Using Elliptic Curves
Keith Conrad
May 17, 2014
Proving Compositeness
In practice it is easy to prove a positive integer N is composite
without knowing any nontrivial factor. The most common way is
by a counterexample to Fermat’s Little Congruence:
$a^{N-1} \not\equiv 1 \pmod N$ for some $1 < a < N \implies N$ is composite.
There is such an $a$ for any composite $N$, but it might take a while to find
one: if $N = 173032371289$ there is no such $a < 1000$. (This $N$ is the
Carmichael number $3067 \cdot 6133 \cdot 9199$, so every $a$ coprime to it satisfies
$a^{N-1} \equiv 1 \pmod N$, and its smallest prime factor exceeds 1000.)
Suppose an N is proved composite (by Fermat, Solovay–Strassen,
Miller–Rabin, etc.). How can we find a nontrivial factor of N?
Example. Set $N = F_5 = 2^{2^5} + 1 = 4294967297$, the fifth Fermat
number. Since $3^{N-1} \equiv 3029026160 \not\equiv 1 \pmod N$, it's composite.
Euler famously discovered the prime factorization
N = 641 · 6700417.
We will get this by Lenstra’s elliptic curve factorization algorithm.
Euler’s Method (1732)
Let $p$ be an unknown prime factor of $N = 2^{32} + 1$. Then
$2^{32} \equiv -1 \pmod N \Rightarrow 2^{32} \equiv -1 \pmod p$, so $2 \bmod p$ has order 64,
and thus 64 divides $|(\mathbf{Z}/p\mathbf{Z})^\times| = p - 1$, so $p \equiv 1 \pmod{64}$.
In fact $p \equiv 1 \pmod{128}$: since $p \equiv 1 \pmod 8$, by quadratic reciprocity
$2 \bmod p$ is a square, say $2 \equiv r^2 \pmod p$. Then $r^{64} \equiv -1 \pmod p$, so
$r \bmod p$ has order 128 and thus $128 \mid (p - 1)$, so $p \equiv 1 \pmod{128}$.
The first few integers $> 1$ that are $1 \bmod 128$ are
129, 257, 385, 513, 641, 769, 897.
Easily 129, 385, 513, and 897 are composite ($129 = 3 \cdot 43$, $385 = 5 \cdot 7 \cdot 11$,
$513 = 3^3 \cdot 19$, $897 = 3 \cdot 13 \cdot 23$). We see $p \neq 257$ since
$2^8 = 256 \equiv -1 \pmod{257} \Rightarrow 2^{32} \equiv 1 \pmod{257}$. The
second prime to try is 641, and it divides $N$.
Pollard’s p − 1 method (1974)
To find a prime factor $p$ of a number $N$ that we know (or believe)
is composite, seek $a$ and $k$ such that $a^k \equiv 1 \pmod p$, which holds whenever
$(a, p) = 1$ and $(p - 1) \mid k$. Then $\gcd(a^k - 1, N)$ is divisible by $p$ and is
probably not $N$.
Pick a bound $B$ and let $M$ be divisible by all prime powers up to $B$,
e.g., $\operatorname{lcm}(2, \ldots, B)$ or $B!$. If $N$ has a prime factor $p$ such that all
prime-power factors of $p - 1$ are at most $B$, then $(p - 1) \mid M$,
so $(a, N) = 1 \Rightarrow a^M \equiv 1 \pmod p$, and thus $p \mid (a^M - 1)$. Thus
computing $(a^M - 1, N)$ should reveal a nontrivial factor of $N$.
Example. For $N = 2^{32} + 1$ try $B = 10$, so $M = \operatorname{lcm}(2, \ldots, 10) = 8 \cdot 9 \cdot 5 \cdot 7 = 2520$.
Letting $a = 2, 3, 4, 5, \ldots$ and computing $(a^M - 1, N)$, it is 1 until
$a = 13$, when $(13^{2520} - 1, N) = 641$: success! This worked since
$641 - 1 = 640 = 2^7 \cdot 5$ has only small prime factors and, more to the point,
$13 \bmod 641$ has order 20, which divides $M$. (Note $2^7 \nmid 2520$, so $640 \nmid M$:
the success here depends on the base $a$ having small order mod 641, not on
$p - 1$ itself dividing $M$.)
If a’s aren’t making (aM − 1, N) > 1 after a reasonable number of
steps then increase B, recompute M, and start again.
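The three attacks on $N = 2^{32} + 1$ described so far (a Fermat witness proving compositeness, Euler's congruence-restricted trial division, and Pollard's $p - 1$ method) as working code. This is an added example, not the speaker's code: the function names are my own, Euler's argument is generalized to any Fermat number $F_n$ with $n \ge 2$ (prime factors are $1 \bmod 2^{n+2}$), and the second sample modulus is the slides' $173032371289$, whose factorization $3067 \cdot 6133 \cdot 9199$ is supplied here as a checked fact (it is a Carmichael number). Only the Python standard library is used.

```python
"""Fermat witnesses, Euler-style trial division for Fermat numbers, and
Pollard's p-1 method.  Added example for the slides above, not the
speaker's code.  Sample moduli: the slides' N = 2^32 + 1 and the
Carmichael number 173032371289 = 3067 * 6133 * 9199 (checked by hand)."""
from math import gcd

F5 = 2 ** 32 + 1             # 4294967297 = 641 * 6700417
CARMICHAEL = 173032371289    # every base coprime to it is a Fermat liar


def fermat_witness(N, a):
    """a^(N-1) mod N.  Any value other than 1 (with 1 < a < N) proves N
    composite without exhibiting a factor."""
    return pow(a, N - 1, N)


def first_fermat_witness(N, limit=1000):
    """Smallest base 1 < a < limit exposing N as composite, or None if
    every such base passes (N prime, or a Carmichael-type liar)."""
    for a in range(2, min(limit, N)):
        if fermat_witness(N, a) != 1:
            return a
    return None


def euler_search(n, limit=10 ** 6):
    """Euler's argument from the slides, generalized: every prime factor of
    F_n = 2^(2^n) + 1 (n >= 2) is 1 mod 2^(n+2), so only those candidates
    are tried.  No primality test is needed: a composite candidate dividing
    F_n has prime factors in the same progression, which are reached first."""
    F = 2 ** (2 ** n) + 1
    step = 2 ** (n + 2)
    for p in range(step + 1, limit, step):
        if F % p == 0:
            return p
    return None


def smooth_exponent(B):
    """M = lcm(1, ..., B), divisible by every prime power up to B."""
    M = 1
    for m in range(2, B + 1):
        M = M * m // gcd(M, m)
    return M


def pollard_pm1(N, B, max_base=1000):
    """Pollard's p-1 with smoothness bound B.  For a = 2, 3, ... compute
    g = gcd(a^M - 1, N) with M = lcm(1..B).  If some prime p | N has p-1
    B-powersmooth then a^M = 1 mod p, so p | g.  Returns (a, g) for the
    first base with 1 < g < N, else None.  Two failure modes: g == 1 for
    every a (B too small: raise it) and g == N for every a (p-1 is
    B-powersmooth for every prime factor at once: lower B)."""
    M = smooth_exponent(B)
    for a in range(2, max_base):
        g = gcd(a, N)
        if 1 < g < N:                # the base itself shares a factor with N
            return (a, g)
        g = gcd(pow(a, M, N) - 1, N)
        if 1 < g < N:
            return (a, g)
    return None


if __name__ == "__main__":
    print("first Fermat witness for F_5:", first_fermat_witness(F5))
    print("Euler-style search, F_5:", euler_search(5))
    print("Pollard p-1, B = 10:", pollard_pm1(F5, 10))
    print("Pollard p-1 on a Carmichael number with B = 73:",
          pollard_pm1(CARMICHAEL, 73, max_base=50))
```

The Carmichael sample shows the failure mode the slides do not spell out: with $B = 73$, all of $3066$, $6132$ and $9198$ divide $\operatorname{lcm}(1, \ldots, 73)$, so $a^M \equiv 1 \pmod N$ for every coprime base and the gcd is always $N$. The $p - 1$ method is also the reason "strong primes" (with a large prime factor of $p - 1$) were once demanded for RSA moduli; for properly generated primes of cryptographic size, $p - 1$ is $B$-powersmooth for a feasible $B$ only with negligible probability.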
Lenstra’s Elliptic Curve Method (1987)
In the $p - 1$ method $(\mathbf{Z}/N\mathbf{Z})^\times$ is a proxy for $(\mathbf{Z}/p\mathbf{Z})^\times$ where $p \mid N$,
and we seek $1 < (a^M - 1, N) < N$ for fixed $M$ and random $a$. Success
depends on $p - 1$, for some $p \mid N$, having small prime factors. If
no $p \mid N$ is like that, the $p - 1$ method won't be practical.
Lenstra's idea: for each $p$ there's only one group $(\mathbf{Z}/p\mathbf{Z})^\times$ but
many elliptic curves mod $p$, all with roughly $p$ points: Hasse's
theorem says
$$p + 1 - 2\sqrt{p} < |E(\mathbf{Z}/p\mathbf{Z})| < p + 1 + 2\sqrt{p}.$$
Even if $p - 1$ doesn't have all small prime factors, a number $t$ near
$p - 1$ might. An $E \bmod p$ with $|E(\mathbf{Z}/p\mathbf{Z})| = t$ could be used in
place of $(\mathbf{Z}/p\mathbf{Z})^\times$, with $a^k$ replaced by $[k](P)$.
Instead of $E(\mathbf{Z}/p\mathbf{Z})$ we use an "elliptic curve mod $N$": solutions to
$$y^2 \equiv x^3 + ax + b \pmod N.$$
Lenstra’s Elliptic Curve Method (1987)
Treating N as if it were prime, we’ll “add” points on
$$E : y^2 = x^3 + ax + b \pmod N$$
as if it were smooth: $(N, 6) = 1$ and $(N, 4a^3 + 27b^2) = 1$.
For $(x_1, y_1)$ and $(x_2, y_2)$ on $E(\mathbf{Z}/N\mathbf{Z})$, set
$$(x_3, y_3) := \left( \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,\ \frac{y_2 - y_1}{x_2 - x_1}(x_1 - x_3) - y_1 \right)$$
if $x_1 \not\equiv x_2 \pmod N$ and
$$(x_3, y_3) := \left( \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1,\ \frac{3x_1^2 + a}{2y_1}(x_1 - x_3) - y_1 \right)$$
if $x_1 \equiv x_2 \pmod N$ and $y_1 \equiv y_2 \not\equiv 0 \pmod N$.
If we can't invert $x_2 - x_1 \bmod N$ or $2y_1 \bmod N$, then $(x_2 - x_1, N)$
or $(2y_1, N)$ is greater than 1, which will be a factor of $N$ that is
likely to be nontrivial: if the math breaks down, we probably win!
Lenstra’s Elliptic Curve Method (1987)
How to find a point on a random "elliptic curve" mod $N$? Do not
pick the equation first: choose $P = (x_0, y_0)$, then $a \bmod N$,
and set $b :\equiv y_0^2 - (x_0^3 + ax_0) \pmod N$, so $(x_0, y_0)$ satisfies
$$y^2 \equiv x^3 + ax + b \pmod N.$$
Example: Set $P = (0, 1)$. For any $a$, set $b = 1^2 - (0^3 + a \cdot 0) = 1$,
so $P$ lies on
$$y^2 \equiv x^3 + ax + 1 \pmod N.$$
Example: If $P = (1, 1)$, for any $a$ set $b = 1^2 - (1^3 + a \cdot 1) = -a$,
so $P$ lies on
$$y^2 \equiv x^3 + ax - a \pmod N.$$
We will use the first example to factor N = 232 + 1 by an elliptic
analogue of the p − 1 method.
Factoring with Elliptic Curves: Attempt #1
Set $N = 2^{32} + 1$. For $a = 1, 2, \ldots$, make multiples of $P = (0, 1)$ on
$$E_a : y^2 \equiv x^3 + ax + 1 \pmod N.$$
The number $k!$ is divisible by all prime powers up to $k$. Compute
$[k!](P) \bmod N$ for $k = 1, 2, \ldots$ and check if the math breaks down. If
it does, we get a factor of $N$ greater than 1 (likely not $N$ itself).
Try $E_1 : y^2 \equiv x^3 + x + 1 \pmod N$ and $P = (0, 1)$.

     k!    [k!](P) mod N
      2    (3221225473, 536870911)
      6    (367298006, 2207005281)
     24    (3611864492, 2086849036)
    120    (251655173, 3076345795)
We can compute [k!](P) by repeated doubling when possible:
[24](P) = [4]([6](P)), [120](P) = [4]([24](P)) + [24](P).
This is “taking too long”; let’s check another elliptic curve mod N.
Factoring with Elliptic Curves: Attempt #2
Try $E_2 : y^2 \equiv x^3 + 2x + 1 \pmod N$ and again $P = (0, 1)$.

     k!    [k!](P) mod N
      2    (1, 4294967295)
      6    (2727994353, 3994210159)
     24    (580641148, 946607585)
To find [120](P) = [4]([24](P)) + [24](P) = [96](P) + [24](P), we
first double [24](P) twice to get
[4]([24](P)) = [96](P) ≡ (2857060344, 1664748213) mod N.
Adding [96](P) and [24](P) requires inverting the difference of
x-coordinates:
x2 − x1 = 2857060344 − 580641148 ≡ 2276419196 mod N.
But (x2 − x1 , N) = 641: we’ve found a nontrivial factor of N.
What is going on?
For $N = 2^{32} + 1$, adding on $E(\mathbf{Z}/N\mathbf{Z})$ is adding on $E(\mathbf{Z}/641\mathbf{Z})$
and $E(\mathbf{Z}/6700417\mathbf{Z})$ at the same time. For $P = (0, 1)$ on
$E_2 : y^2 = x^3 + 2x + 1$, we have
$$|E_2(\mathbf{Z}/641\mathbf{Z})| = 660 = 2^2 \cdot 3 \cdot 5 \cdot 11, \qquad |E_2(\mathbf{Z}/6700417\mathbf{Z})| = 6699046 = 2 \cdot 3349523,$$
with $P \bmod 641$ of order 30 and $P \bmod 6700417$ of order 3349523.
How preparing for $[120](P) = [24](P) + [96](P)$ looks mod the two primes:

      n    [n](P) mod 641    [n](P) mod 6700417
     24    (272, 579)        (4405286, 1848788)
     96    (272, 62)         (2682702, 2183740)

Adding $[24](P) = (x_1, y_1)$ and $[96](P) = (x_2, y_2)$ needs the inverse of
$x_2 - x_1$, but $x_2 - x_1 \equiv 0 \pmod{641}$ and $x_2 - x_1 \not\equiv 0 \pmod{6700417}$.
That is why we found $(x_2 - x_1, N) = 641$. (Indeed $579 + 62 = 641$, so
$[96](P) \equiv -[24](P) \bmod 641$: since $30 \mid 120$, $[120](P)$ is the identity
mod 641 but not mod 6700417, and the formula has no way to express that.)
Why was $E_1 : y^2 = x^3 + x + 1$ not as useful? The order of $P$ on
$E_1(\mathbf{Z}/641\mathbf{Z})$ is $303 = 3 \cdot 101$ rather than 30, and $101 \mid k!$ first
at $k = 101$: we'd need $[101!](P)$ to factor $N$.
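Lenstra's method as laid out on the preceding slides, in working code: affine chord-and-tangent addition mod $N$ in which a non-invertible denominator is reported as a factor, $[k!](P)$ computed stage by stage, and the loop over $a = 1, 2, \ldots$ with $P = (0, 1)$ and $b = 1$. This is an added example, not the slides' or Lenstra's code; the function names are my own. It also handles a case the two-case addition law on the slides leaves open: $x_1 \equiv x_2 \pmod N$ with $y_1 \not\equiv \pm y_2 \pmod N$ means the two points are equal modulo some prime factors of $N$ and negatives modulo the others, so $\gcd(y_1 - y_2, N)$ is itself a nontrivial factor.

```python
"""Lenstra's elliptic curve method over Z/NZ, following the slides above.
Added example, not Conrad's or Lenstra's code.  Points are affine pairs
(x, y); None is the point at infinity.  Arithmetic is done "as if N were
prime"; a failed inversion is the win."""
from math import gcd


class FactorFound(Exception):
    """A denominator was not invertible mod N; gcd(denominator, N) > 1."""
    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor


def inv_mod(d, N):
    """d^-1 mod N, or raise FactorFound(gcd(d, N)) when it does not exist."""
    g = gcd(d % N, N)
    if g != 1:
        raise FactorFound(g)
    return pow(d, -1, N)          # modular inverse, Python 3.8+


def ec_add(P, Q, a, N):
    """Chord-and-tangent law on y^2 = x^3 + a x + b mod N (b is implicit)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % N == 0:
        if (y1 - y2) % N == 0:
            if y1 % N == 0:           # 2-torsion mod N: [2]P is infinity
                return None
            lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, N)   # tangent slope
        elif (y1 + y2) % N == 0:      # Q = -P mod N
            return None
        else:
            # Same x but y1 = y2 only mod some primes dividing N and
            # y1 = -y2 mod the others, since (y1-y2)(y1+y2) = 0 mod N
            # with neither factor 0: gcd(y1 - y2, N) is nontrivial.
            raise FactorFound(gcd(y1 - y2, N))
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, N)              # chord slope
    lam %= N
    x3 = (lam * lam - x1 - x2) % N
    y3 = (lam * (x1 - x3) - y1) % N
    return (x3, y3)


def ec_mul(k, P, a, N):
    """[k]P by double-and-add; any intermediate step may raise FactorFound."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, N)
        k >>= 1
        if k:
            P = ec_add(P, P, a, N)
    return R


def ecm_attempt(N, a, P, kmax):
    """On E_a: y^2 = x^3 + a x + b mod N, with b chosen so P lies on E_a,
    compute [k!]P for k = 2..kmax.  Returns (k, g) if a gcd g > 1 shows up
    at stage k, or (None, Q) with Q = [kmax!]P if the arithmetic never breaks."""
    x0, y0 = P
    b = (y0 * y0 - x0 ** 3 - a * x0) % N
    g = gcd(4 * a ** 3 + 27 * b * b, N)
    if g != 1:                        # curve singular mod some p | N
        return (0, g)
    Q = P
    for k in range(2, kmax + 1):
        try:
            Q = ec_mul(k, Q, a, N)    # now Q = [k!]P
        except FactorFound as exc:
            return (k, exc.factor)
        if Q is None:                 # infinity mod every p | N at once: no split
            return (k, N)
    return (None, Q)


def lenstra_ecm(N, P=(0, 1), kmax=60, max_curves=200):
    """Loop over a = 1, 2, ... as the slides do until some curve E_a yields
    a nontrivial factor; returns (a, k, factor) or None.  Needs gcd(N, 6) = 1."""
    assert gcd(N, 6) == 1, "divide out 2 and 3 first"
    for a in range(1, max_curves + 1):
        k, result = ecm_attempt(N, a, P, kmax)
        if k is not None and 1 < result < N:
            return (a, k, result)
    return None


if __name__ == "__main__":
    N = 2 ** 32 + 1
    print("E_1, [2]P =", ecm_attempt(N, 1, (0, 1), 2)[1])
    print("ECM on F_5:", lenstra_ecm(N, kmax=5))       # (2, 5, 641)
```

On $N = 2^{32} + 1$ the run reproduces the slides: $E_1$ survives through $[120](P)$, and on $E_2$ the chord between $[24](P)$ and $[96](P)$ fails with $\gcd = 641$. Because the work depends on the size of the smallest prime factor rather than on $N$, this is the standard way to strip small factors from a large integer, and the reason RSA moduli must be built from two primes of comparable size.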
A Problem in Art
Escher’s Print Gallery
In 2000, Lenstra saw this 1956 Escher work in an airline magazine.
The picture suggests a “spiral” symmetry around the center and
Lenstra wondered: how to correctly fill in the hole?
Escher’s Print Gallery
Lenstra saw that the empty central hole should be filled in by a
self-replicating process that is a twisted analogue of a classical
self-replicating process in ordinary geometry.
Escher’s Print Gallery
This repeating pattern is called the Droste effect, because the
popular Dutch chocolate company Droste (left) uses it in their
packaging. They claim it goes back to 1900, inspired by the middle
painting, but the image from the Einem chocolate company on the
right from 1897 looks like a more plausible source.
Multiplicative Model for Elliptic Curves
To continue Escher’s twisting pattern into the central region,
Lenstra realized he should use a multiplicatively periodic function.
Traditionally, $E(\mathbf{C}) \cong \mathbf{C}/L$ with $L = \mathbf{Z} + \mathbf{Z}\tau$, $\tau \notin \mathbf{R}$. The complex
exponential map $\exp : \mathbf{C} \to \mathbf{C}^\times$ induces an isomorphism
$$\mathbf{C}/(\mathbf{Z} + \mathbf{Z}\tau) \to \mathbf{C}^\times/q^{\mathbf{Z}}, \qquad q = e^{2\pi i\tau}.$$
The group $\mathbf{C}^\times/q^{\mathbf{Z}}$ is Tate's model for complex elliptic curves.
Filling in the hole in Print Gallery
With help from Bart de Smit and others, Lenstra filled the hole:
A Field Embedding Question
Field Embedding
For sets, $X \hookrightarrow Y$ and $Y \hookrightarrow X$ implies $\operatorname{card}(X) = \operatorname{card}(Y)$.
For vector spaces, $V \hookrightarrow W$ and $W \hookrightarrow V$ implies $V \cong W$.
What about for fields: if $K \hookrightarrow L$ and $L \hookrightarrow K$, is $K \cong L$?
Consider isogenous elliptic curves over $\mathbf{Q}$:
$$\varphi : E \to E', \qquad \widehat{\varphi} : E' \to E.$$
These lead to embeddings of function fields $\mathbf{Q}(E') \hookrightarrow \mathbf{Q}(E)$ and
$\mathbf{Q}(E) \hookrightarrow \mathbf{Q}(E')$. Check $\mathbf{Q}(E) \not\cong \mathbf{Q}(E')$ with $j$-invariants.
Example. $E : y^2 = x^3 + x^2 + x$ and $E' : Y^2 = X^3 - 2X^2 - 3X$.
There are isogenies
$$(x, y) \mapsto \left( \frac{y^2}{x^2},\ \frac{y(1 - x^2)}{x^2} \right), \qquad (X, Y) \mapsto \left( \frac{Y^2}{4X^2},\ \frac{-Y(3 + X^2)}{8X^2} \right),$$
and $j(E) = 2048/3$, $j(E') = 35152/9$. Thus the fields
$$\mathbf{Q}\left(x, \sqrt{x^3 + x^2 + x}\right), \qquad \mathbf{Q}\left(X, \sqrt{X^3 - 2X^2 - 3X}\right)$$
embed into each other but are not isomorphic (unequal $j$-values).
The Class Number Problem
Class Numbers
In a number field K , with integers OK , an ideal class is a set of
nonzero ideals in OK that are equal up to scaling: I = γJ for a
γ ∈ K × . There are finitely many ideal classes, their number being
the class number h(K ), which is 1 if and only if OK is a UFD.
Example. Every nonzero ideal in $\mathbf{Z}[\sqrt{-5}]$ is a scalar multiple of
$(1)$ or $(2, 1 + \sqrt{-5})$: $h(\mathbf{Q}(\sqrt{-5})) = 2$.
Class numbers of quadratic fields, going back to Gauss:

      d    h(Q(√d))    h(Q(√−d))
      1       *            1
      2       1            1
      3       1            1
      5       1            2
      6       1            2
      7       1            1
     10       2            2
     23       1            3
     79       3            5
    ···      ···          ···
Application 1. If $p$ doesn't divide $h(\mathbf{Q}(\zeta_p))$ then Kummer settled
Fermat's Last Theorem for $x^p + y^p = z^p$; $h(\mathbf{Q}(\zeta_p)) = 1 \Leftrightarrow p \le 19$.
Application 2. The action of $\mathrm{SL}_2(\mathcal{O}_K)$ on $\mathbf{P}^1(K)$ by linear-fractional
transformations ($\begin{pmatrix} a & b \\ c & d \end{pmatrix}[x, y] = [ax + by, cx + dy]$) has $h(K)$ orbits.
Class Number Formula
Let $K$ be an imaginary quadratic field. The $\zeta$-function of $K$
factors into the Riemann zeta-function times a Dirichlet $L$-function:
$$\zeta_K(s) := \sum_{J \neq (0)} \frac{1}{|\mathcal{O}_K/J|^s} = \zeta(s)\,L(s, \chi) = \sum_{n \ge 1} \frac{1}{n^s} \cdot \sum_{n \ge 1} \frac{\chi(n)}{n^s}$$
for a quadratic Dirichlet character $\chi$ that's odd ($\chi(-1) = -1$),
and Dirichlet's analytic class number formula for $K$ says
$$L(1, \chi) = \sum_{n \ge 1} \frac{\chi(n)}{n} = \frac{2\pi h(K)}{|\mu(K)| \sqrt{|\operatorname{disc}(K)|}},$$
where $\mu(K)$ is the group of roots of unity in $K$ and $\operatorname{disc}(K)$ is the discriminant.
This links class numbers of imaginary quadratic fields to the value
of an $L$-function at $s = 1$.
Example. For $K = \mathbf{Q}(i)$, $L(s, \chi) = 1 - 1/3^s + 1/5^s - 1/7^s + \cdots$.
Then $L(1, \chi) = \pi/4$ by calculus, and $(2\pi h)/(4\sqrt{4}) = (\pi/4)h$, so
$h = 1$: an analytic proof that $\mathbf{Z}[i]$ is a UFD.
Class Number Problem
Gauss's tables suggest finitely many imaginary quadratic fields
have any particular class number. Setting $h_d = h(\mathbf{Q}(\sqrt{-d}))$ for
squarefree $d > 0$, the conjecture is that $h_d \to \infty$ as $d \to \infty$.
1918: Hecke showed if $L(s, \chi)$ satisfies the Generalized
Riemann Hypothesis (GRH) for all odd quadratic $\chi$ then
$h_d > c\sqrt{d}/\log d$ for some positive constant $c$.
1934: Heilbronn showed if L(s, χ) violates GRH for some odd
quadratic χ, then hd → ∞ as d → ∞.
Combining these, hd → ∞ as d → ∞, but not effectively.
Note: Heilbronn’s idea (now called the Deuring–Heilbronn
phenomenon) was to use a violation of GRH for one L(s, χ) to
get a lower bound on L(1, χ) for other χ.
1934: Heilbronn and Linfoot showed there are at most 10
imaginary quadratic fields with class number 1. Nine were
known. Nobody expected there to be a tenth. (Note: Their
paper is curious today for referring to fields as corpora.)
Class Number Problem
More progress:
1935: Siegel showed that for all $\varepsilon > 0$ there's $c_\varepsilon > 0$ such that
$h_d > c_\varepsilon d^{1/2 - \varepsilon}$ for all $d$, but $c_\varepsilon$ can't be explicitly determined.
1952/1966-67: Heegner and then Baker and Stark settled the
class number 1 problem: 9 fields.
1971: Baker & Stark settle the class number 2 problem: 18 fields.
1976: Goldfeld showed $h_d \ge c_\varepsilon (\log d)^{1 - \varepsilon}$ with computable $c_\varepsilon$,
provided there is an elliptic curve $E/\mathbf{Q}$ whose $L$-function
$$L(E, s) = \prod_{\text{good } p} \frac{1}{1 - a_p/p^s + p/p^{2s}} \prod_{\text{bad } p} \frac{1}{1 - a_p/p^s} = \sum_{n \ge 1} \frac{a_n}{n^s}$$
vanishes to order at least 3 at $s = 1$ (this makes the exponent on $\log d$
at least $1 - \varepsilon$). The proof uses a Heilbronn-like idea: a high-order
zero of $L(E, s)$ at $s = 1$ leads to a lower bound on $L(1, \chi)$ for
odd quadratic $\chi$.
Class Number Problem
Therefore one elliptic curve E/Q whose L-function vanishes to order
at least 3 at s = 1 would, in principle, computably settle the class
number problem for imaginary quadratic fields. How to find it?
Birch and Swinnerton-Dyer Conjecture. For any $E/\mathbf{Q}$,
$$\operatorname{ord}_{s=1} L(E, s) = \operatorname{rank}(E(\mathbf{Q})).$$
So any $E/\mathbf{Q}$ with $E(\mathbf{Q}) \cong \mathbf{Z}^3 \oplus (\text{torsion})$ is a candidate for $L(E, s)$
having a third-order zero at $s = 1$: want
$$L(E, 1) = 0, \quad L'(E, 1) = 0, \quad L''(E, 1) = 0, \quad L'''(E, 1) \neq 0.$$
Example: $E : y^2 = x^3 - 112x + 400$ has $E(\mathbf{Q}) \cong \mathbf{Z}^3$, generated by
$(-8, 28)$, $(-4, 28)$, $(0, 20)$. A computer could prove $L'''(E, 1) \neq 0$
numerically, but it's less clear how to prove the lower derivatives are 0:
being $.000\ldots$ is not a proof.
There is a functional equation $L(E, 2 - s) = \pm(\text{fudge})\,L(E, s)$, so
if $\pm = -1$ then $L(E, 1) = 0$ and $L''(E, 1) = 0$. The Gross–Zagier
formula can prove $L'(E, 1) = 0$ in specific examples.
Class Number One
We expect infinitely many real quadratic fields to have class number
1, but it is not yet proved that there are even infinitely many
number fields with class number 1. Here's a concrete proposal:
Conjecture (Weber). For all $n$, $\mathbf{Q}(\cos(2\pi/2^n))$ has $h = 1$.
Evidence.
Fukuda and Komatsu (2009) showed none of these class
numbers have a prime factor less than $10^7$, and later increased
this bound to $10^8$ (2010) and then to $10^9$ (2011).
It's true for $n \le 8$ (the case $n = 8$ was posted on arXiv on 5/5/2014).
These fields fill the $\mathbf{Z}_2$-extension of $\mathbf{Q}$. Morisawa (2009) showed no
number field in the $\mathbf{Z}_3$-extension of $\mathbf{Q}$ has class number divisible by
a prime less than $10^4$.
Coates (2010) asked if every number field in the $\mathbf{Z}_p$-extension of $\mathbf{Q}$
has class number 1 for every prime $p$. A future task for Iwasawa
theory of elliptic curves?
References
K. Conrad, Applying Quotient Groups to an Unsolved Problem in
Art, http://www.math.uconn.edu/~kconrad/blurbs/grouptheory/CstarqZ.pdf.
T. Fukuda and K. Komatsu, Weber's Class Number Problem,
http://staff.miyakyo-u.ac.jp/~taya/jk2008/abst/fukuda-komatsu.pdf.
D. Goldfeld, "The Class Numbers of Quadratic Fields and the
Conjecture of Birch and Swinnerton-Dyer", Annali della Scuola
Normale Superiore di Pisa, Classe di Scienze 3 (1976), 623–663.
H. Lenstra, “Factoring Integers with Elliptic Curves”, Annals of
Mathematics 126 (1987), 649–673.
W. Trappe, L. C. Washington, Introduction to Cryptography and
Coding Theory, Prentice-Hall, 2002. See Chapter 15.
Escher and the Droste Effect (explanation and animations):
http://escherdroste.math.leidenuniv.nl/.