# Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,

date post

19-Mar-2020Category

## Documents

view

3download

0

Embed Size (px)

### Transcript of Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,

Elliptic curve arithmetic

Wouter Castryck

ECC school, Nijmegen, 9-11 November 2017

๐1

๐2

๐1 + ๐2

Tangent-chord arithmetic on cubic curves

Introduction Consequence of Bรฉzoutโs theorem: on a cubic curve

๐ถ โถ ๐ ๐ฅ, ๐ฆ = ฯ๐+๐=3๐๐๐๐ฅ ๐๐ฆ๐ = 0,

new points can be constructed from known points using tangents and chords.

This principle was already known to 17th century natives like Fermat and Newton.

๐ ๐ฅ, ๐ฆ = 0

Pierre de Fermat

Isaac Newton

Introduction

This construction was known to respect the base field.

This means: if ๐ ๐ฅ, ๐ฆ โ ๐[๐ฅ, ๐ฆ] with ๐ some field, and one starts from points having coordinates in ๐, then new points obtained through the tangent-chord method also have coordinates in ๐.

Informal reason:

Consider two points on the ๐ฅ-axis ๐1 = ๐, 0 and ๐2 = (๐, 0). Then the โchordโ is ๐ฆ = 0.

The intersection is computed by ๐ ๐ฅ, 0 = ๐ฅ โ ๐ โ ๐ฅ โ ๐ โ linear factor

always has a root over ๐!

๐1

๐2

๐ ๐ฅ, ๐ฆ = 0

Introduction Thus: tangents and chords give some sort of composition law on the set of ๐-rational points of a cubic curve.

Later it was realized that by adding in a second step, this gives the curve an abelian group structure! only after an incredible historical detour which took more than 200 yearsโฆ

First formalized by Poincarรฉ in 1901.

Henri Poincarรฉ

choose a base point

๐

๐1

๐2

๐1 + ๐2

๐

2๐ commutativity: ๐1 + ๐2 = ๐2 + ๐1

associativity: ๐1 + ๐2 + ๐3 = ๐1 + (๐2 + ๐3)

neutral element: ๐ + ๐ = ๐

inverse element: โ โ๐ โถ ๐ + โ๐ = ๐

Introduction

Conditions for this to work:

1) One should work projectively (as opposed to affinely):

Homogenize

๐ ๐ฅ, ๐ฆ = ฯ๐+๐=3๐๐๐๐ฅ ๐๐ฆ๐ to ๐น ๐ฅ, ๐ฆ, ๐ง = ฯ๐+๐=3๐๐๐๐ฅ

๐๐ฆ๐๐ง3โ๐โ๐

and consider points ๐ฅ: ๐ฆ: ๐ง โ (0: 0: 0), up to scaling.

Two types of points:

affine points points at infinity

๐ง = 0

๐ง โ 0: the point is of the form (๐ฅ: ๐ฆ: 1)

But then ๐ฅ, ๐ฆ is an affine point!

๐ง = 0: points of the form (๐ฅ: ๐ฆ: 0) up to scaling.

(Up to three such points.)

Introduction

Conditions for this to work:

2) The curve should be smooth, meaning that

๐ = ๐๐

๐๐ฅ =

๐๐

๐๐ฆ =

๐๐

๐๐ง = 0

has no solutions.

๏

๏

๏

This ensures that every point ๐ has a well-defined tangent line

๐ โถ ๐๐

๐๐ฅ ๐ โ ๐ฅ +

๐๐

๐๐ฆ ๐ โ ๐ฆ +

๐๐

๐๐ง ๐ โ ๐ง = 0.

Introduction

Conditions for this to work:

3) ๐ should have coordinates in ๐, in order for the arithmetic to work over ๐.

๐

Definition: an elliptic curve over ๐ is a smooth projective cubic curve ๐ธ/๐ equipped with a ๐-rational base point ๐.

(Caution: there exist more general and less general definitions.)

Under these assumptions we have as wanted: Tangent-chord arithmetic turns ๐ธ into an abelian group with neutral element ๐. The set of ๐-rational points ๐ธ(๐) form a subgroup.

Exercises

1) Describe geometrically what it means to invert a point ๐, i.e. to find a point โ๐ such that

๐ + โ๐ = ๐.

๐

2) Why does this construction simplify considerably if ๐ is a flex (= point at which its tangent line meets the curve triply)?

3) If ๐ is a flex then

3๐ โ ๐ + ๐ + ๐ = ๐ if and only if ๐ is a flex.

Explain why.

On the terminology โelliptic curvesโ

On the terminology

In the 18th century, unrelated to all this, Fagnano and Euler revisited the unsolved problem of determining the circumference of an ellipse.

Giulio Fagnano

Leonhard Euler

?

They got stuck on difficult integrals, now called elliptic integrals.

On the terminology

In the 19th century Abel and Jacobi studied the inverse functions of elliptic integrals.

๐ก = ๐(๐ ) ?

When viewed as complex functions, they observed doubly periodic behaviour: there exist ๐1, ๐2 โ ๐ such that

๐ ๐ง + ๐1๐1 + ๐2๐2 = ๐ ๐ง for all ๐1, ๐2 โ ๐.

Niels H. Abel

Carl G. Jacobi

Compare to: sin ๐ฅ + ๐ โ 2๐๐ = sin ๐ฅ for all ๐ โ ๐, etc.

Such generalized trigonometric functions became known as elliptic functions.

On the terminology

In other words: elliptic functions on ๐ are well-defined modulo ๐๐1 + ๐๐2.

๐1

๐2

Karl Weierstrass

Mid 19th century Weierstrass classified all elliptic functions for any given ๐1, ๐2, and used this to define a biholomorphism

๐/(๐๐1 + ๐๐2) โ ๐ธ: ๐ง โฆ (โ ๐ง ,โโฒ ๐ง )

to a certain algebraic curve ๐ธโฆ

Note that ๐/(๐๐1 + ๐๐2) is an abelian group, almost by definition.

The biholomorphism endows ๐ธ with the same group structureโฆ โฆ where it turns out to correspond to tangent-chord arithmetic!

โฆ which he called an elliptic curve!

Weierstrass curves and their arithmetic

The concrete type of elliptic curves found by Weierstrass now carry his name. They are the most famous shapes of elliptic curves.

Assume char ๐ โ 2,3.

๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ + ๐ต๐ฆ2๐ง = ๐ฅ3 + ๐ด๐ฅ๐ง2 + ๐ต๐ง3

(typical plot for ๐ = ๐)

Weierstrass curves ๐ง = 0 ๐ = (0: 1: 0)

Definition: a Weierstrass elliptic curve is defined by

where ๐ด, ๐ต โ ๐ satisfy 4๐ด3 + 27๐ต2 โ 0. The base point ๐ is the unique point at infinity.

Can be shown: up to โisomorphismโ every elliptic curve is Weierstrass.

Note:

1) the lines through ๐ = (0: 1: 0) are the vertical lines (except for the line at infinity ๐ง = 0).

2) The equation ๐ฆ2 = ๐ฅ3 + ๐ด๐ฅ + ๐ต is symmetric in ๐ฆ.

Weierstrass curves

(๐ฅ, ๐ฆ) This gives a first feature: inverting a point on a Weierstrass curve is super easy!

Indeed: if ๐ = (๐ฅ, ๐ฆ) is an affine point then

โ๐ = ๐ฅ,โ๐ฆ .

๐

๐

(๐ฅ, โ๐ฆ)

What about point addition?

Weierstrass curves

Write ๐1 + ๐2 = ๐ฅ3, ๐ฆ3 .

Line through ๐1 = (๐ฅ1, ๐ฆ1) and ๐2 = (๐ฅ2, ๐ฆ2) is

๐ฆ โ ๐ฆ1 = ๐ ๐ฅ โ ๐ฅ1 where ๐ = ๐ฆ2โ๐ฆ1

๐ฅ2โ๐ฅ1 .

๐1

๐2

๐1 + ๐2

Substituting ๐ฆ โ ๐ฆ1 + ๐ ๐ฅ โ ๐ฅ1 in the curve equation ๐ฅ3 + ๐ด๐ฅ + ๐ต โ ๐ฆ2 = 0:

๐ฅ3 + ๐ด๐ฅ + ๐ต โ (๐2๐ฅ2 +โฏ) = 0.๐ฅ3 + ๐ด๐ฅ + ๐ต โ ๐ฆ1 + ๐ ๐ฅ โ ๐ฅ1 2 = 0.๐ฅ3 โ ๐2๐ฅ2 +โฏ = 0.

So, sum of the roots is ๐2. But ๐ฅ1, ๐ฅ2 are roots!

We find: แ ๐ฅ3 = ๐

2 โ ๐ฅ1 โ ๐ฅ2 ๐ฆ3 = โ๐ฆ1 โ ๐(๐ฅ3 โ ๐ฅ1)

Weierstrass curves

๐

2๐

where ๐ = ๐ฆ2โ๐ฆ1

๐ฅ2โ๐ฅ1 .

We find: แ ๐ฅ3 = ๐

2 โ ๐ฅ1 โ ๐ฅ2 ๐ฆ3 = โ๐ฆ1 โ ๐(๐ฅ3 โ ๐ฅ1)

But what if ๐ฅ1 = ๐ฅ2?

Two cases:

Either ๐ฆ1 = ๐ฆ2 โ 0, i.e. ๐1 = ๐2 = ๐.

In this case we need to replace ๐ by

๐ = 3๐ฅ1

2+2๐ด๐ฅ1

2๐ฆ1 .

Or ๐ฆ1 = โ๐ฆ2, in which case ๐1 + ๐2 = ๐.

๐

๐1

๐2

Conclusion: formulas for computing on a Weierstrass curve are not too bad, but case distinctive.

More efficient elliptic curve arithmetic?

The Weierstrass addition formulas are reasonably good for several purposesโฆ โฆ but can they be boosted? Huge amount of activity starting in the 1980โs.

One reason: Koblitz and Millerโs suggestion to use elliptic curves in crypto!

Initial reason: Lenstraโs elliptic curve method (ECM) for integer factorization.

agree on ๐ธ/๐ ๐ and ๐ โ ๐ธ(๐ ๐)

chooses secret ๐ โ ๐ chooses secret ๐ โ ๐

computes ๐๐ computes ๐๐receives receives computes ๐ ๐๐ = ๐๐๐ computes ๐ ๐๐ = ๐๐๐

(Example: Diffie-Hellman key exchange.)

Victor Miller

Neal Koblitz

Generic methods for efficient scalar multiplication

Efficient scalar multiplication

The most important operation in both (discrete-log based) elliptic curve cryptography, the elliptic curve method for integer factorization,

is scalar multiplication: given a point ๐ and a positive integer ๐, compute

๐๐ โ ๐ + ๐ +โฏ+ ๐

๐ times.

*View more*