A Method for Picking a Rational Point on
Elliptic Curves over F2
n
Abstract : This paper provides a method for picking a rational point
on elliptic curves over the finite field of characteristic 2. The method is
practically much more useful than the traditional random picking method,
in the case when the cryptosystem replaces elliptic curves randomly in
run-time.
Keywords : Elliptic curve , Rational point, Trace function.
1. Introduction
In recent years the cryptosystem based on the elliptic curve has been
widely studied as the most strong public key cryptosystem.
Much of practical procedures in the construction or use of groups for
the elliptic curve cryptosystems are to pick an initial rational point on an
elliptic curve .
There has been only one method-random pick method which works in
a probabilistic polynomial time(see [1] and [2]). Thus, the method can be
used in the cryptosystems fixing the groups, but not in the systems which
replace the groups randomly in real-time, because it could not meet the
1
strict requirements from the time allocation and the continuous current
for such systems.
In fact, it is important to find a deterministic polynomial algorithm to
pick a rational point on an elliptic curve (see [2]).
In this paper, we present one method of picking a rational point on any
elliptic curve over the finite field F2n . By this method, we are able to
pick a rational point on an elliptic curve with a complexity of n field
multiplications.
The paper is organized as follows.
In section 2 we discuss some properties of the trace function of F2n
over F2 and then obtain a necessary and sufficient condition for the trace
function to be invariant with respect to the transformation which maps
every element of F2n onto its inverse. In section 3 we show how to pick a
rational point on an elliptic curve over the field F2n .
2. Some properties of the trace function of F2n over F2 .
Let  and Tr be respectively canonical automorphism and trace
function of F2n , i.e.,
2
 ( x)  x 2 , x  F2
n 1
n
Tr ( )   2 ,   F2n .
i
i 0
Putting
k 1
Trk    i ,
i 0
we have
Trn  Tr ,
Tri Tr j  Tr j Tri ,
Tr , k odd
Trk Tr  
 0 , k even .
Particularly, we have
 Tr , n odd
Tr 2  
 0 , n even
and
Tr2Tr  0 .
To investigate the structure of ImTr2 ,we consider an operator defined
by
n
 :   i 1 (  )Tri ,
i 1
where   F2 n .
3
The following result is of interest.
Lemma. We have
Tr2   Tr  Tr (  ) .
The proof of this lemma is straightforward.
Corollary 1.
Im Tr2  Ker Tr ,
i.e., the following sequence is exact.
Tr
Tr
Tr2
Tr2
  F2n  F2n  F2n  F2n  F2n  
Corollary 2. For  ,   F2 n , if
Tr ( )  1, Tr (  )  0 ,
then
Tr2  ( )  
and vice versa, that is ,the set of all solutions of the equation
Tr2 ( x)  
is entirely determined by the operator  .
The two corollaries above follow from a direct calculation by virtue
of the Lemma.
From above discussions we deduce that Tr is, of course,  -invariant.
Now we consider the relation between the maps,
4
 : x  x 1
 : x  x 1
and the trace function Tr .
The following theorem is of particular importance for next section.
Theorem. The trace function Tr is  -invariant in F2*n if and only
if n  1 or n  2 .
Proof : We set F  F \ KerTr .
Since Tr  0 , there is an element p  F2 n such that Tr ( p )  1 .Then
a map x  x  p is one-to-one between F and Ker Tr .
So we see that
| F || Ker Tr | ,
| F |  | Ker Tr | 2 n ,
where |  | denotes the cardinal number of a set . Therefore
| F | 2 n1.
First ,suppose that n is odd and n>2.
Then Tr (1)  1 , that is, F contains 1. Also from the condition, F is
closed under the action of  and moreover the unique fixed point of 
is 1.
Hence | F \ {1} | 2 n1  1 must be divided by the order of  which
equals 2. Since n > 2 , this is a contradiction.
5
Next, assume n  4k , k  0 .Then Tr (1)  0 , that is, Tr is  invariant and hence F is closed under the action of  .So, F is closed
under the action of  , where    .
It is easy to prove that the order of  equals 3.
Since 3 is a prime number, the  -orbit whose order is less than 3 is
the only fixed point. Also by a direct calculation, we can see that the set
of the fixed points consists of two elements s,t  F2 2 \ F2 .
On the other hand ,since F24 k is even-dimensional extension of F2 2 ,
Tr ( F22 )  0 .
Hence s,t  F , that is, all  -orbits in F have order 3. Thus | F |
must be divided by 3 and this contradicts.
Finally, we suppose that n  2k , where k is odd. Then F2n is 2dimensional extension of F2k , that is,
F2n  F2k ( s )  F2k (t )
Since
Tr2 (s)  Tr2 (t )  1
and F2n is odd-dimensional extension of F2 2 , it is easy to see that
Tr ( s)  Tr (t )  1 .
As proved above, from the fact that k is odd, it follows that Trk is
not  -invariant in F2k . That is ,there is b  F2k such that
6
Trk ( b)  1, Trk (b 1 )  0 .
Taking into account s  1  s 1 , we have
1  Tr2 ( s)  Tr ( s) 
 Tr ((Trk (b)  Trk (b 1 )) s  Trk (b 1 ))
 Tr ( sTrk (b)  s 1Trk (b 1 )),
that is,
k 1
 Tr a
i 0
i
  (ai )   1 ,
where a i   i (b) s .
Therefore there is a number i 0 such that


Tr (ai0 )  Tr  (ai0 ) ,
i.e., the  -invariant property of Tr is broken at ai0 and this completes
the proof of necessity.
Conversely, when n equals 1 or 2, one can easily deduce that Tr is
 -invariant in F2*n .
□
Let
   {x | Tr ( x)  1, Tr ( x 1 )  0}
and
    (  ) .
By the theorem above,   and   are not empty when n > 2.
7
Since the order of  is equal to 2,  -trace M may be denoted by
1  .
Now we give the following result without proof.
Corollary 3.  -trace M is a bijection which maps   onto itself. And
the orders of all orbits of M in   are more than 3. Furthermore   does
not contain any fixed point of M.
Thus we obtain the following commutative diagram :

  

M
M
l
  

3. Picking a rational point on the elliptic curve over F2n .
Let us consider a non-supersingular curve
E : y 2  xy  x 3  a 2 x 2  a6
(1)
over F2n ,where n is odd.
Our goal in this section is to find ( x, y)  F22n satisfying (1).
By the transformation
y  x( x  z ) ,
we obtain the equation
z 2  z  x 2  a6 x 2  a 2 .
Again by the transformation
8
(2)
t  x 2 ,
we have the equation
z 2  z  t  a6 t 1  a 2 .
(3)
Note that the two transformations above are one-to-one when
x  0.From the corollary 2, it is sufficient to find t such that
Tr (t  a 6 t 1  a 2 )  0 .
(4)
First , let Tr (a6  a 2 )  1 . Then t  1 satisfies (4).
Next, assume Tr (a6  a 2 )  0 . Set
B  { i (b) | i  0,1,2,, n  1} ,
where b    .
We now prove that there exists the solution to the equation (4) in B
for every element b    .
In fact, if every element of B satisfies the equation
Tr (t  a 6 t 1  a 2 )  1 ,
then
n 1
1   Tr ( i (b)  a 6 i (b 1 )  a 2 )
i 0
n 1
n 1
i 0
i 0
 Tr (   i (b)  a 6   i (b 1 )  a 2 )
 Tr ( Tr (b)  a6Tr (b 1 )  a 2 )
9
 Tr ( a6  a2 )  0 ,
and this is a contradiction. Thus, we know that there exist always
solutions to the equation (1) .
The set B may be statically given by calculations in advance.Although
we have to calculate the set B dynamically ,the complexity is much less
than that of one field multiplication, because it is the skew-selecting
operation in the field of characteristic 2.
Thus the actual complexity of every trial-check in B is about one field
multiplication by a 6 . So, picking a rational point has a complexity
which is about n field multiplications.
As a result ,we are able to pick a rational point on a non-supersingular
curve over F2n with a complexity of n field multiplications.
Note :
When n is a composite number, it is possible to discuss this
problem ,but we omit them here .
References
[1] I.F.Blake,G.Seroussi,and N.P.Smart, Elliptic Curves in Cryptography,Cambridge,2000.
[2] A.J.Menezes, I.F.Blake, X.Gao, R.C.Mullin, S.A.Vanstone ,and T.
Yaghoobian, Application of Finite Fields ,Kluwer,1993.
[3] J.H.Silverman, The Arithmetic of Elliptic Curves,Springer-Verlag,
1986.
10
11