elliptic c public key cryptography 1. i pkc ec · roblem in cryptography [1976, before rsa] 644...

ELLIPTIC CURVES ANDPUBLIC KEY CRYPTOGRAPHY

1. INTRODUCTION TO PKC AND EC

Adolfo Quirós (Gracián)[email protected]

Universidad Autónoma de Madrid

3rd VDS Summer SchoolTechendorf am Weißensee, 17/09/2018

1 / 45

[email protected]

PLAN FOR THE WEEK

Lecture 1: Introduction to Public Key Cryptography(Discrete Logarithm Problem); introduction to EllipticCurves.Lecture 2: The Discrete Logarithm Problem in EllipticCurve Cryptography.Discussion / Problems session 1: A discrete matrixgroup calculation; Projective Plane; Riemann-RochTheorem; application to Elliptic Curves.Lecture 3: Isogenies and Cryptography. (PostquantumCryptography)Discussion / Problems session 2: Calculations;Hasse-Weil Zeta-function and the Riemann Hypothesis (docryptographers care?).

2 / 45

THE BASIC PROBLEM

A(lice) wants to communicate a message m to B(ob), butshe does not want E(ve) to know what it says.Of course, if A can “whisper in B’s ear”, there is noproblem.Difficulties arise when the message must be transmittedthrough an insecure channel which is accesible to E.Access can be (relatively) hard [intercept a messenger or atelegraph/telephone land line] but sometimes it is trivial[intercept a radio or mobile phone transmission].

3 / 45

APPLICATIONS

Historically: military and diplomatic. Few people involved.E=SPY.Eventually, even this kinds of communications involvedmassive exchanges of information [World War II].XXI century: all kinds of electronic communications:

Bank/Finantial transactions.E-mail.Internet shopping.Mobile phones.

New applications in identification problems:What mobile phone is it?Electronic signature.

WE CAN:1 Try to hide that the message exists2 Make the message unreadable even if it is intercepted:

Cryptography

4 / 45

CAESAR [SUBSTITUTION] CRYPTOSYSTEM

Suetonius, De Vita Caesarum.Book I [Julius Caesar]

LVI. [. . . ] If he had anything confidentialto say, he wrote it in cypher, that is, by sochanging the order of the letters of thealphabet that not a word could be madeout. If anyone wishes to decypher these,and get at their meaning, he mustsubstitute the fourth letter of the alphabet,namely D, by A, and so with the others.

Using a (standard) 26 letters alphabet

CypherM A X I M U S# # # # # # #P D A L P Y V

DecipherC B Q R# # # #Z E N O

5 / 45

LET’S FORMALISE CRYPTOGRAPHY

1 There are two sets of messages [message units]:

M = {Clear messages (what we want to say)}C = {Cypher messages (what we actually transmit)}

2 As in the example, messages are written in analphabet= A =finite set of symbols.

Alphabets for M and C may or not coincide.

Examples:A ={A , B , . . . , Z}A ={A ,B, . . . ,Z , . , : ,?, ,1,2,3,. . . ,9,0}A =ASCII codeA ={0 , 1},

6 / 45

LET’S FORMALISE CRYPTOGRAPHY (2)

3 Cypher/Encrypt function:

f : M �! C INJECTIVE

The corresponding decypher/decrypt function is

f�1 : C �!M

4 A(lice) must know f and B(ob) must know f�1.

When A wants to communicate a message m 2M to B,she calculates f (m) = c and sends this c to B.

B can calculate f�1(c) = m and read the message.

5 Breaking the cypher= Someone other than B knows f�1.

7 / 45

LET’S FORMALISE CRYPTOGRAPHY (3)

Can we use more than one cypher function?

6 Cryptosystem. Collection of cypher functions:

fe : Me �! Ce

wheree 2 E = {encryption keys}

The decypher functions, (fe)�1, depend then on

d 2 D = {decryption keys}

Of course d = d(e).

The difference between “symmetric key” and “public key” ishow easy/hard is the procedure to find d from e.

8 / 45

FORMALISATION OF CAESAR CRYPTOSYSTEM

A = {A,B,C,. . . ,X,Y,Z} ! {0, 1, . . . , 25} ! Z/26

We can use modular arithmetic mod 26

M = C = E = D = A = (Z/26,+)

As keys: A= +0, B=+1,. . . , Z=+25 = �1.

fe : M �! C, fe(m) = m + e.

(fe)�1 = f�e, that is, d = �e.

Caesar is a very weak cryptosystem because:there are very few keys,Since message units are just single letters it is easy to dofrequency analysis.

We should use cryptosystems where message units are

not single letters.

9 / 45

AN EXAMPLE WITH VECTORS AND MATRICES

Alphatet, as before: A = {A,B,C,. . . ,X,Y,Z} ! Z/26.Messages: pairs of letters= dimension 2 vectors.

M = C = (Z/26)2

AD

�=

03

�,

OL

�=

1411

�,

FO

�=

5

14

�.

Keys: 2⇥ 2 matrices modulo 26.

f✓

OL

�◆=

2 51 8

� 1411

�=

5

24

�=

FY

�,

f✓

FO

�◆=

2 51 8

� 514

�=

2

13

�=

CN

�.

The inverse function is multiplication by A�1 mod 26:

E = D = GL2(Z/26) := {A 2 Mat2⇥2(Z/26) : A has an inverse}

10 / 45

A MACHINE T DO LINEAR ALGEBRA

Mechanical device that multiplies a matrix A 2 GL6(Z/26) anda vector X 2 (Z/26)6. Patented by Lester S. Hill and LouisWeisner in 1929 (U.S. Patent 1,845,947).

Hill cryptosystem: We divide the text in blocks of 6 letters, andeach resulting clear message unit X 2 (Z/26)6 is encryptedusing the machine as the unique C 2 (Z/26)6 defined by

AX = C.

Each C is written as a block of 6 letters, all these blocks arejoined and the resulting cypher text is transmitted.

11 / 45

HOW MANY DIFFERENT MACHINES COULD HILL ANDWEISNER MANUFACTURE?

Each machine used a single matrix A [which made them a lotless useful!].

How many elements are there in GL6(Z/26)?

2636 matrices A 2 Mat6⇥6(Z/26): how many have an inverse?

It is not enough that det(A) 6= 0. Linear Algebra is easierover a field. But Z/26 is NOT a field.A has an inverse () m.c.d .(det(A), 26) = 1.Chinese Remainder Theorem (36 times)+ Linear Algebraover the fields Z/2 and Z/13:

|GL6(Z/26)| = |GL6(Z/2)| · |GL6(Z/13)| =233813562465700543438777563435557819277317976883200

(51 digits).

12 / 45

LOTS OF PROGRESS OVER TIME

Enigma machine.

DES (Data EncryptionStandard, 1976)

AES (Advanced EncryptionStandard, 2002)

One-time pad (perfectsecurity!)

13 / 45

ALL OF THESE CRYPTOSYSTEMS SHARE A PROPERTY

If e=encryption key is known, it is easy to find d=decryption key.

They are known as symmetric key cryptosystems.

CONSEQUENCES

Each couple of users must use a different e.If a new user wants to join, she first has to exchange keys,through a secure channel, with all other users.

These are not big problems for a ring of spies, but they are fore-mail users / tax payers / e-bay / Amazon /. . .

14 / 45

SOLUTION: USE ONE-WAY [TRAPDOOR] FUNCTIONS

Injective functionsf : M �! C

such that, even if one knows f , it is in practice impossibleto find f�1 unless one has additional information [=thetrapdoor].

In other words.

Knowing e=encryption key, is not enough (without access tothe trapdoor) to know d=decryption key.

15 / 45

EASY / HARD CALCULATIONS

Given a datum n 2 Z, its size is the number of digits of n:

log10 n ⇠ log2 n ⇠ log n.

A procedure (that we apply to n) is

easy if running it takes polynomial time: O((log n)k ).

hard if running it takes exponential time:O(ec log n) = O(nc).

less hard if running it takes sub-exponential time, forexample: O(ec(log n)1/3(log log n)2/3

).

NOTATION

f , g : Z>0 ! R>0. We write f = O(g) if there exist constants B,Csuch that f (n) C · g(n) for all n � B.

16 / 45

PUBLIC KEY CRYPTOGRAPHY

1 If we have a cryptosystem that uses one-way functions toencrypt, then each user A, B, C,. . . chooses an encryptionkey eA, eB, eC , . . . and publishes it [in some short of “KeyBook”, or in the user’s web page], while keeping secret thedecryption keys dA, dB, dC . . . .

2 When B(ob) wants to send a message m to A(lice), hefinds in the Key Book eA, and therefore knows fA, thePUBLIC function that EVERYBODY uses to encryptmessages send to Alice. In particular, Bob will transmit

c = fA(m).

3 Then Alice, AND ONLY SHE, knows dA. Hence Alice, ANDONLY SHE, can compute f�1

A , and therefore read

f�1A (c) = f�1

A (fA(m)) = m.

17 / 45

CONSEQUENCES

Now we only need a par of keys (e, d)[=(public, private)]for each user.

If a new user wants to join, it is enough to publish in the”Key Book” his / her public key e. No need to get in touchwith other users beforehand!

18 / 45

SOME APPLICATIONS

Using public key cryptography to encrypt messages isexpensive. But it can be used, and in fact is used, for otherpurposes.

1 To create a virtual secure channel to exchange classicsymmetric keys [PGP, mobile phone]: if k is the symmetrickey, we can send to A(lice) fA(k).

2 User authentification [mobile phone]: If I send to A(lice)fA(challenge) and she returns challenge, I may assume Ais Alice (nobody else knows f�1

A ).

3 Digital signatures: only A can sign a message usingf�1A (message digest). Everybody can check the signature(everybody knows fA).

All of this is great, provided one-way functions exist and areeasy to use!

19 / 45

THE RSA CRYPTOSYSTEM[R. RIVEST, A. SHAMIR, L. ADLEMAN, 1977]

SRA (1977) – RSA (2003)

What is the idea behind RSA?

Finding large primes p, q(⇠ 300 digits ⇠ 1024 bits)is easy.

However, even knowing thatn = pq (⇠ 600 digits),finding its factors is,in practice, impossible.

Number of particles in theUniverse: 1072 – 1087.

20 / 45

ANOTHER ONE-WAY FUNCTION:THE DISCRETE LOGARITHM PROBLEM

(Not hard to prove) Given a prime p, the set

F⇤p := Z/p \ {0} = {1, 2, . . . , p � 1}

is a cyclic (multiplicative) group, that is there exists g 2 F⇤p

such thatF⇤

p = {g, g2, g3, . . . , gp�1}.

[Remark: Fermat’s Little Theorem) gp�1 = 1 mod p.]

Given an integer x , finding gx mod p is easy.

By contrast, for large p, given y 2 F⇤p, finding x such that

gx = y mod p is, in practice, impossible.

Finding x from y is the Discrete Logarithm Problem [DLP]

21 / 45

GRAPH OF gx mod p FOR p = 1231, g = 3

22 / 45

GRAPH OF gx mod p FOR p = 11113, g = 13

23 / 45

FIRST APPEARANCE OF THE DISCRETE LOGARITHMPROBLEM IN CRYPTOGRAPHY [1976, BEFORE RSA]

644 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-22, NO. 6, NOVEMBER 1976

New Directions in Cryptography Invited Paper

WHITFIELD DIFFIE AND MARTIN E. HELLMAN, MEMBER, IEEE

Abstract-Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long stand- ing.

I. INTRODUCTION

W E STAND TODAY on the brink of a revolution in cryptography. The development of cheap digital

hardware has freed it from the design limitations of mechanical computing and brought the cost of high grade cryptographic devices down to where they can be used in such commercial applications as remote cash dispensers and computer terminals. In turn, such applications create a need for new types of cryptographic systems which minimize the necessity of secure key distribution channels and supply the equivalent of a written signature. At the same time, theoretical developments in information theory and computer science show promise of providing provably secure cryptosystems, changing this ancient art into a science.

The development of computer controlled communication networks pron$ses effortless and inexpensive contact between people or computers on opposite sides of the world, replacing most mail and many excursions with telecommunications. For many applications these contacts must be made secure against both eavesdropping.and the injection of illegitimate messages. At present, however, the solution of security problems lags well behind other areas of communications technology. Contemporary cryptography is unable to meet the requirements, in that its use would impose such severe inconveniences on the system users, as to eliminate many of the benefits of teleprocessing.

Manuscript received June 3,1976. This work was partially supported by the National Science Foundation under NSF Grant ENG 10173. Portions of this work were presented at the IEEE Information Theory Workshop;Lenox , MA, June 23-25, 1975 and the IEEE International Symposium on Information Theory in Ronneby, Sweden, June 21-24, 1976.

W. Diffie is with the Department of Electrical Engineering, Stanford Universitv. Stanford. CA. and the St,anford Artificial IntelliPence Lab- oratory, g&ford, CIk 94.505.

Y

M. E. Hellman is with the Department of Electrical Engineering, Stanford University, Stanford, CA 94305.

The best known cryptographic problem is that of privacy: preventing the unauthorized extraction of information from communications over an insecure channel. In order to use cryptography to insure privacy, however, it is currently necessary for the communicating parties to share a key which is known to no one else. This is done by send- ing the key in advance over some secure channel such as private courier or registered mail. A private conversation between two people with no prior acquaintance-is a common occurrence in business, however, and it is unrealistic to expect initial business contacts to be postponed long enough for keys to be transmitted by some physical means. The cost and delay imposed by this key distribution problem is a major barrier to the transfer of business communications to large teleprocessing networks.

Section III proposes two approaches to transmitting keying information over public (i.e., insecure) channels without compromising the security of the system. In a public key cryptosystem enciphering and deciphering are governed by distinct keys, E and D, such that computing D from E is computationally infeasible (e.g., requiring lOloo instructions). The enciphering key E can thus be publicly disclosed without compromising the deciphering key D. Each user of the network can, therefore, place his enciphering key in a public directory. This enables any user of the system to send a message to any other user enciphered in such a way that only the intended receiver is able to decipher it. As such, a public key cryptosystem is a multiple access cipher. A private conversation can therefore be held between any two individuals regardless of whether they have ever communicated before. Each one sends messages to the other enciphered in the receiver’s public enciphering key and deciphers the messages he re- ceives using his own secret deciphering key.

We propose some techniques for developing public key cryptosystems, but the problem is still largely open.

Public key distribution systems offer a different ap- proach to eliminating the need for a secure key distribution channel. In such a system, two users who wish to exchange a key communicate back and forth until they arrive at a key in common. A third party eavesdropping on this exchange must find it computationally infeasible to compute the key from the information overheard, A possible solution to the public key distribution problem is given in Section III, and Merkle [l] has a partial solution of a different form.

A second problem, amenable to cryptographic solution, which stands in the way of replacing contemporary busi-

.

24 / 45

DIFFIE-HELLMAN KEY EXCHANGE

A and B must agree on an integer k [for example, a key fora symmetric cryptosystem].They choose (or somebody provides) in advance a largeprime p (such that we will have 0 < k < p) and a generatorg for F⇤

p. Neither p nor g need to be kept secret.A chooses (secretly! [and at random]) an integer a, andsends ga mod p to B.B chooses (secretly! [and at random]) an integer b, andsends gb mod p to A.Without knowing b, A can calculate (gb)a mod p.Without knowing a, B can calculate (ga)b mod p.A and B may use k = (gb)a = (ga)b as a key.E can intercept ga and gb, but can not calculate k withoutsolving a Discrete Logarithm Problem! [More precisely, aDiffie-Hellman Problem: given ga and gb, find gab.]

25 / 45

A (RIDICULOUSLY SMALL) DIFFIE-HELLMAN EXAMPLE

x 5x

1 52 23 104 45 206 87 178 169 11

10 911 2212 1813 2114 1315 1916 317 1518 619 720 1221 1422 1

Consider the prime p = 23.

Check that g = 5 generates F⇤23.

A chooses as exponent a = 9.

A sends 11.

B chooses as exponent b = 16.

B sends 3.

The common key is

k = 39 = 1116 = 59⇥16 = 5144 = 512 = 18 mod 23

26 / 45

IF WE CAN TRANSMIT KEYS,COULDN’T WE TRANSMIT MESSAGES?

Based on the Discrete LogarithmProblem, Taher Elgamal proposedin 1984:

A cryptosystem.

A digital signature scheme.

[He also worked in Netscape,where he developed the SSL(Secure Sockets Layer) protocol.]

27 / 45

ELGAMAL CRYPTOSYSTEM [SLIGHTLY SIMPLIFIED]

Messages are integers 1 M k . A large prime p > kand a generator g for F⇤

p are made public.A [and all other users] chooses [at random] a positiveinteger d ( p � 1), its private key.A makes public e = gd mod p, its public key.If B wants to send a message M to A:

B chooses [at random] an integer r .Sends to A: c = (gr , er M) = (c1, c2).

A recibes c. To decrypt it, A calculates

c2

cd1=

er Mgrd =

er Mer = M.

If you are not A, to do this, you must be able to calculategrd from gd and gr , that is, you must solve a Diffie-HellmanProblem.

28 / 45

CAN WE WORK ON GROUPS OTHER THAN F⇤p?

To set up Diffie-Hellman or Elgamal we need

A finite cyclic group G =< g > . . .

Examples:

Multiplicative group of any finite field: (F⇤q, ·), q = pr .

Additive group of integers modulo N: (Z/N,+), any N > 1.

Aren’t all cyclic groups G =< g > with |G| = N isomorphic?

Z/N ⇠�!< g >

x 7�! gx

Why chose one group and not another?

29 / 45

ISOMORPHIC GROUPS ARE NOT EQUAL FOR DLP

To set up Diffie-Hellman or Elgamal we need

A finite cyclic group G =< g > . . .. . . where the Discrete Logarithm Problem is hard.

DLP, to make explicit the inverse isomorphism

< g >⇠�! Z/N

This is not equally easy / hard for all groups.

For F⇤q, it is about as hard as for F⇤

p (of the same size).For Z/N, it is trivial: (Z/N,+) =< 1 >, log1a = a;(Z/N,+) =< g >, logga = a/g mod N.

Are there cyclic groups where DLP is harder than in F⇤q?

Enter Elliptic Curve Cryptography

30 / 45

WHAT ARE ELLIPTIC CURVES?

An ellipse is NOT an elliptic curve, but there is some relation[the length of an ellipse is given by an elliptic integral].

An elliptic curve E is an algebraic, projective, smooth, genus 1curve together with a point O 2 E .E is defined over the field K if it is given by polynomials withcoefficients in K and O has coordinates in K .

Thanks to the Riemann-Roch Theorem, we can give a moreconcrete definition.

Elliptic curve defined over a field K (char(K ) 6= 2, 3): solutions(in K ) of

E : y2 = x3 + Ax + B, A,B 2 K ,� = �16(4A3 + 27B2) 6= 0,

together with O: a point “at infinity” contained in all verticallines.

31 / 45

EXAMPLES OF ELLIPTIC CURVES (DRAWN IN R2)

y2 = x3 � x y2 = x3 + x y2 = x3 + x2

y2 = x3

32 / 45

EXAMPLES OF ELLIPTIC CURVES (DRAWN IN R2)

y2 = x3 � x y2 = x3 + x y2 = x3 + x2

y2 = x3

The curve must be smooth.It can not have crossings (nodes), norpinchpoints (cusps).It must have a (unique) tangent ateach point.

32 / 45

AT HOW MANY POINTS DOES A LINE INTERSECT ANELLIPTIC CURVE?

E : y2 = x3 +Ax +By = rx + s ; (rx + s)2 = x3 +Ax +B has 3roots, maybe multiple, maybe in thealgebraic closure K , but if we countcorrectly there are 3 points of intersection.

What if the line is vertical?: x = s; y2 = s3 + As + B has only 2 roots(maybe multiple, maybe in K ).

E is a projective curve; it has points atinfinity (not in the affine plane). In this case,there is a unique O 2 E at infinity containedin all vertical lines.

All lines cut E at 3 points (properlycounted).

The line at infinity cuts E at O withmultiplicity 3.

33 / 45

WE CAN ADD POINTS ON AN ELLIPTIC CURVE!

We may define geometrically a sum on E :chords-and-tangents method.

P,Q 2 E ) R(= PQ) 2 EPQ,O 2 E )P + Q := (PQ)O 2 E

(E ,+) is an abelian group.

P + Q = Q + P by construction.Identity element = OP = (x , y)) �P = (x ,�y)Associativity is the only hardproperty: formulas, geometry,Riemann-Roch / Picard group.

34 / 45

(DRAFT OF) GEOMETRIC PROOF OF ASSOCIATIVITY

CAYLEY-BACHARACH THEOREM

C,C1,C2 proyective cubics.C\C1 = {P1,P2, . . . ,P7,P8,A}.C\C2 = {P1,P2, . . . ,P7,P8,B}.

Then A = B.

35 / 45

(DRAFT OF) GEOMETRIC PROOF OF ASSOCIATIVITY

CAYLEY-BACHARACH THEOREM

C,C1,C2 proyective cubics.C\C1 = {P1,P2, . . . ,P7,P8,A}.C\C2 = {P1,P2, . . . ,P7,P8,B}.

Then A = B.

COROLLARY

(P + Q)R = P(Q + R)) (P + Q) + R = P + (Q + R)

35 / 45

K -RATIONAL POINTS

Suppose E is defined over K , that is

E : y2 = x3 + Ax + B, A,B 2 K .

It makes sense to look for solutions in K :

When K = Q this solves diophantine problems.The curve E has infinitely many points in K , but to docryptography we would like to have a finite group.

Let K be a field and E be an elliptic curve defined over K

The K -rational points of E are

E(K ) = {P 2 E : P = (x , y), x , y 2 K} [O.

Notice that we require (but in fact it follows from the projectiveequation) that O 2 E(K ). In particular, E(K ) 6= ;.

36 / 45

K -RATIONAL POINTS ARE ALSO A (SUB-)GROUP

FUNDAMENTAL FACT

Assume:E is defined over K .P,Q 2 E(K ).r is the line joining P and Q.The three points where r cuts E are P,Q and R.

Then also R 2 E(K ).

Proof?

COROLLARY

P,Q 2 E(K )) P + Q 2 E(K ).E(K ) ( 6= ;) is a subgroup of E .

37 / 45

LET’S DO AN EXAMPLE

E : y2 = x3 � 2x ,defined over Q.

P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q =

2(P + Q) =

38 / 45



P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

38 / 45



P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

8Q = 8(P + Q) =

38 / 45



P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

8Q = 8(P + Q) =

( 6897012211958668922875209739998784 ,

159969286818790737227291513459773175236858805437952 )

38 / 45



P = (0, 0) 2 E(Q)

Q = (�1,�1) 2 E(Q)

P + Q = (2,�2)

2Q = (94 ,

218 )

2(P + Q) = (94 ,

218 )

8Q = 8(P + Q) =

( 6897012211958668922875209739998784 ,

159969286818790737227291513459773175236858805437952 )

= (3.0150 . . . , 4.623 . . . )38 / 45

WHAT DOES THE GROUP (E(K ),+) LOOK LIKE?

It depends on K .Let’s start with K = C.L = Z!1 � Z!2 ⇢ C a lattice.

Weierstrass } function for L:

}(z) =1z2+

X

0 6=!2L

✓1

(z � !)2 �1!2

◆

}(z) = }(z + !1) = }(z + !2)

g2 = 60X

0 6=!2L

!�4

g3 = 140X

06=!2L

!�6

(}(z)0)2 = 4}(z)3�g2}(z)�g3.

We get an isomorphismC/⇤! {y2 = 4x3 � g2x � g3}

z 7! (}(z),}(z)0)

All E/C are like this.

C/⇤ = ; genus 139 / 45

OVER R

Let S1 be the circle group. There are two possibilities.

E(R) ' S1 E(R) ' S1 ⇥ Z/240 / 45

OVER Q

MORDELL (-WEIL) THEOREM, 1922

E : y2 = x3 + Ax + B, A,B 2 Z (or 2 Q).

Then E(Q) is a finitely generated abelian group:

E(Q) = Zr � E(Q)tors, E(Q)tors := (finite) torsion subgroup

MAZUR, 1978

E(Q)tors =

⇢Z/n, n = 1, . . . , 10, 12Z/2⇥ Z/n, n = 2, 4, 6, 8

We know a lot less about r=rank. Can it be arbitrarily large?

Elkies (2006), r � 28:y2 + xy + y = x3 � x2 � 20067762415575526585033208209338542750930230312178956502x +

34481611795030556467032985690390720374855944359319180361266008296291939448732243429

Bhargava-Shankar (2015): average rank 1.17.41 / 45

EXAMPLES OVER Q

E4,0 : y2 = x3 + 4x E0,6 : y2 = x3 + 6 E�2,0 : y2 = x3 � 2xE4,0(Q) = Z/4 E0,6(Q) = O E�2,0(Q) = Z/2� Z

P = (0, 0),Q = (�1,�1){nQ,P ± nQ : �25 n 25}

SIEGEL, 1929E has only finitely many points with integer coordinates.

EXAMPLE: INTEGER POINTS ON E�2,0

{(0, 0)(�1,�1), (�1, 1), (2,�2), (2, 2), (338,�6214), (338, 6214)}= {P,Q,�Q,P �Q,P �Q,P + 3Q,P � 3Q}

42 / 45

OVER Z/p (= Fp , FINITE FIELDS)

If p is prime and A,B 2 Z, we look for solutions to

y2 = x3 + Ax + B mod p.

If p 6 |� = �16(4A3 + 27B2), these (together with O) are anelliptic curve over Z/p.

E(Z/p) is, for sure, finite, (why?). In fact (why?):

|E(Z/p)| p2 + 1.

For p = 1231 this bound is 1 515 362, but

|E0,6(Z/1231)| = 1183, |E�2,0(Z/1231)| = 1232,

much closer to p than to p2.

43 / 45

EXAMPLES OVER Z/p (p = 1231)

E0,6 : y2 = x3 + 6 mod 1231 E�2,0 : y2 = x3 � 2x mod 1231

E0,6(Q) = O E�2,0(Q) = Z/2� Z

|E0,6(Z/1231)| = 1183 |E�2,0(Z/1231)| = 1232

E0,6(Z/1231) = Z/1183 E�2,0(Z/1231) = Z/2� Z/616

44 / 45

HOW LARGE IS E(Z/p)? (E : y2 = x3 + Ax + B)

E(Z/p) is obviously finite. (|E(Z/p)| 2p + 1)

Why in the examples |E(Z/p)| ⇠ p?

How many squares in Z/p? p�12 + 1 = p+1

2 .Probability of x3 + Ax + B, x 2 Z/p being a square: ⇠ 1

2 .For how many x 2 Z/p does y2 = x3 + Ax + B havesolutions? ⇠ p

2 .How many points in E come from each x 2 Z/p withy2 = x3 + Ax + B having a solution? 2.Hence |E(Z/p)| ⇠ p (+1).

There is a good bound for the error term in this estimate

HASSE BOUND, 1934

| |E(Z/p)|� (p + 1) | 2p

p

45 / 45

HOW LARGE IS E(Z/p)? (E : y2 = x3 + Ax + B)

E(Z/p) is obviously finite. (|E(Z/p)| p2 + 1)E(Z/p) is obviously finite. (|E(Z/p)| 2p + 1)

Why in the examples |E(Z/p)| ⇠ p?

How many squares in Z/p? p�12 + 1 = p+1

2 .Probability of x3 + Ax + B, x 2 Z/p being a square: ⇠ 1

2 .For how many x 2 Z/p does y2 = x3 + Ax + B havesolutions? ⇠ p

2 .How many points in E come from each x 2 Z/p withy2 = x3 + Ax + B having a solution? 2.Hence |E(Z/p)| ⇠ p (+1).

There is a good bound for the error term in this estimate

HASSE BOUND, 1934

| |E(Z/p)|� (p + 1) | 2p

p

45 / 45

elliptic c public key cryptography 1. i pkc ec · roblem in cryptography [1976, before rsa] 644...

Documents