Introduction to Elliptic Curves : Day 1
Benjamin Smith
INRIA Saclay–Île-de-France, Laboratoire d'informatique de l'École polytechnique (LIX)
ECRYPT II Winter School, Lausanne, January 2009
Smith (INRIA & LIX) Elliptic Curves 1 ECRYPT II, January 2009 1 / 29
Geometry
The Ground Field
We let K denote the ground field— that is, the field we will be working over.
Every other field in question will be an extension of K .
For our applications, K will be a finite field Fq;
it is also useful to consider K = Q or K = C.
We let K̄ denote the algebraic closure of K.
Until further notice, we will assume K = K̄, that is, we can always find solutions to equations over K.
Elliptic Curves
An elliptic curve over K is defined by an equation
E : y² + H(x)y = F(x),
where deg H ≤ 1 and deg F = 3, with coefficients in K.
Notice that if we replace y with −y − H(x) the equation stays the same, so E has an involution
ι_E : (x, y) ↦ (x, −y − H(x)).
Often, we choose an equation in the form
E : y² = x³ + ax + b,
in which case ι_E is defined by ι_E(x, y) = (x, −y).
Rational Points
Let E : y² + H(x)y = F(x) be an elliptic curve over K.
Definition (Rational points)
The set of K-rational points of E is
E(K) := {(α, β) ∈ K² : β² + H(α)β = F(α)} ∪ {O_E},
where O_E is the unique projective “point at infinity” of E.
More generally, if L is any extension of K we set
E(L) := {(α, β) ∈ L² : β² + H(α)β = F(α)} ∪ {O_E}.
Notice that E(K) ⊂ E(L1) ⊂ E(L2) whenever L1 ⊂ L2.
The Function Field
Definition (Function Field)
The function field of E : y² + H(x)y = F(x) is defined to be
K(E) := K(x)[y]/(y² + H(x)y − F(x)).
The elements of K(E) are quotients n(x, y)/d(x, y) of polynomials in x and y.
We can view each function f as a mapping from E to K ∪ {∞} (geometrically speaking, a morphism f : E → P¹).
Example
Consider the point P = (2, 3) on the curve E : y² = x³ + 1. We can evaluate functions at P:
((x² − y)/(y + x))(P) = 1,
((x + 7)/(y − x − 1))(P) = ∞.
Zeroes and Poles
Functions have poles and zeroes:
The zeroes of f are the points in f⁻¹(0).
The poles of f are the points in f⁻¹(∞).
(Zeroes and poles can occur with multiplicity > 1.)
Theorem
If f is a function in K(E), then
1. f has only finitely many zeroes and poles, and
2. counted with multiplicity, the number of zeroes of f equals the number of poles of f.
Principal Divisors
Definition (Principal divisors)
To each f in K(E) we associate a principal divisor: that is, a formal sum
$\operatorname{div}(f) = \sum_{P \in E(K)} \nu_P(f)\,(P),$
where ν_P(f) is the order of vanishing of f at P:
ν_P(f) = n if f has a zero of multiplicity n at P;
ν_P(f) = −n if f has a pole of multiplicity n at P;
ν_P(f) = 0 otherwise.
The collection of principal divisors is denoted Prin(E):
Prin(E) = {div(f) : f ∈ K(E)}.
Computing Zeroes and Poles
To compute zeroes and poles, we use the rules
1. div(α) = 0 if and only if α is in K \ {0};
2. div(fg) = div(f) + div(g) and div(f/g) = div(f) − div(g);
3. $\nu_P\big(\sum_i \alpha_i x^{a_i} y^{b_i}\big) = n$ if the plane curve $\sum_i \alpha_i x^{a_i} y^{b_i} = 0$ intersects E n times at P;
4. $\nu_{O_E}\big(\sum_i \alpha_i x^{a_i} y^{b_i}\big) = -\max_i \{2a_i + 3b_i\}$.
In particular, note that
1. Prin(E) is a group, and
2. div(f) = div(g) if and only if f = αg for some α ≠ 0 in K: i.e. functions are determined by their principal divisors, up to a constant factor.
Examples of Principal Divisors
Example
Consider the curve E : y² = x³ + 1 over F13.
div(x) = (0, 1) + (0, −1) − 2(O_E);
div(y) = (−1, 0) + (4, 0) + (−3, 0) − 3(O_E);
div(x²/y) = 2(0, −1) + 2(0, 1) − (−1, 0) − (4, 0) − (−3, 0) − (O_E);
div((x² − y − 1)/(xy)) = (O_E) + (0, −1) + (2, 3) − (0, 1) − (−3, 0) − (4, 0).
General Divisors
Definition (Divisors)
A divisor on E is a formal sum of points in E(K), with coefficients in Z:
$\operatorname{Div}(E) = \Big\{ \sum_{P \in E(K)} n_P\,(P) \Big\},$
with the n_P in Z, and only finitely many of the n_P nonzero.
This generalises our definition of principal divisors by allowing arbitrary integer values for the coefficients n_P, rather than restricting to legitimate vanishing orders of functions on E.
Div(E) is a group, and Prin(E) is a subgroup of Div(E).
Note that there is no addition defined (yet) for points of E(K).
Degrees
Definition (Degree)
We define a degree homomorphism deg : Div(E) → Z by
$\deg\Big(\sum_P n_P\,(P)\Big) = \sum_P n_P.$
The kernel of deg is a subgroup of Div(E), denoted Div⁰(E):
Div⁰(E) = {D ∈ Div(E) : deg(D) = 0} ⊂ Div(E).
Since every function has the same number of zeroes and poles, we have
Prin(E) ⊂ Div⁰(E).
This inclusion is strict: not every divisor of degree zero is the divisor of a function!
Our Groups So Far...
So far, we have three groups built from points of E:
Prin(E) ⊂ Div⁰(E) ⊂ Div(E).
Each of these groups is too big to be useful. (None of them is even finitely generated...)
The map D ↦ (D − deg(D)(O_E), deg(D)) defines an isomorphism
Div(E) ≅ Div⁰(E) × Z,
so Div(E) is not much more interesting than Div⁰(E).
A much more interesting group is the quotient
Pic⁰(E) := Div⁰(E)/Prin(E)
(which describes the difference between Div⁰(E) and Prin(E)).
Divisors are “Parts” of Functions...
The trick is to see degree-0 divisors as “parts of functions”.
Example
Let E be the elliptic curve E : y² = x³ + 1 over F13, and consider D1 = (0, 1) − (O_E) and D2 = (0, −1) − (O_E).
Both D1 and D2 are in Div⁰(E), but neither is the divisor of a function.
However, D1 + D2 = div(x).
Here, we could view D1 and D2 as being “pieces” of x...
Divisor Classes
Definition (Equivalent divisors)
We say divisors D1 and D2 are equivalent (and write D1 ∼ D2) if D1 = D2 + div(f) for some f in K(E).
Definition (Divisor classes)
The class of a divisor D on E is
[D] = {D′ ∈ Div(E) : D′ ∼ D}.
The degree-0 divisor classes on E form the group
Pic⁰(E) := Div⁰(E)/Prin(E),
with group operation [D1] + [D2] = [D1 + D2].
Riemann–Roch
The key to computing efficiently in Pic⁰(E) is the Riemann–Roch theorem. We skip the theorem itself, and just state the following useful corollaries:
Theorem (Corollaries of Riemann–Roch)
Let E be an elliptic curve over K.
Every degree-0 divisor class on E can be represented by a divisor of the form (P) − (O_E): that is,
Pic⁰(E) = {[(P) − (O_E)] : P ∈ E(K)}.
For every P1 and P2 in E(K), there exists a unique P3 in E(K) and a function f in K(E) (unique up to a constant factor) such that
(P1) − (O_E) + (P2) − (O_E) = (P3) − (O_E) + div(f).
The Explicit Group Law
Given P1 and P2, how do we compute the point P3 and function f such that (P1) − (O_E) + (P2) − (O_E) = (P3) − (O_E) + div(f)?
Theorem (Bézout)
Every line intersects E in three points (which may coincide).
1. Let l = αx + βy + γ be a polynomial defining the line through P1 and P2. It has zeroes at P1, P2, and some other point R (by Bézout’s theorem), and a triple pole at infinity.
2. The polynomial v = x − x(R) defines a “vertical” line through R and O_E: it has zeroes at R and ι_E(R), and a double pole at infinity.
3. Hence div(l/v) = ((P1) + (P2) + (R) − 3(O_E)) − ((R) + (ι_E(R)) − 2(O_E)), so (P1) − (O_E) + (P2) − (O_E) = (ι_E(R)) − (O_E) + div(l/v), and thus
P3 = ι_E(R) and f = l/v.
The Jacobian
We obviously have a bijection
E(K) ⟷ Pic⁰(E)
defined by P ↦ [(P) − (O_E)]. We can use this bijection to give a group structure to E(K):
+ : E(K) × E(K) → E(K), (P1, P2) ↦ P1 + P2 := P3 = ι_E(R).
Exercise
Give formulae for x(P3) and y(P3) in terms of x(P1), y(P1), x(P2), y(P2).
This implies that the group law is actually a geometric morphism
+ : E × E → E.
This means that E is a geometric object with a group law, whose points form a group isomorphic to Pic⁰(E) (so E is its own Jacobian).
The Identity and Negation
Note that P + Q means the point on E representing the sum (P) − (O_E) + (Q) − (O_E), as opposed to the divisor (P) + (Q).
Example
1. The zero element of the group E(K) is O_E, since it corresponds to [(O_E) − (O_E)] = [0].
2. Recall div(x − x(P)) = (P) + (ι_E(P)) − 2(O_E), which implies
−P = ι_E(P).
Multiplication-by-m
For every integer m, we have a map
[m]_E : E → E
defined by [m]_E P := P + ··· + P (with m summands).
Exercise
1. [m]_E is a geometric morphism (i.e. defined by polynomials in the coordinate functions).
2. [m1]_E ∘ [m2]_E = [m1 m2]_E.
3. m(P) − m(O_E) = ([m]P) − (O_E) + div(f_{m,P}) for some function f_{m,P} on E, which can be efficiently computed.
Definition
The function f_{m,P} defined above is called a Miller function.
Torsion
Definition (The m-torsion subgroup)
For each integer m > 0, the m-torsion subgroup of E is defined by
E[m] = {P ∈ E(K) : [m]P = 0}.
To describe E[m] we need only describe E[ℓ^e] for each prime power ℓ^e dividing m (by the CRT).
Theorem
Let p be the characteristic of K. We have
E[ℓ^e] ≅ (Z/ℓ^eZ)² for all primes ℓ ≠ p and all e > 0,
and E[p^e] ≅ Z/p^eZ for all e > 0 (the ordinary case),
or E[p^e] = 0 for all e > 0 (the supersingular case).
Pairings
Let G1, G2, and GT be commutative groups of prime order r.
Traditionally, we write G1 and G2 additively and GT multiplicatively.
Definition (Pairings)
A pairing is a mapping e : G1 × G2 → GT
that is
bilinear: e(P1 + P2, Q) = e(P1, Q)e(P2, Q) for all P1, P2, and Q, and e(P, Q1 + Q2) = e(P, Q1)e(P, Q2) for all P, Q1, and Q2; and
nondegenerate: for all P ≠ 0 in G1 there exists a Q in G2 such that e(P, Q) ≠ 1, and similarly for all Q ≠ 0 in G2 there exists a P in G1 such that e(P, Q) ≠ 1.
If we fix P0 in G1, then Q ↦ e(P0, Q) is a homomorphism G2 → GT.
If we fix Q0 in G2, then P ↦ e(P, Q0) is a homomorphism G1 → GT.
Examples of Pairings
Example (Some familiar pairings)
Multiplication of ring elements: e.g. G1 = G2 = GT = (Z, +); e(a, b) = ab.
Scalar (dot) product on a vector space: e.g. G1 = G2 = Rⁿ, GT = R; e(v, w) = v · w.
More generally, matrix multiplication: G1 = M_{m×n}(R), G2 = M_{n×r}(R), GT = M_{m×r}(R); e(A, B) = AB.
A common situation in cryptography is
G1 and G2 are groups formed from an elliptic curve E/F_q,
GT is a subgroup of F_q^×,
G1, G2, and GT all have large prime order r, and
e : G1 × G2 → GT is a variant of the Tate pairing.
Miller Functions and Pairings
We can use Miller functions on E to define pairings on E[r].
If $D = \sum_P n_P\,(P)$, then we set $f(D) = \prod_P f(P)^{n_P}$.
Example (Tate pairing)
The Tate pairing ⟨·, ·⟩_r : E[r] × E(K)/[r]E(K) → K^×/(K^×)^r is defined by
⟨P, Q⟩_r = f_{r,P}(D_Q),
where D_Q ∈ [(Q) − (O_E)].
Example (Weil pairing)
The Weil pairing e_r(·, ·) : E[r] × E[r] → μ_r is defined by
e_r(P, Q) = f_{r,P}(D_Q)/f_{r,Q}(D_P),
where D_Q ∈ [(Q) − (O_E)] and D_P ∈ [(P) − (O_E)].
Pairing Applications
Pairings have a wide range of applications, both elementary and advanced:
Example (Computing group structure)
We use the Weil pairing to check if two r-torsion points are dependent, since e_r(P, Q) = 1 iff Q = [m]_E P for some integer m. (Exercise: why?)
Example (Tripartite Diffie–Hellman key exchange)
Suppose Angela, Bob, and Carla want to share a common secret key.
1. Let E, r, and some P in E[r] be public, and choose a pairing e on E[r] such that e(P, P) ≠ 1.
2. Angela, Bob, and Carla choose secret integers a, b, and c, publishing [a]_E P, [b]_E P, and [c]_E P, respectively.
3. Angela computes e([b]_E P, [c]_E P)^a, Bob computes e([a]_E P, [c]_E P)^b, and Carla computes e([a]_E P, [b]_E P)^c.
4. Since e is bilinear, each has computed e(P, P)^{abc}, which can be used as a common secret key.
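As an added worked example (Python, not code from the slides): the chord-and-tangent rule of slide 17, Miller's algorithm for the function f_{m,P} of slide 20, and the Weil pairing together with the dependence check above. The group-law checks use the slides' curve y² = x³ + 1 over F13; for the pairing I take the same curve over F31 (my choice: E(F13) does not contain all of E[3], while E(F31) does), and the representatives D_Q = (Q+S) − (S), D_P = (P−S) − (−S) with an auxiliary point S outside E[r] keep every evaluation away from the zeroes and poles of the Miller functions.

```python
# Added example (not from the slides): the chord-and-tangent group law of slide 17,
# Miller functions f_{m,P} of slide 20 and the Weil pairing e_r(P,Q) = f_{r,P}(D_Q)/f_{r,Q}(D_P)
# of slide 24, over a prime field F_p.  A curve is E = (p, a, b) for y^2 = x^3 + a x + b; O_E is None.

def neg(E, P):                                   # iota_E(P) = -P
    return None if P is None else (P[0], -P[1] % E[0])

def add(E, P, Q):
    """P + Q = iota_E(R), with R the third point of E on the line through P and Q."""
    p, a, _ = E
    if P is None or Q is None: return P if Q is None else Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:          # Q = -P: vertical line, so P + Q = O_E
        return None
    if P == Q: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p               # these two lines answer the slide-18 exercise
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(E, m, P):                                # [m]_E P by double-and-add
    R = None
    for bit in bin(m)[2:]:
        R = add(E, R, R)
        if bit == '1': R = add(E, R, P)
    return R

def g(E, T, Q, S):   # value at S of l/v from slide 17: div(l/v) = (T) + (Q) - (T+Q) - (O_E)
    p, a, _ = E
    if T is None or Q is None: return 1          # l/v is then a constant
    (xt, yt), (xq, yq), (xs, ys) = T, Q, S
    if xt == xq and (yt + yq) % p == 0:          # T + Q = O_E: l is vertical and v = 1
        return (xs - xt) % p
    if T == Q: lam = (3 * xt * xt + a) * pow(2 * yt, -1, p) % p
    else:      lam = (yq - yt) * pow(xq - xt, -1, p) % p
    l = (ys - yt - lam * (xs - xt)) % p
    return l * pow(xs - (lam * lam - xt - xq), -1, p) % p

def miller(E, m, P, S):   # f_{m,P}(S), with div(f_{m,P}) = m(P) - ([m]P) - (m-1)(O_E)
    f, T = 1, P
    for bit in bin(m)[3:]:                       # bits of m after the leading 1
        f, T = f * f * g(E, T, T, S) % E[0], add(E, T, T)
        if bit == '1': f, T = f * g(E, T, P, S) % E[0], add(E, T, P)
    return f

def weil(E, r, P, Q, S):   # e_r(P,Q) with D_Q = (Q+S)-(S), D_P = (P-S)-(-S); S must not lie in E[r]
    p = E[0]
    num = miller(E, r, P, add(E, Q, S)) * pow(miller(E, r, P, S), -1, p)
    den = miller(E, r, Q, add(E, P, neg(E, S))) * pow(miller(E, r, Q, neg(E, S)), -1, p)
    return num * pow(den, -1, p) % p
```

With E = (31, 0, 1), P = (0, 1), Q = (3, 11) and S = (1, 8), weil(E, 3, P, Q, S) returns 25, a primitive cube root of unity mod 31, while weil(E, 3, P, P, S) returns 1, as the dependence criterion above predicts.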
Arithmetic
From now on, K is not algebraically closed.
Rationality
Definition (Rationality)
We say an object is K-rational or defined over K if it is Galois-stable.
Example
Consider the curve E : y² = x³ − 2 over R. The points (1, i) and (1, −i) of E(C) are not R-rational points (they are not fixed by complex conjugation). However, the divisor (1, i) + (1, −i) is R-rational.
Example
In the context where K is the finite field F_q, an object is K-rational if it is fixed by the q-th power Frobenius map.
Elliptic Curves are Group Schemes
Exercise
The group law of E is defined over K: if σ is an automorphism of K̄ fixing K, then
(P + Q)^σ = P^σ + Q^σ.
Therefore, E is a group scheme: that is, a covariant functor from the category of extensions of K to the category of commutative groups.
This means
for every extension L of K we get a group E(L); and
whenever there is a homomorphism φ : L1 → L2 fixing K, we get a homomorphism φ_* : E(L1) → E(L2).
In particular,
E(L1) is a subgroup of E(L2) whenever K ⊂ L1 ⊂ L2, and
the Galois group of K̄/K acts on E.
Practical Rationality
On a more practical note, the fact that + is defined over K implies that
[m]_E is always K-rational (so it is always defined using polynomials with coefficients in K), and
if P is in E[m](K), then the Miller function f_{m,P} is defined over K.
There are two important things to keep in mind:
Many elements or structures associated to E may be defined only over some extension L of K, and hence may not be “visible” over K.
It may be too expensive to compute with elements of E(L) for some extensions L of K.