Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Transcription

1 Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible. Such a group can be used as the setting for many cryptographic protocols, from Diffie- Hellman key exchange to El Gamal encryption. As the group of points of an elliptic curve over a finite field is one of the few known examples, it is important to be able to efficiently construct elliptic curves with large prime order. We show how constructing such a cryptographic elliptic curve over the field of p elements relates to the classic number theory problem of determining which primes p can be written as x + y D for integers x, y and D. 1 The Discrete Logarithm Problem Consider a finite group G of prime order N. The discrete logarithm problem, or DLP, is: The Discrete Log Problem: Given a, b G, with b = a n, find n. This can be thought of as computing the log of b with base a. Consider Z/NZ, the set of equivalence classes of integers {[0], [1], [],..., [N 1]}, where two integers a, b are equivalent modulo N if a b is a multiple of N. The group operation is addition modulo N so the DLP is written b an mod N. Solving this requires computing the inverse of a mod N, which can be done in polynomial time using Euclid s algorithm. Thus the DLP is not NP-hard in Z/NZ. However, for the group of points of an elliptic curve E over a finite field F p with prime order N (defined in the next section), the best ways to solve the DLP are all exponential in log(n). For N 10 80, with current computing power, it is infeasible to determine n. Thus the exponent n can be used to hide information in cryptographic protocols. To construct a cryptographic elliptic curve, that for which the DLP will be hard, we want to solve the following problem: Problem: Find large primes p and N and an elliptic curve E such that the group of points of E with coordinates in F p has size N. A Brief Introduction to Elliptic Curves An elliptic curve E over a field F is given by a Weierstrass equation y = x 3 + Ax + B (1) with A, B F and 4A 3 + 7B 0. (This last requirement says the curve has no singularities.) Let F be the algebraic closure of F, the set of all solutions of polynomials with coefficients in F. For example, if F = R, F = C. The set of points of E, denoted E( F ) consists of all points (x, y) F F that satisfy (??). The remarkable fact is that there is a natural way to add points on the curve, thus turning E( F ) into a commutative group. For the details, a good source is [? 1

2 Since F is algebraically closed, for any x 0 F, the points (x 0, ± x Ax 0 + B) are in E( F ). Thus, since F is infinite, E( F ) is an infinite group. But we are interested in a finite group for the DLP, so we consider E(F ), where F = F p = Z/pZ.) Each x 0 F p gives at most two points in E(F p ), depending on whether or not x Ax 0 + B has a square root modulo p. Therefore E(F p ) is always a finite group. More importantly, we have a bound on its order by Hasse s Theorem. Let N = #E(F p ). Then p + 1 p < N < p p () We call this the Hasse interval and denote it H p. Recall that we want to find an elliptic curve E over F p such that #E(F p ) = N. By this, we mean find an equation of the form (??) with coefficients in F p. It is possible, however, that two different Weierstrass equations describe essentially the same elliptic curve, in which case the two curves are said to be isomorphic. For E defined over a field F, the j-invariant of E is a rational function of A and B, taking values in F, which classifies elliptic curves up to isomorphism. That is, j(e) = j(e ) if and only if E and E are isomorphic. Given a value j F, it is straightforward to determine a Weierstrass equation for E with j(e) = j. We note that if E and E are isomorphic, the groups E(F p ) and E (F p ) may have different orders, in which case we say the curves are twists. If E(F p ) has N = p + 1 t points, its twist will have p t points. The value t is known as the trace of E. If t 0, E is called ordinary, and we focus only on these curves, since trace zero curves are susceptible to sub-exponential attacks [? So to solve the problem, we could first find p, N such that N H p. (This is heuristically possible by the Prime Number Theorem). Then we could choose j-invariants at random until we find E such that it or its twist has N points [? But how do we know we will succeed? The amazing fact is that given N H p, there exists an elliptic curve over F p such that #E(F p ) = N. This relies on the intimate connection between the j-invariant of certain elliptic curves over C and primes of the form x + y D, where D = t 4p. Understanding this connection will be the focus of the remainder of this essay. 3 The Endomorphism Ring of an Elliptic Curve Let F be any field. Recall that we can add two points on an elliptic curve, so in particular, we can add a point to itself. This allows us to define a multiplication on E as [n]p := P } + P {{ P }. n As the resulting sum is a point of E, we have a map [n] : E E, given by rational functions. Furthermore, since addition is associative and commutative, [n](p + Q) = [n]p + [n]q. That is, [n] is a homomorphism. A homomorphism of E given by rational functions is called an endomorphism. Let s consider the set End F (E). We can define the sum of two endomorphisms as (φ+ψ)(p ) = φ(p )+ψ(p ). This addition makes End F (E) into a commutative group. Furthermore, we can compose two endomorphisms (φ ψ)(p ) = φ(ψ(p )) and this composition law makes End F (E) into a ring. A lot of key information about an elliptic curve is encoded in the structure of this ring, as we shall see. We already know that End F (E) contains [n] for every positive integer [n Defining [ n] : P [n]p, we have that End F (E) contains [n] for all n Z. Thus, for any E, End F (E) contains Z. 3.1 Endomorphisms over F p Now let s consider an elliptic curve over F p. The Frobenius map (x, y) π (x p, y p ) (3)

3 is given by rational functions over F p and can be shown to be a homomophism ([?], 75). Thus π is in End Fp (E). Write N = p + 1 t. The Frobenius map satisfies the equation: π [t]π + [p] = [0] (4) in End Fp (E). 1 Note that t 4p is negative by Hasse s theorem (??). We can write this quantity as f D, for some f, D Z with D > 0 and squarefree. Solving the equation (??) for π, we see that π corresponds to an element of the quadratic imaginary field K = Q( D): π = t ± f D. (5) We now see that if E has N = p + 1 t points, End Fp (E) contains Z and π, and therefore the ring Z[π Note that Z[π] Z[ 1+ D ] = {a + b 1+ D a, b Z}. Since N is an odd prime number, t and f must be odd, and so D 3 mod 4. This means the ring Z[ 1+ D ] is the ring of integers of K, where K = Q( D). That is, every element is an algebraic integer α, the root of a polynomial with integer coefficients and leading coefficient one which cannot be factored in Z. This polynomial is known as the minimal polynomial of α. It turns out that End Fp (E) for E with N points will always be contained in or equal to Z[ 1+ D So to solve the original problem, it is enough to solve the following problem: Problem: Given p, N, construct an elliptic curve E with End Fp (E) = Z[ 1+ D But how can we construct an elliptic curve just by knowing its endomorphism ring? Fortunately, this turns out to be more tractable for elliptic curves over C and there is a way to relate elliptic curves over C to those over F p via their j-invariants. Note that a curve Ẽ over C will have a complex-valued j(ẽ), thus there is no reason a priori that it makes sense as an element of F p. For example, the complex number i is not in F 7 since 1 = 6 mod 7 and 6 doesn t have a square root in F 7. If, however, j(ẽ) does make sense as an element of F p, then the elliptic curve E over F p with j-invariant j(ẽ) mod p will have the same endomorphism ring as the curve over C. (This is due to a deep theorem of Deuring [?) So we can tackle the problem by first finding an elliptic curve over C with End C (Ẽ) = Z[ 1+ D ], and then seeing if its j-invariant makes sense modulo p. 3. Endomorphisms over C Any elliptic curve over C can be identified uniquely with the group C/Λ, where Λ = Z + τz is a lattice in C. Here C/Λ is the group of equivalence classes of points in C where z 1 z if and only if z 1 z Λ. It turns out that End C (E) = Z[ 1+ D ] if and only if λλ Λ for every λ Z[ 1+ D ], in which case we say λ has complex multiplication. So we want to find a lattice with complex multiplication by Z[ 1+ D We can classify lattices up to isomorphism by the complex-valued function j, where j(λ) = 1 q q +... and q = e πiτ [? This value agrees with the j-invariant of the elliptic curve E over C corresponding to C/Λ, but it is not an integer value and cannot be calculated exactly. However, if Λ has complex multiplication by Z[ 1+ D ], then j(λ) is an algebraic integer. The roots of its minimal polynomial, denoted H D (x), are precisely the j-invariants of all lattices with complex multiplication by Z[ 1+ D 1 The fact that π is closely related to the order of N of E(F p) shouldn t be a surprise. If P = (x, y) E(F p), then π(p ) = P since F p is the set of solutions to x p = x. Futhermore, π(p ) = P implies that P E(F p). The λ correspond to symmetries of the lattice. For example, the lattice Λ = Z + iz has multiplication by λ = i since i(a + ib) = b + ia Λ. This is equivalent to a counterclockwise rotation of 90. 3

4 Since H D (x) has coefficients in Z, we can reduce the coefficients modulo p and get a polynomial with coefficients in F p. If H D (x) has a root in F p this means that the j-invariant of the elliptic curve over C makes sense modulo p. Thus any roots of this polynomial in F p will be the j-invariants of elliptic curves over F p with End Fp = Z[ 1+ D So all that remains is to show that the polynomial H D has roots modulo p! This question relates precisely to the classic number theory problem of primes of the form x + y D, which we explore in the final section. 4 Primes of the Form x + y D Consider the following classic problem from number theory: when is a prime p = x + y for x, y integers? 3 Though we are looking for integer solutions, it s best to tackle this problem in a larger set of numbers, namely the Gaussian integers Z[i] = {a + bi : a, b Z, i = 1}. For example, the prime 5 can be written as 1 + which is the same as (1 + i)(1 i) in Z[i The problem therefore becomes: When do there exist x, y Z such that p = (x iy)(x + iy) in the ring Z[i]? Z[i] is a unique factorization domain, which means that, just like in the integers, every element of Z[i] has a unique decomposition into prime elements. (By prime, we simply mean a number can be written of the product of two non-invertible elements.) The norm of an element is just the standard complex norm: N(x + iy) = (x + iy)(x iy). Since the norm is a multiplicative map, an element with prime norm must be prime. Thus x ± iy are both prime. So if p = (x + iy)(x iy), by unique factorization this means p cannot be a prime element of Z[i]! In this case, the prime p is said to split in Z[i Thus, answering the problem comes down to understanding when the prime p of Z splits in Z[i We note also that if p splits in Z[i], then the minimal polynomial of i, x + 1, factors modulo p. For example, x + 1 = (x + )(x ) modulo 5. This gives a very useful criterion for when a prime splits: 4 a prime p splits in a ring Z[α] if and only if the minimal polynomial of α factors completely into linear terms modulo p. Now consider the more general problem: For D fixed, when can a prime p be written as x +y D for x, y Z? Note how this relates to the problem of constructing E with N = p + 1 t. Recall that End Fp (E) will contain Z[π] where π = t+f D, for t, f integers. Thus, if we can construct such an elliptic curve, we have that 4p can be written as x + y D for x, y Z. As in the case of D = 1, both of these problems hinge on how the prime p behaves in Z[ D], respectively Z[ 1+ D We can follow the above strategy, but we have to deal with ideals, introduced to circumvent the problem that these rings may not necessarily be unique factorization domains. (The classic example is Z[ 5] where (1 + 5)(1 5) = 3.) In particular, it turns out that 4p = x +y D if and only if the ideal (p) splits completely in H, the Hilbert class field of K. (For those familiar with algebraic number theory, K is the maximal abelian unramified extension of K.) The minimal polynomial of this extension, known as the Hilbert class polynomial of D, is precisely H D (x), whose roots are the j-invariants of elliptic curves over C with endomorphism ring Z[ 1+ D But we know that a number splits completely in an extension if and only if the minimal polynomial factors into linear terms modulo p. Thus, precisely because we can write 4p = t + f D, we know that H D (x) has roots modulo p which will be the j-invariants of elliptic curves over F p with N = p + 1 t points. Thus, constructing a cryptographic curve comes down to factoring a polynomial in F p! Of course, this requires computing the Hilbert class polynomial H D (x), which is not a trivial matter. For small D, it has been done [? However as the size of D grows, so do the coefficients of H D (x), and it becomes 3 The answer, known as Fermat s Theorem on the Sum of Two Squares, is that for p odd, there exist x, y Z such that p = x + y if and only if p 1 mod 4. The forward direction is straightforward to see. If x, y are both even or both odd, then x + y 0 mod, which means p 0 mod. As p is odd, this is clearly impossible. Thus x, y must be of opposite parity, in which case x + y 1 mod 4. For the reverse direction, see for example [?] or [? 4 There are actually a few exceptions to this, but these do not occur in the situation in which we are interested. 4

5 computationally infeasible to determine H D (x). Thus, techniques for determining j without knowing the whole polynomial is an active area of research in number theory, which as we have now seen, is highly relevant to building secure cryptosystems. References [1] Bröker, Reiner, Constructing elliptic curves of prescribed order, PhD Thesis, Thomas Stieltjes Institute for Mathematics, 006. [] Cox, D., Primes of the Form x + ny : Fermat, Class Field Theory and Complex Multiplication, John Wiley & Sons, [3] Silverman, J. The Arithmetic of Elliptic Curves, Springer-Verlag, [4] Wagon, S. Editor s corner: the Euclidean algorithm strikes again, Amer. Math. Monthly 97 (1990), no., [5] Washington, L. Elliptic Curves: Number Theory and Cryptography Chapman & Hall/CRC, 003. [6] Zagier, D. A one-sentence proof that every prime p 1 (mod 4) is a sum of two squares, Amer. Math. Monthly 97 (1990), no.,