ELLIPTIC CURVES OVER FINITE FIELDS

Transcription

1 Further ELLIPTIC CURVES OVER FINITE FIELDS FRANCESCO PAPPALARDI #4 - THE GROUP STRUCTURE SEPTEMBER 7 TH 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University of Science, Ho Chi Minh, Vietnam August 31 - September 08, 2015

2 Definition (Elliptic curve) An elliptic curve over a field K is the data of a non singular Weierstraß equation E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, a i K If p = char K > 3, E := ( a 5 1 a 3a 4 8a 3 1 a 2a 3 a 4 16a 1 a 2 2 a 3a a 2 1 a2 3 a 4 a 4 1 a2 4 8a2 1 a 2a a2 2 a a 1a 3 a a3 4 + Further a 6 1 a a 4 1 a 2a a 2 1 a2 2 a a 3 2 a 6 36a 3 1 a 3a 6 144a 1 a 2 a 3 a 6 72a 2 1 a 4a 6 288a 2 a 4 a a 2 6 )

3 Elliptic curves over K After applying a suitable affine transformation we can always assume that E/K has a Weierstraß equation of the following form Example (Classification (p = char K )) E p E y 2 = x 3 + Ax + B 5 4A B 2 y 2 + xy = x 3 + a 2 x 2 + a 6 2 a 2 6 y 2 + a 3 y = x 3 + a 4 x + a 6 2 a 4 3 Further y 2 = x 3 + Ax 2 + Bx + C 3 4A 3 C A 2 B 2 18ABC +4B C 2 Let E/F q elliptic curve, an extra point. Set E(F q ) = {(x, y) F 2 q : y 2 = x 3 + Ax + B} { }

4 If P, Q E(F q ), r P,Q : { line through P and Q if P Q tangent line to E at P if P = Q, r P, : vertical line through P Further 3 3 R P 1 Q P 1 P P+ Q r P, E(F q ) = {P,, P } P := P r P,Q E(F q ) = {P, Q, R} P + E Q := R

5 Theorem The addition law on E/K (K field) has the following properties: (a) P + E Q E (b) P + E = + E P = P (c) P + E ( P) = (d) P + E (Q + E R) = (P + E Q) + E R (e) P + E Q = Q + E P So (E( K ), + E ) is an abelian group. Remark: If E/K L, K L K, E(L) is an abelian group. P, Q E P E P E P, Q, R E P, Q E Further P = (x 1, y 1 ) = (x 1, a 1 x 1 a 3 y 1 )

6 Formulas for Addition on E (Summary) P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ) E(K ) \ { }, Addition Laws for the sum of affine points If P 1 P 2 E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 x = x P 1 + E P 2 = 1 2 x 1 x 2 λ = y 2 y 1 x 2 x 1 1x ν = 2 y 2x 1 x 2 x 1 If P 1 = P 2 Further 2y + a x + a = 0 P 1 + E P 2 = 2P 1 = y 1 + a 1 x + a 3 0 Then λ = 3x a 2x 1+a 4 a 1y 1 2y 1+a 1x+a 3, ν = a 3y 1+x 3 1 a 4x 1 2a 6 2y 1+a 1x 1+a 3 P 1 + E P 2 = (λ 2 a 1 λ a 2 x 1 x 2, λ 3 a 2 1 λ + (λ + a 1)(a 2 + x 1 + x 2 ) a 3 ν)

7 Formulas for Addition on E (Summary for special equation) P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ) E(K ) \ { }, Addition Laws for the sum of affine points If P 1 P 2 E : y 2 = x 3 + Ax + B x = x P 1 + E P 2 = 1 2 x 1 x 2 λ = y 2 y 1 x 2 x 1 1x ν = 2 y 2x 1 x 2 x 1 If P 1 = P 2 Further Then y 1 = 0 y 1 0 λ = 3x 2 +A 1, ν = x 3 Ax 1 1 2B 2y 1 2y 1 P 1 + E P 2 = (λ 2 x 1 x 2, λ 3 + λ(x 1 + x 2 ) ν) P 1 + E P 2 = 2P 1 =

8 Group Structure Theorem (Classification of finite abelian groups) If G is abelian and finite, n 1,..., n k N >1 such that 1 n 1 n 2 n k 2 G = Cn1 C nk Furthermore n 1,..., n k (Group Structure) are unique Further Example (One can verify that:) C 2400 C 72 C 1440 = C288 C 1800 C 480 Shall show that E(F q ) = Cn C nk n, k N >0 (i.e. E(F q ) is either cyclic (n = 1) or the product of 2 cyclic groups)

9 Proof of the associativity P + E (Q + E R) = (P + E Q) + E R P, Q, R E We should verify the above in many different cases according if Q = R, P = Q, P = Q + E R,... Here we deal with the generic case. i.e. All the points ±P, ±R, ±Q, ±(Q + E R), ±(P + E Q), all different Mathematica code L[x_,y_,r_,s_]:=(s-y)/(r-x); M[x_,y_,r_,s_]:=(yr-sx)/(r-x); A[{x_,y_},{r_,s_}]:={(L[x,y,r,s]) 2 -(x+r), -(L[x,y,r,s]) 3 +L[x,y,r,s](x+r)-M[x,y,r,s]} Together[A[A[{x,y},{u,v}],{h,k}]-A[{x,y},A[{u,v},{h,k}]]] det = Det[({{1,x 1,x 3 1 -y2 1 },{1,x 2,x 3 2 -y2 2 },{1,x 3,x 3 3 -y2 3 }})] PolynomialQ[Together[Numerator[Factor[res[[1]]]]/det], {x 1,x 2,x 3,y 1,y 2,y 3 }] PolynomialQ[Together[Numerator[Factor[res[[2]]]]/det], {x 1,x 2,x 3,y 1,y 2,y 3 }] Further runs in 2 seconds on a PC For an elementary proof: An Elementary Proof of the Group Law for Elliptic Curves. Department of Mathematics: Rice University. Web. 20 Nov friedl/papers/aaelliptic.pdf More cases to check. e.g P + E 2Q = (P + E Q) + E Q

10 EXAMPLE: Elliptic curves over F 2 From our previous list: Groups of points E E(F 2 ) E(F 2 ) y 2 + xy = x 3 + x {, (0, 1)} 2 y 2 + xy = x {, (0, 1), (1, 0), (1, 1)} 4 y 2 + y = x 3 + x {, (0, 0), (0, 1), (1, 0), (1, 1)} 5 y 2 + y = x 3 + x + 1 { } 1 Further y 2 + y = x 3 {, (0, 0), (0, 1)} 3 So for each curve E(F 2 ) is cyclic except possibly for the second for which we need to distinguish between C 4 and C 2 C 2. Note: each C i, i = 1,..., 5 is represented by a curve /F 2

11 EXAMPLE: Elliptic curves over F 3 From our previous list: Groups of points i E i E i (F 3 ) E i (F 3 ) 1 y 2 = x 3 + x {, (0, 0), (2, 1), (2, 2)} C 4 2 y 2 = x 3 x {, (1, 0), (2, 0), (0, 0)} C 2 C 2 3 y 2 = x 3 x + 1 {, (0, 1), (0, 2), (1, 1), (1, 2), (2, 1), (2, 2)} C 7 4 y 2 = x 3 x 1 { } {1} 5 y 2 = x 3 + x 2 1 {, (1, 1), (1, 2)} C 3 6 y 2 = x 3 + x {, (0, 1), (0, 2), (1, 0), (2, 1), (2, 2)} C 6 7 y 2 = x 3 x {, (0, 1), (0, 2), (1, 1), (1, 2), } C 5 8 y 2 = x 3 x 2 1 {, (2, 0))} C 2 Further Note: each C i, i = 1,..., 7 is represented by a curve /F 3 ( Exercise: let a ) q be the kronecker symbol. Show that the number of non isomorphic (i.e. inequivalent) classes of elliptic curves over F q is ( ) 4 ( ) 3 2q q + 2 q

12 EXAMPLE: Elliptic curves over F 5 and F 4 E/F 5 (12 elliptic curves), #E(F 5 ) {2, 3, 4, 5, 6, 7, 8, 9, 10}. n, 2 n 10!E/F 5 : #E(F 5 ) = n with the exceptions: Example (Elliptic curves over F 5 ) E 1 : y 2 = x and E 2 : y 2 = x both order 6 { x 2x y E 1 and E 2 affinely equivalent over 3y F 5 [ 3] = F 25 (twists) E 3 : y 2 = x 3 + x and E 4 : y 2 = x 3 + x + 2 order 4 Further E 3 (F 5 ) = C2 C 2 E 4 (F 5 ) = C4 E 5 : y 2 = x 3 + 4x and E 6 : y 2 = x 3 + 4x + 1 both order 8 E 5 (F 5 ) = C2 C 4 E 6 (F 5 ) = C8 E 7 : y 2 = x 3 + x + 1 order 9 and E 7 (F 5 ) = C9 Exercise: Classify all elliptic curves over F 4 = F 2 [ξ], ξ 2 = ξ + 1

13 The j-invariant Let E/K : y 2 = x 3 + Ax + B, p 5 and E := 4A B 2. { x u 2 x y u 3 u K E E u : y 2 = x 3 + u 4 Ax + u 6 B y Definition The j invariant of E is j = j(e) = A 3 4A 3 +27B 2 Properties of j invariants 1 j(e) = j(e u ), u K Further 2 j(e /K ) = j(e /K ) u K s.t. E = E u 3 j 0, 1728 E : y 2 = x 3 + 3j 1728 j x + 2j 1728 j, j(e) = j 4 j = 0 E : y 2 = x 3 + B, j = 1728 E : y 2 = x 3 + Ax 5 j : K { K affinely equivalent classes of E/K }. 6 p = 2, 3 different definition if K = F q can take u F q 12

14 of j invariants From Friday E 1 : y 2 = x and E 2 : y 2 = x #E 1 (F 5 ) = #E 2 (F 5 ) = 6 and j(e 1 ) = j(e 2 ) = 0 { x 2x y 3y Definition (twisted curve) Let E/F q : y 2 = x 3 + Ax + B, µ F q \ (F q )2. E µ : y 2 = x 3 + µ 2 Ax + µ 3 B E 1 and E 2 affinely equivalent over F 5 [ 3] = F 25 (twists) Further is called twisted curve. Exercise: prove that j(e) = j(e µ ) E and E µ are F q [ µ] affinely equivalent #E(F q 2 ) = #E µ (F q 2 ) usually #E(F q ) #E µ (F q )

15 Determining points of order 2 Let P = (x 1, y 1 ) E(F q ) \ { }, P has order 2 2P = P = P So P = (x 1, a 1 x 1 a 3 y 1 ) = (x 1, y 1 ) = P = 2y 1 = a 1 x 1 a 3 If p 2, can assume E : y 2 = x 3 + Ax 2 + Bx + C P = (x 1, y 1 ) = (x 1, y 1 ) = P = y 1 = 0, x Ax Bx 1 + C = 0 Further Note the number of points of order 2 in E(F q ) equals the number of roots of X 3 + Ax 2 + Bx + C in F q roots are distinct since discriminant E 0 E(F q 6 ) has always 3 points of order 2 if E/F q E[2] := {P E( F q ) : 2P = } = C2 C 2

16 Determining points of order 2 (continues) If p = 2 and E : y 2 + a 3 y = x 3 + a 2 x 2 + a 6 P = (x 1, a 3 + y 1 ) = (x 1, y 1 ) = P = a 3 = 0 Absurd (a 3 = 0) and there are no points of order 2. If p = 2 and E : y 2 + xy = x 3 + a 4 x + a 6 P = (x 1, x 1 + y 1 ) = (x 1, y 1 ) = P = x 1 = 0, y 2 1 = a 6 So there is exactly one point of order 2 namely (0, a 6 ) Further Definition 2 torsion points E[2] = {P E : 2P = }. In conclusion E[2] = { C2 C 2 if p > 2 C 2 if p = 2, E : y 2 + xy = x 3 + a 4 x + a 6 { } if p = 2, E : y 2 + a 3 y = x 3 + a 2 x 2 + a 6

17 Elliptic curves over F 2, F 3 and F 5 Each curve /F 2 has cyclic E(F 2 ). E E(F 2 ) E(F 2 ) y 2 + xy = x 3 + x {, (0, 1)} 2 y 2 + xy = x {, (0, 1), (1, 0), (1, 1)} 4 y 2 + y = x 3 + x {, (0, 0), (0, 1), (1, 0), (1, 1)} 5 y 2 + y = x 3 + x + 1 { } 1 y 2 + y = x 3 {, (0, 0), (0, 1)} 3 E 1 : y 2 = x 3 + x E 2 : y 2 = x 3 x E 1 (F 3 ) = C4 and E 2 (F 3 ) = C2 C 2 Further E 3 : y 2 = x 3 + x E 4 : y 2 = x 3 + x + 2 E 3 (F 5 ) = C2 C 2 and E 4 (F 5 ) = C4 E 5 : y 2 = x 3 + 4x E 6 : y 2 = x 3 + 4x + 1 E 5 (F 5 ) = C2 C 4 and E 6 (F 5 ) = C8

18 Determining points of order 3 Let P = (x 1, y 1 ) E(F q ) P has order 3 3P = 2P = P Further So, if p > 3 and E : y 2 = x 2 + Ax + B 2P = (x 2P, y 2P ) = 2(x 1, y 1 ) = (λ 2 2x 1, λ 3 + 2λx 1 ν) P has order 3 x 2P = x 1 Substituting λ, x 2P x 1 = 3x 4 1 6Ax Bx 1+A 2 = 0 4(x 3 1 +Ax 1+4B) where λ = 3x 2 1 +A 2y 1, ν = x 3 1 Ax 1 2B 2y 1. Note ψ 3 (x) := 3x 4 + 6Ax Bx A 2 the 3 rd division polynomial (x 1, y 1 ) E(F q ) has order 3 ψ 3 (x 1 ) = 0 E(F q ) has at most 8 points of order 3 If p 3, E[3] := {P E : 3P = } = C3 C 3

19 Determining points of order 3 (continues) Exercise Let E : y 2 = x 3 + Ax 2 + Bx + C, A, B, C F 3 n. Prove that if P = (x 1, y 1 ) E(F 3 n ) has order 3, then 1 Ax AC B2 = 0 2 E[3] = C3 if A 0 and E[3] = { } otherwise Example (from Friday) If E : y 2 = x 3 + x + 1, then #E(F 5 ) = 9. ψ 3 (x) = (x + 3)(x + 4)(x 2 + 3x + 4) Further Hence { E[3] =, (2, ±1), (1, ± 3), (1 ± 2 3, ±(1 ± } 3)) 1 E(F 5 ) = {, (2, ±1), (0, ±1), (3, ±1), (4, ±2)} = C9 2 Since F 25 = F 5 [ 3] E[3] E(F 25 ) 3 #E(F 25 ) = 27 E(F 25 ) = C3 C 9

20 Determining points of order 3 (continues) Inequivalent curves /F 7 with #E(F 7 ) = 9. E ψ 3 (x) E[3] E(F 7 ) E(F 7 ) = y 2 = x x(x + 1)(x + 2)(x + 4) {, (0, ±3), ( 1, ±1), (5, ±1), (3, ±1)} C 3 C 3 y 2 = x 3 + 3x + 2 (x + 2)(x 3 + 5x 2 + 3x + 2) {, (5, ±3)} C 9 y 2 = x 3 + 5x + 2 (x + 4)(x 3 + 3x 2 + 5x + 2) {, (3, ±3)} C 9 y 2 = x 3 + 6x + 2 (x + 1)(x 3 + 6x 2 + 6x + 2) {, (6, ±3)} C 9 Can one count the number of inequivalent E/F q with #E(F q ) = r? Example (A curve over F 4 = F 2 (ξ), ξ 2 = ξ + 1; E : y 2 + y = x 3 ) We know E(F 2 ) = {, (0, 0), (0, 1)} E(F 4 ). E(F 4) = {, (0, 0), (0, 1), (1, ξ), (1, ξ + 1), (ξ, ξ), (ξ, ξ + 1), (ξ + 1, ξ), (ξ + 1, ξ + 1)} Further ψ 3 (x) = x 4 + x = x(x + 1)(x + ξ)(x + ξ + 1) E(F 4 ) = C3 C 3 Exercise (Suppose (x 0, y 0 ) E/F 2 n has order 3. Show that) 1 E : y 2 + a 3 y = x 3 + a 4 x + a 6 x a2 3 x 0 + (a 4 a 3 ) 2 = 0 2 E : y 2 + xy = x 3 + a 2 x 2 + a 6 x x a 6 = 0

21 Determining points of order (dividing) m Definition (m torsion point) Let E/K and let K an algebraic closure of K. E[m] = {P E( K ) : mp = } Further Theorem (Structure of Torsion Points) Let E/K and m N. If p = char(k ) m, E[m] = Cm C m If m = p r m, p m, E[m] = Cm C m or E[m] = Cm C m E/F p is called { ordinary supersingular if E[p] = Cp if E[p] = { }

22 Group Structure of E(F q ) Corollary Let E/F q. n, k N are such that Further E(F q ) = Cn C nk Proof. From classification Theorem of finite abelian group E(F q ) = Cn1 C n2 C nr with n i n i+1 for i 1. Hence E(F q ) contains n r 1 points of order dividing n 1. From Structure of Torsion Theorem, #E[n 1 ] n 2 1. So r 2 Theorem (Corollary of Weil Pairing) Let E/F q and n, k N s.t. E(F q ) = Cn C nk. Then n q 1. We shall discuss the proof of the latter tomorrow

23 Sketch of the proof of Structure Theorem of Torsion Points The division polynomials The proof generalizes previous ideas and determine the points P E(F q ) such that mp = or equivalently (m 1)P = P. Definition (Division Polynomials of E : y 2 = x 3 + Ax + B (p > 3)) ψ 0 =0 ψ 1 =1 ψ 2 =2y ψ 3 =3x 4 + 6Ax Bx A 2 ψ 4 =4y(x 6 + 5Ax Bx 3 5A 2 x 2 4ABx 8B 2 A 3 ). ψ 2m+1 =ψ m+2 ψ 3 m ψ m 1ψ 3 m+1 for m 2 ( ) ψm ψ 2m = (ψ m+2 ψ 2 m 1 2y ψ m 2ψ 2 m+1 ) for m 3 Further The polynomial ψ m Z[x, y] is called the m th division polynomial

24 The division polynomials Lemma Let E : y 2 = x 3 + Ax + B, (p > 3) and let ψ m Z[x, y] the m th division polynomial. Then Proof is an exercise. ψ 2m+1 Z[x] and ψ 2m 2yZ[x] True ψ 0, ψ 1, ψ 2, ψ 3, ψ 4 and for the rest apply induction, the identity y 2 = x 3 + Ax + B and consider the cases m odd and m even. Lemma ψ m = { y(mx (m2 4)/2 + ) mx (m2 1)/2 + if m is even if m is odd. Further Hence ψ 2 m = m2 x m2 1 + Proof is another exercise on induction:

25 Theorem (E : Y 2 = X 3 + AX + B elliptic curve, P = (x, y) E) where ( m(x, y) = x ψ m 1ψ m+1 ψ 2 m(x) ) ( ), ψ 2m(x, y) φm (x) = 2ψm(x) 4 ψm(x), ω m(x, y) 2 ψm(x, 3 y) φ m = xψ 2 m ψ m+1ψ m 1, ω m = ψ m+2ψ 2 m 1 ψ m 2ψ 2 m+1 4y We will omit the proof of the above (see [8, Section 9.5]) Exercise (Prove that after substituting y 2 = x 3 + Ax + B) Further 1 φ m (x) Z[x] 2 φ m (x) = x m2 + ψ m (x) 2 = m 2 x m ω 2m+1 yz[x], ω 2m Z[x] 4 ω m (x,y) yz(x) ψm 3 (x,y) 5 gcd(ψ 2 m (x), φ m(x)) = 1 this is not really an exercise!! - see [8, Corollary 3.7]

26 Lemma #E[m] = #{P E( K ) : mp = } { = m 2 if p m < m 2 if p m Further Proof. Consider the homomorphism: If p m, need to show that [m] : E( K ) E( K ), P mp # Ker[m] = #E[m] = m 2 We shall prove that P 0 = (a, b) [m](e( K )) \ { } s.t. #{P E( K ) : mp = P 0 } = m 2 Since E( K ) infinite, we can choose (a, b) [m](e( K )) s.t. 1 ab 0 2 x 0 K : (φ m ψ m 2φ m ψ m )(x 0)ψ m (x 0 ) = 0 a φ m(x 0 ) ψ m 2 (x 0) if p m, conditions imply that φ m (x) aψ 2 m (x) has m 2 = (φ m (x) aψ 2 m (x)) distinct roots in fact φ m (x) = m 2 and ψ 2 m (x) = m2 1

27 Proof continues. Write The map is a well defined bijection. mp = m(x, y) = ( φ m (x) ψ 2 m (x), ω m(x,y) ψ m (x) 3 ) = ( φ m (x) ψ 2 m (x), yr(x) ) {α K : φ m (α) aψ m (α) 2 = 0} {P E( K ) : mp = (a, b)} α 0 (α 0, br(α 0 ) 1 ) Hence there are m 2 points P E( K ) with mp = (a, b) Further So there are m 2 elements in Ker[m]. If p m, the proof is the same except that φ m (x) aψ m (x) 2 has multiple roots!! In fact φ m (x) aψ m (x)2 = 0

28 From Lemma, Theorem follows: If p m, apply classification Theorem of finite Groups: E[m] = Cn1 C n2 C nk, n i n i+1. Let l n 1, then E[l] E[m]. Hence l k = l 2 k = 2. So E[m] = Cn1 C n2 Finally n 2 m and n 1 n 2 = m 2 so m = n 1 = n 2. If p m, write m = p j m, p m and Further E[m] = E[m ] E[p j ] = Cm C m E[p j ] The statement follows from: which is done by induction. E[p j ] = { { } C p j and C m C p j = Cm p j

29 From Lemma, Theorem follows (continues) Induction base: E[p] = { { } C p if follows from #E[p] < p 2 If E[p] = { } E[p j ] = { } j 2: In fact if E[p j ] { } then it would contain some element of order p(contradiction). If E[p] = Cp, then E[p j ] = Cp j j 2: In fact E[p j ] is cyclic (otherwise E[p] would not be cyclic!) Fact: [p] : E( K ) E( K ) is surjective (to be proven tomorrow) If P E and ord P = p j 1 Q E s.t. pq = P and Q = p j. Hence E[p j ] = Cp j since it contains an element of order p j. Further Remark: E[2m + 1] \ { } = {(x, y) E( K ) : ψ 2m+1 (x) = 0} E[2m] \ E[2] = {(x, y) E( K ) : y 1 ψ 2m (x) = 0}

30 Theorem (Hasse) Let E be an elliptic curve over the finite field F q. Then the order of E(F q ) satisfies q + 1 #E(F q ) 2 q. So #E(F q ) [( q 1) 2, ( q + 1) 2 ] the Hasse interval I q Further Example (Hasse Intervals) q I q 2 {1, 2, 3, 4, 5} 3 {1, 2, 3, 4, 5, 6, 7} 4 {1, 2, 3, 4, 5, 6, 7, 8, 9} 5 {2, 3, 4, 5, 6, 7, 8, 9, 10} 7 {3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 8 {4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14} 9 {4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} 11 {6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18} 13 {7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21} 16 {9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25} 17 {10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26} 19 {12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28} 23 {15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33} 25 {16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36} 27 {18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38} 29 {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40} 31 {21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43} 32 {22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44}

31 Theorem (Waterhouse) Let q = p n and let N = q + 1 a. E/F q s.t.#e(f q ) = N a 2 q and one of the following is satisfied: (i) gcd(a, p) = 1; (ii) n even and one of the following is satisfied: 1 a = ±2 q; 2 p 1 (mod 3), and a = ± q; 3 p 1 (mod 4), and a = 0; (iii) n is odd, and one of the following is satisfied: 1 p = 2 or 3, and a = ±p (n+1)/2 ; 2 a = 0. Further Example (q prime N I q, E/F q, #E(F q ) = N. q not prime:) q a 4 = 2 2 { 4, 3, 2, 1, 0, 1, 2, 3, 4} 8 = 2 3 { 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5} 9 = 3 2 { 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6} 16 = 2 4 { 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8} 25 = 5 2 { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10} 27 = 3 3 { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10} 32 = 2 5 { 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}

32 Theorem (Rück) Suppose N is a possible order of an elliptic curve /F q, q = p n. Write N = p e n 1 n 2, p n 1 n 2 and n 1 n 2 (possibly n 1 = 1). There exists E/F q s.t. E(F q ) = Cn1 C n2 p e if and only if 1 n 1 = n 2 in the case (ii).1 of ; 2 n 1 q 1 in all other cases of. Example Further If q = p 2n and #E(F q ) = q + 1 ± 2 q = (p n ± 1) 2, then E(F q ) = Cp n ±1 C p n ±1. Let N = 100 and q = 101 E 1, E 2, E 3, E 4 /F 101 s.t. E 1 (F 101 ) = C10 C 10 E 2 (F 101 ) = C2 C 50 E 3 (F 101 ) = C5 C 20 E 4 (F 101 ) = C100

33 Further Reading... Further IAN F. BLAKE, GADIEL SEROUSSI, AND NIGEL P. SMART, Advances in elliptic curve cryptography, London Mathematical Society Lecture Note Series, vol. 317, Cambridge University Press, Cambridge, J. W. S. CASSELS, Lectures on elliptic curves, London Mathematical Society Student Texts, vol. 24, Cambridge University Press, Cambridge, JOHN E. CREMONA, Algorithms for modular elliptic curves, 2nd ed., Cambridge University Press, Cambridge, ANTHONY W. KNAPP, Elliptic curves, Mathematical Notes, vol. 40, Princeton University Press, Princeton, NJ, NEAL KOBLITZ, Introduction to elliptic curves and modular forms, Graduate Texts in Mathematics, vol. 97, Springer-Verlag, New York, JOSEPH H. SILVERMAN, The arithmetic of elliptic curves, Graduate Texts in Mathematics, vol. 106, Springer-Verlag, New York, JOSEPH H. SILVERMAN AND JOHN TATE, Rational points on elliptic curves, Undergraduate Texts in Mathematics, Springer-Verlag, New York, LAWRENCE C. WASHINGTON, Elliptic curves: Number theory and cryptography, 2nd ED. Discrete Mathematics and Its Applications, Chapman & Hall/CRC, HORST G. ZIMMER, Computational aspects of the theory of elliptic curves, Number theory and applications (Banff, AB, 1988) NATO Adv. Sci. Inst. Ser. C Math. Phys. Sci., vol. 265, Kluwer Acad. Publ., Dordrecht, 1989, pp