Elliptic curves: Theory and Applications. Day 3: Counting points.

Elisa Lorenzo García, Université de Rennes 1, 13-09-2017

Counting points: basic idea

Let $E$ be the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$. To count points on $E$, we make a list of the possible values of $x$, then of $x^3 + x + 1 \pmod 5$, then of the square roots $y$ of $x^3 + x + 1 \pmod 5$. This yields the points on $E$.

| $x$ | $x^3 + x + 1$ | $y$ | Points |
|---|---|---|---|
| 0 | 1 | ±1 | (0, 1), (0, 4) |
| 1 | 3 | - | - |
| 2 | 1 | ±1 | (2, 1), (2, 4) |
| 3 | 1 | ±1 | (3, 1), (3, 4) |
| 4 | 4 | ±2 | (4, 2), (4, 3) |

Therefore, counting the point at infinity as well, $E(\mathbb{F}_5)$ has order 9. The complexity is $O(q)$.

Complexity

To define the complexity properly, we have to define the available operations and their cost. In arithmetic complexity, the operations on integers have unit cost: addition, subtraction, multiplication and division. For an algorithm we always give the worst-case complexity.

Example. The complexity of computing $n!$ is $O(n)$.

The notation $O(\cdot)$. The meaning of $f(n) = O(g(n))$ when $n \to \infty$ is that there exist $K > 0$ and $A > 0$ such that for all $n > A$, one has $f(n) \le K\, g(n)$.

Example. $O(3x^5 + 8 + 7\log(x)) = O(x^5)$.

Counting points: another basic idea

Theorem. Let $E$ be an elliptic curve defined by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. Then

$$\#E(\mathbb{F}_q) = q + 1 + \sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right).$$

Corollary. Let $x^3 + Ax + B$ be a polynomial with $A, B \in \mathbb{F}_q$, where $q$ is odd. Then

$$\left| \sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right) \right| \le 2\sqrt{q}.$$

Again the complexity is $O(q)$.

Counting points: Baby Step - Giant Step

Let $P \in E(\mathbb{F}_q)$. We want to find an integer $k$ such that $kP = \infty$. Let $\#E(\mathbb{F}_q) = N$. Then $NP = \infty$. We do not know $N$ yet, but we know that $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. We could try all values of $N$ in this range and see which ones satisfy $NP = \infty$. This takes around $4\sqrt{q}$ steps. However, it is possible to speed this up to around $4q^{1/4}$ steps by the following algorithm.

1. Compute $Q = (q + 1)P$.
2. Choose an integer $m$ with $m > q^{1/4}$. Compute and store the points $jP$ for $j = 0, 1, 2, \ldots, m$.
3. Compute the points $Q + k(2mP)$ for $k = -m, -(m-1), \ldots, m$ until there is a match $Q + k(2mP) = \pm jP$ with a point (or its negative) on the stored list.

Counting points: Baby Step - Giant Step (continued)

4. Conclude that $(q + 1 + 2mk \pm j)P = \infty$. Let $M = q + 1 + 2mk \pm j$.
5. Factor $M$. Let $p_1, \ldots, p_r$ be the distinct prime factors of $M$.
6. Compute $(M/p_i)P$ for $i = 1, \ldots, r$. If $(M/p_i)P = \infty$ for some $i$, replace $M$ with $M/p_i$ and go back to step (5). If $(M/p_i)P \ne \infty$ for all $i$, then $M$ is the order of the point $P$.
7. If we are looking for $\#E(\mathbb{F}_q)$, then repeat steps (1)-(6) with randomly chosen points in $E(\mathbb{F}_q)$ until the least common multiple of the orders divides only one integer $N$ with $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. Then $N = \#E(\mathbb{F}_q)$.

Remarks: Assuming that there is a match, this method clearly produces an integer that annihilates $P$. But why is there a match? Why does step (6) yield the order of $P$?

Counting points: Baby Step - Giant Step (remarks)

To save storage space, it might be more efficient to store only the $x$-coordinates of the points $jP$ (along with the corresponding integer $j$), since looking for a match with $\pm jP$ only requires the $x$-coordinate. When a match is found, the two possible $y$-coordinates can be recomputed.

Computing $Q + k(2mP)$ can be done by computing $Q$ and $2mP$ once for all. To get from $Q + k(2mP)$ to $Q + (k + 1)(2mP)$, simply add $2mP$ rather than recomputing everything. Similarly, once $jP$ has been computed, add $P$ to get $(j + 1)P$.

We are assuming that we can factor $M$. If not, we can at least find all the small prime factors $p_i$ and check that $(M/p_i)P \ne \infty$ for these. Then $M$ will be a good candidate for the order of $P$.

Why is the method called Baby Step - Giant Step? The baby steps are from a point $jP$ to $(j + 1)P$. The giant steps are from a point $k(2mP)$ to $(k + 1)(2mP)$, since we take the bigger step $2mP$.

Counting points: Baby Step - Giant Step (example)

Example. Let $E$ be the elliptic curve $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$. Let $P = (2, 3)$. We follow the BS-GS algorithm.

1. $Q = 558P = (418, 33)$.
2. Let $m = 5$, which is greater than $557^{1/4}$. The list of $jP$ is $\infty$, (2, 3), (58, 164), (44, 294), (56, 339), (132, 364).
3. When $k = 1$, we have $Q + k(2mP) = (2, 3)$, which matches the point on our list for $j = 1$.
4. We have $(q + 1 + 2mk - j)P = 567P = \infty$.
5. Factor $567 = 3^4 \cdot 7$. Compute $(567/3)P = 189P = \infty$. We now have 189 as a candidate for the order of $P$.
6. Factor $189 = 3^3 \cdot 7$. Compute $(189/3)P = (38, 535)$ and $(189/7)P = (136, 360)$. Therefore 189 is the order of $P$.

Hence, $\#E(\mathbb{F}_{557}) = 567$.
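Steps (1)-(6) and the Hasse-interval check of step (7) for a single point, run on the curve and point of the example above. This is an added example, not code from the original slides; the function names are illustrative, the curve is taken in short Weierstrass form over a prime field, and $p$ is assumed large enough (say $p > 100$) that every candidate $M$ is positive.

```python
from math import isqrt

def add(P, Q, A, p):
    """Add points of y^2 = x^3 + A*x + B over F_p; None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, A, p):
    """Double-and-add; a negative k multiplies -P."""
    if k < 0:
        k, P = -k, (None if P is None else (P[0], -P[1] % p))
    R = None
    while k:
        if k & 1: R = add(R, P, A, p)
        P, k = add(P, P, A, p), k >> 1
    return R

def prime_factors(n):
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0: n //= d
        d += 1
    return out + ([n] if n > 1 else [])

def point_order(P, A, p):
    m = isqrt(isqrt(p)) + 1                  # step 2: smallest integer m > p^(1/4)
    baby, R = {}, None
    for j in range(m + 1):                   # baby steps jP, keyed by x-coordinate only
        baby.setdefault(None if R is None else R[0], (j, R))
        R = add(R, P, A, p)
    step = mul(2 * m, P, A, p)               # the giant step 2mP, computed once
    R = add(mul(p + 1, P, A, p), mul(-m, step, A, p), A, p)   # Q - m(2mP)
    for k in range(-m, m + 1):               # step 3: giant steps
        hit = baby.get(None if R is None else R[0])
        if hit:
            j, jP = hit
            # step 4: Q + 2mk*P = jP gives M = q+1+2mk-j; = -jP gives q+1+2mk+j
            M = p + 1 + 2 * m * k + (-j if R == jP else j)
            break
        R = add(R, step, A, p)
    else:
        raise ValueError("no match: is P on the curve?")
    for l in prime_factors(M):               # steps 5-6: strip primes while M/l kills P
        while M % l == 0 and mul(M // l, P, A, p) is None:
            M //= l
    return M

def hasse_multiples(order, p):
    """Step 7 for one point: multiples N of the order with |N - (p+1)| <= 2*sqrt(p)."""
    return [N for N in range(order, 2 * p + 2, order) if (N - p - 1) ** 2 <= 4 * p]

# The slide's example: y^2 = x^3 - 10x + 21 over F_557, P = (2, 3)
EXAMPLE_ORDER = point_order((2, 3), -10, 557)
```

When `hasse_multiples` returns more than one candidate, step (7) applies: repeat with further points and take the least common multiple of their orders.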

Counting points: Schoof's Algorithm

Complexity $O(\log^8 q)$. Improvements by Atkin and Elkies.

Suppose $E$ is an elliptic curve given by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. We know, by Hasse's theorem, that $\#E(\mathbb{F}_q) = q + 1 - a$, with $|a| \le 2\sqrt{q}$. Let $S = \{2, 3, 5, 7, \ldots, L\}$ be a set of primes such that

$$\prod_{l \in S} l > 4\sqrt{q}.$$

If we can determine $a \bmod l$ for each prime $l \in S$, then we know $a \bmod \prod_{l \in S} l$, and therefore $a$ is uniquely determined.

Let $l$ be prime. For simplicity, we assume $l \ne p$, where $p$ is the characteristic of $\mathbb{F}_q$. We also assume that $q$ is odd. We want to compute $a \pmod{l}$.

The Chinese Remainder theorem

Theorem (The Chinese Remainder theorem). Let $n_1, \ldots, n_k$ be pairwise coprime integers greater than 1. Let $a_1, \ldots, a_k$ be any integers. Then there exists an integer $x$ such that

$$x \equiv a_1 \pmod{n_1}, \quad \ldots, \quad x \equiv a_k \pmod{n_k},$$

and any two such $x$ are congruent modulo $N = \prod n_i$.

Counting points: Schoof's Algorithm, $l = 2$

If $x^3 + Ax + B$ has a root $e \in \mathbb{F}_q$, then $(e, 0) \in E[2]$ and $(e, 0) \in E(\mathbb{F}_q)$, so $E(\mathbb{F}_q)$ has even order. In this case, $q + 1 - a \equiv 0 \pmod 2$, so $a$ is even. If $x^3 + Ax + B$ has no roots in $\mathbb{F}_q$, then $E(\mathbb{F}_q)$ has no points of order 2, and $a$ is odd.

To determine whether $x^3 + Ax + B$ has a root in $\mathbb{F}_q$, we could try all the elements in $\mathbb{F}_q$, but there is a faster way. Recall that the roots of $x^q - x$ are exactly the elements of $\mathbb{F}_q$. Therefore, $x^3 + Ax + B$ has a root in $\mathbb{F}_q$ if and only if it has a root in common with $x^q - x$. The Euclidean algorithm, applied to polynomials, yields the gcd of the two polynomials.

If $q$ is very large, the polynomial $x^q$ has very large degree. Therefore, it is more efficient to compute $x_q \equiv x^q \pmod{x^3 + Ax + B}$ by successive squaring, and then use the result to compute

$$\gcd(x_q - x,\ x^3 + Ax + B) = \gcd(x^q - x,\ x^3 + Ax + B).$$

Counting points: Schoof's Algorithm, odd $l$

When $n$ is odd, we have the division polynomial $\psi_n$ and

$$(x, y) \in E[n] \iff \psi_n(x) = 0.$$

On the other hand, the Frobenius endomorphism $\phi_q(x, y) = (x^q, y^q)$ satisfies

$$\phi_q^2 - a\phi_q + q = 0.$$

Let $(x, y)$ be a point of order $l$. Then

$$(x^{q^2}, y^{q^2}) + q_l (x, y) = a_l (x^q, y^q),$$

where $q_l = q \pmod{l}$ and $a_l = a \pmod{l}$.

Counting points: Schoof's Algorithm (steps)

1. Choose a set of primes $S = \{2, 3, 5, \ldots, L\}$ (with $p \notin S$) such that $\prod_{l \in S} l > 4\sqrt{q}$.
2. If $l = 2$, we have $a \equiv 0 \pmod 2$ if and only if $\gcd(x^3 + Ax + B,\ x^q - x) \ne 1$.
3. For each odd prime $l \in S$, do the following.
   (a) Let $q_l \equiv q \pmod{l}$ with $|q_l| < l/2$.
   (b) Compute the $x$-coordinate $x'$ of $(x', y') = (x^{q^2}, y^{q^2}) + q_l (x, y) \bmod \psi_l$.
   (c) For $j = 1, 2, \ldots, (l - 1)/2$, do the following.
      i. Compute the $x$-coordinate $x_j$ of $(x_j, y_j) = j(x, y)$.
      ii. If $x' - x_j^q \equiv 0 \pmod{\psi_l}$, go to step (iii). If not, try the next value of $j$ (in step (c)). If all values $1 \le j \le (l - 1)/2$ have been tried, go to step (d).
      iii. Compute $y'$ and $y_j$. If $(y' - y_j^q)/y \equiv 0 \pmod{\psi_l}$, then $a \equiv j \pmod{l}$. If not, then $a \equiv -j \pmod{l}$.

Counting points: Schoof's Algorithm (steps, continued)

3. (Cont.)
   (d) If all values $1 \le j \le (l - 1)/2$ have been tried without success, let $w^2 \equiv q \pmod{l}$. If $w$ does not exist, then $a \equiv 0 \pmod{l}$.
   (e) If $\gcd(\text{numerator}(x^q - x_w),\ \psi_l) = 1$, then $a \equiv 0 \pmod{l}$. Otherwise, compute $\gcd(\text{numerator}((y^q - y_w)/y),\ \psi_l)$. If this gcd is not 1, then $a \equiv 2w \pmod{l}$. Otherwise, $a \equiv -2w \pmod{l}$.
4. Use the knowledge of $a \pmod{l}$ for each $l \in S$ to compute $a \pmod{\prod l}$. Choose the value of $a$ that satisfies this congruence and such that $|a| \le 2\sqrt{q}$. The number of points in $E(\mathbb{F}_q)$ is $q + 1 - a$.

Counting points: Schoof's algorithm (example)

Let $E$ be the elliptic curve $y^2 = x^3 + 2x + 1 \bmod 19$. Then $\#E(\mathbb{F}_{19}) = 19 + 1 - a$. We want to determine $a$. We'll show that

$$a \equiv \begin{cases} 1 \pmod 2 \\ 2 \pmod 3 \\ 3 \pmod 5 \end{cases}$$

Putting these together yields $a \equiv 23 \pmod{30}$. Since $|a| < 2\sqrt{19} < 9$, we must have $a = -7$.

We start with $l = 2$. We compute

$$x^{19} \equiv x^2 + 13x + 14 \pmod{x^3 + 2x + 1}$$

by successive squaring and then use the result to compute

$$\gcd(x^{19} - x,\ x^3 + 2x + 1) = \gcd(x^2 + 12x + 14,\ x^3 + 2x + 1) = 1.$$

It follows that $x^3 + 2x + 1$ has no roots in $\mathbb{F}_{19}$. Therefore, there is no 2-torsion in $E(\mathbb{F}_{19})$, so $a \equiv 1 \pmod 2$.

Counting points: Schoof's algorithm (example, $l = 3$)

For $l = 3$, we proceed as in Schoof's algorithm and eventually get to $j = 1$. We have $q^2 = 361$ and we have $q \equiv 1 \pmod 3$. Therefore, $q_l = 1$ and we need to check whether

$$(x^{361}, y^{361}) + (x, y) = \pm(x^{19}, y^{19})$$

for $(x, y) \in E[3]$. The third division polynomial is

$$\psi_3 = 3x^4 + 12x^2 + 12x - 4.$$

We compute the $x$-coordinate of $(x^{361}, y^{361}) + (x, y)$:

$$\left(\frac{y^{361} - y}{x^{361} - x}\right)^2 - x^{361} - x = (x^3 + 2x + 1)\left(\frac{(x^3 + 2x + 1)^{180} - 1}{x^{361} - x}\right)^2 - x^{361} - x,$$

where we have used the relation $y^2 = x^3 + 2x + 1$. We need to reduce this mod $\psi_3$. The natural way to start is to use the extended Euclidean algorithm to find the inverse of $x^{361} - x \pmod{\psi_3}$. However,

$$\gcd(x^{361} - x,\ \psi_3) = x - 8 \ne 1,$$

so the multiplicative inverse does not exist. We could remove $x - 8$ from the numerator and denominator of

$$\frac{(x^3 + 2x + 1)^{180} - 1}{x^{361} - x},$$

but this is unnecessary. Instead, we realize that since $x = 8$ is a root of $\psi_3$, the point $(8, 4) \in E(\mathbb{F}_{19})$ has order 3. Therefore,

$$\#E(\mathbb{F}_{19}) = 19 + 1 - a \equiv 0 \pmod 3,$$

so $a \equiv 2 \pmod 3$.
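The $l = 2$ step and the final Chinese-remainder step of the example above, as an added example that is not part of the original slides. It computes $x^q \bmod (x^3 + Ax + B)$ by successive squaring, takes the polynomial gcd, and recombines the residues; the residues for $l = 3$ and $l = 5$ are taken from the slide rather than computed, and the function names are illustrative. Polynomials are coefficient lists, lowest degree first, over a prime field.

```python
def polmod(a, f, p):
    """Remainder of a modulo f over F_p (f non-zero, no trailing zero coefficients)."""
    a = [c % p for c in a]
    inv_lead = pow(f[-1], -1, p)
    while len(a) >= len(f):
        c = a[-1] * inv_lead % p
        shift = len(a) - len(f)
        for i, fc in enumerate(f):
            a[shift + i] = (a[shift + i] - c * fc) % p
        a.pop()                              # leading coefficient is now zero
    while a and a[-1] == 0:
        a.pop()
    return a                                 # [] is the zero polynomial

def polmul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def x_pow_mod(e, f, p):
    """x^e mod f by successive squaring; never builds a degree-e polynomial."""
    result, base = [1], [0, 1]
    while e:
        if e & 1:
            result = polmod(polmul(result, base, p), f, p)
        base = polmod(polmul(base, base, p), f, p)
        e >>= 1
    return result

def polgcd(a, b, p):
    while b:
        a, b = b, polmod(a, b, p)
    return a                                 # not normalised; only its degree is used

def trace_parity(A, B, p):
    """a mod 2 for y^2 = x^3 + Ax + B over F_p: 0 iff the cubic has a root in F_p."""
    f = [B % p, A % p, 0, 1]
    xq = x_pow_mod(p, f, p) + [0, 0]         # pad so the x-coefficient exists
    xq[1] -= 1                               # x^p - x, already reduced mod f
    d = polgcd(f, polmod(xq, f, p), p)
    return 0 if len(d) > 1 else 1

def trace_from_residues(residues, q):
    """CRT-combine {l: a mod l} and pick the representative with |a| <= 2*sqrt(q)."""
    a, M = 0, 1
    for l, r in residues.items():
        t = (r - a) * pow(M, -1, l) % l      # solve a + M*t = r (mod l)
        a, M = a + M * t, M * l
    if M * M <= 16 * q:
        raise ValueError("product of primes must exceed 4*sqrt(q)")
    return a - M if a > M // 2 else a

# Slide example: y^2 = x^3 + 2x + 1 over F_19; a mod 3 and a mod 5 are the slide's values
a = trace_from_residues({2: trace_parity(2, 1, 19), 3: 2, 5: 3}, 19)
GROUP_ORDER = 19 + 1 - a
```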

Factoring and primality testing

The problems of factorization and primality testing are related, but are very different in nature. The largest announced factorization up to the year 2007 was of an integer with 200 digits. However, it was at that time possible to prove primality of primes of several thousand digits.

It is possible to prove that a number is composite without finding a factor. One way is to show that $a^{n-1} \not\equiv 1 \pmod{n}$ for some $a$ with $\gcd(a, n) = 1$.

Theorem (Fermat's little theorem). If $n$ is prime and $\gcd(a, n) = 1$, then $a^{n-1} \equiv 1 \pmod{n}$.

It follows that $n$ must be composite, even though we have not produced a factor.

Factoring and primality testing (continued)

Of course, if $a^{n-1} \equiv 1 \pmod{n}$ for several random choices of $a$, we might suspect that $n$ is probably prime. But how can we actually prove $n$ is prime? If $n$ has only a few digits, we can divide $n$ by each of the primes up to $\sqrt{n}$. However, if $n$ has hundreds of digits, this method will take too long (much longer than the predicted life of the universe).

Definition. If $a^{n-1} \equiv 1 \pmod{n}$, we say that $n$ is a pseudo-prime in base $a$. If $n$ is pseudo-prime for all bases $a$ coprime to $n$, we say it is a Carmichael number.

Similarly, suppose we have proved that a number is composite. How do we find the factors?

Factoring algorithms

In the mid 1980s, Hendrik Lenstra gave new impetus to the study of elliptic curves by developing an efficient factoring algorithm that used elliptic curves. It turned out to be very effective for factoring numbers of around 60 decimal digits, and, for larger numbers, finding prime factors having around 20 to 30 decimal digits.

Example. We want to factor 4453. Let $E$ be the elliptic curve $y^2 = x^3 + 10x - 2 \bmod 4453$ and let $P = (1, 3)$. Let's try to compute $3P$. First, we compute $2P$. The slope of the tangent line at $P$ is

$$\frac{3x^2 + 10}{2y} = \frac{13}{6} \equiv 3713 \pmod{4453}.$$

We used the fact that $\gcd(6, 4453) = 1$ to find $6^{-1} \equiv 3711 \pmod{4453}$. Using this slope, we find that $2P = (x, y)$, with

$$x \equiv 3713^2 - 2 \equiv 4332, \qquad y \equiv -3713(x - 1) - 3 \equiv 3230.$$

Factoring algorithms (example, continued)

To compute $3P$, we add $P$ and $2P$. The slope is

$$\frac{3230 - 3}{4332 - 1} = \frac{3227}{4331}.$$

But $\gcd(4331, 4453) = 61 \ne 1$. Therefore, we have found the factor 61 of 4453, and $4453 = 61 \cdot 73$.

Recall that $E(\mathbb{Z}_{4453}) = E(\mathbb{F}_{61}) \oplus E(\mathbb{F}_{73})$. If we look at the multiples of $P$ mod 61 we have

$$P \equiv (1, 3),\quad 2P \equiv (1, 58),\quad 3P \equiv \infty,\quad 4P \equiv (1, 3),\ \ldots \pmod{61}.$$

However, the multiples of $P$ mod 73 are

$$P \equiv (1, 3),\quad 2P \equiv (25, 18),\quad 3P \equiv (28, 44),\ \ldots,\quad 64P \equiv \infty \pmod{73}.$$

Factoring algorithms (the elliptic curve method)

1. Choose several (usually around 10 to 20) random elliptic curves $E_i : y^2 = x^3 + A_i x + B_i$ and points $P_i \bmod n$.
2. Choose an integer $B$ (perhaps around $10^8$) and compute $(B!)P_i$ on $E_i$ for each $i$.
3. If step 2 fails because some slope does not exist mod $n$, then we have found a factor of $n$.
4. If step 2 succeeds, increase $B$ or choose new random curves $E_i$ and points $P_i$ and start over.

Steps 2, 3 and 4 can often be done in parallel using all of the curves $E_i$ simultaneously.

The elliptic curve method is very successful in finding a prime factor $p$ of $n$ when $p < 10^{40}$.

Primality tests

Suppose $n$ is an integer of several hundred decimal digits. It is usually easy to decide with reasonable certainty whether $n$ is prime or composite. But suppose we actually want to prove that our answer is correct. If $n$ is composite, then usually either we know a nontrivial factor or $n$ failed a pseudoprimality test (for example, perhaps $a^{n-1} \not\equiv 1 \pmod{n}$ for some $a$). Therefore, when $n$ is composite, it is usually easy to prove it, and the proof can be stated in a form that can be checked easily.

But if $n$ is prime, the situation is more difficult. Cohen and Lenstra developed methods involving Jacobi sums that work well for primes of a few hundred digits. However, for primes of a thousand digits or more, the most popular method currently in use involves elliptic curves.

Primality tests (an $n - 1$ criterion)

Proposition. Let $n > 1$ be an integer, and let $n - 1 = rs$ with $r \ge \sqrt{n}$. Suppose that, for each prime $l \mid r$, there exists an integer $a_l$ with

$$a_l^{\,n-1} \equiv 1 \pmod{n} \quad \text{and} \quad \gcd\left(a_l^{(n-1)/l} - 1,\ n\right) = 1.$$

Then $n$ is prime.

The converse can be proved to be also true.
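A checker for the primality certificate described by the proposition above, contrasted with the bare Fermat test, which the Carmichael number 561 passes. This is an added example, not code from the original slides; the function names are illustrative, $r$ is taken to be the full part of $n - 1$ built from the listed primes, and those primes $l$ are assumed to have been proven prime already.

```python
from math import gcd

def l_part(n, primes):
    """r = product of the full powers of the given primes dividing n - 1."""
    r, s = 1, n - 1
    for l in primes:
        while s % l == 0:
            s, r = s // l, r * l
    return r

def witness_ok(n, l, a):
    """The two conditions of the proposition for one prime l and one base a."""
    return pow(a, n - 1, n) == 1 and gcd(pow(a, (n - 1) // l, n) - 1, n) == 1

def verify_certificate(n, witnesses):
    """witnesses maps each prime l | r to a_l. True means n is proven prime."""
    if n < 2 or any((n - 1) % l for l in witnesses):
        return False                          # every l must divide n - 1
    r = l_part(n, witnesses)
    if r * r < n:
        return False                          # the proposition needs r >= sqrt(n)
    return all(witness_ok(n, l, a) for l, a in witnesses.items())

def find_certificate(n, primes):
    """Search bases 2..n-1 for each l; None if some l has no witness (n composite
    or r too small). Exhaustive search is only sensible for small n."""
    cert = {}
    for l in primes:
        a = next((a for a in range(2, n) if witness_ok(n, l, a)), None)
        if a is None:
            return None
        cert[l] = a
    return cert if verify_certificate(n, cert) else None

def fermat_passes(n, a):
    """The weaker test: n is a pseudo-prime in base a."""
    return pow(a, n - 1, n) == 1

# 907 - 1 = 2 * 3 * 151 and 151 >= sqrt(907), so one witness for l = 151 suffices.
CERT_907 = find_certificate(907, [151])
# 561 = 3 * 11 * 17 is a Carmichael number: 560 = 2^4 * 5 * 7, r = 35 >= sqrt(561).
CERT_561 = find_certificate(561, [5, 7])
```

A verifier only needs `verify_certificate`: checking a certificate costs a few modular exponentiations, while finding one requires factoring enough of $n - 1$.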

Primality tests (elliptic curve criterion)

Theorem. Let $n > 1$ and let $E$ be an elliptic curve mod $n$. Suppose there exist distinct prime numbers $l_1, \ldots, l_k$ and finite points $P_i \in E(\mathbb{Z}_n)$ such that

1. $l_i P_i = \infty$ for $1 \le i \le k$.
2. $\prod_{i=1}^{k} l_i > (n^{1/4} + 1)^2$.

Then $n$ is prime.

Primality tests (example)

Example. Let $n = 907$. Let $E$ be the elliptic curve $y^2 = x^3 + 10x - 2 \bmod n$. Let $l = 71$. Then $l > (907^{1/4} + 1)^2 \approx 42.1$. Let $P = (819, 784)$. Then $71P = \infty$ and 907 is prime. Of course, we needed the fact that 71 is prime, which could also be proved using the same result, or by direct calculation.

How did we find $E$ and $P$? First, we looked at a few elliptic curves mod 907 until we found one whose order was divisible by a prime $l$ that was slightly larger than 42.1. (If we had chosen $l \approx 907$ then we would not have made much progress, since we would still have needed to prove the primality of $l$.) In fact, to find the order of the curve, we started with curves where we knew a point. In the present case, $E$ has the point (1, 3). Using Baby Step, Giant Step, we found the order of (1, 3) to be $923 = 13 \cdot 71$. Then we took $P = 13(1, 3)$, which has order 71.