Theory of Elliptic Curves

7/27/2019 Theory of Elliptic Curves

1/104

An Introduction to theTheory of Elliptic Curves

Joseph H. Silverman

Brown University andNTRU Cryptosystems, Inc.

Summer School on

Computational Number Theory andApplications to Cryptography

University of Wyoming

June 19 July 7, 2006

0


2/104

0

An Introduction to the Theory of Elliptic Curves

Outline

Introduction

Elliptic Curves The Geometry of Elliptic Curves The Algebra of Elliptic Curves What DoesE(K) Look Like?

Elliptic Curves Over Finite Fields

The Elliptic Curve Discrete Logarithm Problem Reduction Modulop, Lifting, and Height Functions Canonical Heights on Elliptic Curves Factorization Using Elliptic Curves

L-Series, BirchSwinnerton-Dyer, and $1,000,000

Additional Material Further Reading

An Introduction to the Theory of Elliptic Curves 1


3/104


The Discrete Logarithm Problem

Fix a groupGand an elementg

G. The Discrete

Logarithm Problem(DLP) forGis:

Given an elementh in the subgroupgenerated by g, find an integer msatisfying h=gm.

The smallest integermsatisfyingh=gm is called thelogarithm (or index) ofh with respect to g, and isdenoted

m= logg(h) or m= indg(h).

The Discrete Logarithm Problem is used as the underly-ing hard problem in many cryptographic constructions,including key exchange, encryption, digital signatures,and hash functions.



4/104


Diffie-Hellman Key Exchange

Public Knowledge: GroupGand elementg of ordern.

BOB ALICE

Choose secret 0< b < n Choose secret 0< a < n

ComputeB=gb ComputeA=ga

SendB

to Alice

to Bob SendAComputeAb ComputeBa

Bob and Alice have the shared value

Ab =gab =gba =Ba

And one hopes that computinggab fromga and gb re-quires solving the discrete logarithm problem.



5/104


How Hard is the Discrete Log Problem?

For some groups, DLP is very easy:

Z/mZunder addition (Euclidean algorithm) Ror Cunder multiplication (analytic logarithm)For some groups, DLP is difficult. The classical exampleis: Fp under multiplication

The best known algorithm to solve DLP inFp takestime

O

ec3

(logp)(log logp)2

This is called subexponential, since it is faster thanexponential (in logp), but slower than polynomial.For cryptographic purposes, it would be better to usea group G for which solving DLP takes time that isexponential in the order ofG.



6/104

Elliptic

Curves


7/104

Elliptic Curves

What is an Elliptic Curve?

An elliptic curve is a curve thats also naturally agroup.

The group law is constructed geometrically. Elliptic curves have (almost) nothing to do with

ellipses, so put ellipses and conic sections out ofyour thoughts.

Elliptic curves appear in many diverse areas of math-ematics, ranging from number theory to complexanalysis, and from cryptography to mathematical

physics.

A I t od ctio to the Theo of Elli tic C es 5


8/104

Elliptic Curves

Points on Elliptic Curves

Elliptic curves can have points with coordinates inany field, such asFp,Q,R, orC. Elliptic curves with points in Fpare finite groups.

Elliptic Curve Discrete Logarithm Prob-lem(ECDLP) is the discrete logarithm problemfor the group of points on an elliptic curve over a

finite field. The best known algorithm to solve the ECDLP isexponential, which is why elliptic curve groups areused for cryptography.

More precisely, the best known way to solve ECDLPfor an elliptic curve overFptakes timeOp . The goal of these talks is to tell you somethingabout the theory of elliptic curves, with an em-phasis on those aspects that are of interest in cryp-tography.

An Introduction to the Theory of Elliptic Curves6


9/104

Elliptic Curves

The Equation of an Elliptic Curve

AnElliptic Curveis a curve given by an equation of

the formy2 =x3 + Ax+B

There is also a requirement that thediscriminant

= 4A3 + 27B2 is nonzero.

Equivalently, the polynomialx3 + Ax + B has distinctroots. This ensures that the curve is nonsingular.For reasons to be explained later, we also toss in anextra point, O, that is at infinity, soEis the set

E= (x, y) :y2 =x3 +Ax+ B {O}.Amazing Fact: We can use geometry to make thepoints of an elliptic curve into a group. The next fewslides illustrate how this is accomplished.

An Introduction to the Theory of Elliptic Curves7


10/104

The Geometry ofElliptic Curves


11/104

The Geometry of Elliptic Curves

The Elliptic CurveE :y2 =x3 5x+ 8

E



12/104


Adding Points on an Elliptic Curve

P

Q

E

Start with two pointsP andQonE.



13/104



P

Q

L

E

Draw the lineLthroughP andQ.



14/104



P

Q

R

L

E

The lineLintersects the cubic curveEin a thirdpoint. Call that third pointR.



15/104



P

Q

R

L

E

Draw the vertical line throughR.It hitsEin another point.



16/104



P

Q

R

P Q

L

E

We define thesum ofP and Q on Eto be thereflected point. We denote it byP Qor justP+ Q.



17/104


Adding a Point To Itself on an Elliptic Curve

P

E

How do we add a pointPto itself, since there aremany different lines that go throughP?



18/104



P

Lis tangent toEatP

L

E

If we think of addingP toQand letQapproachP,then the lineLbecomes the tangent line toEatP.



19/104



P

R

2P

Lis tangent toEatP

L

E

Then we take the third intersection pointR, reflectacross thex-axis, and call the resulting point

P P or 2P.An Introduction to the Theory of Elliptic Curves 16


20/104


Vertical Lines and the Extra Point At Infinity

E

P

Q= P

LetP E. We denote the reflected point by P.



21/104



E

L

P

Q= P

Vertical lines have

no third intersection

point withE

Big Problem: The vertical lineLthroughPand Pdoes not intersectEin a third point!

And we need a third point to defineP (P).An Introduction to the Theory of Elliptic Curves 18


22/104



E

L

O

P

Q= P

Create an extra

point O on Elying at infinity

Solution: Since there is no point in the plane thatworks, we create an extra point O at infinity.

Rule:O is a point on every vertical line.An Introduction to the Theory of Elliptic Curves 19


23/104

The Algebra ofElliptic Curves


24/104

The Algebra of Elliptic Curves

Properties of Addition onE

Theorem The addition law on E has the following

properties:

(a) P+ O = O + P =P for allP E.(b)P+ (P) = O for allP E.(c) P+ (Q +R) = (P+Q) +R for allP, Q, R E.(d)P+ Q=Q + P for allP, Q

E.

In other words, the addition law + makes the pointsofE into a commutative group.

All of the group properties are trivial to checkexcept

for the associative law (c). The associative law can beverified by a lengthy computation using explicit formu-las, or by using more advanced algebraic or analyticmethods.



25/104


A Numerical Example

E :y2 =x3

5x+ 8

The pointP = (1, 2) is on the curveE.Using the tangent line construction, we find that

2P =P+ P =

7

4, 27

8

.

Let Q =74, 278

. Using the secant line construc-

tion, we find that

3P =P+Q= 553

121

,

11950

1331 .

Similarly,

4P =

45313

11664, 8655103

1259712

.

As you can see, the coordinates are getting very large.An Introduction to the Theory of Elliptic Curves 21


26/104


Formulas for Addition onE

Suppose that we want to add the points

P1= (x1, y1) and P2= (x2, y2)

on the elliptic curve

E :y2 =x3 + Ax+ B.

Let the line connectingP toQbeL:y =x+

Explicitly, the slope andy-intercept ofLare given by

=

y2

y1x2 x1 ifP1 =P23x21+A

2y1ifP1=P2

and =y1 x1.



27/104


Formulas for Addition onE (continued)

We find the intersection of

E :y2 =x3 +Ax+B and L:y=x+

by solving(x+ )2 =x3 +Ax+B.

We already know that x1and x2are solutions, so we can

find the third solutionx3by comparing the two sides ofx3 +Ax+B (x+ )2

= (x x1)(x x2)(x x3)=x3 (x1+ x2+ x3)x2 + (x1x2+ x1x3+ x2x3)x x1x2x3.

Equating the coefficients ofx2

, for example, gives2 = x1 x2 x3, and hence x3=2 x1 x2.Then we computey3 usingy3=x3+ , and finally

P1+P2= (x3, y3).An Introduction to the Theory of Elliptic Curves 23


28/104


Formulas for Addition onE(Summary)

Addition algorithm forP1= (x1, y1) andP2= (x2, y2)

on the elliptic curveE :y2

=x3

+ Ax+B

IfP1 =P2 andx1=x2, thenP1+P2= O. IfP1=P2 andy1= 0, thenP1+ P2= 2P1= O.

IfP1 =P2 (andx1 =x2),let=

y2 y1x2 x1

and=y1x2 y2x1

x2 x1.

IfP1=P2 (andy1 = 0),

let=3x

2

1+A2y1and=x

3

+ Ax+ 2B2y .

Then



29/104


Formulas for Addition onE(Summary)

Addition algorithm forP1= (x1, y1) andP2= (x2, y2)

on the elliptic curveE :y2

=x3

+ Ax+B

IfP1 =P2 andx1=x2, thenP1+P2= O. IfP1=P2 andy1= 0, thenP1+ P2= 2P1= O.

IfP1 =P2 (andx1 =x2),let=

y2 y1x2 x1

and=y1x2 y2x1

x2 x1.

IfP1=P2 (andy1 = 0),

let=3x

2

1+A2y1and=x

3

+ Ax+ 2B2y .

Then

P1+ P2= (2 x1 x2, 3 + (x1+ x2) ).



30/104


An Observation About the Addition Formulas

The addition formulas look complicated, but for exam-

ple, if P1 = (x1, y1) and P2 = (x2, y2) are distinctpoints, then

x(P1+P2) =

y2 y1x2 x1

2 x1 x2,

and ifP = (x, y) is any point, then

x(2P) =x4 2Ax2 8Bx+A2

4(x3 + Ax+ B) .

Important Observation: IfAandBare in a field K and if P1 and P2 havecoordinates inK, then P1+P2 and 2P1also have coordinates inK.



31/104


The Group of Points onEwith Coordinates in a FieldK

The elementary observation on the previous slide leads

to the important result that points with coordinates in aparticular field form a subgroup of the full set of points.

Theorem. (Poincare,1900) Let Kbe a field andsuppose that an elliptic curve Eis given by an equation

of the formE :y2 =x3 + Ax+ B with A, B K.

Let E(K) denote the set of points ofE with coordi-nates inK,

E(K) = (x, y) E :x, y K {O}.ThenE(K) is asubgroupof the group of all pointsofE.



32/104


A Finite Field Example

The formulas giving the group law onEare valid if the

points have coordinates in any field, even if the geomet-ric pictures dont make sense. For example, we can takepoints with coordinates inFp.Example. The curve

E :y2 =x3

5x+ 8 (mod 37)

contains the points

P = (6, 3) E(F37) and Q= (9, 10) E(F37).Using the addition formulas, we can compute inE(F37):

2P=(35,11), 3P=(34,25),4P=(8,6), 5P=(16,19),. . .

P+Q=(11,10),. . .

3P+4Q=(31,28),. . .



33/104


A Finite Field Example (continued)

Substituting in each possible value x = 0, 1, 2, . . . , 36

and checking ifx3 5x+ 8 is a square modulo 37, wefind that E(F37) consists of the following 45 points mod-ulo 37:

(1, 2), (5, 21), (6, 3), (8, 6), (9, 27), (10, 25),(11, 27), (12, 23), (16, 19), (17, 27), (19, 1), (20, 8),

(21,

5), (22,

1), (26,

8), (28,

8), (30,

25), (31,

9),

(33, 1), (34, 25), (35, 26), (36, 7), O.

There are nine points of order dividing three, so as anabstract group,

E(F37) =C3 C15.

Theorem. Working over a finite field, the group ofpoints E(Fp) is always either a cyclic group or the prod-uct of two cyclic groups.



34/104


Computing Large Multiples of a Point

To use the finite group E(Fp) for Diffie-Hellman, say,

we needpto be quite large (p >2160) and we need tocompute multiples

mP =P+ P+ +P mtimes

E(Fp)

for very large values ofm.

We can compute mP in O(log m) steps by the usualDouble-and-Add Method. First write

m=m0+ m1 2 +m2 22 + + mr 2rwithm0, . . . , mr {0, 1}.

ThenmPcan be computed as

mP =m0P+ m1 2P+m2 22P+ +mr 2rP,where 2kP = 2 2 2Prequires onlykdoublings.



35/104


Computing Large Multiples of a Point (continued)

Thus on average, it takes approximately log2(m) dou-

blings and 12log2(m) additions to computemP.

There is a simple way to reduce the computation timeeven further. Since it takes the same amount of time tosubtract two point as it does to add two points, we can

instead look at a ternary expansion ofm, which meanswriting

m=m0+ m1 2 +m2 22 + + mr 2rwithm0, . . . , mr {1, 0, 1}.

On average, this can be done with approximately 23 ofthe mis equal to 0, which reduces the average number

of additions to 13log2(m).



36/104

What Does E(K)Look Like?

Theres no single answer, itdepends on the field K.


37/104

What Does E(K)Look Like?

Theres no single answer, itdepends on the field K.


38/104

What DoesE(K) Look Like?

What DoesE(R) Look Like?

We have seen a picture of an E(R). It is also possible

forE(R) to have two connected components.

E

Analytically, E(R) is isomorphic tothe circle groupS1 or to two copiesof the circle groupS1 C2.



39/104


What DoesE(C) Look Like?

The points of an elliptic curve with coordinates in the

complex numbersC form a torus, which is the math-ematical term for the surface of a donut.

We can form a torus by choosing two complex num-bers1, 2 C, using them as two sides of a parallelo-gram, and then identifying the opposite sides.

1

2



40/104



The complex numbers 1 and 2 are called periods

ofE. To describe the group law onE(C), we look atL= {n11+n22:n1, n2 Z} C,

the latticespanned by1 and2.

L

1

2 1+ 2

21

22 1+ 22

The latticeLis a regularly spaced array of points in C.An Introduction to the Theory of Elliptic Curves 34


41/104



The lattice L is a subgroup of the complex numbers.

The quotient is both a group and a complex manifold,and there is a a complex analytic isomorphism

C/L

(z),12

(z)

E(C),

where theWeierstrass

-function

is defined by theLaurent series

(z) = 1

z2+

L=0

1

(z )2 1

2

.

It satisfies (z+ ) =(z) for all L.Thus (z) is a doubly periodic function, since ithas two independent periods1 and2. It generalizesthe classical functionez that has the single period 2i.



42/104


Points of Finite Order inE(C)

As an abstract group, the groupE(C) looks like

E(C) =C/L =S1 S1.It is very easy to describe the points of finite order onthe torusS1 S1.For any integerN 1, we write

E(C)N = {P E(C) :N P = O}for the set of elements ofE(C) of order dividingN.

ExerciseIfG is anabeliangroup, prove thatGN is asubgroup ofG. Also find a nonabelian counterexample.

Proposition. For allN 1,E(C)N=CN CN

is the product of two cyclic groups of orderN.An Introduction to the Theory of Elliptic Curves 36


43/104


What DoesE(Q)Look Like?

The group of rational pointsE(Q) is a subgroup of the

group of real pointsE(R), but we can no more draw anice picture ofE(Q) sitting inside E(R) than we candraw a nice picture of the rational numbersQ sittinginside the real numbersR.

Study of the group E(Q) has played and continues toplay a fundamental role in the development of manyareas of number theory.

The modern theory of Diophantine equations, thesolution of polynomial equations using integers or ratio-

nal numbers, was initiated in 1922 when L.J. Mordellproved a landmark result describingE(Q).


( )


44/104


What DoesE(Q)Look Like?Theorem. (Mordell, 1922) LetEbe an elliptic curve

given by an equationE :y2 =x3 + Ax+ B withA, B Q.

Then the group of rational pointsE(Q) is a finitelygenerated abelian group. In other words, there is afinite set of points P

1, . . . , P

t E(Q) so that every

pointP E(Q) can be written in the formP =n1P1+n2P2+ +ntPt

for somen1, n2, . . . , nt Z.

A standard theorem about finitely generated abeliangroups tells us thatE(Q) looks like

E(Q) =(Finite Group) Z Z Z r copies

.



45/104

Wh D E(K) L k Lik ?


46/104


What DoesE(Q)Look Like?The rank is a far more mysterious quantity, althoughthere is a folklore conjecture.

Conjecture. There exist elliptic curve groupsE(Q)of arbitrarily large rank.

The evidence for this conjecture is fragmentary at best.An example of rank at least 24 (Martin-McMillen 2000):

y2 + xy+ y= x3 120039822036992245303534619191166796374 x+ 504224992484910670010801799168082726759443756222911415116

And here is the only example known of higher rank. Ithas rank at least 28 (Elkies 2006):

y2 + xy+y = x3

20067762415575526585033208209338542750930230312178956502 x

+ 34481611795030556467032985690390720374855944359319180361266008296291939448732243429

Slightly more convincing is the fact that there do existelliptic curves with coefficients in the fieldFp(T) suchthat the rank ofE(Fp(T)) is arbitrarily large.


Wh t D E(K) L k Lik ?


47/104


What DoesE(Z) Look Like?

The ringZis not a field, so the set

E(Z) = {(x, y) E(Q) :x, y Z}{O}is usually nota subgroup ofE(Q).

Indeed, even ifP1andP2 have integer coordinates, theformula forP1+ P2is so complicated, it seems unlikely

that the pointP1+ P2 will have integer coordinates.Complementing Mordells Theorem describingE(Q) isa famous finiteness result forE(Z).

Theorem. (Siegel, 1928) Let Ebe an elliptic curvegiven by an equation

E :y2 =x3 + Ax+B withA, B Z.ThenEhas only finitely many pointsP = (x, y) withinteger coordinatesx, y Z, i.e.,E(Z) is a finite set.




48/104


What DoesE(Z) Look Like?

Siegel actually proves something much stronger.

For each pointP E(Q), writex(P) =

a(P)

b(P) Q as a fraction in lowest terms.

Theorem. (Siegel, 1928)

limPE(Q)

max{|a(P)|,|b(P)|}

log |a(P)|log |b(P)| = 1.

Roughly speaking, Siegels result says that the numera-tor and the denominator ofx(P) tend to have approxi-mately the same number of digits.




49/104


What DoesE(Fp) Look Like?

The groupE(Fp) is obviously a finite group. Indeed, it

clearly has no more than 2p+ 1 points.For each x Fp, there is a 50% chance that thevalue off(x) = x3 +Ax+B is a square inFp. Andiff(x) =y2 is a square, then we (usually) get two points(x,

y) inE(Fp). Plus theres the point

O.

Thus we might expectE(Fp) to contain approximately

#E(Fp) 12 2 p+ 1 =p+ 1 pointsA famous theorem of Hasse makes this precise:

Theorem. (Hasse, 1922) LetEbe an elliptic curvey2 =x3 +Ax+ B withA, B Fp.

Then #E(Fp) (p+ 1) 2p.An Introduction to the Theory of Elliptic Curves 43


50/104

Elliptic CurvesOver Finite Fields



51/104


The Order of the GroupE(Fp)

The Frobenius Mapis the function

p:E(Fp) E(Fp), p(x, y) = (xp, yp).One can check thatp is agroup homomorphism.

The quantity ap=p+ 1 #E(Fp)

is called the Trace of Frobinius, because one wayto calculate it is to use the Frobenius map to get alinear transformation on a certain vector spaceV(E).Thenapis the trace of that linear transformation.

Hasses Theorem says that

|ap| 2p.For cryptography, we needE(Fp) to contain a subgroupof large prime order. How does #E(Fp) vary for dif-ferent E?




52/104


The Distribution of the Trace of Frobenius

There are approximately 2pdifferent elliptic curves de-

fined overFp.If the ap(E) values for different Ewere uniformly dis-tributed in the interval from2p to 2p then wewould expect each value to appear approximately 12

p

times.

This is not quite true, but it is true that the valuesapbetween (say)p andp appear quite frequently.The precise statement says that the ap values follow aSato-Tate distribution:

Theorem. (Birch)#

E/Fp: ap(E) 1

4p t2 dt.




53/104


Computing the Order ofE(Fp)

If p is small, we can compute x3 +Ax+B for each

p= 0, 1, . . . , p1 and use quadratic reciprocity to checkif it is a square modulop. This takes timeO(p logp).

Schoof found a deterministic polynomial-time algorithmthat computesE(Fp) in timeO(logp)6.

Elkies and Atkin made Schoofs algorithm more efficient(but probabilistic), so it is now called the

SEA Algorithm.

The details of SEA are somewhat complicated. Roughly,

one studies the set of all maps of a fixed degreefromEto other elliptic curves. These correspond to quotientcurvesE/ for finite subgroups Eof order. Onededuces information aboutapmodulo, from whichapcan be reconstructed.




54/104


Elliptic Curves in Characteristic2

As a practical matter, computers tend to work more

efficiently with fields of characteristic 2 than they dowith fields of (large) prime characteristic.

For this reason, cryptographers often use elliptic curvesdefined over a fieldFqhavingq= 2k elements.

In characteristic 2, the curve y2 =x2 +Ax+ B is al-ways singular, so a more general equation is needed:

E :y2 + a1xy+ a3y=x3 +a2x

2 +a4x+ a6.

The formulas giving the group law are a little more com-plicated, but have the same general form.

A number of people (Sato, Kedlaya, Lauder, Wan, Denef,Vercauteren,. . . ) have worked on methods more effi-cient than SEA to count #E(Fq) whenq=pk andp isa small prime.




55/104


Koblitz Curves

For maximum efficiency, aKoblitz curveis used:

E :y2 + xy=x3 +ax2 + 1 witha= 0 ora= 1.

The Koblitz curveEhas coefficients inF2. For crypto-graphic purposes, one takes points in E(Fq) with q= 2k

andk large, sayk

160.

There are security reasons why one might insist thatkbe prime. But there are certain efficiency gains availableifk is composite.

A nice feature of the Koblitz curves is that it is easy to

count their points:#E(F2k) = 2

k 1+7

2

k 172k

+ 1.




56/104


Computing Multiples on Koblitz Curves

The computational advantage of the Koblitz curves lies

in the existence of the group homomorphism :E(Fq) E(Fq), (x, y) = (x2, y2).

ExerciseUse the fact that squaring is a field automor-phism ofF2 to prove that(P+ Q) =(P) +(Q).

The mapalso satisfies: 2(P) +(P) + 2P = OUsing this relation, every integermhas a -adic ex-pansion (similar to its binary expansion):

m=m0

+m1

+ m2

2 +

+ mrr

withm0, m1, . . . , mr {0, 1}.ThenmPcan be computed without doubling maps as:

mP =m0P+ m1(P) +m22(P) + + mrr(P).



57/104

The Elliptic Curve DiscreteLogarithm Problem

The Elliptic Curve Discrete Logarithm Problem


58/104


Elliptic Curve Discrete Logarithm Problem

ECDLP

LetEbe an elliptic curve defined over a finite fieldFp.E :y2 =x3 +Ax+ B A, B Fp.

LetSandTbe points inE(Fp). Find an integermsothat

T =mS.Recall that the (smallest) integermwith this propertyis called the Discrete Logarithm (or Index) ofTwith respect toSand is denoted:

m= logS(T) = indS(T).

Letnbe the order ofS in the groupE(Fp). Then

logS: (Subgroup ofEgenerated byS) Z/nZ.is a group isomorphism, the inverse ofm mS.




59/104

p g

How To Solve the ECDLP

Exhaustive Search Method

Computem1S, m2S, m3S , . . . for randomly chosen val-uesm1, m2, m3until you find a multiple withmS=T.Expected running time isO(p), since #E(Fp) =O(p).

Collision Search Method

Compute two lists for randomly chosen valuesm1, m2, . . .

List 1: m1S, m2S, m3S , . . .

List 2: T m1S, T m2S, T m3S . . .

until finding a collisionmiS=T mjS.

Expected running time isO(

p ) by the birthday para-dox.




60/104

p g

How To Solve the ECDLP

Pollards Method

The collision method has running timeO(p ), butit takes aboutO(

p ) space to store the two lists.

Pollards method for discrete logs achieves thesame O(

p ) running time while only requiring a

very small amount of storage.

The idea is to traverse a random path throughthe multiples mS+ nT until finding a collision.This path will consist of a loop with a tail attached(just like the letter!!).

It takes O(

p ) steps to arrive on the loop part.

Then we can detect a collision inO(p ) steps bystoring only a small proportion of the visited points.We choose which points to store using a criterionthat is independent of the underlying group law.




61/104

p g

How Else Can DLP Be Solved?

Pollards method works for most discrete log problems.

For an abstract finite groupG whose group law is givenby a black box, one canprovethat the fastest solutionto the DLP has running timeO(

#G ).

But for specific groups with known structure, there areoften faster algorithms.

For Z/NZ, the DLP is inversion modulo N. IttakesO(log N) steps by the Euclidean algorithm.

For R, the DLP can be solved using the standardlogarithm,

if=m, thenm= log()/ log().

For Fp, there is a subexponential algorithm calledtheIndex Calculusthat runs in (roughly)

O ec3logp steps.




62/104

g

Does ECDLP Have a Faster Solution?

The principal reason that elliptic curve groups are used

for cryptography is:

For general elliptic curves, thefastest known method to solveECDLP is PollardsMethod!!

This means that it is not currently feasible to solveECDLP inE(Fq) if (say)q >2160.

A DLP of equivalent difficulty in Fq requiresq 21000.Similarly, ECDLP with q

2160 is approximately as

hard as factoring a 1000 bit number.Hence cryptographic constructions based on ECDLPhave smaller keys, smaller message blocks, and may alsobe faster.




63/104

Solving ECDLP in Special Cases

For most elliptic curves, the best known solution to

ECDLP has running timeO(p ). But for certain spe-cial classes of curves, there are faster methods.It is important to know which curves have fast ECDLPalgorithms so that we can avoid using them.

Elliptic Curves E(Fp) With Exactly p Points

If #E(Fp) =p, then there is a p-adic logarithm mapthat gives an easily computed homomorphism

logp-adic:E(Fp) Z/pZ.It is easy to solve the discrete logarithm problem in

Z/pZ, so if #E(Fp) =p, then we can solve ECDLP intimeO(logp).




64/104

The Weil Pairing

An important tool for studying elliptic curves E over

any field is theWeil Pairing. LetEN = {P E :N P = O} and N = { :N = 1}.

The Weil pairing is a non-degenerate alternating bilinearform

eN :EN

EN

N

The alternating property means thateN(P, P) = 1.

In order to work with the Weil pairing over a finitefieldFq, it is necessary that EN E(Fq). (This alsoensures that

NF

q.)

The Weil pairing has important applications in bothcryptanalysis and in the construction of certain cryp-tosystems. There are various equivalent ways to definethe Weil pairing and various algorithms to compute it.




65/104

Divisors and a Definition of the Weil Pairing

IfEis an elliptic curve, then any functionf(x, y) that

does not vanish identically on E will have zeros andpoles, each of which may occur with multiplicity one orlarger. Thedivisor offis the formal sum

div(f) =n1(P1) +n2(P2) + + nr(Pr),where fhas a zero atPi of orderni (ifni >0) and a

pole atPiof order ni(ifni


66/104

The Tate Pairing

The Weil pairing is alternating. It is often more efficient

to use the Tate pairing, which is symmetric.The Tate Pairing is a non-degenerate symmetricbilinear form

E(Fq)N E(Fq)N E(Fq)

Fq

(Fq)N, (P, Q) P, QTate.

We assume that N Fq, so Fq/(Fq)N is cyclic oforderN, sinceFq is a cyclic group.To compute P, QTate, find a functionfPwith divisor

div(fP) =N(P) N(O)and choose any pointS E. Then

P, QTate =fP(Q +S)/fP(S).




67/104

Reducing ECDLP inE(Fp)to DLP inFpThe Tate pairing can be used to reduce ECDLP in

E(Fp) to DLP in Fqfor a power q=pt

. (MOV method)Precisely, let q=pt be the smallest power ofp satisfying

pt 1 (modN), whereN = #E(Fp).Then the field Fqcontains a primitiveNth root of unity.

Reduction of ECDLP in E(Fp) to DLP in Fp Suppose thatS, T E(Fp) satisfyT =mS. Compute S, STate and S, TTate as elements ofFq.

By linearity, S, TTate = S,mSTate = S, SmTate. Solving DLP inFqrevealsmand solves ECDLP.

Moral: Dont use curves with smallpt (saypt


68/104

Tripartite Diffie-Hellman Key Exchange

The Tate pairing is used in a number of important cryp-

tographic constructions. The first was Jouxs method todo Diffie-Hellman key exchange with three people. (Nofour person method is known!)

We begin by fixing: A primep >21000 and an elliptic curveE/Fp. A point S E(Fp) of order Nwithp 1 (mod N).

Three Person Diffie-Hellman Key Exchange

Alice Bob Carl

Choose secreta Choose secretb Choose secretc

PublishA=aS PublishB =bS PublishC=cS

Do B, CaTate

Do A, CbTate

Do A, BcTate

Alice, Bob, and Carl share the value S, SabcTate



69/104

Reduction Modulo p,Lifting, and ECDLP

Reduction Modulo p, Lifting, and ECDLP


70/104

Reduction of an Elliptic Curve Modulop

LetEbe an elliptic curve given by an equation

E :y2 =x3 +Ax+B withA, B ZWe can reduce the coefficients ofEmodulo a prime pto get an elliptic curve Ewith coefficients inFp,

E :y2 =x3 + Ax+ B with A, B Fp.However, remember we must check that Eis not singu-lar, which means that we need the discriminant

= 4A3 + 27B2 = 0 inFp (alsop = 2).We say thatEhas Good Reduction at pifpdoesnot divide the discrimiannt = 4A3 +27B2 and we saythatEhasBad Reduction at pifpdoes divide .

When we talk about reduction modulop, we will gen-erally assume that we have good reduction atp.




71/104

Reduction of Points ModulopLet P = (x, y) E(Q) be a rational point on an ellipticcurve. We can reduce the coordinates ofP modulopto

get a point P = (x,y) E(Fp).Ifx and y are inZ, this is fine, but what if they havedenominators? Supposex= ab Q. Ifpb, thenbhasan inverse inFp, so we set

x= ab1 inFp.And y is defined similarly.

What happens ifpdivides the denominator ofxory?In that case, it divides both denominators and we set

P = O = point at infinity on E.We have defined aReduction Modulo p Map

E(Q) E(Fp), P P .An Introduction to the Theory of Elliptic Curves 62



72/104

The Reduction ModulopHomomorphismIt is hard to overstate the importance of reduction mod-ulop. A first indication is:

Theorem. IfEhas good reduction, then the reduc-tion modulopmap

E(Q) E(Fp), P P ,

is a group homomorphism.ExampleLetEbe the elliptic curve

E :y2 =x3 + 2x+ 4.

Some points inE(Q) are

P = (2, 4), Q= 14, 178 , P+Q= 5449, 232343.The reduction modulo 11 mapE(Q) E(F11) gives

P = (2, 4), Q= (3, 9), P+ Q= (9, 5) = P+ Q.An Introduction to the Theory of Elliptic Curves 63



73/104

Reduction Modulopand Torsion PointsIfE(Q) is infinite, then obviously the homomorphism

E(Q) E(Fp)

cannot be one-to-one.

Theorem. If gcd(N, p) = 1 andEhas good reduc-tion, then

E(Q)N

E(Fp) is one-to-one.

A similar statement holds ifQ is replaced by a numberfield. It is difficult to overemphasize the importance ofthis theorem.

The theorem gives an efficient way to findE(Q)tors.

Example. E :y2

=x3

5x+ 2. We compute = 392 = 23 72, #E(F3) = 4, #E(F11) = 14.

Hence #E(Q)tors is at most 2. Since (2, 0) E(Q)torsis a point of order 2, this proves thatE(Q)tors=C2.




74/104

Reduction Modulop, Lifting, and ECDLPHere is a possible approach to solving ECDLP:

(1) Start with points S,

T

E(Fp).(2) Choose an elliptic curveEwhose reduction is E.

(3) Lift S, T to pointsS, T E(Q).(4) Find a relationnT =mS inE(Q).(5) Reduce modulopto getnT =mS.

It is easy to find a liftEofEso that Sand ThaveliftsS, T E(Q).

If S and Tare linearly dependent in E(Q), thenthere are efficient methods for finding a relation.

So what makes it hard to solve ECDLP? For someE, it is easy to findSandT, butSandTare almost always independent.

For someE, the liftsSandTexist and are alwaysdependent, butSandTare very hard to find.



75/104

Height FunctionsOn Elliptic Curves

Height Functions on Elliptic Curves


76/104

Height Functions

In order to understand lifting (and for many other pur-

poses), it is important to answer the question:How complicated are the points inE(Q)?

The answer is provided by the Theory of Heights.The Heightof a rational number is defined to be

Ha

b= max|a|, |b|, fora

b Q, gcd(a, b) = 1.Note. There are only finitely many rational numberswith height less than a given bound.

On elliptic curves, it is convenient to take the logarithm,

so theHeight of a Pointon an elliptic curve ish(P) = log H(xP) forP = (xP, yP) E(Q).

(IfP = O, we seth(P) = 0.)Intuition. It takesO(h(P)) bits to storeP.




77/104

Properties of the Height Function on an Elliptic CurveThe reason that the height function plays an importantrole in studyingE(Q) is due to its dual role:(1) hmeasures the arithmetic complexity of points.(2) hs transformations reflect the group law onE

Theorem. There are constantsc1, c2, . . .so that forall pointsP, Q, . . . E(Q):

(a) h(nP) n2h(P) c1.(b)

h(P+ Q) +h(P Q) 2h(P) 2h(Q) c2.(c) For anyc, the set

P E(Q) :h(P) c

is finite.

Property (a) may be written h(nP) =n2h(P) +O(1).

Remember thath(P) is the logarithm, so this says thatthe numerator or denominator ofxnP should have ap-proximatelyn2 digits.




78/104

The Quadratic Growth of the Height on Elliptic Curves

We illustrate with the elliptic curve and point

E :y2 =x3 +x+ 1 and P = (0, 1).Here is a table ofH(xnP)forn= 1, 2, . . . , 25.

1 1

2 2

3 13

4 36

5 6 85

6 7 08 2

7 1 96 24 9

8 9781441

9 645430801

10 54088691834

11 23545957758733

12 3348618159624516

13 3438505996705270765

14 2389279734043328028530

15 3568842156502352911081681

16 9147174028201584695660404993

17 40437302897155037003168469209281

18 144041052884595077187155035625188225

19 4077551427539061268365818617070082487981

20 29247742836717181569573123126609380958628633

21 1644662183623605030943992459758717959368038089933

22 76795559807444450146033952048248025474377706486132570

23 6037390795706541540397642739132383429233648456214266105001

24 816297679393916005694837838808362431503501229559444925278681793

25 242513738949178952234806483689465816559631390124939658301320990605073

26 47803232530993255659471421491008524334965293857886857075847338386784976289

27 67559659782039617237841184516992302782851604142385500859648938761010393239431661

28 32014345486637038681521545788678891610665676156825092102996356573331436095404542962201

29 75366079100860358183774143789438882594269554344230013075428451465317687946832468865183904333

30 235596097713466330738098972552422422374156906907547045290688341377958875910979032848694872594995042

31 949929776724866709094954536710367778326401614961417743163923974793524931042092311077415673676701373662241

32 6939337780803547166840419022721964472182663632045063388197164628060008767530358928827755424306465309623700644865

33 138560009627230805680861712729089150246171433367872626810509092219015283874452951868081163892328387927559567336088640513

34 1470496183658794212496122961743692131111461785062102204982019653166220314029845380022856443720777836633186409902489575338782721

35 107010592458999940561955702180302050658481740392774624430340775789803872514791716886258854994198364978765941985457904860326401460918221

Notice the parabolic shape,

reflecting the quadratic growthin the number of digits.



79/104

Canonical Heightson Elliptic Curves

Canonical Heights on Elliptic Curves


80/104

Canonical Heights

Taking a limit gets rid of those peskyO(1)s.

Theorem. (Neron, Tate). The limit

h(P) = limn

1

n2h([n]P)

exists and has the following properties:

h(P) =h(P) +O(1). h([n]P) =n2h(P). h(P+Q) +h(P Q) = 2h(P) + 2h(Q). h(P) = 0 if and only ifP E(Q)tors. More generally, the canonical heighth induces a

positive definite quadratic form on the real vectorspace

E(Q) R =Rr, wherer= rank E(Q).




81/104

The Height RegulatorThe inner product

P, Q :=h(P+ Q)

h(P)

h(Q)

gives E(Q)R= Rr the structure of a Euclideanspace, andE(Q)/E(Q)tors =Zr is a lattice in Rr. Thevolume of a fundamental domain of this lattice is

RE=Elliptic Regulator ofE.

Concretely, let P1, . . . , P r E(K) be a basis for thequotientE(Q)/E(Q)tors. Then

RE= detPi, Pj1i,jr.

Efficient methods to compute h(P) to high accuracy(e.g., to 10100), even for elliptic curves whose coeffi-

cients have hundreds of digits, use a local decomposition

h(P) =(P) +

p(P).An Introduction to the Theory of Elliptic Curves 70



82/104

Using Heights To Compute Relations

Here is an initially plausible way to solve ECDLP via

lifting. Let S,

T

E(Fp).(1) Lift Eand Tto a curveE/Q and pointT E(Q).

(2) Do this in such a way thatE(Q) has rank 1. (Thiscan probably be done.)

(3) Lift Sto a pointS E(Q).(4) Compute

h(S)/

h(T). This is the square of a ra-tional number, since S and T are both multiples

of a generator ofE(Q). Find that rational num-ber m2/n2. (In practice,nwill be small.)

(5) ThennT =mS, sonT =mS.

The problem is Step (3), because usually m = O(p).Thus the pointS E(Q) satisfiesh(S) =O(p2). Re-member thath(S) is the amount of memory it takes tostoreS. Since typicallyp 2160, we cannot even storethe pointS. An Introduction to the Theory of Elliptic Curves 71



83/104

Using Heights To Compute Relations

Here is an initially plausible way to solve ECDLP vialifting. Let S, T

E(F

p).

(1) Lift Eand Tto a curveE/Q and pointT E(Q).(2) Do this in such a way thatE(Q) has rank 1. (This

can probably be done.)(3) Lift Sto a pointS E(Q).(4) Compute

h(S)/

h(T). This is the square of a ra-tional number, since S and T are both multiples

of a generator ofE(Q). Find that rational num-ber m2/n2. (In practice,nwill be small.)

(5) ThennT =mS, sonT =mS.

Indeed, Neal Koblitzs talk at the Elliptic CurveCryptography Conference in 2000 was entitled:

Miracles of the Height Function:

A Golden Shield Protecting ECC




84/104

Descent and the Mordell-Weil Theorem

Recall that Mordells Theorem (which was later gener-alized by Andre Weil) says:

Mordell-Weil Theorem. The group of rationalpointsE(Q) is a finitely generated abelian group.

The proof proceeds in two steps. The first uses reduction

modulop to limit the ramification in the field extensionQ

[m]1E(K)and deduce theWeak Mordell-Weil Theorem. For somem 2,the groupE(Q)/mE(Q) is a finite.

The second step is prove the implicationWeak Mordell-Weil = Mordell-Weil.

This descent argument uses height functions and is anelegant application of the theory of canonical heights.



85/104


86/104

Factorization UsingElliptic Curves

Factorization Using Elliptic Curves


87/104

Pollardsp 1Factorization AlgorithmLetN =p1p2 pr be a number to be factored.

Pollards p 1 Factorization Algorithm worksif one of the primes pk dividing N has the propertythatpk 1 itself factors as

pk 1 =e11 e22 err with1, . . . , r small.

If1, . . . , r B, then there is a good chance thatgcd

2LCM(1,2,...,B) 1, N

will equalpk.

The idea underlying Pollardsp1 Algorithm is the factthat every element of (Z/pZ)has order dividingp 1.Unfortunately, if nop1 is B-smooth, then Pollardsmethod does not work.




88/104

Using Elliptic Curves for Factorization

Hendrik Lenstra observed that one can replace the mul-tiplicative group F

pwith an elliptic curve groupE(F

p).

More precisely, choose an elliptic curve moduloN anda point on the curve:

E :y2 =x3 + ax+ b, a, b Z/NZ, S E(Z/NZ).

Suppose that there is a primep dividing N for whichthe number of points inE(Fp) isB-smooth.

Then there is a good chance that during the computa-tion of

LCM(1, 2, . . . , B)SmodN,

some inverse (x2x1)1 mod Nwill not exist, yieldinggcd(x2 x1, N) =p.




89/104

Properties of Lenstras Algorithm

The advantage of Lenstras Elliptic Curve Algorithmover Pollards p

1 Algorithm is the introduction of

many finite groupsE(Fp) with many different orders.

The theoretical running time of Lenstras Algorithm canbe calculated using a reasonable assumption about thedistribution ofB-smooth numbers in short intervals:

Letpthe smallest prime dividingN. Thenthe expected running time of Lenstras algo-rithm is

O

ec

(logp)(log logp)

.

The fact that the running time depends on the smallestprime divisor ofNmakes Lenstras algorithm especiallygood for factoring random numbers, but it is slowerthan sieve methods for RSA-type numbersN =pq.



90/104

L-Series, the Conjecture ofBirch and Swinnerton-Dyer,

and a Million Dollar Prize



91/104

The L-Series of an Elliptic Curve

LetEbe an elliptic curve given as usual by an equation

y2

=x3

+ Ax+ B withA, B Z.For each primep, we can reduceEmodulop, count itspoints, and compute the trace of Frobenius:

ap=p+ 1 #E(Fp).TheL-Series ofEencodes all of theap values into asingle function:

L(E, s) =

p prime

1 ap

ps+

1

p2s1

1.

The variable s is a complex variable s C. UsingHasses estimate|ap| 2p, it is easy to prove thatthe product definingL(E, s) converges for Re(s)> 32.




92/104

The Analytic Continuation ofL(E, s)

Wiles Theorem. The functionL(E, s) extends toan analytic function on all ofC. Further, there is anintegerN(the Conductor ofE) so that the function

(E, s) =Ns/2(2)s(s)L(E, s)satisfies the functional equation

(E, 2 s) = (E, s).A more precise form of Wiles Theorem says to write

L(E, s) =

n=1

anns

and set f(E, ) =

n=1

ane2in.

Then f(E, ) is a modular form (weight 2 cusp form)for 0(N). This statement combined with ideas of Freyand Serre and a theorem of Ribet are used to proveFermats Last Theorem.




93/104

The Behavior ofL(E, s)Nears= 1

It is a truth universally acknowledged thatL-series sat-isfying a functional equation have interesting behaviorat the center of their critical strip. For elliptic curves,this is at the points= 1.

A formal (and completely unjustified) calculation yields

L(E, 1) = p

1 app +1

p1

= p

p

#E(Fp).

This suggests that if #E(Fp) is large, thenL(E, 1) = 0.

Birch and Swinnerton-Dyer observed that if E(Q) is

infinite, then the reduction of the points inE(Q) tendto make #E(Fp) larger than usual. So they conjectured

L(E, 1) = 0 if and only if #E(Q) = .




94/104

The Conjecture of Birch and Swinnerton-DyerMore generally, as the group E(Q) gets larger, thesize of #E(Fp) seems to get larger, too.

BirchSwinnerton-Dyer Conjecture.

ords=1 L(E, s) = rank E(Q).

This amazing conjecture says that the order of vanishing

of the functionL(E, s), which recall is created entirelyfrom information about the elliptic curve modulo var-ious primes p, governs how many rational points areneeded to generate the full groupE(Q).

The BSwD conjecture is one of the Clay MilleniumProblems, so its solution is worth $1,000,000.

There is a refined conjectureL(E, s) c(s 1)r. Theconstant cdepends, among other things, on the ellipticregulator RE.




95/104

Epilogue

The preceding slides have barely touched the vast andrich mathematical theory of elliptic curves.

And even in the small stream of cryptography, we havemerely skimmed the surface of the subject.

In the vaster realm of mathematics, the theory of ellip-tic curves appears and reappears in contexts too numer-ous to list, ranging from Wiles proof of Fermats LastTheorem to rings formed from cohomology groups tononcommutative quantum algebras and beyond.

The annotated bibliography includes a few references

to assist you in learning more about the number theoryand cryptographic applications of elliptic curves.



96/104

Additional Material

Additional Material


97/104

The Galois Representation Attached toELet E be an elliptic curve defined over Q. Then thepoints in theN-torsion subgroup

EN=P E(C) :N P = O

have coordinates in the algebraic closure QofQ.Each element of the Galois group Gal(Q/Q) actsonENas a homomorphism. Thus we obtain a map

RE,N : Gal(Q/Q) homomorphismsEN EN.ExerciseVerify thatRE,Nis a homomorphism.

The group of homomorphisms from EN= CN CN

to itself is GL2(Z/NZ), the group of 2-by-2 invertiblematrices with coefficients inZ/NZ.The map

RE,N : Gal(Q/Q) GL2(Z/NZ),is theMod N Representation Attached to E.


Additional Material

f ?


98/104

Why is the Trace of Frobenius a Trace?

Let p be a prime. Then there are Frobenius elementsp

Gal(Q/Q) characterized by the property that

p() =p (mod p),where Qand pis a prime ideal lying abovep.Evaluating the representationRE,N atpyields a ma-trix

RE,N(p) GL2(Z/NZ).Of course, the particular matix depends on the choice ofa basis for EN. But the determinant and trace of thismatrix are independent of the choice of basis.

Theorem. For allN 1,Trace

RE,N(p)

ap (mod N).This explains whyap is theTrace of Frobenius.


Additional Material

M ll Al h C h T P


99/104

Millers Algorithm to Compute the Tate Pairing

1.Choose a random pointS E(Fq) and computeQ= Q + S E(Fq).

2.Set n= log2 N 1, T1= P, f1= 1.3.Whilen 1 do:

Calculate equations of the straight linesL1 and L2 that arise in dou-blingT1 and set

T1= 2T1 and f1=f21 L1(Q

)L2(S)L2(Q)L1(S) .

If the nth bit ofNis 1 then calculate the equations of the straight linesL1andL2that arise when addingT1 to Pand set

T1= T1+ P and f1=f1L1(Q

)L2(S)L2(Q)L1(S)

.

Decrementn by 1.4.Returnf1, which is equal to P, QTate.


Additional Material

A F C i f h T P i i


100/104

A Fancy Construction of the Tate PairingLetGdenote the Galois group ofFqoverFq, and let

EN

={

P

E(Fq

) :N P =O}

.

Take Galois invariants of the short exact sequence

0 EN E(Fq) PN P E(Fq) 0.SinceH1(G, E(Fq)) = 0, this gives

E(Fq)/N E(Fq) =H1(G, EN)LetP E(Fq)N andQ E(Fq)/N E(Fq). IdentifyQwith some Q H1(G, EN) and use the Weil pairingto create an element ofH1(G, N) via the map

eN(P, Q) :G N, eN(P, Q()).This gives an element ofH1(G, N). A similar argu-

ment shows thatH1(G, N)=Fq/FqN.



101/104

Further Reading

Further Reading

F h R di


102/104

Further Reading Blake, I. F.; Seroussi, G.; Smart, N. P. Elliptic curves in cryptography. Lon-

don Mathematical Society Lecture Note Series, 265. Cambridge University

Press, Cambridge, 2000. [A good introduction to the subject.]

Certicom tutorials and white papers . [Certicom isa company that markets products using elliptic curve cryptography.]

Cohen, Henri. A course in computational algebraic number theory. Grad-uate Texts in Mathematics, 138. Springer-Verlag, Berlin, 1993. [A basic

resource for many algorithms, covers lattice algorithms (LLL) and elliptic

curve algorithms.]

Cohen, H.. Elliptic and Hyperelliptic Curve Cryptography: Theory andPractice, Chapman & Hall/CRC, 2005. [Comprehensive study of ECC andbeyond.]

Cremona, J. E. Algorithms for modular elliptic curves. Cambridge Uni-versity Press, Cambridge, 1997. [Extensive coverage of mathematical algo-

rithms for elliptic curves, although not specifically for cryptography.]

Garrett, Paul. Making, Breaking Codes: An Introduction to Cryptology.Prentice-Hall, 2001. [An undergraduate textbook on cryptography, includesdescriptions of ECC and NTRU.]

Hankerson, D., Menezes, A.J., Vanstone, S. Guide to Elliptic Curve Cryp-tography Springer-Verlag, 2004. [A practical guide to ECC.]


Further Reading

F th R di


103/104

Further Reading Koblitz, Neal. Elliptic curve cryptosystems. Mathematics of Computation

48 (1987), 203-209. [One of the original articles that proposed the use of

elliptic curves for cryptography. The other is by Victor Miller.]

Koblitz, Neal. A course in number theory and cryptography. GraduateTexts in Mathematics, 114. Springer-Verlag, New York, 1994. [Covers

basic cryptography.]

Koblitz, Neal. Algebraic aspects of cryptography. Algorithms and Com-putation in Mathematics, 3. Springer-Verlag, Berlin, 1998. [Cryptography

from an algebraic viewpoint.]

Koblitz, Neal. Miracles of the Height Function A Golden Shield Protect-ing ECC, 4th workshop on Elliptic Curve Cryptography (ECC 2000). [Slidesfrom a talk.] www.cacr.math.uwaterloo.ca/conferences/2000/ecc2000/koblitz.ps

Menezes, Alfred J.; Van Oorschot, Paul C.; Vanstone, Scott A.. Handbookof Applied Cryptography (CRC Press Series on Discrete Mathematics and

Its Applications), 1996. [Encyclopedic description of cryptography.]

Menezes, Alfred. Elliptic curve public key cryptosystems. The KluwerInternational Series in Engineering and Computer Science, 234. Commu-nications and Information Theory. Kluwer Academic Publishers, Boston,

MA, 1993. [An early description of ECC with implementation methods.]


Further Reading

F th R di


104/104

Further Reading Miller, Victor. Use of elliptic curves in cryptography. Advances in cryp-

tology CRYPTO 85 (Santa Barbara, CA, 1985), 417426, Lecture Notes

in Comput. Sci., 218, Springer, Berlin, 1986. [One of the original articles

proposing the use of elliptic curves for crypto. The other is by Neal Koblitz.]

Silverman, Joseph H. The arithmetic of elliptic curves. Graduate Texts inMathematics, 106. Springer-Verlag, New York, 1986. [The number theory

of elliptic curves at a level suitable for advanced graduate students.]

Silverman, Joseph H. Advanced topics in the arithmetic of elliptic curves.Graduate Texts in Mathematics, 151. Springer-Verlag, New York, 1994.

[Additional topics in the number theory of elliptic curves.] Silverman, Joseph H.; Tate, John. Rational points on elliptic curves. Un-dergraduate Texts in Mathematics. Springer-Verlag, New York, 1992. [An

introduction to the number theoretic properties of elliptic curves at an ad-

vanced undergraduate level.]

Stinson, Douglas R. Cryptography. Theory and practice. CRC Press Serieson Discrete Mathematics and its Applications. CRC Press, Boca Raton,

FL, 1995. [An excellent introduction to cryptography at the advanced un-dergraduate or beginning graduate level, includes a description of ECC.]

Washington, Lawrence. Elliptic Curves: Number Theory and Cryptography

Theory of Elliptic Curves

Documents

Transcript of Theory of Elliptic Curves