
are several methods that have been constructed to solve the problem in some cases or,
at least, faster than brute force.
5.1
Index Calculus
When the group is the multiplicative group of a prime finite field, one can proceed
as follows. The discrete logarithm has the property that transform multiplication into
addition. Hence, the idea is to transform the problem into a linear algebra one.
1. Choose a set of small primes B.
2. Find several x so that ax mod p can be factored into primes in B. This will allow
us to solve the DLP for all the primes in B.
3. Find j so that a j ∗ b can be factored into primes of B.
√
The expected running time is exp( 2 log p log log p), which is subexponential. In order to find solutions to ax in B one can use the number field sieve.
Example Mathematika
5.2
Baby Step-Giant Step
p
p
Already mentioned. Works in |G| steps and |G| storage .
Question Why we needed q1/4 to find the order of a point in the elliptic curve case?
5.3
Pollard’s ρ method
For any function, f (Pi ) = Pi+1 is periodic,
√ hence there is a match and, by the Pingeon
hole principle it should be in about N steps. In order to improve the storge, only
keep the pairs (Pi , P2i ). In about the same amount of time, we find a match without
21
the storage problem. Now, once a match is obtained, we need to compute the discrete
logarithm from it, so we should select a good function f .
Divide G into s disjoint subsets S1 , S2 , . . . , Ss of approximately the same size. A
good choice for s seems to be around 20. Choose 2s random integers ai , bi modulo
N. Let Mi = ai P + bi Q. Finally, define f (g) = g + Mi if g ∈ Si . The best way to think
of f is as giving a random walk in G, with the possible steps being the elements Mi .
Finally, choose random integers a0 , b0 and let P0 = a0 P + b0 Q be the starting point for
the random walk.
Remark By choosing several random starting points, one could implement this
method for parallel processing. With two random starting points it is called λ method.
Finally, the main difference √
with the baby step, giant step method is that this is deterministic, and will finish in c N time, while ρ is not and it is only probably that it will
finish in that time.
Example Mathematika.
5.4
The Pohlig-Hellman Method
Given the order of the group, and its prime factorization, the idea is to find the DL
modulo the prime power divisors and then use the CRT.
1. Compute T = { j Nq P , 0 ≤ j ≤ q − 1},
2. Determine kr such that
N
Q = kr
qr+1 r
N
qP
, where Qr = Qr−1 − kr−1 qr−1 P.
i
e
e
3. k ≡ ∑e−1
i=0 ki q (mod q) , where q ||N.
The Pohlig-Hellman method works well if all of the prime numbers dividing N
are small. For this reason, if a cryptographic system is based on discrete logs, the
order of the group should be chosen so it contains a large prime factor. This can be
accomplished by starting with a group that has a large prime q in its order. Pick a
random point P1 and compute its order. With high probability (at least 1 − 1/q), the
order of P1 is divisible by q, so in a few tries, we can find such a point P1 . Write the
order of P1 as qm. Then P = mP1 will have order q.
Example Mathematika.
5.5
Attacks with Pairings: The MOV Attack
The strategy is to reduce the DL in an elliptic curve to an easier DL problem over finite
fields, where index calculus can be used. This can often be done with pairings such as
the Weil pairing. As long as the field Fqm is not much larger than Fq , the attack will
be more efficient. For supersingular curves, we can usually take m = 2, so discrete
logarithms can be computed more easily for these curves than for arbitrary elliptic
22
curves. This is unfortunate from a cryptographic standpoint since an attractive feature
of supersingular curves is that calculations can often be done quickly on them.
Let E be an elliptic curve over Fq . Let P, Q ∈ E(Fq ), and N be the order of P.
Assume that gcd(N, q) = 1. We want to find k such that Q = kP. First, it is worthwhile
to check that k exists.
Lemma 5.1 There exists k such that Q = kP if and only if NQ = O and the Weil paring
eN (P, Q) = 1.
One direction is trivial. For the other, take P̂ so that P, P̂ is a base of the N torsion.
Recall that, since (q, N) = 1, E[N] ' Z/NZ × Z/NZ. Then, Q = aP + bP̂ for some
integers a, b, and 1 = eN (P, Q) = eN (P, P)a eN (P, P̂)b = ζ b for ζ some primitive N-th
root of unity. In particular N|b which finish the result.
The MOV attack follows the previous idea. Choose m so that E[N] ⊂ E(Fm
q ). Then,
by Lemma 3.3, µN ∈ Fqm .
1. Choose a random point T ∈ E(Fqm ).
2. Compute the order M of T .
3. Let d = gcd(M, N), and let T1 = (M/d)T . Then T1 has order d, which divides N,
so T1 ∈ E[N].
4. Compute ζ1 = eN (P, T1 ) and ζ2 = eN (Q, T1 ). Then both ζ1 and ζ2 are in µd ⊂
F∗qm .
5. Solve the discrete log problem ζ2 = ζ1k in F∗qm . This will give k modulo d.
6. Repeat with random points T until the least common multiple of the various d’s
obtained is N. This determines k modulo N.
Remark. Recall that E(Fqm ) ' Zn1 × Zn2 for some integers n1 , n2 with n1 |n2 . Then
N|n2 . Let B1 , B2 be points of orders n1 , n2 , respectively, such that B1 , B2 generate
E(Fqm ). Then T = a1 B1 + a2 B2 . Let l e be a prime power dividing N. Then l f |n2 with
f ≥ e. If (l, a2 ) = 1, then l f divides M, the order of T . Therefore, l e |d =gcd(M, N).
Since the probability that l - a2 is 1 − 1/l, the probability is at least this high that the
full power l e is in d. After a few choices of T , this should be the case.
Proposition 5.1 Let E be an elliptic curve over Fq and suppose a = q + 1 − #E(Fq ) =
0. Let N be a positive integer. If there exists a point P of E(Fq ) of order N, then
E[N] ⊂ E(Fq2 ).
23
Proof. The Frobenius endomorphism satisfies ϕq2 = −q. Since there is a point of order
N, we have N|q + 1. Suposse now S ∈ E[N]. Then S = −qS = ϕq2 S as we wanted to
see.
Remarks. When E is supersingular but a 6= 0, the above ideas work, but possibly
m = 3, 4, or 6. Frey and Rück showed that in some situations, the Tate-Lichtenbaum
pairing can be used to solve discrete logarithm problems and in general in a faster
way than the MOV attack. Finally, let us mention that there exist an special attack for
anomalous curves, |E(Fq )| = q using p-adic valuations, and for a general curve the
xedni method of Silverman.
6
Elliptic curve Cryptography.
Alice wants to send a message, often called the plaintext, to Bob. In order to keep the
eavesdropper Eve from reading the message, she encrypts it to obtain the ciphertext.
When Bob receives the ciphertext, he decrypts it and reads the message. In order to
encrypt the message, Alice uses an encryption key. Bob uses a decryption key to
decrypt the ciphertext. Clearly, the decryption key must be kept secret from Eve.
There are two basic types of encryption. In symmetric encryption, the encryption
key and decryption key are the same, or one can be easily deduced from the other.
Popular symmetric encryption methods include the Data Encryption Standard (DES)
and the Advanced Encryption Standard (AES, often referred to by its original name
Rijndael). In this case, Alice and Bob need to have some way of establishing a key. For
example, Bob could send a messenger to Alice several days in advance. Then, when it
is time to send the message, they both will have the key. Clearly this is impractical in
many situations.
The other type of encryption is public key encryption, or asymmetric encryption.
In this case, Alice and Bob do not need to have prior contact. Bob publishes a public
encryption key, which Alice uses. He also has a private decryption key that allows him
to decrypt ciphertexts. Since everyone knows the encryption key, it should be infeasible to deduce the decryption key from the encryption key. The most famous public
key system is known as RSA and is based on the difficulty of factoring integers into
primes. Another wellknown system is due to ElGamal and is based on the difficulty
of the discrete logarithm problem. Generally, public key systems are slower than good
symmetric systems. Therefore, it is common to use a public key system to establish a
key that is then used in a symmetric system. The improvement in speed is important
when massive amounts of data are being transmitted.
6.1
Diffie-Hellman key exchange
Alice and Bob want to exchange a key so they can then use a symmetric cryptosystem.
24
1. Alice and Bob agree on an elliptic curve E over a finite field Fq such that the
discrete logarithm problem is hard in E(Fq ). They also agree on a point P ∈
E(Fq ) such that the subgroup generated by P has large prime.
2. Alice chooses a secret integer a, computes Pa = aP, and sends it to Bob.
3. Bob chooses a secret integer b, computes Pb = bP , and sends it to Alice.
4. Alice computes aPb = abP .
5. Bob computes bPa = baP .
The public information is E, q, P, Pa , Pb . From here to compute abP would be enough
to solve the DLP on the elliptic curve E. It is not know if one can compute abP without
solving DLP. In fact, it is even thought to be difficult the following
Decision Diffie-Hellman problem Given P, aP, and bP in E(Fq ), and given a point
Q ∈ E(Fq ) determine whether or not Q = abP.
In other words, it is believed that P, aP, and bP do not lick a single bit of information about abP.
DDH problem can be asked in any group. In the case of elliptic curves, it is subtle
since, in some cases, one could use the Weil pairing to solve the problem, as we did to
solve the DLP.
Example Consider the curve y2 = x3 + 1 and q ≡ 2 (mod 3). Then, E(Fq ) = q + 1.
Define the isomorphism β (x, y) = (ωx, y) where ω ∈
/ Fq is a third root of unity. If P
has order n also β (P) has order n, since it is isomorphism. Hence, we can define
ẽn (P1 , P2 ) = en (P1 , β (P2 )),
and prove that it is a pairing so that
Lemma 6.1 Assume 3 - n. If P ∈ E(Fq ) has order exactly n, then ẽn (P, P) is a primitive
n-th root of unity.
Proof. We see that it is impossible to have a relation between P and β (P) unless
x = 0, but the point P = (0, ±1) has order 3|n. Hence, they are independent, and hence
the Weil pairing is a primitive root by Corollary 3.2.
Assume now that Q = tP. One can check this by Lemma 5.1. Then Q = abP if and
only if ab ≡ t (mod n). This is equivalent to ẽn (Q, P) = ẽn (aP, bP), when 3 - n, by the
previous lemma.
Remark This modified pairing can be used to produce tripartite key excahnge in
just one round of communication. Broadcast aP, bP and cP and compute ẽn (bP, cP)a ,
ẽn (aP, cP)b , and ẽn (aP, bP)c .
25
Alice wants to send a message to Bob over public channels. They have not yet
established a private key. One way to do this is the following. Alice puts her message
in a box and puts her lock on it. She sends the box to Bob. Bob puts his lock on it and
sends it back to Alice. Alice then takes her lock off and sends the box back to Bob.
Bob then removes his lock, opens the box, and reads the message.
Exercise Implement this procedure with elliptic curves. It is called the Massey-Omura
Encryption.
6.2
A Public Key Scheme Based on Factoring
The most famous public key cryptosystem is called RSA (for Rivest-Shamir- Adleman)
and proceeds as follows. Alice wants to send a message to Bob. Bob secretly chooses
two large primes p, q and multiplies them to obtain n = pq. Bob also chooses integers
e and d with ed ≡ 1 (mod (p − 1)(q − 1)). He makes n and e public and keeps d
secret. Alice’s message is a number m (mod n). She computes c ≡ me (mod n) and
sends c to Bob. Bob computes m ≡ cd (mod n) to obtain the message. If Eve can
find p and q, then she can solve ed ≡ 1 (mod (p − 1)(q − 1)) to obtain d. It can be
shown that if Eve can find the decryption exponent d, then she probably can factor n.
Therefore, the difficulty of factoring n is the key to the security of the RSA system.
Now, we show a cryptosystem inspired on RSA but in the context of elliptic curves.
1. Bob chooses two distinct large primes p, q with p ≡ q ≡ 2 (mod 3) and computes n = pq.
2. Bob chooses integers e, d with ed ≡ 1 (mod lcm(p + 1, q + 1)).
3. Bob makes n and e public and keeps d, p, q private.
4. Alice represents her message as a pair of integers (m1 , m2 ) (mod n). She regards
(m1 , m2 ) as a point M on the elliptic curve E given by y2 = x3 + b (mod n),
where b = m22 − m31 (mod n) (she does not need to compute b).
5. Alice adds M to itself e times on E to obtain C = (c1, c2) = eM. She sends C to
Bob.
6. Bob computes M = dC on E to obtain M.
Remark. The order of E(Zn ) is |E(F p )||E(Fq )| = (p + 1)(q + 1). By Therefore,
(p + 1)M ≡ O (mod p) and (q + 1)M ≡ O (mod q) This means that the decryption
works.
A key point of the procedure is that the group order is independent of b. Otherwise
If has to be computed and the group order and if p and q are chosen large enough it
26
is infeasible. Also, if Bob fixes the elliptic curve, Alice will have difficulty finding
points M on the curve. If she does the procedure of first choosing the x-coordinate as
the message, then she is faced with the problem of computing square roots mod n. This
is computationally equivalent to factoring n. If Bob fixes only A (the formulas for the
group operations depend only on A) and allows Alice to choose B so that her point lies
on the curve, then his choice of e, d requires that the group order be independent of
B. This is the situation in the above procedure. If Eve factors n as pq, she can decrypt
AliceÕs message. The opposite is also true with high probability.
Suppose that Eve finds out the decryption exponent d.
1. Write ed − 1 = 2k v with v odd and with k ≥ 1.
2. Pick a random pair of integers R = (r1 , r2 ) (mod n), and let b0 = r22 − r13 and
regards R as a point on the elliptic curve E 0 given by y2 = x3 + b0 .
3. Computes R0 = vR. If R0 = O (mod n), start over with a new R. On the other
hand if R0 = O mod p only, then Eve has factored n.
4. For i = 0, 1, 2, ..., k, computes Ri+1 = 2Ri . If Ri+1 ≡ O (mod p) only or some i,
then Ri = (xi , yi ) with yi ≡ 0 (mod p) and gcd(yi , n) = p.
5. If for some i, Ri+1 = O (mod n), then start over with a new random point.
In a few iterations, this should factor n. Since ed − 1 is a multiple of |E(Zn )|, we
have Rk = (ed − 1)R = edR − R = O. Therefore, each iteration of the procedure will
0
eventually end with a point R j that is O modulo at least one of p, q. Let 2k be the
highest power of 2 dividing p + 1. If we take a random point P in E(F p ), then the
0
probability is 1/2 that the order of P is divisible by 2k . This follows easily from the
0
fact that E(F p ) is cyclic. In this case the point Rk0 −1 ≡ 2k −1 vP 6≡ O (mod p), while
0
Rk0 = O (mod p). If the order of P is not divisible by 2k , then Rk0 −1 = O (mod p)
We have a similar situation with q. Since mod p and mod q are independent, it is easy
to see that the sequence R0 , R1 , R2 , . . . . reaches O modulo p and q at different indices i
at least half the time. This means that for at least half of the choices of random starting
points R, we obtain a factorization of n.
There are other public key cryptosystems, for example based on pairings.
6.3
ElGamal Digital Signatures
Another device of cryptography is the ability of building procedures to sign a document
in a secure manner. The idea is to attach the sign of Alice to a document, in a way that
it cannot be used again for somebody else to sign another document. However, it must
be possible for someone to verify that the signature is valid, and it should be possible
to show that Alice must have been the person who signed the document. The solution
27
presented was original built over the multiplicative group of a finite field. Here we
adapt it to elliptic curves.
Alice chooses an elliptic curve E over a finite field Fq such that the DLP is hard.
She also chooses a point A ∈ E(Fq ). Usually with order N a large prime. Alice also
chooses a secret integer a and computes B = aA. Finally, she chooses a function
f : E(Fq ) → Z. The function f needs no special properties, except that its image should
be large and only a small number of inputs should produce any given output. For
example, for f (x, y) = x, at most two points yield a given output.
To sign a document, Alice does the following:
1. Represents the document as an integer m (if m > N, choose a larger curve, or use
a hash function (see below)).
2. Chooses a random integer k with gcd(k, N) = 1 and computes R = kA.
3. Computes s ≡ k−1 (m − a f (R))(modN). The signed message is (m, R, s).
The signed message is (m, R, s). Note that Alice is not trying to keep the document
secret. If she wants to do that, then she needs to use some form of encryption. Bob
verifies the signature as follows:
1. Downloads Alice’s public information, E, Fq , f , A, and B.
2. Computes V1 = f (R)B + sR and V2 = mA.
3. If V1 = V2 , he declares the signature valid.
Observe that If the signature is valid, then V1 = V2 .
Alice must keep a and k secret. Also, she must use a different random k for each
signature. Otherwise Eve could recover k from a linear system of two secrets s, s0 , up to
d =gcd((s − s0 , N). It is perhaps not necessary for Eve to solve discrete log problems in
order to forge Alice’s signature on another message m. All Eve needs to do is produce
R, s such that the verification equation V1 = V2 is satisfied. This means that she needs to
find R and s such that f (R)B + sR = mA. If she chooses some point R (there is no need
to choose an integer k), she needs to solve the discrete log problem sR = mA − f (R)B
for the integer s. If, instead, she chooses s, then she must solve an equation for R. This
equation appears to be at least as complex as a DLP, though it has not been analyzed as
thoroughly. Moreover, no one has been able to rule out the possibility of using some
procedure that finds R and s simultaneously. There are ways of using a valid signed
message to produce another valid signed message. However, the messages produced
are unlikely to be meaningful messages. The general belief is that the security of the
ElGamal system is very close to the security of DLP for the group E(Fq ).
28
A disadvantage of the ElGamal system is that the signed message (m, R, s) is approximately three times as long as the original message. In order to reduce the size we
introduce the Hash function.
Definition 6.1 A cryptographic hash function H, is a function that takes inputs of
arbitrary length, sometimes a message of billions of bits, and outputs values of fixed
length, for example, 160 bits with the following properties:
1. Given a message m, the value H(m) can be calculated very quickly.
2. Given y, it is computationally infeasible to find m with H(m) = y. (H is preimage
resistant.)
3. It is computationally infeasible to find distinct messages m1 and m2 with H(m1 ) =
H(m2 ). (H is strongly collision-free.)
There are several popular hash functions available, for example, MD5 (due to
Rivest; it produces a 128-bit output) and the Secure Hash Algorithm (from NIST;
it produces a 160-bit output), but it seems that there are some weaknesses in them.
The advantage is that a very long message m containing billions of bits has a signature
that requires only a few thousand extra bits. If Alice uses a hash function, the signed
message is then (m, RH , sH ), where (H(m), RH , sH ) is a valid signature.
7
Other Applications
In the 1980’s, about the same time that elliptic curves were being introduced into cryptography, two related applications of elliptic curves were found, one to factoring and
one to primality testing. These are generalizations of classical methods that worked
with multiplicative groups Zn Z∗ . The main advantage of elliptic curves stems from
the fact that there are many elliptic curves mod a number n, so if one elliptic curve
doesnÕt work, another can be tried.
7.1
Factoring Using Elliptic Curves
7.2
p − 1 factorization method
We start with a composite integer n that we want to factor. Choose a random integer a
and a large integer B. Compute a1 ≡ aB! (modn) , and gcd(a1 − 1, n). Note that we do
not compute aB! and then reduce mod n, but we do it recursively. Or we can write B!
in binary and do modular exponentiation by successive squaring.
29
We say that an integer m is B-smooth if all of the prime factors of m are less than or
equal to B. For simplicity, assume n = pq is the product of two large primes. Suppose
that p − 1 is B-smooth. Since B! contains all of the primes up to B, it is likely that B!
is a multiple of p − 1 (the main exception is when p − 1 is divisible by the square of a
prime that is between B/2 and B). Therefore, p|a1 − 1. On the other hand, if l|q − 1
for some prime l > B, then . Among all the elements in the cyclic group Zq∗ , there are
at least ((l − 1)(q − 1)/l that have order divisible by l and at least (?1)(q?1)/ that have
order divisible by l. Therefore, it is very likely that a1 − 1 is a multiple of p but not of
q.
The main problem is choosing B so that p − 1 is B-smooth. If we choose B small,
the probability of this is low. If we choose B very large, then the computation of
a1 becomes too lengthy. what if both p − 1 and q − 1 have prime factors of around
20 decimal digits? We could keep trying various random choices of a, hoping to get
lucky. But the probability that p|a1 − 1 is at most 1/l where l is the maximum prime
dividing p − 1. There seems to be no way to get the method to work.
In 1975 Hendrik Lenstra [2] produced an algorithm based on elliptic curves. It has
a much better chance of success in this case because it allows us to change groups. It
is efficient for factoring numbers of around 60 decimal digits, and, for larger numbers,
finding prime factors having around 20 to 30 decimal digits.
1. Choose several random elliptic curves Ei : y2 = x3 + Ai x + Bi (usually around 10
to 20) and points Pi (mod n).
2. Choose an integer B (perhaps around 108) and compute (B!)Pi on Ei for each i.
3. If step 2 fails because some slope does not exist mod n, then we have found a
factor of n.
4. If step 2 succeeds, increase B or choose new random curves Ei and points Pi and
start over.
A random elliptic curve E (mod n) can be regarded as an elliptic curve mod p and
mod q. We know, by HasseÕs theorem, that p + 1 − 2p < |E(F p )| < p + 1 + 2p. In
fact, each integer in the interval occurs for some elliptic curve. If B is of reasonable
size, then the density of B-smooth integers in this interval is high enough, and the
distribution of orders of random elliptic curves is sufficiently uniform. Therefore, if
we choose several random E, at least one will probably have B-smooth order. If P
lies on this E, then it is likely that (B!)P = O (mod p) (the main exception occurs
when the order is divisible by the square of a prime near B). It is unlikely that the
corresponding point P on E mod q will satisfy the previous identity (If it does, choose
a smaller B). Therefore, when computing (B!)P (mod n), we expect to obtain a slope
whose denominator is divisible by p but not by q.
Remark. It is interesting to note that the elliptic curve method, when applied to
singular curves yields classical factorization methods. When the reduction is multi30
plicative is simply the p − 1 or p + 1 method. For additive reduction is trial division
by small factors.
Example Mathematika
7.3
Primality Testing
Suppose n is an integer of several hundred decimal digits. If n is composite, it is
usually easy to prove it, and the proof can be stated in a form that can be checked
easily. But if n is prime, the situation is more difficult. Saying that n passed several
pseudoprimality tests indicates that n is probably prime, but does not prove that n is
prime. For primes of a thousand digits or more, the most popular method currently in
use involves elliptic curves. The elliptic curve primality test is an elliptic curve version
of the classical Pocklington-Lehmer primality test. But in the case of elliptic curves,
again we can replace n − 1 with a group order near n, but there will be enough choices
for the elliptic curve that we can probably find a number that can be partially factored.
The method is due to Goldwasser and Kilian [1]
Theorem 7.1 Let n > 1 and let E be an elliptic curve modulo n. Suppose there exist
distinct prime numbers l1 , . . . , lk and finite points Pi ∈ E(Zn Z) such that
li Pi = O for 1 ≤ i ≤ k,
k
∏ li ≥ (n1/4 + 1)2.
i=1
Then n is prime.
Proof. Since li Pi = O (mod n), li Pi = O (mod p) for any p|n. Hence, li |E(F p ) for
1 ≤ i ≤ k. Hence, by Hasse’s Theorem, for any prime p|n we have
k
√
(n1/4 + 1)2 ≤ ∏ li ≤ |E(F p ) < ( p + 1)2 .
i=1
Hence, p ≥
√
n for any prime p|n and, in particular, n is prime.
Example Mathematika
For large n, the hardest part of the algorithm is finding an elliptic curve with a
suitable number of points. One possibility is to choose random elliptic curves mod
n and compute their orders, for example, using SchoofÕs algorithm, until an order is
found that has a suitable prime factor l. A more efficient procedure, due to Atkin and
Morain (see [7]), uses the theory of complex multiplication to find suitable curves.
31
References
[1] S. Goldwasser and J. Kilian. Primality testing using elliptic curves. J. ACM,
46(4):450–472, 1999.
[2] H. W. Lenstra, Jr., Factoring integers with elliptic curves. Ann. of Math. (2),
126, (3): 649–673, 1987.
[3] H.-G.Ruck, A note on elliptic curves over finite fields, Math. Comp. 49(179),
301–304,1987.
[4] J.-P. Serre. Complex multiplication. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 292–296. Thompson, Washington, D.C.,
1967.
[5] L. C. Washington, Elliptic Curves: Number Theory and Cryptography, Second
Edition Series: Discrete Mathematics and Its Applications Volume: 50, CRC
2008.
32
© Copyright 2026 Paperzz