MA6011

23 Elliptic curves mod p
Elliptic curves have been studied by mathematicians for a long time. Starting in about 1985 such curves were used in cryptography. In the cryptographic applications of elliptic curves we are no longer interested in their rational points but in their solutions modulo a prime $p$. In other words, we are not looking for pairs $(x, y)$ of rational numbers satisfying
$$y^2 = x^3 + ax^2 + bx + c$$
but for pairs $(x, y)$ with $x$ and $y$ from the set
$$\mathbb{F}_p = \{0, 1, 2, \ldots, p - 1\}$$
satisfying the same equation. But now we carry out the operations of addition and multiplication modulo $p$.

If $a \in \mathbb{F}_p$ and $a \neq 0$ then $\gcd(a, p) = 1$, thus we can divide by $a$. Indeed, using the extended Euclidean algorithm, we find $b \in \mathbb{F}_p$ such that $ab \equiv 1 \bmod p$. To divide by $a$ then simply means to multiply by $b$. We call $b \in \mathbb{F}_p$ the multiplicative inverse of $a$. For example, from $3 \cdot 4 \equiv 1 \bmod 11$ we see that 4 is the inverse of 3 in $\mathbb{F}_{11}$ and so $7/3 = 7 \cdot 4 = 28 = 6$ in $\mathbb{F}_{11}$. This indeed is true, because $7/3 = 6$ means nothing but $3 \cdot 6 = 7$, which is correct when we calculate modulo 11.

A set is called a field if an addition and a multiplication are defined on it so that the usual laws (associativity, commutativity, distributivity) hold true and division by non-zero elements is possible. We are familiar with the real number field and the complex number field. The rational numbers also form a field. Crucial for the following is that $\mathbb{F}_p$ has the properties of a field as well.

Given the equation $y^2 = x^3 + ax^2 + bx + c$ of an elliptic curve $E$ we can easily determine points $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ which lie on the elliptic curve. We call them $\mathbb{F}_p$-points of $E$.
Example 23.1. Let $p = 5$ and consider the elliptic curve $y^2 = x^3 - 3x^2 + 3x$. To find its $\mathbb{F}_p$-points, we first draw up a table of values of $x^3 - 3x^2 + 3x$ where all the calculations are carried out modulo 5. Then we have to find those $x$ for which $x^3 - 3x^2 + 3x$ is a quadratic residue modulo $p$.

x   x^2   x^3   -3x^2   3x   x^3 - 3x^2 + 3x
0    0     0      0      0          0
1    1     1      2      3          1
2    4     3      3      1          2
3    4     2      3      4          4
4    1     4      2      2          3

In the second column we see that the possible squares modulo 5 are 0, 1, 4. Therefore, there is no solution with $x = 2$ or $x = 4$. We can now list the points of our elliptic curve modulo 5:
$$(0, 0),\ (1, 1),\ (1, 4),\ (3, 2),\ (3, 3).$$
This curve has five $\mathbb{F}_5$-points.
Example 23.2. Consider the curve $y^2 = x^3 + 1$, with $p = 11$. Again draw up a table.

x        0  1  2  3   4  5  6  7  8  9  10
x^2      0  1  4  9   5  3  3  5  9  4   1
x^3      0  1  8  5   9  4  7  2  6  3  10
x^3 + 1  1  2  9  6  10  5  8  3  7  4   0

Matching the last row with the squares modulo 11 (which are 0, 1, 3, 4, 5, 9) gives us the following 11 points on this curve:
$$(0, 1),\ (0, 10),\ (2, 3),\ (2, 8),\ (5, 4),\ (5, 7),\ (7, 5),\ (7, 6),\ (9, 2),\ (9, 9),\ (10, 0).$$
Example 23.3. Let $p = 13$ and consider the curve $y^2 = x^3 + x^2 + 2$.

x              0  1  2   3   4   5   6   7   8  9  10  11  12
x^2            0  1  4   9   3  12  10  10  12  3   9   4   1
x^3            0  1  8   1  12   8   8   5   5  1  12   5  12
x^3 + x^2 + 2  2  4  1  12   4   9   7   4   6  6  10  11   2

After matching the last row with the squares modulo 13 (which are 0, 1, 3, 4, 9, 10, 12) we find these 14 $\mathbb{F}_{13}$-points on this elliptic curve:
$$(1, 2),\ (1, 11),\ (2, 1),\ (2, 12),\ (3, 5),\ (3, 8),$$
$$(4, 2),\ (4, 11),\ (5, 3),\ (5, 10),\ (7, 2),\ (7, 11),\ (10, 6),\ (10, 7).$$
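The table method of Examples 23.1 to 23.3, together with the extended Euclidean inverse used to divide in $\mathbb{F}_p$, as an added Python example that is not part of the lecture notes; the function names are my own, and the curve is taken in the general form $y^2 = x^3 + ax^2 + bx + c$ so that all three examples can be checked with one routine.

```python
# Added example, not from the lecture notes: division in F_p via the extended
# Euclidean algorithm, and the F_p-points of y^2 = x^3 + a x^2 + b x + c found
# exactly as in the tables of Examples 23.1 to 23.3.

def egcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inverse_mod(a, p):
    """Multiplicative inverse of a in F_p; needs gcd(a, p) == 1."""
    g, s, _ = egcd(a % p, p)
    if g != 1:
        raise ZeroDivisionError(f"{a} has no inverse modulo {p}")
    return s % p

def divide_mod(a, b, p):
    """a / b in F_p, i.e. a times the inverse of b (7/3 = 6 in F_11)."""
    return (a * inverse_mod(b, p)) % p

def square_roots_mod(v, p):
    """All y in F_p with y^2 == v (mod p); empty when v is a non-residue."""
    return [y for y in range(p) if (y * y - v) % p == 0]

def curve_points(p, a, b, c):
    """F_p-points (x, y) of y^2 = x^3 + a x^2 + b x + c, O_E excluded.
    Table method: evaluate the right-hand side for every x modulo p and
    keep those x whose value is a square modulo p, one point per root."""
    points = []
    for x in range(p):
        rhs = (x ** 3 + a * x * x + b * x + c) % p
        for y in square_roots_mod(rhs, p):
            points.append((x, y))
    return points

if __name__ == "__main__":
    print(divide_mod(7, 3, 11))              # 6, since 3 * 6 = 18 = 7 in F_11
    print(curve_points(5, -3, 3, 0))         # the five F_5-points of Example 23.1
    print(len(curve_points(11, 0, 0, 1)))    # 11 points, Example 23.2
    print(len(curve_points(13, 1, 0, 2)))    # 14 points, Example 23.3
```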
We define addition of $\mathbb{F}_p$-points on an elliptic curve exactly as we defined it for rational points earlier. In particular, we need to include a point at infinity. We call this point $O_E$ if the elliptic curve is called $E$. This is not the point $(0, 0)$ which may or may not be a point of $E$.

If the curve $E$ is given by $y^2 = x^3 + ax^2 + bx + c$ and $P = (x_1, y_1)$, $Q = (x_2, y_2)$ are $\mathbb{F}_p$-points on it, we can use the formulae for the coordinates of $P + Q$ and of $2P$ we found in the previous section:
$$P + Q = (x, y) \quad\text{with}\quad m = \frac{y_2 - y_1}{x_2 - x_1} \bmod p \quad\text{provided that } x_1 \not\equiv x_2,$$
$$x = -a + m^2 - x_1 - x_2, \qquad y = -y_1 + m(x_1 - x);$$
$$2P = (x, y) \quad\text{with}\quad m = \frac{3x_1^2 + 2ax_1 + b}{2y_1} \bmod p \quad\text{provided that } 2y_1 \not\equiv 0,$$
$$x = -a + m^2 - 2x_1, \qquad y = -y_1 + m(x_1 - x).$$

Knowing how to add and to double points on an elliptic curve $E$ allows us to form other multiples of a point $P$ inductively by defining $mP = (m - 1)P + P$ for $m \ge 2$. Negative multiples are defined as well: $(-m)P = -(mP)$.
Example 23.4. Continuing with Example 23.1 we let $P = (3, 2)$ and obtain $2P = (1, 4)$, because we get $m = 3$, $x = 3 + 9 - 6 = 1$ and $y = -2 + 3(3 - 1) = 4$ in the calculation modulo 5. We also obtain $3P = 2P + P = (1, 4) + (3, 2) = (0, 0)$ as we now have $m = 4$ and $x = 3 + 16 - 1 - 3 = 0$ and $y = -4 + 4(1 - 0) = 0$. If we continue this way we get $4P = (1, 1)$, $5P = (3, 3)$ and $6P = O_E$. We thus have
$$E = \{O_E, P, 2P, 3P, 4P, 5P\}.$$
We say that the point $P$ generates the set of $\mathbb{F}_5$-points of $E$.
Example 23.5. In Example 23.2 the equation of $E$ was $y^2 = x^3 + 1$, with $p = 11$. The doubling formula becomes $m = 3x_1^2/2y_1$ and
$$2(x_1, y_1) = (m^2 - 2x_1,\ -y_1 + m(3x_1 - m^2)).$$
Starting with $P = (7, 5)$ a calculation shows that

 P = (7, 5)      5P = (9, 9)      9P = (5, 4)
2P = (2, 8)      6P = (10, 0)    10P = (2, 3)
3P = (5, 7)      7P = (9, 2)     11P = (7, 6)
4P = (0, 10)     8P = (0, 1)     12P = O_E

and again $P = (7, 5)$ generates the set of $\mathbb{F}_{11}$-points of $E$. In addition to $P$, only $5P = (9, 9)$, $7P = (9, 2)$ and $11P = (7, 6)$ are generators. For all the other points a smaller multiple will produce $O_E$. For example, with $Q = (0, 10)$ we get $2Q = (0, 1)$ and $3Q = O_E$ and the higher multiples of $Q$ will again be $(0, 10)$, $(0, 1)$ or $O_E$.
Example 23.6. In Example 23.3 the equation of $E$ was $y^2 = x^3 + x^2 + 2$, with $p = 13$. If $P = (x_1, y_1)$ is on this curve, the formula for $2P$ in this case is
$$2P = (-1 + m^2 - 2x_1,\ -y_1 + m(x_1 - x))$$
with $m = (3x_1^2 + 2x_1)/2y_1$ and $x = -1 + m^2 - 2x_1$.
Starting with $P = (3, 5)$, we obtain $2P = (10, 7)$, $4P = (4, 2)$, $8P = (5, 10)$ and $16P = P$. Hence $15P = O_E$. In this case, we can express each point as a multiple of $P$. Further calculations show that $3P = 2P + P = (2, 12)$, $5P = 4P + P = (1, 2)$, $6P = 4P + 2P = (7, 2)$, $7P = 6P + P = (5, 3)$, $9P = 8P + P = (7, 11)$, $10P = (1, 11)$, $11P = (4, 11)$, $12P = (2, 1)$, $13P = (10, 6)$ and $14P = (3, 8)$. Thus $P = (3, 5)$ generates all the $\mathbb{F}_{13}$-points on this elliptic curve.

The method of completing the cube works when we do calculations modulo $p$, provided that $p \neq 3$. This means that we can restrict our attention to elliptic curves given by an equation of the form
$$y^2 = x^3 + bx + c.$$
This is known as the Weierstrass form of an elliptic curve. The condition that the curve is non-singular simplifies to $4b^3 + 27c^2 \neq 0$. If we are interested in $\mathbb{F}_p$-points, this condition is to be understood as $4b^3 + 27c^2 \not\equiv 0 \bmod p$.

We have seen above how to find new points if we know at least one point on an elliptic curve. To find such an initial point, we may pick randomly a number $0 \le x \le p - 1$ and then use the Jacobi symbol to check whether $x(x^2 + b) + c$ is a quadratic residue modulo $p$. If so, we find a square root and if not we try again.
24 Elliptic Curves in Cryptography
Elliptic curves are used in modern cryptography for key exchange. The resulting algorithms are faster and the key sizes are smaller than those used for RSA and for the Diffie-Hellman key exchange which is based on discrete logarithms.

The classical Diffie-Hellman key exchange works as follows. A large prime $p$ and a primitive root $g$ modulo $p$ are made publicly known. Two users A and B who wish to exchange a secret key both randomly select their own private keys $k_A$ and $k_B$. Both should be integers between 1 and $p - 1$. Then they calculate their public keys $g^{k_A}$ and $g^{k_B}$ which they exchange. Both users are then able, with their private key, to compute their common secret key $g^{k_A k_B} = (g^{k_A})^{k_B} = (g^{k_B})^{k_A}$. The security of this method depends on the difficulty of the discrete logarithm problem.

This idea can be extended to elliptic curves. Instead of raising a primitive root $g$ to certain powers, a point $P$ on an elliptic curve is multiplied by certain integers. In practice this means that a prime $p$, an elliptic curve $E$ and an $\mathbb{F}_p$-point $G$ on $E$ have to be made known publicly. The users A and B choose their secret keys $k_A$ and $k_B$ and exchange the public keys $k_A G$ and $k_B G$. Their secret key is $k_A k_B G$, which both can compute with their secret key from the public key of the other user.

The security of this method depends on the difficulty of finding an integer $k$ such that $P = kG$, where $P$ and $G$ are two known $\mathbb{F}_p$-points on an elliptic curve $E$.
When carrying out calculations on elliptic curves, the point at infinity always has to be taken account of. The proper way of doing this is using projective coordinates. To understand them, we rewrite the equation of the curve in the form
$$y^2 z = x^3 + bxz^2 + cz^3$$
with an extra variable $z$. This equation is homogeneous in $x, y, z$. This means that if $(x, y, z)$ is a solution then so also is $(kx, ky, kz)$ for any $k \neq 0$. A solution $(x, y)$ of the original equation will be represented in projective coordinates as $(x, y, 1)$. This works because substituting $z = 1$ in the homogeneous equation returns the original equation $y^2 = x^3 + bx + c$ of the curve.

The key point is now that we define that in projective coordinates $(x, y, z)$ and $(kx, ky, kz)$ both represent the same point. Moreover, when using projective coordinates it is not allowed to have all three components equal to zero, that is, $(0, 0, 0)$ does not represent a point in projective coordinates.

In order to avoid confusion, we will write $(x : y : z)$ for the point that is represented by $(kx, ky, kz)$ for any $k \neq 0$. For example
$$(x : y : 1) = (2x : 2y : 2) = (-x : -y : -1)$$
are projective coordinates of the same point $(x, y)$ in usual coordinates. This means that the usual coordinates of a point $(x_1 : y_1 : z_1)$ with $z_1 \neq 0$ are $x = x_1/z_1$ and $y = y_1/z_1$.

Because $k \neq 0$, projective coordinates of a point $(x, y)$ will always have $z \neq 0$. If $z = 0$ the equation of the cubic simplifies to $0 = x^3$. Therefore, the only point with projective coordinates $(x : y : 0)$ on the elliptic curve is the point $(0 : y : 0)$ where $y \neq 0$. This is the point at infinity, i.e. $O_E = (0 : 1 : 0)$.
Let us now summarise our knowledge of addition and doubling of points on an elliptic curve $E$ which is given in Weierstrass form $y^2 = x^3 + bx + c$. Let two points $P_1 = (x_1 : y_1 : z_1)$ and $P_2 = (x_2 : y_2 : z_2)$ in projective coordinates be given on the curve $E$. This means that $y_1^2 z_1 = x_1^3 + bx_1 z_1^2 + cz_1^3$ and $y_2^2 z_2 = x_2^3 + bx_2 z_2^2 + cz_2^3$. We describe now how to find projective coordinates $(x : y : z)$ for the point $P = P_1 + P_2$ on the curve $E$.

• If $z_1 = 0$ we have $P = P_2 = (x_2 : y_2 : z_2)$.
• If $z_2 = 0$ we have $P = P_1 = (x_1 : y_1 : z_1)$.
• Assume $z_1 \neq 0$ and $z_2 \neq 0$ for all items below.
• Replace $x_1$ by $x_1/z_1$, $y_1$ by $y_1/z_1$, $x_2$ by $x_2/z_2$ and $y_2$ by $y_2/z_2$.
• If $x_1 = x_2$ and $y_1 + y_2 = 0$ we have $P = O_E = (0 : 1 : 0)$.
• If $x_1 = x_2$ and $y_1 + y_2 \neq 0$ we define $m = \dfrac{3x_1^2 + b}{2y_1}$ for use below.
• If $x_1 \neq x_2$ we define $m = \dfrac{y_2 - y_1}{x_2 - x_1}$ for use below.
• The projective coordinates of $P$ are $x = m^2 - x_1 - x_2$, $y = m(x_1 - x) - y_1$ and $z = 1$.

In this description, $P_1 = P_2$ is allowed, so that doubling is included in the above algorithm. Subtraction $P_1 - P_2$ is the same as adding the negative of $P_2$, i.e. $P_1 - P_2 = P_1 + (-P_2)$. The negative of $P_2$ is $(x_2 : -y_2 : z_2)$. In particular, $-O_E = O_E$.

If these calculations are carried out modulo a prime number $p$, equalities and inequalities have to be taken as congruences modulo $p$.
Example 24.1. Let $p = 101$ and $E$ the curve given by $y^2 = x^3 + 43x + 5$. By trying small values for $x$, we may find the $\mathbb{F}_{101}$-points $P = (1, 7)$ and $Q = (0, 45)$ on $E$. In order to calculate $10P$ we apply successive doubling in the following way. We first observe that $10 = 8 + 2 = 2^3 + 2 = (2^2 + 1) \cdot 2$ and so we find $10P = (4P + P) \cdot 2 = ((2P) \cdot 2 + P) \cdot 2$. Here are the calculations.

To find $2P$, we have $x_1 = 1$, $y_1 = 7$ and so $m = (3x_1^2 + 43)/2y_1 = 46/14 = 23/7$. Using Euclid's algorithm we find that $29 \cdot 7 - 2 \cdot 101 = 1$, hence 29 is the multiplicative inverse of 7 in $\mathbb{F}_{101}$ and so $m = 23/7 = 23 \cdot 29 = 667 = 61 = -40$. Recall that all our calculations are modulo 101 here. We obtain
$$x = m^2 - 2x_1 = (-40)^2 - 2 = 1598 = 83,$$
$$y = m(x_1 - x) - y_1 = -40(1 - 83) - 7 = -40 \cdot 19 - 7 = -767 = 41$$
and so $2P = (83, 41)$.

The second step is to find $4P = 2(83, 41)$, so we have $x_1 = 83$ and $y_1 = 41$. Now $m = (3x_1^2 + 43)/2y_1 = 1015/82 = 5/82$. The inverse of 82 is found to be $-16$, because $13 \cdot 101 - 16 \cdot 82 = 1$. Thus $m = 5/82 = 5 \cdot (-16) = -80 = 21$. Therefore,
$$x = m^2 - 2x_1 = 21^2 - 2 \cdot 83 = 477 = 73,$$
$$y = m(x_1 - x) - y_1 = 21(83 - 73) - 41 = 169 = 68$$
and so $4P = (73, 68)$.

The next step is to find $5P = P + 4P$. Here we have $x_1 = 1$, $y_1 = 7$ and $x_2 = 73$, $y_2 = 68$. Therefore, $m = (y_2 - y_1)/(x_2 - x_1) = (68 - 7)/(73 - 1) = 61/72$. The extended Euclidean algorithm gives us the equation $5 \cdot 101 - 7 \cdot 72 = 1$. This means that $-7$ is the inverse of 72 and so $m = 61/72 = (-7) \cdot 61 = -427 = -23$. We obtain now
$$x = m^2 - x_1 - x_2 = (-23)^2 - 73 - 1 = 455 = 51,$$
$$y = m(x_1 - x) - y_1 = -23(73 - 51) - 68 = -574 = 32$$
and so $5P = (51, 32)$.

In the last step we find $10P$ by doubling $5P = (51, 32)$. Here we have $x_1 = 51$ and $y_1 = 32$ and obtain $m = (3x_1^2 + 43)/2y_1 = 7534/64 = 69/64$. The inverse of 64 in $\mathbb{F}_{101}$ turns out to be 30. Therefore, $m = 69/64 = 69 \cdot 30 = 2070 = 50$ and we finally get
$$x = m^2 - 2x_1 = 50^2 - 2 \cdot 51 = 2398 = 75,$$
$$y = m(x_1 - x) - y_1 = 50(51 - 75) - 32 = -1232 = 81,$$
i.e. $10P = (75, 81)$.
Example 24.2. Let $p = 1009$ and the curve $E$ be given by $y^2 = x^3 + 71x + 602$. The point $P = (1, 237)$ is on $E$. To calculate $99P$, we first observe that
$$99 = 64 + 32 + 2 + 1 = 2^6 + 2^5 + 2^1 + 2^0 = ((2 + 1) \cdot 2^4 + 1) \cdot 2 + 1$$
and so
$$99P = (((((2P + P) \cdot 2) \cdot 2) \cdot 2) \cdot 2 + P) \cdot 2 + P.$$
The intermediate steps in the calculation are as follows.

 2P = (268, 692)
 3P = (653, 258)
 6P = (301, 157)
12P = (448, 129)
24P = (255, 425)
48P = (297, 673)
49P = (769, 977)
98P = (30, 802)
99P = (237, 558)
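The addition and doubling formulae of section 23, the double-and-add strategy of Examples 24.1 and 24.2, and the key exchange of section 24, as an added Python example that is not code from the lecture notes. It works in affine coordinates with $O_E$ represented by None rather than by projective coordinates, takes inverses by Fermat's little theorem instead of the extended Euclidean algorithm, and the function names and the sample private keys 5 and 7 are my own.

```python
# Added example, not code from the lecture notes: affine addition/doubling on
# y^2 = x^3 + a x^2 + b x + c over F_p (section 23), double-and-add as in
# Examples 24.1 and 24.2, and the key exchange of section 24 built on top.
O = None  # stands for the point at infinity O_E

def inverse_mod(v, p):
    """Inverse of v in F_p by Fermat's little theorem (p prime, v != 0)."""
    if v % p == 0:
        raise ZeroDivisionError("0 has no inverse modulo p")
    return pow(v, p - 2, p)

def add(P, Q, p, a, b):
    """P + Q with the formulae of section 23; c is not needed for addition."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % p == 0:
        if (y1 + y2) % p == 0:       # Q = -P, which includes 2P when 2y1 = 0
            return O
        m = (3 * x1 * x1 + 2 * a * x1 + b) * inverse_mod(2 * y1, p) % p
    else:
        m = (y2 - y1) * inverse_mod(x2 - x1, p) % p
    x = (-a + m * m - x1 - x2) % p   # when doubling x2 == x1, giving -2x1
    y = (-y1 + m * (x1 - x)) % p
    return (x, y)

def multiply(k, P, p, a, b):
    """kP for k >= 0 by double-and-add along the binary digits of k, the
    strategy of 10 = 1010 and 99 = 1100011 in Examples 24.1 and 24.2."""
    result = O
    for bit in bin(k)[2:]:           # most significant bit first
        result = add(result, result, p, a, b)
        if bit == "1":
            result = add(result, P, p, a, b)
    return result

def ecdh(kA, kB, G, p, a, b):
    """Section 24: A publishes kA*G, B publishes kB*G, and each multiplies the
    other's public key by its own private key; returns both computed secrets."""
    pub_A, pub_B = multiply(kA, G, p, a, b), multiply(kB, G, p, a, b)
    return multiply(kB, pub_A, p, a, b), multiply(kA, pub_B, p, a, b)

if __name__ == "__main__":
    print(multiply(10, (1, 7), 101, 0, 43))     # (75, 81), Example 24.1
    print(multiply(99, (1, 237), 1009, 0, 71))  # (237, 558), Example 24.2
    print(multiply(6, (3, 2), 5, -3, 3))        # None: 6P = O_E as in Example 23.4
    print(ecdh(5, 7, (1, 7), 101, 0, 43))       # constructed keys; both sides get 35G
```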
25 Number of points on an elliptic curve

There are only finitely many $\mathbb{F}_p$-points on an elliptic curve $y^2 = x^3 + bx + c$, because there are only finitely many possibilities for $x$ and $y$ in $\mathbb{F}_p$. For small primes $p$ we could make a list of all $\mathbb{F}_p$-points or we may count them by calculating $x^3 + bx + c$ for each $x \in \mathbb{F}_p$ and then use the Legendre symbol to find if this is a quadratic residue.

Example 25.1. To find the number of $\mathbb{F}_5$-points on the curve $y^2 = x^3 + 2x + 1$, we calculate $x^3 + 2x + 1 \bmod 5$ for $x = 0, 1, 2, 3, 4$ and then find the corresponding Legendre symbol modulo 5. We should not forget to count the point at infinity $O_E$.

x   x^3   2x   x^3 + 2x + 1   ((x^3 + 2x + 1)/5)    y
0    0     0         1                 1            ±1
1    1     2         4                 1            ±2
2    3     4         3                -1
3    2     1         4                 1            ±2
4    4     3         3                -1

This shows that we have seven $\mathbb{F}_5$-points, including $O_E$, on this curve.
This method of calculation results in the following formula for the number $N_p$ of $\mathbb{F}_p$-points on $y^2 = x^3 + bx + c$, in which a sum of Legendre symbols occurs:
$$N_p = p + 1 + \sum_{x=0}^{p-1} \left(\frac{x^3 + bx + c}{p}\right).$$
To understand this we only have to observe that for a fixed $x$ the number of $y$ which satisfy the congruence $y^2 \equiv x^3 + bx + c \bmod p$ is equal to
$$1 + \left(\frac{x^3 + bx + c}{p}\right).$$
However, for large primes $p$ this formula is not very practicable. More useful is the following general theorem.

Theorem 25.2 (Hasse). If $N_p$ is the number of $\mathbb{F}_p$-points on an elliptic curve then
$$p + 1 - 2\sqrt{p} < N_p < p + 1 + 2\sqrt{p}.$$
The number $a_p = p + 1 - N_p$ is known as the $p$-defect of the elliptic curve and Hasse's Theorem says that its absolute value is relatively small: $|a_p| < 2\sqrt{p}$.
Example 25.3. With $p = 5$, Hasse's Theorem shows that $2 \le N_5 \le 10$. With the method used in the previous example to count points we obtain the following table:

E                     N_5(E)   a_p(E)
y^2 = x^3 + 2x           2        4
y^2 = x^3 + 4x + 2       3        3
y^2 = x^3 + x            4        2
y^2 = x^3 + 3x + 2       5        1
y^2 = x^3 + 1            6        0
y^2 = x^3 + 2x + 1       7       -1
y^2 = x^3 + 4x           8       -2
y^2 = x^3 + x + 1        9       -3
y^2 = x^3 + 3x          10       -4

In general, it can be shown that for all primes $p$ and each value of $a_p$ that is possible by Hasse's Theorem, there exists an elliptic curve with exactly this $p$-defect.

The number of $\mathbb{F}_p$-points on an elliptic curve when the prime $p$ is large can be calculated by an algorithm of Schoof. A description of the mathematical background of Schoof's algorithm is beyond the scope of this course.
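The Legendre-symbol count of section 25, the $p$-defect $a_p$, the Hasse bound and the table of Example 25.3, as an added Python example that is not from the lecture notes; the Legendre symbol is evaluated by Euler's criterion $v^{(p-1)/2} \bmod p$, the Hasse check is done as $a_p^2 < 4p$ to avoid square roots, and the function names are my own.

```python
# Added example, not from the lecture notes: N_p = p + 1 + sum of Legendre
# symbols (section 25), the p-defect a_p = p + 1 - N_p, Hasse's bound, and
# the N_5 / a_p table of Example 25.3 built from all non-singular curves.

def legendre(v, p):
    """Legendre symbol (v/p) for an odd prime p, via Euler's criterion."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def count_points(p, b, c):
    """N_p for y^2 = x^3 + b x + c, point at infinity included: each x
    contributes 1 + ((x^3 + b x + c)/p) values of y, so summing gives p + 1 + sum."""
    return p + 1 + sum(legendre(x ** 3 + b * x + c, p) for x in range(p))

def p_defect(p, b, c):
    """a_p = p + 1 - N_p."""
    return p + 1 - count_points(p, b, c)

def satisfies_hasse(p, b, c):
    """|a_p| < 2 sqrt(p), checked as a_p^2 < 4p with integers only."""
    return p_defect(p, b, c) ** 2 < 4 * p

def defect_table(p):
    """Rows (b, c, N_p, a_p) for every non-singular y^2 = x^3 + b x + c over
    F_p, i.e. those with 4b^3 + 27c^2 != 0 mod p (Example 25.3 for p = 5)."""
    rows = []
    for b in range(p):
        for c in range(p):
            if (4 * b ** 3 + 27 * c * c) % p != 0:
                rows.append((b, c, count_points(p, b, c), p_defect(p, b, c)))
    return rows

if __name__ == "__main__":
    print(count_points(5, 2, 1))        # 7, Example 25.1
    for row in defect_table(5):         # every a_p from 4 down to -4 occurs
        print(row)
```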