23 Elliptic curves mod p

Transcription

1 52 MA Elliptic curves mod p Elliptic curves have been studied by mathematicians for a long time. Starting in about 1985 such curves were used in cryptography. In the cryptographic applications of elliptic curves we are no longer interested in their rational points but in their solutions modulo a prime p. In other words, we are not looking for pairs (x, y) of rational numbers satisfying y 2 = x 3 + ax 2 + bx + c but for pairs (x, y) with x and y from the set F p = {0, 1, 2,..., p 1} satisfying the same equation. But now we carry out the operations of addition and multiplication modulo p. If a F p and a 0 then gcd(a, p) = 1, thus we can divide by a. Indeed, using the extended Euclidean algorithm, we find b F p such that ab 1 mod p. To divide by a then simply means to multiply by b. We call b F p the multiplicative inverse of a. For example, from mod 11 we see that 4 is the inverse of 3 in F 11 and so 7/3 = 7 4 = 28 = 6 in F 11. This indeed is true, because 7/3 = 6 means nothing but 3 6 = 7 which is correct when we calculate modulo 11. A set is called a field if an addition and a multiplication is defined on it so that the usual laws (associativity, commutativity, distributivity) hold true and division by non-zero elements is possible. We are familiar with the real number field and the complex number field. The rational numbers also form a field. Crucial for the following is that F p has the properties of a field as well. Given the equation y 2 = x 3 + ax 2 + bx + c of an elliptic curve E we can easily determine points (x, y) F p F p which lie on the elliptic curve. We call them F p -points of E. Example Let p = 5 and consider the elliptic curve y 2 = x 3 3x 2 + 3x. To find its F p -points, we first draw up a table of values of x 3 3x 2 + 3x where all the calculations are carried out modulo 5. Then we have to find those x for which x 3 3x 2 + 3x is a quadratic residue modulo p. x x 2 x 3 3x 2 3x x 3 3x 2 + 3x In the second column we see that the possible squares modulo 5 are 0, 1, 4. Therefore, there is no solution with x = 2 or x = 4. We can now list the points of our elliptic curve modulo 5: (0, 0), (1, 1), (1, 4), (3, 2), (3, 3). This curve has five F 5 -points. Example Consider the curve y 2 = x 3 + 1, with p = 11. Again draw up a table.

2 Week 9 53 x x x x Matching the last row with the squares gives us the following 11 points on this curve: (0, 1), (0, 10), (2, 3), (2, 8), (5, 4), (5, 7), (7, 5), (7, 6), (9, 2), (9, 9), (10, 0). Example Let p = 13 and consider the curve y 2 = x 3 + x x x x x 3 + x After matching the last row with the squares we find these 14 F 13 -points on this elliptic curve: (1, 2), (1, 11), (2, 1), (2, 12), (3, 5), (3, 8) (4, 2), (4, 11), (5, 3), (5, 10), (7, 2), (7, 11), (10, 6), (10, 7) We define addition of F p -points on an elliptic curve exactly as we defined it for rational points earlier. In particular, we need to include a point at infinity. We call this point O E if the elliptic curve is called E. This is not the point (0, 0) which may or may not be a point of E. If the curve E is given by y 2 = x 3 + ax 2 + bx + c and P = (x 1, y 1 ), Q = (x 2, y 2 ) are F p -points on it, we can use the formulae for the coordinates of P + Q and of 2P we found in the previous section: P + Q = (x, y) with m = y 2 y 1 x 2 x 1 provided that x 1 x 2 mod p x = a + m 2 x 1 x 2 y = y 1 + m(x 1 x) 2P = (x, y) with m = 3x ax 1 + b 2y 1 provided that 2y 1 0 mod p x = a + m 2 2x 1 y = y 1 + m(x 1 x). Knowing how to add and to double points on an elliptic curve E allows us to form other multiples of a point P inductively by defining mp = (m 1)P + P for m 2. Negative multiples are defined as well: ( m)p = (mp ).

3 54 MA6011 Example Continuing with Example 23.1 we let P = (3, 2) and obtain 2P = (1, 4), because we get m = 3, x = = 1 and y = 2 + 3(3 1) = 4 in the calculation modulo 5. We also obtain 3P = 2P + P = (1, 4) + (3, 2) = (0, 0) as we now have m = 4 and x = = 0 and y = 4 + 4(1 0) = 0. If we continue this way we get 4P = (1, 1), 5P = (3, 3) and 6P = O E. We thus have E = {O E, P, 2P, 3P, 4P, 5P }. We say that the point P generates the set of F 5 -points of E. Example In Example 23.2 the equation of E was y 2 = x 3 + 1, with p = 11. The doubling formula becomes: m = 3x 2 1/2y 1 and 2(x 1, y 1 ) = (m 2 2x 1, y 1 + m(3x 1 m 2 )). Starting with P = (7, 5) a calculation shows that P = (7, 5) 5P = (9, 9) 9P = (5, 4) 2P = (2, 8) 6P = (10, 0) 10P = (2, 3) 3P = (5, 7) 7P = (9, 2) 11P = (7, 6) 4P = (0, 10) 8P = (0, 1) 12P = O E and again P = (7, 5) generates the set of F 11 -points of E. In addition to P, only 5P = (9, 9), 7P = (9, 2) and 11P = (7, 6) are generators. For all the other points a smaller multiple will produce O E. For example, with Q = (0, 10) we get 2Q = (0, 1) and 3Q = O E and the higher multiples of Q will again be (0, 10), (0, 1) or O E. Example In Example 23.3 the equation of E was y 2 = x 3 + x 2 + 2, with p = 13. If P = (x 1, y 1 ) is on this curve, the formula for 2P in this case is 2P = ( 1 + m 2 2x 1, y 1 + m(x 1 x)) with m = (3x x 1 )/2y 1 and x = 1 + m 2 2x 1. Starting with P = (3, 5), we obtain 2P = (10, 7), 4P = (4, 2), 8P = (5, 10) and 16P = P. Hence 15P = O E. In this case, we can express each point as a multiple of P. Further calculations show that 3P = 2P + P = (2, 12), 5P = 4P + P = (1, 2), 6P = 4P +2P = (7, 2), 7P = 6P +P = (5, 3), 9P = 8P +P = (7, 11), 10P = (1, 11), 11P = (4, 11), 12P = (2, 1), 13P = (10, 6) and 14P = (3, 8). Thus P = (3, 5) generates all the F 13 -points on this elliptic curve. The method of completing the cube works when we do calculations modulo p, provided that p 3. This means that we can restrict our attention to elliptic curves given by an equation of the form y 2 = x 3 + bx + c. This is knows as the Weierstrass form of an elliptic curve. The condition that the curve is non-singular simplifies to 4b c 2 0. If we are interested in F p -points, this condition is to be understood as 4b c 2 0 mod p. We have seen above how to find new points if we know at least one point on an elliptic curve. To find such an initial point, we may pick randomly a number 0 x p 1 and then use the Jacobi symbol to check whether x(x 2 + b) + c is a quadratic residue modulo p. If so, we find a square root and if not we try again.

4 Week Elliptic Curves in Cryptography Elliptic curves are used in modern cryptography for key exchange. The resulting algorithms are faster and the key sizes are smaller than those used for RSA and for the Diffie-Hellman key exchange which is based on discrete logarithms. The classical Diffie-Hellman key exchange works as follows. A large prime p and a primitive root g modulo p are made publicly known. Two users A and B who wish to exchange a secret key both randomly select their own private keys k A and k B. Both should be integers between 1 and p 1. Then they calculate their public keys g k A and g k B which they exchange. Both users are then able, with their private key, to compute their common secret key g k Ak B = ( g A) k kb = ( g B) k ka. The security of this method depends on the difficulty of the discrete logarithm problem. This idea can be extended to elliptic curves. Instead of raising a primitive root g to certain powers, a point P on an elliptic curve is multiplied by certain integers. In practice this means that a prime p, an elliptic curve E and an F p -point G on E have to be made known publicly. The users A and B choose their secret keys k A and k B and exchange the pubic keys k A G and k B G. Their secret key is k A k B G, which both can compute with their secret key from the public key of the other user. The security of this method depends on the difficulty of finding an integer k such that P = kg, where P and G are two known F p -points on an elliptic curve E. When carrying out calculations on elliptic curves, the point at infinity has always to be taken account of. The proper way of doing this is using projective coordinates. To understand them, we rewrite the equation of the curve in the form y 2 z = x 3 + bxz 2 + cz 3 with an extra variable z. This equation is homogeneous in x, y, z. This means that if (x, y, z) is a solution then so also is (kx, ky, kz) for any k 0. A solution (x, y) of the original equation will be represented in projective coordinates as (x, y, 1). This works because substituting z = 1 in the homogeneous equation returns the original equation y 2 = x 3 + ax + b of the curve. The key point is now that we define that in projective coordinates (x, y, z) and (kx, ky, kz) both represent the same point. Moreover, when using projective coordinates it is not allowed to have all three components equal to zero, that is (0, 0, 0) does not represent a point in projective coordinates. In order to avoid confusion, we will write (x : y : z) for the point that is represented by (kx, ky, kz) for any k 0. For example (x : y : 1) = (2x : 2y : 2) = ( x : y : 1) are projective coordinates of the same point (x, y) in usual coordinates. This means that the usual coordinates of a point (x 1 : y 1 : z 1 ) with z 1 0 are x = x 1 /z 1 and y = y 1 /z 1. Because k 0, projective coordinates of a point (x, y) will always have z 0. If z = 0 the equation of the cubic simplifies to 0 = x 3. Therefore, the only point with projective coordinates (x : y : 0) on the elliptic curve is the point (0 : y : 0) where y 0. This is the point at infinity, i.e. O E = (0 : 1 : 0). Let us now summarise our knowledge of addition and doubling of points on an elliptic curve E which is given in Weierstrass form y 2 = x 3 + bx + c. Let two points

5 56 MA6011 P 1 = (x 1 : y 1 : z 1 ) and P 2 = (x 2 : y 2 : z 2 ) in projective coordinates be given on the curve E. This means that y 2 1z 1 = x bx 1 z cz 3 1 and y 2 2z 2 = x bx 2 z cz 3 2. We describe now how to find projective coordinates (x : y : z) for the point P = P 1 + P 2 on the curve E. If z 1 = 0 we have P = P 2 = (x 2 : y 2 : z 2 ). If z 2 = 0 we have P = P 1 = (x 1 : y 1 : z 1 ). Assume z 1 0 and z 2 0 for all items below. Replace x 1 by x 1 z 1, y 1 by y 1 z 1, x 2 by x 2 z 2 and y 2 by y 2 z 2. If x 1 = x 2 and y 1 + y 2 = 0 we have P = O E = (0 : 1 : 0). If x 1 = x 2 and y 1 + y 2 0 we define m = 3x2 1 + b 2y 1 for use below. If x 1 x 2 we define m = y 2 y 1 x 2 x 1 for use below. The projective coordinates of P are x = m 2 x 1 x 2, y = m(x 1 x) y 1 and z = 1. In this description, P 1 = P 2 is allowed, so that doubling is included in the above algorithm. Subtraction P 1 P 2 is the same as adding the negative of P 2, i.e. P 1 P 2 = P 1 + ( P 2 ). The negative of P 2 is (x 2 : y 2 : z 2 ). In particular, O E = O E. If these calculations are carried out modulo a prime number p, equalities and inequalities have to be taken as congruences modulo p. Example Let p = 101 and E the curve given by y 2 = x x + 5. By trying small values for x, we may find the F 101 -points P = (1, 7) and Q = (0, 45) on E. In order to calculate 10P we apply successive doubling in the following way. We first observe that 10 = = = ( ) 2 and so we find 10P = (4P + P ) 2 = ((2P ) 2 + P ) 2. Here are the calculations. To find 2P, we have x 1 = 1, y 1 = 7 and so m = (3x )/2y 1 = 46/14 = 23/7. Using Euclid s algorithm we find that = 1, hence 29 is the multiplicative inverse of 7 in F 101 and so m = 23/7 = = 667 = 61 = 40. Recall that all our calculations are modulo 101 here. We obtain x = m 2 2x 1 = ( 40) 2 2 = 1598 = 83 y = m(x 1 x) y 1 = 40(1 83) 7 = = 767 = 41 and so 2P = (83, 41). The second step is to find 4P = 2(83, 41), so we have x 1 = 83 and y 1 = 41. Now m = (3x )/2y 1 = 1015/82 = 5/82. The inverse of 82 is found to be 16, because Thus m = 5/82 = 5 ( 16) = 80 = 21. Therefore, x = m 2 2x 1 = = 477 = 73 y = m(x 1 x) y 1 = 21(83 73) 41 = 169 = 68

6 Week 9 57 and so 4P = (73, 68). The next step is to find 5P = P + 4P. Here we have x 1 = 1, y 1 = 7 and x 2 = 73, y 2 = 68. Therefore, m = (y 2 y 1 )/(x 2 x 1 ) = (68 7)/(73 1) = 61/72. The extended Euclidean algorithm gives us the equation = 1. This means that 7 is the inverse of 72 and so m = 61/72 = ( 7) 61 = 427 = 23. We obtain now x = m 2 x 1 x 2 = ( 23) = 455 = 51 y = m(x 1 x) y 1 = 23(73 51) 68 = 574 = 32 and so 5P = (51, 32). In the last step we find 10P by doubling 5P = (51, 32). Here we have x 1 = 51 and y 1 = 32 and obtain m = (3x )/2y 1 = 7534/64 = 69/64. The inverse of 64 in F 101 turns out to be 30. Therefore, m = 69/64 = = 2070 = 50 and we finally get i.e. 10P = (75, 81). x = m 2 2x 1 = = 2398 = 75 y = m(x 1 x) y 1 = 50(51 75) 32 = 1232 = 81, Example Let p = 1009 and the curve E be given by y 2 = x x The point P = (1, 237) is on E. To calculate 99P, we first observe that 99 = = = ((2 + 1) ) and so 99P = (((((2P + P )2)2)2)2 + P )2 + P. The intermediate steps in the calculation are as follows. 2P = (268, 692) 12P = (448, 129) 49P = (769, 977) 3P = (653, 258) 24P = (255, 425) 98P = (30, 802) 6P = (301, 157) 48P = (297, 673) 99P = (237, 558) 25 Number of points on an elliptic curve There are only finitely many F p -points on an elliptic curve y 2 = x 3 + bx + c, because there are only finitely many possibilities for x and y in F p. For small primes p we could make a list of all F p -points or we may count them by calculating x 3 +bx+c for each x F p and then use the Legendre symbol to find if this is a quadratic residue. Example To find the number of F 5 -points on the curve y 2 = x 3 + 2x + 1, we calculate x 3 + 2x + 1 mod 5 for x = 0, 1, 2, 3, 4 and then find the corresponding Legendre symbol modulo 5. We should not forget to count the point at infinity O E. x x 3 2x x 3 + 2x + 1 ( x 3 +2x ± ± ± ) y

7 58 MA6011 This shows that we have seven F 5 -points, including O E, on this curve. This method of calculation results in the following formula for the number N p of F p -points on y 2 = x 3 + bx + c in which a sum of Legendre symbols occurs p 1 ( ) x 3 + bx + c N p = p p x=0 To understand this we only have to observe that for a fixed x the number of y which satisfies the congruence y 2 x 3 + bx + c mod p is equal to ( ) x 3 + bx + c 1 +. p However, for large primes p this formula is not very practicable. More useful is the following general theorem. Theorem 25.2 (Hasse). If N p is the number of F p -points on an elliptic curve then p p < N p < p p. The number a p = p + 1 N p is known as the p-defect of the elliptic curve and Hasse s Theorem says that its absolute value is relatively small: a p < 2 p. Example With p = 5, Hasse s Theorem shows that 2 N With the method used in the previous example to count points we obtain the following table: E N 5 (E) a p (E) E N 5 (E) a p (E) y 2 = x 3 + 2x 2 4 y 2 = x 3 + 2x y 2 = x 3 + 4x y 2 = x 3 + 4x 8 2 y 2 = x 3 + x 4 2 y 2 = x 3 + x y 2 = x 3 + 3x y 2 = x 3 + 3x 10 4 y 2 = x In general, it can be shown that for all primes p and each value of a p that is possible by Hasse s Theorem, there exists an elliptic curve with exactly this p-defect. The number of F p -points on an elliptic curve when the prime p is large can be calculated by an algorithm of Schoof. A description of the mathematical background of Schoof s algorithm is beyond the scope of this course.