Curves, Cryptography, and Primes of the Form x^2 + y^2 D


Juliana V. Belding

Abstract

An ongoing challenge in cryptography is to find groups in which the discrete log problem is hard, or computationally infeasible. Such a group can be used as the setting for many cryptographic protocols, from Diffie-Hellman key exchange to El Gamal encryption. As the group of points of an elliptic curve over a finite field is one of the few known examples, it is important to be able to efficiently construct elliptic curves with large prime order. We show how constructing such a cryptographic elliptic curve over the field of p elements relates to the classic number theory problem of determining which primes p can be written as x^2 + y^2 D for integers x, y and D.

1 The Discrete Logarithm Problem

Consider a finite group G of prime order N. The discrete logarithm problem, or DLP, is:

The Discrete Log Problem: Given a, b ∈ G, with b = a^n, find n.

This can be thought of as computing the log of b with base a.

Consider Z/NZ, the set of equivalence classes of integers {[0], [1], [2], ..., [N − 1]}, where two integers a, b are equivalent modulo N if a − b is a multiple of N. The group operation is addition modulo N, so the DLP is written b ≡ an mod N. Solving this requires computing the inverse of a mod N, which can be done in polynomial time using Euclid's algorithm. Thus the DLP is not NP-hard in Z/NZ.

However, for the group of points of an elliptic curve E over a finite field F_p with prime order N (defined in the next section), the best ways to solve the DLP are all exponential in log(N). For N on the order of 10^80, with current computing power, it is infeasible to determine n. Thus the exponent n can be used to hide information in cryptographic protocols.

To construct a cryptographic elliptic curve, that is, one for which the DLP will be hard, we want to solve the following problem:

Problem: Find large primes p and N and an elliptic curve E such that the group of points of E with coordinates in F_p has size N.
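As an added illustration (not code from the essay), the following Python contrasts the two settings just described: in Z/NZ the DLP b ≡ an (mod N) falls to a single extended-Euclid inversion, while a group that offers no such structure leaves only search, whose step count grows with the group order. The modulus, base and exponent are constructed sample values, and the function names are my own.

```python
# Added example (not from Belding's essay): the additive DLP in Z/NZ is easy
# because the extended Euclidean algorithm computes a^{-1} mod N in
# polynomial time, so n = b * a^{-1} mod N. All sample values are constructed.


def extended_gcd(a, b):
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, N):
    """Inverse of a modulo N; raises if gcd(a, N) != 1."""
    g, x, _ = extended_gcd(a % N, N)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {N}")
    return x % N


def additive_dlp(a, b, N):
    """Solve b = a*n (mod N) for n: one modular inversion, O(log N) steps."""
    return (b * mod_inverse(a, N)) % N


def generic_dlp(mul, identity, a, b, order):
    """Exhaustive search for n with a^n = b in a group known only through its
    operation `mul`: the number of steps grows with the group order, i.e.
    exponentially in log(order). Returns (n, steps_taken)."""
    cur, steps = identity, 0
    for n in range(order):
        if cur == b:
            return n, steps
        cur = mul(cur, a)
        steps += 1
    raise ValueError("b is not a power of a")


if __name__ == "__main__":
    N = 1_000_000_007                       # constructed prime modulus
    a, n = 123_456_789, 987_654_321
    b = (a * n) % N
    print("additive DLP in Z/NZ recovers n =", additive_dlp(a, b, N))
    # The same problem attacked by search in a group with no shortcut
    # (multiplicative group mod a small prime), only to show the scaling.
    p = 1009
    print("exhaustive search (n, steps):",
          generic_dlp(lambda x, y: x * y % p, 1, 11, pow(11, 700, p), p - 1))
```

The point of `generic_dlp` is the step counter: doubling the bit length of the order squares the work, which is exactly the exponential-in-log(N) behaviour the essay attributes to the best known elliptic-curve DLP algorithms.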
2 A Brief Introduction to Elliptic Curves

An elliptic curve E over a field F is given by a Weierstrass equation

    y^2 = x^3 + Ax + B    (1)

with A, B ∈ F and 4A^3 + 27B^2 ≠ 0. (This last requirement says the curve has no singularities.) Let F̄ be the algebraic closure of F, the set of all solutions of polynomials with coefficients in F. For example, if F = R, F̄ = C. The set of points of E, denoted E(F̄), consists of all points (x, y) ∈ F̄ × F̄ that satisfy (1). The remarkable fact is that there is a natural way to add points on the curve, thus turning E(F̄) into a commutative group. For the details, a good source is [?].

Since F̄ is algebraically closed, for any x_0 ∈ F̄, the points (x_0, ±√(x_0^3 + Ax_0 + B)) are in E(F̄). Thus, since F̄ is infinite, E(F̄) is an infinite group. But we are interested in a finite group for the DLP, so we consider E(F), where F = F_p = Z/pZ. Each x_0 ∈ F_p gives at most two points in E(F_p), depending on whether or not x_0^3 + Ax_0 + B has a square root modulo p. Therefore E(F_p) is always a finite group. More importantly, we have a bound on its order by Hasse's Theorem. Let N = #E(F_p). Then

    p + 1 − 2√p < N < p + 1 + 2√p    (2)

We call this the Hasse interval and denote it H_p.

Recall that we want to find an elliptic curve E over F_p such that #E(F_p) = N. By this, we mean find an equation of the form (1) with coefficients in F_p. It is possible, however, that two different Weierstrass equations describe essentially the same elliptic curve, in which case the two curves are said to be isomorphic. For E defined over a field F, the j-invariant of E is a rational function of A and B, taking values in F, which classifies elliptic curves up to isomorphism. That is, j(E) = j(E') if and only if E and E' are isomorphic. Given a value j ∈ F, it is straightforward to determine a Weierstrass equation for E with j(E) = j.

We note that if E and E' are isomorphic, the groups E(F_p) and E'(F_p) may have different orders, in which case we say the curves are twists. If E(F_p) has N = p + 1 − t points, its twist will have p + 1 + t points. The value t is known as the trace of E. If t ≠ 0, E is called ordinary, and we focus only on these curves, since trace zero curves are susceptible to sub-exponential attacks [?].

So to solve the problem, we could first find p, N such that N ∈ H_p. (This is heuristically possible by the Prime Number Theorem.) Then we could choose j-invariants at random until we find E such that it or its twist has N points [?]. But how do we know we will succeed? The amazing fact is that given N ∈ H_p, there exists an elliptic curve over F_p such that #E(F_p) = N.

This relies on the intimate connection between the j-invariant of certain elliptic curves over C and primes of the form x^2 + y^2 D, where D is determined by t^2 − 4p, as made precise below. Understanding this connection will be the focus of the remainder of this essay.

3 The Endomorphism Ring of an Elliptic Curve

Let F be any field. Recall that we can add two points on an elliptic curve, so in particular, we can add a point to itself. This allows us to define a multiplication on E as

    [n]P := P + P + ... + P    (n times).

As the resulting sum is a point of E, we have a map [n] : E → E, given by rational functions. Furthermore, since addition is associative and commutative, [n](P + Q) = [n]P + [n]Q. That is, [n] is a homomorphism. A homomorphism of E given by rational functions is called an endomorphism.

Let's consider the set End_F(E). We can define the sum of two endomorphisms as (φ + ψ)(P) = φ(P) + ψ(P). This addition makes End_F(E) into a commutative group. Furthermore, we can compose two endomorphisms, (φ ∘ ψ)(P) = φ(ψ(P)), and this composition law makes End_F(E) into a ring. A lot of key information about an elliptic curve is encoded in the structure of this ring, as we shall see.

We already know that End_F(E) contains [n] for every positive integer n. Defining [−n] : P ↦ −[n]P, we have that End_F(E) contains [n] for all n ∈ Z. Thus, for any E, End_F(E) contains Z.

3.1 Endomorphisms over F_p

Now let's consider an elliptic curve over F_p. The Frobenius map

    π : (x, y) ↦ (x^p, y^p)    (3)

is given by rational functions over F_p and can be shown to be a homomorphism ([?], p. 75). Thus π is in End_{F_p}(E). Write N = p + 1 − t. The Frobenius map satisfies the equation

    π^2 − [t]π + [p] = [0]    (4)

in End_{F_p}(E).¹ Note that t^2 − 4p is negative by Hasse's theorem (2). We can write this quantity as −f^2 D, for some f, D ∈ Z with D > 0 and squarefree. Solving the equation (4) for π, we see that π corresponds to an element of the quadratic imaginary field K = Q(√−D):

    π = (t ± f√−D) / 2.    (5)

We now see that if E has N = p + 1 − t points, End_{F_p}(E) contains Z and π, and therefore the ring Z[π]. Note that Z[π] ⊆ Z[(1 + √−D)/2] = {a + b(1 + √−D)/2 : a, b ∈ Z}. Since N is an odd prime number, t and f must be odd, and so D ≡ 3 mod 4. This means the ring Z[(1 + √−D)/2] is the ring of integers of K, where K = Q(√−D). That is, every element is an algebraic integer α, the root of a polynomial with integer coefficients and leading coefficient one which cannot be factored in Z. This polynomial is known as the minimal polynomial of α. It turns out that End_{F_p}(E) for E with N points will always be contained in or equal to Z[(1 + √−D)/2].

So to solve the original problem, it is enough to solve the following problem:

Problem: Given p, N, construct an elliptic curve E with End_{F_p}(E) = Z[(1 + √−D)/2].

But how can we construct an elliptic curve just by knowing its endomorphism ring? Fortunately, this turns out to be more tractable for elliptic curves over C, and there is a way to relate elliptic curves over C to those over F_p via their j-invariants. Note that a curve Ẽ over C will have a complex-valued j(Ẽ), thus there is no reason a priori that it makes sense as an element of F_p. For example, the complex number i is not in F_7 since −1 ≡ 6 mod 7 and 6 doesn't have a square root in F_7. If, however, j(Ẽ) does make sense as an element of F_p, then the elliptic curve E over F_p with j-invariant j(Ẽ) mod p will have the same endomorphism ring as the curve over C. (This is due to a deep theorem of Deuring [?].)

So we can tackle the problem by first finding an elliptic curve over C with End_C(Ẽ) = Z[(1 + √−D)/2], and then seeing if its j-invariant makes sense modulo p.

3.2 Endomorphisms over C

Any elliptic curve over C can be identified uniquely with the group C/Λ, where Λ = Z + τZ is a lattice in C. Here C/Λ is the group of equivalence classes of points in C where z_1 ∼ z_2 if and only if z_1 − z_2 ∈ Λ. It turns out that End_C(E) = Z[(1 + √−D)/2] if and only if λΛ ⊆ Λ for every λ ∈ Z[(1 + √−D)/2], in which case we say Λ has complex multiplication.² So we want to find a lattice with complex multiplication by Z[(1 + √−D)/2].

We can classify lattices up to isomorphism by the complex-valued function j, where

    j(Λ) = 1/q + 744 + 196884q + ...    and    q = e^{2πiτ}    [?]

This value agrees with the j-invariant of the elliptic curve E over C corresponding to C/Λ, but it is not an integer value and cannot be calculated exactly. However, if Λ has complex multiplication by Z[(1 + √−D)/2], then j(Λ) is an algebraic integer. The roots of its minimal polynomial, denoted H_D(x), are precisely the j-invariants of all lattices with complex multiplication by Z[(1 + √−D)/2].

¹ The fact that π is closely related to the order N of E(F_p) shouldn't be a surprise. If P = (x, y) ∈ E(F_p), then π(P) = P since F_p is the set of solutions to x^p = x. Furthermore, π(P) = P implies that P ∈ E(F_p).

² The λ correspond to symmetries of the lattice. For example, the lattice Λ = Z + iZ has multiplication by λ = i since i(a + ib) = −b + ia ∈ Λ. This is equivalent to a counterclockwise rotation of 90°.
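The following Python, added here and not part of the essay, evaluates the q-expansion above numerically at τ = (1 + √−D)/2 for D = 7 and D = 11, lattices with complex multiplication by Z[(1 + √−D)/2] whose class number is one, and observes that j(Λ) lands on an integer, the single root of H_D(x). The coefficients beyond 196884 are the next terms of the standard expansion of j; truncating after q^5 is an assumption that is adequate only because Im τ is large enough here to make q tiny, and the function names are mine.

```python
# Added example (not from the essay): evaluate the q-expansion of the
# modular function j at tau = (1 + sqrt(-D))/2, i.e. at the lattice
# Z + tau Z with complex multiplication by Z[(1 + sqrt(-D))/2], and check
# that the value is (numerically) an integer. The coefficients are the
# first terms of the standard expansion; truncating after q^5 is an
# assumption that holds because |q| = e^{-pi sqrt(D)} is tiny for D >= 7.
import cmath
import math

# c_n in j(tau) = 1/q + sum_{n >= 0} c_n q^n, with q = e^{2 pi i tau}.
J_COEFFS = [744, 196884, 21493760, 864299970, 20245856256, 333202640600]


def j_from_tau(tau):
    """Truncated q-expansion of j at tau (requires Im tau > 0)."""
    q = cmath.exp(2j * math.pi * tau)
    value = 1 / q
    for n, c in enumerate(J_COEFFS):
        value += c * q ** n
    return value


def j_cm(D):
    """j of the lattice Z + tau Z, tau = (1 + sqrt(-D))/2, D > 0, D = 3 mod 4."""
    tau = complex(0.5, math.sqrt(D) / 2)
    return j_from_tau(tau)


def nearest_integer_if_close(z, tol=1e-3):
    """The nearest integer when z is within tol of one, else None. For a
    lattice with CM by a class-number-one order this integer is the root
    of the (degree one) Hilbert class polynomial H_D(x)."""
    n = round(z.real)
    if abs(z - n) < tol:
        return n
    return None


if __name__ == "__main__":
    for D in (7, 11):
        z = j_cm(D)
        print(f"D = {D}: j ~ {z.real:.6f}, root of H_D: {nearest_integer_if_close(z)}")
```

For D = 11 the value rounds to −32768, so H_11(x) = x + 32768; for D = 7 it rounds to −3375. For larger class numbers j(Λ) is still an algebraic integer but no longer a rational one, and H_D(x) has degree equal to the class number, which is why the general case needs the full polynomial rather than a single rounded value.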

Since H_D(x) has coefficients in Z, we can reduce the coefficients modulo p and get a polynomial with coefficients in F_p. If H_D(x) has a root in F_p, this means that the j-invariant of the elliptic curve over C makes sense modulo p. Thus any roots of this polynomial in F_p will be the j-invariants of elliptic curves over F_p with End_{F_p} = Z[(1 + √−D)/2].

So all that remains is to show that the polynomial H_D has roots modulo p! This question relates precisely to the classic number theory problem of primes of the form x^2 + y^2 D, which we explore in the final section.

4 Primes of the Form x^2 + y^2 D

Consider the following classic problem from number theory: when is a prime p = x^2 + y^2 for x, y integers?³ Though we are looking for integer solutions, it's best to tackle this problem in a larger set of numbers, namely the Gaussian integers Z[i] = {a + bi : a, b ∈ Z, i^2 = −1}. For example, the prime 5 can be written as 1^2 + 2^2, which is the same as (1 + 2i)(1 − 2i) in Z[i]. The problem therefore becomes: When do there exist x, y ∈ Z such that p = (x − iy)(x + iy) in the ring Z[i]?

Z[i] is a unique factorization domain, which means that, just like in the integers, every element of Z[i] has a unique decomposition into prime elements. (By prime, we simply mean a number that cannot be written as the product of two non-invertible elements.) The norm of an element is just the standard complex norm: N(x + iy) = (x + iy)(x − iy). Since the norm is a multiplicative map, an element with prime norm must be prime. Thus x ± iy are both prime. So if p = (x + iy)(x − iy), by unique factorization this means p cannot be a prime element of Z[i]! In this case, the prime p is said to split in Z[i]. Thus, answering the problem comes down to understanding when the prime p of Z splits in Z[i]. We note also that if p splits in Z[i], then the minimal polynomial of i, x^2 + 1, factors modulo p. For example, x^2 + 1 = (x + 2)(x − 2) modulo 5.

This gives a very useful criterion for when a prime splits:⁴ a prime p splits in a ring Z[α] if and only if the minimal polynomial of α factors completely into linear terms modulo p.

Now consider the more general problem: For D fixed, when can a prime p be written as x^2 + y^2 D for x, y ∈ Z? Note how this relates to the problem of constructing E with N = p + 1 − t. Recall that End_{F_p}(E) will contain Z[π] where π = (t + f√−D)/2, for t, f integers. Thus, if we can construct such an elliptic curve, we have that 4p can be written as x^2 + y^2 D for x, y ∈ Z. As in the case of D = 1, both of these problems hinge on how the prime p behaves in Z[√−D], respectively Z[(1 + √−D)/2].

We can follow the above strategy, but we have to deal with ideals, introduced to circumvent the problem that these rings may not necessarily be unique factorization domains. (The classic example is Z[√−5], where (1 + √−5)(1 − √−5) = 2 · 3.) In particular, it turns out that 4p = x^2 + y^2 D if and only if the ideal (p) splits completely in H, the Hilbert class field of K. (For those familiar with algebraic number theory, H is the maximal abelian unramified extension of K.) The minimal polynomial of this extension, known as the Hilbert class polynomial of D, is precisely H_D(x), whose roots are the j-invariants of elliptic curves over C with endomorphism ring Z[(1 + √−D)/2].

But we know that a number splits completely in an extension if and only if the minimal polynomial factors into linear terms modulo p. Thus, precisely because we can write 4p = t^2 + f^2 D, we know that H_D(x) has roots modulo p which will be the j-invariants of elliptic curves over F_p with N = p + 1 − t points. Thus, constructing a cryptographic curve comes down to factoring a polynomial in F_p!

Of course, this requires computing the Hilbert class polynomial H_D(x), which is not a trivial matter. For small D, it has been done [?]. However, as the size of D grows, so do the coefficients of H_D(x), and it becomes computationally infeasible to determine H_D(x). Thus, techniques for determining j without knowing the whole polynomial are an active area of research in number theory, which, as we have now seen, is highly relevant to building secure cryptosystems.

³ The answer, known as Fermat's Theorem on the Sum of Two Squares, is that for p odd, there exist x, y ∈ Z such that p = x^2 + y^2 if and only if p ≡ 1 mod 4. The forward direction is straightforward to see. If x, y are both even or both odd, then x^2 + y^2 ≡ 0 mod 2, which means p ≡ 0 mod 2. As p is odd, this is clearly impossible. Thus x, y must be of opposite parity, in which case x^2 + y^2 ≡ 1 mod 4. For the reverse direction, see for example [?] or [?].

⁴ There are actually a few exceptions to this, but these do not occur in the situation in which we are interested.

References

[1] Bröker, Reinier, Constructing elliptic curves of prescribed order, PhD Thesis, Thomas Stieltjes Institute for Mathematics, 2006.
[2] Cox, D., Primes of the Form x^2 + ny^2: Fermat, Class Field Theory and Complex Multiplication, John Wiley & Sons, 1989.
[3] Silverman, J., The Arithmetic of Elliptic Curves, Springer-Verlag, 1986.
[4] Wagon, S., Editor's corner: the Euclidean algorithm strikes again, Amer. Math. Monthly 97 (1990), no. 2, 125-129.
[5] Washington, L., Elliptic Curves: Number Theory and Cryptography, Chapman & Hall/CRC, 2003.
[6] Zagier, D., A one-sentence proof that every prime p ≡ 1 (mod 4) is a sum of two squares, Amer. Math. Monthly 97 (1990), no. 2, 144.
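To tie Sections 2, 3.1 and 4 together, here is an added Python example (not from the essay or any of its references) that carries out the construction end to end for a discriminant whose Hilbert class polynomial H_D(x) = x − j_D is linear: it counts points over F_p with Euler's criterion, checks Hasse's bound, writes t^2 − 4p = −f^2 D with D squarefree, reduces the root of H_D modulo p, builds a Weierstrass equation from that j-invariant, and keeps whichever of the curve and its twist has p + 1 − t points. The table of roots is the well-known class-number-one list for D = 3, 7, 11, 19, 43, 67, 163; the pair (p, t) = (31, 5), with 4·31 = 5^2 + 3^2·11, is a constructed sample, and all function names are mine.

```python
# Added example (not from the essay): the CM construction of a curve with
# #E(F_p) = p + 1 - t for a class-number-one D, where H_D(x) = x - j_D.
# Sample values (p, t) = (31, 5) are constructed: 4*31 = 5^2 + 3^2 * 11.
import math

# Roots j_D of H_D(x) = x - j_D for the class-number-one D with D = 3 mod 4.
HILBERT_ROOT = {3: 0, 7: -3375, 11: -32768, 19: -884736,
                43: -884736000, 67: -147197952000, 163: -262537412640768000}


def legendre(a, p):
    """Euler's criterion: 1 if a is a nonzero square mod p, -1 if not, 0 if p | a."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, A, B):
    """#E(F_p) for y^2 = x^3 + Ax + B: every x contributes 1 + legendre(f(x))
    points, plus the point at infinity."""
    assert (4 * A**3 + 27 * B**2) % p != 0, "singular curve"
    return p + 1 + sum(legendre(x**3 + A * x + B, p) for x in range(p))


def in_hasse_interval(p, N):
    """Hasse: |N - (p + 1)| <= 2 sqrt(p), checked without floating point."""
    return (N - (p + 1)) ** 2 <= 4 * p


def decompose(p, t):
    """Write t^2 - 4p = -f^2 D with D > 0 squarefree; return (f, D)."""
    m = 4 * p - t * t
    assert m > 0, "t violates Hasse's bound"
    f = 1
    for d in range(2, math.isqrt(m) + 1):
        while m % (d * d) == 0:
            m //= d * d
            f *= d
    return f, m


def curve_from_j(p, j):
    """Coefficients (A, B) over F_p of a curve with j-invariant j (j != 1728)."""
    j %= p
    if j == 0:
        return 0, 1                          # y^2 = x^3 + 1 has j = 0
    k = j * pow((1728 - j) % p, -1, p) % p
    return 3 * k % p, 2 * k % p              # y^2 = x^3 + 3k x + 2k


def j_invariant(p, A, B):
    """j = 1728 * 4A^3 / (4A^3 + 27B^2) in F_p."""
    return 1728 * 4 * A**3 * pow((4 * A**3 + 27 * B**2) % p, -1, p) % p


def candidate_curves(p, j):
    """The curve with invariant j and its twists: the quadratic twist for a
    general j, all y^2 = x^3 + B (the six sextic twists) when j = 0."""
    if j % p == 0:
        return [(0, B) for B in range(1, p)]
    A, B = curve_from_j(p, j)
    c = next(c for c in range(2, p) if legendre(c, p) == -1)   # non-residue
    return [(A, B), (A * c * c % p, B * c**3 % p)]


def construct_curve(p, t):
    """Curve E/F_p with #E(F_p) = p + 1 - t via the root of H_D mod p.
    Returns (A, B, N, D), or None when D is outside the class-number-one table."""
    N = p + 1 - t
    f, D = decompose(p, t)
    if D not in HILBERT_ROOT:
        return None
    j = HILBERT_ROOT[D] % p        # H_D(x) = x - j_D, so its root mod p is j_D mod p
    for A, B in candidate_curves(p, j):
        if count_points(p, A, B) == N:
            return A, B, N, D
    raise AssertionError("no twist has the requested order")


if __name__ == "__main__":
    p, t = 31, 5
    print("t^2 - 4p = -f^2 D with (f, D) =", decompose(p, t))
    print("(A, B, N, D) =", construct_curve(p, t))
```

For (31, 5) the root −32768 reduces to 30 in F_31, the curve y^2 = x^3 + 27x + 18 has exactly 27 = 31 + 1 − 5 points, and its quadratic twist has 37. For j = 0 the quadratic twist alone is not enough (there are six twists), which is why `candidate_curves` searches all y^2 = x^3 + B in that case. When `decompose` yields a D outside the table, the same method needs the full polynomial H_D(x) and a root-finding step modulo p, which is the cost the closing paragraph describes.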