Elliptic Curve Cryptography - UvA · As the title suggests, this thesis is about elliptic curve...


Elliptic Curve Cryptography

Tom Veerman

June 21, 2010

Master’s Thesis

Supervisor: Dr. B.J.J. Moonen

KdV Institute for Mathematics

Faculty of Science

University of Amsterdam


Abstract

In this thesis, we examine the mathematics behind elliptic curve cryptography. We first discuss the notion of public key cryptosystems (PKC), which are based on mathematical problems that take much time to solve. Elliptic curve cryptosystems form examples of PKC's, and are based on the discrete logarithm problem (DLP). This is the problem of finding a number $k$ such that $kg = h$ for some elements $g, h$ in an abelian group. We examine the difficulty of this problem by investigating some algorithms for solving it, namely the baby-step giant-step algorithm, the Pollard $\rho$-algorithm, index calculus on $\mathbb{F}_p^*$, and also the Pohlig-Hellman algorithm that speeds up finding discrete logarithms.

We also treat some theory about elliptic curves, especially the ones over finite fields. Important for cryptographic purposes, and therefore included in this thesis, are torsion points, the Weil pairing from torsion points to roots of unity, Schoof's algorithm for determining the number of points, and supersingular elliptic curves.

Finally we glue all the theory together, and define PKC's over elliptic curve groups. We also discuss the MOV algorithm, which uses the Weil pairing to translate a DLP on an elliptic curve to a DLP in the multiplicative group of a finite field. When the elliptic curve in question is supersingular, this algorithm is relatively fast, so this class of curves should be excluded from cryptographic use.

Keywords: cryptography, elliptic curves, discrete logarithm problem


Acknowledgement

Now that my thesis is finally finished, I would like to take a moment to thank my supervisor Ben Moonen. He has supported me very well throughout the entire process, by helping me to find an interesting topic, handing me good literature, discussing the theory with me so I could get a good grasp on it, and reading and commenting on my writings. I really appreciate all the effort he has put into this project.


Contents

Acknowledgement 2

1 Introduction 4

2 Public Key Cryptography 6
2.1 Encryption schemes 6
2.2 Public key cryptosystems 6
2.3 The discrete logarithm problem 7
2.4 Examples of public key cryptosystems based on the DLP 8
2.5 Algorithms for solving the DLP 10

3 Elliptic Curves 16
3.1 Elliptic curves as sets 16
3.2 The group structure of an elliptic curve 16
3.3 Torsion groups on elliptic curves 17
3.4 The Weil pairing 18
3.5 Elliptic curves over finite fields 19
3.6 Division polynomials and a formula for [m] 19
3.7 Schoof's algorithm 20
3.8 Supersingular elliptic curves 22

4 Elliptic Curve Cryptography 24
4.1 Diffie-Hellman and ElGamal over elliptic curve groups 24
4.2 Security of PKC's based on elliptic curves 24
4.3 The MOV algorithm 25
4.4 The MOV algorithm in action 27

5 Conclusion 29

A Appendix: Background Information 30
A.1 Running time of algorithms 30
A.2 Divisors 31

References 32


1 Introduction

As the title suggests, this thesis is about elliptic curve cryptography. An elliptic curve is a non-singular projective curve, given by a cubic equation over an arbitrary field. It turns out that we can define a group structure on elliptic curves, and this structure is quite complex.

We will use this special class of algebraic curves in the field of cryptography. This is the science of keeping communication secure, so that communicating parties can safely share secret information with each other. Although you may not be aware of it, cryptography is widely applied in everyday life. For instance, it is used when you send an e-mail to a friend, when you look into your financial records online, or when a doctor consults your medical records. Governments and militaries also rely heavily on cryptography to keep certain information classified, like attack orders or obtained intelligence.

In securing communication, several aspects can be distinguished. First, the message can be scrambled in such a way that only sender and receiver can obtain the information (confidentiality). Second, the sender and receiver can be identified, so that it is certain that these parties are who they claim to be (authentication). Finally, it can be ensured that the message was not edited while being sent (integrity). In this thesis, we only treat the scrambling of messages.

In the literature on cryptography, it is very common to name the communicating parties Alice and Bob. The adversary, who should not be able to access the secret information, is called Eve. In this thesis, we stick to that convention.

So Alice has some confidential information that she wants to share with Bob, but she does not want Eve to obtain it. We assume that Alice can only send messages over an insecure line, so Eve can retrieve everything that Alice sends. How can Alice keep her information secure? As mentioned before, this can be achieved by scrambling the message in such a way that only Bob can unscramble it.

To do this, Alice and Bob use an encryption scheme, which consists of six sets: one set of symbols that Alice may use for her original message, one set of symbols for the scrambled message, one set of encryption keys, one set of decryption keys, a set consisting of one encryption function for every encryption key, and finally a set with a decryption function for every decryption key. Furthermore, for every encryption function there should be a uniquely determined inverse in the set of decryption functions.

Alice and Bob use encryption schemes as follows. First they agree on an encryption scheme, then they choose an encryption key and the corresponding decryption key. After that, Alice composes a message consisting of allowed symbols. Then she encrypts it using the encryption function given by the encryption key, and sends the outcome to Bob. He then uses the decryption function to recover the original text.

Encryption schemes can be classified in two distinct categories: symmetric and asymmetric. We call an encryption scheme symmetric if the decryption key is identical to the encryption key, or can easily be determined from it. Otherwise, we call it asymmetric. Asymmetric encryption schemes give rise to public key cryptosystems, since it causes no problems if the encryption key is published, contrary to symmetric schemes.

Now in elliptic curve cryptography, we use groups defined by elliptic curves to build public key cryptosystems. It turns out that the complex group structure makes these encryption schemes very secure at this time: there is no known algorithm that solves the discrete logarithm problem on a general elliptic curve in polynomial or subexponential time. Therefore the group size can be kept relatively small compared to other kinds of encryption schemes with the same security level. This makes elliptic curve cryptography especially useful for small devices, like mobile phones.


In this thesis, we will examine the mathematics behind elliptic curve cryptography and shed some light on its security. It turns out that there is a special class of elliptic curves that should be excluded for cryptographic purposes: the supersingular curves. But to arrive at this result, we will have to do a lot of preliminary work.

In Section 2 we will examine public key cryptosystems (PKC's). First we will list the conditions that encryption schemes must meet in order to be usable. Then we will discuss how PKC's are built from asymmetric encryption schemes. All public key cryptosystems that we treat in this thesis are based on the difficulty of the discrete logarithm problem. Therefore we will define and examine this problem thoroughly, give examples of PKC's based on this problem, and finally explore some algorithms that solve it.

Section 3 will be dedicated to elliptic curves. We give a precise definition, and examine the group structure. Important aspects of elliptic curves are the torsion subgroups, on which we can define the Weil pairing. This pairing is at the heart of the MOV algorithm. After that, we discuss elliptic curves over finite fields, which of course yield finite groups. We will explain Schoof's algorithm, which computes the number of points of such a group. We finish the Section with the definition of supersingular curves, which form a class we must exclude for cryptographic use.

We will put all the theory together in Section 4. Here we will translate the previously defined PKC's to the language of elliptic curves. We will also discuss the MOV algorithm, which solves a DLP over an elliptic curve group in subexponential time if the chosen elliptic curve is supersingular. We end the thesis with an application of the MOV algorithm.

Finally, we have included an Appendix containing some background information on running times of algorithms and divisors on curves. We only give definitions and some properties there, without proofs.


2 Public Key Cryptography

2.1 Encryption schemes

In the introduction, we introduced the notion of an encryption scheme. We now make this idea mathematically precise. We use a definition like the one in [4].

Definition. An encryption scheme is a tuple $(\mathcal{P}, \mathcal{C}, \mathcal{K}_E, \mathcal{K}_D, \mathcal{E}, \mathcal{D})$, where $\mathcal{P}, \mathcal{C}, \mathcal{K}_E$ and $\mathcal{K}_D$ are arbitrary sets (not necessarily distinct), and $\mathcal{E}$ and $\mathcal{D}$ are sets of functions, such that for each $k \in \mathcal{K}_E$ there is a function $E_k : \mathcal{P} \to \mathcal{C}$ in $\mathcal{E}$, and for every $k \in \mathcal{K}_D$ there is a function $D_k : \mathcal{C} \to \mathcal{P}$ in $\mathcal{D}$. This tuple must satisfy the condition that for every $t \in \mathcal{K}_E$ there is a unique $s \in \mathcal{K}_D$ such that $D_s(E_t(p)) = p$ for all $p \in \mathcal{P}$.

The sets $\mathcal{P}, \mathcal{C}, \mathcal{K}_E, \mathcal{K}_D$ in the above definition are called the plaintext space, the ciphertext space, the encryption key space and the decryption key space respectively. The functions in $\mathcal{E}$ are encryption functions, and those in $\mathcal{D}$ are decryption functions.

The definition is quite technical, so we first give a well-known example of an encryption scheme in order to clarify it.

Example. Define $\mathcal{P} = \mathcal{C} = \mathcal{K}_E = \mathcal{K}_D = \mathbb{Z}/26\mathbb{Z}$ and let the encryption functions be given by $E_k(x) = x + k \bmod 26$ and the decryption functions by $D_k(y) = y - k \bmod 26$. It is not hard to see that these sets satisfy all conditions of an encryption scheme. This scheme is commonly known as the Caesar cipher, named after Julius Caesar, who used it for communication with his army.

Not every encryption scheme satisfies the needs of Alice and Bob. The tuple $(A, A, \{1\}, \{1\}, \{E_1 : x \mapsto x\}, \{D_1 : x \mapsto x\})$ is certainly an encryption scheme according to the definition. It is clear, however, that it does not give secure communication. One can thus ask which properties must be satisfied in order to get a 'good' encryption scheme.

The main purpose of encrypting messages is that someone who intercepts a message does not learn its original content. Therefore, it seems reasonable to demand from an encryption scheme that it should be hard to decrypt ciphertexts for someone who does not have the decryption key. So guessing or calculating the plaintext should be a difficult task. Furthermore, it should be easy to encrypt and decrypt for someone who does know the keys.

Obviously, if Eve is in possession of the decryption key, she can decrypt intercepted ciphertexts. So in addition it is desirable that decryption keys are hard to determine, even if some plaintexts and the corresponding ciphertexts are known to the adversary.

At first thought, it also seems a good idea that Alice and Bob keep the encryption scheme they use a secret. However, according to Kerckhoffs's principle (see Section 1.7.1 of [6], or [2]), the security of communication should not be based on the secrecy of the encryption scheme. In other words, Alice and Bob should presume that Eve knows which encryption scheme is used, and that only the key is secret.

Above I used the vague words 'difficult', 'hard' and 'easy'. It is not at all clear what is meant by these words. From now on, by an 'easy' problem we mean a problem that can be solved by some algorithm in polynomial time, and a problem is 'hard' if it cannot be solved in polynomial time. For the problems used in cryptography such hardness is not proven: 'hard' in practice means that no polynomial-time algorithm is known. Hard problems then take huge amounts of time to solve, while easy problems can be solved relatively fast. (See Appendix A.1 for some background information.)

2.2 Public key cryptosystems

When looking at the example of an encryption scheme in the previous Section, we notice that the encryption key and the decryption key are the same. When this happens for every encryption function, the encryption scheme is called symmetric. In this case, we usually do not distinguish between the encryption key and the decryption key, and we treat them as one object.

A big disadvantage of symmetric encryption schemes is that the chosen key must remain secret at all times. Even if the encryption scheme is highly sophisticated and extremely safe, once the key gets out in the open, security is breached.

The biggest security threat is the exchange of the key. When Alice and Bob communicate with each other about the key, there is often a possibility for Eve to intercept this key. She could for example listen in on the conversation, bribe the courier or tap an insecure line.

To overcome this disadvantage of symmetric encryption schemes, so-called public key cryptosystems were invented. A public key cryptosystem (or PKC) is based on an asymmetric encryption scheme, in which some (preferably many) encryption keys are different from their corresponding decryption keys. The idea behind a PKC is that Alice chooses an encryption key, which she publishes. Hence this key is public knowledge. She also determines the decryption key, but she keeps it to herself. Now Bob retrieves Alice's public key, and uses it to encrypt his message, which he sends to Alice. She can then decrypt Bob's message using her secret key. To get a secure cryptosystem this way, determining the secret key from the public key should be a hard problem.

To achieve this, we could try to relate the problem of determining the secret key to a mathematical problem which is believed to be difficult to solve. For example, the integer factorization problem is believed to be hard. According to [4] (Section 9.5), there are no polynomial time algorithms known today to factor large integers, although there do exist algorithms with subexponential running time. Another example of a problem that is believed to be hard is the discrete logarithm problem. We will treat this problem thoroughly in Section 2.3, and discuss some algorithms for solving it in Section 2.5.

2.3 The discrete logarithm problem

All PKC's we treat in this thesis are based on the difficulty of the discrete logarithm problem. We will now define this problem.

Let $G$ be an abelian (additive) group, and $g \in G$. Now suppose that $h \in \langle g \rangle \subset G$. We can ask ourselves which $k \in \mathbb{Z}$ satisfies the identity $kg = h$. Finding such a $k$ is the discrete logarithm problem. More generally:

Definition. Given an abelian group $G$ and $g, h \in G$, the problem of finding a $k \in \mathbb{Z}$ such that $kg = h$ (if it exists) is called the discrete logarithm problem (or DLP). Such an integer $k$ is called a discrete logarithm of $h$ to the base $g$.

If we write the identity of the DLP multiplicatively, it becomes $g^k = h$. In this notation, the use of the word logarithm is clearer. Notice that we speak of a discrete logarithm instead of the discrete logarithm. This number is not uniquely determined when the order of $g \in G$ is finite, say $n$. If $k$ is a solution of $kg = h$, then $k + an$ is also a solution for every $a \in \mathbb{Z}$. In other words, a discrete logarithm is uniquely determined modulo the order of the base. Therefore, we will regard discrete logarithms as elements of $\mathbb{Z}/n\mathbb{Z}$. Following the notation of [6], we sometimes write $\log_g(h)$ for the discrete logarithm of $h$ to base $g$, if it exists.

Example. Let $G$ be the group $\mathbb{Z}/n\mathbb{Z}$, and take the base $1 \in \mathbb{Z}/n\mathbb{Z}$. Then for every $h \in \mathbb{Z}/n\mathbb{Z}$, $h = h \cdot 1$. So $h$ is the discrete logarithm of $h$ to base $1$ in $\mathbb{Z}/n\mathbb{Z}$. Furthermore, if $a \in (\mathbb{Z}/n\mathbb{Z})^*$, then $\log_a(h) = a^{-1}h$.

Example. Let $G$ be the group $(\mathbb{Z}/11\mathbb{Z})^*$. We will try to determine a discrete logarithm of $10$ to the base $2$ in $(\mathbb{Z}/11\mathbb{Z})^*$. The most obvious way to do this is writing down all powers of $2$ in $\mathbb{Z}/11\mathbb{Z}$ until we hit $10$. Now

$$2^1 = 2,\quad 2^2 = 4,\quad 2^3 = 8,\quad 2^4 = 5,\quad 2^5 = 10.$$

Hence $\log_2(10) = 5$. Note that the discrete logarithm of $10$ to base $4$ does not exist in $(\mathbb{Z}/11\mathbb{Z})^*$, since $\langle 4 \rangle = \{1, 4, 5, 9, 3\}$ and $10 \notin \langle 4 \rangle$.

We see that in the group of the first example the DLP is not hard at all, since the group structure is completely apparent. In the second example, the group structure is much harder to grasp at first sight, which makes the problem harder. Hence we may say that the DLP can only be difficult if the structure of the underlying group is not apparent from the way its elements are represented.

We have seen that the difficulty of the DLP depends on the underlying group. In this thesis, we will focus on the groups of the form $(\mathbb{Z}/n\mathbb{Z})^*$, and on groups given by elliptic curves. In Section 2.5 we will encounter some general algorithms that solve the DLP in any group. Unfortunately, these algorithms are slow, in the sense that they take exponential time. For the groups of the form $\mathbb{F}_p^*$ there exists a considerably faster algorithm, index calculus, which we also discuss in Section 2.5. This algorithm takes subexponential time.

2.4 Examples of public key cryptosystems based on the DLP

In Section 2.2 we introduced the notion of a public key cryptosystem. Now we give two examples. Both are based on the DLP.

Diffie-Hellman key exchange

We have already seen that exchanging a secret key is a major problem in cryptosystems using a symmetric encryption scheme. The Diffie-Hellman key exchange protocol solves this problem, and serves as an example of a PKC.

Alice and Bob first agree on a prime number $p$ and an element $g \in \mathbb{F}_p^*$. Let $\mathrm{ord}(g) = n$. Alice chooses $a \in \mathbb{Z}/n\mathbb{Z}$, and she calculates $A = g^a$. She sends $A$ to Bob, and keeps $a$ secret. Note that $A$ becomes public knowledge. Bob chooses $b \in \mathbb{Z}/n\mathbb{Z}$, calculates $B = g^b$, and sends this number to Alice, while keeping $b$ to himself. Now Alice computes $B^a$, and Bob computes $A^b$. They both get the same result, since $A^b = (g^a)^b = (g^b)^a = B^a$. This element of $\mathbb{F}_p^*$ will be the key they use for encryption and decryption.

Example. Alice and Bob choose the number $170303$ and the element $123 \in (\mathbb{Z}/170303\mathbb{Z})^*$. (Note that $170303 = 7 \cdot 24329$ is not actually prime; the computations below are unaffected, since $(g^a)^b = (g^b)^a$ holds in any abelian group, but $\mathbb{Z}/170303\mathbb{Z}$ is not a field.) Alice now chooses the number $14$ as her secret key, and computes her public key $A = 123^{14} \equiv 104540 \pmod{170303}$ (this can be done efficiently using the square-and-multiply algorithm). Bob chooses secret key $9$, and sends $B = 123^9 \equiv 45207 \pmod{170303}$ to Alice. They can now compute $45207^{14} \equiv 67950 \equiv 104540^9 \pmod{170303}$, and this will be their secret key.

A naturally arising question now is whether or not this is a safe way of exchanging keys. Before answering it, let us summarize what is publicly known and what is not. The number $p$ and the element $g \in \mathbb{F}_p^*$ must be communicated, hence we may assume that Eve knows them too. The order $n$ is not sent, but it can be computed (it divides $p - 1$, and it can be found once $p - 1$ is factored). Furthermore, Eve can intercept $A$ and $B$. The numbers $a$ and $b$ however remain secret. Can Eve compute $g^{ab}$ from $p, g, n, A$ and $B$?

Definition. The problem of determining $g^{ab}$ in $\mathbb{F}_p$ from $p, g, n, A$ and $B$ is called the Diffie-Hellman problem (or DHP).


It is clear that if Eve can solve arbitrary discrete logarithm problems in $\mathbb{F}_p^*$, she can solve the Diffie-Hellman problem as well, since she can then determine $a$ from $A$ by solving a DLP, and next compute $B^a = g^{ab}$. Therefore, the DHP is no harder than the DLP. However, it is an open problem whether the DLP can be solved if the DHP can be solved. So we do not know if the DHP is exactly as difficult as the DLP.

ElGamal cryptosystem

The method of Diffie and Hellman is a 'safe' way of exchanging an encryption key. However, we cannot encrypt messages with it. We will now describe the ElGamal cryptosystem, which was designed for this purpose.

First, Bob and Alice settle on a prime number $p$. Then Alice chooses $g \in \mathbb{F}_p^*$ and some $a < \mathrm{ord}(g)$, and calculates $A = g^a \pmod p$. She publishes $g$ and $A$, and keeps the number $a$ secret. Bob has a message $m \in \mathbb{F}_p^* \setminus \{1\}$. He picks $k < \mathrm{ord}(g)$, computes $c_1 = g^k \pmod p$ and $c_2 = mA^k \pmod p$, and then sends the pair $(c_1, c_2)$ to Alice.

Example. Alice and Bob again choose the number $170303$ and the element $123 \in (\mathbb{Z}/170303\mathbb{Z})^*$. Alice now chooses the number $14$ as her secret key, and computes her public key $A \equiv 104540 \pmod{170303}$. Bob wants to encrypt $1000$. He picks the ephemeral key $k = 9$, and computes $c_1 \equiv 45207 \pmod{170303}$, $A^9 \equiv 67950 \pmod{170303}$ and $c_2 = 1000 \cdot 67950 \equiv 169406 \pmod{170303}$. Hence Alice receives $(45207, 169406)$ from Bob.

How can Alice recover Bob's message $m$ from $(c_1, c_2)$ using her secret key? The next Lemma answers this question.

Lemma 2.4.1. $c_1^{-a} \cdot c_2 \equiv m \pmod p$.

Proof. $c_1^{-a} \cdot c_2 \equiv (g^k)^{-a} \cdot mA^k \equiv (g^{ak})^{-1} \cdot g^{ak} \cdot m \equiv m \pmod p$.

From this Lemma we conclude that Alice can indeed retrieve Bob's message from the data he sends, using her secret key. In other words, for every encryption function there is a decryption function. Hence the method just described is a valid cryptosystem.

Now we will examine the security of the ElGamal cryptosystem. As before, we summarize what is publicly known and what is not. Alice and Bob communicate a prime number $p$ and an element $g \in \mathbb{F}_p^*$. We can again assume that the order $n$ of $g$ is also public knowledge. Besides that, $A = g^a$, $c_1 = g^k$ and $c_2 = mA^k$ are out in the open. The unknowns are $a$, $k$ and $m$. The main goal of Eve is of course to determine the secret message $m$.

Definition. The problem of determining $m$ in $\mathbb{F}_p$ from $p, g, A, c_1$ and $c_2$ is called the ElGamal problem (or EGP).

It is clear from Lemma 2.4.1 that if Eve knows $a$, she can easily determine $m$. Finding $a$ from $g, p$ and $A$ is a discrete logarithm problem. So the EGP is no harder than the DLP, just like the Diffie-Hellman problem. Unfortunately, it is again unknown whether it is just as hard to solve. However, the next Proposition shows that there is a close relation between solving the EGP and the DHP.

Proposition 2.4.2. Solving the Diffie-Hellman problem is just as hard as solving the ElGamal problem.

Proof. Suppose we can solve the DHP, that is, for arbitrary $a$ and $b$ we can determine $g^{ab}$ from $g^a$ and $g^b$. Furthermore assume that $g, p, A, c_1$ and $c_2$ are given. Now $m = c_1^{-a} c_2 \equiv g^{-ak} c_2 \pmod p$. But we can compute $g^{-a} = A^{-1}$, and we know $g^k = c_1$. Hence, by assumption, we can determine $g^{-ak}$. Therefore we can find $m$, and thus we can solve the EGP.

Now suppose we can solve the EGP, so from $c_1, c_2, g^a$ we can find $m$. And suppose that $g^a$ and $g^b$ are given. Pick an arbitrary $c_2 \neq 0$, and set $c_1 = g^b$. Then by assumption we can determine $m = c_1^{-a} c_2 \equiv g^{-ab} c_2 \pmod p$. And $g^{ab} \equiv c_2 m^{-1} \pmod p$, so we can solve the DHP.

If Eve knows the $k$ Bob chose, she can also solve the ElGamal problem, since $m = c_2 A^{-k}$. Finding $k$ from the known quantities again comes down to solving a DLP. However, Bob and Alice need to be careful here. If they use the same $p$, $g$, $A$ and $k$ for encrypting other, different messages, Eve can crack the system if she knows just one of the messages. This is true because $c_2 \equiv A^k m$ and $c_2' \equiv A^k m'$ imply $c_2 m^{-1} \equiv c_2' m'^{-1}$, from which we deduce $m' \equiv c_2' c_2^{-1} m \pmod p$. So Bob must discard $k$ after using it to encrypt a message, and choose a fresh random $k$ for every message.
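The Diffie-Hellman exchange and the ElGamal encryption and decryption of this Section, together with the reused-$k$ attack just described, carried out in Python with the numbers from the worked examples above (modulus $170303$, $g = 123$, $a = 14$, $b = 9$, $m = 1000$). This is an added example, not code from the thesis; the function names, the second plaintext $m' = 4242$ and the trial-division primality check are choices made here. The check confirms that $170303 = 7 \cdot 24329$ is composite, so these computations really take place in $(\mathbb{Z}/170303\mathbb{Z})^*$ rather than in a prime field, which changes none of the identities used.

```python
"""Diffie-Hellman key exchange, ElGamal encryption, and the reused-k attack
in the multiplicative group (Z/pZ)^*.  Added example; the parameters are
the ones from the thesis's worked examples (modulus 170303, base 123)."""

P, G = 170303, 123          # modulus and base from the thesis's example
A_SECRET, B_SECRET = 14, 9  # Alice's a, Bob's b (also Bob's ElGamal k)


def is_prime(n: int) -> bool:
    """Trial division; adequate for the 6-digit modulus used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def smallest_factor(n: int) -> int:
    """Smallest prime factor of n >= 2 (n itself when n is prime)."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            return d
        d += 1
    return n


# --- Diffie-Hellman -------------------------------------------------------
def dh_public(secret: int, g: int = G, p: int = P) -> int:
    """Public value g^secret mod p (pow() does square-and-multiply)."""
    return pow(g, secret, p)


def dh_shared(peer_public: int, secret: int, p: int = P) -> int:
    """Shared key peer_public^secret = g^(ab) mod p."""
    return pow(peer_public, secret, p)


# --- ElGamal --------------------------------------------------------------
def elgamal_encrypt(m: int, public_key: int, k: int, g: int = G, p: int = P):
    """Bob: (c1, c2) = (g^k, m * A^k) mod p.  k must be fresh for every message."""
    return pow(g, k, p), (m * pow(public_key, k, p)) % p


def elgamal_decrypt(c1: int, c2: int, a: int, p: int = P) -> int:
    """Alice, Lemma 2.4.1: m = c1^(-a) * c2 mod p (pow with -a needs Python 3.8+)."""
    return (pow(c1, -a, p) * c2) % p


def recover_with_reused_k(c2_known: int, m_known: int, c2_other: int, p: int = P) -> int:
    """Eve: if (A, k) was reused, c2 = A^k m and c2' = A^k m', hence
    m' = c2' * c2^(-1) * m mod p.  One known plaintext suffices; a and k stay unknown."""
    return (c2_other * pow(c2_known, -1, p) * m_known) % p


if __name__ == "__main__":
    A, B = dh_public(A_SECRET), dh_public(B_SECRET)
    print("A =", A, " B =", B, " shared =", dh_shared(B, A_SECRET))
    c1, c2 = elgamal_encrypt(1000, A, B_SECRET)
    print("ciphertext", (c1, c2), "decrypts to", elgamal_decrypt(c1, c2, A_SECRET))
    _, c2_other = elgamal_encrypt(4242, A, B_SECRET)   # same k reused for m' = 4242
    print("Eve recovers m' =", recover_with_reused_k(c2, 1000, c2_other))
    print("modulus prime?", is_prime(P), " smallest factor:", smallest_factor(P))
```

Running the script reproduces $A = 104540$, $B = 45207$, the shared key $67950$ and the ciphertext $(45207, 169406)$ from the examples above, and then shows Eve recovering $4242$ from the second ciphertext without ever learning $a$ or $k$.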

2.5 Algorithms for solving the DLP

In this Section we discuss some algorithms for solving the discrete logarithm problem. This should also give us an idea of how hard the DLP actually is.

Let $G$ be an abelian group, $g \in G$ an element of order $n$, and $h \in \langle g \rangle \subset G$. Of course, there is the naive algorithm to find $k$ with $kg = h$: we just compute all multiples of $g$ until the result is $h$. In the worst case we have to check $n$ multiples of $g$, hence the DLP can always be solved in $O(n)$ group operations.

The naive algorithm is quite slow, in the sense that it takes exponential time: the input size is the bit length $\log_2 n$ of the group order, and $n = 2^{\log_2 n}$ operations is exponential in that size. For big $n$ it becomes infeasible to run the algorithm. Can we do better than that? For general groups there exist some faster algorithms. However, these still take exponential time. We will discuss two of them: the baby-step giant-step algorithm and Pollard's $\rho$-algorithm.

The baby-step giant-step algorithm

Again, pick an abelian group $G$, an element $g \in G$ of order $n$, and some $h$ in the subgroup generated by $g$. Let $m = \lceil \sqrt{n} \rceil$. Now execute the following steps:

1. Make a list $L_1 = \{0, g, 2g, \ldots, mg\}$. If $h \in L_1$, we are done, otherwise go to the next step.

2. Make a list $L_2 = \{h, h - mg, h - 2mg, \ldots, h - m^2 g\}$. If $0 \in L_2$, we are done, otherwise go to the next step.

3. Determine $x \in L_1 \cap L_2$.

4. $x = ig = h - jmg$ for some $0 \le i, j \le m$, hence $h = (i + jm)g$.

Theorem 2.5.1. If $h \in \langle g \rangle$, the baby-step giant-step algorithm solves the DLP in $O(\sqrt{n} \cdot \log(n))$ steps.

Proof. We first show that the algorithm indeed gives the discrete logarithm of $h$ to base $g$ in $G$. Suppose $h \in L_1$; then $h = ig$ for some $i$, and we have found the discrete logarithm. Suppose $0 \in L_2$; then $h - jmg = 0$ for some $j$, so $h = jmg$, hence $jm$ is the discrete logarithm.

Now suppose that neither $h \in L_1$ nor $0 \in L_2$. We have assumed $h \in \langle g \rangle$, so the discrete logarithm of $h$ to base $g$ exists. Hence $h = kg$ for some $0 \le k < n$. We can write $k = qm + r$ for some $q \le m$ and $r < m$ (division with remainder). Hence $h = (qm + r)g$, so $h - qmg = rg$. Now $h - qmg \in L_2$ and $rg \in L_1$, so the intersection is non-empty. From the element in the intersection we can compute the discrete logarithm, so the algorithm indeed solves the DLP.

Now we determine the running time. For step 3, two lists have to be compared. Sorting one list and doing a binary search for each element of the other takes in the worst case $O(m \log(m))$ steps (see [1]). Making the first list takes $m$ group operations, and the same holds for the second list. In total $2m$ group operations are to be done. So the algorithm needs $O(m \log(m) + 2m) = O(\sqrt{n} \cdot \log(n))$ steps.

The baby-step giant-step algorithm solves the DLP significantly faster than the naive algorithm. Unfortunately, it still takes exponential time. Another downside is that this algorithm can require a lot of memory, since two lists of about $\sqrt{n}$ elements need to be stored.
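The four steps above, implemented in Python for the multiplicative group $\mathbb{F}_p^*$ (so $ig$ becomes $g^i$ and $h - jmg$ becomes $h \cdot g^{-jm}$). This is an added example, not the thesis's code. It replaces the sorted-list comparison of step 3 by a hash table of the baby steps and generates the giant steps one at a time, so only $L_1$ has to be stored; the function name and the test parameters $p = 1019$, $g = 2$ are choices made here. On the example of Section 2.3 it returns $\log_2(10) = 5$ in $(\mathbb{Z}/11\mathbb{Z})^*$ and reports that $\log_4(10)$ does not exist.

```python
"""Baby-step giant-step for the DLP in F_p^*: find k with g^k = h (mod p).
Added example, in multiplicative notation (the thesis writes kg = h)."""
from math import isqrt


def bsgs_dlog(g: int, h: int, p: int, n: int):
    """Return k with g^k = h (mod p), reduced modulo n, or None if h is not in <g>.

    n must be the order of g or a multiple of it (p - 1 always works when p is
    prime).  Cost: about 2*sqrt(n) multiplications and a table of sqrt(n) entries.
    """
    m = isqrt(n - 1) + 1                 # m = ceil(sqrt(n))

    # Baby steps: L1 = {g^0, g^1, ..., g^m} stored as a hash table g^i -> i.
    baby = {}
    x = 1
    for i in range(m + 1):
        baby.setdefault(x, i)            # keep the smallest exponent per element
        x = (x * g) % p

    # Giant steps: L2 = {h * g^{-jm} : j = 0..m}, produced one at a time.
    # A hit h * g^{-jm} = g^i gives h = g^{i + jm}  (step 4 above).
    giant = pow(g, -m, p)                # g^{-m}; pow(x, -e, p) needs Python 3.8+
    y = h % p
    for j in range(m + 1):
        if y in baby:
            return (baby[y] + j * m) % n
        y = (y * giant) % p
    return None                          # no collision: h is not a power of g


if __name__ == "__main__":
    print(bsgs_dlog(2, 10, 11, 10))      # 5, the example of Section 2.3
    print(bsgs_dlog(4, 10, 11, 10))      # None: 10 is not in <4>
    p, g = 1019, 2                       # 1019 is prime, so n = p - 1 is valid
    h = pow(g, 777, p)
    k = bsgs_dlog(g, h, p, p - 1)
    print(k, pow(g, k, p) == h)
```

The table lookup is $O(1)$ on average, so in practice the $\log(n)$ factor of Theorem 2.5.1 disappears and the cost is dominated by the $2m$ multiplications; the $\sqrt{n}$ memory, however, remains.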

Pollard ρ-algorithm

Another algorithm for solving the DLP is the Pollard $\rho$-algorithm. It is slightly faster than the baby-step giant-step method, and it needs much less storage.

Suppose the identity $kg = h$ holds in some abelian group $G$. Split the group $G$ into three pairwise disjoint subsets $G_1, G_2, G_3$ whose union is $G$. Define a function $f : G \to G$ as follows:

$$f(x) = \begin{cases} g + x & \text{if } x \in G_1 \\ 2x & \text{if } x \in G_2 \\ h + x & \text{if } x \in G_3 \end{cases}$$

Now pick a random $a_0$ with $0 \le a_0 < n = \mathrm{ord}_G(g)$, and set $x_0 = a_0 g$. This $x_0$ is the first element of a sequence $(x_0, x_1, x_2, \ldots)$, defined by the recursive relation $x_{i+1} = f(x_i)$. Every entry of this sequence can be written as a linear combination of $g$ and $h$, so $x_i = a_i g + b_i h$. We know $a_0$, and of course $b_0 = 0$. The $a_i$'s and $b_i$'s can be determined for $i > 0$ by the following recursive relations:

$$a_{i+1} = \begin{cases} a_i + 1 \pmod n & \text{if } x_i \in G_1 \\ 2a_i \pmod n & \text{if } x_i \in G_2 \\ a_i \pmod n & \text{if } x_i \in G_3 \end{cases}
\qquad
b_{i+1} = \begin{cases} b_i \pmod n & \text{if } x_i \in G_1 \\ 2b_i \pmod n & \text{if } x_i \in G_2 \\ b_i + 1 \pmod n & \text{if } x_i \in G_3 \end{cases}$$

Since we are working in a finite group, eventually some entry of the sequence will have occurred before. More precisely, there is some $i \ge 0$ and some $t \ge 1$ such that $x_{i+t} = x_i$. Then by definition of the function $f$, we have $x_{(i+1)+t} = x_{i+1}$, $x_{(i+2)+t} = x_{i+2}$, and so on. In other words, the sequence enters a loop, starting from the smallest $m$ for which $x_m$ is repeated. The size of the loop equals the smallest positive $t$ for which $x_{i+t} = x_i$.

The fact that a subsequence repeats itself comes in handy for us. If $x_i = x_{i+t}$, then $a_i g + b_i h = a_{i+t} g + b_{i+t} h$. We can rewrite this to $(a_i - a_{i+t})g = (b_{i+t} - b_i)h$, and by assumption this is equivalent to $(a_i - a_{i+t})g = (b_{i+t} - b_i)kg$. From this we conclude $a_i - a_{i+t} \equiv (b_{i+t} - b_i)k \pmod n$.

Now set $v = a_i - a_{i+t}$ and $w = b_{i+t} - b_i$. We thus have the congruence

$$wk \equiv v \pmod n \qquad (1)$$

If $w$ is invertible modulo $n$ (or equivalently, if $\gcd(w, n) = 1$), then the discrete logarithm $k$ can be computed as $k \equiv vw^{-1} \pmod n$. So suppose $d = \gcd(w, n) \ge 2$. We can find an integer $s$ satisfying $sw \equiv d \pmod n$ (by the extended Euclidean algorithm). Now multiply both sides of (1) by this $s$ to get

$$dk \equiv sv \pmod n \qquad (2)$$

But we know that $d \mid n$. Now $dk = sv + qn$ for some $q$, so $d \mid n$ implies $d \mid sv$. Therefore $k = (sv + qn)/d$ is an integer, and it is a solution of congruence (2) for every $0 \le q \le d - 1$. For some $q$, this $k$ also satisfies congruence (1), and this $k$ is a discrete logarithm of $h$ to base $g$. (If $w \equiv 0 \pmod n$, the collision gives no information about $k$, and the algorithm has to be restarted with a different $a_0$.)

Let us summarize the steps we have taken to find the discrete logarithm:

1. Define the function $f$, based on $g$ and $h$.

2. Pick some $a_0$ and compute $x_0$.

3. If $x_i$ is known, compute $x_{i+1} = f(x_i)$. If $x_{i+1}$ has already occurred before, we move on to the next step. Otherwise, repeat this step.

4. Solve the congruence $a_i - a_{i+t} \equiv (b_{i+t} - b_i)k \pmod n$ obtained from the previous step.

We have seen that this algorithm solves the discrete logarithm problem. But in this form, it still requires a lot of storage, since every x_i has to be stored. But there is a clever solution for this memory problem. Besides the sequence (x_0, x_1, x_2, . . .), we make another sequence (y_0, y_1, y_2, . . .), where y_0 = x_0 and y_{i+1} = f(f(y_i)). Hence y_i = x_{2i}.

When we make these sequences, we discard every x_i and y_i from our memory that do not satisfy x_i = y_i (of course, after computing x_{i+1} and y_{i+1}). So only two group elements have to be stored at all times. Once we’ve found the desired i, we have x_i = y_i = x_{2i}, and we have a repetition in our original sequence.

One can ask if this procedure slows down the process of finding the discrete logarithm. The answer is no. In our original algorithm, the sequence gets into a loop after m steps, and the loop itself takes t steps, so it takes m + t steps to find a repetition. In the ‘improvement’, we need to find i for which x_i = x_{2i}. This happens if i ≥ m and i ≡ 2i (mod t). The congruence implies that t divides i. But one of m, m + 1, m + 2, . . . , m + t − 1 is divisible by t. Hence x_{2i} = x_i for some 1 ≤ i < t + m. Hence our improvement does not slow down the process.

The actual speed of the algorithm depends on chance, since it depends on the random a_0, and the (random) partition of G. The expected value of m + t is approximately 1.25√n. A proof of this can be found in Section 4.4 of [6]. So it is likely that the Pollard ρ-algorithm takes O(√n) steps.
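The walk, the two-sequence trick (x_i against y_i = x_{2i}) and the congruence solving above, as an added Python example that is not part of the thesis. The group is F_p^* written multiplicatively (so kg = h reads g^k = h); the partition into G_1, G_2, G_3 by x mod 3 and the small prime p = 1019 are constructed choices.

```python
from math import gcd
import random


def pollard_rho_dlog(g, h, p, n, seed=0):
    """One run of Pollard's rho: find k with pow(g, k, p) == h, where g has
    order n in F_p^* and h lies in the subgroup generated by g.

    Returns None when this particular walk gives no usable congruence
    (w = 0 or a spurious collision); the caller then retries with a new a_0.
    """
    rng = random.Random(seed)

    def f(x, a, b):
        # x = g^a * h^b; the partition G1, G2, G3 is x mod 3 (constructed choice)
        r = x % 3
        if r == 0:                                  # G1: x -> x*g,  a -> a + 1
            return (x * g) % p, (a + 1) % n, b
        if r == 1:                                  # G2: x -> x^2,  a -> 2a, b -> 2b
            return (x * x) % p, (2 * a) % n, (2 * b) % n
        return (x * h) % p, a, (b + 1) % n          # G3: x -> x*h,  b -> b + 1

    a0 = rng.randrange(n)
    x, a, b = pow(g, a0, p), a0, 0                  # x_0 = g^{a_0}, b_0 = 0
    y, c, d = x, a, b                               # y_0 = x_0
    while True:                                     # compare x_i with y_i = x_{2i}
        x, a, b = f(x, a, b)                        # x_{i+1} = f(x_i)
        y, c, d = f(*f(y, c, d))                    # y_{i+1} = f(f(y_i))
        if x == y:
            break
    # g^a h^b = g^c h^d  =>  (a - c) = (d - b) * k  (mod n), i.e. w*k = v (mod n)
    v = (a - c) % n
    w = (d - b) % n
    if w == 0:
        return None
    dd = gcd(w, n)
    if dd == 1:
        return (v * pow(w, -1, n)) % n              # k = v * w^{-1} mod n
    # w not invertible: pick s with s*w = dd (mod n); then dd*k = s*v (mod n)
    # and dd | s*v, so k = (s*v + q*n)/dd for some 0 <= q < dd.
    s = pow(w // dd, -1, n // dd)
    sv = (s * v) % n
    if sv % dd != 0:
        return None
    for q in range(dd):
        k = (sv + q * n) // dd
        if pow(g, k, p) == h:                       # the q that also satisfies (1)
            return k % n
    return None


def dlog(g, h, p, n, tries=32):
    """Retry the rho walk with fresh random starting exponents a_0."""
    for seed in range(tries):
        k = pollard_rho_dlog(g, h, p, n, seed)
        if k is not None:
            return k
    raise ValueError("no discrete logarithm found; is h in <g>?")


if __name__ == "__main__":
    # constructed parameters: 1019 is prime and 2 generates F_1019^*, of order 1018
    p, g, n = 1019, 2, 1018
    print(dlog(g, pow(g, 777, p), p, n))            # 777
```

Because n = 1018 = 2 · 509 is composite, some walks end with gcd(w, n) = 2 and exercise the candidate enumeration for congruence (2).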

The Pohlig-Hellman algorithm

The next algorithm that we present here does not solve the DLP itself. However, it does speed up other algorithms (like the ones presented before) when the order of g is a composite number. But first, we’ll give a method that speeds up an algorithm when the order of g is a power of a prime.

So suppose that we know an algorithm that finds k satisfying kg = h in an abelian group G in O(S_p) steps, where p = ord_G(g) is prime. Here S_p is some function of p. For example, for Pollard’s ρ-algorithm, S_p = √p.

Now assume that g ∈ G has order p^e, and that we are trying to find k such that kg = h for some h. It is well-known (Theorem 1.3.3 of [4]) that we can uniquely write k as

k = k_0 + k_1 p + . . . + k_{e−1} p^{e−1}, with 0 ≤ k_i < p, (3)

since k < p^e. We will try to determine the coefficients of this expression. Since g has order p^e, the element p^{e−1}g has order p. Then

$$p^{e-1}h = p^{e-1}kg = p^{e-1}(k_0 + k_1 p + \ldots + k_{e-1}p^{e-1})g = p^{e-1}k_0 g + p^e g\,(k_1 + \ldots + k_{e-1}p^{e-2}) = k_0(p^{e-1}g)$$


and the equation k_0(p^{e−1}g) = p^{e−1}h is a DLP. So it can be solved by our assumed algorithm in O(S_p) steps. In other words, we can find the first coefficient of expression (3).

Next we compute

$$p^{e-2}h = p^{e-2}kg = p^{e-2}(k_0 + k_1 p + \ldots + k_{e-1}p^{e-1})g = p^{e-2}k_0 g + p^{e-1}k_1 g + p^e g\,(k_2 + \ldots + k_{e-1}p^{e-3}) = k_0 p^{e-2}g + k_1(p^{e-1}g)$$

Note that we already know k_0, hence we can compute h_1 = p^{e−2}h − k_0 p^{e−2}g = p^{e−2}(h − k_0 g). And since p^{e−1}g has order p, we can solve the DLP k_1(p^{e−1}g) = h_1 to get the second coefficient of (3).

We can of course continue in this fashion. Assuming we have already computed k_0, . . . , k_i, we solve k_{i+1}(p^{e−1}g) = p^{e−i−2}(h − (k_0 + k_1 p + . . . + k_i p^i)g) with the assumed algorithm. In total, we have to apply the algorithm e times to obtain all coefficients of (3). Each application takes O(S_p) steps, therefore this method takes O(eS_p) steps.

If we use the Pollard ρ-algorithm, it takes O(√(p^e)) steps to solve the DLP if g has order p^e. Using the method described above, we can reduce the number of steps to O(e√p). This is a significant improvement when e ≥ 2.

Now suppose kg = h in an abelian group G, with n = p_1^{e_1} · p_2^{e_2} · . . . · p_t^{e_t} = ord_G(g). Compute k as follows:

1. For each 1 ≤ i ≤ t, let g_i = (n/p_i^{e_i}) g and h_i = (n/p_i^{e_i}) h, and solve k_i g_i = h_i using the method described above.

2. Solve the system k ≡ k_1 (mod p_1^{e_1}), . . . , k ≡ k_t (mod p_t^{e_t}) using the Chinese remainder theorem.

This method is known as the Pohlig-Hellman algorithm. If we assume that solving the DLP for some base g with prime order p takes O(S_p) steps, we get the following theorem:

Theorem 2.5.2. If h ∈ ⟨g⟩, the Pohlig-Hellman algorithm will solve the DLP in O(∑_{i=1}^t e_i S_{p_i} + log_2(n)) steps.

Proof. Suppose x is a solution for the system of congruences in step 2. Then for every i, we can write x = x_i + q_i p_i^{e_i} for some q_i. Thus we can compute

$$\frac{n}{p_i^{e_i}}(xg) = \frac{n}{p_i^{e_i}}\big((x_i + q_i p_i^{e_i})g\big) = \frac{n x_i}{p_i^{e_i}}\,g + q_i n g = x_i g_i = h_i = \frac{n}{p_i^{e_i}}\,h$$

Hence (n/p_i^{e_i})x ≡ (n/p_i^{e_i})k (mod n), since discrete logarithms are only defined modulo the order of g. Now the numbers (n/p_1^{e_1}), . . . , (n/p_t^{e_t}) are pairwise relatively prime. Hence we can find c_1, . . . , c_t, such that

$$\sum_{i=1}^t c_i\,(n/p_i^{e_i}) = 1.$$

From (n/p_i^{e_i})x ≡ (n/p_i^{e_i})k (mod n) for all i we can deduce

$$\sum_{i=1}^t c_i\,(n/p_i^{e_i})\,x \equiv \sum_{i=1}^t c_i\,(n/p_i^{e_i})\,k \pmod n$$


And from this, we can conclude that x ≡ k (mod n). So the algorithm indeed produces a discrete logarithm of h to base g.

Solving the system of congruences in step 2 can be done in O(log_2(n)) steps (see Section 2.15 of [4]), and each DLP of step 1 can be solved in O(e_i S_{p_i}) steps. So indeed, the Pohlig-Hellman algorithm takes O(∑_{i=1}^t e_i S_{p_i} + log_2(n)) steps.
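The prime-power reduction (digits k_0, k_1, . . . of k) and the Chinese-remainder step of the Pohlig-Hellman algorithm, as an added Python example that is not from the thesis. The assumed O(S_p) prime-order algorithm is baby-step giant-step; the groups F_1019^* (order 2 · 509, generated by 2) and F_257^* (order 2^8, generated by 3) are constructed test cases.

```python
from math import isqrt


def bsgs(g, h, p, order):
    """Baby-step giant-step: k with g^k = h in F_p^*, for g of the given order.
    This plays the role of the assumed O(S_p) algorithm for a prime-order base."""
    m = isqrt(order) + 1
    baby = {pow(g, j, p): j for j in range(m)}            # g^j -> j
    giant = pow(pow(g, m, p), -1, p)                      # g^{-m}
    cur = h
    for i in range(m):                                    # is h * g^{-im} some g^j ?
        if cur in baby:
            return (i * m + baby[cur]) % order
        cur = (cur * giant) % p
    raise ValueError("h is not in the subgroup generated by g")


def dlog_prime_power(g, h, p, q, e):
    """k with g^k = h when g has order q^e, digit by digit:
    k = k_0 + k_1 q + ... + k_{e-1} q^{e-1}, each k_i from a DLP of prime order q."""
    gq = pow(g, q ** (e - 1), p)                          # q^{e-1} g, of order q
    k = 0
    for i in range(e):
        # h_i = q^{e-i-1} (h - (k_0 + ... + k_{i-1} q^{i-1}) g), multiplicatively
        hi = pow((h * pow(g, -k, p)) % p, q ** (e - i - 1), p)
        k += bsgs(gq, hi, p, q) * q ** i
    return k


def factor(n):
    """Trial division: n = prod p_i^{e_i} as a list of (p_i, e_i)."""
    out, d = [], 2
    while d * d <= n:
        e = 0
        while n % d == 0:
            n //= d
            e += 1
        if e:
            out.append((d, e))
        d += 1
    if n > 1:
        out.append((n, 1))
    return out


def crt(residues, moduli):
    """x with x = r_i (mod m_i) for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, mi)) % mi)
        m *= mi
    return x % m


def pohlig_hellman(g, h, p, n):
    """k with g^k = h where n = ord(g) = p_1^{e_1} ... p_t^{e_t}."""
    residues, moduli = [], []
    for q, e in factor(n):                                # step 1
        mod = q ** e
        gi = pow(g, n // mod, p)                          # g_i = (n / q^e) g, order q^e
        hi = pow(h, n // mod, p)                          # h_i = (n / q^e) h
        residues.append(dlog_prime_power(gi, hi, p, q, e))
        moduli.append(mod)
    return crt(residues, moduli)                          # step 2


if __name__ == "__main__":
    # constructed groups: 2 generates F_1019^* (order 2 * 509), 3 generates F_257^* (order 2^8)
    print(pohlig_hellman(2, pow(2, 777, 1019), 1019, 1018))   # 777
    print(pohlig_hellman(3, pow(3, 123, 257), 257, 256))      # 123
```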

Index calculus in F_p^*

For general groups, the only algorithms known to solve the DLP take exponential time. For some specific groups however, there do exist faster algorithms. We will now describe index calculus on F_p^*, which solves the DLP in subexponential time. For details we refer to Section 3.8 of [6].

First we need some definitions:

Definition. Let n, B ∈ N. Then n is called B-smooth if every prime factor of n is smaller than or equal to B. If x ∈ (Z/nZ)^*, then x is called B-smooth if its smallest positive representative in N is B-smooth.

Definition. Let π : N → N be the function that assigns to each n ∈ N the number of primes smaller than or equal to n.

Let g ∈ F_p^* be an element of order p − 1. Our first goal is to determine log_g(ℓ) for small primes ℓ. Let ḡ_i be the smallest positive representative of g^i. If ḡ_i is B-smooth for some number B, we can write

$$g^i \equiv \bar g_i \equiv \prod_{\ell \le B} \ell^{e_\ell(i)} \pmod p$$

and therefore,

$$i \equiv \sum_{\ell \le B} e_\ell(i) \cdot \log_g(\ell) \pmod{p-1}.$$

Note that this gives a linear equation in ‘log_g(ℓ)’ with ℓ prime. So if the number of B-smooth ḡ_i’s exceeds π(B), we get a system of linear equations with a unique solution. We expect to find π(B) numbers that are B-smooth in subexponential time (Proposition 3.47 of [6]).

Once we have determined the ‘log_g(ℓ)’, finding k such that g^k = h in F_p^* is easy. We first search for a j, with 0 < j < p − 1, such that hg^{−j} is B-smooth. We only need one j, so we expect to find it quite fast. The B-smoothness implies

$$hg^{-j} \equiv \prod_{\ell \le B} \ell^{e_\ell} \pmod p.$$

Thus

$$\log_g(h) \equiv j + \sum_{\ell \le B} e_\ell \cdot \log_g(\ell) \pmod{p-1}.$$

And we have found the discrete logarithm we wanted.

The method described above also works in other groups, as long as the concept of B-smoothness exists. At this time, it is not known whether elliptic curve groups described in Section 3 have B-smoothness. According to [8], there is also no index calculus possible in F_{p^k}^* if p > 2 and k > 1.
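The relation collection, the linear system in the ‘log_g(ℓ)’ and the final step of index calculus above, as an added Python example that is not from the thesis. It assumes the constructed safe prime p = 1019 (p − 1 = 2 · 509), so that the system modulo the composite p − 1 can be solved modulo 2 and modulo 509 separately and recombined by the Chinese remainder theorem; B = 20 is the constructed smoothness bound.

```python
P, Q = 1019, 509                  # constructed safe prime: P - 1 = 2 * Q with Q prime
B = 20
PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]   # factor base: the primes <= B, so pi(B) = 8


def smooth_exponents(n):
    """Exponents e_l of n over the factor base, or None if n is not B-smooth."""
    exps = []
    for l in PRIMES:
        e = 0
        while n % l == 0:
            n //= l
            e += 1
        exps.append(e)
    return exps if n == 1 else None


def find_generator(p, q):
    """Smallest g of order p - 1 = 2q, i.e. g^2 != 1 and g^q != 1 (mod p)."""
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)


def solve_mod_prime(rows, ncols, m):
    """Gauss-Jordan over F_m on augmented rows [c_1, ..., c_ncols, rhs].
    Returns the unique solution, or None if some column has no pivot yet."""
    rows = [[v % m for v in r] for r in rows]
    piv = 0
    for col in range(ncols):
        r = next((i for i in range(piv, len(rows)) if rows[i][col]), None)
        if r is None:
            return None
        rows[piv], rows[r] = rows[r], rows[piv]
        inv = pow(rows[piv][col], -1, m)
        rows[piv] = [(v * inv) % m for v in rows[piv]]
        for i in range(len(rows)):
            if i != piv and rows[i][col]:
                fct = rows[i][col]
                rows[i] = [(a - fct * b) % m for a, b in zip(rows[i], rows[piv])]
        piv += 1
    return [rows[i][ncols] for i in range(ncols)]


def factor_base_logs(g):
    """log_g(l) mod P-1 for each l in PRIMES, from relations i = sum_l e_l(i) log_g(l)."""
    rows = []
    for i in range(1, P - 1):
        exps = smooth_exponents(pow(g, i, P))      # representative of g^i B-smooth?
        if exps is None:
            continue
        rows.append(exps + [i])                     # one linear relation, rhs = i
        if len(rows) < len(PRIMES):
            continue
        # P - 1 = 2 * Q is composite, so solve modulo the primes 2 and Q separately
        sol2 = solve_mod_prime(rows, len(PRIMES), 2)
        solq = solve_mod_prime(rows, len(PRIMES), Q)
        if sol2 is not None and solq is not None:
            # CRT: x = xq (mod Q), x = x2 (mod 2); Q is odd, so Q^{-1} = 1 (mod 2)
            return [(xq + Q * ((x2 - xq) % 2)) % (P - 1) for x2, xq in zip(sol2, solq)]
    raise RuntimeError("not enough independent relations")


def index_calculus_dlog(g, h):
    """k with g^k = h (mod P): find j with h * g^-j B-smooth, then read off the log."""
    logs = factor_base_logs(g)
    for j in range(1, P - 1):
        exps = smooth_exponents((h * pow(g, -j, P)) % P)
        if exps is not None:
            return (j + sum(e * lg for e, lg in zip(exps, logs))) % (P - 1)
    raise ValueError("h is not in the group")


if __name__ == "__main__":
    g = find_generator(P, Q)
    k = index_calculus_dlog(g, 987)
    print(g, k, pow(g, k, P) == 987)
```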


Consequences for cryptography

We have seen four algorithms in this Section that solve the discrete logarithm problem in general groups. The discovery of a fast algorithm is a cryptographer’s worst nightmare, since it makes cryptosystems less secure. These security issues have to be dealt with, in order to keep some kind of security. Luckily, until now, there are no known algorithms that solve the DLP for general groups in polynomial time. But the exponential time algorithms do place some restrictions on the groups, elements and exponents we use.

For example, we have already mentioned that the naive algorithm forces us to use elements with very large order. The order should be > 2^80 according to [6]. Also, the exponent needs to be large. But the baby-step giant-step algorithm and the Pollard ρ-algorithm dramatically reduced the number of steps needed to solve the DLP. So in order to keep cryptosystems secure, the order of the base needs to be dramatically larger, > 2^160 to be precise.

That’s not all. The Pohlig-Hellman algorithm also influences our choices. When the order of the base element is a product of small primes, this algorithm makes the DLP quite easy to solve. Hence the order of the base should have at least one enormous prime factor, larger than 2^160.

It is also a bad idea to use F_p^* for cryptographic purposes, especially when p is small, since then index calculus will give a discrete logarithm relatively fast.

Of course, the speed of the algorithms described is relative. On average, it takes a (too) long time to solve the DLP. But there will always be instances for which some algorithm finishes exceptionally fast. For instance, the finishing time of the Pollard ρ-algorithm depends on chance. Perhaps for some lucky shot, it produces a discrete logarithm in reasonable time.

Furthermore, computers get faster every day. The time an algorithm needs to finish depends on the speed of computer calculations. Therefore, algorithms become faster. So the lower limit for order and exponent needs to be increased regularly.


3 Elliptic Curves

3.1 Elliptic curves as sets

Let K be a field, and K̄ its algebraic closure. An elliptic curve E ⊂ P^2(K̄) is a non-singular, projective curve given by an (affine) equation of the form

y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 (4)

with all a_i ∈ K̄. An equation of this form is called a Weierstrass equation. The numbering of the coefficients follows most (perhaps all) textbooks on elliptic curves, like [7] or [13]. We will sometimes write E/K if we want to stress the field K.

When the characteristic of K does not equal 2 or 3, we can rewrite the Weierstrass equation to

y^2 = x^3 + Ax + B,

with A, B ∈ K̄ (see Section III.1 of [13]). Most of the time we will work in fields of characteristic unequal to 2 and 3, and this notation is a lot more convenient to work with.

Although we represent an elliptic curve by an affine equation, we must not forget that it is a projective curve. It always has exactly one point on the line at infinity, which is O = [0 : 1 : 0]. This point plays an important role, as we will see in Section 3.2.

Checking whether or not a curve defined by a Weierstrass equation is non-singular comes down to computing the discriminant ∆, which equals −16(4A^3 + 27B^2) when char(K) ≠ 2, 3. According to Proposition III.1.4 of [13], the curve is non-singular iff ∆ ≠ 0.

Suppose that all coefficients in equation (4) are in K ⊂ K̄. We then say that the curve is defined over K, and write E/K. When E is defined over K, we define E(K) to be the set of K-rational points of E. That is, the subset of E consisting of points with coordinates in K. Hence E(K) ⊂ P^2(K).

3.2 The group structure of an elliptic curve

Although it is not obvious, we can define an abelian group structure on elliptic curves. For this, we use Bezout’s Theorem, which forces a projective line to intersect a projective cubic in three points, counted with multiplicity.

Now let E/K be an elliptic curve, and let P, Q be points on E. From Bezout’s Theorem, the line through P and Q will intersect E in another point R (not necessarily different from P or Q). The line through this R and O = [0 : 1 : 0] will also intersect E in another point, and we will define P + Q to be this point. When two points coincide somewhere in the construction, we use the tangent line through that point instead of the line through two points. Now E will be a group under this operation, with identity element O. For a proof of this claim, see Theorem 3.1.2 of [7], or Proposition III.3.4 of [13].

If E is defined over K ⊂ K̄, then the group law described above is preserved on E(K). This is true, since when a line intersects E/K in two points of E(K), then the third point will also be in E(K). This is easy to see, because finding intersection points of a line and a cubic over K comes down to finding zeros of a cubic polynomial in K. Since two zeros are in K, the third one must be too. Hence, if P, Q ∈ E(K), then P + Q ∈ E(K).

This geometrical definition of the group law on E is not useful when we want to perform computations. Therefore, we give formulas for this addition.


Theorem 3.2.1 (Inverse elements on elliptic curves). Let E be the elliptic curve defined by y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6. Let P = (x_P, y_P). Then −P = (x_P, −y_P − a_1 x_P − a_3).

Theorem 3.2.2 (Addition formulas on elliptic curves). Again let E be the elliptic curve defined by y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6. Let P = (x_P, y_P) and Q = (x_Q, y_Q). If Q = −P, then P + Q = O. Otherwise define

$$\lambda = \frac{y_Q - y_P}{x_Q - x_P}, \qquad \upsilon = \frac{y_P x_Q - y_Q x_P}{x_Q - x_P} \qquad \text{if } x_P \neq x_Q$$

$$\lambda = \frac{3x_P^2 + 2a_2 x_P + a_4 - a_1 y_P}{2y_P + a_1 x_P + a_3}, \qquad \upsilon = \frac{-x_P^3 + a_4 x_P + 2a_6 - a_3 y_P}{2y_P + a_1 x_P + a_3} \qquad \text{if } x_P = x_Q$$

Then x_{P+Q} = λ^2 + a_1 λ − a_2 − x_P − x_Q and y_{P+Q} = −(λ + a_1)x_{P+Q} − υ − a_3.

Proof. See Theorem III.2.3 of [13] or Theorem 2.3.13 of [17].

Of course, when we work in characteristic other than 2 and 3, these formulas can be simplified. We state these formulas in the following Corollary.

Corollary 3.2.3. If char(K) ≠ 2, 3 and E : y^2 = x^3 + Ax + B, and the points P and Q are given, then −P = (x_P, −y_P). Furthermore, if Q = −P, then P + Q = O. Otherwise, define

$$\lambda = \frac{y_Q - y_P}{x_Q - x_P}, \qquad \upsilon = \frac{y_P x_Q - y_Q x_P}{x_Q - x_P} \qquad \text{if } x_P \neq x_Q$$

$$\lambda = \frac{3x_P^2 + A}{2y_P}, \qquad \upsilon = \frac{-x_P^3 + A x_P + 2B}{2y_P} \qquad \text{if } x_P = x_Q$$

Then x_{P+Q} = λ^2 − x_P − x_Q and y_{P+Q} = −λ x_{P+Q} − υ.

Example. Define E/C : y^2 = x^3 + 2x + 4. It is non-singular, since ∆ ≠ 0. It is not hard to see that P = (2, 4) and Q = (0, 2) are points on E. When we want to add P and Q, then λ = 1 and υ = 2, hence P + Q = (−1, −1), and this point lies indeed on E. Now we will compute P + P. Then λ = 7/4 and υ = 1/2, and a simple calculation tells us that P + P = (−15/16, 73/64).

Definition. Let E/K be an elliptic curve. For m ∈ Z, we define a map [m] : E → E as follows:

$$[m]P = \begin{cases} P + \ldots + P \ (m \text{ times}) & \text{if } m > 0 \\ O & \text{if } m = 0 \\ (-P) + \ldots + (-P) \ (-m \text{ times}) & \text{if } m < 0 \end{cases}$$

This map is an example of an isogeny. An isogeny is a non-constant morphism between elliptic curves that maps O to O. One can show that an isogeny is always a group homomorphism (Theorem III.4.8 of [13]).

3.3 Torsion groups on elliptic curves

In this Section we define the torsion groups of an elliptic curve. It turns out that they play an important role in the theory.

Definition. Let E be an elliptic curve, and m ∈ Z, then we denote the m-torsion group of E by E[m], that is E[m] = {P ∈ E(K̄) | [m]P = O}.


Note that E[m] is always the m-torsion group of E(K̄), even if E is defined over K. The m-torsion group of E(K) could be a proper subgroup. The next Theorem gives us the structure of E[m].

Theorem 3.3.1. Let E/K be an elliptic curve, and m ∈ Z \ {0}.

1. If char(K) = 0, or gcd(char(K), m) = 1, then E[m] ≅ (Z/mZ) × (Z/mZ).

2. If char(K) = p, then either E[p^e] ≅ Z/p^eZ or E[p^e] ≅ {O} for every e.

Proof. See Corollary III.6.4 of [13].

3.4 The Weil-pairing

In this Section we assume that gcd(char(K), m) = 1. Then we can define a pairing from E[m] × E[m] onto µ_m(K̄), the m-th roots of unity of K̄. This so-called Weil-pairing will be essential for the MOV-algorithm that we will encounter in Section 4.3. But first, we need a result on divisors on elliptic curves (see Section A.2 for a definition of a divisor, and some elementary facts about them).

Proposition 3.4.1. Let E be an elliptic curve, and D = ∑_{P∈E} n_P P a divisor on E. Then D is principal if and only if deg(D) = 0 and ∑_{P∈E} [n_P]P = O.

Proof. See Corollary III.3.5 of [13].

Now, if P ∈ E[m], then it is clear from this Proposition that D = mP − mO is a principal divisor, hence D = div(f_P) for some f_P ∈ K̄(E)^*.

Definition. Let E be an elliptic curve. We define the Weil-pairings to be the functions e_m : E[m] × E[m] → K̄ given by

$$e_m(P, Q) = \frac{f_P(Q + S)}{f_P(S)} \Big/ \frac{f_Q(P - S)}{f_Q(-S)},$$

where div(f_P) = mP − mO, div(f_Q) = mQ − mO and S ∈ E \ {O, P, −Q, P − Q}.

This definition does not depend on the chosen f_P and f_Q by Lemma A.2.1. Now if we fix P and Q, we can view e_m as a function on E, which we call F. Then

$$\begin{aligned} \operatorname{div}(F(S)) &= \operatorname{div}(f_P(Q+S)) - \operatorname{div}(f_P(S)) - \operatorname{div}(f_Q(P-S)) + \operatorname{div}(f_Q(-S)) \\ &= m(P-Q) - m(-Q) - mP + mO - m(P-Q) + m(P) + m(-Q) - mO \\ &= 0 \end{aligned}$$

But then by Lemma A.2.1, F is constant. Hence we have shown that e_m does not depend on S.

Theorem 3.4.2. The Weil-pairings e_m satisfy the following properties:

1. e_m(P, Q)^m = 1 for all P, Q ∈ E[m] (hence e_m maps to µ_m(K̄)).

2. e_m(P_1 + P_2, Q) = e_m(P_1, Q)e_m(P_2, Q) and e_m(P, Q_1 + Q_2) = e_m(P, Q_1)e_m(P, Q_2) (hence e_m is bilinear).

3. e_m(P, P) = 1, and e_m(P, Q) = e_m(Q, P)^{−1} (hence e_m is alternating).

4. If e_m(P, Q) = 1 for all Q ∈ E[m], then P = O (hence e_m is non-degenerate).

5. There exist points P, Q ∈ E[m], such that e_m(P, Q) is a primitive root of unity (hence e_m is surjective onto µ_m(K̄)).


6. If P, Q ∈ E[m](K), then e_m(P, Q) ∈ µ_m(K).

Proof. See Section III.8 of [13].

Determining the Weil-pairing of two points in some torsion group can be done efficiently. An algorithm for this purpose is discussed in Section 5.8.4 of [6].

3.5 Elliptic curves over finite fields

In the rest of this Chapter, we will consider elliptic curves E over finite fields F_q, where q is a power of some prime p. It is clear that E(F_q) can only have a finite number of points. This is a useful fact when we use computers.

Finding out the number of points on the curve is an important issue in the theory of elliptic curves over finite fields. In Section 3.7, we will discuss an algorithm by Schoof, that gives us the number of points in polynomial time. This algorithm uses the fact that there is a famous upper bound on the number of points, which we will state in this Section.

Definition. Given an elliptic curve E/F_q, the number t_{E/F_q} := q + 1 − #E(F_q) is called its trace of Frobenius.

Theorem 3.5.1 (Hasse-Weil bound). Let E/Fq be an elliptic curve, then

|t_{E/F_q}| ≤ 2√q.

Proof. See Theorem V.1.1 of [13].

As the name suggests, the number t_{E/F_q} is closely related to the q-th-power Frobenius map φ_q : E(F̄_q) → E(F̄_q), given by φ_q(x, y) = (x^q, y^q) (when the field F_q is clear from the context, we usually write φ instead of φ_q). This map is an isogeny, and it is the identity map on E(F_q). It is also easy to see that φ commutes with the maps [m] for m ∈ Z.

It turns out that the Frobenius map on E satisfies the relation

φ^2(P) − [q + 1 − #E(F_q)]φ(P) + [q]P = O (5)

for all P ∈ E(F̄_q). An elaborate proof of this is found on pages 134-136 of [13]. For this reason, the number t_{E/F_q} = q + 1 − #E(F_q) is referred to as the trace of Frobenius.

3.6 Division polynomials and a formula for [m]

In this Section, we will state recursive formulas for the isogenies [m], with m ∈ Z. With these formulas, we will be able to do calculations on elliptic curves much faster than with the formulas stated in Section 3.2. We will first define the division polynomials on elliptic curves.

Definition. Given an elliptic curve E : y^2 = x^3 + Ax + B over a field of characteristic unequal to 2 and 3, its division polynomials are given by:

Ψ_0 = 0
Ψ_1 = 1
Ψ_2 = 2y
Ψ_3 = 3x^4 + 6Ax^2 + 12Bx − A^2
Ψ_4 = 2y(2x^6 + 10Ax^4 + 40Bx^3 − 10A^2x^2 − 8ABx − 16B^2 − 2A^3)


And continuing recursively by

$$\Psi_{2n+1} = \Psi_{n+2}\Psi_n^3 - \Psi_{n-1}\Psi_{n+1}^3$$

$$\Psi_{2n} = \frac{\Psi_n}{2y}\left(\Psi_{n+2}\Psi_{n-1}^2 - \Psi_{n-2}\Psi_{n+1}^2\right)$$

These polynomials seem to be very mysterious at first sight. They follow from the theory of elliptic functions on C, where elliptic curves themselves find their origin. Giving the background story on division polynomials requires treating a lot of technical theory on elliptic functions, and we do not need this for the rest of the thesis. For the sake of readability, we leave this matter out, and refer the interested reader to Chapter 2 of [9] for an elaborate discussion on this subject.

The polynomials Ψ_n have some interesting properties. We now state two of these properties that we need later.

Proposition 3.6.1. If n is odd, Ψ_n is a polynomial in x.

Proposition 3.6.2. P ∈ E[n] \ {O} iff Ψ_n(P) = 0.

We are now able to give formulas for [m]. The isogenies [0] and [1] are trivial. For m ≥ 2, we use the following Theorem.

Theorem 3.6.3. Let E : y^2 = x^3 + Ax + B be an elliptic curve over a field of characteristic unequal to 2 or 3. Then for m ≥ 2

$$[m](x, y) = (\varphi_1(x, y), \varphi_2(x, y)) = \left(x - \frac{\Psi_{m-1}\Psi_{m+1}}{\Psi_m^2},\ \frac{\Psi_{m+2}\Psi_{m-1}^2 - \Psi_{m-2}\Psi_{m+1}^2}{4y\Psi_m^3}\right)$$

(with Ψ_i we mean Ψ_i(x, y)). The functions ϕ_1 and ϕ_2/y are functions in x.

Proof. Theorem 2.1 of [9] or Theorem 9.5 of [15].

3.7 Schoof’s algorithm

We will now discuss a polynomial time algorithm by Schoof for computing the trace of Frobenius t_{E/F_q} on an elliptic curve E : y^2 = x^3 + Ax + B over a finite field of characteristic p ≠ 2, 3. This number also gives us the number of points on E. The algorithm was introduced by René Schoof in an article in 1985 [12]. The reasoning presented in this thesis is based on [11].

The algorithm makes clever use of the Hasse-Weil bound (Theorem 3.5.1). The idea is that we compute t = t_{E/F_q} by determining t mod ℓ_i for a number of primes ℓ_i ≠ 2, p, and use the Chinese remainder theorem to fit it all together. If we make sure that ∏_i ℓ_i ≥ 4√q, then t_{E/F_q} is uniquely determined, by the Hasse-Weil bound |t_{E/F_q}| < 2√q.

In order to use this trick, we have to find out t mod ℓ, for a number of primes ℓ unequal to 2 and p. For this, we use the characteristic equation of the Frobenius map: φ^2(P) − [t]φ(P) + [q]P = O for all P ∈ E (equation (5) in Section 3.5).

This identity will also hold for all P ∈ E[ℓ]. If we set t̄ ≡ t (mod ℓ) and q̄ ≡ q (mod ℓ), then [t]φ(P) = φ([t]P) = φ([t̄]P) = [t̄]φ(P) and [q]P = [q̄]P for all P ∈ E[ℓ]. Hence on E[ℓ], we also have the identity

φ^2(P) − [t̄]φ(P) + [q̄]P = O mod ℓ. (6)

Therefore, our goal is to find t̄ = t mod ℓ, such that φ^2(P) + [q̄]P = [t̄]φ(P) for all P ∈ E[ℓ] \ {O}.

We will first perform the addition on the left side of the equation. This addition causes some problems, since we do not know whether or not φ^2(P) = ±[q](P)


for arbitrary P ∈ E[ℓ] \ {O}. For now we assume that there is a P such that φ^2(P) ≠ ±[q](P). If the assumption is wrong, we will run into trouble, but we will solve this problem later.

Write [m](P) = (x_m, y_m) for m ∈ Z, and φ^2(P) + [q]P = (x', y'). For now, we will only compute x', and worry about y' later.

$$x' = \left(\frac{y^{q^2} - y_q}{x^{q^2} - x_q}\right)^2 - x^{q^2} - x_q.$$

Using division polynomials Ψ_i of Section 3.6, we could write down this formula more explicitly.

From Theorem 3.6.3 we know that y_q is a function in x, multiplied with y. More mathematically y_q = yϕ(x) for some function ϕ. Hence

$$(y^{q^2} - y_q)^2 = y^2\left(y^{q^2-1} - \phi(x)\right)^2,$$

thus x' is a rational function in x, since y^2 = x^3 + Ax + B, and q is odd. Note that x' is fixed. Now, we will have to find a t ∈ Z/ℓZ, such that

x' = (x_t)^q,

or equivalently

x̃ := x' − (x_t)^q = 0 (7)

The function x̃ is rational in x, since (x_t)^q is rational in x by Theorem 3.6.3. So we can write x̃ = n_{x,t}(x)/d_{x,t}(x).

If (7) has a solution t, then −t will also give a solution, since [t]P and [−t]P have the same x-coordinate. We will discuss how to pick the right solution of (7), that also satisfies (6), but first we will explain how we can find a solution in the first place (if it exists).

We started out with an arbitrary point P = (x, y) ∈ E[ℓ] \ {O}. Now since ℓ is odd, by Proposition 3.6.1 Ψ_ℓ is a polynomial in x, and by Proposition 3.6.2 we know that Ψ_ℓ(x) = 0. But, assuming there is a t satisfying (7), also x̃(x) = 0, hence n_{x,t}(x) = 0. Since both Ψ_ℓ and n_{x,t} are polynomials, we conclude that they have a common factor. In other words, if there is a t satisfying (7), then gcd(Ψ_ℓ, n_{x,t}) ≠ 1.

Guided by this idea, we check for all 0 ≤ t < (ℓ − 1)/2 whether

gcd(Ψ_ℓ, n_{x,t}) ≠ 1 (8)

Once this inequality holds for some t, we conclude t and −t satisfy (7). Hence

φ^2(P) + [q]P = ±[t]φ(P) = [±t]φ(P)

for some P ∈ E[ℓ] \ {O}, and therefore on all of E[ℓ].

Now the function y' comes into play. If t satisfies (6) for P = (x, y), then ỹ := y' − (y_t)^q = 0. By Theorem 3.6.3, ỹ/y is a rational function in x, so we can write ỹ/y = n_{y,t}(x)/d_{y,t}(x). By the same argument as before, gcd(Ψ_ℓ, n_{y,t}) ≠ 1. So, to find out whether we need t or −t, we determine gcd(Ψ_ℓ, n_{y,t}). If it is 1, we conclude t̄ ≡ −t mod ℓ, otherwise t̄ ≡ t mod ℓ.

The argument above fails if φ^2(P) = ±[q](P) for all P ∈ E[ℓ] \ {O}. In that case the equation (7) has no solutions. We will now solve this problem.

Assume that there is a P such that φ^2(P) = [q](P). This assumption could again be wrong, but as we will see later, that will not be a problem. If φ^2(P) = [q](P), then automatically t ≢ 0 mod ℓ, since (6) then gives [t]φ(P) = [2q]P. From (6)


we can then also derive [t^2 q]P = ([t]φ)^2(P), hence [t^2 q]P = [(2q)^2]P. Thus q is a square in Z/ℓZ, so q ≡ s^2 mod ℓ for some s.

But then t = ±2s, since [t^2]P = [4q]P. How can we determine which one satisfies our needs? We know [2s^2]P = [t]φ(P) = [±2s]φ(P), hence [±s]P = φ(P). So whether we need t = 2s or t = −2s depends on y_s. If it equals y^q, then we need the first, otherwise it is the second.

If it turns out that q is not a square mod ℓ, then the assumption φ^2(P) = [q](P) was wrong. In that case φ^2(P) = −[q](P), and it is then immediately clear that t ≡ 0 mod ℓ.

However, it is possible that φ^2(P) = −[q](P) and that q is a square. In that case φ(P) ≠ [s]P, or x̃ := x^q − x_s = n_{x,s}/d_{x,s} ≠ 0. This is checked in the same way as above, by determining gcd(Ψ_ℓ, n_{x,s}). If it is 1, we also know t ≡ 0 mod ℓ. We also define n_{y,s} to be the numerator of ỹ = (y^q − y_s)/y.

We will now combine this theory into Schoof’s algorithm for determining the trace of Frobenius on an elliptic curve over F_q:

1. Determine a collection of primes ℓ_i, unequal to 2 and p, such that ∏_i ℓ_i ≥ 4√q.

2. Determine the division polynomials Ψ_j up to j = max(ℓ_i) + 2.

3. For each ℓ_i determined in step 1, compute t_i ≡ t mod ℓ as follows:

(a) Determine q̄ ≡ q mod ℓ, and x' as above.

(b) For 0 ≤ t ≤ (ℓ − 1)/2, compute n_{x,t} as described above, and determine gcd(Ψ_ℓ, n_{x,t}). If it is 1 for all t, go to step d. Otherwise, pick the t for which the gcd is not 1, and continue with step c.

(c) Determine n_{y,t} as above and compute gcd(Ψ_ℓ, n_{y,t}). If it equals 1, set t_i ≡ t mod ℓ, otherwise set t_i ≡ −t mod ℓ.

(d) Find a square root of q̄ in Z/ℓZ. If none exists, set t_i ≡ 0 mod ℓ. If they do exist, pick one, call it s and continue with step e.

(e) Determine n_{x,s} and compute gcd(Ψ_ℓ, n_{x,s}). If it is 1, set t_i ≡ 0 mod ℓ, otherwise continue to step f.

(f) Determine n_{y,s} and compute gcd(Ψ_ℓ, n_{y,s}). If it is 1, set t_i ≡ −2s mod ℓ. Otherwise t_i ≡ 2s mod ℓ.

4. Use the Chinese remainder theorem to find the unique t with |t| < 2√q that solves t ≡ t_i mod ℓ_i for all i. This is the trace of Frobenius t_{E/F_q}, and we derive #E(F_q) = q + 1 − t.

Theorem 3.7.1 (Schoof’s algorithm). Given an elliptic curve E defined over F_q, Schoof’s algorithm described above will find the trace of Frobenius in polynomial time.

Proof. That Schoof’s algorithm does what it is supposed to do is clear from the discussion above. For an analysis of the running time, we refer to Schoof’s article [12].

3.8 Supersingular elliptic curves

In this Section, we will treat supersingular elliptic curves, which form a special class of elliptic curves over finite fields. In Chapter 4 we will see that it is a bad idea to use a supersingular elliptic curve for cryptographic purposes. Here, we will examine some properties of this special class.


Definition. Let F_q be a finite field of characteristic p. An elliptic curve E(F_q) is called supersingular if p divides t_{E/F_q} (the trace of Frobenius).

At this point, we have to be careful with this definition. When an elliptic curve E is defined over F_q, it might be possible that E(F_q) is supersingular, but that this property is lost when we consider E on some extension field. Fortunately, this cannot happen by the following Lemma.

Lemma 3.8.1. If E(F_q) is supersingular, then for all k ≥ 0, the elliptic curve E(F_{q^k}) is also supersingular.

Proof. Lemma 3.4.2 of [17].

So, instead of saying that E(F_q) is supersingular, we can just say that E/F_q is. When we want to check for supersingularity, we can of course compute the trace of Frobenius of E(F_q) with Schoof’s algorithm and determine if it is divisible by p. The next Lemma gives another way of determining whether some curve is supersingular or not.

Lemma 3.8.2. Let char(F_q) ≠ 2, 3, and f(x) = x^3 + Ax + B. Let E/F_q be given by the equation y^2 = f(x). Then E is supersingular if and only if the coefficient of x^{p−1} in the polynomial f^{(p−1)/2} is 0.

Proof. Theorem 4.1 of [13] or Proposition 3.4.3 of [17].

We will now state a deep result of Waterhouse, that gives a condition for when there exists an elliptic curve with a given trace of Frobenius.

Theorem 3.8.3 (Waterhouse). Let p > 3 be a prime number, and t, k ∈ N such that |t| ≤ 2√(p^k). Then there exists an elliptic curve E/F_{p^k} with t as its trace of Frobenius, if and only if one of the following conditions holds:

1. gcd(t, p) = 1.

2. t = ±2√(p^k) and k is even.

3. t = ±√(p^k), k is even and p ≢ 1 mod 3.

4. t = 0 and k is odd.

5. t = 0, k is even and p ≢ 1 mod 4.

Proof. Theorem 4.1 of [16].

Note that in the cases 2 to 4 of this Theorem, the curve is supersingular. From this Theorem we can thus conclude that if an elliptic curve over F_q is supersingular, the number of possibilities for the trace of Frobenius is very limited.
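The trace of Frobenius and the Hasse-Weil bound of Section 3.5, together with the two supersingularity tests of Section 3.8 (p | t by definition versus the coefficient criterion of Lemma 3.8.2), as an added Python example that is not from the thesis. It counts points by brute force, so it only applies to small primes p > 3 and q = p; the curves in the tests are constructed examples.

```python
def is_nonsingular(p, A, B):
    """Discriminant check for y^2 = x^3 + A x + B over F_p: 4A^3 + 27B^2 != 0."""
    return (4 * A ** 3 + 27 * B ** 2) % p != 0


def count_points(p, A, B):
    """#E(F_p) by brute force: O plus, for every x, the number of y with y^2 = f(x)."""
    total = 1                                  # the point at infinity
    for x in range(p):
        fx = (x ** 3 + A * x + B) % p
        if fx == 0:
            total += 1                         # y = 0: one point
        elif pow(fx, (p - 1) // 2, p) == 1:    # Euler's criterion: f(x) is a square
            total += 2                         # y = +-sqrt(f(x)): two points
    return total


def trace_of_frobenius(p, A, B):
    """t_{E/F_p} = p + 1 - #E(F_p)."""
    return p + 1 - count_points(p, A, B)


def satisfies_hasse(p, A, B):
    """Hasse-Weil: |t| <= 2 sqrt(p), checked as t^2 <= 4p to stay in integers."""
    t = trace_of_frobenius(p, A, B)
    return t * t <= 4 * p


def is_supersingular(p, A, B):
    """The definition: E is supersingular iff p divides the trace of Frobenius."""
    return trace_of_frobenius(p, A, B) % p == 0


def poly_mul_mod(a, b, p):
    """Product of two polynomials over F_p (coefficient lists, lowest degree first)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[i + j] = (out[i + j] + ai * bj) % p
    return out


def hasse_invariant_is_zero(p, A, B):
    """Lemma 3.8.2: is the coefficient of x^{p-1} in f(x)^{(p-1)/2} zero, f = x^3 + A x + B?"""
    power, base, e = [1], [B % p, A % p, 0, 1], (p - 1) // 2
    while e:                                   # square-and-multiply on polynomials
        if e & 1:
            power = poly_mul_mod(power, base, p)
        base = poly_mul_mod(base, base, p)
        e >>= 1
    coeff = power[p - 1] if p - 1 < len(power) else 0
    return coeff == 0


if __name__ == "__main__":
    # constructed curves: y^2 = x^3 + x is supersingular over F_23 (23 = 3 mod 4), not over F_97
    for (p, A, B) in [(23, 1, 0), (23, 2, 4), (97, 1, 0)]:
        t = trace_of_frobenius(p, A, B)
        print(p, A, B, "#E =", count_points(p, A, B), "t =", t,
              "supersingular:", is_supersingular(p, A, B), hasse_invariant_is_zero(p, A, B))
```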


4 Elliptic Curve Cryptography

In Chapter 2 we have introduced Diffie-Hellman key exchange, and the ElGamal cryptosystem as examples of PKC’s. To define these systems, we have used the groups F_p^*. It is not hard to imagine that we also could have used other finite abelian groups. In this Section, we will examine how Diffie-Hellman key exchange and the ElGamal cryptosystem work, when we use an elliptic curve. We will only consider elliptic curves over finite fields of characteristic bigger than 3.

4.1 Diffie-Hellman and ElGamal over elliptic curve groups

We start with the translation of the Diffie-Hellman key exchange from Section 2.4 to elliptic curves. Alice and Bob want to exchange an encryption key for some symmetric encryption scheme. To do this safely, they choose an elliptic curve E/F_q, and they pick a point P ∈ E(F_q) of order n. Alice then picks 1 < a < n and computes A = [a]P. Her number a remains secret, and A is made public. Bob also picks some secret number 1 < b < n, and determines a public point B = [b]P. Now both Alice and Bob can determine K = [b]A = [a]B, and they use this point (in practice, a hash of its x-coordinate) as encryption key.

Adjusting the ElGamal cryptosystem is also not too hard. Alice and Bob wishto communicate. They first settle on an elliptic curve E/Fq, and pick some point Pon this curve of order n. Alice picks her secret key 1 < a < n, and determines thepublic key A = [a]P . Bob has a message M ∈ E(Fq). He then chooses 1 < k < n,and computes C1 = [k]P and C2 = M + [k]A. He sends (C1, C2) to Alice. She canretrieve the message by computing

$$C_2 - [a]C_1 = M + [k]A - [a][k]P = M + [k][a]P - [a][k]P = M.$$
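The two protocols above, as an added Python example (not code from the thesis): the group law on E(F_p) in affine coordinates, Diffie-Hellman, and ElGamal, run on the thesis' curve y^2 = x^3 + 1 over F_2069 with P = (11, 411), which Section 4.4 computes to have order 138. The secret scalars are constructed for the example. The on_curve check is the caveat a practitioner wants: a public point must be verified to lie on E before it is multiplied by a secret, otherwise an attacker can hand over a point on a different, weaker curve (an invalid-curve attack).

```python
# Added example (not part of the thesis): Diffie-Hellman key exchange and ElGamal
# encryption on E(F_p), p > 3, for E: y^2 = x^3 + A x + B. Parameters are the
# thesis' curve y^2 = x^3 + 1 over F_2069 and base point P = (11, 411), which the
# thesis computes to have order n = 138; the secrets used in main() are constructed.
# The point at infinity O is represented by None.

p, A, B = 2069, 0, 1
P = (11, 411)
n = 138


def on_curve(pt):
    """Reject off-curve points before using them as public keys (invalid-curve check)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % p == 0


def ec_neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % p)


def ec_add(P1, P2):
    """Chord-and-tangent group law in affine coordinates."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                  # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, pt):
    """[k]pt by double-and-add, k >= 0."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def dh_shared_keys(a, b):
    """Alice holds a, Bob holds b; each derives K = [ab]P from the other's public point."""
    A_pub, B_pub = ec_mul(a, P), ec_mul(b, P)
    assert on_curve(A_pub) and on_curve(B_pub)
    return ec_mul(b, A_pub), ec_mul(a, B_pub)


def elgamal_encrypt(A_pub, M, k):
    """Bob encrypts M in E(F_p) under Alice's public key A_pub with ephemeral k."""
    assert on_curve(A_pub) and on_curve(M)
    return ec_mul(k, P), ec_add(M, ec_mul(k, A_pub))


def elgamal_decrypt(a, C1, C2):
    """Alice recovers M = C2 - [a]C1 = M + [k]A - [a][k]P."""
    return ec_add(C2, ec_neg(ec_mul(a, C1)))


if __name__ == "__main__":
    K_bob, K_alice = dh_shared_keys(57, 101)
    print("shared key:", K_bob, K_bob == K_alice)
    M = ec_mul(77, P)                                # a message encoded as a point
    C1, C2 = elgamal_encrypt(ec_mul(57, P), M, 91)
    print("decrypted correctly:", elgamal_decrypt(57, C1, C2) == M)
```

A fresh ephemeral k must be used for every ElGamal message: reusing k across two messages M, M' reveals M − M' from the difference of the second ciphertext components, exactly as in the F_p^* version.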

4.2 Security of PKC’s based on elliptic curves

Like before, it is clear that if someone can solve arbitrary discrete logarithm prob-lems on elliptic curve groups in reasonable time, he can easily crack Diffie-Hellmanand ElGamal defined over elliptic curve groups.

The algorithms of Section 2.5 apply to elliptic curve groups as well, but thesealgorithms have exponential running time. For groups F∗p, there exists an algorithmbased on index calculus, that has only subexponential running time. According to[8], it is not known whether elliptic curve groups also allow something like indexcalculus. Hence, at this time, for arbitrary elliptic curves, the best known generalalgorithm takes exponential time.

However, we still have to be careful. There do exist some algorithms, that solvethe DLP rather fast for special elliptic curves. Hence, in order to keep communica-tion secure, we have to stay away from these special cases.

An example of this is the SSSA-algorithm (due to Semaev, Smart, and Satoh and Araki). When an elliptic curve over F_q consists of exactly q points, i.e. #E(F_q) = q, this algorithm solves a DLP on the group defined by E in polynomial time. Such elliptic curves are called anomalous. We do not treat this algorithm in this thesis, but we refer to [17] for a detailed explanation of the SSSA-algorithm when q is a prime number.

Another algorithm that speeds up solving the DLP on certain elliptic curves is the MOV-algorithm. Its running time is subexponential when the elliptic curve on which we work is supersingular: the reduction itself takes polynomial time, and the DLP it produces lives in a small extension of F_q, where index calculus applies. In the next Section, we thoroughly examine this algorithm.

The discoveries of these algorithms have shown that we have to be careful in choosing elliptic curves for cryptographic purposes. We should consider neither anomalous nor supersingular elliptic curves. According to [8], these are until now the only known dangerous classes of elliptic curves when it comes to cryptography. More generally, the MOV reduction is a threat for any curve for which the smallest l with n | q^l − 1 (the embedding degree of the subgroup of order n) is small; supersingular curves are the most important family with this property, and in practice one checks this l directly when selecting a curve.


4.3 The MOV-algorithm

In this Section, we describe the MOV-algorithm, that speeds up solving the DLPon supersingular elliptic curves. It was first introduced by Menezes, Okamoto andVanstone in an article in 1991 (See [10]). Their idea was to translate the DLP on anelliptic curve group to a DLP on F∗q using the Weil-pairing. We will now describethis technique in detail.

Suppose an elliptic curve E/Fq, and a point P ∈ E(Fq) of order n are givenwith gcd(n, p) = 1. Furthermore assume that the identity [k]P = Q holds in E(Fq)for some k and Q. Our mission is to determine k.

Recall the Weil pairing $e_n : E[n] \times E[n] \to \mu_n(\bar{\mathbb{F}}_q)$ satisfying the properties of Theorem 3.4.2. The MOV-algorithm is based on the following Lemma:

Lemma 4.3.1. Let P ∈ E(F_q) be a point of order n, let Q ∈ ⟨P⟩, and let R ∈ E[n] be such that $e_n(P, R)$ is a primitive n-th root of unity in $\mu_n(\bar{\mathbb{F}}_q)$. Then the identity [k]P = Q holds in E(F_q) if and only if $e_n(P, R)^k = e_n(Q, R)$.

Proof. The map $[x]P \mapsto e_n([x]P, R) = e_n(P, R)^x$ is a homomorphism from ⟨P⟩ to $\mu_n(\bar{\mathbb{F}}_q)$, and it is bijective because the order of P equals the order of $e_n(P, R)$, since $e_n(P, R)$ is primitive. Hence [k]P = Q iff $e_n(P, R)^k = e_n([k]P, R) = e_n(Q, R)$.

Using this Lemma, we can translate our DLP on E(F_q) to a DLP in $\mu_n(\bar{\mathbb{F}}_q) \subset \bar{\mathbb{F}}_q^*$. If the order of P ∈ E is n and [k]P = Q for some k, then we first search for an R ∈ E[n] such that $e_n(P, R)$ is a primitive n-th root of unity. Once we have found such a point, we compute $a = e_n(P, R)$ and $b = e_n(Q, R)$, and we get the DLP $a^k = b$ in $\mu_n(\bar{\mathbb{F}}_q)$. This DLP might be easier to solve.

The n-torsion group E[n] usually does not lie in E(F_q); it lives in $E(\bar{\mathbb{F}}_q)$. However, E[n] is a finite group, so there is an l ∈ N such that all coordinates of points in E[n] lie in $\mathbb{F}_{q^l}$. Hence $E[n] \subset E(\mathbb{F}_{q^l})$ for some l. By property 6 of Theorem 3.4.2, $e_n(E[n] \times E[n]) \subset \mu_n(\mathbb{F}_{q^l}) \subset \mathbb{F}_{q^l}^*$. Hence the induced DLP is one in the unit group of a finite field.

Given a point P of order n, and [k]P = Q, the MOV-algorithm now runs asfollows:

1. Determine l such that $E[n] \subset E(\mathbb{F}_{q^l})$.

2. Find R ∈ E[n] such that $a = e_n(P, R)$ is a primitive n-th root of unity in $\mu_n(\mathbb{F}_{q^l})$.

3. Determine $b = e_n(Q, R)$.

4. Solve the DLP $a^k = b$ in $\mathbb{F}_{q^l}^*$.

In order for the MOV-algorithm to be efficient, finding l and R should not be atime-expensive task, and l should be rather small. We will see that for supersingularcurves, this is the case.

Recall from Theorem 3.8.3 that if an elliptic curve (over a field of characteristic greater than 3) is supersingular, there are very few possibilities for the trace of Frobenius $t_{E/\mathbb{F}_q}$: only 0, $\pm\sqrt q$ and $\pm 2\sqrt q$ are possible. When $q = p^k$ with k odd, the trace of Frobenius is even fixed, since it must be 0.

It turns out that for supersingular elliptic curves, the determination of the number l such that $E[n] \subset E(\mathbb{F}_{q^l})$ is very easy once there is some point P of order n in E(F_q), since the number of cases we need to check is so limited. Furthermore, the number l turns out to be quite small. The possible l's are summarized in the following Proposition.


Proposition 4.3.2. Let F_q be a field of characteristic greater than 3, and let E/F_q be a supersingular elliptic curve. Suppose there exists a point P ∈ E(F_q) of order n. Then

1. $E[n] \subset E(\mathbb{F}_{q^2})$ if $t_{E/\mathbb{F}_q} = 0$.

2. $E[n] \subset E(\mathbb{F}_{q^3})$ if $t_{E/\mathbb{F}_q} = \pm\sqrt q$.

3. $E[n] \subset E(\mathbb{F}_q)$ if $t_{E/\mathbb{F}_q} = \pm 2\sqrt q$.

Proof. Suppose first that $t_{E/\mathbb{F}_q} = 0$. Since there is a point P ∈ E(F_q) of order n, we know that n | q + 1 (by definition of the trace of Frobenius, #E(F_q) = q + 1 − t). Hence q ≡ −1 mod n. Let R ∈ E[n] be an arbitrary point, i.e. a point of $E(\bar{\mathbb{F}}_q)$ of order dividing n. Then, by equation (5) of Section 3.5, which for t = 0 reads $\varphi_q^2 = -[q]$,
$$\varphi_{q^2}(R) = \varphi_q^2(R) = -[q]R = R.$$
Hence $R \in E(\mathbb{F}_{q^2})$, and since R was arbitrary, it holds that $E[n] \subset E(\mathbb{F}_{q^2})$.

Now suppose that $t_{E/\mathbb{F}_q} = \sqrt q$. Then $\varphi_q^2 = [\sqrt q]\varphi_q - [q]$, and therefore $\varphi_{q^3} = \varphi_q^3 = -[q\sqrt q]$ as endomorphisms of E, since for every point P
$$\varphi_{q^3}(P) = \varphi_q^3(P) = \varphi_q\bigl([\sqrt q]\varphi_q(P) - [q]P\bigr) = [\sqrt q]\bigl([\sqrt q]\varphi_q(P) - [q]P\bigr) - [q]\varphi_q(P) = -[q\sqrt q]P.$$
Now suppose there exists some point P ∈ E(F_q) of order n. Then $n \mid (q - \sqrt q + 1)$, so $q \equiv \sqrt q - 1 \pmod n$. Hence
$$q\sqrt q \equiv (\sqrt q - 1)\sqrt q \equiv q - \sqrt q \equiv -1 \pmod n.$$
Therefore, if R ∈ E[n] is an arbitrary point of order dividing n, it holds that $\varphi_{q^3}(R) = -[q\sqrt q]R = R$. So we conclude $E[n] \subset E(\mathbb{F}_{q^3})$. The case $t_{E/\mathbb{F}_q} = -\sqrt q$ is proved by a similar argument; there $\varphi_{q^3} = [q\sqrt q]$ and $q\sqrt q \equiv 1 \pmod n$.

Finally, suppose that $t_{E/\mathbb{F}_q} = 2\sqrt q$. Then $0 = \varphi_q^2 - [2\sqrt q]\varphi_q + [q] = (\varphi_q - [\sqrt q])^2$. Since End(E) has no zero divisors (see Section III.9 of [13]), we conclude that $\varphi_q = [\sqrt q]$. Now let P ∈ E(F_q) be a point of order n. As P is fixed by $\varphi_q$, we get $O = \varphi_q(P) - P = [\sqrt q - 1]P$, hence $n \mid \sqrt q - 1$, i.e. $\sqrt q \equiv 1 \pmod n$. (Note that $\#E(\mathbb{F}_q) = q - 2\sqrt q + 1 = (\sqrt q - 1)^2$ alone only gives $n \mid (\sqrt q - 1)^2$, which is weaker.) Now if R is an arbitrary point of order dividing n, then $\varphi_q(R) = [\sqrt q]R = R$, hence $E[n] \subset E(\mathbb{F}_q)$. Like before, the assertion for $t_{E/\mathbb{F}_q} = -2\sqrt q$ (where $\varphi_q = -[\sqrt q]$ and $\sqrt q \equiv -1 \pmod n$) is proved by a similar argument.

We also need the following Proposition.

Proposition 4.3.3. Let E/F_q be a supersingular elliptic curve, with F_q of characteristic greater than 3. Then

1. $[q + 1]P = O$ for all $P \in E(\mathbb{F}_{q^2})$, if $t_{E/\mathbb{F}_q} = 0$.

2. $[q\sqrt q \pm 1]P = O$ for all $P \in E(\mathbb{F}_{q^3})$, if $t_{E/\mathbb{F}_q} = \pm\sqrt q$.

3. $[\sqrt q \mp 1]P = O$ for all $P \in E(\mathbb{F}_q)$, if $t_{E/\mathbb{F}_q} = \pm 2\sqrt q$.

Proof. Suppose $t_{E/\mathbb{F}_q} = 0$ and $P \in E(\mathbb{F}_{q^2})$. Then
$$[q + 1]P = [q]P + P = -\varphi_q^2(P) + P = -\varphi_{q^2}(P) + P = -P + P = O.$$

Now suppose $t_{E/\mathbb{F}_q} = \sqrt q$ and $P \in E(\mathbb{F}_{q^3})$. Then
$$[q\sqrt q + 1]P = [q\sqrt q]P + P = -\varphi_{q^3}(P) + P = -P + P = O$$
(the second equality holds since $\varphi_{q^3} = -[q\sqrt q]$, as shown in the proof of Proposition 4.3.2). A similar argument proves the assertion for $t_{E/\mathbb{F}_q} = -\sqrt q$.

Finally suppose $t_{E/\mathbb{F}_q} = 2\sqrt q$ and $P \in E(\mathbb{F}_q)$. In the proof of the previous Proposition we have already concluded that in this case $\varphi_q = [\sqrt q]$. Hence
$$[\sqrt q - 1]P = \varphi_q(P) - P = P - P = O.$$
The case $t_{E/\mathbb{F}_q} = -2\sqrt q$ is proved in a similar manner.


When E/Fq is supersingular, and P ∈ E(Fq) is of order n, determining l suchthat E[n] ⊂ E(Fql) is no big deal. Furthermore, this l is not too big. So theonly thing we still have to worry about is finding an R ∈ E[n] such that en(P,R)is primitive. To solve this problem, we adjust the MOV-algorithm slightly forsupersingular elliptic curves as follows:

1. Determine the trace of Frobenius $t_{E/\mathbb{F}_q}$ (for example using Schoof's algorithm). Proceed only if E/F_q is supersingular.

2. Determine l such that $E[n] \subset E(\mathbb{F}_{q^l})$ and a number d for which [d]P = O for all $P \in E(\mathbb{F}_{q^l})$ (using Propositions 4.3.2 and 4.3.3).

3. Pick an arbitrary point $R \in E(\mathbb{F}_{q^l})$, and compute $\tilde R = [d/n]R$.

4. Compute $a = e_n(P, \tilde R)$ and $b = e_n(Q, \tilde R)$.

5. Solve the DLP $a^k = b$ in $\mathbb{F}_{q^l}^*$.

6. If [k]P ≠ Q, go back to step 3 and choose another point R.

In step 3, we use that n divides d. This is true since $P \in E(\mathbb{F}_{q^l})$ has order n, so n divides the exponent d. Furthermore, $[d/n]R$ lies in E[n], hence we can indeed apply the Weil pairing in step 4. If it happens that $e_n(P, \tilde R)$ is a primitive n-th root of unity, we already know that we are done after the fifth step. But it is of course possible that it is not a primitive root of unity, hence we really need to check whether we have solved our DLP.

The downside of this adjustment of the MOV-algorithm is that it is quite probable that we have to go through steps 3 to 6 multiple times. However, the expected number of loops until we find a primitive root of unity (and thus solve the DLP) is not too high. The chance that a random element of $\mu_n(\mathbb{F}_{q^l})$ is primitive equals φ(n)/n, hence we expect to try n/φ(n) random elements until we find a primitive one. According to [10] and [17], $n/\varphi(n) \le 6 \log\log n$ for n ≥ 5, so the expected number of loops is reasonable.

4.4 The MOV-algorithm in action

In this section we will play the role of Eve, and we will try to crack the secretmessage that Bob has sent to Alice. This way, we will see how the theory comes topractice.

We stress that the example is simplified. In reality, much larger fields are used,and the curves are more sophisticated, but we lack computer power and time tohandle these kinds of problems.

Even for our example, doing calculations by hand would be crazy. Therefore,we use the computer algebra system Sage [3]. The worksheets with the calculationsmade below are publicly available. See [14].

Suppose we have intercepted some messages that Bob and Alice have sent to each other. In these messages, they have agreed to use the ElGamal cryptosystem, based on the group defined by the elliptic curve $E : y^2 = x^3 + 1$ over $\mathbb{F}_{2069}$. Furthermore, they have selected a point P = (11, 411). A little while later, Alice publishes her public key: A = (104, 589). Bob replies with the message ((1329, 1741), (1836, 609)). We wonder what the original message is.

From Section 2.4 we know that if we solve the DLP (104, 589) = [k](11, 411), we can find out the message sent by Bob. Therefore, we use the MOV-algorithm. First we determine the trace of Frobenius. We find that $t_{E/\mathbb{F}_{2069}} = 0$; this is as expected, since $y^2 = x^3 + 1$ is supersingular whenever p ≡ 2 mod 3, and 2069 ≡ 2 mod 3. So luckily for us, Alice and Bob picked a supersingular elliptic curve.


Next, we determine the order of P = (11, 411). By definition of the trace of Frobenius we know that $\#E(\mathbb{F}_{2069}) = 2070 = 2 \cdot 3^2 \cdot 5 \cdot 23$. This limits the possibilities for the order. We find that [138](11, 411) = O and [m](11, 411) ≠ O for m = 2, 3, 6, 9, 18, 23, 46, 69 (it suffices to check m = 6, 46 and 69, that is, 138 divided by each of its prime factors). Hence the order of (11, 411) is 138.

From Proposition 4.3.2 we determine that $E[138] \subset E(\mathbb{F}_{2069^2})$, and from Proposition 4.3.3 that [2070]S = O for all $S \in E(\mathbb{F}_{2069^2})$. Note that we can only determine this so easily because E is supersingular.

The next step in the MOV-algorithm requires finding a point in $E(\mathbb{F}_{2069^2})$. We represent elements of $\mathbb{F}_{2069^2}$ as $a + b\alpha$, with $a, b \in \mathbb{F}_{2069}$ and α a root of the polynomial $x^2 + 2065x + 2 \in \mathbb{F}_{2069}[x]$. We quickly find $R_1 = (\alpha,\ 1876 + 193\alpha) \in E(\mathbb{F}_{2069^2})$. Then
$$\tilde R_1 = [2070/138]R_1 = [15]R_1 = (1920 + 332\alpha,\ 347 + 1143\alpha).$$
Now we use the Weil pairing:
$$a_1 = e_{138}(P, \tilde R_1) = 1073 + 1523\alpha, \qquad b_1 = e_{138}(A, \tilde R_1) = 1038 + 595\alpha.$$
Finally, we have to solve the DLP $(1073 + 1523\alpha)^k = 1038 + 595\alpha$ in $\mathbb{F}_{2069^2}^*$. This gives k = 64. However, since we are using the modified MOV-algorithm, we need to check whether this k also solves the original DLP in $E(\mathbb{F}_{2069})$. A simple calculation shows that [64](11, 411) = (1536, 1467) ≠ A. Apparently, $1073 + 1523\alpha$ is not a primitive 138-th root of unity. Indeed, $[69](1920 + 332\alpha,\ 347 + 1143\alpha) = O$, so the order of $\tilde R_1$ is not 138, and consequently $a_1^{69} = e_{138}(P, [69]\tilde R_1) = 1$. The DLP in $\mu_{138}$ therefore only determined k modulo 69.

Next, we try to find the right k using the point $R_2 = (1 + \alpha,\ 1468 + 76\alpha)$. Then
$$\tilde R_2 = [15](1 + \alpha,\ 1468 + 76\alpha) = (956 + 968\alpha,\ 1009 + 1228\alpha).$$
This gives
$$a_2 = e_{138}(P, \tilde R_2) = 66 + 241\alpha, \qquad b_2 = e_{138}(A, \tilde R_2) = 1464 + 2011\alpha.$$
Solving $(66 + 241\alpha)^k = 1464 + 2011\alpha$ in $\mathbb{F}_{2069^2}^*$ gives k = 133 (consistent with the first attempt, as 133 ≡ 64 mod 69). Furthermore, [133](11, 411) = (104, 589) = A, so we have solved the DLP. Finally we can discover Bob's message by computing (1836, 609) − [133](1329, 1741) = (200, 837).
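The reduction of Sections 4.3 and 4.4, as an added Python example (not the thesis' Sage worksheet): arithmetic in $\mathbb{F}_{p^2}$, the group law on $E(\mathbb{F}_{p^2})$, Miller's algorithm for the Weil pairing, and baby-step giant-step for the DLP in $\mathbb{F}_{p^2}^*$, on the same curve $y^2 = x^3 + 1$ over $\mathbb{F}_{2069}$. Two choices are mine, not the thesis': the auxiliary point is obtained with the distortion map ψ(x, y) = (ζx, y), ζ a primitive cube root of unity in $\mathbb{F}_{p^2}$, instead of a random R in $E(\mathbb{F}_{p^2})$, and the DLP is set up in the subgroup of prime order 23 generated by [2070/23]P with a constructed secret k = 17. For p ≡ 2 mod 3 and P of prime order n ≠ 3, ψ(P) ∉ ⟨P⟩, so $e_n(P, \psi(P))$ is primitive and no retry is needed; for the thesis' composite n = 138 this shortcut fails on the 3-part (the order-3 points (0, ±1) are fixed by ψ), which is exactly where the random-R loop of the modified algorithm earns its keep. The loop over auxiliary points S in mov_dlog is the standard way of handling an S that lands on a zero or pole of a Miller function.

```python
# Added example (not from the thesis): the MOV reduction on the thesis' supersingular
# curve E: y^2 = x^3 + 1 over F_2069, with constructed choices that differ from
# Section 4.3/4.4: auxiliary point R = psi(P), psi(x, y) = (zeta x, y), in place of a
# random R; the order-23 subgroup generated by [2070/23]P with P = (11, 411); the
# Weil pairing via Miller's algorithm; the DLP in F_{p^2}^* via baby-step giant-step.
p = 2069                              # p = 2 (mod 3): y^2 = x^3 + 1 has trace 0, #E(F_p) = p + 1
D = (-3) % p                          # F_{p^2} = F_p(alpha), alpha^2 = D; D is a non-square as p = 2 (mod 3)
assert pow(D, (p - 1) // 2, p) == p - 1
ZERO, ONE = (0, 0), (1, 0)            # a pair (a, b) stands for a + b*alpha
ZETA = ((p - 1) // 2, (p + 1) // 2)   # (-1 + alpha)/2, a primitive cube root of unity

def fadd(u, v): return ((u[0] + v[0]) % p, (u[1] + v[1]) % p)
def fsub(u, v): return ((u[0] - v[0]) % p, (u[1] - v[1]) % p)
def fmul(u, v): return ((u[0]*v[0] + D*u[1]*v[1]) % p, (u[0]*v[1] + u[1]*v[0]) % p)
def finv(u):
    nrm = (u[0]*u[0] - D*u[1]*u[1]) % p           # u * conj(u), an element of F_p
    if nrm == 0: raise ZeroDivisionError
    c = pow(nrm, p - 2, p)
    return (u[0]*c % p, -u[1]*c % p)
def fpow(u, e):
    r = ONE
    while e:
        if e & 1: r = fmul(r, u)
        u, e = fmul(u, u), e >> 1
    return r

def lift(x, y): return ((x % p, 0), (y % p, 0))   # E(F_p) -> E(F_{p^2}); O is None
def on_curve(T):
    if T is None: return True
    x, y = T
    return fmul(y, y) == fadd(fmul(fmul(x, x), x), ONE)
def ec_neg(T): return None if T is None else (T[0], fsub(ZERO, T[1]))
def slope(T, U):                                  # chord, or tangent when T == U
    if T == U: return fmul(fmul((3, 0), fmul(T[0], T[0])), finv(fmul((2, 0), T[1])))
    return fmul(fsub(U[1], T[1]), finv(fsub(U[0], T[0])))
def ec_add(T, U):
    if T is None: return U
    if U is None: return T
    if T[0] == U[0] and fadd(T[1], U[1]) == ZERO: return None
    lam = slope(T, U)
    x3 = fsub(fsub(fmul(lam, lam), T[0]), U[0])
    return (x3, fsub(fmul(lam, fsub(T[0], x3)), T[1]))
def ec_mul(k, T):
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, T)
        T, k = ec_add(T, T), k >> 1
    return acc
def distort(T): return (fmul(ZETA, T[0]), T[1])   # psi: automorphism of E not defined over F_p

def miller_line(T, U, X):
    """l_{T,U}(X) / v_{T+U}(X): the function with divisor (T) + (U) - (T+U) - (O)."""
    if T[0] == U[0] and fadd(T[1], U[1]) == ZERO: return fsub(X[0], T[0])   # T + U = O
    lam = slope(T, U)
    x3 = fsub(fsub(fmul(lam, lam), T[0]), U[0])
    return fmul(fsub(fsub(X[1], T[1]), fmul(lam, fsub(X[0], T[0]))), finv(fsub(X[0], x3)))
def miller(P, X, n):
    """f_{n,P}(X) with div f_{n,P} = n(P) - n(O), built along the bits of n."""
    f, T = ONE, P
    for bit in bin(n)[3:]:
        f, T = fmul(fmul(f, f), miller_line(T, T, X)), ec_add(T, T)
        if bit == "1": f, T = fmul(f, miller_line(T, P, X)), ec_add(T, P)
    return f
def weil_pairing(P, Q, n, S):
    """e_n(P, Q) = [f_P(Q+S)/f_P(S)] / [f_Q(P-S)/f_Q(-S)], i.e. f_P(D_Q)/f_Q(D_P) with the
    divisors (Q+S)-(S) and (P)-(O); raises ZeroDivisionError if S hits a zero or pole."""
    fP = fmul(miller(P, ec_add(Q, S), n), finv(miller(P, S, n)))
    fQ = fmul(miller(Q, ec_add(P, ec_neg(S)), n), finv(miller(Q, ec_neg(S), n)))
    e = fmul(fP, finv(fQ))
    if e == ZERO: raise ZeroDivisionError
    return e

def bsgs(a, b, n):
    """k with a^k = b in the order-n subgroup of F_{p^2}^* (baby-step giant-step)."""
    m = int(n ** 0.5) + 1
    baby, cur = {}, ONE
    for j in range(m):
        baby.setdefault(cur, j)
        cur = fmul(cur, a)
    giant, gamma = finv(fpow(a, m)), b
    for i in range(m):
        if gamma in baby: return (i * m + baby[gamma]) % n
        gamma = fmul(gamma, giant)
    raise ValueError("b is not a power of a")

def mov_dlog(P, Q, n):
    """Solve [k]P = Q for P in E(F_p) of prime order n > 3; returns (a, b, k) with a^k = b."""
    R = distort(P)
    for i in range(2, n):                  # S = [i]R + [j]P, retried if it hits a zero/pole
        for j in range(2, n):
            S = ec_add(ec_mul(i, R), ec_mul(j, P))
            try:
                a, b = weil_pairing(P, R, n, S), weil_pairing(Q, R, n, S)
            except ZeroDivisionError:
                continue
            return a, b, bsgs(a, b, n)
    raise ValueError("no usable auxiliary point")

if __name__ == "__main__":
    P1 = ec_mul(2070 // 23, lift(11, 411))             # a point of order 23
    a, b, k = mov_dlog(P1, ec_mul(17, P1), 23)
    print("recovered k =", k, "; e_23(P, R) primitive:", fpow(a, 23) == ONE and a != ONE)
```

The pairing value is independent of the auxiliary point S, and $e_n([2]P, R) = e_n(P, R)^2$; checking these two properties is the quickest way to catch a sign or ordering mistake in the Miller loop. With n = 23 the final DLP is solved by baby-step giant-step; at cryptographic sizes this is the step one replaces by index calculus in $\mathbb{F}_{q^l}^*$, which is what makes the reduction pay off.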


5 Conclusion

The invention of the computer and the internet have made communication a loteasier. In a couple of mouseclicks, we can share information with everyone every-where. However, this has made communication also a lot more dangerous, becausethe messages we send, can easily be intercepted by someone unwanted. Therefore,cryptography has become indispensable in our lives.

In this thesis we have examined some public key cryptosystems, especially thosedefined over elliptic curve groups. PKC’s consist of encryption schemes, where thedifficulty of finding the decryption key without knowledge of the encryption key,is based on a mathematical problem which is believed to be nearly impossible tosolve in reasonable time. This way, the encryption key can be made public, and thissolves the problem of exchanging keys in the traditional secret key cryptosystems.

One such difficult mathematical problem is the discrete logarithm problem for abelian groups. In additive notation, this problem is to find a number k such that kg = h for given elements g, h in the group. For general groups, there do exist algorithms that solve a DLP, like the Baby-step Giant-step algorithm and the Pollard ρ-algorithm, possibly in combination with the Pohlig-Hellman algorithm. But these all have exponential running time, and are therefore not considered to be fast. However, for the multiplicative group $\mathbb{F}_p^*$, there is a method that solves a DLP in subexponential time, namely index calculus. As a consequence, these kinds of groups can only be used in cryptography if their cardinality is enormous.

That is where elliptic curves come into play. These are non-singular projectivecubic curves over algebraically closed fields. It is possible to define an abelian groupstructure on these curves. Therefore, we can define discrete logarithm problems onthem. So elliptic curves can be used to define public key cryptosystems.

Public key cryptosystems based on elliptic curve groups, also called elliptic curvecryptosystems are surprisingly safe. Until now, there are no known algorithms thatsolve a random DLP on a random elliptic curve group in polynomial or subexpo-nential time. Therefore, the group size can be kept relatively small, and this makeselliptic curve cryptosystems especially useful for small communication devices.

However, we still have to be careful. Not every elliptic curve can be used for cryptographic purposes. We have to rule out supersingular and anomalous elliptic curves. For these classes of curves, there exist relatively fast algorithms for solving the DLP, namely the MOV-algorithm and the SSSA-algorithm respectively. But if we stay away from these cases, elliptic curve cryptography is a safe way of encrypting messages. For now at least.


A Appendix: Background Information

A.1 Running time of algorithms

In this thesis, we describe quite a few algorithms. These are useful when calculations by hand take too much time. We then write a program and let a computer execute the steps of the algorithm. Although computers execute algorithms a lot faster than humans, they can still take a lot of time to solve a problem. We want to be able to estimate the time that is needed. Therefore, we analyze the running time of algorithms. In computer science, there are different ways of doing that. In this thesis, we only consider the running time of the worst case.

For analyzing running times, it is useful to introduce big-O notation.

Definition. Let f, g : N → R≥0 be functions. If there exist positive constants cand N , such that f(x) ≤ cg(x) for all x ≥ N , we write f(x) = O(g(x)).

A way of proving that f(x) = O(g(x)) is showing that
$$\lim_{x \to \infty} \frac{f(x)}{g(x)}$$
exists and is finite. See Proposition 2.15 of [6] for a proof.

In the literature, we sometimes come across the notation $f(x) \ll g(x)$ instead of f(x) = O(g(x)). In this Section, the notation $f(x) \ll g(x)$ is more convenient. However, in the main text of this thesis, we stick to the more common big-O notation.

When we analyze an algorithm, we express the number of ‘steps’ needed (in theworst case), in the size of the input in bits, using big-O notation. The word ‘steps’is kept vague, since it depends on the situation we are in. It could for examplemean additions, or multiplications.

Example. Consider the algorithm that adds all non-negative binary numbers smaller than the input one by one. If the input has k bits, in the worst case the number of steps (in this case, additions) needed to execute the algorithm is $2^k - 1$, so in this case we can say that this algorithm takes $O(2^k)$ steps.

The next definition gives us a way to categorize algorithms in terms of ‘fastness’.

Definition. A function $f : \mathbb{N} \to \mathbb{R}_{\ge 0}$ is said to grow polynomially if there exist positive constants α and β such that $x^\alpha \ll f(x) \ll x^\beta$. It is said to grow exponentially if there exist positive constants α and β such that $e^{x^\alpha} \ll f(x) \ll e^{x^\beta}$. Finally, it is said to grow subexponentially if for every pair of positive constants α and β it holds that $x^\alpha \ll f(x) \ll e^{x^\beta}$.

When the number of steps of an algorithm grows polynomially, we say that ithas polynomial running time. If it grows (sub)exponentially, we say that it has(sub)exponential running time.

Normally, if the input of an algorithm is an integer, we do not express thenumber of steps needed to finish the algorithm in the bitsize of the input. We thenjust express it in the integers themselves. However, we must always keep in mind,that the fastness of algorithms we work with depends on the number of bits. Wecan translate as follows.

Lemma A.1.1. Let f be the function that assigns to each integer the number of steps needed to execute the algorithm we are working with, with that integer as input. Then the algorithm has polynomial running time if there exist positive constants α and β such that $(\log n)^\alpha \ll f(n) \ll (\log n)^\beta$. It has exponential running time if there exist positive constants α and β such that $n^\alpha \ll f(n) \ll n^\beta$. Finally, it has subexponential running time if for every pair of positive constants α and β it holds that $(\log n)^\alpha \ll f(n) \ll n^\beta$.


Algorithms with polynomial running time are considered to be fast, and thosewith exponential running time are considered to be slow. This is of course relative.It is possible that an algorithm with exponential running time solves a problemquicker than one with polynomial running time. In general, when the number ofbits of the input becomes very large, polynomial time algorithms are expected tofinish faster than (sub)exponential time algorithms, although it could still take alot of time.

Sometimes, the running time depends on chance, for example when the inputis random. If the running time of such an algorithm is expected to be polynomial,we usually say that it has probabilistic polynomial running time. Probabilistic(sub)exponential running time is defined likewise.

A.2 Divisors

Algebraic geometry is the field of mathematics that studies algebraic varieties, whichare zero sets of prime ideals in affine or (more commonly) projective spaces, andmorphisms between them. Treating this subject in full detail is unnecessary for therest of this thesis. We only assume that the reader has some knowledge of the basicsof algebraic geometry. For theoretical background, we refer to Chapter 1 of [5] orChapters 1 and 2 of [13].

In this thesis, we are only interested in algebraic curves, which are algebraicvarieties of dimension 1. All the curves we treat, lie in affine or projective planes, sowe usually define a curve by giving a single equation in two unknowns. The theoryon curves is quite extensive, and falls outside the scope of this thesis. The onlytheory on algebraic curves that requires some more background, is about divisors.In the following section we give a definition, and state some properties.

Let C be an algebraic curve. A divisor D on C is a formal sum over the points of C:
$$D = \sum_{P \in C} n_P\,(P),$$
with $n_P \in \mathbb{Z}$, and $n_P \ne 0$ for only finitely many P. We define the degree of a divisor as the sum of its coefficients: $\deg D = \sum_{P \in C} n_P$.

Divisors form a tool to keep track of the zeros and poles of functions. If $f \in K(C)^*$, we let
$$\mathrm{div}(f) = \sum_{P \in C} \mathrm{ord}_P(f)\,(P),$$
and we call it the divisor of f. A divisor is called principal if it is the divisor of some function in $K(C)^*$.

Divisors of functions have some nice properties if we are working on a non-singular curve, which are summarized in the following Lemma.

Lemma A.2.1. Let C be a non-singular curve. Then

1. div(f) = 0 if and only if f is a non-zero constant function.

2. div(f) = div(f ′) if and only if f ′ = cf for some c ∈ K∗.

3. deg(div(f)) = 0 for all f ∈ K(C)∗.


References

[1] Binary search algorithm, November 2009. available at: http://en.wikipedia.org/wiki.

[2] Kerckhoffs’ principle, June 2010. available at: http://en.wikipedia.org/wiki.

[3] Sage, April 2010. available at: http://www.sagemath.nl.

[4] J. A. Buchmann. Introduction to cryptography. Springer-Verlag, New York, second edition, 2004.

[5] R. Hartshorne. Algebraic geometry. Springer-Verlag, New York, 1977.

[6] J. Hoffstein, J. Pipher, and J. H. Silverman. An introduction to mathematicalcryptography. Springer-Verlag, New York, 2008.

[7] D. Husemoller. Elliptic curves. Springer-Verlag, New York, second edition,2004.

[8] N. Koblitz, A. Menezes, and S. Vanstone. The state of elliptic curve cryptog-raphy. Designs, Codes and Cryptography, 19:173–193, 2000.

[9] S. Lang. Elliptic curves, Diophantine analysis. Springer-Verlag, Berlin, 1978.

[10] A. Menezes, T. Okamoto, and S. Vanstone. Reducing elliptic curve logarithmsto logarithms in a finite field. IEEE Transactions on Information Theory,39:1639–1649, 1991.

[11] G. Musiker. Schoof's algorithm for counting points on E(F_q), 2005. available at: http://en.wikipedia.org/wiki.

[12] R. Schoof. Elliptic curves over finite fields and the computation of square rootsmod p. Mathematics of computation, 44(170):483–494, 1985.

[13] J. H. Silverman. The arithmetic of elliptic curves. Springer-Verlag, New York,1986.

[14] T. A. Veerman. Calculations made in section 4.4, May 2010. available at:http://www.sagenb.org/home/pub/2065/.

[15] L. C. Washington. Elliptic curves, number theory and cryptography. Chapman& Hall/CRC, Boca Raton, 2003.

[16] W. C. Waterhouse. Abelian varieties over finite fields. Annales Scientifiques de l'École Normale Supérieure, 2:521–560, 1969.

[17] A. Werner. Elliptische Kurven in der Kryptographie. Springer-Verlag, Berlin,2002.
