Elliptic Curves: Theory and Application

Similar documents
Elliptic Curves, Factorization, and Cryptography

Elliptic Curve Cryptosystems

Congruent number elliptic curves of high rank

Algebraic Geometry: Elliptic Curves and 2 Theorems

Public-key Cryptography and elliptic curves

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

One can use elliptic curves to factor integers, although probably not RSA moduli.

On the Torsion Subgroup of an Elliptic Curve

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Introduction to Arithmetic Geometry

Elliptic Curve Cryptography

8 Elliptic Curve Cryptography

Elliptic Curves and Mordell s Theorem

CPSC 467b: Cryptography and Computer Security

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

CPSC 467b: Cryptography and Computer Security

Applied Cryptography and Computer Security CSE 664 Spring 2018

Elementary Number Theory and Cryptography, 2014

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

CPSC 467: Cryptography and Computer Security

Public Key Cryptography

Elliptic Curve Cryptography with Derive

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Introduction to Elliptic Curve Cryptography. Anupam Datta

Torsion Points of Elliptic Curves Over Number Fields

Elliptic Curves. Akhil Mathew (Department of Mathematics Drew UniversityElliptic MathCurves 155, Professor Alan Candiotti) 10 Dec.

Introduction to Elliptic Curves

Elliptic Curves and Public Key Cryptography

Other Public-Key Cryptosystems

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

MATH 158 FINAL EXAM 20 DECEMBER 2016

14 Diffie-Hellman Key Agreement

LECTURE 2 FRANZ LEMMERMEYER

APA: Estep, Samuel (2018) "Elliptic Curves" The Kabod 4( 2 (2018)), Article 1. Retrieved from vol4/iss2/1

CONGRUENT NUMBERS AND ELLIPTIC CURVES

Number Fields Generated by Torsion Points on Elliptic Curves

Outline of the Seminar Topics on elliptic curves Saarbrücken,

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Public-key Cryptography and elliptic curves

Elliptic Curve Crytography: A Computational Science Model

Final Report. Cryptography and Number Theory Boot Camp NSF-REU. Summer 2017

Lecture Notes, Week 6

Dip. Matem. & Fisica. Notations. Università Roma Tre. Fields of characteristics 0. 1 Z is the ring of integers. 2 Q is the field of rational numbers

Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

Parshuram Budhathoki FAU October 25, Ph.D. Preliminary Exam, Department of Mathematics, FAU

Arithmetic Progressions Over Quadratic Fields

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Chapter 10 Elliptic Curves in Cryptography

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Elliptic Curves. Dr. Carmen Bruni. November 4th, University of Waterloo

The 8 th International Conference on Science and Mathematical Education in Developing Countries

Pythagoras = $1 million problem. Ken Ono Emory University

Elliptic curves and modularity

Elliptic Curve Cryptography

A gentle introduction to isogeny-based cryptography

Points of High Order on Elliptic Curves ECDSA

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Points of Finite Order

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

A gentle introduction to elliptic curve cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

The Elliptic Curve in https

The Weil Pairing on Elliptic Curves and Its Cryptographic Applications

Definition of a finite group

Notes for Lecture 17

Number Theory in Cryptology

Congruent Number Problem and Elliptic curves

A WHIRLWIND TOUR BEYOND QUADRATICS Steven J. Wilson, JCCC Professor of Mathematics KAMATYC, Wichita, March 4, 2017

Public-key Cryptography: Theory and Practice

ELLIPTIC CURVES AND CRYPTOGRAPHY

Using semidirect product of (semi)groups in public key cryptography

Some new families of positive-rank elliptic curves arising from Pythagorean triples

Arithmétique et Cryptographie Asymétrique

6.5 Elliptic Curves Over the Rational Numbers

Elliptic Curves over Q

Topics in Cryptography. Lecture 5: Basic Number Theory

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

LECTURE 15, WEDNESDAY

LECTURE 18, MONDAY

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Math/Mthe 418/818. Review Questions

Other Public-Key Cryptosystems

Why Should I Care About Elliptic Curves?

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Elliptic Curve Cryptography

Elliptic Curve Cryptology. Francis Rocco

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Practice Assignment 2 Discussion 24/02/ /02/2018

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Theory of Computation Chapter 12: Cryptography

Elliptic Curve Cryptosystems

Grade 11/12 Math Circles Elliptic Curves Dr. Carmen Bruni November 4, 2015

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Tomáš Madaras Congruence classes

Transcription:

s Phillips Exeter Academy Dec. 5th, 2018

Why Elliptic Curves Matter The study of elliptic curves has always been of deep interest, with focus on the points on an elliptic curve with coe cients in certain fields. Applications of elliptic curves include: Solving Diophantine equations Factorizing large numbers Cryptography Calculating the perimeter of an ellipse Various other well-known problems

Congruent Numbers Open Problem The Congruent Numbers Problem asks which positive integers can be expressed as the area of a right triangle with rational sides. So, a number n is congruent if there exist rational numbers a, b, c such that a 2 + b 2 = c 2, ab 2 = n First few congruent numbers: 5, 6, 7, 13, 14, 15, 20, 21, 22

Connection to Elliptic Curves Because any primitive Pythagorean triple can be expressed as (p 2 q 2, 2pq, p 2 + q 2 ), we can set a = x2 n 2,b= 2xn y y,c= x2 + n 2, y where x, y are rational numbers. Simplifying gives y 2 = x 3 n 2 x, which is an elliptic curve. So, n is congruent if and only if y 2 = x 3 n 2 x has a non-trivial rational point.

Groups, Rings, and Fields Definition A group is a pair (G, ) whereg is a set and is a binary operation G G! G that satisfies the following properties: 1 8 a, b, c 2 G, a (b c) =(a b) c. 2 9 e 2 G such that a e = e a = a 8 a 2 G. 3 8 a 2 G, there exists b 2 G such that a b = b a = e. A group is abelian if a b = b a 8 a, b 2 G. Often we write a b as ab.

Groups, Rings, and Fields (cont.) Definition A ring is a triple (R, +, ), where R is a set and, + are binary operations R R! R such that: 1 The pair (R, +) satisfies the properties of an abelian group, where its additive identity is labeled 0, 2 8 a, b, c 2 R, a (b c) =(a b) c. 3 8 a, b, c 2 R, a (b + c) =a b + a c. 4 9 1 2 R such that a 1=1 a = a. R is called commutative if in addition we have a b = b a for all a, b 2 R. Definition A field is a commutative ring such that every nonzero element has a multiplicative inverse.

The Projective Plane Definition The n-dimensional projective plane P n K classes defined by is the set of equivalence (K n+1 {0})/(v v 8 2 K ). Denote the equivalence class of (a 0,a 1,a 2,...,a n ) as [a 0,a 1,a 2,...,a n ]. For this presentation, we will only be talking about Elliptic Curves in the Projective plane, or P 2 K.

Elliptic Curves Definition A curve is non-singular if there is a unique, defined tangent line at every point. Definition Let K be a field. An elliptic curve over K is a non-singular curve defined by an equation of the form Y 2 Z = ax 3 + bx 2 Z + cxz 2 + dz 3, with coe cients in a field K, living in the projective plane P 2 K.

Alternate form of Elliptic Curves By mapping [ X Z, Y Z, 1] to (x, y), we can classify all equivalence classes with Z 6= 0: Y 2 = a Z X 3 + b Z X 2 + c Z y 2 = ax 3 + bx 2 + cx + d. X + d, or Z Plugging in Z = 0 gives X = 0, so the only point at infinity is O =[0, 1, 0]. Therefore, our elliptic curve is equivalent to the equation y 2 = ax 3 + bx 2 + cx + d in the a ne plane, adjoined with the point O.

Weierstrass Form Definition An elliptic curve over a field K is in Weierstrass form if it is of the form y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 When the characteristic of K is not 2 or 3, the Weierstrass form can be further simplified down to y 2 = x 3 + ax + b through a series of substitutions. Many of our results will assume this simplified Weierstrass form.

The Discriminant Definition The discriminant D of an elliptic curve y 2 = x 3 + ax 2 + bx + c is D = 4a 3 c + a 2 b 2 + 18abc 4b 3 27c 2. When a = 0, or equivalently given simplified Weierstrass form, we have D = 4b 3 27c 2. Remark D 6= 0is equivalent to the curve being non-singular.

Elliptic Curve Addition Definition The sum p 1 + p 2 is defined to be the reflection of the third intersection of the line p 1 p 2 with E over the x-axis.

Elliptic Curve Addition 2 Since connecting O with a point gives a vertical line, O +(x, y) =(x, y), so O is the identity. Since (x, y)+(x, y) =O, it is clear that an inverse exists for any point: (x, y). In addition, trivially, this addition function is commutative. Assuming simple Weierstrass form, some algebra gives a complicated formula for addition involving only rational functions. This means that the set of rational points is closed under addition, where the rational points are the set of points with coe cients in K.

Elliptic Curves as a Group This group addition is associative, though we will not prove it. Therefore, this addition function satisfies the conditions: 1 Associative 2 Commutative 3 Closed over E(K) 4 Has an identity O 5 Each point has an inverse which are all the requirements for an abelian group, so the pair (E(K), +) is a group.

Points of Finite Order Question What is the structure of the points of finite order?

Structure of Complex Points Let E(C) be all the points with complex coordinates on the elliptic curve. Then, there is an isomorphism between E(C) and a parallelogram in R 2.

Structure of Complex Points Let E(C) be all the points with complex coordinates on the elliptic curve. Then, there is an isomorphism between E(C) and a parallelogram in R 2. The elliptic curve addition formula then becomes equivalent to adding the coordinates like vectors, and then subtracting multiples of! 1 and! 2 until the point ends back up within the parallelogram. O is sent to the origin.

Structure of Points of order dividing n From our isomorphism, we see that for np to equal O, thenn times the image of P must be a linear combination of! 1 and! 2. Therefore, the image of P is a n! 1 + b n! 2, for non-negative integers a, b < n. Therefore, the set of complex points of order dividing n is isomorphic to Z/nZ Z/nZ. From our addition formula, all points of finite order are algebraic, so this structure is the same for not only E(C), but also for E(Q).

Nagell-Lutz Let the equation y 2 = x 3 + ax 2 + bx + c define a non-singular elliptic curve denoted as E, witha, b, c 2 Z. Let D be the discriminant of the curve, as defined earlier. Theorem (Nagell-Lutz) If P =(x, y) is a rational point of finite order on E, for the elliptic curve group law, then: 1 x and y are integers 2 If y =0, then P has order two 3 If y 6= 0, then y divides D, which implies y 2 divides D.

Mordell s Theorem Definition An abelian group G is finitely generated if there exists a finite set S =(a 1,a 2,a 3,...,a n ) consisting of elements of G, such that any element e of G can be expressed as an integer combination of elements of S. Theorem (Mordell) If a non-singular elliptic curve E has a rational point, then the group of rational points (E(Q), +) is a finitely generated abelian group.

Elliptic Curves over Finite Fields An elliptic curve E over a finite field F p is the point set {(x, y) 2 (F p ) 2 y 2 x 3 + ax + b (mod p)} [ {O}. Note that O is the point at infinity, and a and b are two integers in F p. In particular, the discriminant 4a 3 + 27b 2 6 0(modp). We can use the group structure of elliptic curves to create a number of algorithms. Factorization of Large Numbers Public Key Cryptography

An Example of an elliptic curve over a finite field Let E be the curve y 2 = x 3 + x +1overF 5. x x 3 + x +1 y Points 0 1 ±1 (0, 1), (0, 4) 1 3 - - 2 1 ±1 (2, 1), (2, 4) 3 1 ±1 (3, 1), (3, 4) 4 4 ±2 (4, 2), (4, 3) 1 1 1 Note that #E(F 5 ) p 1=9 5 1=3

Hasse-Weil Bound Theorem If C is a non-singular irreducible curve of genus g defined over a finite field F p, then the number of points on C with coordinates in F is equal to p +1, where the error term satisfies apple2g p p. For an elliptic curve C over a finite field F p, the Hasse-Weil theorem gives the estimate that the number of points of elliptic curve C is #C(F p ) p 1 apple2 p p

Reduction modulo p Definition (Reduction modulo p) Wewritez! z for the map reduction modulo p, where Z! Z/pZ = F p, z 7! z. Let C be a cubic curve, given by a Weierstrass equation with integer coe cients a, b, c. C : y 2 = x 3 + ax 2 + bx + c Take equation for C, and reduce those coe get a new curve with coe cients in F p, cients modulo p to C : y 2 = x 3 +ãx 2 + bx + c.

Reduction modulo p, Cont. The curve C will be non-singular if p 3 and the discriminant D = 4ã 3 c +ã 2 b2 + 18ã b c 4 b 3 27 c 2 is non-zero. The reduced curve C (mod p) is non-singular provided that p 3 and p does not divide the discriminant D. Let P =(x, y) 2 C(Q) be a point with integer coordinates. By reduction modulo p, we have ỹ 2 = x 3 +ã x 2 + b x + c. So P =( x, ỹ) is a point in C(F p ). In addition, if P = O, define P = Õ. We then get a map P! P from the points in C(Q) with integer coordinates to C(F p ).

Reduction modulo p Theorem Theorem Let C be a non-singular cubic curve y 2 = x 3 + ax 2 + bx + c with integer coe cients a, b, c, and let D be the discriminant. If p does not divide 2D, then the group of finite order points in E(Q) under reduction modulo p injects into Ẽ(F p).

Elliptic Curve Cryptography Discrete Logarithm Problem Find an integer m that solves the congruence a m b(mod p) Elliptic Curve Discrete Logarithm Problem Given P, Q 2 C(F p ), find an integer m such that mp = Q.

Public-key Cryptography

Diffie-Hellman Key Exchange 1 Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P 2 E(F q ).

Diffie-Hellman Key Exchange 1 Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P 2 E(F q ). 2 Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob.

Diffie-Hellman Key Exchange 1 Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P 2 E(F q ). 2 Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3 Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice.

Diffie-Hellman Key Exchange 1 Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P 2 E(F q ). 2 Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3 Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice. 4 Alice computes ap b = abp.

Diffie-Hellman Key Exchange 1 Alice and Bob agree on an elliptic curve E over a finite field F q such that the discrete logarithm problem is hard in E(F q ). They also agree on a point P 2 E(F q ). 2 Alice chooses a secret integer a, computes P a = ap, and sends P a to Bob. 3 Bob chooses a secret integer b, computes P b = bp, and sends P b to Alice. 4 Alice computes ap b = abp. 5 Bob computes bp a = bap.

Diffie-Hellman Key Exchange (Cont.) 6 Alice and Bob use some publicly agreed on method to extract a key from abp. The only information that the eavesdropper Eve sees is the curve E, thefinitefieldf q, and the points P, ap, and bp.she therefore needs to compute abp from the points P, ap, and bp.

Massey-Omura Key Exchange

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ).

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ). 2 Alice represents her message as a point M 2 E(F q ).

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ). 2 Alice represents her message as a point M 2 E(F q ). 3 Alice chooses a secret integer A with gcd(a,n)= 1, computes M 1 = AM, and sends M 1 to Bob.

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ). 2 Alice represents her message as a point M 2 E(F q ). 3 Alice chooses a secret integer A with gcd(a,n)= 1, computes M 1 = AM, and sends M 1 to Bob. 4 Bob chooses a secret integer B with gcd(b,n)= 1, computes M 2 = BM 1, and sends M 2 to Alice.

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ). 2 Alice represents her message as a point M 2 E(F q ). 3 Alice chooses a secret integer A with gcd(a,n)= 1, computes M 1 = AM, and sends M 1 to Bob. 4 Bob chooses a secret integer B with gcd(b,n)= 1, computes M 2 = BM 1, and sends M 2 to Alice. 5 Alice computes A 1 2 Z N. She computes M 3 = A 1 M 2 and sends M 3 to Bob.

Mathematical Implementation of Massey-Omura 1 Alice and Bob agree on an elliptic curve E over a finite field F q. Let N = #E(F q ). 2 Alice represents her message as a point M 2 E(F q ). 3 Alice chooses a secret integer A with gcd(a,n)= 1, computes M 1 = AM, and sends M 1 to Bob. 4 Bob chooses a secret integer B with gcd(b,n)= 1, computes M 2 = BM 1, and sends M 2 to Alice. 5 Alice computes A 1 2 Z N. She computes M 3 = A 1 M 2 and sends M 3 to Bob. 6 Bob computes B 1 2 Z N. He computes M 4 = B 1 M 3. Then M 4 = M is the message.

Mathematical implementation of Massey-Omura (cont.) The eavesdropper Eve knows E(F q ) and the points AM, BAM, and BM. Let a = A, b = B, P = ABM. Then we see that Eve knows P, bp, ap and wants to find abp. This is exactly the discrete log problem, which is hard to crack!

Massey-Omura vs. Diffie-Hellman Di e-hellman Key Exchange The secret keys of Alice and Bob together determine the private key they will use. Massey-Omura Key Exchange One party determines what the shared private key would be.

Acknowledgements We would like to thank: Yongyi Chen Our Parents Dr. Khovanova and Dr. Gerovitch MIT PRIMES

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback