4.2 The Frobenius Endomorphism

Size: px

Start display at page:

Download "4.2 The Frobenius Endomorphism"

Timothy Jack Garrison
5 years ago
Views:

1 Department of Computer Science, National Chiao Tung University 1 / 12 Cryptanalysis Lab

2 Outline 1 Definition 2 Lemma Lemma 4.6 and Proposition Proof of Hasse s theorem Lemma 4.8 Proof of Hasse s theorem 5 Theorem Proposition / 12 Cryptanalysis Lab

3 Definition B Define Frobenius map for F q φ q : F q F q x x q B Define Frobenius map for E/F q φ q : E/(F q ) E/(F q ) (x, y) (x q, y q ), 3 / 12 Cryptanalysis Lab

4 Lemma 4.5 Lemma 4.5 E/F q, (x, y) E(F q ) 1 φ q (x, y) E(F q ) 2 (x, y) E(F q ) if and only if φ q (x, y) = (x, y) 4 / 12 Cryptanalysis Lab

5 Proof of Lemma 4.5 Proof: 1 Consider the general form y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 Raise both sides to the qth power : ( for (a + b) q = a q + b q ) (y q ) 2 + a 1 (x q y q ) + a 3 (y q ) = (x q ) 3 + a 2 (x q ) 2 + a 4 (x q ) + a 6 (x q, y q ) lies on E 2 Recall x F q if and only if φ q (x) = x (Appendix C) (x, y) E(F q ) x, y F q φ q (x) = x and φ q (y) = y φ q (x, y) = (x, y) 5 / 12 Cryptanalysis Lab

6 Lemma 4.6 and Proposition 4.7 Lemma 4.6 E/F q φ q is an endomorphism of E, deg(φ q ) = q, φ q is not separable. (same as Lemma 2.19) Proposition 4.7 E/F q, n 1 1 Ker(φ n q 1) = E(F q n) 2 φ n q 1 is a separable endomorphism, so #E(F q n) = deg(φn q 1) Proof: 1 from Lemma φ n q 1 is separable (Proposition 2.28) so #E(F q n) = deg(φ n q 1) (Proposition 2.20) 6 / 12 Cryptanalysis Lab

7 Lemma 4.8 Lemma 4.8 Let r, s be integers with gcd(s, q) = 1. Then deg(rφ q s) = r 2 q + s 2 rsa where a = q + 1 #E(F q ) = q + 1 deg(φ q 1) Proof: B By Proposition 3.16 deg(rφ q s) = r 2 deg(φ q ) + s 2 deg( 1) rs(deg(φ q 1) deg(φ q ) deg( 1)) For deg(φ q ) = q and deg( 1) = 1 So deg(φ q 1) deg(φ q ) deg( 1) = #E(F q ) q 1 = a 7 / 12 Cryptanalysis Lab

8 Proof of Hasse s theorem Proof: B Since deg(rφ q s) 0 r 2 q + s 2 rsa 0 ( r ) 2 ( r q a r, s with gcd(s, q) = 1 s s) { r s gcd(s, q) = 1} is dense in R and so qx2 ax x R a 2 4q 0 a 2 q 8 / 12 Cryptanalysis Lab

9 Theorem 4.10 Theorem 4.10 E/F q a = q + 1 #E(F q ) Then φ 2 q aφ q + q = 0 and a is the unique k such that φ 2 q kφ q + q = 0, (x, y) E(F q ) Moreover a Trac((φ q ) m ) mod m m with gcd(m, q) = 1 Proof: B If φ 2 q aφ q q 0, then its kernel is finite (Proposition 2.20). We ll show that the kernel is infinite, hence the endomorphism is 0. B Let m 0, gcd(m, q) = 1, φ q induces a matrix (φ q ) m that describes the action of φ q on E[m]. Let ( ) s t (φ m ) = u v 9 / 12 Cryptanalysis Lab

10 Proof - continue (1) B Since φ q 1 is separable by Proposition 2.28, 2.20, 3.15 #Ker(φ q 1) = deg(φ q 1) det((φ q ) m I ) = sv tu (s + v) + 1 (mod m) B By Proposition 3.15, sv tu = det((φ q ) m ) q (mod m) and a = q + 1 #Ker(φ q 1) Therefore, Trace((φ q ) m ) = s + v a (mod m) B By Cayley-Hamilton theorem of linear algebra, we have (φ q ) 2 m a(φ q) m + qi 0 (mod m) (Note that X 2 ax + q is the characteristic polynomial of (φ q ) m ) This means φ 2 q aφ q + q = 0 on E[m] B Since there are infinitely many choices for m, the kernel of φ 2 q aφ q + q is infinite, so the endomorphism is / 12 Cryptanalysis Lab

11 Proof - continue (2) B Proof of uniqueness of a Suppose a 1 a satisfies φ 2 q a 1 φ q + q = 0 Then (a a 1 )φ q = 0 By Theorem 2.21, φ q : E(F q ) E(F q ) is surjective a a 1 0 (mod m) a a 1 = 0 a is unique 11 / 12 Cryptanalysis Lab

12 Proposition 4.11 Proposition 4.11 E/F q, (φ q ) m as above Let a = q + 1 #E(F q ). Then Trace((φ q ) m ) a (mod m) det((φ q ) m ) q (mod m) B Define X 2 ax + q : characteristic polynomial of Frobenius 12 / 12 Cryptanalysis Lab

COUNTING POINTS ON ELLIPTIC CURVES OVER F q

COUNTING POINTS ON ELLIPTIC CURVES OVER F q RENYI TANG Abstract. In this expository paper, we introduce elliptic curves over finite fields and the problem of counting the number of rational points on a