MA6011, Week 9

23 Elliptic curves mod p

Elliptic curves have been studied by mathematicians for a long time. Starting in about 1985 such curves were used in cryptography. In the cryptographic applications of elliptic curves we are no longer interested in their rational points but in their solutions modulo a prime $p$. In other words, we are not looking for pairs $(x, y)$ of rational numbers satisfying $y^2 = x^3 + ax^2 + bx + c$ but for pairs $(x, y)$ with $x$ and $y$ from the set $\mathbb{F}_p = \{0, 1, 2, \ldots, p-1\}$ satisfying the same equation. But now we carry out the operations of addition and multiplication modulo $p$.

If $a \in \mathbb{F}_p$ and $a \neq 0$ then $\gcd(a, p) = 1$, thus we can divide by $a$. Indeed, using the extended Euclidean algorithm, we find $b \in \mathbb{F}_p$ such that $ab \equiv 1 \bmod p$. To divide by $a$ then simply means to multiply by $b$. We call $b \in \mathbb{F}_p$ the multiplicative inverse of $a$. For example, from $3 \cdot 4 \equiv 1 \bmod 11$ we see that 4 is the inverse of 3 in $\mathbb{F}_{11}$ and so $7/3 = 7 \cdot 4 = 28 = 6$ in $\mathbb{F}_{11}$. This indeed is true, because $7/3 = 6$ means nothing but $3 \cdot 6 = 7$, which is correct when we calculate modulo 11.

A set is called a field if an addition and a multiplication are defined on it so that the usual laws (associativity, commutativity, distributivity) hold true and division by non-zero elements is possible. We are familiar with the real number field and the complex number field. The rational numbers also form a field. Crucial for the following is that $\mathbb{F}_p$ has the properties of a field as well.

Given the equation $y^2 = x^3 + ax^2 + bx + c$ of an elliptic curve $E$ we can easily determine points $(x, y) \in \mathbb{F}_p \times \mathbb{F}_p$ which lie on the elliptic curve. We call them $\mathbb{F}_p$-points of $E$.

Example 23.1. Let $p = 5$ and consider the elliptic curve $y^2 = x^3 - 3x^2 + 3x$. To find its $\mathbb{F}_p$-points, we first draw up a table of values of $x^3 - 3x^2 + 3x$ where all the calculations are carried out modulo 5. Then we have to find those $x$ for which $x^3 - 3x^2 + 3x$ is a quadratic residue modulo $p$.
   x   x^2   x^3   -3x^2   3x   x^3 - 3x^2 + 3x
   0    0     0      0      0          0
   1    1     1      2      3          1
   2    4     3      3      1          2
   3    4     2      3      4          4
   4    1     4      2      2          3

In the second column we see that the possible squares modulo 5 are 0, 1, 4. Therefore, there is no solution with $x = 2$ or $x = 4$. We can now list the points of our elliptic curve modulo 5: $(0, 0), (1, 1), (1, 4), (3, 2), (3, 3)$. This curve has five $\mathbb{F}_5$-points.

Example 23.2. Consider the curve $y^2 = x^3 + 1$, with $p = 11$. Again draw up a table.

   x          0  1  2  3   4  5  6  7  8  9  10
   x^2        0  1  4  9   5  3  3  5  9  4   1
   x^3        0  1  8  5   9  4  7  2  6  3  10
   x^3 + 1    1  2  9  6  10  5  8  3  7  4   0

Matching the last row with the squares gives us the following 11 points on this curve: $(0, 1), (0, 10), (2, 3), (2, 8), (5, 4), (5, 7), (7, 5), (7, 6), (9, 2), (9, 9), (10, 0)$.

Example 23.3. Let $p = 13$ and consider the curve $y^2 = x^3 + x^2 + 2$.

   x                0  1  2   3   4   5   6   7   8  9  10  11  12
   x^2              0  1  4   9   3  12  10  10  12  3   9   4   1
   x^3              0  1  8   1  12   8   8   5   5  1  12   5  12
   x^3 + x^2 + 2    2  4  1  12   4   9   7   4   6  6  10  11   2

After matching the last row with the squares we find these 14 $\mathbb{F}_{13}$-points on this elliptic curve: $(1, 2), (1, 11), (2, 1), (2, 12), (3, 5), (3, 8), (4, 2), (4, 11), (5, 3), (5, 10), (7, 2), (7, 11), (10, 6), (10, 7)$.

We define addition of $\mathbb{F}_p$-points on an elliptic curve exactly as we defined it for rational points earlier. In particular, we need to include a point at infinity. We call this point $O_E$ if the elliptic curve is called $E$. This is not the point $(0, 0)$, which may or may not be a point of $E$. If the curve $E$ is given by $y^2 = x^3 + ax^2 + bx + c$ and $P = (x_1, y_1)$, $Q = (x_2, y_2)$ are $\mathbb{F}_p$-points on it, we can use the formulae for the coordinates of $P + Q$ and of $2P$ we found in the previous section:

$P + Q = (x, y)$ with
$$m = \frac{y_2 - y_1}{x_2 - x_1}, \quad x = -a + m^2 - x_1 - x_2, \quad y = -y_1 + m(x_1 - x), \quad \text{provided that } x_1 \not\equiv x_2 \bmod p;$$

$2P = (x, y)$ with
$$m = \frac{3x_1^2 + 2ax_1 + b}{2y_1}, \quad x = -a + m^2 - 2x_1, \quad y = -y_1 + m(x_1 - x), \quad \text{provided that } 2y_1 \not\equiv 0 \bmod p.$$

Knowing how to add and to double points on an elliptic curve $E$ allows us to form other multiples of a point $P$ inductively by defining $mP = (m-1)P + P$ for $m \geq 2$. Negative multiples are defined as well: $(-m)P = -(mP)$.

Example 23.4. Continuing with Example 23.1 we let $P = (3, 2)$ and obtain $2P = (1, 4)$, because we get $m = 3$, $x = 3 + 9 - 6 = 1$ and $y = -2 + 3(3 - 1) = 4$ in the calculation modulo 5. We also obtain $3P = 2P + P = (1, 4) + (3, 2) = (0, 0)$ as we now have $m = 4$ and $x = 3 + 16 - 1 - 3 = 0$ and $y = -4 + 4(1 - 0) = 0$. If we continue this way we get $4P = (1, 1)$, $5P = (3, 3)$ and $6P = O_E$. We thus have $E = \{O_E, P, 2P, 3P, 4P, 5P\}$. We say that the point $P$ generates the set of $\mathbb{F}_5$-points of $E$.

Example 23.5. In Example 23.2 the equation of $E$ was $y^2 = x^3 + 1$, with $p = 11$. The doubling formula becomes $m = 3x_1^2/2y_1$ and $2(x_1, y_1) = (m^2 - 2x_1, -y_1 + m(3x_1 - m^2))$. Starting with $P = (7, 5)$ a calculation shows that

    P = (7, 5)      5P = (9, 9)      9P = (5, 4)
   2P = (2, 8)      6P = (10, 0)    10P = (2, 3)
   3P = (5, 7)      7P = (9, 2)     11P = (7, 6)
   4P = (0, 10)     8P = (0, 1)     12P = O_E

and again $P = (7, 5)$ generates the set of $\mathbb{F}_{11}$-points of $E$. In addition to $P$, only $5P = (9, 9)$, $7P = (9, 2)$ and $11P = (7, 6)$ are generators. For all the other points a smaller multiple will produce $O_E$. For example, with $Q = (0, 10)$ we get $2Q = (0, 1)$ and $3Q = O_E$ and the higher multiples of $Q$ will again be $(0, 10)$, $(0, 1)$ or $O_E$.

Example 23.6. In Example 23.3 the equation of $E$ was $y^2 = x^3 + x^2 + 2$, with $p = 13$. If $P = (x_1, y_1)$ is on this curve, the formula for $2P$ in this case is $2P = (-1 + m^2 - 2x_1, -y_1 + m(x_1 - x))$ with $m = (3x_1^2 + 2x_1)/2y_1$ and $x = -1 + m^2 - 2x_1$. Starting with $P = (3, 5)$, we obtain $2P = (10, 7)$, $4P = (4, 2)$, $8P = (5, 10)$ and $16P = P$. Hence $15P = O_E$. In this case, we can express each point as a multiple of $P$.
Further calculations show that $3P = 2P + P = (2, 12)$, $5P = 4P + P = (1, 2)$, $6P = 4P + 2P = (7, 2)$, $7P = 6P + P = (5, 3)$, $9P = 8P + P = (7, 11)$, $10P = (1, 11)$, $11P = (4, 11)$, $12P = (2, 1)$, $13P = (10, 6)$ and $14P = (3, 8)$. Thus $P = (3, 5)$ generates all the $\mathbb{F}_{13}$-points on this elliptic curve.

The method of completing the cube works when we do calculations modulo $p$, provided that $p \neq 3$. This means that we can restrict our attention to elliptic curves given by an equation of the form $y^2 = x^3 + bx + c$. This is known as the Weierstrass form of an elliptic curve. The condition that the curve is non-singular simplifies to $4b^3 + 27c^2 \neq 0$. If we are interested in $\mathbb{F}_p$-points, this condition is to be understood as $4b^3 + 27c^2 \not\equiv 0 \bmod p$.

We have seen above how to find new points if we know at least one point on an elliptic curve. To find such an initial point, we may pick randomly a number $0 \leq x \leq p-1$ and then use the Jacobi symbol to check whether $x(x^2 + b) + c$ is a quadratic residue modulo $p$. If so, we find a square root and if not we try again.

24 Elliptic Curves in Cryptography

Elliptic curves are used in modern cryptography for key exchange. The resulting algorithms are faster and the key sizes are smaller than those used for RSA and for the Diffie-Hellman key exchange which is based on discrete logarithms.

The classical Diffie-Hellman key exchange works as follows. A large prime $p$ and a primitive root $g$ modulo $p$ are made publicly known. Two users A and B who wish to exchange a secret key both randomly select their own private keys $k_A$ and $k_B$. Both should be integers between 1 and $p-1$. Then they calculate their public keys $g^{k_A}$ and $g^{k_B}$ which they exchange. Both users are then able, with their private key, to compute their common secret key $g^{k_A k_B} = (g^{k_A})^{k_B} = (g^{k_B})^{k_A}$. The security of this method depends on the difficulty of the discrete logarithm problem. This idea can be extended to elliptic curves.
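The arithmetic of Section 23, carried out in Python as an added worked example (this is not code from the MA6011 notes; the function names and the choice of None for $O_E$ are my own). It tabulates the right-hand side against the squares modulo $p$ as in Examples 23.1 to 23.3, computes inverses with the extended Euclidean algorithm as described at the start of the section, and forms multiples inductively as $mP = (m-1)P + P$, which reproduces Examples 23.4 to 23.6:

```python
# Added example (not code from the MA6011 notes): the arithmetic of Section 23
# for a curve y^2 = x^3 + a x^2 + b x + c over F_p.  The point at infinity O_E
# is represented by None.

def inverse_mod(a, p):
    """Multiplicative inverse of a in F_p by the extended Euclidean algorithm."""
    a %= p
    if a == 0:
        raise ZeroDivisionError("0 has no inverse modulo %d" % p)
    old_r, r = a, p          # remainders
    old_s, s = 1, 0          # invariant: old_s * a == old_r (mod p)
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % p         # old_r == 1 because p is prime

def is_on_curve(P, a, b, c, p):
    if P is None:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x * x + b * x + c)) % p == 0

def points_mod_p(a, b, c, p):
    """All affine F_p-points, by tabulating x^3 + a x^2 + b x + c against the
    squares modulo p (the tables of Examples 23.1 to 23.3)."""
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return [(x, y) for x in range(p)
            for y in roots.get((x ** 3 + a * x * x + b * x + c) % p, [])]

def add(P, Q, a, b, p):
    """P + Q by the formulae of Section 23 (doubling when P == Q)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # Q = -P, so P + Q = O_E
    if x1 == x2:                                      # doubling: tangent slope
        m = (3 * x1 * x1 + 2 * a * x1 + b) * inverse_mod(2 * y1, p) % p
    else:                                             # chord slope
        m = (y2 - y1) * inverse_mod(x2 - x1, p) % p
    x = (-a + m * m - x1 - x2) % p
    y = (-y1 + m * (x1 - x)) % p
    return (x, y)

def multiples(P, a, b, p):
    """[P, 2P, 3P, ...] computed inductively as mP = (m-1)P + P, up to the last
    multiple before O_E; its length plus one is the order of P."""
    out, R = [], P
    while R is not None:
        out.append(R)
        R = add(R, P, a, b, p)
    return out

def generates_all(P, a, b, c, p):
    """Does P generate the whole set of F_p-points (Examples 23.4 to 23.6)?"""
    return len(multiples(P, a, b, p)) == len(points_mod_p(a, b, c, p))

if __name__ == "__main__":
    print(points_mod_p(-3, 3, 0, 5))            # Example 23.1: five points
    print(multiples((3, 2), -3, 3, 5))          # Example 23.4
    print(multiples((7, 5), 0, 0, 11))          # Example 23.5
    print(generates_all((0, 10), 0, 0, 1, 11))  # False: 3Q = O_E
```

The square-root table in `points_mod_p` costs $O(p)$ and is only meant for the small primes of these examples; the inverse is written out rather than taken from a library so that the Euclidean step of the text is visible.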
Instead of raising a primitive root $g$ to certain powers, a point $P$ on an elliptic curve is multiplied by certain integers. In practice this means that a prime $p$, an elliptic curve $E$ and an $\mathbb{F}_p$-point $G$ on $E$ have to be made known publicly. The users A and B choose their secret keys $k_A$ and $k_B$ and exchange the public keys $k_A G$ and $k_B G$. Their secret key is $k_A k_B G$, which both can compute with their secret key from the public key of the other user. The security of this method depends on the difficulty of finding an integer $k$ such that $P = kG$, where $P$ and $G$ are two known $\mathbb{F}_p$-points on an elliptic curve $E$.

When carrying out calculations on elliptic curves, the point at infinity has always to be taken account of. The proper way of doing this is using projective coordinates. To understand them, we rewrite the equation of the curve in the form $y^2 z = x^3 + bxz^2 + cz^3$ with an extra variable $z$. This equation is homogeneous in $x, y, z$. This means that if $(x, y, z)$ is a solution then so also is $(kx, ky, kz)$ for any $k \neq 0$. A solution $(x, y)$ of the original equation will be represented in projective coordinates as $(x, y, 1)$. This works because substituting $z = 1$ in the homogeneous equation returns the original equation $y^2 = x^3 + bx + c$ of the curve. The key point is now that we define that in projective coordinates $(x, y, z)$ and $(kx, ky, kz)$ both represent the same point. Moreover, when using projective coordinates it is not allowed to have all three components equal to zero, that is, $(0, 0, 0)$ does not represent a point in projective coordinates. In order to avoid confusion, we will write $(x : y : z)$ for the point that is represented by $(kx, ky, kz)$ for any $k \neq 0$. For example $(x : y : 1) = (2x : 2y : 2) = (-x : -y : -1)$ are projective coordinates of the same point $(x, y)$ in usual coordinates. This means that the usual coordinates of a point $(x_1 : y_1 : z_1)$ with $z_1 \neq 0$ are $x = x_1/z_1$ and $y = y_1/z_1$.
Because $k \neq 0$, projective coordinates of a point $(x, y)$ will always have $z \neq 0$. If $z = 0$ the equation of the cubic simplifies to $0 = x^3$. Therefore, the only point with projective coordinates $(x : y : 0)$ on the elliptic curve is the point $(0 : y : 0)$ where $y \neq 0$. This is the point at infinity, i.e. $O_E = (0 : 1 : 0)$.

Let us now summarise our knowledge of addition and doubling of points on an elliptic curve $E$ which is given in Weierstrass form $y^2 = x^3 + bx + c$. Let two points $P_1 = (x_1 : y_1 : z_1)$ and $P_2 = (x_2 : y_2 : z_2)$ in projective coordinates be given on the curve $E$. This means that $y_1^2 z_1 = x_1^3 + bx_1 z_1^2 + cz_1^3$ and $y_2^2 z_2 = x_2^3 + bx_2 z_2^2 + cz_2^3$. We describe now how to find projective coordinates $(x : y : z)$ for the point $P = P_1 + P_2$ on the curve $E$.

• If $z_1 = 0$ we have $P = P_2 = (x_2 : y_2 : z_2)$.
• If $z_2 = 0$ we have $P = P_1 = (x_1 : y_1 : z_1)$.
• Assume $z_1 \neq 0$ and $z_2 \neq 0$ for all items below.
• Replace $x_1$ by $x_1/z_1$, $y_1$ by $y_1/z_1$, $x_2$ by $x_2/z_2$ and $y_2$ by $y_2/z_2$.
• If $x_1 = x_2$ and $y_1 + y_2 = 0$ we have $P = O_E = (0 : 1 : 0)$.
• If $x_1 = x_2$ and $y_1 + y_2 \neq 0$ we define $m = \dfrac{3x_1^2 + b}{2y_1}$ for use below.
• If $x_1 \neq x_2$ we define $m = \dfrac{y_2 - y_1}{x_2 - x_1}$ for use below.
• The projective coordinates of $P$ are $x = m^2 - x_1 - x_2$, $y = m(x_1 - x) - y_1$ and $z = 1$.

In this description, $P_1 = P_2$ is allowed, so that doubling is included in the above algorithm. Subtraction $P_1 - P_2$ is the same as adding the negative of $P_2$, i.e. $P_1 - P_2 = P_1 + (-P_2)$. The negative of $P_2$ is $(x_2 : -y_2 : z_2)$. In particular, $-O_E = O_E$. If these calculations are carried out modulo a prime number $p$, equalities and inequalities have to be taken as congruences modulo $p$.

Example 24.1. Let $p = 101$ and $E$ the curve given by $y^2 = x^3 + 43x + 5$. By trying small values for $x$, we may find the $\mathbb{F}_{101}$-points $P = (1, 7)$ and $Q = (0, 45)$ on $E$. In order to calculate $10P$ we apply successive doubling in the following way.
We first observe that $10 = 8 + 2 = 2^3 + 2 = (2^2 + 1) \cdot 2$ and so we find $10P = (4P + P) \cdot 2 = ((2P) \cdot 2 + P) \cdot 2$. Here are the calculations.

To find $2P$, we have $x_1 = 1$, $y_1 = 7$ and so $m = (3x_1^2 + 43)/2y_1 = 46/14 = 23/7$. Using Euclid's algorithm we find that $29 \cdot 7 - 2 \cdot 101 = 1$, hence 29 is the multiplicative inverse of 7 in $\mathbb{F}_{101}$ and so $m = 23/7 = 23 \cdot 29 = 667 = 61 = -40$. Recall that all our calculations are modulo 101 here. We obtain
$$x = m^2 - 2x_1 = (-40)^2 - 2 = 1598 = 83,$$
$$y = m(x_1 - x) - y_1 = -40(1 - 83) - 7 = -40 \cdot 19 - 7 = -767 = 41$$
and so $2P = (83, 41)$.

The second step is to find $4P = 2(83, 41)$, so we have $x_1 = 83$ and $y_1 = 41$. Now $m = (3x_1^2 + 43)/2y_1 = 1015/82 = 5/82$. The inverse of 82 is found to be $-16$, because $13 \cdot 101 - 16 \cdot 82 = 1$. Thus $m = 5/82 = 5 \cdot (-16) = -80 = 21$. Therefore,
$$x = m^2 - 2x_1 = 21^2 - 2 \cdot 83 = 477 = 73,$$
$$y = m(x_1 - x) - y_1 = 21(83 - 73) - 41 = 169 = 68$$
and so $4P = (73, 68)$.

The next step is to find $5P = P + 4P$. Here we have $x_1 = 1$, $y_1 = 7$ and $x_2 = 73$, $y_2 = 68$. Therefore, $m = (y_2 - y_1)/(x_2 - x_1) = (68 - 7)/(73 - 1) = 61/72$. The extended Euclidean algorithm gives us the equation $5 \cdot 101 - 7 \cdot 72 = 1$. This means that $-7$ is the inverse of 72 and so $m = 61/72 = (-7) \cdot 61 = -427 = -23$. We obtain now
$$x = m^2 - x_1 - x_2 = (-23)^2 - 73 - 1 = 455 = 51,$$
$$y = m(x_1 - x) - y_1 = -23(73 - 51) - 68 = -574 = 32$$
and so $5P = (51, 32)$.

In the last step we find $10P$ by doubling $5P = (51, 32)$. Here we have $x_1 = 51$ and $y_1 = 32$ and obtain $m = (3x_1^2 + 43)/2y_1 = 7534/64 = 69/64$. The inverse of 64 in $\mathbb{F}_{101}$ turns out to be 30. Therefore, $m = 69/64 = 69 \cdot 30 = 2070 = 50$ and we finally get
$$x = m^2 - 2x_1 = 50^2 - 2 \cdot 51 = 2398 = 75,$$
$$y = m(x_1 - x) - y_1 = 50(51 - 75) - 32 = -1232 = 81,$$
i.e. $10P = (75, 81)$.

Example 24.2. Let $p = 1009$ and the curve $E$ be given by $y^2 = x^3 + 71x + 602$. The point $P = (1, 237)$ is on $E$. To calculate $99P$, we first observe that $99 = 64 + 32 + 2 + 1 = 2^6 + 2^5 + 2^1 + 2^0 = ((2 + 1) \cdot 2^4 + 1) \cdot 2 + 1$ and so
$$99P = (((((2P + P) \cdot 2) \cdot 2) \cdot 2) \cdot 2 + P) \cdot 2 + P.$$
The intermediate steps in the calculation are as follows.

    2P = (268, 692)    12P = (448, 129)    49P = (769, 977)
    3P = (653, 258)    24P = (255, 425)    98P = (30, 802)
    6P = (301, 157)    48P = (297, 673)    99P = (237, 558)

25 Number of points on an elliptic curve

There are only finitely many $\mathbb{F}_p$-points on an elliptic curve $y^2 = x^3 + bx + c$, because there are only finitely many possibilities for $x$ and $y$ in $\mathbb{F}_p$. For small primes $p$ we could make a list of all $\mathbb{F}_p$-points or we may count them by calculating $x^3 + bx + c$ for each $x \in \mathbb{F}_p$ and then use the Legendre symbol to find if this is a quadratic residue.

Example 25.1. To find the number of $\mathbb{F}_5$-points on the curve $y^2 = x^3 + 2x + 1$, we calculate $x^3 + 2x + 1 \bmod 5$ for $x = 0, 1, 2, 3, 4$ and then find the corresponding Legendre symbol modulo 5. We should not forget to count the point at infinity $O_E$.

   x   x^3   2x   x^3 + 2x + 1   ((x^3 + 2x + 1) / 5)    y
   0    0     0         1                  1            ±1
   1    1     2         4                  1            ±2
   2    3     4         3                 -1             -
   3    2     1         4                  1            ±2
   4    4     3         3                 -1             -

This shows that we have seven $\mathbb{F}_5$-points, including $O_E$, on this curve.

This method of calculation results in the following formula for the number $N_p$ of $\mathbb{F}_p$-points on $y^2 = x^3 + bx + c$, in which a sum of Legendre symbols occurs:
$$N_p = p + 1 + \sum_{x=0}^{p-1} \left( \frac{x^3 + bx + c}{p} \right).$$
To understand this we only have to observe that for a fixed $x$ the number of $y$ which satisfy the congruence $y^2 \equiv x^3 + bx + c \bmod p$ is equal to
$$1 + \left( \frac{x^3 + bx + c}{p} \right).$$
However, for large primes $p$ this formula is not very practicable. More useful is the following general theorem.

Theorem 25.2 (Hasse). If $N_p$ is the number of $\mathbb{F}_p$-points on an elliptic curve then
$$p + 1 - 2\sqrt{p} < N_p < p + 1 + 2\sqrt{p}.$$

The number $a_p = p + 1 - N_p$ is known as the $p$-defect of the elliptic curve and Hasse's Theorem says that its absolute value is relatively small: $|a_p| < 2\sqrt{p}$.

Example 25.3. With $p = 5$, Hasse's Theorem shows that $2 \leq N_5 \leq 10$.
With the method used in the previous example to count points we obtain the following table:

   E                        N_5(E)   a_p(E)
   y^2 = x^3 + 2x             2        4
   y^2 = x^3 + 4x + 2         3        3
   y^2 = x^3 + x              4        2
   y^2 = x^3 + 3x + 2         5        1
   y^2 = x^3 + 1              6        0
   y^2 = x^3 + 2x + 1         7       -1
   y^2 = x^3 + 4x             8       -2
   y^2 = x^3 + x + 1          9       -3
   y^2 = x^3 + 3x            10       -4

In general, it can be shown that for all primes $p$ and each value of $a_p$ that is possible by Hasse's Theorem, there exists an elliptic curve with exactly this $p$-defect. The number of $\mathbb{F}_p$-points on an elliptic curve when the prime $p$ is large can be calculated by an algorithm of Schoof. A description of the mathematical background of Schoof's algorithm is beyond the scope of this course.
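As an added example (not code from the MA6011 notes) covering the projective-coordinate addition of Section 24, the successive doubling of Examples 24.1 and 24.2, the key exchange on a curve from Section 24, the random starting point of Section 23 and the Legendre-symbol count with Hasse's bound from Section 25. It assumes Python 3.8 or later for `pow(a, -1, p)`; the function names and the key values in the exchange are my own constructions.

```python
# Added example (not code from the MA6011 notes): projective addition as in the
# bullet list of Section 24, successive doubling (Examples 24.1, 24.2), the key
# exchange of Section 24, the random initial point of Section 23 and the
# Legendre-symbol point count with Hasse's bound (Section 25).
# Curves are in Weierstrass form y^2 = x^3 + b x + c over F_p; a point is a
# triple (x, y, z) of projective coordinates and O_E is (0, 1, 0).
import random

def inv(a, p):
    return pow(a % p, -1, p)           # assumes Python 3.8+

def proj_add(P1, P2, b, p):
    x1, y1, z1 = P1
    x2, y2, z2 = P2
    if z1 % p == 0:                    # O_E + P2 = P2
        return P2
    if z2 % p == 0:                    # P1 + O_E = P1
        return P1
    x1, y1 = x1 * inv(z1, p) % p, y1 * inv(z1, p) % p   # divide by z1
    x2, y2 = x2 * inv(z2, p) % p, y2 * inv(z2, p) % p   # divide by z2
    if x1 == x2 and (y1 + y2) % p == 0:
        return (0, 1, 0)               # P1 = -P2
    if x1 == x2:                       # doubling: tangent slope
        m = (3 * x1 * x1 + b) * inv(2 * y1, p) % p
    else:                              # chord slope
        m = (y2 - y1) * inv(x2 - x1, p) % p
    x = (m * m - x1 - x2) % p
    y = (m * (x1 - x) - y1) % p
    return (x, y, 1)

def scalar_mult(k, G, b, p):
    """kG by successive doubling along the binary digits of k, from the top:
    for k = 99 = 1100011_2 this is exactly the bracketing of Example 24.2."""
    R = (0, 1, 0)
    for bit in bin(k)[2:]:
        R = proj_add(R, R, b, p)
        if bit == "1":
            R = proj_add(R, G, b, p)
    return R

def affine(P, p):
    """Usual coordinates (x/z, y/z); None for the point at infinity."""
    x, y, z = P
    return None if z % p == 0 else (x * inv(z, p) % p, y * inv(z, p) % p)

def on_curve(P, b, c, p):
    x, y, z = P
    return (y * y * z - x ** 3 - b * x * z * z - c * z ** 3) % p == 0

def ec_diffie_hellman(kA, kB, G, b, p):
    """Shared secret k_A k_B G: A applies k_A to B's public key and vice versa."""
    pubA, pubB = scalar_mult(kA, G, b, p), scalar_mult(kB, G, b, p)
    secret_A = affine(scalar_mult(kA, pubB, b, p), p)
    secret_B = affine(scalar_mult(kB, pubA, b, p), p)
    assert secret_A == secret_B
    return secret_A

def legendre(v, p):
    """Legendre symbol (v / p) for an odd prime p, by Euler's criterion."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def random_point(b, c, p, rng=random):
    """Initial point as in Section 23: random x, Legendre test, then a square
    root (found by brute force here, which is fine for small p)."""
    while True:
        x = rng.randrange(p)
        v = (x ** 3 + b * x + c) % p
        if legendre(v, p) >= 0:
            y = next(y for y in range(p) if y * y % p == v)
            return (x, y, 1)

def count_points(b, c, p):
    """N_p = p + 1 + sum over x of ((x^3 + b x + c) / p), O_E included."""
    return p + 1 + sum(legendre(x ** 3 + b * x + c, p) for x in range(p))

def p_defect(b, c, p):
    """a_p = p + 1 - N_p, checked against Hasse's bound |a_p| < 2 sqrt(p)."""
    a_p = p + 1 - count_points(b, c, p)
    assert abs(a_p) < 2 * p ** 0.5
    return a_p

if __name__ == "__main__":
    G = (1, 7, 1)                                                    # Example 24.1
    print("10P =", affine(scalar_mult(10, G, 43, 101), 101))         # (75, 81)
    print("99P =", affine(scalar_mult(99, (1, 237, 1), 71, 1009), 1009))  # (237, 558)
    print("N_5 of y^2 = x^3 + 2x + 1:", count_points(2, 1, 5))       # 7
    print("shared secret:", ec_diffie_hellman(7, 13, G, 43, 101))   # constructed keys
```

The left-to-right scan of the binary digits in `scalar_mult` is the same successive doubling the examples perform by hand; `count_points` is the Legendre-sum formula and is only practicable for small $p$, which is the point made above before Hasse's Theorem.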