Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,

download Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,

of 36

  • date post

    19-Mar-2020
  • Category

    Documents

  • view

    3
  • download

    0

Embed Size (px)

Transcript of Elliptic curve arithmetic - ECC 2017 Elliptic curve arithmetic Wouter Castryck ECC school, Nijmegen,

  • Elliptic curve arithmetic

    Wouter Castryck

    ECC school, Nijmegen, 9-11 November 2017

    ๐‘ƒ1

    ๐‘ƒ2

    ๐‘ƒ1 + ๐‘ƒ2

  • Tangent-chord arithmetic on cubic curves

  • Introduction Consequence of Bรฉzoutโ€™s theorem: on a cubic curve

    ๐ถ โˆถ ๐‘“ ๐‘ฅ, ๐‘ฆ = ฯƒ๐‘–+๐‘—=3๐‘Ž๐‘–๐‘—๐‘ฅ ๐‘–๐‘ฆ๐‘— = 0,

    new points can be constructed from known points using tangents and chords.

    This principle was already known to 17th century natives like Fermat and Newton.

    ๐‘“ ๐‘ฅ, ๐‘ฆ = 0

    Pierre de Fermat

    Isaac Newton

  • Introduction

    This construction was known to respect the base field.

    This means: if ๐‘“ ๐‘ฅ, ๐‘ฆ โˆˆ ๐‘˜[๐‘ฅ, ๐‘ฆ] with ๐‘˜ some field, and one starts from points having coordinates in ๐‘˜, then new points obtained through the tangent-chord method also have coordinates in ๐‘˜.

    Informal reason:

    Consider two points on the ๐‘ฅ-axis ๐‘ƒ1 = ๐‘Ž, 0 and ๐‘ƒ2 = (๐‘, 0). Then the โ€œchordโ€ is ๐‘ฆ = 0.

    The intersection is computed by ๐‘“ ๐‘ฅ, 0 = ๐‘ฅ โˆ’ ๐‘Ž โ‹… ๐‘ฅ โˆ’ ๐‘ โ‹… linear factor

    always has a root over ๐’Œ!

    ๐‘ƒ1

    ๐‘ƒ2

    ๐‘“ ๐‘ฅ, ๐‘ฆ = 0

  • Introduction Thus: tangents and chords give some sort of composition law on the set of ๐‘˜-rational points of a cubic curve.

    Later it was realized that by adding in a second step, this gives the curve an abelian group structure! only after an incredible historical detour which took more than 200 yearsโ€ฆ

    First formalized by Poincarรฉ in 1901.

    Henri Poincarรฉ

    choose a base point

    ๐‘‚

    ๐‘ƒ1

    ๐‘ƒ2

    ๐‘ƒ1 + ๐‘ƒ2

    ๐‘ƒ

    2๐‘ƒ commutativity: ๐‘ƒ1 + ๐‘ƒ2 = ๐‘ƒ2 + ๐‘ƒ1

    associativity: ๐‘ƒ1 + ๐‘ƒ2 + ๐‘ƒ3 = ๐‘ƒ1 + (๐‘ƒ2 + ๐‘ƒ3)

    neutral element: ๐‘ƒ + ๐‘‚ = ๐‘ƒ

    inverse element: โˆƒ โˆ’๐‘ƒ โˆถ ๐‘ƒ + โˆ’๐‘ƒ = ๐‘‚

  • Introduction

    Conditions for this to work:

    1) One should work projectively (as opposed to affinely):

    Homogenize

    ๐‘“ ๐‘ฅ, ๐‘ฆ = ฯƒ๐‘–+๐‘—=3๐‘Ž๐‘–๐‘—๐‘ฅ ๐‘–๐‘ฆ๐‘— to ๐น ๐‘ฅ, ๐‘ฆ, ๐‘ง = ฯƒ๐‘–+๐‘—=3๐‘Ž๐‘–๐‘—๐‘ฅ

    ๐‘–๐‘ฆ๐‘—๐‘ง3โˆ’๐‘–โˆ’๐‘—

    and consider points ๐‘ฅ: ๐‘ฆ: ๐‘ง โ‰  (0: 0: 0), up to scaling.

    Two types of points:

    affine points points at infinity

    ๐‘ง = 0

    ๐‘ง โ‰  0: the point is of the form (๐‘ฅ: ๐‘ฆ: 1)

    But then ๐‘ฅ, ๐‘ฆ is an affine point!

    ๐‘ง = 0: points of the form (๐‘ฅ: ๐‘ฆ: 0) up to scaling.

    (Up to three such points.)

  • Introduction

    Conditions for this to work:

    2) The curve should be smooth, meaning that

    ๐‘“ = ๐œ•๐‘“

    ๐œ•๐‘ฅ =

    ๐œ•๐‘“

    ๐œ•๐‘ฆ =

    ๐œ•๐‘“

    ๐œ•๐‘ง = 0

    has no solutions.

    ๏

    ๏

    ๏

    This ensures that every point ๐‘ƒ has a well-defined tangent line

    ๐‘‡ โˆถ ๐œ•๐‘“

    ๐œ•๐‘ฅ ๐‘ƒ โ‹… ๐‘ฅ +

    ๐œ•๐‘“

    ๐œ•๐‘ฆ ๐‘ƒ โ‹… ๐‘ฆ +

    ๐œ•๐‘“

    ๐œ•๐‘ง ๐‘ƒ โ‹… ๐‘ง = 0.

  • Introduction

    Conditions for this to work:

    3) ๐‘‚ should have coordinates in ๐‘˜, in order for the arithmetic to work over ๐‘˜.

    ๐‘‚

    Definition: an elliptic curve over ๐‘˜ is a smooth projective cubic curve ๐ธ/๐‘˜ equipped with a ๐‘˜-rational base point ๐‘‚.

    (Caution: there exist more general and less general definitions.)

    Under these assumptions we have as wanted: Tangent-chord arithmetic turns ๐ธ into an abelian group with neutral element ๐‘‚. The set of ๐‘˜-rational points ๐ธ(๐‘˜) form a subgroup.

  • Exercises

    1) Describe geometrically what it means to invert a point ๐‘ƒ, i.e. to find a point โˆ’๐‘ƒ such that

    ๐‘ƒ + โˆ’๐‘ƒ = ๐‘‚.

    ๐‘‚

    2) Why does this construction simplify considerably if ๐‘‚ is a flex (= point at which its tangent line meets the curve triply)?

    3) If ๐‘‚ is a flex then

    3๐‘ƒ โ‰” ๐‘ƒ + ๐‘ƒ + ๐‘ƒ = ๐‘‚ if and only if ๐‘ƒ is a flex.

    Explain why.

  • On the terminology โ€œelliptic curvesโ€

  • On the terminology

    In the 18th century, unrelated to all this, Fagnano and Euler revisited the unsolved problem of determining the circumference of an ellipse.

    Giulio Fagnano

    Leonhard Euler

    ?

    They got stuck on difficult integrals, now called elliptic integrals.

  • On the terminology

    In the 19th century Abel and Jacobi studied the inverse functions of elliptic integrals.

    ๐‘ก = ๐‘“(๐‘ ) ?

    When viewed as complex functions, they observed doubly periodic behaviour: there exist ๐œ”1, ๐œ”2 โˆˆ ๐‚ such that

    ๐‘“ ๐‘ง + ๐œ†1๐œ”1 + ๐œ†2๐œ”2 = ๐‘“ ๐‘ง for all ๐œ†1, ๐œ†2 โˆˆ ๐™.

    Niels H. Abel

    Carl G. Jacobi

    Compare to: sin ๐‘ฅ + ๐œ† โ‹… 2๐‘˜๐œ‹ = sin ๐‘ฅ for all ๐œ† โˆˆ ๐™, etc.

    Such generalized trigonometric functions became known as elliptic functions.

  • On the terminology

    In other words: elliptic functions on ๐‚ are well-defined modulo ๐™๐œ”1 + ๐™๐œ”2.

    ๐œ”1

    ๐œ”2

    Karl Weierstrass

    Mid 19th century Weierstrass classified all elliptic functions for any given ๐œ”1, ๐œ”2, and used this to define a biholomorphism

    ๐‚/(๐™๐œ”1 + ๐™๐œ”2) โ†’ ๐ธ: ๐‘ง โ†ฆ (โ„˜ ๐‘ง ,โ„˜โ€ฒ ๐‘ง )

    to a certain algebraic curve ๐ธโ€ฆ

    Note that ๐‚/(๐™๐œ”1 + ๐™๐œ”2) is an abelian group, almost by definition.

    The biholomorphism endows ๐ธ with the same group structureโ€ฆ โ€ฆ where it turns out to correspond to tangent-chord arithmetic!

    โ€ฆ which he called an elliptic curve!

  • Weierstrass curves and their arithmetic

  • The concrete type of elliptic curves found by Weierstrass now carry his name. They are the most famous shapes of elliptic curves.

    Assume char ๐‘˜ โ‰  2,3.

    ๐‘ฆ2 = ๐‘ฅ3 + ๐ด๐‘ฅ + ๐ต๐‘ฆ2๐‘ง = ๐‘ฅ3 + ๐ด๐‘ฅ๐‘ง2 + ๐ต๐‘ง3

    (typical plot for ๐‘˜ = ๐‘)

    Weierstrass curves ๐‘ง = 0 ๐‘‚ = (0: 1: 0)

    Definition: a Weierstrass elliptic curve is defined by

    where ๐ด, ๐ต โˆˆ ๐‘˜ satisfy 4๐ด3 + 27๐ต2 โ‰  0. The base point ๐‘‚ is the unique point at infinity.

    Can be shown: up to โ€œisomorphismโ€ every elliptic curve is Weierstrass.

  • Note:

    1) the lines through ๐‘‚ = (0: 1: 0) are the vertical lines (except for the line at infinity ๐‘ง = 0).

    2) The equation ๐‘ฆ2 = ๐‘ฅ3 + ๐ด๐‘ฅ + ๐ต is symmetric in ๐‘ฆ.

    Weierstrass curves

    (๐‘ฅ, ๐‘ฆ) This gives a first feature: inverting a point on a Weierstrass curve is super easy!

    Indeed: if ๐‘ƒ = (๐‘ฅ, ๐‘ฆ) is an affine point then

    โˆ’๐‘ƒ = ๐‘ฅ,โˆ’๐‘ฆ .

    ๐‘‚

    ๐‘ƒ

    (๐‘ฅ, โˆ’๐‘ฆ)

  • What about point addition?

    Weierstrass curves

    Write ๐‘ƒ1 + ๐‘ƒ2 = ๐‘ฅ3, ๐‘ฆ3 .

    Line through ๐‘ƒ1 = (๐‘ฅ1, ๐‘ฆ1) and ๐‘ƒ2 = (๐‘ฅ2, ๐‘ฆ2) is

    ๐‘ฆ โˆ’ ๐‘ฆ1 = ๐œ† ๐‘ฅ โˆ’ ๐‘ฅ1 where ๐œ† = ๐‘ฆ2โˆ’๐‘ฆ1

    ๐‘ฅ2โˆ’๐‘ฅ1 .

    ๐‘ƒ1

    ๐‘ƒ2

    ๐‘ƒ1 + ๐‘ƒ2

    Substituting ๐‘ฆ โ† ๐‘ฆ1 + ๐œ† ๐‘ฅ โˆ’ ๐‘ฅ1 in the curve equation ๐‘ฅ3 + ๐ด๐‘ฅ + ๐ต โˆ’ ๐‘ฆ2 = 0:

    ๐‘ฅ3 + ๐ด๐‘ฅ + ๐ต โˆ’ (๐œ†2๐‘ฅ2 +โ‹ฏ) = 0.๐‘ฅ3 + ๐ด๐‘ฅ + ๐ต โˆ’ ๐‘ฆ1 + ๐œ† ๐‘ฅ โˆ’ ๐‘ฅ1 2 = 0.๐‘ฅ3 โˆ’ ๐œ†2๐‘ฅ2 +โ‹ฏ = 0.

    So, sum of the roots is ๐œ†2. But ๐‘ฅ1, ๐‘ฅ2 are roots!

    We find: แ‰Š ๐‘ฅ3 = ๐œ†

    2 โˆ’ ๐‘ฅ1 โˆ’ ๐‘ฅ2 ๐‘ฆ3 = โˆ’๐‘ฆ1 โˆ’ ๐œ†(๐‘ฅ3 โˆ’ ๐‘ฅ1)

  • Weierstrass curves

    ๐‘ƒ

    2๐‘ƒ

    where ๐œ† = ๐‘ฆ2โˆ’๐‘ฆ1

    ๐‘ฅ2โˆ’๐‘ฅ1 .

    We find: แ‰Š ๐‘ฅ3 = ๐œ†

    2 โˆ’ ๐‘ฅ1 โˆ’ ๐‘ฅ2 ๐‘ฆ3 = โˆ’๐‘ฆ1 โˆ’ ๐œ†(๐‘ฅ3 โˆ’ ๐‘ฅ1)

    But what if ๐‘ฅ1 = ๐‘ฅ2?

    Two cases:

    Either ๐‘ฆ1 = ๐‘ฆ2 โ‰  0, i.e. ๐‘ƒ1 = ๐‘ƒ2 = ๐‘ƒ.

    In this case we need to replace ๐œ† by

    ๐œ† = 3๐‘ฅ1

    2+2๐ด๐‘ฅ1

    2๐‘ฆ1 .

    Or ๐‘ฆ1 = โˆ’๐‘ฆ2, in which case ๐‘ƒ1 + ๐‘ƒ2 = ๐‘‚.

    ๐‘‚

    ๐‘ƒ1

    ๐‘ƒ2

    Conclusion: formulas for computing on a Weierstrass curve are not too bad, but case distinctive.

  • More efficient elliptic curve arithmetic?

    The Weierstrass addition formulas are reasonably good for several purposesโ€ฆ โ€ฆ but can they be boosted? Huge amount of activity starting in the 1980โ€™s.

    One reason: Koblitz and Millerโ€™s suggestion to use elliptic curves in crypto!

    Initial reason: Lenstraโ€™s elliptic curve method (ECM) for integer factorization.

    agree on ๐ธ/๐…๐‘ž and ๐‘ƒ โˆˆ ๐ธ(๐…๐‘ž)

    chooses secret ๐’‚ โˆˆ ๐™ chooses secret ๐’ƒ โˆˆ ๐™

    computes ๐’‚๐‘ƒ computes ๐’ƒ๐‘ƒreceives receives computes ๐’‚ ๐’ƒ๐‘ƒ = ๐’‚๐’ƒ๐‘ƒ computes ๐’ƒ ๐’‚๐‘ƒ = ๐’‚๐’ƒ๐‘ƒ

    (Example: Diffie-Hellman key exchange.)

    Victor Miller

    Neal Koblitz

  • Generic methods for efficient scalar multiplication

  • Efficient scalar multiplication

    The most important operation in both (discrete-log based) elliptic curve cryptography, the elliptic curve method for integer factorization,

    is scalar multiplication: given a point ๐‘ƒ and a positive integer ๐‘Ž, compute

    ๐‘Ž๐‘ƒ โ‰” ๐‘ƒ + ๐‘ƒ +โ‹ฏ+ ๐‘ƒ

    ๐‘Ž times.