
  1. Elliptic Curves Cryptography. Francesco Pappalardi. #3 - Third Lecture, June 18th 2019. WAMS School: Introductory Topics in Number Theory and Differential Geometry. King Khalid University, Abha, Saudi Arabia.

  2. A Finite Field Example

Over $\mathbb{F}_p$ geometric pictures don't make sense.

Example. Let $E: y^2 = x^3 - 5x + 8$ over $\mathbb{F}_{37}$, $P = (6, 3)$, $Q = (9, 10) \in E(\mathbb{F}_{37})$.

The chord through $P$ and $Q$ is $r_{P,Q}: y = 27x + 26$; the tangent at $P$ is $r_{P,P}: y = 11x + 11$.

$r_{P,Q} \cap E(\mathbb{F}_{37}) = \{\, y^2 = x^3 - 5x + 8,\ y = 27x + 26 \,\} = \{(6, 3), (9, 10), (11, 27)\}$

$r_{P,P} \cap E(\mathbb{F}_{37}) = \{\, y^2 = x^3 - 5x + 8,\ y = 11x + 11 \,\} = \{(6, 3), (6, 3), (35, 26)\}$

Hence (reflecting the third intersection point in the $x$-axis) $P +_E Q = (11, 10)$ and $2P = (35, 11)$. Further $3P = (34, 25)$, $4P = (8, 6)$, $5P = (16, 19)$, ..., $3P + 4Q = (31, 28)$, ...

Exercise. Compute the order and the group structure of $E(\mathbb{F}_{37})$.

  3. Example: elliptic curves over $\mathbb{F}_5$

For every $E/\mathbb{F}_5$ (12 elliptic curves), $\#E(\mathbb{F}_5) \in \{2, 3, 4, 5, 6, 7, 8, 9, 10\}$. For every $n$ with $2 \le n \le 10$ there is exactly one $E/\mathbb{F}_5$ with $\#E(\mathbb{F}_5) = n$, with the following exceptions.

Example (elliptic curves over $\mathbb{F}_5$)
• $E_1: y^2 = x^3 + 1$ and $E_2: y^2 = x^3 + 2$ both have order 6, and $E_1(\mathbb{F}_5) \cong E_2(\mathbb{F}_5) \cong C_6$.
• $E_3: y^2 = x^3 + x$ and $E_4: y^2 = x^3 + x + 2$ both have order 4, with $E_3(\mathbb{F}_5) \cong C_2 \oplus C_2$ and $E_4(\mathbb{F}_5) \cong C_4$.
• $E_5: y^2 = x^3 + 4x$ and $E_6: y^2 = x^3 + 4x + 1$ both have order 8, with $E_5(\mathbb{F}_5) \cong C_2 \oplus C_4$ and $E_6(\mathbb{F}_5) \cong C_8$.
• $E_7: y^2 = x^3 + x + 1$ has order 9 and $E_7(\mathbb{F}_5) \cong C_9$.
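A worked implementation of the chord-and-tangent law used in the $\mathbb{F}_{37}$ example and of the $C_n \oplus C_{nk}$ description used on this slide, added here as an example (it is not code from the lecture). It reproduces the multiples of $P$ and $Q$ over $\mathbb{F}_{37}$, answers the exercise on the order and group structure of $E(\mathbb{F}_{37})$, and recomputes the $\mathbb{F}_5$ table. The class name `Curve` and the helper names are my own choices; the curves and points are the slides' own. Group structure is read off as follows: the exponent $nk$ of $C_n \oplus C_{nk}$ is the lcm of all point orders and $n^2 k = \#E(\mathbb{F}_p)$, so $n = \#E(\mathbb{F}_p)/\text{exponent}$.

```python
# Added example (not part of the lecture slides): chord-and-tangent arithmetic on
# E: y^2 = x^3 + A x + B over F_p (p > 3), double-and-add, naive point counting and
# the invariants (n, k) of E(F_p) = C_n (+) C_nk.  Curve data below are the slides' own.
from math import gcd

INF = None  # the point at infinity, the identity of E(F_p)


class Curve:
    """E: y^2 = x^3 + A x + B over F_p; all coordinates are reduced mod p."""

    def __init__(self, p, A, B):
        if p <= 3 or (4 * A**3 + 27 * B**2) % p == 0:
            raise ValueError("need p > 3 and a non-singular curve")
        self.p, self.A, self.B = p, A % p, B % p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x**3 + self.A * x + self.B)) % self.p == 0

    def add(self, P, Q):
        """P +_E Q: third intersection of r_{P,Q} (the tangent if P = Q) with E,
        reflected in the x-axis."""
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF                                   # Q = -P: vertical line
        if P == Q:
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p              # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p                  # reflect the third point
        return (x3, y3)

    def mul(self, k, P):
        """kP by double-and-add (k >= 0)."""
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def points(self):
        """All points of E(F_p): for each x, the square roots of x^3 + A x + B.
        Brute force; fine for the small primes used in the lecture."""
        roots = {}
        for y in range(self.p):
            roots.setdefault(y * y % self.p, []).append(y)
        pts = [INF]
        for x in range(self.p):
            pts += [(x, y) for y in roots.get((x**3 + self.A * x + self.B) % self.p, [])]
        return pts

    def order_of(self, P):
        n, R = 1, P
        while R is not INF:
            R, n = self.add(R, P), n + 1
        return n

    def group_structure(self):
        """(n, k) with E(F_p) = C_n (+) C_nk: the exponent nk is the lcm of all point
        orders and n^2 k = #E(F_p), hence n = #E / exponent."""
        pts = self.points()
        exponent = 1
        for P in pts:
            o = self.order_of(P)
            exponent = exponent * o // gcd(exponent, o)
        n = len(pts) // exponent
        return n, exponent // n


def describe(E):
    n, k = E.group_structure()
    return f"#E(F_{E.p}) = {n * n * k}, E(F_{E.p}) = C_{n} (+) C_{n * k}"


if __name__ == "__main__":
    E = Curve(37, -5, 8)
    P, Q = (6, 3), (9, 10)
    print("P + Q =", E.add(P, Q), " 2P =", E.mul(2, P),
          " 3P + 4Q =", E.add(E.mul(3, P), E.mul(4, Q)))
    print(describe(E))                                   # answers the slide's exercise
    for A, B in [(0, 1), (0, 2), (1, 0), (1, 2), (4, 0), (4, 1), (1, 1)]:
        print(f"y^2 = x^3 + {A}x + {B} over F_5:", describe(Curve(5, A, B)))
```

The point count is a brute-force square-root table, which is all that is needed for primes of this size; the structure computation only relies on the corollary $E(\mathbb{F}_p) \cong C_n \oplus C_{nk}$ and on Lagrange's theorem, so the test that $\#E(\mathbb{F}_{37}) \cdot P = \infty$ and $n \mid p - 1$ are consistency checks on the result rather than inputs to it.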

  4. Determining points of order 2

Definition (2-torsion points). $E[2] = \{P \in E(\overline{\mathbb{F}}_p) : 2P = \infty\}$.

FACTS:
$E[2] \cong C_2 \oplus C_2$ if $p > 2$;
$E[2] \cong C_2$ if $p = 2$ and $E: y^2 + xy = x^3 + a_4 x + a_6$;
$E[2] = \{\infty\}$ if $p = 2$ and $E: y^2 + a_3 y = x^3 + a_2 x^2 + a_6$.

Each curve over $\mathbb{F}_2$ has cyclic $E(\mathbb{F}_2)$:

| $E$ | $E(\mathbb{F}_2)$ | $\lvert E(\mathbb{F}_2) \rvert$ |
|---|---|---|
| $y^2 + xy = x^3 + x^2 + 1$ | $\{\infty, (0, 1)\}$ | 2 |
| $y^2 + xy = x^3 + 1$ | $\{\infty, (0, 1), (1, 0), (1, 1)\}$ | 4 |
| $y^2 + y = x^3 + x$ | $\{\infty, (0, 0), (0, 1), (1, 0), (1, 1)\}$ | 5 |
| $y^2 + y = x^3 + x + 1$ | $\{\infty\}$ | 1 |
| $y^2 + y = x^3$ | $\{\infty, (0, 0), (0, 1)\}$ | 3 |

  5. Determining points of order 3

FACTS (from yesterday):
1. $\psi_3(x) := 3x^4 + 6Ax^2 + 12Bx - A^2$ is called the 3rd division polynomial.
2. $(x_1, y_1) \in E(\mathbb{F}_p)$ has order 3 $\Rightarrow$ $\psi_3(x_1) = 0$.
3. $E(\mathbb{F}_p)$ has at most 8 points of order 3.
4. If $p \ne 3$, $E[3] := \{P \in E(\overline{\mathbb{F}}_p) : 3P = \infty\} \cong C_3 \oplus C_3$.
5. If $p = 3$, $E: y^2 = x^3 + Ax^2 + Bx + C$ and $P = (x_1, y_1)$ has order 3, then $Ax_1^3 + AC - B^2 = 0$.
• $E[3] \cong C_3$ if $A \ne 0$ and $E[3] = \{\infty\}$ otherwise.

  6. Determining points of order 3 (continued)

FACTS:
$E[3] \cong C_3 \oplus C_3$ if $p \ne 3$;
$E[3] \cong C_3$ if $p = 3$ and $E: y^2 = x^3 + Ax^2 + Bx + C$ with $A \ne 0$;
$E[3] = \{\infty\}$ if $p = 3$ and $E: y^2 = x^3 + Bx + C$.

Example: inequivalent curves over $\mathbb{F}_7$ with $\#E(\mathbb{F}_7) = 9$.

| $E$ | $\psi_3(x)$ | $E[3] \cap E(\mathbb{F}_7)$ | $E(\mathbb{F}_7) \cong$ |
|---|---|---|---|
| $y^2 = x^3 + 2$ | $x(x+1)(x+2)(x+4)$ | $\{\infty, (0, \pm 3), (-1, \pm 1), (5, \pm 1), (3, \pm 1)\}$ | $C_3 \oplus C_3$ |
| $y^2 = x^3 + 3x + 2$ | $(x+2)(x^3 + 5x^2 + 3x + 2)$ | $\{\infty, (5, \pm 3)\}$ | $C_9$ |
| $y^2 = x^3 + 5x + 2$ | $(x+4)(x^3 + 3x^2 + 5x + 2)$ | $\{\infty, (3, \pm 3)\}$ | $C_9$ |
| $y^2 = x^3 + 6x + 2$ | $(x+1)(x^3 + 6x^2 + 6x + 2)$ | $\{\infty, (6, \pm 3)\}$ | $C_9$ |
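As an added example (not code from the lecture), the following turns the facts of this slide and the previous one into a computation: it finds the roots of $\psi_3$ over $\mathbb{F}_p$, lifts each root to the rational points of order 3 (a root $x$ gives points exactly when $x^3 + Ax + B$ is a square in $\mathbb{F}_p$), and reproduces the $\mathbb{F}_7$ table above, including the check that all four curves have nine points. It also evaluates the $p = 3$ condition $Ax_1^3 + AC - B^2 = 0$ from fact 5 on a curve $y^2 = x^3 + x^2 + 1$ over $\mathbb{F}_3$, which is a constructed test case, not one of the slides'. Function names are mine.

```python
# Added example (not from the slides): rational points of order 3 on
# E: y^2 = x^3 + A x + B over F_p (p != 2, 3) from the roots of the 3rd division
# polynomial psi_3, and the p = 3 variant A x^3 + A C - B^2 for y^2 = x^3 + A x^2 + B x + C.
# Reproduces the F_7 table: four inequivalent curves with #E(F_7) = 9.

def psi3(x, A, B, p):
    """The 3rd division polynomial psi_3 = 3x^4 + 6A x^2 + 12B x - A^2, evaluated mod p."""
    return (3 * x**4 + 6 * A * x * x + 12 * B * x - A * A) % p


def sqrt_mod(a, p):
    """All y in F_p with y^2 = a (brute force; fine for small p)."""
    return [y for y in range(p) if (y * y - a) % p == 0]


def psi3_roots(A, B, p):
    """x-coordinates in F_p that can carry a point of order 3: the roots of psi_3."""
    return [x for x in range(p) if psi3(x, A, B, p) == 0]


def three_torsion(A, B, p):
    """Finite points of E[3] ∩ E(F_p): a root x of psi_3 gives rational points of
    order 3 exactly when x^3 + A x + B is a square in F_p."""
    pts = []
    for x in psi3_roots(A, B, p):
        for y in sqrt_mod((x**3 + A * x + B) % p, p):
            pts.append((x, y))
    return pts


def three_torsion_char3(A, B, C):
    """Same for p = 3 and E: y^2 = x^3 + A x^2 + B x + C, where (fact 5 of slide 5) a
    point of order 3 has x-coordinate satisfying A x^3 + A C - B^2 = 0."""
    pts = []
    for x in range(3):
        if (A * x**3 + A * C - B * B) % 3 == 0:
            for y in sqrt_mod((x**3 + A * x * x + B * x + C) % 3, 3):
                pts.append((x, y))
    return pts


def rational_3_torsion_group(A, B, p):
    """E[3] ∩ E(F_p) is a subgroup of C_3 (+) C_3, so it has 0, 2 or 8 points of order 3."""
    return {0: "trivial", 2: "C_3", 8: "C_3 (+) C_3"}[len(three_torsion(A, B, p))]


def count_points(A, B, p):
    """#E(F_p) by brute force, to confirm the table's #E(F_7) = 9."""
    return 1 + sum(len(sqrt_mod((x**3 + A * x + B) % p, p)) for x in range(p))


if __name__ == "__main__":
    for A, B in [(0, 2), (3, 2), (5, 2), (6, 2)]:          # the four curves of the table
        print(f"y^2 = x^3 + {A}x + {B} over F_7: #E = {count_points(A, B, 7)},",
              f"roots of psi_3 = {psi3_roots(A, B, 7)},",
              f"E[3] ∩ E(F_7) = {three_torsion(A, B, 7)} -> {rational_3_torsion_group(A, B, 7)}")
    # y^2 = x^3 + x^2 + 1 over F_3 (constructed): A = 1 != 0, so E[3] is C_3
    print("points of order 3 over F_3:", three_torsion_char3(1, 0, 1))
```

With nine points, eight of order 3 means $E(\mathbb{F}_7) \cong C_3 \oplus C_3$ and only two means $C_9$, which is how the last column of the table follows from the third.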

  7. One can count the number of inequivalent $E/\mathbb{F}_p$ with $\#E(\mathbb{F}_p) = r$.

Example (a curve over $\mathbb{F}_4 = \mathbb{F}_2(\xi)$, $\xi^2 = \xi + 1$; $E: y^2 + y = x^3$). We know $E(\mathbb{F}_2) = \{\infty, (0, 0), (0, 1)\} \subset E(\mathbb{F}_4)$.

$E(\mathbb{F}_4) = \{\infty, (0, 0), (0, 1), (1, \xi), (1, \xi + 1), (\xi, \xi), (\xi, \xi + 1), (\xi + 1, \xi), (\xi + 1, \xi + 1)\}$

$\psi_3(x) = x^4 + x = x(x + 1)(x + \xi)(x + \xi + 1) \Rightarrow E(\mathbb{F}_4) \cong C_3 \oplus C_3$.

  8. Determining points of order (dividing) $m$

Definition ($m$-torsion point). Let $E/K$ and let $\overline{K}$ be an algebraic closure of $K$. $E[m] = \{P \in E(\overline{K}) : mP = \infty\}$.

Theorem (Structure of Torsion Points). Let $E/K$ and $m \in \mathbb{N}$.
If $p = \operatorname{char}(K) \nmid m$, then $E[m] \cong C_m \oplus C_m$.
If $m = p^r m'$ with $p \nmid m'$, then $E[m] \cong C_m \oplus C_{m'}$ or $E[m] \cong C_{m'} \oplus C_{m'}$.

$E/\mathbb{F}_p$ is called ordinary if $E[p] \cong C_p$, and supersingular if $E[p] = \{\infty\}$.

  9. Group structure of $E(\mathbb{F}_p)$

Corollary. Let $E/\mathbb{F}_p$. There exist $n, k \in \mathbb{N}$ such that $E(\mathbb{F}_p) \cong C_n \oplus C_{nk}$.

Proof. From the classification theorem of finite abelian groups, $E(\mathbb{F}_p) \cong C_{n_1} \oplus C_{n_2} \oplus \cdots \oplus C_{n_r}$ with $n_i \mid n_{i+1}$ for $i \ge 1$. Hence $E(\mathbb{F}_p)$ contains $n_1^r$ points of order dividing $n_1$. From the Structure of Torsion theorem, $\#E[n_1] \le n_1^2$. So $r \le 2$.

Theorem. Let $E/\mathbb{F}_p$ and $n, k \in \mathbb{N}$ such that $E(\mathbb{F}_p) \cong C_n \oplus C_{nk}$. Then $n \mid p - 1$.

  10. The division polynomials

Definition (Division polynomials of $E: y^2 = x^3 + Ax + B$, $p > 3$).
$\psi_0 = 0$, $\psi_1 = 1$, $\psi_2 = 2y$, $\psi_3 = 3x^4 + 6Ax^2 + 12Bx - A^2$,
$\psi_4 = 4y(x^6 + 5Ax^4 + 20Bx^3 - 5A^2x^2 - 4ABx - 8B^2 - A^3)$, ...
$\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3$ for $m \ge 2$,
$\psi_{2m} = \dfrac{\psi_m}{2y} \cdot \left(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2\right)$ for $m \ge 3$.

The polynomial $\psi_m \in \mathbb{Z}[x, y]$ is called the $m$-th division polynomial.

FACTS:
• $\psi_{2m+1} \in \mathbb{Z}[x]$ and $\psi_{2m} \in 2y\,\mathbb{Z}[x]$.
• $\psi_m = y\left(m x^{(m^2-4)/2} + \cdots\right)$ if $m$ is even, and $\psi_m = m x^{(m^2-1)/2} + \cdots$ if $m$ is odd.
• $\psi_m^2 = m^2 x^{m^2-1} + \cdots$

  11. Remark.
• $E[2m+1] \setminus \{\infty\} = \{(x, y) \in E(\overline{K}) : \psi_{2m+1}(x) = 0\}$
• $E[2m] \setminus E[2] = \{(x, y) \in E(\overline{K}) : y^{-1}\psi_{2m}(x) = 0\}$

Example
$\psi_4(x) = 2y\left(x^6 + 5Ax^4 + 20Bx^3 - 5A^2x^2 - 4BAx - A^3 - 8B^2\right)$
$\psi_5(x) = 5x^{12} + 62Ax^{10} + 380Bx^9 - 105A^2x^8 + 240BAx^7 + \left(-300A^3 - 240B^2\right)x^6 - 696BA^2x^5 + \left(-125A^4 - 1920B^2A\right)x^4 + \left(-80BA^3 - 1600B^3\right)x^3 + \left(-50A^5 - 240B^2A^2\right)x^2 + \left(-100BA^4 - 640B^3A\right)x + \left(A^6 - 32B^2A^3 - 256B^4\right)$
$\psi_6(x) = 2y\big(6x^{16} + 144Ax^{14} + 1344Bx^{13} - 728A^2x^{12} + \left(-2576A^3 - 5376B^2\right)x^{10} - 9152BA^2x^9 + \left(-1884A^4 - 39744B^2A\right)x^8 + \left(1536BA^3 - 44544B^3\right)x^7 + \left(-2576A^5 - 5376B^2A^2\right)x^6 + \left(-6720BA^4 - 32256B^3A\right)x^5 + \left(-728A^6 - 8064B^2A^3 - 10752B^4\right)x^4 + \left(-3584BA^5 - 25088B^3A^2\right)x^3 + \left(144A^7 - 3072B^2A^4 - 27648B^4A\right)x^2 + \left(192BA^6 - 512B^3A^3 - 12288B^5\right)x + \left(6A^8 + 192B^2A^5 + 1024B^4A^2\right)\big)$

  12. Theorem ($E: Y^2 = X^3 + AX + B$ elliptic curve, $P = (x, y) \in E$)

$mP = \left( \dfrac{\phi_m(x)}{\psi_m^2(x)},\ \dfrac{\omega_m(x, y)}{\psi_m^3(x, y)} \right) = \left( x - \dfrac{\psi_{m-1}\psi_{m+1}}{\psi_m^2(x)},\ \dfrac{\psi_{2m}(x, y)}{2\psi_m^4(x)} \right)$, where
$\phi_m = x\psi_m^2 - \psi_{m+1}\psi_{m-1}$, $\omega_m = \dfrac{\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2}{4y}$.

FACTS:
• $\phi_m(x) = x^{m^2} + \cdots$ and $\psi_m(x)^2 = m^2 x^{m^2-1} + \cdots$ are in $\mathbb{Z}[x]$
• $\omega_{2m+1} \in y\,\mathbb{Z}[x]$, $\omega_{2m} \in \mathbb{Z}[x]$
• $\dfrac{\omega_m(x, y)}{\psi_m^3(x, y)} \in y\,\mathbb{Z}(x)$
• $\gcd(\psi_m^2(x), \phi_m(x)) = 1$
• $E[2m+1] \setminus \{\infty\} = \{(x, y) \in E(\overline{K}) : \psi_{2m+1}(x) = 0\}$
• $E[2m] \setminus E[2] = \{(x, y) \in E(\overline{K}) : y^{-1}\psi_{2m}(x) = 0\}$
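The recurrence of slide 10 and the multiplication formula of this theorem, as an added example (not the lecture's code): the division polynomials are built as coefficient lists over $\mathbb{F}_p$, then $mP$ is computed from $\phi_m$, $\psi_m$ and $\omega_m$ alone, with no point addition, and compared with the multiples of $P = (6, 3)$ listed in the $\mathbb{F}_{37}$ example. The representation is my choice: $\psi_m$ is stored as $f_m(x)$ with the factor $y$ of even $m$ kept implicit, and since $y^2 = F(x) = x^3 + Ax + B$ every $y^4$ in the odd recurrence becomes $F^2$ while the division by $2y$ in $\psi_{2m}$ cancels against a $y^2$. Function names are mine; the curve, the point and the closed form of $\psi_5$ used as a check are the slides'.

```python
# Added example (not from the slides): the division polynomials psi_m of
# E: y^2 = x^3 + A x + B over F_p (p > 3) from the recurrence, and the formula
# [m]P = (phi_m / psi_m^2, omega_m / psi_m^3), checked against the F_37 example.
# Convention (ours): psi_m = f_m(x) for odd m and psi_m = y * f_m(x) for even m.

def trim(f):                       # drop leading zero coefficients (lists are low degree first)
    while len(f) > 1 and f[-1] == 0:
        f.pop()
    return f

def padd(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a + b) % p for a, b in zip(f, g)])

def psub(f, g, p):
    return padd(f, [-c for c in g], p)

def pmul(f, g, p):
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def pscale(f, c, p):
    return trim([a * c % p for a in f])

def peval(f, x, p):                # Horner evaluation mod p
    r = 0
    for c in reversed(f):
        r = (r * x + c) % p
    return r

def division_polys(A, B, p, n):
    """f_0 .. f_n with psi_m = f_m(x) (m odd) or y * f_m(x) (m even)."""
    A, B = A % p, B % p
    F2 = pmul([B, A, 0, 1], [B, A, 0, 1], p)            # F(x)^2 = y^4
    inv2 = pow(2, -1, p)
    f = [[0], [1], [2],
         [-A * A % p, 12 * B % p, 6 * A % p, 0, 3],                                     # psi_3
         pscale([-8 * B * B - A**3, -4 * A * B, -5 * A * A, 20 * B, 5 * A, 0, 1], 4, p)]  # psi_4 / y
    for m in range(5, n + 1):
        k = m // 2
        if m % 2 == 1:   # psi_{2k+1} = psi_{k+2} psi_k^3 - psi_{k-1} psi_{k+1}^3
            t1 = pmul(f[k + 2], pmul(f[k], pmul(f[k], f[k], p), p), p)
            t2 = pmul(f[k - 1], pmul(f[k + 1], pmul(f[k + 1], f[k + 1], p), p), p)
            if k % 2 == 0:           # the even-indexed factors contribute y^4 = F^2
                t1 = pmul(F2, t1, p)
            else:
                t2 = pmul(F2, t2, p)
            f.append(psub(t1, t2, p))
        else:            # psi_{2k} = psi_k (psi_{k+2} psi_{k-1}^2 - psi_{k-2} psi_{k+1}^2) / (2y)
            t1 = pmul(f[k + 2], pmul(f[k - 1], f[k - 1], p), p)
            t2 = pmul(f[k - 2], pmul(f[k + 1], f[k + 1], p), p)
            f.append(pscale(pmul(f[k], psub(t1, t2, p), p), inv2, p))
    return f

def mul_by_division_polys(m, P, A, B, p):
    """[m]P = (phi_m/psi_m^2, omega_m/psi_m^3) for m >= 2; None stands for infinity."""
    x, y = P
    if y == 0:                                   # P has order 2
        return None if m % 2 == 0 else P
    f = division_polys(A, B, p, m + 2)
    def psi(i):                                  # psi_i(x, y) as an element of F_p
        return peval(f[i], x, p) * (y if i % 2 == 0 else 1) % p
    if psi(m) == 0:
        return None                              # psi_m(P) = 0  <=>  mP = infinity
    phi = (x * psi(m) ** 2 - psi(m + 1) * psi(m - 1)) % p
    omega = (psi(m + 2) * psi(m - 1) ** 2 - psi(m - 2) * psi(m + 1) ** 2) * pow(4 * y, -1, p) % p
    inv = pow(psi(m), -1, p)
    return (phi * inv * inv % p, omega * inv**3 % p)

if __name__ == "__main__":
    A, B, p, P = -5, 8, 37, (6, 3)               # the slides' curve y^2 = x^3 - 5x + 8 over F_37
    for m in range(2, 7):
        print(f"[{m}]P =", mul_by_division_polys(m, P, A, B, p))
    f5 = division_polys(A, B, p, 5)[5]
    print("deg psi_5 =", len(f5) - 1, " leading coefficient =", f5[-1])
```

The torsion case is the edge that matters: when $\psi_m(P) = 0$ the formula has a zero denominator, and that is exactly the statement $mP = \infty$ of the last two facts, so the function returns the point at infinity there instead of inverting zero.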

  13. Theorem (Hasse). Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then the order of $E(\mathbb{F}_q)$ satisfies $\lvert q + 1 - \#E(\mathbb{F}_q) \rvert \le 2\sqrt{q}$. So $\#E(\mathbb{F}_q) \in [(\sqrt{q} - 1)^2, (\sqrt{q} + 1)^2]$, the Hasse interval $I_q$.

Example (Hasse intervals)

| $q$ | $I_q$ |
|---|---|
| 2 | $\{1, \dots, 5\}$ |
| 3 | $\{1, \dots, 7\}$ |
| 4 | $\{1, \dots, 9\}$ |
| 5 | $\{2, \dots, 10\}$ |
| 7 | $\{3, \dots, 13\}$ |
| 8 | $\{4, \dots, 14\}$ |
| 9 | $\{4, \dots, 16\}$ |
| 11 | $\{6, \dots, 18\}$ |
| 13 | $\{7, \dots, 21\}$ |
| 16 | $\{9, \dots, 25\}$ |
| 17 | $\{10, \dots, 26\}$ |
| 19 | $\{12, \dots, 28\}$ |
| 23 | $\{15, \dots, 33\}$ |
| 25 | $\{16, \dots, 36\}$ |
| 27 | $\{18, \dots, 38\}$ |
| 29 | $\{20, \dots, 40\}$ |
| 31 | $\{21, \dots, 43\}$ |
| 32 | $\{22, \dots, 44\}$ |
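As an added example (not from the slides), the Hasse interval computed exactly with integer square roots (the endpoints $(\sqrt{q} \pm 1)^2$ are irrational for most $q$, and floating-point rounding at the boundary is the usual bug), together with a brute-force check that for $p = 5$ and $p = 7$ every integer in $I_p$ is the order of some curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$; for $p = 5$ this is the statement of slide 3. Function names are my own.

```python
# Added example (not from the slides): the Hasse interval I_q in exact integer
# arithmetic, and the orders #E(F_p) realized by all curves y^2 = x^3 + a x + b
# (4a^3 + 27b^2 != 0) over F_5 and F_7.
from math import isqrt

def hasse_bounds(q):
    """(min I_q, max I_q).  |q + 1 - N| <= 2 sqrt(q) with N an integer is the same as
    |q + 1 - N| <= floor(2 sqrt(q)) = isqrt(4q), so no floating point is needed."""
    r = isqrt(4 * q)
    return q + 1 - r, q + 1 + r

def hasse_interval(q):
    lo, hi = hasse_bounds(q)
    return list(range(lo, hi + 1))

def in_hasse_interval(q, N):
    """Direct test of the theorem's inequality, squared to stay in integers."""
    return (q + 1 - N) ** 2 <= 4 * q

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a x + b over a prime field (p > 3), brute force."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x**3 + a * x + b) % p, 0) for x in range(p))

def realized_orders(p):
    """Set of #E(F_p) over all non-singular curves y^2 = x^3 + a x + b over F_p."""
    return {count_points(a, b, p) for a in range(p) for b in range(p)
            if (4 * a**3 + 27 * b**2) % p != 0}

if __name__ == "__main__":
    for q in (2, 3, 4, 5, 7, 8, 9, 11, 13, 16, 17, 19, 23, 25, 27, 29, 31, 32):
        lo, hi = hasse_bounds(q)
        print(f"I_{q} = {{{lo}, ..., {hi}}}")              # reproduces the table above
    for p in (5, 7):
        print(f"orders realized over F_{p}: {sorted(realized_orders(p))}, "
              f"all of I_p: {realized_orders(p) == set(hasse_interval(p))}")
```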
