René Schoof s Algorithm for Determining the Order of the Group of Points on an Elliptic Curve over a Finite Field

Transcription

1 René Schoof s Algorithm for Determining the Order of the Group of Points on an Elliptic Curve over a Finite Field John J. McGee Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Mathematics Dr. Ezra Brown, Chair Dr. Charles Parry Dr. Michael Williams April 5, 006 Blacksburg, Virginia Keywords: Elliptic Curve, Schoof, Cryptography

2 René Schoof s Algorithm for Determining the Order of the Group of Points on an Elliptic Curve over a Finite Field John McGee ABSTRACT Elliptic curves have a rich mathematical history dating back to Diophantus (c. 50 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times the deep mathematics of elliptic curves was used by Andrew Wiles et. al., to construct a proof of Fermat's last theorem, a problem which challenged mathematicians for more than 300 years. In addition, elliptic curves over finite fields find practical application in the areas of cryptography and coding theory. For such problems, knowing the order of the group of points satisfying the elliptic curve equation is important to the security of these applications. In 1985 René Schoof published a paper [5] describing a polynomial time algorithm for solving this problem. In this thesis we explain some of the key mathematical principles that provide the basis for Schoof's method. We also present an implementation of Schoof's algorithm as a collection of Mathematica functions. The operation of each algorithm is illustrated by way of numerical examples.

3 iii Table of Contents Chapter 1 - Introduction Background When is f(x,y) an Elliptic Curve? Addition of Points on an Elliptic Curve... 4 Example 1 - Elliptic Curve Point Addition... 7 Chapter - Arithmetic in p Elliptic Curves over Finite Fields The Euclidean Algorithm The Extended Euclidean Algorithm Example - The Extended Euclidean Algorithm Finding the modular inverse Example 3 - Multiplicative Inverse (mod p) Modular Exponentiation... 1 Example 4 - Modular Exponentiation Square roots modulo p Shanks-Tonelli Modular Square Root Algorithm Example 5 - Computing Square Roots Modulo p The Chinese Remainder Theorem Example 6 - Determining the Chinese Remainder Chapter 3 - Arithmetic of Elliptic Curves over p Example 7 - Arithmetic in EH p L Chapter 4 - Computing the Order of the Group # EH q L A direct method of computing # EH q L Overview of Schoof's Algorithm Hasse's Theorem Reducing the problem to that for EH p L Baby Step, Giant Step Method... 3 Example 8 - Determining Group Order using Hasse's Theorem... 3 Chapter 5 - Schoof's Algorithm Implementation Computing t Hmod L Determining if x 3 + A x + B has a root in q... 6 Example 9 - Computation of thmod L The Division Polynomials How many division polynomials?... 9

4 iv Example 10 - Computation of the Division Polynomials Computing n P with the Division Polynomials The Frobenius Endomorphism The Characteristic Equation of the Frobenius Schoof's Algorithm: Case One Schoof Equation (17) Schoof Equation (18) Schoof's Algorithm: Case Two Schoof Equation (19x) Schoof Equation (19y) Schoof's Algorithm Summary... 4 Chapter 6 - Results of Running Schoof's Algorithm A Detailed Example Other Experiments Discussion of Results Chapter 7 - Applications The Elliptic Curve Discrete Log Problem Anomalous Curves and the MOV attack References Appendix A - Dictionary of Mathematica Functions for Elliptic Curves Appendix B - Mathematica Code for Our Elliptic Curves Functions... 5 Number Theoretic Algorithms... 5 Elliptic Curve Arithmetic Algorithms Methods to Determine the Elliptic Curve Group Order The Functions that Comprise Schoof's Algorithm List of Figures Figure 1 - René Schoof... Figure - Plot of the Elliptic Curve y = x 3-5 x Figure 3 - Number of digits in p vs. number of small primes List of Tables Table 1 - Points for y = x x + 74 over Table - Results from Schoof's Algorithm... 45

5 ThesisMcGee06June006.nb 1 Chapter 1 - Introduction "In re mathematica ars propendi pluris facienda est quam solvendi" - Georg Cantor. 1.1 Background Consider the following cubic polynomial in x, y over the field of real numbers : y = x 3 + A x + B. Suppose further that the right hand side of equation (1) has distinct roots. Then the graph of this curve is called an elliptic curve. Elliptic curves have a rich mathematical history dating back to Diophantus (c. 00 C.E.), who used a form of these cubic equations to find right triangles of integer area with rational sides. In more recent times some deep mathematical properties of elliptic curves were used by Andrew Wiles et. al., to construct a proof of Fermat's last theorem, a problem that had challenged mathematicians for more than 300 years. The Birch- Swinnerton-Dyer conjecture, one of the Clay Math Institute's million dollar problems, is also a question about certain mathematical properties of elliptic curves. In addition, elliptic curves over the finite field q for some large integer q, find practical application in the areas of cryptography and coding theory. One example of this is the Massey-Omura encryption method which relies on the difficulty of solving the elliptic curve discrete logarithm problem for security. For such methods, knowing the order of the group of points satisfying (1) with coefficients and coordinates in q, written as # EH q L, is very important because a poor choice of curve parameters can lead to a situation that gives a potential eavesdropper the ability to break the code in reasonable time. In 1985 René Schoof ( Figure 1) published a paper entitled "Elliptic curves over finite fields and the computation of square roots mod p" [5]. His paper describes a polynomial time algorithm for determining # EH q L. Refinements to his method by Elkies and Atkin have resulted in computer algorithms capable of finding results for elliptic curves over fields with orders greater than [3,6]. (1)

6 ThesisMcGee06June006.nb Figure 1 - René Schoof The purpose of this thesis is to explain the mathematical basis for Schoof's algorithm and to provide a Mathematica reference implementation of it. In order to achieve this goal we first present some background on elliptic curves in the x-y plane. In particular we will see that the set points on the curve have the structure of an algebraic group. In chapter we review the finite field arithmetic needed to work with elliptic curves over finite fields. In chapter 3 we present some basic algorithms for arithmetic in the group of points on an elliptic curve over a finite field. Chapter 4 describes some methods for computing the elliptic curve group order, and includes an introduction to Schoof's algorithm. We present the details of Schoof's algorithm in chapter 5. For each algorithm we first give a mathematical justification for the method or provide a reference to such. Next we present numerical examples that illustrates the operation of the algorithm. In chapter 6 we present results of running Schoof's algorithm against various curves. We conclude in chapter 7 with some applications that motivate efficient solutions to the elliptic curve group order problem. Appendix A contains a listing of the Mathematica functions that implement these algorithms, and Appendix B presents the Mathematica code for their implementation.

7 ThesisMcGee06June006.nb 3 1. When is f(x,y) an Elliptic Curve? Much of the following discussion is based on material presented in Lawrence Washington's book "Elliptic Curves - Number Theory and Cryptography" [7]. An elliptic curve is the set of points satisfying a nonsingular cubic polynomial in two variables. If K is a field, then an elliptic curve can be specified as E : 8Hx, yl œ K äk» f Hx, yl œ F@x, yd, f Hx, yl = 0<, where f Hx, yl is a particular nonsingular polynomial in x, y of degree 3. A polynomial is nonsingular if it has distinct roots. If the field K has characteristic other than, 3, then by a transformation of variables it can be shown that E has the same behavior as an elliptic curve of the form: () E : y = x 3 + A x + B. Equation (3) is called Weierstrass equation of an elliptic curve. (3) Suppose a, b, c are the roots of the right hand side of (3). Then y = Hx - al Hx - bl Hx - cl = x 3 - Ha + b + cl x + Ha b + a c + b cl x - a b c. Since the coefficient of x is zero we must have a + b + c = 0. Suppose that (3) has a double root. Without loss of generality let the double root be a = b. Then a + c = 0 so that a = -c ê, and we have y = x 3 - ÅÅÅÅ 3 4 c x - ÅÅÅÅ 1 4 c3. Put A = ÅÅÅÅÅÅÅ -3 4 c, B = ÅÅÅÅÅÅÅ -1 4 c3 so that y = x 3 + A x + B then 4 A 3 = - 7 ÅÅÅÅÅÅ 16 c6 = -7 B. Hence if (3) has a double root then 4 A + 7 B = 0. The contrapositive gives that (3) has distinct roots only if 4 A + 7 B 3 0. The negative of the left hand side of (4) is called the discriminant of the elliptic curve. (4)

8 4 ThesisMcGee06June006.nb 1.3 Addition of Points on an Elliptic Curve For an elliptic curve E, take any two points P, Q that lie on E, then by Bezout's Theorem, the line between P and Q will intersect the curve E at a third point R. This is illustrated in Figure for the elliptic curve given by y = x 3-5 x -. Notice that the line between two points would be vertical if the two points had the same x-coordinate. Such a line does not appear to intersect the curve. In this case we define the third point of intersection to be a special point at infinity,. This definition is justified based on a consideration of the elliptic curve in projective coordinates, where is a well-defined point. Figure - Plot of the Elliptic Curve y = x 3-5 x - Using this idea, we can define an addition operation on the elements of E. We define P + Q as follows. Let R be the third point of intersection of the line P - Q with the elliptic curve E. Then P + Q is the reflection of R about the line of sym-

9 ThesisMcGee06June006.nb 5 metry of E, which is the x-axis for curves in Weierstrass form. If the line P - Q is vertical we define P + Q =. To add P + P, we find the line tangent to the curve at P and intersect it with the curve to arrive at R. With these definitions it can be shown that HE, +L actually forms an abelian group with identity. That is, the operation is commutative, associative, and every point P has an inverse -P so that P + H-PL =. In fact, for an elliptic curve in Weierstrass form if P = Hx, yl, then -P = Hx, -yl, the reflection of P about the x-axis. We have demonstrated that every element has an inverse and the proof of commutativity follows directly from the fact that the line through P, Q is the same as a line through Q, P. The proof of associativity is nontrivial. One method of proof is given in Washington [7].4 We can also define this addition operation using analytic geometry. Suppose that P = Hx 1, y 1 L, Q = Hx, y L are two points on the elliptic curve E : y = x 3 + A x + B with distinct x-coordinates. Then the slope of the line between the two points is given by l = Hy - y 1 L ê Hx - x 1 L. The point-slope formula of the line passing through P, Q is given by y - y 1 = lhx - x 1 L. Substituting (6) into the elliptic curve equation (3) yields (5) (6) HlHx - x 1 L + y 1 L = x 3 + A x + B. Expanding and collecting terms in x gives the following monic polynomial in [x] x 3 - l x + H l x 1 - l y 1 + AL x (7) + HB - l x 1 - y 1 + l x 1 y 1 L = 0. We know that x 1, x satisfy (7) because P and Q satisfy both the line and the elliptic curve equations. So we can factor the cubic (7) as Hx - x 1 L Hx - x L Hx - x 3 L = 0, where x 3 must be the x-coordinate of the third point of intersection. Expanding and collecting terms in x we obtain

10 6 ThesisMcGee06June006.nb x 3 - Hx 1 + x + x 3 L x + Hx 1 x + x 1 x 3 + x x 3 L x - x 1 x x 3. Because (7) and (8) represent the same polynomial, the coefficients of x must be equal, giving -l = -Hx 1 + x + x 3 L. Hence we can compute the x-coordinate of the third point of intersection as x 3 = l - x 1 - x. We can compute the corresponding y-coordinate using the equation of the line (6) and then negate the result to obtain the y-coordinate of P + Q, y 3 = -HlHx 3 - x 1 L + y 1 L = lhx 1 - x 3 L - y 1. On the other hand, if x 1 = x then y 1 = y, so either y = y 1 or y = -y 1. If y = -y 1 then the line between P and Q is vertical, and we define P + Q =, the identity. Otherwise P = Q, so we want to compute P + P = P. To accomplish this we define l as the slope of the tangent to the curve at Hx 1, y 1 L. We can compute this slope by implicit differentiation of (3) giving (8) (9) (10) so that y d y = H3 x + AL d x l = d y ÅÅÅÅÅÅÅ d x = 3 x 1 +A ÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ. y 1 (11) Using this l with equations (9) and (10), along with the fact that x 1 = x and y 1 = y gives Hx 1, y 1 L + Hx 1, y 1 L = Hl - x 1, lhx 1 - x 3 L - y 1 L. (1) Equations (5) through (1) are incorporated into the Mathematica function EcAdd, which adds two points on an elliptic curve over or.

11 ThesisMcGee06June006.nb 7 ü Example 1 - Elliptic Curve Point Addition Let an elliptic curve be given by E : y = x 3 + x + 1 over the rational numbers. Then the discriminant is d = -4 A - 7 B 3 = -4 * 4-7 = -43 0, so that EH L is a valid elliptic curve. It is easy to check, by substituting the point coordinates into the equation for E, that the points P = H0, 1L and Q = H1, -L are elements of EH L. Also, the x coordinates of P, Q are distinct so we can compute the slope of the line passing through P, Q using (5) so that l = --1 ÅÅÅÅÅÅÅÅÅÅÅ 1-0 = -3. Then equations (9) and (10) give x 3 = H-3L = 8 and y 3 = -3 H0-8L - 1 = 3. So that P + Q = H8, 3L, which is also a point in EH L since * = 59 = 3. We obtain the same result using the Mathematica function EcAdd[{,1},{0,1},{1,-}] which returns 88, 3<.

12 8 ThesisMcGee06June006.nb Chapter - Arithmetic in p.1 Elliptic Curves over Finite Fields Suppose q is a finite field of order q, then q = p k for some integer k (see, for example Dummit and Foote [] 14.3). Suppose also that E : y = x 3 + A x + B is an element of yd, which means that A, B œ q. Then, if 4 a b 0 in q it can be shown that EH q L = 8Hx, yl œ q ä q» y = x 3 + A x + B< is an elliptic curve. Further, equations (5) through (1) of the previous section still obey the group axioms when arithmetic is done in the finite field, so that EH q L is a finite abelian group. Since we have at most q choices for x, and for each of these at most choices for y, then EH q L contains at most q points. It turns out that the actual bound is closer to q. Before we consider this question in detail, we introduce some of the number-theoretic functions which are required for computation on elliptic curves over a finite field. For the purpose of our goal, which is to determine the group order # EH q L, it turns out that it will be sufficient to work with fields of prime order, p. This allows us to perform arithmetic in the field using modular arithmetic in ê p. That is, we can perform addition, subtraction and multiplication using ordinary integer arithmetic and then reduce each result mod p by dividing it by p and keeping the remainder. Consider the following example in 7 : 5 * 5 = 5 = = 3 * ª 4 Hmod 7L, so that in 7, 5 * 5 = 4. Performing division in p is a little bit more complicated. To compute a ê b we need to multiply a by the modular inverse of b. For example, to compute 4 ê 5 Hmod 7L we must first find c such that 5 c ª 1 Hmod 7L, then 4 ê 5 = 4 * c. By trial and error we can find that 5 * 3 = 15 ª 1 Hmod 7L so that 4 ê 5 ª 4 * 3 ª 5 Hmod 7L. We will later see how to use the Euclidean algorithm to

13 ThesisMcGee06June006.nb 9 accomplish this for problems involving larger integers. We will also have occasion to compute a k Hmod pl. This can be done by direct computation, for example 3 4 = 81 ª 4 Hmod 7L, so that 3 4 = 4 in 7. Fortunately, for large k and p, there exists a much more efficient method based on doubling and reducing the result mod p at each step. The following sections describe these algorithms.. The Euclidean Algorithm The Euclidean Algorithm computes the greatest common divisor d of the integers a, b. It dates back to at least 300 B.C.E., where it appeared in geometric form in Euclid's Elements. The most obvious way to find the greatest common divisor is to completely factor both a and b into powers of primes such as a = p 1 r 1 p r... p n r n and b = p 1 s 1 p s... pn s n, where r i and s i are integers greater than or equal to zero and r i = 0 if p i does not divide a and s i = 0 of p i does not divide b. Then the greatest common divisor d is given by d = p 1 t 1 p t... pn tn, where t i = minhr i, s i L. For example, if a = 7960 = 3 * 5 * 199 and b = 6580 = 4 * 3 4 * 5, then gcdha, bl = 3 * 5 = 40. However the integer factoring problem is currently understood to be difficult when the integer has no small prime divisors. The Euclidean algorithm is far superior because it can compute the greatest common divisor of two integers without factoring them. Suppose we wish to find the greatest common divisor of a and b, called gcdha, bl. Let a > b and divide a by b producing a = s 0 b + r 0 where 0 r 0 < b (by the division algorithm). If r 0 = 0, then b divides a so gcdha, bl = b. Otherwise, divide b by r 0 giving b = s 1 r 0 + r 1 where 0 r 1 < r 0.

14 10 ThesisMcGee06June006.nb If r 1 = 0 then r 0 divides b and since a = s 0 b + r 0 then r 0 also divides a giving gcdha, bl = r 0. If r i 0, we can continue the process dividing r i-1 by r i giving r 0 = s r 1 + r... r i-1 = s i+1 r i + r i+1. Eventually we must find r n+1 = 0 because at each step 0 r i < r i-1. Then r n-1 = s n+1 r n so that gcdhr n-1, r n L = r n. Note, however, that if x = q y + r then gcdhx, yl = gcdhy, rl. This is true because gcdhy, rl divides both y and r, so it divides x also, hence gcdhy, rl divides gcdhx, yl. But we can write gcdhy, rl as a linear combination of y and r so that gcdhy, rl = u y + v r = u y + vhx - q yl = Hu - v ql y + v x, so gcdhx, yl divides gcdhy, rl, hence gcdhx, yl = gcdhy, rl. Applying this to the chain of divisions above gives gcdhr i-1, r i L = gcdhr i-, r i-1 L, so in particular gcdhr 0, r 1 L = gcdhb, r 0 L = gcdha, bl. Therefore the last nonzero divisor r n = gcdha, bl. Euclid's algorithm for computing the greatest common divisor is implemented in the Mathematica function EuclideanAlgorithm..3 The Extended Euclidean Algorithm The Extended Euclidean Algorithm computes the greatest common divisor d of the integers a, b and also computes two integers r, s such that d = r a + s b. This method provides a fast way to compute multiplicative inverses in p. The algorithm proceeds as follows. Starting with r 0 = 1, s 1 = 0 we take d 0 = a = r 0 a + s 0 b. For step 1 we take r 1 = 0, s 1 = 1 so we can write d 1 = b = r 1 a + s 1 b. At each succeeding step we compute the smallest positive d i ª d i- Hmod d i-1 L, so that d i = d i- - k d i-1 for some positive integer k. The algorithm maintains d i = r i a + s i b at each step so that d i = Hr i- a + s i- bl - khr i-1 a + s i-1 bl = Hr i- - k r i-1 L a + Hs i- - k s i-1 L b. Hence, we must have r i = r i- - k r i-1 and s i = s i- - k s i-1, which completes the

15 ThesisMcGee06June006.nb 11 formulation of the recursion definition. Our Mathematica implementation is based on Rosen [4] 3.3. ü Example - The Extended Euclidean Algorithm If we can find the prime factorization of two numbers then we can write down the greatest common divisor directly. It is the product of the largest prime powers that divide both numbers. For example, let a = 7960 = 3 * 5 * 199 and b = 6580 = 4 * 3 4 * 5. Then gcdha, bl = 3 * 5 = 40. Even for such easy problems, however, the determination of gcdha, bl as a linear combination of a and b is best accomplished using the Extended Euclidean algorithm. Using ExtendedEucideanAlgorithm[ a, b ] we find gcdh7960, 6480L = 40 = -35 * * Finding the modular inverse We can also use the Euclidean algorithm to find the modular inverse. The extended Euclidean algorithm finds the greatest common divisor of two numbers d = gcdha, bl. It also computes two numbers r, s such that d = r a + s b. If a is relatively prime to p, which is always true if p is a prime and 1 < a < p, then gcdha, pl = 1. So to find the modular inverse of a modulo p, we use the Euclidean algorithm to compute gcdha, pl = 1 = r a + s p ª r a Hmod pl, hence a -1 ª r Hmod pl. We need to compute modular inverses in order to perform the divisions in the elliptic curve point addition formulas. ü Example 3 - Multiplicative Inverse (mod p) As an example, lets work over 19, the field with 19 elements 80, 1,..., 18< with arithmetic modulo 19, a prime. In a field, every nonzero element has a multiplicative inverse, so lets find the inverse of 7. The Euclidean algorithm gives gcdh7, 19L = 1 = -8 * * 19 ª -8 * 7 Hmod 19L. But -8 ª 11 Hmod 19L so that 11 * 7 ª 1 Hmod 19L. Hence 7-1 ª 11 Hmod 19L. This is verified by the fact that 11 * 7 = 77 = 4 * ª 1 Hmod 19L.

16 1 ThesisMcGee06June006.nb.5 Modular Exponentiation This method uses the binary representation of n to construct the result. Starts with a 1 ª ahmod pl, x = 1 then at each iteration k we compute If the k th bit of n is 1 then x ª x * a k Hmod pl. Then a k ª a k * a k Hmod pl for the next iteration. In this way the arithmetic is done with relatively small integers, even though a n may have hundreds or thousands of digits. In fact, at each step of the algorithm we multiply two numbers which are less than p, so the largest product we ever compute is less than p. Hence, if the binary representing of p requires m bits, then we need no more than m bits to store the intermediate results. On the other hand, if we compute a n directly, and a has m bits then we would need n m bits to hold the intermediate result. ü Example 4 - Modular Exponentiation As an example, let's compute Hmod 97L. The direct method would first compute = in and then find = * so that ª 48 Hmod 97L. However, in binary 37 = , so we can compute Hmod 97L as follows = = = 11 H3 +1L +1 = i jjih11 L M * 11N k y But 11 ª 4 Hmod 97L, 4 ª 91 Hmod 97L and 91 ª 36 Hmod 97L so that z { * ª HH36 * 11L L * 11 Hmod 97L. Then 396 ª 8 Hmod 97L, H8 L ª Hmod97L, hence ª * 11 ª 48 Hmod 97L. Notice that we performed these computations without using any number larger than 97. We will see later how this same idea, applied to polynomial arithmetic will allow us to compute f HxL k Hmod ghxll in an efficient manner.

17 ThesisMcGee06June006.nb 13.6 Square roots modulo p One of the steps in Schoof's algorithm requires the solution of the congruence w ª p Hmod ll for w, with l a prime number less than è!!! p. In other words we need to find the square root of p modulo l. Unlike the multiplicative inverse problem, this problem does not always have a solution. When it does, we say that p is a quadratic residue modulo l, else p is called quadratic nonresidue. If there is an x such that x ª a Hmod pl, then a is a quadratic residue mod p and a Hp-1Lê ª Hx L Hp-1Lê ª x p-1 ª 1 Hmod pl by Fermat's little theorem. Otherwise, for all i < p, gcdhi, pl = 1. Then for each i less than p, i j ª a Hmod pl has a unique solution, which can not be j = i, else i ª ahmod pl. Hence we can group the solutions into Hp - 1L ê pairs, each with product congruent to a Hmod pl. Taking the product of all of the solutions gives: a Hp-1Lê ª Hp - 1L! Hmod pl, since each number less than p is included exactly once in the product. Then Wilson's Theorem gives Hp - 1L! ª -1 Hmod pl, so that a Hp-1Lê ª -1 Hmod pl. Note that a more efficient algorithm exists which makes use of the Quadratic Reciprocity Theorem of Gauss, but we do not need the complexity of this method because we will be testing for quadratic residues for only modest sized integers..7 Shanks-Tonelli Modular Square Root Algorithm Once we have determined that integer a is a quadratic residue modulo p, we need a method to find the square root. One method to accomplish this is called the Shanks-Tonelli modular square root algorithm. The details of the algorithm, which has performance logarithmic in the number of digits of p, are described in the paper "Square Roots from 1; 4, 51, 10 to Dan Shanks" by Ezra Brown [1].

18 14 ThesisMcGee06June006.nb ü Example 5 - Computing Square Roots Modulo p We consider the following nontrivial example. Let p = We want to find x such that x ª 865 Hmod pl. The Shanks-Tonelli algorithm gives x = We could verify that this is the correct solution using the modular exponentiation method described above, but since we are only computing x Hmod pl we can compute this directly, showing that x ª 865 Hmod pl.

19 ThesisMcGee06June006.nb 15.8 The Chinese Remainder Theorem The Chinese Remainder Theorem provides a method to compute the smallest positive integer satisfying a set of congruences. It first appeared as a method of solution to a particular modular congruence problem in a third-century book by Chinese mathematician Sun Tzu [4] 4.5. In Schoof's algorithm, we compute t i ª t Hmod l i L for a set of small primes l i, where t satisfies # EH p L = p t. The Chinese Remainder Theorem allows us to recover t from this set of congruences, thus determining the order of the group. We are given the following information, for the unknown z < N r i ª z Hmod n i L for i = 1,,..., k where N = n 1 n... n k and gcdhn i, n j L = 1 when i j, so that N is also the least common multiple of the 8n i <. Let a i = N ÅÅÅÅÅ n i, b i = a ī 1 Hmod n i L. The modular inverses b i exist because n i does not divide a i because gcdhn i, n j L = 1 when i j. Then a i b i ª 1 Hmod n i L and since n j divides a i when j i, hence a i b i ª 0 Hmod n j L for j i. So we can compute k z = H i=1 a i b i r i L Hmod NL, which is the unique 0 < z < N for which all the congruences hold. ü Example 6 - Determining the Chinese Remainder For example, suppose we have z ª 1 Hmod L, z ª 0 Hmod 5L, z ª 6 Hmod 7L and z ª 7 Hmod 11L. Then N = 770 and the Chinese remainder algorithm gives a i = 8385, 154, 110, 70< b i = a ī 1 Hmod n i L = 81, 4, 3, 3< e i = a i b i = 8385, 616, 330, 10< z = e ÿ r = 3835 ª 755 Hmod NL So 755 is the smallest positive integer satisfying this set of congruences.

20 16 ThesisMcGee06June006.nb Chapter 3 - Arithmetic of Elliptic Curves over p Now that we have a set of methods for performing arithmetic in p, we can apply these to performing arithmetic in the group EH p L. We provide a set of Mathematica functions to implement algorithms for testing if a cubic equation is an elliptic curve over p, for adding points on the curve, and for efficiently computing k P, the sum of k copies of the point P. In each case it is assumed, and for efficiency sake not verified, that p is a prime. ü Example 7 - Arithmetic in EH p L We will now review several of the mathematical ideas and methods related to elliptic curves over a prime field by way of an example. Consider the elliptic curve E : y = x x + 74 over 97. It has discriminant d ª -H4 a b L ª -H4 * * 74 L ª ª 87 Hmod pl Since the discriminant is nonzero modulo p, E is a valid elliptic curve. At x = 1 we have x x + 74 = = 11 ª 4 Hmod 97L so E has a point with x = 1 if and only if 4 is a quadratic residue modulo 97. Using modular exponentiation we find with p = 97 that 4 Hp-1Lê ª 1 Hmod pl, so that 4 has a square root modulo p. We then employ the Shanks-Tonelli algorithm to find this square root giving 11 ª 4 Hmod pl so that the point P = H1, 11L is an element of EH p L. Next let us compute P + P = P using Equation (1) modulo p as l = 3 x3 +A ÅÅÅÅÅÅÅÅÅÅÅÅÅÅ ª H3 + 46L H -1 L Hmod 97L ª 49 * 75 Hmod 97L ª 86 Hmod 97L. y Then x 3 = l - x 1 ª 86 - Hmod 97L ª Hmod 97L, also y 3 = lhx 1 - x 3 L - y 1 = 86 H1 - L - 11 Hmod 97L ª 6 Hmod 97L. Hence * H1, 11L = H, 6L on EH 97 L. We can also compute 4 * H1, 11L by add-

21 ThesisMcGee06June006.nb 17 ing H, 6L + H, 6L giving H4, 15L or obtain the same result using the function EcPowerMod@846, 74<, 81, 11<, 4, 97D. The order of a point P œ EH p L is defined as the smallest k such that k P =. One way to determine k is to compute n P for each successive n starting at 1 until the result is the identity. For the previous example with E : y = x x + 74 over 97 and P = H1, 11L we find, using repeated application of EcAddMod, that P = H, 6L, 3 P = H7, 1L, 4 P = H4, 15L,..., 15 P = H1, 86L. Since ª 0 Hmod 97L, then 15 P = -P, so we know that 16 P =. Since 16 is the smallest multiple of P for which this occurs we have the order of P is 16 and we write» P» = 16. This gives a hint as to one way to determine # EH p L. By Lagrange's theorem the order of the element of a finite group must divide the order of the group. So we know that 16 divides # EH 97 L for our sample curve.

22 18 ThesisMcGee06June006.nb Chapter 4 - Computing the Order of the Group # EH q L 4.1 A direct method of computing # EH q L A direct approach to determining # EH q L is to compute z = x 3 + A x + B for each x œ q, and then to test if z has a square root in q. If z = 0, then Hx, 0L œ EH q L. If there exists y œ q such that y = z, then Hx, yl, Hx, -yl œ EH q L, else there is no point in EH q L with x-coordinate x. This means there are at most q + 1elements in the group. However, a theorem of finite fields states that exactly 1/ of the non-zero elements of q are quadratic residues. This means that, on average, there will be approximately q + 1 elements in EH q L. As we shall see next, specific bounds on # EH q L can be established, and this is one key to more efficient methods of determining the group order. Before proceeding, we want to fully characterize all of the points in EH p L for our example curve E : y = x x + 74 over 97. We can do this using the Mathematica function FindEcPointSet which encodes the technique above to find every point on the curve. Then for each point we can determine its order using the technique outlined at the end of chapter 3. This method is encoded in the Mathematica function EcPointOrderMod. The results of applying these methods to our example are shown in the table of Figure 3. Note that for each x there are two values of y, which are distinct unless y = 0. This is so because each solution has y ª z Hmod pl where z = x 3 + A x + B for a particular value of x, so if y 1 = z then H-y 1 L = z. There can be no other distinct solutions because the quadratic equation y - z = 0 can have only two solutions. Observe that for each pair of points in Figure 3 with the same value of x we have y ª -y 1 Hmod pl, so that the points Hx, y 1 L, Hx, y L are indeed inverses in EH p L. If we count these points we find 39 pairs of points Hx, y 1 L, Hx, y L where y 1 y. We also have one point, H57, 0L, with y = 0. Including the identity, there are a total of * = 80 points so that # EH p L = 80. The last column in the table gives the order of each point. Notice also that each point order divides 80, the order of the group, as must be so by Lagrange's theorem.

23 ThesisMcGee06June006.nb 19 Table 1 - Points for y = x x + 74 over 97 x y 1 y Ord HPL

24 0 ThesisMcGee06June006.nb 4. Overview of Schoof's Algorithm The method for determining # EH p L outlined above is feasible only for small p. In modern cryptographic applications of elliptic curves the cardinality of the field is typically a number with at least 50 decimal digits. Thus there is a need for an efficient means of computing # EH p L for large primes p. René Schoof's 1985 paper entitled "Elliptic curves over finite fields and the computation of square roots mod p", details a polynomial time algorithm for determining # EH q L. Versions of this algorithm, enhanced by Elkies and Atkins, have been used successfully for q with hundreds of decimal digits [3,6]. The following steps sketch the outline of Schoof's method. Let E be an elliptic curve over q given by E : y = x 3 + A x + B, where A, B œ q. Hasse's Theorem tells us that the cardinality of the group of points is (13) # EH q L = q t, with t è!!! q. Let f q : EH êê ql Ø EH êê ql such that f q HHx, yll = Hx q, y q L. Note that this is map of points with coordinates in the algebraic closure of q. Then f q is an endomorphism called the Frobenius map. It has the following property, crucial to Schoof's algorithm. f q - t f q + q = 0 " P œ EH êê ql (14) (15) We can use (15) to compute t Hmod p i L for a set of L primes p 1, p,..., p L such that L K = i=1 p i > 4 è!!! q, The Chinese Remainder Theorem is then applied to compute the unique t mod K such that t è!!! q. Once we know t we can compute the order of the group as # EH q L = q t. Schoof showed that this algorithm will run time proportional to log 9 q, based on analysis of the number of elementary operations required. The following sec-

25 ThesisMcGee06June006.nb 1 tions will explain the details of this algorithm, along with some important observations that permit its efficient implementation. 4.3 Hasse's Theorem The following theorem, first proved by Helmut Hasse in 1933, places specific bounds on # EH q L. Let EH q L be an elliptic curve over the finite field q with q = p k, k œ + and p a prime. Then there exists a unique t œ such that # EH q L = q t where t < è!!! q Sketch of the Proof Define the map Hf q - 1L : EH êê ql Ø EH êê ql, then the set of points in EH êê ql which are sent to the identity by this map is called the kernel. Then kerhf q - 1L = EH q L, since f q is the identity on EH q L. Further, since f q - 1 is a separable polynomial then # EH q L = # kerhf q - 1L = deghf q - 1L. (16) Now let t = q # EH q L. Then by Washington [7] Proposition 3.16 for r, s œ and gcdhs, ql = 1 we have deghr f q - sl = r Hdeg f q L + s degh-1l + r shdegh f q - 1L - deghf q L - degh-1ll = r q + s + r s H # EH q L - q - 1L = r q q + s + r sh q t - q - 1L. So we can conclude that deghr f q - sl = r q + s - r s t. Since deghr f q - sl 0 and s 0 then dividing through by s gives (17) q H ÅÅÅ r s L - t H ÅÅÅ r s L Having that the set of rational numbers ÅÅÅ r s that for all x œ we have (18) with gcdhs, ql = 1 is dense in implies q x - t x (19) So quadratic equation (19) has no real roots, hence its discriminant is less than zero. Thus

26 ThesisMcGee06June006.nb t - 4 q < 0 fl t < è!!! q, completing the proof of (16). 4.4 Reducing the problem to that for EH p L A beautiful result due to Andre Weil, and explained in Washington [7] Theorem 4.1, shows that if we can compute # EH p L, then we can compute # EH p n L in a direct manner. Let # EH p L = p t. Write X - t X + p = HX - al HX - bl. Then a n + b n œ and # EH p n L = p n Ha n + b n L. So we only need to use Schoof's Algorithm to solve for # EH p L. Then we can compute # EH q L = # EH p n L via (0). Of course, if p is a small prime, then it is easy to determine # EH p L by direct counting or other simple methods, so the complexity of Schoof's method would not be justified. Assuming p is large enough to warrant the use of Schoof's method we may employ another useful result allowing us to determine the integer Ha n + b n L without explicitly computing a and b. The following recursion relation computes s n = Ha n + b n L where s 0 =, s 1 = t, s n+1 = t s n - p s n-1. (0) (1) The Mathematica function ComputeOrderEFq@ t, p, n D implements equations (1) and (). For our example elliptic curve E : y = x x + 74 over 97 we determined that # EH 97 L = 80. By Hasse's theorem # EH 97 L = p t so that 80 = t, hence t = 18. Then we can determine # EH 97 4 L using ComputeOrderEFq, giving # EH p 4 L =

27 ThesisMcGee06June006.nb Baby Step, Giant Step Method One way to use Hasse's bound to compute # EH p L is based on Lagrange's theorem which states that the order of any element of a finite group must divide the order of the group. Hence if we can find the order k of a point Q œ EH p L then the group order must be a multiple of k falling inside of Hasse's bounds. If we compute the order for several different points then some common multiple of these orders must fall inside of Hasse's bounds. Let 8k i < be the set of orders of n points in EH p L. By Hasse's theorem we have for some integer r that p è!!! p < r * lcmh8k i << < p è!!! p. If there is only one r for which this is true, then we must have # EH p L = r * lcmh8k i <<. In order for this method to be efficient we need a high performance method to compute point orders, that is, a method far better than exhaustive search to find the smallest k such that k P = in EH p L. The Baby Step-Giant Step method outlined in Washington [7] 4.3 provides such a method with runtime proportional to è!!! 4 p. ü Example 8 - Determining Group Order using Hasse's Theorem For this example we again take E : y = x 3 + A x + B over < è!!!!! 97 < 10, Hasse's theorem gives Since 97 - * 9 = 79 # EH q L 117 = 97 + * 9. We randomly found that P = H64, 35L is a point on the curve, and that» P» = 16. Since there are three multiples of 16 between 79 and 117, we need to choose another point. We randomly found a second point Q = H46, 95L with» Q» = 0. Then lcmh16, 0L = 80. Since we can conclude that # EH q L = 80, in agreement with the direct counting method.

28 4 ThesisMcGee06June006.nb Chapter 5 - Schoof's Algorithm Implementation "A four-year-old child could understand that. Run out and find me a four-yearold child, I can't make head or tail out of it." - Groucho Marx (Duck Soup-1933) In this chapter we present the algorithms that embody the key ideas of Schoof's method. For the curve given by E : y = x 3 + A x + B, over p, Hasse's theorem tells us that # EH p L = p t. The main objective of Schoof's algorithm is to determine t Hmod ll for a set of small primes l. For the case of l = we have a special method, so we outline this first. For l > we must employ more sophisticated mathematics including the Frobenius endomorphism and the so-called division polynomials. We will examine these in more detail after describing the method for computing t Hmod L.

29 ThesisMcGee06June006.nb Computing t Hmod L As before, let E be an elliptic curve over the finite field p given by E : y = x 3 + A x + B. A point P œ EH p L has order if and only if P + P = which means that P = -P. As we have seen, this is true only if the y-coordinate of P is zero. Now y = 0 if and only if x 3 + A x + B = 0. Suppose that there exists some e œ p such that e 3 + A e + B = 0 then He, 0L œ EH p L. Also, by the definition of elliptic curve addition, He, 0L =, so that He, 0L œ E@D. Then EH p L has a point of order, so that, by Langrange's Theorem, # EH p L = p t is even. Since p + 1 is even then t also is even, therefore t ª 0 Hmod L. Alternatively, suppose that # EH q L is even. Then by Theorem 4.1 of Washington [7] either EH p n or EH p n1 n with n, n 1, n œ and n 1» n. If two groups are isomorphic, there is a 1-1 mapping between the elements of the two groups which preserves the group operation. This means, in particular, that if one has a nonzero point of order, then the other has a nonzero point of order. If EH p n then n is even, because # EH p L is even. We know that n is cyclic with generator 1, and * H ÅÅÅÅ n n * 1L = n ª 0 Hmod nl, so ÅÅÅÅ is an element of n of order, therefore EH p L is cyclic with some generator P g and * H ÅÅÅÅ n * P gl = n P g =, so that P = ÅÅÅÅ n P g has order, therefore P = He, 0L for some e œ p. Otherwise, EH p n1 n and n 1 * n is even, so that either n is even or n 1 is even, which implies that n is even, because n 1» n. So we have that H0, n ÅÅÅÅÅÅ L is a point of order in n 1 n, therefore EH p L has a point of order, call it P. So we conclude that # EH q L ª 0 Hmod L fl $ P œ EH p L with P =. The contrapositive gives that if EH p L does not have a point of order, then

30 6 ThesisMcGee06June006.nb # EH q L ª 1 Hmod L fl t ª 1 Hmod L. Hence to compute t Hmod L it suffices to determine if x 3 + A x + B has a root in p. 5. Determining if x 3 + A x + B has a root in q A basic theorem of algebra tells us if ghxl is a polynomial of degree n with coefficients in p then ghxl has n roots in êê p, the algebraic closure of p. In addition if ghxl has no roots in common with g' HxL, then the roots of ghxl are distinct. Take ghxl = x p - x. Then g' HxL = p x p-1-1 = -1, since p ª 0 Hmod pl, so g' HxL has no roots in êê p. Therefore, the p roots of ghxl are distinct, and these are just the set of elements a of êê p satisfying a p - a = 0 fl a p-1 = 1. But the p - 1 nonzero elements of p µ all have order p - 1, so the roots of ghxl are precisely the elements of p. Then x 3 + A x + B has a root in p if and only if it has a root in common with ghxl. So if gcdhx 3 + A x + B, x p - xl = 1, then x 3 + A x + B has no root in p, else it has at least one such root. From a practical standpoint we can compute x p ª x p Hmod x 3 + A x + BL using an efficient algorithm for modular polynomial exponentiation, and then compute g = gcdhx 3 + A x + B, x p - xl = gcdhx 3 + A x + B, x p - xl, using the Euclidean algorithm for polynomials. Given g, we determine thmod L as t ª 1 Hmod L if g = 1, else t ª 0 Hmod L. This method in encoded in the Mathematica function ComputeTModTwo.

31 ThesisMcGee06June006.nb 7 ü Example 9 - Computation of thmod L We know from previous examples that for E : y = x x + 74 over 97 that # EH p L = 80. Hasse's theorem tells us that # EH p L = p t, hence t = 18, so that t ª 0 Hmod L. By the previous discussion EH p L has a point of order two if and only if gcdhx p - x, x x + 74L 1 where we can compute x p - x modulo x x We find, using modular polynomial arithmetic, that x p Hmod x x + 74L = 30 x + 60 x Then using a modular polynomial version of the Euclidean algorithm we compute gcdh30 x + 59 x + 47, x x + 74L = x Hence EH p L has at least one point of order two. In fact, the table in Figure 3 shows it has exactly one such point, namely P = H57, 0L, thus # EH p L is even. Since # EH p L = p t, and p + 1 = 98 is even, then t is even. Hence t ª 0 Hmod L.

32 8 ThesisMcGee06June006.nb 5.3 The Division Polynomials In order to determine t Hmod l i L for primes l i >, we need to make use of what are called the division polynomials for E : y = x 3 + a x + b. These are polynomials which go to zero on points of a particular order. We define E@nD as the set of n-torsion points of an elliptic curve E : y = x 3 + a x + b, that is, the set of points in EH êê pl with order dividing n, so that E@nD = 8P œ EH êê pl» n P = <. Note that this set includes points with coordinates in êê p, the algebraic closure of p. With this definition the division polynomials y n of an elliptic curve E are elements of yd with the property that y n Hx, yl = 0 if and only if Hx, yl œ E@nD. These polynomials are defined recursively as follows. y 0 = 0, y 1 = 1, y = y, y 3 = 3 x a x + 1 b x - a y 4 = 4 yhx a x b x 3-5 a x - 4 a b x - 8 b - a 3 L y n = y n Hy n+ y n-1 - y n- y n+1 L n œ, n > y n+1 = y n+ y 3 n - y3 n+1 y n-1 n œ, n > 1 Lets see why y 3 is the correct polynomial. First, if P = Hx, yl œ E@3D then 3 P = 0 which means that P = -P, hence the x-coordinates of P and -P must be the same. Using Equations (11,1) to compute P we find so that x = l - x = H3 x +AL ÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ ÅÅÅÅÅ - x 4 y H-3 xl H4 y L = 9 x A x + A. But y = x 3 + A x + B so that -1 Hx 4 + A x + B xl = 9 x A x + A. Collecting terms and multiplying through by -1 gives 3 x A x + 1 B x - A = y 3. So if y 3 = 0 then P = ±P, meaning that P = or P is a point of order 3. In either case P œ E@3D. The division polynomials are polynomials in x, y. Using the elliptic curve equation we can replace y with x 3 + A x + B. More generally we can replace y k

33 ThesisMcGee06June006.nb 9 with Hx 3 + A x + BL k. This allows us to express the division polynomials as elements of or y so that no power of y greater than 1 will appear. It can be further proved that we can produce polynomials in with the following replacements. f n HxL = 9 y nhx, yl y n Hx, yl ê y if n is odd if n is even These polynomials, by definition, also have the property that f n HxL = 0 if and only if x is the x-coordinate of a point of order n. 5.4 How many division polynomials? How many division polynomials will we need for the execution of Schoof's algorithm? As noted in the outline of Schoof's algorithm in chapter 4, we need to test Equation (15) for a set of primes l i such the product of these primes is greater than 4 è!!! p. The function ComputePrimeSet determines this set. If the cardinality of 8l i < = k, then y k+ is the highest order division polynomial required. What is the relationship between k and p? Figure 4 contains a plot of Log vs. k, which indicates that k grows approximately logarithmically with p. The horizontal axis is the number of primes k, the vertical axis is the number of decimal digits in p, the size p. A statistical fit of this data gives the approximate relationship for k > 10. Log = 0.01 k k Given that we wish to apply Schoof's algorithm to an elliptic curve over p we could use this graph to estimate the number of small primes k that would be required.

34 30 ThesisMcGee06June006.nb Figure 3 - Number of digits in p vs. number of small primes. ü Example 10 - Computation of the Division Polynomials For our example E : y = x x + 74 over 97, we first compute the set of small primes whose product is greater than 4 è!!!!! 97, such that p T 1 Hmod l i L for l i >. The necessary primes are, 5, 7 whose product is 70 > 4 è!!!!! 97. Then p ª Hmod 5L, and p ª 6 Hmod 7L. Therefore we will need division polynomials up to and including y 9, so we compute these at this time. Note that the odd numbered polynomials, such as y 1, y 3,... are polynomials in x only, while the even numbered polynomials are polynomials in x multiplied by y. More precisely y n+1 œ and y n œ y For our sample curve we find that the first five division polynomials are y 1 Hx, yl = 1, y Hx, yl = y, y 3 Hx, yl = x + 8 x + 3 x 4, y 4 Hx, yl = H x + 69 x + 3 x x x 6 L y, y 5 Hx, yl = x + 11 x + 38 x x x x 6 +6 x x x x x 1.

35 ThesisMcGee06June006.nb 31 With E : y = x x + 74 over 97 we have that H4, 15L is a point of order 4. Then we must have f = 0 if and only if 4» n. To check the function ComputeDivisionPolynomials we calculate f for n 8 giving =, f = 4, f = 0, f = 47, f = 5, f =, f = 0, as expected, since H4, 15L œ E@4D and E@4D Œ E@8D. Similarly the point H90, 31L is of order 5 and we find =, f = 76, f = 14, f = 0, f = 1, f = 3. So the division polynomials are correct, at least for this particular case. 5.5 Computing n P with the Division Polynomials If P = Hx, yl is a point in EH êê pl then n P = Ix - y n-1 y ÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ n+1 ÅÅÅÅ y n, y n+ y n-1 -y n- y ÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅÅ n+1 4 y y3 M n It can be shown that multiplication by n is an endomorphism m n of EH êê pl. This follows from the fact that EH êê pl is an abelian group so that nhp + QL = n P + n Q. Since n P = if and only if P œ E@nD we have that the kernel of m n is E@nD. Further, because m n is expressed as a separable rational polynomial of degree n, we have that # E@nD = deghm n L = n. For a proof of (1) see Washington [7] 9.5. It should be noted that Equation (1) does not provide an efficient way to compute n P for specific points P. Rather, it provides the basis of proof for the characteristic equation of the Frobenius (15), one of the key equations used in Schoof's method. ()

36 3 ThesisMcGee06June006.nb 5.6 The Frobenius Endomorphism Let f q : EH êê ql Ø EH êê ql with f q Hx, yl = Hx q, y q L, called the Frobenius endomorphism. Since a q = a for all a œ q this map is the identity for points with coordinates in q. Let Hx 1, y 1 L œ EH êê ql then y 1 = x A x 1 + B in êê q. Now f q Hx 1, y 1 L = Hx 1 q, y 1 q L. Substituting this into the elliptic curve equation gives Hy 1 q L = Hy 1 L q = Hx A x 1 + BL q. However, for all a, b œ êê q we have Ha + bl q = a q + b q in q so that Hy 1 q L = Hx 1 3 L q + A q x 1 q + HBL q = Hx 1 q L 3 + A x 1 q + B, since A, B œ q. Hence Hx 1 q, y 1 q L = f q Hx 1, y 1 L œ EH êê ql, so that f q maps a point on the curve to another point on the curve. Let P = Hx 1, y 1 L, Q = Hx, y L be two points in EH êê ql with x 1 x, then with l = Hy - y 1 L ê Hx - x 1 L we have P + Q = Hx 3, y 3 L with x 3 = l - x 1 - x, y 3 = lhx 1 - x 3 L - y 1. Using the same properties of q th powers in êê q we have f q HP + QL = Hl q - x 1 q - x q, l q Hx 1 q - x 3 q L - y 1 q L, with l q = Hy q - y 1 q L ê Hx q - x 1 q L. Therefore f q HP + QL = f q HPL + f q HQL. It can also be shown that this holds also for Q = P and Q = -P, so that f q is a homomorphism from EH êê ql to EH êê ql, hence an endomorphism.