Lecture 3 Elliptic curves over finite fields The group order - PowerPoint PPT Presentation

Elliptic curves over F q F. Pappalardi Lecture 3 Elliptic curves over finite fields The group order Reminder from last lecture Points of finite order Algebraqic Structures, Cryptography, The group structure Weil Pairing Number Theory and Applications Endomorphisms African Mathematical School Separability the degree of Universidade Cabo Verde, April 16, 2015 endomorphism Hasse’s Theorem Frobenius endomorphism proof Legendre Symbols Further reading Francesco Pappalardi Dipartimento di Matematica e Fisica Università Roma Tre 3.1

Elliptic curves over F q The division polynomials F. Pappalardi Definition (Division Polynomials of E : y 2 = x 3 + Ax + B ( p > 3 )) ψ 0 = 0 , ψ 1 = 1 , ψ 2 = 2 y ψ 3 = 3 x 4 + 6 Ax 2 + 12 Bx − A 2 ψ 4 = 4 y ( x 6 + 5 Ax 4 + 20 Bx 3 − 5 A 2 x 2 − 4 ABx − 8 B 2 − A 3 ) Reminder from last lecture Points of finite order . The group structure . . Weil Pairing Endomorphisms ψ 2 m + 1 = ψ m + 2 ψ 3 m − ψ m − 1 ψ 3 for m ≥ 2 m + 1 Separability the degree of � ψ m � endomorphism · ( ψ m + 2 ψ 2 m − 1 − ψ m − 2 ψ 2 ψ 2 m = m + 1 ) for m ≥ 3 Hasse’s Theorem 2 y Frobenius endomorphism proof The polynomial ψ m ∈ Z [ x , y ] is the m th division polynomial Legendre Symbols Further reading Theorem ( E : Y 2 = X 3 + AX + B elliptic curve, P = ( x , y ) ∈ E ) � � φ m ( x ) m ( x ) , ω m ( x , y ) mP = m ( x , y ) = , ψ 2 ψ 3 m ( x , y ) ψ m + 2 ψ 2 m − 1 − ψ m − 2 ψ 2 where φ m = x ψ 2 m − ψ m + 1 ψ m − 1 , ω m = m + 1 4 y 3.2

Elliptic curves over F q Points of order m F. Pappalardi Definition ( m –torsion point) Let E / K and let ¯ K an algebraic closure of K . E [ m ] = { P ∈ E ( ¯ K ) : mP = ∞} Reminder from last lecture Points of finite order Theorem (Structure of Torsion Points) The group structure Weil Pairing Let E / K and m ∈ N . If p = char ( K ) ∤ m, Endomorphisms Separability E [ m ] ∼ = C m ⊕ C m the degree of endomorphism If m = p r m ′ , p ∤ m ′ , Hasse’s Theorem Frobenius endomorphism proof E [ m ] ∼ E [ m ] ∼ = C m ⊕ C m ′ or = C m ′ ⊕ C m ′ Legendre Symbols Further reading Idea of the proof: Let [ m ] : E → E , P �→ mP . Then # E [ m ] = # Ker [ m ] ≤ ∂φ m = m 2 equality holds iff p ∤ m . 3.3

Elliptic curves over F q Remark. F. Pappalardi • E [ 2 m + 1 ] \ {∞} = { ( x , y ) ∈ E ( ¯ K ) : ψ 2 m + 1 ( x ) = 0 } • E [ 2 m ] \ E [ 2 ] = { ( x , y ) ∈ E ( ¯ K ) : y − 1 ψ 2 m ( x ) = 0 } Example Reminder from last ψ 4 ( x ) = 2 y ( x 6 + 5 Ax 4 + 20 Bx 3 − 5 A 2 x 2 − 4 BAx + � − A 3 − 8 B 2 � ) lecture Points of finite order ψ 5 ( x ) = 5 x 12 + 62 Ax 10 + 380 Bx 9 − 105 A 2 x 8 + 240 BAx 7 The group structure Weil Pairing + � − 300 A 3 − 240 B 2 � x 6 − 696 BA 2 x 5 Endomorphisms x 4 + � + � − 125 A 4 − 1920 B 2 A � − 80 BA 3 − 1600 B 3 � x 3 Separability the degree of endomorphism x 2 + � + � − 50 A 5 − 240 B 2 A 2 � − 100 BA 4 − 640 B 3 A � x Hasse’s Theorem Frobenius endomorphism + � A 6 − 32 B 2 A 3 − 256 B 4 � proof ψ 6 ( x ) = 2 y ( 6 x 16 + 144 Ax 14 + 1344 Bx 13 − 728 A 2 x 12 + � Legendre Symbols − 2576 A 3 − 5376 B 2 � x 10 Further reading − 9152 BA 2 x 9 + � x 8 + � − 1884 A 4 − 39744 B 2 A � 1536 BA 3 − 44544 B 3 � x 7 x 6 + � + � − 2576 A 5 − 5376 B 2 A 2 � − 6720 BA 4 − 32256 B 3 A � x 5 x 4 + � + � − 728 A 6 − 8064 B 2 A 3 − 10752 B 4 � − 3584 BA 5 − 25088 B 3 A 2 � x 3 + � 144 A 7 − 3072 B 2 A 4 − 27648 B 4 A � x 2 6 A 8 + 192 B 2 A 5 + 1024 B 4 A 2 � + � 192 BA 6 − 512 B 3 A 3 − 12288 B 5 � x + � ) 3.4

Elliptic curves over F q Group Structure of E ( F q ) F. Pappalardi Exercise Use division polynomials in Sage to write a list of all curves E over F 103 such that E ( F 103 ) ⊃ E [ 6 ] . Do the same for curves Reminder from last over F 5 4 . lecture Points of finite order The group structure Weil Pairing Corollary (Corollary of the Theorem of Structure for torsion) Endomorphisms Let E / F q . ∃ n , k ∈ N are such that Separability the degree of endomorphism Hasse’s Theorem Frobenius endomorphism E ( F q ) ∼ = C n ⊕ C nk proof Legendre Symbols Further reading Theorem Let E / F q and n , k ∈ N such that E ( F q ) ∼ = C n ⊕ C nk . Then n | q − 1 . 3.5

Elliptic curves over F q Weil Pairing F. Pappalardi Let E / K and m ∈ N s.t. p ∤ m . Then E [ m ] ∼ = C m ⊕ C m We set K : x m = 1 } µ m := { x ∈ ¯ Reminder from last lecture Points of finite order µ m is a cyclic group with m elements(since p ∤ m ) The group structure Weil Pairing Theorem (Existence of Weil Pairing) Endomorphisms Separability There exists a pairing e m : E [ m ] × E [ m ] → µ m called Weil the degree of endomorphism Pairing, s.t. ∀ P , Q ∈ E [ m ] Hasse’s Theorem Frobenius endomorphism 1 e m ( P + E Q , R ) = e m ( P , R ) e m ( Q , R ) (bilinearity) proof 2 e m ( P , R ) = 1 ∀ R ∈ E [ m ] ⇒ P = ∞ (non degeneracy) Legendre Symbols Further reading 3 e m ( P , P ) = 1 4 e m ( P , Q ) = e m ( Q , P ) − 1 5 e m ( σ P , σ Q ) = σ e m ( P , Q ) ∀ σ ∈ Gal ( ¯ K / K ) 6 e m ( α ( P ) , α ( Q )) = e m ( P , Q ) deg α ∀ α separable endomorphism The last one needs to be discussed further!!! 3.6

Elliptic curves over F q Properties of Weil pairing F. Pappalardi 1 E [ m ] ∼ = C m ⊕ C m ⇒ E [ m ] has a Z / m Z – basis i.e. ∃ P , Q ∈ E [ m ] : ∀ R ∈ E [ m ] , ∃ ! α, β ∈ Z / m Z , R = α P + β Q 2 If ( P , Q ) is a Z / m Z –basis, then ζ = e m ( P , Q ) ∈ µ m is primitive (i.e. ord ζ = m ) Reminder from last lecture Points of finite order Proof. Let d = ord ζ . Then 1 = e m ( P , Q ) d = e m ( P , dQ ) . The group structure ∀ R ∈ E [ m ] , e m ( R , dQ ) = e m ( P , dQ ) α e m ( Q , Q ) d β = 1. Weil Pairing Endomorphisms So dQ = ∞ ⇒ m | d . Separability the degree of 3 E [ m ] ⊂ E ( K ) ⇒ µ m ⊂ K endomorphism Hasse’s Theorem Proof. Let σ ∈ Gal ( ¯ Frobenius endomorphism K / K ) since the basis ( P , Q ) ⊂ E ( K ) , proof σ ( P ) = P , σ ( Q ) = Q . Hence Legendre Symbols ζ = e m ( P , Q ) = e m ( σ P , σ Q ) = σ e m ( P , Q ) = σζ Further reading K / K ) = K ⇒ µ n = � ζ � ⊂ K ∗ So ζ ∈ ¯ K Gal (¯ 4 if E ( F q ) ∼ = C n ⊕ C kn ⇒ q ≡ 1 mod n Proof. E [ n ] ⊂ E ( F q ) ⇒ µ n ⊂ F ∗ q ⇒ n | q − 1 5 If E / Q ⇒ E [ m ] �⊆ E ( Q ) for m ≥ 3 3.7

Elliptic curves over F q Endomorphisms F. Pappalardi Definition A map α : E ( ¯ K ) → E ( ¯ K ) is called an endomorphism if • α ( P + E Q ) = α ( P ) + E α ( Q ) ( α is a group homomorphism) • ∃ R 1 , R 2 ∈ ¯ K ( x , y ) s.t. Reminder from last α ( x , y ) = ( R 1 ( x , y ) , R 2 ( x , y )) ∀ ( x , y ) �∈ Ker ( α ) lecture Points of finite order ( ¯ K ( x , y ) is the field of rational functions , α ( ∞ ) = ∞ ) The group structure Weil Pairing Exercise (Show that we can always assume) Endomorphisms Separability the degree of ∃ r 1 , r 2 ∈ ¯ α ( x , y ) = ( r 1 ( x ) , yr 2 ( x )) , K ( x ) endomorphism Hasse’s Theorem Hint: use y 2 = x 3 + Ax + B and α ( − ( x , y )) = − α ( x , y ) , Frobenius endomorphism proof Legendre Symbols Remarks/Examples: Further reading • if r 1 ( x ) = p ( x ) / q ( x ) with gcd ( p , q ) = 1 and ( x 0 , y 0 ) ∈ E ( ¯ K ) with q ( x 0 ) = 0 ⇒ α ( x 0 , y 0 ) = ∞ � � φ m m , ω m • [ m ]( x , y ) = is an endomorphism ∀ m ∈ Z ψ 2 ψ 3 m • Φ q : E (¯ F q )) → E (¯ F q )) , ( x , y ) �→ ( x q , y q ) is called Frobenius Endomorphism 3.8

Elliptic curves over F q Endomorphisms (continues) F. Pappalardi Theorem If α � = [ 0 ] is an endomorphism, then it is surjective. Sketch of the proof. Reminder from last lecture Assume p > 3, α ( x , y ) = ( p ( x ) / q ( x ) , yr 2 ( x ) and ( a , b ) ∈ E ( ¯ K ) . Points of finite order The group structure Weil Pairing • If p ( x ) − aq ( x ) is not constant, let x 0 be one of its roots. Endomorphisms Choose y 0 a square root of x 2 0 + AX 0 + B . Separability the degree of endomorphism Then either α ( x 0 , y 0 ) = ( a , b ) or α ( x 0 , − y 0 ) = ( a , b ) . Hasse’s Theorem Frobenius endomorphism proof • If p ( x ) − aq ( x ) is constant, Legendre Symbols this happens only for one value of a ! Further reading Let ( a 1 , b 1 ) ∈ E (¯ K ) : ( a 1 , b 1 ) � = ( a , ± b ) and ( a 1 , b 1 ) + E ( a , b ) � = ( a , ± b ) . Then ( a 1 , b 1 ) = α ( P 1 ) and ( a 1 , b 1 ) + E ( a , b ) = α ( P 2 ) Finally ( a , b ) = α ( P 2 − P 1 ) 3.9

Elliptic curves over F q Endomorphisms (continues) F. Pappalardi Definition Suppose α : E → E , ( x , y ) = ( r 1 ( x ) , yr 2 ( x )) endomorphism. Write r 1 ( x ) = p ( x ) / q ( x ) with gcd ( p ( x ) , q ( x )) = 1. • The degree of α is deg α := max { deg p , deg q } Reminder from last lecture • α is said separable if ( p ′ ( x ) , q ′ ( x )) � = ( 0 , 0 ) (identically) Points of finite order The group structure Weil Pairing Lemma Endomorphisms Separability • Φ q ( x , y ) = ( x q , y q ) is a non separable endomorphism of the degree of endomorphism degree q Hasse’s Theorem Frobenius endomorphism � � φ m m , ω m has degree m 2 proof • [ m ]( x , y ) = ψ 2 ψ 3 Legendre Symbols m • [ m ] separable iff p ∤ m. Further reading Proof. First: Use the fact that x �→ x q is the identity on F q hence it fixes the coefficients of the Weierstraß equation. Second: already done. Third See [8, Proposition 2.28] 3.10