Finite Fields and Elliptic Curves in Cryptography


1 Finite Fields and Elliptic Curves in Cryptography. Frederik Vercauteren, Katholieke Universiteit Leuven, COSIC (Computer Security and Industrial Cryptography)

2 Overview: public-key vs. symmetric cryptosystems; security of the RSA cryptosystem; the elliptic curve discrete logarithm problem; the Pohlig-Hellman attack on the ECDLP; proofs of primality with elliptic curves.

3 Public-key vs. symmetric cryptosystem. Symmetric cryptosystem: Alice and Bob share a common key $K$, which is used both for encryption and decryption. With $n$ users, $n(n-1)/2$ keys are needed. Both Alice and Bob have to keep $K$ secret. High speeds are possible, e.g. AES: 8 MB/s on a 200 MHz Pentium.

4 Public-key vs. symmetric cryptosystem. Public-key cryptosystem: Diffie-Hellman (1976), based on (trapdoor) one-way functions: given $x$ it is easy to compute $f(x)$; given $f(x)$ it is difficult to compute $x$; given $f(x)$ and the trapdoor it is easy to compute $x$. Example: let $g$ be a generator of $\mathbb{F}_p^*$, $p$ a large prime; then $f_g(x) = g^x \bmod p$ is a one-way function. Discrete logarithm problem: compute $x$ given $f_g(x)$. Key exchange: Alice sends Bob $P_A = g^{x_A} \bmod p$, Bob sends Alice $P_B = g^{x_B} \bmod p$. Common key $K_{AB} = g^{x_A x_B} \bmod p$ (Alice computes $P_B^{x_A}$, Bob computes $P_A^{x_B}$).

5 The RSA cryptosystem. Invented by Rivest, Shamir and Adleman (1977); constructs a trapdoor one-way function. Let $n = p \cdot q$ with $p$ and $q$ large primes (i.e. at least 512 bits each). Compute $\varphi(n) = (p-1)(q-1)$, i.e. the order of $(\mathbb{Z}/n\mathbb{Z})^*$. Choose $e$ and $d$ such that $e d \equiv 1 \pmod{\varphi(n)}$ and $\gcd(e, n) = \gcd(d, n) = 1$. Public key: $(e, n)$. Private key: $d$ (or $p$ and $q$). Encryption: $C = M^e \bmod n$. Decryption: $M = C^d \bmod n$.

6 Security of the RSA cryptosystem. Three computationally equivalent problems: (1) factor the modulus $n$; (2) compute $\varphi(n) = (p-1)(q-1)$; (3) given the public key $(e, n)$, compute $d$ with $e d \equiv 1 \pmod{\varphi(n)}$. Proof: (1) $\Rightarrow$ (2) $\Rightarrow$ (3) is trivial. (3) $\Rightarrow$ (1): given $(e, n)$ we get $d$ with $e d \equiv 1 \pmod{\varphi(n)}$, so $e d - 1 = k \varphi(n)$. For $a \in (\mathbb{Z}/n\mathbb{Z})^*$ we therefore have $a^{ed-1} \equiv 1 \pmod n$, hence $a^{ed-1} \equiv 1 \pmod p$ and $a^{ed-1} \equiv 1 \pmod q$.

7 Security of the RSA cryptosystem (cont.). Now $ed - 1$ is even, so $a^{(ed-1)/2}$ is a square root of 1 modulo $p$ and modulo $q$. Via CRT this gives four possibilities for $a^{(ed-1)/2} \bmod n$:

                    $\equiv 1 \pmod q$    $\equiv -1 \pmod q$
  $\equiv 1 \pmod p$       $1$                 $r_1$
  $\equiv -1 \pmod p$      $r_2$               $-1$

Note that $r_i \not\equiv \pm 1 \pmod n$, since CRT gives an isomorphism. So we expect $a^{(ed-1)/2} \not\equiv \pm 1 \pmod n$ for about half of $(\mathbb{Z}/n\mathbb{Z})^*$ (this can be shown rigorously; in general one has to strip all factors of 2 from $ed - 1$ and examine the whole chain $a^{(ed-1)/2^i}$, because when $k$ is even $a^{(ed-1)/2} \equiv 1 \pmod n$ for every $a$). Search for $a \in (\mathbb{Z}/n\mathbb{Z})^*$ with $a^{(ed-1)/2} \not\equiv \pm 1 \pmod n$; then clearly $1 < \gcd(a^{(ed-1)/2} - 1, n) < n$, since either $p$ or $q$ divides $a^{(ed-1)/2} - 1$, but not both.
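As an added worked example (not part of the slides), here is the reduction (3) $\Rightarrow$ (1) of the two slides above turned into code. The key $(n, e, d) = (3233, 17, 2753)$ with $n = 61 \cdot 53$ is constructed here and is far too small for real use; the base search is deterministic ($a = 2, 3, \dots$) so that the run is reproducible, whereas a production implementation would use random bases. It strips every factor of 2 from $ed - 1$ and walks the chain $a^t, a^{2t}, \dots$ until a square root of 1 other than $\pm 1$ appears; its gcd with $n$ splits the modulus.

```python
from math import gcd


def recover_factors(n, e, d, max_bases=1000):
    """Split an RSA modulus n given a working (e, d) pair.

    k = e*d - 1 is a multiple of phi(n), so a^k = 1 (mod n) for every a coprime
    to n. Writing k = 2^s * t with t odd, the chain x = a^t, x^2, x^4, ... reaches 1;
    the last element before the first 1 is a square root of 1. If it is not +-1 it
    is = 1 mod one prime and = -1 mod the other, and gcd(x - 1, n) is that prime.
    """
    k = e * d - 1
    if k <= 0 or k % 2:
        raise ValueError("e*d - 1 must be a positive even number")
    s, t = 0, k
    while t % 2 == 0:
        s += 1
        t //= 2
    for a in range(2, 2 + max_bases):
        g = gcd(a, n)
        if 1 < g < n:                       # the base itself shares a factor with n
            return tuple(sorted((g, n // g)))
        x = pow(a, t, n)
        if x in (1, n - 1):                 # chain is +-1 from the start: no information
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                      # x is a square root of 1 other than +-1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            if y == n - 1:                  # reached -1: the rest of the chain is trivial
                break
            x = y
    raise RuntimeError("no base revealed a non-trivial square root of 1")


if __name__ == "__main__":
    # constructed toy key: p = 61, q = 53, n = 3233, phi(n) = 3120, e = 17, d = 2753
    n, e, d = 3233, 17, 2753
    print(recover_factors(n, e, d))         # (53, 61)
```

For this key $a = 2$ gives a chain that reaches $-1$ and is useless, while $a = 3$ yields a square root of 1 that is $1 \bmod 61$ and $-1 \bmod 53$, so the gcd step returns 61. The same routine is the reason a leaked private exponent must be treated as a leaked factorisation, not merely as a leaked decryption capability.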

8 Factoring vs. discrete log. Define the function $L_n(a, b) = \exp\big((b + o(1))(\ln n)^a (\ln\ln n)^{1-a}\big)$. If $a = 1$ then $L_n$ is exponential in $\ln n$; for $a = 0$, $L_n$ is polynomial in $\ln n$. If $0 < a < 1$ then $L_n$ is called sub-exponential. The best known method for factoring and for computing discrete logarithms in $\mathbb{F}_p^*$ is the general number field sieve, which has running time $L_n(1/3, 1.923)$. Factoring: August 1999, RSA-155 (512 bits), factored with GNFS in 8000 MIPS years. Discrete log: April 2001, DLP-120 (120 decimal digits, about 400 bits), computed with GNFS in 400 MIPS years.

9 Definition of elliptic curves. Let $K$ be a field and $\bar K$ its algebraic closure; an elliptic curve $E$ over $K$ is the set of solutions in $\mathbb{P}^2(\bar K)$ of
$$E: Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3,$$
with $a_1, a_2, a_3, a_4, a_6 \in K$ and $E$ non-singular. Canonical forms over different fields $K$:

  Condition on $K$                        Equation
  $\mathrm{Char}(K) \ne 2, 3$             $y^2 = x^3 + a_4 x + a_6$
  $\mathrm{Char}(K) = 3$, $j(E) \ne 0$    $y^2 = x^3 + a_2 x^2 + a_6$
  $\mathrm{Char}(K) = 3$, $j(E) = 0$      $y^2 = x^3 + a_4 x + a_6$
  $\mathrm{Char}(K) = 2$, $j(E) \ne 0$    $y^2 + xy = x^3 + a_2 x^2 + a_6$
  $\mathrm{Char}(K) = 2$, $j(E) = 0$      $y^2 + a_3 y = x^3 + a_4 x + a_6$

10 Group law on elliptic curves. [Figure: chord-and-tangent construction of $P + Q$ (line $L$ through $P$ and $Q$ meets the curve in a third point $R$, reflect to get $P + Q$) and of $2P$ (tangent at $P$) on the elliptic curve $y^2 = x^3 - 7x + 6$ over $\mathbb{R}$.]

11 Elliptic curve over a finite field. [Figure: the points of the elliptic curve $y^2 = x^3 + x + 3 \bmod 23$, plotted on a $23 \times 23$ grid.]

12 Elliptic curve discrete logarithm problem. Let $\mathbb{F}_q$ be the finite field with $q$ elements and $E$ an elliptic curve over $\mathbb{F}_q$. Take a point $P \in E(\mathbb{F}_q)$ and $k \in \mathbb{Z}$ and set $Q = kP$; the ECDLP is: given $P$ and $Q$, compute $k$. Attacks on the ECDLP, with $n = \#E(\mathbb{F}_q)$: General attacks (e.g. baby-step giant-step) work in any group and have running time $O(\sqrt{n})$. For an elliptic curve $n \approx q$, so $O(\sqrt{q})$, i.e. exponential in $\log q$. MOV attack: use the Weil pairing to reduce the ECDLP to a DLP in $\mathbb{F}_{q^l}^*$, with $l$ the smallest integer such that $q^l \equiv 1 \pmod n$. For small $l$ this leads to a sub-exponential attack. Anomalous curves, $n = q$: apply the $q$-adic elliptic curve logarithm; time complexity $O(\log q)$, i.e. linear in $\log q$.

13 Pohlig-Hellman attack. To solve the DLP in any finite abelian group $G$, it is sufficient to solve the DLP in all subgroups of prime-power order; the original DLP is then recovered using CRT. Suppose $\#G = n = p_1^{e_1} p_2^{e_2} \cdots p_s^{e_s}$ and we wish to solve $Q = mP$. Set $p = p_1$ and $e = e_1$; we show how to compute $m \bmod p^e$. Restrict the DLP to the subgroup of order $p$ by multiplying with $n_1 = n/p$, i.e. $Q_1 = n_1 Q = m (n_1 P) = m P_1 = m_0 P_1$ with $m_0 = m \bmod p$. Use a general attack to compute $m_0$.

14 Pohlig-Hellman attack (cont.). Suppose we know $m_i = m \bmod p^i$; then $m \equiv m_i + \lambda_i p^i \pmod{p^{i+1}}$ with $0 \le \lambda_i < p$. Set $n_{i+1} = n/p^{i+1}$ and $P_{i+1} = n_{i+1} P$; then $Q_{i+1} = n_{i+1} Q = m (n_{i+1} P) = (m_i + \lambda_i p^i) P_{i+1}$, and so $Q_{i+1} - m_i P_{i+1} = \lambda_i (p^i P_{i+1}) = \lambda_i P_1$. Again use a general attack (in the subgroup of order $p$) to compute $\lambda_i$. Conclusion: a general attack on the ECDLP exists with running time $O(\sqrt{p})$, where $p$ is the largest prime factor of $\#E(\mathbb{F}_q)$. Before using an elliptic curve, check that its group order is divisible by a large prime (at least 160 bits).
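An added example, not from the slides, that serves both the group-law slides (10 and 11) and the two Pohlig-Hellman slides above: the affine chord-and-tangent law on $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, brute-force point enumeration, and the digit-by-digit Pohlig-Hellman solve of $Q = mP$ exactly as written above ($P_1 = (n/p)P$, $Q_{i+1} - m_i P_{i+1} = \lambda_i P_1$). It is run on the slide's own curve $y^2 = x^3 + x + 3 \bmod 23$, whose order $27 = 3^3$ has no large prime factor, so the whole ECDLP collapses to three searches in a subgroup of order 3. The point $P = (0, 7)$, the scalar $m = 20$ and the exhaustive inner search (standing in for the generic $O(\sqrt{p})$ attack) are choices made for this example.

```python
O = None  # point at infinity, the neutral element of E(F_p)


def ec_neg(P, p):
    return O if P is O else (P[0], (-P[1]) % p)


def ec_add(P, Q, a, p):
    """Chord-and-tangent addition of affine points on y^2 = x^3 + a x + b over F_p."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:          # Q = -P: vertical line through O
        return O
    if P == Q:                                   # tangent slope at P
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                        # chord slope through P and Q
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, a, p):
    """Double-and-add scalar multiplication [k]P."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R


def ec_points(a, b, p):
    """All of E(F_p), O included (brute force; only sensible for tiny p)."""
    pts = [O]
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        pts += [(x, y) for y in range(p) if y * y % p == rhs]
    return pts


def point_order(P, a, p, bound):
    """Smallest k >= 1 with [k]P = O (bound caps the search)."""
    R = P
    for k in range(1, bound + 1):
        if R is O:
            return k
        R = ec_add(R, P, a, p)
    raise ValueError("order exceeds bound")


def dlog_small(Q, P, order, a, p):
    """Exhaustive search for k with [k]P = Q in a subgroup of small prime order."""
    R = O
    for k in range(order):
        if R == Q:
            return k
        R = ec_add(R, P, a, p)
    raise ValueError("Q is not a multiple of P")


def factor(n):
    """Trial-division factorisation as {prime: exponent}; fine for toy orders."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def crt(residues, moduli):
    """Combine m mod q_i^e_i into m mod n (pairwise coprime moduli)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M


def pohlig_hellman(Q, P, n, a, p):
    """Solve Q = [m]P given n = ord(P), one prime-power subgroup at a time.

    For q^e || n: P_1 = [n/q]P has order q. With m_i = m mod q^i, n_{i+1} = n/q^{i+1},
    P_{i+1} = [n_{i+1}]P and Q_{i+1} = [n_{i+1}]Q, the slide's identity
    Q_{i+1} - [m_i]P_{i+1} = [lambda_i]P_1 gives m_{i+1} = m_i + lambda_i q^i.
    """
    residues, moduli = [], []
    for q, e in factor(n).items():
        P1 = ec_mul(n // q, P, a, p)
        m_i = 0
        for i in range(e):
            n_next = n // q ** (i + 1)
            P_next = ec_mul(n_next, P, a, p)
            Q_next = ec_mul(n_next, Q, a, p)
            rhs = ec_add(Q_next, ec_neg(ec_mul(m_i, P_next, a, p), p), a, p)
            m_i += dlog_small(rhs, P1, q, a, p) * q ** i
        residues.append(m_i)
        moduli.append(q ** e)
    return crt(residues, moduli)


if __name__ == "__main__":
    a, b, p = 1, 3, 23                        # the slide's curve y^2 = x^3 + x + 3 mod 23
    pts = ec_points(a, b, p)
    print("#E(F_23) =", len(pts), "=", factor(len(pts)))   # 27 = 3^3: no large prime factor
    P = (0, 7)
    n = point_order(P, a, p, len(pts))        # 27, so E(F_23) is cyclic and P generates it
    Q = ec_mul(20, P, a, p)
    print("ord(P) =", n, " m recovered by Pohlig-Hellman:", pohlig_hellman(Q, P, n, a, p))
```

The cost of the attack is governed by `dlog_small` in the largest prime-order subgroup, which is why the slide's check (a prime factor of at least 160 bits in $\#E(\mathbb{F}_q)$) is the one that matters; the number of prime-power factors only adds cheap CRT bookkeeping.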

15 ECDLP vs. RSA & DLP. [Comparison figure; its content is not recoverable from the transcription.]

16 2B or not 2B, that's the question... Fundamental theorem of arithmetic: given $n \in \mathbb{N}$, $n > 1$, the factorisation of $n$ into primes, $n = p_1^{a_1} p_2^{a_2} \cdots p_r^{a_r}$, is unique up to order. Different questions: What is the factorisation of $n$? Test whether $n$ is prime. Test whether $n$ is composite.

17 Tests of primality and of compositeness. Test of primality: if a certain condition on $n$ is fulfilled then $n$ is prime, otherwise $n$ is composite. Test of compositeness: if a certain condition on $n$ is fulfilled then $n$ is composite.

             Primality test    Compositeness test
  Success    n is prime        n is composite
  Fail       n is composite    ?

18 Tests of compositeness. Fermat's theorem: if $p$ is prime and $\gcd(a, p) = 1$, then $a^{p-1} \equiv 1 \pmod p$. Fermat compositeness test: if $\gcd(a, n) = 1$ and $a^{n-1} \not\equiv 1 \pmod n$, then $n$ is composite. Definition: an odd composite number $n$ for which $a^{n-1} \equiv 1 \pmod n$ is called a Fermat pseudoprime for base $a$. Example: $n = 341 = 11 \cdot 31$ gives $2^{340} \equiv 1 \pmod{341}$, so 341 is a Fermat pseudoprime to base 2; however $3^{340} \not\equiv 1 \pmod{341}$, so base 3 proves 341 composite.

19 Tests of compositeness. Data (Pomerance, Selfridge and Wagstaff, up to $25 \cdot 10^9$): 21853 pseudoprimes to base 2; 4709 pseudoprimes to bases 2 and 3; 2552 pseudoprimes to bases 2, 3 and 5; 1770 pseudoprimes to bases 2, 3, 5 and 7. Definition: an odd composite number $n$ for which $a^{n-1} \equiv 1 \pmod n$ for all $a$ with $\gcd(a, n) = 1$ is called a Carmichael number. Example: the smallest Carmichael number is $n = 561 = 3 \cdot 11 \cdot 17$. Data: 2163 Carmichael numbers below $25 \cdot 10^9$ (a second count at a larger bound was lost in transcription). Structure of Carmichael numbers (Korselt): $n$ is a Carmichael number iff $n$ is composite and squarefree and $p - 1 \mid n - 1$ for every prime factor $p$ of $n$.

20 Strong pseudoprime test. Definition: an odd composite number $n$ with $n = 2^s d + 1$, $d$ odd, is called a strong pseudoprime for base $a$ if $a^d \equiv 1 \pmod n$ or $a^{2^r d} \equiv -1 \pmod n$ for some $0 \le r < s$. Data (Jaeschke): below his search bound there are only 101 strong pseudoprimes to the bases 2, 3 and 5; the smallest strong pseudoprime to the bases 2, 3, 5, 7, 11, 13 and 17 is 341550071728321. No strong Carmichael numbers: if $n$ is odd and composite then $n$ fails the strong pseudoprime test for at least $3/4$ of the bases less than $n$. Miller-Rabin algorithm: apply the strong pseudoprime test for $t$ different bases $a_i$; if $n$ is composite then this will be detected with probability $> 1 - (1/4)^t$.
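The three tests of slides 18 to 21 side by side, as an added example that is not part of the slides: the Fermat test, the strong test for a single base, and Miller-Rabin over a list of bases. The test numbers are the ones quoted on the slides (341, 561, 2047, 25326001 $= 2251 \cdot 11251$, the smallest strong pseudoprime to bases 2, 3 and 5) plus the Mersenne prime $2^{61} - 1$; the default base list $\{2, \dots, 17\}$ is deterministic below 341550071728321 by the Jaeschke result quoted above, and beyond that bound gives only the $(1/4)^t$ probabilistic guarantee.

```python
def fermat_probable_prime(n, a):
    """Fermat compositeness test: True iff a^(n-1) = 1 (mod n), i.e. n is prime
    or a Fermat pseudoprime to base a (Carmichael numbers always pass)."""
    return pow(a, n - 1, n) == 1


def strong_probable_prime(n, a):
    """Strong test for base a: write n - 1 = 2^s d with d odd and accept iff
    a^d = 1 or a^(2^r d) = -1 (mod n) for some 0 <= r < s."""
    if n < 3 or n % 2 == 0:
        return n == 2
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    x = pow(a % n, d, n)
    if x in (1, n - 1):
        return True
    for _ in range(s - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False              # a non-trivial square root of 1 was passed: n is composite


def miller_rabin(n, bases=(2, 3, 5, 7, 11, 13, 17)):
    """Declare n composite as soon as one base fails the strong test. A composite
    survives t independent bases with probability at most (1/4)^t."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17):
        if n % p == 0:
            return n == p
    return all(strong_probable_prime(n, a) for a in bases)


if __name__ == "__main__":
    for n in (341, 561, 2047, 25326001, 2**61 - 1):
        print(n, "fermat(2):", fermat_probable_prime(n, 2),
              "strong(2,3,5):", all(strong_probable_prime(n, a) for a in (2, 3, 5)),
              "miller_rabin:", miller_rabin(n))
```

The example shows the ordering of the three notions on concrete numbers: 341 passes Fermat to base 2 but not the strong test; the Carmichael number 561 passes Fermat for every coprime base but fails the strong test already at base 2; 2047 is a strong pseudoprime to base 2 and is caught by base 3; 25326001 survives bases 2, 3 and 5 and is caught by base 7.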

22 Simple tests of primality. Trial division: if $n$ is composite, then $n$ has a prime factor $p \le \sqrt{n}$; if $p \nmid n$ for all primes $p \le \sqrt{n}$, then $n$ is prime. Strong pseudoprime test: if $n$ passes the strong pseudoprime test for more than $1/4$ of the bases smaller than $n$, then $n$ is prime. SPT with the Generalized Riemann Hypothesis: if $n$ passes the strong pseudoprime test for all bases $a \in \{2, 3, \dots, \lfloor 2 (\log n)^2 \rfloor\}$, then $n$ is prime. A proof of the Generalized Riemann Hypothesis would therefore yield a deterministic polynomial-time primality test.

23 Tests of primality. Pocklington's theorem: let $n > 1$ be an integer and $q$ a prime divisor of $n - 1$ with $q^e \mid (n-1)$ and $q^{e+1} \nmid (n-1)$. Suppose there is an integer $a$ such that $a^{n-1} \equiv 1 \pmod n$ and $\gcd(a^{(n-1)/q} - 1, n) = 1$. Then every prime divisor $p$ of $n$ satisfies $p \equiv 1 \pmod{q^e}$. Proof: let $b$ be the order of $a$ in $\mathbb{F}_p^*$. Then $b \mid p - 1$, and since $a^{n-1} \equiv 1 \pmod p$ we have $b \mid n - 1$. However $a^{(n-1)/q} \not\equiv 1 \pmod p$, so $b \nmid (n-1)/q$; thus $q^e \mid b$ and hence $q^e \mid p - 1$.

24 Tests of primality. Corollary: write $n - 1 = F \cdot R$ with $F$ and $R$ coprime, the factorisation of $F$ completely known and $F > \sqrt{n}$. Then $n$ is prime if and only if for each prime factor $q$ of $F$ there is an $a_q$ with $a_q^{n-1} \equiv 1 \pmod n$ and $\gcd(a_q^{(n-1)/q} - 1, n) = 1$. Proof: by Pocklington, $F$ divides $p - 1$ for every prime $p$ dividing $n$, so every prime factor of $n$ exceeds $F > \sqrt{n}$ and $n$ is prime. Conversely, if $n$ is prime, take a primitive root for every $a_q$. Problem: half of the factorisation of $n - 1$ must be known, and all prime factors of $F$ must themselves be proven prime; this recursion is the DOWNRUN process.

25 Tests of primality. Example (the numerical values were lost in transcription): take $n = \dots$, then $n - 1 = \dots$. Take $F = \dots$; then $a = 2$ will prove the primality of $n$ if $p = \dots$ and $q = \dots$ are prime. Now $p - 1 = \dots$; take $F = \dots$ and $a_{29} = a_{101} = 2$, which proves the primality of $p$. Also $q - 1 = \dots$; take $F = \dots$ with $a_3 = 5$ and $a = 2$, which proves the primality of $q$ iff $\dots$ is prime.
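An added example (not from the slides) of the corollary and of the DOWNRUN recursion of slides 24 and 25, with the numbers of the lost worked example replaced by constructed ones: $n = 10007$ with $n - 1 = 2 \cdot 5003$, and $5003 - 1 = 2 \cdot 41 \cdot 61$. The caller supplies, for every number that has to be certified, the factors of $n - 1$ it knows (the "known half" the corollary needs); `certify` builds $F > \sqrt{n}$ from them, finds a witness $a_q$ per prime $q \mid F$ and recurses on $q$, and `verify` re-checks the resulting certificate independently. The threshold `SMALL`, the witness search range and the certificate layout are choices made for this example.

```python
from math import gcd, isqrt

SMALL = 1000  # below this bound trial division is the whole certificate


def is_small_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def pocklington_witness(n, q, tries=200):
    """a_q with a_q^(n-1) = 1 (mod n) and gcd(a_q^((n-1)/q) - 1, n) = 1, else None."""
    for a in range(2, 2 + tries):
        if pow(a, n - 1, n) != 1:
            return None  # Fermat failure: n is composite, no witness can exist
        if gcd(pow(a, (n - 1) // q, n) - 1, n) == 1:
            return a
    return None


def certify(n, known):
    """Certificate (nested dict) proving n prime, or None.

    known[n] = {prime q: exponent e} lists the factors of n - 1 that are available.
    F is built from the largest of them until F > sqrt(n); every q in F needs a
    Pocklington witness and is itself certified recursively (the DOWNRUN).
    """
    if n <= SMALL:
        return {"n": n, "method": "trial division"} if is_small_prime(n) else None
    factors = known.get(n, {})
    F, chosen = 1, []
    for q in sorted(factors, reverse=True):
        if (n - 1) % q ** factors[q]:
            return None  # supplied factorisation is wrong
        F *= q ** factors[q]
        chosen.append(q)
        if F * F > n:
            break
    if F * F <= n:
        return None  # not enough of n - 1 is known
    cert = {"n": n, "F": F, "witnesses": {}, "subproofs": {}}
    for q in chosen:
        a, sub = pocklington_witness(n, q), certify(q, known)
        if a is None or sub is None:
            return None
        cert["witnesses"][q], cert["subproofs"][q] = a, sub
    return cert


def verify(cert):
    """Independent re-check: F | n-1, F > sqrt(n), every witness satisfies the two
    Pocklington conditions, every q | F is certified, and F is exactly the product
    of the certified prime powers q^e || n-1 (so no prime of F lacks a witness)."""
    n = cert["n"]
    if cert.get("method") == "trial division":
        return is_small_prime(n)
    F = cert["F"]
    if F * F <= n or (n - 1) % F:
        return False
    prod = 1
    for q, a in cert["witnesses"].items():
        sub = cert["subproofs"].get(q)
        if sub is None or sub["n"] != q or not verify(sub):
            return False
        if pow(a, n - 1, n) != 1 or gcd(pow(a, (n - 1) // q, n) - 1, n) != 1:
            return False
        e, m = 0, n - 1
        while m % q == 0:
            m //= q
            e += 1
        prod *= q ** e
    return prod == F


if __name__ == "__main__":
    KNOWN = {10007: {2: 1, 5003: 1}, 5003: {2: 1, 41: 1, 61: 1}}  # constructed input
    c = certify(10007, KNOWN)
    print("certificate for 10007 verifies:", verify(c), " F =", c["F"],
          " witness:", c["witnesses"], " F for 5003:", c["subproofs"][5003]["F"])
    print("561 (Carmichael) certified:", certify(561, {561: {2: 4, 5: 1, 7: 1}}) is not None)
```

For 10007 the factor 5003 alone already exceeds $\sqrt{10007}$, so $F = 5003$ and a single witness suffices; for 5003 one needs $F = 41 \cdot 61 = 2501$ and two witnesses. The Carmichael number 561 passes the Fermat condition for every coprime base, yet no base satisfies the gcd condition for $q = 7$ (every $a^{80} \equiv 1 \pmod 3$), so `certify` correctly refuses it; the separate `verify` pass is what a relying party would run on a certificate it did not produce.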

26 Certificate of primality. [Figure of the resulting certificate; its content is not recoverable from the transcription.]

27 General principle for tests of primality. Definition: $G$ is a group modulo $n$ if its elements are (vectors of) residues modulo $n$ and the group operation is defined in terms of arithmetic operations modulo $n$. Definition: let $d \mid n$; then $G_d$, the group derived from $G$ by reducing modulo $d$, is called the restricted group modulo $d$. Example: $(\mathbb{Z}/n\mathbb{Z})^*$ is a group modulo $n$, and for each $d \mid n$, $(\mathbb{Z}/d\mathbb{Z})^*$ is the restricted group modulo $d$.

28 General principle for tests of primality. Primality proof: let $n$ be a highly probable prime and $G$ a group modulo $n$. If there exist $x \in G$ and integers $m$ and $s \mid m$ with the following conditions, then $n$ is prime: $s >$ the order of $G_q$ for each prime $q \mid n$ with $q \le \sqrt{n}$; $x^m = e$; for each prime $p \mid s$, at least one of the coordinates of $x^{m/p} - e$ is coprime to $n$. (The last two conditions force the order of $x$ in $G_q$ to be a multiple of $s$ for every such $q$, which contradicts the bound on the order of $G_q$; hence no prime $q \le \sqrt n$ divides $n$.) Example: let $G = (\mathbb{Z}/n\mathbb{Z})^*$ and $q \mid n$ with $q \le \sqrt{n}$. Then $G_q = (\mathbb{Z}/q\mathbb{Z})^*$ and the order of $G_q$ is $q - 1 < \sqrt{n}$. Problem: given $n$ this provides only one group, $G = (\mathbb{Z}/n\mathbb{Z})^*$, modulo $n$.

29 Primality test based on elliptic curves. Definition: let $n$ be a positive integer with $\gcd(n, 6) = 1$. An elliptic curve $E$ over $\mathbb{Z}/n\mathbb{Z}$ is a curve $y^2 = x^3 + ax + b$ with $\gcd(4a^3 + 27b^2, n) = 1$. If $p \mid n$ then the reduction of $E$ modulo $p$ is an elliptic curve over $\mathbb{F}_p$. Group operation on $E(\mathbb{Z}/n\mathbb{Z})$: let $P_1$ and $P_2$ be two points in $E(\mathbb{Z}/n\mathbb{Z})$ with $P_1 \ne P_2$, and define $P_1 + P_2$ using the ordinary elliptic curve group operation. Then the denominators occurring in $P_1 + P_2$ are coprime to $n$ if and only if for all primes $p \mid n$ we have $(P_1 \bmod p) + (P_2 \bmod p) \ne O$ in $E(\mathbb{F}_p)$.

30 Primality test based on elliptic curves. Apply the general principle to $G = E(\mathbb{Z}/n\mathbb{Z})$: let $q \mid n$ with $q \le \sqrt{n}$; then $G_q = E(\mathbb{F}_q)$ and so $\#G_q \le (\sqrt{q} + 1)^2$ by Hasse. Since $q \le \sqrt{n}$, $\#G_q < (n^{1/4} + 1)^2$. Hence: let $m$ and $s \mid m$ be integers with $s > (n^{1/4} + 1)^2$ and $P \in E(\mathbb{Z}/n\mathbb{Z})$ with (1) $mP = O$ and (2) $(m/p)P$ defined and different from $O$ for each prime $p \mid s$; then $n$ is prime.

31 Primality test based on elliptic curves: algorithm. 1. Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $E_{a,b}$ is an elliptic curve over $\mathbb{Z}/n\mathbb{Z}$. 2. Determine $m = \#E(\mathbb{Z}/n\mathbb{Z})$ as if $n$ were prime. 3. Test whether $m = k \cdot q$ with $k > 1$ and $q$ a probable prime with $q > (n^{1/4} + 1)^2$. 4. If this test fails, return to step 1; else proceed. 5. Select a point $P = (x, y) \in E(\mathbb{Z}/n\mathbb{Z})$. 6. Compute $(m/q)P = kP$. If this is undefined, a divisor of $n$ has been found. If ... (the remainder of step 6 and step 7 are missing from the transcription). 8. Prove the primality of $q$ recursively, using this algorithm.

33 Proof that $n = \dots$ is prime (the numerical values were lost in transcription). Consider the elliptic curve $E_{a,b}$ with $a = \dots$, $b = \dots$. Then $m = \dots$ is the order of $E(\mathbb{Z}/n\mathbb{Z})$ and has an 81-bit factor $q = \dots$ which is probably prime. $P = (\dots, \dots)$ is a point on $E_{a,b}$ and satisfies $mP = O$ and $(m/q)P \ne O$.

34 Proof that $n = \dots$ is prime (cont.). [Certificate figure; its content is not recoverable from the transcription.]

35 Selecting $E$ and $m$: Goldwasser and Kilian. Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $\gcd(n, 4a^3 + 27b^2) = 1$. Compute $\#E(\mathbb{Z}/n\mathbb{Z})$ using Schoof's algorithm (running time $O(\log^8 n)$). If the algorithm fails, then $n$ is not prime; else it produces $m$. If $m$ is not of the form $k \cdot q$, go back to the first step. Under reasonable hypotheses on the distribution of primes in short intervals (of length $O(\sqrt{x})$ around $x$), the expected running time is $O(\log^{12} n)$.

36 Selecting $E$ and $m$: Atkin. Let $\#E(\mathbb{F}_p) = p + 1 - t$; then the complex multiplication field of $E$ is $L = \mathbb{Q}(\sqrt{t^2 - 4p})$. If $L$ is known for a certain $E$, then $m = \#E(\mathbb{F}_p)$ can easily be computed. If $L$ and $p$ are given, a small list of candidate values $m$ can be computed for the elliptic curves over $\mathbb{F}_p$ that have $L$ as their CM field. Given $L$ and a prime $p$, a small list of elliptic curves over $\mathbb{F}_p$ having $L$ as CM field can be constructed.

37 Selecting $E$ and $m$: Atkin (cont.). 1. Select an imaginary quadratic field $L$ that has not been used yet. 2. Compute the candidate orders $m$ for elliptic curves with $L$ as CM field. 3. If none of these $m$ is of the form $k \cdot q$ with $k > 1$ and $q$ a probable prime with $q > (n^{1/4} + 1)^2$, return to step 1. 4. Let $m$ have the right form. Compute the small list of curves $E$ over $\mathbb{Z}/n\mathbb{Z}$ with $L$ as CM field and select the curve $E$ with $\#E(\mathbb{Z}/n\mathbb{Z}) = m$, e.g. by testing whether $mP = O$. The expected running time of the CM primality test is $O(\log^{6+\varepsilon} n)$.

38 Counting Points on Elliptic Curves in Characteristic 2. Frederik Vercauteren, Katholieke Universiteit Leuven, COSIC (Computer Security and Industrial Cryptography)

39 Overview: elliptic curves over finite fields of characteristic 2; the Frobenius endomorphism; counting two by two; baby-step giant-step; Weil's theorem and Koblitz curves; Schoof's algorithm; the improvements of Elkies and Atkin; Satoh's algorithm.

40 Elliptic curves over finite fields of characteristic 2. Finite field of characteristic 2: $\mathbb{F}_q = \mathbb{F}_2[X]/(f(X))$, $q = 2^n$, with $f$ irreducible of degree $n$. Algebraic closure: $\bar{\mathbb{F}}_q = \bigcup_{m \ge 1} \mathbb{F}_{q^m}$. Theorem: for $x \in \bar{\mathbb{F}}_q$, $x \in \mathbb{F}_q$ iff $x^q = x$. Elliptic curve $E$ over $\mathbb{F}_q$ ($a, b \in \mathbb{F}_q$): $y^2 + xy = x^3 + ax^2 + b$, with $O = [0 : 1 : 0]$. Isomorphism classes: $a \in \{0, \gamma\}$ with $\mathrm{Tr}(\gamma) = 1$, and $\#E_{0,b}(\mathbb{F}_q) + \#E_{\gamma,b}(\mathbb{F}_q) = 2q + 2$.

41 Frobenius endomorphism. Definition: the Frobenius endomorphism is $F: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q)$, $(x, y) \mapsto (x^q, y^q)$. Definition: the trace of Frobenius $t$ is defined by $\#E(\mathbb{F}_q) = q + 1 - t$. Definition: $[m]: E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q)$, $P \mapsto mP$. Characteristic equation of $F$: $F^2 - [t]F + [q] = [0]$. Hasse (1933): the trace of Frobenius satisfies $|t| \le 2\sqrt{q}$.

42 Counting two by two. The number of solutions of $Ax^2 + Bx + C = 0$ with $A \ne 0$, $B, C \in \mathbb{F}_q$ is: 1 solution if $B = 0$, and $2\,(1 - \mathrm{Tr}(AC/B^2))$ solutions if $B \ne 0$. Let $E$ over $\mathbb{F}_q$ be given by $y^2 + xy = x^3 + ax^2 + b$; then $(0, \sqrt{b}) \in E(\mathbb{F}_q)$, and for $x \ne 0$ the points also satisfy $(y/x)^2 + (y/x) = x + a + b/x^2$. Therefore one can compute $\#E(\mathbb{F}_q)$ as
$$\#E(\mathbb{F}_q) = 2 + 2 \sum_{x \in \mathbb{F}_q^*} \big(1 - \mathrm{Tr}(x + a + b x^{-2})\big),$$
where the 2 counts $O$ and $(0, \sqrt{b})$. This is a slow algorithm, with complexity $O(q \log^2 q)$, useful only for $q$ up to a small bound (value lost in transcription).

44 Baby-step giant-step algorithm. Hasse-Weil: $\#E(\mathbb{F}_q) \in H := [q + 1 - 2\sqrt{q},\, q + 1 + 2\sqrt{q}]$, an interval of length $4\sqrt{q}$. Set $N = \lceil \sqrt{4\sqrt{q}} \rceil$ and write $x = jN - i$ with $i, j \in \mathbb{N}$ and $0 \le i < N$. Generate a point $P$ on the curve and suppose $x = jN - i \in H$ satisfies $xP = O$, i.e. $(jN)P = iP$. Precompute a table with $iP$ for $0 \le i < N$ (baby steps); compute $Q = NP$ and compare $jQ$ with the table for successive $j$ (giant steps). On a match, $\mathrm{Ord}(P) \mid jN - i$, and from this one derives $\#E(\mathbb{F}_q)$ (unique when $\mathrm{Ord}(P) > 4\sqrt q$, otherwise combine with further points). Time $O(q^{1/4} \log^2 q)$, memory $O(q^{1/4})$.

45 Weil's theorem and Koblitz curves. Weil: let $E$ be defined over $\mathbb{F}_q$, $\#E(\mathbb{F}_q) = q + 1 - t$, and let $X^2 - tX + q = (X - \alpha)(X - \beta)$; then for every $m \in \mathbb{N}$ we have $\#E(\mathbb{F}_{q^m}) = q^m + 1 - (\alpha^m + \beta^m)$. Recursion: set $t_0 = 2$ and $t_m = q^m + 1 - \#E(\mathbb{F}_{q^m})$; then the $t_m$ satisfy $t_{m+1} = t_1 t_m - q\, t_{m-1}$. A curve defined over $\mathbb{F}_2$ is called a Koblitz curve. If $l \mid m$ then $E(\mathbb{F}_{2^l})$ is a subgroup of $E(\mathbb{F}_{2^m})$, so $\#E(\mathbb{F}_{2^l}) \mid \#E(\mathbb{F}_{2^m})$. There are very few Koblitz curves with $\#E$ divisible by a large prime. NIST: Koblitz curves over $\mathbb{F}_{2^m}$ with $m = 163, 233, 283, 409, 571$.
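An added example, not part of the slides, covering slides 42 and 45 together: arithmetic in $\mathbb{F}_{16} = \mathbb{F}_2[x]/(x^4 + x + 1)$ (a constructed toy field), the absolute trace, the "counting two by two" formula $\#E(\mathbb{F}_q) = 2 + 2\sum_{x \ne 0}(1 - \mathrm{Tr}(x + a + b x^{-2}))$ checked against brute-force enumeration, and Weil's recursion $t_{m+1} = t_1 t_m - q\,t_{m-1}$ applied to the Koblitz curve $y^2 + xy = x^3 + 1$, which has $\#E(\mathbb{F}_2) = 4$ and therefore $\#E(\mathbb{F}_{16}) = 16$. The twist identity $\#E_{0,b} + \#E_{\gamma,b} = 2q + 2$ from slide 40 is checked as well, with $\gamma$ the first element of trace 1.

```python
# Toy field F_16 = F_2[x]/(x^4 + x + 1); elements are 4-bit integers, addition is XOR.
MOD, N = 0b10011, 4
Q = 1 << N


def gf_mul(u, v):
    """Carry-less multiplication with reduction by MOD."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & Q:
            u ^= MOD
    return r


def gf_pow(u, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r


def gf_inv(u):
    return gf_pow(u, Q - 2)        # u^(q-2) = u^(-1) for u != 0


def trace(u):
    """Absolute trace F_q -> F_2: u + u^2 + u^4 + ... + u^(2^(N-1)); result is 0 or 1."""
    t, v = 0, u
    for _ in range(N):
        t ^= v
        v = gf_mul(v, v)
    return t


def count_two_by_two(a, b):
    """#E(F_q) for y^2 + xy = x^3 + a x^2 + b: O, the single point with x = 0, and
    for each x != 0 two points iff Tr(x + a + b/x^2) = 0 (the quadratic in y/x splits)."""
    total = 2
    for x in range(1, Q):
        w = x ^ a ^ gf_mul(b, gf_inv(gf_mul(x, x)))
        if trace(w) == 0:
            total += 2
    return total


def count_bruteforce(a, b):
    """Same count by testing every (x, y) in F_q^2; cross-check for the trace formula."""
    total = 1                      # the point at infinity
    for x in range(Q):
        x2 = gf_mul(x, x)
        rhs = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b
        total += sum(1 for y in range(Q) if gf_mul(y, y) ^ gf_mul(x, y) == rhs)
    return total


def trace_one_element():
    """A gamma with Tr(gamma) = 1; a in {0, gamma} covers both isomorphism classes."""
    return next(u for u in range(Q) if trace(u) == 1)


def weil_count(n_base, q, m):
    """#E(F_{q^m}) from #E(F_q): t_0 = 2, t_1 = q + 1 - #E(F_q),
    t_{k+1} = t_1 t_k - q t_{k-1}, and #E(F_{q^m}) = q^m + 1 - t_m."""
    t1 = q + 1 - n_base
    t_prev, t = 2, t1
    for _ in range(m - 1):
        t_prev, t = t, t1 * t - q * t_prev
    return q ** m + 1 - t


if __name__ == "__main__":
    g = trace_one_element()
    # y^2 + xy = x^3 + 1 is a Koblitz curve (coefficients in F_2) with #E(F_2) = 4
    print("#E(F_16) by trace sum:", count_two_by_two(0, 1),
          " brute force:", count_bruteforce(0, 1),
          " Weil from #E(F_2) = 4:", weil_count(4, 2, 4))
    print("twist check:", count_two_by_two(0, 1) + count_two_by_two(g, 1), "== 2q + 2 =", 2 * Q + 2)
```

The point of the Weil recursion for a Koblitz curve is that the order over every extension field follows from four points over $\mathbb{F}_2$: here $t_1 = -1$ gives $t_2 = -3$, $t_3 = 5$, $t_4 = 1$, so $\#E(\mathbb{F}_4) = 8$, $\#E(\mathbb{F}_8) = 4$, $\#E(\mathbb{F}_{16}) = 16$, each divisible by $\#E(\mathbb{F}_2) = 4$ as the subgroup statement on the slide requires.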

46 Schoof's algorithm (1985). Idea: compute the trace of Frobenius $t \bmod l_i$ for small primes $l_i$ with $\prod_i l_i > 4\sqrt{q}$ and use CRT to compute the correct value of $t$. Definition: the $l$-torsion group $E[l] = \{P \in E \mid lP = O\} \cong \mathbb{Z}/l\mathbb{Z} \times \mathbb{Z}/l\mathbb{Z}$. Idea: restrict the characteristic equation of $F$ to $E[l]$: $F_l^2 - [t_l]F_l + [q_l] = [0]$, where $t_l = t \bmod l$ and $q_l = q \bmod l$. For all $l$-torsion points $P = (x, y)$: $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [t_l](x^q, y^q)$. Algorithm: test for every $\tau \in \{0, 1, \dots, l-1\}$ whether $(x^{q^2}, y^{q^2}) + [q_l](x, y) = [\tau](x^q, y^q)$ holds on $E[l]$.

48 Schoof's algorithm: details. How can we compute in $E[l]$? Solution: the division polynomials $f_l$ of degree $(l^2 - 1)/2$, for $E: y^2 + xy = x^3 + a_2 x^2 + a_6$:
$$f_0 = 0,\quad f_1 = 1,\quad f_2 = x,\quad f_3 = x^4 + x^3 + a_6,\quad f_4 = x^6 + a_6 x^2,$$
$$f_{2m+1} = f_{m+2} f_m^3 + f_{m-1} f_{m+1}^3 \quad (m \ge 2),\qquad x f_{2m} = f_{m-1}^2 f_m f_{m+2} + f_{m-2} f_m f_{m+1}^2 \quad (m \ge 3).$$
Theorem: $P = (x, y) \in E[l]$ iff $f_l(x) = 0$. Note that $P \in E[l]$ implies $F(P) \in E[l]$, so with $S = \{x(P) : P \in E[l] \setminus \{O\}\}$ we have $f_l(x) = \prod_{\alpha \in S}(x - \alpha) \in \mathbb{F}_q[x]$.

49 Schoof's algorithm: details. Theorem: for $m \ge 2$ and $P = (x, y) \in E \setminus \{O\}$, $mP = (\tilde x, \tilde y)$ with
$$\tilde x = x + \frac{f_{m-1} f_{m+1}}{f_m^2},\qquad \tilde y = x + y + \frac{f_{m-1} f_{m+1}}{f_m^2} + \frac{f_{m-2} f_{m+1}^2}{x f_m^3} + (x^2 + y)\,\frac{f_{m-1} f_{m+1}}{x f_m^2}.$$
All computations in $E[l]$ are thus transformed to computations in $\mathbb{F}_q[x]/(f_l(x))$. Time complexity $O(\log^8 q)$, memory complexity $O(\log^3 q)$; useful for fields with $q$ up to a moderate bound (value lost in transcription).

50 Ideas of Elkies and Atkin. Idea: are the roots of $X^2 - t_l X + q_l$ in $\mathbb{F}_l$ or not? Criterion: is $\Delta = t^2 - 4q$ a square modulo $l$ or not? Definition: if $\Delta$ is a square modulo $l$ then $l$ is an Elkies prime, else an Atkin prime. Note $E[l] \cong \mathbb{Z}/l\mathbb{Z} \times \mathbb{Z}/l\mathbb{Z}$ is the union of $l + 1$ cyclic subgroups $C_1, \dots, C_{l+1}$: if $P_1, P_2$ generate $E[l]$ then $C_1 = \langle P_1 \rangle$, $C_2 = \langle P_2 \rangle$ and $C_i = \langle P_1 + (i-2)P_2 \rangle$ for $i = 3, \dots, l+1$. Study the action of $F_l$ on these subgroups: if $F_l(C_i) \subseteq C_i$ then $F_l(C_i) = C_i$ and $F_l$ has an eigenvalue $\lambda \in \mathbb{F}_l$.

51 Ideas of Elkies and Atkin (cont.). Suppose $l$ is an Elkies prime; then $X^2 - t_l X + q_l = (X - \lambda)(X - \mu)$ with $\lambda, \mu \in \mathbb{F}_l$, and at least one $C_i$ is invariant under the Frobenius map. Let $g_l(x) = \prod_{P \in C_1 \setminus \{O\}} (x - x(P))$ (up to sign); then $g_l(x) \in \mathbb{F}_q[x]$. Note that $\deg g_l = (l-1)/2$ and $g_l(x) \mid f_l(x)$, so computing modulo $g_l$ is much more efficient. Equating coefficients of the characteristic polynomial of $F_l$ gives $t \equiv \lambda + q/\lambda \pmod l$.

52 Ideas of Elkies and Atkin (cont.). Problem: how can one compute $g_l(x)$? Solution: compute the isogeny $\phi$ with kernel $C_1$,
$$\phi: E \to E',\quad (x, y) \mapsto \left(\frac{G(x)}{g_l(x)^2},\ \frac{H(x) + y K(x)}{g_l(x)^3}\right).$$
Suppose $l$ is an Atkin prime; then $\Delta$ is a quadratic non-residue modulo $l$, and one generates a (small) set of possibilities for $t \bmod l$. Final step: combine the information from both the Elkies and the Atkin primes. Complexity $O(\log^6 q)$.

53 Isogenies and modular polynomials. A morphism from $E_1$ to $E_2$ is a rational map that is defined at every point $P$ of $E_1$. An isogeny $I$ is a morphism with $I(O_1) = O_2$. Theorem: every isogeny is a group homomorphism from $E_1$ to $E_2$. If $I$ is separable, then the degree of $I$ equals $\#\ker(I)$. Theorem: let $E$ be an elliptic curve over $\mathbb{F}_q$ and $S$ a finite subgroup of $E$ with $F(S) = S$; then there exists an elliptic curve $E'$ and an isogeny $\phi: E \to E'$ defined over $\mathbb{F}_q$ with $\ker(\phi) = S$.

54 Isogenies and modular polynomials (cont.). Let $j_a = 1/a$ be the $j$-invariant of the curve $E_a: y^2 + xy = x^3 + a$. Theorem: for every prime $l$ there exists a modular polynomial $\Phi_l(x, y)$ of degree $l + 1$ in each variable with the following properties: there exists an isogeny of degree $l$ from $E_a$ to $E_b$ iff $\Phi_l(j_a, j_b) = 0$; the polynomial $\Phi_l(x, j_a)$ has a root $j_b \in \mathbb{F}_{q^r}$ iff the kernel of the isogeny $I: E_a \to E_b$ is a one-dimensional eigenspace of $F^r$ in $E[l]$; the polynomial $\Phi_l(x, j_a)$ splits completely in $\mathbb{F}_{q^r}[x]$ iff $F^r$ acts as a scalar matrix on $E[l]$.

55 Isogenies and modular polynomials. Theorem: factor $\Phi_l(x, j_a) = h_1 h_2 \cdots h_s$ over $\mathbb{F}_q$; then the possibilities for the degrees of $h_1, h_2, \dots, h_s$ are: $(1\ l)$ or $(1\ 1 \cdots 1)$, and then $t^2 - 4q \equiv 0 \pmod l$; $(1\ 1\ r \cdots r)$, and then $t^2 - 4q$ is a square modulo $l$, $r \mid l - 1$ and $F$ acts on $E[l]$ as a matrix $\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}$; $(r\ r \cdots r)$ with $r > 1$, and then $r \mid l + 1$, $t^2 - 4q$ is not a square modulo $l$, and $t$ satisfies $t^2 \equiv q\,(\zeta + \zeta^{-1} + 2) \pmod l$ for $\zeta$ a primitive $r$-th root of unity in $\mathbb{F}_{l^2}$ (the eigenvalues $\lambda, \mu$ then satisfy $\lambda/\mu = \zeta$, so $t^2/q = (\lambda + \mu)^2/(\lambda\mu) = \zeta + 2 + \zeta^{-1}$).

56 SEA algorithm: outline. 1. $M := 1$, $l := 2$, $A := \{\}$, $E := \{\}$. 2. While $M < 4\sqrt{q}$ do: (a) compute the modular polynomial $\Phi_l(x, y)$; (b) compute the splitting type $S$ of $\Phi_l(x, j)$; (c) if $S = (1\ l)$ or $S = (1\ 1 \cdots 1)$: $E \leftarrow E \cup \{(2\sqrt{q} \bmod l,\ l)\}$; (d) if $S = (1\ 1\ r \cdots r)$: compute the factor $g_l(x)$ of $f_l(x)$ via the isogeny, find the eigenvalue $\lambda$ modulo $l$, set $t \equiv \lambda + q/\lambda \pmod l$ and $E \leftarrow E \cup \{(t, l)\}$; (e) if $S = (r\ r \cdots r)$: compute the set $T$ with $t \bmod l \in T$ and $A \leftarrow A \cup \{(T, l)\}$; then $M := M \cdot l$ and move to the next prime $l$. 3. Compute $t$ exactly from the Elkies information $E$ and the Atkin candidates $A$ using match and sort.

58 Satoh's algorithm: main idea. Theorem of Deuring: there exists an elliptic curve $\tilde E$ over a $p$-adic field (with ring of integers $\mathbb{Z}_q$, defined below) whose reduction modulo $p$ equals $E$ and with $\mathrm{End}(\tilde E) \cong \mathrm{End}(E)$. The elliptic curve $\tilde E$ is called the canonical lift of $E$. The Frobenius endomorphism $F$ of $E$ lifts to an endomorphism $\tilde F$ of $\tilde E$: reduction $\pi$ maps $\tilde E \xrightarrow{\tilde F} \tilde E$ onto $E \xrightarrow{F} E$. Since $\mathrm{Tr}\,\tilde F = \mathrm{Tr}\,F = t$, it suffices to compute $\mathrm{Tr}\,\tilde F$.

60 $p$-adic integers and extensions. A $p$-adic integer is a sequence $x = (x_1, x_2, \dots, x_k, \dots)$ with $x_k \in \mathbb{Z}/p^k\mathbb{Z}$ and $x_{k+1} \equiv x_k \pmod{p^k}$ for $k \ge 1$. Projection $\pi_k: \mathbb{Z}_p \to \mathbb{Z}/p^k\mathbb{Z}$, $x \mapsto x_k$, and $\pi(\mathbb{Z}_p) = \mathbb{F}_p$ (with $\pi = \pi_1$). Let $q = p^n$ and $f(t)$ a monic polynomial in $\mathbb{Z}_p[t]$ of degree $n$ with $\pi(f)$ irreducible in $\mathbb{F}_p[t]$; then $\mathbb{Z}_q$ is defined as $\mathbb{Z}_p[t]/(f(t))$. If $a \in \mathbb{Z}_q$ then $a = a_{n-1} t^{n-1} + \dots + a_1 t + a_0$ with $a_i \in \mathbb{Z}_p$. Note $\pi(\mathbb{Z}_q) = \mathbb{F}_q$ and $\pi_k(\mathbb{Z}_q) = (\mathbb{Z}/p^k\mathbb{Z})[t]/(f(t))$.

61 Newton iteration. Let $f(t) \in \mathbb{Z}_q[t]$ and suppose $x_0 \in \mathbb{Z}_q$ satisfies $f(x_0) \equiv 0 \pmod{p^m}$ and $f'(x_0) \not\equiv 0 \pmod p$. Then we get a better approximate root $x_1$ of $f$ as
$$x_1 = x_0 - \frac{f(x_0)}{f'(x_0)},$$
which satisfies $f(x_1) \equiv 0 \pmod{p^{2m}}$ and $f'(x_1) \not\equiv 0 \pmod p$. General case: let $k \in \mathbb{N}$ be the largest integer with $f'(x_0) \equiv 0 \pmod{p^k}$. If $m > 2k$, then the same formula yields a better approximate root $x_1$ with $f(x_1) \equiv 0 \pmod{p^{2m-2k}}$.
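An added example (not part of the slides) of the Newton step above, written for $\mathbb{Z}_p$ with Python integers standing in for $p$-adic integers truncated to the stated precision: one step takes a root modulo $p^m$ to a root modulo $p^{2m-2k}$, where $p^k$ exactly divides $f'(x_0)$. The two inputs are constructed: $\sqrt{2}$ in $\mathbb{Z}_7$ starting from $3^2 \equiv 2 \pmod 7$ (the plain $k = 0$ case), and $\sqrt{17}$ in $\mathbb{Z}_2$ starting from $x_0 = 1$, where $f'(x) = 2x$ is always divisible by 2 and the precision gain per step drops from $2m$ to $2m - 2$.

```python
def newton_step(f, df, x0, p, m, k=0):
    """One p-adic Newton step x1 = x0 - f(x0)/f'(x0).

    Assumes f(x0) = 0 (mod p^m), p^k exactly divides f'(x0), and m > 2k. Returns
    (x1, 2m - 2k) with f(x1) = 0 (mod p^(2m - 2k)); for k = 0 this is plain Hensel
    lifting and the precision doubles. Integers stand in for elements of Z_p.
    """
    if m <= 2 * k:
        raise ValueError("need m > 2k for the step to gain precision")
    fx, dfx = f(x0), df(x0)
    if fx % p ** m or dfx % p ** k or (dfx // p ** k) % p == 0:
        raise ValueError("preconditions on f(x0) and f'(x0) violated")
    new_m = 2 * m - 2 * k
    mod = p ** new_m
    # divide the common factor p^k out of f(x0)/f'(x0); the denominator becomes a unit
    num, den = fx // p ** k, dfx // p ** k
    x1 = (x0 - num * pow(den, -1, mod)) % mod
    return x1, new_m


def lift_root(f, df, x0, p, m, target, k=0):
    """Iterate newton_step until the root is known modulo p^target."""
    x, prec = x0, m
    while prec < target:
        x, prec = newton_step(f, df, x, p, prec, k)
    return x % p ** target


if __name__ == "__main__":
    f, df = (lambda x: x * x - 2), (lambda x: 2 * x)
    print("sqrt(2) in Z_7, one step from 3:", newton_step(f, df, 3, 7, 1))      # (10, 2)
    r = lift_root(f, df, 3, 7, 1, 20)
    print("r^2 - 2 divisible by 7^20:", (r * r - 2) % 7 ** 20 == 0)
    g, dg = (lambda x: x * x - 17), (lambda x: 2 * x)
    print("sqrt(17) in Z_2 with k = 1:", newton_step(g, dg, 1, 2, 4, k=1),
          newton_step(g, dg, 9, 2, 6, k=1))                                        # (9, 6) (233, 10)
```

The precision bookkeeping is the part that matters for Satoh's algorithm: the canonical-lift computation below runs exactly this kind of step (in several variables, on the $j$-invariants) and must track how many $p$-adic digits are trustworthy after each iteration, because the trace is finally read off modulo a prescribed power of $p$.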

62 Computing the canonical lift of an elliptic curve. The little Frobenius endomorphism $\sigma: \mathbb{F}_q \to \mathbb{F}_q$, $x \mapsto x^p$. Applying $\sigma$ to the coefficients of $E$ gives the conjugate curve $E^\sigma$, and the little Frobenius extends to elliptic curves as $\sigma: E \to E^\sigma$, $(x, y) \mapsto (x^p, y^p)$. If $p = 2$ and $E: y^2 + xy = x^3 + a$, then $E^\sigma$ is given by $y^2 + xy = x^3 + a^2$. Let $E_i = E^{\sigma^{n-i}}$ and $\sigma_i: E_{i+1} \to E_i$, $(x, y) \mapsto (x^p, y^p)$, giving the cycle
$$E = E_0 \xleftarrow{\sigma_0} E_1 \xleftarrow{\sigma_1} \cdots \xleftarrow{\sigma_{n-2}} E_{n-1} \xleftarrow{\sigma_{n-1}} E_0 = E.$$
The Frobenius endomorphism is $F = \sigma_0 \circ \cdots \circ \sigma_{n-1}$.

63 Computing the canonical lift of an elliptic curve. Theorem of Lubin-Serre-Tate: let $E$ be an elliptic curve over $\mathbb{F}_q$ with $j$-invariant $j(E) \in \mathbb{F}_q \setminus \mathbb{F}_{p^2}$, and consider the diagram
$$\tilde E_0 \xleftarrow{\Sigma_0} \tilde E_1 \xleftarrow{\Sigma_1} \cdots \xleftarrow{\Sigma_{n-2}} \tilde E_{n-1} \xleftarrow{\Sigma_{n-1}} \tilde E_0$$
of canonical lifts, reducing under $\pi$ to $E_0 \xleftarrow{\sigma_0} E_1 \xleftarrow{\sigma_1} \cdots \xleftarrow{\sigma_{n-2}} E_{n-1} \xleftarrow{\sigma_{n-1}} E_0$. Then the $j$-invariants satisfy $j(\tilde E_i) \in \mathbb{Z}_q$, $\Phi_p(j(\tilde E_i), j(\tilde E_{i+1})) = 0$ and $j(\tilde E_i) \equiv j(E_i) \pmod p$.

64 Computing the canonical lift of an elliptic curve. Let the vector function $\Theta: \mathbb{Z}_q^n \to \mathbb{Z}_q^n$ be
$$\Theta(x_0, \dots, x_{n-1}) = \big(\Phi_p(x_0, x_1),\ \Phi_p(x_1, x_2),\ \dots,\ \Phi_p(x_{n-1}, x_0)\big),$$
and denote by $(D\Theta)(x_0, \dots, x_{n-1})$ its Jacobian matrix, i.e.
$$D\Theta = \begin{pmatrix}
\frac{\partial \Phi_p}{\partial X}(x_0, x_1) & \frac{\partial \Phi_p}{\partial Y}(x_0, x_1) & 0 & \cdots & 0 \\
0 & \frac{\partial \Phi_p}{\partial X}(x_1, x_2) & \frac{\partial \Phi_p}{\partial Y}(x_1, x_2) & \cdots & 0 \\
\vdots & & \ddots & \ddots & \vdots \\
0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(x_{n-2}, x_{n-1}) & \frac{\partial \Phi_p}{\partial Y}(x_{n-2}, x_{n-1}) \\
\frac{\partial \Phi_p}{\partial Y}(x_{n-1}, x_0) & 0 & \cdots & 0 & \frac{\partial \Phi_p}{\partial X}(x_{n-1}, x_0)
\end{pmatrix}.$$
Then one can lift $(j(E_0), \dots, j(E_{n-1}))$ to $(j(\tilde E_0), \dots, j(\tilde E_{n-1}))$ by the multivariate Newton iteration
$$(x_0, \dots, x_{n-1}) \leftarrow (x_0, \dots, x_{n-1}) - \big((D\Theta)^{-1}\Theta\big)(x_0, \dots, x_{n-1}).$$

65 Computing the trace of Frobenius on the lifted curve. Theorem (Satoh): let $\hat E$ be the formal group associated with $\tilde E$ and $f \in \mathrm{End}(\tilde E)$ with reduction $\pi(f) \in \mathrm{End}(E)$ separable; if $f(z) = cz + O(z^2)$ on $\hat E$, then $\mathrm{Tr}(f) = c + q/c$. $\tilde F$ is inseparable, so take the dual $\hat F$, which is separable, and factor it along the cycle of dual lifted Frobenius maps
$$\tilde E_0 \xrightarrow{\hat\Sigma_0} \tilde E_1 \xrightarrow{\hat\Sigma_1} \cdots \xrightarrow{\hat\Sigma_{n-2}} \tilde E_{n-1} \xrightarrow{\hat\Sigma_{n-1}} \tilde E_0,$$
reducing under $\pi$ to $E_0 \xrightarrow{\hat\sigma_0} E_1 \xrightarrow{\hat\sigma_1} \cdots \xrightarrow{\hat\sigma_{n-1}} E_0$. Let $\hat\Sigma_i(z) = c_i z + O(z^2)$; then $c = \prod_{i=0}^{n-1} c_i$.

67 Computing the trace of Frobenius on the lifted curve (cont.). Theorem: let $E$ be an elliptic curve and $G$ a finite subgroup of $E$; then there exists a unique elliptic curve $E'$ and separable isogeny $\phi: E \to E'$ with $\ker \phi = G$. The map $\hat\Sigma_i: \tilde E_i \to \tilde E_{i+1}$ factors as $\tilde E_i \xrightarrow{\nu} \tilde E_i/\ker\hat\Sigma_i \xrightarrow{\lambda} \tilde E_{i+1}$. Vélu's formulae give the equation of $\tilde E_i/\ker\hat\Sigma_i$ and of the isogeny $\nu$. This finally leads to a formula for $c_i^2$.

68 Outline of Satoh's algorithm. Input: an elliptic curve $E$ over the finite field $\mathbb{F}_q$. Output: the trace of Frobenius $t = q + 1 - \#E(\mathbb{F}_q)$. 1. Compute the conjugates of $E$, i.e. $E^{\sigma^i}$ for $i = 0, \dots, n-1$. 2. Lift the $j$-invariants $j(E_i)$ simultaneously to $j(\tilde E_i)$ using the multivariate Newton iteration. 3. Compute the squares $c_i^2$ from $j(\tilde E_i)$ and $j(\tilde E_{i+1})$. 4. Set $c^2 = \prod_{i=0}^{n-1} c_i^2$ and compute $c$ with the correct sign. 5. Return $t$ with $t \equiv c \pmod{p^{\lceil (n+3)/2 \rceil}}$ and $|t| \le 2\sqrt{q}$. Time $O(\log^{3+\epsilon} q)$, memory $O(\log^3 q)$. Recently: a new algorithm with memory $O(\log^2 q)$.


More information

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation 1 The Fundamental Theorem of Arithmetic A positive integer N has a unique prime power decomposition 2 Primality Testing Integer Factorisation (Gauss 1801, but probably known to Euclid) The Computational

More information

RSA Key Generation. Required Reading. W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality

RSA Key Generation. Required Reading. W. Stallings, Cryptography and Network-Security, Chapter 8.3 Testing for Primality ECE646 Lecture RSA Key Generation Required Reading W. Stallings, "Cryptography and Network-Security, Chapter 8.3 Testing for Primality A.Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography

More information

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright

The Elliptic Curve Method and Other Integer Factorization Algorithms. John Wright The Elliptic Curve Method and Other Integer Factorization Algorithms John Wright April 12, 2012 Contents 1 Introduction 2 2 Preliminaries 3 2.1 Greatest common divisors and modular arithmetic...... 3 2.2

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Introduction to Elliptic Curves

Introduction to Elliptic Curves IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting

More information

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Curves, Cryptography, and Primes of the Form x 2 + y 2 D Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.

More information

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How

More information

The Application of the Mordell-Weil Group to Cryptographic Systems

The Application of the Mordell-Weil Group to Cryptographic Systems The Application of the Mordell-Weil Group to Cryptographic Systems by André Weimerskirch A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements

More information

Elliptic curves: Theory and Applications. Day 3: Counting points.

Elliptic curves: Theory and Applications. Day 3: Counting points. Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:

More information

CIS 551 / TCOM 401 Computer and Network Security

CIS 551 / TCOM 401 Computer and Network Security CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It

More information

Lecture Notes, Week 6

Lecture Notes, Week 6 YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several

More information

Public-key Cryptography and elliptic curves

Public-key Cryptography and elliptic curves Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography

More information

Congruent Number Problem and Elliptic curves

Congruent Number Problem and Elliptic curves Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using

More information

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves

More information

Arithmétique et Cryptographie Asymétrique

Arithmétique et Cryptographie Asymétrique Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians

More information

HOMEWORK 11 MATH 4753

HOMEWORK 11 MATH 4753 HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question

More information

Discrete Logarithm Computation in Hyperelliptic Function Fields

Discrete Logarithm Computation in Hyperelliptic Function Fields Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University

More information

Part II. Number Theory. Year

Part II. Number Theory. Year Part II Year 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007 2006 2005 2017 Paper 3, Section I 1G 70 Explain what is meant by an Euler pseudoprime and a strong pseudoprime. Show that 65 is an Euler

More information

Scalar multiplication in compressed coordinates in the trace-zero subgroup

Scalar multiplication in compressed coordinates in the trace-zero subgroup Scalar multiplication in compressed coordinates in the trace-zero subgroup Giulia Bianco and Elisa Gorla Institut de Mathématiques, Université de Neuchâtel Rue Emile-Argand 11, CH-2000 Neuchâtel, Switzerland

More information

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves

More information

A gentle introduction to isogeny-based cryptography

A gentle introduction to isogeny-based cryptography A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch

More information

Topics in Cryptography. Lecture 5: Basic Number Theory

Topics in Cryptography. Lecture 5: Basic Number Theory Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating

More information

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2 Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number

More information

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1 Cryptography CS 555 Topic 18: RSA Implementation and Security Topic 18 1 Outline and Readings Outline RSA implementation issues Factoring large numbers Knowing (e,d) enables factoring Prime testing Readings:

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

A Few Primality Testing Algorithms

A Few Primality Testing Algorithms A Few Primality Testing Algorithms Donald Brower April 2, 2006 0.1 Introduction These notes will cover a few primality testing algorithms. There are many such, some prove that a number is prime, others

More information

Elliptic Curve Discrete Logarithm Problem

Elliptic Curve Discrete Logarithm Problem Elliptic Curve Discrete Logarithm Problem Vanessa VITSE Université de Versailles Saint-Quentin, Laboratoire PRISM October 19, 2009 Vanessa VITSE (UVSQ) Elliptic Curve Discrete Logarithm Problem October

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael

More information

Isogenies in a quantum world

Isogenies in a quantum world Isogenies in a quantum world David Jao University of Waterloo September 19, 2011 Summary of main results A. Childs, D. Jao, and V. Soukharev, arxiv:1012.4019 For ordinary isogenous elliptic curves of equal

More information

Evaluating Large Degree Isogenies between Elliptic Curves

Evaluating Large Degree Isogenies between Elliptic Curves Evaluating Large Degree Isogenies between Elliptic Curves by Vladimir Soukharev A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics

More information

RSA. Ramki Thurimella

RSA. Ramki Thurimella RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key

More information

Discrete mathematics I - Number theory

Discrete mathematics I - Number theory Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education

More information

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key

Introduction. will now introduce finite fields of increasing importance in cryptography. AES, Elliptic Curve, IDEA, Public Key Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers where what constitutes a number and the type of

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation: Elliptic Curve Cryptography Jim Royer CIS 428/628: Introduction to Cryptography November 6, 2018 Suppose F is a field and a 1,..., a 6 F. Definition 1. An elliptic curve E over a field F is a curve given

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013 18.78 Introduction to Arithmetic Geometry Fall 013 Lecture #4 1/03/013 4.1 Isogenies of elliptic curves Definition 4.1. Let E 1 /k and E /k be elliptic curves with distinguished rational points O 1 and

More information

Postmodern Primality Proving

Postmodern Primality Proving Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

Counting points on hyperelliptic curves

Counting points on hyperelliptic curves University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational

More information

An introduction to supersingular isogeny-based cryptography

An introduction to supersingular isogeny-based cryptography An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular

More information

Mappings of elliptic curves

Mappings of elliptic curves Mappings of elliptic curves Benjamin Smith INRIA Saclay Île-de-France & Laboratoire d Informatique de l École polytechnique (LIX) Eindhoven, September 2008 Smith (INRIA & LIX) Isogenies of Elliptic Curves

More information

Lecture 14: Hardness Assumptions

Lecture 14: Hardness Assumptions CSE 594 : Modern Cryptography 03/23/2017 Lecture 14: Hardness Assumptions Instructor: Omkant Pandey Scribe: Hyungjoon Koo, Parkavi Sundaresan 1 Modular Arithmetic Let N and R be set of natural and real

More information

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015 L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm

More information

OWO Lecture: Modular Arithmetic with Algorithmic Applications

OWO Lecture: Modular Arithmetic with Algorithmic Applications OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2

More information

Identifying supersingular elliptic curves

Identifying supersingular elliptic curves Identifying supersingular elliptic curves Andrew V. Sutherland Massachusetts Institute of Technology January 6, 2012 http://arxiv.org/abs/1107.1140 Andrew V. Sutherland (MIT) Identifying supersingular

More information

Counting points on genus 2 curves over finite

Counting points on genus 2 curves over finite Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.

More information

Introduction to Cybersecurity Cryptography (Part 4)

Introduction to Cybersecurity Cryptography (Part 4) Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message

More information

Public Key Encryption

Public Key Encryption Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition

More information

Public-Key Encryption: ElGamal, RSA, Rabin

Public-Key Encryption: ElGamal, RSA, Rabin Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption

More information

Number Theory. Modular Arithmetic

Number Theory. Modular Arithmetic Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=

More information

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1 4. Primality testing 4.1. Introduction. Factorisation is concerned with the problem of developing efficient algorithms to express a given positive integer n > 1 as a product of powers of distinct primes.

More information

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory. CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 29 December 2011 CSS322Y11S2L06, Steve/Courses/2011/S2/CSS322/Lectures/number.tex,

More information

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2 8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose

More information

CRYPTOGRAPHY AND NUMBER THEORY

CRYPTOGRAPHY AND NUMBER THEORY CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We

More information

Basic Algorithms in Number Theory

Basic Algorithms in Number Theory Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder

More information

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS 1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!

More information

Introduction to Cryptography. Lecture 8

Introduction to Cryptography. Lecture 8 Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions

More information

Constructing Pairing-Friendly Elliptic Curves for Cryptography

Constructing Pairing-Friendly Elliptic Curves for Cryptography Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography

More information

Introduction to Cryptography. Lecture 6

Introduction to Cryptography. Lecture 6 Introduction to Cryptography Lecture 6 Benny Pinkas page 1 Public Key Encryption page 2 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem:

More information