Counting points on elliptic curves over F q

Transcription

1 Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008

2 p.2 Motivation Given an elliptic curve E over a finite field F q. Is the Discrete Logarithm Problem hard on E? One criterion for hardness: Group order #E(F q ) divisible by a large prime factor.

3 p.3 Short introductory notes Schoof (1983): first polynomial-time algorithm for point counting. late 80s/early 90s: Elkies and Atkin come up with speed-ups; leads to SEA (Schoof-Elkies-Atkin) algorithm. mid-90s: lots of speed-ups, characteristic-2 algorithms note: basic Schoof algorithm also applicable for hyperelliptic curves; see Eric Schost s talk next week at ECC

4 p.4 1. Introduction 2. Schoof s algorithm 3. Computing in the torsion group 4. Improvements by Elkies

5 p.5 Elliptic curves over F q Let q = p r for a prime p 5. Given A,B F q with 4A B 2 0. The zero set of Y 2 = X 3 + AX + B with the point P at infinity forms an elliptic curve.

6 p.6 Multiplication map Let m Z. If m > 0: If m < 0: [m](p) = P } + {{ + P }, m times [m](p) = [ m]( P). [0] : E E, [0](P) = P is the constant map and [1] the identity. The m-torsion group contains all points of order divisible by m: E[m] = {P E : [m](p) = P }.

7 p.7 Frobenius Endomorphism The map π : E E, (x,y) (x q,y q ) is called Frobenius endomorphism. We call a point (x,y) on E F q -rational if and only if π(x,y) = (x,y). We denote the rational points of E by E(F q ). In particular E(F q ) = ker([1] π).

8 p.8 The number of rational points Denote the number of rational points of E by #E(F q ). Trivial bound #E(F q ) 2q + 1: check for all x F q whether x 3 + Ax + B is a square in F q. Recall Legendre symbol: ( ) a = q 1 if a is a non-square in F q, 0 if a = 0 in F q, 1 if a is a square in F q. We get #E(F q ) = 1 + x F q ( 1 + ( x 3 + Ax + B q )).

9 p.9 Hasse s bound The Frobenius endomorphism satisfies the following characteristic equation over Z. π 2 t π + q = 0. The integer t is called the trace of the Frobenius endomorphism. It satisfies #E(F q ) = 1 + q t. t 2 q.

10 p Introduction 2. Schoof s algorithm 3. Computing in the torsion group 4. Improvements by Elkies

11 p.11 The idea Hasse: #E(F q ) = q + 1 t with t 2 q. Let L be minimimal among all primes which satisfy l > 4 q. l prime 2 l L Then the Chinese Remainder Theorem gives a unique t satisfying t mod l [ 2 q, 2 q ]. Prime number theorem: Need only O(log q) primes l.

12 p.12 Determine t mod l The restriction of the Frobenius endomorphism π to E[l] satisfies π 2 t π + q = 0 where t = t mod l and q = q mod l are uniquely determined. Let P E[l]. 1. Compute R = π(p) and Q = π 2 (P) + [q ]P in E[l]. 2. Check which t {0,1,...,l 1} satisfies Q = [t ]R.

13 p Introduction 2. Schoof s algorithm 3. Computing in the torsion group 4. Improvements by Elkies

14 p.14 Division polynomials Torsion group E[m] = {P E : [m](p) = P }. If gcd(q,m) = 1 we have E[m] = (Z/mZ) (Z/mZ). Let m 1. The lth division polynomial ψ l F q [X,Y ] vanishes in all l-torsion points, i.e., for P = (x,y) in E( F q ), P E[2] lp = P ψ l (x,y) = 0.

15 p.15 Recursion for ψ m (X, Y ) Given E : Y 2 = X 3 + AX + B over F q. ψ 1 = 1, ψ 2 = 2 Y, ψ 3 = 3 X 4 + 6AX B X A 2, ψ 4 = 4 Y (X 6 + 5AX B X 3 5A 2 X 2 4AB X 8B 2 A 3 ) and ψ 2m+1 = ψ m+2 ψm 3 ψm+1 3 ψ m 1 if m 2, 2Y ψ 2m = ψ m (ψ m+2 ψm 1 2 ψ m 2 ψm+1) 2 if m 3. Let gcd(m, q) = 1. For odd m we have ψ m F q [X] with deg X (ψ m ) = (m 2 1)/2. For even m we have ψ m Y F q [X] with deg X (ψ m ) = (m 2 4)/2. (replace all powers of Y by the curve equation.)

16 p.16 Multiplication map revisited Theorem For m 3 ( [m](x,y) = x ψ m 1 ψ m+1 ψm 2, ψ m+2 ψm 1 2 ψ m 2 ψm+1 2 ) 4y ψm 3. Note: this shows that [m] is a rational map.

17 p.17 Compute in a polynomial ring Check equality π 2 (P) + [q](p) = [t](p) in E[l] by looking at the polynomials corresponding to the x-coordinates of the point on the left and right side, resp. We compute the trace t modulo l in the ring R l = F q [X,Y ]/(Y 2 X 3 AX B,ψ l (X)) If we want to check if p 1 (X) = p 2 (X) in R l for two polynomials p 1 (X),p 2 (X) we check whether gcd(p 1 p 2,ψ l ) 1. Exercise Given a point (x,y) on a curve in Weierstrass form. You can write y q as h(x)y in R l. Determine h(x) F q [x].

18 p.18 Example Consider the curve E : Y 2 = X X 12 in F q with q = 97. Determine the trace of π modulo l = 5. The 5th division polynomial ψ 5 is given by 5x 12 18x 10 x 9 25x 8 40x 7 39x 6 + 7x 5 + 3x 4 14x x x + 47 Given a point P = (x,y) in E[5] we work in R 5 = F 97 [x,y]/(y 2 x 3 31x + 12,ψ 5 (x)).

19 p.19 Computing in R 5 π(x, y) = [47 x x x x x x x x 4 40 x x x + 26, (6 x x x x 8 11 x x 6 3 x x 4 39 x 3 48 x 2 x 9)y]. π 2 (x, y) = [ 17 x x x 9 x x x x 5 32 x x x x + 34, (34 x x 10 8 x 9 11 x 8 48 x x 6 8 x 5 37 x 4 21 x x x + 48)y]. [q mod 5](x, y) = [2](x, y) = [22 x x x x x 7 13 x x x 4 38 x x x + 17, ( 11 x x 9 48 x 8 12 x x x 5 10 x x x x + 24)y]

20 p.20 Find t such that π 2 (x, y) + [2](x, y) = [t]π(x, y) π 2 (x, y) + [2]P = [ 14 x x x x x x x x x 5 17 x x 3 2 x x 46, ( 11 x x x x x x x 8 24 x x x 5 47 x x x 2 40 x 32)y]. For t = 1 the point [t]π(x,y) = π(x,y) has a non-trivial gcd with π 2 (x,y) + [2](x,y) in both its x- and y-coordinate. Thus, t 1 mod 5. In fact, t = 14 and therefore #E(F 97 ) = ( 14) = 112 =

21 p.21 Complexity - very rough operation count Each prime l is about O(log q). Fix l. Elements of R l = F q [X,Y ]/(Y 2 X 3 AX B,ψ l )(X) have size O(l 2 log q) = O(log 3 q), since deg ψ l = (l 2 1)/2. Computing the Frobenius endomorphism in R l takes O(log 7 q) bit operations. Prime number theorem: need O(log q) primes l. Total cost: O(log 8 q).

22 p.22 Summary Schoof s algorithm Determine the trace t of the Frobenius endomorphism π modulo small primes l, in order to compute #E(F q ) = q + 1 t. Compute t mod l in R l = F q [X,Y ]/(Y 2 X 3 AX B,ψ l (X)) whose size is determined by the degree of ψ l which is (l 2 1)/2). Improvement: Try to determine the trace modulo l in a subgroup of E[l] and therefore determine a linear factor of the lth division polynomial ψ l.

23 p Introduction 2. Schoof s algorithm 3. Computing in the torsion group 4. Improvements by Elkies

24 p.24 Characteristic polynomial revisited The Frobenius endomorphism π is a linear operator on the vector space E[l] = F 2 l. Its characteristic polynomial splits over F l T 2 tt + q = (T λ 1 )(T λ 2 ). If λ 1,λ 2 F l, we found two eigenvalues of π. We call l an Elkies prime. Then there exist two points P 1,P 2 E[l] such that π(p 1 ) = [λ 1 ]P 1 and π(p 2 ) = [λ 2 ]P 2. The points P 1,P 2 generate each a π-invariant subgroup of order l of E[l].

25 p.25 Compute the trace of the Frobenius in a subgroup of E[l] Characteristic equation T 2 tt + q = (T λ 1 )(T λ 2 ). For λ 1,λ 2 F l we get q = λ 1 λ 2 and thus t = λ 1 + λ 2 = λ 1 + q/λ 1. Determining t in a subgroup means finding an eigenvalue of the Frobenius in F l. New check equation. Find λ {0,1,...,l 1} such that π(p) = [λ](p) for a non-trivial point of a subgroup of E[l].

26 p.26 Determine whether l is an Elkies prime Let E have a subgroup C of prime order l. Then there exists an elliptic curve E and an isogeny φ : E E with kernel C. The lth modular polynomial Φ l is a polynomial of degree l + 1 in F q [X,Y ]. Its roots are exactly the j-invariants of all l-isogeneous elliptic curves. Theorem Let E be an elliptic curve over F q, not supersingular with j-invariant j not equal to 0 or Then E has a π-invariant subgroup C of order l if and only if the polynomial Φ l (j,t) has a root j in F q. Note: j is the j-invariant of an l-isogeneous elliptic curve E which is isomorphic to E/C.

27 p.27 Representing a l-group C Determine factor F l of ψ l in F q [X] such that (x,y) C F l (x) = 0. Construct F l by finding an degree-l isogeny φ with kernel C. We get F l (X) = (X P x ). ±P C P P Degree: deg X F l = (l 1)/2.

28 p.28 Complexity for the Elkies procedure Compute the Frobenius and [λ]p in the ring F q [X,Y ]/(Y 2 X 3 AX B,F l (X)) which has size O(llog q) = O(log 2 q). Overall complexity O(log 5 q) bit operations.

29 p.29 Atkin and SEA If l is not an Elkies prime we can use Atkin s method to compute t mod l: Determine the rth power of the Frobenius such that there is a π r -invariant subgroup of E[l]. Then t mod l satisfies for an rth root of unity. Schoof-Elkies-Atkin algorithm t 2 (ζ r ζ 1 r )q Compute the trace t modulo small primes l until l > 4 q. For each l use the modular polynomial Φ l to decide whether to use Elkies or Atkin s procedure. Determine the trace t in the Hasse interval using the Chinese Remainder theorem. Complexity of SEA: O(log 6 q).

30 Thank you! p.30