Elliptic Curves, Factorization, and Cryptography

Similar documents
Elliptic Curves: Theory and Application

Elliptic Curves and Mordell s Theorem

Algebraic Geometry: Elliptic Curves and 2 Theorems

On the Torsion Subgroup of an Elliptic Curve

A WHIRLWIND TOUR BEYOND QUADRATICS Steven J. Wilson, JCCC Professor of Mathematics KAMATYC, Wichita, March 4, 2017

Elliptic Curves and Public Key Cryptography

LECTURE 7, WEDNESDAY

Chapter 4 Finite Fields

x = x y and y = x + y.

Torsion Points of Elliptic Curves Over Number Fields

Introduction to Arithmetic Geometry

A gentle introduction to elliptic curve cryptography

One can use elliptic curves to factor integers, although probably not RSA moduli.

Elliptic Curve Cryptography with Derive

CS 259C/Math 250: Elliptic Curves in Cryptography Homework 1 Solutions. 3. (a)

Discrete Logarithm Problem

LECTURE 2 FRANZ LEMMERMEYER

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

RATIONAL POINTS ON CURVES. Contents

Introduction to Elliptic Curve Cryptography. Anupam Datta

Objective Type Questions

Public-key Cryptography: Theory and Practice

Arithmetic Progressions Over Quadratic Fields

Some Highlights along a Path to Elliptic Curves

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Basic elements of number theory

Basic elements of number theory

Elliptic Curves. Akhil Mathew (Department of Mathematics Drew UniversityElliptic MathCurves 155, Professor Alan Candiotti) 10 Dec.

Public-key Cryptography and elliptic curves

2.1 Affine and Projective Coordinates

FINITE GROUPS AND EQUATIONS OVER FINITE FIELDS A PROBLEM SET FOR ARIZONA WINTER SCHOOL 2016

Finite Fields. Mike Reiter

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

ELLIPTIC CURVES BJORN POONEN

Introduction to Elliptic Curve Cryptography

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Polynomials. Chapter 4

The Chinese Remainder Theorem

Introduction to Cryptology. Lecture 19

Elliptic curves, Factorization and Primality Testing Notes for talks given at London South bank University 7, 14 & 21 November 2007 Tony Forbes

CPSC 467: Cryptography and Computer Security

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:

Congruence of Integers

Introduction to Arithmetic Geometry Fall 2013 Lecture #2 09/10/2013

Congruent number elliptic curves of high rank

CPSC 467b: Cryptography and Computer Security

LEGENDRE S THEOREM, LEGRANGE S DESCENT

Theorem 6.1 The addition defined above makes the points of E into an abelian group with O as the identity element. Proof. Let s assume that K is

Number Theory in Cryptology

Mathematical Foundations of Cryptography

Counting Points on Curves of the Form y m 1 = c 1x n 1 + c 2x n 2 y m 2

Projective space. There are some situations when this approach seems to break down; for example with an equation like f(x; y) =y 2 (x 3 5x +3) the lin

Counting points on elliptic curves: Hasse s theorem and recent developments

An Introduction to Elliptic Curve Cryptography

Elliptic Curve Cryptosystems

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Introduction to Algebraic Geometry. Franz Lemmermeyer

Elliptic Curve Discrete Logarithm Problem

Elliptic Curve Crytography: A Computational Science Model

Definition of a finite group

HOME ASSIGNMENT: ELLIPTIC CURVES OVER FINITE FIELDS

CONTINUED FRACTIONS, PELL S EQUATION, AND TRANSCENDENTAL NUMBERS

Isogeny invariance of the BSD conjecture

Elliptic Curve Cryptography

COMPUTER ARITHMETIC. 13/05/2010 cryptography - math background pp. 1 / 162

LECTURE 5, FRIDAY

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Number Fields Generated by Torsion Points on Elliptic Curves

SKILL BUILDER TEN. Graphs of Linear Equations with Two Variables. If x = 2 then y = = = 7 and (2, 7) is a solution.

Updated: January 16, 2016 Calculus II 7.4. Math 230. Calculus II. Brian Veitch Fall 2015 Northern Illinois University

Grade 11/12 Math Circles Rational Points on an Elliptic Curves Dr. Carmen Bruni November 11, Lest We Forget

Elliptic curve cryptography. Matthew England MSc Applied Mathematical Sciences Heriot-Watt University

Elliptic Curve Cryptography

Math 445 Handy facts since the second exam

1. Projective geometry

Coding Theory ( Mathematical Background I)

CS 6260 Some number theory

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Roots and Coefficients Polynomials Preliminary Maths Extension 1

Arithmétique et Cryptographie Asymétrique

RSA Cryptosystem and Factorization

Math Theory of Number Homework 1

CONGRUENT NUMBERS AND ELLIPTIC CURVES

ax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d

The complexity of Diophantine equations

Non-generic attacks on elliptic curve DLPs

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Pythagoras = $1 million problem. Ken Ono Emory University

Irrationality of 2 and Arakelov Geometry

Outline of the Seminar Topics on elliptic curves Saarbrücken,

LECTURE 10, MONDAY MARCH 15, 2004

Local properties of plane algebraic curves

Lecture Notes. Advanced Discrete Structures COT S

ELLIPTIC CURVES AND CRYPTOGRAPHY

Points of Finite Order

Tomáš Madaras Congruence classes

Elliptic Nets and Points on Elliptic Curves

Definitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations

Transcription:

Elliptic Curves, Factorization, and Cryptography Brian Rhee MIT PRIMES May 19, 2017

RATIONAL POINTS ON CONICS The following procedure yields the set of rational points on a conic C given an initial rational point: Take the initial point O, and from that point project the conic C onto a rational line L. Then, all points mapped to a rational point were originally rational points, and vice versa. Figure: Projecting a conic onto a line

RATIONAL POINTS ON CONICS If O and P are both rational points, then Q is also a rational point, since two rational lines always intersect at a rational point. If O and Q are rational points, then O and P are the roots of the intersection of a conic and a line: ax 2 + bxy + cy 2 + dx + ey + f = 0 Simplifies to a quadratic by substituting y = mx + g, which is our line L. Since the coefficients of the conic and the line are rational, the coefficients of the quadratic are also rational. This implies the sum of the roots are rational, but one root (O) is already rational, so P must be as well. This shows the bijection between rational points on C and rational points on L.

ELLIPTIC CURVES Our reading group mainly focused on the study of polynomials of degree 3 and genus 1. One such example is Bachet s equation. By fixing an integer c Z, we look for rational solutions to the Diophantine equation y 2 x 3 = c The solutions to these equations using real numbers are called cubic curves or elliptic curves, each of which is of the form y 2 = ax 3 + bx 2 + cx + d but can be simplified into the Weierstrass form by substituting x = x b 3a : y 2 = ax 3 + bx + c

PROJECTIVE PLANE We can transform these elliptic curves into the projective plane by substituting y = Y Z and x = X Z. Now, the curves become Y 2 Z = a X 3 + b X Z 2 + c Z 3 Now, each point is expressed as [X, Y, Z]. If Z = 0, then the point at infinity must be on the line y = Y X x. Otherwise, the point is ( X Z, Y Z ). This also means that the point [X, Y, Z] is the same as the point [kx, ky, kz] Plugging in Z = 0 yields x = 0, so [0, 1, 0] is the only point at infinity on each elliptic curve, denoted as O.

BEZOUT S LAW Bezout s law for general curves states that for a curve of degree m and a curve of degree n, including overlapping points such as tangency, they intersect at exactly mn points in the projective plane. Figure: The two cubics intersect at nine points

ADDITION OF POINTS ON ELLIPTIC CURVES To define the addition of points on elliptic curves, we need to first define the operation. Figure: The operation

ADDITION OF POINTS ON ELLIPTIC CURVES, CONT. To add P and Q, take the third intersection point P Q, join it to O by a line, and then take the third intersection point to be P + Q. In other words, set P + Q = O (P Q). Figure: Addition of P and Q

GROUPS A group is a set of elements with an operation that satisfies the condition of closure, associativity, identity and inverse. An abelian group is a group that satisfies the commutativity property.

IDENTITY ELEMENT Figure: O acts as an Identity Element Because O acts as the Identity Element, with the operation being +, which is obviously commutative, we see that the points on the elliptic curve becomes a group, an abelian one at that.

MORDELL S THEOREM For a non-singular cubic curve C given by the equation y 2 = x 3 + ax + b for any a, b Z, we know that the group of rational points on curve C is an abelian group. Mordell s Theorem states that Theorem The group of rational points of an elliptic curve has a finite number of generators.

HASSE-WEIL THEOREM Theorem If C is a non-singular irreducible curve of genus g defined over a finite field F p, then the number of points on C with coordinates in F p is equal to p + 1 ɛ, where the error term ɛ satisfies ɛ 2g p. For an elliptic curve C over a finite field F p, the Hasse-Weil theorem gives the estimate that the number of points of elliptic curve C is 2 p #C(F p ) p 1 2 p

APPLICATIONS Elliptic curves over finite fields are easy to implement on any computer, since the group law is a simple algebraic equation in the coefficients. We can use the group structure to create a number of algorithms. Factorization of Large Numbers Public Key Cryptography

POLLARD S METHOD However, we see that Pollard s method quickly grows inefficient, as d should be a product of small primes to make the calculations take up a smaller number of steps.

LENSTRA S FACTORIZATION METHOD Although Pollard s factorization method yields around log N steps, Lenstra s elliptic curve factorization method allows us to keep factorizing.

AN EXAMPLE OF LENSTRA S We can attempt to factor n = 1715761513. 1 Let x 1 = 2, y 1 = 3, so P = (2, 3). WLOG, for a given b let c = 1 2b. First, let b = 1 and c = 1. 2 As we cycle through steps 6-10, observe that for some d P d = dp d 1 =...d!p 1 Thus, let d max = 20 and calculate up to 20!P in modulo n. For example, P 20 = 20!P = 20!(2, 3) = (693588502, 858100579) However, the whole point of Lenstra s algorithm is that the addition law has to break down when we obtain a gcd(v, n) less than n for some v(mod n) so that the algorithm terminates. 3 We can either keep going or pick different b and c s for the same d max = 20.

AN EXAMPLE OF LENSTRA S (CONT.) For b = 5 and c = 11, we hit the jackpot. Everything goes smoothly up until Q = 16!P = (962228801, 946564039) (mod 1715761513) on the curve y 2 = x 3 + 5x 9. To compute 17!P = 17Q, we must add 16Q + Q. We first calculate that 16Q = (505708443, 718251590). Next, we must find the inverse modulo n of the difference of x-coordinates of Q and 16Q, so we need to invert x(16q) x(q) = 505708443 962228801 = 456520358 (mod n)

AN EXAMPLE OF LENSTRA S (CONT.) But when we use the Euclidean algorithm to compute the gcd of this quantity and n, we find that gcd(x(16q) x(q), n) = gcd( 456520358, 1715761513) = 26927 This gives a non-trivial factor of n and also the complete prime factorization of n, so we are done. n = 1715761513 = 26927 63719

CRYPTOGRAPHY Discrete Logarithm Problem Find an integer m that solves the congruence a n b(mod p) Elliptic Curve Discrete Logarithm Problem Given P, Q C(F p ), find an integer m such that mp = Q.

ELLIPTIC CURVE DISCRETE LOGARITHM PROBLEM Consider the elliptic curve C : y 2 = x 3 + x 2 + x + 1 over the field F 97 Points P = (7,20) and Q = (17,46) are in C(F 97 ). We can use the "collision algorithm" to quickly solve for m. Make two lists of P, 2P, 3P,..., and Q 10P, Q 20P, Q 30P,... until finding a common point ap = Q 10P, so m = a + 10b. We pick 10 because its close to 97. Comparing the lists, one can quickly find the collision 7P = (8, 87) = Q 40P, so 47P = Q.

BENEFITS OF ELLIPTIC CURVE CRYPTOGRAPHY The ECDLP is much more preferred over the DLP Much harder to decrypt Takes up much less bits Much more efficient overall

ACKNOWLEDGEMENTS We would like to thank: Yongyi Chen Our Parents Dr. Khovanova and Dr. Gerovitch MIT PRIMES

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback