Elliptic curves and applications to cryptography

Université de Marseille II, M1
1st Semester 2011-2012
By Christophe RITZENTHALER
These are notes of a course taught at Marseille in the first semester 2011-2012. They can be found on
www.iml.univ-mrs.fr/~ritzenth.
Please send comments and corrections to me at [email protected].
Notation and convention. The integer q is a power p^n, n > 0, of a prime p, and k is a finite field of cardinality q. The letter K is any (perfect) field of characteristic p, and here p can be 0 as well.
Contents

1 Introduction to elliptic curves                                       1
1.1 Some definitions                                                    1
1.1.1 First definition of an elliptic curve                             1
1.1.2 Second definition                                                 2
1.1.3 Third definition                                                  3
1.1.4 Isomorphisms                                                      4
1.2 The group law                                                       5
1.2.1 Definition                                                        5
1.2.2 Torsion points                                                    6
1.2.3 The Weil pairing                                                  6

2 Elliptic curves over finite fields                                    9
2.1 Number of points on elliptic curves over finite fields: theory      9
2.1.1 An example and an easy result                                     9
2.1.2 Hasse-Weil bound                                                  9
2.1.3 A case of the Weil conjectures                                   10
2.1.4 Supersingular elliptic curves                                    11
2.2 Number of points on elliptic curves over finite fields: practice   11
2.2.1 Counting points                                                  11
2.2.2 Baby steps-giant steps                                           11
2.2.3 To work with extensions                                          12
2.2.4 Schoof method                                                    12

3 Cryptography                                                         15
3.1 Cryptographic protocols                                            15
3.1.1 Encryption scheme                                                15
3.1.2 Diffie-Hellman protocol                                          16
3.1.3 Signature                                                        16
3.1.4 Some groups for the DLP                                          17
3.2 General attacks on DLP and index calculus                          18
3.2.1 Shanks Baby-Step Giant-Step                                      18
3.2.2 The Pollard ρ-algorithm                                          19
3.2.3 The Pohlig-Hellman algorithm                                     20
3.2.4 Index calculus                                                   21
3.3 Attacks on some particular elliptic curves                         22
3.3.1 The MOV attack                                                   22
3.3.2 Other restrictions                                               23

4 Pairings                                                             25
4.1 Review on divisors                                                 25
4.2 The Weil pairing                                                   26
4.3 Computation of the Weil pairing: practice                          28
4.4 Application to cryptography                                        29

5 Tutorials (Travaux Dirigés)                                          31
5.1 TD 1                                                               31
5.1.1 Problems                                                         31
5.1.2 Solutions                                                        32
5.2 TD 2                                                               33
5.2.1 Problems                                                         33
5.2.2 Solutions                                                        34
5.3 TD 3                                                               35
5.3.1 Problems                                                         35
5.3.2 Solutions                                                        35
5.4 TD 4                                                               35
5.4.1 Problems                                                         35
5.4.2 Solutions                                                        36
5.5 TD 5                                                               37
5.5.1 Problems                                                         37
5.5.2 Solution                                                         37

6 Homework (Devoirs à la maison)                                       39
6.1 Homework 1: Elliptic curve over C and complex torus                39
6.2 Homework 2: Number of elliptic curves over finite fields           41
1 Introduction to elliptic curves

1.1 Some definitions

1.1.1 First definition of an elliptic curve
Definition 1.1.1. A Weierstrass equation of an elliptic curve E over a field K is
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
where a1, a2, a3, a4, a6 ∈ K and ∆ ≠ 0, where ∆ is the discriminant of E and is defined as follows:
$$\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6,$$
with
$$b_2 = a_1^2 + 4a_2, \quad b_4 = 2a_4 + a_1 a_3, \quad b_6 = a_3^2 + 4a_6, \quad b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2.$$
This definition raises many comments.
A non singular algebraic affine curve defined over K
The previous equation defines an algebraic affine curve since it is given by a polynomial in two variables in the affine plane. It is defined over K, meaning that the coefficients of the equation are in K.
To any affine curve C given by an equation C : f(x, y) = 0, where f ∈ K[x, y], one can associate the set of its K-rational points, i.e.
C(K) := {(a, b) ∈ K², f(a, b) = 0}.
Note that this set can be empty (for instance x² + y² = −1 over R), so the set of points does not determine the equation of the curve. However, if K is algebraically closed and if f is irreducible (check it by looking at f as a polynomial of degree 2 in y), then f is uniquely determined by C(K) up to a scalar multiplier. For this reason, it is important to be able to consider the set of points of a curve C/K not only over K but over all extensions of K. In particular, we simply call a K̄-rational point a point of C.
The condition ∆ ≠ 0 ensures that E has no singular point. Let us check this in the case a1 = a3 = a2 = 0 and char K ≠ 2, 3. A point P = (a, b) ∈ E(K̄) is singular if and only if ∂f/∂x(a, b) = ∂f/∂y(a, b) = 0 where f = y² − (x³ + a4 x + a6). Hence we get
$$\begin{cases} 2b = 0, \\ -(3a^2 + a_4) = 0, \\ b^2 - (a^3 + a_4 a + a_6) = 0. \end{cases}$$
It then means that b = 0 and a is a solution of x³ + a4 x + a6 = 0 and of its derivative, i.e. a is a double root. This can happen if and only if the discriminant of this polynomial is zero, i.e. if and only if
$$-(4a_4^3 + 27a_6^2) = \Delta/16 = 0.$$
Let us draw pictures over R.
An abstract curve
We have not defined what an elliptic curve is! We only gave an equation of this object. One has to understand that an elliptic curve is an abstract object that can have many avatars (models), a model given by a Weierstrass equation being one. Here are other examples:
1. Quartic equations: y² = f(x) with f a degree 4 polynomial without multiple root;
2. Hessian model: x³ + y³ + z³ = dxyz;
3. Intersection of quadrics in P³: x² + z² = ayt and y² + t² = axz;
4. Edwards model: x² + y² = 1 + dx²y².
To keep it simple, we will however often conflate the definition of an elliptic curve with its Weierstrass equation, but one has to keep in mind that in general abstract curve ≠ a model of a curve ≠ an equation of the curve.
1.1.2 Second definition

An affine version of a curve is often incomplete, for instance in terms of Bézout's theorem. It is then better to consider a projective version.
Definition 1.1.2. A (projective) Weierstrass equation of an elliptic curve E over a field K is
Ẽ : y²z + a1 xyz + a3 yz² = x³ + a2 x²z + a4 xz² + a6 z³
where a1, a2, a3, a4, a6 ∈ K and ∆ ≠ 0.
This is not surprising. More generally, considering an affine curve C : f(x, y) = 0, one obtains its projective version by defining the curve C̃ : f̃(x, y, z) = 0 where f̃ is the homogeneous polynomial associated to f, i.e. such that f̃(x, y, 1) = f(x, y).
What does it mean for the points of Ẽ? Recall that the K-rational points of the projective plane P² are the projective points given by the equivalence classes of triples (x, y, z) ∈ K³ \ {(0, 0, 0)} under the multiplicative action of K*. Since the projective equation of Ẽ is homogeneous, it makes sense to speak about equivalence classes (x : y : z) which satisfy the equation of the curve, and this defines the set Ẽ(K). Among these points, we can distinguish
• The affine points of Ẽ, i.e. the ones with z ≠ 0. We can hence find a representative with z = 1 and so, with this normalization, the affine points of Ẽ are the points of E.
• The points at infinity of Ẽ, i.e. the ones with z = 0. Letting z = 0 in the equation, we get x³ = 0, so there is a unique point at infinity, which is denoted O = (0 : 1 : 0).
By a change of coordinates, one can prove that the point O is non-singular: around O, we have the affine equation z + a1 xz + a3 z² = x³ + a2 x²z + a4 xz² + a6 z³ and the derivatives with respect to x and z at the point O are 0 and 1. Hence the model Ẽ is a non-singular projective curve. Since E and Ẽ are so closely related, we often forget the adjective projective or the ˜ in our speech.
1.1.3 Third definition

Just for the sake of completeness, let us give the abstract definition of an elliptic curve.
Definition 1.1.3. An elliptic curve over a field K is a projective non-singular curve of genus 1 with a K-rational point O.
The genus is a ‘topological invariant’ which is a non-negative integer. Hence if two curves have different genus they cannot be transformed into each other in a continuous way without introducing singularities. This hence defines a stratification of the set of curves with growing ‘complexity’ according to the genus. Note that the genus 0 algebraic curves are the ones which admit a parametrization, for instance the conics, i.e. plane curves given by a projective equation of degree 2. One can prove that an elliptic curve does not admit a parametrization. Since it can be given by a degree 3 equation, this is somehow the simplest example after the conics. Note that if ∆ were zero we could see that we get a parametrization.
Remark 1.1.4. To go even further and make the link with our initial definition, we'd have to use the Riemann-Roch theorem to see that we can obtain an embedding of our abstract curve as a plane curve using the Riemann-Roch space associated to the divisor 3O (see [Sil92, Prop.III.3.1]).
Remark 1.1.5. At least over C, one can see that the genus of an elliptic curve is 1. First, one has to understand that an elliptic curve can be given as C modulo a lattice Λ through the so-called Weierstrass functions (see DH 6.1). But C modulo a lattice is a complex torus and it is well known that the genus counts the number of holes in a compact Riemann surface.
Figure 1.1: A complex torus
1.1.4 Isomorphisms
Between two algebraic varieties, there is a natural notion of morphisms, which are ‘maps described by polynomials’. We will choose an ad hoc definition for isomorphisms between Weierstrass models.
Definition 1.1.6. Two elliptic curves E1 and E2 defined over K and given by Weierstrass equations
$$E_1 : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$
$$E_2 : y^2 + a_1' xy + a_3' y = x^3 + a_2' x^2 + a_4' x + a_6',$$
are said to be isomorphic over K if there exist u, r, s, t ∈ K with u ≠ 0 such that the change of variables
$$(x, y) \mapsto (u^2 x + r,\; u^3 y + u^2 s x + t)$$
transforms the equation of E1 into the equation of E2 (up to a non-zero scalar multiplier of course).
If E2 = E1, such a transformation is called an automorphism of E1.
If the characteristic of K is different from 2, one can simplify a Weierstrass model by completing the square on the left, i.e. replacing y by y − (a1/2)x − a3/2 we get y² = x³ + (b2/4)x² + (b4/2)x + b6/4 where the bi are defined in Sec. 1.1.1.
Moreover, if the characteristic of K is different from 3, one can eliminate the coefficient in front of x², getting a simplified Weierstrass model of the form y² = x³ + ax + b. As the properties we are interested in do not depend on a model up to isomorphism (over K), we will often consider this model when the characteristic is not 2 or 3.
Is there a simple way to see if two Weierstrass models are isomorphic over an algebraically closed field K? Such a classical problem is part of the general theory of invariants and in this case the answer is simple. Let us start with two simplified Weierstrass models: y² = x³ + ax + b and y² = x³ + a'x + b'. It is easy to see that the only possible transformation is a = u⁴a' and b = u⁶b' for some u ∈ K*. There exists such a u if and only if a'³/b'² = a³/b². However this makes no sense if b or b' is zero. There is one quantity which we know is never 0: the discriminant ∆. Here we have ∆ = −16(4a³ + 27b²) and ∆' = −16(4a'³ + 27b'²). Hence we can get the same result using the well defined j-invariant
$$j := -1728\,\frac{(4a)^3}{\Delta}.$$
Proposition 1.1.7. Two simplified Weierstrass models are K̄-isomorphic if and only if they have the same j-invariant. Moreover, given j0 ∈ K, there exists a Weierstrass model over K with j-invariant equal to j0.
Proof. The direct implication is trivial. Conversely, assume that two simplified Weierstrass models have the same j-invariant; then from
$$\frac{(4a)^3}{4a^3 + 27b^2} = \frac{(4a')^3}{4a'^3 + 27b'^2}$$
we get
$$a^3 b'^2 = a'^3 b^2.$$
• if a = 0 then b ≠ 0 (since ∆ ≠ 0) and we can take u = (b/b')^{1/6};
• if b = 0 then a ≠ 0 and we can take u = (a/a')^{1/4};
• if ab ≠ 0 then we can take u = (a/a')^{1/4} = (b/b')^{1/6}.
Finally, if j0 ≠ 0, 1728 we can compute that the j-invariant of
$$E : y^2 + xy = x^3 - \frac{36}{j_0 - 1728}\,x - \frac{1}{j_0 - 1728}$$
is j0. To complete the list one can use y² + y = x³ with j-invariant 0 and y² = x³ + x with j-invariant 1728.
This can be extended to all Weierstrass models (and then to characteristic 2 and 3) by defining c4 = b2² − 24b4 and j = c4³/∆.
1.2 The group law

1.2.1 Definition

The main reason to care about elliptic curves is that they carry an interesting structure, namely their points form a group under a certain addition law that we will describe now. Let P, Q ∈ E be two points, let L be the line connecting P and Q (tangent to E if P = Q) and let R be the third point of intersection of L with E, which exists by Bézout. Let L' be the line connecting R and O. Then P + Q is the residual point of intersection of L' and E.
Figure 1.2: Addition on an elliptic curve
Theorem 1.2.1. Let E/K be an elliptic curve. The previous operation is a commutative group law on E(K') for all extensions K' of K.
Proof. One has to prove several facts:
• P + O = P;
• P + Q = Q + P;
• if P ∈ E then there exists a point Q such that P + Q = O;
• if P, Q ∈ E(K) then P + Q ∈ E(K);
• for P, Q, R ∈ E one has (P + Q) + R = P + (Q + R).
Only the last point is not obvious. It can be proved by direct computation with the coordinates of the points, see TP 4. Another geometric proof is given in [Ful89, p.124].
1.2.2 Torsion points

Let E : y² + a1 xy + a3 y = x³ + a2 x² + a4 x + a6 be an elliptic curve over a field K. Since E(K̄) is a group, we can consider for all m ∈ Z the homomorphism [m] : E(K̄) → E(K̄) which associates to a point P the point mP. This map is given by polynomial expressions and is thus a morphism of curves. For a general elliptic curve over a field of characteristic 0, these endomorphisms are the only ones and so End(E) ≅ Z.
Remark 1.2.2. Here we consider only group endomorphisms. Obviously any translation by a point of E is also a morphism.
What is the structure of E[m] := ker([m])? To answer this question, we need the following lemma.
Lemma 1.2.3. If m is prime to p then the map [m] is separable and # ker([m]) = deg([m]) = m².
Proof. The first fact comes easily from the action of [m] on the regular differential and general results from algebraic geometry [Sil92, Cor.III.5.4]. The first equality can be proved using [Sil92, Prop.II.2.6, Th.III.4.10]. The second equality can be derived using duality [Sil92, Cor.III.6.4], an explicit computation with division polynomials [Was03, Sec.3.2] or an analogy with the complex torus over C.
Hence ker([m]), when m is prime to p, is a commutative group of order m² which is killed by multiplication by m: there is only one such group, namely (Z/mZ)².
The importance of this Z/mZ-module (even a vector space when m is prime) is that it enables us to linearize algebraic properties and to study them with the classical tools of linear algebra.
Remark 1.2.4. When m = p^r, one has either #ker([m]) = 1 or m.
1.2.3 The Weil pairing

The Weil pairing on the n-torsion points is a major tool in the study of elliptic curves. It also has important applications in cryptography. Let E be an elliptic curve over a perfect field K and let n be an integer not divisible by the characteristic of K. Then E[n] ≅ (Z/nZ)². Let µn = {x ∈ K̄ | xⁿ = 1} be the group of nth roots of unity in K̄. It is a cyclic group of order n and any generator ζ of µn is called a primitive nth root of unity.
Theorem 1.2.5. There exists a pairing
en : E[n] × E[n] → µn
called the Weil pairing. It satisfies the following properties:
1. en is bilinear in each variable. This means that
en(S1 + S2, T) = en(S1, T) en(S2, T)
and
en(S, T1 + T2) = en(S, T1) en(S, T2).
2. en is alternating: en(T, T) = 1 for all T ∈ E[n] and en(T, S) = en(S, T)⁻¹ for all S, T ∈ E[n].
3. en is nondegenerate. This means that if en(S, T) = 1 for all T ∈ E[n] then S = O, and also that if en(S, T) = 1 for all S ∈ E[n] then T = O.
4. en(σS, σT) = σ(en(S, T)) for all automorphisms σ ∈ Gal(K̄/K).
5. en(u(S), u(T)) = en(S, T)^{deg(u)} for all (separable) endomorphisms u ∈ End_{K̄}(E).
We will give proofs for this theorem in the last chapter. Presently we'll derive some consequences.
Corollary 1.2.6. Let {T1, T2} be a basis of E[n]. Then en(T1, T2) is a primitive nth root of unity.
Proof. Suppose en(T1, T2) = ζ with ζ^d = 1. Then en(T1, dT2) = 1. Let S ∈ E[n]; then S = aT1 + bT2, therefore
en(S, dT2) = en(T1, dT2)^a en(T2, dT2)^b = 1,
which implies dT2 = O and so n | d.
If u is an endomorphism, we obtain the action of u on the n-torsion by a matrix
$$u_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$$
with entries in Z/nZ describing the action of u on a basis {T1, T2} of E[n].
Corollary 1.2.7. We have det(u_n) ≡ deg(u) (mod n).
Proof. By Corollary 1.2.6, ζ = en(T1, T2) is a primitive nth root of unity. Then using property 5 of Theorem 1.2.5,
$$\zeta^{\deg(u)} = e_n(u(T_1), u(T_2)) = e_n(aT_1 + cT_2,\; bT_1 + dT_2) = e_n(T_1, T_1)^{ab}\, e_n(T_1, T_2)^{ad}\, e_n(T_2, T_1)^{cb}\, e_n(T_2, T_2)^{cd} = \zeta^{ad - bc}.$$
Hence we get the result.
2 Elliptic curves over finite fields

2.1 Number of points on elliptic curves over finite fields: theory

2.1.1 An example and an easy result

Example 2.1.1. Let us consider the elliptic curve E : y² = x³ + 2 over F7. One has
E(F7) = {O, (0, 3), (0, 4), (3, 1), (3, 6), (5, 1), (5, 6), (6, 1), (6, 6)}.
Hence there are 9 points on this curve.
Could we predict this result? Or at least give bounds for the number of points of an elliptic curve over a finite field k? An obvious upper bound, since for all x ∈ k there are at most two y which are solutions, is 2q + 1. Can we do better?
Example 2.1.2. The elliptic curve E : y² + y = x³ + x + 1 has only O as a rational point over F2.
Are there other examples of elliptic curves with no affine rational points? Infinitely many?
2.1.2 Hasse-Weil bound

We have seen that when p = 0 then in general the only endomorphisms are the multiplications by [m]. However, when K = k = Fq = F_{p^n} is a finite field, there exists another important morphism: the Frobenius endomorphism φq : E → E which maps a point (x, y) ∈ E(k̄) to (x^q, y^q). Let us check that it is an endomorphism of E:
$$(y^q)^2 + a_1 x^q y^q + a_3 y^q = (y^2 + a_1 xy + a_3 y)^q = (x^3 + a_2 x^2 + a_4 x + a_6)^q = (x^q)^3 + a_2 (x^q)^2 + a_4 x^q + a_6$$
since x ↦ x^q is k-linear. It also respects the addition since all the formulas have coefficients in k. Finally, for the same reason, it commutes with the action of [m], hence the subring of End(E) generated by the multiplication maps [m] and φq is a commutative ring, and the composition of elements of this ring will be denoted multiplicatively.
Lemma 2.1.3. A point (x, y) ∈ E(k̄) belongs to E(k) if and only if φq(x, y) = (x, y).
Since φ_{q^r} = φ_q^r for all r ≥ 1, we have the following useful result.
Lemma 2.1.4. ker(φ_q^r − 1) = E(F_{q^r}) for all r ≥ 1.
To continue, we need the following facts.
Lemma 2.1.5.
• deg(φq) = q;
• the map φ_q^r − 1 is separable and so # ker(φ_q^r − 1) = deg(φ_q^r − 1);
• the degree map d : End(E) → Z is a positive definite quadratic form (i.e. L(a, b) = (d(a + b) − d(a) − d(b))/2 is Z-bilinear).
Proof. The first and second points can be proved using some algebraic geometry [Sil92, Prop.II.2.11, Cor.III.5.5]. Since deg(u) ≥ 0 and the only morphisms of degree 0 are constant, it is clear that the map is positive definite. To prove that it is bilinear, we will use Corollary ??. Let u, v, w ∈ End(E) and let n be a prime big enough so that all congruences of the degrees modulo n are equalities in N. It is then enough to use the fact that the 2-dimensional determinant is a quadratic form to conclude.
The Cauchy-Schwarz inequality implies that $|d(a - b) - d(a) - d(b)| \le 2\sqrt{d(a)\,d(b)}$. Using this with a = φ_q^r and b = 1, we get
$$|d(\phi_q^r - 1) - d(\phi_q^r) - d(1)| \le 2\sqrt{d(1)\,d(\phi_q^r)},$$
that is,
$$|\#E(\mathbb{F}_{q^r}) - 1 - q^r| \le 2\sqrt{q^r}.$$
The last inequality is known as the Hasse-Weil bound.
2.1.3 A case of the Weil conjectures

The previous result has a beautiful consequence.
Theorem 2.1.6. Let E be an elliptic curve defined over Fq. Let a = q + 1 − #E(Fq). Then the Frobenius endomorphism satisfies the equation
φ_q² − [a]φ_q + [q] = 0.
Moreover a is the unique integer such that
a ≡ Tr((φ_q)_m) (mod m)
for all m coprime to p.
Proof. Let u = φ_q² − [a]φ_q + [q]. If u is not zero, then it has a finite kernel. We need to prove that u has an infinite kernel. To do so, let m be a positive integer coprime to p and
$$(\phi_q)_m = \begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix}.$$
Since φ_q − 1 is separable we have
# ker(φ_q − 1) = deg(φ_q − 1) ≡ det((φ_q)_m − I) ≡ αδ − βγ − (α + δ) + 1 (mod m).
On the other hand det((φ_q)_m) ≡ deg(φ_q) ≡ q (mod m) and since # ker(φ_q − 1) = q + 1 − a one has
Tr((φ_q)_m) = α + δ ≡ a (mod m).
By Cayley-Hamilton (if m is prime) or by a straightforward computation with matrices, we have
(φ_q)_m² − [a]_m (φ_q)_m + [q]_m I_m ≡ 0 (mod m).
(Note that X² − aX + q is the characteristic polynomial of (φ_q)_m.) This means that u is 0 on E[m]. As m can go to infinity, this means that u is 0.
Definition 2.1.7. The polynomial X² − aX + q is called the characteristic polynomial of the Frobenius (or Weil polynomial). The integer a is called the trace of the elliptic curve.
Remark 2.1.8. This formula is the first example of a beautiful theorem, true for any smooth projective (absolutely irreducible) algebraic variety over a finite field. This theorem is known as the Weil conjectures.
2.1.4 Supersingular elliptic curves
Let E be an elliptic curve over Fq. Remember that for the prime p, unlike other m coprime to p, one has #E[p] = p or 1.
Definition 2.1.9. The curve E is said to be supersingular if E[p] = {O}.
We can reformulate this definition in terms of the trace a.
Proposition 2.1.10. The curve E is supersingular if and only if a ≡ 0 (mod p).
Proof. With the notation of Exercise 10, assume that a ≡ 0 (mod p). One has
#E(F_{q^i}) = q^i + 1 − s_i ≡ 1 − s_i (mod p).
Since s_1 ≡ a ≡ 0 (mod p), by the induction formula s_i ≡ 0 (mod p), so
#E(F_{q^i}) ≡ 1 (mod p).
In particular there is no non-trivial p-torsion point.
Conversely, assume that a ≢ 0 (mod p). The recurrence formula implies that s_{i+1} ≡ a s_i (mod p), hence s_i ≡ a^i (mod p). Fermat's little theorem implies that a^{p−1} ≡ 1 (mod p), therefore #E(F_{q^{p−1}}) = q^{p−1} + 1 − s_{p−1} ≡ 0 (mod p). This means that E has a non-trivial p-torsion point and so E is not supersingular.
Corollary 2.1.11. Suppose p ≥ 5 is a prime. Then E/Fp is supersingular if and only if a = 0.
2.2 Number of points on elliptic curves over finite fields: practice

With the development of elliptic curve cryptography and the use of elliptic curves over large finite fields, several methods have been created to compute very efficiently the number of points on these objects. Unfortunately, they often rely on deep considerations (cohomology, canonical lift, deformation, complex multiplication, ...) and we will not be able to explain them here. However, we can give some easy ways to do this, which are less secure or slower.
2.2.1 Counting points

When p > 2, we can always write our elliptic curve as E : y² = f(x) with deg f = 3. Hence the number of points of E(Fp) is
$$\#E(\mathbb{F}_p) = 1 + p + \sum_{x \in \mathbb{F}_p} \left(\frac{f(x)}{p}\right),$$
where (·/p) is the Legendre symbol. Obviously the complexity is O(p) and one can reach in this way p ≈ 2^30.
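As an added example (not code from the notes), the Legendre-symbol count above, the trace a of Sec. 2.1.3, the supersingularity test of Prop. 2.1.10 and the extension counts of Sec. 2.2.3 for the curve y² = x³ + 2 over F7 of Example 2.1.1; the recurrence for the power sums s_i = αⁱ + βⁱ is Newton's identity for the Weil polynomial, which the notes leave to Exercise 10.

```python
def legendre(a, p):
    """Legendre symbol (a/p) for an odd prime p, via Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(a4, a6, p):
    """#E(F_p) for E: y^2 = x^3 + a4 x + a6 and an odd prime p (Sec. 2.2.1):
    each x gives 1 + (f(x)/p) affine points; add 1 for the point O."""
    assert p > 2 and (4 * a4**3 + 27 * a6**2) % p != 0, "singular curve"
    return 1 + p + sum(legendre(x**3 + a4 * x + a6, p) for x in range(p))

def count_points_bruteforce(a1, a2, a3, a4, a6, p):
    """Naive O(p^2) count for a general Weierstrass equation over F_p (any prime p),
    e.g. y^2 + y = x^3 + x + 1 over F_2 from Example 2.1.2."""
    n = 1                                        # the point at infinity
    for x in range(p):
        for y in range(p):
            lhs = y * y + a1 * x * y + a3 * y
            rhs = x**3 + a2 * x * x + a4 * x + a6
            n += (lhs - rhs) % p == 0
    return n

def trace(a4, a6, p):
    """Trace a of the Frobenius (Def. 2.1.7): #E(F_p) = p + 1 - a."""
    a = p + 1 - count_points(a4, a6, p)
    assert a * a <= 4 * p, "Hasse-Weil bound violated"
    return a

def is_supersingular(a4, a6, p):
    """Prop. 2.1.10: E/F_p is supersingular iff a = 0 (mod p)."""
    return trace(a4, a6, p) % p == 0

def extension_counts(q, a, n):
    """#E(F_{q^i}) for i = 1..n from the trace a over F_q (Sec. 2.2.3).
    With X^2 - aX + q = (X - alpha)(X - beta) one has #E(F_{q^i}) = q^i + 1 - s_i,
    s_i = alpha^i + beta^i, and the power sums satisfy the Newton recurrence
    s_0 = 2, s_1 = a, s_{i+1} = a s_i - q s_{i-1}."""
    s_prev, s = 2, a
    counts = []
    for i in range(1, n + 1):
        counts.append(q**i + 1 - s)
        s_prev, s = s, a * s - q * s_prev
    return counts
```

Every #E(F_{7^i}) returned by extension_counts(7, -1, n) is a multiple of #E(F_7) = 9, which is the loss of prime order mentioned in Sec. 2.2.3.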
2.2.2 Baby steps-giant steps

This is based on the Hasse-Weil bound
$$|p + 1 - \#E(\mathbb{F}_p)| < 2\sqrt{p}.$$
The idea is to pick a random point P ∈ E(Fp) and to compute an integer m ∈ (p + 1 − 2√p, p + 1 + 2√p) such that mP = O. If m is the only such number in the interval, it follows that m = #E(Fp). It is easy and fast to pick a point P randomly by choosing an x and seeing if f(x) is a square.
Baby steps: make a list of the first s = ⌈p^{1/4}⌉ multiples of P. Note that we know −iP as well. Next compute Q = [2s]P and R = [p + 1]P.
Giant steps: compute R, R ± Q, R ± 2Q, ..., R ± tQ where t = ⌊2√p/(2s)⌋ ≈ p^{1/4}. Now Theorem 2.1.6 tells us that
$$[p + 1]P - [\#E(\mathbb{F}_p)]P = [k]P, \qquad k \in \{-2\sqrt{p} + 1, \ldots, 2\sqrt{p} - 1\}.$$
This means that R = [k]P. We can write k = (2s)i + j with i = ⌊k/(2s)⌉ ∈ {0, ±1, ..., ±t} (the closest integer). For instance, let us assume k positive and the fractional part of k/(2s) less than 1/2 (resp. greater than 1/2); then k/(2s) − 1/2 ≤ i ≤ k/(2s) (resp. k/(2s) ≤ i ≤ k/(2s) + 1/2) and so j ∈ {0, ±1, ..., ±s}. Hence R − [i]Q = [j]P is a match. Putting m = p + 1 − (2s)i − j we get mP = O, and we get an algorithm in O(p^{1/4}).
Remark 2.2.1. To avoid the problem that m is not the only such number in the interval, Mestre showed that one can work simultaneously with the curve and its quadratic twist.
This improves the previous method but it is still exponential.
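An added example (not code from the notes) serving both the chord-and-tangent law of Sec. 1.2.1 and the baby-step giant-step procedure above: a minimal curve class over F_p (p > 3) with the group law, scalar multiplication, point selection by Euler's criterion, and bsgs_orders, which returns every m in the Hasse-Weil interval with [m]P = O so that the uniqueness condition of the text can be checked rather than assumed. The square-root shortcut for p ≡ 3 (mod 4) and the O(p²) reference count are simplifications for the demonstration, not part of the algorithm.

```python
import math

class Curve:
    """E: y^2 = x^3 + a4 x + a6 over F_p, p > 3.  Points are (x, y) tuples;
    the point at infinity O is None."""

    def __init__(self, a4, a6, p):
        assert p > 3 and (4 * a4**3 + 27 * a6**2) % p != 0, "singular curve"
        self.a4, self.a6, self.p = a4 % p, a6 % p, p

    def contains(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - x**3 - self.a4 * x - self.a6) % self.p == 0

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent law (Sec. 1.2.1): the line through P and Q (the
        tangent if P = Q) meets E in a third point R; P + Q is the residual
        intersection of the line through R and O, i.e. -R."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                                   # Q = -P: vertical line
        if P == Q:
            lam = (3 * x1 * x1 + self.a4) * pow(2 * y1, -1, p) % p   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p                # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):
        """[k]P by double-and-add; a negative k uses -P."""
        if k < 0:
            k, P = -k, self.neg(P)
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def find_point(self, x=0):
        """First affine point with abscissa >= x: test whether f(x) is a square
        (Euler's criterion).  The root uses the p = 3 (mod 4) shortcut; a general
        implementation would use Tonelli-Shanks."""
        assert self.p % 4 == 3
        while True:
            f = (x**3 + self.a4 * x + self.a6) % self.p
            if f == 0 or pow(f, (self.p - 1) // 2, self.p) == 1:
                return (x, pow(f, (self.p + 1) // 4, self.p))
            x += 1

    def count_naive(self):
        """O(p^2) reference count, used only to check bsgs_orders."""
        return 1 + sum(self.contains((x, y))
                       for x in range(self.p) for y in range(self.p))

    def bsgs_orders(self, P):
        """Baby-step giant-step of Sec. 2.2.2.  Returns every m in the Hasse-Weil
        interval with [m]P = O; if there is exactly one, it is #E(F_p), otherwise
        another point (or Mestre's twist trick) is needed."""
        p = self.p
        s = math.ceil(p ** 0.25)
        baby = {None: [0]}              # point -> all j in [-s, s] with [j]P = point
        jP = None
        for j in range(1, s + 1):       # baby steps: [j]P and -[j]P
            jP = self.add(jP, P)
            baby.setdefault(jP, []).append(j)
            baby.setdefault(self.neg(jP), []).append(-j)
        Q = self.mul(2 * s, P)
        R = self.mul(p + 1, P)
        t = math.ceil(2 * math.sqrt(p) / (2 * s)) + 1
        found = set()
        for i in range(-t, t + 1):      # giant steps: R - [i]Q for |i| <= t
            T = self.add(R, self.mul(-i, Q))
            for j in baby.get(T, []):
                k = 2 * s * i + j       # R = [k]P, hence [p + 1 - k]P = O
                if k * k <= 4 * p:      # keep only |p + 1 - m| <= 2 sqrt(p)
                    found.add(p + 1 - k)
        return sorted(found)
```

On y² = x³ + 2 over F7 the point (0, 3) has order 3, so bsgs_orders returns four candidates (3, 6, 9, 12) and a second point is needed; on a larger field a point of large order usually singles out #E(F_p) on its own.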
2.2.3 To work with extensions

Let E/Fq be an elliptic curve over a small field where we can easily compute its number of points N. Let t = 1 + q − N and write P(X) = X² − tX + q = (X − α)(X − β). Then we can use Exercise 10 to get the number of points over a large extension: indeed the characteristic polynomial over F_{q^n} is given by the resultant of P(X) and z − X^n. However, note that #E(Fq) | #E(F_{q^n}), hence we necessarily lose a bit of efficiency since we do not get a prime order. As there are also attacks on the DL problem for certain primes and certain extension degrees, this method is generally considered as less safe.
2.2.4 Schoof method

In 1985 Schoof was the first to describe a polynomial time algorithm to count the number of points on an elliptic curve E over a large prime field Fp. In the remainder of this section, we will assume that p > 3 and E : y² = x³ + a4 x + a6 with a4, a6 ∈ Fp.
Recall that |E(Fp)| = p + 1 − t with t the trace of the Frobenius endomorphism φp, and by Hasse's theorem we have |t| ≤ 2√p. The main idea of Schoof's algorithm is to compute t modulo various small primes ℓ1, ..., ℓr such that
$$\prod_{i=1}^{r} \ell_i > 4\sqrt{p}.$$
The trace t can then be determined using the Chinese Remainder Theorem and the group order follows. If the largest prime ℓr is of order O(log p) then, from the prime number theorem, it follows that r can be taken as O(log p / log log p).
To illustrate the idea, we show how to compute t (mod 2). Since p is an odd prime, we have |E(Fp)| ≡ t (mod 2), so t ≡ 0 (mod 2) if and only if E(Fp) has a nontrivial Fp-rational point of order two. The nontrivial points of order two are given by (ξi, 0) with ξi a root of X³ + a4 X + a6. Therefore, if X³ + a4 X + a6 is irreducible over Fp we have t ≡ 1 (mod 2); otherwise, t ≡ 0 (mod 2). Note that the polynomial X³ + a4 X + a6 is irreducible over Fp if and only if gcd(X³ + a4 X + a6, X^p − X) = 1. The computation of t (mod 2) thus boils down to polynomial arithmetic modulo X³ + a4 X + a6.
More generally, we obtain the trace t modulo a prime ℓ > 2 by computing with the ℓ-torsion points.
Remark 2.2.2. One can use powers of ℓ when ℓ is small as well to get higher congruences. We will not look at this.
Recall that the Frobenius endomorphism φp is defined by φp : E(F̄p) → E(F̄p) : (x, y) ↦ (x^p, y^p) and that it cancels its characteristic polynomial, i.e.
φ_p² − [t]φ_p + [p] = 0.
2.2. Number of points on elliptic curves over finite fields: practice
13
By restricting to nontrivial ℓ-torsion points P ∈ E(F_p) we obtain the reduced equation in the F_ℓ-vector
space E[ℓ](F_p)
$\phi_p^2(P) + [p_\ell]P = [t_\ell]\phi_p(P)$
with t_ℓ ≡ t (mod ℓ), p_ℓ ≡ p (mod ℓ) and 0 ≤ t_ℓ, p_ℓ < ℓ.
P = (x_1, y_1) is a nontrivial ℓ-torsion point if and only if x_1 is a root of the ℓ-th division polynomial F_ℓ
(because ℓ > 2, see Exercise 7 for F_3). The nontrivial ℓ-torsion points can therefore be described as the
solutions of the system of equations
$Y^2 - X^3 - a_4 X - a_6 = 0, \qquad F_\ell(X) = 0.$
This implies that the equation
$(X^{p^2}, Y^{p^2}) + [p_\ell](X, Y) = [t_\ell](X^p, Y^p)$
holds modulo the polynomial F_ℓ(X) and E(X, Y) = Y^2 − X^3 − a_4 X − a_6. To compute t_ℓ one simply tries all
τ ∈ {0, …, ℓ − 1} until the unique value τ for which the equation is true modulo F_ℓ(X) and E(X, Y) is found.
The computation of [a](X, Y) is done using division polynomials and the classical formulas. Recall
that for gcd(ℓ, p) = 1 we have E[ℓ] ≅ Z/ℓZ × Z/ℓZ and thus deg(F_ℓ) = (ℓ^2 − 1)/2 (when ℓ ≠ 2). The
computation of (X^p, Y^p) and (X^{p^2}, Y^{p^2}) modulo F_ℓ and E(X, Y) clearly takes O(log p) multiplications
in the ring F_p[X, Y]/(E(X, Y), F_ℓ(X)). Since deg F_ℓ is of order O(ℓ^2), each of these multiplications takes
O(ℓ^{2μ} log^μ p) bit-operations, so computing t (mod ℓ) requires O(ℓ^{2μ} log^{1+μ} p) bit-operations. Summing over
all primes ℓ_i this gives a complexity of O(log^{2+3μ} p) bit-operations.
Remark 2.2.3. Recall that 1 < μ ≤ 2 depends on the algorithm used for multiplication: school-book
multiplication (μ = 2), Karatsuba (μ = log_2 3) or FFT (μ = 1 + ε). The choice of Karatsuba or FFT only
becomes relevant for very large fields (much larger than cryptographic sizes in the case of FFT).
Note that if we could replace the division polynomials F_ℓ by alternative polynomials of lower degree,
the complexity of the algorithm would drop considerably. This is part of the improvements of Atkin and
Elkies leading to the so-called Schoof-Elkies-Atkin (SEA) algorithm. The last record is a computation with
an elliptic curve over F_p with p = 10^{2099} + 6243.
3 Cryptography
3.1 Cryptographic protocols
3.1.1 Encryption scheme
The main (historically at least) object of cryptography is to make it possible for two persons to exchange data
through a channel without any unauthorized third person spying on this channel being able to get any piece
of information from the data. In general, the scheme to do this is summarized in the following definition.
Definition 3.1.1. A cryptosystem is a triple (P, C, K) such that:
1. P is a finite set of possible plaintexts;
2. C is a finite set of possible ciphertexts;
3. K is a finite set of possible keys;
4. for each e ∈ K, there exists a d ∈ K such that there exist an encryption function E_e : P → C and a
decryption function D_d : C → P satisfying D_d ∘ E_e = Id.
In the case where e = d, one speaks about symmetric or secret key cryptosystems. Obviously, the key e
must be secret.
If e and d are distinct, one speaks about asymmetric or public key cryptosystems. In such a system the
encryption key can be made public, so e is called the public key and d is called the private key.
Figure 3.1: symmetric vs asymmetric systems
There are plenty of asymmetric encryption schemes, the most well-known being RSA. However, they
are in general slower than symmetric encryption schemes like AES. This is why one generally prefers to
use the latter. The question is then: how to secretly exchange a secret key over an open channel? We
describe here the elementary Diffie-Hellman key exchange protocol.
3.1.2 Diffie-Hellman protocol
A and B want to construct a secret key k. They take a cyclic group (G = ⟨g⟩, ×) of prime order p (big
enough, see Section 3.2.3) and proceed as follows.
A chooses 0 < n < p − 1 which is kept secret;
B chooses 0 < m < p − 1 which is kept secret;
A sends g^n to B and B sends g^m to A;
A and B compute k = g^{mn}.
The secrecy of k relies on the difficulty of computing g^{mn} knowing g^m and g^n: this is the so-called Computational Diffie-Hellman problem (CDH). It is of course an easy problem if the Discrete Logarithm Problem
(DLP) is easy: given g and g^m, compute m. The converse is not known, but one does not know examples
where CDH is easy and DLP is not. For some prime numbers, it has been proved that the two problems are
equivalent. More precisely, if p − 1 is not divisible by the square of a big prime number, then CDH is not
easier than DLP (see [MW99]).
This protocol has however a severe weakness. The middle-man attack (see Fig. 3.2) is an attack which
can be mounted on this protocol by an active attacker: the attacker O intercepts the exchanges between A
and B. He then constructs a common key with A and a common key with B. He can then give
A and B the impression of a secure communication whereas he can of course decipher all the messages.
Figure 3.2: Middle-man attack
3.1.3 Signature
Signatures make it possible to avoid the middle-man attack. Indeed, Alice and Bob not only exchange g^n and g^m
but send these messages together with their signatures. More specifically, a signature is a mechanism to prove
authentication of the sender, integrity of data and non-repudiation. We present here an algorithm based
on elliptic curves. But first we need the notion of hash function.
Definition 3.1.2. Let Σ be an alphabet. Denote by Σ* the set of all words. A hash function is a map
h : Σ* → S to some set S of cardinality n.
Example 3.1.3. The map that sends b_1 … b_k in {0, 1}* to b_1 ⊕ … ⊕ b_k is a hash function.
For cryptographic purposes, we add two conditions:
• it must be hard to determine a pre-image of an element;
• it must be collision resistant, which means that it is practically impossible to find two messages
x_1, x_2 such that h(x_1) = h(x_2).
As h is never injective, these two properties can only be achieved because of the intractability of the
computations. Due to the birthday paradox, the second condition requires a size of n which is nowadays
128 bits at least.
Example 3.1.4. Among the current hash functions, let us mention: SHA0, SHA1 (Secure Hash Algorithm)
on 128, 160, 224, 256, 384, 512 bits, MD5 (Message Digest) on 128 bits, Whirlpool on 512 bits (this one has
been selected by NESSIE).
Note that some of these functions have recently been successfully attacked (i.e. collisions have been found): SHA0
and MD5 have been broken (see Le Monde 01/01/09).
We now present the ElGamal signature scheme, here for elliptic curves. Alice chooses an elliptic curve
E/F_q, a point A ∈ E(F_q) of prime order ℓ, an integer a and computes B = aA. She finally chooses a hash
function h : {0, 1}* → F_ℓ and a function f : E(F_q) → Z. For example if F_q = F_p, she can use f(x, y) = x
seen as an integer between 0 and p − 1.
Public key: (E, F_q, h, f, A, B);
Secret key: a ∈ [0, ℓ − 1];
Signature: y → (y, R, s) with R = kA, s ≡ k^{-1}(m − a f(R)) (mod ℓ), where m = h(y)
and k ∈ [1, ℓ − 1] is different for each signature;
Verification: compute m = h(y); compute V = mA and W = f(R)B + sR; check
that V = W.
Finding the secret key is equivalent to solving an instance of the DLP. Also it is not difficult to see that if a
message y and R are fixed, finding a valid s is also an instance of the DLP: sR = V − f(R)B.
It is important to change the value of k. Suppose that y_1 and y_2 are signed by s_1, s_2 with the same k.
Then R = kA is the same. Therefore s_1 − s_2 ≡ k^{-1}(h(y_1) − h(y_2)) (mod ℓ). From this congruence k can
be determined if h(y_1) ≠ h(y_2) (which is the case as h is collision resistant), and the adversary can then find the
secret key a. See also Exercise 17 for the importance of the hash function.
We have now moved from the problem of distributing secret keys to the problem of authentically distributing public keys. Such a problem is usually solved by a certification authority which can assure you
that a given public key really belongs to someone. The reality is however still messy nowadays (attacks on
the chain of certifications, revocation, …). For another point of view, see Section 4.4.
3.1.4 Some groups for the DLP
Let us mention some groups one could think about:
• (Z/pZ, +) is not an option, as solving the DLP amounts to the Euclidean algorithm, which is fast.
• (F_q^*, ×): in this case, one knows sub-exponential attacks based on index calculus, which makes it as
hard to attack as RSA, which is based on factorization.
• E(F_q): in general, the best known attack is exponential in complexity; see however Section 3.3 for
exceptions.
In terms of the size of the parameters n or F_q in bits, this gives the following comparison.
| year | symmetric cryptosystems | RSA modulus n or DL in F_q^* | size of the group for general DL over F_q | elliptic curves | number of years on a PII 450 MHz |
|------|----|------|-----|-----|--------------|
| 1982 | 56 | 417 | 102 | 105 | 1.11 × 10^3 |
| 2005 | 74 | 1149 | 131 | 139 | 2.26 × 10^8 |
| 2010 | 78 | 1369 | 138 | 146 | 3.22 × 10^9 |
| 2015 | 82 | 1613 | 145 | 154 | 4.59 × 10^10 |
| 2020 | 86 | 1881 | 151 | 188 | 6.54 × 10^11 |
| 2025 | 89 | 2174 | 158 | 169 | 9.33 × 10^12 |
| 2030 | 93 | 2493 | 165 | 176 | 1.33 × 10^14 |
| 2040 | 101 | 3214 | 179 | 191 | 2.7 × 10^16 |
Lately, the factorization of a 768 bit RSA modulus has been announced (http://eprint.iacr.org/2010/006).
It might seem strange to work with elliptic curves since they carry so much structure because of the
geometry. However, the geometric constraints do not look so evident over big finite fields, as shown in
Figure 3.3.
Figure 3.3: Rational points of E/F_p : y^2 = x^3 + x + 1 with p = 101, 2003 and 10007
3.2 General attacks on DLP and index calculus
We will present several attacks on the DLP. The first four are exponential. The last one is subexponential.
Note that the biggest DLP which has been solved is in (F_{2^613}^*, ×).
Enumeration
The simplest method for computing the DL x from α^x = y in G is to test whether x = 0, 1, 2, … satisfies
the equation. Of course, as soon as the group is large (60 bits), this method is no longer feasible.
3.2.1 Shanks Baby-Step Giant-Step
We set m = ⌈√n⌉ and write x = qm + r with 0 ≤ r, q < m. We have
$\alpha^{qm+r} = y \Rightarrow (\alpha^m)^q = y\alpha^{-r}.$
First we compute the set of baby-steps
$B = \{(y\alpha^{-r}, r),\ 0 \le r < m\}.$
If we find a pair (1, r) then y = α^r. If we do not find such a pair, we compute δ = α^m. Then we test for
q = 1, 2, …, m whether the element δ^q is the first component of an element of B. As soon as it is, we
have a solution of the DLP. The elements δ^q are called giant steps.
It is easy to see that this algorithm runs in O(√#G) operations. Note that it also requires storage for O(√#G)
elements.
3.2.2 The Pollard ρ-algorithm
This algorithm has the same running time as the previous one but it only requires constant storage.
We need a partition G_1 ⊔ G_2 ⊔ G_3 = G. Let f : G → G be defined by
$f(\beta) = \begin{cases} \alpha\beta & \text{if } \beta \in G_1, \\ \beta^2 & \text{if } \beta \in G_2, \\ y\beta & \text{if } \beta \in G_3. \end{cases}$
We choose a random x_0 ∈ {1, …, n} and compute β_0 = α^{x_0}. Then we compute the sequence
$\beta_{i+1} = f(\beta_i).$
The elements of this sequence can be written as
$\beta_i = \alpha^{x_i} y^{\delta_i}$
where δ_0 = 0 and
$x_{i+1} = \begin{cases} x_i + 1 \pmod n & \text{if } \beta_i \in G_1, \\ 2x_i \pmod n & \text{if } \beta_i \in G_2, \\ x_i & \text{if } \beta_i \in G_3, \end{cases}$
and
$\delta_{i+1} = \begin{cases} \delta_i & \text{if } \beta_i \in G_1, \\ 2\delta_i \pmod n & \text{if } \beta_i \in G_2, \\ \delta_i + 1 \pmod n & \text{if } \beta_i \in G_3. \end{cases}$
At some point, two elements in the sequence (β_i) must be equal, say β_{i+k} = β_i. This implies
$\alpha^{x_i} y^{\delta_i} = \alpha^{x_{i+k}} y^{\delta_{i+k}}$
and therefore
$\alpha^{x_i - x_{i+k}} = y^{\delta_{i+k} - \delta_i}.$
We obtain a congruence
$x_i - x_{i+k} \equiv x(\delta_{i+k} - \delta_i) \pmod n.$
The solution is unique if δ_{i+k} − δ_i is invertible modulo n. If the solution is not unique then the discrete
logarithm can be found by testing the different possibilities modulo n. If there are too many possibilities
then the algorithm is applied with a different x_0.
We estimate the number of β_i that must be computed before a match is found. By the birthday paradox, if
we compute O(√#G) elements then a match is found with probability greater than 1/2.
Thus far, our algorithm is no better than the previous one. The advantage is that we do not need to store
as many elements. Initially (β_1, x_1, δ_1) is stored. Now suppose that at a certain point in the algorithm
(β_i, x_i, δ_i) is stored. Then (β_j, x_j, δ_j) is computed for j = i + 1, i + 2, … until either a match is found or
j = 2i. In the latter case we delete β_i and store β_{2i}. Hence we only store the triples with i = 2^k. This
works for the following reason: the sequence (β_i) is periodic after a certain number s of iterations (with the
first match as end point). If l is the length of the period, then as soon as 2^j ≥ max(s, l) a period is contained
in the interval [2^j, …, 2^{j+1}] and a match can be found.
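The ρ-method above, written out in Python as an added example that is not code from the notes. The group is (Z/2017Z)^* with generator 5 (the setting of Example 3.2.1 below); the partition G_1, G_2, G_3 is taken to be the residue of β modulo 3 and the triples are kept only for indices 2^k, exactly as described; both the partition and the restart rule with x_0 + 1 are constructed choices.

```python
# Added example: Pollard rho for alpha^x = y in (Z/mod Z)^*, alpha of order n.
# Partition (constructed choice): G_1, G_2, G_3 = {beta mod 3 == 0, 1, 2}.
from math import gcd


def rho_step(beta, x, d, alpha, y, mod, n):
    """One application of f together with the (x_i, delta_i) bookkeeping of the notes."""
    c = beta % 3
    if c == 0:                                     # G_1: alpha * beta
        return beta * alpha % mod, (x + 1) % n, d
    if c == 1:                                     # G_2: beta^2
        return beta * beta % mod, 2 * x % n, 2 * d % n
    return beta * y % mod, x, (d + 1) % n          # G_3: y * beta


def pollard_rho(alpha, y, mod, n, x0=1, max_candidates=64):
    """Return x with alpha^x = y. Only the triple with index 2^k is kept; a match
    beta_j = beta_{2^k} gives x_{2^k} - x_j = x (delta_j - delta_{2^k}) (mod n).
    If that congruence has more than max_candidates solutions, restart with x0 + 1."""
    y %= mod
    while True:
        beta, x, d = pow(alpha, x0, mod), x0 % n, 0
        stored, i, next_reset = (beta, x, d), 0, 1
        while True:
            beta, x, d = rho_step(beta, x, d, alpha, y, mod, n)
            i += 1
            if beta == stored[0]:                  # match with the stored element
                break
            if i == next_reset:                    # i = 2^k: replace the stored triple
                stored, next_reset = (beta, x, d), 2 * i
        a, b = (stored[1] - x) % n, (d - stored[2]) % n   # a = x * b (mod n)
        g = gcd(b, n)
        if g <= max_candidates:                    # at most g solutions modulo n
            n_g = n // g
            base = (a // g) * pow(b // g, -1, n_g) % n_g if n_g > 1 else 0
            for t in range(g):
                cand = base + t * n_g
                if pow(alpha, cand, mod) == y:
                    return cand
        x0 += 1
```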
3.2.3 The Pohlig-Hellman algorithm
We now show that the DLP can be reduced to DLPs in cyclic groups of prime order if we know the
factorization
$n = \#G = \prod_p p^{e(p)}.$
1. Reduction to prime powers. For each prime divisor p of n, we set
$n_p = n/p^{e(p)}, \qquad \alpha_p = \alpha^{n_p}, \qquad y_p = y^{n_p}.$
Then the order of α_p is exactly p^{e(p)} and
$\alpha_p^x = y_p.$
Assume we can solve the DLP in the prime power subgroups and call x(p) the results. Then the
Chinese Remainder Theorem shows that x is the unique solution of the congruences
$x \equiv x(p) \pmod{p^{e(p)}}.$
2. Reduction to prime order. Let us now assume that #G = p^e for a prime p. We want to solve the DLP
in this group. We have x < p^e so let us write (in base p)
$x = x_0 + x_1 p + \dots + x_{e-1} p^{e-1}, \qquad 0 \le x_i < p, \qquad 0 \le i \le e-1.$
We show that the x_i are DLPs in a group of order p. Indeed, one has
$p^{e-1} x = x_0 p^{e-1} + p^e (x_1 + x_2 p + \dots + x_{e-1} p^{e-2}).$
Now
$(\alpha^{p^{e-1}})^{x_0} = y^{p^{e-1}}.$
This equation shows that x_0 is the DL in a group of order p. The other coefficients are determined
recursively. Suppose that x_0, …, x_{i−1} have been determined. Then
$\alpha^{x_i p^i + \dots + x_{e-1} p^{e-1}} = y\, \alpha^{-(x_0 + x_1 p + \dots + x_{i-1} p^{i-1})}.$
Denote the right-hand side by y_i; one has, by raising to the power p^{e−i−1},
$(\alpha^{p^{e-1}})^{x_i} = y_i^{p^{e-i-1}}.$
We have then reduced the DLP in G to e DLPs in a group of prime order.
3. Prime order. One applies one of the two previous algorithms (i.e. 3.2.1 or 3.2.2).
We see easily that the running time is dominated by the square root of the largest prime divisor of #G.
Example 3.2.1. Let us solve 5^x ≡ 3 (mod 2017). The order of the multiplicative group is n = 2016 = 2^5 · 3^2 · 7.
First we determine x(2) ≡ x (mod 2^5). We obtain x(2) as a solution of the congruence
$(5^{3^2 \cdot 7})^{x(2)} \equiv 3^{3^2 \cdot 7} \pmod{2017}.$
To solve this congruence, we write
$x(2) = x_0(2) + \dots + x_4(2) \cdot 2^4.$
The coefficient x_0(2) is the solution of
$2016^{x_0(2)} \equiv 1 \pmod{2017}.$
We obtain x_0(2) = 0. Now y_1 = y. Then x_1(2) is the solution of
$2016^{x_1(2)} \equiv 2016 \pmod{2017}.$
We obtain x_1(2) = 1 and y_2 ≡ 1579 (mod 2017). Hence x_2(2) is the solution of
$2016^{x_2(2)} \equiv 2016 \pmod{2017}.$
We obtain x_2(2) = 1 and y_3 ≡ 1 (mod 2017), so x_3(2) = x_4(2) = 0. Concluding these computations, we
obtain x(2) = 6.
Now we compute
$x(3) = x_0(3) + x_1(3) \cdot 3.$
We obtain x_0(3) as the solution of
$294^{x_0(3)} \equiv 294 \pmod{2017},$
so x_0(3) = 1 and y_1 ≡ 294 (mod 2017). Hence x_1(3) = 1 and x(3) = 4.
Finally we compute x(7) as the solution of the congruence
$1879^{x(7)} \equiv 1879 \pmod{2017},$
so x(7) = 1. We obtain x as the solution of the simultaneous congruences
$x \equiv 6 \pmod{32}, \qquad x \equiv 4 \pmod{9}, \qquad x \equiv 1 \pmod{7}.$
The solution is x = 1030.
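Shanks' baby-step giant-step of Section 3.2.1 and the two Pohlig-Hellman reductions above, applied to the example 5^x ≡ 3 (mod 2017) just worked out; this is Python code added for illustration, not code from the notes. It assumes the group (Z/2017Z)^* with generator 5 of order 2016, as in the example, and uses trial division for the factorization of n.

```python
# Added example: baby-step giant-step and Pohlig-Hellman in (Z/mod Z)^*.
# Notation follows the notes: alpha has order n and we look for x with alpha^x = y.
from math import isqrt


def factorize(n):
    """Trial division: n = prod p^e(p), returned as {p: e(p)}."""
    fac, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            fac[d] = fac.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        fac[n] = fac.get(n, 0) + 1
    return fac


def bsgs(alpha, y, mod, order):
    """Shanks: x = qm + r with m = ceil(sqrt(order)), so (alpha^m)^q = y alpha^-r."""
    m = isqrt(order) + 1
    alpha_inv = pow(alpha, -1, mod)
    baby, cur = {}, y % mod
    for r in range(m):                     # baby steps: (y alpha^-r, r)
        baby.setdefault(cur, r)
        cur = cur * alpha_inv % mod
    delta, cur = pow(alpha, m, mod), 1     # giant step delta = alpha^m
    for q in range(m + 1):                 # test delta^q for q = 0 .. m
        if cur in baby:
            return (q * m + baby[cur]) % order
        cur = cur * delta % mod
    return None


def prime_power_dlog(alpha, y, mod, p, e):
    """Step 2 of the notes: alpha of order p^e, x = x_0 + x_1 p + ... digit by digit,
    each digit being a DLP in the order-p subgroup generated by alpha^(p^(e-1))."""
    x, base = 0, pow(alpha, p ** (e - 1), mod)
    for i in range(e):
        y_i = y * pow(alpha, -x, mod) % mod           # y alpha^-(x_0 + ... + x_{i-1} p^{i-1})
        digit = bsgs(base, pow(y_i, p ** (e - i - 1), mod), mod, p)
        x += digit * p ** i
    return x


def crt(residues):
    """Chinese remainder theorem for [(r_1, m_1), ...] with pairwise coprime moduli."""
    x, mod = 0, 1
    for r, m in residues:
        x += mod * ((r - x) * pow(mod, -1, m) % m)
        mod *= m
    return x % mod


def pohlig_hellman(alpha, y, mod, n):
    """Step 1 of the notes: one DLP per prime power dividing n, recombined by CRT."""
    residues = []
    for p, e in factorize(n).items():
        n_p = n // p ** e
        x_p = prime_power_dlog(pow(alpha, n_p, mod), pow(y, n_p, mod), mod, p, e)
        residues.append((x_p, p ** e))
    return crt(residues)
```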
3.2.4 Index calculus
When G = (Z/pZ)^* or more generally the unit group of a finite field, there are more efficient DL algorithms,
the so-called index calculus algorithms. They are closely related to integer factoring algorithms such as the
quadratic sieve. We describe a simple index calculus algorithm.
The idea. Let p be a prime number, α a primitive element modulo p and y ∈ {1, …, p − 1}. We want
to solve α^x ≡ y (mod p). We choose a bound B and determine the set
$F(B) = \{q \in \text{Primes},\ q \le B\}.$
This is the factor base. An integer b is called B-smooth if it has only prime factors in F(B). We proceed in
two steps. First we compute the discrete logarithms of the factor base elements, i.e. we solve
$\alpha^{x(q)} \equiv q \pmod p$
for all q ∈ F(B). Then we determine an exponent δ ∈ {1, …, p − 1} such that yα^δ (mod p) is B-smooth.
We obtain
$y\alpha^\delta \equiv \prod_{q \in F(B)} q^{e(q)} \pmod p.$
Together,
$y\alpha^\delta \equiv \prod_{q \in F(B)} q^{e(q)} \equiv \prod_{q \in F(B)} \alpha^{x(q)e(q)} \equiv \alpha^{\sum_{q \in F(B)} x(q)e(q)} \pmod p,$
and hence
$y \equiv \alpha^{\sum_{q \in F(B)} x(q)e(q) - \delta} \pmod p.$
Therefore,
$x \equiv \sum_{q \in F(B)} x(q)e(q) - \delta \pmod{p-1}. \qquad (3.1)$
Discrete logarithms of the factor base elements. To compute the discrete logarithms of the factor base
elements, we choose random numbers z ∈ {1, …, p − 1} and compute α^z (mod p). We check whether those
numbers are B-smooth. If they are, we compute the decomposition
$\alpha^z \pmod p = \prod_{q \in F(B)} q^{f(q,z)}.$
Each exponent vector (f(q, z))_{q∈F(B)} is called a relation. If we find as many relations as there are factor
base elements, then we try to find the discrete logarithms by solving a linear system. We obtain
$\alpha^z \equiv \prod_{q \in F(B)} q^{f(q,z)} \equiv \prod_{q \in F(B)} \alpha^{x(q)f(q,z)} \equiv \alpha^{\sum_{q \in F(B)} x(q)f(q,z)} \pmod p.$
This implies
$z \equiv \sum_{q \in F(B)} x(q)f(q,z) \pmod{p-1}$
for all z, so each relation yields one linear congruence. The system is solved with standard methods.
Individual logarithms. Once the discrete logarithms of the factor base elements are computed, the
discrete logarithm of y to the base α is determined as follows. We choose a random δ ∈ {1, …, p − 1}. If yα^δ is
B-smooth, then (3.1) is applied. Otherwise, we choose a new δ.
Remark 3.2.2. It can be shown that the running time is L_p(1/2, C) for some constant C. In principle the
index calculus algorithm works in any group. However the factor base must be chosen such that relations
can be found efficiently. (Un)fortunately, for some groups, such as elliptic curves over finite fields, it is
not known how to choose the factor base and how to compute relations.
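The simple index calculus algorithm above, as an added Python example that is not code from the notes. It assumes p = 1019 = 2 · 509 + 1 with primitive element α = 2 (constructed choices): relations α^z = ∏ q^{f(q,z)} are collected over the factor base F(B) and solved modulo 509 by Gauss-Jordan elimination, the missing parity of each x(q) is read from Euler's criterion, and the individual logarithm then follows (3.1). Restricting to p − 1 = 2q' with q' prime is an assumption made here so that the linear algebra stays over a prime field.

```python
# Added example: a simple index calculus for alpha^x = y (mod p), in the setting
# p - 1 = 2 q' with q' prime (constructed restriction: the relation system is
# solved over F_q' and the parity of each logarithm comes from Euler's criterion).


def smooth_exponents(b, base):
    """Exponent vector of b over the factor base, or None if b is not B-smooth."""
    vec = []
    for q in base:
        e = 0
        while b % q == 0:
            b //= q
            e += 1
        vec.append(e)
    return vec if b == 1 else None


def solve_mod_prime(rows, q):
    """Gauss-Jordan over F_q on augmented rows [f_1 .. f_k | z]; returns the solution,
    or None while the rows do not yet have full column rank."""
    k = len(rows[0]) - 1
    M = [[v % q for v in row] for row in rows]
    for col in range(k):
        piv = next((r for r in range(col, len(M)) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [v * inv % q for v in M[col]]
        for r in range(len(M)):
            if r != col and M[r][col]:
                c = M[r][col]
                M[r] = [(a - c * b) % q for a, b in zip(M[r], M[col])]
    return [M[i][k] for i in range(k)]


def factor_base_logs(alpha, p, base):
    """Step 1: relations alpha^z = prod q^f(q,z) until the system determines x(q) mod q',
    then lift each x(q) to mod p - 1 using whether q is a square (Euler's criterion)."""
    qprime = (p - 1) // 2
    rows = []
    for z in range(1, p):
        vec = smooth_exponents(pow(alpha, z, p), base)
        if vec is None:
            continue
        rows.append(vec + [z])                    # z = sum x(q) f(q,z)  (mod p - 1)
        if len(rows) >= len(base):
            logs = solve_mod_prime(rows, qprime)
            if logs is not None:
                break
    full = []
    for q, l in zip(base, logs):
        parity = 0 if pow(q, qprime, p) == 1 else 1   # even log <=> q is a square
        full.append(l if l % 2 == parity else l + qprime)
    return full


def index_calculus(alpha, y, p, B):
    """Discrete log of y to the base alpha mod p (alpha primitive, p = 2 q' + 1)."""
    base = [q for q in range(2, B + 1) if all(q % d for d in range(2, q))]
    logs = factor_base_logs(alpha, p, base)
    for delta in range(p - 1):                    # step 2: find y alpha^delta B-smooth
        vec = smooth_exponents(y * pow(alpha, delta, p) % p, base)
        if vec is not None:                       # (3.1): x = sum x(q) e(q) - delta
            return (sum(l * e for l, e in zip(logs, vec)) - delta) % (p - 1)
```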
3.3 Attacks on some particular elliptic curves
3.3.1 The MOV attack
The MOV attack is named after Menezes, Okamoto and Vanstone and uses the Weil pairing to convert a
discrete log problem in E(F_q) into one in F_{q^m}^*. Let E/F_q be an elliptic curve over F_q and P, Q ∈ E(F_q). Let N
be the order of P and assume it is prime to q. We want to find k such that Q = kP. First it is worthwhile
to check that k exists.
Lemma 3.3.1. There exists k such that Q = kP if and only if NQ = O and e_N(P, Q) = 1.
Proof. If Q = kP, the statement is clear. Conversely, if NQ = O then Q ∈ E[N]. Since
(q, N) = 1 we know that E[N] ≅ (Z/NZ)^2. Choose a point R such that {P, R} is a basis of E[N]. Then
Q = aP + bR. Since e_N(P, Q) = 1, this implies that b = 0.
Now choose m such that E[N] ⊂ E(F_{q^m}). Since for a basis {P, R} of E[N], e_N(P, R) is an N-th root of
unity, and because of the Galois action, µ_N ⊂ F_{q^m}. Hence all computations will take place in this field. The
attack proceeds as follows.
1. Choose a random point T ∈ E(F_{q^m}).
2. Compute the order M of T.
3. Let d = (M, N) and let T_1 = (M/d)T. Then T_1 has order d, which divides N, so T_1 ∈ E[N].
4. Compute ζ_1 = e_N(P, T_1) and ζ_2 = e_N(Q, T_1). Then both ζ_1 and ζ_2 are in F_{q^m}^*.
5. Solve the discrete log problem ζ_2 = ζ_1^k. This will give k (mod d).
6. Repeat with random T until the least common multiple of the various d's is N. This determines k
modulo N.
Remark 3.3.2. At first it might seem that d = 1 will occur very often. However, the opposite is true because
of the structure of E(F_{q^m}), see [Was03, p.145].
Potentially, the integer m could be large, in which case the discrete log problem in F_{q^m} is just as hard as
in the smaller group E(F_q). However:
Proposition 3.3.3. Let E/F_q be an elliptic curve and suppose that the trace is 0. Then if there exists a
point P ∈ E(F_q) of order N, we have E[N] ⊂ E(F_{q^2}).
Proof. The Frobenius endomorphism φ_q satisfies φ_q^2 + q = 0. Since there exists a rational N-torsion point,
N | #E(F_q) = q + 1, so −q ≡ 1 (mod N). Therefore for any S ∈ E[N] one has
$\phi_q^2(S) = -qS = S,$
which means that S ∈ E(F_{q^2}).
More generally, if E is supersingular one can take m = 2, 3, 4 or 6. For this reason, supersingular curves
must be excluded.
3.3.2 Other restrictions
Other elliptic curves have to be excluded due to different types of attacks:
1. Anomalous curves, i.e. elliptic curves over F_q with #E(F_q) = q.
2. The GHS (Gaudry-Hess-Smart) attack transfers the DLP from elliptic curves over F_{q^g} to a DLP on
genus g curves over F_q in certain cases. It might seem strange, but the DLP is easier on high genus curves
than on elliptic curves. There have been successful attacks on F_{q^7}, F_{q^17}, F_{q^23} and F_{q^31}, but for instance if
p is prime and belongs to [160, 600] then GHS does not work over F_{2^p}. However, as a general principle,
people are now cautious when they use elliptic curves defined over field extensions.
4 Pairings
4.1 Review on divisors
We are going to assume that an elliptic curve is a genus 1 curve and that in this case the Riemann-Roch
theorem states that
$\dim L(D) = \deg(D)$
for all divisors D on the curve of non-negative degree.
Lemma 4.1.1 ([Sil92, Lem.III.3.3]). Let E be an elliptic curve and P, Q ∈ E. Then (P) ∼ (Q) if and only
if P = Q.
Proof. Let D = (Q). Since deg(D) = 1, we have dim L(D) = 1, and since the constants are in L(D), L(D) consists only
of the constants. Hence div f = (P) − (Q) is equivalent to f ∈ L(D), hence f is constant and P = Q.
Proposition 4.1.2 ([Sil92, Prop.III.3.4]). Let E be an elliptic curve.
1. For every divisor D ∈ div^0(E) there exists a unique point P ∈ E so that
$D \sim (P) - (O).$
Let σ : div^0(E) → E be the map given by this association.
2. σ is surjective.
3. Let D_1, D_2 ∈ div^0(E). Then σ(D_1) = σ(D_2) if and only if D_1 ∼ D_2.
4. The inverse to σ is the map
$\kappa : E \to \mathrm{Pic}^0(E), \qquad P \mapsto (P) - (O).$
5. If E is given by a Weierstrass equation then the geometric group law on E and the group law induced
from Pic^0(E) are the same.
Proof. (1) We have that dim L(D + (O)) = 1, so let f be a generator. Since div(f) ≥ −D − (O) and
deg(div(f)) = 0 it follows that
$\operatorname{div}(f) = -D - (O) + (P)$
for some P ∈ E. Hence D ∼ (P) − (O). Then using the lemma we see that P is unique.
(2) For any P ∈ E we have σ((P) − (O)) = P.
(3) Let D_1, D_2 ∈ div^0(E) and set P_i = σ(D_i). Then from the definition of σ
$(P_1) - (P_2) \sim D_1 - D_2.$
Hence P_1 = P_2 certainly implies that D_1 ∼ D_2. Conversely we get (P_1) ∼ (P_2), hence by the lemma P_1 = P_2.
(5) For the last point, let E be given by a Weierstrass equation and P, Q ∈ E. It clearly suffices to show that
$\kappa(P + Q) = \kappa(P) + \kappa(Q).$
Let f = αX + βY + γZ be a line L going through P, Q and let R be the third intersection point of L with E.
Let f' = α'X + β'Y + γ'Z be the line through R and O. Then from the definition of the addition on E and
the fact that the line Z = 0 intersects E at O with multiplicity 3, we have
$\operatorname{div}(f/Z) = (P) + (Q) + (R) - 3(O)$
and
$\operatorname{div}(f'/Z) = (R) + (P + Q) - 2(O).$
Hence
$(P + Q) - (P) - (Q) + (O) = \operatorname{div}(f'/f) \sim 0.$
So
$\kappa(P + Q) - \kappa(P) - \kappa(Q) = 0.$
Corollary 4.1.3 ([Sil92, Cor.III.3.5]). Let E be an elliptic curve and $D = \sum_P n_P (P) \in \operatorname{div}(E)$. Then D is
principal if and only if $\sum_P n_P = 0$ and $\sum_P n_P P = O$.
4.2 The Weil pairing
Let E/K be an elliptic curve. For this section we fix an integer n prime to p. Let T ∈ E[n]; then there is
a function f such that
$\operatorname{div}(f) = n(T) - n(O).$
Letting T' ∈ E with [n]T' = T (every non-constant morphism is surjective), there is similarly a function g
such that
$\operatorname{div}(g) = \sum_{R \in E[n]} (T' + R) - (R).$
One can easily check that f ∘ [n] and g^n have the same divisor, so after scaling we can assume that f ∘ [n] = g^n.
Now suppose that S ∈ E[n]; then for any point X ∈ E,
$g(X + S)^n = f([n]X + [n]S) = f([n]X) = g(X)^n.$
Hence we can define the Weil pairing
$e_n : E[n] \times E[n] \to \mu_n$
by e_n(S, T) = g(X + S)/g(X). We need to check that it satisfies the properties we stated in Theorem 2.1.6.
Proof. (1) Linearity in the first factor is easy:
$e_n(S_1 + S_2, T) = \frac{g(X + S_1 + S_2)}{g(X + S_1)} \cdot \frac{g(X + S_1)}{g(X)} = e_n(S_2, T)\, e_n(S_1, T).$
For the second, let f_1, f_2, f_3, g_1, g_2, g_3 be functions as above for T_1, T_2 and T_3 = T_1 + T_2. Choose a function h
with divisor (T_1 + T_2) − (T_1) − (T_2) + (O). Then div(f_3/(f_1 f_2)) = n div h, so f_3 = c f_1 f_2 h^n for some constant
c. Compose with the multiplication-by-n map, use f_i ∘ [n] = g_i^n and take n-th roots to find
$g_3 = c' g_1 g_2 (h \circ [n]).$
Now
$e_n(S, T_1 + T_2) = \frac{g_3(X + S)}{g_3(X)} = \frac{g_1(X + S)\, g_2(X + S)\, h([n]X + [n]S)}{g_1(X)\, g_2(X)\, h([n]X)} = e_n(S, T_1)\, e_n(S, T_2).$
(2) Let τ_P be the translation by P. Then
$\operatorname{div}\Big(\prod_{i=0}^{n-1} f \circ \tau_{[i]T}\Big) = n \sum_{i=0}^{n-1} \big(([1-i]T) - ([-i]T)\big) = 0.$
Hence $\prod_{i=0}^{n-1} f \circ \tau_{[i]T}$ is constant, and if we choose some T' with [n]T' = T then $\prod_{i=0}^{n-1} g \circ \tau_{[i]T'}$ is also constant
because its n-th power is the above product of the f's. Evaluating the product of g's at X and X + T'
yields
$\prod_{i=0}^{n-1} g(X + [i]T') = \prod_{i=0}^{n-1} g(X + [i+1]T').$
Now cancelling like terms gives
$g(X) = g(X + [n]T') = g(X + T)$
so
$e_n(T, T) = g(X + T)/g(X) = 1.$
(3) If e_n(S, T) = 1 for all S ∈ E[n], so that g(X + S) = g(X) for all S ∈ E[n], then g = h ∘ [n] (see [Sil92,
III.4.10.b]) for some function h. But then
$(h \circ [n])^n = g^n = f \circ [n]$
so f = h^n. Hence n div h = div f = n(T) − n(O), so div h = (T) − (O) and T = O.
(4) Let σ ∈ Gal(K̄/K). If f, g are the functions for T then clearly f^σ and g^σ are the corresponding functions
for T^σ. Then
$e_n(S^\sigma, T^\sigma) = \frac{g^\sigma(X^\sigma + S^\sigma)}{g^\sigma(X^\sigma)} = e_n(S, T)^\sigma.$
(5) Let {Q_1, …, Q_k} = ker(u). Since u is separable, k = deg(u). Let
$\operatorname{div}(f_T) = n(T) - n(O), \qquad \operatorname{div}(f_{u(T)}) = n(u(T)) - n(O)$
and
$g_T^n = f_T \circ [n], \qquad g_{u(T)}^n = f_{u(T)} \circ [n].$
We have
$\operatorname{div}(f_T \circ \tau_{-Q_i}) = n(T + Q_i) - n(Q_i).$
Therefore
$\operatorname{div}(f_{u(T)} \circ u) = n \sum_{u(T'') = u(T)} (T'') - n \sum_{u(Q) = O} (Q) = n \sum_i \big((T + Q_i) - (Q_i)\big) = \operatorname{div}\Big(\prod_i f_T \circ \tau_{-Q_i}\Big).$
For each i choose Q'_i with nQ'_i = Q_i. Then
$g_T(P - Q'_i)^n = f_T(nP - Q_i).$
Consequently,
$\operatorname{div}\Big(\prod_i (g_T \circ \tau_{-Q'_i})^n\Big) = \operatorname{div}\Big(\prod_i f_T \circ \tau_{-Q_i} \circ [n]\Big) = \operatorname{div}(f_{u(T)} \circ u \circ [n]) = \operatorname{div}(f_{u(T)} \circ [n] \circ u) = \operatorname{div}(g_{u(T)} \circ u)^n.$
Therefore $\prod_i g_T \circ \tau_{-Q'_i}$ and g_{u(T)} ∘ u differ only by a constant.
The definition of e_n yields
$e_n(u(S), u(T)) = \frac{g_{u(T)}(u(X + S))}{g_{u(T)}(u(X))} = \prod_i \frac{g_T(X + S - Q'_i)}{g_T(X - Q'_i)} = \prod_i e_n(S, T) = e_n(S, T)^k = e_n(S, T)^{\deg(u)}.$
Note that it works also for the Frobenius endomorphism (even though it is not separable) since
$e_n(\phi_q(S), \phi_q(T)) = \phi_q(e_n(S, T)) = e_n(S, T)^q,$
because φ_q is the q-th power map on the elements of F̄_q.
4.3 Computation of the Weil pairing: practice
If we want to compute the Weil pairing for large values of n we need to find a proper way to avoid massive
computations. Indeed, the definition of the Weil pairing involves a function g whose divisor includes
contributions from all the n^2 torsion points of E[n]. We hence need another definition of the Weil pairing.
Theorem 4.3.1. Let S, T ∈ E[n] and let D_S = (S) − (O) and D_T = (T + R) − (R) for an n-torsion point
R. Let f_S and f_T be defined (up to a constant) by
$\operatorname{div}(f_S) = nD_S, \qquad \operatorname{div}(f_T) = nD_T.$
Then the Weil pairing is given by
$e_n(S, T) = \frac{f_T(D_S)}{f_S(D_T)}.$
By definition, $f_T(D_S) = \prod_{i=1}^r f_T(P_i)^{n_i}$ where $D_S = \sum_{i=1}^r n_i (P_i)$ (here we also assume that the support
of div(f_T) is disjoint from the support of D_S). The proof of the theorem relies on Weil's reciprocity law, see
[Sil92, Ex.III.3.16]. Using this new definition, one sees that one has to be able to compute values of the
type f_S(P) for a given point P and div f_S = n(S) − n(O). It is still time-consuming to produce directly a
function f_S when n is large. However this can be done efficiently thanks to the following algorithm due to
Victor Miller.
Definition 4.3.2. Let m ∈ Z, S ∈ E[n]; one calls Miller function f_{m,S} the function defined up to a scalar
by
$\operatorname{div}(f_{m,S}) = m(S) - (mS) - (m-1)(O).$
Let S_1, S_2 ∈ E; we define the function g_{S_1,S_2} = L_{S_1,S_2}/L_{S_1+S_2, −(S_1+S_2)} where L_{S,T} is the line passing
through S and T (possibly the tangent if S = T). Clearly from the definition of the addition law, one has
$\operatorname{div}(g_{S_1,S_2}) = (S_1) + (S_2) - (S_1 + S_2) - (O).$
By computing the divisors, one then sees that Miller functions can be built as follows: f_{1,S} := 1, and for
m_1, m_2 ∈ Z
$f_{m_1+m_2,S} = f_{m_1,S} \cdot f_{m_2,S} \cdot g_{[m_1]S,[m_2]S},$
$f_{m_1 m_2,S} = f_{m_1,S}^{m_2} \cdot f_{m_2,[m_1]S} = f_{m_2,S}^{m_1} \cdot f_{m_1,[m_2]S}.$
In particular
• f_{m+1,S} = f_{m,S} · g_{[m]S,S},
• f_{2m,S} = f_{m,S}^2 · g_{[m]S,[m]S},
• f_{n,S} = f_S.
This yields the following doubling-and-add algorithm:
Input: S ∈ E[n], P ∈ E[n], n = (n_l, …, n_0)_2.
Output: f_S(P)
R ← S, f ← 1
for (i ← l − 1, i ≥ 0, i−−) do
    f ← f^2 · g_{R,R}(P)       } Doubling
    R ← [2]R
    if (n_i = 1) then
        f ← f · g_{R,S}(P)     } Addition
        R ← R + S
    end if
end for
return f
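One Python block, added here as an illustration and not code from the notes, serving two passages that need the same curve arithmetic: the ElGamal signature of Section 3.1.3 (including the check that a reused k reveals the key, as explained there) and the Miller loop just given, whose output is compared with the linear recursion f_{m+1,S} = f_{m,S} g_{[m]S,S}. It assumes the constructed toy curve y^2 = x^3 + 2x + 2 over F_17 for the signature (A = (5, 1) has prime order 19), y^2 = x^3 − x over F_19 in the tests for the Miller check, and SHA-256 reduced modulo ℓ as the hash h; nothing here is of cryptographic size.

```python
# Added example (not code from the notes): chord-and-tangent arithmetic on
# y^2 = x^3 + a4 x + a6 over F_p, with E = (p, a4, a6) and O represented by None.
# (1) ElGamal signature of Section 3.1.3 on the constructed toy curve
#     y^2 = x^3 + 2x + 2 over F_17 (19 points, all multiples of A = (5, 1));
# (2) Miller's doubling-and-add loop above, checked against f_{m+1,S} = f_{m,S} g_{[m]S,S}.
import hashlib
import secrets

def ec_add(P, Q, E):
    p, a4, _ = E
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                        # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + a4) * pow(2 * y1, -1, p) % p  # tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, E):
    R = None
    while k > 0:                                           # double-and-add
        if k & 1:
            R = ec_add(R, P, E)
        P, k = ec_add(P, P, E), k >> 1
    return R

# --- (1) A of prime order ell; secret a, public B = aA ---------------------------
E17, A17, ELL = (17, 2, 2), (5, 1), 19

def h(msg):
    """h : {0,1}* -> F_ell (SHA-256 reduced mod ell; a toy choice)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % ELL

def f(R):
    """f : E(F_q) -> Z, the x-coordinate read as an integer (the notes' choice)."""
    return R[0]

def sign(a, msg, k=None):
    """(R, s) with R = kA, s = k^-1 (h(msg) - a f(R)) mod ell; k fresh per signature."""
    k = k or secrets.randbelow(ELL - 1) + 1
    R = ec_mul(k, A17, E17)
    return R, pow(k, -1, ELL) * (h(msg) - a * f(R)) % ELL

def verify(B, msg, sig):
    """Accept iff V = h(msg) A equals W = f(R) B + s R."""
    R, s = sig
    W = ec_add(ec_mul(f(R), B, E17), ec_mul(s, R, E17), E17)
    return ec_mul(h(msg), A17, E17) == W

def nonce_reuse_recovery(B, msg1, sig1, msg2, sig2):
    """Two signatures with the same k share R; s1 - s2 = k^-1 (h1 - h2) mod ell gives k,
    then a. Returns None when R differs, h1 = h2 or f(R) = 0 mod ell."""
    (R1, s1), (R2, s2) = sig1, sig2
    dh, ds = (h(msg1) - h(msg2)) % ELL, (s1 - s2) % ELL
    if R1 != R2 or dh == 0 or ds == 0 or f(R1) % ELL == 0:
        return None
    k = dh * pow(ds, -1, ELL) % ELL
    a = (h(msg1) - s1 * k) * pow(f(R1), -1, ELL) % ELL
    return (k, a) if ec_mul(a, A17, E17) == B else None

# --- (2) Miller functions, g_{S1,S2} = L_{S1,S2} / L_{S1+S2,-(S1+S2)} -----------
def line_eval(S1, S2, P, E):
    """Normalised line through S1, S2 (both != O) at P; vertical x - x1 if S2 = -S1."""
    p, a4, _ = E
    (x1, y1), (x2, y2), (xp, yp) = S1, S2, P
    if x1 == x2 and (y1 + y2) % p == 0:
        return (xp - x1) % p
    if S1 == S2:
        lam = (3 * x1 * x1 + a4) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    return (yp - y1 - lam * (xp - x1)) % p

def g_eval(S1, S2, P, E):
    """g_{S1,S2}(P); the denominator is the vertical line through S1 + S2 (1 if it is O)."""
    S3 = ec_add(S1, S2, E)
    den = 1 if S3 is None else (P[0] - S3[0]) % E[0]
    return line_eval(S1, S2, P, E) * pow(den, -1, E[0]) % E[0]

def miller(S, P, n, E):
    """f_S(P) = f_{n,S}(P) by the loop of the notes; needs P outside <S>."""
    R, fv = S, 1
    for bit in bin(n)[3:]:                        # n_{l-1} ... n_0 after the leading one
        fv = fv * fv * g_eval(R, R, P, E) % E[0]  # doubling
        R = ec_add(R, R, E)
        if bit == "1":
            fv = fv * g_eval(R, S, P, E) % E[0]   # addition
            R = ec_add(R, S, E)
    return fv

def miller_naive(S, P, n, E):
    """Same value from f_{m+1,S} = f_{m,S} g_{[m]S,S}, m = 1, ..., n - 1."""
    R, fv = S, 1
    for _ in range(1, n):
        fv = fv * g_eval(R, S, P, E) % E[0]
        R = ec_add(R, S, E)
    return fv
```

Because the lines are normalised (leading coefficient 1 at O), both constructions give the same function with divisor n(S) − n(O), so miller and miller_naive agree at any P outside ⟨S⟩.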
Remark 4.3.3. This gives only half of the Weil pairing. It is then tempting to define a pairing only using
this computation. It is indeed possible and leads to the notion of reduced Lichtenbaum-Tate pairing, see
[CFA+06].
4.4 Application to cryptography
When Bob wants to send a message to Alice using a public key, it would be nice if he could use real
information about Alice (her identity Id) as the public key. He would then not have to check that a given public
key really belongs to Alice. This is identity-based cryptography. Such an idea can be used with a
pairing such as the Weil pairing on elliptic curves. Let G = (⟨P⟩, +) be a subgroup of order ℓ (prime to
the characteristic of F_q) generated by a rational point on an elliptic curve E/F_q and let e be the smallest
integer such that E[ℓ] is completely defined over F_{q^e}. The integer e is called the embedding degree. Let
then H = F_{q^e}^* be the multiplicative group, which contains a primitive ℓ-th root of unity. We will also need
a trusted authority with a pair of private key a_TA and public key P_TA = a_TA P. We need hash functions
h_1 : {0, 1}* → G and h_2 : H → {0, 1}^n for a given n. We let e : G × G → H be a non-degenerate bilinear
pairing (which is not the Weil pairing, see below).
Identity-based encryption
Public: G, H, P, P_TA.
Input: a message m ∈ {0, 1}^n.
Output: the ciphertext (R, y).
Choose r ∈ N, then compute R = [r]P, Q = h_1(Id) and S = e(P_TA, Q).
Then y = m ⊕ h_2([r]S).
Alice needs one private and authenticated communication with the TA to get her private key.
Private-key extraction
Input: G, P, a_TA and Id.
Output: the private key A_Id.
Compute Q = h_1(Id) and A_Id = a_TA Q.
Then she can decipher Bob's message as follows.
Identity-based decryption
Input: (R, y), G, P, P_TA and the private key A_Id.
Output: m.
Compute T = e(R, A_Id) and m = y ⊕ h_2(T).
Of course the cryptosystem is weak if the DLP can be solved in G or H. The TA is a critical point
of security since it delivers all the private keys. To prevent malicious acts on its part, it is recommended to use
a secret sharing scheme to store the master key a_TA. Note that once the private key is obtained the TA is not
needed anymore. If Bob thinks the public key is compromised, he can append the time to Id. Finally, for a
large group of participants, it is not desirable that all participants need to contact the TA to obtain their keys.
Fortunately, the system allows a hierarchical structure.
From the mathematical point of view, one of the main difficulties is that we cannot take e = e_ℓ since
obviously e(P_TA, Q) = 1 (Q and P_TA are multiples of P). Therefore one usually uses distortion maps which
map the second factor to an ℓ-torsion point which is not collinear with P. However this is easier to do for
supersingular elliptic curves, as we shall see on an example below. Note that to make the DLP hard in F_{q^2}^*,
one has to consider large values of q (at least 1024 bits).
Example 4.4.1. Consider the supersingular elliptic curve E/F_p : y^2 = x^3 + B of Exercise 11 for p ≡ 2
(mod 3). As a distortion map we can choose u : (x, y) ↦ (jx, y) where j is a primitive third root of unity.
It maps a rational point Q ∈ E(F_p) to a point defined over F_{p^2}, as there is no such root of unity in F_p. Therefore
Q ∉ ⟨P⟩ and we can use e(P, Q) = e_ℓ(P, u(Q)) ≠ 1.
5 Exercise sessions (Travaux Dirigés)
5.1 TD 1
5.1.1 Problems
Exercise 1 (Drawing elliptic curves over R). Sketch the following curves
$E_1 : y^2 = x^3 - x + 1 \qquad \text{and} \qquad E_2 : y^2 = x^3 - x$
by studying the table of variations (domain of definition, variations, …) of the functions $\sqrt{x^3 - x + 1}$ and
$\sqrt{x^3 - x}$.
Exercise 2 (j-invariant in characteristic 2 and 3). Check with a computer algebra system that if two
Weierstrass models are isomorphic then their j-invariants are equal.
Exercise 3 (Algebraic group law). Write explicitly the coordinates of P + Q for a simplified Weierstrass
model in the case where P and Q are distinct and distinct from the point at infinity. Are these formulas
still valid when P = Q?
Check that an addition requires one inversion (I), 2 multiplications (M) and 1 squaring (S) over K (additions are neglected).
Exercise 4 (Associativity of the group law). Using a computer algebra system, show that the group
law is associative (restrict to the generic case of distinct points).
Exercise 5 (Automorphism group). Show that the automorphism group of an elliptic curve over an algebraically closed field of characteristic different from 2 or 3 is a cyclic group of order
2 if the j-invariant is different from 0 and 1728 (resp. 4 if it equals 1728, resp. 6 if it equals 0).
Remark 5.1.1. In characteristics 2 and 3, the automorphism group is bigger and non-abelian if
j = 0 = 1728.
Exercise 6 (Legendre form). Put the elliptic curve E: y² = x(x − 1)(x − λ) with λ ≠ 0, 1 in Weierstrass form and show that then
$$j = 2^8\,\frac{(\lambda^2 - \lambda + 1)^3}{\lambda^2(\lambda - 1)^2}.$$
Show that if j ≠ 0, 1728 there are six distinct values of λ giving this j, and that if λ_0 is one of these values then the others are given by
$$\frac{1}{\lambda_0},\quad 1 - \lambda_0,\quad \frac{1}{1 - \lambda_0},\quad \frac{\lambda_0}{\lambda_0 - 1},\quad \frac{\lambda_0 - 1}{\lambda_0}.$$
Exercise 7 (2-torsion and 3-torsion points). Let E: y² = x³ + Ax + B be an elliptic curve in characteristic p ≠ 2, 3. Give the coordinates of the 2-torsion and 3-torsion points.
5.1.2 Solutions
Solution to Exercise 1. See the pictures of Section 1.1.1 in the course notes.
Solution to Exercise 2. See the lab session (TP).
Solution to Exercise 3. Let P = (x_1, y_1) and Q = (x_2, y_2) be two points of a curve E: y² = x³ + Ax + B. The line through P and Q has slope λ = (y_2 − y_1)/(x_2 − x_1) and therefore has equation y = λx + µ with µ = (y_1x_2 − y_2x_1)/(x_2 − x_1). Substituting into the equation of the curve E gives (λx + µ)² = x³ + Ax + B. We know that the three solutions in x of this equation are x_1, x_2 and x_3, the abscissa of the point P + Q. Since −(x_1 + x_2 + x_3) is the degree-2 coefficient of the equation x³ + Ax + B − (λx + µ)² = 0, we get x_1 + x_2 + x_3 = λ², i.e. x_3 = λ² − x_1 − x_2. The ordinate y_3 of the point P + Q is given by (−y_3 − y_1)/(x_3 − x_1) = λ, i.e. y_3 = λ(x_1 − x_3) − y_1. In summary:
1. λ = (y_2 − y_1)/(x_2 − x_1) (one inversion and one multiplication);
2. x_3 = λ² − x_1 − x_2 (one squaring);
3. y_3 = λ(x_1 − x_3) − y_1 (one multiplication).
This is no longer valid if P = Q, since then x_2 = x_1 and λ cannot be computed. Note however that
$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{(y_2 + y_1)(y_2 - y_1)}{(y_2 + y_1)(x_2 - x_1)} = \frac{y_2^2 - y_1^2}{(y_2 + y_1)(x_2 - x_1)} = \frac{x_2^3 + Ax_2 + B - (x_1^3 + Ax_1 + B)}{(y_2 + y_1)(x_2 - x_1)} = \frac{x_1^2 + x_2^2 + x_1x_2 + A}{y_2 + y_1},$$
for which there is no longer any problem when P = Q (but there is one again when Q = −P).
Solution to Exercise 4. See TP.
Solution to Exercise 5. Since the characteristic of k (algebraically closed) is different from 2 and 3, we may assume E: y² = x³ + Ax + B. The automorphisms of E are therefore of the form x' = u²x and y' = u³y with u ∈ k^*. We then have u⁶y'² = u⁶x'³ + Au²x' + B, i.e. y'² = x'³ + (A/u⁴)x' + B/u⁶. It is therefore necessary and sufficient that A/u⁴ = A and B/u⁶ = B. We distinguish three cases:
1. AB ≠ 0, i.e. the j-invariant of E is different from 0 and 1728, since j = 1728 · 4A³/(4A³ + 27B²). In this case we get u = ±1, i.e. x' = x and y' = ±y.
2. B = 0: the condition is then u⁴ = 1, and the automorphism group is generated by x' = −x and y' = iy.
3. A = 0: the condition is then u⁶ = 1 and, writing j for a primitive cube root of unity, the automorphism group is generated by x' = jx and y' = −y.
Solution to Exercise 6. See TP.
Solution to Exercise 7. By definition P is a 2-torsion point iff 2P = O. The tangent line at P must therefore be vertical. Looking at the derivative of the function $\sqrt{x^3 + Ax + B}$, this happens at the zeros of x³ + Ax + B (and at the point at infinity). The 2-torsion points are therefore O and the 3 points (x_i, 0) where x_i is a root of x³ + Ax + B (these points are distinct since the polynomial is squarefree).
Similarly, P is a 3-torsion point iff 3P = O, i.e. 2P = −P. The tangent line at P must therefore meet the curve E only at P: P is an inflection point. These points can be computed by studying the function $\sqrt{x^3 + Ax + B}$, or as the zeros of the Hessian $\det(\partial^2 F/\partial x_i \partial x_j)$ where F(x_1, x_2, x_3) = x_2²x_3 − x_1³ − Ax_1x_3² − Bx_3³. One can also write 2P = −P algebraically. Let us choose this last option. Let P = (x_0, y_0) be different from the point at infinity. We compute 2P by computing the slope λ of the tangent at P: λ = −(3x_0² + A)/(−2y_0) = (3x_0² + A)/(2y_0). Reasoning as in Exercise 3 we get 3x_0 = λ², i.e.
$$3x_0(4y_0^2) = 12x_0(x_0^3 + Ax_0 + B) = (3x_0^2 + A)^2,$$
which gives the equation
$$3x^4 + 6Ax^2 + 12Bx - A^2 = 0.$$
The 3-torsion points are the point O and the points (x_0, ±y_0) where x_0 is a solution of the previous equation.
5.2 TD 2
5.2.1 Problems
Exercise 8 (Some Sage features). Let E/F_101: y² = x³ + 3x + 5. Ask Sage
1. to give the order of E(F_101) and to list all the rational points;
2. to give the Weil polynomial of the curve;
3. to give the Weil polynomial of the curve over F_{101²}; check that this agrees with Exercise 10;
4. to plot the points of the curve E/F_p: y² = x³ + x + 1 for p = 101, 2003 and 10007.
5. What do you observe?
Exercise 9 (Minimum number of points on elliptic curves). Using the Hasse-Weil bound, show that the only finite fields over which there exists an elliptic curve with no affine rational point are F_2, F_3 and F_4. For each of these fields, find these curves explicitly using the computer.
Exercise 10 (Number of points over extensions). Let E/F_q be an elliptic curve with trace a. Let α, β be the roots of the characteristic polynomial of the Frobenius φ_q. Show that $|\alpha| = |\beta| = \sqrt{q}$ (start by showing that $|a| \le 2\sqrt{q}$).
Let s_i = α^i + β^i. Then s_0 = 2, s_1 = a; show that
$$s_{n+1} = a s_n - q s_{n-1}.$$
Using the fact that X^{2i} − s_iX^i + q^i is divisible by X² − aX + q, express in terms of α, β the number of points of E over an extension of degree i of F_q.
Let $Z(E, t) = \exp\left(\sum_{i=1}^{\infty} \#E(\mathbb{F}_{q^i})\,\frac{t^i}{i}\right)$ be the formal power series in t. Show that
$$Z(E, t) = \frac{1 - at + qt^2}{(1 - t)(1 - qt)}.$$
Exercise 11 (A "family of" supersingular curves). Let q be odd with q ≡ 2 (mod 3). Let B ∈ F_q^*. Show that the elliptic curve E: y² = x³ + B is supersingular (start by showing that every element of F_q has a unique cube root in F_q).
Exercise 12 (Number of supersingular curves). Compute with the computer, for the first 100 primes p, the number of F̄_p-isomorphism classes of supersingular elliptic curves over F_p.
5.2.2 Solutions
Solution to Exercise 8. See TP.
Solution to Exercise 9. By Hasse-Weil, $|\#E(\mathbb{F}_q) - q - 1| \le 2\sqrt{q}$, hence $\#E(\mathbb{F}_q) \ge q + 1 - 2\sqrt{q} = (\sqrt{q} - 1)^2$. This number is strictly greater than 1 as soon as q > 4. Then see TP.
Solution to Exercise 10. We know that #E(F_q) = q + 1 − a, so the Hasse-Weil bounds give $|a| \le 2\sqrt{q}$. Since the characteristic polynomial of the Frobenius is X² − aX + q, we have Δ = a² − 4q ≤ 0, with equality if and only if $a = \pm 2\sqrt{q}$. There are therefore two cases:
• If $a = \pm 2\sqrt{q}$ (in particular q is a square) then $X^2 \pm 2\sqrt{q}\,X + q = (X \pm \sqrt{q})^2$ and the result is established.
• Otherwise the roots α and β are complex conjugates, so |α| = |β|, and since their product is q we get the result.
The second result follows easily since
$$a s_n - q s_{n-1} = (\alpha + \beta)(\alpha^n + \beta^n) - \alpha\beta(\alpha^{n-1} + \beta^{n-1}) = \alpha^{n+1} + \beta^{n+1}.$$
Note that X^{2i} − s_iX^i + q^i = (X^i − α^i)(X^i − β^i), which is divisible by (X − α)(X − β) in Z[X]. Let Q(X) ∈ Z[X] be the quotient. We then have
$$(\phi_q^i)^2 - (\alpha^i + \beta^i)\phi_q^i + q^i = Q(\phi_q)(\phi_q^2 - a\phi_q + q) = 0.$$
Since φ_q^i = φ_{q^i} and the characteristic polynomial of φ_{q^i} is unique, α^i + β^i is the trace of E/F_{q^i}. Hence #E(F_{q^i}) = q^i + 1 − s_i.
To finish, it suffices to note that
$$\#E(\mathbb{F}_{q^i})\,\frac{t^i}{i} = \frac{t^i}{i} + \frac{(qt)^i}{i} - \frac{(\alpha t)^i}{i} - \frac{(\beta t)^i}{i}$$
and that
$$\sum_{i=1}^{\infty} \frac{(zt)^i}{i} = -\log(1 - zt).$$
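The following Python script is an added example (not part of the notes) that works through the results of Exercise 10 on the curve E/F_5: y² = x³ + x + 1 of Exercise 13: the trace is read off from a direct count over F_5, the recurrence s_{n+1} = a s_n − q s_{n−1} gives #E(F_{5^i}), the value over F_25 is checked by brute force with F_25 constructed as F_5[t]/(t² − 2), and the power-series coefficients of exp(Σ #E(F_{q^i}) t^i/i) are compared with those of (1 − at + qt²)/((1 − t)(1 − qt)). The function names are mine.

```python
# Added example (not from the notes): point counts of E/F_5 : y^2 = x^3 + x + 1 over
# extensions, via the trace recurrence of Exercise 10, checked by brute force over
# F_25 = F_5[t]/(t^2 - 2) (2 is not a square mod 5) and against the zeta function.
from fractions import Fraction

p, A, B = 5, 1, 1
NONRES = 2                      # t^2 = NONRES defines the quadratic extension F_25

def count_fp():
    """#E(F_p): 1 (point at infinity) + number of pairs (x, y) with y^2 = x^3 + A x + B."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y * y - x ** 3 - A * x - B) % p == 0)

def f25_mul(u, v):
    """(a + b t)(c + d t) in F_25, using t^2 = NONRES."""
    a, b = u
    c, d = v
    return ((a * c + NONRES * b * d) % p, (a * d + b * c) % p)

def f25_add(u, v):
    return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)

def count_fp2():
    """#E(F_25) by enumerating all 25 x 25 pairs (x, y)."""
    elems = [(a, b) for a in range(p) for b in range(p)]
    n = 1                                                   # the point at infinity
    for x in elems:
        x3 = f25_mul(f25_mul(x, x), x)
        rhs = f25_add(f25_add(x3, f25_mul((A, 0), x)), (B, 0))
        n += sum(1 for y in elems if f25_mul(y, y) == rhs)
    return n

def counts_from_trace(a, q, r):
    """#E(F_{q^i}) for i = 1..r from s_0 = 2, s_1 = a, s_{n+1} = a s_n - q s_{n-1}."""
    s = [2, a]
    for _ in range(2, r + 1):
        s.append(a * s[-1] - q * s[-2])
    return [q ** i + 1 - s[i] for i in range(1, r + 1)]

def zeta_from_counts(N, r):
    """Coefficients z_0..z_r of Z(E, t) = exp(sum_i N_i t^i / i), using Z' = L' Z."""
    l = [Fraction(0)] + [Fraction(N[i - 1], i) for i in range(1, r + 1)]
    z = [Fraction(1)]
    for n in range(1, r + 1):
        z.append(sum(k * l[k] * z[n - k] for k in range(1, n + 1)) / n)
    return z

def zeta_closed_form(a, q, r):
    """Coefficients of (1 - a t + q t^2) / ((1 - t)(1 - q t)) up to t^r."""
    c = [(q ** (i + 1) - 1) // (q - 1) for i in range(r + 1)]   # 1/((1-t)(1-qt))
    num = [1, -a, q]
    return [Fraction(sum(num[k] * c[n - k] for k in range(3) if n >= k))
            for n in range(r + 1)]

if __name__ == "__main__":
    a = p + 1 - count_fp()                     # trace of E/F_5
    print("trace a =", a, "and #E(F_5^i) for i = 1..3:", counts_from_trace(a, p, 3))
    print("#E(F_25) by brute force:", count_fp2())
```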
Solution to Exercise 11. Since q ≡ 2 (mod 3), q − 1 = 1 + 3n, so 3 is coprime to q − 1 and hence invertible modulo q − 1. Let r be such that 3r = 1 + (q − 1)m. For every a ∈ F_q^* (for a = 0 it is clear) we then have (a^r)³ = a^{3r} = a^{1+(q−1)m} = a · (a^{q−1})^m = a, since F_q^* is a cyclic group of order q − 1. So a^r is a solution of x³ = a. Moreover the solution is unique, since if x³ = y³ (with x and y nonzero) then raising both sides to the power r gives x = y.
For every value of y ∈ F_q there is therefore a unique solution to y² − B = x³. The curve E thus has q + 1 points (the 1 coming from the point at infinity). Its trace is zero, so the curve is supersingular.
Note that all the curves E have the same j-invariant, equal to 0. One cannot therefore really speak of a family.
Solution to Exercise 12. See TP.
5.3 TD 3
5.3.1 Problems
Exercise 13 (Review).
1. Let E/Q: y² = x³ + 2x − 2. Show that E is an elliptic curve.
2. Let P = (1, 1) ∈ E(Q). Compute 2P and 3P "by hand" (using SAGE as a big calculator), then check on the computer.
3. Let E/F_5: y² = x³ + x + 1. What is its number of rational points? Same question over F_{5²}. Check with the computer. Is the curve E supersingular?
4. Are the curves E/F_7: y² = x³ + x + 1 and E'/F_7: y² − 3xy − y = x³ − x² + 2x + 2 isomorphic? Over F̄_7?
Exercise 14. Implement in SAGE a fast exponentiation algorithm on elliptic curves. Just as there are two methods of binary expansion, there are two fast exponentiation methods. We shall study one of them. We want to compute [2005]P where P is a random point on the elliptic curve E/F_101: y² = x³ + x + 1.
• Write 2005 = 11111010101 in base 2;
• Carry out, from right to left, the operations summarised in the following table:

bit of 2005:     1      1      1      1     1     0     1     0    1    0    1
2^i P:       1024P   512P   256P   128P   64P   32P   16P    8P   4P   2P    P
partial sum: 2005P   981P   469P   213P   85P   21P   21P    5P   5P    P    P

The first row holds the bits of the exponent. The second row computes 2^i P = 2(2^{i−1}P) for i = 0, ..., |2005|_2 iteratively. The third row adds to the result of the previous cell, say cell i, the result of the second row at cell i + 1 if there is a 1 at cell i + 1 of the first row, and leaves the result unchanged otherwise. This is the translation of the identity
$$(n_i, \dots, n_0)_2\,P = n_i \cdot (2 \cdot 2^{i-1})P + (n_{i-1}, \dots, n_0)_2\,P.$$
Remark: if there is a zero in the last cell of the first row, put O in the last cell of the third row (i.e. at the far right).
Exercise 15. Carry out the baby-step giant-step method to compute the order of the elliptic curve E/F_1013: y² = x³ + 7x + 2.
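As an added example (not the notes' or Sage's own code), the following Python script implements the affine group law of Exercise 3, the right-to-left double-and-add of Exercise 14 on E/F_101: y² = x³ + x + 1, and the baby-step giant-step order computation of Exercise 15 on E/F_1013: y² = x³ + 7x + 2, checked against a Legendre-symbol count. Function names, and the choice of None for the point at infinity, are mine.

```python
# Added example (not from the notes): affine arithmetic on E: y^2 = x^3 + A x + B over F_p,
# the right-to-left double-and-add of Exercise 14 and the baby-step giant-step order
# computation of Exercise 15. A point is a tuple (x, y); None stands for the point O.
import math

O = None

def ec_add(P, Q, A, p):
    """P + Q with the chord/tangent formulas from the solution to Exercise 3."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                        # Q = -P (also 2P when y1 = 0)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope (1 I + 1 M)
    x3 = (lam * lam - x1 - x2) % p                      # 1 S
    y3 = (lam * (x1 - x3) - y1) % p                     # 1 M
    return (x3, y3)

def ec_mul(k, P, A, p):
    """[k]P scanning the bits of k from the right, like the table of Exercise 14."""
    R, D = O, P            # R: running sum (third row), D: 2^i P (second row)
    while k:
        if k & 1:
            R = ec_add(R, D, A, p)
        D = ec_add(D, D, A, p)
        k >>= 1
    return R

def count_points(A, B, p):
    """#E(F_p) via Legendre symbols: slow reference used to check bsgs_order."""
    chi = lambda v: 0 if v == 0 else (1 if pow(v, (p - 1) // 2, p) == 1 else -1)
    return 1 + sum(1 + chi((x ** 3 + A * x + B) % p) for x in range(p))

def bsgs_order(A, B, p):
    """#E(F_p) by baby-step giant-step on the Hasse interval [N0, N0 + width)."""
    N0 = p + 1 - math.isqrt(4 * p)                      # p + 1 - floor(2 sqrt p)
    width = 2 * math.isqrt(4 * p) + 1
    m = math.isqrt(width) + 1
    for x in range(p):                                  # try points until one has large order
        rhs = (x ** 3 + A * x + B) % p
        ys = [y for y in range(p) if y * y % p == rhs]  # brute-force square root (p small)
        if not ys:
            continue
        P, baby, R = (x, ys[0]), {}, O
        for j in range(m):                              # baby steps: jP -> j, 0 <= j < m
            if R in baby:                               # ord(P) < m: too small, next point
                break
            baby[R] = j
            R = ec_add(R, P, A, p)
        else:
            step, Q = ec_mul(m, P, A, p), ec_mul(N0, P, A, p)
            cands = set()
            for i in range(width // m + 1):             # giant steps: Q = (N0 + i m) P
                negQ = O if Q is O else (Q[0], -Q[1] % p)
                if negQ in baby and N0 + i * m + baby[negQ] < N0 + width:
                    cands.add(N0 + i * m + baby[negQ])  # N P = O with N in the interval
                Q = ec_add(Q, step, A, p)
            if len(cands) == 1:                         # unique multiple of ord(P): it is #E
                return cands.pop()
    raise ValueError("no point with a single candidate order found")
```

A candidate N found by the giant steps satisfies NP = O; the result is #E only when the candidate is unique, which is why points of small order are skipped.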
5.3.2 Solutions
See TP 3.
5.4 TD 4
5.4.1 Problems
Exercise 16. Show that if a curve is anomalous over F_q, it is not anomalous over F_{q²}. Assuming the characteristic is different from 2, show that if (x, y) ∈ E(F̄_q) then
$$q \cdot (x, y) = (x^q, y^q) + (x^{q^2}, -y^{q^2}).$$
Exercise 17. Suppose that no hash function is used in the ElGamal signature (i.e. the message y = m is already an element of F_ℓ). Let (m, R, s) be a valid signature and let z be an integer coprime to ℓ. Set
$$R' = zR,\qquad s' \equiv s\,f(R')f(R)^{-1}z^{-1} \pmod{\ell},\qquad m' \equiv m\,f(R')f(R)^{-1} \pmod{\ell}.$$
Show that (m', R', s') is a valid signature (even if m' does not necessarily make sense). Then explain why a hash function prevents this forgery.
Exercise 18. Consider the following curves over F_2, called Koblitz curves:
E_1: y² + xy = x³ + 1, E_2: y² + xy = x³ + x² + 1.
1. Show that the Weil polynomial of E_i is P_i = X² − (−1)^i X + 2.
2. Are these curves supersingular?
Now consider an integer d > 1 and E_i over F_{2^d} for i = 1, 2.
3. Compute the order of E_i over F_4.
4. Is there a d such that the order of E_i is prime?
5. Is this a drawback or an advantage in cryptography?
The Frobenius operation φ_2: (x, y) ↦ (x², y²) is fast in characteristic 2 for a well-chosen basis. We therefore want to write multiplication by an integer k in "base φ_2". For this, note that φ_2 is annihilated by P_i and hence corresponds to a root $\mu_i = ((-1)^i + \sqrt{-7})/2$. Choose i = 2 and µ = µ_2. Since the ring Z[µ] is Euclidean and $|\mu| = \sqrt{2}$, we can expand $k = \sum_{j=0}^{r} \varepsilon_j \mu^j$ with ε_j ∈ {−1, 0, 1} and thus $[k] = \sum_{j=0}^{r} [\varepsilon_j]\,\phi_2^j$. One can also proceed more simply by writing an element of Z[µ] as a + bµ and performing the Euclidean division of a and b by 2, replacing 2 by µ − µ².
6. Write 7 in base µ.
7. Write 7 in base 2.
8. What do you notice about the length of the expansion?
9. Conclude regarding the use in cryptography.
5.4.2 Solutions
Solution to Exercise 16. A curve E/F_q is anomalous if and only if its trace is a = (q + 1) − q = 1. The trace of E/F_{q²} equals 2q − a² = 2q − 1, which is always different from 1.
The Frobenius endomorphism φ_q on E/F_q satisfies φ_q² − φ_q + [q] = [0], whence the result by taking a Weierstrass model of the form y² = f(x).
Solution to Exercise 17. Let us carry out the verification:
$$W' = f(R')B + s'R' = f(R')B + s\,f(R')f(R)^{-1}z^{-1}R' = f(R')B + s\,f(R')f(R)^{-1}R = f(R')f(R)^{-1}(f(R)B + sR) = f(R')f(R)^{-1}W = f(R')f(R)^{-1}V.$$
Now
$$V' = m'A = m\,f(R')f(R)^{-1}A = f(R')f(R)^{-1}V,$$
so we have the equality.
If there is a hash function, one must, given an m' constructed as above, find a y' such that h(y') = m'. If the function h is well chosen, this is a hard problem.
Solution to Exercise 18.
1. It suffices to count the points on E_i; we then have #E_i(F_2) = 1 − t + 2.
2. These curves are not supersingular, since 2 does not divide the trace. This property remains true over every extension, since it is equivalent to #E_i[2](F̄_2) = 4. The MOV attack therefore does not work on these curves.
3. If P_i = (X − α)(X − β), the Weil polynomial over F_4 is (X − α²)(X − β²) = X² − (α² + β²)X + 4 with α² + β² = (α + β)² − 4 = −3. Hence #E_1(F_4) = #E_2(F_4) = 8.
4. No, since 1 < #E_i(F_2) | #E_i(F_{2^d}).
5. It is a drawback: since we want a large prime factor in the order of E_i(F_{2^d}), d has to be increased by at least 2 bits compared with the achievable optimum.
6.
$$7 = 1 + 3(\mu - \mu^2) = 1 + 3\mu - 3\mu^2 = 1 + \mu + (\mu - \mu^2)\mu - \mu^2 - (\mu - \mu^2)\mu^2 = 1 + \mu - 2\mu^3 + \mu^4 = 1 + \mu + \mu^5.$$
7. 7 = 1 + 2 + 2².
8. 5 > 2 · 2: it seems that the expansion is at least twice as long. Considering 2^{2n} = (µ − µ²)^{2n} = µ^{2n}(µ − 1)^{2n}, one sees that this is the case for infinitely many values.
9. The doubling of the expansion length is problematic, but it is counterbalanced by the speed of the Frobenius. Moreover, there exist algorithms that reduce the length of the expansion.
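The following Python script is an added example (not from the notes) for items 6 to 8 of Exercise 18: it represents Z[µ] as pairs (a, b) = a + bµ with µ² = µ − 2, expands an integer in base µ with digits in {−1, 0, 1} and evaluates the expansion back as a check. The digit rule used is Solinas' τ-adic non-adjacent form (a different choice from the hand computation above; for 7 it yields −1 − µ³ + µ⁵, also of length 6 against 3 binary digits). Function names are mine.

```python
# Added example (not from the notes): base-mu expansions for the Koblitz curve E_2,
# where mu is the root of P_2 = X^2 - X + 2, so mu^2 = mu - 2 and mu(1 - mu) = 2.
# Elements of Z[mu] are pairs (a, b) meaning a + b*mu.

def mu_times(e):
    """Multiply a + b mu by mu: a mu + b mu^2 = -2b + (a + b) mu."""
    a, b = e
    return (-2 * b, a + b)

def div_by_mu(e):
    """Exact division by mu, valid when a is even: 1/mu = (1 - mu)/2."""
    a, b = e
    if a % 2:
        raise ValueError("a + b mu is not divisible by mu")
    return (a // 2 + b, -(a // 2))

def tau_naf(k):
    """Digits eps_0, eps_1, ... in {-1, 0, 1} with k = sum eps_j mu^j and no two
    adjacent non-zero digits (Solinas' tau-adic NAF, here for mu^2 = mu - 2)."""
    e, digits = (k, 0), []
    while e != (0, 0):
        a, b = e
        if a % 2:
            eps = 2 - ((a - 2 * b) % 4)   # +1 or -1, chosen so that the next digit is 0
        else:
            eps = 0
        digits.append(eps)
        e = div_by_mu((a - eps, b))       # (a - eps) is even, so the division is exact
    return digits

def eval_expansion(digits):
    """Horner evaluation of sum eps_j mu^j, returned as (a, b) = a + b mu."""
    acc = (0, 0)
    for eps in reversed(digits):
        a, b = mu_times(acc)
        acc = (a + eps, b)
    return acc

def naf_ok(k):
    """True if the expansion of k evaluates back to k and has no adjacent non-zero digits."""
    d = tau_naf(k)
    return eval_expansion(d) == (k, 0) and all(d[i] == 0 or d[i + 1] == 0
                                               for i in range(len(d) - 1))

def expansion_lengths(k):
    """(binary length, base-mu length), to compare with items 7 and 8 of Exercise 18."""
    return (k.bit_length(), len(tau_naf(k)))

if __name__ == "__main__":
    d = tau_naf(7)
    print("7 =", " + ".join(f"({e})mu^{j}" for j, e in enumerate(d) if e))
    print("lengths (binary, base mu):", expansion_lengths(7))
```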
5.5 TD 5
5.5.1 Problems
Exercise 19. Consider the curve E/F_157: y² = x³ + 153x + 8 and two random points P, Q ∈ E(F_157).
1. Using the Weil pairing, check whether these two points are multiples of one another.
2. If so, taking inspiration from the MOV attack, solve the DLP Q = kP.
5.5.2 Solutions
Solution to Exercise 19. See TP.
6 Homework (Devoirs à la maison)
6.1 Homework 1: Elliptic curves over C and complex tori
Let Λ ⊂ C be a lattice, i.e. Λ = Zω_1 + Zω_2 with ω_i ∈ C linearly independent over R.
Definition 6.1.1. An elliptic function is a meromorphic function f(z) on C such that
f(z + ω) = f(z) for all ω ∈ Λ, z ∈ C.
Let the so-called Weierstrass ℘ function be defined by
$$\wp(z, \Lambda) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z + \omega)^2} - \frac{1}{\omega^2} \right).$$
Similarly, for every integer n > 0 we define the Eisenstein series
$$G_n = \sum_{\omega \in \Lambda \setminus \{0\}} \omega^{-n}.$$
We begin by showing that for n > 2 the Eisenstein series are absolutely convergent. Let F be a fundamental parallelogram for Λ: the vertices of this parallelogram are 0, ω_1, ω_2 and ω_1 + ω_2. Let D be the length of the longest diagonal of F.
1. Let ω = m_1ω_1 + m_2ω_2 ∈ Λ with |ω| ≥ 2D. Let x_1, x_2 be real numbers such that m_i ≤ x_i < m_i + 1. Show that ω and x_1ω_1 + x_2ω_2 differ by an element of F, then by the (reverse) triangle inequality that |m_1ω_1 + m_2ω_2| ≥ |x_1ω_1 + x_2ω_2| − D ≥ 0, and finally that
$$|m_1\omega_1 + m_2\omega_2| \ge \frac{2}{3}\,|x_1\omega_1 + x_2\omega_2|.$$
2. By comparing sums and integrals, show that
$$\sum_{|\omega| \ge 2D} \frac{1}{|\omega|^k} \le \iint_{|x_1\omega_1 + x_2\omega_2| \ge D} \frac{(3/2)^k}{|x_1\omega_1 + x_2\omega_2|^k}\,dx_1\,dx_2.$$
3. Using the change of variables x_1ω_1 + x_2ω_2 = u + iv and then passing to polar coordinates, show that the double integral is convergent.
4. Conclude.
We now study the function ℘.
5. Show that ℘ converges absolutely and uniformly on every compact subset C of C \ Λ. For this one may show that if M = sup(|z|, z ∈ C) and |ω| ≥ 2M then
$$\left| \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right| \le \frac{10M}{|\omega|^3},$$
then use the result on Eisenstein series.
6. Deduce that ℘ is an even meromorphic function with a pole at zero.
7. Similarly, show that the function $\wp' = d\wp(z, \Lambda)/dz = -2 \sum_{\omega \in \Lambda} \frac{1}{(z - \omega)^3}$ converges absolutely and uniformly on every compact set, and that it is an odd elliptic function.
8. Deduce, by integration and evaluation at the point ω/2, that ℘ is an elliptic function.
We now relate the functions ℘ and ℘' by a Weierstrass equation.
9. Show that around z = 0 we have
$$\wp(z) = \frac{1}{z^2} + \sum_{j=1}^{\infty} (2j + 1)\,G_{2j+2}\,z^{2j}.$$
10. Using the first terms of the expansions of ℘ and ℘' in z and Liouville's theorem (footnote 1), show that
$$\wp'(z)^2 = 4\wp(z)^3 - 60G_4\,\wp(z) - 140G_6.$$
With a bit more complex analysis, one can show that the map
$$u: \mathbb{C}/\Lambda \to E(\mathbb{C}),\qquad [z] \mapsto (x = \wp(z) : y = \wp'(z) : 1)\ \text{if } z \notin \Lambda,\qquad [z] \mapsto (0 : 1 : 0)\ \text{if } z \in \Lambda,$$
where E: y² = 4x³ − 60G_4x − 140G_6, is an isomorphism of Riemann surfaces and a group morphism for the natural structure on C/Λ, and that conversely, if E/C is an elliptic curve, there exists a lattice Λ such that C/Λ is isomorphic to E(C). This allows one in particular to see that over C,
$$E[m] \simeq \{k_1\omega_1/m + k_2\omega_2/m,\ k_1, k_2 \in [0, \dots, m-1]\} \simeq (\mathbb{Z}/m\mathbb{Z})^2.$$
Footnote 1: If f is a function defined and holomorphic on the whole complex plane, then f is constant as soon as it is bounded.
6.2 Homework 2: Number of elliptic curves over finite fields
Let k = F_p be a finite field with p > 3 elements. We are going to count the number of elliptic curves over k up to k-isomorphism.
1. Show that the elliptic curve E: y² = x³ + a, a ≠ 0, has j-invariant 0. Similarly, show that the elliptic curve E: y² = x³ + bx, b ≠ 0, has j-invariant 1728.
2. For j ∈ k \ {0, 1728}, give a simplified Weierstrass model y² = x³ + Ax + B of an elliptic curve E defined over k with this j-invariant. Deduce from the previous question that AB ≠ 0.
3. Deduce that the number of elliptic curves over k up to k̄-isomorphism is equal to p.
Thus, to enumerate the elliptic curves over k up to k-isomorphism, it suffices, for a fixed j-invariant, to determine the number of elliptic curves over k that are k̄-isomorphic without being k-isomorphic. Consider first the case j ≠ 0, 1728, and let E/k: y² = x³ + Ax + B be an elliptic curve with this j-invariant (hence AB ≠ 0).
4. Show that a k̄-isomorphism between E and E'/k: y'² = x'³ + A'x' + B' is given by x' = u²x and y' = u³y for u ∈ k̄^*. Deduce the expressions of A' and B' in terms of A and B.
5. Deduce an expression for u² in terms of A, B, A', B', and that u² ∈ k.
6. Check then that the set of isomorphism classes of elliptic curves with j-invariant j is in bijection with S_j = k^*/(k^*)².
7. Using the classical result (Z/pZ)^* ≅ Z/(p − 1)Z, deduce that #S_j = 2.
It remains to treat the cases j = 0 and j = 1728. Let us concentrate on the case j = 0 and choose the curve E_0: y² = x³ + 1, which has this j-invariant.
8. Using the form of the k̄-isomorphisms between simplified Weierstrass models, show that an elliptic curve E/k is k̄-isomorphic to E_0 if and only if it has a simplified Weierstrass model of the form E: y² = x³ + u⁶ with u ∈ k̄^* and u⁶ ∈ k.
9. Check then that the set of isomorphism classes of elliptic curves with j-invariant 0 is in bijection with S_j = k^*/(k^*)⁶.
10. Deduce that #S_j = gcd(6, p − 1).
11. By analogy, treat the case j = 1728 and give the global formula for the number of elliptic curves over k up to k-isomorphism.
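As an added example (not part of the homework), the following Python script counts the classes of question 11 by brute force for small p, grouping the pairs (A, B) into orbits under the scalings of question 4, and compares the result with the closed form that questions 7, 10 and 11 lead to, 2(p − 2) + gcd(6, p − 1) + gcd(4, p − 1); it also checks question 3 (exactly p distinct j-invariants). Function names are mine.

```python
# Added example (not from the homework): count elliptic curves y^2 = x^3 + A x + B over F_p
# up to F_p-isomorphism by brute force, i.e. count the orbits of (A, B) under the scalings
# A' = u^4 A, B' = u^6 B for u in F_p^* (question 4), and compare with the closed form
# 2(p - 2) + gcd(6, p - 1) + gcd(4, p - 1) that questions 7, 10 and 11 lead to.
from math import gcd

def distinct_j_invariants(p):
    """Number of distinct j = 1728 * 4A^3 / (4A^3 + 27B^2) over F_p (question 3: p)."""
    js = set()
    for A in range(p):
        for B in range(p):
            disc = (4 * A ** 3 + 27 * B * B) % p
            if disc:                                    # skip singular cubics
                js.add(1728 * 4 * A ** 3 * pow(disc, -1, p) % p)
    return len(js)

def isomorphism_classes(p):
    """Number of F_p-isomorphism classes of elliptic curves over F_p, p > 3."""
    scalings = [(pow(u, 4, p), pow(u, 6, p)) for u in range(1, p)]
    seen, classes = set(), 0
    for A in range(p):
        for B in range(p):
            if (4 * A ** 3 + 27 * B * B) % p == 0 or (A, B) in seen:
                continue                                # singular, or orbit already counted
            classes += 1
            for u4, u6 in scalings:                     # mark the whole orbit of (A, B)
                seen.add((u4 * A % p, u6 * B % p))
    return classes

def closed_form(p):
    """2 classes per j != 0, 1728, plus gcd(6, p-1) for j = 0 and gcd(4, p-1) for j = 1728."""
    return 2 * (p - 2) + gcd(6, p - 1) + gcd(4, p - 1)

if __name__ == "__main__":
    for p in (5, 7, 11, 13):
        print(p, distinct_j_invariants(p), isomorphism_classes(p), closed_form(p))
```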