Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

Transcription

1 Elliptic curve cryptography Matthew England MSc Applied Mathematical Sciences Heriot-Watt University Summer 2006

2 Abstract This project studies the mathematics of elliptic curves, starting with their derivation and the proof of how points upon them form an additive abelian group. We then work on the mathematics neccessary to use these groups for cryptographic purposes, specifically results for the group formed by an elliptic curve over a finite field, E(F q ). We examine the mathematics behind the group of torsion points, to which every point in E(F q ) belongs, and prove Hasse s theorem along with a number of other useful results. We finish by describing how to define a discrete logarithm problem using E(F q ) and showing how this can form public key cryptographic systems for use in both encryption and key exchange. Acknowledgments Many thanks to Dr. Mark Lawson, for his help, supervision and enthusiasm for this project.

3 Contents 1 Introduction 1 2 Elliptic curves A class of algebraic curves Group law Prime curve examples Torsion points and endomorphisms of elliptic curves Endomorphisms of elliptic curves Torsion points Successive doubling The basis for E[n] Division polynomials The Weil pairing Elliptic curves over finite fields Examples Hasse s theorem The Frobenius endomorphism Orders of points Baby Step, giant step Elliptic curve cryptography The basics of cryptography Public key cryptography The discrete logarithm problem Diffie-Hellman key exchange The El Gamal cryptosystem i

4 5.4 Elliptic curve cryptography The discrete logarithm problem for elliptic curves Diffie-Hellman key exchange for elliptic curves El Gamal cryptosystem for elliptic curves Summary and conclusions 75 Bibliography 77 APPENDIX 78 A Elliptic curve material 78 A.1 Singular curves A.1.1 The relationship between multiple roots and singular points A.1.2 Triple root A.1.3 Double root A.2 Deriving the condition for distinct roots A.2.1 Determining the roots A.2.2 The discriminant A.2.3 Relating back to elliptic curves A.3 Elliptic curves in characteristic A.4 Elliptic curves in characteristic A.5 The proof of associativity A.5.1 Projective geometry and the point at infinity A.5.2 Lines in PK A.5.3 The proof of associativity A.6 The proofs omitted from Chapter A.7 Methods to determine the order of E(F q ) exactly A.7.1 Subfield curves A.7.2 Legendre symbols A.8 Supersingular curves B Mathematical background material 137 B.1 Algebraic curves B.2 Fractions in polynomial rings B.3 Number theory ii

5 B.4 Group theory B.5 Field theory B.5.1 Finite fields B.5.2 Constructing F B.5.3 Constructing F B.5.4 Addition and multiplication tables of F B.6 Miscellaneous C Matlab Code 161 C.1 The Matlab code for ECAD.m C.2 The Matlab code for PC.m C.3 The Matlab code for ECADP.m C.4 The Matlab code for inve.m C.5 The Matlab code for SUCDOB.m C.6 The Matlab code for check.m C.7 The Matlab code for RR44.m iii

6 Chapter 1 Introduction An elliptic curve is usually defined to be the graph of an equation y 2 = x 3 + Ax + B where x, y, A and B belong to a specified field. These curves are of great use in a number of applications, largely because it possible to take two points on such a curve and generate a third. In fact, we will show that by defining an addition operation and introducing an extra point,, the points on an elliptic curve form an additive abelian group. Such a group can then be used to create an analogue of the discrete logarithm problem which is the basis for several public key cryptosystems. This project will introduce the mathematics behind elliptic curves and then demonstrate how to use them for cryptography. The project loosely follows and adds to the work in Chapters 2 to 6 of [9]. If not otherwise stated the material has been adapted from this source. Chapter 2 of the project introduces the basic mathematics behind elliptic curves, such as the proof that the points upon them form an abelian group. Chapter 3 then considers those points in the group which are torsion while Chapter 4 considers elliptic curves defined over finite fields. Here we prove Hasse s theorem to give a bound on the size of the group. Chapter 5 demonstrates how the mathematics of the previous chapters can be employed in a cryptographic algorithm for use in key exchange or encryption of messages. Appendix A contains some further results on elliptic curves while Appendix B contains the mathematical background material that is employed throughout the project. We also make use of Matlab to speed up calculations with elliptic curves and the relevant codes can be found in Appendix C. 1

7 Chapter 2 Elliptic curves Elliptic curves have, over the last three decades, become an increasingly important subject of research in number theory and related fields such as cryptography. They have also played a part in numerous other mathematical problems over hundreds of years. For example, the congurant number problem of finding which integers n can occur as the area of a right angled triangle with rational sides can be expressed using elliptic curves (see Chapter 1 of [9]). In this chapter we set out the basic mathematics of elliptic curves, starting with their derivation and definition followed by the proof that points upon them form an additive abelian group. 2.1 A class of algebraic curves Elliptic curves are a specific class of algebraic curves. In this section we show how we arrive at their standard definition, seen in the introduction, from the more general case. First consider an algebraic curve formed from a conic on the left and a cubic on the right: y 2 + θ 1 xy + θ 2 y + θ 3 x + θ 4 = x 3 + σ 1 x 2 + σ 2 x + σ 3 where θ i, σ i are constants. We can then combine the constant and linear terms to form what is known as the generalised Weierstrass equation: y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 (2.1) where a 1,..., a 6 are constants. In practice we must specify which field these constants and the variables, x, y belong to. So long as this field does not have 2

8 characteristic 2 then we can divide the above equation by 2 and complete the square. This gives ( y + a 1x 2 + a ) ( ) 2 ( 3 = x 3 + a 2 + a2 1 x 2 + a 4 + a ) ( ) 1a 3 a 2 x a 6 which can be written as y 2 1 = x 3 + a 2x 2 + a 4x + a 6 with y 1 = y +a 1 x/2+a 3 /2 and some constants a 2, a 4, a 6. If the characteristic were 2 then 2 would be equivalent to 0 in this field. We would then not be able to perform the above operation as we cannot divide by zero. If the characteristic was neither 3 or 2, then we could perform a further substitution letting x 1 = x + a 2/3 to obtain y 2 1 = x Ax 1 + B for some constants A, B. This equation is known as the Weierstrass equation for an elliptic curve and is used in all cases, except those where the characteristic of the field is either 2 or 3. If the characteristic is 2 then we use the generalised Weierstrass equation and if it is 3 we use Equation (2.1). Notice that we assume the coefficients of the y 2 and x 3 terms are one. Suppose we start with an equation cy 2 = dx 3 + ax + b with c, d 0. Then multiply both sides of the equation by c 3 d 2 to obtain (c 2 dy) 2 = (cdx) 3 + (ac 2 d)(cdx) + (bc 3 d 2 ) and so if we use the change of variables y 1 = c 2 dy, x 1 = cdx then we have an equation in Weierstrass form. We cannot draw meaningful pictures of such curves over most fields, but for intuition we can think of graphs over the real numbers of which there are two main types. 3

9 Figure 2.1: Some examples of elliptic curves defined over the real numbers. On the left is y 2 = x 3 x and on the right y 2 = x 3 + x The first example has three real roots, while the second has one. We prove in Appendix A.1 that when an elliptic curve has a multiple root it will have a singular point, which causes problems when defining the addition operation. We investigate the singular cases in Appendix A.1 but otherwise assume that all the roots are distinct. In Appendix A.2 we use the definition of the discriminant applied to this case when the characteristic is neither 2 or 3 to derive the following condition for distinct roots. 4A B 2 0 The general definition for an elliptic curve will be the Weierstrass equation applied with the above condition. As mentioned above we must specify what set A, B, x and y belong to. Usually they will belong to a field such as R, C or Q, one of the finite fields F p (= Z p ) for a prime p or one of the finite fields F q where q = p k with k 1. If K is a field with A, B K then we say the elliptic curve E is defined over K. In general we use E and K to represent an elliptic curve and the field over which it is defined. If we wish to consider points in a field L K we write E(L), which is defined as below. E(L) = { } {(x, y) L L y 2 = x 3 + Ax + B} We include this point of infinity on elliptic curves for use in the group operation defined in the following section. It is easiest to regard it as a point 4

10 (, ) and denote it simply by sitting at the top of the y-axis. A line is said to pass through when it is exactly verticle (i.e. x = constant), and so two verticle lines will meet at. We make sense of this concept and interpret as being on an elliptic curve in Appendix A.5.1. We also think of as sitting at the bottom of the y-axis, but this would imply two straight lines meet at two points. Instead we require this top and bottom to be the same point, (as if the y-axis were wrapped around to form a circle). 2.2 Group law As stated in the introduction, we can start with two points on an elliptic curve (or even one) and produce another. In this section we describe how to carry out this process and derive the formula for use with the Weierstrass equation. We then show that by defining this process as an addition operation we can generate an additive abelian group. Suppose we have a point P = (x 0, y 0 ) on an elliptic curve (in any characteristic). If L is a line through P and then it is a verticle line x = x 0. We denote the other point of intersection between L and E as P. For the Weierstrass equation, P = (x 0, y 0 ) since this curve is symmetric about the x-axis. For the generalised Weierstrass equation it is as calculated as in the lemma below. Lemma 2.1. If P = (x 0, y 0 ) lies on the curve, E, given by y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 then the other point of intersection between E and x = x 0 is P = (x 0, a 1 x 0 a 3 y 0 ) Proof We know that when x = x 0 there are two points on E, y 0 and y 1 so: y 2 + a 1 x 0 y + a 3 y = x a 2 x a 4 x 0 + a 6 0 = y 2 + y(a 1 x 1 + a 3 ) + ( x 3 0 a 2 x 2 0 a 4 x 0 + a 6 ) (y y 0 )(y y 1 ) = y 2 y(y 0 + y 1 ) + y 0 y 1 We can see that the negative of the coefficient of the linear term is the sum of the roots. Therefore y 0 + y 1 = a 1 x 0 a 3 y 1 = a 1 x 0 a 3 y 0 5

11 So P = (x 0, a 1 x 0 a 3 y 0 ) as required. So if P = (x 0, y 0 ) then P as defined above is (x 0, a 1 x 0 a 3 y 0 ) if the characteristic of K is 2 and (x 0, y 0 ) otherwise. Later we conclude that P = P in group notation. We can now define elliptic curve addition. Suppose we are on an elliptic curve, E, defined over a field K of any characteristic. If we start with two points, P 1 = (x 1, y 1 ) and P 2 = (x 2, y 2 ) on E then we can find a third point, P 3 as follows. Draw the line L between P 1 and P 2, find the third point of intersection, denoted P 3. Finally calculate (P 3) = P 3 using the method above. The addition operation is then defined as P 1 + P 2 = P 3 Figure 2.2: Adding points on an elliptic curve We now find explicit formula for P 3 by looking at the different possibilities for P 1 and P 2. Suppose that we are on an elliptic curve E given by the Weierstrass equation y 2 = x 3 + Ax + B. First assume P 1 P 2 and that neither point is. We then know that the slope of the line L is m = y 2 y 1 x 2 x 1 6

12 Now assume that x 2 x 1 in which case the equation of L is y = m(x x 1 ) + y 1 (2.2) To find the intersection with E substitute (2.2) into the equation for E: (m(x x 1 ) + y 1 ) 2 = x 3 + Ax + B x 3 m 2 x = 0 where the three roots of this cubic are the three points where L intersects E. Note from Theorem B.16 that the sum of the roots is the negative of the coefficient of the x 2 term in the cubic. We know two of the roots are x 1 and x 2 and so we can conclude that x 3 = m 2 x 1 x 2. We can then substitute back to get y 3 = m(x 3 x 1 ) + y 1. Finally we can reflect in the x-axis to find P 3 = (x 3, y 3 ) x 3 = m 2 x 1 x 2, y 3 = m(x 1 x 3 ) y 1 In the case that x 1 = x 2 but y 1 y 2 the line through P 1 and P 2 is verticle and so intersects E at. Reflecting in the x-axis gives and so P 1 + P 2 = In the case where P 1 = P 2 = (x 1, y 1 ) the line, L, is the tangent at (x 1, y 1 ). Implicit differentiation allows us to find m, the slope of L 2y dy dx = 3x2 + A = m = dy dx = 3x2 1 + A 2y 1 If y 1 = 0 then L is verticle so we set P 1 + P 2 =. Otherwise the equation of L is y = m(x x 1 ) + y 1 as before. We can substitute in to obtain the same cubic and then use the fact that x 1 is a double root to obtain P 3 = (x 3, y 3 ) x 3 = m 2 2x 1, y 3 = m(x 1 x 3 ) y 1 Finally suppose P 2 = in which case the line between P 1 and is a verticle line that intersects E at P 1 the reflection of P 1 in the x-axis. Then when we reflect this back we get P 1 so P 1 + = P 1 7

13 we can extend this to include + =. We can now begin to see why elliptic curves are suited for the definition of such an operation. The right hand side of the Weierstrass equation is cubic which ensures that the line between any two points will intersect at a third point, the first step in the operation. Then the y 2 term on the left hand side makes the curve symmetric about the x-axis, which is vital for the reflection part. The addition operation is summarised in the box below. SUMMARY Let E be an elliptic curve defined by y 2 = x 3 + Ax + B. Let P 1 = (x 1, y 1 ) and P 2 = (x 2, y 2 ) be points on E with P 1, P 2. We then define P 1 + P 2 = P 3 = (x 3, y 3 ) as follows 1. If x 1 x 2 then where m = y 2 y 1 x 2 x 1 x 3 = m 2 x 1 x 2, y 3 = m(x 1 x 3 ) y 1 2. If x 1 = x 2 but y 1 y 2 then P 1 + P 2 = 3. If P 1 = P 2 and y 1 0 then where m = 3x2 1 +A 2y 1 x 3 = m 2 2x 1, y 3 = m(x 1 x 3 ) y 1 4. If P 1 = P 2 and y 1 = 0, then P 1 + P 2 = Also we define P + = P for all points P on E If the characteristic of K is 2 or 3 then we use the same method for elliptic curve addition but the formula are different. We consider the characteristic 2 and 3 cases in Appendix A.3 and Appendix A.4 respectively. Theorem 2.2. The points on E form an additive abelian group with as the identity element and elliptic curve addition as the group operator. 8

14 Proof Recall the definition of a group from Appendix B.4. The commutativity is obvious from the formulas and the intuition of drawing a straight line through two points, while the identity property holds by definition. It is also clear from the formulas that the sum of any two points will also be on the elliptic curve, and if those original points had coordinated in a field L, then so does the sum. For inverses we define P as P, (the reflection of P in the x-axis in the characteristic not 2 case). Then P + P = for all P. Associativity can be proved with the formulas, trying all cases, or with a number of other approaches. We use projective space to prove this property in Appendix A.5. This theorem will also hold for the characteristic not 2 case similarly (defining P as P given by Equation (2.1)). Example 2.1. Let E be the curve y 2 = x 3 25x and suppose we know the point ( 4, 6) lies on the curve. To find another point on E we can add this point to itself. In the notation of elliptic curve addition we have: Hence 2( 4, 6) = ( 4, 6) + ( 4, 6) = m = 3( 4)2 25 2(6) = = ( (23 ) ) 2 2( 4), ( 4 x 3) 6 ( , ) 1728 A Matlab m-file was constructed to perform elliptic curve addition over the real numbers. Suppose we have an elliptic curve, E, given by y 2 = x 3 + Ax + B and two points P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ). The m-file will find the sum, P 1 + P 2 = P 3 = (x 3, y 3 ), where + represents elliptic curve addition. It takes as its inputs x 1, y 1, x 2, y 2 and A and produces x 3, y 3 and, if requested, m. In future examples elliptic curve addition is performed with this m-file to save calculation. The file is stored in ECAD.m and can be found in Appendix C.1 Note that if P is a point on an elliptic curve and k is a positive integer, then kp denotes P + P P (with k summands). If k < 0 then kp = ( P ) + ( P ) ( P ), (with k summands). 9

15 2.2.1 Prime curve examples This section contains some examples of working with elliptic curves which are defined over Z p. These are often called the prime curves and can be far simpler to work with as we can reduce modulo p at each stage. These examples are derived from those in Section 10.3 of [8]. Suppose we have an elliptic curve, E, over Z p. In this case we have a cubic equation in which the variables and coefficients take values on the set of integers 0, 1,...(p 1) and all calculations are performed modulo p. y 2 x 3 + Ax + B (mod p) We write E p (A, B) for the set of integers (x, y) that satisfy the above equation, together with a point at infinity,. Example 2.2. The set E 11 (1, 6) is the set of integers (x, y) that satisfy y 2 x 3 + x + 6 (mod 11) We can see that (x, y) = (7, 9) is in this set as 9 2 (mod 11) = ( ) (mod 11) 81 (mod 11) = 356 (mod 11) 4 = 4 To find all the points in E 11 (1, 6) we find all the possible values x 3 + x + 6 (mod p) and then see what values of y 2 will match. There are 11 choices of x, the integers {0, 1,..., 10}. Subbing these values in turn into the cubic and reducing modulo 11 will give us the possible values of y 2 : x = 0 = RHS = 6 x = 6 = RHS = x = 1 = RHS = 8 x = 7 = RHS = x = 2 = RHS = 16 5 x = 8 = RHS = x = 3 = RHS = 36 3 x = 9 = RHS = x = 4 = RHS = 74 8 x = 10 = RHS = x = 5 = RHS = So we can see that the possible values of y 2 are {3, 4, 5, 6, 7, 8, 9} i.e. y 2 cannot be 0,1,2 or 10. Next examine the 10 possible values of y and identify which values of x they could be paired with to give a point on the curve. 10

16 y = 0 y 2 = 0 No Points y = 6 y 2 = 36 3 x = 3 y = 1 y 2 = 1 No Points y = 7 y 2 = 49 5 x = 2 y = 2 y 2 = 4 x = 5, 7, 10 y = 8 y 2 = 64 9 x = 8 y = 3 y 2 = 9 x = 8 y = 9 y 2 = 81 4 x = 5, 7, 10 y = 4 y 2 = 16 5 x = 2 y = 10 y 2 = No Points y = 5 y 2 = 25 3 x = 3 So there are 13 points in E 11 (1, 6) (the 12 found above and ): E 11 (1, 6) = {(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), } An m-file, PC.m, to find and plot all the points on a prime curve was constructed and is stored in Appendix C.2. This m-file takes as its inputs, A, B and p and produces two vectors X, Y which contain all the points (x, y) that lie on y 2 x 3 + Ax + B (mod p). When run on this example it verified that we had found found all the points in E 11 (1, 6) and plotted the graph below. We can see that the points are symmetric about the line y =

17 We can perform the elliptic curve addition operation on prime curves, however we reduce modulo p at each step. For example, still considering E 11 (1, 6): If P = (8, 3) then we know that P = (8, 3). Working modulo 11 we see that P = (8, 8) which is also a point in E 11 (1, 6). Let P = (8, 3) and Q = (3, 5). Then to find R = P + Q: m = = = 1 3 = 1 4 = 4 The penultimate step involved taking the multiplicative inverse of 3 in Z 11. We now proceed to show that x R = = 5, y R = 4(8 5) 3 = 9 So in E 11 (1, 6) we find (8, 3) + (3, 5) = (5, 9). Again let P = (8, 3). To calculate 2P = P + P : m = 3(82 ) + 1 = = 1 (mod 11) 6 Then x 2P = 1 2 2(8) = 15 7 (mod 11) y 2P = 1(8 7) 3 = 2 9 (mod 11) So in E 11 (1, 6) we find 2(8, 3) = (7, 9). The earlier m-file for performing elliptic curve addition was modified for use with prime curves. It now reduces modulo p at each stage using Matlab s mod function and find the inverse of elements so the final answer is an element on a prime curve. This new m-file is ECADP.m and can be found in Appendix C.3. It contains the same inputs and outputs as ECAD.m but the user must input p in addition. It makes use of the m-file inve.m which is stored in Appendix C.4. This m-file takes as its inputs a number N and a prime p and outputs the inverse of N in the group Z p. The m-file ECADP.m was used to calculate the remaining entries in the addition table overleaf (Table 2.1). In Example 3.4 we show that (2, 7) is a generator of this group and so it is isomorphic to Z

18 + (2,4) (2,7) (3,5) (3,6) (5,2) (5,9) (7,2) (7,9) (8,3) (8,8) (10,2) (10,9) (2,4) (5,9) (7,2) (10,2) (2,7) (8,8) (7,9) (3,6) (5,2) (10,9) (8,3) (3,5) (2,4) (2,7) (5,2) (10,9) (7,9) (8,3) (2,4) (3,5) (7,2) (10,2) (5,9) (3,6) (8,8) (2,7) (3,5) (7,2) (10,9) (8,3) (8,8) (7,9) (5,2) (2,7) (5,9) (3,6) (2,4) (10,2) (3,5) (3,6) (10,2) (7,9) (8,8) (7,2) (8,3) (2,4) (5,9) (3,5) (5,2) (10,9) (2,7) (3,6) (5,2) (2,7) (8,3) (8,8) (7,2) (10,2) (10,9) (3,5) (3,6) (2,4) (7,9) (5,9) (5,2) (5,9) (8,8) (2,4) (7,9) (8,3) (10,9) (3,6) (10,2) (2,7) (3,5) (5,2) (7,2) (5,9) (7,2) (7,9) (3,5) (5,2) (2,4) (10,9) (3,6) (2,7) (8,8) (10,2) (5,9) (8,3) (7,2) (7,9) (3,6) (7,2) (2,7) (5,9) (3,5) (10,2) (2,4) (10,9) (8,3) (8,8) (5,2) (7,9) (8,3) (5,2) (10,2) (5,9) (3,5) (3,6) (2,7) (8,8) (10,9) (7,9) (7,2) (2,4) (8,3) (8,8) (10,9) (5,9) (3,6) (5,2) (2,4) (3,5) (10,2) (8,3) (7,2) (2,7) (7,9) (8,8) (10,2) (8,3) (3,6) (2,4) (10,9) (7,9) (5,2) (5,9) (8,8) (7,2) (2,7) (3,5) (10,2) (10,9) (3,5) (8,8) (10,2) (2,7) (5,9) (7,2) (8,3) (5,2) (2,4) (7,9) (3,6) (10,9) (2,4) (2,7) (3,5) (3,6) (5,2) (5,9) (7,2) (7,9) (8,3) (8,8) (10,2) (10,9) Table 2.1: The addition table for E11(1, 6). This is the group of points (x, y) that satisfy y 2 = x 3 + x + 6 within the field Z11 along with the point. This group can be shown to be isomorphic to Z13 and generated by the point (2,7). 13

19 Example 2.3. Consider E 23 (1, 1), the set of integers (x, y) that satisfy y 2 x 3 + x + 1 (mod 23) Running PC.m with A = B = 1 and p = 23 produced: Note that all the point with the exception of (4,0) are symmetric about the line y = If there were another point, symmetric to (4,0) then there would be a point at (4,23). However this is equivalent to (4,0) in modulo 23, so its as if the y-axis was wrapped around to form a circle the analogy given earlier. An m-file to check whether a point lies on a prime curve, (check.m), was created and stored in Appendix C.6. This m-file takes as its inputs x, y, A, B, p and checks whether the point (x, y) lies on the curve y 2 x 3 + Ax + B (mod p) 14

20 Chapter 3 Torsion points and endomorphisms of elliptic curves The order, of an element, a, in any additive abelian group defined by an elliptic curve, is the smallest positive integer m such that ma =. If no such m exists, we say that a has infinite order. Finitely generated abelian groups can be split into the torsion and torsion free subgroups where the former contain the torsion points which are those points whose orders are finite. These points play a large role in the theory of elliptic curves, especially in elliptic curves defined over finite fields, where all points are torsion. In general the torsion subgroup is simpler to work with, which is another reason why elliptic curves over finite fields are of such great interest. In this chapter we examine the properties of the torsion points as well as deriving some results for use in Chapter 4. We start by considering endomorphisms of elliptic curves, which help in our study of the torsion points since multiplication by n on an elliptic curve can be described as an endomorphism. 3.1 Endomorphisms of elliptic curves Recall that a homomorphism is a structure-preserving map between two algebraic structures (in this case, groups). Here we use endomorphism to mean a homomorphism α : E(K) E(K) that is given by rational functions. In other words, α(p 1 + P 2 ) = α(p 1 ) + α(p 2 ), and there are rational functions 15

21 R 1 (x, y), R 2 (x, y) with coefficients in K such that α(x, y) = (R 1 (x, y), R 2 (x, y)) for all (x, y) E(K). Since α is a homomorphism we have α( ) =. Also assume that α is not the trivial endomorphism that maps every point to, denoted by α = 0. Example 3.1. Let E be given by y 2 = x 3 + Ax + B and let α(p ) = 2P. Then α is a homomorphism and α(x, y) = (R 1 (x, y), R 2 (x, y)) where R 1 (x, y) = R 2 (x, y) = ( ) 3x A 2x 2y ( ) ( ( ) ) 3x 2 + A 3x A 3x y 2y 2y Since α is a homomorphism given by rational functions, it is an endomorphism of E. The following theorem will allow us to use a standard form for the rational functions that describe an endomorphism. Theorem 3.1. Let E be given by y 2 = x 3 + Ax + B, and defined over a field K. Any endomorphism, α, can be completely defined by the following, where p(x), q(x) are polynomials with no common factors and s(x), t(x) likewise. ( p(x) α(x, y) = (r 1 (x), r 2 (x)y) = q(x), y s(x) ) t(x) Proof α is an endomorphism and so can be expressed with rational functions, α(x, y) = (R 1 (x, y), R 2 (x, y)). Now, since y 2 = x 3 + Ax + B for all (x, y) E(K) we can replace any even power of y by a polynomial in x, and any odd power of y by y times a polynomial in x: R(x, y) = p 1(x) + p 2 (x)y p 3 (x) + p 4 (x)y We could then rationalize the denominator and replace y 2 to get R(x, y) = q 1(x) + q 2 (x)y q 3 (x) (3.1) 16

22 Since α is a homomorphism it will preserve the structure of the curve so This means that α(x, y) = α( (x, y)) = α(x, y) R 1 (x, y) = R 1 (x, y), and R 2 (x, y) = R 2 (x, y) By writing R 1 in the form of Equation (3.1) we can see that q 2 (x) = 0, and similarly with R 2, we find that q 1 (x) = 0. Therefore we may assume that α(x, y) = (r 1 (x), r 2 (x)y) for rational functions r 1 (x), r 2 (x). We must still consider what happens when one of the rational functions is not defined at a point. Write r 1 (x) = p(x) q(x), and r 2(x) = y s(x) t(x) with polynomials p(x), q(x) that do not have a common factor and s(x), t(x) likewise. If q(x) = 0 at some point (x, y) then we assume that α(x, y) =. If q(x) 0 then part (ii) of Lemma 3.2 below shows that r 2 (x) will also be defined. This completes the proof of Theorem 3.1 Lemma 3.2. Let α(x, y) = ( p(x) q(x), y s(x) ) t(x) be an endomorphism of the elliptic curve E given by y 2 = x 3 + Ax + B. Let p, q be polynomials with no common root, and s, t likewise. Then (i) For a polynomial u(x), such that u and q have no common root (x 3 + Ax + B)s(x) 2 t(x) 2 = u(x) q(x) 3 (ii) t(x 0 ) = 0 if and only if q(x 0 ) = 0. 17

23 Proof (i) Because α is a endomorphism, the point α(x, y) also lies on the elliptic curve E. Hence ( (x 3 + Ax + B)s(x) 2 = y2 s(x) 2 = y s(x) ) 2 t(x) 2 t(x) 2 t(x) = ( p(x) q(x) ) 3 + A p(x) q(x) + B = p(x)3 + Ap(x)q(x) 2 + Bq(x) 3 q(x) 3 u(x) q(x) 3 where u(x) = p(x) 3 + Ap(x)q(x) 2 + Bq(x) 3. We still need to show that u(x) and q(x) do not share a root. Suppose q(a) = 0. If u(a) = 0 also, then u(a) = p(a) 3 + Ap(a)q(a) 2 + Bq(a) 3 = 0 p(a) 3 = 0 = p(a) = 0 We assumed p(x) and q(x) shared no common roots so this cannot happen. Therefore if q(a) = 0 then u(a) 0 meaning u and q have no common roots. (ii) From part (i) we know that Then if q(x 0 ) = 0 we have (x 3 + Ax + B)s(x) 2 q(x) 3 = t(x) 2 u(x) t(x 0 ) 2 u(x 0 ) = 0 Now we know that u and q do not share a common root so u(x 0 ) 0 therefore t(x 0 ) = 0 as required. To prove the converse, suppose t(x 0 ) = 0, then (x Ax 0 + B)s(x 0 ) 2 q(x 0 ) 3 = 0 But s(x 0 ) 0 because t and s are assumed to have no common roots so (x Ax 0 + B)q(x 0 ) 3 = 0 We now consider the following two cases a) If x Ax 0 + B 0 then q(x 0 ) 3 = 0 so q(x 0 ) = 0 and we are done. 18

24 b) If x Ax 0 + B = 0 then (x x 0 ) divides (x 3 + Ax + B) so x 3 + Ax + B = (x x 0 )Q(x) where Q(x 0 ) 0 as we have assumed no multiple roots. Now because t(x 0 ) = 0 we can make a similar factorisation to get t(x) = (x x 0 )T (x) for some polynomials T (x). Now we can consider again the equation from part (i) (x 3 + Ax + B)s(x) 2 q(x) 3 = t(x) 2 u(x) Now when x = x 0 we get (x x 0 )Q(x)s(x) 2 q(x) 3 = [(x x 0 )T (x)] 2 q(x) 3 Q(x)s(x) 2 = (x x 0 )T (x) 2 u(x) q(x 0 ) 3 Q(x 0 )s(x 0 ) 2 = 0 We have already shown that s(x 0 ) 0 and that Q(x 0 ) 0 so we have q(x 0 ) = 0 as required. Define the degree of α to be, deg(α) = Max {deg(p(x)), deg(q(x))} if α is non trivial. If α = 0 then define deg(α) = 0. Define α 0 to be a separable endomorphism if the derivative r 1(x) is not identically zero. (Recall that if a function is identically zero then it is the zero function as opposed to merely zero at a particular point.) By Lemma 3.3 below, this is equivalent to saying that at least one of p (x) and q (x) is not identically zero. Lemma 3.3. Let p(x), q(x) be polynomials with no common roots. Then ( ) d p(x) = 0 if and only if p (x) = 0 and q (x) = 0 dx q(x) Proof Using the quotient rule ( ) d p(x) = q(x)p (x) p(x)q (x) dx q(x) q(x) 2 19

25 So if r 1(x) = 0 then q(x)p (x) p(x)q (x) = 0. Suppose for a contradiction that p (x) 0. We can then write q(x) = p(x)q (x) p(x) Let x 0 be a root of q(x), then by assumption p(x 0 ) 0. We can then consider the following two cases. (i) If x 0 is not a root of q(x), then q (x 0 ) 0. Now setting x = x 0 gives q(x 0 ) = p(x 0)q (x 0 ) p (x 0 ) 0 = p(x 0 )q (x 0 ) But p(x 0 ) 0 and q (x 0 ) 0 so we have a contradiction. (ii) If x 0 is a root of q (x 0 ) then q(x) = (x x 0 ) n Q(x) q (x) = (x x 0 ) m R(x) where Q(x 0 ) 0, R(x 0 ) 0 and m < n. Then substituting gives (x x 0 ) n Q(x) = p(x)(x x 0) m R(x) p (x) (x x 0 ) r Q(x) = p(x)r(x) p (x) where r > 0. Now let x = x 0 0 = p(x 0 )R(x 0 ) But p(x 0 ) 0 and R(x 0 ) 0 so we have a contradiction. So we must assume that p (x) = 0. The proof that q (x) = 0 is similar with the roles of p and q reversed. 20

26 Example 3.2. Consider again α(p ) = 2P which had ( ) 3x A R 1 (x, y) = 2x 2y Subbing in for y 2 and simplifying yields r 1 = x4 2Ax 2 8Bx + A 2 4(x 3 + Ax + B) Therefore deg(α) = 4. Note that q (x) = 4(3x 2 + A) which is not zero. This is true even in characteristic 3 when we set A = 0 because a curve x 3 + B will have multiple roots in characteristic 3 (27B 2 0), which is contrary to assumption. Therefore α is a separable endomorphism. Example 3.3. We now repeat the previous example in characteristic 2, using the formula from Appendix A.3 for doubling a point. If y 2 + xy = x 3 + a 2 x 2 + a 6 we have α(x, y) = (r 1 (x), R 2 (x, y)) with r 1 (x) = (x 4 + a 6 )/x 2. Therefore deg(α) = 4. Since p (x) = 4x 3 0 and q (x) = 2x 0 the endomorphism α is not separable. Similarly in the case y 2 +a 3 y = x 3 +a 4 x+a 6, we have r 1 (x) = (x 4 +a 2 4)/a 2 3. Therefore deg(α) = 4 but α is not separable. In general, when in characteristic p, the map α(q) = pq has degree p 2 and is not separable. Suppose E is defined over the finite field F q. Then we define the Frobenius Map as φ q (x, y) = (x q, y q ) Lemma 3.4. Let E be defined over F q. Then φ q is an endomorphism of E with degree q, and φ q is not separable. Proof The main task of this proof is to show that φ q : E(F q ) E(F q ) is a homomorphism. So we need to show that if (x 1, y 1 ) + (x 2, y 2 ) = (x 3, y 3 ) then φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = φ q (x 3, y 3 ) for all the possible combinations of (x 1, y 1 ) and (x 2, y 2 ) E(F q ). Throughout the proof we can use Proposition B.14 because E is defined over F q. This stated that φ q (x + y) = φ q (x) + φ q (y) φ q (xy) = φ q (x)φ q (y) 21

27 (i) If x 1 x 2 then (x 3, y 3 ) is given by x 3 = m 2 x 1 x 2, y 3 = m(x 1 x 2 ) y 1, m = y 2 y 1 x 2 x 1 Now consider the sum of φ q (x 1, y 1 ) and φ q (x 2, y 2 ) given by (X, Y ) where X = = Y = = ( y q 2 y q 1 x q 2 x q 1 x 2 x 1 ) 2 ( x q 1 x q (y2 y 1 ) q 2 = (x 2 x 1 ) q ( ( ) ) 2 q y2 y 1 x 1 x 2 = x q 3 x 2 x 1 ( y q 2 y q ) ( 1 x q 2 x q (x q 1 x q 3) y q y2 y 1 1 = 1 x 2 x 1 (( ) ) q y2 y 1 (x 1 x 3 ) y 1 = y q 3 ) 2 x q 1 x q 2 ) q (x 1 x 3 ) q y q 1 So φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = (x q 3, y q 3) = φ q (x 3, y 3 ) as required. (ii) If (x 1, y 1 ) = (x 2, y 2 ) and y 1 0 then (x 3, y 3 ) is given by x 3 = m 2 2x 1, y 3 = m(x 1 x 3 ) y 1, m = 3x2 1 + A 2y 1 We now show that the sum of φ q (x 1, y 1 ) and φ q (x 2, y 2 ) given by (X, Y ) is φ q (x 3, y 3 ) as before. We use 2 q = 2, 3 q = 3, A q = A, since 2,3,A F q. X = = Y = = ( 3x 2q ) 2 ( 1 + A 3 2x q q x 2q 1 = 2y q A q 2 q y q 1 ( (3x A ) 2 2x q 1 ( ) (3x A) q 2 2x q (2y 1 ) q 1 = 2y 1 ( 3x 2q ) ( 1 + A 3x 2y q (x q 1 x q 3) y q 2 1 = 1 + A 1 2y 1 (( 3x A 2y 1 ) (x 1 x 3 ) y 1 ) q = y q 3 ) 2 2x 1 ) q = x q 3 ) q (x 1 x 3 ) q y q 1 So φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = (x q 3, y q 3) = φ q (x 3, y 3 ) as required. 22

28 (iii) If x 1 = x 2 but y 1 y 2 (so y 2 = y 1 ) then (x 3, y 3 ) =. So φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = φ q (x 1, y 1 ) + φ q (x 1, y 1 ) = (x q 1, y q 1) + (x q 1, y q 1) The final equality uses the fact that q is a power of a prime and so odd, meaning ( y) q = y q. Now, by definition the sum of a point on an elliptic curve and its reflection in the x-axis is the point so Finally we note that φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = φ q ( ) = φ q ((X, Y )+(X, Y )) = φ q (X, Y )+φ q (X, Y ) = (X q, Y q )+(X q, Y q ) = So φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = = φ q (x 3, y 3 ) as required. (iv) If (x 1, y 1 ) = (x 2, y 2 ) and y 1 = 0, then (x 3, y 3 ) = by definition. Then φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = (x q 1, 0) + (x q 1, 0) = We showed in the case above that φ q ( ) = so as required. φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = = φ q ( ) = φ q (x 3, y 3 ) (v) If one of the points, say (x 2, y 2 ) = then (x 3, y 3 ) = (x 1, y 1 ). So φ q (x 1, y 1 ) + φ q (x 2, y 2 ) = φ q (x 1, y 1 ) + = φ q (x 1, y 1 ) = φ q (x 3, y 3 ) as required So we have shown that φ q is a homomorphism. Since φ q (x, y) = (x q, y q ), the map is given by rational functions, making φ q an endomorphism. We can clearly see that the degree is q, and since q 0 in F q, the derivative of r 1 (x) = x q is identically zero, meaning φ q is not separable. The following is the key result of this section which allows us to relate the degree of an endomorphism to the size of its kernel. If a homomorphism maps from G to H then the kernel is the set of elements mapped to, e H, the identity of H. Since a group homomorphism preserves identity elements, the identity element, e G, of G must belong to the kernel. If this is the only element of the kernel then the homomorphism is injective. 23

29 Theorem 3.5. Let α 0 be a separable endomorphism of an elliptic curve, E. Then deg(α) = #Ker(α) where Ker(α) is the kernel of the homomorphism α : E(K) E(K) If α is not separable then deg(α) > #Ker(α) Proof Write α(x, y) = (r 1 (x), yr 2 (x)) with r 1 (x) = p(x)/q(x), as above. Assume first that α is a separable endomorphism so r 1 0. r 1 = [p(x)q(x) 1 ] = p (x)q(x) 1 p(x)q(x) 2 q (x) 0 So we can multiply by q(x) 2 to see that p q pq is not the zero polynomial. Let S be the set of x K such that (pq p q)(x)q(x) = 0. Since both pq p q and q(x) are not the zero polynomial we know that S is a set of zeros to a non zero polynomial and hence finite. Its image under r 1 (x) will hence be finite as well. Let (a, b) E(K) be such that (i) a 0, b 0, (a, b). (ii) deg(p(x) aq(x)) = Max{deg(p), deg(q)} = deg(α) (iii) a r 1 (S). (iv) (a, b) α(e(k)) We must prove that such an (a, b) exists. Consider each of the conditions in turn: (i) There are infinitely many (a, b) E(K) since K is algebraically closed. So clearly we can exclude those when a = 0, b = 0 and (a, b) =. (ii) Let p(x) = cx n + lower order terms and q(x) = dx m + lower order terms. If the deg(p) > deg(q) then n > m so p aq will clearly have deg(n) as required. Similarly if deg(p) < deg(q) then the condition will always hold. So consider what happens when n = m. The condition will only fail if c ad = 0. But if this were the case then multiply a by an integer greater than one, to find a point for which the condition holds. 24

30 (iii) We can always find a point that satisfies this condition as r 1 (S) is finite, but we have an infinite number of points. (iv) There are infinitely many points in E(K). If the set {r 1 (x) x E(K)} was finite then for at least some k K there are infinitely many k so k = r 1 (x). This would mean that r 1 (x) k = 0 for infinitely many k. This implies that r 1 (x) is a constant, which would make its derivative zero and give us a contradiction. Hence r 1 (x) is infinite, making α(e(k)) an infinite set. So we can always find (a, b) α(e(k)). So such a point (a, b) exists. We want to prove that there are exactly deg(α) points (x 1, y 1 ) E(K) such that α(x 1, y 1 ) = (a, b). For such a point we have p(x 1 ) q(x 1 ) = a, y 1r 2 (x 1 ) = b Since (a, b) we must have q(x 1 ) 0, so by Lemma 3.2 r 2 (x 1 ) is defined. Since b 0 and y 1 r 2 (x 1 ) = b we know that r 2 (x 1 ) 0 so we can set y 1 = b/r 2 (x 1 ). Therefore x 1 determines y 1 so we need only count how many values of x 1 satisfy p(x 1 ) = aq(x 1 ) p(x 1 ) aq(x 1 ) = 0 By assumption (ii) p(x) aq(x) = 0 has deg(α) roots, counting multiplicities, so if all the roots are distinct we are done. We must show that p aq has no multiple roots. Suppose that x 0 is a multiple root of p aq. Then we know that both the curve and its derivative are zero here: p(x 0 ) aq(x 0 ) = 0 = p(x 0 ) = aq(x 0 ) p (x 0 ) aq (x 0 ) = 0 = aq (x 0 ) = p (x 0 ) Multiplying the two equations yields Since a 0 ap(x 0 )q (x 0 ) = ap (x 0 )q(x 0 ) p(x 0 )q (x 0 ) p (x 0 )q(x 0 ) = 0 which implies that x 0 is a root of pq p q so x 0 S. Therefore a = r 1 (x 0 ) S which is contrary to assumption. Therefore p aq has deg(α) distinct roots and hence there are deg(α) points (x 1, y 1 ) E(K) such that α(x 1, y 1 ) = (a, b). 25

31 Since α is a homomorphism and this holds for the point (a, b), it will hold for all (a, b) α(e(k)), including the identity meaning the kernel of α has deg(α) elements. If α is not separable then the above steps hold, but p aq is always the zero polynomial so p(x) aq(x) = 0 always has multiple roots and so fewer than deg(α) solutions. Theorem 3.6. Let E be an elliptic curve defined over a field K. Let α 0 be an endomorphism of E. Then α : E(K) E(K) is surjective. Proof Let (a, b) E(K). We want to prove that there is a point (x, y) E(K) that α maps to it. Since α( ) =, we may assume that (a, b). Let r 1 (x) = p(x)/q(x) as above. We consider the two cases: (i) If p(x) aq(x) is not a constant then it has a root, at x 0 say. Since p and q have no common roots we know q(x 0 ) 0 (if it were, then it would imply p(x 0 ) = 0 which is contrary to assumptions.) So p(x 0 ) aq(x 0 ) = 0 = a = p(x 0) q(x 0 ) Choose y 0 K to be either square root of x 3 0 +Ax 0 +B. Then α(x 0, y 0 ) is defined and equals (a, b ) for some b. Since (b ) 2 = a 3 + Aa + B = b 2 we have b = ±b. If b = b then we have found our point (x, y) that maps to (a, b) and we are done. If b = b then α(x 0, y 0 ) = (a, b ) = (a, b). (ii) Now consider the case when p aq is constant. Since E(K) is infinite and the kernel of α is finite, only finitely many points of E(K) can map to a point with a given x coordinate. So either p(x) or q(x) is not constant. If p and q are two non constant polynomials then there is at most one value of a so p aq is constant. Therefore there are at most two points (a, b) and (a, b) that are not mapped to by α. Let (a 1, b 1 ) = α(p 1 ) be any other point. We can choose it such that (a 1, b 1 ) + (a, b) (a, ±b). So there exists P 2 with α(p 2 ) = (a 1, b 1 )+(a, b). Then α(p 2 P 1 ) = (a, b) and α(p 1 P 2 ) = (a, b). So every point (a, b) is mapped to by α. 26

32 We have shown that if α 0 is an endomorphism of E then every point (a, b) E(K) is mapped to by a point (x, y) E(K). Therefore α is surjective. We next want to derive a criterion for separability (Proposition 3.10). If (x, y) is a point on y 2 = x 3 + Ax + B, then we can differentiate to get 2yy = 3x 2 + A Similarly we can differentiate a rational function to get d dx f(x, y) = f x(x, y) + f y (x, y)y where f x and f y are the partial derivatives. Lemma 3.7. Let E be the elliptic curve y 2 = x 3 +Ax+B. Fix a point (u, v) on E. For any point (x, y) so x u (u, v) + (x, y) = (f(x, y), g(x, y)) where f(x, y) and g(x, y) are rational functions whose coefficients depend on (u, v). Then d f(x, y) dx = 1 g(x, y) y Proof From the addition formulas we have ( ) 2 y v f(x, y) = u x x u ( ) ( ( ) ) y v y v g(x, y) = u + u + x v x u x u ( ) ( ) y v 2u(x u) 2 (y v) 2 + x(x u) 2 = v x u (x u) 2 = (y v)3 + x(y v)(x u) 2 + 2u(y v)(x u) 2 v(x u) 3 (x u) 3 Then using the quotient rule we can calculate d dx f(x, y) = 2(x u)2 (y v)y 2(y v) 2 (x u)(1) (x u) 4 1 = 2y (y v)(x u) 2(y v) 2 (x u) 3 (x u) 3 27

33 Because 2yy = 3x 2 + A we can substitute for y to give 3x2+A d 2( )(y v)(x u) 2(y v) 2 (x u) 3 2y f(x, y) = dx (x u) 3 = (3x2 + A)(y v)(x u) 2y(y v) 2 y(x u) 3 y(x u) 3 y d dx f(x, y) g(x, y) = (3x2 + A)(y v)(x u) 2y(y v) 2 y(x u) 3 (x u) 3 Then + (y v)3 x(y v)(x u) 2 2u(y v)(x u) 2 + v(x u) 3 (x u) 3 (x u) 3 y d dx f(x, y) g(x, y) = (3x2 + A)(y v)(x u) 2y(y v) 2 y(x u) 3 +(y v) 3 x(y v)(x u) 2 2u(y v)(x u) 2 + v(x u) 3 = Avx + vu 3 yu 3 + yv 2 + y 2 v Ayu + Avu y 3 v 3 + x 3 y x 3 v + Ayx = v[au + u 3 v 2 Ax x 3 + y 2 ] + y[ Au u 3 + v 2 + Ax + x 3 y 2 ] Because (u, v) and (x, y) lie on E we can use v 2 = u 3 + Au + B and y 2 = x 3 + Ax + B to reduce the above expression (x u) 3 y d dx f(x, y) g(x, y) = v[au + u3 (u 3 + Au + B) Ax x 3 + (x 3 + Ax + B)] +y[ Au u 3 + (u 3 + Au + B) + Ax + x 3 (x 3 + Ax + B)] Then because x u this implies = v[ B + B] + y[+b B] = 0 y d f(x, y) = g(x, y) dx which can be rearranged to give the desired result 28

34 Lemma 3.8. Let α 1, α 2, α 3 be non-zero endomorphisms of an elliptic curve E with α 1 + α 2 = α 3. Write α j (x, y) = (R αj (x), ys αj (x)). Suppose there are constants c α1, c α2 such that R α 1 (x) S α1 (x) = c α 1 and R α 2 (x) S α2 (x) = c α 2. Then R α 3 (x) S α3 (x) = c α 1 + c α2 Proof Let (x 1, y 1 ) and (x 2, y 2 ) be variable points on E, so x 1 x 2. Write where (x 3, y 3 ) = (x 1, y 1 ) + (x 2, y 2 ) (x 1, y 1 ) = α 1 (x, y), (x 2, y 2 ) = α 2 (x, y) Then x 3 and y 3 are rational functions of x 1, y 1, x 2, y 2 which in turn are rational functions of x, y. By Lemma 3.7 with (x, y) = (x 1, y 1 ) and (u, v) = (x 2, y 2 ) x 3 x 1 = y 3 y 1 Similarly with (x, y) = (x 2, y 2 ) and (u, v) = (x 1, y 1 ) x 3 = y 3 x 2 y 2 By assumption x j x = c y j α j y for j = 1, 2. So by the chain rule dx 3 dx = x 3 x 1 x 1 x + x 3 x 2 x 2 x = y 3 y 1 c α1 y 1 y + y 3 y 2 c α2 y 2 y = (c α 1 + c α2 ) y 3 y Then dividing by y 3 /y gives the result Proposition 3.9. Let E be an elliptic curve defined over a field K, and let n be a nonzero integer. Suppose that multiplication by n on E is given by n(x, y) = (R n (x), ys n (x)) for all (x, y) E(K), where R n and S n are rational functions. Then R n(x) S n (x) = n This then implies that multiplication by n is separable if and only if n is not a multiple of the characteristic p of the field. 29

35 Proof We showed earlier that R n = R n and S n = S n and so we have R n/s n = R n/s n. Therefore the result for positive n will imply the result for negative n. We will prove that R n(x)/s n (x) = n for all positive n using proof by mathematical induction (PMI). We can see this is trivially true for n = 0 and n = 1. Suppose that it is true for n, then Lemma 3.8 will imply that it is true for the sum, n + 1. Therefore R n(x) S n (x) = n n 1 by PMI. This coupled with the fact that if it holds for positive n, then it holds for negative n implies the result for all integers n. Now for multiplication by n to be separable we need R n(x) 0. This will be the case if and only if n = R n(x)/s n (x) 0, which is equivalent to p not dividing n. So this proves the second part of the proposition, multiplication by n is separable if and only if n p. Proposition Let E be an elliptic curve defined over F q, where q is the power of the prime p. Let r and s be integers, not both 0. The endomorphism rφ q + s is separable if and only if p s. (φ q the Frobenius map) Proof Let the endomorphism that describes multiplication by r be r(x, y) = (R r (x), ys r (x)) Then the endomorphism for multiplication by rφ q is Therefore (R rφq (x), ys rφq (x)) = (rφ q )(x, y) = (R q r(x), y q S q r(x)) c rφq = (R q r(x), y(x 3 + Ax + B) (q 1)/2 S q r(x)) = R rφ q S rφq = qrq 1 r R r = 0 S rφq Also c s = R s/s s = s by Proposition 3.9. So by Lemma 3.8 Therefore R rφ q+s only if p s. R rφ q+s S rφq+s = c rφq+s = c rφq + c s = 0 + s = s 0, (and hence the endomorphism is separable), if and 30

36 3.2 Torsion points The torsion points are those points in E whose orders are finite. Let E be an elliptic curve defined over a field K, with algebraic closure K and let n be a positive integer. For a given n we define the subgroup E[n] = {P E(K) np = } This group acts as the kernel of the multiplication by n endomorphism, which maps x nx. We will start by looking at the form of E[2] and E[3] before moving on to the general case. When the characteristic is not two E can be expressed in the form y 2 = x 3 + a 2x 2 + a 4x + a 6 = (x e 1 )(x e 2 )(x e 3 ) with e 1, e 2, e 3 K. It is easy to calculate E[2], as a point satisfies 2P = if and only if the tangent line at P is verticle. When we have a curve in characteristic not 2 this only happens when y = 0 so E[2] = {, (e 1, 0), (e 2, 0), (e 3, 0)} Because E[n] is a finite abelian group we can apply Theorem B.6 here. When the characteristic is not 2, E[2] is a group of order 4 and so isomorphic to either Z 4 or Z 2 Z 2. We know the group is not cyclic as all points have order 2, so we conclude that in this case E[2] Z 2 Z 2 If the characteristic is 2 then, from Appendix A.3 E has one of the following forms (I) y 2 + xy + x 3 + a 2 x 2 + a 6 = 0 (II) y 2 + a 3 y + x 3 + a 4 x + a 6 = 0 In the first case a 6 0 and in the second case a 3 0, otherwise the curves would be singular. If P = (x, y) is a point of order 2 then once again the tangent at P must be verticle. This time, however, the curve is not symmetric about the x-axis so we look for the points when the partial derivative with respect to y vanishes: 31

37 (I) f y = 2y + x x (mod 2) (II) f y = 2y + a 3 a 3 (mod 2) So in the first case we need x = 0 meaning 0 = y 2 + a 6 = (y + a 6 ) 2. Therefore (0, a 6 ) is the only point of order 2 and E[2] = {, (0, a 6 )} Z 2 In the second case the partial derivative with respect to y is a 3 0. Therefore there is no point of order 2 so E[2] = { } Z 1 We denote the set of only one element by 0. summarises these results. The following proposition Proposition Let E be an elliptic curve over a field K. If the characteristic of K is not 2 then E[2] Z 2 Z 2 If the characteristic of K is 2 then E[2] 0 or Z 2 Now consider E[3]. Assume first that the characteristic is neither 2 nor 3, in which case E is given by y 2 = x 3 + Ax + B. A point P satisfies 3P = if and only if 2P = P. This means that the x-coordinate of 2P equals the x-coordinate of P while the y-coordinate will differ in sign. (If the y-coordinates were equal then 2P = P implying P =.) So using the addition equations m 2 2x = x, m = 3x2 + A 2y Hence (3x 2 + A) 2 4y 2 = 3x (3x 2 + A) 2 = 12x(x 3 + Ax + B) 3x 4 + 6Ax Bx A 2 = 0 32

38 The discriminant of this polynomial is 6912(4A B 2 ) 2 which is clearly non-zero since we assumed the roots of the Weierstrass equation were distinct. So this polynomial has no multiple roots, meaning there are 4 distinct values of x K each yielding 2 values of y, summing to 8 points of order 3. Since is also in E[3] we see that E[3] is a group of order 9, so from Theorem B.6 we know that it is isomorphic to either Z 9 or Z 3 Z 3. But, every element is 3-torsion, so no point has order 9, meaning the group is not cyclic. Therefore E[3] Z 3 Z 3 Next assume we are in characteristic 3 meaning we have an equation of the form y 2 = x 3 + a 2 x 2 + a 4 x + a 6. We can compute the x-coordinate of 2P in the usual method. We first use implicit differentiation to calculate the gradient of the tangent, m = (2a 2 x + a 4 ) 2 /4y 2 and then we substitute in E and note that the x 2 coefficient has an extra term this time. So setting the x-coordinate of 2P to that of P gives ( 2a2 x + a 4 ) 2 a 2 2y = 3x 0 (4a 2 2x 2 + a a 2 a 4 x) 4a 2 y 2 = 0 a 2 2x 2 + a a 2 a 4 x a 2 (x 3 + a 2 x 2 + a 4 x + a 6 ) = 0 a 2 x 3 + a 2 a 6 a 2 4 = 0 Recall that 3 0, 4 1 in characteristic 3. Note that we cannot have a 2 = a 4 = 0 as then y 2 = (x+a 1/2 6 ) 3 has multiple roots. If a 2 = 0 then we get a 2 4 = 0 which cannot happen, so E[3] = { } Z 1 in this case. If a 2 0 then the equation becomes a 2 (x 3 + a) = 0 for some constant a. This has a single triple root so there is one value of x and 2 corresponding values of y meaning two points of order 3. Since is also a point we see that E[3] has order 3 so E[3] Z 3. Finally assumes that we are in characteristic 2. We can use the addition formulas from Appendix A.3 to show that E[3] Z 3 Z 3. As before we have two possibilities: (I) If y 2 + xy = x 3 + a 2 x 2 + a 6 then calculating 2P and setting the x- coordinate equal to the x-coordinate of P gives x = x4 + a 6 x 2 0 = x 4 x 3 + a 6 33