Public Key Crypto Systems and Elliptic Curves

Gerhard Frey. Public Key Crypto Systems and Elliptic Curves. 3rd cycle. Oujda (Maroc), 2009, pp. 128. HAL Id: cel-00420494, https://cel.archives-ouvertes.fr/cel-00420494, submitted on 29 Sep 2009.

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.


Public Key Crypto Systems and Elliptic Curves

Gerhard Frey

Institute for Experimental Mathematics, University of [email protected]

CIMPA Ecole de cryptographie, Université Mohammed I

Oujda, 18 - 30 May 2006

Contents

1 DISCRETE LOGARITHMS BASED on ELLIPTIC CURVES
  1.1 Key Exchange
    1.1.1 Abstract setting
    1.1.2 One Realization
  1.2 DL-Systems
    1.2.1 Security Hierarchy
  1.3 Attacks
    1.3.1 Generic Attacks
    1.3.2 Index-Calculus
  1.4 Examples
    1.4.1 The additive group Z/ℓ
    1.4.2 The Classical DL
    1.4.3 Basic Idea
  1.5 Relevant Number Theory
  1.6 Strategy
    1.6.1 First Step
    1.6.2 Second Step
    1.6.3 Linear Algebra
    1.6.4 Complexity
    1.6.5 RESULT
    1.6.6 HOPE
2 Elliptic Curves over C
  2.1 Lattices and Curves
  2.2 Isogenies and Endomorphisms
  2.3 Torsion Points
  2.4 Elliptic Curves and Number Theory
3 Elliptic Curves over General Fields
  3.0.1 Addition Law
  3.0.2 Isogenies and Endomorphisms
  3.0.3 Torsion Points and Tate Module
  3.0.4 ℓ-adic Representations
4 Elliptic Curves over Finite Fields
  4.1 The Frobenius Morphism
    4.1.1 Rational Points
  4.2 The Characteristic Polynomial of φq
    4.2.1 Tate-Honda Theory
5 Pure Math and Technique
6 Generation of Instances
  6.1 Strategy
  6.2 Density Theorems
  6.3 The CM Method
  6.4 Schoof's Algorithm
    6.4.1 The Atkin-Elkies Variant
  6.5 p-adic Methods
    6.5.1 Satoh's Method
    6.5.2 The AGM-method
    6.5.3 Kedlaya's Method
    6.5.4 Optimization
  6.6 Conclusion
7 Security
  7.1 Index-Calculus in Jacobian Varieties of Positive Dimension
  7.2 Weil Descent
  7.3 Bilinear Structures
    7.3.1 Applications of Bilinear Structures
    7.3.2 Tate Pairing
  7.4 Computation of the Duality Pairing
    7.4.1 Dangerous Pairings
    7.4.2 Pairing Friendly Curves
8 Conclusion

References

Everything needed about elliptic curves can be found in

J. Silverman: The Arithmetic of Elliptic Curves, GTM 106, Springer 1986.

Everything used in the lecture about public key cryptography and elliptic curves, including the theory of finite fields both from the theoretical and the algorithmic point of view, can be found in

H. Cohen & G. Frey (eds.): Handbook of Elliptic and Hyperelliptic Curve Cryptography, CRC 2005,

cited in the following as BOOK. In this book one finds an exhaustive list of references (40 pp).

Lecture 1

1 DISCRETE LOGARITHMS BASED on ELLIPTIC CURVES

Almost all practically used (or usable) crypto systems rely on crypto primitives based on hard computational problems in easily "implemented" mathematical objects.

In these lectures we shall concentrate on the Discrete Logarithm Problem (DLP) in groups $G$ whose order is divisible by a large prime number $\ell$.

1.1 Key Exchange

1.1.1 Abstract setting

Assume $A \subset \mathbb{N}$ and $B \subset \mathrm{End}_{set}(A)$. For simplicity we shall assume that $B$ is closed under composition.

Key Exchange. Assume that there is an element $a_0 \in A$ such that the elements of $B$ commute on the orbit $B(a_0) = \{b(a_0) : b \in B\}$: for all $b_1, b_2 \in B$ we have

$$b_1(b_2(a_0)) = b_2(b_1(a_0)).$$

Use $(A, a_0), B$ for a key exchange system in the obvious way: the partners $P_i$ ($i = 1, 2$) choose $b_i$ and publish $b_i(a_0)$. Then

$$b_1(b_2(a_0)) = b_2(b_1(a_0))$$

is the common secret.

The security depends (not only) on the complexity of finding, for randomly chosen $a_1, a_2 \in B(a_0)$, all elements $b \in B$ with $b(a_0) = a_1$ modulo the relation

$$b \sim b' \text{ iff } b(a_2) = b'(a_2).$$

1.1.2 One Realization

Choose $A := G$, a cyclic group of prime order $\ell$, embedded into $\mathbb{N}$ by a numeration, and let $a_0$ be a generator.

$$B := \mathrm{Aut}_{\mathbb{Z}}(G) \cong (\mathbb{Z}/\ell)^*$$

can be identified with $\{1, \ldots, \ell - 1\}$ by

$$b(a) := a^b.$$

The key exchange scheme is: $P_i$ chooses $b_i \in \mathbb{Z}$ and publishes $a_0^{b_i}$. Then

$$(a_0^{b_1})^{b_2} = (a_0^{b_2})^{b_1}$$

is the common secret key.

A (non-trivial) result is: the security is determined by the complexity of the

Discrete Logarithm Problem (DLP): for randomly chosen $a_1, a_2 \in G$ compute $n \in \mathbb{N}$ with

$$a_2 = a_1^n.$$

The residue class of such an $n$ modulo $\ell$ is called $\log_{a_1}(a_2)$.

Remark: There are "derived" cryptographic schemes whose security rests on the hardness of the following decision problem.

DHDP: for randomly given elements $a_0, a_1, a_2, a_3$ decide whether

$$\log_{a_0}(a_1) \cdot \log_{a_0}(a_2) = \log_{a_0}(a_3).$$
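The key exchange of 1.1.2, together with the brute-force attack of 1.3 against it, as an added Python example that is not part of the lecture notes. It instantiates $G$ as the subgroup of prime order $\ell$ in $\mathbb{F}_p^*$ for the constructed parameters $p = 10007$, $\ell = 5003$ (so $p = 2\ell + 1$ and $G$ is the group of squares); the choice of generator, the membership check on received values and all function names are assumptions made for this example.

```python
import random

# Constructed parameters for the demo: P is prime and ELL = (P - 1)/2 is prime,
# so F_P^* has a unique subgroup G of prime order ELL (the squares).
P = 10007
ELL = (P - 1) // 2
A0 = pow(2, 2, P)  # a square different from 1, hence a generator a_0 of G


def in_group(a):
    """Check that a published element really lies in G minus {1}.

    A party that skips this check can be fed an element of small order
    (e.g. P - 1, which has order 2); the resulting "secret" then leaks
    information about that party's exponent.
    """
    return 1 < a < P and pow(a, ELL, P) == 1


def keygen(rng):
    """P_i chooses b_i in {1, ..., ELL - 1} and publishes a_0^{b_i}."""
    b = rng.randrange(1, ELL)
    return b, pow(A0, b, P)


def shared_secret(b_own, pub_other):
    """(a_0^{b_other})^{b_own}, after validating the received element."""
    if not in_group(pub_other):
        raise ValueError("received element is not in the group G")
    return pow(pub_other, b_own, P)


def exhaustive_dlog(a1):
    """Brute force of 1.3: the n in [0, ELL) with a_0^n = a1, in O(ELL) group operations."""
    acc = 1
    for n in range(ELL):
        if acc == a1:
            return n
        acc = acc * A0 % P
    raise ValueError("a1 is not in the subgroup generated by a_0")


def exchange(seed=7):
    """One key exchange between P_1 and P_2; an eavesdropper who sees only the two
    published values recovers the secret by solving one DLP."""
    rng = random.Random(seed)
    b1, pub1 = keygen(rng)      # P_1 publishes pub1 = a_0^{b_1}
    b2, pub2 = keygen(rng)      # P_2 publishes pub2 = a_0^{b_2}
    s1 = shared_secret(b1, pub2)
    s2 = shared_secret(b2, pub1)
    assert s1 == s2             # (a_0^{b_2})^{b_1} == (a_0^{b_1})^{b_2}
    recovered = pow(pub2, exhaustive_dlog(pub1), P)
    return s1, recovered


if __name__ == "__main__":
    secret, stolen = exchange()
    print("shared secret", secret, "recovered via the DLP", stolen)
```

With $\ell \approx 5 \cdot 10^3$ the exhaustive search is instantaneous; the point of the security hierarchy in 1.2.1 is that, for a well chosen group, nothing essentially better than this $O(\ell)$ search (or the $O(\ell^{1/2})$ generic methods of 1.3.1) should exist.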

1.2 DL-Systems

Definition 1.1 A DL-system is a group $G$ of prime order $\ell$ such that

• the elements of $G$ are presented in a compact way, i.e. by $O(\log(\ell))$ bits;

• the group composition $\oplus$ is easy to implement and very fast, i.e. has complexity $O(\log(\ell))$;

• the discrete logarithm problem (DL-problem), i.e.: for randomly chosen elements $g_1, g_2 \in G$ compute a number $k \in \mathbb{Z}$ such that $[k]g_2 = g_1$, is hard to compute.

1.2.1 Security Hierarchy

In the ideal case the complexity of the DLP in a group $G$ is

$$\exp(C \cdot \log(\ell) + O(1))$$

with positive (and not too small) $C$. This is obtained in generic groups and, as we hope, in certain groups related to elliptic curves and abelian varieties of dimension 2. In this case we say that the complexity of the DL is exponential.

In many cases one gets a weaker result: the complexity is subexponential, and this forces one to take the parameters larger to get security.

Explicitly this means: there are numbers $0 < \alpha < 1$ and $C$ such that the complexity of computing the DL is

$$O\big(\exp(C \cdot \log(\ell)^{\alpha} \cdot \log(\log(\ell))^{1-\alpha})\big).$$

In practice $\alpha$ is often $1/2$ or $1/3$.

The security of the DL-system is very poor if the complexity is polynomial, i.e.

$$O\big(\exp(C \cdot \log(\log(\ell)))\big) = O(\log(\ell)^C).$$

In this case security could be achieved only because of big constants, and so it is not scalable by enlarging $\ell$.

Remark 1.2 A typical example of an algorithm with subexponential complexity is factoring numbers by sieve methods: $\alpha = 1/2$ for the quadratic sieve, respectively $\alpha = 1/3$ for the general number field sieve (GNFS). This forces one to take as parameters for RSA systems numbers $n$ with $\log_2(n) \geq 2048$.

1.3 Attacks

We describe two types of rather general methods to compute discrete logarithms. Of course, for every key exchange scheme we can use brute force attacks (e.g. exhaustive search). This has complexity $O(\ell)$.

1.3.1 Generic Attacks

Using the algebraic realization, i.e. using the structure "group", the amazing fact is that we can do much better than brute force: the Baby-Step-Giant-Step method of Shanks as well as the $\rho$- and $\lambda$-methods of Pollard work in every finite group. All of them have time complexity $O(\ell^{1/2})$, and the methods of Pollard need very little storage space (for more details cf. BOOK, sect. 19.4, 19.5, 19.6). Hence they are exponential with constant $C = 1/2$. The good news is that in "generic groups" we cannot do better.

1.3.2 Index-Calculus

In reality we shall have to use a concrete presentation of our group. In many examples there are elements in $G$ which are easier to deal with, and this gives rise to the index-calculus attack.

The principle of index-calculus methods in abelian groups $G$ is to find a "factor base" $F$ consisting of relatively few elements and to compute $G$ as a $\mathbb{Z}$-module given by the free abelian group generated by the base elements modulo relations. Then one has to prove that with high probability every element of $G$ can be written (fast and explicitly) as a sum of elements in the factor base.

The important task in this method is to balance the number of elements in the factor base so as to keep the linear algebra over $\mathbb{Z}$ manageable and, at the same time, to guarantee "smoothness" of arbitrary elements with respect to this base. Typically, success gives rise to algorithms for the computation of the DL in $G$ which have subexponential complexity, and so DL-systems built on $G$ offer rather poor security compared with the exponential case: for the same security level the order of $G$ has to be taken much larger.

1.4 Examples

1.4.1 The additive group $\mathbb{Z}/\ell$

This example shows that in special groups we may find special algorithms which are much faster than the general ones. Take $a, b \in \mathbb{Z}/\ell \setminus \{0\}$. We want to determine $n$ such that

$$a - n \cdot b = \mu \cdot \ell$$

for some integer $\mu$. Since $\gcd(b, \ell) = 1$ we can compute by the Euclidean algorithm, in time and space linear in $\log(\ell)$, numbers $x_1, x_2$ with

$$x_1 \cdot b = 1 + x_2 \cdot \ell.$$

Hence $a \cdot x_1$ modulo $\ell$ is equal to $\log_b(a)$.
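Shanks' Baby-Step-Giant-Step from 1.3.1, written against an abstract group interface, next to the Euclidean shortcut of 1.4.1, as an added Python example that is not part of the lecture notes. Both are run on the subgroup of order $\ell = 5003$ in $\mathbb{F}_{10007}^*$ and on $(\mathbb{Z}/5003, +)$; these parameters, the generator $4$ and all function names are constructed for the example. An operation counter makes the $O(\sqrt\ell)$ cost of the generic method visible, while the special structure of $\mathbb{Z}/\ell$ reduces the same problem to $O(\log \ell)$ steps.

```python
from math import isqrt

# Constructed parameters: P prime, ELL = (P - 1) / 2 prime, and G = 2^2 generates
# the subgroup of order ELL in F_P^*.
P, ELL, G = 10007, 5003, 4


def bsgs(op, inv, identity, g, h, order):
    """Generic baby-step giant-step: return k in [0, order) with g^k = h.

    Only the group law `op`, inversion `inv`, the neutral element and equality
    of elements are used, so this runs in any finite group.  Cost: at most
    2*sqrt(order) + 2 group operations and about sqrt(order) stored elements.
    """
    m = isqrt(order) + 1
    baby = {}
    e = identity
    for j in range(m):                 # baby steps: e = g^j
        baby.setdefault(e, j)
        e = op(e, g)
    giant_step = inv(e)                # e is now g^m, so this is g^{-m}
    gamma = h
    for i in range(m):                 # giant steps: gamma = h * g^{-i m}
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = op(gamma, giant_step)
    raise ValueError("h is not a power of g")


def egcd(a, b):
    """Extended Euclid: returns (d, x, y) with a*x + b*y = d = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def dlog_additive(b, a, ell):
    """1.4.1: the n with n*b = a in Z/ell.  From x1*b = 1 + x2*ell we get n = a*x1 mod ell."""
    d, x1, _ = egcd(b, ell)
    assert d == 1, "b must be invertible modulo ell"
    return a * x1 % ell


def counted(op):
    """Wrap a group operation so that the number of calls can be read off."""
    calls = [0]

    def wrapped(x, y):
        calls[0] += 1
        return op(x, y)

    return wrapped, calls


def demo(k=1234):
    """Solve the same logarithm k three ways; returns the answers and the operation counts."""
    # Multiplicative subgroup of order ELL in F_P^*: generic BSGS is all we have.
    mul, calls_mul = counted(lambda x, y: x * y % P)
    h = pow(G, k, P)
    k_mul = bsgs(mul, lambda x: pow(x, -1, P), 1, G, h, ELL)
    # Additive group Z/ELL: BSGS still works, at the same sqrt(ELL) cost ...
    add, calls_add = counted(lambda x, y: (x + y) % ELL)
    b = 7
    a = b * k % ELL
    k_add = bsgs(add, lambda x: (-x) % ELL, 0, b, a, ELL)
    # ... but the Euclidean algorithm solves it in O(log ELL) steps.
    k_euclid = dlog_additive(b, a, ELL)
    return (k_mul, calls_mul[0]), (k_add, calls_add[0]), k_euclid


if __name__ == "__main__":
    print(demo())
```

For $k = 1234$ the baby-step table has $m = 71$ entries and the match is found after $17$ giant steps, so both BSGS runs use fewer than $2m$ operations, whereas the Euclidean algorithm on $(7, 5003)$ needs only a handful of division steps.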

1.4.2 The Classical DL

Take $q = p^f$ with a prime $p$ and let $\mathbb{F}_q$ be the field with $q$ elements. Its multiplicative group $\mathbb{F}_q^*$ is a cyclic group with $q - 1$ elements. Let $\zeta$ be a primitive root of unity of order $q - 1$ in $\mathbb{F}_q^*$ and $x \in \mathbb{F}_q^*$ arbitrary.

Definition 1.3 The discrete logarithm of $x$ with respect to the base point $\zeta$ is (any) integer $k$ with

$$x = \zeta^k.$$

It is clear that we can take $k$ as an element of $\mathbb{Z}/(q - 1) = \{0, \ldots, q - 2\}$. We want to compute $k$!

1.4.3 Basic Idea

Interpret the field $\mathbb{F}_q$ as residue field of the ring of integers of a number field and then compute the discrete logarithm as solution of a congruence equation.

From now on assume the simplest case: $q = p$ is a prime. The multiplicative group $\mathbb{F}_p^*$ can be represented as $(\mathbb{N}, \cdot)/\sim$ where $n_1 \sim n_2$ if and only if $n_1 \equiv n_2 \bmod p$. A system of representatives is given by $\{1, \ldots, p - 1\}$.

Let $x_0$ be a representative of $\zeta$ and (by abuse of notation) $x$ a representative of $x$. Then the discrete logarithm problem translates to the congruence problem

find $k \in \mathbb{N}$ such that $x \equiv x_0^k \pmod p$.

The advantage of this formulation is that one sees the relation of the problem with the multiplicative structure of $\mathbb{N}$, and hence the factorization of numbers into prime powers can be used. Moreover it is possible to introduce a kind of "size" for elements $x$ of $\mathbb{F}_p$: it is $\log_2 x$ for the representative $x \in \{1, \ldots, p-1\}$.

Remark 1.4 If $q = p^f$ choose $g$ as a monic irreducible polynomial over $\mathbb{F}_p$ of degree $f$. Then $\mathbb{F}_q^*$ is in a canonical way isomorphic to $(\mathbb{F}_p[X]/(g))^*$ and is represented by the polynomials of degree less than $f$ over $\mathbb{F}_p$. We can interpret the ring $\mathbb{F}_p[X]/(g)$ as residue field of the polynomial ring $\mathbb{Z}[X]/(\tilde g)$, where $\tilde g$ is a monic polynomial of degree $f$ which modulo $p$ is equal to $g$, and then we can use the arithmetic of this ring to interpret and to solve the discrete logarithm problem by congruences.

Remark 1.5 None of the following arguments will use that $q = p$ is a prime. Hence we shall generalize the situation and try to solve, whenever it is possible, for natural numbers $N$ and $x, x_0 \in \mathbb{N}$ the congruence equation

$$x \equiv x_0^k \pmod N \quad \text{with } k \in \mathbb{N}.$$

1.5 Relevant Number Theory

It is well known that every natural number is the product of powers of prime numbers. Deep theorems in number theory predict some laws about properties of prime divisors, e.g. the powers which can occur or the size of the prime factors. Typically these results are asymptotic properties. One observation is that relatively often only small factors occur. To make this precise we define the concept of smoothness.

Definition 1.6 Let $B$ be a positive number. A number $n$ is $B$-smooth iff all prime divisors of $n$ are $\leq B$.

Theorem 1.7 (Theorem of Canfield-Erdős-Pomerance) Let $x, y$ be natural numbers which grow asymptotically such that (for some fixed $\epsilon \in\, ]0, 1[$) we have

$$(\log x)^{\epsilon} < \log y < (\log x)^{1 - \epsilon}$$

with $x$ large enough, and put $u = \log x / \log y$. Let $\psi(x, y)$ be the number of numbers $n < x$ which are $y$-smooth. Then

$$\psi(x, y) = x \cdot u^{-u(1 + o(1))}$$

asymptotically for $x \to \infty$.

We need

Subexponential Functions: Let $\alpha$ be a real number in $]0, 1[$ and $c \in \mathbb{R}$. Define

$$L_x(\alpha, c) := \exp\big(c \cdot (\log x)^{\alpha} \cdot (\log\log x)^{1 - \alpha}\big).$$

Exercise. Show that for $\alpha > \alpha'$ we have

$$L_x(\alpha, c) \cdot L_x(\alpha', c') = L_x(\alpha, c + o(1))$$

and

$$L_x(\alpha, c) \cdot L_x(\alpha, c') = L_x(\alpha, c + c').$$

Use this and Theorem 1.7 to get: the heuristic probability to find a smooth number with smoothness bound $B = L_x(1/2, c)$ in a random walk in $[1, x]$ is

$$L_x\big(1/2, -\tfrac{1}{2c}\big).$$

(Indeed $u = \log x / \log B = \tfrac{1}{c}(\log x / \log\log x)^{1/2}$, so $u^{-u} = \exp(-u \log u) = L_x(1/2, -\tfrac{1}{2c} + o(1))$.) If we want to find $B$ such numbers we have (again heuristically) to make

$$\sim L_x(1/2, c) \cdot L_x\big(1/2, \tfrac{1}{2c}\big) = L_x\big(1/2,\, c + \tfrac{1}{2c}\big)$$

trials; the exponent $c + \tfrac{1}{2c}$ is minimal for $c = \sqrt{1/2}$, where it equals $\sqrt 2$.

1.6 Strategy

The idea for the computation of the discrete logarithm modulo $N$ is to divide the task.

1.6.1 First Step

We choose a smoothness bound $B$ and assume that the base point $x_0$ is $B$-smooth and of order $\varphi(N)$. Take $x$ as starting point of a controlled walk, obtained by taking powers of $x$ modulo $N$, which behaves like a random walk. The probability to meet a smooth element $y = x^d$ is as above.

Assume that we can compute $k \in \mathbb{N}$ with $y \equiv x_0^k \pmod N$. If $\gcd(d, \varphi(N)) = 1$ we can compute the (multiplicative) inverse $d'$ of $d$ modulo $\varphi(N)$ by Euclid's algorithm and get

$$x \equiv y^{d'} \equiv x_0^{k d'} \pmod N.$$

So we have reduced the computation of the discrete logarithm of $x$ to the computation of the discrete logarithm of the smooth element $y$.

1.6.2 Second Step

Solve the congruence equation for smooth numbers!

Relations. Assume that $F$ consists of $s$ prime numbers $p_1, \ldots, p_s$ (e.g. all primes $\leq B$). Let $\Lambda = \mathbb{Z}^s$ be the free lattice of exponent vectors $z = (z_1, \ldots, z_s)$, $z_i$ being the exponent of $p_i \in F$. By $m(z)$ we denote the homomorphism from $\mathbb{Z}^s$ into the multiplicative group generated by the smooth numbers which maps $z = (z_1, \ldots, z_s)$ to

$$\prod_{p_i \in F} p_i^{z_i}.$$

Remark 1.8 If $z = (z_1, \ldots, z_s)$ corresponds to a number $\leq N$ then it is a sparse vector.

Define $\bar m$ from $\mathbb{Z}^s$ to $(\mathbb{Z}/N)^*$ by

$$\bar m(z) :\equiv m(z) \pmod N.$$

The kernel $\Lambda_R$ of $\bar m$ consists of the vectors $z = (z_1, \ldots, z_s)$ with

$$\prod_{p_i \in F} p_i^{z_i} \equiv 1 \pmod N.$$

Such vectors give relations: rational numbers with smooth numerator and denominator which are congruent to $1$ modulo $N$. List the resulting vectors

$$v_1 = (v_{j1})_j, \ldots, v_t = (v_{jt})_j$$

as the rows of a matrix.

1.6.3 Linear Algebra

We assume that the base point $x_0$ is smooth and (to be explicit) has exponent vector $e = (1, 0, \ldots, 0)$. The element $x$ is assumed to be smooth with exponent vector $v = (v_j)$, $p_j \in F$. We look for $\lambda \in \mathbb{Z}$ such that $e - \lambda v$ is contained in $\Lambda_R$, i.e. $x_0 \equiv x^{\lambda} \pmod N$. Hence we should have

$$z_1 v_1 + z_2 v_2 + \cdots + z_t v_t - e + \lambda v = 0$$

for suitable integers $z_1, \ldots, z_t$. By this we get $s$ linear equations

$$v_{1,1} z_1 + v_{1,2} z_2 + \cdots + v_{1,t} z_t + \lambda v_1 = 1$$

and, for $2 \leq j \leq s$,

$$v_{j,1} z_1 + v_{j,2} z_2 + \cdots + v_{j,t} z_t + \lambda v_j = 0,$$

and any solution of this system in integers solves the DL-computation between $x$ and $x_0$: we get $x_0 \equiv x^\lambda \pmod N$, and so $\log_{x_0}(x)$ is the inverse of $\lambda$ modulo the order of $x$.

A priori this is a system over $\mathbb{Z}$. But of course $\lambda$ is only determined modulo the order of $x$ in $(\mathbb{Z}/N)^*$. So we can compute modulo $\varphi(N)$ (or, if known, modulo the order of $x$).

Next, it is more convenient to compute solutions of homogeneous equations. This is easily achieved by changing our task: find $\lambda', \mu$ such that $\lambda' v - \mu e \in \Lambda_R$, i.e. $x^{\lambda'} \equiv x_0^{\mu} \pmod N$. If $\varphi(N)$ is known (which we assumed) and $\gcd(\mu, \varphi(N)) = 1$ we get

$$\lambda = \lambda' \cdot \mu'$$

with $\mu'$ the inverse of $\mu$ modulo $\varphi(N)$.

We can describe the algorithm of the second step shortly in the following way:

• Choose and compute a factor base $F$ with $s$ elements.

• For every relation found, take the attached exponent vector as $i$-th row of the matrix $A$ (relation matrix), until the rank of $A$ is equal to $s$.

• Add the exponent vectors $e$ of $x_0$ and $v$ of $x$ as additional rows to $A$ to get the matrix $\tilde A$.

• Find a non-trivial linear dependency among the rows of $\tilde A$ modulo $\varphi(N)$, i.e. a non-trivial solution $z$ of $z \cdot \tilde A = 0$ modulo $\varphi(N)$; its last two coordinates are $-\mu$ and $\lambda'$.

1.6.4 Complexity

Again the size of $F$ plays a crucial role for the complexity of the second step. For finding one relation it is good to have $s$ large. But for finding enough relations $s$ should be small. Having enough relations one has to solve a system of linear equations of large size. This would be hopeless in general. But the matrix $A$ has a special shape (sparse), and so there are special methods to solve the system fast. Key words are sparse matrix techniques such as Wiedemann's or Lanczos' algorithms. The running time of this step is of size $O(s^2)$.

1.6.5 RESULT

Take $N = p$ a prime. With $B = L_{p-1}(1/2, \sqrt{1/2})$ the relation collection stage takes expected time

$$L_p(1/2, \sqrt 2).$$

Solving the system of linear equations takes the same expected running time $L_p(1/2, \sqrt 2)$ because the matrix is sparse ($s \approx B$, hence $s^2 = L_p(1/2, \sqrt 2)$).

We get: the expected running time for the computation of the DL in $\mathbb{F}_p^*$ by this method is

$$L_p(1/2, \sqrt 2).$$
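The two steps of 1.6 carried out end to end on a toy instance, as an added Python example that is not part of the lecture notes. The prime $p$ is a safe prime ($p = 2\ell + 1$ with $\ell$ prime) that the code itself locates near $10^6$, the smoothness bound $B = 100$, the seeds and all function names are choices made for this example. The linear algebra of 1.6.3 is done modulo $\ell$, where it is ordinary Gaussian elimination (the sparse-matrix methods of 1.6.4 are unnecessary at this size); the remaining information, the logarithm modulo $2$, is read off from the Legendre symbol, and both parts are glued together by the Chinese remainder theorem.

```python
import random
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the ~10^6-sized parameters of this demo."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def safe_prime_from(start):
    """Smallest p >= start with p and ell = (p - 1) / 2 both prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


def generator(p):
    """A generator of F_p^* for a safe prime p: neither a square nor of order 2."""
    ell = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, ell, p) != 1)


def smooth_vector(n, factor_base):
    """Exponent vector of n over the factor base, or None if n is not smooth."""
    vec = []
    for q in factor_base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        vec.append(e)
    return vec if n == 1 else None


def solve_mod_prime(rows, rhs, ell):
    """Solve A v = b (mod ell), ell prime, by Gauss-Jordan elimination.
    Returns None if rank(A) is smaller than the number of unknowns."""
    n = len(rows[0])
    M = [[x % ell for x in r] + [b % ell] for r, b in zip(rows, rhs)]
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, len(M)) if M[i][c]), None)
        if piv is None:
            return None
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, ell)
        M[r] = [x * inv % ell for x in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(u - f * w) % ell for u, w in zip(M[i], M[r])]
        r += 1
    if any(row[n] for row in M[r:]):
        raise ValueError("inconsistent relations")
    return [M[i][n] for i in range(n)]


def index_calculus_log(g, x, p, B=100, seed=0):
    """log_g(x) in F_p^* for a safe prime p = 2*ell + 1 and a generator g."""
    rng = random.Random(seed)
    ell = (p - 1) // 2
    fb = [q for q in range(2, B + 1) if is_prime(q)]
    # Second step (1.6.2 / 1.6.3): a smooth power g^e = prod p_i^{z_i} is the
    # relation e = sum z_i log_g(p_i) (mod p - 1); solve for the logs mod ell.
    rows, rhs, logs, wanted = [], [], None, 4 * len(fb)
    while logs is None:
        while len(rows) < wanted:
            e = rng.randrange(1, p - 1)
            vec = smooth_vector(pow(g, e, p), fb)
            if vec is not None:
                rows.append(vec)
                rhs.append(e)
        logs = solve_mod_prime(rows, rhs, ell)
        wanted += len(fb)
    # First step (1.6.1): walk through powers x^d with gcd(d, p - 1) = 1 until
    # one is smooth; then log_g(x) = log_g(x^d) * d^{-1} (mod p - 1).
    while True:
        d = rng.randrange(1, p - 1)
        if d % 2 and d % ell:
            vec = smooth_vector(pow(x, d, p), fb)
            if vec is not None:
                break
    k_mod_ell = sum(z * L for z, L in zip(vec, logs)) * pow(d, -1, ell) % ell
    # Parity: g is a non-square, so log_g(x) is even iff x is a square mod p.
    k_mod_2 = 0 if pow(x, ell, p) == 1 else 1
    # CRT for p - 1 = 2 * ell with ell odd.
    return k_mod_ell if k_mod_ell % 2 == k_mod_2 else k_mod_ell + ell


def demo(seed=1):
    """Safe prime near 10^6, random target x, compute and verify log_g(x)."""
    p = safe_prime_from(1_000_000)
    g = generator(p)
    x = random.Random(seed).randrange(2, p - 1)
    k = index_calculus_log(g, x, p)
    assert pow(g, k, p) == x
    return p, g, x, k


if __name__ == "__main__":
    print("p, g, x, log_g(x) =", demo())
```

The relation collection loop keeps sampling until the relation matrix has full rank $s$, exactly as the second bullet of the algorithm in 1.6.3 demands; a factor-base prime that has not yet appeared in any smooth value simply leaves a column without pivot. Working modulo $\ell$ instead of modulo $\varphi(p) = 2\ell$ is the reason the parity has to be recovered separately.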

1.6.6 HOPE

We hope that DLs in groups generated with the help of carefully chosen elliptic curves (or curves of genus 2) will have the same complexity as in generic groups.

Lecture 2

ELLIPTIC CURVES

2 Elliptic Curves over C

For this section see BOOK, section 5.1.5.

2.1 Lattices and Curves

Let $\Lambda$ be a lattice in $\mathbb{C}$, i.e.

$$\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 \quad \text{with } \mathrm{Im}(\omega_2/\omega_1) > 0.$$

The group

$$T_\Lambda = \mathbb{C}/\Lambda$$

carries in a natural way an analytic structure and is compact: it is a commutative compact Lie group, in fact a one-dimensional complex torus. It follows that there is an underlying structure of an algebraic projective curve $E_\Lambda$, and that the meromorphic functions on $T_\Lambda$ form the field $F(E_\Lambda)$ of rational functions on $E_\Lambda$. Moreover it follows at once that the (topological, analytical, algebraic) genus of $E_\Lambda$ is $1$.

By standard theorems (Weierstraß, Mittag-Leffler) one can construct generating functions (over $\mathbb{C}$) of $F(E_\Lambda)$. Note that these are meromorphic functions on $\mathbb{C}$ which are periodic with respect to $\Lambda$. One explicit example is the Weierstraß $\wp$-function

$$\wp(z, \Lambda) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right),$$

another one its derivative, and there is a differential equation

$$\left(\tfrac{1}{2}\wp'\right)^2 = \wp^3 - 15\, G_4\, \wp - 35\, G_6$$

with the Eisenstein series $G_4(\Lambda)$ and $G_6(\Lambda)$, where

$$G_n(\Lambda) := \sum_{\omega \in \Lambda \setminus \{0\}} \omega^{-n}.$$

It is not difficult to see that

$$F(E_\Lambda) = \mathbb{C}(\wp, \wp').$$

Hence the map

$$\mathbb{C}/\Lambda \to \mathbb{C}^2 \cup \{\infty\}, \quad z \mapsto \big(\wp(z), \tfrac{1}{2}\wp'(z)\big)$$

is a holomorphic bijection from the torus $T_\Lambda$ to the projective regular plane curve

$$E_\Lambda : Y^2 Z = X^3 - 15\, G_4\, X Z^2 - 35\, G_6\, Z^3.$$

There is one point $(0, 1, 0)$ "at infinity" which corresponds to $0 \in \mathbb{C}/\Lambda$, the pole of $\wp$ and $\wp'$.

It follows that the set $E_\Lambda(\mathbb{C})$ of $\mathbb{C}$-rational points on $E_\Lambda$ is a Lie group and, by general principles, the addition $\oplus$ is given by algebraic functions, i.e. by polynomials, and the zero point is the unique point with $z = 0$. Hence the Weierstraß functions satisfy addition formulas.

Conversely: given a projective curve

$$E : Y^2 Z = X^3 + A X Z^2 + B Z^3$$

without singularities there is a lattice $\Lambda$ with $E = E_\Lambda$.

Definition 2.1 Curves $E$ given by equations

$$E : Y^2 Z = X^3 + A X Z^2 + B Z^3$$

with $A, B \in \mathbb{C}$ without singularities are called elliptic curves over $\mathbb{C}$.

Two plane projective curves $E, E'$ are isomorphic if there is an invertible projective transformation of the projective plane mapping $E$ to $E'$.

Theorem 2.2 Two elliptic curves $E$ and $E'$ with lattices $\Lambda$ and $\Lambda'$ are isomorphic iff there is an element $\alpha \in \mathbb{C}^*$ with $\alpha \cdot \Lambda = \Lambda'$. Hence, by identifying isomorphic elliptic curves, we can assume that $\Lambda_E = \mathbb{Z} + \tau_E \cdot \mathbb{Z}$ with $\mathrm{Im}(\tau_E) > 0$. $\tau_E$ is determined by $E$ up to transformations

$$\tau_E \mapsto \frac{a \tau_E + b}{c \tau_E + d} \quad \text{with } a, b, c, d \in \mathbb{Z} \text{ and } ad - bc = 1.$$

Denote by $\mathcal{H}$ the set of complex numbers with positive imaginary part. The holomorphic function

$$j : \mathcal{H} \to \mathbb{C}, \quad \tau_E \mapsto j(\tau_E) = 1728 \cdot \frac{4 A^3}{4 A^3 + 27 B^2}$$

is surjective and determines the isomorphy class of $E$ uniquely.

Definition 2.3 $j_E = 1728 \cdot \dfrac{4 A^3}{4 A^3 + 27 B^2}$ is the absolute invariant (or: $j$-invariant) of $E$.

Remark 2.4 For given $j \neq 0, 12^3$ the elliptic curve

$$E_j : Y^2 Z = X^3 + \frac{27 j}{4(12^3 - j)} X Z^2 + \frac{27 j}{4(12^3 - j)} Z^3$$

has invariant $j$ (for $A = B = a$ one has $j = 1728 \cdot 4a/(4a + 27)$, and solving for $a$ gives $a = 27j/(4(12^3 - j))$). To $j = 0$ corresponds the curve $Y^2 Z = X^3 + Z^3$, and to $j = 12^3$ corresponds the curve $Y^2 Z = X^3 + X Z^2$.

2.2 Isogenies and Endomorphisms

Definition 2.5 Two elliptic curves $E, E'$ are isogenous if there is a non-constant rational map $\eta$ from $E$ to $E'$ mapping the point at infinity of $E$ to the one of $E'$.

Remark 2.6 Let

$$\eta : E \to E'$$

be an isogeny. Then $\eta$ is a group homomorphism from $E(\mathbb{C})$ to $E'(\mathbb{C})$ with finite kernel. The order of the kernel is called the degree of $\eta$.

We determine the isogeny classes again by using the theory of complex tori applied to elliptic curves and get:

Proposition 2.7 Let $E$ and $E'$ be two elliptic curves defined over $\mathbb{C}$ with lattices $\Lambda$ (respectively $\Lambda'$). Then $E$ is isogenous to $E'$ iff there exists an $\alpha \in \mathbb{C}^*$ with $\alpha \Lambda \subset \Lambda'$. If so, denote by $\eta_\alpha$ the isogeny from $E$ to $E'$. Then the kernel of $\eta_\alpha$ is canonically isomorphic to $\alpha^{-1}\Lambda' / \Lambda$.

Corollary 2.8 Assume that $E$ is an elliptic curve over $\mathbb{C}$ with $j_E = j(\tau)$. Then

$$\mathrm{End}_{\mathbb{C}}(E) = \{\alpha \in \mathbb{C} \mid \alpha \Lambda_\tau \subset \Lambda_\tau\}.$$

In particular, $\mathrm{End}_{\mathbb{C}}(E)$ is a commutative integral domain. There is a natural injection of $\mathrm{End}_{\mathbb{C}}(E)$ into the matrix ring $M_2(\mathbb{Q})$ (via the action on $\Lambda_\tau \otimes \mathbb{Q}$), and since $\mathrm{End}_{\mathbb{C}}(E)$ is commutative its image is of dimension $\leq 2$ over $\mathbb{Q}$.

2.3 Torsion Points

The simplest isogenies are $-\mathrm{id}_E$ and $n \cdot \mathrm{id}_E =: [n]$, the scalar multiplication by natural numbers $n$. They generate a subring of $\mathrm{End}_{\mathbb{C}}(E)$ which is identified with $\mathbb{Z}$. The kernel of $[n]$ is the group of $n$-torsion points $E[n]$. It is isomorphic to

$$\tfrac{1}{n}\Lambda_E / \Lambda_E \cong \mathbb{Z}/n \times \mathbb{Z}/n.$$

As kernel of a morphism it is the set of zeroes of polynomials in $X, Y$, and it is easily shown that these polynomials have coefficients in $\mathbb{Z}$ (as polynomials in $A, B, X, Y$). If $n$ is odd, an $n$-torsion point $\neq P_\infty$ is characterized by the fact that its $X$-coordinate is a zero of a polynomial $\Psi_n(X) \in \mathbb{Z}[A, B][X]$ of degree $(n^2 - 1)/2$. By induction (or more elegant geometric arguments) one proves that $\Psi_n(X)$ is a separable polynomial modulo all primes $p$ with $\gcd(n, p) = 1$.

2.4 Elliptic Curves and Number Theory

We continue to assume that $E$ is an elliptic curve over $\mathbb{C}$.

Definition 2.9 The elliptic curve $E$ has complex multiplication (CM) if and only if $\mathrm{End}_{\mathbb{C}}(E)$ is larger than $\mathbb{Z}$.

Let $E$ have CM and lattice

$$\Lambda_E = \mathbb{Z} + \tau \mathbb{Z}.$$

It is an easy exercise to show that $\tau$ is a non-rational element of an imaginary quadratic field $K_\tau$ and that $\mathrm{End}_{\mathbb{C}}(E)$ is the order $\{\alpha \in K_\tau \mid \alpha(\mathbb{Z} + \tau\mathbb{Z}) \subset \mathbb{Z} + \tau\mathbb{Z}\}$ of $K_\tau$. The converse is true as well.

Proposition 2.10 Let $K$ be an imaginary quadratic field, let $\mathcal{O}$ be an order of $K$, and let $\mathfrak{A}$ be a (proper) ideal of $\mathcal{O}$. Then $\mathfrak{A} \subset \mathbb{C}$ is a lattice, the elliptic curve $E_{\mathfrak{A}} := \mathbb{C}/\mathfrak{A}$ is an elliptic curve with complex multiplication and $\mathrm{End}_{\mathbb{C}}(E_{\mathfrak{A}}) = \mathcal{O}$. For two ideals $\mathfrak{A}, \mathfrak{A}'$ of $\mathcal{O}$ we get: $E_{\mathfrak{A}}$ is isomorphic to $E_{\mathfrak{A}'}$ over $\mathbb{C}$ (i.e. the absolute $j$-invariants are equal) iff $\mathfrak{A}$ and $\mathfrak{A}'$ are in the same ideal class.

So elliptic curves with complex multiplication have algebraic periods $\tau$. But even more important: the absolute invariant $j(\tau)$ is a very special algebraic integer, i.e. it is the zero of a monic polynomial over $\mathbb{Z}$, and it is obtained as $j$-invariant of an ideal in an imaginary quadratic field.

The exact statement is the key result of class field theory of imaginary quadratic fields.

Theorem 2.11 Assume that $E$ is defined over $\mathbb{C}$ and has complex multiplication. Let $\tau$ be its period. Then $\mathbb{Q}(\tau)$ is an imaginary quadratic field, $\mathrm{End}_{\mathbb{Q}(\tau)}(E) = \mathrm{End}_{\mathbb{C}}(E)$ is an order $\mathcal{O}_E$ in $\mathbb{Q}(\tau)$, and the absolute invariant $j(\tau)$ is an algebraic integer that lies in the ring class field $H_{\mathcal{O}_E}$ over $\mathbb{Q}(\tau)$. The invariant $j(\tau)$ is the $j$-function evaluated at an ideal of $\mathcal{O}_E$.

3 Elliptic Curves over General Fields

In the last section we began with analytic theory to define elliptic curves. But since analytic tori of dimension 1 are compact Riemann surfaces we could use general principles to get an algebraic theory. We use this to define elliptic curves over arbitrary (perfect) fields $K$ of characteristic $p \geq 0$.

Definition 3.1 An elliptic curve $E$ defined over $K$ is a cubic plane projective curve without singularities and with a rational point $P_\infty$.

Equivalently: $E$ is given by an equation

$$Y^2 Z + a_1 X Y Z + a_3 Y Z^2 = X^3 + a_2 X^2 Z + a_4 X Z^2 + a_6 Z^3$$

with $a_i \in K$, a Weierstraß equation, and there is no point on $E$ for which all partial derivatives vanish. If $p \neq 2, 3$ then one can choose the equation such that $a_1 = a_2 = a_3 = 0$.

Equivalently: $E$ is a projective nonsingular absolutely irreducible curve of genus $1$ with a $K$-rational point.

Equivalently: $E$ is a projective curve which is isomorphic to its Jacobian variety, i.e. $E$ is an abelian variety of dimension $1$.

Behind these equivalences is the fundamental theorem of Riemann-Roch.

3.0.1 Addition Law

A consequence of the equivalences above is that, in a natural and completely algebraic way, the set of rational points on an elliptic curve $E$ over any extension field $L$ of $K$ is an abelian group. We have the following geometric definition:

Three different points $P, Q, R$ add up to the zero element,

$$P \oplus Q \oplus R = 0,$$

iff these points are collinear. If $P = Q$ this has to be interpreted as: $R$ lies on the tangent line of $E$ in $P$.

If the equation for $E$ is in Weierstraß form (with $a_1 = a_3 = 0$) we see at once that the neutral element is $P_\infty = (0, 1, 0)$ and that $-P$ is the point on $E$ symmetric to $P$ with respect to the $X$-axis.

[Figure 1: Group law on the elliptic curve $y^2 = f(x)$ over $\mathbb{R}$. The chord through $P$ and $Q$ meets $E$ a third time in $-(P \oplus Q)$, which is reflected to $P \oplus Q$; the tangent at $P$ meets $E$ in $-[2]P$, which is reflected to $[2]P$.]

It is easy to translate this into algebraic formulas. In general we have (in affine coordinates $(X, Y)$, for $x_1 \neq x_2$)

$$(x_1, y_1) \oplus (x_2, y_2) = (x_3, y_3) \quad \text{with}$$

$$x_3 = -(x_1 + x_2) + \left(\frac{y_1 - y_2}{x_1 - x_2}\right)^2$$

and $y_3$ such that $(x_3, -y_3) \in E(K)$ is collinear with $(x_1, y_1)$ and $(x_2, y_2)$, i.e.

$$y_3 = \frac{y_1 - y_2}{x_1 - x_2}(x_1 - x_3) - y_1.$$

These formulas are rather easy to implement and to compute with on a computer. But because of their importance for cryptography there were and are tremendous efforts to make them even faster. For details see the corresponding chapters in BOOK.

3.0.2 Isogenies and Endomorphisms

Isomorphisms and Twists. For simplicity assume that the characteristic of $K$ is prime to $6$ and let $E$ be given by a short (affine) Weierstraß equation

$$E : y^2 = x^3 + a_4 x + a_6.$$

• If $a_4 = 0$ then for every $a_6' \in K^*$ the curve $E$ is isomorphic to $E' : y^2 = x^3 + a_6'$ over $K\big((a_6/a_6')^{1/6}\big)$.

• If $a_6 = 0$ then for every $a_4' \in K^*$ the curve $E$ is isomorphic to $E' : y^2 = x^3 + a_4' x$ over $K\big((a_4/a_4')^{1/4}\big)$.

• If $a_4 a_6 \neq 0$ then for every $v \in K^*$ the curve $E$ is isomorphic to $E_v : y^2 = x^3 + a_4' x + a_6'$ with $a_4' = v^2 a_4$ and $a_6' = v^3 a_6$ over the field $K(\sqrt v)$.

It is easily seen that the isomorphism class of $E$ is, over algebraically closed fields, uniquely determined by

$$j_E = j = 12^3 \cdot \frac{4 a_4^3}{4 a_4^3 + 27 a_6^2}.$$

If $K$ is not algebraically closed, $j_E$ determines $E$ only up to twists. If $j \neq 0, 12^3$ these twists are quadratic: the twisted curves are given by

$$E^{(d)} : d \cdot y^2 = x^3 + a_4 x + a_6 \quad \text{with } d \in K^*.$$

Isogenies

Definition 3.2 Two curves $E/K$ and $E'/K$ are isogenous over $K$ if there exists a projective map of the plane $\mathbb{P}^2/K$ which, restricted to $E$, induces a non-constant map

$$\psi : E \to E'$$

mapping the neutral element of $E$ to the neutral element of $E'$.

Theorem 3.3 The map $\psi$ induces a group homomorphism from $E(K)$ to $E'(K)$.

One important property is that for every isogeny $\psi$ there exists a unique isogeny $\hat\psi : E' \to E$, the dual isogeny of $\psi$, such that

$$\hat\psi \circ \psi = [m]_E \quad \text{and} \quad \psi \circ \hat\psi = [m]_{E'}.$$

The degree of the isogeny $\psi$ is equal to this $m$. If $m$ is prime to $\mathrm{char}(K)$, the degree of $\psi$ is equal to the order of $\ker(\psi) = \{P \in E(\bar K) ; \psi(P) = 0\}$. In general, an isogeny $\psi$ is called separable iff

$$\deg(\psi) = |\ker(\psi)|.$$

Endomorphisms. As usual, isogenies from $E$ to itself are called endomorphisms. The set of all endomorphisms of $E$ defined over $K$ will be denoted by $\mathrm{End}_K(E)$. It has no zero divisors and contains $\mathbb{Z}$ in a natural way.

Definition 3.4 If $\mathrm{End}(E)$ is strictly bigger than $\mathbb{Z}$ we say that $E$ has complex multiplication (CM).

We have seen in the previous chapter that over $\mathbb{C}$ (respectively over fields of characteristic $0$) the ring $\mathrm{End}(E)$ is commutative and, in the case of $\mathbb{C}$, is equal to $\mathbb{Z}$ or to an order in an imaginary quadratic field. This is "almost true" in characteristic $p > 0$, too.

Theorem 3.5 (Deuring) Assume that the endomorphism $[p]$ is not totally inseparable, i.e. that $E[p] \neq \{0\}$. Then $\mathrm{End}_K(E)$ is commutative and either equal to $\mathbb{Z} \cdot \mathrm{id}_E$ or equal to an order in an imaginary quadratic field.

The vague statement "almost true" is made precise in the following way: there is a polynomial $S_p(T) \in \mathbb{F}_p[T]$ such that

$$E[p] = \{0\} \quad \text{iff} \quad S_p(j_E) = 0.$$

In this case $j_E$ lies in $\mathbb{F}_{p^2}$. Elliptic curves with this property are called supersingular elliptic curves. If $E$ is not supersingular we call it ordinary.

Since supersingular curves play only a minor role in cryptography we shall assume from now on that $E$ is ordinary, mostly without mentioning it. Hence the field of endomorphisms of $E$,

$$\mathrm{End}_K(E)^0 := \mathrm{End}_K(E) \otimes \mathbb{Q},$$

is either $\mathbb{Q}$ or $\mathbb{Q}(\sqrt{-d})$ with $d > 0$ square free.

3.0.3 Torsion Points and Tate Module

As before we denote by $[n]$ the scalar multiplication corresponding to the endomorphism $n \cdot \mathrm{id}_E$. Multiplication by $n$ is an endomorphism of the curve $E$ of degree $n^2$ for every $n \in \mathbb{Z} \setminus \{0\}$. If $n$ is prime to $p$ it is separable and hence, as abelian groups,

$$E[n] := \ker([n]) \cong \mathbb{Z}/n \times \mathbb{Z}/n.$$

But $E[n]$ carries more structure: it is the set of common zeroes of a system of polynomials with coefficients in $\mathbb{Z}[a_4, a_6, X, Y]$. In modern language: $E[n]$ is a group scheme defined over $K$. For $n = p^k$ one gets that the separability degree of $[p^k]$ is equal to $p^k$ iff $E$ is ordinary.

Take a prime $\ell \neq p$. Multiplication by $[\ell^k]$ maps $E[\ell^{n+k}]$ surjectively onto $E[\ell^n]$ for all natural numbers $k, n$; hence the groups $\{E[\ell^n]\}_n$ form a projective system.

Definition 3.6

$$T_\ell(E) := \varprojlim_{n \to \infty} E[\ell^n]$$

is the $\ell$-adic Tate module of $E$.

$T_\ell(E)$ is a module over the ring of $\ell$-adic integers $\mathbb{Z}_\ell$ and is isomorphic to $\mathbb{Z}_\ell \times \mathbb{Z}_\ell$.

The Tate modules replace the lattice $\Lambda$ known from the analytic theory. In modern language: $T_\ell(E)$ is (up to duality) the first cohomology group of $E$ in the étale topology with coefficients in $\mathbb{Z}_\ell$.

3.0.4 ℓ-adic Representations

Here is a hint how to use the Tate modules. Let $\eta$ be an endomorphism of $E$. Obviously $\eta$ maps $E[\ell^n]$ to itself and is compatible with multiplication by $\ell^k$, and so it induces a $\mathbb{Z}_\ell$-morphism

$$\eta_\ell : T_\ell(E) \to T_\ell(E)$$

which is injective if $\eta \neq 0$. By elementary linear algebra one concludes that for $n$ large enough $|\ker(\eta) \cap E[\ell^n]|$ is equal to the highest $\ell$-power dividing $\det(\eta_\ell)$.

The morphisms $\eta_\ell$ depend on $\ell$. An important (and not so deep) fact is

Theorem 3.7 (Weil)

• For all primes $\ell \neq p$ the characteristic polynomials $\chi_{\eta_\ell}(T)$ lie in $\mathbb{Z}[T]$ and are independent of $\ell$.

• For all numbers $n$ prime to $p$ the characteristic polynomial of $\eta$ restricted to $E[n]$ is equal to $\chi_{\eta_\ell}(T)$ modulo $n$.

• Identify $\eta$ with an element $\pi$ in $\mathrm{End}(E)^0$ and assume that $\eta \notin \mathbb{Z}$. Then $\chi_{\eta_\ell}(T)$ is equal to the minimal polynomial $\chi_\pi(T)$ of $\pi$.

4 Elliptic Curves over Finite Fields

We assume that the ground field K is equal to F_q with q = p^k.

4.1 The Frobenius Morphism

Let φ_q be the Frobenius automorphism of F_q defined by

φ_q(x) = x^q for all x ∈ F_q.

Let E be an elliptic curve defined over F_q. We assume that E is ordinary. The Frobenius morphism on the projective plane is obtained by applying φ_q to the coordinates, sending points (X, Y, Z) to (X^q, Y^q, Z^q).

Let E be an elliptic curve defined over F_q. Then it is obvious that φ_q maps E(F_q) to E(F_q). We note that this map is bijective but is no isomorphism! It is a purely inseparable endomorphism of degree q. It follows that φ_q ∉ Z. Hence E has CM and its field of endomorphisms is an imaginary quadratic field Q(√−d_E), and φ_q corresponds to an integer π_q in this field with norm q.

4.1.1 Rational Points

A trivial but crucial remark is: the elements of E(F̄_q) fixed by φ_q are exactly E(F_q). Hence E(F_q) is the kernel of id_E − φ_q. Since id_E − φ_q is separable, it follows

Theorem 4.1

|E(F_q)| = degree(id_E − φ_q).

Corollary 4.2 Let f(T) be the characteristic polynomial of φ_q − id_E, interpreted as numbers in the field of endomorphisms of E. Then

|E(F_q)| = f(0).

4.2 The Characteristic Polynomial of φ_q

We associate to φ_q the characteristic polynomial of π_q

χ_{π_q}(T) = T^2 − Trace(π_q)·T + q.

Let λ1, λ2 be the eigenvalues of φ_q (for instance interpreted by actions on Tate modules). We can take λ1 = π_q. It follows that λ2 = q/π_q and Trace(π_q) = λ1 + q/λ1 = 2·Re(π_q). Since π_q is not a rational number we must have

|Trace(π_q)| < 2√q.

We use Corollary 4.2 and the fact that f(0) = χ_{π_q}(1) and get

Theorem 4.3 We have

|E(F_q)| = χ_{π_q}(1) = q + 1 − Trace(π_q).

Hence

| |E(F_q)| − q − 1 | ≤ 2√q.

The inequality in the theorem is, for elliptic curves over finite fields, the analogue of the Riemann hypothesis. It is often called the Hasse-Weil bound.

4.2.1 Tate-Honda Theory

We saw that the Frobenius endomorphism of an elliptic curve over F_q can be identified with an integer π in an imaginary quadratic field Q(√−d) with the additional property that |π| = √q.

The theory of Tate-Honda (valid in a much more general frame) states that the converse is true, too. Moreover, two elliptic curves over F_q are isogenous iff their fields of endomorphisms are equal, and this is the case iff the characteristic polynomials of the Frobenius endomorphisms are equal. Hence we get the

Theorem 4.4 (Tate) E and E′ are isogenous over F_q iff

|E(F_q)| = |E′(F_q)|.

Lecture 3

DISCRETE LOGARITHM BASED ON ELLIPTIC CURVES

5 Pure Math and Technique

In the second lecture I was totally in the realm of pure Mathematics (according to Gauß: even the PUREST of Sciences: Number Theory). Is this L'art pour l'art? At least, it seemed to be so for a long time.

An extreme opinion was expressed by Hardy.

In particular he states:

“... applied math is dull”.

But in the same book we find:

“Pure mathematics is on the whole distinctly more useful than applied. For what is useful above all is technique, and mathematical technique is taught mainly through pure mathematics.”

So let us come to technique

a classical machine readable passport


add: electronic signature


necessary: a whole bunch of security tools

6 Generation of Instances

We want to use the group of rational points

E(F_q)

of elliptic curves E over finite fields F_q for DL-systems. Hence a first task is to find (F_q, E) such that

|E(F_q)| = h·ℓ with ℓ ∼ 10^80 prime, h small.

6.1 Strategy

We know by the Hasse-Weil bound that q ∼ 10^80. So we choose q randomly of this size and then E randomly. By counting points we decide whether we have found a good pair. For this strategy we have to estimate the chance of success and to be able to count points on elliptic curves rapidly. It is useful to divide the strategy into two subcases.

1. We fix q and look for random curves over F_q (maybe we have a favorite field), or

2. we fix E (e.g. over Q) and vary q (maybe we have a favorite elliptic curve).

6.2 Density Theorems

For both strategies we have theoretical results which tell us that we shall succeed with high probability after relatively few trials (but it may happen that we shall need about 100 trials). Look at the first strategy and assume for simplicity that p = q (which is the most important case anyway). By Deuring, Hasse-Weil and Honda we know that for every integer t in the interval

I_q = [−2√q, 2√q]

of length 4√q there is an isogeny class of elliptic curves E with

|E(F_q)| = q + 1 − t.

Now the prime number theorem tells us that (asymptotically) there are

∼ 4√q / log q

prime numbers amongst these possible orders, and (together with a known probability distribution of numbers in isogeny classes) this gives the desired probabilistic success rate. The success rate for the second strategy is given by theorems/conjectures of Lang-Trotter type which predict the distribution of traces of Frobenius elements for elliptic curves over number fields.

6.3 The CM Method

We describe a method to find “good” elliptic curves for many prime fields F_p by using CM theory. Historically this was the first method to produce elliptic curves with known order; it was used by Morain et al. for factoring numbers, and it was implemented by A. Spallek in 1992 in a Diploma thesis (Essen) suitable for cryptography. It is very fast and remains so today, in particular if one wants to find series of elliptic curves. The strategy is of the second type, but we choose the ring of endomorphisms, and hence a whole isogeny class, instead of choosing an equation for the elliptic curve.

Take d a square free natural number and O the ring of integers in Q(√−d). d should be not too large (∼ 10^6) such that the class number is not too big (∼ 10^3). In a precomputation we compute a set of representatives {A_i} of the ideal class group of O. We have to make another precomputation: we compute an approximation (over C) of the polynomial

H_d(X) = ∏_{A_i} (X − j(A_i)).

We know from CM theory that this polynomial has integer coefficients, and if our approximation is good enough we can determine H_d(X) exactly. (This is the most delicate part of the algorithm.)

We are looking for primes p with p ∼ 10^80 which split in O into two principal prime ideals. Let π be a generator of one of these prime ideals. Then π is a Weil number and we know that it is the Frobenius endomorphism of an elliptic curve E over F_p (use class field theory for this) with

d_p = |E(F_p)| = p + 1 − (π + π̄).

We test easily whether d_p is (almost) a prime. If not, we look at another p.

If yes, we compute by Berlekamp's algorithm a zero j_p of H_d(X) modulo p. (This needs O(deg(H_d)·log p) time.) (By class field theory we know that all zeroes of H_d modulo p lie in F_p.) Now take

E_p : Y^2 Z = X^3 + (j_p / (12^3 − j_p))·X Z^2 + (j_p / (12^3 − j_p))·Z^3,

choose a random point P_0 ∈ E_p(F_p) and test whether

d_p · P_0 = 0.

If the answer is yes then E_p is the looked-for curve. If the answer is no, a twist of E_p does the job.

6.4 Schoof’s Algorithm

The first algorithm which computed for random q and random E the order of E(F_q) in polynomial time is due to René Schoof. Remember: let L_E(T) be the characteristic polynomial of the Frobenius endomorphism of E. It is a polynomial with integral coefficients which simultaneously for all natural numbers n is the characteristic polynomial of φ_q acting on the torsion points of order n of E. Since the absolute values of its coefficients are bounded by q, it is determined by this action for small n.

This is the starting point of Schoof's algorithm. To carry it through one has to describe the points of order n by the division polynomials, e.g. ψ_n(X), which is of degree O(n^2). It is made effective by a well known fact: there is a linear recurrence between the n-division polynomials of elliptic curves.

Theorem 6.1 (Schoof) For elliptic curves E the complexity to compute L_E(T) is bounded by a polynomial function in log(q).

6.4.1 The Atkin-Elkies Variant

In this original version the algorithm is much too slow for practical use. The reason is the high degree of ψ_n(X). Things have become much better by observations and refinements due to Atkin and Elkies: instead of using the kernel of the multiplication by small n on elliptic curves E one can use the kernel of endomorphisms of small norm and determine L_E(T) modulo ideals in the endomorphism ring O_E of E. This is especially easy if the prime l splits in O_E.

For the actual computation one has to find convenient methods to describe isogenies of elliptic curves. Here enter the modular curves X_0(l). These curves parametrize pairs of elliptic curves with cyclic isogenies of degree l. Their rich theory is the key to many of the important results in arithmetic geometry (e.g. FLT). We get the following refinement of Schoof's theorem.

Proposition 6.2 Let ε be a positive real number. Let E be an elliptic curve over F_q and l a prime which is split in O_E. Then L_E(T) modulo l can be computed with probabilistic complexity O((log(l)^2 · log(q))^(1+ε)).

The estimates due to Hasse-Weil imply that O(log(q)) different primes l are sufficient. To use Proposition 6.2 we want to use split primes only, and so we need bounds which ensure that we have found enough of them. We observe that q is a non-trivial norm with respect to O_E/Z, and so the size of the discriminant of O_E is bounded by O(|q|). This implies conjecturally (and in practice) that it is enough to use primes l up to a bound of size O(log(q)).

Under the assumption of the Generalised Riemann Hypothesis (GRH) it can be proved that the bound O((log(q))^2) (with explicitly computable constants) is big enough. So we get

Theorem 6.3 Assume that GRH is true. Let ε be a positive real number. Let E be an elliptic curve defined over F_q. The order of E(F_q) can be computed with (probabilistic) complexity O((log(q))^δ) with δ ≤ 5 + ε and conjecturally δ ≤ 4 + ε.

6.5 p-adic Methods

This is maybe the theoretically most interesting family of algorithms to compute the characteristic polynomial of the Frobenius endomorphism over a field F_q, and it is definitely the fastest one as long as p is small. But because of lack of time I have to be very sketchy and ask the interested audience to look for more information in the BOOK where these algorithms are discussed in great detail.

The principle is the following. We have the Frobenius operation over finite fields in two variants. First we have the Frobenius automorphism from Galois theory. It is very easy both theoretically and algorithmically to lift this automorphism to a Galois automorphism in the absolute Galois group of a p-adic field K with residue field F_q. Secondly, we have the Frobenius endomorphism φ_q as element of End(E) for any elliptic curve E defined over F_q. If we lift E to an elliptic curve defined over K we cannot expect that there is a lift of φ_q to the endomorphism ring of the lifted curve. In fact, we have to expect that the lifted curve has no CM. This excludes in general that we can use p-adic approximation to compute L_E(T).

6.5.1 Satoh’s Method

We now assume that E is ordinary. Then by Deuring's theorem there is a very special lift with the same ring of endomorphisms as E: this is the canonical lift. Using Newton iteration applied to the modular curve X_0(p), Satoh showed how to compute this canonical lift p-adically. He gets the result:

Theorem 6.4 (Satoh) There exists a deterministic algorithm to compute the number of points on an elliptic curve E over a finite field F_q with q = p^k and j(E) ∉ F_{p^2}, which requires O(k^(2µ+1)) bit-operations and O(k^3) space for fixed p. Here µ is the cost of the multiplication in F_q.

6.5.2 The AGM-method

This method is, in its original variant, due to Mestre. It works for the most important case p = 2 (and for p = 3) and is the fastest algorithm for these ground fields. It is a variant of Satoh's method. Classically, the Arithmetic-Geometric Mean (AGM) was introduced by Lagrange and Gauß to compute elliptic integrals or, equivalently, the period matrix of an elliptic curve over C.

Mestre showed how a 2-adic version of the AGM can be used to count the number of points on an ordinary elliptic curve over a finite field of characteristic 2. The reason is that it is used to describe an isogeny of degree 2 and hence, in the ordinary case, the Frobenius. Later, Mestre reinterpreted this algorithm as a special case of Riemann's duplication formula for theta functions and generalized it to ordinary hyperelliptic curves. The complexity of the algorithm is O(k^(2µ+1)) bit-operations. The space complexity is O(d^2).

6.5.3 Kedlaya's Method

This is maybe the most interesting and universal method. The difficulty of lifting the Frobenius endomorphism is solved by using a formal lifting (i.e. using power series instead of polynomials) of E and then using the (now easy) description of the Frobenius as a power series operation. The characteristic polynomial of φ_q is obtained by the operation on the de Rham cohomology of the corresponding power series ring. This idea goes back to Dwork.

To get finite dimensional cohomology groups one has to use overconvergent power series, the so-called “dagger lift”. This and the development of the corresponding cohomology theory, including a Lefschetz fixed point formula, is due to Monsky-Washnitzer. The method is very easily implemented in spite of its complicated mathematical background, and it is applicable for nearly all varieties over finite fields.

6.5.4 Optimization

In the end, mixing all methods together, one gets an asymptotically optimal elliptic curve point counting algorithm that runs in time O(k^(2µ) · log k) and requires O(k^2) space, for p fixed and with µ the cost of multiplication in F_q.

6.6 Conclusion

Using the results from above and taking into account the predictions on the structure of E(F_q) we can find very rapidly many cryptographically good random elliptic curves in a range which is sufficient for cryptography. So it is worthwhile to discuss security.

7 Security

The good news is: there is no algorithm known which computes the discrete logarithm directly inside of E(F_q) faster than the generic algorithms. In particular, there is no index-calculus algorithm known which works with lifting points to number fields. There is a mathematical reason for this: the theorem of Mordell-Weil and the existence of the Néron-Tate pairing.

BUT there are in special situations transfers to other groups which are vulnerable.

7.1 Index-Calculus in Jacobian Varieties of Positive Dimension

By work of Adleman, Huang, Gaudry, Enge, ... we have a classical result: index calculus yields a subexponential algorithm for the computation of the DL in class groups of curves of large genus. More important for us is a result of C. Diem, P. Gaudry, N. Thériault, E. Thomé:

Theorem There exists a (probabilistic) algorithm which computes the DL in the divisor class group of curves of genus g, up to a log factor, in expected time O(q^(2−2/g)).

This rules out g = 4, and g = 3 is in danger.

But things are worse. By using a different approach for the choice of factor bases Diem could show that the degree d of a plane curve representation is another crucial parameter, too.

Theorem (Diem) Fix d ≥ 4 such that d or d − 1 is prime. Then the DLP in the degree 0 class groups of curves given by (reflexive) plane models of degree d can be solved in an expected time of O(q^(2 − 2/(d−2))).

We can take d = 4 (non-hyperelliptic curves of genus 3) to get a bound for the complexity of the DLP of O(q).

For many hyperelliptic curves there is a correspondence to a non-hyperelliptic curve of genus 3 which can be computed efficiently. Hence (many of the) curves of genus 3 are insecure. Why are these results important for elliptic curves?

7.2 Weil Descent

Assume that the used base field is F_q with q = p^d. By restricting scalars we find an abelian variety W_E defined over F_p, given in an explicit way, of dimension d with

W_E(F_p) = E(F_q).

Hence the DL in E(F_q) is equivalent to the DL in W_E(F_p), and it may happen that we can apply index-calculus as above to W_E! I suggested to study this situation in a talk at ECC 1998. This turned out to be rather fruitful. There is work of Galbraith, Hess and Smart, of Diem, Gaudry, ....

For instance we know that the very nice field F_{2^155} is not the best choice as base field for secure elliptic curves, since

155 = 5 · (2^5 − 1).

But the real strength of the method is again in low dimension. As one result we shall see that 4 is a bad degree, too.

Diem's and Gaudry's Results

Theorem 7.1 Fix n > 2. Then the DLP in E(F_{q^n}) can be solved in an expected time of O(q^(2−2/n)) (with q growing). In particular, for n = 4 the complexity of the DLP is O(q).

Use as factor base points “with X-coordinate in F_q”. More precisely one uses subvarieties defined by Semaev's summation polynomials. As smoothness test one has to solve systems of polynomial equations defining zero dimensional schemes. This is a very nice piece of computational arithmetic geometry. So we should use elliptic curves either over prime fields or over fields F_{2^n} with n a prime but not Mersenne.

7.3 Bilinear Structures

Definition 7.2 Assume that there are Z-modules A, B and C and a bilinear map

Q : A × B → C

with

i) the group composition laws in A, B and C as well as the map Q are fast (e.g. in polynomial time);

ii) Q(·, ·) is non-degenerate in the first variable. Hence, for random b ∈ B we have Q(a1, b) = Q(a2, b) iff a1 = a2.

We call (A, Q) a DL-system with bilinear structure.

7.3.1 Applications of Bilinear Structures

There are destructive aspects which may weaken DL-systems if they carry a bilinear structure. Here is one.

The DL-system (A, ◦) is at most as secure as the discrete logarithm in (C, ◦).

And there are constructive aspects, for instance

Tripartite Key Exchange,

Identity Based Protocols, and

Short Signatures.

For more information the interested reader is advised to visit Paulo Barreto's Pairing Based Crypto Lounge.

7.3.2 Tate Pairing

It is not easy to find bilinear structures. One main source are the duality theorems from number theory and geometry: the key word is class field theory. Here is a consequence. Let ℓ be a prime different from p. Let E[ℓ](q) ⊂ E[ℓ] be defined as the ℓ-torsion points on which φ_q acts by scalar multiplication with q. Let k be minimal such that ℓ | q^k − 1. Hence F_{q^k} is the smallest extension field of F_q containing an ℓ-th root of unity. k is called the embedding degree (with respect to E and ℓ).

Theorem 7.3 There is a non-degenerate pairing

<,>_ℓ : E(F_q)/ℓ·E(F_q) × E[ℓ](q) → F*_{q^k} / (F*_{q^k})^ℓ

given by the following rule: take Q ∈ E[ℓ](q) and f_Q a function with only pole of order ℓ in P_∞ and only zero in Q, of order ℓ. Take P ∈ E(F_q) and represent the divisor class of P − P_∞ by a divisor D coprime to Q − P_∞. Then

<P + ℓ·E(F_q), Q> = f_Q(D) · (F*_{q^k})^ℓ.

Remark 7.4 This theorem is a consequence of the p-adic Tate pairing in the presentation found by Lichtenbaum. In the early 1990s H. G. Rück and myself suggested to use this pairing (which is in fact defined for divisor class groups of curves of arbitrary genus) to transfer the DL into multiplicative groups. Then Menezes, Okamoto and Vanstone used a related but more complicated pairing, the Weil pairing, and applied it to supersingular elliptic curves. One finds this as the so-called MOV attack in the literature.

Consequence: one can transfer the DL-problem in E(F_q)[ℓ] to the DL in F*_{q^k} provided that one can compute f_Q(D) fast enough.

7.4 Computation of the Duality Pairing

The problem is that the degrees of the zero resp. pole divisor of f_Q are very large, and so a direct approach to this evaluation is not possible. The way out is given by the theory of Mumford's theta groups and was implemented by V. Miller for elliptic curves (applied to the Weil pairing). So this fast evaluation is called “Miller's algorithm” in the literature. The principle is that the evaluation is a result of a scalar multiplication in a group, and hence adding and doubling can be applied.
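As an added example (my own code, not from the lecture), here is Miller's algorithm computing the reduced Tate pairing on the supersingular curve Y^2 = X^3 − X over F_p with p ≡ 3 mod 4 (Example 7.6 below, embedding degree k = 2). The parameters p = 43, ℓ = 11 and all function names are constructed for this example; the Miller function is built for the rational point P of order ℓ and evaluated at Q = ψ(P), where the distortion map ψ(x, y) = (−x, iy) supplies the second argument in E[ℓ](q), so the roles of f_Q and D in Theorem 7.3 are swapped, and the final exponentiation by (p^2 − 1)/ℓ turns the class modulo ℓ-th powers into an ℓ-th root of unity.

```python
p, ELL, A = 43, 11, -1        # constructed toy parameters: |E(F_43)| = 44 = 4 * 11

def slope(P, Q):
    """Slope of the chord through P and Q, or of the tangent at P if P == Q."""
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        return (3 * x1 * x1 + A) * pow(2 * y1, p - 2, p) % p
    return (y2 - y1) * pow(x2 - x1, p - 2, p) % p

def ec_add(P, Q):
    """Affine addition on E: y^2 = x^3 + A*x over F_p; None is the point at infinity."""
    if P is None or Q is None:
        return Q if P is None else P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None                                   # Q = -P
    lam = slope(P, Q)
    x3 = (lam * lam - P[0] - Q[0]) % p
    return (x3, (lam * (P[0] - x3) - P[1]) % p)

def ec_mul(n, P):
    R = None
    while n:
        if n & 1:
            R = ec_add(R, P)
        P, n = ec_add(P, P), n >> 1
    return R

# F_{p^2} = F_p(i), i^2 = -1 (a non-square since p = 3 mod 4); a + b*i is the pair (a, b).
def f2_mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % p, (u[0] * v[1] + u[1] * v[0]) % p)

def f2_pow(u, n):
    r = (1, 0)
    while n:
        if n & 1:
            r = f2_mul(r, u)
        u, n = f2_mul(u, u), n >> 1
    return r

def distortion(P):
    """psi(x, y) = (-x, i*y): an endomorphism of E that moves E(F_p)[ELL] into
    the eigenspace E[ELL](q) on which phi_q acts as multiplication by q."""
    return ((-P[0]) % p, 0), (0, P[1])

def line(T, P, Q):
    """Value at Q (coordinates in F_{p^2}) of the line through T and P, tangent
    if T == P.  A vertical line (P = -T) has values in F_p, which the final
    exponentiation kills, so it is replaced by 1 (denominator elimination)."""
    if T[0] == P[0] and (T[1] + P[1]) % p == 0:
        return (1, 0)
    lam, ((xa, xb), (ya, yb)) = slope(T, P), Q
    return ((ya - T[1] - lam * (xa - T[0])) % p, (yb - lam * xb) % p)

def tate_pairing(P, Q):
    """Reduced Tate pairing e(P, Q) = f_P(Q)^((p^2-1)/ELL) in F_{p^2}^*, P of
    order ELL in E(F_p), Q in E(F_{p^2}) with x(Q) in F_p; Miller's loop
    builds f_P from the lines of the double-and-add chain computing ELL * P."""
    f, T = (1, 0), P
    for bit in bin(ELL)[3:]:
        f, T = f2_mul(f2_mul(f, f), line(T, T, Q)), ec_add(T, T)
        if bit == "1":
            f, T = f2_mul(f, line(T, P, Q)), ec_add(T, P)
    return f2_pow(f, (p * p - 1) // ELL)

def point_of_order_ell():
    """Scan x = 2, 3, ... for a curve point and multiply it by the cofactor 4."""
    for x in range(2, p):
        rhs = (x * x * x + A * x) % p
        if rhs and pow(rhs, (p - 1) // 2, p) == 1:      # rhs is a nonzero square
            P = ec_mul((p + 1) // ELL, (x, pow(rhs, (p + 1) // 4, p)))
            if P is not None:
                return P
```

Checking e(aP, ψ(bP)) = e(P, ψ(P))^(ab) on small multiples is the practical sanity test: that bilinearity is exactly what moves a discrete logarithm in ⟨P⟩ into F*_{p^2}.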


CONSEQUENCE: We can reduce the discrete logarithm in E(F_q)[ℓ] to the discrete logarithm in F*_{q^k} with cost O(log(|F_{q^k}|)).

In general k is very large (∼ ℓ) and so the pairing cannot be computed.

Proposition 7.5 If E[ℓ](F_q) ≠ 0 then the trace of φ_q is congruent to q + 1 modulo ℓ, and the corresponding discrete logarithm in E(F_q) can be reduced to the discrete logarithm in the field F_{q^m} where m is the smallest integer such that the trace of φ_q^m becomes congruent to 2 modulo ℓ.

7.4.1 Dangerous Pairings

The pairing is dangerous for the security of the DL if the embedding degree k is so small that the DL in F*_{q^k} has complexity < ℓ^(1/2). This implies that k has to be at least 12.

Example 7.6 Let E be a supersingular elliptic curve. Then k ≤ 6, and it is ≤ 4 if p ≠ 3, and ≤ 2 if p is prime to 6. Hence supersingular elliptic curves provide only subexponential security. As examples for such curves one can take E : Y^2 Z = X^3 − X Z^2 and p ≡ 3 modulo 4, or E : Y^2 Z = X^3 + Z^3 and p ≡ 2 modulo 3.
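As an added example (my own code, not from the lecture), the following puts the earlier counting-and-selection procedure and the embedding degree side by side for small toy primes: naive point counting through the Legendre symbol, the trace of Frobenius and the Hasse-Weil bound of Theorem 4.3, strategy 6.1 with the field fixed (scanning curves in a fixed order instead of drawing them at random), and the embedding degree of 7.3.2 with the k < 12 test of 7.4.1. All function names are my own, and the two supersingular curves of Example 7.6 serve as the worked cases.

```python
import math

def legendre(a, p):
    """Legendre symbol (a / p) for an odd prime p: 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(p, a, b):
    """|E(F_p)| for E: y^2 = x^3 + a*x + b: every x contributes 1 + (x^3 + a*x + b / p)
    affine points, plus the point at infinity.  O(p) work, fine for toy p."""
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))

def frobenius_trace(p, a, b):
    """Trace t of phi_p from |E(F_p)| = p + 1 - t (Theorem 4.3): chi(T) = T^2 - t*T + p."""
    return p + 1 - count_points(p, a, b)

def hasse_weil_ok(p, t):
    """Hasse-Weil bound |t| <= 2*sqrt(p), checked as t^2 <= 4p in integers."""
    return t * t <= 4 * p

def is_supersingular(p, a, b):
    """Over F_p with p >= 5 the curve is supersingular iff the Frobenius trace is 0."""
    return frobenius_trace(p, a, b) % p == 0

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def embedding_degree(q, ell):
    """Smallest k >= 1 with ell | q^k - 1 (the order of q modulo ell), i.e. the
    degree of the smallest extension of F_q containing the ell-th roots of unity."""
    if q % ell == 0:
        raise ValueError("ell must not divide q")
    k, r = 1, q % ell
    while r != 1:
        k, r = k + 1, r * q % ell
    return k

def find_good_curve(p, max_cofactor=1):
    """Strategy 6.1 with q = p fixed, scanning (a, b) in a fixed order: stop at the
    first curve with |E(F_p)| = h * ell, ell prime and h <= max_cofactor.
    Returns (a, b, ell, h, k); k is None when ell = p, since ell then divides no p^k - 1."""
    for a in range(p):
        for b in range(1, p):
            if (4 * a * a * a + 27 * b * b) % p == 0:        # singular cubic, skip
                continue
            n = count_points(p, a, b)
            for h in range(1, max_cofactor + 1):
                if n % h == 0 and is_prime(n // h):
                    ell = n // h
                    return a, b, ell, h, (embedding_degree(p, ell) if ell != p else None)
    return None

def pairing_is_dangerous(k):
    """7.4.1: the transfer to F_{q^k}^* threatens the DL only when k is small (< 12)."""
    return k < 12
```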


7.4.2 Pairing Friendly Curves

As we have mentioned there are positive aspects of bilinear structures. So it is important to find E, q, ℓ with k ≥ 12 and ≤ 30. By work of Freeman, Cocks, Pinch, Barreto, Naehrig et al. we have now many such curves, but still the final story is not written.

8 Conclusion

We can use the most efficient machinery of Arithmetic Geometry to construct cryptosystems and to analyze their security.

Concrete Examples (travelling on every new German passport)

brainpoolP224r1
p: D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF
A: 68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43
B: 2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B
q: D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F

brainpoolP256r1
p: A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377
A: 7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9
B: 26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6
q: A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7

So we have found an important application of Arithmetic Geometry to one of the fundamental needs of our civilization: Data Security.

BUT

We should not forget that nearly all of the results we use were found without the aim of direct application leading to these curves, and we should not forget the beauty of “pure” Mathematics and its inspiration!

THANK YOU!