Elliptic curves: Theory and Applications. Day 1: basic de ... · Elliptic curves: Theory and...

Elliptic curves: Theory and Applications.Day 1: basic definitions and the group law.

Elisa Lorenzo Garcıa

Universite de Rennes 1

11-09-2017

Elisa Lorenzo Garcıa (Rennes 1) Elliptic Curves 1 11-09-2017 1 / 21

Index

Elliptic curves: Theory and Applications.

1. Basic definitions and group law.

2. The j-invariant and the torsion groups.

3. Counting points and factoring and primality testing.

4. The discrete logarithm problem.


This slides are inspired by the books:


Elliptic curves

Definition

An elliptic curve E is the graph of an equation of the form

y2 = x3 + ax + b,

where a, b are constants in a field K such that the discriminant∆ = 4a3 + 27b2 6= 0. We say that E is defined over the field K .

The set of points of the elliptic curve over some field extension L/K is

E (L) = {∞} ∪ {(x , y) ∈ L× L s.t. y2 = x3 + Ax + B}.

The point at infinity ∞ will be defined later.The condition ∆ 6= 0 implies that the curve does not have singular points,which equivalent to the polynomial x3 + ax + b = 0 not having multipleroots.


Elliptic curves in characteristic 2 and 3

In general, we need to work with the more general equation of the form

y2 + a1xy + a3y = x3 + a2x2 + a4x + a6,

where a1, ..., a6 are constants in a field K .If the characteristic is not 2 or 3, we can make a change of variables to geta simplified Weiertrass model.Later, we will discuss other models of elliptic curves.The field K will be usually taken to be Q, R, C or a finite field Fq.


Elliptic curves over the complex numbers

A curve over the complex numbers is a Riemann surface. Topologicallyspeaking a Riemann surface is determined by its genus: ”the number ofholes”.

This can be defined more formally by looking at the dimension of thevector space of regular differentials of the curve.An elliptic curve is a curve of genus 1 together with a distinguished point.Over the complex numbers an elliptic curve is a torus and it can be seenas a quotient of C by a lattice 〈1, τ〉 where τ ∈ C with Im(τ) > 0.


Elliptic curves over the Real numbers

Depending on the number of real roots we get one graphic of the other.


Elliptic curves over finite fields


Recall on finite fields

Let Fq be a field with q elements. Clearly, a finite field cannot havecharacteristic 0, so let p be the characteristic of Fq. Then Fq contains Fp

and it is an Fp-vector space. Then q = pr .

Theorem

Every finite field has a generator, i.e., there exists g ∈ Fq such thatF∗q = {g}.

Theorem

Let Fq be the finite field of q = pr elements, and let σ : a 7→ ap. Then σis an automorphism of Fq that only leaves fixed Fp. Moreover,Gal(Fq/Fp) = AutFp(Fq) = 〈σ〉 is cyclic of order r .


Recall on finite fields

Let p be a prime and let p(x) ∈ Fp[x ] be a irreducible polynomial ofdegree r .

Theorem

Let be q = pr , thenFq ' Fp[x ]/p(x).

Example. Let us take p = 3, r = 2 and p(x) = x2 + 1, we can realize F9

as F3[x ]/p(x) ' F3(i) for i a fixed root of x2 = −1. Moreover, 1 + i is agenerator of F∗9.

Example. Let us take p = 2, r = 3 and p(x) = x3 + x + 1, we can realizeF8 as F2[x ]/p(x) ' F2(α) for α a fixed root of x3 + x + 1 = 0. Moreover,α is a generator of F∗8.


The proyective spaceWe all know that parallel lines meet at infinity. Projective space allows usto make sense out of this statement and also to interpret the point atinfinity on an elliptic curve.

Let K be a field. The 2-dimensional projective space P2K over K is given

by the equivalence classes of triples (x , y , z) with x , y , z ∈ K and at leastone of x , y , z non-zero.


The proyective space

Two triples (x , y , z) and (x ′, y ′, z ′) are said to be equivalent if there existsa nonzero element λ ∈ K such that (x , y , z) = (λx ′, λy ′, λz ′). Theequivalence class of a triple only depends on the ratios of x to y to z .Therefore, the equivalence class of (x , y , z) is denoted (x : y : z).

If (x : y : z) is a point with z 6= 0, then (x : y : z) = (x/z : y/z : 1).These are the ”finite points” in P2

K . However, if z = 0 then dividing by zshould be thought of as giving ∞ in either the x or the y coordinate, andtherefore the points (x : y : 0) are called the ”points at infinity” in P2

K .

A n-dimensional affine variety is given by the zero-locus of an idealI ⊆ K [x1, ..., xn]. A n-dimensional projective variety is given by thezero-locus of an ideal I ⊆ K [x0, ..., xn] generated by homogeneous ideals.


The point at infinity

We have the natural inclusion K × K ↪→ P2K : (x , y) 7→ (x : y : 1), from

where we have the ”finite”points of an elliptic curve.Recall,

E (K ) = {∞} ∪ {(x , y) ∈ K × K s.t. y2 = x3 + Ax + B}.

The points at the infinity are the other solutions to

y2z = x3 + axz2 + z3

in P2K .

Hence, ∞ = (0 : 1 : 0).


Homogenous equations and Bezout’s Theorem

A curve C in P2K is given by the zero locus of a homogenous polynomial

F (x , y , z) = 0.

The curve is not singular if there is no point (x0 : y0 : z0) ∈ C such that∂F∂x (x0, y0, z0) = ∂F

∂y (x0, y0, z0) = ∂F∂z (x0, y0, z0) = 0.

Theorem (Bezout’s)

Let C : F (x , y , z) = 0 and D : G (x , y , z) = 0 be two differentnon-singular plane projective curves defined over a field K . Then the totalnumber of intersection points of C and D counted with multiplicity isequal to the product of the degrees of F and G .


The Group Law

The main difference between an elliptic curve and any other curve is thatin the elliptic curve we can define a group law on it set of points.We proceed as follows: start with two points P = (x1, y1) and Q = (x2, y2)on an elliptic curve E given by the equation y2 = x3 + ax + b. Define anew point −R = (x3,−y3) as the third point of intersection of the line Lthrough P and Q with E . We finally define P + Q = R = (x3, y3).


The Group Law

Assume first that P 6= Q and that neither point is ∞. Draw the line Lthrough P and Q. Its slope is

m =y2 − y1

x2 − x1.

If x1 = x2, then L is vertical. Then −R = R =∞. Otherwise, we canassume x1 6= x2. Then, the equation of L is

y = m(x − x1) + y1

To find the intersection with E , substitute to get

(m(x − x1) + y1)2 = x3 + ax + b.

This is a degree 3 equation for which we already know two solution x1 andx2. Hence, x3 = m2 − x1 − x2 and y3 = −(m(x3 − x1) + y1).


The Group Law

If Q =∞, then P +∞ = P. If P = Q, then we take the line L to be thetangent line to E at P. Implicit differentiation allows us to find the slopem:

2ydy

dx= 3x2 + a, so m =

dy

dx=

3x21 + a

2y1.

If y1 = 0, then the line is vertical and we set P + Q = 2P =∞.Otherwise, the equation of L is

y = m(x − x1) + y1,

and by repeating the previous argument

x3 = m2 − 2x1, and y3 = m(x1 − x3)− y1.


The Group Law

Theorem

The addition of points on an elliptic curve E satisfies the followingproperties:

(commutativity) P + Q = Q + P for all P,Q ∈ E .

(existence of identity) P +∞ = P for all P ∈ E .

(existence of inverse) Given P ∈ E , there exists P ′ ∈ E withP + P ′ =∞. This point will be denoted by −P.

(associativity) (P+Q)+R=P+(Q+R) for all P,Q,R ∈ E .


The Group Law

An elliptic curve over a finite field has only finitely many points withcoordinates in that finite field. Therefore, we obtain a finite abeliangroup in this case.

If E is an elliptic curve defined over Q, then E (Q) is a finitelygenerated abelian group. By the Mordell-Weil theorem, this group isisomorphic to Zr ⊕ F for some r ≥ 0 and some finite group F . Theinteger r is called the rank of E (Q).

An elliptic curve over the complex numbers C is isomorphic to atorus. The usual addition of complex numbers induces a group law onC/Λ that corresponds to the group law on the elliptic curve under theisomorphism between the torus and the elliptic curve.


The Group Law

We will sometimes consider elliptic curves defined over a ring and not overfield. For instance we will take a ring R = Zn := Z/nZ.

Proposition

Let n1 and n2 be odd integers with gcd(n1, n2) = 1. Let E be an ellipticcurve defined over Zn1n2 . Then there is a group isomorphism

E (Zn1n2) ' E (Zn1)⊕ E (Zn2).


The Group Law: integer times a point

Let k be a positive integer and let P be a point on an elliptic curve E .The following procedure computes kP.

1 Start with a = k , B =∞, C = P.

2 If a is even, let a = a/2, and let B = B, C = 2C .

3 If a is odd, let a = a− 1, and let B = B + C , C = C .

4 If a 6= 0, go to step 2.

5 Ouput B.

On the other hand, if we are working over a large finite field and we aregiven point P and kP, it is very difficult to determine the value of k . Thisis called the discrete logarithm problem for elliptic curves and it is thebasis for the cryptographic applications.


Elliptic curves: Theory and Applications. Day 1: basic de ... · Elliptic curves: Theory and...

Documents

Transcript of Elliptic curves: Theory and Applications. Day 1: basic de ... · Elliptic curves: Theory and...