A normal form for elliptic curves in characteristic 2

Similar documents
Arithmetic of split Kummer surfaces: Montgomery endomorphism of Edwards products

Structure of elliptic curves and addition laws

Efficient arithmetic on elliptic curves in characteristic 2

LECTURE 7, WEDNESDAY

Models of Elliptic Curves

CORRESPONDENCE BETWEEN ELLIPTIC CURVES IN EDWARDS-BERNSTEIN AND WEIERSTRASS FORMS

Introduction to Arithmetic Geometry Fall 2013 Lecture #24 12/03/2013

Edwards Curves and the ECM Factorisation Method

The Rationality of Certain Moduli Spaces of Curves of Genus 3

Mappings of elliptic curves

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Elliptic curves in Huff s model

Parameterization of Edwards curves on the rational field Q with given torsion subgroups. Linh Tung Vo

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)

REPRESENTATION THEORY WEEK 5. B : V V k

COMPLEX MULTIPLICATION: LECTURE 13

Elliptic Curves Spring 2015 Lecture #23 05/05/2015

Parametrizations for Families of ECM-Friendly Curves

Constructing genus 2 curves over finite fields

Elliptic Curves and Public Key Cryptography

1 The Galois Group of a Quadratic

Twisted Jacobi Intersections Curves

Introduction to Arithmetic Geometry

Twisted Hessian curves

A New Model of Binary Elliptic Curves with Fast Arithmetic

LARGE TORSION SUBGROUPS OF SPLIT JACOBIANS OF CURVES OF GENUS TWO OR THREE

Elliptic curves and modularity

Explicit Kummer Varieties for Hyperelliptic Curves of Genus 3

12. Hilbert Polynomials and Bézout s Theorem

Outline of the Seminar Topics on elliptic curves Saarbrücken,

Algebra Homework, Edition 2 9 September 2010

David Eklund. May 12, 2017

Integral points of a modular curve of level 11. by René Schoof and Nikos Tzanakis

V (f) :={[x] 2 P n ( ) f(x) =0}. If (x) ( x) thenf( x) =

1 Flat, Smooth, Unramified, and Étale Morphisms

Algebraic Geometry Spring 2009

disc f R 3 (X) in K[X] G f in K irreducible S 4 = in K irreducible A 4 in K reducible D 4 or Z/4Z = in K reducible V Table 1

TAMAGAWA NUMBERS OF ELLIPTIC CURVES WITH C 13 TORSION OVER QUADRATIC FIELDS

Finite affine planes in projective spaces

Twists of elliptic curves of rank at least four

The moduli space of binary quintics

Cyclic Groups in Cryptography

Elliptic Curves and Elliptic Functions

Elliptic Curves over Q

MATH 101A: ALGEBRA I, PART D: GALOIS THEORY 11

Isogeny invariance of the BSD conjecture

14. Rational maps It is often the case that we are given a variety X and a morphism defined on an open subset U of X. As open sets in the Zariski

Introduction to Arithmetic Geometry Fall 2013 Lecture #17 11/05/2013

ALGORITHMS FOR ALGEBRAIC CURVES

Addition laws on elliptic curves. D. J. Bernstein University of Illinois at Chicago. Joint work with: Tanja Lange Technische Universiteit Eindhoven

PARAMETRIZATIONS FOR FAMILIES OF ECM-FRIENDLY CURVES

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 45

MANIN-MUMFORD AND LATTÉS MAPS

Cover Page. The handle holds various files of this Leiden University dissertation

Arithmetic of Elliptic Curves. Christophe Doche and Tanja Lange

Arithmetic Progressions Over Quadratic Fields

Lecture 1. Toric Varieties: Basics

Math 676. A compactness theorem for the idele group. and by the product formula it lies in the kernel (A K )1 of the continuous idelic norm

LECTURE 2 FRANZ LEMMERMEYER

Groups that Distribute over Stars

Math 203, Solution Set 4.

22M: 121 Final Exam. Answer any three in this section. Each question is worth 10 points.


ANALYSIS OF SMALL GROUPS

AN ELEMENTARY PROOF OF THE GROUP LAW FOR ELLIPTIC CURVES

GALOIS EMBEDDING OF ALGEBRAIC VARIETY AND ITS APPLICATION TO ABELIAN SURFACE. Hisao Yoshihara

Coding theory: algebraic geometry of linear algebra David R. Kohel

Shult Sets and Translation Ovoids of the Hermitian Surface

THE PERIOD-INDEX PROBLEM IN WC-GROUPS III: BICONIC CURVES

Periodic continued fractions and elliptic curves over quadratic fields arxiv: v2 [math.nt] 25 Nov 2014

Elliptic Curves: An Introduction

Modern Number Theory: Rank of Elliptic Curves

Elliptic Nets and Points on Elliptic Curves

ARCS IN FINITE PROJECTIVE SPACES. Basic objects and definitions

Pairing computation on Edwards curves with high-degree twists

Public-key Cryptography: Theory and Practice

Fast arithmetic and pairing evaluation on genus 2 curves

Addition in the Jacobian of non-hyperelliptic genus 3 curves and rationality of the intersection points of a line with a plane quartic

Math 429/581 (Advanced) Group Theory. Summary of Definitions, Examples, and Theorems by Stefan Gille

Néron Models of Elliptic Curves.

Inverted Edwards coordinates

Introduction to Elliptic Curves

Critical Groups of Graphs with Dihedral Symmetry

Algorithm for Concordant Forms

ON ISOTROPY OF QUADRATIC PAIR

1. Projective geometry

1 Rings 1 RINGS 1. Theorem 1.1 (Substitution Principle). Let ϕ : R R be a ring homomorphism

Elliptic Curves Spring 2015 Lecture #7 02/26/2015

10. Smooth Varieties. 82 Andreas Gathmann

Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

Side-Channel Attacks in ECC: A General Technique for Varying the Parametrization of the Elliptic Curve

Curves with many points Noam D. Elkies

ABSTRACT NONSINGULAR CURVES

D-MATH Algebraic Geometry FS 2018 Prof. Emmanuel Kowalski. Solutions Sheet 1. Classical Varieties

CS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions. 3. (a)

Theorem 6.1 The addition defined above makes the points of E into an abelian group with O as the identity element. Proof. Let s assume that K is

Elliptic Curves Spring 2017 Lecture #5 02/22/2017

Toric forms of elliptic curves and their arithmetic

Transcription:

A normal form for elliptic curves in characteristic 2 David R. Kohel Institut de Mathématiques de Luminy Arithmetic, Geometry, Cryptography et Coding Theory 2011 CIRM, Luminy, 15 March 2011

Edwards model for elliptic curves In 2007, Edwards introduced a new model for elliptic curves, defined by the affine model x 2 + y 2 = a 2 (1 + z 2 ), z = xy, over any field k of characteristic different from 2. The complete linear system associated to the degree 4 model determines a nonsingular model in P 3 with identity O = (a : 0 : 1 : 0): a 2 (X 2 0 + X2 3 ) = X2 1 + X2 2, X 0X 3 = X 1 X 2, as a family of curves over k(a) = k(x(4)). Lange and Bernstein introduced a rescaling to descend to k(d) = k(a 4 ) = k(x 1 (4)), and subsequently (with Joye, Birkner, and Peters) a quadratic twist by c, to define the twisted Edwards model with O = (1 : 0 : 1 : 0): X 2 0 + dx2 3 = cx2 1 + X2 2, X 0X 3 = X 1 X 2.

Edwards model for elliptic curves Properties: 1 The divisor at infinity is equivalent to 3(O) + (T ) where T = (1 : 0 : 1 : 0). 2 The model admits a factorization S (π 1 π 2 ) through P 1 P 1, where π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 2 : X 3 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 2 ) = (X 1 : X 3 ), and S is the Segre embedding S((U 0 : U 1 ), (V 0 : V 1 )) = (U 0 V 0 : U 1 V 0 : U 0 V 1 : U 1 V 1 ). Remark: The inverse morphism is [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 : X 2 : X 3 ), hence the embedding and the factorization are symmetric.

Edwards model for elliptic curves The remarkable property of the Edwards model is that the symmetry of the embedding and factorization implies that the composition of the addition morphism µ : E E E with each of the projectons π i : E P admits a basis of bilinear defining polynomials. For π 1 µ, we have { } (X0 Y 0 + dx 3 Y 3, X 1 Y 2 + X 2 Y 1 ),, (cx 1 Y 1 + X 2 Y 2, X 0 Y 3 + X 3 Y 0 ) and for π 2 µ, we have { (X1 Y 2 X 2 Y 1, X 0 Y 3 + X 3 Y 0 ), (X 0 Y 0 dx 3 Y 3, cx 1 Y 1 + X 2 Y 2 ) }. Addition laws given by polynomial maps of bidegree (2, 2) are recovered by composing with the Segre embedding.

A few lemmas (symmetric condition) Lemma L(D) is symmetric if and only if L(D) = L((d 1)(O) + (T )) for some T in E[2]. As opposed to prior models (Weierstrass, Hessian, Jacobi), the Edwards model is symmetric but not defined by D d(o) perhaps this is why it escaped description until the 21st century. Lemma Let E P r be an embedding with respect to the complete linear system of a divisor D. Then L(D) is symmetric if and only if [ 1] is projectively linear. The property that D is symmetric is stronger it implies that the automorphism inducing [ 1] fixes a line X 0 = 0 (cutting out D).

A few lemmas (linear translations) Lemma Let E P r be embedded with respect to the complete linear system of a divisor D, let T be in E( k), and let τ T be the translation-by-t morphism. The following are equivalent: τt (D) D. [deg(d)]t = O. τ T is induced by a projective linear automorphism of P r. These lemmas motivate the study of symmetric quartic models of elliptic curves with a rational 4-torsion point T. For such a model, we obtain a 4-dimensional representation of D 4 = [ 1] τt, induced by the action on the global sections Γ(E, L(D)) = k 4.

Construction of a normal form in char(k) = 2 Suppose that E/k is an elliptic curve with char(k) = 2. In view of the previous lemmas and the properties of Edwards normal form, we consider reasonable hypotheses for a characteristic 2 analog. 1 The embedding of E P 3 is a quadratic intersection. 2 E has a rational 4-torsion point T. 3 The group [ 1] τ T = D 4 acts by coordinate permutation, and in particular τ T (X 0 : X 1 : X 2 : X 3 ) = (X 3 : X 0 : X 1 : X 2 ). 4 There exists a symmetric factorization of E through P 1 P 1. Combining conditions 3 and 4, we assume that E lies in the skew Segre image X 0 X 2 = X 1 X 3 of P 1 P 1.

Construction of the normal form... In order for the representation of τ T to stabilize the image of P 1 P 1, we have P 1 P 1 S P 3, where S is defined by X 0 X 2 = X 1 X 3 and π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 3 : X 2 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 ) = (X 1 : X 2 ). Secondly, up to isomorphism, there are two permutation representations of D 4, both having the same image. The two representations are distinguished by the image of [ 1]: 0 0 0 1 0 0 1 0 0 1 0 0 1 0 0 0 or 1 0 0 0 0 0 0 1 0 0 1 0 0 1 0 0

Construction of the normal form... In order for the representation of τ T to stabilize the image of P 1 P 1, we have P 1 P 1 S P 3, where S is defined by X 0 X 2 = X 1 X 3 and π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 3 : X 2 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 ) = (X 1 : X 2 ). Secondly, up to isomorphism, there are two permutation representations of D 4, both having the same image. The two representations are distinguished by the image of [ 1]: or [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 3 : X 2 : X 1 : X 0 ), [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 : X 2 : X 1 ).

Construction of a normal form... Considering the form of the projection morphisms from X 0 X 2 = X 1 X 3 : π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 3 : X 2 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 ) = (X 1 : X 2 ), we see that only the first of the possible actions of [ 1]: [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 3 : X 2 : X 1 : X 0 ), [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 : X 2 : X 1 ), stabilizes π 1 and π 2 (the second exchanges them). It remains to consider the forms of degree 2 which are D 4 -invariant modulo the relation X 0 X 2 = X 1 X 3, which is spanned by { (X0 + X 1 + X 2 + X 3 ) 2, (X 0 + X 2 )(X 1 + X 3 ), X 0 X 2 }.

Construction of a normal form... It follows that an elliptic curve satisfying the hypotheses must be the intersection of X 0 X 2 = X 1 X 3 with a form a (X 0 + X 1 + X 2 + X 3 ) 2 + b (X 0 + X 2 )(X 1 + X 3 ) + c X 0 X 2 = 0. Moreover, in order to be invariant under [ 1], the identity lies on the line X 0 = X 3, X 1 = X 2, hence b (X 0 + X 1 ) 2 + c X 0 X 1 = 0. If c = 0, we obtain O = (1 : 1 : 1 : 1), which is fixed by τ T, a contradiction. If b = 0, we may take O = (1 : 0 : 0 : 1), S = (0 : 1 : 1 : 0) = 2T. For any other nonzero b and c we can transform the model to such a normal form with b = 0.

A normal form in characteristic 2 This construction determines a normal form in P 3 for elliptic curves E/k with rational 4-torsion point T : (X 0 + X 1 + X 2 + X 3 ) 2 = cx 0 X 2 = cx 1 X 3. 1 The identity is O = (1 : 0 : 0 : 1) and T = (1 : 1 : 0 : 0). 2 The translation by T morphism is given by: τ T (X 0 : X 1 : X 2 : X 3 ) = (X 3 : X 0 : X 1 : X 2 ). 3 The inverse morphism is defined by: [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 3 : X 2 : X 1 : X 0 ). 4 E admits a factorization through P 1 P 1, where π 1 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 1 ) = (X 3 : X 2 ), π 2 (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 ) = (X 1 : X 2 ), Remark: X 0 + X 1 + X 2 + X 3 = 0 cuts out Z/4Z = T.

An alternative normal form What happens if we drop the symmetry of the factorization? The alternative permutation representation for [ 1] is given by [ 1](X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 3 : X 2 : X 1 ), and on X 0 X 2 = X 1 X 3 an elliptic curve must still be the intersection with an invariant form: a (X 0 + X 1 + X 2 + X 3 ) 2 + b (X 0 + X 2 )(X 1 + X 3 ) + c X 0 X 2 = 0. The new condition for O to be fixed by [ 1] is that it lies on X 1 = X 3, hence a (X 0 + X 2 ) 2 + c X 0 X 2 = 0. Analogously, we find a = 0, with O = (1 : 0 : 0 : 0), giving the normal form (X 0 + X 2 )(X 1 + X 3 ) = c X 0 X 2 = c X 1 X 3.

An alternative normal form This above form lacks the symmetric projections π 1 and π 2 ; and the divisor class defining the embedding is equivalent to 4(O). A transformation of the ambient space: ι(x 0, X 1, X 2, X 3 ) = ( c X 0 + X 1 + X 3, X 0 + c X 1 + X 2, X 1 + c X 2 + X 3, X 0 + X 2 + c X 3 ) yields a new normal form with identity O = (c : 1 : 0 : 1): (X 0 + X 2 ) 2 = c 2 X 1 X 3, (X 1 + X 3 ) 2 = c 2 X 0 X 2. Remark: The hyperplane X 2 = 0 cuts out 4(O). We refer to this as the (split) µ 4 -normal form for an elliptic curve, and the prior model as Z/4Z-normal form.

Construction of the µ 4 -normal form The simplest addition on elliptic curves are obtained as eigenvectors for the action of a torsion subgroup on elliptic curve models (Edwards excluded) for which a cyclic torsion subgroup acts as a coordinate scaling by µ n. In the case of the Edwards model, we twist the constant subgroup scheme Z/4Z by 1 in order to have a µ 4, and diagonalize the torsion action. This gives an isomorphism E C, where E is the twisted Edwards curve X 2 0 + X 2 1 = X 2 2 16rX 2 3, X 0 X 3 = X 1 X 2, and C is the µ 4 -normal form: C : X 2 0 rx 2 2 = X 1 X 3, X 2 1 X 2 3 = X 0 X 2. (X 0 : X 1 : X 2 : X 3 ) (X 0 : X 1 + X 2 : X 3 : X 1 + X 2 ).

The hierarchy of µ 4 -normal forms Noting that k(r) = k(x 1 (4)), we consider normal forms for this family under the base extensions k(r) = k(x 0 (4)) k(s) = k(x(γ(2) Γ 0 (4))) k(t) = k(x(4)) Let C 0 be the elliptic curve in µ 4 -normal form described above: X 2 0 rx2 2 = X 1X 3, X 2 1 X2 3 = X 0X 2, If s = 1/r 2, then renormalization of X 2 gives the curve C 1 : X 2 0 X2 2 = X 1X 3, X 2 1 X2 3 = sx 0X 2. Finally if s = t 4, a rescaling of X 0 and X 2 gives the elliptic curve C 2 with identity (t : 1 : 0 : 1) and full level 4 structure: X 2 0 X2 2 = t2 X 1 X 3, X 2 1 X2 3 = t2 X 0 X 2.

The split µ 4 -normal form Let k be a field, and consider the elliptic curve C 2 in split µ 4 -normal form X 2 0 X2 2 = t2 X 1 X 3, X 2 1 X2 3 = t2 X 0 X 2, with identity O = (t : 1 : 0 : 1). The inverse morphism is given by the with (X 0, X 1, X 2, X 3 ) (X 0, X 3, X 2, X 1 ), C 2 [2](k) = {O, ( e : 1 : 0 : 1), (0 : 1 : e : 1), (0 : 1 : e : 1)}. The divisor X 2 = 0 defines a subgroup µ 4 E[4], with rational points in k[i] = k[x]/(x 2 + 1): µ 4 (k) = {O, (it : 1 : 0 : 1), ( t : 1 : 0 : 1), ( it : 1 : 0 : 1)}, and a constant subgroup Z/4Z E[4] is given by Z/4Z(k) = {O, (1 : t : 1 : 0), (0 : 1 : t : 1), ( 1 : 0 : 1 : t)}.

Construction of the Z/4Z-normal form On the Edwards model, the automorphism τ T acts by τ T (X 0 : X 1 : X 2 : X 3 ) = (X 0 : X 2 : X 1 : X 3 ), as a result, τ T induces a cyclic permutation of the forms U 0 = X 0 + X 1 + X 2 + X 3, U 1 = X 0 + X 1 X 2 X 3, U 2 = X 0 X 1 X 2 + X 3, U 3 = X 0 X 1 + X 2 X 3. which transforms the Edwards curve (with identity (1 : 0 : 1 : 0)) X 2 0 + (16u + 1)X 2 3 = X 2 1 X 2 2, X 0 X 3 = X 1 X 2 to the elliptic curve (with identity (1 : 0 : 0 : 1)) (U 0 U 1 + U 2 U 3 ) 2 = 1/u U 0 U 2 = 1/u U 1 U 3.

Addition law structure for µ 4 -normal form The interest in alternative models of elliptic curves has been driven by the simple form of addition laws the polynomial maps which define the addition morphism µ : E E E as rational maps. Theorem Let E/k, char(k) = 2, be an elliptic curve in µ 4 -normal form: (X 0 + X 2 ) 2 + c 2 X 1 X 3, (X 1 + X 3 ) 2 + c 2 X 0 X 2. A basis for bidegree (2, 2)-addition laws is ( X 2 3 Y 2 1 + X2 1 Y 3 2, c (X 0X 3 Y 1 Y 2 + X 1 X 2 Y 0 Y 3 ), X2 2Y 0 2 + X2 0 Y 2 2, c (X 2X 3 Y 0 Y 1 + X 0 X 1 Y 2 Y 3 ) ), ( X 2 0 Y 2 0 + X2 2 Y 2 2, c (X 0X 1 Y 0 Y 1 + X 2 X 3 Y 2 Y 3 ), X 2 1 Y 2 1 + X2 3 Y 2 3, c (X 1X 2 Y 1 Y 2 + X 0 X 3 Y 0 Y 3 ) ), ( X2X 3Y 1Y 2 + X 0X 1Y 0Y 3, c (X 0X 2Y2 2 + X2 1 Y1Y3), X1X2Y0Y1 + X0X3Y2Y3, c (X2 2Y0Y2 + X1X3Y 2 3 ) ), ( X0X 3Y 0Y 1 + X 1X 2Y 2Y 3, c (X 1X 3Y1 2 + X2 2Y0Y2), X0X1Y1Y2 + X2X3Y0Y3, c (X0X2Y 2 2 + X2 3 Y1Y3) )

Addition law structure for Z/4Z-normal form Theorem Let E/k, char(k) = 2, be an elliptic curve in Z/4Z-normal form: (X 0 + X 1 + X 2 + X 3 ) 2 = cx 0 X 2 = cx 1 X 3. A basis for the bilinear addition law projections for π 1 µ is { (X0 Y 3 + X 2 Y 1, X 1 Y 0 + X 3 Y 2 ), (X 1 Y 2 + X 3 Y 0, X 0 Y 1 + X 2 Y 3 ) and for π 2 µ is: { (X0 Y 0 + X 2 Y 2, X 1 Y 1 + X 3 Y 3 ), (X 1 Y 3 + X 3 Y 1, X 0 Y 2 + X 2 Y 0 ) Addition laws of bidegree (2, 2) are recovered by composition with the skew-segre embedding: S((U 0 : U 1 ), (V 0 : V 1 )) = (U 0 V 0 : U 1 V 0 : U 1 V 1 : U 1 V 0 ). }, } The addition laws are independent of the curve parameters!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback