WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
The Order of Edwards and Montgomery Curves
RUSLAN SKURATOVSKII Department of Computer Science University Igor Sikorsky Kiev Polytechnic Institute, National Technical University of Ukraine Peremogy 37 UKRAINE
VOLODYMYR OSADCHYY ceo IT-GRAVITY-VO, Inc. Orlando, Florida, Edgewater Sr, Suite 1888, Orlando, FL, 32804, USA
Abstract: - The Elliptic Curve Digital Signature Algorithm (ECDSA) is the elliptic curve analogue of the Digital Signature Algorithm (DSA) [2]. It is well kn own that the problem of discrete logarithm is NP-hard on group on elliptic curve (EC) [5]. The orders of groups of an algebraic affine and projective curves of Edwards
[3, 9] over the finite field Fpn is studied by us. We research Edwards algebraic curves over a finite field, which are one of th e most promising supports of sets of points which are used for fast group operations [ 1]. We construct a new method for counting the order of a n Edwards curve Edp[F ] over a finite field Fp . It should be noted that this method can be applied t o the order of elliptic curves due to the birational equivalence between 2 elliptic curves and Edwar ds curves. The method we have proposed has much less complexity Oplog 2 p at Op(log8 n ) not large values p in comparison with the best Schoof basic algorithm with complexity 2 , as well as 4 n a variant of the Schoof algorithm that uses fast arithmetic, which has complexity Op(log2 ) , but works only for Elkis or Atkin primes. We not only find a specific set of coefficients with corresponding field characteristics for which these curves are su persingular, but we additionally find a general for mula by which one can determine whether a curve Edp[F ] is supersingular over this field or not. The symmetric of the Edwards curve form and the parity of all degrees made it possible to represent the shape curves and apply the method of calculating the residual coincidences. A birational isomorphism between the Montgomery curve and the Edwards curve is also constructed. A one- to-one correspondence between the Ed wards supersingular curves and Montg omery supersingular curves is established. The criterion of supersingularity for Edwards curves is found over Fpn . Key-Words: - finite field, elliptic curve, Edwards curve, algor ithm of order counting of group of points of an elliptic curve. Received: January 19, 2020. Revised: May 7, 2020. Re-revised: May 22, 2020. Accepted: May 26, 2020. Published: May 28, 2020.
1 Introduction requirement of all such applications is that the order The method of finding th e order of an algebraic of the EC [22 ]. One of e ssential requirment for EC is its order (num ber of elem ents in the algebraic curve over a finite fiel d F n are relat ed with p structure induced by the EC) possesses cert ain constructing of curves of given order. To construct properties (e.g., robustnes s against known attacks cryptosystem based on ellip tic curve we need to [23], small prime factors [22, 24], etc), which gives analyze the order of a group of el liptic curve rise to the problem of how such E C can be points. Our method gives an approach to co nstruct generated. One of good decision of this tusk is curve Edwards curves of determined order that if very of big prime order [24]. Also very important for this important if cryptography and coding theory. It was goal is avoidance curve of order p + 1 because of it accepted in 1999 as an ANSI standard and in 2000 is tractable by to pairingbased att acks. As we have as IEEE and NIST standards. discussed before, supersi ngular elliptic curves ar e One of the fundamental problems in EC vulnerable to pairingbased attacks. Therefore we cryptography is the generation of cr yptographically find a criterion of Edwards curve supersingularit y secure ECs over prime fields, suitable for use in [25]. The method of finding the order of a n various cryptographic applications. A ty pical
E-ISSN: 2224-2880 253 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
p algebraic curve over a fi nite field Fpn is now very singular point 1 . In particular, we note that a loca l relevant and is at the center of many mathematical ring which has two singularities consists of studies in connection with the use of groups of functions with the denominators are not divisible by points of cu rves of genus 1. In our article, this (1)(1)xy . problem is solved. O p We denote b y p dim /O p , where Op denotes Our algorithm has much less complexity for the local ring at the singular point p which is algebraic extensions with a la rge degree of finite fields. This is so because choosing suffi ciently large generated by the relations of regu lar functions 8 n f Op(log2 ) values n, we ontain the value is much Op :(gx ,( 1)( y 1)) 1 and O p denotes the g 2 larger than Op log2 p for a fixed v alue p . The whole closure of the local ring at the singular point criterion of supersingularity of the Edw ards curves p . is found over F n . We additionall y propose a p O p We find that p dim /O p 1 is the dim ension method for counting the points fr om Edwards of the factor as a vector s pace. Because the basis of curves and elliptic curves in response to an earlier paper by Schoof [8]. We consider the algebraic extension O p consists of just one element at O p affine and projective Edw ards curves over a finite field. We not only find a s pecific set of coefficients each distinct point, we obtain that p 1. We then with corresponding field characteristics for which calculate the genus of the curve ac cording to Fulton supersingular, but we additionall y find a general [4]. formula by which one can determ ine whether a * (1)(2)nn ()CC () pp 32 1, curve Edp[F ] is supersingular over this field o r not. pE2 pE
All proofs and anal ytical results belong t o where ()C denotes the arithmetic genus of the Skuratovskii R. and computational examples, curve C with parameter nCdeg( ) 4 . It should be confirming statements, are made by Osadchyy V. noted that the supersingular points were discovered in [10]. Recall the curve has a genus of 1 and as 2 Algebraic analyses of the curve and such it is kn own to be is omorphic to a flat cubic Curve Order Calculation Method curve, however, the curve is i mportantly not elliptic because of its singularity in the projective part. Both We recall that the twisted Edwards curve with the Edwards curve and th e twisted Edwards curve ad F* dpad coefficients , p , 1, 2, , is the are isomorphic to so me affine part of the elliptic curve Ead, : curve. The Edwards curve after normaliz ation is ax22 y1,,,()0, dx 22 y a d F * ad a d precisely a curve in the Weierstrass normal form, p which was proposed by Montgomery [1] and will be
It should be noted that a twisted Edwards curve is denoted by EM . Koblitz [ 4,5] tells us that one ca n called an Edwards curve when a 1 . We denote by detect if a curve is supersingular using the search for * Ed the Edwards curve with coefficient dF p the curve when that curve has the same number of 22 22 E which is defined as x ydxy1 over F . The points as its torsion curve. Also an elliptic curve p over F is called supersingular if for ev ery finite projective curve has form q 22 22 4 2 2 extension F r there are no points in the group F(,xyz ,) axz yz z dxy. The special q EF p points are the infinitely distant points (1, 0, 0) and ()qr of order [17]. It is known [ 1] that the (0,1,0) and therefore we find its singularities at transition from an Edw ards curve to the relat ed infinity in the corresponding affine components torsion curve is determined by the reflection A122242:az y z z dy , A222242:.ax z z z dx 1 xy,,, xy x . These are simple singularities. y We recall an im portant result from Vinogradov We describe the structure of the local ring at the [13] which will act as criterion for supersingularity. point p whose elements are quotients of functions 1 Lemma 2.1. Let k N and p P . Then f xyz (, ,) p1 with the form Fxyz(, ,) , where the n 0 (mod pnp ), | ( 1), g(,xyz ,) k k 1 1 ( mod pnp ), | ( 1), denominator cannot take the value of 0 at the
E-ISSN: 2224-2880 254 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
where np|( 1) denotes that n is divisible by p 1. pp11pp11 2222 2 Mxddp[] 1 (( 1)(xpx 1)) ( 1) The order of a curve is precisely the number of its xx00 ppp111 affine points with a neutral ele ment, where the p1 dx222222 x dx p group operation is well defined. It is known that the (1)(1)(1)(mod x0 ). order of x22ydxy1 22 coincides with the order pp11 2222 22 122 By opening the brackets i n (1)(1),xdx we of the curve x ydxy1 over Fp . We will pp11d 22 now strengthen an existing result given in [10]. We have ad22p (1) (mod p). So, using p denote the number of points with a neutral element Lemma 2.1 we have of an affine Edwards curve over the finite field Fp N d by dp[] and the number of points on the projective M dp[] app1(mod ). (4) p curve over the same field by Ndp[] . We need to prove t hat M dp 1( mod p ) if Theorem 2.1. If p 3( mod 4) is prime and [] p 3( mod 8) and M 1( mod p ) . We therefore the following condition of supersingularity dp[] p1 d 2 have to show that M dp[]() app1 (mod ) for jj2 p (Cdp1 ) 0( mod p ), (1) j0 2 p1 2 is true th en the or ders of t he curves jj2 p 3( mod 4) if ()Cdp1 0(mod p). If we 22 22 22 122 j x ydxy1 and x ydxy1 over Fp 0 2 ap d prove that p1 0( mod ) , then it will follow from Np are equal to dp[] 1, when 1, and a p (3). Let us determ ine p1 according to N ewton's
d binomial formula: ap1 is equal to the coef ficient at Npdp[]3, when 1. p1 p x in t he polynomial, which is obtained as a pp11 Proof E 22 . Consider the curve d : product (1)(1)xdx22. So, 22 22 x ydxy1. (2) p1 p1 2222 2 Transform it into the form ydxyx(1 ) 1 , then 2 jj2 adpp11(1) (C ). Actually, the following we express y2 by applying a rational transformation j0 2 equality holds: 1 x2 y2 which lead us to the curve 22 . 1 dx y p1 ppp111 p 1 2 jj() j For analysis we transform it into the curve jjj2222 2 dC()(1)()(1)pp11 dC 22 2 yx(1)(1). dx (3) j0 22 pp11 pp11 p 1 We denote t he number of poin ts from an affine 22 j (1)22dCjj C (1) 2d jj ( C ).2 Edwards curve over the finite field Fp by M dp[] . pp11p 1 jj0022 2 d This curve (3) has MNdp[] dp []1 points, p p1 2 jj2 d Since aCdpp11(), then exact num ber of which is precisely 1 greater than the num ber j0 2 p affine points on no n supersingular curv e (3) is the d following M dp aa p p exactly: of points of curve Ed . Note that denotes the [] 2 2 1 p
p1 Legendre Symbol. Let aa01,, , a 22p be the 2 d jj2 coefficients of the poly nomial M dp[] ()(modCdp 1 p). (5) 22p p j0 2 aax01 a 22p x , which was obtained from pp11 2222 (1)(1)xdx after opening the bra ckets. According to the condition of this theorem ap1 0,
Thus, summing over all x yields therefore M dp[] ap 2 p 2(mod ). Consequently, in the case when p 3( mod 4), where p is prim e and
E-ISSN: 2224-2880 255 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
p1 some algebraic manipulation 2 ()Cdjj2 0(mod p), the curve E has pp11 p 1 p 1 p1 d ()(1)( j 1)()! j0 2 p 1 j 22 2 2 ()!C p1 dd d 2122 j Npdp[] (1)12 p (6) pp p pp11 p 1 pp 11 ( )( 1) (j 1)[( )( 1) ... 22 2 22 affine points and a group of points of the curve (1)].j completed by singular points has p 1 points. After applying the congr uence Exact number of the poi nts has upper boun d pp11 ()(1)(modkkp22 ) with 21p because for every x 0 corresponds two 22 valuations of y , but for x 0 we have only one p 1 0 k to the multipliers in previous solution y 0. Taking into account that x Fp we 2 pp11 have exactly p values of x . Also there are 4 pairs parentheses, we obtain [( )( 1) (j 1)] . 22 (1,0) and (0, 1) which are points of Ed thus N 1. Thus, Np1 . This com pletes the pp11 p 1 dp[] dp[] It yields 11 j proof. 22 2 p1 Corollary 2.1. ppp111 j The orders of the curves j 2 22 22 22 122 []1(1). x ydxy1 and x ydxy1 over Fp 222 d are equal to NpN1, when () 1, Thus, as a result of squaring, we have: dp[] dp[] p ppp111j 222 d (() ! Cjjp1 ) ( 1) ( 2) and NpN34, when ()1 iff 222 (7) dp[] dp[] p 2 (1)(modpj2 p). p1 2 p1 jj p 3( mod 4) is prime and ()Cd2 0(mod p). 2 p1 Cpjj2 j0 2 It remains to prove that ()20(modp1 ) if j0 In more details conditions NpN34, 2 dp[] dp[] p 3( mod 4) . d when ()1 and NpN1, when p dp[] dp[] Consider the auxillary polynomial p1 p 1 jj d P()tC ( !)222 ( )t . We are going to show () 1, imply (1), due to the formula of number j0 p1 p 2 2 that P(2) 0 and the refore ap 0( mod ) . Using of points (5) and deduced from (5) form ula (6) of p1 affine points number of curve (2) (7) it can be shown that pp11 p 1 jj dd d aPt 2222 Ct k 2 Np (1)12. p pp11() ( !)jj ( ) ( 1) dp[] Since all 2 00 pp p 2 p 1 transformations in pro of of Theorem 2.1. were (kk 2)22 ...( )tpk ( mod ) equivalent transitions then we obtain the proof of 2 equivalence of conditions. over Fp . We replace d by t in (1) such that we Theorem 2.2. If the coefficient d 2 or d 21 can research a more generalised problem. It should pp11 pp 11 p 1 22 22 2 be noted tha t Pt()(( Qt() t )) t over jj2 and p 3( mod 4) then dC()0(mod)p1 p and p1 p j0 d 1 2 Fp , where Qt() t ... t 1 and denotes the Np1 dp[] . p 1 -th derivative by t, where t is new variable Proof. When p 3( mod 4) , we shall show that 2 but not a coordinate of curve. Observe that p1 ttpp 2 1(1) p1 jj2 Qt() ( t 1) (mod p) and dC()0(modp1 p). We multiply each binomial tt11 j0 d p 1 coefficient in this sum by ()! to obtain after 2
E-ISSN: 2224-2880 256 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
therefore the equality Corollary 2.2. The curve Ed is supersingular iff pppp1111 () () p1 E 2222 d 1 is supersingular. Pt()(( ( t 1) t ) t ) holds over F.p Proof. Let us recall the pr oved fact in Theorem 2.1 In order to si mplify notation we let t 1 and that RP() ( 1).For the case t 2 we have 1. p1 d 2 Performing this substitution leads the pol ynomial jj2 Naadp[] 2 p 2 p 1 ()(mod Cdp p 1 ). p P()t of 2 to t he polynomial Rt(1) of 1. Takin g j0 2 jj2 into account the linear nature of the substitution Since ()Cdp1 0(mod p)by condition, and the t 1, it can be seen that that derivation by 2 dd1 and t coincide. Derivat ion leads us to the congruence () ( ) holds, then according to transformation of polynomial R() to form where it pp (6) the number of poi nts on E is has the necess ary coefficient ap-1. Then d pp11 p1 p 1 dd 22p1 2 2 Naa p RP() ( 1) ( 1) ( 1) dp[] 2 p 2 p 1 (mod ) , also (( ) ) pp pp11p1 (1)!p 222 NN 1 . () (1). dp[] dp[] ((p 1) / 2)! Corollary 2.3. If p 3(mod 4) , is pri me then In order to prove that ap 0( mod ) , it is now p1 d sufficient to s how that R() 0 if 1 over F . Npdp[] 12 T, where T is such that p p p1 (1)!ppj 1 p We obtain RCjj(1) 2 ( 1) ( ). 1 p j0 p1 2 1 2 2 jj2 ()! TCdp ()modp1 and Tp 2 . 2 j0 2 We now will manipulate with the expression Proof. Due to equality (5) and the bounds (8) as well pp11 pp 11 as according to generalized Has se-Weil theorem (1)(2)().jj j In 22 22 d Np gp g order to ill ustrate the simplification we now |(1)2|2dp[] , where is genus of p consider the scena rio when p 11 and hence curve, we obtain exact num ber Ndp. As we p 1 [] 5. The expression gets the f orm showed, g 1 . From Theorem 2.1 as well as fro m 2 (5jj 1)(5 2) (5 j 5) (6 jjj )(7 ) (10 ) Corollary 2.2 we get, tha t p1 2 ()(5jj )(4 ) (1 j ) jj2 d ()Cdpd1[ Np] (1)2 p so there exists 5 p (1)(()jj 1)( 2)( j 5)(mod 11). j0 2 Therefore, for a prime p, we can rewrite the TZ , such that Tp 2 and expression as d Npdp[] 12 T. pp11 pp 11 p (1)(2)()jj j 22 22 Example 2.1. If p 13, d 2 gives N213 8 and p1 p 1 1 (1)(2 jj 1)( )(mod p). p 13, d 7 gives that the number of points of 2 E N 20 As a result, the sy mmetrical terms in (7) can be 7 is 7[13] , which i s in contradi ction to t hat reduced yielding app1 0( mod ) . It should be suggested by A. Bessalo v and O. Thsigankova. p1 Moreover, if p 7(mod 8) , then the order of torsion noted that (1)2 1 since pMk3 and NN p subgroup of curve is 2 21 3 , which is p 1 21k . Consequently, we have clearly different to p 1 as suggested by A. 2 Bessalov and O. Thsigankova. PR(2) (1) 0 ap 0( mod ) and henc e p1 as For instance p 31, then p1 j 2 NN 2 Cp 2[31] 2[31]1 28 31 3, which is clearly not required. Thus, j0 ()0(modp1 ), completing 2 equal to p 1. If pd7, 21 (4mod 7) then the the proof of t he of the theorem . The com plexity of E 2 curve 21 has four poi nts, namely calculating of (1) is Op log2 p that will be prove d 0,1; 0,6;1,0; 6,0 , and the in c ase p 7 with in Theorem 2.4.
E-ISSN: 2224-2880 257 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
d E 2( mod 7) , the curve 21 also has four points : closure of th e curve singular points w hich are not Npn 0,1 ; 0,6 ; 1,0 ; 6,0 , demonstrating the order affine and therefore dp[] 3 . in this scenario is p 3 . If p 3( mod 8) , then there are no singular NNp n The following theorem shows that the total points, hence dp[] dp [] 1. Consequently the number of affine points u pon the Edw ards curves number of points on the E dwards curve depends on E E d and d 1 are eq ual under certain assu mptions. d n () and is equal to Npdp[]3 if p 7(mod 8) This theorem additionally provides us with a p n formula for enumerating the number of affine points and Npdp[] 1 if p 3( mod 8) where upon the birationally isomorphic Montgomery curve n 1( mod 2). We note that this is because the N . M transformation of (3) i n E depends upon the Theorem 2.3. Let d satisfy the condition of d dx2 n supersingularity (1). If n 1( mod 2) and p is denominator (1). If 1( mod 2) then, with Npn respect to t he sum of root of the c haracteristic prime, then dp[]n 1 and the order of curve is nn equation for the Frobeniu s endomorphism 12 , d Npn which in this case have the same signs, we obtain equal to dpn 12. [] p that the number of points in the group of points of nnn If n 0( mod 2) and p is prime, then the order of the curve is p 112 [19]. In more details curve 12, are eigen values of Frobenius operator F n Npn p2 endomorphism on etale cohomology over the finite dp[]n 32(), and the or der of projective i field F n , where F acts of H ().X The number of n p Npn p2 curve is equal to dp[]n 12(). points, in general cas e, are determined by Lefshitz If n 0( mod 2) and p is prime, then the order of formula: ini nn/2 #X tr H X Np p F(1)(F())pn projective curve is equal to dp[]n 12() , and the order of affi ne curve i s equal to where #X F n is a num ber of points in the nn/2 p Npn 32() p. dp[] n manifold X over F n , F is co mposition of the Proof. We c onsider the extension of the base field p F F Frobenius operator. In our case, Ed is considered as p to pn in order to determ ine the number of the
22 22 the manifold X over F n . points on th e curve x ydxy1 . Let Px p denotes a pol ynomial with degree m 2 whose For n 0( mod 2) we a lways have, that every dF F coefficients are from Fp .To make the p roof, we p is a quadratic residue in pn . Consequently, take into account that it is known [12] that the d because of ()1 four singula r points appe ar on yPx2 number of solutions to () over Fpn will have p nn n the curve. Thus, the num ber of affine points is less the form p 111 ... m , where 11,...,m , 1 by 4, i.e. || p 2 d nn i . nn22 Npn 1 2 2( pp ) 3 2( p ) . In case o f our supersingular curve, if dp[] p n 1( mod 2) the num ber of points o n projective Lemma 2.2. There exists birational iso morphism curve over Fpn is deter mined by the expression between Ed and EM , which is determ ined by pnnn n 1 u 2u 1 12, where i and 12, correspondent mappings x and y . 1 u v || p that' s why ip, ip with i 1 2 Proof. To verify this statement in supersingular case i {1, 2} . In the general case, it is known [ 12, 15,19] 22 22 we suppose that the curve x ydxy1 1 that || p 2 . The or der of the pr ojective curve is d i contains p 12 points (,x y ), with coordinates therefore pn 1. p If p 7(mod 8), then it is known from a result of over prime field F.p Consider the transformation of 22 22 Skuratovskii [10] that Ed has in its projective the curve x ydxy1 into the followi ng form
E-ISSN: 2224-2880 258 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
1 u correspondence between points is the following: ydx22(1)1. x 2 Make the substitutions x 1 u 2u Special points of EM Special points of Ed and y . We wil l call the special points of this v (0; 0) – transformations the point in w hich these dd12 – (,0) transformations or inverse transform ations are not d 1 determined. As a re sult the equation of curve the dd12 – equation of the curve takes the form (,0) 4ud22 ( 1) u 2( d 1) ud ( 1) 4 u d 1 . Multipl y vu22(1 ) (1 u ) 2 (1, 2d ) – vu22(1 ) (1, 2d ) – the equation of the curve by . As a result 4u – (1,0) of the reduction, we obtain th e equation – (1, 0) 23 2 vdu(1)2(1)(1). dudu We an alyze what Table 1: Special points of birational maping. new solutions appeared in the resulting equation in 22 2 comparing with ydx(1)1. x First, there is an dd12 dd12 The points (,0),(,0), additional solution (u, v) = (0, 0). Second, if d is a d 1 d 1 quadratic residue by modulo p, then the f ollowing d (1, 2d ) , (1, 2d ) exist on EM only when ()1. (1)2dd p uv solutions appear: (,)11 ,0, d 1 These points are element s of group which can be presented on Rie mann sphere over F . The points (1)2dd d q uv (,)22 ,0. If 1 then as it (1, 2d ) , (1, 2d ) (1, 2d ) have not images on E d 1 p d because of in denominator of transformations was shown above t he order of Ed is equal to p 1 . 1 u d x appears zero. By the same reason points u Therefore, in cas e 1 order of Ed appears 1 p dd12 dd12 one additional solution of from (,0)u more exact it (,0), (,0) have not an d 1 d 1 is point with coordi nates 0, 0 also two points d E (( 1;0),(1;0)) of E have not images on E in result images on d . If 1 then as i t was shown d M p of action of birational map on EM . Thus, in this above the or der of Ed is equal to p-3. Therefore case, number of affine points on EM is equal to order of EM is equal to p because of 5 additional p 121 p . solutions of equation of EM appears but 2 points 1 u If x 1 then equality x transforms to form (( 1;0),(1;0)) of Ed have not images on EM . These 1 u are 5 additional points ap pointed in tableau above. 11uu , or 11 that is i mpossible for p>2. Also it exist s one infinit ely distant point on a n E Therefore point (1,0)have not an im age on M . Montgomery curve. Thus, the order of EM is equal Consider the ca se x 1. As a re sult of the p 1 in this case as supersingular curve has. substitutions x (1uuyuv ) / (1 ), 2 / we get the The proof if complicated. pair (,x y ) corresponding to the pair (,)uv for which It should be noted that the supersingular curve Ed is vdu23(1)2(1)(1) dudu 2 . birationally equivalent to the supersingular elliptic If it occurs that y 0 , then t he preimage having curve which may be presented in Montgomery form vdu23 dudu 2 coordinates u 0 and v is not equal to 0 is suitable (1)2(1)(1). As wel l as 2u exceptional points [1] for the birational equivalence for the birational map y which implies that v (uv , ) (2 u / v , ( u 1) / ( u 1)) ( xy , ) are in one to u 0 and v 0 . But pair (u, v) of such form do not one correspondence to the affine point of order 2 on satisfies the equation of obtained in result of Ed and to the points in pro jective closure of Ed . mapping equation of Montgomery curve Since the form ula for num ber of affine points o n 2 3 2 )1()1(2)1( udududv . The table of EM can b e applied to counting Ndp[]. In such way
E-ISSN: 2224-2880 259 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
2 n we apply this result [7, 12], to the ca se yPx (), Npn =1 . Here's one infinitely remote point as Mp[ ] where degP() x m , m 3 . The order N n of the M []p a neutral element of the group of points of the curve. E F curve M over pk can be evaluated due to Considering now an elliptic curve, we have = by [5], which leads to =0. For n =1, Stepanov [12, 15]. The r esearch tells us that th e 12 12 nnn n Np n Np it is clear that M = . When is odd, we have order is Mpn 1,12 where i and [] nn n 12 =0 and therefore NpMn =1 . Because n nn, || p with i {1, 2} . Therefore, we , 12i is even by initial assu mption, we shal l show that conclude when n 1( mod 2), we know the order of n n n 2 Np Npn =12() p holds as required. Montgomery curve is precisely Mp[]n 1. Mp[] This result leads us to the conclusion that the Note that for n =2 we can express the number as 22 22 2 2 number of solutions of x ydxy1 as well as Npdp[ 2 ] =12=1 pp with respect to vdu23 dudu 2 (1)2(1)(1) over the finite Lagrange theorem have to be divisibl e on Ndp[]. field Fpn are determined by the expression Because a group of EF() over square exten sion d p2 pnnn n 1 12 if 1( mod 2). of Fp contains the group Edp(F ) as a proper Example 2.2. The elliptic curve presented in the subgroup. In fact, according to Theorem 1 the order Ev23 u uu 2 form of Mont gomery M :6 is Edp(F ) is p 1 therefore divisibility of orde r birationally equivalent [ 1] to the curve Ed (F2 ) holds because in our case p =7 thus 22 22 p x yxy12 over the field F k . p 2 N E =8 and pN1=8= d [16]. The following Corollary 2.4. If d 2, n 1( mod 2) and d [7] two examples exemplify Corollary 2.4. p 3( mod 8) , then the order of curve E and order d Example 2.3. If p 3( mod 8) and nk 2 then we of the projective curv e are the following: nn have when d 2 , n 2 , p 3 that the num ber of NpNpnn1, 1. dp[] dp[] affine points equals to If d 2 , n 1( mod 2) and p 7(mod 8) , then the n Npn 32() p2 32 32(3)12, number of points of projective curve is 2[3] n Npn 1, and the n umber of pr ojective points is equal t o dp[] n n 2 2 and the number of points on affine curve Ed is also Np2[3] 1 2( p ) 3 1 2 ( 3) 16. n Npn Example 2.4 p nk dp[] 3. . If 7(mod 8) and 2 then we In case d =2, n 0(mod 2) , p 3(mod 4) , the have when d 2 , n 2 , p 7 that the num ber of general formula of the curves order is affine points equals to n n n 2 2 n 2 Np32() p 7 32(7)60, and the Npn =32(). p 2[7] dp[[ number of projective poi nts is equal t o The general formula for n 0(mod 2) and d =2 for n n 2 2 the number of points on projective curve for the Np2[7] 12() p 7 12(7)64. supersingular case is The group of points of the supersingular curve Ed n n n 2 Npdp[]=12(). p d contains p 12 affine points a nd the affine p Proof. We denote by N n the order of the curve M [ p ] d EM over F n . The order N n of EM over F n can singular points whose number is 22. p Mp[ ] p p nnn be evaluated [ 6] as Npn =1 , where Mp[] 12 The singular points were discovered in [ 10] and n nn hence if the curve is free o f singular points then the i C and = , ||= p with i {1,2}. For 12i group order is p 1 . the finite algebraic extension of degree n , we will nnn n Example 2.5. The number of curve points over consider pp= if n 1(mod 2) . 12 finite field when d =2 and p =31 is equal to Therefore, for n 1(mod 2) , the o rder of th e NN2[31]==3=28 1 p . Montgomery curve is precisely given by 2[31]
E-ISSN: 2224-2880 260 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
Theorem 2.4. The order of Edwards curve over Fp transformation pp11p p1 1 k is congruent to 22 kk2 (1)(1)=(xdxCx22 (1)) 2 p1 p1 x=0 p1 2 2 d jj 2 2 p p1 Npdp[](12 (1)(Cd )) 1 j p1 jjj2 p j 2 =0 2 ((1)).Cdxp1 p1 x=0 2 p 1 2 d p1 2 jj2 d ((1) (Cdp1 ) 12 )(mod).p 2 Therefore a22p is equal to dp ()(mod) j=0 2 p p p N dp[] p p1 1 The true value of lies in [4;2 ] and is even. jj and aCd=()(1)2 2 2 . Proof. This result follows fro m the num ber of pp11 j=0 2 solutions of the equation yx22=( 1)( dx 2 1) over According to Newton's binom ial formula ap1 F p p which equals to equal to the coefficient at x 1 in the product of two pp11(xdx22 1)( 1) ( xdx22 1)( 1) brackets and when substituting this d instead of 2 is )1 ( )) p xx=0 pp=0 such p1 p 1 p1 pp11 2 2 jj2 22 2 dC ((xdxp 1)(22 1))mod (1) (p1 ), j=0 j=0 2 p1 that is, it has the form o f the poly nomial p1 2 d 2 jj2 with inverse order of coefficients. Indeed, we have (( 1) (Cdp1 ) ( )) mod p . j=0 2 p equality p1 ppp111 p1 2 jj() j jj222 2 2 22 22 dC()(1)()(1)=C The quantity of solutions for x ydxy=1 pp11 j=0 22 22 2 ydxx=( 1)( 1) pp11 differs from the quantity of pp11 p1 22 j d =( 1)22dCjj C =( 1)2d jj ( C )2 . by ()1 due to new solutions in the from pp11 p1 p jj=0 22 =0 2 In form of a su m it is the following (,0),(,0)dd . So this quantity is such p1 ppp111 p1 p1 22 2 jj() j (1)(1)xdx d 2(jjCC222 )(1) 2(j )(1)2 2 = )1 ()1 pp11 j=0 x=0 pp 22 pp11 p1 22 pp11 p 1 (1)(1)xdx d 22 j ())()1p 22jj 2 jj2 =( 1) 2 CCpp11=( 1) 2 (C p 1 ) . x=0 pp jj=0 22 =0 2 p1 2 pp11d dd d 2222 over Fp equals to pp12 1()= ( (x 1) (dx 1) ( ) 1) mod p pp p j=0 p p1 and differs fro m the quantity of solutions of p1 2 d 2 jj2 22 22 d ( 1) (Cdp1 ) (2( ) 1) modp . x ydxy=1 by ()1 due to new solutions of j=0 2 p p ydxx22=( 1)( 2 1). Thus, in general c ase if According to Lemma 1 the last sum p1 p1 jj2 2 p1 aCd2 pp11=()(1)0 j=0 we have pp11 2 2 2222 (( x 1)(dx 1))modp is congruent to p1 pp11 j=0 dd 2 j 22jj2 NpEpp=( ( ) (( ) 1) ( 1) ( CCd11 ) ) aamodppp(), where ai are the coefficients d 122 pp j=0 22 from presentation p1 p1 2 pp d 11 2 jj2 2222 22p (1(1)(pCd p1 ) 2()) (1)(1)=xdxaaxax ...p . 01 22 j=0 2 p Last presentation was obtained due t o p1 p1 2 d 2 jj2 (( 1) (Cdp1 ) 1 2( )) modp . j=0 2 p The exact order is not les s than 4 beca use cofactor of this curve is 4. To determine the order is uniquely
E-ISSN: 2224-2880 261 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
enough to take into acco unt that p and 2 p have For x22ydxymodp=1 122 ( ) we could obtai n different parity. Taking into account that the order is that even we chose a term p or 2 p , for the su m which x2 1 y2 mod p (10) define the order. dx121 Let us analyze the complexity of calculating the d p 1 If =1, then for the fixed x0 a quantit y of y 2 p jj2 value of ()Cdp1 . B inomial coefficients of the over Fp can be calcul ated by the for mula j=0 2 l l x2 form C p1 we calculate recursively having C p1 we 1 12 2 2 dx1 12 l 1 ()1 for x such that dx10(mod) p. get C p1 . Such a transformation can be done by one p 2 For solution (,)x y to (10), we have the equality multiplication of one division. But division can be 00 x2 1 avoided by applying the Legendre formula to count ymodp2 0 0 2 and we express the number of occurrences of all prime factors from dx0 1 2 to (1):2p . In b oth cases, the co mplexity of 22 1 11 1 1 calculating all the coeffici ents from the sum (3) is 1 2 21x xx00 1 1 p 1 yd0 d d. equal to Op(log)2 . Squaring the calculated 0 1 22 2 1 111 1 2 2 1d 1 j dx0 dx00x binomial coefficient C p1 also does not exceed 2 Observe that 2 j Oplog2 . Calculate all values of dpmod 1 22(1)2 j1 2 xx11 x optimally applying recursive multiplication d on y = = =d . (11) dx1211 dx12 d d for thi s we use the Ka ratsuba multiplication (( ) 1) x2 log2 3 method requiring Op(log2 ) , than apply the Thus, if (,x00y ) is solution of (2), then Barrett method of modular multip lication. 1 y Therefore, the com plexity of computing th e , 0 is a solution to (10) because last j x0 d entire tuple of degrees dj, 1,...., n is p transformations determines that 1 log2 3 2 Op(log)2 . T otally we obtai n 1 2 d 1 1 p y2 x 1 2 0 0 modp Op(log).2 2 . Therefore last 2 d 1 1 d x Theorem 2.6. If =1, then the orders of the 0 p 1 y0 transformations x00, yx ( , ) = , y curves Ed and E 1 , satisfies to the following d x0 d determines isomorphism and bijection. relation EEd = 1 . d d d In case =1 , then every x Fp is such that If =1 , then E and E are pair of twisted p d d 1 p 2 12 dx 10 and dx10 . If x0 0 , then x0 curves i.e. orders of curves E and E satisfies to d d 1 1 generate 2 solutions of (2) iff x0 gives 0 solution s the following relation of duality of (10) because of (11) yields the following relation EE =2 p 2. xx22 x 2 d d1 11 1 d12 x dx 2d dx 2 Let the curve be defined b y ()=()()=().11 1 (12) pppp x22ydxymodp=1 22 ( ), then we can express y2 in Analogous reasons give us that x give exactly such way: 0 1 2 x x 1 one solution of (2) iff 0 gives 1 solutions of (10). y2 mod p. (9) dx2 1 Consider the set xp{1,2,...., 1} we obtain that the 1 total amount of solution s of form (,)x00y that
represent point of (2) and pairs of form (,)x00y that
E-ISSN: 2224-2880 262 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
represent point of curve (10) is 22p . Also we Consider E over F , for instance we 2 p2 have two solutions of (2) of form (0,1) and (0, 1) assume p =3. We define F9 as F(3 ), where is a and two solutions of (10) that has form (0,1) and 2 root of x 1=0 over F9 . Therefore elements of F9 (0, 1) . The proof is fully completed. have form: ab , where ab,F. 3 So we assume Example 2.6. The number of points of E over F d p that x { ( 1), ( 1), } and check its for p =13 and d =2 is given by N2[13] =8. In the belonging to E2 . For instance if x =( 1) then 1 case when p =13 and d =7 we have that the x22=21=2= . Also in this case number of points of E is N =20. Therefore, we 2 1 (2 1)( 1) (2 1)( 1) 7 7[13] y2 =====. have that the sum of orders for these curve is equal 1 ( 1)( 1) ( 1)( 1) 2 to 28 = 2 13 2 which confirms our theorem. The set Therefore the correspondent second coordinate is of points over F13 when d =2 are precisely y =( 1). The si milar computations lead us to {(0,1);(0,12);(1,0);(4, 4);(4,9);(9,4);(9,9);(12,0)}, full the following list of curves points. while for d =7, we have the set (0,1);(0,12);(1,0); x (1) (1) (2, 4);(2,9);(4,2);(4,11);(5,6);(5,7);(6,5);(6,8);(7,5); 1 0 y 0 1 (1) (1) (7,8);(8,6);(8,7);(9,2);(9,11);(11,4);(11,9); (12,0) . Table 2: Points of Edwards curve over square extension. 1 Example 2.7. If p =7 and d =2 4(mod7), then d The total amount is 12 affine poin ts that confirms we have ()=1 and the curve E has four points p 2 1 Corollary 2.4. and Theore m 2.3. because of n which are (0,1);(0,6);(1,0);(6,0). and the in case ppn 32()=332(3)=12 2 2 .
p =7 for d = 2(mod 7) , the curve E also has four 2 1 points which are (0,1);(0,6);(1,0);(6,0) . 4 Conclusion Definition 2.1. We call the embedding degree a The new effective algorithm for the elli ptic and minimal power k of a finite field extension such that Edwards curves order curve counting was founded. the group of points of the curve can be embedded in The criterion for supersingularit y of t hese curves the multiplicative group of F k . was additionally obtained. p Let us obtain conditions of em bedding [14] References: for the grou p of supersingular curves Edp[F ] of [1] Daniel J. Be rnstein, Peter Birkner, Marc Joy e, order p in the multiplicative group of field F Tanja Lange, and Christ iane Peters. T wisted pk edwards curves. Progress in Cryptology -- AFRICACRYPT 2008 (6,5);(6,8);(7,5); , pp. whose embedding degree is k =12 [14]. We now 389--405, Berlin, Heidelberg, 2008. utilise the Zsigmondy theorem which implies that a [2] Don Johnson, Alfred Menezes, Scott Vanstone. F is an arbitrary The Elliptic Curve Digital Signature Algorithm. suitable characteristic of field p International Journal of Information Security prime p which do no t divide 12 and satisfi es the volume 1, Springer, 2014, pp. 36–63. qp x [3] Harold Edwards. A normal form fo r elliptic condition P()12 , where P()12 is the cy clotomic curves. Bulletin of the American mathematical polynomial. This p will satisfy the necessary society, 44(3):393--422, 2007. [4] William Fulton. Algebraic curves. An conditions (1)|xn p for an arbitrary n =1,...,11. Introduction to Algebraic Geometry. Addison- Wesley, 3 edition, 2008.L. Proposition 2.1 The degree of embedding for the [5] Neal Koblitz. Elliptic curve cryptos ystems. group of a supersingular curve Ed is equal to 2. Mathematics of computation, 48(177):203--209, Proof. The o rder of the group of a supersingular 1987. k [6] Rudolf Lidl and Harald Niederreiter. curve Ed is equal to p 1. It sho uld be observed Introduction to Fi nite Fields and t heir k 2k k Applications. Cambridge university press, that p 1 divides p 1, but p 1 does not 1994. divide expressions of the form p2l 1 with lk< . [7] Peter L Montgomery. Speeding the pollard and elliptic curve methods of factorization. This division does not work for smaller values of l Mathematics of computation, 48(177):243--264, due to the decomposition of the expression 1987. 2kkk [8] René Schoof. Counting points on elliptic curves ppp1=( 1)( 1). Therefore, we can use t he over finite fields. Journal de théorie des definition to conclude that the degree o f embedding nombres de Bordeaux, 7(1):219--254, 1995. must be 2, confirming the proposition.
E-ISSN: 2224-2880 263 Volume 19, 2020 WSEAS TRANSACTIONS on MATHEMATICS DOI: 10.37394/23206.2020.19.25 Ruslan Skuratovskii, Volodymyr Osadchyy
[9] Ruslan Viacheslavovich Skuratovskii. The [18] R. V. Skuratovskii, Aled William s (2019) "A order of projective edwards curve ove r an d solution of the inverse problem to doubling of embedding degree of this curve in finite field. twisted Edwards curve poi nt over finite field", In Cait 2018, pp. 75 -- 80, 2018. Processing, transmission and security of [10] Ruslan Viacheslavovich Skur atovskii. information - 2019 vol. 2, Supersingularity of elliptic curves. Research in [19] Deligne, Pierre. La conjecture de Weil, Mathematics and Mechanics, 31(1):17--26, Publications Mathematiques de l’IHES. 1974. 2018. Vol. 43. pp. 273-307.IEEE [11] Ruslan Viacheslavovich Skur atovskii. [20] R. V. Skura tovskii, Employment of Minimal Employment of m inimal generating sets and Generating Sets and Structure of S ylow 2- structure of sy low 2-subgroups alternating Subgroups Alternating Groups in Block groups in block ciphers. In Advances in Ciphers. Springer, Advances in Computer Computer Communication and Computational Communication and Computational Sciences, Sciences, pages 351--364. Springer, 2019. 2019, pp. 351-364. [12] Serge Aleksandrovich Stepanov. Arifmetika [21] R. Skuratovskii, The Derived Subgr oups of algebraicheskikh krivykh (in Russian). Nauka, Sylow 2-Subgroups of the Alternating Group Glav. red. fiziko-matematichesko lit-ry, 1991. and Comm utator Width of Wreath Pr oduct of [13] Ivan Matveevich Vinogradov. Elements of Groups. Mathematics, Basel, Switzerland, number theory. Courier Dover Publ ications, (2020) № 8(4), pp. 1-19. 2016. [22] Craig Costello, Benjam in Smith Montgom ery [14] Paulo S. L. M. Barreto and Michael Naehrig. curves and their arit hmetic. Journal of Pairing-friendly elliptic curves of prime order. Cryptographic Engineering volume 8 no.3, pp. Springer, Selected Areas in Cryptography, 227–240 (2018). pages 319--331, Berlin, Heidelberg, 2006. [23] Andrea Bandini, Laur a Paladino. Fields [15] N.M. Glazunov, Skobelev S.P. Manifolds over generated by torsion poi nts of ellipti c curves the rings. IAMM National Academy of Sciences 2016 Journal of Number Theory 169: pp. 10 3- of Ukraine, Donetsk, 2011. 323 p. 133. [16] P.D Varbanec, P Zarzycki. Divisors of the [24] Daniele di Tullio, Manoj Gy awali. Elliptic Gaussian integers in an ar ithmetic progression. curves of nearly prime order. pp. 1-19. [Source: Journal of Number Theory. Volume 33, Issue 2, iacr.org], access mode: October 1989, Pages 152-169 https://eprint.iacr.org/2020/001.pdf [17] Silverman, Joseph, H.; The Arithmetic of [25] Craig Costello. Com puting Supersingular Elliptic Curves, Graduate Texts in Mathematics, Isogenies on Kummer Surfaces. Springer. 106, Springer-Verlag, 1986. Advances in Cryptology 24 International conference in Theory Cryptography, Part 3.– ASIACRYPT 2018. pp. 428-440.
E-ISSN: 2224-2880 264 Volume 19, 2020