Add to collection(s) Add to saved
  1. Math
  2. Algebra

j Elliptic curves in characteristic 2 The j-invariant in characteristic 3 -invariant characteristic

advertisement 
j-invariant characteristic 2 and 3
Elliptic curves in characteristic 2
The j-invariant in characteristic 3
Isomorphism classes
The Frobenius endomorphism
Hasse’s Inequality
Endomorphism ring
7. Elliptic Curves over finite fields
In this chapter we will focus on elliptic curves over finite fields and prove one of the most
important results in this theory: the Hasse-Weil inequality. In order to do so, we will study the
Frobenius endomorphism which is the simplest example of an inseparable endomorphism.
We will also complete the definition of j-invariant in the cases excluded in Chapter 3, that is
when the field K has characteristic 2 or characteristic 3.
7.1
7.1.1
j-invariant characteristic 2 and 3
Elliptic curves in characteristic 2
In the previous chapters we have been mostly using elliptic curves E over K given by short
Weierstrass equations instead of long Weierstrass equations: when the field K has characteristic
different from 2 and 3, we have shown that there exists a change of coordinates from a long
Weierstrass equation to a short Weierstrass equation. If the field K has characteristic 2, the
formulas given do not apply. In this section we sketch what happens in this case.
For the remaining of this section we will assume char(K) = 2.
First let us observe that the short Weierstrass equation gives a singular curve. Let C be the curve
y2 = x3 + Ax + B defined over K and let g(x, y) = y2 − x3 − Ax − B, then ∂∂ gy = 2y ≡ 0 and ∂∂ gx =
−3x2 − A ≡ x2 + A. For any x0 ∈ K such that x2 + A = 0, let y0 be the square root of x03 + Ax0 + B.
The point (x0 , y0 ) lies on the curve C and it is a singular point since ∂∂ gy (y0 ) = ∂∂ gx (x0 ) = 0.
Let E be an elliptic curve over K given by a long Weierstrass equation:
E : y2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 ,
with a1 , a2 , a3 , a4 , a6 ∈ K. There are two cases we will consider, depending on the coefficient a1 .
Case 1. Let us suppose that a1 is not zero, then the change of coordinates:
(
x = a21 x1 + aa13
2
2
y = a31 y1 + a−3
1 (a1 a4 + a3 ).
Chapter 7. Elliptic Curves over finite fields
68
gives the following equation: y21 + x1 y1 = x13 + a02 x12 + a06 with a02 , a06 ∈ K. This equation is
non-singular if and only if a06 6= 0. In this case we set
j(E) :=
1
.
a06
Case 2. Let us suppose that a1 = 0, then the change of coordinates:
(
x = x1 + a2
y = y1 .
gives the equation: y21 + a03 y1 = x13 + a04 x1 + a06 with a03 , a04 and a06 ∈ K. This equation is nonsingular if and only if a03 6= 0. In this case we set
j(E) := 0.
The group law on an elliptic curve E over a field K of characteristic 2 is defined as we did
in Chapter 2, through chord and tangent process. Let us notice that the inverse of a point
P = (x, y) ∈ E(K) is the point −P = (x, −a1 x − a3 − y) ∈ E(K) (the usual formula for the inverse
of a point for an elliptic curve given by a long Weierstrass equation).
Let us describe the duplication law in characteristic 2. One of the expressions we will derive has
been already used in Example 6.1.1.4. As before there are two cases, depending on the equation
of the elliptic curve or, equivalently, depending on the j-invariant being zero or not.
Let P = (x0 , y0 ) ∈ E(K).
If the elliptic curve E is given by y2 + xy = x3 + a2 x2 + a6 with a2 , a6 ∈ K (hence, a6 6= 0) then
by implicit differentiation we have:
x
dy
+ (y + x2 ) = 0
dx
since 2y+x ≡ x and y+3x2 +2a2 x ≡ y+x2 . If x0 = 0 the point P = −P hence 2P = 0. Otherwise,
y +x2
the slope of the tangent line L thought P is m = 0x0 0 . So the equation of the line is given by:
L : y = m(x − x0 ) + y0 ,
and the intersection L ∩ E = {P, −2P} contains the point −2P = (x1 , y1 ) where
x1 = m2 + m + a2 =
Hence, 2P = (x2 , y2 ) where x2 =
x04 +a6
x02
x 4 + a6
x2
y1 = m(x1 − x0 ) + y0 .
and y2 = x1 + y1 .
Similarly, if the elliptic curve E is given by y2 + a3 y = x3 + a4 x + a6 with a3 , a4 and a6 ∈ K, and
a3 6= 0, by implicit differentiation:
a3
dy
+ (a4 + x2 ) = 0
dx
so the equation of the tangent line at the point P is
L:y=
x02 + a4
(x − x0 ) + y0 .
a3
As before, an easy computation shows that 2P = (x2 , y2 ) where x2 =
x04 +a24
a23
and y2 = a3 + y1 .
7.2 Isomorphism classes
7.1.2
69
The j-invariant in characteristic 3
Let E be an elliptic curve over a field K with char(K) = 3. Then, after a suitable change of
coordinates, E is given by a medium Weierstrass equation:
E : y2 = x3 + a2 x2 + a4 x + a6 ,
with a2 , a4 , a6 ∈ K. The j-invariant of E is defined as:
j(E) =
a62
2
2
a2 a4 − a32 a6 − a34
=
a62
,
∆f
where ∆ f is the discriminant of f (x) = x3 + a2 x2 + a4 x + a6 (this formula is false if the characteristic is not 3).
7.2
Isomorphism classes
Let p ≥ 5 be a prime, and K = F p (= Z/pZ). The group F×
p is a cyclic group. Let ζ be a primitive
×
×
2
root modulo p, i.e. a cyclic generator of F p . Let (F p ) denote the subgroup of elements in F×
p
that are square. We can write
2
p−2
F×
p = 1, ζ , ζ , . . . , ζ
2
2 4
p−3
(F×
.
p ) = 1, ζ , ζ , . . . , ζ
p−1
2
×
We see that the cardinality of (F×
p ) is 2 , i.e. half of that of F p . In other words, half of
the non-zero elements of F p are squares, and the other half are non-squares. So the quotient
× 2
F×
p /(F p ) is a group of order 2 with representatives 1 and ζ .
Let E : y2 = x3 + Ax + B, with A, B ∈ F×
p , be an elliptic curve. The condition A, B 6= 0 implies
that j = j(E) 6= 0, 1728. For every g ∈ F×
p , let
E (g) : y2 = x3 + g2 Ax + g3 B.
Then E (g) is also an elliptic curve, and we have j(E) = j(E (g) ). If g is not a square in F p then
2
E∼
6 E (g) over F p , but E ∼
=
= E (g ) over F p . In general, E ∼
= E (g) over F p when g is a non-zero
(g)
∼
square, and E =
6 E over F p when g is a non-square.
Hence, for each j 6= 0, 1728, there are two isomorphism classes of elliptic curves E/F p with
× 4
j(E) = j. The calculations for j = 0 and j = 1728 depend on the order of F×
p /(F p ) and of
× 6
F×
p /(F p ) respectively.
7.3
The Frobenius endomorphism
The Frobenius map is the simplest example of an inseparable map which plays an important role
in the study of elliptic curves over finite fields.
Let Fq be a finite field with q elements, where q = ps for some prime p. We recall that, as a
subfield of the algebraic closure F p of F p , Fq is characterised by
Fq = {x ∈ F p : xq = x}.
Indeed, the zero element of Fq clearly satisfies the identity xq − x = 0. Since Fq is a field,
×
F×
q = Fq \ {0} is a group with (q − 1) elements. Thus each x ∈ Fq satisfies the polynomial
xq−1 − 1 = 0, which is separable in Fq [x] since (xq−1 − 1)0 = −xq−2 6≡ 0. Thus the roots of this
polynomial are the (q − 1) distinct elements of F×
q.
Chapter 7. Elliptic Curves over finite fields
70
Definition 7.1 Let E be an elliptic curve over Fq . The Frobenius map of E is given by
φq : E(Fq ) → E(Fq )
(x, y) 7→ (xq , yq ).
It is easy to see that this is indeed a map: if P = (x, y) ∈ E(Fq ), then we have
(yq )2 = (y2 )q = (x3 + Ax + B)q = x3q + Aq xq + Bq = (xq )3 + Axq + B = f (xq ).
(Note that this uses the fact that E is defined over Fq .) Hence, φq (P) = (xq , yq ) ∈ E(Fq ).
Corollary 7.3.1 (a) The map φq is a (purely) inseparable endomorphism.
(b) For every integer m, n ∈ Z, the map mφq + n is separable if and only if p - n.
Proof. The map φq is clearly given by rational functions; since φq (0) = 0, it is an endomorphism
by Theorem 6.1.1. Furthermore, φq is inseparable since the derivative of the first coordinate is
qxq−1 ≡ 0. In fact, we can see that
degi (φq ) = q and degs (φq ) = 1.
Thus φq is purely inseparable (in particular, cφq = 0). This proves (a).
For (b), we observe that, by Theorem 6.2.7 (ii) and (iv),
cmφq +n = mcφq + n = n.
This implies that cmφq +n 6= 0 ⇔ p - n. By Theorem 6.2.7 (v), this means that mφq + n is separable
if and only if p - n.
Corollary 7.3.2 Let E be an elliptic curve over a finite field Fq . Then, we have
#E(Fq ) = deg(φq − 1).
Proof. Let P = (x, y) ∈ E(Fq ); we see that
P ∈ E(Fq ) ⇔ (xq , yq ) = (x, y) ⇔ φq (P) = P ⇔ (φq − 1)(P) = 0 ⇔ P ∈ ker(φq − 1)
Hence, E(Fq ) = ker(φq − 1). By Corollary 7.3.1, we know that (φq − 1) is separable. So it
follows from Theorem 6.2.4 (iii) that #E(Fq ) = # ker(φq − 1) = deg(φq − 1).
7.4
Hasse’s Inequality
Let E be an elliptic curve over the finite field Fq . Estimates for the size of the group E(Fq ) are
important for cryptographic applications.
For example, let E be the elliptic curve y2 +xy+y = x3 +x2 +x+1: then we have that #E(F127 ) =
120, #E(F163 ) = 152 and #E(F1009 ) = 980.
7.4 Hasse’s Inequality
71
(a) #E(F127 ) = 120,
(b) #E(F163 ) = 152,
(c) #E(F1009 ) = 980.
We can now prove the following important result:
Theorem 7.4.1 — Hasse’s Inequality. Let q be a prime power and Fq the finite field with q
elements. Let E be an elliptic curve defined over Fq . Then, we have
√
|#E(Fq ) − (q + 1)| ≤ 2 q.
Proof. We recall the Frobenius endomorphism
φq : E(Fq ) → E(Fq )
(x, y) 7→ (xq , yq ).
It has degree deg(φq ) = q. We showed in Corollary 7.3.2 that #E(Fq ) = deg(φq − 1), hence:
#E(Fq ) = deg(φq − 1) = deg(φq ) − 2hφq , 1i + 1 = q + 1 − 2hφq , 1i.
Hence
#E(Fq ) − (q + 1) = −2hφq , 1i.
By the Cauchy-Schwartz inequality, we see that
√
|#E(Fq ) − (q + 1)| = 2|hφq , 1i| ≤ 2 q.
Example 7.4.1.1 Let q = 7, and E an elliptic curve over F7 . Then, the Hasse Inequality
implies that
√
√
|#E(F7 ) − (7 + 1)| ≤ 2 7 = 28 ⇒ |#E(F7 ) − 8| ≤ 5.
So
3 ≤ #E(F7 ) ≤ 13.
R
For an elliptic curve E over Fq , the finite field with q elements, the Hasse Inequality gives
a very good estimate of the size of the group of Fq -rational points on E:
√
√
q + 1 − 2 q ≤ #E(Fq ) ≤ q + 1 + 2 q.
Chapter 7. Elliptic Curves over finite fields
72
Corollary 7.4.2 Let E be an elliptic curve over Fq . Let aq = q + 1 − #E(Fq ). Then, the
Frobenius endomorphism φq satisfies the polynomial x2 − aq x + q.
Proof. In the proof of Theorem 7.4.1, we showed that
aq = q + 1 − #E(Fq ) = 2hφq , 1i.
Since deg(φq ) = q, Proposition 6.4.1 implies that φq satisfies the equation x2 − aq x + q = 0.
We can reinterpret the Hasse Inequality as the statement that
√
√
−2 q ≤ aq ≤ 2 q.
R
The statements of this section and the previous do also hold in characteristic 2 and 3.
Let E be an elliptic curve defined over Fq , then #E(Fq ) = q + 1 − aq . The Frobenius endomorphism φq satisfies: x2 − aq x + q = 0. Let α, β be the roots of x2 − aq x + q = 0, therefore,
x2 − aq x + q = (x − α)(x − β ) = 0
where α + β = aq , αβ = q.
Let n be a positive integer, it is possible to prove the following recursive relation to compute the
number of points of E over the finite field of cardinality qn :
#E(Fqn ) = qn + 1 − aqn = qn + 1 − α n − β n .
7.5
Endomorphism ring
Analogously with the characteristic zero case, when char(K) = p > 0 is prime, there are two
cases. In positive characteristic, the endomorphism ring is a characteristic zero ring but it has not
to be commutative. Here the two cases:
• the elliptic curve is said to be ordinary if End(E) has rank 2, this is the “usual case”;
• the elliptic curve is said to be supersingular if End(E) has rank 4, this is the “unusual case”.
In that case, End(E) is non-commutative, and is isomorphic to an order in a quaternion
algebra.
Related documents
COMPUTER PROBLEMS: DAY 10 (1) Find the first 10,000 pythagorean triples.
COMPUTER PROBLEMS: DAY 10 (1) Find the first 10,000 pythagorean triples.
M360 Mathematics of Information Security
M360 Mathematics of Information Security
Course MA342P — Sample Paper 2 Timothy Murphy May 2, 2016
Course MA342P — Sample Paper 2 Timothy Murphy May 2, 2016
MATH 655 Supplementary Homework Fall 2012
MATH 655 Supplementary Homework Fall 2012
MATH 360 Mathematics of Information Security
MATH 360 Mathematics of Information Security
Math 5405/Cryptography/Spring 2013 Review for the Final Exam Definitions. (1) A public key.
Math 5405/Cryptography/Spring 2013 Review for the Final Exam Definitions. (1) A public key.
MATH-GA 2150.001: Homework 4 . Show that the group E(F
MATH-GA 2150.001: Homework 4 . Show that the group E(F
MATH 360 Mathematics of Information Security Midterm # 3 – Practice
MATH 360 Mathematics of Information Security Midterm # 3 – Practice
Download
advertisement