Matthew England MSc Dissertation


  • 7/28/2019 xMatthew England MSc Dissertation

    1/175

    Elliptic curve cryptography

    Matthew England
    MSc Applied Mathematical Sciences

    Heriot-Watt University

    Summer 2006


    Abstract

    This project studies the mathematics of elliptic curves, starting with their derivation and the proof of how points upon them form an additive abelian group. We then work on the mathematics necessary to use these groups for cryptographic purposes, specifically results for the group formed by an elliptic curve over a finite field, $E(\mathbb{F}_q)$. We examine the mathematics behind the group of torsion points, to which every point in $E(\mathbb{F}_q)$ belongs, and prove Hasse's theorem along with a number of other useful results. We finish by describing how to define a discrete logarithm problem using $E(\mathbb{F}_q)$ and showing how this can form public key cryptographic systems for use in both encryption and key exchange.

    Acknowledgments

    Many thanks to Dr. Mark Lawson, for his help, supervision and enthusiasm for this project.


    Contents

    1 Introduction 1

    2 Elliptic curves 2
      2.1 A class of algebraic curves 2
      2.2 Group law 5
        2.2.1 Prime curve examples 10

    3 Torsion points and endomorphisms of elliptic curves 15
      3.1 Endomorphisms of elliptic curves 15
      3.2 Torsion points 31
        3.2.1 Successive doubling 35
        3.2.2 The basis for $E[n]$ 36
      3.3 Division polynomials 38
      3.4 The Weil pairing 44

    4 Elliptic curves over finite fields 47
      4.1 Examples 47
      4.2 Hasse's theorem 50
        4.2.1 The Frobenius endomorphism 51
      4.3 Orders of points 55
        4.3.1 Baby step, giant step 58

    5 Elliptic curve cryptography 61
      5.1 The basics of cryptography 61
      5.2 Public key cryptography 64
      5.3 The discrete logarithm problem 67
        5.3.1 Diffie-Hellman key exchange 68
        5.3.2 The El Gamal cryptosystem 69
      5.4 Elliptic curve cryptography 70
        5.4.1 The discrete logarithm problem for elliptic curves 70
        5.4.2 Diffie-Hellman key exchange for elliptic curves 71
        5.4.3 El Gamal cryptosystem for elliptic curves 73

    6 Summary and conclusions 75

    Bibliography 77

    APPENDIX 78

    A Elliptic curve material 78
      A.1 Singular curves 78
        A.1.1 The relationship between multiple roots and singular points 78
        A.1.2 Triple root 80
        A.1.3 Double root 84
      A.2 Deriving the condition for distinct roots 94
        A.2.1 Determining the roots 94
        A.2.2 The discriminant 97
        A.2.3 Relating back to elliptic curves 100
      A.3 Elliptic curves in characteristic 2 101
      A.4 Elliptic curves in characteristic 3 105
      A.5 The proof of associativity 106
        A.5.1 Projective geometry and the point at infinity 106
        A.5.2 Lines in $\mathbb{P}^2_K$ 108
        A.5.3 The proof of associativity 114
      A.6 The proofs omitted from Chapter 3 122
      A.7 Methods to determine the order of $E(\mathbb{F}_q)$ exactly 129
        A.7.1 Subfield curves 129
        A.7.2 Legendre symbols 131
      A.8 Supersingular curves 135

    B Mathematical background material 137
      B.1 Algebraic curves 137
      B.2 Fractions in polynomial rings 140
      B.3 Number theory 141
      B.4 Group theory 143
      B.5 Field theory 147
        B.5.1 Finite fields 150
        B.5.2 Constructing $\mathbb{F}_9$ 153
        B.5.3 Constructing $\mathbb{F}_8$ 156
        B.5.4 Addition and multiplication tables of $\mathbb{F}_4$ 157
      B.6 Miscellaneous 158

    C Matlab Code 161
      C.1 The Matlab code for ECAD.m 161
      C.2 The Matlab code for PC.m 163
      C.3 The Matlab code for ECADP.m 165
      C.4 The Matlab code for inve.m 167
      C.5 The Matlab code for SUCDOB.m 167
      C.6 The Matlab code for check.m 169
      C.7 The Matlab code for RR44.m 170


    Chapter 1

    Introduction

    An elliptic curve is usually defined to be the graph of an equation

    $$y^2 = x^3 + Ax + B$$

    where $x, y, A$ and $B$ belong to a specified field. These curves are of great use in a number of applications, largely because it is possible to take two points on such a curve and generate a third. In fact, we will show that by defining an addition operation and introducing an extra point, $\infty$, the points on an elliptic curve form an additive abelian group.

    Such a group can then be used to create an analogue of the discrete logarithm problem which is the basis for several public key cryptosystems.

    This project will introduce the mathematics behind elliptic curves and thendemonstrate how to use them for cryptography.

    The project loosely follows and adds to the work in Chapters 2 to 6 of [9]. If not otherwise stated the material has been adapted from this source. Chapter 2 of the project introduces the basic mathematics behind elliptic curves, such as the proof that the points upon them form an abelian group. Chapter 3 then considers those points in the group which are torsion, while Chapter 4 considers elliptic curves defined over finite fields. Here we prove Hasse's theorem to give a bound on the size of the group. Chapter 5 demonstrates how the mathematics of the previous chapters can be employed in a cryptographic algorithm for use in key exchange or encryption of messages.

    Appendix A contains some further results on elliptic curves while Appendix B contains the mathematical background material that is employed throughout the project. We also make use of Matlab to speed up calculations with elliptic curves and the relevant code can be found in Appendix C.


    Chapter 2

    Elliptic curves

    Elliptic curves have, over the last three decades, become an increasingly important subject of research in number theory and related fields such as cryptography. They have also played a part in numerous other mathematical problems over hundreds of years. For example, the congruent number problem of finding which integers $n$ can occur as the area of a right angled triangle with rational sides can be expressed using elliptic curves (see Chapter 1 of [9]). In this chapter we set out the basic mathematics of elliptic curves, starting with their derivation and definition followed by the proof that points upon them form an additive abelian group.

    2.1 A class of algebraic curves

    Elliptic curves are a specific class of algebraic curves. In this section we show how we arrive at their standard definition, seen in the introduction, from the more general case. First consider an algebraic curve formed from a conic on the left and a cubic on the right:

    $$y^2 + \alpha_1 xy + \alpha_2 y + \alpha_3 x + \alpha_4 = x^3 + \beta_1 x^2 + \beta_2 x + \beta_3$$

    where $\alpha_i, \beta_i$ are constants. We can then combine the constant and linear terms to form what is known as the generalised Weierstrass equation:

    $$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (2.1)$$

    where $a_1, \ldots, a_6$ are constants. In practice we must specify which field these constants and the variables $x, y$ belong to. So long as this field does not have characteristic 2 then we can divide the above equation by 2 and complete the square. This gives

    $$\left(y + \frac{a_1 x}{2} + \frac{a_3}{2}\right)^2 = x^3 + \left(a_2 + \frac{a_1^2}{4}\right)x^2 + \left(a_4 + \frac{a_1 a_3}{2}\right)x + \frac{a_3^2}{4} + a_6$$

    which can be written as

    $$y_1^2 = x^3 + a_2' x^2 + a_4' x + a_6'$$

    with $y_1 = y + a_1 x/2 + a_3/2$ and some constants $a_2', a_4', a_6'$. If the characteristic were 2 then 2 would be equivalent to 0 in this field. We would then not be able to perform the above operation as we cannot divide by zero.

    If the characteristic is neither 3 nor 2, then we can perform a further substitution, letting $x_1 = x + a_2'/3$, to obtain

    $$y_1^2 = x_1^3 + Ax_1 + B$$

    for some constants $A, B$. This equation is known as the Weierstrass equation for an elliptic curve and is used in all cases except those where the characteristic of the field is either 2 or 3. If the characteristic is 2 then we use the generalised Weierstrass equation and if it is 3 we use Equation (2.1).

    Notice that we assume the coefficients of the y2 and x3 terms are one.

    Suppose we start with an equation

    $$cy^2 = dx^3 + ax + b$$

    with $c, d \neq 0$. Then multiply both sides of the equation by $c^3 d^2$ to obtain

    $$(c^2 d\, y)^2 = (cdx)^3 + (ac^2 d)(cdx) + (bc^3 d^2)$$

    and so if we use the change of variables

    $$y_1 = c^2 d\, y, \qquad x_1 = cdx$$

    then we have an equation in Weierstrass form.

    We cannot draw meaningful pictures of such curves over most fields, but for intuition we can think of graphs over the real numbers, of which there are two main types.


    Figure 2.1: Some examples of elliptic curves defined over the real numbers. On the left is $y^2 = x^3 - x$ and on the right $y^2 = x^3 + x$.

    The first example has three real roots, while the second has one. We prove in Appendix A.1 that when an elliptic curve has a multiple root it will have a singular point, which causes problems when defining the addition operation. We investigate the singular cases in Appendix A.1 but otherwise assume that all the roots are distinct.

    In Appendix A.2 we use the definition of the discriminant applied to this case when the characteristic is neither 2 nor 3 to derive the following condition for distinct roots:

    $$4A^3 + 27B^2 \neq 0$$

    The general definition for an elliptic curve will be the Weierstrass equation applied with the above condition.

    As mentioned above we must specify what set $A, B, x$ and $y$ belong to. Usually they will belong to a field such as $\mathbb{R}$, $\mathbb{C}$ or $\mathbb{Q}$, one of the finite fields $\mathbb{F}_p (= \mathbb{Z}_p)$ for a prime $p$, or one of the finite fields $\mathbb{F}_q$ where $q = p^k$ with $k \geq 1$. If $K$ is a field with $A, B \in K$ then we say the elliptic curve $E$ is defined over $K$. In general we use $E$ and $K$ to represent an elliptic curve and the field over which it is defined. If we wish to consider points in a field $L \supseteq K$ we write $E(L)$, which is defined as below.

    $$E(L) = \{\infty\} \cup \{(x, y) \in L \times L \mid y^2 = x^3 + Ax + B\}$$

    We include this point at infinity on elliptic curves for use in the group operation defined in the following section. It is easiest to regard it as a point $(\infty, \infty)$ and denote it simply by $\infty$, sitting at the top of the $y$-axis. A line is said to pass through $\infty$ when it is exactly vertical (i.e. $x = $ constant), and so two vertical lines will meet at $\infty$. We make sense of this concept and interpret $\infty$ as being on an elliptic curve in Appendix A.5.1. We also think of $\infty$ as sitting at the bottom of the $y$-axis, but this would imply two straight lines meet at two points. Instead we require this top and bottom to be the same point (as if the $y$-axis were wrapped around to form a circle).

    2.2 Group law

    As stated in the introduction, we can start with two points on an elliptic curve (or even one) and produce another. In this section we describe how to carry out this process and derive the formulae for use with the Weierstrass equation. We then show that by defining this process as an addition operation we can generate an additive abelian group.

    Suppose we have a point $P = (x_0, y_0)$ on an elliptic curve (in any characteristic). If $L$ is a line through $P$ and $\infty$ then it is a vertical line $x = x_0$. We denote the other point of intersection between $L$ and $E$ as $P'$. For the Weierstrass equation, $P' = (x_0, -y_0)$ since this curve is symmetric about the $x$-axis. For the generalised Weierstrass equation it is calculated as in the lemma below.

    Lemma 2.1. If $P = (x_0, y_0)$ lies on the curve, $E$, given by

    $$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

    then the other point of intersection between $E$ and $x = x_0$ is

    $$P' = (x_0,\ -a_1 x_0 - a_3 - y_0)$$

    Proof. We know that when $x = x_0$ there are two points on $E$, with $y$-coordinates $y_0$ and $y_1$, so:

    $$y^2 + a_1 x_0 y + a_3 y = x_0^3 + a_2 x_0^2 + a_4 x_0 + a_6$$

    $$0 = y^2 + y(a_1 x_0 + a_3) - (x_0^3 + a_2 x_0^2 + a_4 x_0 + a_6) = (y - y_0)(y - y_1) = y^2 - y(y_0 + y_1) + y_0 y_1$$

    We can see that the negative of the coefficient of the linear term is the sum of the roots. Therefore

    $$y_0 + y_1 = -a_1 x_0 - a_3, \qquad y_1 = -a_1 x_0 - a_3 - y_0$$

    So $P' = (x_0, -a_1 x_0 - a_3 - y_0)$ as required.

    So if $P = (x_0, y_0)$ then $P'$ as defined above is $(x_0, -a_1 x_0 - a_3 - y_0)$ if the characteristic of $K$ is 2 and $(x_0, -y_0)$ otherwise. Later we conclude that $P' = -P$ in group notation.

    We can now define elliptic curve addition. Suppose we are on an elliptic curve, $E$, defined over a field $K$ of any characteristic. If we start with two points, $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ on $E$, then we can find a third point, $P_3$, as follows. Draw the line $L$ between $P_1$ and $P_2$ and find the third point of intersection, denoted $P_3'$. Finally calculate $(P_3')' = P_3$ using the method above. The addition operation is then defined as

    $$P_1 + P_2 = P_3$$

    Figure 2.2: Adding points on an elliptic curve

    We now find explicit formulae for $P_3$ by looking at the different possibilities for $P_1$ and $P_2$. Suppose that we are on an elliptic curve $E$ given by the Weierstrass equation $y^2 = x^3 + Ax + B$.

    First assume $P_1 \neq P_2$ and that neither point is $\infty$. We then know that the slope of the line $L$ is

    $$m = \frac{y_2 - y_1}{x_2 - x_1}$$

    Now assume that $x_2 \neq x_1$, in which case the equation of $L$ is

    $$y = m(x - x_1) + y_1 \qquad (2.2)$$

    To find the intersection with $E$ substitute (2.2) into the equation for $E$:

    $$(m(x - x_1) + y_1)^2 = x^3 + Ax + B \implies x^3 - m^2 x^2 + \ldots = 0$$

    where the three roots of this cubic are the three points where $L$ intersects $E$. Note from Theorem B.16 that the sum of the roots is the negative of the coefficient of the $x^2$ term in the cubic. We know two of the roots are $x_1$ and $x_2$ and so we can conclude that $x_3 = m^2 - x_1 - x_2$. We can then substitute back to get $y_3' = m(x_3 - x_1) + y_1$. Finally we can reflect in the $x$-axis to find $P_3 = (x_3, y_3)$:

    $$x_3 = m^2 - x_1 - x_2, \qquad y_3 = m(x_1 - x_3) - y_1$$

    In the case that $x_1 = x_2$ but $y_1 \neq y_2$ the line through $P_1$ and $P_2$ is vertical and so intersects $E$ at $\infty$. Reflecting in the $x$-axis gives $\infty$ and so $P_1 + P_2 = \infty$.

    In the case where $P_1 = P_2 = (x_1, y_1)$ the line, $L$, is the tangent at $(x_1, y_1)$. Implicit differentiation allows us to find $m$, the slope of $L$:

    $$2y\,\frac{dy}{dx} = 3x^2 + A \implies m = \frac{dy}{dx} = \frac{3x_1^2 + A}{2y_1}$$

    If $y_1 = 0$ then $L$ is vertical so we set $P_1 + P_2 = \infty$. Otherwise the equation of $L$ is

    $$y = m(x - x_1) + y_1$$

    as before. We can substitute in to obtain the same cubic and then use the fact that $x_1$ is a double root to obtain $P_3 = (x_3, y_3)$:

    $$x_3 = m^2 - 2x_1, \qquad y_3 = m(x_1 - x_3) - y_1$$

    Finally suppose $P_2 = \infty$, in which case the line between $P_1$ and $\infty$ is a vertical line that intersects $E$ at $P_1'$, the reflection of $P_1$ in the $x$-axis. Then when we reflect this back we get $P_1$, so

    $$P_1 + \infty = P_1$$

    and we can extend this to include $\infty + \infty = \infty$.

    We can now begin to see why elliptic curves are suited for the definition of such an operation. The right hand side of the Weierstrass equation is cubic, which ensures that the line between any two points will intersect at a third point, the first step in the operation. Then the $y^2$ term on the left hand side makes the curve symmetric about the $x$-axis, which is vital for the reflection part. The addition operation is summarised in the box below.

    SUMMARY

    Let $E$ be an elliptic curve defined by $y^2 = x^3 + Ax + B$. Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on $E$ with $P_1, P_2 \neq \infty$. We then define $P_1 + P_2 = P_3 = (x_3, y_3)$ as follows.

    1. If $x_1 \neq x_2$ then

       $$x_3 = m^2 - x_1 - x_2, \qquad y_3 = m(x_1 - x_3) - y_1$$

       where $m = \dfrac{y_2 - y_1}{x_2 - x_1}$.

    2. If $x_1 = x_2$ but $y_1 \neq y_2$ then $P_1 + P_2 = \infty$.

    3. If $P_1 = P_2$ and $y_1 \neq 0$ then

       $$x_3 = m^2 - 2x_1, \qquad y_3 = m(x_1 - x_3) - y_1$$

       where $m = \dfrac{3x_1^2 + A}{2y_1}$.

    4. If $P_1 = P_2$ and $y_1 = 0$ then $P_1 + P_2 = \infty$.

    Also we define $P + \infty = P$ for all points $P$ on $E$.

    If the characteristic of $K$ is 2 or 3 then we use the same method for elliptic curve addition but the formulae are different. We consider the characteristic 2 and 3 cases in Appendix A.3 and Appendix A.4 respectively.

    Theorem 2.2. The points on $E$ form an additive abelian group with $\infty$ as the identity element and elliptic curve addition as the group operator.


    Proof. Recall the definition of a group from Appendix B.4. The commutativity is obvious from the formulas and the intuition of drawing a straight line through two points, while the identity property holds by definition. It is also clear from the formulas that the sum of any two points will also be on the elliptic curve, and if those original points had coordinates in a field $L$, then so does the sum.

    For inverses we define $-P$ as $P'$ (the reflection of $P$ in the $x$-axis in the characteristic not 2 case). Then $P + (-P) = \infty$ for all $P$. Associativity can be proved with the formulas, trying all cases, or with a number of other approaches. We use projective space to prove this property in Appendix A.5.

    This theorem will also hold for the characteristic not 2 case similarly (defining $-P$ as $P'$ given by Equation (2.1)).

    Example 2.1. Let $E$ be the curve $y^2 = x^3 - 25x$ and suppose we know the point $(-4, 6)$ lies on the curve. To find another point on $E$ we can add this point to itself. In the notation of elliptic curve addition we have:

    $$m = \frac{3(-4)^2 - 25}{2(6)} = \frac{23}{12}$$

    Hence

    $$2(-4, 6) = (-4, 6) + (-4, 6) = \left(\left(\frac{23}{12}\right)^2 - 2(-4),\ \frac{23}{12}(-4 - x_3) - 6\right) = \left(\frac{1681}{144},\ -\frac{62279}{1728}\right)$$

    A Matlab m-file was constructed to perform elliptic curve addition over the real numbers. Suppose we have an elliptic curve, $E$, given by $y^2 = x^3 + Ax + B$ and two points $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$. The m-file will find the sum, $P_1 + P_2 = P_3 = (x_3, y_3)$, where $+$ represents elliptic curve addition. It takes as its inputs $x_1, y_1, x_2, y_2$ and $A$ and produces $x_3, y_3$ and, if requested, $m$. In future examples elliptic curve addition is performed with this m-file to save calculation.

    The file is stored in ECAD.m and can be found in Appendix C.1.

    Note that if $P$ is a point on an elliptic curve and $k$ is a positive integer, then $kP$ denotes $P + P + \ldots + P$ (with $k$ summands). If $k < 0$ then $kP = (-P) + (-P) + \ldots + (-P)$ (with $|k|$ summands).


    2.2.1 Prime curve examples

    This section contains some examples of working with elliptic curves which are defined over $\mathbb{Z}_p$. These are often called the prime curves and can be far simpler to work with as we can reduce modulo $p$ at each stage. These examples are derived from those in Section 10.3 of [8].

    Suppose we have an elliptic curve, $E$, over $\mathbb{Z}_p$. In this case we have a cubic equation in which the variables and coefficients take values in the set of integers $0, 1, \ldots, (p - 1)$ and all calculations are performed modulo $p$:

    $$y^2 \equiv x^3 + Ax + B \pmod p$$

    We write $E_p(A, B)$ for the set of integers $(x, y)$ that satisfy the above equation, together with a point at infinity, $\infty$.

    Example 2.2. The set $E_{11}(1, 6)$ is the set of integers $(x, y)$ that satisfy

    $$y^2 \equiv x^3 + x + 6 \pmod{11}$$

    We can see that $(x, y) = (7, 9)$ is in this set as

    $$9^2 \pmod{11} = (7^3 + 7 + 6) \pmod{11}$$

    $$81 \pmod{11} = 356 \pmod{11} \implies 4 = 4$$

    To find all the points in $E_{11}(1, 6)$ we find all the possible values of $x^3 + x + 6 \pmod p$ and then see what values of $y^2$ will match. There are 11 choices of $x$, the integers $\{0, 1, \ldots, 10\}$. Substituting these values in turn into the cubic and reducing modulo 11 will give us the possible values of $y^2$:

        x = 0  =>  RHS = 6               x = 6   =>  RHS = 228  ≡ 8
        x = 1  =>  RHS = 8               x = 7   =>  RHS = 356  ≡ 4
        x = 2  =>  RHS = 16   ≡ 5        x = 8   =>  RHS = 526  ≡ 9
        x = 3  =>  RHS = 36   ≡ 3        x = 9   =>  RHS = 744  ≡ 7
        x = 4  =>  RHS = 74   ≡ 8        x = 10  =>  RHS = 1016 ≡ 4
        x = 5  =>  RHS = 136  ≡ 4

    So we can see that the possible values of $y^2$ are $\{3, 4, 5, 6, 7, 8, 9\}$, i.e. $y^2$ cannot be 0, 1, 2 or 10.

    Next examine the 10 possible values of $y$ and identify which values of $x$ they could be paired with to give a point on the curve.


        y = 0   y^2 = 0             No points        y = 6    y^2 = 36  ≡ 3    x = 3
        y = 1   y^2 = 1             No points        y = 7    y^2 = 49  ≡ 5    x = 2
        y = 2   y^2 = 4             x = 5, 7, 10     y = 8    y^2 = 64  ≡ 9    x = 8
        y = 3   y^2 = 9             x = 8            y = 9    y^2 = 81  ≡ 4    x = 5, 7, 10
        y = 4   y^2 = 16 ≡ 5        x = 2            y = 10   y^2 = 100 ≡ 1    No points
        y = 5   y^2 = 25 ≡ 3        x = 3

    So there are 13 points in $E_{11}(1, 6)$ (the 12 found above and $\infty$):

    $$E_{11}(1, 6) = \{(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), \infty\}$$

    An m-file, PC.m, to find and plot all the points on a prime curve was constructed and is stored in Appendix C.2. This m-file takes as its inputs $A$, $B$ and $p$ and produces two vectors $X$, $Y$ which contain all the points $(x, y)$ that lie on $y^2 \equiv x^3 + Ax + B \pmod p$.

    When run on this example it verified that we had found all the points in $E_{11}(1, 6)$ and plotted the graph below. We can see that the points are symmetric about the line $y = 5.5$.


    We can perform the elliptic curve addition operation on prime curves, however we reduce modulo $p$ at each step. For example, still considering $E_{11}(1, 6)$:

    If $P = (8, 3)$ then we know that $-P = (8, -3)$. Working modulo 11 we see that $-P = (8, 8)$, which is also a point in $E_{11}(1, 6)$.

    Let $P = (8, 3)$ and $Q = (3, 5)$. Then to find $R = P + Q$:

    $$m = \frac{5 - 3}{3 - 8} = \frac{2}{-5} \equiv \frac{2}{6} = \frac{1}{3} \equiv 1 \cdot 4 = 4$$

    The penultimate step involved taking the multiplicative inverse of 3 in $\mathbb{Z}_{11}$. We now proceed to show that

    $$x_R = 4^2 - 8 - 3 = 5, \qquad y_R = 4(8 - 5) - 3 = 9$$

    So in $E_{11}(1, 6)$ we find $(8, 3) + (3, 5) = (5, 9)$.

    Again let $P = (8, 3)$. To calculate $2P = P + P$:

    $$m = \frac{3(8^2) + 1}{2 \cdot 3} = \frac{193}{6} \equiv \frac{6}{6} = 1 \pmod{11}$$

    Then

    $$x_{2P} = 1^2 - 2(8) = -15 \equiv 7 \pmod{11}$$

    $$y_{2P} = 1(8 - 7) - 3 = -2 \equiv 9 \pmod{11}$$

    So in $E_{11}(1, 6)$ we find $2(8, 3) = (7, 9)$.

    The earlier m-file for performing elliptic curve addition was modified for use with prime curves. It now reduces modulo $p$ at each stage using Matlab's mod function and finds the inverse of elements so the final answer is an element on a prime curve.

    This new m-file is ECADP.m and can be found in Appendix C.3. It has the same inputs and outputs as ECAD.m but the user must input $p$ in addition. It makes use of the m-file inve.m which is stored in Appendix C.4. This m-file takes as its inputs a number $N$ and a prime $p$ and outputs the inverse of $N$ in the group $\mathbb{Z}_p$.

    The m-file ECADP.m was used to calculate the remaining entries in the addition table overleaf (Table 2.1). In Example 3.4 we show that $(2, 7)$ is a generator of this group and so it is isomorphic to $\mathbb{Z}_{13}$.


        +      | (2,4)  (2,7)  (3,5)  (3,6)  (5,2)  (5,9)  (7,2)  (7,9)  (8,3)  (8,8)  (10,2) (10,9)
        -------+------------------------------------------------------------------------------------
        (2,4)  | (5,9)  ∞      (7,2)  (10,2) (2,7)  (8,8)  (7,9)  (3,6)  (5,2)  (10,9) (8,3)  (3,5)
        (2,7)  | ∞      (5,2)  (10,9) (7,9)  (8,3)  (2,4)  (3,5)  (7,2)  (10,2) (5,9)  (3,6)  (8,8)
        (3,5)  | (7,2)  (10,9) (8,3)  ∞      (8,8)  (7,9)  (5,2)  (2,7)  (5,9)  (3,6)  (2,4)  (10,2)
        (3,6)  | (10,2) (7,9)  ∞      (8,8)  (7,2)  (8,3)  (2,4)  (5,9)  (3,5)  (5,2)  (10,9) (2,7)
        (5,2)  | (2,7)  (8,3)  (8,8)  (7,2)  (10,2) ∞      (10,9) (3,5)  (3,6)  (2,4)  (7,9)  (5,9)
        (5,9)  | (8,8)  (2,4)  (7,9)  (8,3)  ∞      (10,9) (3,6)  (10,2) (2,7)  (3,5)  (5,2)  (7,2)
        (7,2)  | (7,9)  (3,5)  (5,2)  (2,4)  (10,9) (3,6)  (2,7)  ∞      (8,8)  (10,2) (5,9)  (8,3)
        (7,9)  | (3,6)  (7,2)  (2,7)  (5,9)  (3,5)  (10,2) ∞      (2,4)  (10,9) (8,3)  (8,8)  (5,2)
        (8,3)  | (5,2)  (10,2) (5,9)  (3,5)  (3,6)  (2,7)  (8,8)  (10,9) (7,9)  ∞      (7,2)  (2,4)
        (8,8)  | (10,9) (5,9)  (3,6)  (5,2)  (2,4)  (3,5)  (10,2) (8,3)  ∞      (7,2)  (2,7)  (7,9)
        (10,2) | (8,3)  (3,6)  (2,4)  (10,9) (7,9)  (5,2)  (5,9)  (8,8)  (7,2)  (2,7)  (3,5)  ∞
        (10,9) | (3,5)  (8,8)  (10,2) (2,7)  (5,9)  (7,2)  (8,3)  (5,2)  (2,4)  (7,9)  ∞      (3,6)

    Table 2.1: The addition table for $E_{11}(1, 6)$. This is the group of points $(x, y)$ that satisfy $y^2 = x^3 + x + 6$ within the field $\mathbb{Z}_{11}$, along with the point $\infty$. This group can be shown to be isomorphic to $\mathbb{Z}_{13}$ and generated by the point $(2, 7)$.


    Example 2.3. Consider $E_{23}(1, 1)$, the set of integers $(x, y)$ that satisfy

    $$y^2 \equiv x^3 + x + 1 \pmod{23}$$

    Running PC.m with $A = B = 1$ and $p = 23$ produced the plot below.

    Note that all the points with the exception of $(4, 0)$ are symmetric about the line $y = 11.5$. If there were another point symmetric to $(4, 0)$ then there would be a point at $(4, 23)$. However this is equivalent to $(4, 0)$ modulo 23, so it is as if the $y$-axis were wrapped around to form a circle, the analogy given earlier.

    An m-file to check whether a point lies on a prime curve (check.m) was created and stored in Appendix C.6. This m-file takes as its inputs $x, y, A, B, p$ and checks whether the point $(x, y)$ lies on the curve

    $$y^2 \equiv x^3 + Ax + B \pmod p$$


    Chapter 3

    Torsion points and endomorphisms of elliptic curves

    The order of an element, $a$, in any additive abelian group defined by an elliptic curve, is the smallest positive integer $m$ such that $ma = \infty$. If no such $m$ exists, we say that $a$ has infinite order. Finitely generated abelian groups can be split into the torsion and torsion free subgroups, where the former contains the torsion points, which are those points whose orders are finite. These points play a large role in the theory of elliptic curves, especially in elliptic curves defined over finite fields, where all points are torsion. In general the torsion subgroup is simpler to work with, which is another reason why elliptic curves over finite fields are of such great interest. In this chapter we examine the properties of the torsion points as well as deriving some results for use in Chapter 4. We start by considering endomorphisms of elliptic curves, which help in our study of the torsion points since multiplication by $n$ on an elliptic curve can be described as an endomorphism.

    3.1 Endomorphisms of elliptic curves

    Recall that a homomorphism is a structure-preserving map between two algebraic structures (in this case, groups). Here we use endomorphism to mean a homomorphism $\alpha : E(K) \to E(K)$ that is given by rational functions. In other words, $\alpha(P_1 + P_2) = \alpha(P_1) + \alpha(P_2)$, and there are rational functions $R_1(x, y), R_2(x, y)$ with coefficients in $K$ such that

    $$\alpha(x, y) = (R_1(x, y), R_2(x, y))$$

    for all $(x, y) \in E(K)$. Since $\alpha$ is a homomorphism we have $\alpha(\infty) = \infty$. Also assume that $\alpha$ is not the trivial endomorphism that maps every point to $\infty$, denoted by $\alpha = 0$.

    Example 3.1. Let $E$ be given by $y^2 = x^3 + Ax + B$ and let $\alpha(P) = 2P$. Then $\alpha$ is a homomorphism and $\alpha(x, y) = (R_1(x, y), R_2(x, y))$ where

    $$R_1(x, y) = \left(\frac{3x^2 + A}{2y}\right)^2 - 2x$$

    $$R_2(x, y) = \left(\frac{3x^2 + A}{2y}\right)\left(3x - \left(\frac{3x^2 + A}{2y}\right)^2\right) - y$$

    Since $\alpha$ is a homomorphism given by rational functions, it is an endomorphism of $E$.
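The group law of the summary box, the prime-curve calculations of Examples 2.1 to 2.3 and the doubling endomorphism of Example 3.1 can all be checked with a short program. The block below is an added example written for this page; it is not the dissertation's Matlab code (ECAD.m, PC.m, ECADP.m, inve.m and check.m are only mirrored in spirit), and the class and function names (Fp, ec_add, doubling_map, point_order, prime_curve_points, addition_table, example_2_1) are this example's own. Arithmetic over the rationals uses Python's Fraction so Example 2.1 comes out exactly; the inverse in Z_p that inve.m supplies is taken here by Fermat's little theorem, an implementation choice and not the dissertation's. The point at infinity is represented by None. The inputs are the values from the text: 2(-4, 6) = (1681/144, -62279/1728) on y² = x³ − 25x, the twelve affine points of E_11(1, 6), (8, 3) + (3, 5) = (5, 9), 2(8, 3) = (7, 9), and the order 13 of (2, 7).

```python
from fractions import Fraction
from itertools import product

INF = None  # the point at infinity, represented by None throughout


class Fp:
    """Element of Z_p. Every operation reduces mod p, so the generic group-law
    formulas below work unchanged over a prime field (ECADP.m's approach)."""

    def __init__(self, v, p):
        self.v, self.p = v % p, p

    def _wrap(self, o):  # let plain ints (A, B, 2, 3, ...) mix with Fp values
        return o if isinstance(o, Fp) else Fp(o, self.p)

    def __add__(self, o): return Fp(self.v + self._wrap(o).v, self.p)
    def __sub__(self, o): return Fp(self.v - self._wrap(o).v, self.p)
    def __rsub__(self, o): return Fp(self._wrap(o).v - self.v, self.p)
    def __mul__(self, o): return Fp(self.v * self._wrap(o).v, self.p)
    __radd__, __rmul__ = __add__, __mul__
    def __eq__(self, o): return self.v == self._wrap(o).v
    def __repr__(self): return str(self.v)

    def __truediv__(self, o):
        # The job of inve.m: a multiplicative inverse in Z_p. Taken here by
        # Fermat's little theorem, d^(p-2) = d^-1 (mod p) for prime p, d != 0.
        d = self._wrap(o)
        if d.v == 0:
            raise ZeroDivisionError("0 has no inverse in Z_p")
        return Fp(self.v * pow(d.v, self.p - 2, self.p), self.p)


def on_curve(P, A, B):
    """check.m: is P on y^2 = x^3 + Ax + B? (infinity counts as on the curve)"""
    return P is INF or P[1] * P[1] == P[0] * P[0] * P[0] + A * P[0] + B


def ec_add(P, Q, A):
    """P + Q on y^2 = x^3 + Ax + B, the four cases of the summary box. Only A
    is needed: the slope and coordinate formulas never involve B."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if y1 != y2 or y1 == 0:           # cases 2 and 4: vertical chord/tangent
            return INF
        m = (3 * x1 * x1 + A) / (2 * y1)  # case 3: tangent slope
    else:
        m = (y2 - y1) / (x2 - x1)         # case 1: chord slope
    x3 = m * m - x1 - x2                  # reduces to m^2 - 2 x1 when P == Q
    y3 = m * (x1 - x3) - y1               # reflect the third intersection
    return (x3, y3)


def doubling_map(P, A):
    """Example 3.1: 2P as the pair of rational functions (R1(x, y), R2(x, y))."""
    x, y = P
    m = (3 * x * x + A) / (2 * y)
    return (m * m - 2 * x, m * (3 * x - m * m) - y)


def point_order(P, A):
    """Smallest m >= 1 with mP = infinity; over Z_p every point has one."""
    m, R = 1, P
    while R is not INF:
        R, m = ec_add(R, P, A), m + 1
    return m


def prime_curve_points(A, B, p):
    """PC.m: all affine (x, y) in Z_p x Z_p with y^2 = x^3 + Ax + B (mod p)."""
    return [(x, y) for x, y in product(range(p), repeat=2)
            if on_curve((Fp(x, p), Fp(y, p)), A, B)]


def addition_table(points, A, p):
    """Table 2.1 as rows over the given affine points; None marks infinity."""
    lift = lambda P: (Fp(P[0], p), Fp(P[1], p))
    plain = lambda R: INF if R is INF else (R[0].v, R[1].v)
    return [[plain(ec_add(lift(P), lift(Q), A)) for Q in points] for P in points]


def example_2_1():
    """2(-4, 6) on y^2 = x^3 - 25x over Q, exactly, with Fraction arithmetic."""
    P = (Fraction(-4), Fraction(6))
    return ec_add(P, P, -25)


if __name__ == "__main__":
    print("Example 2.1: 2(-4, 6) =", example_2_1())
    pts = prime_curve_points(1, 6, 11)
    print("E_11(1,6) has", len(pts), "affine points:", pts)
    print("(8,3) + (3,5) =", ec_add((Fp(8, 11), Fp(3, 11)), (Fp(3, 11), Fp(5, 11)), 1))
    print("order of (2,7) =", point_order((Fp(2, 11), Fp(7, 11)), 1))
```

The formulas are written once and work over any field whose elements support +, -, * and /, which is why the same ec_add serves both the rational example and the prime curves; addition_table reproduces Table 2.1 row by row in the same point order as the text, and point_order confirms that (2, 7) generates the whole group of 13 elements.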

    The following theorem will allow us to use a standard form for the rationalfunctions that describe an endomorphism.

    Theorem 3.1. Let $E$ be given by $y^2 = x^3 + Ax + B$, and defined over a field $K$. Any endomorphism, $\alpha$, can be completely defined by the following, where $p(x), q(x)$ are polynomials with no common factors and $s(x), t(x)$ likewise.

    $$\alpha(x, y) = (r_1(x),\ r_2(x)\,y) = \left(\frac{p(x)}{q(x)},\ y\,\frac{s(x)}{t(x)}\right)$$

    Proof. $\alpha$ is an endomorphism and so can be expressed with rational functions, $\alpha(x, y) = (R_1(x, y), R_2(x, y))$. Now, since $y^2 = x^3 + Ax + B$ for all $(x, y) \in E(K)$ we can replace any even power of $y$ by a polynomial in $x$, and any odd power of $y$ by $y$ times a polynomial in $x$:

    $$R(x, y) = \frac{p_1(x) + p_2(x)\,y}{p_3(x) + p_4(x)\,y}$$

    We could then rationalize the denominator and replace $y^2$ to get

    $$R(x, y) = \frac{q_1(x) + q_2(x)\,y}{q_3(x)} \qquad (3.1)$$

    16

  • 7/28/2019 xMatthew England MSc Dissertation

    22/175

    Since is a homomorphism it will preserve the structure of the curve so

    (x, y) = ((x, y)) = (x, y)

    This means that

    R1(x, y) = R1(x, y), and R2(x, y) = R2(x, y)

    By writing R1 in the form of Equation (3.1) we can see that q2(x) = 0, andsimilarly with R2, we find that q1(x) = 0. Therefore we may assume that

    (x, y) = (r1(x), r2(x)y)

    for rational functions r1(x), r2(x).We must still consider what happens when one of the rational functions

    is not defined at a point. Write

    r1(x) =p(x)

    q(x), and r2(x) = y

    s(x)

    t(x)

    with polynomials p(x), q(x) that do not have a common factor and s(x), t(x)likewise. If q(x) = 0 at some point (x, y) then we assume that (x, y) = .If q(x) = 0 then part (ii) of Lemma 3.2 below shows that r2(x) will also bedefined. This completes the proof of Theorem 3.1

Lemma 3.2. Let

$$\alpha(x, y) = \left(\frac{p(x)}{q(x)},\; y\,\frac{s(x)}{t(x)}\right)$$

be an endomorphism of the elliptic curve $E$ given by $y^2 = x^3 + Ax + B$. Let $p, q$ be polynomials with no common root, and $s, t$ likewise. Then

(i) For a polynomial $u(x)$ such that $u$ and $q$ have no common root,

$$\frac{(x^3 + Ax + B)s(x)^2}{t(x)^2} = \frac{u(x)}{q(x)^3}.$$

(ii) $t(x_0) = 0$ if and only if $q(x_0) = 0$.

Proof. (i) Because $\alpha$ is an endomorphism, the point $\alpha(x, y)$ also lies on the elliptic curve $E$. Hence

$$\frac{(x^3 + Ax + B)s(x)^2}{t(x)^2} = \frac{y^2 s(x)^2}{t(x)^2} = \left(y\,\frac{s(x)}{t(x)}\right)^2 = \left(\frac{p(x)}{q(x)}\right)^3 + A\,\frac{p(x)}{q(x)} + B = \frac{p(x)^3 + Ap(x)q(x)^2 + Bq(x)^3}{q(x)^3} \equiv \frac{u(x)}{q(x)^3}$$

where $u(x) = p(x)^3 + Ap(x)q(x)^2 + Bq(x)^3$. We still need to show that $u(x)$ and $q(x)$ do not share a root.

Suppose $q(a) = 0$. If $u(a) = 0$ also, then

$$u(a) = p(a)^3 + Ap(a)q(a)^2 + Bq(a)^3 = 0 \implies p(a)^3 = 0 \implies p(a) = 0.$$

We assumed $p(x)$ and $q(x)$ shared no common roots, so this cannot happen. Therefore if $q(a) = 0$ then $u(a) \neq 0$, meaning $u$ and $q$ have no common roots.

(ii) From part (i) we know that

$$(x^3 + Ax + B)s(x)^2 q(x)^3 = t(x)^2 u(x).$$

Then if $q(x_0) = 0$ we have

$$t(x_0)^2 u(x_0) = 0.$$

Now we know that $u$ and $q$ do not share a common root, so $u(x_0) \neq 0$ and therefore $t(x_0) = 0$ as required.

To prove the converse, suppose $t(x_0) = 0$. Then

$$(x_0^3 + Ax_0 + B)s(x_0)^2 q(x_0)^3 = 0.$$

But $s(x_0) \neq 0$ because $t$ and $s$ are assumed to have no common roots, so

$$(x_0^3 + Ax_0 + B)q(x_0)^3 = 0.$$

We now consider the following two cases.

a) If $x_0^3 + Ax_0 + B \neq 0$ then $q(x_0)^3 = 0$, so $q(x_0) = 0$ and we are done.

b) If $x_0^3 + Ax_0 + B = 0$ then $(x - x_0)$ divides $x^3 + Ax + B$, so

$$x^3 + Ax + B = (x - x_0)Q(x)$$

where $Q(x_0) \neq 0$ as we have assumed no multiple roots. Now because $t(x_0) = 0$ we can make a similar factorisation to get $t(x) = (x - x_0)T(x)$ for some polynomial $T(x)$. Now we can consider again the equation from part (i):

$$(x^3 + Ax + B)s(x)^2 q(x)^3 = t(x)^2 u(x)$$
$$(x - x_0)Q(x)s(x)^2 q(x)^3 = [(x - x_0)T(x)]^2 u(x)$$
$$q(x)^3 Q(x)s(x)^2 = (x - x_0)T(x)^2 u(x).$$

Now when $x = x_0$ we get

$$q(x_0)^3 Q(x_0)s(x_0)^2 = 0.$$

We have already shown that $s(x_0) \neq 0$ and that $Q(x_0) \neq 0$, so we have $q(x_0) = 0$ as required.

Define the degree of $\alpha$ to be $\deg(\alpha) = \operatorname{Max}\{\deg(p(x)), \deg(q(x))\}$ if $\alpha$ is non-trivial. If $\alpha = 0$ then define $\deg(\alpha) = 0$.

Define $\alpha \neq 0$ to be a separable endomorphism if the derivative $r_1'(x)$ is not identically zero. (Recall that if a function is identically zero then it is the zero function, as opposed to merely zero at a particular point.) By Lemma 3.3 below, this is equivalent to saying that at least one of $p'(x)$ and $q'(x)$ is not identically zero.

Lemma 3.3. Let $p(x), q(x)$ be polynomials with no common roots. Then

$$\frac{d}{dx}\left(\frac{p(x)}{q(x)}\right) = 0 \quad\text{if and only if}\quad p'(x) = 0 \text{ and } q'(x) = 0.$$

Proof. Using the quotient rule,

$$\frac{d}{dx}\left(\frac{p(x)}{q(x)}\right) = \frac{q(x)p'(x) - p(x)q'(x)}{q(x)^2}.$$

So if $r_1'(x) = 0$ then $q(x)p'(x) - p(x)q'(x) = 0$. Suppose for a contradiction that $p'(x) \neq 0$. We can then write

$$q(x) = \frac{p(x)q'(x)}{p'(x)}.$$

Let $x_0$ be a root of $q(x)$; then by assumption $p(x_0) \neq 0$. We can then consider the following two cases.

(i) If $x_0$ is not a root of $q'(x)$, then $q'(x_0) \neq 0$. Now setting $x = x_0$ gives

$$q(x_0) = \frac{p(x_0)q'(x_0)}{p'(x_0)} \implies 0 = p(x_0)q'(x_0).$$

But $p(x_0) \neq 0$ and $q'(x_0) \neq 0$, so we have a contradiction.

(ii) If $x_0$ is a root of $q'(x)$ then

$$q(x) = (x - x_0)^n Q(x), \qquad q'(x) = (x - x_0)^m R(x)$$

where $Q(x_0) \neq 0$, $R(x_0) \neq 0$ and $m < n$. Then substituting gives

$$(x - x_0)^n Q(x) = \frac{p(x)(x - x_0)^m R(x)}{p'(x)} \implies (x - x_0)^r Q(x) = \frac{p(x)R(x)}{p'(x)}$$

where $r = n - m > 0$. Now let $x = x_0$ (after multiplying through by $p'(x)$):

$$0 = p(x_0)R(x_0).$$

But $p(x_0) \neq 0$ and $R(x_0) \neq 0$, so we have a contradiction.

So we must have $p'(x) = 0$. The proof that $q'(x) = 0$ is similar, with the roles of $p$ and $q$ reversed.


Example 3.2. Consider again $\alpha(P) = 2P$, which had

$$R_1(x, y) = \left(\frac{3x^2 + A}{2y}\right)^2 - 2x.$$

Substituting for $y^2$ and simplifying yields

$$r_1 = \frac{x^4 - 2Ax^2 - 8Bx + A^2}{4(x^3 + Ax + B)}.$$

Therefore $\deg(\alpha) = 4$. Note that $q'(x) = 4(3x^2 + A)$, which is not zero. This is true even in characteristic 3 when we set $A = 0$, because a curve $x^3 + B$ will have multiple roots in characteristic 3 ($27B^2 \equiv 0$), which is contrary to assumption. Therefore $\alpha$ is a separable endomorphism.

Example 3.3. We now repeat the previous example in characteristic 2, using the formula from Appendix A.3 for doubling a point.

If $y^2 + xy = x^3 + a_2x^2 + a_6$ we have

$$\alpha(x, y) = (r_1(x), R_2(x, y))$$

with $r_1(x) = (x^4 + a_6)/x^2$. Therefore $\deg(\alpha) = 4$. Since $p'(x) = 4x^3 \equiv 0$ and $q'(x) = 2x \equiv 0$, the endomorphism is not separable.

Similarly in the case $y^2 + a_3y = x^3 + a_4x + a_6$, we have $r_1(x) = (x^4 + a_4^2)/a_3^2$. Therefore $\deg(\alpha) = 4$ but $\alpha$ is not separable.

In general, when in characteristic $p$, the map $\alpha(Q) = pQ$ has degree $p^2$ and is not separable.

Suppose $E$ is defined over the finite field $\mathbb{F}_q$. Then we define the Frobenius map as

$$\phi_q(x, y) = (x^q, y^q).$$

Lemma 3.4. Let $E$ be defined over $\mathbb{F}_q$. Then $\phi_q$ is an endomorphism of $E$ with degree $q$, and $\phi_q$ is not separable.

Proof. The main task of this proof is to show that $\phi_q : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q)$ is a homomorphism. So we need to show that if $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ then $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_3, y_3)$ for all the possible combinations of $(x_1, y_1)$ and $(x_2, y_2) \in E(\overline{\mathbb{F}}_q)$. Throughout the proof we can use Proposition B.14 because $E$ is defined over $\mathbb{F}_q$. This stated that

$$\phi_q(x + y) = \phi_q(x) + \phi_q(y), \qquad \phi_q(xy) = \phi_q(x)\phi_q(y).$$

(i) If $x_1 \neq x_2$ then $(x_3, y_3)$ is given by

$$x_3 = m^2 - x_1 - x_2, \quad y_3 = m(x_1 - x_3) - y_1, \quad m = \frac{y_2 - y_1}{x_2 - x_1}.$$

Now consider the sum of $\phi_q(x_1, y_1)$ and $\phi_q(x_2, y_2)$, given by $(X, Y)$ where

$$X = \left(\frac{y_2^q - y_1^q}{x_2^q - x_1^q}\right)^2 - x_1^q - x_2^q = \left(\frac{(y_2 - y_1)^q}{(x_2 - x_1)^q}\right)^2 - x_1^q - x_2^q = \left(\left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2\right)^q = x_3^q,$$

$$Y = \frac{y_2^q - y_1^q}{x_2^q - x_1^q}\,(x_1^q - x_3^q) - y_1^q = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^q (x_1 - x_3)^q - y_1^q = \left(\frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3) - y_1\right)^q = y_3^q.$$

So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_3^q, y_3^q) = \phi_q(x_3, y_3)$ as required.

(ii) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 \neq 0$ then $(x_3, y_3)$ is given by

$$x_3 = m^2 - 2x_1, \quad y_3 = m(x_1 - x_3) - y_1, \quad m = \frac{3x_1^2 + A}{2y_1}.$$

We now show that the sum of $\phi_q(x_1, y_1)$ and $\phi_q(x_2, y_2)$, given by $(X, Y)$, is $\phi_q(x_3, y_3)$ as before. We use $2^q = 2$, $3^q = 3$, $A^q = A$, since $2, 3, A \in \mathbb{F}_q$.

$$X = \left(\frac{3x_1^{2q} + A}{2y_1^q}\right)^2 - 2x_1^q = \left(\frac{3^q x_1^{2q} + A^q}{2^q y_1^q}\right)^2 - 2x_1^q = \left(\frac{(3x_1^2 + A)^q}{(2y_1)^q}\right)^2 - 2x_1^q = \left(\left(\frac{3x_1^2 + A}{2y_1}\right)^2 - 2x_1\right)^q = x_3^q,$$

$$Y = \frac{3x_1^{2q} + A}{2y_1^q}\,(x_1^q - x_3^q) - y_1^q = \left(\frac{3x_1^2 + A}{2y_1}\right)^q (x_1 - x_3)^q - y_1^q = \left(\frac{3x_1^2 + A}{2y_1}\,(x_1 - x_3) - y_1\right)^q = y_3^q.$$

So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_3^q, y_3^q) = \phi_q(x_3, y_3)$ as required.

(iii) If $x_1 = x_2$ but $y_1 \neq y_2$ (so $y_2 = -y_1$) then $(x_3, y_3) = \infty$. So

$$\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_1, y_1) + \phi_q(x_1, -y_1) = (x_1^q, y_1^q) + (x_1^q, -y_1^q).$$

The final equality uses the fact that $q$ is a power of a prime and so odd, meaning $(-y)^q = -y^q$. Now, by definition the sum of a point on an elliptic curve and its reflection in the $x$-axis is the point $\infty$, so

$$\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty.$$

Finally we note that

$$\phi_q(\infty) = \phi_q((X, Y) + (X, -Y)) = \phi_q(X, Y) + \phi_q(X, -Y) = (X^q, Y^q) + (X^q, -Y^q) = \infty.$$

So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty = \phi_q(x_3, y_3)$ as required.

(iv) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 = 0$, then $(x_3, y_3) = \infty$ by definition. Then

$$\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_1^q, 0) + (x_1^q, 0) = \infty.$$

We showed in the case above that $\phi_q(\infty) = \infty$, so

$$\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty = \phi_q(\infty) = \phi_q(x_3, y_3)$$

as required.

(v) If one of the points, say $(x_2, y_2)$, is $\infty$ then $(x_3, y_3) = (x_1, y_1)$. So

$$\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_1, y_1) + \infty = \phi_q(x_1, y_1) = \phi_q(x_3, y_3)$$

as required.

So we have shown that $\phi_q$ is a homomorphism. Since $\phi_q(x, y) = (x^q, y^q)$, the map is given by rational functions, making $\phi_q$ an endomorphism. We can clearly see that the degree is $q$, and since $q \equiv 0$ in $\mathbb{F}_q$, the derivative of $r_1(x) = x^q$ is identically zero, meaning $\phi_q$ is not separable.

The following is the key result of this section, which allows us to relate the degree of an endomorphism to the size of its kernel. If a homomorphism maps from $G$ to $H$ then the kernel is the set of elements mapped to $e_H$, the identity of $H$. Since a group homomorphism preserves identity elements, the identity element $e_G$ of $G$ must belong to the kernel. If this is the only element of the kernel then the homomorphism is injective.


Theorem 3.5. Let $\alpha \neq 0$ be a separable endomorphism of an elliptic curve $E$. Then

$$\deg(\alpha) = \#\operatorname{Ker}(\alpha)$$

where $\operatorname{Ker}(\alpha)$ is the kernel of the homomorphism $\alpha : E(\overline{K}) \to E(\overline{K})$. If $\alpha$ is not separable then

$$\deg(\alpha) > \#\operatorname{Ker}(\alpha).$$

Proof. Write $\alpha(x, y) = (r_1(x), yr_2(x))$ with $r_1(x) = p(x)/q(x)$, as above. Assume first that $\alpha$ is a separable endomorphism, so $r_1' \neq 0$:

$$r_1' = [p(x)q(x)^{-1}]' = p'(x)q(x)^{-1} - p(x)q(x)^{-2}q'(x) \neq 0.$$

So we can multiply by $q(x)^2$ to see that $p'q - pq'$ is not the zero polynomial. Let $S$ be the set of $x \in \overline{K}$ such that $(pq' - p'q)(x)\,q(x) = 0$. Since both $pq' - p'q$ and $q(x)$ are not the zero polynomial, we know that $S$ is the set of zeros of a non-zero polynomial and hence finite. Its image under $r_1(x)$ will hence be finite as well.

Let $(a, b) \in E(\overline{K})$ be such that

(i) $a \neq 0$, $b \neq 0$, $(a, b) \neq \infty$;

(ii) $\deg(p(x) - aq(x)) = \operatorname{Max}\{\deg(p), \deg(q)\} = \deg(\alpha)$;

(iii) $a \notin r_1(S)$;

(iv) $(a, b) \in \alpha(E(\overline{K}))$.

We must prove that such an $(a, b)$ exists. Consider each of the conditions in turn:

(i) There are infinitely many $(a, b) \in E(\overline{K})$ since $\overline{K}$ is algebraically closed. So clearly we can exclude those with $a = 0$, $b = 0$ or $(a, b) = \infty$.

(ii) Let $p(x) = cx^n + $ lower order terms and $q(x) = dx^m + $ lower order terms. If $\deg(p) > \deg(q)$ then $n > m$, so $p - aq$ will clearly have degree $n$ as required. Similarly if $\deg(p) < \deg(q)$ then the condition will always hold. So consider what happens when $n = m$. The condition will only fail if $c - ad = 0$. But if this were the case then multiply $a$ by an integer greater than one, to find a point for which the condition holds.

(iii) We can always find a point that satisfies this condition, as $r_1(S)$ is finite but we have an infinite number of points.

(iv) There are infinitely many points in $E(\overline{K})$. If the set $\{r_1(x) \mid (x, y) \in E(\overline{K})\}$ were finite then for at least some $k \in \overline{K}$ there would be infinitely many $x$ with $k = r_1(x)$. This would mean that $r_1(x) - k = 0$ for infinitely many $x$, which implies that $r_1(x)$ is a constant, which would make its derivative zero and give us a contradiction. Hence $r_1(E(\overline{K}))$ is infinite, making $\alpha(E(\overline{K}))$ an infinite set. So we can always find $(a, b) \in \alpha(E(\overline{K}))$.

So such a point $(a, b)$ exists. We want to prove that there are exactly $\deg(\alpha)$ points $(x_1, y_1) \in E(\overline{K})$ such that $\alpha(x_1, y_1) = (a, b)$. For such a point we have

$$\frac{p(x_1)}{q(x_1)} = a, \qquad y_1 r_2(x_1) = b.$$

Since $(a, b) \neq \infty$ we must have $q(x_1) \neq 0$, so by Lemma 3.2 $r_2(x_1)$ is defined. Since $b \neq 0$ and $y_1r_2(x_1) = b$ we know that $r_2(x_1) \neq 0$, so we can set $y_1 = b/r_2(x_1)$. Therefore $x_1$ determines $y_1$, so we need only count how many values of $x_1$ satisfy

$$p(x_1) = aq(x_1) \iff p(x_1) - aq(x_1) = 0.$$

By assumption (ii), $p(x) - aq(x) = 0$ has $\deg(\alpha)$ roots, counting multiplicities, so if all the roots are distinct we are done. We must show that $p - aq$ has no multiple roots. Suppose that $x_0$ is a multiple root of $p - aq$. Then we know that both the polynomial and its derivative are zero here:

$$p(x_0) - aq(x_0) = 0 \implies p(x_0) = aq(x_0),$$
$$p'(x_0) - aq'(x_0) = 0 \implies aq'(x_0) = p'(x_0).$$

Multiplying the two equations yields

$$ap(x_0)q'(x_0) = ap'(x_0)q(x_0).$$

Since $a \neq 0$,

$$p(x_0)q'(x_0) - p'(x_0)q(x_0) = 0,$$

which implies that $x_0$ is a root of $pq' - p'q$, so $x_0 \in S$. Therefore $a = r_1(x_0) \in r_1(S)$, which is contrary to assumption. Therefore $p - aq$ has $\deg(\alpha)$ distinct roots and hence there are $\deg(\alpha)$ points $(x_1, y_1) \in E(\overline{K})$ such that $\alpha(x_1, y_1) = (a, b)$.

Since $\alpha$ is a homomorphism and this holds for the point $(a, b)$, it will hold for all $(a, b) \in \alpha(E(\overline{K}))$, including the identity, meaning the kernel of $\alpha$ has $\deg(\alpha)$ elements.

If $\alpha$ is not separable then the above steps hold, but $p' - aq'$ is always the zero polynomial, so $p(x) - aq(x) = 0$ always has multiple roots and so fewer than $\deg(\alpha)$ solutions.

Theorem 3.6. Let $E$ be an elliptic curve defined over a field $K$. Let $\alpha \neq 0$ be an endomorphism of $E$. Then $\alpha : E(\overline{K}) \to E(\overline{K})$ is surjective.

Proof. Let $(a, b) \in E(\overline{K})$. We want to prove that there is a point $(x, y) \in E(\overline{K})$ that maps to it. Since $\alpha(\infty) = \infty$, we may assume that $(a, b) \neq \infty$. Let $r_1(x) = p(x)/q(x)$ as above. We consider the two cases:

(i) If $p(x) - aq(x)$ is not a constant then it has a root, at $x_0$ say. Since $p$ and $q$ have no common roots we know $q(x_0) \neq 0$ (if it were zero, then it would imply $p(x_0) = 0$, which is contrary to assumptions). So

$$p(x_0) - aq(x_0) = 0 \implies a = \frac{p(x_0)}{q(x_0)}.$$

Choose $y_0 \in \overline{K}$ to be either square root of $x_0^3 + Ax_0 + B$. Then $\alpha(x_0, y_0)$ is defined and equals $(a, b')$ for some $b'$. Since $(b')^2 = a^3 + Aa + B = b^2$ we have $b' = \pm b$. If $b' = b$ then we have found our point $(x, y)$ that maps to $(a, b)$ and we are done. If $b' = -b$ then $\alpha(x_0, -y_0) = -(a, -b) = (a, b)$.

(ii) Now consider the case when $p - aq$ is constant. Since $E(\overline{K})$ is infinite and the kernel of $\alpha$ is finite, only finitely many points of $E(\overline{K})$ can map to a point with a given $x$-coordinate. So either $p(x)$ or $q(x)$ is not constant.

If $p$ and $q$ are two non-constant polynomials then there is at most one value of $a$ for which $p - aq$ is constant. Therefore there are at most two points $(a, b)$ and $(a, -b)$ that are not mapped to by $\alpha$. Let $(a_1, b_1) = \alpha(P_1)$ be any other point. We can choose it such that $(a_1, b_1) + (a, b) \neq \pm(a, b)$. So there exists $P_2$ with $\alpha(P_2) = (a_1, b_1) + (a, b)$. Then $\alpha(P_2 - P_1) = (a, b)$ and $\alpha(P_1 - P_2) = (a, -b)$. So every point $(a, b)$ is mapped to by $\alpha$.

We have shown that if $\alpha \neq 0$ is an endomorphism of $E$ then every point $(a, b) \in E(\overline{K})$ is mapped to by a point $(x, y) \in E(\overline{K})$. Therefore $\alpha$ is surjective.

We next want to derive a criterion for separability (Proposition 3.10). If $(x, y)$ is a point on $y^2 = x^3 + Ax + B$, then we can differentiate to get

$$2yy' = 3x^2 + A.$$

Similarly we can differentiate a rational function to get

$$\frac{d}{dx}f(x, y) = f_x(x, y) + f_y(x, y)\,y'$$

where $f_x$ and $f_y$ are the partial derivatives.

Lemma 3.7. Let $E$ be the elliptic curve $y^2 = x^3 + Ax + B$. Fix a point $(u, v)$ on $E$. For any point $(x, y)$ with $x \neq u$,

$$(u, v) + (x, y) = (f(x, y), g(x, y))$$

where $f(x, y)$ and $g(x, y)$ are rational functions whose coefficients depend on $(u, v)$. Then

$$\frac{\frac{d}{dx}f(x, y)}{g(x, y)} = \frac{1}{y}.$$

Proof. From the addition formulas we have

$$f(x, y) = \left(\frac{y - v}{x - u}\right)^2 - u - x,$$

$$\begin{aligned}
g(x, y) &= \left(\frac{y - v}{x - u}\right)\left(u - \left(\frac{y - v}{x - u}\right)^2 + u + x\right) - v \\
&= \left(\frac{y - v}{x - u}\right)\frac{2u(x - u)^2 - (y - v)^2 + x(x - u)^2}{(x - u)^2} - v \\
&= \frac{-(y - v)^3 + x(y - v)(x - u)^2 + 2u(y - v)(x - u)^2 - v(x - u)^3}{(x - u)^3}.
\end{aligned}$$

Then using the quotient rule we can calculate

$$\frac{d}{dx}f(x, y) = \frac{2(x - u)^2(y - v)y' - 2(y - v)^2(x - u)(1)}{(x - u)^4} - 1 = \frac{2y'(y - v)(x - u) - 2(y - v)^2 - (x - u)^3}{(x - u)^3}.$$

Because $2yy' = 3x^2 + A$ we can substitute for $y'$ to give

$$\frac{d}{dx}f(x, y) = \frac{2\left(\frac{3x^2 + A}{2y}\right)(y - v)(x - u) - 2(y - v)^2 - (x - u)^3}{(x - u)^3} = \frac{(3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3}{y(x - u)^3},$$

$$y\frac{d}{dx}f(x, y) - g(x, y) = \frac{(3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3}{(x - u)^3} + \frac{(y - v)^3 - x(y - v)(x - u)^2 - 2u(y - v)(x - u)^2 + v(x - u)^3}{(x - u)^3}.$$

Then

$$\begin{aligned}
(x - u)^3\left(y\frac{d}{dx}f(x, y) - g(x, y)\right) &= (3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3 \\
&\quad + (y - v)^3 - x(y - v)(x - u)^2 - 2u(y - v)(x - u)^2 + v(x - u)^3 \\
&= -Avx + vu^3 - yu^3 + yv^2 + y^2v - Ayu + Avu - y^3 - v^3 + x^3y - x^3v + Axy \\
&= v[Au + u^3 - v^2 - Ax - x^3 + y^2] + y[-Au - u^3 + v^2 + Ax + x^3 - y^2].
\end{aligned}$$

Because $(u, v)$ and $(x, y)$ lie on $E$ we can use $v^2 = u^3 + Au + B$ and $y^2 = x^3 + Ax + B$ to reduce the above expression:

$$\begin{aligned}
(x - u)^3\left(y\frac{d}{dx}f(x, y) - g(x, y)\right) &= v[Au + u^3 - (u^3 + Au + B) - Ax - x^3 + (x^3 + Ax + B)] \\
&\quad + y[-Au - u^3 + (u^3 + Au + B) + Ax + x^3 - (x^3 + Ax + B)] \\
&= v[-B + B] + y[+B - B] = 0.
\end{aligned}$$

Then because $x \neq u$ this implies

$$y\frac{d}{dx}f(x, y) = g(x, y),$$

which can be rearranged to give the desired result.


Lemma 3.8. Let $\alpha_1, \alpha_2, \alpha_3$ be non-zero endomorphisms of an elliptic curve $E$ with $\alpha_1 + \alpha_2 = \alpha_3$. Write $\alpha_j(x, y) = (R_j(x), yS_j(x))$. Suppose there are constants $c_1, c_2$ such that

$$\frac{R_1'(x)}{S_1(x)} = c_1 \quad\text{and}\quad \frac{R_2'(x)}{S_2(x)} = c_2.$$

Then

$$\frac{R_3'(x)}{S_3(x)} = c_1 + c_2.$$

Proof. Let $(x_1, y_1)$ and $(x_2, y_2)$ be variable points on $E$, with $x_1 \neq x_2$. Write

$$(x_3, y_3) = (x_1, y_1) + (x_2, y_2)$$

where

$$(x_1, y_1) = \alpha_1(x, y), \qquad (x_2, y_2) = \alpha_2(x, y).$$

Then $x_3$ and $y_3$ are rational functions of $x_1, y_1, x_2, y_2$, which in turn are rational functions of $x, y$. By Lemma 3.7 with $(x, y) = (x_1, y_1)$ and $(u, v) = (x_2, y_2)$,

$$\frac{\partial x_3}{\partial x_1} = \frac{y_3}{y_1}.$$

Similarly with $(x, y) = (x_2, y_2)$ and $(u, v) = (x_1, y_1)$,

$$\frac{\partial x_3}{\partial x_2} = \frac{y_3}{y_2}.$$

By assumption

$$\frac{dx_j}{dx} = c_j\,\frac{y_j}{y}$$

for $j = 1, 2$. So by the chain rule

$$\frac{dx_3}{dx} = \frac{\partial x_3}{\partial x_1}\frac{dx_1}{dx} + \frac{\partial x_3}{\partial x_2}\frac{dx_2}{dx} = \frac{y_3}{y_1}\,c_1\frac{y_1}{y} + \frac{y_3}{y_2}\,c_2\frac{y_2}{y} = (c_1 + c_2)\frac{y_3}{y}.$$

Then dividing by $y_3/y$ gives the result.

Proposition 3.9. Let $E$ be an elliptic curve defined over a field $K$, and let $n$ be a nonzero integer. Suppose that multiplication by $n$ on $E$ is given by

$$n(x, y) = (R_n(x), yS_n(x))$$

for all $(x, y) \in E(\overline{K})$, where $R_n$ and $S_n$ are rational functions. Then

$$\frac{R_n'(x)}{S_n(x)} = n.$$

This then implies that multiplication by $n$ is separable if and only if $n$ is not a multiple of the characteristic $p$ of the field.

Proof. We showed earlier that $R_{-n} = R_n$ and $S_{-n} = -S_n$, and so we have $R_{-n}'/S_{-n} = -R_n'/S_n$. Therefore the result for positive $n$ will imply the result for negative $n$.

We will prove that $R_n'(x)/S_n(x) = n$ for all positive $n$ using proof by mathematical induction (PMI). We can see this is trivially true for $n = 0$ and $n = 1$. Suppose that it is true for $n$; then Lemma 3.8 will imply that it is true for the sum, $n + 1$. Therefore

$$\frac{R_n'(x)}{S_n(x)} = n \quad \forall\, n \geq 1$$

by PMI. This, coupled with the fact that if it holds for positive $n$ then it holds for negative $n$, implies the result for all integers $n$.

Now for multiplication by $n$ to be separable we need $R_n'(x) \neq 0$. This will be the case if and only if $n = R_n'(x)/S_n(x) \neq 0$, which is equivalent to $p$ not dividing $n$. So this proves the second part of the proposition: multiplication by $n$ is separable if and only if $p \nmid n$.

Proposition 3.10. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, where $q$ is a power of the prime $p$. Let $r$ and $s$ be integers, not both 0. The endomorphism $r\phi_q + s$ is separable if and only if $p \nmid s$. ($\phi_q$ is the Frobenius map.)

Proof. Let the endomorphism that describes multiplication by $r$ be

$$r(x, y) = (R_r(x), yS_r(x)).$$

Then the endomorphism for multiplication by $r\phi_q$ is

$$(R_{r\phi_q}(x), yS_{r\phi_q}(x)) = (r\phi_q)(x, y) = (R_r(x)^q, y^q S_r(x)^q) = (R_r(x)^q, y(x^3 + Ax + B)^{(q-1)/2}S_r(x)^q).$$

Therefore

$$c_{r\phi_q} = \frac{R_{r\phi_q}'}{S_{r\phi_q}} = \frac{qR_r^{q-1}R_r'}{S_{r\phi_q}} = 0.$$

Also $c_s = R_s'/S_s = s$ by Proposition 3.9. So by Lemma 3.8

$$\frac{R_{r\phi_q + s}'}{S_{r\phi_q + s}} = c_{r\phi_q + s} = c_{r\phi_q} + c_s = 0 + s = s.$$

Therefore $R_{r\phi_q + s}' \neq 0$ (and hence the endomorphism is separable) if and only if $p \nmid s$.


    3.2 Torsion points

The torsion points are those points in $E$ whose orders are finite. Let $E$ be an elliptic curve defined over a field $K$, with algebraic closure $\overline{K}$, and let $n$ be a positive integer. For a given $n$ we define the subgroup

$$E[n] = \{P \in E(\overline{K}) \mid nP = \infty\}.$$

This group acts as the kernel of the multiplication-by-$n$ endomorphism, which maps $x \mapsto nx$. We will start by looking at the form of $E[2]$ and $E[3]$ before moving on to the general case.

When the characteristic is not two, $E$ can be expressed in the form

$$y^2 = x^3 + a_2x^2 + a_4x + a_6 = (x - e_1)(x - e_2)(x - e_3)$$

with $e_1, e_2, e_3 \in \overline{K}$. It is easy to calculate $E[2]$, as a point satisfies $2P = \infty$ if and only if the tangent line at $P$ is vertical. When we have a curve in characteristic not 2 this only happens when $y = 0$, so

$$E[2] = \{\infty, (e_1, 0), (e_2, 0), (e_3, 0)\}.$$

Because $E[n]$ is a finite abelian group we can apply Theorem B.6 here. When the characteristic is not 2, $E[2]$ is a group of order 4 and so isomorphic to either $\mathbb{Z}_4$ or $\mathbb{Z}_2 \oplus \mathbb{Z}_2$. We know the group is not cyclic as all points have order 2, so we conclude that in this case

$$E[2] \cong \mathbb{Z}_2 \oplus \mathbb{Z}_2.$$

If the characteristic is 2 then, from Appendix A.3, $E$ has one of the following forms:

(I) $y^2 + xy + x^3 + a_2x^2 + a_6 = 0$

(II) $y^2 + a_3y + x^3 + a_4x + a_6 = 0$

In the first case $a_6 \neq 0$ and in the second case $a_3 \neq 0$, otherwise the curves would be singular. If $P = (x, y)$ is a point of order 2 then once again the tangent at $P$ must be vertical. This time, however, the curve is not symmetric about the $x$-axis, so we look for the points where the partial derivative with respect to $y$ vanishes:

(I) $f_y = 2y + x \equiv x \pmod 2$

(II) $f_y = 2y + a_3 \equiv a_3 \pmod 2$

So in the first case we need $x = 0$, meaning $0 = y^2 + a_6 = (y + \sqrt{a_6})^2$. Therefore $(0, \sqrt{a_6})$ is the only point of order 2 and

$$E[2] = \{\infty, (0, \sqrt{a_6})\} \cong \mathbb{Z}_2.$$

In the second case the partial derivative with respect to $y$ is $a_3 \neq 0$. Therefore there is no point of order 2, so

$$E[2] = \{\infty\} \cong \mathbb{Z}_1.$$

We denote the set of only one element by $0$. The following proposition summarises these results.

Proposition 3.11. Let $E$ be an elliptic curve over a field $K$. If the characteristic of $K$ is not 2 then

$$E[2] \cong \mathbb{Z}_2 \oplus \mathbb{Z}_2.$$

If the characteristic of $K$ is 2 then $E[2] \cong 0$ or $\mathbb{Z}_2$.

Now consider $E[3]$. Assume first that the characteristic is neither 2 nor 3, in which case $E$ is given by $y^2 = x^3 + Ax + B$. A point $P$ satisfies $3P = \infty$ if and only if $2P = -P$. This means that the $x$-coordinate of $2P$ equals the $x$-coordinate of $P$, while the $y$-coordinates differ in sign. (If the $y$-coordinates were equal then $2P = P$, implying $P = \infty$.) So using the addition equations,

$$m^2 - 2x = x, \qquad m = \frac{3x^2 + A}{2y}.$$

Hence

$$\frac{(3x^2 + A)^2}{4y^2} = 3x$$
$$(3x^2 + A)^2 = 12x(x^3 + Ax + B)$$
$$3x^4 + 6Ax^2 + 12Bx - A^2 = 0.$$

The discriminant of this polynomial is $-6912(4A^3 + 27B^2)^2$, which is clearly non-zero since we assumed the roots of the Weierstrass equation were distinct. So this polynomial has no multiple roots, meaning there are 4 distinct values of $x \in \overline{K}$, each yielding 2 values of $y$, summing to 8 points of order 3. Since $\infty$ is also in $E[3]$ we see that $E[3]$ is a group of order 9, so from Theorem B.6 we know that it is isomorphic to either $\mathbb{Z}_9$ or $\mathbb{Z}_3 \oplus \mathbb{Z}_3$. But every element is 3-torsion, so no point has order 9, meaning the group is not cyclic. Therefore

$$E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3.$$

Next assume we are in characteristic 3, meaning we have an equation of the form $y^2 = x^3 + a_2x^2 + a_4x + a_6$. We can compute the $x$-coordinate of $2P$ in the usual way. We first use implicit differentiation to calculate the gradient of the tangent, $m = (2a_2x + a_4)/(2y)$, so $m^2 = (2a_2x + a_4)^2/(4y^2)$, and then we substitute in $E$ and note that the $x^2$ coefficient has an extra term this time. So setting the $x$-coordinate of $2P$ to that of $P$ gives

$$\left(\frac{2a_2x + a_4}{2y}\right)^2 - a_2 = 3x \equiv 0$$
$$(4a_2^2x^2 + a_4^2 + 4a_2a_4x) - 4a_2y^2 = 0$$
$$a_2^2x^2 + a_4^2 + a_2a_4x - a_2(x^3 + a_2x^2 + a_4x + a_6) = 0$$
$$a_2x^3 + a_2a_6 - a_4^2 = 0.$$

Recall that $3 \equiv 0$ and $4 \equiv 1$ in characteristic 3.

Note that we cannot have $a_2 = a_4 = 0$, as then $y^2 = (x + a_6^{1/3})^3$ has multiple roots. If $a_2 = 0$ then we get $a_4^2 = 0$, which cannot happen, so $E[3] = \{\infty\} \cong \mathbb{Z}_1$ in this case. If $a_2 \neq 0$ then the equation becomes $a_2(x^3 + a) = 0$ for some constant $a$. This has a single triple root, so there is one value of $x$ and 2 corresponding values of $y$, meaning two points of order 3. Since $\infty$ is also a point we see that $E[3]$ has order 3, so $E[3] \cong \mathbb{Z}_3$.

Finally assume that we are in characteristic 2. We can use the addition formulas from Appendix A.3 to show that $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$. As before we have two possibilities:

(I) If $y^2 + xy = x^3 + a_2x^2 + a_6$ then calculating $2P$ and setting the $x$-coordinate equal to the $x$-coordinate of $P$ gives

$$x = \frac{x^4 + a_6}{x^2}$$
$$0 = x^4 - x^3 + a_6.$$

The discriminant of this polynomial is $256a_6^3 - 27a_6^2 \equiv a_6^2 \pmod 2$. We cannot have $a_6 = 0$ as then the curve would be singular, so we conclude the discriminant is non-zero. So the polynomial has 4 roots, and so 8 points of order 3. Therefore as before $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$.

(II) If $y^2 + a_3y = x^3 + a_4x + a_6$ then we get

$$x = \frac{x^4 + a_4^2}{a_3^2}$$
$$0 = x^4 + a_4^2 - xa_3^2.$$

The discriminant of this polynomial is $-27(a_3^2)^4 + 256(a_4^2)^3 \equiv (a_3^2)^4 \pmod 2$. We cannot have $a_3 = 0$ as then the curve would be singular, so we conclude the discriminant is non-zero and hence $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$.

So to conclude: if we are in characteristic not 3, then $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$, while if we are in characteristic 3, then $E[3] \cong \mathbb{Z}_3$ or $\mathbb{Z}_1$. The following theorem describes the general case.

Theorem 3.12. Let $E$ be an elliptic curve over a field $K$, and let $n$ be a positive integer. If the characteristic of $K$ does not divide $n$, or is zero, then

$$E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n.$$

If the characteristic of $K$ is $p > 0$ and $p \mid n$, write $n = p^r n'$ with $p \nmid n'$. Then

$$E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad\text{or}\quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'}.$$

This theorem will be proved in the next section, but notice how it covers the two examples we have just looked at. For example, when $n = 3$, as long as the characteristic did not divide 3 (i.e. was not 3) then $E[3] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n = \mathbb{Z}_3 \oplus \mathbb{Z}_3$. While when the characteristic was 3, we could write $3 = 3^1 \cdot 1$ and then $E[3] \cong \mathbb{Z}_1 \oplus \mathbb{Z}_1 = \mathbb{Z}_1$ or $\mathbb{Z}_3 \oplus \mathbb{Z}_1 = \mathbb{Z}_3$.

An elliptic curve $E$ in characteristic $p$ is called ordinary if $E[p] \cong \mathbb{Z}_p$. It is called supersingular if $E[p] \cong 0$ and so only contains the point $\infty$. As expected, this was one of the possibilities for $E[3]$ in the characteristic 3 case above.


    3.2.1 Successive doubling

Recall that if $P$ is a point on an elliptic curve and $k$ is a positive integer, then $kP$ denotes $P + P + \cdots + P$ (with $k$ summands). If $k$ is a large integer it is more efficient to use successive doubling, as used below to compute $19P$:

$$2P = P + P, \quad 4P = 2P + 2P, \quad 8P = 4P + 4P,$$
$$16P = 8P + 8P, \quad 19P = 16P + 2P + P.$$

The only problem is that if we are working in the rational numbers the size of the coordinates increases rapidly. This is not a problem when working with finite fields, though, as we can continually reduce modulo $p$. The following algorithm uses successive doubling to calculate $kP$.

The Successive Doubling Algorithm

Let $k$ be a positive integer and let $P$ be a point on an elliptic curve. The following procedure computes $kP$.

1. Set $a = k$, $B = \infty$ and $C = P$.
2. If $a$ is even, let $a = a/2$, and let $B = B$, $C = 2C$.
3. If $a$ is odd, let $a = a - 1$, and let $B = B + C$, $C = C$.
4. If $a \neq 0$ go to step 2.
5. Output $B$.

The output, $B$, is $kP$.

Example 3.4. Consider $E_{11}(1, 6)$ from Example 2.2, which was defined by

$$y^2 \equiv x^3 + x + 6 \pmod{11}.$$

Let $G = (2, 7)$ and suppose we wish to compute $G, 2G, \ldots, 13G$. Working from the addition formulas:

$$2G = 1G + 1G = \left(-\frac{615}{196}, -\frac{6117}{2744}\right) \equiv \left(\frac{1}{9}, \frac{10}{5}\right) \equiv (5, 2) \pmod{11}$$

$$3G = 2G + 1G = \left(-\frac{38}{9}, -\frac{469}{27}\right) \equiv \left(\frac{6}{9}, \frac{4}{5}\right) \equiv (6 \cdot 5, 4 \cdot 9) \equiv (8, 3) \pmod{11}$$

We perform the rest of the calculations with ECADP.m:

4G = 2G + 2G = (10, 2)      9G = 5G + 4G = (10, 9)
5G = 4G + 1G = (3, 6)      10G = 5G + 5G = (8, 8)
6G = 3G + 3G = (7, 9)      11G = 8G + 3G = (5, 9)
7G = 4G + 3G = (7, 2)      12G = 6G + 6G = (2, 4)
8G = 4G + 4G = (3, 5)      13G = 6G + 7G = ∞

As expected all of these points lie on $E_{11}(1, 6)$; in fact this has generated the whole of $E_{11}(1, 6)$. This means that $E_{11}(1, 6)$ is a cyclic group with $G = (2, 7)$ a generator.

If we had just wanted to calculate $13G$, however, we could have used the successive doubling algorithm. This would have taken only 6 steps as opposed to the 12 used above:

(1) a = 13, B = ∞, C = G      (5) a = 2, B = 5G, C = 4G
(2) a = 12, B = G, C = G      (6) a = 1, B = 5G, C = 8G
(3) a = 6, B = G, C = 2G      (7) a = 0, B = 13G, C = 8G
(4) a = 3, B = G, C = 4G

An m-file to perform the successive doubling algorithm over prime curves (SUCDOB.m) was created and can be found in Appendix C.5. This m-file takes as its inputs $X_1, Y_1, k, A, p$ and outputs $X_2, Y_2$ where

$$(X_2, Y_2) = k(X_1, Y_1) = (X_1, Y_1) + (X_1, Y_1) + \cdots + (X_1, Y_1) \quad (k \text{ summands})$$

and addition is performed over the elliptic curve

$$y^2 \equiv x^3 + Ax + B \pmod p.$$

Testing this m-file on the example above gives $12G = (2, 4)$ and $13G = \infty$ as expected.
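The Successive Doubling Algorithm and the multiples of $G$ from Example 3.4, as an added Python example (not the dissertation's own SUCDOB.m or ECADP.m). It follows the algorithm's steps literally with the state $(a, B, C)$, represents the point $\infty$ by `None`, and is checked on the curve $E_{11}(1, 6)$ with $G = (2, 7)$ exactly as in the text.

```python
# Successive doubling (double-and-add) on a prime curve y^2 = x^3 + A x + B (mod p).
# Added example, not the dissertation's SUCDOB.m / ECADP.m: it follows the steps of
# the Successive Doubling Algorithm literally, tracking the state (a, B, C), and is
# checked against Example 3.4 on E_11(1, 6) with G = (2, 7).
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the role of the point at infinity
INF: Point = None

# Curve and generator from Example 3.4: y^2 = x^3 + x + 6 over F_11
A11, B11, P11 = 1, 6, 11
G = (2, 7)


def on_curve(P: Point, A: int, B: int, p: int) -> bool:
    """Check y^2 = x^3 + Ax + B (mod p); the point at infinity always lies on E."""
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def ec_add(P: Point, Q: Point, A: int, p: int) -> Point:
    """Add two points of E_p(A, B) with the chord-and-tangent formulas of Chapter 2."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF            # Q is the reflection of P (covers the y = 0 case too)
    if P == Q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def successive_doubling(k: int, P: Point, A: int, p: int):
    """Compute kP by the Successive Doubling Algorithm.

    Returns (kP, trace), where trace lists the state (a, B, C) after every step,
    matching the seven-line table of Example 3.4 for k = 13.
    """
    a, B, C = k, INF, P                        # step 1
    trace = [(a, B, C)]
    while a != 0:                              # step 4: repeat until a = 0
        if a % 2 == 0:
            a, C = a // 2, ec_add(C, C, A, p)  # step 2: halve a, double C
        else:
            a, B = a - 1, ec_add(B, C, A, p)   # step 3: decrement a, add C to B
        trace.append((a, B, C))
    return B, trace                            # step 5


def multiples(P: Point, A: int, p: int, n: int) -> List[Point]:
    """[1P, 2P, ..., nP] by repeated addition, the way the table in Example 3.4 was built."""
    out, acc = [], INF
    for _ in range(n):
        acc = ec_add(acc, P, A, p)
        out.append(acc)
    return out


if __name__ == "__main__":
    kG, trace = successive_doubling(13, G, A11, P11)
    for step, (a, B, C) in enumerate(trace, 1):
        print(f"({step}) a = {a}, B = {B}, C = {C}")
    print("13G =", kG)                         # None, i.e. the point at infinity
    print("multiples of G:", multiples(G, A11, P11, 13))
```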

    3.2.2 The basis for E[n]

Let $n$ be a positive integer not divisible by the characteristic of $K$. We show here (for use in the following sections) that we can find a basis $\{\beta_1, \beta_2\}$ for $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. Every element of $E[n]$ can be expressed in the form $m_1\beta_1 + m_2\beta_2$ with integers $m_1, m_2$ that are uniquely determined mod $n$. Let $\alpha : E(\overline{K}) \to E(\overline{K})$ be a homomorphism. $\alpha$ maps $E[n]$ to $E[n]$, so there exist $a, b, c, d \in \mathbb{Z}_n$ such that

$$\alpha(\beta_1) = a\beta_1 + c\beta_2, \qquad \alpha(\beta_2) = b\beta_1 + d\beta_2.$$

Therefore each homomorphism $\alpha$ is represented by a $2 \times 2$ matrix

$$\alpha_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix}.$$

So now composition of homomorphisms corresponds to multiplication of the corresponding matrices.

Example 3.5. Let $E$ be the elliptic curve defined over $\mathbb{R}$ by $y^2 = x^3 - 2$ and let $n = 2$. Then

$$E[2] = \{\infty, (2^{1/3}, 0), (\omega 2^{1/3}, 0), (\omega^2 2^{1/3}, 0)\}$$

where $\omega$ is a non-trivial cube root of unity. Let

$$\beta_1 = (2^{1/3}, 0), \qquad \beta_2 = (\omega 2^{1/3}, 0).$$

Then $\{\beta_1, \beta_2\}$ is a basis for $E[2]$, and $\beta_3 = (\omega^2 2^{1/3}, 0) = \beta_1 + \beta_2$.

Let $\alpha : E(\mathbb{C}) \to E(\mathbb{C})$ represent complex conjugation: $\alpha(x, y) = (\bar{x}, \bar{y})$, where $\bar{x}$ is the complex conjugate of $x$. It is easy to verify that $\alpha$ is a homomorphism and that $\overline{P_1 + P_2} = \overline{P_1} + \overline{P_2}$, which is the same as $\alpha(P_1) + \alpha(P_2) = \alpha(P_1 + P_2)$. We have

$$\alpha(\beta_1) = 1 \cdot \beta_1 + 0 \cdot \beta_2, \qquad \alpha(\beta_2) = 1 \cdot \beta_1 + 1 \cdot \beta_2 = \beta_3.$$

Therefore

$$\alpha_2 = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}.$$

Note that $\alpha_2^2$ is the identity matrix mod 2, which corresponds to the fact that $\alpha \circ \alpha$ is the identity homomorphism.


    3.3 Division polynomials

This section aims to prove Theorem 3.12 as well as to obtain other results for use in Chapter 4. Define the division polynomials $\psi_m \in \mathbb{Z}[x, y, A, B]$ by

$$\psi_0 = 0$$
$$\psi_1 = 1$$
$$\psi_2 = 2y$$
$$\psi_3 = 3x^4 + 6Ax^2 + 12Bx - A^2$$
$$\psi_4 = 4y(x^6 + 5Ax^4 + 20Bx^3 - 5A^2x^2 - 4ABx - 8B^2 - A^3)$$
$$\psi_{2m+1} = \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3, \qquad m \geq 2$$
$$\psi_{2m} = (2y)^{-1}(\psi_m)(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2), \qquad m \geq 3$$

Lemma 3.13. $\psi_n$ is a polynomial in $\mathbb{Z}[x, y^2, A, B]$ when $n$ is odd, and a polynomial in $2y\mathbb{Z}[x, y^2, A, B]$ when $n$ is even.

Proof. We can see the lemma is true for $n \leq 4$. Assume for induction that the lemma holds for all $n < 2m$, where $2m > 4$, so $m > 2$. We must now prove that the lemma holds for $n = 2m$ and $n = 2m + 1$ to prove the lemma with PMI. Because $2m > m + 2$ we can see that all polynomials in the definition of $\psi_{2m}$ and $\psi_{2m+1}$ satisfy the induction assumptions.

First consider the case when $m$ is even. Then $\psi_m, \psi_{m+2}, \psi_{m-2}$ are in $2y\mathbb{Z}[x, y^2, A, B]$ and $\psi_{m-1}$ and $\psi_{m+1}$ are in $\mathbb{Z}[x, y^2, A, B]$, so

$$\psi_{m+2}\psi_m^3 \in 2^4y^4\mathbb{Z}[x, y^2, A, B] = \mathbb{Z}[x, y^2, A, B]$$
$$\psi_{m-1}\psi_{m+1}^3 \in \mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{2m+1} \in \mathbb{Z}[x, y^2, A, B].$$

Similarly

$$\psi_{m+2}\psi_{m-1}^2 \in 2y\mathbb{Z}[x, y^2, A, B]$$
$$\psi_{m-2}\psi_{m+1}^2 \in 2y\mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2 \in 2y\mathbb{Z}[x, y^2, A, B]$$
$$\implies (2y)^{-1}(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2) \in \mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{2m} \in 2y\mathbb{Z}[x, y^2, A, B].$$

Now consider the case when $m$ is odd. Then $\psi_{m-1}$ and $\psi_{m+1}$ are in $2y\mathbb{Z}[x, y^2, A, B]$ while $\psi_m, \psi_{m+2}, \psi_{m-2}$ are in $\mathbb{Z}[x, y^2, A, B]$, so

$$\psi_{m+2}\psi_m^3 \in \mathbb{Z}[x, y^2, A, B]$$
$$\psi_{m-1}\psi_{m+1}^3 \in 2^4y^4\mathbb{Z}[x, y^2, A, B] = \mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{2m+1} \in \mathbb{Z}[x, y^2, A, B].$$

Similarly

$$\psi_{m+2}\psi_{m-1}^2 \in 2^2y^2\mathbb{Z}[x, y^2, A, B]$$
$$\psi_{m-2}\psi_{m+1}^2 \in 2^2y^2\mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2 \in 2^2y^2\mathbb{Z}[x, y^2, A, B]$$
$$\implies (2y)^{-1}(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2) \in 2y\mathbb{Z}[x, y^2, A, B]$$
$$\implies \psi_{2m} \in 2y\mathbb{Z}[x, y^2, A, B].$$

So we have proved the lemma with PMI for both choices of $m$.

Define the polynomials

$$\phi_n = x\psi_n^2 - \psi_{n+1}\psi_{n-1}$$
$$\omega_n = (4y)^{-1}\left(\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2\right)$$

Lemma 3.14. $\phi_n \in \mathbb{Z}[x, y^2, A, B]$ for all $n$. If $n$ is odd then $\omega_n \in y\,\mathbb{Z}[x, y^2, A, B]$, while if $n$ is even then $\omega_n \in \mathbb{Z}[x, y^2, A, B]$.

Proof This proof is a lengthy but simple application of PMI. The proof can be found in Appendix A.6.

Next consider an elliptic curve $y^2 = x^3 + Ax + B$ with no multiple roots ($4A^3 + 27B^2 \neq 0$). We don't specify what field $A, B$ are in, so treat them as variables. We regard the polynomials in $\mathbb{Z}[x, y^2, A, B]$ as polynomials in $\mathbb{Z}[x, A, B]$ by substituting $x^3 + Ax + B$ for $y^2$. Note that $\psi_n$ is not necessarily a polynomial in $x$ alone, but $\psi_n^2(x)$ is.

Lemma 3.15. When considering points on the elliptic curve $y^2 = x^3 + Ax + B$,

(i) $\psi_n^2(x) = n^2 x^{n^2 - 1} + $ lower degree terms

(ii) $\phi_n(x) = x^{n^2} + $ lower degree terms

Proof This is another lengthy but simple use of PMI, which can be found in Appendix A.6.


Lemma 3.16. Let $\Delta = 4A^3 + 27B^2$ and let

$$F(x, z) = x^4 - 2Ax^2z^2 - 8Bxz^3 + A^2z^4$$
$$G(x, z) = 4z(x^3 + Axz^2 + Bz^3)$$
$$f_1(x, z) = 12x^2z + 16Az^3$$
$$g_1(x, z) = 3x^3 - 5Axz^2 - 27Bz^3$$
$$f_2(x, z) = 4\Delta x^3 - 4A^2Bx^2z + 4A(3A^3 + 22B^2)xz^2 + 12B(A^3 + 8B^2)z^3$$
$$g_2(x, z) = A^2Bx^3 + A(5A^3 + 32B^2)x^2z + 2B(13A^3 + 96B^2)xz^2 - 3A^2(A^3 + 8B^2)z^3$$

Then by simply multiplying out the brackets we see

$$Ff_1 - Gg_1 = 16A^3z^7 + 108B^2z^7 = 4\Delta z^7$$
$$Ff_2 + Gg_2 = 16A^3x^7 + 108B^2x^7 = 4\Delta x^7$$

Theorem 3.17. Let $E$ be an elliptic curve. The endomorphism of $E$ given by multiplication by $n$ has degree $n^2$.

Proof By Lemma 3.15 we see that the maximum of the degrees of $\phi_n(x)$ and $\psi_n^2(x)$ is $n^2$. So we can conclude that $n^2$ is the degree of the endomorphism by definition, provided that $\phi_n(x)$ and $\psi_n^2(x)$ have no common roots.

Suppose for a contradiction that they share common roots, with $n$ the smallest index for which this happens. First suppose $n = 2m$ is even. We have

$$\phi_2(x) = x^4 - 2Ax^2 - 8Bx + A^2, \qquad \psi_2^2 = 4y^2 = 4(x^3 + Ax + B).$$

From Theorem 3.6

$$2m(x, y) = 2[m(x, y)] = 2\left(\frac{\phi_m(x)}{\psi_m^2(x)}, \frac{\omega_m(x, y)}{\psi_m(x, y)^3}\right) = \left(\frac{\phi_2(\phi_m/\psi_m^2)}{\psi_2^2(\phi_m/\psi_m^2)}, \frac{\omega_2(m(x, y))}{\psi_2(m(x, y))^3}\right).$$

So considering the first coordinate gives

$$\frac{\phi_{2m}}{\psi_{2m}^2} = \frac{\phi_2(\phi_m/\psi_m^2)}{\psi_2^2(\phi_m/\psi_m^2)} = \frac{\dfrac{\phi_m^4}{\psi_m^8} - 2A\dfrac{\phi_m^2}{\psi_m^4} - 8B\dfrac{\phi_m}{\psi_m^2} + A^2}{4\left(\dfrac{\phi_m^3}{\psi_m^6} + A\dfrac{\phi_m}{\psi_m^2} + B\right)} = \frac{\phi_m^4 - 2A\phi_m^2\psi_m^4 - 8B\phi_m\psi_m^6 + A^2\psi_m^8}{(4\psi_m^2)(\phi_m^3 + A\phi_m\psi_m^4 + B\psi_m^6)} = \frac{U}{V}.$$

In the notation of Lemma 3.16, $U = F(\phi_m, \psi_m^2)$ and $V = G(\phi_m, \psi_m^2)$. Then using Lemma 3.16

$$U f_1(\phi_m, \psi_m^2) - V g_1(\phi_m, \psi_m^2) = 4\Delta\psi_m^{14}, \qquad U f_2(\phi_m, \psi_m^2) + V g_2(\phi_m, \psi_m^2) = 4\Delta\phi_m^7.$$

If $U, V$ have a common root then so do $\phi_m$ and $\psi_m^2$. But since $n = 2m$ is the first index for which there is a common root this is impossible, so $U$ and $V$ do not share a common root.

We need to show that $U = \phi_{2m}$ and $V = \psi_{2m}^2$. Since $U/V = \phi_{2m}/\psi_{2m}^2$ and $U, V$ have no common root, it follows that $\phi_{2m}$ is a multiple of $U$ and $\psi_{2m}^2$ is a multiple of $V$. But by Lemma 3.15 we can show that both $\phi_{2m}$ and $U$ equal $x^{4m^2} + $ lower order terms, so $\phi_{2m} = U$. Therefore $V = \psi_{2m}^2$ and they share no common roots.

Now suppose that $n$, the smallest index such that there is a common root, is odd, so $n = 2m + 1$. Let $r$ be a common root of $\phi_n$ and $\psi_n^2$. Now

$$\phi_n = x\psi_n^2 - \psi_{n-1}\psi_{n+1}$$

and since $\psi_n^2(r) = 0$ it follows that $\psi_{n-1}\psi_{n+1}(r) = 0$. Now $\psi_{n+1}^2$ and $\psi_{n-1}^2$ are polynomials in $x$, and their product vanishes at $r$, therefore $\psi_{n+\epsilon}^2(r) = 0$ where $\epsilon$ is either $1$ or $-1$.

Since $n$ is odd both $\psi_n$ and $\psi_{n+2\epsilon}$ are polynomials in $x$, and

$$(\psi_n\psi_{n+2\epsilon})^2 = \psi_n^2\psi_{n+2\epsilon}^2$$

vanishes at $r$ (as $\psi_n^2$ does). Therefore $\psi_n\psi_{n+2\epsilon}$ vanishes at $r$ also. Since

$$\phi_{n+\epsilon} = x\psi_{n+\epsilon}^2 - \psi_n\psi_{n+2\epsilon}$$

we find that $\phi_{n+\epsilon}(r) = 0$. Therefore $\phi_{n+\epsilon}$ and $\psi_{n+\epsilon}^2$ have a common root (where $n + \epsilon$ is even). When considering the $n$ even case we showed that if $\phi_{2m}$ and $\psi_{2m}^2$ have a common root then so do $\phi_m$ and $\psi_m^2$. Since $n + \epsilon$ is even we can apply this to $2m = n + \epsilon$. Since $n$ is the smallest index for which there is a common root,

$$\frac{n + \epsilon}{2} \geq n, \qquad \text{i.e.}\ \epsilon \geq n.$$

The only option would be $n = 1$, but clearly $\phi_1 = x$ and $\psi_1^2 = 1$ have no common roots, so we have a contradiction.

So $\phi_n$ and $\psi_n^2$ have no common roots in all cases. Therefore we can conclude that the multiplication by $n$ map has degree $n^2$.


Theorem 3.18. (Proof omitted - See Section 9.5 of [9]): Let $P$ be a point on the elliptic curve $y^2 = x^3 + Ax + B$ over a field of characteristic not 2. Let $n$ be a positive integer, then

$$nP = \left(\frac{\phi_n(x)}{\psi_n^2(x)}, \frac{\omega_n(x, y)}{\psi_n(x, y)^3}\right).$$

We now use the above results to prove Theorem 3.12, from the previous section.

Theorem 3.12 Let $E$ be an elliptic curve over a field $K$, and let $n$ be a positive integer. If the characteristic of $K$ does not divide $n$, or is zero, then

$$E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n.$$

If the characteristic of $K$ is $p > 0$ and $p \mid n$, write $n = p^r n'$ with $p \nmid n'$. Then

$$E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad \text{or} \quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'}.$$

Proof We first deal with the case when $p \nmid n$. Recall that if $\alpha(x, y) = (R(x), yS(x))$ is an endomorphism on an elliptic curve then $\alpha$ is separable if $R'(x)$ is not identically zero. From Theorem 3.18 and Lemma 3.15 we see the multiplication by $n$ map has

$$R(x) = \frac{\phi_n(x)}{\psi_n^2(x)} = \frac{x^{n^2} + \dots}{n^2x^{n^2 - 1} + \dots}$$

So using the quotient rule, the numerator of $R'(x)$ is

$$R_{num}(x) = (n^2x^{n^2 - 1} + \dots)(n^2x^{n^2 - 1} + \dots) - (x^{n^2} + \dots)(n^2(n^2 - 1)x^{n^2 - 2} + \dots)$$
$$= (n^4x^{2n^2 - 2} + \dots) - ((n^4 - n^2)x^{2n^2 - 2} + \dots)$$
$$= n^2x^{2n^2 - 2} + \dots \neq 0$$

since $p \nmid n$. So $R'(x) \neq 0$ and therefore multiplication by $n$ is separable. As stated earlier, $E[n]$ is the kernel of the multiplication by $n$ endomorphism. We have just shown this to be separable, so we can apply Theorem 3.5 to show the group has order equal to the degree of the endomorphism. By Theorem 3.17 this is $n^2$. The structure theorem for finite abelian groups then says that $E[n]$ is isomorphic to

$$\mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \dots \oplus \mathbb{Z}_{n_k}$$

for some integers $n_1, n_2, \dots, n_k$ with $n_i \mid n_{i+1}$ for all $i$. Let $l$ be a prime dividing $n_1$ (and hence every $n_i$). By Lemma B.8 $E[l]$ has order $l^k$, but since we proved above that $E[l]$ has order $l^2$ we must have $k = 2$. So $E[n] \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$ where $n_1 \mid n_2$. The order of $E[n]$ is $n^2 = n_1n_2$, and $n_2 \mid n$ since every element of $E[n]$ has order dividing $n$, so it follows that $n_1 = n_2 = n$. Therefore

$$E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$$

when the characteristic $p$ of the field does not divide $n$.

Now consider the case when $p \mid n$. We consider first the $p$-power torsion on $E$. By Proposition 3.9 multiplication by $p$ is not separable, and so by Theorem 3.5 the kernel, $E[p]$, of multiplication by $p$ has order less than the degree of the endomorphism, which is $p^2$ by Theorem 3.17. Every element of $E[p]$ has order 1 or $p$, so the order of $E[p]$ is either 1 or $p$. If $E[p]$ were trivial then $E[p^k]$ would be for all $k$, so suppose $E[p]$ has order $p$.

We will show that $E[p^k] \cong \mathbb{Z}_{p^k}$ for all $k$. First we must show that the order cannot be smaller than $p^k$. Suppose there exists an element $P$ of order $p^j$. By Theorem 3.6 multiplication by $p$ is surjective, so there exists a point $Q$ with $pQ = P$. Since

$$p^jQ = p^{j-1}P \neq \infty, \qquad p^{j+1}Q = p^jP = \infty,$$

$Q$ has order $p^{j+1}$. There is an element of order 1, ($\infty$), so by induction there are points of order $p^k$ for all $k$. On the other hand, multiplication by $p$ maps $E[p^k]$ into $E[p^{k-1}]$ with kernel $E[p]$ of order $p$, so $|E[p^k]| \leq p\,|E[p^{k-1}]|$ and inductively $|E[p^k]| \leq p^k$. Therefore a point of order $p^k$ generates $E[p^k]$, meaning $E[p^k]$ is a cyclic group of order $p^k$, and so

$$E[p^k] \cong \mathbb{Z}_{p^k}.$$

Finally write $n = p^rn'$ with $r \geq 0$ and $p \nmid n'$. Then

$$E[n] \cong E[n'] \oplus E[p^r].$$

We have $E[n'] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'}$, since $p \nmid n'$, and we have just shown that $E[p^r] \cong 0$ or $\mathbb{Z}_{p^r}$. So

$$E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \oplus 0 \quad \text{or} \quad \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \oplus \mathbb{Z}_{p^r}.$$

Now since $p \nmid n'$ we can use the Chinese remainder theorem (B.1) to show

$$\mathbb{Z}_{n'} \oplus \mathbb{Z}_{p^r} \cong \mathbb{Z}_{n'p^r} = \mathbb{Z}_n.$$

Therefore we obtain

$$E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad \text{or} \quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'},$$

which completes the proof of Theorem 3.12.


3.4 The Weil pairing

Here we consider the Weil pairing, which is in itself a worthwhile subject. However, many of its uses are omitted in the project and so we state it here without proof in order to derive some useful results for the next chapter. For this section we let $E$ be an elliptic curve over a field $K$ and let $n$ be an integer not divisible by the characteristic of $K$. Then $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. Let

$$\mu_n = \{x \in \bar K \mid x^n = 1\}$$

be the group of $n$th roots of unity in $\bar K$. Since the characteristic of $K$ does not divide $n$, the equation $x^n = 1$ has no multiple roots, and hence $n$ roots in $\bar K$. Therefore $\mu_n$ is a cyclic group of order $n$. Any generator, $\zeta$, of $\mu_n$ is called a primitive $n$th root of unity, which in Theorem A.14 we show is equivalent to saying that $\zeta^k = 1$ if and only if $n$ divides $k$.

Theorem 3.19. (Proof omitted - See Chapter 11 of [9]): Let $E$ be an elliptic curve defined over a field $K$ and let $n$ be a positive integer. Assume that the characteristic of $K$ does not divide $n$. Then there is a pairing

$$e_n : E[n] \times E[n] \to \mu_n$$

called the Weil pairing that satisfies the following properties.

1. $e_n$ is bilinear in each variable. This means

$$e_n(S_1 + S_2, T) = e_n(S_1, T)\,e_n(S_2, T)$$
$$e_n(S, T_1 + T_2) = e_n(S, T_1)\,e_n(S, T_2)$$

for all $S, S_1, S_2, T, T_1, T_2 \in E[n]$.

2. $e_n$ is non-degenerate in each variable. This means that if $e_n(S, T) = 1$ for all $T \in E[n]$ then $S = \infty$, and also that if $e_n(S, T) = 1$ for all $S \in E[n]$ then $T = \infty$.

3. $e_n(T, T) = 1$ for all $T \in E[n]$.

4. $e_n(T, S) = e_n(S, T)^{-1}$ for all $S, T \in E[n]$.

5. $e_n(\sigma S, \sigma T) = \sigma(e_n(S, T))$ for all automorphisms $\sigma$ of $\bar K$ such that $\sigma$ is the identity map on the coefficients of $E$. (If $E$ is in Weierstrass form this means that $\sigma(A) = A$ and $\sigma(B) = B$.)

6. $e_n(\alpha(S), \alpha(T)) = e_n(S, T)^{\deg(\alpha)}$ for all separable endomorphisms $\alpha$ of $E$. If the coefficients of $E$ lie in the finite field $\mathbb{F}_q$ then the statement also holds when $\alpha$ is the Frobenius endomorphism $\phi_q$. (Note that this statement in fact holds for all endomorphisms $\alpha$, separable or not.)

Corollary 3.20. Let $\{T_1, T_2\}$ be a basis of $E[n]$. Then $e_n(T_1, T_2)$ is a primitive $n$th root of unity.

Proof Suppose $e_n(T_1, T_2) = \zeta$ with $\zeta^d = 1$. Then

$$e_n(T_1, dT_2) = e_n(T_1, T_2 + \dots + T_2) = e_n(T_1, T_2)^d = \zeta^d = 1$$
$$e_n(T_2, dT_2) = e_n(T_2, T_2 + \dots + T_2) = e_n(T_2, T_2)^d = 1^d = 1$$

Let $S \in E[n]$, then $S = aT_1 + bT_2$ for some integers $a, b$. Therefore

$$e_n(S, dT_2) = e_n(T_1, dT_2)^a\,e_n(T_2, dT_2)^b = 1^a1^b = 1$$

This holds for all $S$, so Theorem 3.19(2) implies that $dT_2 = \infty$. This can happen only if $n \mid d$, so it follows from Theorem A.14 that $\zeta$ is a primitive $n$th root of unity.

Corollary 3.21. If $E[n] \subseteq E(K)$ (as opposed to $E(\bar K)$) then $\mu_n \subset K$.

Proof Let $\sigma$ be an automorphism of $\bar K$ such that $\sigma$ is the identity on $K$. Let $T_1, T_2$ be a basis of $E[n]$. Since $T_1, T_2$ are assumed to have coordinates in $K$ we have $\sigma T_1 = T_1$ and $\sigma T_2 = T_2$. Then by Theorem 3.19(5)

$$\zeta = e_n(T_1, T_2) = e_n(\sigma T_1, \sigma T_2) = \sigma(e_n(T_1, T_2)) = \sigma(\zeta)$$

The fundamental theorem of Galois theory says that if an element $x \in \bar K$ is fixed by all such automorphisms then $x \in K$. Therefore $\zeta \in K$ and, by Corollary 3.20, $\zeta$ is also a primitive $n$th root of unity. Hence $\mu_n \subset K$.

We now deduce two propositions for use in the proof of Hasse's theorem. Recall that if $\alpha$ is an endomorphism of $E$ then we obtain

$$\alpha_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$

with entries in $\mathbb{Z}_n$, describing the action of $\alpha$ on a basis $\{T_1, T_2\}$ of $E[n]$.

Proposition 3.22. Let $\alpha$ be an endomorphism of an elliptic curve $E$ defined over a field $K$. Let $n$ be a positive integer not divisible by the characteristic of $K$. Then $\det(\alpha_n) \equiv \deg(\alpha) \pmod n$.

Proof By Corollary 3.20, $\zeta = e_n(T_1, T_2)$ is a primitive $n$th root of unity. By Theorem 3.19(6)

$$\zeta^{\deg(\alpha)} = e_n(\alpha(T_1), \alpha(T_2)) = e_n(aT_1 + cT_2, bT_1 + dT_2)$$
$$= e_n(T_1, T_1)^{ab}\,e_n(T_1, T_2)^{ad}\,e_n(T_2, T_1)^{cb}\,e_n(T_2, T_2)^{cd}$$
$$= \zeta^{ad - bc}$$

using properties 1, 3 and 4 of Theorem 3.19. So $\zeta^{\deg(\alpha) - (ad - bc)} = 1$. Since $\zeta$ is a primitive $n$th root of unity, by Theorem A.14 $n \mid [\deg(\alpha) - (ad - bc)]$. Therefore

$$\deg(\alpha) - (ad - bc) \equiv 0 \pmod n, \qquad \text{i.e.}\quad \deg(\alpha) \equiv ad - bc \pmod n.$$

So we can now reduce questions about the degree to calculations with matrices. Propositions 3.22 and 3.23 hold for all endomorphisms (as Theorem 3.19(6) holds for all), but we prove Proposition 3.23 for separable endomorphisms only.

Let $\alpha$ and $\beta$ be endomorphisms of $E$ and let $a, b$ be integers. The endomorphism $a\alpha + b\beta$ is defined by

$$(a\alpha + b\beta)(P) = a\alpha(P) + b\beta(P)$$

Proposition 3.23.

$$\deg(a\alpha + b\beta) = a^2\deg(\alpha) + b^2\deg(\beta) + ab\left(\deg(\alpha + \beta) - \deg(\alpha) - \deg(\beta)\right)$$

Proof Let $n$ be any integer not divisible by the characteristic of $K$. Represent $\alpha$ and $\beta$ by matrices $\alpha_n$ and $\beta_n$, with respect to some basis of $E[n]$. Then $a\alpha_n + b\beta_n$ gives the action of $a\alpha + b\beta$ on $E[n]$. By Theorem B.17

$$\det(a\alpha_n + b\beta_n) = a^2\det(\alpha_n) + b^2\det(\beta_n) + ab\left(\det(\alpha_n + \beta_n) - \det(\alpha_n) - \det(\beta_n)\right)$$

for any $2 \times 2$ matrices $\alpha_n, \beta_n$. Therefore by Proposition 3.22

$$\deg(a\alpha + b\beta) \equiv a^2\deg(\alpha) + b^2\deg(\beta) + ab\left(\deg(\alpha + \beta) - \deg(\alpha) - \deg(\beta)\right) \pmod n$$

Since this holds for infinitely many $n$ it is an equality.


Chapter 4

Elliptic curves over finite fields

Let $F$ be a finite field and $E$ an elliptic curve defined over $F$. Since there are only a finite number of pairs $(x, y)$ with $x, y \in F$, the group $E(F)$ must itself be finite. In this chapter we discuss the basic theory of elliptic curves over finite fields, which is the starting point for cryptographic applications.

During the course of the chapter we prove Hasse's theorem, which gives a bound on the size of the group $E(\mathbb{F}_q)$. We also look at methods to find the order of a point in $E(F)$.

4.1 Examples

A finite field will have $p^n$ elements for some prime $p$ and some integer $n \geq 1$ (see Appendix B.5.1). The fields $\mathbb{F}_p$ with $n = 1$ are isomorphic to $\mathbb{Z}_p$, and curves over them are known as the prime curves. When working with an elliptic curve defined over a finite field $\mathbb{F}_p$ we perform all operations modulo $p$.

Example 4.1. Let $E$ be $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$ ($= \mathbb{Z}_5$). To find all the points on $E(\mathbb{F}_5)$ we consider the possible values of $x$, the values of $x^3 + x + 1$ they give, and then which values of $y$ give the same value when squared.

    x   x^3 + x + 1   y     Points
    0   1             ±1    (0,1), (0,4)
    1   3             -     -
    2   1             ±1    (2,1), (2,4)
    3   1             ±1    (3,1), (3,4)
    4   4             ±2    (4,2), (4,3)

Together with the point at infinity $\infty$, we see that $E(\mathbb{F}_5)$ has order 9.

We can perform addition as before. For example let's compute $3(0, 1) = 2(0, 1) + (0, 1)$. We first need to calculate $2(0, 1) = (x, y)$, so using the notation of the addition formulas:

$$m = \frac{3(0)^2 + 1}{2 \cdot 1} = \frac{1}{2} \equiv 3 \pmod 5, \quad \text{then}$$
$$x = 3^2 - 2(0) = 9 \equiv 4, \qquad y = 3(0 - 4) - 1 = -13 \equiv 2 \pmod 5.$$

Next we compute $3(0, 1) = (4, 2) + (0, 1) = (X, Y)$ where

$$m = \frac{1 - 2}{0 - 4} = \frac{-1}{-4} \equiv \frac{4}{1} = 4 \pmod 5$$
$$X = 4^2 - 4 - 0 = 12 \equiv 2 \pmod 5$$
$$Y = 4(4 - 2) - 2 = 6 \equiv 1 \pmod 5$$

So $3(0, 1) = (2, 1)$. Now we know that $E(\mathbb{F}_5)$ has order 9, so all its elements have order dividing 9. The only choices are 1, 3 or 9, and we have shown that $(0, 1)$ does not have order 1 or 3. Therefore $(0, 1)$ has order 9, and hence $E(\mathbb{F}_5)$ is cyclic and generated by $(0, 1)$. For more examples of working with $E(\mathbb{F}_p)$ see Section 2.2.1.
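As an added illustration (not part of the original dissertation), the following Python code evaluates the division polynomials $\psi_n$, $\phi_n$ and $\omega_n$ of Section 3.3 at a point of Example 4.1's curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$ and recovers $nP$ from the formula of Theorem 3.18, checking it against the chord-and-tangent double-and-add computation carried out by hand above. The function names (`division_poly_values`, `mul_by_division_polys`, `ec_mul`, `point_order`) are this example's own. The recursion is evaluated numerically at the point rather than symbolically, which is valid for $p$ odd and $y \neq 0$ because the divisions by $2y$ and $4y$ are exact by Lemmas 3.13 and 3.14.

```python
# Added example: division polynomials evaluated at a point of y^2 = x^3 + A x + B over F_p,
# and nP recovered from Theorem 3.18, cross-checked against double-and-add.

def inv(a, p):
    """Inverse of a modulo the odd prime p (Fermat); a must be non-zero mod p."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("no inverse of 0 mod p")
    return pow(a, p - 2, p)

def ec_add(P, Q, A, p):
    """Chord-and-tangent addition on y^2 = x^3 + A x + B over F_p; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # Q = -P (also covers doubling a 2-torsion point)
    if P == Q:
        m = (3 * x1 * x1 + A) * inv(2 * y1, p) % p
    else:
        m = (y2 - y1) * inv(x2 - x1, p) % p
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)

def ec_mul(n, P, A, p):
    """nP by double-and-add (n >= 0)."""
    R, Q = None, P
    while n > 0:
        if n & 1:
            R = ec_add(R, Q, A, p)
        Q = ec_add(Q, Q, A, p)
        n >>= 1
    return R

def point_order(P, A, p):
    """Smallest k >= 1 with kP = infinity, found by repeated addition."""
    k, Q = 1, P
    while Q is not None:
        Q = ec_add(Q, P, A, p)
        k += 1
    return k

def division_poly_values(N, x, y, A, B, p):
    """psi_0, ..., psi_N evaluated at the point (x, y) with y != 0, via the
    recursion of Section 3.3 (the division by 2y is exact by Lemma 3.13)."""
    psi = [0] * (N + 1)
    psi[1] = 1
    if N >= 2:
        psi[2] = 2 * y % p
    if N >= 3:
        psi[3] = (3 * x**4 + 6 * A * x**2 + 12 * B * x - A * A) % p
    if N >= 4:
        psi[4] = 4 * y * (x**6 + 5 * A * x**4 + 20 * B * x**3 - 5 * A * A * x * x
                          - 4 * A * B * x - 8 * B * B - A**3) % p
    for n in range(5, N + 1):
        m = n // 2
        if n % 2 == 1:   # psi_{2m+1} = psi_{m+2} psi_m^3 - psi_{m-1} psi_{m+1}^3
            psi[n] = (psi[m + 2] * psi[m]**3 - psi[m - 1] * psi[m + 1]**3) % p
        else:            # psi_{2m} = psi_m (psi_{m+2} psi_{m-1}^2 - psi_{m-2} psi_{m+1}^2) / (2y)
            psi[n] = (psi[m] * (psi[m + 2] * psi[m - 1]**2 - psi[m - 2] * psi[m + 1]**2)
                      * inv(2 * y, p)) % p
    return psi

def mul_by_division_polys(n, P, A, B, p):
    """nP = (phi_n / psi_n^2, omega_n / psi_n^3) as in Theorem 3.18, for n >= 1 and y != 0."""
    if n == 1:
        return P
    x, y = P
    psi = division_poly_values(n + 2, x, y, A, B, p)
    if psi[n] == 0:                      # for a point with y != 0, psi_n(P) = 0 exactly when nP = infinity
        return None
    phi_n = (x * psi[n]**2 - psi[n + 1] * psi[n - 1]) % p
    omega_n = (psi[n + 2] * psi[n - 1]**2 - psi[n - 2] * psi[n + 1]**2) * inv(4 * y, p) % p
    return (phi_n * inv(psi[n]**2, p) % p, omega_n * inv(psi[n]**3, p) % p)

if __name__ == "__main__":
    A, B, p = 1, 1, 5                    # Example 4.1: y^2 = x^3 + x + 1 over F_5
    P = (0, 1)
    for n in range(1, 20):
        assert mul_by_division_polys(n, P, A, B, p) == ec_mul(n, P, A, p)
    print("3P =", mul_by_division_polys(3, P, A, B, p), " order of P =", point_order(P, A, p))
```

Running the script reproduces $3(0, 1) = (2, 1)$, returns $\infty$ for $n = 9$ (where $\psi_9$ vanishes at $P$, matching the order computed above), and agrees with double-and-add for every $n$ tried.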

Example 4.2. Let $E$ be the elliptic curve $y^2 + xy = x^3 + 1$ defined over $\mathbb{F}_2$.

There are only four pairs $(x, y)$ with $x, y \in \mathbb{F}_2$, and all except $(0, 0)$ satisfy the elliptic curve equation, so

$$E(\mathbb{F}_2) = \{\infty, (0, 1), (1, 0), (1, 1)\}$$

This is a cyclic group of order 4. The point $\infty$ has order 1 and the point $(0, 1)$ has order 2. We can show, (using the formula from Appendix A.3 since we are in characteristic 2), that $(1, 0)$ and $(1, 1)$ have order 4 and so are generators of the group.

Now consider $E(\mathbb{F}_4) = E(\mathbb{F}_{2^2})$. $\mathbb{F}_4$ is a finite field with 4 elements which we can write as $\mathbb{F}_4 = \{0, 1, \omega, \omega^2\}$, where $\omega^2 + \omega + 1 = 0$ (see Appendix B.5.1). We can use $\omega^3 = 1$ since

$$0 = 0 \cdot (\omega - 1) = (\omega^2 + \omega + 1)(\omega - 1) = \omega^3 + \omega^2 + \omega - \omega^2 - \omega - 1 = \omega^3 - 1.$$

Now let's list the elements of $E(\mathbb{F}_4)$.

    x = 0:      y^2 = 1                       y = 1
    x = 1:      y^2 + y = 0                   y = 0, 1
    x = ω:      y^2 + ωy = ω^3 + 1 = 0        y = 0, ω
    x = ω^2:    y^2 + ω^2 y = ω^6 + 1 = 0     y = 0, ω^2

Therefore $E(\mathbb{F}_4) = \{\infty, (0, 1), (1, 0), (1, 1), (\omega, 0), (\omega, \omega), (\omega^2, 0), (\omega^2, \omega^2)\}$.

Since we are in characteristic 2 we know, by Proposition 3.11, that there is at most one point of order 2, which we have already identified as $(0, 1)$. $E(\mathbb{F}_4)$ is a group of order 8, so its elements must have order 1, 2, 4 or 8. We know only $\infty$ has order 1 and only $(0, 1)$ has order 2. By Theorem B.6 we know that only 4 elements have order dividing 4, so they are those of the order 4 subgroup $E(\mathbb{F}_2)$. We can conclude that $E(\mathbb{F}_4)$ is cyclic of order 8, where any of the four points that contain $\omega$ or $\omega^2$ is a generator.

Let $\phi_2(x, y) = (x^2, y^2)$ be the Frobenius map. We can see that $\phi_2$ permutes the elements of $E(\mathbb{F}_4)$ as

$$\phi_2(E(\mathbb{F}_4)) = \{\infty, (0, 1), (1, 0), (1, 1), (\omega^2, 0), (\omega^2, \omega^2), (\omega^4, 0), (\omega^4, \omega^4)\}$$
$$= \{\infty, (0, 1), (1, 0), (1, 1), (\omega^2, 0), (\omega^2, \omega^2), (\omega, 0), (\omega, \omega)\} = E(\mathbb{F}_4)$$

using $\omega^3 = 1$. Furthermore we can see that

$$E(\mathbb{F}_2) = \{(x, y) \in E(\mathbb{F}_4) \mid \phi_2(x, y) = (x, y)\}$$

In general, for any elliptic curve $E$ defined over $\mathbb{F}_q$ and any extension $F$ of $\mathbb{F}_q$, the Frobenius map $\phi_q$ permutes the elements of $E(F)$ and is the identity on the subgroup $E(\mathbb{F}_q)$. (See Lemma 4.3.)

Theorem 4.1. Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then

$$E(\mathbb{F}_q) \cong \mathbb{Z}_n \quad \text{or} \quad \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$$

for some integer $n \geq 1$, or for some integers $n_1, n_2 \geq 1$ with $n_1 \mid n_2$.

Proof From Theorem B.6 we know that a finite abelian group, such as $E(\mathbb{F}_q)$, is isomorphic to a direct sum of cyclic groups

$$E(\mathbb{F}_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \dots \oplus \mathbb{Z}_{n_r}$$

with $n_i \mid n_{i+1}$ for $1 \leq i < r$. We can then apply Corollary B.7 to show $E(\mathbb{F}_q)$ has $n_1^r$ elements of order dividing $n_1$. However, by Theorem 3.12 there are at most $n_1^2$ such points, therefore $r \leq 2$, which gives the desired result.

4.2 Hasse's theorem

The aim of this section is to prove Hasse's theorem, which gives a bound on the size of $E(\mathbb{F}_q)$. We follow the logic in Chapter VI of [5] to understand the size of $E(\mathbb{F}_q)$.

For each of the $q$ possible values of $x$, there are at most 2 values of $y$ which together with the $x$ could satisfy the Weierstrass equation. So it is easy to see that there are at most $2q + 1$ points in $E(\mathbb{F}_q)$: the point $\infty$ along with the $2q$ possible pairs $(x, y)$. However, since only half the non-zero elements of $\mathbb{F}_q$ have square roots we might expect around half that number.

Recall the Legendre symbol (Appendix B.6). We can generalise this to a finite field $\mathbb{F}_q$, $q$ odd, by defining for $x \in \mathbb{F}_q$

$$\left(\frac{x}{\mathbb{F}_q}\right) = \begin{cases} +1 & \text{if } x \neq 0 \text{ and } t^2 = x \text{ has a solution } t \in \mathbb{F}_q \\ -1 & \text{if } t^2 = x \text{ has no solution } t \in \mathbb{F}_q \\ 0 & \text{if } x = 0 \end{cases}$$

We can now give a more accurate expression for the number of points on $E(\mathbb{F}_q)$:

$$\#E(\mathbb{F}_q) = 1 + \sum_{x \in \mathbb{F}_q}\left(1 + \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)\right) = q + 1 + \sum_{x \in \mathbb{F}_q}\left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)$$

We would expect $x^3 + Ax + B$ to be equally likely to have a square root or not. So we could treat the sum as a random walk where we have an equal chance of taking one step forwards or back at each stage. From probability theory the net distance travelled after $q$ tosses is of the order $\sqrt q$. So using this analysis we would expect the size of $E(\mathbb{F}_q)$ to be around $q + 1 \pm \sqrt q$. As we see from Hasse's theorem below, this is close to the truth.

Theorem 4.2 (Hasse). Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then the order of $E(\mathbb{F}_q)$ satisfies the following inequality.

$$|q + 1 - \#E(\mathbb{F}_q)| \leq 2\sqrt q$$

The proof is given in the following section.
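The Legendre-symbol count and the bound can be checked directly over small prime fields. The following Python, added here and not part of the dissertation, computes $\#E(\mathbb{F}_p)$ both by the sum above and by enumerating pairs $(x, y)$, and sweeps every non-singular curve $y^2 = x^3 + Ax + B$ over $\mathbb{F}_p$ to confirm that $a_p = p + 1 - \#E(\mathbb{F}_p)$ lies in $[-2\sqrt p, 2\sqrt p]$ (the bound is tested exactly as $a_p^2 \leq 4p$, avoiding floating point). The function names are this example's own, and the Legendre symbol is computed by Euler's criterion $x^{(p-1)/2}$, which requires $p$ to be an odd prime.

```python
# Added example: #E(F_p) via the Legendre-symbol sum of Section 4.2, cross-checked
# by enumeration, and Hasse's bound checked over all non-singular curves mod p.

def legendre(a, p):
    """(a / F_p): 0 if a = 0, +1 if a is a non-zero square, -1 otherwise (Euler's criterion, p an odd prime)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points_legendre(A, B, p):
    """#E(F_p) = p + 1 + sum over x of ((x^3 + A x + B) / F_p)."""
    return p + 1 + sum(legendre(x**3 + A * x + B, p) for x in range(p))

def count_points_enumerate(A, B, p):
    """#E(F_p) by testing every pair (x, y) in F_p x F_p, plus the point at infinity."""
    affine = sum(1 for x in range(p) for y in range(p)
                 if (y * y - x**3 - A * x - B) % p == 0)
    return 1 + affine

def trace_of_frobenius(A, B, p):
    """a_p = p + 1 - #E(F_p), the quantity Hasse's theorem bounds."""
    return p + 1 - count_points_legendre(A, B, p)

def hasse_holds(A, B, p):
    """|a_p| <= 2 sqrt(p), tested exactly as a_p^2 <= 4p."""
    return trace_of_frobenius(A, B, p) ** 2 <= 4 * p

def nonsingular_curves(p):
    """All (A, B) with 4A^3 + 27B^2 != 0 mod p, i.e. y^2 = x^3 + A x + B is an elliptic curve."""
    return [(A, B) for A in range(p) for B in range(p) if (4 * A**3 + 27 * B * B) % p != 0]

def trace_range(p):
    """(min a_p, max a_p) over every non-singular curve over F_p."""
    traces = [trace_of_frobenius(A, B, p) for A, B in nonsingular_curves(p)]
    return min(traces), max(traces)

if __name__ == "__main__":
    print("#E(F_5) for y^2 = x^3 + x + 1:", count_points_legendre(1, 1, 5))   # Example 4.1 gives 9
    for p in (5, 7, 11, 13):
        lo, hi = trace_range(p)
        ok = all(hasse_holds(A, B, p) for A, B in nonsingular_curves(p))
        print(f"p={p}: a_p in [{lo}, {hi}], 2*sqrt(p) ~ {2 * p**0.5:.2f}, Hasse holds: {ok}")
```

For $p = 5$ the sweep already shows traces reaching $\pm 4$, i.e. within one of the bound $2\sqrt 5 \approx 4.47$, which is why the heuristic "about $q + 1 \pm \sqrt q$" is only a rough guide and the factor 2 in Hasse's theorem is needed.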


4.2.1 The Frobenius endomorphism

Let $\mathbb{F}_q$ be a finite field with algebraic closure $\bar{\mathbb{F}}_q$ and let the Frobenius map for $\mathbb{F}_q$, $\phi_q : \bar{\mathbb{F}}_q \to \bar{\mathbb{F}}_q$, be given by

$$\phi_q : x \mapsto x^q$$

Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, then $\phi_q$ acts on the coordinates of points in $E(\bar{\mathbb{F}}_q)$ as below.

$$\phi_q(x, y) = (x^q, y^q), \qquad \phi_q(\infty) = \infty$$

Lemma 4.3. Let $E$ be defined over $\mathbb{F}_q$ and let $(x, y) \in E(\bar{\mathbb{F}}_q)$. Then

(i) $\phi_q(x, y) \in E(\bar{\mathbb{F}}_q)$.

(ii) $(x, y) \in E(\mathbb{F}_q)$ if and only if $\phi_q(x, y) = (x, y)$.

Proof We know from Theorem B.14 that in a field of characteristic $p$, with $q$ a power of $p$,

$$(a + b)^q = a^q + b^q, \qquad \text{and } a^q = a \text{ for all } a \in \mathbb{F}_q.$$

This proof will hold for both the Weierstrass and generalised Weierstrass equation, so assume $E$ is given by

$$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$

with $a_i \in \mathbb{F}_q$. Now raising each side of the equation to the power $q$ gives

$$(y^2 + a_1xy + a_3y)^q = (x^3 + a_2x^2 + a_4x + a_6)^q$$
$$(y^2)^q + a_1^qx^qy^q + a_3^qy^q = (x^3)^q + a_2^q(x^2)^q + a_4^qx^q + a_6^q$$
$$(y^q)^2 + a_1(x^qy^q) + a_3(y^q) = (x^q)^3 + a_2(x^q)^2 + a_4(x^q) + a_6$$

So we see that $(x^q, y^q)$ lies on $E$, proving part (i).

For part (ii) we recall from Theorem B.14 that $x \in \mathbb{F}_q$ if and only if $\phi_q(x) = x$. The same will be true for $y$, and so using part (i)

$$(x, y) \in E(\mathbb{F}_q) \iff x, y \in \mathbb{F}_q \iff \phi_q(x) = x,\ \phi_q(y) = y \iff \phi_q(x, y) = (x, y)$$
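The following Python, added as an illustration and not part of the dissertation, builds $\mathbb{F}_4 = \mathbb{F}_2[\omega]/(\omega^2 + \omega + 1)$, enumerates $E(\mathbb{F}_2)$ and $E(\mathbb{F}_4)$ for the curve $y^2 + xy = x^3 + 1$ of Example 4.2, verifies that the Frobenius map $(x, y) \mapsto (x^2, y^2)$ permutes $E(\mathbb{F}_4)$ and fixes exactly $E(\mathbb{F}_2)$ (Lemma 4.3 with $q = 2$), and confirms the point orders claimed in the example. The characteristic-2 addition formulas it uses are the standard ones for curves of the form $y^2 + xy = x^3 + a_2x^2 + a_6$ (the page defers them to Appendix A.3, which is not reproduced here), so they are an assumption of this example; field elements are encoded as 2-bit integers and all function names are the example's own.

```python
# Added example (not from the dissertation): F_4 arithmetic and the curve
# y^2 + xy = x^3 + 1 of Example 4.2, used to check Lemma 4.3 for q = 2.
# F_4 = F_2[w]/(w^2 + w + 1); an element c0 + c1*w is stored as the integer c0 | (c1 << 1),
# so addition is XOR.

W = 0b10          # w
W2 = 0b11         # w^2 = w + 1
F2 = {0, 1}
F4 = {0, 1, W, W2}

def f4_mul(a, b):
    """Multiply two elements of F_4: polynomial product over F_2, reduced by w^2 = w + 1."""
    r = 0
    for i in range(2):
        if (b >> i) & 1:
            r ^= a << i
    if r & 0b100:
        r ^= 0b111
    return r

def f4_inv(a):
    """a^{-1} = a^2, because a^3 = 1 for every non-zero a in F_4."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    return f4_mul(a, a)

def on_curve(x, y):
    """Does (x, y) satisfy y^2 + xy = x^3 + 1?"""
    lhs = f4_mul(y, y) ^ f4_mul(x, y)
    rhs = f4_mul(f4_mul(x, x), x) ^ 1
    return lhs == rhs

def points_over(field):
    """E(F) for F = F2 or F4; None stands for the point at infinity."""
    return {None} | {(x, y) for x in field for y in field if on_curve(x, y)}

def frobenius2(P):
    """phi_2(x, y) = (x^2, y^2); phi_2(infinity) = infinity."""
    if P is None:
        return None
    x, y = P
    return (f4_mul(x, x), f4_mul(y, y))

def ec2_add(P, Q, a2=0):
    """Point addition on y^2 + xy = x^3 + a2 x^2 + a6 in characteristic 2 (standard
    formulas, assumed here rather than quoted from the page); -(x, y) = (x, x + y)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2:
        if (y1 ^ y2) == x1:                  # Q = -P; also covers doubling a point with x = 0
            return None
        lam = x1 ^ f4_mul(y1, f4_inv(x1))    # doubling: lambda = x1 + y1/x1
        x3 = f4_mul(lam, lam) ^ lam ^ a2
        y3 = f4_mul(x1, x1) ^ f4_mul(lam ^ 1, x3)
        return (x3, y3)
    lam = f4_mul(y1 ^ y2, f4_inv(x1 ^ x2))   # lambda = (y1 + y2)/(x1 + x2)
    x3 = f4_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a2
    y3 = f4_mul(lam, x1 ^ x3) ^ x3 ^ y1
    return (x3, y3)

def point_order(P):
    """Smallest k >= 1 with kP = infinity."""
    k, Q = 1, P
    while Q is not None:
        Q = ec2_add(Q, P)
        k += 1
    return k

def frobenius_fixed_points(field):
    """Points of E(field) fixed by phi_2; by Lemma 4.3 this is E(F_2)."""
    return {P for P in points_over(field) if frobenius2(P) == P}

if __name__ == "__main__":
    E4 = points_over(F4)
    print("#E(F_4) =", len(E4),
          "| phi_2 permutes E(F_4):", {frobenius2(P) for P in E4} == E4,
          "| fixed points == E(F_2):", frobenius_fixed_points(F4) == points_over(F2))
    for P in sorted(E4 - {None}):
        print(P, "has order", point_order(P))
```

The printed orders match the example: $(0, 1)$ has order 2, $(1, 0)$ and $(1, 1)$ have order 4, and each of the four points involving $\omega$ or $\omega^2$ has order 8, so $E(\mathbb{F}_4)$ is cyclic of order 8.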


Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. Recall from Lemma 3.4 that $\phi_q$ is then an endomorphism of $E$ of degree $q$, and is not separable. We also find that the kernel of the endomorphism $\phi_q$ is trivial (related to the fact that it is not separable by Theorem 3.5).

Since $\phi_q$ is an endomorphism of $E$, so is $\phi_q^2 = \phi_q \circ \phi_q$. Moreover so is

$$\phi_q^n = \underbrace{\phi_q \circ \phi_q \circ \dots \circ \phi_q}_{n}$$

for every $n \geq 1$. Since multiplication by $-1$ is also an endomorphism we can conclude that the sum $\phi_q^n - 1$ is an