ELLIPTIC CURVES OVER FINITE FIELDS

Similar documents
Introduction to Elliptic Curves

Schoof s Algorithm for Counting Points on E(F q )

ON TORSION POINTS ON AN ELLIPTIC CURVES VIA DIVISION POLYNOMIALS

Elliptic curves and modularity

Number Theory in Cryptology

LECTURE 7, WEDNESDAY

Some new families of positive-rank elliptic curves arising from Pythagorean triples

A Note on Scalar Multiplication Using Division Polynomials

The 8 th International Conference on Science and Mathematical Education in Developing Countries

Public-key Cryptography: Theory and Practice

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

ON A FAMILY OF ELLIPTIC CURVES

Modern Number Theory: Rank of Elliptic Curves

CONSTRUCTION OF HIGH-RANK ELLIPTIC CURVES WITH A NONTRIVIAL TORSION POINT

Cyclic Groups in Cryptography

Mappings of elliptic curves

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

On Orders of Elliptic Curves over Finite Fields

2-ADIC ARITHMETIC-GEOMETRIC MEAN AND ELLIPTIC CURVES

Counting points on elliptic curves over F q

Counting points on elliptic curves: Hasse s theorem and recent developments

Elliptic Curves Spring 2013 Lecture #8 03/05/2013

Arithmetic Progressions Over Quadratic Fields

Twists of elliptic curves of rank at least four

Non-generic attacks on elliptic curve DLPs

COMPUTING MODULAR POLYNOMIALS

THERE ARE NO ELLIPTIC CURVES DEFINED OVER Q WITH POINTS OF ORDER 11

COUNTING POINTS ON ELLIPTIC CURVES OVER F q

On elliptic curves in characteristic 2 with wild additive reduction

The Kummer Pairing. Alexander J. Barrios Purdue University. 12 September 2013

THE NUMBER OF TWISTS WITH LARGE TORSION OF AN ELLITPIC CURVE

Dip. Matem. & Fisica. Notations. Università Roma Tre. Fields of characteristics 0. 1 Z is the ring of integers. 2 Q is the field of rational numbers

CONSTRUCTING SUPERSINGULAR ELLIPTIC CURVES. Reinier Bröker

Outline of the Seminar Topics on elliptic curves Saarbrücken,

HONDA-TATE THEOREM FOR ELLIPTIC CURVES

14 Ordinary and supersingular elliptic curves

AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES

FORMAL GROUPS OF CERTAIN Q-CURVES OVER QUADRATIC FIELDS

Elliptic curves in Huff s model

Formulary for elliptic divisibility sequences and elliptic nets. Let E be the elliptic curve defined over the rationals with Weierstrass equation

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Elliptic Curves over Finite Fields 1

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

The Congruent Number Problem and the Birch and Swinnerton-Dyer Conjecture. Florence Walton MMathPhil

Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

Computing a Lower Bound for the Canonical Height on Elliptic Curves over Q

Abstracts of papers. Amod Agashe

A Remark on Implementing the Weil Pairing

From the elliptic regulator to exotic relations

On attaching coordinates of Gaussian prime torsion points of y 2 = x 3 + x to Q(i)

1.6.1 What are Néron Models?

CONGRUENT NUMBERS AND ELLIPTIC CURVES

Katherine Stange. ECC 2007, Dublin, Ireland

Fully maximal and minimal supersingular abelian varieties

Congruent number elliptic curves of high rank

arxiv:math/ v1 [math.nt] 15 Mar 2001

Math 2070BC Term 2 Weeks 1 13 Lecture Notes

Elliptic Nets and Points on Elliptic Curves

Computing the image of Galois

Definition of a finite group

COMPLEX MULTIPLICATION: LECTURE 14

Elliptic curves, Factorization and Primality Testing Notes for talks given at London South bank University 7, 14 & 21 November 2007 Tony Forbes

Katherine Stange. Pairing, Tokyo, Japan, 2007

IRREDUCIBILITY OF ELLIPTIC CURVES AND INTERSECTION WITH LINES.

Summation polynomials and the discrete logarithm problem on elliptic curves

Fall 2004 Homework 7 Solutions

ON ISOGENY GRAPHS OF SUPERSINGULAR ELLIPTIC CURVES OVER FINITE FIELDS

Two Efficient Algorithms for Arithmetic of Elliptic Curves Using Frobenius Map

Local root numbers of elliptic curves over dyadic fields

The Number of Rational Points on Elliptic Curves and Circles over Finite Fields

NOTES ON FINITE FIELDS

Elliptic Curves and the abc Conjecture

A course in. Elliptic Curves. Taught by T.A. Fisher. Lent 2013

Elliptic Curves. Akhil Mathew (Department of Mathematics Drew UniversityElliptic MathCurves 155, Professor Alan Candiotti) 10 Dec.

Identifying supersingular elliptic curves

How many units can a commutative ring have?

LECTURE 2 FRANZ LEMMERMEYER

A note on López-Dahab coordinates

arxiv: v1 [math.nt] 31 Dec 2011

Algorithm for Concordant Forms

On Partial Lifting and the Elliptic Curve Discrete Logarithm Problem

Mathematics for Cryptography

CORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS

Q N id β. 2. Let I and J be ideals in a commutative ring A. Give a simple description of

Notes on p-divisible Groups

An introduction to the algorithmic of p-adic numbers

AN INTRODUCTION TO ELLIPTIC CURVES

1. Vélu s formulae GENERALIZATION OF VÉLU S FORMULAE FOR ISOGENIES BETWEEN ELLIPTIC CURVES. Josep M. Miret, Ramiro Moreno and Anna Rio

CONGRUENT NUMBERS AND ELLIPTIC CURVES

Projects on elliptic curves and modular forms

Mathematical Research Letters 2, (1995) MODULARITY OF A FAMILY OF ELLIPTIC CURVES. Fred Diamond and Kenneth Kramer

Hyperelliptic Jacobians in differential Galois theory (preliminary report)

Constructing Families of Pairing-Friendly Elliptic Curves

Course 311: Michaelmas Term 2005 Part III: Topics in Commutative Algebra

ELLIPTIC CURVES BJORN POONEN

On some congruence properties of elliptic curves

Weil pairing. Algant: Regensburg and Leiden Elliptic curves and Weil conjectures seminar, Regensburg. Wednesday 22 nd June, 2016.

Explicit Complex Multiplication

LEGENDRE S THEOREM, LEGRANGE S DESCENT

Transcription:

Further ELLIPTIC CURVES OVER FINITE FIELDS FRANCESCO PAPPALARDI #4 - THE GROUP STRUCTURE SEPTEMBER 7 TH 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University of Science, Ho Chi Minh, Vietnam August 31 - September 08, 2015

Definition (Elliptic curve) An elliptic curve over a field K is the data of a non singular Weierstraß equation E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6, a i K If p = char K > 3, E := 1 2 4 ( a 5 1 a 3a 4 8a 3 1 a 2a 3 a 4 16a 1 a 2 2 a 3a 4 + 36a 2 1 a2 3 a 4 a 4 1 a2 4 8a2 1 a 2a 2 4 16a2 2 a2 4 + 96a 1a 3 a 2 4 + 64a3 4 + Further a 6 1 a 6 + 12a 4 1 a 2a 6 + 48a 2 1 a2 2 a 6 + 64a 3 2 a 6 36a 3 1 a 3a 6 144a 1 a 2 a 3 a 6 72a 2 1 a 4a 6 288a 2 a 4 a 6 + 432a 2 6 )

Elliptic curves over K After applying a suitable affine transformation we can always assume that E/K has a Weierstraß equation of the following form Example (Classification (p = char K )) E p E y 2 = x 3 + Ax + B 5 4A 3 + 27B 2 y 2 + xy = x 3 + a 2 x 2 + a 6 2 a 2 6 y 2 + a 3 y = x 3 + a 4 x + a 6 2 a 4 3 Further y 2 = x 3 + Ax 2 + Bx + C 3 4A 3 C A 2 B 2 18ABC +4B 3 + 27C 2 Let E/F q elliptic curve, an extra point. Set E(F q ) = {(x, y) F 2 q : y 2 = x 3 + Ax + B} { }

If P, Q E(F q ), r P,Q : { line through P and Q if P Q tangent line to E at P if P = Q, r P, : vertical line through P Further 3 3 R 2 2 1 P 1 Q 0 0 1 -P 1 P P+ Q 2 2 3 3 2 1 0 1 2 3 4 2 1 0 1 2 3 4 r P, E(F q ) = {P,, P } P := P r P,Q E(F q ) = {P, Q, R} P + E Q := R

Theorem The addition law on E/K (K field) has the following properties: (a) P + E Q E (b) P + E = + E P = P (c) P + E ( P) = (d) P + E (Q + E R) = (P + E Q) + E R (e) P + E Q = Q + E P So (E( K ), + E ) is an abelian group. Remark: If E/K L, K L K, E(L) is an abelian group. P, Q E P E P E P, Q, R E P, Q E Further P = (x 1, y 1 ) = (x 1, a 1 x 1 a 3 y 1 )

Formulas for Addition on E (Summary) P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ) E(K ) \ { }, Addition Laws for the sum of affine points If P 1 P 2 E : y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 x = x P 1 + E P 2 = 1 2 x 1 x 2 λ = y 2 y 1 x 2 x 1 1x ν = 2 y 2x 1 x 2 x 1 If P 1 = P 2 Further 2y + a x + a = 0 P 1 + E P 2 = 2P 1 = 1 1 3 2y 1 + a 1 x + a 3 0 Then λ = 3x 2 1 +2a 2x 1+a 4 a 1y 1 2y 1+a 1x+a 3, ν = a 3y 1+x 3 1 a 4x 1 2a 6 2y 1+a 1x 1+a 3 P 1 + E P 2 = (λ 2 a 1 λ a 2 x 1 x 2, λ 3 a 2 1 λ + (λ + a 1)(a 2 + x 1 + x 2 ) a 3 ν)

Formulas for Addition on E (Summary for special equation) P 1 = (x 1, y 1 ), P 2 = (x 2, y 2 ) E(K ) \ { }, Addition Laws for the sum of affine points If P 1 P 2 E : y 2 = x 3 + Ax + B x = x P 1 + E P 2 = 1 2 x 1 x 2 λ = y 2 y 1 x 2 x 1 1x ν = 2 y 2x 1 x 2 x 1 If P 1 = P 2 Further Then y 1 = 0 y 1 0 λ = 3x 2 +A 1, ν = x 3 Ax 1 1 2B 2y 1 2y 1 P 1 + E P 2 = (λ 2 x 1 x 2, λ 3 + λ(x 1 + x 2 ) ν) P 1 + E P 2 = 2P 1 =

Group Structure Theorem (Classification of finite abelian groups) If G is abelian and finite, n 1,..., n k N >1 such that 1 n 1 n 2 n k 2 G = Cn1 C nk Furthermore n 1,..., n k (Group Structure) are unique Further Example (One can verify that:) C 2400 C 72 C 1440 = C288 C 1800 C 480 Shall show that E(F q ) = Cn C nk n, k N >0 (i.e. E(F q ) is either cyclic (n = 1) or the product of 2 cyclic groups)

Proof of the associativity P + E (Q + E R) = (P + E Q) + E R P, Q, R E We should verify the above in many different cases according if Q = R, P = Q, P = Q + E R,... Here we deal with the generic case. i.e. All the points ±P, ±R, ±Q, ±(Q + E R), ±(P + E Q), all different Mathematica code L[x_,y_,r_,s_]:=(s-y)/(r-x); M[x_,y_,r_,s_]:=(yr-sx)/(r-x); A[{x_,y_},{r_,s_}]:={(L[x,y,r,s]) 2 -(x+r), -(L[x,y,r,s]) 3 +L[x,y,r,s](x+r)-M[x,y,r,s]} Together[A[A[{x,y},{u,v}],{h,k}]-A[{x,y},A[{u,v},{h,k}]]] det = Det[({{1,x 1,x 3 1 -y2 1 },{1,x 2,x 3 2 -y2 2 },{1,x 3,x 3 3 -y2 3 }})] PolynomialQ[Together[Numerator[Factor[res[[1]]]]/det], {x 1,x 2,x 3,y 1,y 2,y 3 }] PolynomialQ[Together[Numerator[Factor[res[[2]]]]/det], {x 1,x 2,x 3,y 1,y 2,y 3 }] Further runs in 2 seconds on a PC For an elementary proof: An Elementary Proof of the Group Law for Elliptic Curves. Department of Mathematics: Rice University. Web. 20 Nov. 2009. http://math.rice.edu/ friedl/papers/aaelliptic.pdf More cases to check. e.g P + E 2Q = (P + E Q) + E Q

EXAMPLE: Elliptic curves over F 2 From our previous list: Groups of points E E(F 2 ) E(F 2 ) y 2 + xy = x 3 + x 2 + 1 {, (0, 1)} 2 y 2 + xy = x 3 + 1 {, (0, 1), (1, 0), (1, 1)} 4 y 2 + y = x 3 + x {, (0, 0), (0, 1), (1, 0), (1, 1)} 5 y 2 + y = x 3 + x + 1 { } 1 Further y 2 + y = x 3 {, (0, 0), (0, 1)} 3 So for each curve E(F 2 ) is cyclic except possibly for the second for which we need to distinguish between C 4 and C 2 C 2. Note: each C i, i = 1,..., 5 is represented by a curve /F 2

EXAMPLE: Elliptic curves over F 3 From our previous list: Groups of points i E i E i (F 3 ) E i (F 3 ) 1 y 2 = x 3 + x {, (0, 0), (2, 1), (2, 2)} C 4 2 y 2 = x 3 x {, (1, 0), (2, 0), (0, 0)} C 2 C 2 3 y 2 = x 3 x + 1 {, (0, 1), (0, 2), (1, 1), (1, 2), (2, 1), (2, 2)} C 7 4 y 2 = x 3 x 1 { } {1} 5 y 2 = x 3 + x 2 1 {, (1, 1), (1, 2)} C 3 6 y 2 = x 3 + x 2 + 1 {, (0, 1), (0, 2), (1, 0), (2, 1), (2, 2)} C 6 7 y 2 = x 3 x 2 + 1 {, (0, 1), (0, 2), (1, 1), (1, 2), } C 5 8 y 2 = x 3 x 2 1 {, (2, 0))} C 2 Further Note: each C i, i = 1,..., 7 is represented by a curve /F 3 ( Exercise: let a ) q be the kronecker symbol. Show that the number of non isomorphic (i.e. inequivalent) classes of elliptic curves over F q is ( ) 4 ( ) 3 2q + 3 + q + 2 q

EXAMPLE: Elliptic curves over F 5 and F 4 E/F 5 (12 elliptic curves), #E(F 5 ) {2, 3, 4, 5, 6, 7, 8, 9, 10}. n, 2 n 10!E/F 5 : #E(F 5 ) = n with the exceptions: Example (Elliptic curves over F 5 ) E 1 : y 2 = x 3 + 1 and E 2 : y 2 = x 3 + 2 both order 6 { x 2x y E 1 and E 2 affinely equivalent over 3y F 5 [ 3] = F 25 (twists) E 3 : y 2 = x 3 + x and E 4 : y 2 = x 3 + x + 2 order 4 Further E 3 (F 5 ) = C2 C 2 E 4 (F 5 ) = C4 E 5 : y 2 = x 3 + 4x and E 6 : y 2 = x 3 + 4x + 1 both order 8 E 5 (F 5 ) = C2 C 4 E 6 (F 5 ) = C8 E 7 : y 2 = x 3 + x + 1 order 9 and E 7 (F 5 ) = C9 Exercise: Classify all elliptic curves over F 4 = F 2 [ξ], ξ 2 = ξ + 1

The j-invariant Let E/K : y 2 = x 3 + Ax + B, p 5 and E := 4A 3 + 27B 2. { x u 2 x y u 3 u K E E u : y 2 = x 3 + u 4 Ax + u 6 B y Definition The j invariant of E is j = j(e) = 1728 4A 3 4A 3 +27B 2 Properties of j invariants 1 j(e) = j(e u ), u K Further 2 j(e /K ) = j(e /K ) u K s.t. E = E u 3 j 0, 1728 E : y 2 = x 3 + 3j 1728 j x + 2j 1728 j, j(e) = j 4 j = 0 E : y 2 = x 3 + B, j = 1728 E : y 2 = x 3 + Ax 5 j : K { K affinely equivalent classes of E/K }. 6 p = 2, 3 different definition if K = F q can take u F q 12

of j invariants From Friday E 1 : y 2 = x 3 + 1 and E 2 : y 2 = x 3 + 2 #E 1 (F 5 ) = #E 2 (F 5 ) = 6 and j(e 1 ) = j(e 2 ) = 0 { x 2x y 3y Definition (twisted curve) Let E/F q : y 2 = x 3 + Ax + B, µ F q \ (F q )2. E µ : y 2 = x 3 + µ 2 Ax + µ 3 B E 1 and E 2 affinely equivalent over F 5 [ 3] = F 25 (twists) Further is called twisted curve. Exercise: prove that j(e) = j(e µ ) E and E µ are F q [ µ] affinely equivalent #E(F q 2 ) = #E µ (F q 2 ) usually #E(F q ) #E µ (F q )

Determining points of order 2 Let P = (x 1, y 1 ) E(F q ) \ { }, P has order 2 2P = P = P So P = (x 1, a 1 x 1 a 3 y 1 ) = (x 1, y 1 ) = P = 2y 1 = a 1 x 1 a 3 If p 2, can assume E : y 2 = x 3 + Ax 2 + Bx + C P = (x 1, y 1 ) = (x 1, y 1 ) = P = y 1 = 0, x 3 1 + Ax 2 1 + Bx 1 + C = 0 Further Note the number of points of order 2 in E(F q ) equals the number of roots of X 3 + Ax 2 + Bx + C in F q roots are distinct since discriminant E 0 E(F q 6 ) has always 3 points of order 2 if E/F q E[2] := {P E( F q ) : 2P = } = C2 C 2

Determining points of order 2 (continues) If p = 2 and E : y 2 + a 3 y = x 3 + a 2 x 2 + a 6 P = (x 1, a 3 + y 1 ) = (x 1, y 1 ) = P = a 3 = 0 Absurd (a 3 = 0) and there are no points of order 2. If p = 2 and E : y 2 + xy = x 3 + a 4 x + a 6 P = (x 1, x 1 + y 1 ) = (x 1, y 1 ) = P = x 1 = 0, y 2 1 = a 6 So there is exactly one point of order 2 namely (0, a 6 ) Further Definition 2 torsion points E[2] = {P E : 2P = }. In conclusion E[2] = { C2 C 2 if p > 2 C 2 if p = 2, E : y 2 + xy = x 3 + a 4 x + a 6 { } if p = 2, E : y 2 + a 3 y = x 3 + a 2 x 2 + a 6

Elliptic curves over F 2, F 3 and F 5 Each curve /F 2 has cyclic E(F 2 ). E E(F 2 ) E(F 2 ) y 2 + xy = x 3 + x 2 + 1 {, (0, 1)} 2 y 2 + xy = x 3 + 1 {, (0, 1), (1, 0), (1, 1)} 4 y 2 + y = x 3 + x {, (0, 0), (0, 1), (1, 0), (1, 1)} 5 y 2 + y = x 3 + x + 1 { } 1 y 2 + y = x 3 {, (0, 0), (0, 1)} 3 E 1 : y 2 = x 3 + x E 2 : y 2 = x 3 x E 1 (F 3 ) = C4 and E 2 (F 3 ) = C2 C 2 Further E 3 : y 2 = x 3 + x E 4 : y 2 = x 3 + x + 2 E 3 (F 5 ) = C2 C 2 and E 4 (F 5 ) = C4 E 5 : y 2 = x 3 + 4x E 6 : y 2 = x 3 + 4x + 1 E 5 (F 5 ) = C2 C 4 and E 6 (F 5 ) = C8

Determining points of order 3 Let P = (x 1, y 1 ) E(F q ) P has order 3 3P = 2P = P Further So, if p > 3 and E : y 2 = x 2 + Ax + B 2P = (x 2P, y 2P ) = 2(x 1, y 1 ) = (λ 2 2x 1, λ 3 + 2λx 1 ν) P has order 3 x 2P = x 1 Substituting λ, x 2P x 1 = 3x 4 1 6Ax 2 1 12Bx 1+A 2 = 0 4(x 3 1 +Ax 1+4B) where λ = 3x 2 1 +A 2y 1, ν = x 3 1 Ax 1 2B 2y 1. Note ψ 3 (x) := 3x 4 + 6Ax 2 + 12Bx A 2 the 3 rd division polynomial (x 1, y 1 ) E(F q ) has order 3 ψ 3 (x 1 ) = 0 E(F q ) has at most 8 points of order 3 If p 3, E[3] := {P E : 3P = } = C3 C 3

Determining points of order 3 (continues) Exercise Let E : y 2 = x 3 + Ax 2 + Bx + C, A, B, C F 3 n. Prove that if P = (x 1, y 1 ) E(F 3 n ) has order 3, then 1 Ax 3 1 + AC B2 = 0 2 E[3] = C3 if A 0 and E[3] = { } otherwise Example (from Friday) If E : y 2 = x 3 + x + 1, then #E(F 5 ) = 9. ψ 3 (x) = (x + 3)(x + 4)(x 2 + 3x + 4) Further Hence { E[3] =, (2, ±1), (1, ± 3), (1 ± 2 3, ±(1 ± } 3)) 1 E(F 5 ) = {, (2, ±1), (0, ±1), (3, ±1), (4, ±2)} = C9 2 Since F 25 = F 5 [ 3] E[3] E(F 25 ) 3 #E(F 25 ) = 27 E(F 25 ) = C3 C 9

Determining points of order 3 (continues) Inequivalent curves /F 7 with #E(F 7 ) = 9. E ψ 3 (x) E[3] E(F 7 ) E(F 7 ) = y 2 = x 3 + 2 x(x + 1)(x + 2)(x + 4) {, (0, ±3), ( 1, ±1), (5, ±1), (3, ±1)} C 3 C 3 y 2 = x 3 + 3x + 2 (x + 2)(x 3 + 5x 2 + 3x + 2) {, (5, ±3)} C 9 y 2 = x 3 + 5x + 2 (x + 4)(x 3 + 3x 2 + 5x + 2) {, (3, ±3)} C 9 y 2 = x 3 + 6x + 2 (x + 1)(x 3 + 6x 2 + 6x + 2) {, (6, ±3)} C 9 Can one count the number of inequivalent E/F q with #E(F q ) = r? Example (A curve over F 4 = F 2 (ξ), ξ 2 = ξ + 1; E : y 2 + y = x 3 ) We know E(F 2 ) = {, (0, 0), (0, 1)} E(F 4 ). E(F 4) = {, (0, 0), (0, 1), (1, ξ), (1, ξ + 1), (ξ, ξ), (ξ, ξ + 1), (ξ + 1, ξ), (ξ + 1, ξ + 1)} Further ψ 3 (x) = x 4 + x = x(x + 1)(x + ξ)(x + ξ + 1) E(F 4 ) = C3 C 3 Exercise (Suppose (x 0, y 0 ) E/F 2 n has order 3. Show that) 1 E : y 2 + a 3 y = x 3 + a 4 x + a 6 x 4 0 + a2 3 x 0 + (a 4 a 3 ) 2 = 0 2 E : y 2 + xy = x 3 + a 2 x 2 + a 6 x 4 0 + x 3 0 + a 6 = 0

Determining points of order (dividing) m Definition (m torsion point) Let E/K and let K an algebraic closure of K. E[m] = {P E( K ) : mp = } Further Theorem (Structure of Torsion Points) Let E/K and m N. If p = char(k ) m, E[m] = Cm C m If m = p r m, p m, E[m] = Cm C m or E[m] = Cm C m E/F p is called { ordinary supersingular if E[p] = Cp if E[p] = { }

Group Structure of E(F q ) Corollary Let E/F q. n, k N are such that Further E(F q ) = Cn C nk Proof. From classification Theorem of finite abelian group E(F q ) = Cn1 C n2 C nr with n i n i+1 for i 1. Hence E(F q ) contains n r 1 points of order dividing n 1. From Structure of Torsion Theorem, #E[n 1 ] n 2 1. So r 2 Theorem (Corollary of Weil Pairing) Let E/F q and n, k N s.t. E(F q ) = Cn C nk. Then n q 1. We shall discuss the proof of the latter tomorrow

Sketch of the proof of Structure Theorem of Torsion Points The division polynomials The proof generalizes previous ideas and determine the points P E(F q ) such that mp = or equivalently (m 1)P = P. Definition (Division Polynomials of E : y 2 = x 3 + Ax + B (p > 3)) ψ 0 =0 ψ 1 =1 ψ 2 =2y ψ 3 =3x 4 + 6Ax 2 + 12Bx A 2 ψ 4 =4y(x 6 + 5Ax 4 + 20Bx 3 5A 2 x 2 4ABx 8B 2 A 3 ). ψ 2m+1 =ψ m+2 ψ 3 m ψ m 1ψ 3 m+1 for m 2 ( ) ψm ψ 2m = (ψ m+2 ψ 2 m 1 2y ψ m 2ψ 2 m+1 ) for m 3 Further The polynomial ψ m Z[x, y] is called the m th division polynomial

The division polynomials Lemma Let E : y 2 = x 3 + Ax + B, (p > 3) and let ψ m Z[x, y] the m th division polynomial. Then Proof is an exercise. ψ 2m+1 Z[x] and ψ 2m 2yZ[x] True ψ 0, ψ 1, ψ 2, ψ 3, ψ 4 and for the rest apply induction, the identity y 2 = x 3 + Ax + B and consider the cases m odd and m even. Lemma ψ m = { y(mx (m2 4)/2 + ) mx (m2 1)/2 + if m is even if m is odd. Further Hence ψ 2 m = m2 x m2 1 + Proof is another exercise on induction:

Theorem (E : Y 2 = X 3 + AX + B elliptic curve, P = (x, y) E) where ( m(x, y) = x ψ m 1ψ m+1 ψ 2 m(x) ) ( ), ψ 2m(x, y) φm (x) = 2ψm(x) 4 ψm(x), ω m(x, y) 2 ψm(x, 3 y) φ m = xψ 2 m ψ m+1ψ m 1, ω m = ψ m+2ψ 2 m 1 ψ m 2ψ 2 m+1 4y We will omit the proof of the above (see [8, Section 9.5]) Exercise (Prove that after substituting y 2 = x 3 + Ax + B) Further 1 φ m (x) Z[x] 2 φ m (x) = x m2 + ψ m (x) 2 = m 2 x m2 1 + 3 ω 2m+1 yz[x], ω 2m Z[x] 4 ω m (x,y) yz(x) ψm 3 (x,y) 5 gcd(ψ 2 m (x), φ m(x)) = 1 this is not really an exercise!! - see [8, Corollary 3.7]

Lemma #E[m] = #{P E( K ) : mp = } { = m 2 if p m < m 2 if p m Further Proof. Consider the homomorphism: If p m, need to show that [m] : E( K ) E( K ), P mp # Ker[m] = #E[m] = m 2 We shall prove that P 0 = (a, b) [m](e( K )) \ { } s.t. #{P E( K ) : mp = P 0 } = m 2 Since E( K ) infinite, we can choose (a, b) [m](e( K )) s.t. 1 ab 0 2 x 0 K : (φ m ψ m 2φ m ψ m )(x 0)ψ m (x 0 ) = 0 a φ m(x 0 ) ψ m 2 (x 0) if p m, conditions imply that φ m (x) aψ 2 m (x) has m 2 = (φ m (x) aψ 2 m (x)) distinct roots in fact φ m (x) = m 2 and ψ 2 m (x) = m2 1

Proof continues. Write The map is a well defined bijection. mp = m(x, y) = ( φ m (x) ψ 2 m (x), ω m(x,y) ψ m (x) 3 ) = ( φ m (x) ψ 2 m (x), yr(x) ) {α K : φ m (α) aψ m (α) 2 = 0} {P E( K ) : mp = (a, b)} α 0 (α 0, br(α 0 ) 1 ) Hence there are m 2 points P E( K ) with mp = (a, b) Further So there are m 2 elements in Ker[m]. If p m, the proof is the same except that φ m (x) aψ m (x) 2 has multiple roots!! In fact φ m (x) aψ m (x)2 = 0

From Lemma, Theorem follows: If p m, apply classification Theorem of finite Groups: E[m] = Cn1 C n2 C nk, n i n i+1. Let l n 1, then E[l] E[m]. Hence l k = l 2 k = 2. So E[m] = Cn1 C n2 Finally n 2 m and n 1 n 2 = m 2 so m = n 1 = n 2. If p m, write m = p j m, p m and Further E[m] = E[m ] E[p j ] = Cm C m E[p j ] The statement follows from: which is done by induction. E[p j ] = { { } C p j and C m C p j = Cm p j

From Lemma, Theorem follows (continues) Induction base: E[p] = { { } C p if follows from #E[p] < p 2 If E[p] = { } E[p j ] = { } j 2: In fact if E[p j ] { } then it would contain some element of order p(contradiction). If E[p] = Cp, then E[p j ] = Cp j j 2: In fact E[p j ] is cyclic (otherwise E[p] would not be cyclic!) Fact: [p] : E( K ) E( K ) is surjective (to be proven tomorrow) If P E and ord P = p j 1 Q E s.t. pq = P and Q = p j. Hence E[p j ] = Cp j since it contains an element of order p j. Further Remark: E[2m + 1] \ { } = {(x, y) E( K ) : ψ 2m+1 (x) = 0} E[2m] \ E[2] = {(x, y) E( K ) : y 1 ψ 2m (x) = 0}

Theorem (Hasse) Let E be an elliptic curve over the finite field F q. Then the order of E(F q ) satisfies q + 1 #E(F q ) 2 q. So #E(F q ) [( q 1) 2, ( q + 1) 2 ] the Hasse interval I q Further Example (Hasse Intervals) q I q 2 {1, 2, 3, 4, 5} 3 {1, 2, 3, 4, 5, 6, 7} 4 {1, 2, 3, 4, 5, 6, 7, 8, 9} 5 {2, 3, 4, 5, 6, 7, 8, 9, 10} 7 {3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13} 8 {4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14} 9 {4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16} 11 {6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18} 13 {7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21} 16 {9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 25} 17 {10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26} 19 {12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28} 23 {15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33} 25 {16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36} 27 {18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38} 29 {20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40} 31 {21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43} 32 {22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44}

Theorem (Waterhouse) Let q = p n and let N = q + 1 a. E/F q s.t.#e(f q ) = N a 2 q and one of the following is satisfied: (i) gcd(a, p) = 1; (ii) n even and one of the following is satisfied: 1 a = ±2 q; 2 p 1 (mod 3), and a = ± q; 3 p 1 (mod 4), and a = 0; (iii) n is odd, and one of the following is satisfied: 1 p = 2 or 3, and a = ±p (n+1)/2 ; 2 a = 0. Further Example (q prime N I q, E/F q, #E(F q ) = N. q not prime:) q a 4 = 2 2 { 4, 3, 2, 1, 0, 1, 2, 3, 4} 8 = 2 3 { 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5} 9 = 3 2 { 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6} 16 = 2 4 { 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8} 25 = 5 2 { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10} 27 = 3 3 { 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10} 32 = 2 5 { 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}

Theorem (Rück) Suppose N is a possible order of an elliptic curve /F q, q = p n. Write N = p e n 1 n 2, p n 1 n 2 and n 1 n 2 (possibly n 1 = 1). There exists E/F q s.t. E(F q ) = Cn1 C n2 p e if and only if 1 n 1 = n 2 in the case (ii).1 of ; 2 n 1 q 1 in all other cases of. Example Further If q = p 2n and #E(F q ) = q + 1 ± 2 q = (p n ± 1) 2, then E(F q ) = Cp n ±1 C p n ±1. Let N = 100 and q = 101 E 1, E 2, E 3, E 4 /F 101 s.t. E 1 (F 101 ) = C10 C 10 E 2 (F 101 ) = C2 C 50 E 3 (F 101 ) = C5 C 20 E 4 (F 101 ) = C100

Further Reading... Further IAN F. BLAKE, GADIEL SEROUSSI, AND NIGEL P. SMART, Advances in elliptic curve cryptography, London Mathematical Society Lecture Note Series, vol. 317, Cambridge University Press, Cambridge, 2005. J. W. S. CASSELS, Lectures on elliptic curves, London Mathematical Society Student Texts, vol. 24, Cambridge University Press, Cambridge, 1991. JOHN E. CREMONA, Algorithms for modular elliptic curves, 2nd ed., Cambridge University Press, Cambridge, 1997. ANTHONY W. KNAPP, Elliptic curves, Mathematical Notes, vol. 40, Princeton University Press, Princeton, NJ, 1992. NEAL KOBLITZ, Introduction to elliptic curves and modular forms, Graduate Texts in Mathematics, vol. 97, Springer-Verlag, New York, 1984. JOSEPH H. SILVERMAN, The arithmetic of elliptic curves, Graduate Texts in Mathematics, vol. 106, Springer-Verlag, New York, 1986. JOSEPH H. SILVERMAN AND JOHN TATE, Rational points on elliptic curves, Undergraduate Texts in Mathematics, Springer-Verlag, New York, 1992. LAWRENCE C. WASHINGTON, Elliptic curves: Number theory and cryptography, 2nd ED. Discrete Mathematics and Its Applications, Chapman & Hall/CRC, 2008. HORST G. ZIMMER, Computational aspects of the theory of elliptic curves, Number theory and applications (Banff, AB, 1988) NATO Adv. Sci. Inst. Ser. C Math. Phys. Sci., vol. 265, Kluwer Acad. Publ., Dordrecht, 1989, pp. 279 324.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback