The Discrete Logarithm Problem on Elliptic Curves

The Discrete Logarithm Problem on Elliptic Curves Cryptography
Jake Leonard NKECK ([email protected])
African Institute for Mathematical Sciences (AIMS) Cameroon
Supervised by: Pr J. W. Sanders, AIMS-South Africa & Stellenbosch University, South Africa

16 June 2014 Submitted in Partial Fulfillment of a Structured Masters Degree at AIMS-Cameroon

Abstract

The application of elliptic curves in public key cryptography is relatively recent. In this research project the relevant theory of elliptic curves is presented: the group law on elliptic curves is proved geometrically and algebraically by way of the Riemann-Roch theorem, and Hasse's theorem is also proved. The discrete logarithm problem on a general group and on elliptic curves is defined and some general attacks on it are discussed, the Baby step-Giant step attack and the Pollard-Rho attack, with emphasis on their mathematical formalisms¹ and on their implementation in Sage. Finally, we present some elliptic curve public key cryptosystems, the Diffie-Hellman cryptosystem and the ElGamal cryptosystem, together with example algorithms to implement them in Sage.

Declaration I, the undersigned, hereby declare that the work contained in this essay is my original work, and that any work done by others or by myself previously has been acknowledged and referenced accordingly.

Jake Leonard NKECK, 16 June 2014

¹ The notion of formalism is introduced in Chapter 4.

Contents

Abstract ........ i
1 Introduction ........ 1
2 Algebraic geometry ........ 2
  2.1 Affine and projective varieties ........ 2
  2.2 Algebraic curves ........ 7
3 Elliptic Curves ........ 15
  3.1 Elliptic curve over a general field K ........ 15
  3.2 Elliptic curves over finite fields ........ 25
4 The Discrete Logarithm Problem in Elliptic curves Cryptography ........ 28
  4.1 The Discrete Logarithm Problem ........ 28
  4.2 Elliptic curves cryptography ........ 30
5 Conclusion ........ 35
A Proofs of some results ........ 36
B Pseudocodes for the Pollard-Rho method and the Baby step-Giant step method ........ 39
  B.1 Baby step-Giant step pseudocode ........ 39
  B.2 Pollard-Rho pseudocode ........ 39
References ........ 42

1. Introduction

The growing demand for all kinds of information today, in a distributed setting, imposes strong security requirements, for example on bank transactions, emails and military communications. Securing sensitive information, verifying that the protection is sound, and avoiding the need for the sender and the receiver to establish contact in advance of sending it are problems which public key cryptography can solve. "Cryptography is the study of the mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity identification and data origin authentication" [MvOV10]. Public key cryptography consists of a collection of cryptographic algorithms built around two special keys, a private key and a public key. Public key cryptography was introduced in 1970 but emerged in 1976 with Diffie and Hellman¹. The theory is based on a function that is easy to compute but hard to invert when the image of an input is given (a one-way function). The most famous public key cryptosystem is RSA, invented in 1978 by Rivest, Shamir and Adleman. RSA is based on the hardness of computing the factors of large integers. In 1994 Shor [Mil86] developed an efficient algorithm for factoring large integers; this approach, based on quantum mechanics, has weakened the security of RSA. In 1985, Victor Miller [Mil86] and Neal Koblitz [Kob87] suggested the use of elliptic curves in cryptography: elliptic curve cryptography. Elliptic curve cryptography is based on the difficulty of solving the discrete logarithm problem on elliptic curves. Elliptic curve cryptography is much more efficient than RSA cryptography since, for example, 223-bit security using elliptic curves provides the same security as 1024-bit security using RSA.

The aim of this project is firstly to prove geometrically and algebraically the group law on elliptic curves; secondly, to prove Hasse's Theorem; thirdly, to present and specify the discrete logarithm problem on elliptic curves and some classical methods to solve it; fourthly, to present some public key cryptosystems with their mathematical formalism; and finally, to implement some examples in Sage. Chapter 2 is a review of some notions of algebraic geometry. In Chapter 3, we present some general mathematical properties of elliptic curves, such as the group law on elliptic curves and the computation of the sum of two points, and their application over finite fields, where we prove Hasse's Theorem. In Chapter 4, we first present the discrete logarithm problem, two general methods to solve it, the Baby step-Giant step and the Pollard-Rho, with their implementations and some examples solved in Sage. Secondly, we present two famous elliptic curve cryptosystems, the Diffie-Hellman and the ElGamal systems, with their implementations on some examples in Sage. The Sage file is available on the site Example.

¹ It was really discovered in 1973 by Ellis, Cocks and Williamson at Government Communications Headquarters in the UK, but since they worked for the government, which obliged them to keep it secret, they could not publish their work.

2. Algebraic geometry

In this chapter we review algebraic geometry. We start with a review of affine and projective varieties. Then we present a particular type of variety: algebraic curves. We end the chapter with the Riemann-Roch Theorem, which is fundamental for the description of the group law on elliptic curves.

2.1 Affine and projective varieties

In this section $K$ is a field and $\bar K$ its algebraic closure.

2.1.1 Definition (Affine and Projective space). [CFA+10, p. 1]
- The affine space of dimension $n$, denoted by $\mathbb{A}^n(\bar K)$ or $\mathbb{A}^n$, is the set of $n$-tuples of $\bar K$: $\mathbb{A}^n(\bar K) = \bar K^n$.
- The projective space of dimension $n$ over $\bar K$, denoted by $\mathbb{P}^n(\bar K)$ or $\mathbb{P}^n$, is the quotient set $(\mathbb{A}^{n+1}(\bar K) \setminus \{0\}) / \sim$, where $\sim$ is the equivalence relation defined by
\[ (x_0, \dots, x_n) \sim (y_0, \dots, y_n) \iff \exists \lambda \in \bar K^*,\ (y_0, \dots, y_n) = \lambda (x_0, \dots, x_n) = (\lambda x_0, \dots, \lambda x_n). \]
An equivalence class for this relation is $[x_0, \dots, x_n] = \{(\lambda x_0, \dots, \lambda x_n) \in \mathbb{A}^{n+1} : \lambda \in \bar K^*\}$.
- The set of $K$-rational points of $\mathbb{A}^n$ is $\mathbb{A}^n(K) = \{(x_1, \dots, x_n) \in \mathbb{A}^n : x_i \in K \text{ for all } i = 1, \dots, n\}$.
- Similarly, the set of $K$-rational points of $\mathbb{P}^n$ is $\mathbb{P}^n(K) = \{[x_0, \dots, x_n] \in \mathbb{P}^n : x_i \in K \text{ for all } i = 0, \dots, n\}$.

2.1.2 Definition (Homogeneous ideal). [Sil09, p. 7] Let $d \in \mathbb{N}$. A polynomial $f \in \bar K[X'] = \bar K[X_0, \dots, X_n]$ is a homogeneous polynomial of degree $d$ if for all $\lambda \in \bar K$, $f(\lambda X_0, \dots, \lambda X_n) = \lambda^d f(X_0, \dots, X_n)$. A homogeneous ideal is an ideal generated by homogeneous polynomials.

2.1.3 Definition (Algebraic set). [Sil09, p. 2;7]
a) An affine algebraic set is a set of the form $V_a(I) = \{P \in \mathbb{A}^n : f(P) = 0 \text{ for all } f \in I\}$, where $I$ is an ideal of $\bar K[X] = \bar K[X_1, \dots, X_n]$.
b) If $V$ is an algebraic set, the ideal of $V$ is $I_a(V) = \{f \in \bar K[X] : f(P) = 0 \text{ for all } P \in V\}$.


c) A projective algebraic set is a set of the form $V_p(I) = \{P \in \mathbb{P}^n : f(P) = 0 \text{ for all homogeneous } f \in I\}$, where $I$ is a homogeneous ideal.
d) The homogeneous ideal of a projective algebraic set $V$ is the set $I_p(V) = \{f \in \bar K[X'] : f \text{ homogeneous and } f(P) = 0 \text{ for all } P \in V\}$.
e) An affine algebraic set (respectively a projective algebraic set) $V$ is said to be defined over $K$ if $I_a(V)$ (respectively $I_p(V)$) can be generated by polynomials in $K[X]$ (respectively by homogeneous polynomials of $K[X']$). We denote this by $V/K$.
f) If $V$ is a projective algebraic set defined over $K$, the set of $K$-rational points of $V$ is $V(K) = V \cap \mathbb{P}^n(K)$.

2.1.4 Example. Let $K = \mathbb{C}$ and consider the spaces $\mathbb{A}^2(\mathbb{C})$ and $\mathbb{P}^2(\mathbb{C})$. We have:
- The set $A = \{(x_1, x_2) \in \mathbb{A}^2(\mathbb{C}) : x_1^2 = 0\}$ is an affine algebraic set since $A = \{(x_1, x_2) \in \mathbb{A}^2(\mathbb{C}) : x_1 = 0\} = V_a(X_1)$.
- Let $S = (X_1^2)$. We have $V_a(S) = \{(x_1, x_2) \in \mathbb{A}^2(\mathbb{C}) : x_1^2 = 0\} = \{(x_1, x_2) \in \mathbb{A}^2(\mathbb{C}) : x_1 = 0\} = V_a(X_1)$. The ideal of $V_a(S)$ is $I_a(V_a(S)) = \{f \in \mathbb{C}[X_1, X_2] : f(P) = 0 \text{ for all } P \in V_a(X_1)\} = \{f \in \mathbb{C}[X_1, X_2] : X_1 \text{ divides } f\} = (X_1)$. $I_a(V_a(S))$ is prime, so $V_a(S)$ is an affine variety.
- The polynomial $X_1^2$ is homogeneous in $\mathbb{C}[X_0, X_1, X_2]$. The set $A' = \{[x_0, x_1, x_2] \in \mathbb{P}^2(\mathbb{C}) : x_1^2 = 0\}$ is a projective algebraic set since $A' = V_p(X_1)$. Let $S' = (X_1^2)$. We have $V_p(S') = V_p(X_1)$ and $I_p(V_p(S')) = (X_1)$.

2.1.5 Remark. Set $\mathcal{A} = \{I \text{ ideal of } \bar K[X]\}$ (with $I$ homogeneous if we are in $\mathbb{P}^n$) and $\mathcal{B} = \{V \text{ algebraic set of } \mathcal{K}\}$, where $\mathcal{K} = \mathbb{A}^n$ or $\mathbb{P}^n$ as appropriate. Let us define the maps
\[ V_a : (\mathcal{A}, \subset) \to (\mathcal{B}, \subset),\ I \mapsto V_a(I) \qquad \text{and} \qquad I_a : (\mathcal{B}, \subset) \to (\mathcal{A}, \subset),\ V \mapsto I_a(V), \]
and respectively in $\mathbb{P}^n$
\[ V_p : (\mathcal{A}, \subset) \to (\mathcal{B}, \subset),\ I \mapsto V_p(I) \qquad \text{and} \qquad I_p : (\mathcal{B}, \subset) \to (\mathcal{A}, \subset),\ V \mapsto I_p(V). \]
The pair $(V_a, I_a)$ (respectively $(V_p, I_p)$) forms an antitone Galois connection since
- for all $I_1, I_2 \in \mathcal{A}$ and $V_1, V_2 \in \mathcal{B}$: $I_1 \subset I_2 \Rightarrow V_a(I_2) \subset V_a(I_1)$ (respectively $V_p(I_2) \subset V_p(I_1)$) and $V_1 \subset V_2 \Rightarrow I_a(V_2) \subset I_a(V_1)$ (respectively $I_p(V_2) \subset I_p(V_1)$);
- for all $I \in \mathcal{A}$ and $V \in \mathcal{B}$: $I \subset I_a(V) \iff V \subset V_a(I)$ (respectively $I \subset I_p(V) \iff V \subset V_p(I)$).
We have $V_a(I_a(V)) = V$ (respectively $V_p(I_p(V)) = V$) for every algebraic set $V$, but, as the previous example shows, only $I \subset I_a(V_a(I))$ (respectively $I \subset I_p(V_p(I))$), possibly strictly; we say that $V_a$ and $I_a$ (respectively $V_p$ and $I_p$) are weak inverses. However, the Hilbert Nullstellensatz (see [Har77, p. 4]) shows that for every ideal $I$ of $\bar K[X]$, $I_a(V_a(I)) = \sqrt{I}$, and $I_a(V_a(I)) = I$ if and only if $I$ is prime.

2.1.6 Definition. An affine (respectively projective) hyperplane is an algebraic set of $\mathbb{A}^n$ (respectively $\mathbb{P}^n$) given by an equation $a_1 X_1 + \dots + a_n X_n = 0$ (respectively $a_0 X_0 + \dots + a_n X_n = 0$), where $a_0, \dots, a_n \in \bar K$ are not all $0$.

2.1.7 Example. If $n = 2$, a projective hyperplane is a line given by an equation $aX + bY + cZ = 0$ with $a, b, c$ not all $0$.

Now let us state the link between $\mathbb{A}^n$ and $\mathbb{P}^n$.

2.1.8 Remark. [Sil09, p. 9] $\mathbb{P}^n$ contains many copies of $\mathbb{A}^n$. For $i = 0, \dots, n$, let us define the map
\[ \varphi_i : \mathbb{A}^n \to \mathbb{P}^n,\qquad (x_1, \dots, x_n) \mapsto [x_1, \dots, x_i, 1, x_{i+1}, \dots, x_n], \]
which places the $1$ in the $i$-th coordinate. Let $H_i = \{[x_0, \dots, x_n] \in \mathbb{P}^n : x_i = 0\}$ be the hyperplane defined by $X_i = 0$ and let $U_i = \mathbb{P}^n \setminus H_i$. For every $i = 0, \dots, n$, we define
\[ \phi_i : U_i \to \mathbb{A}^n,\qquad [x_0, \dots, x_n] \mapsto \left( \frac{x_0}{x_i}, \dots, \frac{x_{i-1}}{x_i}, \frac{x_{i+1}}{x_i}, \dots, \frac{x_n}{x_i} \right). \]
$\phi_i$ is a bijection and $\phi_i = \varphi_i^{-1}|_{U_i}$. The family $\{U_i\}_{i = 0, \dots, n}$ is called the standard covering of $\mathbb{P}^n$. Fix $i \in \{0, \dots, n\}$. We can identify $\mathbb{A}^n$ with $U_i \subset \mathbb{P}^n$ by $\phi_i^{-1}$. Let $V$ be a projective algebraic set and $I_p(V)$ its homogeneous ideal. Then the set $\varphi_i^{-1}(V \cap U_i)$, denoted by $V \cap \mathbb{A}^n$, is an affine algebraic set and
\[ I_a(V \cap \mathbb{A}^n) = \{ f(X_0, \dots, X_{i-1}, 1, X_{i+1}, \dots, X_n) : f \in I_p(V) \}. \]

2.1.9 Definition. Let $V$ be an affine algebraic set and $I_a(V)$ its ideal. Then $V$ can be identified with a subset of $\mathbb{P}^n$ by its image $\varphi_i(V)$ for a fixed $i$. The projective closure of $V$, denoted by $\bar V$, is the projective algebraic set such that $I_p(\bar V) = \langle \{ f^*(X) : f \in I_a(V) \} \rangle$, where
\[ f^*(X_0, \dots, X_n) = X_i^{\deg(f)}\, f\!\left( \frac{X_0}{X_i}, \dots, \frac{X_{i-1}}{X_i}, \frac{X_{i+1}}{X_i}, \dots, \frac{X_n}{X_i} \right). \]
Note that $V_p(I_p(V)) = V$ for every algebraic set (Remark 2.1.5), so the projective closure is well defined.

2.1.10 Example. If $V = \{(x, y) \in \mathbb{A}^2 : y^2 = x^3 + x + 1\}$, we have $\bar V = \{[x, y, z] \in \mathbb{P}^2 : y^2 z = x^3 + x z^2 + z^3\}$.

2.1.11 Theorem. [Har77, p. 10-11] Let $V$ be an affine variety and let $W$ be a projective variety.


i) $\bar V$ is a projective variety and $V = \bar V \cap \mathbb{A}^n$.
ii) $W \cap \mathbb{A}^n$ is an affine variety and either $W \cap \mathbb{A}^n = \emptyset$ or $W = \overline{W \cap \mathbb{A}^n}$.
iii) If an affine (respectively projective) variety $V$ is defined over $K$, then $\bar V$ (respectively $V \cap \mathbb{A}^n$) is defined over $K$.

2.1.12 Definition. [Sil09, p. 3] Let $V/K$ be an affine variety. We set $K[V] = K[X] / I_a(V/K)$ (quotient ring). Since $I_a(V/K)$ is prime, $K[V]$ is an integral domain (a ring with no zero divisors). The fraction field of $K[V]$, denoted $K(V)$, is called the function field of $V/K$.

2.1.13 Example. Let $V = \{(2, 3)\} \subset \mathbb{A}^2(\mathbb{C})$. We have $\mathbb{C}[V] = \mathbb{C}[X, Y] / I_a(V) = \mathbb{C}[X, Y] / \langle X - 2, Y - 3 \rangle \cong \mathbb{C}$.

2.1.14 Definition. [Sil09, p. 4]
- Let $V$ be an affine variety. The dimension of $V$, denoted by $\dim(V)$, is the transcendence degree¹ of $\bar K(V)$ over $\bar K$.
- Let $V/K$ be a non empty projective variety and let $i$ be such that $V \cap \mathbb{A}^n = \varphi_i^{-1}(V \cap U_i) \ne \emptyset$. The dimension of $V$ is the dimension of $V \cap \mathbb{A}^n$.

We are studying geometric objects, so we are naturally interested in whether they are smooth (since a non smooth object can be approximated by smooth objects, knowing that an object is smooth is a good starting place for a study).

2.1.15 Definition. [Sil09, p. 4] Let $V \subset \mathbb{A}^n$ be an affine variety, let $P \in V$ and let $f_1, \dots, f_m \in \bar K[X]$ be a set of generators of $I_a(V)$. Then $V$ is non singular (or smooth) at $P$ if the $m \times n$ matrix
\[ \left( \frac{\partial f_i}{\partial X_j}(P) \right)_{1 \le i \le m,\ 1 \le j \le n} \]
has rank $n - \dim(V)$. If $V$ is non singular at every point, then we say that $V$ is non singular (or smooth).

2.1.16 Remark. Let $V$ be an affine variety given by a single non constant polynomial equation $f(X_1, \dots, X_n) = 0$. We have $\dim(V) = n - 1$ (see [Har77, p. 7]). So $P \in V$ is a singular point of $V$ if and only if
\[ f(P) = 0 \quad\text{and}\quad \frac{\partial f}{\partial X_1}(P) = \dots = \frac{\partial f}{\partial X_n}(P) = 0. \]

2.1.17 Example. For all $a \ne 0$, the line $L : ax + by + cz = 0$ in $\mathbb{P}^2(\mathbb{C})$ is non singular since for all $P \in \mathbb{P}^2(\mathbb{C})$, $\frac{\partial f}{\partial x}(P) = a \ne 0$.

2.1.18 Definition. [Sil09, p. 5] Let $V$ be an affine variety and let $P \in V$.
- We define an ideal $M_P$ of $\bar K[V]$ by $M_P = \{f \in \bar K[V] : f(P) = 0\}$. Note that $M_P$ is a maximal ideal of $\bar K[V]$ (for any ideal $J$ of $\bar K[V]$, $M_P \subset J$ implies $J = M_P$ or $J = \bar K[V]$), since there is an isomorphism $\bar K[V] / M_P \to \bar K$, $f + M_P \mapsto f(P)$.

¹ If $K$ is a field and $F \supset K$ is an extension of $K$, the transcendence degree of $F$ over $K$ is the cardinality of a transcendence basis over $K$. Recall that a transcendence basis over $K$ is a set $B \subset F$ such that $B$ is algebraically independent over $K$ and $F$ is an algebraic extension of $K(B)$ (recall that $K(B)$ is the subfield of $F$ generated by $K \cup B$).
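As an added illustration of Definition 2.1.9, Example 2.1.10 and Remark 2.1.16 (this code is not from the essay and is independent of its Sage files), the following pure-Python script homogenizes an affine plane curve to its projective closure, dehomogenizes it back on the chart $z = 1$, and searches $\mathbb{A}^2(\mathbb{F}_p)$ for singular points by evaluating $f$ and its two partial derivatives. The dictionary representation of polynomials, the function names and the sample curves are assumptions of this example. For curves $y^2 = x^3 + ax + b$ it also compares the search with the discriminant condition $4a^3 + 27b^2 = 0$, which characterises singularity when $p \ne 2, 3$.

```python
# Added example (not from the essay): affine plane curves as polynomial dicts
# {(i, j): c} meaning c * x^i * y^j; projective ones as {(i, j, k): c} for
# c * x^i * y^j * z^k. All coefficients are integers, reduced mod p when needed.
from itertools import product


def homogenize(f):
    """Projective closure (Definition 2.1.9): multiply each monomial x^i y^j
    by z^(deg f - i - j) so every term has total degree deg f."""
    d = max(i + j for (i, j) in f)
    return {(i, j, d - i - j): c for (i, j), c in f.items()}


def dehomogenize(F):
    """Set z = 1 (the chart U_2 of Remark 2.1.8) to recover the affine curve."""
    g = {}
    for (i, j, _k), c in F.items():
        g[(i, j)] = g.get((i, j), 0) + c
    return {m: c for m, c in g.items() if c != 0}


def evaluate(f, point, p):
    """Evaluate a polynomial dict at a point with coordinates in F_p."""
    total = 0
    for exps, c in f.items():
        term = c
        for base, e in zip(point, exps):
            term = term * pow(base, e, p) % p
        total = (total + term) % p
    return total


def partial(f, var):
    """Formal partial derivative with respect to the variable at index var."""
    g = {}
    for exps, c in f.items():
        e = exps[var]
        if e == 0:
            continue
        new = list(exps)
        new[var] = e - 1
        g[tuple(new)] = g.get(tuple(new), 0) + c * e
    return {m: c for m, c in g.items() if c != 0}


def singular_points(f, p):
    """Points of A^2(F_p) at which f and both partials vanish (Remark 2.1.16)."""
    fx, fy = partial(f, 0), partial(f, 1)
    return [pt for pt in product(range(p), repeat=2)
            if evaluate(f, pt, p) == 0
            and evaluate(fx, pt, p) == 0
            and evaluate(fy, pt, p) == 0]


def weierstrass(a, b):
    """f(x, y) = y^2 - x^3 - a x - b, whose zero set is y^2 = x^3 + a x + b."""
    return {(0, 2): 1, (3, 0): -1, (1, 0): -a, (0, 0): -b}


def discriminant_is_zero(a, b, p):
    """4a^3 + 27b^2 = 0 in F_p (p != 2, 3) iff y^2 = x^3 + ax + b is singular."""
    return (4 * a**3 + 27 * b**2) % p == 0


if __name__ == "__main__":
    # Example 2.1.10: y^2 = x^3 + x + 1 closes up to y^2 z = x^3 + x z^2 + z^3.
    print(homogenize(weierstrass(1, 1)))
    # Constructed sample: y^2 = x^3 - 3x + 2 = (x - 1)^2 (x + 2) has a node at (1, 0).
    for a, b, p in [(1, 1, 5), (-3, 2, 7), (0, 0, 7)]:
        print(a, b, p, singular_points(weierstrass(a, b), p), discriminant_is_zero(a, b, p))
```

The singular-point search is brute force over all $p^2$ affine points, which is fine for the small constructed primes here; the point of the script is to make the rank condition of Definition 2.1.15 concrete for a single equation, where it reduces to the vanishing of $f$ and its partials.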


- The local ring of $V$ at $P$, denoted by $\bar K[V]_P$, is the localization of $\bar K[V]$ at $M_P$. This means
\[ \bar K[V]_P = \left\{ \frac{f}{g} : f, g \in \bar K[V],\ g(P) \ne 0 \right\}. \]
The functions of $\bar K[V]_P$ are said to be regular at $P$.

2.1.19 Example. Set $V = \{(2, 3)\} \subset \mathbb{A}^2(\mathbb{C})$. Then $\mathbb{C}[V] = \mathbb{C}[X, Y] / \langle X - 2, Y - 3 \rangle \cong \mathbb{C}$, so $\mathbb{C}[V]$ is a field and for all $P \in V$, $M_P = \{0\}$ (since $M_P$ is maximal). Put $P = (2, 3)$. We have $\mathbb{C}[V]_P = \{ f/g : f, g \in \mathbb{C}[V],\ g(2, 3) \ne 0 \}$.

2.1.20 Definition. [Sil09, p. 11] Let $V$ be a projective variety. Let $P \in V$ and let $i \in \{0, \dots, n\}$ be such that $P \in U_i \cong \mathbb{A}^n$. We say that $V$ is smooth or non singular at $P$ if $V \cap \mathbb{A}^n$ is non singular at $P$. The local ring of $V$ at $P$, also denoted $\bar K[V]_P$, is the local ring of $V \cap \mathbb{A}^n$ at $P$. A function $f \in \bar K(V)$ is regular at $P$ if $f \in \bar K[V]_P$.

Now we define the notion of rational map of projective varieties.

2.1.21 Definition. [Sil09, p. 11] Let $V_1, V_2$ be projective varieties. A map $\varphi : V_1 \to V_2$ is rational if there exist $f_0, \dots, f_n \in \bar K(V_1)$ such that $\varphi = [f_0, \dots, f_n]$, where for all $P \in V_1$ at which every $f_i$ is regular, $[f_0, \dots, f_n](P) = [f_0(P), \dots, f_n(P)] \in V_2$. If there exists $\lambda \in \bar K^*$ with $\lambda f_0, \dots, \lambda f_n \in K(V_1)$, we say that $\varphi$ is defined over $K$.

2.1.22 Remark. A rational map is not necessarily a well defined function at every point. But it may be possible to evaluate the image of a point $P$ where some $f_i$ are not regular by replacing each $f_i$ by $g f_i$, for an appropriate $g$.

2.1.23 Example. If $V = \{(x, y) \in \mathbb{A}^2(\mathbb{C}) : y^2 = x^3 + x + 1\}$, we have $\bar V = \{[x, y, z] \in \mathbb{P}^2(\mathbb{C}) : y^2 z = x^3 + x z^2 + z^3\}$. The map
\[ \varphi : \bar V \to \mathbb{P}^2(\mathbb{C}),\qquad [x, y, z] \mapsto \left[ \frac{x}{1 - y}, y, z \right] \]
is a rational map, defined at every point of $\bar V$ except the points $[x, 1, z] \in \bar V$. But by multiplying each component of $\varphi$ by $g(x, y, z) = 1 - y \in \mathbb{C}(\bar V)$ we get $g\varphi = [x, (1 - y) y, (1 - y) z]$. We can now evaluate $\varphi$ at every point of $\bar V$ except $[0, 1, z] \in \bar V$.

2.1.24 Definition. [Sil09, p. 12] Let $V_1, V_2$ be projective varieties. A rational map $\varphi : V_1 \to V_2$, $\varphi = [f_0, \dots, f_n]$, is regular at $P \in V_1$ if there is a function $g \in \bar K(V_1)$ such that for all $i = 0, \dots, n$, $g f_i$ is regular at $P$, and there is some $j \in \{0, \dots, n\}$ with $(g f_j)(P) \ne 0$. If such a $g$ exists, we set $\varphi(P) = [(g f_0)(P), \dots, (g f_n)(P)]$. If $\varphi$ is regular at every point, $\varphi$ is a morphism of projective varieties.

2.1.25 Example. For $\bar V = \{[x, y, z] \in \mathbb{P}^2(\mathbb{C}) : y^2 z = x^3 + x z^2 + z^3\}$, the map $\varphi : \bar V \to \mathbb{P}^2(\mathbb{C})$, $[x, y, z] \mapsto [x/(1 - y), y, z]$, is not regular at $[0, 1, 0]$, since there is no way to multiply $\varphi$ by a rational function $g$ and get $g\varphi$ well defined at $[0, 1, 0]$.

Now we present a particular type of projective variety which is crucial for the topic of this dissertation.

2.2 Algebraic curves

An algebraic curve (or a curve) is a projective variety of dimension one. Let $C$ be a curve and $P \in C$ a smooth point. Let us consider the map
\[ v : \bar K[C]_P \to \mathbb{N} \cup \{\infty\},\qquad \frac{f}{g} \mapsto \sup\{ d \in \mathbb{N} : f \in M_P^d \}. \]
Note that $g \in \bar K[C]_P \setminus M_P = M_P^0 \setminus M_P$, and then $\sup\{d \in \mathbb{N} : g \in M_P^d\} = 0$.

2.2.1 Proposition. $v$ is a valuation.

Proof. Let $f/g, f_1/g_1, f_2/g_2 \in \bar K[C]_P$ and put $d_1 = \sup\{d \in \mathbb{N} : f_1 \in M_P^d\}$ and $d_2 = \sup\{d \in \mathbb{N} : f_2 \in M_P^d\}$.
- Let us show that $v(f_1/g_1) + v(f_2/g_2) = v(f_1 f_2 / g_1 g_2)$. Since $f_1 \in M_P^{d_1}$ and $f_2 \in M_P^{d_2}$, we have $f_1 f_2 \in M_P^{d_1 + d_2}$, so $d_1 + d_2 \le \sup\{d \in \mathbb{N} : f_1 f_2 \in M_P^d\}$, hence $v(f_1/g_1) + v(f_2/g_2) \le v(f_1 f_2 / g_1 g_2)$. Conversely, $f_1 f_2 \in M_P^d \Rightarrow f_1 f_2 \in M_P \Rightarrow f_1 \in M_P$ or $f_2 \in M_P$, since $M_P$ is a maximal ideal (so prime). Then
\[ \{d \in \mathbb{N} : f_1 f_2 \in M_P^d\} \subset \{d \in \mathbb{N} : f_1 \in M_P^d\} \cup \{d \in \mathbb{N} : f_2 \in M_P^d\}, \]
so that
\[ \sup\{d \in \mathbb{N} : f_1 f_2 \in M_P^d\} \le \sup\big( \{d \in \mathbb{N} : f_1 \in M_P^d\} \cup \{d \in \mathbb{N} : f_2 \in M_P^d\} \big) \le \sup\{d \in \mathbb{N} : f_1 \in M_P^d\} + \sup\{d \in \mathbb{N} : f_2 \in M_P^d\}. \]
Then $v(f_1/g_1) + v(f_2/g_2) \ge v(f_1 f_2 / g_1 g_2)$, and hence $v(f_1/g_1) + v(f_2/g_2) = v(f_1 f_2 / g_1 g_2)$.
- Let us prove that $v(f_1/g_1 + f_2/g_2) \ge \min\{v(f_1/g_1), v(f_2/g_2)\}$. Suppose $d_1 \le d_2$, i.e. $\min(d_1, d_2) = d_1$. Now $v(f_1/g_1 + f_2/g_2) = \sup\{d \in \mathbb{N} : f_1 g_2 + f_2 g_1 \in M_P^d\}$. Since $M_P^{d_2} \subset M_P^{d_1}$ we have $f_2 \in M_P^{d_1}$ and $f_1 g_2 + f_2 g_1 \in M_P^{d_1}$, hence $d_1 \le \sup\{d \in \mathbb{N} : f_1 g_2 + f_2 g_1 \in M_P^d\}$, which proves that $v(f_1/g_1 + f_2/g_2) \ge \min\{v(f_1/g_1), v(f_2/g_2)\}$.
- Let us prove that $v(f/g) = \infty \iff f/g = 0$. Now $v(f/g) = \infty \iff f/g \in \bigcap_{d \in \mathbb{N}} M_P^d$. Set $k = \deg(f)$. Then $f/g \in M_P^{k+1}$ implies that there exist $\alpha_{i,j}/\beta_{i,j} \in M_P$ with $\beta_{i,j}(P) \ne 0$ and
\[ \frac{f}{g} = \sum_{i=0}^{n+1} \prod_{j=0}^{k+1} \frac{\alpha_{i,j}}{\beta_{i,j}}. \]
We have $f(P) = 0 \iff \frac{f}{g}(P) = 0$. Since $f/g \in M_P^{k+1}$, $P$ is a root of order $k + 1$ of $f$. But $\deg(f) = k$, so $f = 0$, i.e. $f/g = 0$. Hence $v(f/g) = \infty \Rightarrow f/g = 0$. Reciprocally, $\sup\{d \in \mathbb{N} : 0 \in M_P^d\} = \infty$. So we have the equivalence $v(f/g) = \infty \iff f/g = 0$.
Hence $v$ is a valuation.

Furthermore we claim that for all $f, g \in \bar K[C]$ with $f/g \in \bar K[C]_P$, $v(f/g) = v(f) - v(g)$. In fact $v(f) = v(fg/g) = v(f/g) + v(g)$, so $v(f/g) = v(f) - v(g)$. Let us extend the definition of $v$ to $\mathbb{Z} \cup \{\infty\}$ by defining
\[ v' : \bar K(C) \to \mathbb{Z} \cup \{\infty\},\qquad f/g \mapsto v(f) - v(g). \]

2.2.2 Proposition. $v'$ is a valuation.

Proof. Let $f, f', g, g' \in \bar K(C)$.
- $v'\!\left( \frac{f}{g} \cdot \frac{f'}{g'} \right) = v(f f') - v(g g') = v(f) + v(f') - v(g) - v(g') = v'(f/g) + v'(f'/g')$.
- For the sum,
\[ v'\!\left( \frac{f}{g} + \frac{f'}{g'} \right) = v'\!\left( \frac{f g' + g f'}{g g'} \right) = v(f g' + g f') - v(g g') \ge \min\big( v(f g'), v(g f') \big) - v(g) - v(g') \]
\[ \ge \min\big( v(f) + v(g') - v(g) - v(g'),\ v(g) + v(f') - v(g) - v(g') \big) = \min\big( v'(f/g),\ v'(f'/g') \big). \]
- $v'(f/g) = \infty \iff v(f) - v(g) = \infty \iff v(f) = \infty$, since if $v(g) = \infty$ then $g = 0$ and $f/g$ is not defined. Hence $v'(f/g) = \infty \iff f = 0 \iff f/g = 0$.

2.2.3 Definition. The map $v$ defined above is called the normalized valuation on $\bar K[C]_P$ and is denoted by $\operatorname{ord}_P$. By $v'$ we extend $\operatorname{ord}_P$ to $\bar K(C)$ with values in $\mathbb{Z} \cup \{\infty\}$. A uniformizer for $C$ at $P$ is any function $t \in \bar K(C)$ with $\operatorname{ord}_P(t) = 1$.

2.2.4 Definition. [Sil09, p. 18] Let $C$ and $P$ be as above, and let $f \in \bar K(C)$. If $\operatorname{ord}_P(f) \ge 0$, we say that $f$ is regular at $P$. If $\operatorname{ord}_P(f) < 0$, we say that $f$ has a pole at $P$. If $\operatorname{ord}_P(f) > 0$, we say that $f$ has a zero at $P$.


2.2.5 Proposition. [Sil09, p. 18] Let $C$ be a smooth curve and $f \in \bar K(C)$ with $f \ne 0$. Then there are only finitely many points of $C$ at which $f$ has a pole or a zero. Further, if $f$ has no poles, then $f \in \bar K$.

2.2.6 Example. For the curve $C : y^2 z = (x - z)(x - 2z)(x - 3z)$ in $\mathbb{P}^2$, let $P_1 = [1, 0, 1]$, $O = [0, 1, 0]$ and $f(x, y, z) = x - z \in \mathbb{C}(C)$. Writing $f = \frac{y^2 z}{(x - 2z)(x - 3z)}$ in $\mathbb{C}(C)$, we have
\[ \operatorname{ord}_{P_1}(f) = \operatorname{ord}_{P_1}(y^2) + \operatorname{ord}_{P_1}(z) - \operatorname{ord}_{P_1}(x - 2z) - \operatorname{ord}_{P_1}(x - 3z) = 2, \]
and
\[ \operatorname{ord}_O(f) = \operatorname{ord}_O\!\left( \frac{y^2 z}{(x - 2z)(x - 3z)} \right) = \operatorname{ord}_O(y^2) + \operatorname{ord}_O(z) - \operatorname{ord}_O(x - 2z) - \operatorname{ord}_O(x - 3z) = -1. \]

2.2.7 Proposition. [Sil09, p. 19] Let $C$ be a curve, let $V \subset \mathbb{P}^n$ be a variety, let $P \in C$ be a smooth point and let $\varphi : C \to V$ be a rational map. Then $\varphi$ is regular at $P$. In particular, if $C$ is smooth, $\varphi$ is a morphism of projective varieties (a morphism of curves).

2.2.8 Proposition. [Har77, p. 137] Let $\varphi : C_1 \to C_2$ be a morphism of curves. Then $\varphi$ is either constant or surjective.

2.2.9 Remark. Let $C_1$ and $C_2$ be two curves over $K$ and $\varphi : C_1 \to C_2$ a non constant map defined over $K$. Then $\varphi$ induces an injection of function fields fixing $K$,
\[ \varphi^* : K(C_2) \to K(C_1),\qquad f \mapsto \varphi^*(f) = f \circ \varphi. \]

2.2.10 Theorem. [Sil09, p. 20] Let $C_1/K$ and $C_2/K$ be two curves and let $\varphi : C_1 \to C_2$ be a non constant rational map defined over $K$. Then $K(C_1)$ is a finite extension of $\varphi^*(K(C_2))$.

2.2.11 Definition. [Sil09, p. 21] Let $C_1/K$ and $C_2/K$ be two curves and $\varphi : C_1 \to C_2$ a map defined over $K$. The degree of $\varphi$ is defined to be $0$ if $\varphi$ is constant; otherwise we say that $\varphi$ is a finite map and we define its degree to be $\deg(\varphi) = [K(C_1) : \varphi^*(K(C_2))]$. We say that $\varphi$ is separable if the extension $K(C_1)/\varphi^*(K(C_2))$ is separable².

2.2.12 Proposition. [Sil09, p. 22] If $\varphi : C_1 \to C_2$ is a map of degree one between two smooth curves $C_1$ and $C_2$, then $\varphi$ is an isomorphism.

2.2.13 Definition. [Sil09, p. 23] Let $\varphi : C_1 \to C_2$ be a non constant map of smooth curves, and let $P \in C_1$. The ramification index of $\varphi$ at $P$, denoted by $e_\varphi(P)$, is the quantity $e_\varphi(P) = \operatorname{ord}_P(\varphi^* t_{\varphi(P)})$, where $t_{\varphi(P)} \in K(C_2)$ is a uniformizer at $\varphi(P)$. Note that $e_\varphi(P) \ge 1$. We say $\varphi$ is unramified at $P$ if $e_\varphi(P) = 1$, and that $\varphi$ is unramified if it is unramified at every point of $C_1$.

2.2.14 Proposition. [Sil09, p. 23] Let $\varphi : C_1 \to C_2$ be a non constant map of smooth curves. Then for every $Q \in C_2$,
\[ \sum_{P \in \varphi^{-1}(Q)} e_\varphi(P) = \deg(\varphi). \]

2.2.15 Definition. [Sil09, p. 27]
- The divisor group of a curve $C$, denoted by $\operatorname{Div}(C)$, is the free abelian group³ generated by the points of $C$. Thus a divisor $D \in \operatorname{Div}(C)$ is a formal sum
\[ D = \sum_{P \in C} n_P (P), \]
where $n_P \in \mathbb{Z}$ and $n_P = 0$ for all but finitely many $P \in C$.

² If $K$ is a field and $F \supset K$ an algebraic extension of $K$, $F$ is separable if for all $\alpha \in F$ the minimal polynomial of $\alpha$ has distinct roots.
³ A free abelian group is an abelian group with a basis, i.e. a group with a non empty subset $B$ such that every element can be written uniquely as a linear combination of elements of $B$ with coefficients in $\mathbb{Z}$.


- The degree of a divisor $D \in \operatorname{Div}(C)$ is $\deg D = \sum_{P \in C} n_P$.

2.2.16 Proposition. [Sil09, p. 27-28]
a) The set of divisors of degree $0$ is a subgroup of $\operatorname{Div}(C)$, denoted by $\operatorname{Div}^0(C)$.
b) The map
\[ \operatorname{div} : \bar K(C)^* \to \operatorname{Div}(C),\qquad f \mapsto \operatorname{div}(f) = \sum_{P \in C} \operatorname{ord}_P(f) (P) \]
is a homomorphism of abelian groups.

2.2.17 Proposition. [Sil09, p. 28] Let $C$ be a smooth curve and let $f \in \bar K(C)^*$.
a) $\operatorname{div}(f) = 0$ if and only if $f \in \bar K^*$.
b) $\deg(\operatorname{div}(f)) = 0$.

2.2.18 Definition. [Sil09, p. 28]
i) A divisor $D \in \operatorname{Div}(C)$ is principal if $D = \operatorname{div}(f)$ for some $f \in \bar K(C)^*$.
ii) Two divisors $D_1$ and $D_2$ are linearly equivalent (which we denote $D_1 \sim D_2$) if $D_1 - D_2$ is principal.

2.2.19 Example. Let $C : y^2 z = (x - z)(x - 2z)(x - 3z)$, let $P_i = [i, 0, 1]$ for $i = 1, 2, 3$, $O = [0, 1, 0]$ and $f(x, y, z) = x - z$. We have $\operatorname{div}(f) = 2(P_1) + 2(P_2) + 2(P_3) - 3(O)$.

2.2.20 Proposition. The set of principal divisors is a subgroup of $\operatorname{Div}(C)$.

Proof. Let us call $\operatorname{Div}_{(p)}(C)$ the set of principal divisors. The null divisor $0$ belongs to $\operatorname{Div}_{(p)}(C)$ since $0 = \operatorname{div}(1)$. Let $D_1, D_2 \in \operatorname{Div}_{(p)}(C)$ with $D_1 = \operatorname{div}(f_1)$ and $D_2 = \operatorname{div}(f_2)$. We have $D_1 - D_2 = \operatorname{div}(f_1) - \operatorname{div}(f_2) = \operatorname{div}(f_1/f_2)$. So $D_1 - D_2 \in \operatorname{Div}_{(p)}(C)$.

2.2.21 Definition. [Sil09, p. 28]
- The Picard group of $C$, denoted by $\operatorname{Pic}(C)$, is the quotient group $\operatorname{Div}(C) / \operatorname{Div}_{(p)}(C)$.
- The Picard group of degree $0$, denoted by $\operatorname{Pic}^0(C)$, is the quotient of $\operatorname{Div}^0(C)$ by the subgroup of principal divisors: $\operatorname{Pic}^0(C) = \operatorname{Div}^0(C) / \operatorname{Div}_{(p)}(C)$.

We now introduce the notion of differential, an important notion used in the Riemann-Roch Theorem. In what follows, $C$ is a smooth curve over $K$ unless the characteristic of the field is specified otherwise.


2.2.22 Definition. [Sil09, p. 30] The space of differential forms on $C$, denoted by $\Omega_C$, is the $\bar K(C)$-vector space generated by symbols of the form $dx$ for $x \in \bar K(C)$, subject to the relations, for all $x, y \in \bar K(C)$ and $a \in \bar K$:
i) $d(x + y) = dx + dy$,
ii) $d(xy) = x\,dy + y\,dx$,
iii) $da = 0$.

2.2.23 Proposition. [Sil09, p. 30] Let $x \in \bar K(C)$. Then $\Omega_C$ is a 1-dimensional $\bar K(C)$-vector space, and $dx$ is a $\bar K(C)$-basis for $\Omega_C$ if and only if $\bar K(C)/\bar K(x)$ is a finite separable extension.

2.2.24 Proposition. [Sil09, p. 31] Let $C$ be a curve, let $P \in C$ and let $t \in \bar K(C)$ be a uniformizer at $P$.
a) For every $\omega \in \Omega_C$ there exists a unique function $g \in \bar K(C)$, depending on $\omega$ and $t$, satisfying $\omega = g\,dt$. We denote $g$ by $\frac{\omega}{dt}$.
b) Let $f \in \bar K(C)$ be regular at $P$. Then $\frac{df}{dt}$ is also regular at $P$.
c) Let $\omega \in \Omega_C$ with $\omega \ne 0$. The quantity $\operatorname{ord}_P\!\left( \frac{\omega}{dt} \right)$ depends only on $\omega$ and $P$, independently of the choice of the uniformizer $t$. We call this value the order of $\omega$ at $P$ and denote it by $\operatorname{ord}_P(\omega)$.
d) Let $f \in \bar K(C)$ with $f(P) = 0$ and let $p = \operatorname{char}(K)$. Then
\[ \operatorname{ord}_P(f\,dx) = \operatorname{ord}_P(f) + \operatorname{ord}_P(x) - 1 \quad \text{if } p = 0 \text{ or } p \nmid \operatorname{ord}_P(x), \]
\[ \operatorname{ord}_P(f\,dx) \ge \operatorname{ord}_P(f) + \operatorname{ord}_P(x) \quad \text{if } p > 0 \text{ and } p \mid \operatorname{ord}_P(x). \]

2.2.25 Remark. [Sil09, p. 32] There are no regular differentials on $\mathbb{P}^1$. In fact, if $t$ is a coordinate function on $\mathbb{P}^1$, then $\operatorname{div}(dt) = -2(\infty)$⁴. Note that for all $\beta \in \bar K$, $t - \beta$ is a uniformizer at $\beta$, so $\operatorname{ord}_\beta(dt) = \operatorname{ord}_\beta(d(t - \beta)) = 0$. But at $\infty = [0, 1] \in \mathbb{P}^1$ we need to use $1/t$ as uniformizer, and since $dt = -t^2\, d(1/t)$ we get $\operatorname{ord}_\infty(dt) = \operatorname{ord}_\infty\!\big( t^2\, d(1/t) \big) = -2$; hence $dt$ is not regular. Now let $\omega$ be a non zero differential on $\mathbb{P}^1$. By Proposition 2.2.24 there is $g \in \bar K(\mathbb{P}^1)$ such that $\omega = g\,dt$. Since $dt$ is not regular, $\omega$ is not regular.

2.2.26 Definition. [Sil09, p. 32] Let $\omega \in \Omega_C$. The divisor associated with $\omega$ is
\[ \operatorname{div}(\omega) = \sum_{P \in C} \operatorname{ord}_P(\omega) (P) \in \operatorname{Div}(C). \]
The differential $\omega \in \Omega_C$ is regular if $\operatorname{ord}_P(\omega) \ge 0$ for all $P \in C$, and non vanishing if $\operatorname{ord}_P(\omega) \le 0$ for all $P \in C$. Since $\Omega_C$ is a 1-dimensional $\bar K(C)$-vector space, for $\omega_1, \omega_2 \in \Omega_C$ with $\omega_1 \ne 0$, $\omega_2 \ne 0$, there exists $f \in \bar K(C)^*$ such that $\omega_1 = f \omega_2$. Then $\operatorname{div}(\omega_1) = \operatorname{div}(f) + \operatorname{div}(\omega_2)$. This allows us to define an equivalence class called the canonical divisor class.

2.2.27 Definition. [Sil09, p. 32] The canonical divisor class on $C$ is the image in $\operatorname{Pic}(C)$ of $\operatorname{div}(\omega)$ for any non zero differential $\omega \in \Omega_C$. Any divisor in this class is called a canonical divisor.

⁴ In $\mathbb{P}^1$ we denote by $\infty$ the point $[0, 1]$.


2.2.28 Definition. [Sil09, p. 33] A divisor $D = \sum_{P \in C} n_P (P)$ is effective (or positive), denoted by $D \ge 0$, if $n_P \ge 0$ for all $P \in C$. Similarly, we write $D_1 \ge D_2$ if $D_1 - D_2 \ge 0$.

2.2.29 Definition. [Sil09, p. 34] Let $C$ be a smooth curve and $D \in \operatorname{Div}(C)$. We define the set
\[ L(D) = \{ f \in \bar K(C)^* : \operatorname{div}(f) \ge -D \} \cup \{0\}. \]

2.2.30 Proposition. [Sil09, p. 34] The set $L(D)$ is a finite dimensional $\bar K$-vector space, and we denote by $l(D)$ its dimension.

2.2.31 Proposition. [Sil09, p. 34] Let $C$ be a non singular curve.
i) Let $D \in \operatorname{Div}(C)$ be a divisor such that $\deg(D) < 0$. Then $L(D) = \{0\}$ and $l(D) = 0$.
ii) If $D, D' \in \operatorname{Div}(C)$ are linearly equivalent, then $L(D)$ is isomorphic to $L(D')$ and $l(D) = l(D')$.

Proof.
i) Suppose there is $f \in L(D)$, $f \ne 0$. From Proposition 2.2.17,
\[ 0 = \deg(\operatorname{div} f) \ge \deg(-D) = -\sum_{P \in C} n_P = -\deg(D) > 0 \]
since $\deg(D) < 0$; so $0 > 0$, which is a contradiction. Hence $L(D) = \{0\}$ and $l(D) = 0$.
ii) If $D \sim D'$ then there exists $f \in \bar K(C)^*$ such that $D = D' + \operatorname{div}(f)$. Let us define
\[ \varphi : L(D) \to L(D'),\qquad g \mapsto fg, \]
and prove that $\varphi$ is an isomorphism.
- $\varphi$ is well defined, since $g \in L(D) \Rightarrow \operatorname{div} g \ge -D \Rightarrow \operatorname{div} f + \operatorname{div} g \ge -D + \operatorname{div} f \Rightarrow \operatorname{div}(fg) \ge -D + \operatorname{div} f = -D' \Rightarrow fg \in L(D')$.
- $\varphi$ is linear, since for all $g_1, g_2 \in L(D)$ and $\lambda \in \bar K$, $\varphi(g_1 + \lambda g_2) = f(g_1 + \lambda g_2) = f g_1 + \lambda f g_2 = \varphi(g_1) + \lambda \varphi(g_2)$.
- $\varphi$ is invertible. Consider
\[ \psi : L(D') \to L(D),\qquad g \mapsto \frac{g}{f}. \]
  $\psi$ is well defined, since $f \in \bar K(C)^*$ and for all $g \in L(D')$, $\operatorname{div}(g/f) = \operatorname{div}(g) - \operatorname{div}(f) \ge -D' - \operatorname{div}(f) = -D$, so $g/f \in L(D)$.
  $\psi$ is linear: for all $\lambda \in \bar K$ and $g_1, g_2 \in L(D')$, $\psi(\lambda g_1 + g_2) = \lambda g_1/f + g_2/f = \lambda \psi(g_1) + \psi(g_2)$.


  For all $g \in L(D)$ and $g' \in L(D')$, $\psi \circ \varphi(g) = \psi(fg) = fg/f = g$ and $\varphi \circ \psi(g') = \varphi(g'/f) = f g'/f = g'$. Hence $\varphi$ is an isomorphism, and therefore $l(D) = l(D')$.

2.2.32 Proposition. [Sil09, p. 36] Let $C/K$ be a smooth curve and let $D \in \operatorname{Div}_K(C)$ (the group of divisors defined over $K$). Then $L(D)$ has a basis consisting of functions in $K(C)$.

2.2.33 Remark. [Sil09, p. 34] Let $g \in \bar K(C)^*$ and let $K_C = \operatorname{div}(\omega)$ be a canonical divisor of $C$. Then
\[ g \in L(K_C) \iff \operatorname{div} g \ge -\operatorname{div} \omega \iff \operatorname{div}(g\omega) \ge 0 \iff \forall P \in C,\ \operatorname{ord}_P(g\omega) \ge 0 \iff g\omega \text{ is regular}. \]
Since every differential form on $C$ has the form $g\omega$ for some $g \in \bar K(C)$, the map
\[ \theta_\omega : \{ \omega_1 \in \Omega_C : \omega_1 \text{ is regular} \} \to L(K_C),\qquad \omega_1 = f\omega \mapsto f \]
is an isomorphism.

2.2.34 Theorem (Riemann-Roch). Let $C$ be a smooth curve and let $K_C$ be a canonical divisor of $C$. There is an integer $g \ge 0$, called the genus of $C$, such that for all $D \in \operatorname{Div}(C)$,
\[ l(D) - l(K_C - D) = \deg(D) - g + 1. \]

Proof. See [Har77, p. 295 and following].

2.2.35 Lemma. Let $C$ be a smooth curve and $f \in \bar K(C)$ with $f \ne 0$. Then there are only finitely many points of $C$ at which $f$ has a pole or a zero. Further, if $f$ has no poles, then $f \in \bar K$.

2.2.36 Corollary. [Sil09, p. 35] Under the conventions of the Riemann-Roch theorem,
a) $l(K_C) = g$,
b) $\deg(K_C) = 2g - 2$,
c) if $\deg D > 2g - 2$, then $l(D) = \deg D - g + 1$.

Proof.
a) Let us apply Theorem 2.2.34 to $D = 0 = \sum_{P \in C} 0\,(P)$. We have $l(0) - l(K_C) = \deg(0) - g + 1$, i.e. $l(0) = l(K_C) - g + 1$. But
\[ L(0) = \{ f \in \bar K(C)^* : \operatorname{div}(f) \ge 0 \} \cup \{0\} = \{ f \in \bar K(C)^* : \forall P \in C,\ \operatorname{ord}_P(f) \ge 0 \} \cup \{0\} = \{ f \in \bar K(C)^* : f \text{ has no pole} \} \cup \{0\} = \bar K \]
by Lemma 2.2.35.


So $L(0) = \bar K$ and $l(0) = 1$. Hence $l(K_C) = g$.
b) Let us apply Theorem 2.2.34 to $D = K_C$. We have $l(K_C) - l(0) = \deg(K_C) - g + 1$. Since $l(K_C) = g$ and $l(0) = 1$, we get $\deg(K_C) = 2g - 2$.
c) By b), $\deg(K_C - D) = \deg(K_C) - \deg(D) = 2g - 2 - \deg(D) < 0$. So $l(K_C - D) = 0$ by Proposition 2.2.31, and Theorem 2.2.34 applied to $D$ gives $l(D) = \deg(D) - g + 1$.

2.2.37 Remark. [Sil09, p. 35] Let $C = \mathbb{P}^1$. Remark 2.2.25 shows that there are no regular differentials on $\mathbb{P}^1$. Using the identification of Remark 2.2.33, we have $L(K_C) = 0$. Then by Corollary 2.2.36 we see that $\mathbb{P}^1$ has genus $0$, and Theorem 2.2.34 reads
\[ l(D) - l(-2(\infty) - D) = \deg D + 1. \]
In particular, if $\deg D \ge -1$, then by Corollary 2.2.36 we have $l(D) = \deg(D) + 1$.

In the next chapter we look at a particular case of algebraic curves: elliptic curves, which are interesting in cryptography because of their group law and the difficulty of solving the discrete logarithm problem on them.
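A worked instance of Corollary 2.2.36 for the case used in the next chapter, genus $g = 1$ (added here as an illustration; it is not part of the essay's text). Let $C$ be a smooth curve of genus $1$ and $O \in C$ a point. Parts a) and b) give
\[ l(K_C) = g = 1, \qquad \deg(K_C) = 2g - 2 = 0. \]
For $D = n(O)$ with $n \ge 1$ we have $\deg D = n > 0 = 2g - 2$, so part c) gives
\[ l(n(O)) = \deg(n(O)) - g + 1 = n - 1 + 1 = n. \]
Hence $L((O)) = \bar K$ (the constants, by Lemma 2.2.35), $L(2(O))$ has a basis $\{1, x\}$ with $\operatorname{ord}_O(x) = -2$, and $L(3(O))$ has a basis $\{1, x, y\}$ with $\operatorname{ord}_O(y) = -3$. The seven functions $1, x, y, x^2, xy, y^2, x^3$ all lie in $L(6(O))$, which has dimension $6$, so they satisfy a non trivial linear relation; since $y^2$ and $x^3$ are the only two with a pole of order exactly $6$ at $O$, both appear in the relation, which after scaling has the shape of the Weierstrass equation (3.1.1). This is the argument behind Proposition 3.1.4 a).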

3. Elliptic Curves

In this chapter we present the relevant properties of elliptic curves. We start with a study of elliptic curves over a general field. We prove the geometric and algebraic group law on elliptic curves. Then we briefly present the relevant properties of elliptic curves over a finite field, where we prove Hasse's Theorem and Weil's Theorem, which are crucial for bounding and counting points on elliptic curves (since in the algorithmic part of this essay we work on elliptic curves over finite fields).

3.1 Elliptic curve over a general field K

Recall that we are working in the projective plane P².

3.1.1 Definition. [Sil09, p. 59] An elliptic curve is a pair (E, O), where E is a non singular curve of genus one and O ∈ E. The elliptic curve E is defined over K, written E/K, if E is defined over K as a curve and O ∈ E(K). O is called the base point of the elliptic curve E (we will see it again in 3.1.5).
The following proposition characterizes an elliptic curve as a non singular curve defined by an equation called a Weierstrass Equation. Before that, let us state the following lemma.

3.1.2 Lemma. [Sil09, p. 48] Let E be a non singular curve defined over K by the "Weierstrass Equation" y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6. Then the "invariant" differential
$$\omega = \frac{dx}{2y + a_1 x + a_3} = \frac{dy}{3x^2 + 2a_2 x + a_4 - a_1 y}$$
is an element of Ω_E, and ω has neither zeros nor poles, i.e., div(ω) = 0.

3.1.3 Lemma. [Sil09, p. 48] If a curve E given by a Weierstrass equation is singular, then there exists a rational map φ : E −→ P¹ of degree one, i.e., the curve E is birational to P¹.
The following proposition characterizes an elliptic curve by a Weierstrass Equation.

3.1.4 Proposition. [Sil09, p. 59] Let E be an elliptic curve defined over K.
a) There exist functions x, y ∈ K(E) such that the map φ : E −→ P², φ = [x, y, 1], gives an isomorphism of E/K onto a curve given by a Weierstrass Equation
$$C : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (3.1.1)$$
with coefficients a1, ···, a6 ∈ K and φ(O) = [0, 1, 0]. The functions x and y are called Weierstrass coordinates for the elliptic curve E.
b) Any two Weierstrass equations for E as in 3.1.1 are related by a linear change of variables of the form
$$x = u^2 x' + r, \qquad y = u^3 y' + s u^2 x' + t$$
with u ∈ K* and r, s, t ∈ K.


c) Conversely, every smooth cubic curve C given by a Weierstrass equation 3.1.1 is an elliptic curve over K with base point (Definition 3.1.1) O = [0, 1, 0].
Proof. [Sil09, p. 59]
a) Let us consider the spaces L(n(O)) for n = 1, 2, ···. Corollary 2.2.36 applied with g = 1 (since E has genus 1 by definition) shows that ∀n ≥ 1, dim(L(n(O))) = l(n(O)) = n. By Proposition 2.2.32, since 1 ∈ K(E), we can choose (incomplete basis theorem) x, y ∈ K(E) so that {1, x} is a basis of L(2(O)) and {1, x, y} is a basis of L(3(O)). The element x must have a pole of exact order 2 at O. In fact, let f ∈ K(E)* be such that O is the unique pole of f and it is of order 2. So 1/f ∈ M_O² and ord_O(1/f) = 2. Since ord_O(1/f) = ord_O(1) − ord_O(f) = −ord_O(f), we have ord_O(f) = −2, hence f ∈ L(2(O)) and f = k1 + k2 x for some k1, k2 ∈ K. So k2 x = f − k1; O is a pole of order 2 of f − k1, so it is a pole of order 2 of x, and it is the unique pole of x (since it is the unique pole of f). Similarly, we can prove that y must have a pole of exact order 3 at O. Hence dim(L(6(O))) = 6 and L(6(O)) contains the seven functions 1, x, y, x², xy, y², x³. It follows that there is a linear relation
a1 + a2 x + a3 y + a4 x² + a5 xy + a6 y² + a7 x³ = 0.
We can take a1, ···, a7 ∈ K (not all zero) by Proposition 2.2.32. We must have a6 a7 ≠ 0. In fact, if a6 a7 = 0 then a6 = 0 or a7 = 0, and the remaining terms would all have poles of different orders at O, so all the a_i would vanish.
Replacing x and y by −a6 a7 x and a6 a7² y respectively and dividing by a6³ a7⁴, we get
$$y^2 - \frac{a_5}{a_6 a_7}\,xy + \frac{a_3}{a_6^2 a_7^2}\,y = x^3 - \frac{a_4}{a_6 a_7^2}\,x^2 + \frac{a_2}{a_6^2 a_7^3}\,x - \frac{a_1}{a_6^3 a_7^4},$$
i.e., y² + A1 xy + A3 y = x³ + A2 x² + A4 x + A6. This gives a map φ : E −→ P², φ = [x, y, 1], with x, y satisfying Equation 3.1.1. Let C = φ(E). By Proposition 2.2.7, since E is non singular, φ is a morphism. Then by Proposition 2.2.12, since φ is not constant, φ is surjective. φ(O) = [0, 1, 0] since y has a higher-order pole than x at O.
Now let us prove that φ : E −→ C ⊂ P² has degree one. It suffices to show that K(E) = K(x, y). Consider the map [x, 1] : E −→ P¹. The element x has a pole of order 2 at O and no other poles, hence by Proposition 2.2.14 this function has degree 2 and so [K(E) : K(x)] = 2. In the same way, [y, 1] : E −→ P¹ has degree 3, hence [K(E) : K(y)] = 3. Hence [K(E) : K(x, y)] divides both 2 and 3, so [K(E) : K(x, y)] = 1. Let us show that C is smooth.


Suppose C is singular. By Lemma 3.1.3 there is a rational map θ : C −→ P¹ of degree one. Hence θ ∘ φ : E −→ P¹ is a map of degree one between two smooth curves, so by Proposition 2.2.12, θ ∘ φ is an isomorphism. But the genus of E is one and the genus of P¹ is 0 (Remark 2.2.37): contradiction. Hence C is a smooth curve and by Proposition 2.2.12, φ : E −→ C is an isomorphism.
b) Let (x, y) and (x', y') be two sets of Weierstrass coordinate functions on E. Then x and x' have poles of order 2 at O, and y and y' have poles of order 3 at O. Hence {1, x} and {1, x'} are both bases of L(2(O)), and {1, x, y} and {1, x', y'} are both bases of L(3(O)). Thus there are constants u1, u2 ∈ K* and r, s2, t ∈ K such that x = u1 x' + r and y = u2 y' + s2 x' + t. Since (x, y) and (x', y') both satisfy the Weierstrass Equation 3.1.1, we get by identification u1³ = u2². Let us take u = u2/u1 and s = s2/u². Then u² = u1, u³ = u2, and we have x = u² x' + r and y = u³ y' + s u² x' + t.
c) Let E be a smooth curve given by the Weierstrass equation 3.1.1 and let g be its genus. By Lemma 3.1.2, the invariant differential ω of E is regular and non vanishing, hence div(ω) = 0. By Corollary 2.2.36 we have 0 = deg(div ω) = 2g − 2 ⇒ g = 1. Taking [0, 1, 0] as the point at infinity makes E into an elliptic curve.

3.1.5 Remark.
1) [Sil09, p. 61] Let E/K be an elliptic curve with Weierstrass coordinate functions x and y. Then K(E) = K(x, y) and [K(E) : K(x)] = 2.
2) The last proposition gives us another way of defining an elliptic curve. In fact, if (E, O) is an elliptic curve over K, we identify E with
{[x, y, 1] : y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6} ∪ {[0, 1, 0]} ⊂ P²(K).
Let us consider the non singular curve C of equation
$$y^2 z + a_1 xyz + a_3 y z^2 = x^3 + a_2 x^2 z + a_4 x z^2 + a_6 z^3. \qquad (3.1.2)$$
We have
C = {[x, y, z] : (x, y, z) satisfies 3.1.2 and z ≠ 0} ∪ {[0, 1, 0]}
  = {[x/z, y/z, 1] : (x/z, y/z, 1) satisfies 3.1.2} ∪ {[0, 1, 0]}
  = E.
Hence E can be represented by Equation 3.1.2. Let {U1, U2, U3} be the standard covering of P², with ∀i = 1, 2, 3, Ui = {[x1, x2, x3] ∈ P² : xi ≠ 0}.


The map
$$\phi_3 : \mathbb{A}^2 \longrightarrow U_3, \qquad (x, y) \longmapsto [x, y, 1]$$
is a homeomorphism (see [CFA+10, p. 49]) and we have
E = (E ∩ U3) ∪ (E ∩ (P² \ U3)) = (E ∩ A²) ∪ {[0, 1, 0]}.
E ∩ A² = {(x, y) ∈ K × K : y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6} is called the affine part of E, and [0, 1, 0] the point at infinity of E (denoted by O). As we see, if E is a smooth curve, then E ∩ A² is also a smooth curve, and we can write (x, y) instead of [x, y, 1] for [x, y, 1] ∈ E.

3.1.6 Example. Here the curve E1 is an elliptic curve but E2 is not an elliptic curve (singular at (0, 0)).
[Figure: (a) E1 : y² = x³ + 1; (b) E2 : y² = x³]

3.1.7 Definition. [Kra11, p. 5] Let L be an extension of K in K̄. Let P = [x, y, z] be a point of P². P is a rational point of L if there exists λ ∈ K̄ such that λx, λy, λz are elements of L. Equivalently, [x1, x2, x3] ∈ P² is rational on L if and only if ∃i ∈ {1, 2, 3} such that xi ≠ 0 and ∀j = 1, 2, 3, xj/xi ∈ L. We denote by P²(L) the set of rational points on L.
Let E be an elliptic curve of Equation 3.1.2.

3.1.8 Definition. [Kra11, p. 5] A point of E is rational on L if it is an element of E ∩ P²(L). We denote by E(L) = E ∩ P²(L) the set of rational points on L.

3.1.9 Remark. E(L) = {(x, y) ∈ L × L : y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6} ∪ {[0, 1, 0]}.

Now we want to define a geometric group law on an elliptic curve. First of all, let us prove the uniqueness of a line passing through two points on the curve.

3.1.10 Lemma. [Kra11, p. 8] Let P = [a1, a2, a3] and Q = [b1, b2, b3] be two points of P², P ≠ Q. There exists a unique line of P² passing through P and Q. This line is the set of points [x, y, z] ∈ P² such that
$$\begin{vmatrix} a_1 & b_1 & x \\ a_2 & b_2 & y \\ a_3 & b_3 & z \end{vmatrix} = 0,$$
i.e., ux + vy + wz = 0 with u = a2 b3 − a3 b2; v = a3 b1 − a1 b3; w = a1 b2 − a2 b1.


Proof. See A.0.5.
Let E be an elliptic curve defined by Equation 3.1.2. Put F(x, y, z) = y² z + a1 xyz + a3 y z² − x³ − a2 x² z − a4 x z² − a6 z³.

3.1.11 Definition. The tangent line of E at P ∈ P² is the line defined by the equation
$$\frac{\partial F}{\partial x}(P)\,x + \frac{\partial F}{\partial y}(P)\,y + \frac{\partial F}{\partial z}(P)\,z = 0.$$

3.1.12 Remark. [Kra11, p. 9]
1) The equation of the tangent line at O is z = 0.
2) Let P = [x0, y0, 1] be a point of E distinct from O. The equation of the tangent line at P is
$$\frac{\partial F}{\partial x}(P)\,(x - x_0 z) + \frac{\partial F}{\partial y}(P)\,(y - y_0 z) = 0.$$
3) Every line with equation x = λz is called a vertical line.
Let L be a line. Since the degree of the equation is 3, the line intersects E at 3 points P, Q, R (not necessarily distinct). This helps us to define a composition law on E.

3.1.13 Definition. [Sil09, p. 51] Let P, Q ∈ E, let L be the line passing through P and Q (if P = Q, L is the tangent line to E at P), and let R be the third point of intersection of L with E. Let L' be the line through R and O. Then L' intersects E at R, O and a third point. We denote this third point by P + Q. Hence we define the composition law + on E.

3.1.14 Lemma. [Sil09, p. 51] If a line L intersects E at the points P, Q, R (not necessarily distinct), then (P + Q) + R = O.
Proof. The third intersection point of the line passing through P and Q (which is L by Lemma 3.1.10) with E is R. The line L' passing through R and O intersects the curve at P + Q. The line passing through P + Q and R coincides with L' (since P + Q ∈ L'), so its third intersection point with the curve is O. The line passing through O and itself is the line z = 0 and it intersects the curve at O. Hence (P + Q) + R = O.

3.1.15 Proposition. The pair (E, +) is an abelian group.
Proof. First step: + is well defined by definition.
Second step: Neutral element. Let P ∈ E. Let us prove that P + O = P.
- If P = O, the line L passing through P and O is the tangent line at O, z = 0. The third intersection point of L and E is R = O, and the line L' passing through R and O (which is the line z = 0) intersects the curve at O. Hence O + O = O.


- If P ≠ O, P = [x1, y1, 1], the line L passing through P and O is the vertical line of equation x = x1 z (Lemma 3.1.10). L intersects E at a third point R. The line L' passing through R and O coincides with L (since L passes through O and R, and by Lemma 3.1.10 we have uniqueness), hence the third point of intersection of L' and E is P. Hence P + O = P.
- Since the line passing through P and O is the line passing through O and P (uniqueness by Lemma 3.1.10), we also have O + P = P.
Hence O is the neutral element of (E, +).
Third step: Inverse. Let P ∈ E and let us find Q ∈ E such that P + Q = O.
. If P = O, it suffices to take Q = O.
. If P ≠ O, the line L passing through P and O intersects the curve (by definition) at the three (not necessarily distinct) points P, O and Q. By Lemma 3.1.14 we have (P + O) + Q = O, i.e., P + Q = O.
Hence there exists a point Q such that P + Q = O, which is naturally denoted by −P.
Fourth step: Abelian. Let P, Q ∈ E. Since the line passing through P and Q is the same as the line passing through Q and P, they intersect the curve at the same point R, and the line passing through R and O intersects the curve at P + Q = Q + P.
Fifth step: Associativity. Let P, Q, R ∈ E. We will show that (P + Q) + R = P + (Q + R). It suffices to prove that −((P + Q) + R) = −(P + (Q + R)). Let us denote by (P, Q) the line passing through P and Q. The union of the lines (P, Q), (P + Q, R) and (Q + R, O) defines a cubic curve C (the equation of C is the product of the equations of the lines). The union of the lines (P + Q, O), (Q, R) and (Q + R, P) defines a cubic curve C'. The cubic curves C and C' each intersect E at 9 points, and they have 8 common points: P, Q, R, O, P + Q, −(P + Q), Q + R, −(Q + R). By Noether's Fundamental Theorem (see [Men11, p. 16]), the 9th intersection point of E and C is also the 9th intersection point of E and C'. But the 9th intersection point of E and C is −((P + Q) + R) and the 9th intersection point of E and C' is −(P + (Q + R)). Hence we have −((P + Q) + R) = −(P + (Q + R)), and then (P + Q) + R = P + (Q + R).


We have proved that we can define an elliptic curve by a Weierstrass Equation, but not every Weierstrass Equation defines an elliptic curve (see the singular curve E2 of Example 3.1.6). Let us have a look at the characterization of the non singularity of a curve defined by a Weierstrass Equation. Let E be an elliptic curve defined by the Weierstrass equation 3.1.1. For (x, y) ∈ E, we have
y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6 ⇔ y(y + a1 x + a3) = x³ + a2 x² + a4 x + a6.
By the change of variable y ↦ (1/2)(y1 − a1 x − a3) we obtain y1² = 4x³ + (4a2 + a1²)x² + (2a1 a3 + 4a4)x + 4a6 + a3². Set b2 = 4a2 + a1²; b4 = a1 a3 + 2a4; b6 = 4a6 + a3². We have y1² = 4x³ + b2 x² + 2b4 x + b6. Let us define b8 = a1² a6 + 4a2 a6 − a1 a3 a4 + a2 a3² − a4²; c4 = b2² − 24b4; c6 = −b2³ + 36b2 b4 − 216b6 and
Δ = −b2² b8 − 8b4³ − 27b6² + 9b2 b4 b6.
We have b2 b6 − b4² = 4b8 and c4³ − c6² = 1728Δ.

3.1.16 Definition. [Sil09, p. 43] The quantity Δ is called the discriminant of the Weierstrass equation.

3.1.17 Example. The curve C : y² = x³ + x + 1 defined over Q has discriminant −496.

Now let us characterize the non singularity of an elliptic curve in terms of the discriminant.

3.1.18 Proposition. [Sil09, p. 45] Let E be a curve defined by a Weierstrass equation 3.1.2. Then E is non singular if and only if Δ ≠ 0.

Since every elliptic curve can be characterized by a Weierstrass equation, we can now use that equation to define the addition law on elliptic curves.

3.1.19 Proposition. [Sil09, p. 53] Let E be an elliptic curve given by the Weierstrass equation 3.1.2.
a) If P0 = (x0, y0) ∈ E then −P0 = (x0, −y0 − a1 x0 − a3).
b) Let P1 = (x1, y1), P2 = (x2, y2) ∈ E and P3 := P1 + P2 = (x3, y3).
i) If x1 = x2 and y1 + y2 + a1 x2 + a3 = 0, then P1 + P2 = O.
ii) If not, set
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad \mu = \frac{y_1 x_2 - y_2 x_1}{x_2 - x_1} \qquad \text{if } x_1 \neq x_2,$$
and
$$\lambda = \frac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}, \qquad \mu = \frac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3} \qquad \text{if } x_1 = x_2 \text{ and } y_1 + y_2 + a_1 x_1 + a_3 \neq 0.$$
Then P3 is given by x3 = λ² + a1 λ − a2 − x1 − x2 and y3 = −(λ + a1)x3 − μ − a3.
Proof. See A.0.6.

3.1.20 Example. For the elliptic curve E : y² = x³ + 6x² + 5x + 1 over the field F17, P = (0, 1) and Q = (6, 15), we have P + Q = (1, 8); 2P = (13, 9); 3P + 2Q = (6, 2).

3.1.21 Lemma. [Sil09, p. 61] Let (E, O) be an elliptic curve and let P, Q ∈ E. Then (P) ∼ (Q) (where ∼ is the relation defined in Proposition 2.2.18) iff P = Q.


3.1.22 Proposition. [Sil09, p. 61] Let (E, O) be an elliptic curve.
a) For every D ∈ Div⁰(E), there exists a unique point P_D ∈ E such that D ∼ (P_D) − (O).
b) The map
$$\sigma : \mathrm{Div}^0(E) \longrightarrow E, \qquad D \longmapsto P_D \text{ such that } D \sim (P_D) - (O)$$
is surjective.
c) Let D1, D2 ∈ Div⁰(E); then σ(D1) = σ(D2) if and only if D1 ∼ D2. So σ induces a bijection
$$\tilde{\sigma} : \mathrm{Pic}^0(E) \longrightarrow E, \qquad \overline{D} \longmapsto P_D$$
having inverse
$$\theta : E \longrightarrow \mathrm{Pic}^0(E), \qquad P \longmapsto \overline{(P) - (O)} = \text{the divisor class of } (P) - (O).$$
d) The geometric group law described by Definition 3.1.13 and the "algebraic group law" induced from Pic⁰(E) using σ are the same.
Proof.
a) Let f ∈ L(D + (O))*. Since the degree of D + (O) is 1, by Corollary 2.2.36 (the genus being one) dim(L(D + (O))) = 1. There are integers n_P such that
$$\mathrm{div}(f) + D + (O) = \sum_{P \in E} n_P (P) \geq 0.$$
Since deg(div(f) + D + (O)) = 1 (because deg(div(f)) = 0 and deg(D + (O)) = 1), there is P ∈ E such that div(f) + D + (O) = (P) ⇒ div(f) = (P) − D − (O) ⇒ (P) ∼ D + (O). If there is Q such that div(f) = (Q) − D − (O), we have (Q) ∼ D + (O) ∼ (P) ⇒ (Q) ∼ (P) ⇒ Q = P by Lemma 3.1.21. Hence we have the uniqueness of P = P_D.
b) Let us consider the map
$$\sigma : \mathrm{Div}^0(E) \longrightarrow E, \qquad D \longmapsto P_D.$$
The existence and uniqueness of P_D show that σ is well defined. If P ∈ E, we have σ((P) − (O)) = P. Hence σ is surjective.
c) Let D1, D2 ∈ Div⁰(E) be such that P_{D1} = σ(D1) = σ(D2) = P_{D2}. Then D1 ∼ (P_{D1}) − (O) ∼ (P_{D2}) − (O) ∼ D2. Reciprocally, D1 ∼ D2 ⇒ (P_{D1}) − (O) ∼ (P_{D2}) − (O) ⇒ (P_{D1}) ∼ (P_{D2}),


and hence P_{D1} = P_{D2} by Lemma 3.1.21. We can now define a bijection
$$\tilde{\sigma} : \mathrm{Pic}^0(E) \longrightarrow E, \qquad \overline{D} \longmapsto P_D$$
(since Pic⁰(E) = Div⁰(E)/∼). The inverse of σ̃ is
$$\theta : E \longrightarrow \mathrm{Pic}^0(E), \qquad P \longmapsto (P) - (O) + \mathrm{Div}(p)(E) = \overline{(P) - (O)}.$$
d) It suffices to show that ∀P, Q ∈ E, θ(P + Q) = θ(P) + θ(Q), where the first + is the geometric addition and the second is the addition in Pic⁰(E). Let L be the line passing through P and Q, and let R be the third intersection point of L and E. Let L' be the line passing through R and O. Set L : f(x, y, z) = ax + by + cz = 0 and L' : f'(x, y, z) = a'x + b'y + c'z = 0. We know that the line L'' : z = 0 intersects E at O with multiplicity 3 (since O is the only point of intersection of E and L''). So div(f/z) = div(f) − div(z) = (P) + (Q) + (R) − 3(O) and div(f'/z) = div(f') − div(z) = (R) + (P + Q) − 2(O). Hence (P + Q) − (P) − (Q) + (O) = div(f'/f) ∼ 0. So (P + Q) ∼ (P) + (Q) − (O), and then (P + Q) − (O) ∼ ((P) − (O)) + ((Q) − (O)). Hence θ(P + Q) = θ(P) + θ(Q). Thus θ is a bijective homomorphism and we can identify the geometric law with the algebraic law.

3.1.23 Corollary. [Sil09, p. 63] Let E be an elliptic curve and $D = \sum_{P \in E} n_P (P) \in \mathrm{Div}^0(E)$. Then D is principal iff
$$\sum_{P \in E} n_P P = O \quad \text{and} \quad \sum_{P \in E} n_P = 0,$$
where
$$n_P P = \begin{cases} \underbrace{P + \cdots + P}_{n_P \text{ times}} & \text{if } n_P \geq 0, \\[4pt] \underbrace{-P - \cdots - P}_{-n_P \text{ times}} & \text{if } n_P < 0. \end{cases}$$

Proof. Note that the map θ is a bijective group homomorphism, hence σ̃ is also a bijective group homomorphism. Let D be a principal divisor. Then deg(D) = deg(div(f)) = 0 for some f. We have D ∈ Div⁰(E) and
$$D \sim 0 = (O) - (O) \iff \tilde{\sigma}(\overline{D}) = O.$$
So
$$O = \tilde{\sigma}(\overline{D}) = \sum_{P \in E} n_P\, \tilde{\sigma}\big(\overline{(P)}\big)$$
since σ̃ is a homomorphism. We have
$$O = \sum_{P \in E} n_P\, \tilde{\sigma}\big(\overline{(P)}\big) = \sum_{P \in E} n_P\, \tilde{\sigma}\big(\overline{(P) - (O)}\big)$$
since (P) ∼ (P) − (O). In fact, ∀P ∈ E, (P) − ((P) − (O)) = (O) and (O) = div(f) where f ∈ K(C) is such that f has a unique pole of order 1 at O. Hence ∀P ∈ E, (P) − ((P) − (O)) = (O) ∈ Div(p)(C). Hence
$$O = \sum_{P \in E} n_P\, \tilde{\sigma}\big(\overline{(P) - (O)}\big) = \sum_{P \in E} n_P\, (\tilde{\sigma} \circ \theta)(P) = \sum_{P \in E} n_P P.$$
Furthermore, $\deg(D) = 0 \iff \sum_{P \in E} n_P = 0$.

Note that by Definition 3.1.13, + and − are rational maps. We have worked on the geometry of individual elliptic curves. We now look at maps between elliptic curves. Since an elliptic curve has a distinguished zero, it is important to look at the maps which respect that property.

3.1.24 Definition. [Sil09, p. 66] Let (E1, O1) and (E2, O2) be elliptic curves. An isogeny from E1 to E2 is a morphism ϕ : E1 −→ E2 satisfying ϕ(O1) = O2. E1 and E2 are isogenous if there is an isogeny ϕ from E1 to E2 with ϕ(E1) ≠ {O2}. By Proposition 2.2.8, an isogeny satisfies either ϕ(E1) = {O2} or ϕ(E1) = E2. We denote by Hom(E1, E2) the set of isogenies from E1 to E2. (Hom(E1, E2), +) is an abelian group. The degree of an isogeny is the degree of the finite extension K(E1)/ϕ*(K(E2)). Let ϕ : E1 −→ E2 be an isogeny; since either ϕ(E1) = {O2} or ϕ(E1) = E2, deg(ϕ) = 0 implies ϕ = [0], where
$$[0] : E_1 \longrightarrow E_2, \qquad P \longmapsto [0](P) = O_2.$$

3.1.25 Example. The maps + and − are isogenies.

3.1.26 Theorem. [TF11, p. 21] Let ϕ : E1 −→ E2 be an isogeny. Then ϕ is a group homomorphism.

3.1.27 Proposition. [Sil09, p. 68] Let E/K be an elliptic curve and m ∈ Z, m ≠ 0. Then the map [m] : E −→ E, ∀P ∈ E, [m]P = mP, is a non constant isogeny.

3.1.28 Corollary. [Sil09, p. 72] Let ϕ : E1 −→ E2 be a non zero isogeny. Then ker(ϕ) is a finite group.
Proof. Since ϕ is a homomorphism, ker(ϕ) is a subgroup of E1, which is finite since
$$\sum_{P \in \ker(\varphi)} e_\varphi(P) = \deg(\varphi) < \infty$$
(from Proposition 2.2.14).

3.1.29 Theorem. [Sil09, p. 73] Let ϕ : E1 −→ E2 be a non zero separable isogeny. Then ϕ is unramified and card(ker(ϕ)) = deg(ϕ); moreover, K(E1) is a Galois extension of ϕ*(K(E2)) (see [Mil14, p. 38] for the definition of a Galois extension).


3.1.30 Proposition. [Sil09, p. 86] Let E be an elliptic curve and let m ∈ Z with m 6= 0. Then deg[m] = m2 .

3.2 Elliptic curves over finite fields

In this section, we study elliptic curves defined over a finite field F_q. We start with the Frobenius endomorphism and we continue with the theorem of Hasse, which helps us to bound the number of elements of E(F_q). Notation: q = p^m, p a prime number, m ∈ N; F_q: the finite field of q elements; F̄_q: an algebraic closure of F_q; Gal(F̄_q/F_q): the Galois group of F̄_q over F_q (see [Mil14, p. 37]). Let E/F_q be an elliptic curve defined over a finite field. We need to estimate the number of solutions to Equation 3.1.1 with (x, y) ∈ F_q².

The Frobenius endomorphism

3.2.1 Definition. Let E be an elliptic curve. The Frobenius endomorphism is the isogeny defined by φ_q : E −→ E, (x, y) ↦ (x^q, y^q).

3.2.2 Lemma. Let (x, y) ∈ E(F̄_q).
i) φ_q(x, y) ∈ E(F̄_q).
ii) (x, y) ∈ E(F_q) ⇔ φ_q(x, y) = (x, y).
Proof. Suppose that E is defined by Equation (3.1.1). If q = p^m with p prime and m ∈ N, then char(F̄_q) = p and
$$\forall \alpha, \beta \in \bar{F}_q,\ (\alpha + \beta)^q = \alpha^q + \beta^q \qquad (\star)$$
$$\forall \alpha \in F_q,\ \alpha^q = \alpha \qquad (\star\star)$$
i) Let (x, y) ∈ E(F̄_q). Raising the equation of E to the q-th power and using (⋆) (the coefficients a_i ∈ F_q are fixed by (⋆⋆)), we get (y^q)² + a1 x^q y^q + a3 y^q = (x^q)³ + a2 (x^q)² + a4 x^q + a6. So (x^q, y^q) ∈ E(F̄_q), i.e., φ_q(x, y) ∈ E(F̄_q).
ii) By (⋆⋆), (x, y) ∈ E(F_q) ⇔ x, y ∈ F_q ⇒ (x^q, y^q) = (x, y) ⇔ φ_q(x, y) = (x, y). Reciprocally, ∀(x, y) ∈ E, φ_q(x, y) = (x, y) ⇒ (x^q, y^q) = (x, y) ⇒ x^q = x and y^q = y ⇒ x, y ∈ F_q (the elements of F̄_q fixed by α ↦ α^q are exactly those of F_q), so (x, y) ∈ E(F_q).

3.2.3 Proposition. [Sil09, p. 79] Let E be an elliptic curve defined over a field Fq of characteristic p, let φq be the Frobenius morphism, and let m, n ∈ Z. Then the map [m] + nφ : E −→ E is separable iff p - m. In particular [1] − φ is separable.


3.2.4 Definition. [Sil09, p. 85] Let A be an abelian group. A function d : A −→ R is a quadratic form if the following conditions are satisfied:
i) ∀α ∈ A, d(α) = d(−α).
ii) The pairing A × A −→ R, (α, β) ↦ d(α + β) − d(α) − d(β), is bilinear.
Recall that a quadratic form d is positive definite if it satisfies
a) ∀α ∈ A, d(α) ≥ 0;
b) ∀α ∈ A, d(α) = 0 ⇔ α = 0.

3.2.5 Lemma. [Sil09, p. 85] Let E1 and E2 be elliptic curves. The degree map deg : Hom(E1, E2) −→ Z is a positive-definite quadratic form.

3.2.6 Lemma. [Sil09, p. 138] Let A be an abelian group and let d : A −→ Z be a positive definite quadratic form. Then
$$\forall \psi, \phi \in A,\quad |d(\psi + \phi) - d(\phi) - d(\psi)| \leq 2\sqrt{d(\phi)\, d(\psi)}.$$

3.2.7 Theorem. [Sil09, p. 138] (Hasse) Let E/F_q be an elliptic curve defined over a finite field. Then
$$\big|\,|E(F_q)| - q - 1\,\big| \leq 2\sqrt{q}.$$
Equivalently, $\big|\sqrt{|E(F_q)|} - \sqrt{q}\big| \leq 1$. The set $H_q = [q - 1 - 2\sqrt{q},\ q - 1 + 2\sqrt{q}]$ is called the Hasse interval for q.
Proof. [Sil09, p. 138] Suppose E is defined by the Weierstrass equation 3.1.1 with coefficients in F_q. Let φ_q be the q-th power Frobenius endomorphism. By Lemma 3.2.2 we have ∀P ∈ E(F̄_q), P ∈ E(F_q) ⇔ φ_q(P) = P. Thus E(F_q) = ker([1] − φ_q). By Proposition 3.2.3 and Theorem 3.1.29 we find that |E(F_q)| = |ker([1] − φ_q)| = deg([1] − φ_q). Since the degree map on Hom(E, E) is a positive definite quadratic form (Lemma 3.2.5), Lemma 3.2.6 gives
$$\big|\,|E(F_q)| - \deg([1]) - \deg(\phi_q)\,\big| \leq 2\sqrt{\deg(\phi_q)\deg([1])}, \quad \text{i.e.,}\quad \big|\,|E(F_q)| - q - 1\,\big| \leq 2\sqrt{q}.$$

3.2.8 Example. Consider the elliptic curve defined over F101 by the equation y² + 2y = x³ + 8x² + 5x + 1. The point P = (5, 6) is a point of order 98, so |E(F101)| is a multiple of 98. By Hasse's Theorem, 79 ≤ |E(F101)| ≤ 121, hence |E(F101)| = 98.

3.2.9 Remark. By Hasse's Theorem, we have |E(F_q)| = q + 1 − t with |t| ≤ 2√q. The value t is called the Frobenius trace and the polynomial X² − tX + q is called the Frobenius polynomial. The next three results give us a way to compute the number of elements of E(F_{q^k}), k ∈ N.

3.2.10 Lemma. [Sil09, p. 143] Let φ_q be the Frobenius endomorphism and t the Frobenius trace. Then φ_q² − tφ_q + q = 0. Furthermore, t is the unique integer k such that φ_q² − kφ_q + q = 0, i.e., ∀P ∈ E(F̄_q), (φ_q ∘ φ_q)(P) − kφ_q(P) + qP = O.


3.2.11 Lemma. [Sil09, p. 142] Let α, β ∈ C be the roots of the Frobenius polynomial and ∀k ∈ N set s_k = α^k + β^k. We have s0 = 2, s1 = t ∈ Z and ∀k ≥ 1, s_{k+1} = t s_k − q s_{k−1}.
Proof. We know that X² − tX + q = (X − α)(X − β), where t = α + β and q = αβ. We proceed by induction. Since α² − tα + q = 0 and β² − tβ + q = 0, we have s2 = α² + β² = t(α + β) − 2q = t s1 − q s0 ∈ Z, which is the result for k = 1. Suppose that for some k ∈ N, s_{k+1} = t s_k − q s_{k−1}. Multiplying α² − tα + q = 0 and β² − tβ + q = 0 by α^k and β^k respectively gives α^{k+2} = tα^{k+1} − qα^k and β^{k+2} = tβ^{k+1} − qβ^k. Then s_{k+2} = α^{k+2} + β^{k+2} = t s_{k+1} − q s_k ∈ Z. Hence we have the result.

3.2.12 Theorem. [Sil09, p. 142] (Weil) Let E/F_q be an elliptic curve, let φ_q be the Frobenius endomorphism and let α, β ∈ C be the roots of the Frobenius polynomial. Then ∀n ∈ N, |E(F_{q^n})| = q^n + 1 − α^n − β^n.
Proof. Let n ∈ N and let us consider the polynomial
$$f_n(X) = (X^n - \alpha^n)(X^n - \beta^n) = X^{2n} - (\alpha^n + \beta^n)X^n + q^n \in \mathbb{Z}[X].$$
Since α and β are roots of f_n, X² − tX + q divides f_n and we have f_n = (X² − tX + q)H_n(X). But by Lemma 3.2.10, φ_q² − tφ_q + q = 0, so
$$\phi_q^{2n} - (\alpha^n + \beta^n)\phi_q^n + q^n = (\phi_q^2 - t\phi_q + q)H_n(\phi_q) = 0.$$
Since φ_q^n = φ_{q^n}, we have
$$\phi_{q^n}^2 - (\alpha^n + \beta^n)\phi_{q^n} + q^n = \phi_q^{2n} - (\alpha^n + \beta^n)\phi_q^n + q^n = 0.$$
By Lemma 3.2.10 there is a unique r ∈ Z such that φ_{q^n}² − rφ_{q^n} + q^n = 0, namely r = q^n + 1 − |E(F_{q^n})|. Hence r = α^n + β^n ∈ Z (Lemma 3.2.11) and |E(F_{q^n})| = q^n + 1 − (α^n + β^n).

3.2.13 Example. For the elliptic curve E : y² = x³ + 2x + 1 defined over F7, we have E(F7) = {(0, 1), (0, 6), (1, 2), (1, 5)} ∪ {[0, 1, 0]} and |E(F7)| = 5. The Frobenius trace is t = −|E(F7)| + 7 + 1 = 3, so the Frobenius polynomial is X² − 3X + 7. Its roots are $\alpha = \frac{3}{2} - \frac{i\sqrt{19}}{2}$ and $\beta = \frac{3}{2} + \frac{i\sqrt{19}}{2}$. Hence we have |E(F_{7^{10}})| = 7^{10} + 1 − (α^{10} + β^{10}) = 282507775.
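As an added example (not the thesis's Sage code), the point count of Example 3.2.13, the Frobenius trace of Remark 3.2.9, the integer recurrence of Lemma 3.2.11 and the extension-field count of Theorem 3.2.12, computed over any prime field F_p; the function names are my own, and the extension count never touches the complex roots α, β.

```python
# Added example, not from the thesis: point counting over F_p (p prime),
# the Frobenius trace, and |E(F_{p^n})| via the recurrence of Lemma 3.2.11.


def affine_points(p, a1, a2, a3, a4, a6):
    """Affine F_p-points of y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6,
    found by exhaustion (fine for the small p of the examples)."""
    points = []
    for x in range(p):
        rhs = (x ** 3 + a2 * x * x + a4 * x + a6) % p
        for y in range(p):
            if (y * y + a1 * x * y + a3 * y) % p == rhs:
                points.append((x, y))
    return points


def count_points(p, a1, a2, a3, a4, a6):
    """|E(F_p)|: the affine points plus the point at infinity O."""
    return len(affine_points(p, a1, a2, a3, a4, a6)) + 1


def in_hasse_interval(count, q):
    """Hasse (Theorem 3.2.7): | |E(F_q)| - q - 1 | <= 2 sqrt(q),
    checked without floating point by squaring both sides."""
    return (count - q - 1) ** 2 <= 4 * q


def frobenius_trace(count, q):
    """Remark 3.2.9: |E(F_q)| = q + 1 - t, so t = q + 1 - |E(F_q)|."""
    return q + 1 - count


def power_sums(t, q, n):
    """s_k = alpha^k + beta^k for the roots alpha, beta of X^2 - tX + q
    (Lemma 3.2.11): s_0 = 2, s_1 = t, s_{k+1} = t s_k - q s_{k-1}.
    Returns [s_0, ..., s_n]; every s_k is an integer."""
    s = [2, t]
    for _ in range(1, n):
        s.append(t * s[-1] - q * s[-2])
    return s[:n + 1]


def count_extension(count, q, n):
    """Weil (Theorem 3.2.12): |E(F_{q^n})| = q^n + 1 - (alpha^n + beta^n),
    obtained from |E(F_q)| alone."""
    t = frobenius_trace(count, q)
    return q ** n + 1 - power_sums(t, q, n)[n]


if __name__ == "__main__":
    # Example 3.2.13: y^2 = x^3 + 2x + 1 over F_7.
    n7 = count_points(7, 0, 0, 0, 2, 1)
    print(affine_points(7, 0, 0, 0, 2, 1), n7, frobenius_trace(n7, 7))
    print(count_extension(n7, 7, 10))
    # Example 3.2.8: y^2 + 2y = x^3 + 8x^2 + 5x + 1 over F_101.
    n101 = count_points(101, 0, 8, 2, 5, 1)
    print(n101, in_hasse_interval(n101, 101))
```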

4. The Discrete Logarithm Problem in Elliptic Curve Cryptography

In this chapter we will first define the Discrete Logarithm Problem and some attacks on it. After that, we will study some algorithms for encryption and decryption in the Diffie-Hellman and ElGamal cryptosystems. It is important to recall that we work on elliptic curves over a finite field F_q.

4.1 The Discrete Logarithm Problem

4.1.1 Definition. [Sil09, p. 376] Let G be a multiplicative abelian group and let x, y ∈ G such that y is in the subgroup generated by x. The discrete logarithm problem in that setting (DLP) is the problem of determining m ≥ 1 such that x^m = y.
In this section we will work particularly on E(F_q), where q = p^n, p prime and n ∈ N. So we must define the DLP in that group.

4.1.2 Definition. The DLP for an elliptic curve E(F_q) and P, Q ∈ E(F_q) is to determine m such that mP = Q.

Attacks on the DLP

We define an attack on the DLP as a way to solve it. Here we present the Baby step-Giant step method in a general group G.

Specification of the DLP
Input: x, y ∈ G; x has order N.
Output: k : N satisfying (∃m ∈ N : y = x^m) ⇒ (k = m).

The Baby step-Giant step method

4.1.3 Proposition. [Sil09, p. 138] (Shanks' Algorithm) The following algorithm developed by Shanks solves the DLP in O(√N log N) steps with O(√N) storage. It is good for moderate sized N.
1) Let n be the smallest integer at least √N.
2) Make a list of the elements x, x², ···, x^n.
3) Set z = (x^n)^{−1} and make the list of the elements yz, yz², ···, yz^n.
4) Look for a match between the lists 2) and 3): if ∃i, j ∈ N such that x^i = yz^j then y = x^{i+jn}. Otherwise there is no m such that y = x^m (in that case the proposition (∃m ∈ N : y = x^m) is false and the algorithm does not return anything).


Proof. Suppose there is m ∈ N, 0 ≤ m < N, such that y = x^m. Put m = nj + i with i, j ∈ N, 0 ≤ i < n (Euclidean division). We have
$$0 \leq j = \frac{m - i}{n} \leq \frac{N - i}{n} \leq \frac{n^2 - i}{n} = n - \frac{i}{n} \leq n \qquad \text{since } n \geq \sqrt{N}.$$
Then x^i is in the list 2) and yz^j = yx^{−jn} is in the list 3). So there is a match x^i = x^{m−jn} = yx^{−jn} = yz^j, and y = x^i z^{−j} = x^{i+jn}.
Let n be the smallest integer at least √N. We have 2n + 1 group operations for the construction of the lists 2) and 3), i.e., O(n) group operations. To sort the elements in the lists 2) and 3) takes O(n log n) operations (with a sorting algorithm like Mergesort for example), and to check whether any particular element of 3) coincides with an element of 2) takes O(log n) operations, i.e., O(n log n) for the whole list. Altogether the running time is O(n) + O(n log n) + O(n log n) = O(n log n) = O(√N log N) operations (steps), since √N ≤ n ≤ √N + 1. Since the two lists 2) and 3) are stored, the Baby step-Giant step algorithm takes O(√N) storage.

Let us now present the analogue of the Baby step-Giant step in an elliptic curve E(F_q) of order N.
Protocol on elliptic curves [Was12, p. 146]
1) Fix m ≥ √N and compute mP.
2) Make and store a list of iP for 0 ≤ i ≤ m.
3) Compute the points Q − jmP for j = 0, ···, m − 1 until one matches an element from the list 2).
4) If iP = Q − jmP, we have Q = kP with k ≡ i + jm (mod N).
Correctness. This algorithm works: in fact, since N ≤ m², we have 0 ≤ k ≤ m² and there are k0, k1 ∈ Z such that k = mk1 + k0 with 0 ≤ k0 < m. Then k1 = (k − k0)/m ≤ k/m ≤ m, hence Q − k1(mP) = kP − k1(mP) = (k − k1 m)P = k0 P. So there is always a match, i.e., k always exists.

4.1.4 Example. Let us work on E(F599) with E : y² = x³ + 1. If P = (60, 19) and Q = (277, 239), the solution of the DLP Q = kP is k = 266 (see Algorithm B.1 for the pseudocode and follow the link Example to get the Sage file).
NB: We may not need to know the order N of E(F_q), since by Hasse's theorem we can take m ≥ √(q + 1 + 2√q). An improved method consists of storing only the points iP for 0 ≤ i ≤ m/2 and checking whether Q − jmP = ±iP. This method terminates (since we are sure to get a match after O(√N) steps). The Baby step-Giant step is one of the fastest algorithms for the DLP on general elliptic curves. Its disadvantage is that it takes a lot of storage. The Pollard-Rho method runs in roughly the same time (which is O(√N), see [Sil09, p. 382-386]) as the Baby step-Giant step but takes very little storage.
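As an added example serving both the group law of Proposition 3.1.19 (checked on Example 3.1.20 and the discriminant of Example 3.1.17) and the Baby step-Giant step protocol above (checked on Example 4.1.4), here is plain Python rather than the thesis's Sage code; the class and function names are my own, and the bound on the order of P is taken from Hasse's theorem as the NB suggests.

```python
# Added example, not the thesis's Sage code: the affine group law of
# Proposition 3.1.19 on a general Weierstrass curve over F_p, the discriminant
# of Definition 3.1.16, and the Baby step-Giant step solver of Section 4.1.
from math import isqrt

O = None  # the point at infinity [0, 1, 0]


def discriminant(a1, a2, a3, a4, a6):
    """Delta of Definition 3.1.16, via the quantities b2, b4, b6, b8."""
    b2 = a1 * a1 + 4 * a2
    b4 = a1 * a3 + 2 * a4
    b6 = a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return -b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6


class Curve:
    """y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6 over F_p (p odd prime).
    A point is a tuple (x, y) of residues mod p, or O."""
    def __init__(self, p, a1, a2, a3, a4, a6):
        if discriminant(a1, a2, a3, a4, a6) % p == 0:
            raise ValueError("singular curve (Proposition 3.1.18)")
        self.p, self.a = p, tuple(c % p for c in (a1, a2, a3, a4, a6))

    def contains(self, P):
        if P is O:
            return True
        a1, a2, a3, a4, a6 = self.a
        x, y = P
        lhs = y * y + a1 * x * y + a3 * y
        return (lhs - x ** 3 - a2 * x * x - a4 * x - a6) % self.p == 0

    def neg(self, P):
        """Proposition 3.1.19 a): -(x0, y0) = (x0, -y0 - a1 x0 - a3)."""
        if P is O:
            return O
        a1, _, a3, _, _ = self.a
        x, y = P
        return (x, (-y - a1 * x - a3) % self.p)

    def add(self, P, Q):
        """Proposition 3.1.19 b): P + Q via the slope lambda and intercept mu."""
        if P is O:
            return Q
        if Q is O:
            return P
        p = self.p
        a1, a2, a3, a4, a6 = self.a
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2 + a1 * x2 + a3) % p == 0:
            return O  # case i): Q = -P, the line is vertical
        if x1 != x2:  # case ii), secant line through P and Q
            inv = pow(x2 - x1, -1, p)
            lam = (y2 - y1) * inv % p
            mu = (y1 * x2 - y2 * x1) * inv % p
        else:  # case ii), tangent line at P = Q
            inv = pow(2 * y1 + a1 * x1 + a3, -1, p)
            lam = (3 * x1 * x1 + 2 * a2 * x1 + a4 - a1 * y1) * inv % p
            mu = (-x1 ** 3 + a4 * x1 + 2 * a6 - a3 * y1) * inv % p
        x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
        y3 = (-(lam + a1) * x3 - mu - a3) % p
        return (x3, y3)

    def mul(self, k, P):
        """kP by double-and-add; a negative k uses -P."""
        if k < 0:
            k, P = -k, self.neg(P)
        R = O
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def hasse_bound(q):
    """Integer >= q + 1 + 2 sqrt(q) >= |E(F_q)| (Theorem 3.2.7), as in the NB."""
    return q + 2 + isqrt(4 * q)


def bsgs(E, P, Q, N):
    """Baby step-Giant step on E (protocol of Section 4.1): k with Q = kP,
    given a bound N on the order of P, or None if Q is not a multiple of P."""
    m = isqrt(N) + 1  # m >= sqrt(N), so N <= m^2
    baby, R = {}, O
    for i in range(m + 1):  # baby steps iP, 0 <= i <= m (the stored list)
        baby.setdefault(R, i)
        R = E.add(R, P)
    minus_mP = E.neg(E.mul(m, P))
    giant = Q
    for j in range(m):  # giant steps Q - jmP, 0 <= j < m
        if giant in baby:
            return baby[giant] + j * m
        giant = E.add(giant, minus_mP)
    return None
```

For Example 4.1.4, `bsgs(Curve(599, 0, 0, 0, 0, 1), (60, 19), (277, 239), hasse_bound(599))` returns the least k with kP = Q, because the giant-step index j is tried in increasing order and each baby step keeps its smallest index.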


The Pollard-Rho Method
The Pollard-Rho method needs a function f which behaves randomly and a random point P0, and computes the iterates P_{i+1} = f(P_i). Since E(F_q) is finite, there will be i0 < j0 such that P_{i0} = P_{j0}. We can follow the following protocol for the Pollard-Rho algorithm.
Protocol. First recall that given P and Q in E(F_q) we need an integer k such that Q = kP.
1) Divide E(F_q) into disjoint subsets F1, F2, ···, Fs where s is around 20.
2) Choose 2s random pairs of integers (ai, bi) such that 1 ≤ ai, bi ≤ N, set Mi = aiP + biQ and choose f such that ∀V ∈ E(F_q), if V ∈ Fi then f(V) = V + Mi.
3) Choose random integers a0, b0, set P0 = a0P + b0Q, start to compute P_{i+1} = f(P_i) and record the integers uj, vj such that Pj = ujP + vjQ. In fact, if Pj ∈ Fi then P_{j+1} = (uj + ai)P + (vj + bi)Q, so (u_{j+1}, v_{j+1}) = (uj + ai, vj + bi).
4) Find the match. If P_{j0} = P_{i0} then u_{i0}P + v_{i0}Q = u_{j0}P + v_{j0}Q, i.e., (u_{i0} − u_{j0})P = (v_{j0} − v_{i0})Q. If d = gcd(N, v_{j0} − v_{i0}), we have k ≡ (v_{j0} − v_{i0})^{−1}(u_{i0} − u_{j0}) (mod N/d). We expect to find a match after at most a constant times √N steps (this method is non deterministic). This gives us d choices of k, so we try the possibilities until we get Q = kP.

4.1.5 Example. Let us work on E(F1093) with E : y² = x³ + x + 1. If P = (0, 1) and Q = (413, 959), the solution of the DLP Q = kP is k = 499 (see Algorithm B.2 for the pseudocode and follow the link Example to download the Sage file).

4.2 Elliptic curves cryptography

In this section we discuss some cryptosystems¹ based on the DLP on elliptic curves.

¹ A cryptosystem is defined by a pair of encryption and decryption functions $(E_A, \bar{E}_A)$, defined below.

Basic configuration. Alice wants to send a message to Bob, called a plaintext (pt), and she doesn't want the eavesdropper Eve to read it. She encrypts the message using an encryption key and gets a ciphertext (ct). When Bob receives the message he decrypts it using a decryption key. We present here public key encryption, where Bob publishes a public encryption key that Alice uses, and Bob keeps a private key which enables him to decrypt the messages. The most famous method is RSA encryption [RSA78], which we will not present here. We will work on the Diffie-Hellman key exchange [Was12, p. 170] and the ElGamal public key encryption [Was12, p. 174].

Specification. $M :=$ universe of messages. $I :=$ universe of individuals. $\forall A, B \in I$, $\forall m \in M$, define


- $f(A, B, m) :=$ $A$ sends the message $m$ to $B$.
- $g(A, m) : \mathbb{B}$ (a Boolean) with $g(A, m) := (A \text{ knows } m)$.
Input: $A, B \in I$, $m \in M$. Output: $f(A, B, m)$ satisfying $\forall E \in I,\ g(E, m) \Rightarrow ((E = A) \vee (E = B))$.

In public key encryption, each of Alice and Bob has an encryption key and a decryption key that provide functions, respectively: $E_A :$ Plaintext $\longrightarrow$ Ciphertext and $\bar{E}_A :$ Ciphertext $\longrightarrow$ Plaintext. The encryption by $A$ of a plaintext pt gives the ciphertext $E_A(\text{pt})$. The decryption by $A$ of a ciphertext ct gives the plaintext $\bar{E}_A(\text{ct})$. Encryption $E_A$ and decryption $\bar{E}_A$ must be inverse: $E_A \circ \bar{E}_A = \bar{E}_A \circ E_A = \text{Identity}$; $E_A$ and $\bar{E}_A$ are easy to compute, and it is computationally infeasible² to compute $\bar{E}_A$ given $E_A$.

The Diffie-Hellman key exchange. Protocol [Was12, p. 170]:
1) Alice and Bob agree on an elliptic curve $E$ over a finite field $\mathbb{F}_q$ such that the DLP is hard to solve in $E(\mathbb{F}_q)$, and also on a point $P \in E(\mathbb{F}_q)$ such that the subgroup generated by $P$ has large order (we usually take $P$ such that the order of $P$ is a large prime number).
2) Alice chooses a secret integer $a$, computes $P_a = aP$ and sends $P_a$ to Bob.
3) Bob chooses a secret integer $b$, computes $P_b = bP$ and sends $P_b$ to Alice.
4) Alice computes $aP_b = abP$.
5) Bob computes $bP_a = baP$.
Formalism. The encryption function of a point $P$ for an integer $a$ is here $E_a(P) := aP$. NB: We write hid for information that is kept secret and vis for information that is public.
Alice: vis $E_a$; hid $a$, $E_{ab}$, $P$.
Bob: vis $E_b$; hid $b$, $E_{ab}$, $P$.
Alice $\longrightarrow$ Bob: $E_a(P)$; Bob: $E_b(P)$; Bob $\longrightarrow$ Alice: $E_b(P)$; Alice: $E_a(E_b(P))$; Bob: $E_b(E_a(P))$.

² Being computationally infeasible means that there is no polynomial time algorithm that can compute $\bar{E}_A$ given $E_A$ on an ordinary computer (not a quantum computer).


4.2.1 Example. Follow the link (Example) for an example under Sagemath.

ElGamal public key encryption. Alice wants to send a message to Bob. First Bob chooses an elliptic curve $E$ over a finite field $\mathbb{F}_q$ such that the DLP is hard to solve in $E(\mathbb{F}_q)$, and a point $P \in E$ of large order. He also chooses a secret integer $s$ and computes $B = sP$. The elliptic curve $E$, the finite field $\mathbb{F}_q$ and the points $P, B$ are Bob's public key.
Bob's private key is the integer $s$.
Protocol [Was12, p. 174]. To send a message to Bob, Alice does the following:
1) Downloads Bob's public key.
2) Expresses her message as a point $M \in E(\mathbb{F}_q)$.
3) Chooses a secret integer $k$ and computes $M_1 = kP$.
4) Computes $M_2 = M + kB$.
5) Sends $M_1, M_2$ to Bob, who decrypts by computing $M = M_2 - sM_1$.
Formalism. Let us define the encryption and decryption functions.
- For a given elliptic curve $E$ over $\mathbb{F}_q$, for $k \in \mathbb{Z}$ and $B \in E(\mathbb{F}_q)$, the encryption function is
$$E^k_{P,B} : E(\mathbb{F}_q) \longrightarrow E(\mathbb{F}_q) \times E(\mathbb{F}_q), \qquad M \longmapsto (kP, M + kB).$$
- For points $M_1, M_2 \in E(\mathbb{F}_q)$, the decryption function is
$$\bar{E}_s : E(\mathbb{F}_q) \times E(\mathbb{F}_q) \longrightarrow E(\mathbb{F}_q), \qquad (M_1, M_2) \longmapsto M_2 - sM_1.$$
Alice: vis $E^k_{P,B}$; hid $k \in \mathbb{Z}$.
Bob: vis $P, B \in E(\mathbb{F}_q)$; hid $s \in \mathbb{Z}$, $\bar{E}_s$.
Alice: $M \in E(\mathbb{F}_q)$. Alice $\longrightarrow$ Bob: $E^k_{P,B}(M)$. Bob: $\bar{E}_s(E^k_{P,B}(M))$.
Correctness: This decryption works since $\forall M \in E(\mathbb{F}_q)$, $\bar{E}_s(E^k_{P,B}(M)) = \bar{E}_s(kP, M + kB) = M + kB - skP = M + ksP - skP = M$. So $\bar{E}_s \circ E^k_{P,B} = \text{Identity}$. Eve knows $E$, $\mathbb{F}_q$, $P$, $B$, $kP$ and $M + kB$. If Eve can calculate discrete logarithms, she can find $s$ (or $k$) by using $P$ and $B$ (respectively $P$ and $kP$), and she can then deduce $M$ as $M + kB - skP$ (respectively $M + ksP - kB$).


4.2.2 Remark.
- Alice must use a different $k$ each time she sends a message to Bob. In fact, if Alice uses the same $k$ for two messages $M$ and $M'$, Eve recognizes it, since $(M' + kB) - (M + kB) = M' - M$. It suffices for Eve to know $M$ and she will know $M'$.
- To express a text as a point on the elliptic curve, Alice can convert the text into the first coordinate of the elliptic curve point, or she can convert the text into the last 100 digits of the first coordinate of a point on the elliptic curve.
It can happen that Eve blocks the message of Alice to Bob and sends another message to Bob, and vice versa (the man-in-the-middle attack, see [HPS08, p. 122]). It is important to find a way for Bob to know that the message he receives comes from Alice. We will look at the ElGamal signature to achieve such authentication.

ElGamal signature. Alice wants to attach a signature to the message she sends to Bob. She cannot just attach a fixed signature to the message, otherwise Eve can copy it and attach it to every message she wants. She has to perform an encryption-like computation so that it is possible for Bob to check whether the signature is valid. Alice must establish a public key. She chooses an elliptic curve $E$ over a finite field $\mathbb{F}_q$ and $A \in E(\mathbb{F}_q)$ an element of order $N$ (usually a large prime number). She also chooses $a \in \mathbb{Z}$, computes $B = aA$ and chooses a function $f : E(\mathbb{F}_q) \longrightarrow \mathbb{Z}$ such that $|f(E(\mathbb{F}_q))|$ is large and the image of a point doesn't have many preimages. The public information of Alice is $E$, $\mathbb{F}_q$, $f$, $A$ and $B$. The integer $a$ is private; $N$ does not need to be made public.
Protocol. To sign a document, Alice:
1) Represents the document as an integer $m$ (if $m > N$, choose a larger curve (a curve with more points) or use a hash function [MVO96, p. 33]).
2) Chooses a random $k$ with $\gcd(k, N) = 1$ and computes $J = kA$.
3) Computes $s \equiv k^{-1}(m - a f(J)) \pmod N$.
The signed message is $(m, J, s)$. Note that here $m$ is not a secret document. If Alice wants $m$ to be secret, she needs to use an encrypted form.
Formalism. Alice: vis $m$, $E$, $\mathbb{F}_q$, $f$, $A$, $B = aA$; hid $k \in \mathbb{Z}$, $a \in \mathbb{Z}$.
Input: $m \in \mathbb{Z}$, $E$, $\mathbb{F}_q$, $f$, $A$, $B = aA$. Output: $(m, J = kA, s \in \mathbb{Z})$ (the signature) satisfying
$$k \in \mathbb{Z},\quad \gcd(k, N) = 1,\quad s \equiv k^{-1}(m - a f(kA)) \pmod N.$$
Protocol of verification. Bob verifies the message as follows:


1) Downloads Alice's public key.
2) Computes $L_1 = f(J)B + sJ$ and $L_2 = mA$.
3) If $L_1 = L_2$ then the signature is valid.
Formalism. Input: $(m, J, s)$. Output: $z : \mathbb{B}$ such that $L_1 := f(J)B + sJ$; $L_2 := mA$; $z := (L_1 = L_2)$.
Further, a signature produced as above is indeed accepted, since $L_1 = f(J)B + sJ = f(J)aA + skA = f(J)aA + (m - af(J) + tN)A$ for some $t \in \mathbb{Z}$, because $sk \equiv m - af(J) \pmod N$. Hence $L_1 = mA + tNA = mA + O = L_2$.

4.2.3 Remark. Note that if Eve can compute discrete logarithms, she can use $A$ and $B$ to find $a$, and then she can use Alice's signature everywhere. Eve can also find $a$ by using $A$ and $J$ to find $k$: since $s$, $f(J)$ and $m$ are known, she uses $ks \equiv m - af(J) \pmod N \Leftrightarrow af(J) \equiv m - ks \pmod N$. This congruence has $\gcd(f(J), N)$ solutions for $a$, and Eve can just try the possibilities until she obtains $B = aA$ (as long as $s$ is known).

4.2.4 Remark. Alice must keep $a$ and $k$ secret and use a different random $k$ for each signature. Indeed, if the same $k$ is used for $m$ and $m'$ to obtain the signed messages $(m, J, s)$ and $(m', J, s')$, Eve recognizes that $k$ has been used twice (the same $J$ appears), and from $ks \equiv m - af(J) \pmod N$ and $ks' \equiv m' - af(J) \pmod N$ she gets $k(s - s') \equiv m - m' \pmod N$. There are $\gcd(s - s', N)$ possible values for $k$; Eve can try each one until she finds $J = kA$. When Eve knows $k$, she knows $a$.

Disadvantage: The signed message $(m, J, s)$ is approximately three times as long as the original message. A more efficient method is to use a hash function $H$ and sign $H(m)$. We recall that a hash function takes messages of arbitrary length and transforms them into messages of fixed length. A hash function should have the following properties:
1) Given a message $m$, the value $H(m)$ is very quick to compute.
2) Given $y$, it is almost impossible³ to find $m$ such that $H(m) = y$ (we say that $H$ is pre-image resistant).
We just replace $m$ by $H(m)$ in the previous protocol.

³ Almost impossible means computationally infeasible in our context.
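The following is an added, self-contained Python example (plain Python 3.8 or later, not the thesis's Sage files, and not code from the thesis). It implements the affine group law of Proposition 3.1.19 for a curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, the Baby step-Giant step solver of Example 4.1.4 and the Pollard-Rho solver of the protocol in Section 4.1 (with Floyd's cycle finding in place of the stored lists of Algorithm 2, so that the storage really is constant), and then the ElGamal encryption of Section 4.2, the ElGamal signature, and the key recovery of Remark 4.2.4. The thesis's two DLP instances ($E(\mathbb{F}_{599})$ with $P = (60, 19)$, $Q = (277, 239)$, and $E(\mathbb{F}_{1093})$ with $P = (0, 1)$, $Q = (413, 959)$) can be fed to bsgs and pollard_rho directly. For the protocols, a textbook-sized curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point $(5, 1)$ of prime order 19 is assumed, as are the function $f(J) := 1 + x(J)$ (the thesis leaves $f$ unspecified) and all key and nonce values, which are constructed for the example; the function and variable names are the example's own.

```python
import random
from math import gcd, isqrt

class Curve:
    """y^2 = x^3 + a*x + b over F_p, p an odd prime; points are (x, y) tuples and None is O."""
    def __init__(self, p, a, b):
        self.p, self.a, self.b = p, a, b

    def neg(self, P):
        return None if P is None else (P[0], -P[1] % self.p)

    def add(self, P, Q):
        p = self.p
        if P is None or Q is None:
            return Q if P is None else P
        if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
            return None                                           # P + (-P) = O
        if P == Q:                                                # tangent slope (doubling)
            lam = (3 * P[0] * P[0] + self.a) * pow(2 * P[1], -1, p) % p
        else:                                                     # chord slope
            lam = (Q[1] - P[1]) * pow(Q[0] - P[0], -1, p) % p
        x3 = (lam * lam - P[0] - Q[0]) % p
        return (x3, (lam * (P[0] - x3) - P[1]) % p)

    def mul(self, k, P):                                          # double-and-add, any integer k
        if k < 0:
            k, P = -k, self.neg(P)
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P, k = self.add(P, P), k >> 1
        return R

    def order(self):                                              # #E(F_p): count the y for each x
        n = 1
        for x in range(self.p):
            v = (x ** 3 + self.a * x + self.b) % self.p
            n += 1 if v == 0 else 2 if pow(v, (self.p - 1) // 2, self.p) == 1 else 0
        return n

    def point_order(self, P):                                     # least divisor d of #E with dP = O
        N = self.order()
        return next(d for d in range(1, N + 1) if N % d == 0 and self.mul(d, P) is None)

def bsgs(E, P, Q, n):
    """Baby step-Giant step: k with Q = kP, n = order of P; O(sqrt n) time and storage."""
    m, baby, R = isqrt(n) + 1, {}, None
    for i in range(m):                                            # baby steps: store iP, 0 <= i < m
        baby.setdefault(R, i)
        R = E.add(R, P)
    giant, R = E.neg(E.mul(m, P)), Q                              # giant steps: Q - jmP, j = 0, 1, ...
    for j in range(m):
        if R in baby:
            return (baby[R] + j * m) % n
        R = E.add(R, giant)

def pollard_rho(E, P, Q, n, s=20, seed=1):
    """Pollard-Rho with Floyd's cycle finding: O(1) storage; n = order of P, possibly composite."""
    rng = random.Random(seed)
    while True:                                                   # restart after a useless collision
        pairs = [(rng.randrange(1, n), rng.randrange(1, n)) for _ in range(s)]
        M = [E.add(E.mul(ai, P), E.mul(bi, Q)) for ai, bi in pairs]   # M_i = a_i P + b_i Q
        def f(X, u, v):                                           # f(V) = V + M_i for V in F_i (x mod s)
            i = 0 if X is None else X[0] % s
            return E.add(X, M[i]), (u + pairs[i][0]) % n, (v + pairs[i][1]) % n
        ut = uh = rng.randrange(1, n)
        vt = vh = rng.randrange(1, n)
        t = h = E.add(E.mul(ut, P), E.mul(vt, Q))                 # P_0 = u_0 P + v_0 Q
        while True:
            t, ut, vt = f(t, ut, vt)                              # tortoise: one step
            h, uh, vh = f(*f(h, uh, vh))                          # hare: two steps
            if t == h:
                break
        x, y = (ut - uh) % n, (vh - vt) % n                       # the collision gives xP = yQ
        d = gcd(y, n)
        if y == 0 or x % d:
            continue
        k0 = (x // d) * pow(y // d, -1, n // d) % (n // d)        # d candidates k0 + j n/d
        for j in range(d):
            if E.mul(k0 + j * (n // d), P) == Q:
                return k0 + j * (n // d)

def elgamal_encrypt(E, P, B, M, k):                               # Alice: (M1, M2) = (kP, M + kB)
    return E.mul(k, P), E.add(M, E.mul(k, B))

def elgamal_decrypt(E, s, M1, M2):                                # Bob: M = M2 - sM1
    return E.add(M2, E.neg(E.mul(s, M1)))

def f_point(J):                                                   # assumed f: E(F_q) -> Z, f(J) = 1 + x(J)
    return 1 + J[0]

def elgamal_sign(E, A, n, a, m, k):                               # requires gcd(k, n) = 1
    J = E.mul(k, A)
    return J, pow(k, -1, n) * (m - a * f_point(J)) % n            # s = k^-1 (m - a f(J)) mod N

def elgamal_verify(E, A, B, m, J, s):                             # valid iff f(J)B + sJ = mA
    return E.add(E.mul(f_point(J), B), E.mul(s, J)) == E.mul(m, A)

def key_from_reused_k(n, m1, s1, m2, s2, J):
    """Remark 4.2.4 with N prime: the same J in two signatures gives k, then a."""
    k = (m1 - m2) * pow((s1 - s2) % n, -1, n) % n                # k(s - s') = m - m'
    return k, (m1 - k * s1) * pow(f_point(J) % n, -1, n) % n      # a f(J) = m - ks
```

Both solvers take the order of the base point, obtained here by the naive count in Curve.order, which is fine for curves of this size but is exactly what the Hasse bound of Example 4.1.4 lets the thesis avoid. key_from_reused_k is the check a reviewer of a signing implementation would run to confirm that a repeated nonce exposes the private key, which is why Remark 4.2.4 insists on a fresh random $k$ per signature.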

5. Conclusion
This research project has introduced the general theory of elliptic curves over a general field by proving geometrically and algebraically the group law on elliptic curves, using some classical theorems like the Riemann-Roch theorem. We have also shown how to bound the order of the set of rational points of an elliptic curve by Hasse's Theorem, and even how to compute it by Weil's Theorem. On the algorithmic side of elliptic curves, we presented the discrete logarithm problem on elliptic curves and two methods to solve it, the Baby step-Giant step method and the Pollard-Rho method, with some implementation examples under Sage. We have also made an application to some public key cryptosystems, the Diffie-Hellman and the ElGamal cryptosystems, with their mathematical formalism in terms of the encryption and decryption functions. The application of elliptic curves to the transmission of information has developed very quickly. For example, in 2008 the company Symantec developed its first cryptographic certificates based on elliptic curve cryptography, and in 2013 they obtained authorization to launch the technology. There is one reason to have some doubts about the security of elliptic curve cryptosystems: in 1994, the efficient algorithm developed by Shor [Mil86] for factoring large integers, if it is implemented on a quantum computer, will weaken the security of elliptic curve cryptosystems. For the moment we can rely on that security while waiting for an implemented algorithm to crack the cryptosystems we are using today.


Appendix A. Proofs of some results

A.0.5 Lemma. (Lemma 3.1.10) Let $P = [a_1, a_2, a_3]$ and $Q = [b_1, b_2, b_3]$ be two points of $\mathbb{P}^2$, $P \neq Q$. There exists a unique line of $\mathbb{P}^2$ passing through $P$ and $Q$. This line is the set of points $[x, y, z] \in \mathbb{P}^2$ such that
$$\begin{vmatrix} a_1 & b_1 & x \\ a_2 & b_2 & y \\ a_3 & b_3 & z \end{vmatrix} = 0,$$
i.e., $ux + vy + wz = 0$ with $u = a_2 b_3 - a_3 b_2$, $v = a_3 b_1 - a_1 b_3$, $w = a_1 b_2 - a_2 b_1$.

Proof. The line $L$ passing through $P$ and $Q$ is the set of points $[x, y, z]$ such that the determinant above vanishes, that is $ux + vy + wz = 0$ with $u = a_2 b_3 - a_3 b_2$, $v = a_3 b_1 - a_1 b_3$, $w = a_1 b_2 - a_2 b_1$. Let us prove the uniqueness of that line. Suppose we have another line $u'x + v'y + w'z = 0$ passing through $P$ and $Q$. Put $f(x, y, z) = ux + vy + wz$ and $g(x, y, z) = u'x + v'y + w'z$. The functions $f$ and $g$ are linear maps, and $[x, y, z] \in \ker(f) \Leftrightarrow [x, y, z] \in L \Leftrightarrow [x, y, z]$ is a linear combination of $P$ and $Q$. Since $P, Q \in \ker(f)$, $\ker(f)$ is generated by $P = [a_1, a_2, a_3]$ and $Q = [b_1, b_2, b_3]$. Similarly, $\ker(g)$ is generated by $[a_1, a_2, a_3]$ and $[b_1, b_2, b_3]$. Hence $\ker(f) = \ker(g)$ and $\dim(\ker(f)) = \dim(\ker(g)) = 2$.

Let us prove that $\ker(f)^\perp$ is generated by $f$ in the dual $K$-vector space $(K^3)^*$. Recall that $\ker(f)^\perp = \{h \in (K^3)^* : \forall X \in K^3,\ f(X) = 0 \Rightarrow h(X) = 0\}$, and let $\{e_1, e_2\}$ be a basis of $\ker(f)$. Let us define
$$\psi : (K^3)^* \longrightarrow K^2, \qquad h \longmapsto (h(e_1), h(e_2)).$$
The map $\psi$ is well defined and linear. Let us show that $\psi$ is surjective. Completing the basis $\{e_1, e_2\}$ to a basis $\{e_1, e_2, e_3\}$ of $K^3$, let $\{e_1^*, e_2^*, e_3^*\}$ be the dual basis of $(K^3)^*$. Then for $i = 1, 2$ we have $\psi(e_i^*) = (e_i^*(e_1), e_i^*(e_2))$, which is the $i$-th vector of the canonical basis of $K^2$. So $\operatorname{Im}(\psi)$ contains the whole canonical basis of $K^2$, hence $\operatorname{Im}(\psi) = K^2$ and $\psi$ is surjective.

By the rank theorem, $\dim (K^3)^* = \dim(\ker(\psi)) + \dim(K^2)$, hence $\dim(\ker(\psi)) = 1$. But
$$\ker(\psi) = \{h \in (K^3)^* : h(e_1) = 0 \text{ and } h(e_2) = 0\} = \{h \in (K^3)^* : \forall X \in \ker(f),\ h(X) = 0\} = \ker(f)^\perp,$$

so $\dim(\ker(f)^\perp) = 1$. Since $f \in \ker(f)^\perp$, we have $\langle f \rangle \subset \ker(f)^\perp$ (where $\langle f \rangle$ is the subspace generated by $f$), and equality holds by dimension. Similarly $\ker(g)^\perp$ is generated by $g$. Since $\ker(f) = \ker(g)$, we have $\ker(f)^\perp = \ker(g)^\perp$, and there is $\lambda \in K$ such that $g = \lambda f$; this means $\forall [x, y, z] \in \mathbb{P}^2$, $u'x + v'y + w'z = \lambda(ux + vy + wz)$, which proves the uniqueness of the line $L$.

A.0.6 Proposition. (Proposition 3.1.19) Let $E$ be an elliptic curve given by the Weierstrass equation 3.1.2.
a) If $P_0 = (x_0, y_0)$ then $-P_0 = (x_0, -y_0 - a_1 x_0 - a_3)$.
b) Let $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E$ and $P_3 := P_1 + P_2 = (x_3, y_3)$.
i) If $x_1 = x_2$ and $y_1 + y_2 + a_1 x_2 + a_3 = 0$ then $P_1 + P_2 = O$.
ii) If not, set
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad \mu = \frac{y_1 x_2 - y_2 x_1}{x_2 - x_1} \quad \text{if } x_1 \neq x_2,$$
and
$$\lambda = \frac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}, \qquad \mu = \frac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3} \quad \text{if } x_1 = x_2 \text{ (and } y_1 + y_2 + a_1 x_1 + a_3 \neq 0\text{)}.$$
Then $P_3$ is given by $x_3 = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2$ and $y_3 = -(\lambda + a_1)x_3 - \mu - a_3$.

Proof. a) By the third step of Proposition 3.1.15, $-P_0$ is the third point of the line $L$ through $P_0$ and $O$, and we have $O = P_0 + (-P_0) = (P_0 + O) + (-P_0)$. The line $L$ has equation $L : x = x_0 z$. Substituting this into the equation of $E$, we get
$$y^2 z + a_1 x_0 y z^2 + a_3 y z^2 = x_0^3 z^3 + a_2 x_0^2 z^3 + a_4 x_0 z^3 + a_6 z^3.$$
Since $O$ is already a point of $L \cap E$, we can assume $z \neq 0$ and make the change of variable $y \mapsto y/z$. We obtain
$$y^2 + (a_1 x_0 + a_3)y - x_0^3 - a_2 x_0^2 - a_4 x_0 - a_6 = 0. \qquad \text{(A.0.1)}$$
Equation (A.0.1) has two solutions; since $y_0$ is one of them and the sum of the solutions is $-a_1 x_0 - a_3$, the other solution is $y_0' = -y_0 - a_1 x_0 - a_3$. Hence $-P_0 = (x_0, y_0')$.
b) Let $P_1 = (x_1, y_1), P_2 = (x_2, y_2) \in E$ and $P_3 := P_1 + P_2 = (x_3, y_3)$.
i) If $x_1 = x_2$ and $y_1 + y_2 + a_1 x_2 + a_3 = 0$ then $P_2 = -P_1$ by a), and hence $P_1 + P_2 = O$.
ii)

- Suppose $x_1 \neq x_2$. Let $L$ be the line $(P_1, P_2)$ and let $R = (x_3', y_3')$ be the third intersection point of $L$ and $E$. The equation of $L$ is given by
$$\begin{vmatrix} x_1 & x_2 & x \\ y_1 & y_2 & y \\ 1 & 1 & z \end{vmatrix} = 0,$$
i.e., $y = \lambda x + \mu z$ with $\lambda = \dfrac{y_2 - y_1}{x_2 - x_1}$ and $\mu = \dfrac{x_1 y_2 - x_2 y_1}{x_1 - x_2}$.
Suppose $O = [0, 1, 0] \in L$. Substituting $O$ into the determinant gives $x_2 - x_1 = 0$, i.e., $x_1 = x_2$, which is a contradiction. So $O \notin L$. When $L$ intersects $E$ we therefore have $z \neq 0$, so we can make the change of variables $y \mapsto y/z$ and $x \mapsto x/z$ and get the system
$$\begin{cases} y = \lambda x + \mu & (1) \\ y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 & (2) \end{cases}$$
Substituting (1) in (2) gives
$$x^3 + (a_2 - \lambda^2 - \lambda a_1)x^2 + (a_4 - 2\lambda\mu - a_1\mu - a_3\lambda)x + a_6 - a_3\mu - \mu^2 = 0.$$
This polynomial has degree 3 and the sum of its roots is $-a_2 + \lambda^2 + \lambda a_1$. Since $x_1$ and $x_2$ are solutions of this equation, the third solution is $x_3' = \lambda^2 + \lambda a_1 - a_2 - x_1 - x_2$ and we get $y_3' = \lambda x_3' + \mu$. Since $P_1 + P_2 + R = O$ we have $P_3 := P_1 + P_2 = -R$, and by a) $P_3 = (x_3, y_3)$ with
$$\begin{cases} x_3 = x_3' = \lambda^2 + \lambda a_1 - a_2 - x_1 - x_2 & (3) \\ y_3 = -y_3' - a_1 x_3 - a_3 = -(\lambda + a_1)x_3 - \mu - a_3 & (4) \end{cases}$$

- Suppose $x_1 = x_2$ and $y_1 + y_2 + a_1 x_2 + a_3 \neq 0$.
  - Suppose $y_1 = y_2$. Then $P_1 = P_2$, and the tangent line $L$ to $E$ at $P_1$ is given by $L : y = \lambda x + \mu z$ with
$$\lambda = \frac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3}, \qquad \mu = \frac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3}.$$
By the same reasoning as previously we can show that $P_3 = (x_3, y_3)$, where $(x_3, y_3)$ satisfy (3) and (4) with this $\lambda$ and $\mu$.
  - Suppose $y_1 \neq y_2$. The line passing through $P_1$ and $P_2$ is $L : x = x_1 z$, a vertical line. Let us find the intersection points of $L$ and $E$. We need to solve the system
$$\begin{cases} x = x_1 z & (1') \\ y^2 z + a_1 xyz + a_3 y z^2 - x^3 - a_2 x^2 z - a_4 x z^2 - a_6 z^3 = 0 & (2') \end{cases}$$
Substituting (1') in (2') (with $z \neq 0$ as before) gives $y^2 + (a_1 x_1 + a_3)y - (x_1^3 + a_2 x_1^2 + a_4 x_1 + a_6) = 0$. We know that $y_1$ and $y_2$ are the solutions of this equation, so $y_1 + y_2 = -(a_1 x_1 + a_3)$, which contradicts $y_1 + y_2 + a_1 x_2 + a_3 \neq 0$ (recall that $x_1 = x_2$). Hence the case $x_1 = x_2$, $y_1 \neq y_2$ and $y_1 + y_2 + a_1 x_2 + a_3 \neq 0$ cannot occur.

Appendix B. Pseudocodes for the Pollard-Rho method and the Baby step-Giant step method

B.1 Baby step-Giant step pseudocode

Algorithm 1: Baby step - Giant step
Input: E, q, P, Q ∈ E(F_q)
Output: k ∈ Z such that Q = kP
N := order of E(F_q)
Initialize: A, B, m := [ ], [ ], ⌊√(q + 1 + 2√q)⌋ + 1     /* the storage lists and an integer m greater than √N */
for i = 0 to m do
    append iP to A                        /* the list of the baby steps iP */
for j = 0 to m − 1 do
    append Q − jmP to B                   /* the list of the giant steps Q − jmP */
for x ∈ A do                              /* find the match */
    for y ∈ B do
        if x = y then
            a := index of x in A
            b := index of y in B
            k := a + bm (mod N)           /* solve the DLP: Q − bmP = aP */
            return k

B.2 Pollard-Rho pseudocode

Algorithm 2: Pollard-Rho
Specific expressions: ARI(2, m): a random integer between 2 and m; integ(m): transform the field element m to an integer.
Input: E, q, P, Q ∈ E(F_q), the number s of subsets
Output: k ∈ Z such that Q = kP
N := order of E(F_q)
repeat
    Initialize: A, B, M, F, C := [ ], [ ], [ ], [ ], [ ]    /* the lists we will use */
    for i = 0 to s − 1 do
        append ARI(2, N) to A                 /* the random integers a_i */
        append ARI(2, N) to B                 /* the random integers b_i */
        append A[i]P + B[i]Q to M             /* the points M_i = a_i P + b_i Q */
    U, a, b := M[0], A[0], B[0]               /* the starting point P_0 and its coefficients in terms of P and Q */
    append U to F; append [a, b] to C
    repeat                                    /* compute the points P_{i+1} = f(P_i) */
        i := integ(x_U) mod s                 /* U lies in the subset F_i */
        U := U + M[i]; a := a + A[i]; b := b + B[i]
        append U to F; append [a, b] to C     /* the points and their coefficients in terms of P and Q */
    until U already appeared earlier in F     /* the match */
    r := index of the first apparition of U in F
    c := C[r]; d := C[last index of C]        /* the coefficients of the two matching points: c[0]P + c[1]Q = d[0]P + d[1]Q */
    x := c[0] − d[0]; y := d[1] − c[1]        /* hence xP = yQ */
    g := gcd(N, y)
    for t = 0 to g − 1 do                     /* the g candidates for k */
        k := (y/g)^{-1} (x/g) + t N/g (mod N) /* solve the DLP */
        if kP = Q then return k
until a solution is found                     /* if no candidate works, restart with new random integers */

Acknowledgements I am expressing my gratitude to my supervisor Prof. J.W. Sanders, for the support, guidance and encouragement during the course of writing this project. I don't forget to appreciate the brains behind this meritable institute, AIMS: the founder (Prof. Neil Turok), the director (Prof. Barry Green), and also the academic director (Prof. Mama Foupouagnigni). I am grateful to all other staff members of AIMS-Cameroon, particularly the tutors Collins and Zoe for the corrections. I would like to thank my parents, Mr. and Mrs. Nkeck, for their encouragement. I am also grateful to all my classmates, particularly Joel, Carole, Dinamo, Diane and Leticia, for their encouragement.


References

[CFA+10] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, Handbook of Elliptic and Hyperelliptic Curve Cryptography, Discrete Mathematics and Its Applications, Taylor & Francis, 2010.
[Har77] R. Hartshorne, Algebraic Geometry, Graduate Texts in Mathematics, Springer, 1977.
[HPS08] J. Hoffstein, J. Pipher, and J. H. Silverman, An Introduction to Mathematical Cryptography, Undergraduate Texts in Mathematics, Springer, 2008.
[Kob87] N. Koblitz, Elliptic Curve Cryptosystems, Mathematics of Computation 48 (1987), no. 177, 203–209. MR 88b:94017.
[Kra11] A. Kraus, Cours de Cryptographie, Chapitre VII - Courbes elliptiques, http://www.usthb.dz/fmath/IMG/pdf/Chapitre 7.pdf, 2011, [Online; accessed August 26, 2011].
[Men11] D. Menon, Bezout's Theorem for Curves, http://www.math.uchicago.edu/~may/VIGRE/VIGRE2011/REUPapers/Menon.pdf, 2011, [Online; accessed August 26, 2011].
[MH06] Marusia Rebolledo, Michael Hagler, and Eva Bayer Fluckiger, Courbes Elliptiques et Cryptographie, http://math.univ-bpclermont.fr/~rebolledo/page-fichiers/projetMichael.pdf, 2006, [Online; accessed February 19, 2006].
[Mil86] V. S. Miller, Use of elliptic curves in cryptography, Advances in Cryptology, CRYPTO '85, Springer-Verlag, London, UK, 1986, pp. 417–426.
[Mil14] J. S. Milne, Fields and Galois Theory (v4.50), 2014, available at www.jmilne.org/math/.
[MVO96] A. J. Menezes, S. A. Vanstone, and P. C. Van Oorschot, Handbook of Applied Cryptography, 1st ed., CRC Press, Inc., Boca Raton, FL, USA, 1996.
[MvOV10] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography, Taylor & Francis, 2010.
[RSA78] R. L. Rivest, A. Shamir, and L. Adleman, A Method for Obtaining Digital Signatures and Public-Key Cryptosystems, Commun. ACM 21 (1978), no. 2, 120–126.
[Sil09] J. H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics, Springer, 2009.
[TF11] Daniel Arnold Moklovan, Thierry Favre, and Eva Bayer Fluckiger, Cryptographie et Courbes Elliptiques, http://infoscience.epfl.ch/record/167830/files/Favre TDS 2011.pdf, 2011, [Online; accessed May 31, 2011].
[Was12] L. C. Washington, Elliptic Curves: Number Theory and Cryptography, 2nd ed., Discrete Mathematics and Its Applications, Taylor & Francis, 2012.