• date post

19-Mar-2020
• Category

## Documents

• view

4

0

Embed Size (px)

### Transcript of Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,...

• Elliptic curve arithmetic

Wouter Castryck

ECC school, Nijmegen, 9-11 November 2017

๐1

๐2

๐1 + ๐2

• Tangent-chord arithmetic on cubic curves

• Introduction Consequence of Bรฉzoutโs theorem: on a cubic curve

๐ถ โถ ๐ ๐ฅ, ๐ฆ = ฯ๐+๐=3๐๐๐๐ฅ ๐๐ฆ๐ = 0,

new points can be constructed from known points using tangents and chords.

This principle was already known to 17th century natives like Fermat and Newton.

๐ ๐ฅ, ๐ฆ = 0

Pierre de Fermat

Isaac Newton

• Introduction

This construction was known to respect the base field.

This means: if ๐ ๐ฅ, ๐ฆ โ ๐[๐ฅ, ๐ฆ] with ๐ some field, and one starts from points having coordinates in ๐, then new points obtained through the tangent-chord method also have coordinates in ๐.

Informal reason:

Consider two points on the ๐ฅ-axis ๐1 = ๐, 0 and ๐2 = (๐, 0). Then the โchordโ is ๐ฆ = 0.

The intersection is computed by ๐ ๐ฅ, 0 = ๐ฅ โ ๐ โ ๐ฅ โ ๐ โ linear factor

always has a root over ๐!

๐1

๐2

๐ ๐ฅ, ๐ฆ = 0

• Introduction Thus: tangents and chords give some sort of composition law on the set of ๐-rational points of a cubic curve.

Later it was realized that by adding in a second step, this gives the curve an abelian group structure! only after an incredible historical detour which took more than 200 yearsโฆ

First formalized by Poincarรฉ in 1901.

Henri Poincarรฉ

choose a base point

๐

๐1

๐2

๐1 + ๐2

๐

2๐ commutativity: ๐1 + ๐2 = ๐2 + ๐1

associativity: ๐1 + ๐2 + ๐3 = ๐1 + (๐2 + ๐3)

neutral element: ๐ + ๐ = ๐

inverse element: โ โ๐ โถ ๐ + โ๐ = ๐

• Introduction

Conditions for this to work:

1) One should work projectively (as opposed to affinely):

Homogenize

๐ ๐ฅ, ๐ฆ = ฯ๐+๐=3๐๐๐๐ฅ ๐๐ฆ๐ to ๐น ๐ฅ, ๐ฆ, ๐ง = ฯ๐+๐=3๐๐๐๐ฅ

๐๐ฆ๐๐ง3โ๐โ๐

and consider points ๐ฅ: ๐ฆ: ๐ง โ  (0: 0: 0), up to scaling.

Two types of points:

affine points points at infinity

๐ง = 0

๐ง โ  0: the point is of the form (๐ฅ: ๐ฆ: 1)

But then ๐ฅ, ๐ฆ is an affine point!

๐ง = 0: points of the form (๐ฅ: ๐ฆ: 0) up to scaling.

(Up to three such points.)

• Introduction

Conditions for this to work:

2) The curve should be smooth, meaning that

๐ = ๐๐

๐๐ฅ =

๐๐

๐๐ฆ =

๐๐

๐๐ง = 0

has no solutions.

๏

๏

๏

This ensures that every point ๐ has a well-defined tangent line

๐ โถ ๐๐

๐๐ฅ ๐ โ ๐ฅ +

๐๐

๐๐ฆ ๐ โ ๐ฆ +

๐๐

๐๐ง ๐ โ ๐ง = 0.

• Introduction

Conditions for this to work:

3) ๐ should have coordinates in ๐, in order for the arithmetic to work over ๐.

๐

Definition: an elliptic curve over ๐ is a smooth projective cubic curve ๐ธ/๐ equipped with a ๐-rational base point ๐.

(Caution: there exist more general and less general definitions.)

Under these assumptions we have as wanted: Tangent-chord arithmetic turns ๐ธ into an abelian group with neutral element ๐. The set of ๐-rational points ๐ธ(๐) form a subgroup.

• Exercises

1) Describe geometrically what it means to invert a point ๐, i.e. to find a point โ๐ such that

๐ + โ๐ = ๐.

๐

2) Why does this construction simplify considerably if ๐ is a flex (= point at which its tangent line meets the curve triply)?

3) If ๐ is a flex then

3๐ โ ๐ + ๐ + ๐ = ๐ if and only if ๐ is a flex.

Explain why.

• On the terminology โelliptic curvesโ

• On the terminology

In the 18th century, unrelated to all this, Fagnano and Euler revisited the unsolved problem of determining the circumference of an ellipse.

Giulio Fagnano

Leonhard Euler

?

They got stuck on difficult integrals, now called elliptic integrals.

• On the terminology

In the 19th century Abel and Jacobi studied the inverse functions of elliptic integrals.

๐ก = ๐(๐ ) ?

When viewed as complex functions, they observed doubly periodic behaviour: there exist ๐1, ๐2 โ ๐ such that

๐ ๐ง + ๐1๐1 + ๐2๐2 = ๐ ๐ง for all ๐1, ๐2 โ ๐.

Niels H. Abel

Carl G. Jacobi

Compare to: sin ๐ฅ + ๐ โ 2๐๐ = sin ๐ฅ for all ๐ โ ๐, etc.

Such generalized trigonometric functions became known as elliptic functions.

• On the terminology

In other words: elliptic functions on ๐ are well-defined modulo ๐๐1 + ๐๐2.

๐1

๐2

Karl Weierstrass

Mid 19th century Weierstrass classified all elliptic functions for any given ๐1, ๐2, and used this to define a biholomorphism

๐/(๐๐1 + ๐๐2) โ ๐ธ: ๐ง โฆ (โ ๐ง ,โโฒ ๐ง )

to a certain algebraic curve ๐ธโฆ

Note that ๐/(๐๐1 + ๐๐2) is an abelian group, almost by definition.

The biholomorphism endows ๐ธ with the same group structureโฆ โฆ where it turns out to correspond to tangent-chord arithmetic!

โฆ which he called an elliptic curve!

• Weierstrass curves and their arithmetic

• The concrete type of elliptic curves found by Weierstrass now carry his name. They are the most famous shapes of elliptic curves.

Assume char ๐ โ  2,3.

๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ + ๐ต๐ฆ2๐ง = ๐ฅ3 + ๐ด๐ฅ๐ง2 + ๐ต๐ง3

(typical plot for ๐ = ๐)

Weierstrass curves ๐ง = 0 ๐ = (0: 1: 0)

Definition: a Weierstrass elliptic curve is defined by

where ๐ด, ๐ต โ ๐ satisfy 4๐ด3 + 27๐ต2 โ  0. The base point ๐ is the unique point at infinity.

Can be shown: up to โisomorphismโ every elliptic curve is Weierstrass.

• Note:

1) the lines through ๐ = (0: 1: 0) are the vertical lines (except for the line at infinity ๐ง = 0).

2) The equation ๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ + ๐ต is symmetric in ๐ฆ.

Weierstrass curves

(๐ฅ, ๐ฆ) This gives a first feature: inverting a point on a Weierstrass curve is super easy!

Indeed: if ๐ = (๐ฅ, ๐ฆ) is an affine point then

โ๐ = ๐ฅ,โ๐ฆ .

๐

๐

(๐ฅ, โ๐ฆ)

Weierstrass curves

Write ๐1 + ๐2 = ๐ฅ3, ๐ฆ3 .

Line through ๐1 = (๐ฅ1, ๐ฆ1) and ๐2 = (๐ฅ2, ๐ฆ2) is

๐ฆ โ ๐ฆ1 = ๐ ๐ฅ โ ๐ฅ1 where ๐ = ๐ฆ2โ๐ฆ1

๐ฅ2โ๐ฅ1 .

๐1

๐2

๐1 + ๐2

Substituting ๐ฆ โ ๐ฆ1 + ๐ ๐ฅ โ ๐ฅ1 in the curve equation ๐ฅ3 + ๐ด๐ฅ + ๐ต โ ๐ฆ2 = 0:

๐ฅ3 + ๐ด๐ฅ + ๐ต โ (๐2๐ฅ2 +โฏ) = 0.๐ฅ3 + ๐ด๐ฅ + ๐ต โ ๐ฆ1 + ๐ ๐ฅ โ ๐ฅ1 2 = 0.๐ฅ3 โ ๐2๐ฅ2 +โฏ = 0.

So, sum of the roots is ๐2. But ๐ฅ1, ๐ฅ2 are roots!

We find: แ ๐ฅ3 = ๐

2 โ ๐ฅ1 โ ๐ฅ2 ๐ฆ3 = โ๐ฆ1 โ ๐(๐ฅ3 โ ๐ฅ1)

• Weierstrass curves

๐

2๐

where ๐ = ๐ฆ2โ๐ฆ1

๐ฅ2โ๐ฅ1 .

We find: แ ๐ฅ3 = ๐

2 โ ๐ฅ1 โ ๐ฅ2 ๐ฆ3 = โ๐ฆ1 โ ๐(๐ฅ3 โ ๐ฅ1)

But what if ๐ฅ1 = ๐ฅ2?

Two cases:

Either ๐ฆ1 = ๐ฆ2 โ  0, i.e. ๐1 = ๐2 = ๐.

In this case we need to replace ๐ by

๐ = 3๐ฅ1

2+2๐ด๐ฅ1

2๐ฆ1 .

Or ๐ฆ1 = โ๐ฆ2, in which case ๐1 + ๐2 = ๐.

๐

๐1

๐2

Conclusion: formulas for computing on a Weierstrass curve are not too bad, but case distinctive.

• More efficient elliptic curve arithmetic?

The Weierstrass addition formulas are reasonably good for several purposesโฆ โฆ but can they be boosted? Huge amount of activity starting in the 1980โs.

One reason: Koblitz and Millerโs suggestion to use elliptic curves in crypto!

Initial reason: Lenstraโs elliptic curve method (ECM) for integer factorization.

agree on ๐ธ/๐๐ and ๐ โ ๐ธ(๐๐)

chooses secret ๐ โ ๐ chooses secret ๐ โ ๐

computes ๐๐ computes ๐๐receives receives computes ๐ ๐๐ = ๐๐๐ computes ๐ ๐๐ = ๐๐๐

(Example: Diffie-Hellman key exchange.)

Victor Miller

Neal Koblitz

• Generic methods for efficient scalar multiplication

• Efficient scalar multiplication

The most important operation in both (discrete-log based) elliptic curve cryptography, the elliptic curve method for integer factorization,

is scalar multiplication: given a point ๐ and a positive integer ๐, compute

๐๐ โ ๐ + ๐ +โฏ+ ๐

๐ times.