Finite Fields and Elliptic Curves in Cryptography

Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography



Overview

• Public-key vs. symmetric cryptosystem

• Security of RSA cryptosystem

• Elliptic curve discrete logarithm

• Pohlig-Hellman attack on ECDLP

• Proofs of primality with elliptic curves



Public-key vs. symmetric cryptosystem

Symmetric cryptosystem:

• Alice and Bob share a common key K

• K is used both for encryption and decryption

• $n$ users ⇒ $n(n-1)/2$ keys

• Both Alice and Bob have to keep K secret

• High speeds are possible, e.g. AES: 8MB/s on Pentium 200MHz



Public-key vs. Symmetric Cryptosystem

Public-key cryptosystem: Diffie-Hellman (1976), based on (trapdoor) one-way functions

• given x, easy to compute f(x)

• given f(x), difficult to compute x

• given f(x) and trapdoor, easy to compute x

Example: Let $g$ be a generator of $\mathbb{F}_p^*$, $p$ a large prime; then

$f_g(x) \equiv g^x \bmod p$

is a one-way function. Discrete log problem: compute $x$ given $f_g(x)$.

Key exchange: Alice sends Bob $P_A = g^{x_A} \bmod p$, Bob sends Alice $P_B = g^{x_B} \bmod p$. Common key $K_{AB} = g^{x_A \cdot x_B} \bmod p$, which Alice computes as $P_B^{x_A}$ and Bob as $P_A^{x_B}$.
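The exchange described above, written out as an added example that is not part of the original slides: both parties' messages, the shared key, and an eavesdropper who recovers Alice's exponent from $P_A$ with baby-step giant-step. The modulus $p = 1000003$, the base $g = 2$ and the secrets are constructed toy values; the code does not check that $g$ generates $\mathbb{F}_p^*$ (BSGS does not need it).

```python
from math import isqrt

# Constructed toy parameters: p is prime but far too small for real use.
# We do not check that g = 2 generates F_p^*; bsgs() below does not need that.
p = 1_000_003
g = 2

def dh_exchange(x_a, x_b):
    """Run the exchange: returns Alice's message, Bob's message and the key."""
    P_A = pow(g, x_a, p)          # Alice -> Bob:  g^{x_A} mod p
    P_B = pow(g, x_b, p)          # Bob -> Alice:  g^{x_B} mod p
    K_alice = pow(P_B, x_a, p)    # (g^{x_B})^{x_A}
    K_bob = pow(P_A, x_b, p)      # (g^{x_A})^{x_B}, the same group element
    assert K_alice == K_bob
    return P_A, P_B, K_alice

def bsgs(h, bound=p - 1):
    """Baby-step giant-step: smallest x in [0, bound) with g^x = h mod p,
    or None.  Costs O(sqrt(bound)) multiplications and table entries, so
    the exponent leaks as soon as p is small enough for that to be cheap."""
    m = isqrt(bound) + 1
    table = {}
    cur = 1
    for j in range(m):                 # baby steps: g^j for 0 <= j < m
        table.setdefault(cur, j)
        cur = cur * g % p
    giant = pow(g, -m, p)              # g^{-m}
    gamma = h
    for i in range(m):                 # giant steps: h * g^{-im}
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * giant % p
    return None

def eavesdropper_key(P_A, P_B):
    """Eve only sees P_A and P_B; one DLP solve yields the shared key."""
    return pow(P_B, bsgs(P_A), p)
```

Real deployments use $p$ of at least 2048 bits precisely so that the $\sqrt{p}$ work of `bsgs` (and the sub-exponential work of index-calculus methods, see below) is out of reach.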



The RSA-cryptosystem

Invented by Rivest, Shamir and Adleman (1977); constructs a trapdoor one-way function.

• Let $n = p \cdot q$, with $p$ and $q$ large primes (i.e. at least 512 bits each)

• Compute $\varphi(n) = (p-1) \cdot (q-1)$, i.e. the order of $(\mathbb{Z}/n\mathbb{Z})^*$

• Choose $e$ with $\gcd(e, \varphi(n)) = 1$ and compute $d$ such that $e \cdot d \equiv 1 \bmod \varphi(n)$

• Public key: $(e, n)$

• Private key: $d$, or $p$ and $q$

• Encryption: $C = M^e \bmod n$

• Decryption: $M = C^d \bmod n$



Security of RSA-cryptosystem

Three computationally equivalent problems:

1. Factor the modulus $n$

2. Compute Euler's totient $\varphi(n) = (p-1) \cdot (q-1)$

3. Given the public key $(e, n)$, compute $d$ with $e \cdot d \equiv 1 \bmod \varphi(n)$

Proof:

(1) ⇒ (2) ⇒ (3): trivial

(3) ⇒ (1): Given $(e, n)$ we get $d$ with $e \cdot d \equiv 1 \bmod \varphi(n)$, so $e \cdot d - 1 = k \cdot \varphi(n)$. For $a \in (\mathbb{Z}/n\mathbb{Z})^*$ we therefore have

$a^{e \cdot d - 1} \equiv 1 \bmod n \;\Rightarrow\; a^{e \cdot d - 1} \equiv 1 \bmod p$ and $a^{e \cdot d - 1} \equiv 1 \bmod q$.



Security of RSA-cryptosystem (cont.)

Now $e \cdot d - 1$ is even, so $a^{(e \cdot d - 1)/2}$ is a square root of 1 modulo $p$ and modulo $q$. This gives 4 possibilities for $a^{(e \cdot d - 1)/2} \bmod n$ via CRT:

    mod p \ mod q |  -1  |   1
    --------------+------+------
         -1       |  -1  |  r_1
          1       |  r_2 |   1

Note that $r_i \neq \pm 1 \bmod n$, since CRT gives an isomorphism. So we expect $a^{(e \cdot d - 1)/2} \neq \pm 1 \bmod n$ for about half of $(\mathbb{Z}/n\mathbb{Z})^*$ (this can be shown rigorously).

Search $a \in (\mathbb{Z}/n\mathbb{Z})^*$ with $a^{(e \cdot d - 1)/2} \neq \pm 1 \bmod n$; then we clearly have

$1 < \gcd(a^{(e \cdot d - 1)/2} - 1, n) < n$

since either $p$ or $q$ divides $a^{(e \cdot d - 1)/2} - 1$, but not both.
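The (3) ⇒ (1) argument above turned into code, as an added example rather than code from the slides: given $(n, e)$ and the private exponent $d$, recover $p$ and $q$. The routine follows the whole chain $a^t, a^{2t}, \ldots, a^{2^s t}$ (with $e \cdot d - 1 = 2^s t$) rather than only the single square root $a^{(e \cdot d - 1)/2}$, which is what makes it succeed for every base $a$ whose orders modulo $p$ and $q$ have different 2-adic valuations. The toy primes 1009 and 1013 and the fixed base list are my own choices.

```python
from math import gcd

def rsa_keygen(p, q, e=65537):
    """Textbook RSA key from primes p, q; e must be coprime to phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    return n, e, d

def factor_from_d(n, e, d, bases=(2, 3, 5, 7, 11, 13)):
    """Return (p, q) with p*q = n, using a^(ed-1) = 1 mod n for every unit a.
    Write ed-1 = 2^s * t with t odd.  The sequence a^t, a^(2t), ..., a^(2^s t)
    ends in 1; the element just before the first 1 is a square root of 1, and
    if it is not +-1 then gcd(x-1, n) is a proper factor.  Deterministic bases
    are used so the result is reproducible; a random a would also do."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for a in bases:
        f = gcd(a, n)
        if f != 1:                  # lucky: a itself shares a factor with n
            return tuple(sorted((f, n // f)))
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                # this base gives no information
        for _ in range(s):
            y = x * x % n
            if y == 1:              # x is a non-trivial square root of 1
                f = gcd(x - 1, n)
                return tuple(sorted((f, n // f)))
            if y == n - 1:
                break               # chain reaches -1 first: no information
            x = y
    raise ValueError("no base split n; try more bases")
```

This is why leaking $d$ is equivalent to leaking the factorisation: key-recovery tools reconstruct $p$ and $q$ from $(n, e, d)$ exactly this way.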



Factoring vs. Discrete Log

Define the function

$L_n(a, b) = \exp\big((b + o(1)) (\ln n)^a (\ln \ln n)^{1-a}\big).$

If $a = 1$ then $L_n$ is exponential in $\ln n$; for $a = 0$, $L_n$ is polynomial in $\ln n$. If $0 < a < 1$ then $L_n$ is called sub-exponential.

The best known method for factoring and for computing discrete logarithms in $\mathbb{F}_p^*$ is the general number field sieve, which has running time $L_n(1/3, 1.923)$.

Factoring: August 1999, RSA-155 (512 bits) factored with GNFS in 8000 MIPS years.
Discrete log: April 2001, DLP-120 (400 bits) computed with GNFS in 400 MIPS years.



Definition of Elliptic Curves

Let $K$ be a field and $\bar K$ its algebraic closure; then an elliptic curve $E$ over $K$ is the set of solutions in $\mathbb{P}^2(\bar K)$ of

$E : Y^2 Z + a_1 XYZ + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3,$

with $a_1, a_2, a_3, a_4, a_6 \in K$ and $E$ non-singular.

Canonical forms over different fields $K$:

    Condition on K                 Equation
    Char(K) ≠ 2, 3                 y^2 = x^3 + a'_4 x + a'_6
    Char(K) = 3, j(E) ≠ 0          y^2 = x^3 + a'_2 x^2 + a'_6
    Char(K) = 3, j(E) = 0          y^2 = x^3 + a'_4 x + a'_6
    Char(K) = 2, j(E) ≠ 0          y^2 + xy = x^3 + a'_2 x^2 + a'_6
    Char(K) = 2, j(E) = 0          y^2 + a'_3 y = x^3 + a'_4 x + a'_6



Group Law on Elliptic Curves

[Figure: two plots of the curve $y^2 = x^3 - 7x + 6$ over $\mathbb{R}$ ($x$ from $-6$ to $6$, $y$ from $-4$ to $4$). Left, "Construction $P \oplus Q$": the line $L$ through $P$ and $Q$ meets the curve in a third point $R$, and the vertical line $L'$ through $R$ gives $P \oplus Q$. Right, "Construction $2P$": $L$ is the tangent at $P$, meeting the curve in $R$, and $L'$ through $R$ gives $2P$.]

The elliptic curve $y^2 = x^3 - 7x + 6$ over $\mathbb{R}$ and the group law



Elliptic Curve over Finite Field

[Figure: the 26 affine points of $y^2 = x^3 + x + 3$ over $\mathbb{F}_{23}$ plotted on a $23 \times 23$ grid with $x, y \in \{0, \ldots, 22\}$; together with $\mathcal{O}$ the group has 27 elements.]

The elliptic curve $y^2 = x^3 + x + 3 \bmod 23$



Elliptic Curve Discrete Logarithm Problem

Let $\mathbb{F}_q$ be the finite field with $q$ elements and $E$ an elliptic curve over $\mathbb{F}_q$. Take a point $P \in E(\mathbb{F}_q)$ and $k \in \mathbb{Z}$ and set $Q = k \cdot P$; then the ECDLP is: given $Q$ and $P$, compute $k$.

Attacks on the ECDLP: let $n = \#E(\mathbb{F}_q)$

• General attacks: work in any group and have run time $O(\sqrt{n})$. For an elliptic curve $n \simeq q$, so $O(\sqrt{q})$, i.e. exponential in $\log q$.

• MOV attack: use the Weil pairing to reduce the ECDLP to the DLP in $\mathbb{F}_{q^l}^*$, with $l$ the smallest integer such that $q^l \equiv 1 \bmod n$ (the embedding degree). For small $l$ this leads to a sub-exponential attack.

• Anomalous curves: $n = q$. Apply the $q$-adic elliptic curve logarithm. Time complexity $O(\log q)$, so linear in $\log q$.



Pohlig and Hellman Attack

To solve the DLP in any finite abelian group $G$, it is sufficient to solve the DLP in all subgroups of prime power order. The original DLP can then be recovered using CRT.

Suppose $|G| = n = p_1^{e_1} \cdot p_2^{e_2} \cdots p_s^{e_s}$ and we wish to solve

$Q = m \cdot P.$

Set $p = p_1$ and $e = e_1$; we show how to compute $m \bmod p^e$.

• Restrict the DLP to the subgroup of order $p$ by multiplying with $n_1 = n/p$, i.e.

$Q_1 = n_1 \cdot Q = m \cdot (n_1 \cdot P) = m P_1 = m_0 P_1$

with $P_1 = n_1 \cdot P$ of order $p$ and $m_0 = m \bmod p$. Use a general attack (run time $O(\sqrt{p})$) to compute $m_0$.



Pohlig and Hellman Attack (cont.)

• Suppose we know $m_i = m \bmod p^i$; then $m \equiv m_i + \lambda_i \cdot p^i \bmod p^{i+1}$ with $0 \le \lambda_i < p$. Set $n_{i+1} = n/p^{i+1}$ and $P_{i+1} = n_{i+1} \cdot P$ (a point of order $p^{i+1}$); then

$Q_{i+1} = n_{i+1} \cdot Q = m \cdot (n_{i+1} \cdot P) = (m_i + \lambda_i \cdot p^i) \cdot P_{i+1}$

and also

$Q_{i+1} - m_i \cdot P_{i+1} = \lambda_i \cdot (p^i \cdot P_{i+1}) = \lambda_i \cdot P_1.$

Again use a general attack to compute $\lambda_i$; after $e$ steps $m \bmod p^e$ is known.

• Conclusion: a general attack on the ECDLP exists with run time $O(\sqrt{p})$, where $p$ is the largest prime factor of $\#E(\mathbb{F}_q)$.

• Before using an elliptic curve, check that $\#E(\mathbb{F}_q)$ is divisible by a large prime (at least 160 bits).



ECDLP vs. RSA & DLP



2B ′ ‖ ¬2B ′, that’s the question . . .

Fundamental Theorem of Arithmetic Given $n \in \mathbb{N}_0$, the factorisation of $n$ into primes is unique up to order, i.e.

$n = p_1^{a_1} \times p_2^{a_2} \times \cdots \times p_r^{a_r}$

Different questions:

• What is the factorisation of n

• Test if n is prime

• Test if n is composite



Tests of Primality and of Compositeness

Test of Primality If a certain condition on n is fulfilled, then n is

prime, otherwise n is composite

Test of Compositeness If a certain condition on n is fulfilled, then

n is composite

              Primality Test      Compositeness Test
    Success   n is prime          n is composite
    Fail      n is composite      ?



Tests of Compositeness

Fermat's Theorem If $p$ is prime and $\gcd(a, p) = 1$, then $a^{p-1} \equiv 1 \bmod p$.

Fermat Compositeness Test If $\gcd(a, n) = 1$ and $a^{n-1} \not\equiv 1 \bmod n$, then $n$ is composite.

Definition An odd composite number $n$ for which $a^{n-1} \equiv 1 \bmod n$ is called a Fermat pseudoprime for base $a$.

Example $n = 341 = 11 \cdot 31$ gives $2^{340} \equiv 1 \bmod 341$, however $3^{340} \equiv 56 \bmod 341$.



Tests of Compositeness

Data Pomerance, Selfridge and Wagstaff: below $25 \cdot 10^9$ there are
21853 pseudoprimes to base 2
4709 pseudoprimes to bases 2 and 3
2552 pseudoprimes to bases 2, 3 and 5
1770 pseudoprimes to bases 2, 3, 5 and 7

Definition An odd composite number $n$ for which $a^{n-1} \equiv 1 \bmod n$ for all $a$ satisfying $\gcd(a, n) = 1$ is called a Carmichael number.

Example The smallest Carmichael number is $n = 561 = 3 \cdot 11 \cdot 17$

Data 2163 Carmichael numbers $< 25 \cdot 10^9$ and 105212 below $10^{15}$

Structure of Carmichael Numbers (Korselt) $n$ is a Carmichael number iff $n$ is composite and squarefree and $p - 1 \mid n - 1$ for every prime factor $p$ of $n$.



Strong pseudoprime test

Definition An odd composite number $n$ with $n = 2^s \cdot d + 1$, $d$ odd, is called a strong pseudoprime for base $a$ if

$a^d \equiv 1 \bmod n$ or $\exists\, r < s$ with $a^{d \cdot 2^r} \equiv -1 \bmod n.$

Data Jaeschke: below $10^{12}$ there are only 101 strong pseudoprimes to the bases 2, 3, 5

Data 341550071728321 is the smallest strong pseudoprime to the bases 2, 3, 5, 7, 11, 13, 17

No Strong Carmichael Numbers If $n$ is odd and composite then $n$ fails the strong pseudoprime test for at least 3/4 of the bases less than $n$.

Miller-Rabin Algorithm Apply the strong pseudoprime test for $t$ different (random) bases $a_i$; if $n$ is composite then this will be detected with probability $> 1 - (1/4)^t$.
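The tests of these slides as code, added here as an example and not the lecture's own code: the Fermat test, the strong pseudoprime test, Miller-Rabin with random bases, and Korselt's criterion for Carmichael numbers. The slides' own numbers (341, 561, 341550071728321) are the intended inputs; the trial-division factoriser, the small-prime shortcut and the default of 20 rounds are my choices.

```python
import random

def fermat_passes(n, a):
    """True if a^(n-1) = 1 mod n, i.e. base a does NOT prove n composite."""
    return pow(a, n - 1, n) == 1

def strong_passes(n, a):
    """Strong pseudoprime test for odd n > 2 and a base a with gcd(a, n) = 1.
    Writes n - 1 = 2^s * d (d odd) and returns True unless a witnesses
    compositeness: a^d != +-1 and no a^(d 2^r), r < s, equals -1."""
    assert n > 2 and n % 2 == 1
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    x = pow(a, d, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return True
    return False

def miller_rabin(n, t=20, rng=random.Random(1)):
    """Probable-prime test with t random bases: a composite survives with
    probability < (1/4)^t.  Tiny factors are caught by trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    return all(strong_passes(n, rng.randrange(2, n - 1)) for _ in range(t))

def trial_factor(n):
    """Prime factorisation {p: e} by trial division (fine for these sizes)."""
    factors, p = {}, 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors

def is_carmichael(n):
    """Korselt: n composite, squarefree, and p-1 | n-1 for every prime p | n."""
    f = trial_factor(n)
    return len(f) > 1 and all(e == 1 and (n - 1) % (p - 1) == 0 for p, e in f.items())
```

Note the asymmetry the table of primality versus compositeness tests describes: `strong_passes` returning False is a proof of compositeness, while True only says this base is not a witness; 341550071728321 passes the first seven prime bases and is still composite ($10670053 \times 32010157$).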



Simple Tests of Primality

Trial Division If $n$ is composite, then $n$ has a prime factor $p \le \sqrt{n}$. If for all primes $p \le \sqrt{n}$ we have $p \nmid n$, then $n$ is prime.

Strong Pseudoprime Test If $n$ is a strong pseudoprime for more than 1/4 of the bases smaller than $n$, then $n$ is prime.

SPT with the Generalized Riemann Hypothesis If $n$ passes the strong pseudoprime test for all bases $a \in \{2, 3, \ldots, \lfloor 2 (\ln n)^2 \rfloor\}$, then $n$ is prime.

⇒ A proof of the Generalized Riemann Hypothesis implies a deterministic polynomial-time primality test.



Tests of Primality

Pocklington's theorem Let $n > 1$ be an integer and $q$ a prime divisor of $n - 1$, with $q^e \mid (n-1)$ and $q^{e+1} \nmid (n-1)$. Suppose there is an integer $a$ such that

$a^{n-1} \equiv 1 \bmod n$ and $\gcd(a^{(n-1)/q} - 1, n) = 1.$

Then for any prime divisor $p$ of $n$ we have

$p \equiv 1 \bmod q^e.$

Proof Let $b$ be the order of $a$ in $\mathbb{F}_p^*$. Then $b \mid p - 1$ and, since $a^{n-1} \equiv 1 \bmod p$, we have $b \mid n - 1$. However, $a^{(n-1)/q} \not\equiv 1 \bmod p$, so $b \nmid (n-1)/q$ and thus $q^e \mid b$ and so also $q^e \mid p - 1$.



Tests of Primality

Corollary Write $n - 1 = F \cdot R$, with $F$ and $R$ coprime, the factorisation of $F$ completely known and $F > \sqrt{n}$. Then for each prime factor $q$ of $F$ we can find an $a_q$ such that

$a_q^{n-1} \equiv 1 \bmod n$ and $\gcd(a_q^{(n-1)/q} - 1, n) = 1$

if and only if $n$ is prime.

Proof By Pocklington, $F$ divides $p - 1$ for every prime $p$ dividing $n$, and $F > \sqrt{n}$, so $n$ has no prime factor $\le \sqrt{n}$. Conversely, if $n$ is prime, take $a_q$ a primitive root.

Problem Half the factorisation of $n - 1$ should be known, and it should be proven that all factors of $F$ are prime ⇒ DOWNRUN process (certify the prime factors of $F$ recursively in the same way).



Tests of Primality

Example Take $n = 105554676553297$; then

$n - 1 = 2^4 \times 3 \times 1048583 \times 2097169.$

Take $F = 1048583 \times 2097169$; then $a_{1048583} = a_{2097169} = 2$ proves the primality of $n$ if $p = 1048583$ and $q = 2097169$ are prime.

Now $p - 1 = 2 \times 29 \times 101 \times 179$; take $F = 29 \times 101$ and $a_{29} = a_{101} = 2$, which proves the primality of $p$.

Also $q - 1 = 2^4 \times 3 \times 43691$; take $F = 3 \times 43691$, $a_3 = 5$ and $a_{43691} = 2$, which proves the primality of $q$ iff 43691 is prime.



Certificate of primality (for each number: the prime factors $q$ of $F$ with their bases $a_q$)

    105554676553297 :  (1048583, 2)  (2097169, 2)
    1048583         :  (29, 2)  (101, 2)
    2097169         :  (3, 5)  (43691, 2)
    43691           :  (257, 3)
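A verifier for the certificate tree above, added here as an example and not part of the slides. `CERT` transcribes the tree: for each number, the primes $q$ of $F$ with the bases $a_q$. Primes below the threshold `SMALL` (my choice) are accepted after trial division instead of needing their own entry; everything larger must be certified by its own line, which is the DOWNRUN process. `verify` checks, for every $q$, Pocklington's condition and that $q$ is itself proven, and finally that $F > \sqrt{n}$.

```python
from math import gcd, isqrt

# The certificate from the slide: n -> [(q, a_q), ...] for the primes q of F.
CERT = {
    105554676553297: [(1048583, 2), (2097169, 2)],
    1048583: [(29, 2), (101, 2)],
    2097169: [(3, 5), (43691, 2)],
    43691: [(257, 3)],
}
SMALL = 1000   # assumed threshold: primes below it are checked by trial division

def is_small_prime(n):
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))

def pocklington_step(n, q, a):
    """Pocklington's condition for a prime q | n-1 and base a:
    a^(n-1) = 1 mod n and gcd(a^((n-1)/q) - 1, n) = 1.
    If it holds, every prime divisor of n is 1 mod q^e, where q^e || n-1."""
    if (n - 1) % q != 0:
        return False
    return pow(a, n - 1, n) == 1 and gcd(pow(a, (n - 1) // q, n) - 1, n) == 1

def verify(n, cert=CERT):
    """True only if the certificate proves n prime (corollary on the slide)."""
    if n < SMALL:
        return is_small_prime(n)
    if n not in cert:
        return False
    F = 1
    for q, a in cert[n]:
        if not verify(q, cert):          # DOWNRUN: q must be proven first
            return False
        if not pocklington_step(n, q, a):
            return False
        e, m = 0, n - 1
        while m % q == 0:               # the full power q^e || n-1 goes into F
            m //= q
            e += 1
        F *= q ** e
    return F * F > n                     # F > sqrt(n), so the corollary applies
```

The negative test case is instructive: for the Carmichael number 561 every base satisfies $a^{560} \equiv 1$, but the gcd condition fails for $q = 5$ because $3 \mid 561$ and $3 \mid 2^{112} - 1$, exactly as Pocklington's theorem predicts (no prime factor of 561 is $1 \bmod 5$).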



General Principle for Tests of Primality

Definition $G$ is a group modulo $n$ if

• the elements are (vectors of) residues modulo $n$

• the group operation is defined in terms of arithmetic operations modulo $n$.

Definition Let $d \mid n$; the group $G|_d$ derived from $G$ by reducing modulo $d$ is called the restricted group modulo $d$.

Example $(\mathbb{Z}/n\mathbb{Z})^*$ is a group modulo $n$ and for each $d \mid n$, $(\mathbb{Z}/d\mathbb{Z})^*$ is the restricted group modulo $d$.



General Principle for Tests of Primality

Primality proof Let $n$ be a highly probable prime and $G$ a group modulo $n$. If there exist $x \in G$ and integers $m$, $s \mid m$ with the following conditions, then $n$ is prime:

• $s >$ the order of $G|_q$ for each prime $q \mid n$ with $q \le \sqrt{n}$.

• $x^m = e$.

• For each prime $p \mid s$, at least one of the coordinates of $x^{m/p} - e$ is coprime to $n$.

Example Let $G = (\mathbb{Z}/n\mathbb{Z})^*$ and $q \mid n$ with $q \le \sqrt{n}$. Then $G|_q = (\mathbb{Z}/q\mathbb{Z})^*$ and the order of $G|_q$ is $q - 1 < \sqrt{n}$.

Problem Given $n$, this provides only one group $G = (\mathbb{Z}/n\mathbb{Z})^*$ modulo $n$.



Primality Test based on Elliptic Curves

Definition Let $n$ be a positive integer with $\gcd(n, 6) = 1$. An elliptic curve $E$ over $\mathbb{Z}/n\mathbb{Z}$ is a curve

$y^2 = x^3 + ax + b,$

with $\gcd(4a^3 + 27b^2, n) = 1$. If $p \mid n$ then the reduction of $E$ modulo $p$ is an elliptic curve over $\mathbb{F}_p$.

Group operation on $E(\mathbb{Z}/n\mathbb{Z})$ Let $P_1$ and $P_2$ be two points in $E(\mathbb{Z}/n\mathbb{Z})$ with $P_1 \neq -P_2$. Define $P_1 + P_2$ using the ordinary elliptic curve group operation (the chord-and-tangent formulas).

Then $P_1 + P_2$ has denominators prime to $n$ if and only if for all primes $p \mid n$ we have $(P_1 \bmod p) + (P_2 \bmod p) \neq \mathcal{O}$ in $E(\mathbb{F}_p)$.



Primality Test based on Elliptic Curves

Apply the General Principle to $G = E(\mathbb{Z}/n\mathbb{Z})$:

• Let $q \mid n$ and $q \le \sqrt{n}$; then $G|_q = E(\mathbb{F}_q)$ and so, by Hasse, $\#G|_q \le (\sqrt{q} + 1)^2$. Since $q \le \sqrt{n}$, $\#G|_q \le (n^{1/4} + 1)^2$.

• Let $m$, $s \mid m$ be integers with $s > (n^{1/4} + 1)^2$ and $P \in E(\mathbb{Z}/n\mathbb{Z})$ with

1. $m \cdot P = \mathcal{O}$,

2. $(m/p) \cdot P$ is defined and different from $\mathcal{O}$, for each prime $p \mid s$,

⇒ $n$ is prime.


Primality Test based on Elliptic Curves: Algorithm

1. Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $E_{a,b}$ is an elliptic curve over $\mathbb{Z}/n\mathbb{Z}$.

2. Determine $m = \#E(\mathbb{Z}/n\mathbb{Z})$ as if $n$ were prime.

3. Test if $m = k \cdot q$ with $k > 1$ and $q$ a probable prime $> (n^{1/4} + 1)^2$.

4. If this test fails then return to 1, else proceed.

5. Select a point $P = (x, y) \in E(\mathbb{Z}/n\mathbb{Z})$.

6. Compute $(m/q) \cdot P = k \cdot P$. If this is undefined, then a divisor of $n$ is found. If $k \cdot P = \mathcal{O}$, then go back to 5.

8. Prove the primality of $q$ recursively, using this algorithm.


Proof that $n = 2^{100} + 277$ is prime

Consider the elliptic curve $E_{a,b}$ with

$a = 169317673849406496638751929789$
$b = 535428649309014131591402355077$

$m = 1267650600228230776357544186344$ is the order of $E(\mathbb{Z}/n\mathbb{Z})$ (computed as if $n$ were prime), and $m = k \cdot q$ with $k = 718312$ and the 81-bit factor $q = 1764763222984205716119937$ probably prime.

$P = (1223116517107234371890879608558,\ 348818700976692547697219665601)$ is a point on $E_{a,b}$ and satisfies

$m \cdot P = \mathcal{O}$ and $(m/q) \cdot P \neq \mathcal{O}.$
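An added example, not code from the slides, serving two passages of this deck: the Pohlig-Hellman attack on the ECDLP described earlier (demonstrated on the curve $y^2 = x^3 + x + 3$ over $\mathbb{F}_{23}$ from the earlier figure) and the certificate check just above for $n = 2^{100} + 277$. Arithmetic is done modulo $n$ with the point at infinity represented as `None`; a non-invertible denominator raises `FactorFound` carrying the divisor, which is the "undefined" case of the ECPP algorithm. The function names are my own; the constants at the end are copied from the slide above, and $q$ is taken as given (it still needs its own proof, step 8).

```python
from math import gcd, isqrt

class FactorFound(Exception):
    """A denominator was not invertible mod n: args[0] is a divisor of n."""

def inv(z, n):
    g = gcd(z % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(z, -1, n)

def ec_neg(P, n):
    return None if P is None else (P[0], (-P[1]) % n)

def ec_add(P, Q, a, n):
    """Chord-and-tangent addition on y^2 = x^3 + a x + b over Z/nZ; O is None."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None                                    # P = -Q
    if P == Q:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, n) % n   # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, n) % n          # chord slope
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """Double-and-add scalar multiplication; k = 0 gives O."""
    R = None
    while k:
        if k & 1: R = ec_add(R, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return R

def point_order(P, a, p):
    """Order of P by repeated addition (only for tiny groups)."""
    k, R = 1, P
    while R is not None:
        R = ec_add(R, P, a, p); k += 1
    return k

def factor(n):
    """Trial-division factorisation {prime: exponent} of a small n."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1; n //= d
        d += 1
    if n > 1: f[n] = 1
    return f

def bsgs(P1, Q1, r, a, p):
    """Solve Q1 = d*P1 in the subgroup of prime order r generated by P1."""
    m = isqrt(r) + 1
    baby, R = {}, None
    for j in range(m):                     # baby steps j*P1, 0 <= j < m
        baby.setdefault(R, j)
        R = ec_add(R, P1, a, p)
    neg_step = ec_neg(ec_mul(m, P1, a, p), p)
    G = Q1
    for i in range(m):                     # giant steps Q1 - i*m*P1
        if G in baby:
            return (i * m + baby[G]) % r
        G = ec_add(G, neg_step, a, p)
    raise ValueError("Q1 is not a multiple of P1")

def pohlig_hellman(P, Q, N, a, p):
    """Solve Q = k*P with ord(P) = N: for each prime power r^e || N, lift
    k mod r^i to k mod r^(i+1) with one order-r BSGS per step, then CRT."""
    k, mod = 0, 1
    for r, e in factor(N).items():
        P1 = ec_mul(N // r, P, a, p)                              # order r
        x = 0                                                     # k mod r^i
        for i in range(e):
            D = ec_add(Q, ec_neg(ec_mul(x, P, a, p), p), a, p)    # (k - x)*P
            Qi = ec_mul(N // r ** (i + 1), D, a, p)               # lambda_i*P1
            x += bsgs(P1, Qi, r, a, p) * r ** i
        t = ((x - k) * pow(mod, -1, r ** e)) % r ** e            # CRT merge
        k, mod = k + mod * t, mod * r ** e
    return k % mod

def ecpp_check(n, a, b, P, m, q):
    """Conditions of the ECPP slides, q assumed prime: m = k*q with
    q > (n^(1/4)+1)^2, P on E_{a,b}, m*P = O and (m/q)*P != O."""
    if m % q or q <= (isqrt(isqrt(n)) + 2) ** 2:
        return False
    x, y = P
    if gcd(4 * a ** 3 + 27 * b ** 2, n) != 1 or (y * y - x ** 3 - a * x - b) % n:
        return False
    return ec_mul(m, P, a, n) is None and ec_mul(m // q, P, a, n) is not None

# Certificate data copied from the slide for n = 2^100 + 277.
N100 = 2 ** 100 + 277
A100 = 169317673849406496638751929789
B100 = 535428649309014131591402355077
M100 = 1267650600228230776357544186344
Q100 = 1764763222984205716119937
P100 = (1223116517107234371890879608558, 348818700976692547697219665601)
```

`pohlig_hellman` costs one $O(\sqrt{r})$ BSGS per prime-power step, which is why the curve check before deployment is "is $\#E(\mathbb{F}_q)$ divisible by a large prime": over $\mathbb{F}_{23}$ the group order is $27 = 3^3$ and the logarithm falls to three BSGS calls in a group of order 3. `ecpp_check` is the verifier side only; producing $m$ needs point counting (Schoof) or the CM method of the following slides.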



Selecting E and m: Goldwasser & Kilian

• Select $a, b \in \mathbb{Z}/n\mathbb{Z}$ such that $\gcd(n, 4a^3 + 27b^2) = 1$.

• Compute $\#E(\mathbb{Z}/n\mathbb{Z})$ using Schoof's algorithm (run time $O(\log^8 n)$). If the algorithm fails, then $n$ is not a prime, else it produces $m$.

• If $m$ is not of the form $k \cdot q$ then go to the first step.

• Under reasonable hypotheses on the distribution of primes in small intervals (i.e. of length $O(\sqrt{x})$), the expected run time is $O(\log^{12} n)$.



Selecting E and m: Atkin

• Let $\#E(\mathbb{F}_p) = p + 1 - t$; then the complex multiplication field of $E$ is

$L = \mathbb{Q}(\sqrt{t^2 - 4p}).$

• If $L$ is known for a certain $E$, then $m = \#E(\mathbb{F}_p)$ can be easily computed. If $L$ and $p$ are given, then a small list of $m$'s can be computed for those elliptic curves which have $L$ as their CM field.

• Given $\mathbb{Q}(\sqrt{\Delta})$ and a prime $p$, a small list of elliptic curves over $\mathbb{F}_p$ having $\mathbb{Q}(\sqrt{\Delta})$ as CM field can be constructed.



Selecting E and m: Atkin (cont.)

1. Select an imaginary quadratic field $L = \mathbb{Q}(\sqrt{\Delta})$ which has not been used yet.

2. Compute the candidate $m$'s for elliptic curves with $L$ as CM field.

3. If none of these $m$ is of the form $k \cdot q$ with $k > 1$ and $q$ a probable prime $> (n^{1/4} + 1)^2$, then return to (1).

4. Let $m$ have the right form. Compute the small list of curves $E$ over $\mathbb{Z}/n\mathbb{Z}$ with $L$ as CM field. Select the curve $E$ with $\#E(\mathbb{Z}/n\mathbb{Z}) = m$, e.g. by testing if $m \cdot P = \mathcal{O}$.

Expected run time of the CM primality test is $O(\log^{6+\varepsilon} n)$.



Counting Points on Elliptic Curves in Characteristic 2

Frederik Vercauteren - Katholieke Universiteit Leuven - COmputer Security and Industrial Cryptography



Overview

• Elliptic curves over finite fields of characteristic 2

• The Frobenius endomorphism

• Counting two by two

• Baby-Step Giant-Step

• Weil’s theorem and Koblitz curves

• Schoof’s algorithm

• Improvements of Elkies and Atkin

• Satoh’s algorithm



Elliptic Curves over Finite Fields of Characteristic 2

• Finite field of characteristic 2: $\mathbb{F}_q \cong \mathbb{F}_2[X]/(f(X))$, $q = 2^n$, $f$ irreducible of degree $n$

• Algebraic closure: $\bar{\mathbb{F}}_q = \bigcup_{m \ge 1} \mathbb{F}_{q^m}$

• Th: Suppose $x \in \bar{\mathbb{F}}_q$; then $x \in \mathbb{F}_q \Leftrightarrow x^q = x$

• Elliptic curve $E$ over $\mathbb{F}_q$ ($a, b \in \mathbb{F}_q$, $b \neq 0$):

$y^2 + xy = x^3 + ax^2 + b \;\cup\; \{\mathcal{O} = [0 : 1 : 0]\}$

• Isomorphism classes: $a \in \{0, \gamma\}$ with $\mathrm{Tr}(\gamma) = 1$, and

$\#E_{0,b}(\mathbb{F}_q) + \#E_{\gamma,b}(\mathbb{F}_q) = 2q + 2$



Frobenius Endomorphism

• Def: Frobenius endomorphism:

$F : E(\bar{\mathbb{F}}_q) \longrightarrow E(\bar{\mathbb{F}}_q) : (x, y) \mapsto (x^q, y^q)$

• Def: Trace of Frobenius $t$:

$\#E(\mathbb{F}_q) = q + 1 - t$

• Def: $[m] : E(\bar{\mathbb{F}}_q) \longrightarrow E(\bar{\mathbb{F}}_q) : P \mapsto mP$

• Characteristic equation of $F$:

$F^2 - [t] \circ F + [q] = [0]$

• (Hasse, 1933): the trace of Frobenius satisfies

$|t| \le 2\sqrt{q}$



Counting Two by Two

• The number of solutions of $Ax^2 + Bx + C = 0$, with $A \neq 0$ and $B, C \in \mathbb{F}_q$, is: $B = 0 \Rightarrow$ 1 solution, and $B \neq 0 \Rightarrow 2 \cdot (1 - \mathrm{Tr}(AC/B^2))$ solutions.

• For $E$ over $\mathbb{F}_q$ given by $y^2 + xy = x^3 + ax^2 + b$, the only point with $x = 0$ is $(0, \sqrt{b}) \in E(\mathbb{F}_q)$.

• If $x \neq 0$ then, dividing by $x^2$, the points also satisfy

$\left(\frac{y}{x}\right)^2 + \frac{y}{x} = x + a + \frac{b}{x^2},$

and therefore one can compute $\#E(\mathbb{F}_q)$ as

$\#E(\mathbb{F}_q) = 2 + 2 \cdot \sum_{x \in \mathbb{F}_q^*} \left(1 - \mathrm{Tr}\left(x + a + \frac{b}{x^2}\right)\right).$

• Slow algorithm, with complexity $O(q \cdot \log^2 q)$, useful for $q < 2^{30}$



Baby-Step Giant-Step Algorithm

• Hasse-Weil: $\#E(\mathbb{F}_q) \in H := [q + 1 - 2\sqrt{q},\ q + 1 + 2\sqrt{q}]$

• Set $N = \lceil \sqrt[4]{q} \rceil$ and write $x = j \cdot N - i$ with $i, j \in \mathbb{N}$ and $0 \le i < N$

• Generate a point $P$ on the curve and suppose $x = j \cdot N - i \in H$ satisfies $x \cdot P = \mathcal{O}$ $\Rightarrow$ $(j \cdot N) \cdot P = i \cdot P$

• Precompute a table with $i \cdot P$ for $0 \le i < N$ (baby steps)

• Compute $Q = N \cdot P$ and compare $j \cdot Q$ with the table for the $O(\sqrt[4]{q})$ values of $j$ with $j \cdot N - i \in H$ (giant steps)

• If a match $(i_m, j_m)$ is found, then $\mathrm{Ord}(P) \mid j_m \cdot N - i_m$; derive $\#E(\mathbb{F}_q)$ from it (unique once only one multiple of $\mathrm{Ord}(P)$ lies in $H$)

• Time $O(\sqrt[4]{q} \cdot \log^2 q)$ – Memory $O(\sqrt[4]{q})$



Weil’s Theorem & Koblitz Curves

• Weil: Let $E$ be defined over $\mathbb{F}_q$, $\#E(\mathbb{F}_q) = q + 1 - t$ and let $X^2 - tX + q = (X - \alpha)(X - \beta)$; then for every $m \in \mathbb{N}$ we have

$\#E(\mathbb{F}_{q^m}) = q^m + 1 - (\alpha^m + \beta^m).$

• Recursion: Set $t_0 = 2$ and $t_m = q^m + 1 - \#E(\mathbb{F}_{q^m})$; then the $t_m$ satisfy

$t_{m+1} = t_1 \cdot t_m - q \cdot t_{m-1}.$

• A curve defined over $\mathbb{F}_2$ is called a Koblitz curve

• If $l \mid m$ then $E(\mathbb{F}_{2^l})$ is a subgroup of $E(\mathbb{F}_{2^m})$, so $\#E(\mathbb{F}_{2^l}) \mid \#E(\mathbb{F}_{2^m})$

• Very few Koblitz curves have $\#E$ divisible by a large prime (in particular $m$ must be prime)

• NIST: Koblitz curves over $\mathbb{F}_{2^m}$ with $m = 163, 233, 283, 409, 571$
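An added example, not from the slides, covering the "counting two by two" slide and Weil's theorem above: point counting over $\mathbb{F}_{2^n}$ via the trace, cross-checked against brute-force enumeration and against the recursion $t_{m+1} = t_1 t_m - q\, t_{m-1}$ for curves defined over $\mathbb{F}_2$ (Koblitz curves). The field $\mathbb{F}_{16} = \mathbb{F}_2[X]/(X^4 + X + 1)$, with elements stored as 4-bit integers, and the sample curves are my choices; the formula implemented is $\#E = 2 + 2 \sum_{x \neq 0} (1 - \mathrm{Tr}(x + a + b/x^2))$.

```python
N_BITS = 4
MOD = 0b10011          # X^4 + X + 1, irreducible over F_2 (my choice of field)
Q = 1 << N_BITS        # q = 2^n = 16

def gf_mul(u, v):
    """Multiply two elements of F_q (ints holding polynomial coefficients)."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & Q:          # reduce X^n using the modulus
            u ^= MOD
    return r

def gf_pow(u, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r

def gf_inv(u):
    """u^(q-2) = u^(-1) for u != 0, since u^(q-1) = 1."""
    return gf_pow(u, Q - 2)

def trace(u):
    """Tr(u) = u + u^2 + u^4 + ... + u^(2^(n-1)), an element of F_2 = {0, 1}."""
    t, w = 0, u
    for _ in range(N_BITS):
        t ^= w
        w = gf_mul(w, w)
    return t

def count_by_trace(a, b):
    """#E(F_q) for y^2 + xy = x^3 + a x^2 + b with b != 0: O, the single
    point (0, sqrt(b)), and for each x != 0 the 2*(1 - Tr(x + a + b/x^2))
    solutions y of (y/x)^2 + (y/x) = x + a + b/x^2."""
    total = 2
    for x in range(1, Q):
        ix = gf_inv(x)
        c = x ^ a ^ gf_mul(b, gf_mul(ix, ix))   # addition in char 2 is XOR
        total += 2 * (1 - trace(c))
    return total

def count_brute(a, b):
    """The same count by trying all (x, y) in F_q x F_q."""
    pts = 1                                      # the point at infinity
    for x in range(Q):
        x2 = gf_mul(x, x)
        rhs = gf_mul(x, x2) ^ gf_mul(a, x2) ^ b
        pts += sum(1 for y in range(Q) if gf_mul(y, y) ^ gf_mul(x, y) == rhs)
    return pts

def weil_count(m, count_f2):
    """#E(F_{2^m}) for a curve defined over F_2, from #E(F_2) alone, via
    t_0 = 2, t_1 = 2 + 1 - #E(F_2), t_{i+1} = t_1 t_i - 2 t_{i-1}."""
    t1 = 3 - count_f2
    t_prev, t = 2, t1
    for _ in range(m - 1):
        t_prev, t = t, t1 * t - 2 * t_prev
    return (1 << m) + 1 - t
```

Over $\mathbb{F}_2$ the curve $y^2 + xy = x^3 + 1$ has 4 points and $y^2 + xy = x^3 + x^2 + 1$ has 2, so `weil_count(4, 4)` and `weil_count(4, 2)` give their orders over $\mathbb{F}_{16}$ with no field arithmetic at all; `trace(8) == 1` (i.e. $\mathrm{Tr}(X^3) = 1$), so $a \in \{0, 8\}$ represent the two isomorphism classes and their counts sum to $2q + 2 = 34$.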



Schoof’s Algorithm (1985)

• Idea: compute the trace of Frobenius $t \bmod l_i$ for primes $l_i$ with $\prod_i l_i > 4\sqrt{q}$ and use CRT to compute the correct value of $t$ (by Hasse, $|t| \le 2\sqrt{q}$)

• Def: $l$-torsion group $E[l] = \{P \in E \mid lP = \mathcal{O}\} \cong \mathbb{Z}_l \oplus \mathbb{Z}_l$

• Idea: restrict the characteristic equation of $F$ to $E[l]$

$F_l^2 - [t_l] \circ F_l + [q_l] = [0]$

where $t_l = t \bmod l$ and $q_l = q \bmod l$

• For all $l$-torsion points $P = (x, y)$

$(x^{q^2}, y^{q^2}) + [q_l](x, y) = [t_l](x^q, y^q)$

• Algorithm: test for every $\tau \in \{0, 1, \ldots, l - 1\}$ whether

$(x^{q^2}, y^{q^2}) + [q_l](x, y) = [\tau](x^q, y^q)$



Schoof’s Algorithm – Details

• How can we compute in $E[l]$?

• Solution: division polynomials $f_l$ of degree $(l^2 - 1)/2$ (for $E : y^2 + xy = x^3 + a_2 x^2 + a_6$):

$f_0 = 0,\quad f_1 = 1,\quad f_2 = x,$
$f_3 = x^4 + x^3 + a_6,\quad f_4 = x^6 + a_6 x^2,$
$f_{2m+1} = f_m^3 f_{m+2} + f_{m-1} f_{m+1}^3 \quad (m \ge 2),$
$x f_{2m} = f_{m-1}^2 f_m f_{m+2} + f_{m-2} f_m f_{m+1}^2 \quad (m \ge 3).$

• Theorem: $P = (x, y) \in E[l] \Leftrightarrow f_l(x) = 0$

• Note $P \in E[l] \Leftrightarrow F(P) \in E[l]$, so if $S = \bigcup_{P \in E[l] \setminus \mathcal{O}} x(P)$ then

$f_l(x) = \prod_{\alpha \in S} (x - \alpha) \in \mathbb{F}_q[x]$



Schoof’s Algorithm – Details

• Theorem: for $m \ge 2$ and $P = (x, y) \in E \setminus \mathcal{O}$, $mP = (x', y')$ with

$x' = x + \frac{f_{m-1} f_{m+1}}{f_m^2},$

$y' = x + y + \frac{f_{m-1} f_{m+1}}{f_m^2} + \frac{f_{m-2} f_{m+1}^2}{x f_m^3} + (x^2 + y) \frac{f_{m-1} f_{m+1}}{x f_m^2}$

• All computations in $E[l]$ are transformed to $\mathbb{F}_q[x]/(f_l(x))$

• Time complexity $O(\log^8 q)$ – Memory complexity $O(\log^3 q)$

• Useful for fields with $q < 2^{130}$



Ideas of Elkies and Atkin

• Idea: are the roots of $X^2 - t_l X + q_l$ in $\mathbb{F}_l$ or not?

• Criterion: is $\Delta = t^2 - 4q$ a square modulo $l$ or not?

• Def: if $\Delta$ is a square modulo $l$ then $l$ is an Elkies prime, else $l$ is an Atkin prime.

• Note $E[l] \cong \mathbb{Z}_l \oplus \mathbb{Z}_l = \bigcup_{i=1}^{l+1} C_i$, the union of its $l + 1$ cyclic subgroups of order $l$: if $P_1, P_2$ generate $E[l]$ then $C_1 = \langle P_1 \rangle$, $C_2 = \langle P_2 \rangle$, $C_i = \langle P_1 + (i - 2) \cdot P_2 \rangle$ for $i = 3, \ldots, l + 1$.

• Study the action of $F_l$ on these subgroups of order $l$

• If $F_l(C_i) \subset C_i$ then $F_l(C_i) = C_i$ and $F_l$ has an eigenvalue $\lambda \in \mathbb{F}_l$



Ideas of Elkies and Atkin (cont.)

• Suppose $l$ is an Elkies prime; then

$X^2 - t_l X + q_l = (X - \lambda)(X - \mu),\quad \lambda, \mu \in \mathbb{F}_l$

• At least one of the $C_i$ is invariant under the Frobenius map

• Let $g_l(x) = \prod_{\pm P_i \in C_1 \setminus \mathcal{O}} (x - x(P_i))$; then $g_l(x) \in \mathbb{F}_q[x]$

• Note that $\deg(g_l) = (l - 1)/2$ and $g_l(x) \mid f_l(x)$, so computing modulo $g_l$ is more efficient

• Equating coefficients of the characteristic polynomial of $F_l$ gives

$t = \lambda + \frac{q}{\lambda} \bmod l$



Ideas of Elkies and Atkin (cont.)

• Problem: how can one compute $g_l(x)$?

• Solution: compute the isogeny $\phi$ with kernel $C_1$

$\phi : E \longrightarrow E' : (x, y) \mapsto \left( \frac{G(x)}{g_l(x)^2},\ \frac{H(x) + y K(x)}{g_l(x)^3} \right)$

• Suppose $l$ is an Atkin prime; then $\Delta$ is a quadratic non-residue modulo $l$

• Generate a number of possibilities for $t \bmod l$

• Final step: combine the information from both Elkies and Atkin primes

• Complexity $= O(\log^6 q)$



Isogenies and modular polynomials

• A morphism from $E_1$ to $E_2$ is a rational map that is defined at every point $P$ on $E_1$.

• An isogeny $I$ is a morphism with $I(\mathcal{O}_1) = \mathcal{O}_2$

• Theorem: every isogeny is a group homomorphism from $E_1$ to $E_2$

• Suppose $I$ is separable; then the degree of $I$ equals $\#\ker(I)$

• Theorem: Let $E$ be an elliptic curve over $\mathbb{F}_q$ and $S$ a finite subgroup of $E$ with $F(S) = S$; then there exist an elliptic curve $E'$ and an isogeny $\phi : E \longrightarrow E'$ defined over $\mathbb{F}_q$ with $\ker(\phi) = S$



Isogenies and modular polynomials (cont.)

• Let $j_a = 1/a$ be the $j$-invariant of the curve $E_a : y^2 + xy = x^3 + a$.

• Theorem: for every prime $l$ there exists a modular polynomial $\Phi_l(x, y)$ of degree $l + 1$ (in each variable) with the following properties:

– there exists an isogeny of degree $l$ from $E_a$ to $E_b$ iff $\Phi_l(j_a, j_b) = 0$

– the polynomial $\Phi_l(x, j_a)$ has a root $j_b \in \mathbb{F}_{q^r}$ iff the kernel of the isogeny $I : E_a \longrightarrow E_b$ is a one-dimensional eigenspace of $F^r$ in $E[l]$

– the polynomial $\Phi_l(x, j_a)$ splits completely in $\mathbb{F}_{q^r}[x]$ iff $F^r$ acts as a scalar matrix on $E[l]$



Isogenies and modular polynomials

Theorem: let $\Phi_l(x, j_a) = h_1 h_2 \cdots h_s$ be the factorisation into irreducibles over $\mathbb{F}_q$; then the possibilities for the degrees of $h_1, h_2, \ldots, h_s$ are:

• $(1\ l)$ or $(1\ 1 \ldots 1)$, and $t^2 - 4q \equiv 0 \bmod l$

• $(1\ 1\ r \ldots r)$, and $t^2 - 4q$ is a square modulo $l$, $r \mid l - 1$ and $F$ acts on $E[l]$ as the matrix

$\begin{pmatrix} \lambda & 0 \\ 0 & \mu \end{pmatrix}$

• $(r\ r \ldots r)$ with $r > 1$, $r \mid l + 1$, $t^2 - 4q$ is not a square modulo $l$, and $t$ satisfies $t^2 = q(\zeta + 2 + \zeta^{-1}) \bmod l$ for $\zeta$ a primitive $r$-th root of unity in $\mathbb{F}_{l^2}$ (it lies in $\mathbb{F}_l$ only when $r \mid l - 1$).


Page 56: Finite Fields and Elliptic Curves in Cryptography · ad ≡1 mod n or ∃r < s, ad·2r ≡−1 mod n. Data Jaeschke: < 1012 only 101 strong pseudoprimes to bases 2, 3, 5 Data 34155

SEA-algorithm: outline

1. M := 1, l := 2, A := {}, E := {}

2. While M < 4√q do:

   (a) Compute the modular polynomial Φl(x, y)

   (b) Compute the splitting S of Φl(x, y)

   (c) If S = (1 l) or S = (1 1 . . . 1): E := E ∪ {(2√q, l)}

   (d) If S = (1 1 r . . . r):
       • Compute the polynomial Fl(x) via the isogeny
       • Find the eigenvalue λ modulo l
       • t = λ + q/λ mod l
       • E := E ∪ {(t, l)}

   (e) If S = (r r . . . r):
       • Compute a set T such that t mod l ∈ T


3. Compute t exactly using match and sort


Satoh’s Algorithm: Main Idea

• Theorem of Deuring: there exists an elliptic curve ℰ over a p-adic field such that

  – the reduction modulo p of ℰ equals E

  – End(ℰ) ≅ End(E)

• The elliptic curve ℰ is called the canonical lift of E

• The Frobenius endomorphism F of E lifts to an endomorphism ℱ of ℰ, so that the following square commutes (π is reduction modulo p):

      ℰ --ℱ--> ℰ
      |        |
      π        π
      v        v
      E --F--> E


• Since Tr ℱ = Tr F = t, it suffices to compute Tr ℱ on the canonical lift ℰ


p-adic Integers and Extensions

• A p-adic integer is a sequence x = (x1, x2, . . . , xk, . . .) with xk ∈ Z/p^kZ and xk+1 ≡ xk mod p^k for k ≥ 1

• Projection πk : Zp → Z/p^kZ : x ↦ xk, and π(Zp) ≅ Fp (with π = π1)

• Let q = p^n and f(t) a monic polynomial in Zp[t] of degree n with π(f) irreducible in Fp[t]; then Zq is defined as Zp[t]/(f(t))

• If a ∈ Zq then a = a_{n−1} t^{n−1} + ··· + a1 t + a0 with ai ∈ Zp

• Note π(Zq) ≅ Fq and πk(Zq) ≅ (Z/p^kZ)[t]/(f(t))


Newton Iteration

• Let f(t) ∈ Zq[t] and suppose x0 ∈ Zq is such that

      f(x0) ≡ 0 mod p^m  and  f′(x0) ≢ 0 mod p,

  then we can get a better approximate root x1 of f as follows:

      x1 = x0 − f(x0) / f′(x0),

  which satisfies

      f(x1) ≡ 0 mod p^{2m}  and  f′(x1) ≢ 0 mod p.

• General case: let k ∈ N be the largest integer with f′(x0) ≡ 0 mod p^k. If m > 2k, then we can compute a better approximate root x1 with f(x1) ≡ 0 mod p^{2m−2k}.
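As an added example (not from the slides), the Newton iteration above in Python over Zp, with a p-adic integer handled through its projections πk(x) = x mod p^k; it covers both the simple case f′(x0) ≢ 0 mod p (precision m → 2m) and the general case k = v_p(f′(x0)) > 0 (precision m → 2m − 2k). The functions, the sample polynomials x² − 2 over Z7 and x² − 17 over Z2 and the starting values are constructed for this example.

```python
# Added example (not from the slides): p-adic Newton iteration over Z_p.
# An "approximate root to precision m" is an integer x0 with f(x0) ≡ 0 mod p^m;
# f and df are plain Python callables for f and f' with integer coefficients.

def v_p(n, p):
    """p-adic valuation of a nonzero integer n (largest k with p^k | n)."""
    assert n != 0, "valuation of 0 is infinite"
    k = 0
    while n % p == 0:
        n //= p
        k += 1
    return k

def projections(x, p, prec):
    """The sequence (x_1, ..., x_prec) with x_k = x mod p^k, x_{k+1} ≡ x_k mod p^k."""
    return [x % p**k for k in range(1, prec + 1)]

def newton_step(f, df, x0, p, m):
    """One step x1 = x0 - f(x0)/f'(x0) in Z_p.

    Precondition: f(x0) ≡ 0 mod p^m and m > 2k where k = v_p(f'(x0)).
    Returns (x1, 2m - 2k) with x1 reduced mod p^(2m-2k); k = 0 gives 2m.
    """
    fx, dfx = f(x0), df(x0)
    assert fx % p**m == 0, "x0 is not a root modulo p^m"
    k = v_p(dfx, p)
    assert m > 2 * k, "need m > 2k for the general case"
    new_prec = 2 * m - 2 * k
    mod = p**new_prec
    # Cancel p^k from numerator and denominator; the rest of f'(x0) is a unit.
    unit = dfx // p**k
    x1 = (x0 - (fx // p**k) * pow(unit, -1, mod)) % mod
    return x1, new_prec

def lift_root(f, df, x0, p, m, target):
    """Iterate newton_step until f(x) ≡ 0 mod p^prec with prec >= target."""
    x, prec = x0, m
    while prec < target:
        x, prec = newton_step(f, df, x, p, prec)
    return x, prec

if __name__ == "__main__":
    # sqrt(2) in Z_7: x0 = 3 (3^2 ≡ 2 mod 7) and f'(3) = 6 is a unit, so k = 0.
    sq2, prec = lift_root(lambda x: x * x - 2, lambda x: 2 * x, 3, 7, 1, 16)
    print(prec, projections(sq2, 7, 4))
    # sqrt(17) in Z_2: f'(x) = 2x has k = 1 for odd x (general case), and
    # x0 = 1 is a root mod 2^4, so each step gains only 2m - 2 digits.
    sq17, prec = lift_root(lambda x: x * x - 17, lambda x: 2 * x, 1, 2, 4, 30)
    print(prec, (sq17 * sq17 - 17) % 2**prec == 0)
```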


Computing the Canonical Lift of an Elliptic Curve

• The little Frobenius endomorphism σ : Fq → Fq : x ↦ x^p

• Applying σ to the coefficients of E gives the conjugate curve E^σ; extend the little Frobenius to elliptic curves as σ : E → E^σ : (x, y) ↦ (x^p, y^p)

• If p = 2 then E^σ is given by the equation y² + xy = x³ + a²

• Let Eᵢ = E^{σ^{(n−i)}} and σᵢ : Eᵢ₊₁ → Eᵢ : (x, y) ↦ (x^p, y^p):

      E = E₀ --σₙ₋₁--> Eₙ₋₁ --σₙ₋₂--> ··· --σ₁--> E₁ --σ₀--> E₀ = E

• Frobenius endomorphism F = σ₀ ∘ ··· ∘ σₙ₋₁


Computing the Canonical Lift of an Elliptic Curve

Theorem of Lubin-Serre-Tate: Let E be an elliptic curve over Fq, let j(E) be its j-invariant with j(E) ∈ Fq \ F_{p²}, and consider the following diagram, in which ℰᵢ is the canonical lift of Eᵢ, Σᵢ : ℰᵢ₊₁ → ℰᵢ lifts σᵢ, and π is reduction modulo p:

      ℰ₀ --Σₙ₋₁--> ℰₙ₋₁ --Σₙ₋₂--> ··· --Σ₁--> ℰ₁ --Σ₀--> ℰ₀
      |            |                        |           |
      π            π                        π           π
      v            v                        v           v
      E₀ --σₙ₋₁--> Eₙ₋₁ --σₙ₋₂--> ··· --σ₁--> E₁ --σ₀--> E₀

then the j-invariants j(ℰᵢ) satisfy

      j(ℰᵢ) ∈ Zq,  Φp(j(ℰᵢ), j(ℰᵢ₊₁)) = 0  and  j(ℰᵢ) ≡ j(Eᵢ) mod p


Computing the Canonical Lift of an Elliptic Curve

Let the vector function Θ : Zq^n → Zq^n be

      Θ(x₀, . . . , xₙ₋₁) = (Φp(x₀, x₁), Φp(x₁, x₂), . . . , Φp(xₙ₋₁, x₀))

and denote by (DΘ)(x₀, . . . , xₙ₋₁) its Jacobian matrix, i.e.

$$
(D\Theta)(x_0,\dots,x_{n-1}) =
\begin{pmatrix}
\frac{\partial\Phi_p}{\partial X}(x_0,x_1) & \frac{\partial\Phi_p}{\partial Y}(x_0,x_1) & \cdots & 0 & 0 \\
0 & \frac{\partial\Phi_p}{\partial X}(x_1,x_2) & \cdots & 0 & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & \frac{\partial\Phi_p}{\partial X}(x_{n-2},x_{n-1}) & \frac{\partial\Phi_p}{\partial Y}(x_{n-2},x_{n-1}) \\
\frac{\partial\Phi_p}{\partial Y}(x_{n-1},x_0) & 0 & \cdots & 0 & \frac{\partial\Phi_p}{\partial X}(x_{n-1},x_0)
\end{pmatrix}
$$

then one can lift (j(E₀), . . . , j(Eₙ₋₁)) to (j(ℰ₀), . . . , j(ℰₙ₋₁)), with ℰᵢ the canonical lift of Eᵢ, via the multivariate Newton iteration

      (x₀, . . . , xₙ₋₁) ← (x₀, . . . , xₙ₋₁) − ((DΘ)⁻¹ Θ)(x₀, . . . , xₙ₋₁)


Computing Trace of Frobenius on Lifted Curve

• Theorem by Satoh: Let Ê be the formal group associated with the canonical lift ℰ, let f ∈ End(ℰ) with induced f̂ ∈ End(Ê), and let π(f) be separable. If f̂(z) = cz + O(z²), then Tr(f) = c + q/c.

• ℱ is inseparable, so take the dual ℱ̂, which is separable; it is the composition of the duals Σ̂ᵢ : ℰᵢ → ℰᵢ₊₁ of the lifted Frobenius maps (π is reduction modulo p):

      ℰ₀ --Σ̂₀--> ℰ₁ --Σ̂₁--> ··· --Σ̂ₙ₋₂--> ℰₙ₋₁ --Σ̂ₙ₋₁--> ℰ₀
      |          |                      |              |
      π          π                      π              π
      v          v                      v              v
      E₀ --σ̂₀--> E₁ --σ̂₁--> ··· --σ̂ₙ₋₂--> Eₙ₋₁ --σ̂ₙ₋₁--> E₀


• Let Σ̂ᵢ(z) = cᵢ z + O(z²) on the formal group; then c = ∏_{i=0}^{n−1} cᵢ


Computing Trace of Frobenius on Lifted Curve (cont.)

• Theorem: Let E be an elliptic curve and G a finite subgroup of E; then there exists a unique elliptic curve E′ and a separable isogeny φ : E → E′ with ker φ = G.

• Applied to Σ̂ᵢ : ℰᵢ → ℰᵢ₊₁, this factors Σ̂ᵢ through the quotient by its kernel:

      ℰᵢ --ν--> ℰᵢ / Ker Σ̂ᵢ --λ--> ℰᵢ₊₁,   with Σ̂ᵢ = λ ∘ ν

• Vélu’s formulae give the equation of ℰᵢ / Ker Σ̂ᵢ and of the isogeny ν

• This finally leads to a formula for cᵢ²


Outline of Satoh’s Algorithm

Input: Elliptic curve E over the finite field Fq

Output: Trace of Frobenius t = q + 1 − #E(Fq)

1. Compute the conjugates of E, i.e. E^{σⁱ} for i = 0, . . . , n − 1

2. Lift the j-invariants j(Eᵢ) simultaneously to j(ℰᵢ) using a multivariate Newton iteration

3. Compute the squares cᵢ² using j(ℰᵢ) and j(ℰᵢ₊₁)

4. Set c² = ∏_{i=0}^{n−1} cᵢ² and compute c with the correct sign

5. Return t ≡ c mod p^{⌊(n+3)/2⌋} with |t| ≤ 2√q

Time O(log^{3+ε} q), memory O(log³ q). Recently: a new algorithm with memory O(log² q).
