Elliptic Curves over Finite Fields

Size: px

Start display at page:

Download "Elliptic Curves over Finite Fields"

Tracey Hall
6 years ago
Views:

1 Elliptic Curves over Finite Fields Katherine E. Stange Stanford University Boise REU, June 14th, 2011

2 Consider a cubic curve of the form E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6

3 If you intersect with any line, there are exactly 3 solutions:

4 Actually, sometimes it looks like 2 solutions. But in this case we imagine an extra point at infinity,, that the line goes through.

5 So if we start with two points on the curve...

6 So if we start with two points on the curve, and draw a line through them...

7 So if we start with two points on the curve, and draw a line through them to get another point...

8 This is almost a group law. To make it work (all the axioms) we actually have to add a reflection at the end:

9 Group Law And that s how we get P + Q.

10 Identity: Identity

11 Inverses Inverses: Two points on a line with.

12 Associativity Hard to check, but true!

13 The points of the elliptic curve form a group!

14 Z/pZ, the integers modulo p... has addition (3 mod 7) + (6 mod 7) = 2 mod 7... has subtraction (3 mod 7) (6 mod 7) = 4 mod 7... has multiplication (2 mod 7) (4 mod 7) = 1 mod 7... has division (1 mod 7) (2 mod 7) = 1/2 mod 7 = 4 mod 7 In fact, it s a field. We call it F p, the finite field of p elements.

15 y 2 + y = x 3 + x 2 over F 7

16 y 2 + y = x 3 + x 2 over F 11

17 y 2 + y = x 3 + x 2 over F 17

18 y 2 + y = x 3 + x 2 over F 31

19 y 2 + y = x 3 + x 2 over F 10501

20 An elliptic curve E/Q gives rise to an elliptic curve E/F p for each p:

21 y 2 + y = x 3 + x 2 Also, given P E(Q), we get a list of orders modulo p: prime order of P (This point P has infinite order in E(Q).)

22 Elliptic Divisibility Sequences P = (0, 0) 1 2P = ( 1, 1) 1 3P = (1, 2) 1 4P = (2, 3) ( 5P = 3, 2 2, 1 ) 2 3 ( 6p = 2 3 2, 28 ) 3 3 7P = (21, 99) ( 11 8P = 7 2, 20 ) 7 3 ( 9P = , 931 ) 11 3 ( P = 20 2, )

23 Definition An elliptic divisibility sequence (EDS) is an integer sequence W n satisfying W n+m W n m W 2 r + W m+r W m r W 2 n + W r+n W r n W 2 m = 0. On any elliptic curve, we can define A n, B n, W n recursively so that ( An np = Wn 2, B ) n Wn 3, and W n is an EDS. W n = 0 np =

24 Reducing an EDS modulo p EDS from P = (0, 0) on y 2 + y = x 3 + x 2 1, 1, 1, 1, 2, 3, 1, 7, 11, 20, 19, 87, 191, 197, 1018 EDS from P = (0, 0) on y 2 + y = x 3 + x 2 modulo 7: 1, 1, 1, 6, 5, 4, 6, 0, 4, 6, 2, 4, 5, 6, 3

25 Let s put together some of the data: prime order of P W W W W W W W W W W W W W W W W W W W W W W W W W W W W W W

26 When we reduce mod 7, where does ( 11 8P = 49, 20 ) 343 go? To! The identity. So 8 P = modulo 7. In the associated EDS, 7 W 8. The primes appear in the EDS at the multiples of the order of P.

27 n W n factorisation n W n factorisation If p W n and n m, then p W m.

28 n L n factorisation n L n factorisation If p L n and n m, then p L m.

29 E(F p ) - group of points over F p For each x 0 F p (there are p of them), the quadratic equation in y y 2 + a 1 x 0 y + a 3 y = x a 2x a 4x 0 + a 6 has either 0 or 2 solutions. So either no points or 2 points: (x 0, y 1 ) and (x 0, y 2 ). So, if we assume that half the time it has solutions, then we get about p points. Oh, and there s the point. So that makes about p + 1 points

30 Given E/Q, we get a list of group-orders #E(F p ): y 2 + y = x 3 + x 2 p #E(F p )

31 Theorem (Hasse (1933)) We write a p = p + 1 #E(F p ). #E(F p ) p 1 < 2 p p #E(F p) a p 2 p p #E(F p) a p 2 p

32 Theorem (Hasse (1933)) We write a p = p + 1 #E(F p ). #E(F p ) p 1 < 2 p

33 Theorem (Deuring, 1941) For any n such that n p 1 < 2 p, there exists some elliptic curve E over F p such that #E(F p ) = n

34 Theorem (Cassells, 1966) The group E(F p ) is of the form where m 1 m 2 and m 1 p 1. Z/m 1 Z Z/m 2 Z

35 Index divisibility Joseph H. Silverman and I saw a paper of Chris Smyth, in which he asked, for Lucas sequences L n : When does n L n? So we wondered the same thing for W n an elliptic divisibility sequence: When does n W n?

36 When does n W n? Does it happen for n = p? If P has order p modulo p, then p W p. This can happen if #E(F p ) = p. Such a curve is called anomalous and is unsafe for cryptography because it has special structure.

37 Can we generalise this? What about if n = pq? If p W q and q W p, then p W pq and q W pq. So pq W pq. This happens if P has order p modulo q and order q modulo p. Definition Let E be an elliptic curve defined over Q. A pair (p, q) of primes is called an amicable pair for E if #E(F p ) = q, and #E(F q ) = p. Question (How often) does this happen?

38 Amicable Pairs Definition Let E be an elliptic curve defined over Q. A pair (p, q) of primes is called an amicable pair for E if #E(F p ) = q, and #E(F q ) = p.

39 Amicable Pairs Definition Let E be an elliptic curve defined over Q. A pair (p, q) of primes is called an amicable pair for E if #E(F p ) = q, and #E(F q ) = p. Example y 2 + y = x 3 x has one amicable pair with p, q < 10 7 : ( , ) y 2 + y = x 3 + x 2 has four amicable pairs with p, q < 10 7 : (853, 883), (77761, 77999), ( , ), ( , ).

40 Question Let Q E (X) = # { amicable pairs (p, q) such that p, q < X } How does Q E (X) grow with X?

41 Heuristic Prob(p is part of an amicable pair) ( ) = Prob q def = #E(F p ) is prime and #E(F q ) = p = Prob(q def = #E(F p ) is prime) Prob(#E(F q ) = p).

42 Heuristic Prob(p is part of an amicable pair) ( ) = Prob q def = #E(F p ) is prime and #E(F q ) = p = Prob(q def = #E(F p ) is prime) Prob(#E(F q ) = p). A conjecture of Koblitz says that Prob(#E(F p ) is prime) 1 log p,

43 Heuristic Prob(p is part of an amicable pair) ( ) = Prob q def = #E(F p ) is prime and #E(F q ) = p = Prob(q def = #E(F p ) is prime) Prob(#E(F q ) = p). A conjecture of Koblitz says that Prob(#E(F p ) is prime) 1 log p, A conjecture of Sato and Tate says that Prob(#E(F q ) = p) 1 q 1 p.

44 Heuristic Prob(p is part of an amicable pair) ( ) = Prob q def = #E(F p ) is prime and #E(F q ) = p = Prob(q def = #E(F p ) is prime) Prob(#E(F q ) = p). A conjecture of Koblitz says that Prob(#E(F p ) is prime) 1 log p, A conjecture of Sato and Tate says that Together: Prob(#E(F q ) = p) 1 q 1 p. Prob(p is part of an amicable pair) 1 p(log p).

45 Heuristic Q E (X) p X Prob(p is the smaller prime in an amicable pair ) p X 1 p(log p). Use the rough approximation f (X) p X to obtain n X/ log X Q E (X) f (n log n) X 1 u log u X/ log X X f (t log t) dt f (u) du log u du log u X (log X) 2.

46 Conjecture (Version 1) Let E/Q be an elliptic curve, let Q E (X) = # { amicable pairs (p, q) such that p, q < X } Assume infinitely many primes p such that #E(F p ) is prime.

47 Conjecture (Version 1) Let E/Q be an elliptic curve, let Q E (X) = # { amicable pairs (p, q) such that p, q < X } Assume infinitely many primes p such that #E(F p ) is prime. Then Q E (X) X (log X) 2 as X,

48 Data agreement...? X Q(X) Q(X) / X (log X) 2 log Q(X) log X Table: Counting amicable pairs for y 2 + y = x 3 + x 2 (thanks to Andrew Sutherland with smalljac)

49 Aliquot cycles Definition Let E be an elliptic curve. An aliquot cycle of length l for E is a sequence of distinct primes (p 1, p 2,..., p l ) such that #E(F p1 ) = p 2, #E(F p2 ) = p 3,... #E(F pl 1 ) = p l, #E(F pl ) = p 1.

50 Aliquot cycles Definition Let E be an elliptic curve. An aliquot cycle of length l for E is a sequence of distinct primes (p 1, p 2,..., p l ) such that #E(F p1 ) = p 2, #E(F p2 ) = p 3,... #E(F pl 1 ) = p l, #E(F pl ) = p 1. Example y 2 = x 3 25x 8 : (83, 79, 73)

51 Aliquot cycles Definition Let E be an elliptic curve. An aliquot cycle of length l for E is a sequence of distinct primes (p 1, p 2,..., p l ) such that #E(F p1 ) = p 2, #E(F p2 ) = p 3,... #E(F pl 1 ) = p l, #E(F pl ) = p 1. Example y 2 = x 3 25x 8 : (83, 79, 73) E : y 2 = x x : (23, 31, 41, 47, 59, 67, 73, 79, 71, 61, 53, 43, 37, 29)

52 Chinese Remainder Theorem If you have a bunch of congruence conditions for distinct primes: x b 1 mod p 1 x b 2 mod p 2. x b n mod p n Then there is a solution x Z.

53 Constructing aliquot cycles with CRT Fix l and let p 1, p 2,..., p l be a sequence of primes such that p i + 1 p i+1 2 p i for all 1 i l, where by convention we set p l+1 = p 1.

54 Constructing aliquot cycles with CRT Fix l and let p 1, p 2,..., p l be a sequence of primes such that p i + 1 p i+1 2 p i for all 1 i l, where by convention we set p l+1 = p 1. For each p i find (by Deuring) an elliptic curve E i over F pi satisfying #E i (F pi ) = p i+1.

55 Constructing aliquot cycles with CRT Fix l and let p 1, p 2,..., p l be a sequence of primes such that p i + 1 p i+1 2 p i for all 1 i l, where by convention we set p l+1 = p 1. For each p i find (by Deuring) an elliptic curve E i over F pi satisfying #E i (F pi ) = p i+1. Use the Chinese remainder theorem on the coefficients of the Weierstrass equations for E 1,..., E l to find an elliptic curve E over Q satisfying E mod p i = Ei for all 1 i l.

56 Constructing aliquot cycles with CRT Fix l and let p 1, p 2,..., p l be a sequence of primes such that p i + 1 p i+1 2 p i for all 1 i l, where by convention we set p l+1 = p 1. For each p i find (by Deuring) an elliptic curve E i over F pi satisfying #E i (F pi ) = p i+1. Use the Chinese remainder theorem on the coefficients of the Weierstrass equations for E 1,..., E l to find an elliptic curve E over Q satisfying E mod p i = Ei for all 1 i l. Then by construction, the sequence (p 1,..., p l ) is an aliquot cycle of length l for E.

57 Another example y 2 + y = x 3 x has one amicable pair with p, q < 10 7 : ( , ) y 2 + y = x 3 + x 2 has four amicable pairs with p, q < 10 7 : (853, 883), (77761, 77999), ( , ), ( , ).

58 Another example y 2 + y = x 3 x has one amicable pair with p, q < 10 7 : ( , ) y 2 + y = x 3 + x 2 has four amicable pairs with p, q < 10 7 : (853, 883), (77761, 77999), ( , ), ( , ). y 2 = x has 5578 amicable pairs with p, q < 10 7 : (13, 19), (139, 163), (541, 571), (613, 661), (757, 787),....

59 CM case Theorem Let E/Q be an elliptic curve with complex multiplication, with j E 0. Suppose that p and q are primes of good reduction for E with p 5 and q = #E(F p ).

60 CM case Theorem Let E/Q be an elliptic curve with complex multiplication, with j E 0. Suppose that p and q are primes of good reduction for E with p 5 and q = #E(F p ). Then either #E(F q ) = p or #E(F q ) = 2q + 2 p.

61 Pairs on CM curves (D, f ) (3,3) (11,1) (19,1) (43,1) (67,1) (163,1) X = X = X = X = Table: Q E (X) for elliptic curves with CM

62 Pairs on CM curves (D, f ) (3,3) (11,1) (19,1) (43,1) (67,1) (163,1) X = X = X = X = Table: Q E (X) for elliptic curves with CM (D, f ) (3,3) (11,1) (19,1) (43,1) (67,1) (163,1) X = X = X = X = Table: Q E (X)/N E (X) for elliptic curves with CM

63 Conjecture (Version 2) Let E/Q be an elliptic curve, let Q E (X) = # { amicable pairs (p, q) such that p, q < X } Assume infinitely many primes p such that #E(F p ) is prime.

64 Conjecture (Version 2) Let E/Q be an elliptic curve, let Q E (X) = # { amicable pairs (p, q) such that p, q < X } Assume infinitely many primes p such that #E(F p ) is prime. (a) If E does not have complex multiplication, then X Q E (X) (log X) 2 as X,

65 Conjecture (Version 2) Let E/Q be an elliptic curve, let Q E (X) = # { amicable pairs (p, q) such that p, q < X } Assume infinitely many primes p such that #E(F p ) is prime. (a) If E does not have complex multiplication, then X Q E (X) (log X) 2 as X, (b) If E has complex multiplication, then X Q E (X) (log X) 2 as X.

66 No longer aliquot cycles in CM case Theorem A CM elliptic curve E/Q with j(e) 0 has no aliquot cycles of length l 3 consisting of primes p 5.

67 No longer aliquot cycles proof Let (p 1, p 2,..., p l ) be an aliquot cycle of length l 3, with p i 3. We must have p i = 2p i p i 2 for 3 i l, p 1 = 2p l + 2 p l 1.

68 No longer aliquot cycles proof Let (p 1, p 2,..., p l ) be an aliquot cycle of length l 3, with p i 3. We must have p i = 2p i p i 2 for 3 i l, p 1 = 2p l + 2 p l 1. Determining the general term for the recursion, we get p l+1 = lp 2 (l 1)p 1 + l(l 1). p 1 = p l+1 = p 1 = p 2 + l 1.

69 No longer aliquot cycles proof Let (p 1, p 2,..., p l ) be an aliquot cycle of length l 3, with p i 3. We must have p i = 2p i p i 2 for 3 i l, p 1 = 2p l + 2 p l 1. Determining the general term for the recursion, we get p l+1 = lp 2 (l 1)p 1 + l(l 1). p 1 = p l+1 = p 1 = p 2 + l 1. Cyclically permuting the cycle gives where we set p l+1 = p 1. p i = p i+1 + l 1 for all 1 i l,

70 No longer aliquot cycles proof Let (p 1, p 2,..., p l ) be an aliquot cycle of length l 3, with p i 3. We must have p i = 2p i p i 2 for 3 i l, p 1 = 2p l + 2 p l 1. Determining the general term for the recursion, we get p l+1 = lp 2 (l 1)p 1 + l(l 1). p 1 = p l+1 = p 1 = p 2 + l 1. Cyclically permuting the cycle gives p i = p i+1 + l 1 for all 1 i l, where we set p l+1 = p 1. So p i > p i+1 for all 1 i l and p l > p 1. Contradiction!

PMA225 Practice Exam questions and solutions Victor P. Snaith

PMA225 Practice Exam questions and solutions 2005 Victor P. Snaith November 9, 2005 The duration of the PMA225 exam will be 2 HOURS. The rubric for the PMA225 exam will be: Answer any four questions. You