THE MATHEMATICAL PRINCIPLES OF MODERN

A THESIS SUBMITTED TO THE UNIVERSITY OF MANCHESTER FOR A MASTER'S DEGREE IN MATHEMATICS IN THE FACULTY OF SCIENCE AND ENGINEERING

May 2021

Sam Holmes
Department of Mathematics

Abstract

In this thesis we study the mathematics that underpins cryptography and the RSA cryptosystem. The security of most cryptographic protocols used across the internet is currently based on the difficulty of factorising large semiprimes (RSA) or solving the elliptic curve discrete logarithm problem (ECDLP). To study these problems in detail we first provide an extensive background in the theory of elliptic curves by proving that the set of points on an elliptic curve forms a finitely generated abelian group and computing the subgroup of points of finite order. After introducing bilinear pairings we then move on to studying some of the applications of this theory, which include secure encryption schemes, key exchange protocols and digital signature schemes. We also implement Pollard's p − 1 factorisation algorithm and Lenstra's elliptic curve factorisation algorithm in Python to compare their ability to factorise large semiprimes.

Contents

1 Introduction ...... 5

2 The Theory of Elliptic Curves ...... 9
2.1 The Projective Plane ...... 10
2.2 Algebraic Representations of Elliptic Curves ...... 11
2.2.1 Weierstrass Normal Form ...... 11
2.2.2 Singular Cubic Curves ...... 13
2.2.3 Isomorphic Elliptic Curves ...... 17
2.3 The Group of Points on an Elliptic Curve ...... 20
2.3.1 Point Addition ...... 21
2.3.2 Proving the Associativity of Point Addition ...... 26
2.3.3 Explicit Formulas for Point Addition ...... 28
2.4 Mordell's Theorem ...... 30
2.4.1 The Height Function ...... 30
2.4.2 Bounding the Height of P + P_0 ...... 31
2.4.3 Bounding the Height of [2]P ...... 34
2.4.4 The Subgroup of Points of Order 2 ...... 38
2.4.5 The Descent Theorem ...... 43
2.5 Points of Finite Order ...... 47
2.5.1 The Nagell-Lutz Theorem ...... 47
2.5.2 Reduction Modulo p ...... 50
2.6 Bilinear Pairings ...... 52
2.6.1 Divisors ...... 53
2.6.2 The Weil Pairing ...... 54

3 Cryptographic Applications ...... 58
3.1 Preliminaries ...... 59
3.2 Factorising Large Semiprimes ...... 61
3.2.1 The RSA public key encryption scheme ...... 61
3.2.2 Comparing Pollard's p-1 and Lenstra Elliptic Curve Factorisation Algorithms ...... 64
3.3 The Discrete Logarithm Problem and Diffie-Hellman protocol ...... 68
3.3.1 Choosing a Suitable Elliptic Curve for the ECDLP ...... 69
3.3.2 The Double-and-Add algorithm ...... 71
3.4 Comparing Digital Signature Schemes ...... 73
3.4.1 The RSA Digital Signature Scheme ...... 75
3.4.2 The Elliptic Curve Digital Signature Algorithm ...... 76
3.4.3 BLS Signatures ...... 77

4 Conclusion ...... 79

A Appendix ...... 81
A.1 Curve.py ...... 81
A.2 Point.py ...... 82
A.3 Plotting the Performance of the ECM and Pollard's p-1 ...... 84
A.4 Plotting the Performance of the Double-and-Add algorithm ...... 85

Bibliography ...... 87

List of Figures

2.1 Examples of smooth elliptic curves ...... 13
2.2 Examples of singular elliptic curves ...... 14
2.3 Elliptic curve point addition ...... 23
2.4 The associativity of elliptic curve point addition ...... 27

3.1 Comparing the time complexity of various algorithms used to factor semiprimes n = pq, where B = min(p, q) ...... 64
3.2 Comparing the performance of Pollard's p − 1 and the ECM integer factorisation algorithms ...... 67
3.3 The performance of the Double-and-Add algorithm to compute multiples of a point on an elliptic curve ...... 73

List of Tables

3.1 The RSA encryption scheme ...... 63
3.2 Comparing digital signature schemes ...... 74
3.3 The RSA digital signature scheme ...... 75
3.4 The elliptic curve digital signature algorithm (ECDSA) ...... 76
3.5 The BLS digital signature scheme ...... 77


List of Algorithms

1 Computing E_tors(Q) using the Nagell-Lutz Theorem ...... 49
2 Pollard's p − 1 factorisation algorithm ...... 65
3 Lenstra's elliptic curve factorisation algorithm (ECM) ...... 66
4 The binary point multiplication algorithm ...... 72

Chapter 1

Introduction

Cryptography is a fascinating field which draws inspiration from many areas of Mathematics and Computer Science in order to design protocols that enable secure communications between users in the presence of a potentially malicious adversary. Such adversaries may intend to eavesdrop on, tamper with or forge messages between other users. The field is particularly relevant in today's digital society because a large proportion of our online communications contain sensitive information, such as credit card details, which we would like to rigorously secure. Communication systems which use cryptographic protocols are often referred to as cryptographic systems or cryptosystems. Before we define the concept of security or explain the mathematics behind how cryptosystems operate in practice, we shall first state the four fundamental goals of cryptography which have remained at the heart of the subject since its inception [10].

(a) Confidentiality of the message: The primary goal of most cryptosystems is to allow messages to be sent in a disguised (or encrypted) form so that only the intended recipient(s) can obtain any information¹ from a transmitted message.

(b) Message integrity: The recipient of a message must be able to determine whether the message was altered during transmission. This is often achieved through the usage of cryptographic hash functions (Definition 22).

(c) Authentication of the sender: The recipient should be able to identify the sender and verify that no one else could have sent a given message. This is achieved through digital signatures. We study three examples in Section 3.4.

(d) Irrevocability of the sender: If a message originated from a given user of a cryptosystem then it should be impossible for the user to deny the authorship of the message.

¹ This means that obtaining any information about the contents of the message (such as the statistical distribution of characters), known as meta-data, should not be possible, as such systems can be easily broken by a technique known as frequency analysis.


Not all modern cryptosystems are designed to achieve all four of these goals, and several other attributes of information transmission can also be mathematically assured. For example, cryptocurrencies such as Bitcoin aim to solve the problem of double spending [4] to provide an efficient, secure and anonymous digital currency. A given cryptosystem which aims to provide confidentiality usually consists of the following three algorithms:

(a) A key generation algorithm defines two distinct but related pieces of information: a user's public and private keys.

(b) An encryption algorithm or bijective function is used to convert the original message or plaintext into illegible ciphertext using a public key.

(c) A decryption algorithm, another bijective function, carries out the reverse computation (from ciphertext back to plaintext) using the private key.

A cryptosystem is considered semantically secure (or simply secure for our purposes) if only negligible information about the plaintext can be extracted from the ciphertext using any probabilistic, polynomial time algorithm. In practice semantic security is considered an insufficient condition. One also needs to ensure that an adversary with access to a message and the message's corresponding ciphertext is not able to decrypt any other messages². Cryptosystems with larger keys (or signatures) are usually more secure, but less efficient. Modern cryptography aims to optimise this trade-off to design efficient cryptosystems which use the smallest keys (or signatures) possible whilst providing sufficient security.

² This technique is referred to as a "known-plaintext attack" and was used by Alan Turing and others at Bletchley Park during World War 2 to allow the western Allies to defeat the Nazis in several crucial engagements. Many historians believe their efforts may have shortened the war by several years, saving millions of lives [29].

Cryptosystems can be divided into two main categories depending on whether the encryption and decryption keys for a given message are the same. A user of a private key (or symmetric key) cryptosystem encrypts their message with the same key the recipient uses to decrypt the message. This was the only form of encryption used throughout history until 1976. The earliest use of private key cryptography arguably dates back to around 1900 BC, where hieroglyphics were systematically substituted with other unusual symbols in the tomb of the ancient Egyptian nobleman Khnumhotep II. There is substantial evidence that the ancient Greeks, particularly the Spartan military, later popularised the usage of private key cryptography with early protocols such as the Caesar Cipher [2].

Private key systems are usually faster but less secure than their public key counterparts because the decryption algorithm can be implemented in approximately the same order of magnitude of time as the encryption algorithm. One important disadvantage of private key cryptosystems is that each distinct pair of users requires a unique shared key. This leads to extensive key management, as the total number of keys required increases with the square of the number of users. Due to their speed, several private key cryptosystems are widely used today and can be split into the following two categories:

(a) Block ciphers use a private key to encrypt and decrypt fixed length segments of bits known as blocks. Examples of block ciphers include DES, the Data Encryption Standard³, developed at IBM in the early 1970s, and its successor Rijndael / AES, which is used today to secure protocols such as HTTPS on the web.

(b) Stream ciphers use a pseudorandom stream of digits known as a key stream as the private key to continuously encrypt streams of data. Such systems are only considered secure if the key stream is indistinguishable from random noise. The most widely used is RC4, which was designed by Ron Rivest of RSA Security in 1987. RC4 has been used to ensure the confidentiality of wireless traffic, first using the deprecated WEP protocol and now with the WPA2 protocol.

³ DES is now deprecated due to its vulnerability to brute force attacks; this insecurity is attributed to the relatively short 56-bit key.

Whitfield Diffie and Martin Hellman's seminal 1976 paper [23] begins with the bold statement "We stand today on the brink of a revolution in cryptography." This was no understatement. The introduction of public key (or asymmetric) cryptography instigated a new era of secure and efficient digital communications. In a public key cryptosystem (PKC) two different but mathematically related keys are used, each with a unique function: a public key⁴ used to encrypt messages and a corresponding private key used to decrypt messages. The security of a PKC relies on the assumption that computing a given private key using only encrypted data and the corresponding public key would be at least as hard as solving a computationally hard (Definition 19) problem. Of course this notion of difficulty is purely based on the efficiency of currently available algorithms; quoting [30], "The situation is somewhat analogous to theories in physics that gain credibility over time, as they fail to be disproved and continue to explain or generate interesting phenomena." The cryptographic protocols used in cryptosystems are usually built from multiple cryptographic primitives, such as the encryption algorithms, key exchange protocols and digital signature schemes we will study in Chapter 3. Whilst public key primitives are usually slower than their private key counterparts, it is possible to combine both types to benefit from the most useful properties of both. The TLS and SSH protocols used by modern web browsers make extensive use of this combination. In TLS an ephemeral (short lived) shared key is first established using a variant of the Diffie-Hellman key exchange (Example 7) to provide perfect forward secrecy (Remark 37). Next, authentication is established through a digital signature scheme (Section 3.4). Finally an efficient, symmetric cipher such as AES uses the shared key to provide confidentiality of the message.

⁴ Throughout this thesis we will assume that a user of a PKC can openly share their public key with other users without risk. In practice this is achieved through certification authorities, which act as trusted third parties.

Some public key primitives aim to provide confidentiality through establishing a shared secret key to be used in an encryption scheme. Others provide authentication through digital signatures. The RSA cryptosystem, patented in 1983, was the first standardised public key cryptosystem to provide both confidentiality and authentication. RSA is still widely used across the internet at the time of writing; its security is based on the hard problem of factorising large semiprimes. In Section 3.2 we will implement and compare two efficient integer factorisation algorithms which can be used to break a poorly implemented RSA cryptosystem. Even when implemented correctly, RSA requires large (usually 1024 bit) keys to provide sufficient security in the modern world. This led to a search for other hard problems to use as the basis for more efficient cryptosystems. One of the most famous and well researched hard problems throughout mathematics is the discrete logarithm problem (DLP) in a suitable group G:

Problem 1. The discrete logarithm problem (DLP) in a group G

Given: A generator $g$ of $G$ and an element $h \in G$.
Compute: An integer $x$ such that $g^x = h$.

Diffie and Hellman's paper [23] describes a key exchange protocol based on the difficulty of the DLP in the multiplicative group of a finite field. Unfortunately index-calculus [42] algorithms, amongst others, can solve the DLP in such groups within subexponential time, meaning relatively large keys are needed to provide sufficient security. This led to a search for other groups in which the DLP is more difficult. Possible candidates included extension fields, matrix groups and ideal class groups of number fields. In each of these cases either the group operation was too inefficient or a subexponential algorithm was found to solve the DLP. In 1985 Neal Koblitz [33] and Victor Miller [42] independently proposed key distribution algorithms based on the difficulty of the DLP in the group of points on an elliptic curve. Protocols based on the elliptic curve discrete logarithm problem (ECDLP) formed the foundation of a rapidly expanding field known as elliptic curve cryptography (ECC). It is widely believed that the ECDLP on a suitably chosen curve is much harder than both the DLP in the multiplicative group of a finite field and the integer factorisation problem. This means that one can use much shorter keys to gain the same level of security in a range of applications. It turns out that elliptic curves can be used for much more than just exchanging keys. Other applications of ECC studied throughout this thesis include the Lenstra elliptic curve integer factorisation method (Section 3) and the elliptic curve digital signature algorithm (Section 3.4.2).

Chapter 2

The Theory of Elliptic Curves

Elliptic curves have an extensive academic history stretching back to the second century A.D., where they were first used to study diophantine equations [8]. The theory of elliptic curves was continually developed by many of the greatest mathematicians throughout history including Fermat, Euler, Newton and many others. Studying elliptic curves as purely abstract mathematical objects has also led to several important breakthroughs in recent years. For example, in 1995 Andrew Wiles famously proved Fermat's last Theorem as a special case of the modularity Theorem for elliptic curves [57]. Other unexpected applications of elliptic curves include finding the optimal way of packing n-dimensional spheres in Euclidean space and the Lenstra elliptic curve factorization algorithm. Our aim throughout this Chapter is to build up the necessary background required to implement modern ECC protocols. Quoting Serge Lang, "it is possible to write endlessly on elliptic curves" [36]; this sentiment will certainly become clear once the depth of the field is exposed throughout the Chapter. The general structure of the Chapter is as follows. We shall first study elliptic curves as abstract geometric objects defined in projective space. We will then introduce the standard algebraic representation of a given elliptic curve known as the short Weierstrass normal form. Next, we shall use discriminants of cubic curves to determine when they are singular and j-invariants of elliptic curves to determine when they are isomorphic. Using these results we will prove that the set of points on an elliptic curve together with a point addition operation forms an abelian group. We will also provide explicit formulas for the sum of two points. With these fundamentals in place we give a reformulated proof of Mordell's Theorem, one of the fundamental results in the theory of elliptic curves, which states that the group of points of a given elliptic curve defined over the rationals is finitely generated. Then, in Section 2.5 we state and apply the Nagell-Lutz and Reduction Theorems to determine the subgroup of points of finite order on a given curve. We conclude the Chapter with an introduction to bilinear pairings, a relatively recent development in the theory of elliptic curves which has many important applications. We shall mainly follow the ideas presented in two of the standard texts on the subject, [53] and [31]. Independent contributions in the form of further examples, solutions to exercises, additional explanations and reformulations of proofs to well established results will be highlighted throughout the Chapter. The reader is not assumed to have any prior knowledge from algebraic number theory, Galois theory or algebraic geometry.

2.1 The Projective Plane

Many texts on elliptic curves begin with the standard algebraic definition of an elliptic curve given in Section 2.2. We will instead provide some background from the point of view of geometry to build up an understanding of the projective space in which elliptic curves are defined.

Definition 1. The projective plane defined over a field $K$, denoted $\mathbb{P}^2(K)$, is the set of equivalence classes of all homogeneous triples $[a : b : c]$ with $a, b, c \in K$, excluding $[0 : 0 : 0]$, such that

$$[a : b : c] \sim [a' : b' : c'], \quad \text{whenever } a = ta',\ b = tb',\ c = tc' \text{ for some nonzero } t.$$

Remark 1. We refer to these equivalence classes as points in the projective plane. In order to visualize the projective plane it may help to start with the usual Cartesian plane but, instead of distinguishing a special point at $(0,0)$, we define points at infinity which lie on each set of parallel lines within the plane.¹ To describe curves in the projective plane we will sometimes use polynomials in three variables, since points in $\mathbb{P}^2$ are represented by homogeneous triples. Note that each point in $\mathbb{P}^2$ can be represented by infinitely many distinct homogeneous triples, since if $F(a,b,c) = 0$, we must also have $F(at,bt,ct) = 0$ for all $t \neq 0$.

Definition 2. A polynomial $F(X,Y,Z) \in K[X,Y,Z]$ is a homogeneous polynomial of degree $d$ if it satisfies

$$F(tX, tY, tZ) = t^d F(X,Y,Z).$$

Furthermore, a projective or algebraic curve $C$ in the projective plane is defined as the set of solutions to the following equation

$$C : F(X,Y,Z) = 0,$$

where $F$ is a non-constant homogeneous polynomial. Subsets defined by zeroes of polynomials are often referred to as varieties in algebraic geometry; however, we will use the term curve throughout this thesis to avoid confusion.

¹ We will later require a point at infinity to act as the neutral element in the group of points on an elliptic curve.

Definition 3. Points in $\mathbb{P}^2$ of the form $[x : y : 1]$ are called affine points. They form an affine plane $\mathbb{A}^2$ embedded in $\mathbb{P}^2$. We will usually refer to the equation of a projective curve simply by its affine part, denoted $f(x,y)$, where

$$f(x,y) = F(x,y,1).$$

Definition 4. An elliptic curve defined over a field $K$ is a smooth², projective, algebraic curve of genus one with a specified $K$-rational point $O = [0 : 1 : 0]$. We will often refer to such objects using the notation $E/K$ or simply $E$ when the underlying field is clear.

Remark 2. It may be of interest to the reader that elliptic curves are neither elliptic, nor curves in the usual sense. The word “elliptic” is used in this context due to the connection with elliptic integrals used to find the arc length of an ellipse. Furthermore, using the theory of elliptic functions, one can show that elliptic curves defined over the complex numbers are actually isomorphic to embeddings of a torus (or equivalently a Riemann surface of genus one) in the complex projective plane. However, this topological view of elliptic curves is outside the scope of this book.

2.2 Algebraic Representations of Elliptic Curves

The main goal of this section is to introduce the standard algebraic representation of an elliptic curve, the Weierstrass normal form. Alternative algebraic representations of elliptic curves such as the Edwards form and Hessian form are often preferred in practical applications because computations on these curves are often more efficient [14] and require less memory [26]. We have chosen to work only with the Weierstrass normal form due to its concise notation and ease of calculations. Using the Weierstrass normal form we will be able to identify when a cubic curve is singular and when two elliptic curves are isomorphic. We will mainly be following well established results from [53] whilst reformulating certain proofs and providing additional examples.

2.2.1 Weierstrass Normal Form

We begin by introducing the long Weierstrass normal form of an elliptic curve. Then, working over fields of characteristic not equal to two or three, we shall derive the medium and short Weierstrass normal forms respectively. The Riemann-Roch theorem is a fundamental result in the study of algebraic geometry, see Section 3.3 of [31] for a proof. It can be used to show that every elliptic curve $E/K$ can be described by an equation of the form

$$Y^2Z + a_1XYZ + a_3YZ^2 = X^3 + a_2X^2Z + a_4XZ^2 + a_6Z^3, \tag{2.1}$$

written in the homogeneous coordinates $X, Y$ and $Z$, where $O = [0 : 1 : 0]$ is the base point at infinity and $a_1, \ldots, a_6 \in K$. Rewriting equation (2.1) using the non-homogeneous coordinates $x = X/Z$ and $y = Y/Z$, we obtain the long Weierstrass normal form of $E$

$$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6.$$

² See Section 2.2.2 for an explanation of why we ensure an elliptic curve is smooth.

Assuming the characteristic of $K$ is not equal to 2 we then make the substitution $y \to \tfrac{1}{2}(y - a_1x - a_3)$ and obtain the medium Weierstrass normal form of $E$,

$$E : y^2 = x^3 + Ax^2 + Bx + C, \quad \text{where}$$

$$A = b_2 = a_1^2 + 4a_4, \quad B = 2b_4 = 2(2a_4 + a_1a_3), \quad C = b_6 = a_3^2 + 4a_6.$$

Finally, assuming the characteristic of $K$ is not equal to 3 we perform another change of variables, $(x,y) \to \left((x - 3b_2)/36,\ y/108\right)$, to eliminate the $x^2$ term, giving us the short Weierstrass normal form of $E/K$

$$E : y^2 = x^3 + Bx + C, \quad \text{where}$$

$$B = -27c_4 = -27\left(b_2^2 - 24b_4\right) \quad \text{and} \quad C = -54c_6 = -54\left(-b_2^3 + 36b_2b_4 - 216b_4\right).$$

This derivation leads us to the following standard algebraic definition of an elliptic curve.

Definition 5. Let $K$ be a field of characteristic not equal to 2 or 3. The set of $K$-rational points on an elliptic curve $E/K$ in short Weierstrass normal form, where

$$E : y^2 = x^3 + Bx + C \quad \text{for some } B, C \in K,$$

is defined as follows

$$E(K) = \left\{(x,y) \in K^2 : y^2 = x^3 + Bx + C \text{ and } -16\left(4B^3 + 27C^2\right) \neq 0\right\} \cup \{O\}.$$

Remark 3. Throughout this thesis, when an elliptic curve $E/K$ is introduced we shall always assume that the underlying field $K$ is not of characteristic 2 or 3. It is, however, possible to redefine the elliptic curve addition operation given in the next section to allow for curves of the form $E(\mathbb{F}_{2^k})$ and $E(\mathbb{F}_{3^k})$ for some integer $k$. In fact, Section 6.7 of [30] uses special properties of elliptic curves defined over finite fields of characteristic two to speed up computations³ at the cost of reduced security, a common trade-off seen throughout cryptography.

³ Operations within finite fields of characteristic 2 are often much faster on modern processors.

Definition 6. Let $E/K$ be an elliptic curve,

$$E : y^2 = x^3 + Bx + C.$$

We define the discriminant of the Weierstrass equation for $E/K$, denoted $\Delta_E$, as follows

$$\Delta_E = -16\left(4B^3 + 27C^2\right).$$

Furthermore, we define the $j$-invariant of $E/K$, denoted $j(E)$, as follows

$$j(E) = \frac{(4B)^3}{\Delta_E}.$$

Remark 4. Weierstrass equations describing isomorphic elliptic curves may have different discriminants, as we will see in Example 1.

2.2.2 Singular Cubic Curves

Recall that in our initial geometric definition of an elliptic curve we specified that the curve must be smooth. In this Section we will show that a singular point on a cubic curve corresponds to a double root in the curve's Weierstrass equation. We also give a proof that a cubic curve is singular if and only if the discriminant of the curve's Weierstrass equation is zero. The latter result allows us to easily identify and avoid singular curves for the purposes of elliptic curve cryptography. Figure 2.1 illustrates the two types of smooth cubic curves defined over the rationals in the affine plane. Note that a unique derivative, and therefore a unique tangent line, can be computed for any point on either of these curves.

Figure 2.1: Examples of smooth elliptic curves. (a) $A : y^2 = x^3 + x + 5$, $\Delta_A = -10864$. (b) $B : y^2 = x^3 - 5x$, $\Delta_B = 8000$.

Alternatively, Figure 2.2 illustrates the two main⁴ types of singular cubic curves defined over the rationals in the affine plane. Such curves contain either a point in which the curve intersects itself (a node) or a point where the curve changes direction (a cusp).

⁴ Cubic curves with an isolated point are a third type.

Figure 2.2: Examples of singular elliptic curves. (a) $C : y^2 = x^3 + x^2$, $\Delta_C = 0$. (b) $D : y^2 = x^3$, $\Delta_D = 0$.

Let $P = (r,s)$ be a point on the cubic curve $E/K$, where

$$E : f(X,Y) = 0.$$

Elementary calculus tells us that the tangent line to $E$ at $P$ is given by the following equation

$$\frac{\partial f}{\partial X}(r,s)\,(X - r) + \frac{\partial f}{\partial Y}(r,s)\,(Y - s) = 0.$$

One immediate consequence of this equation is that a tangent line to the curve $E$ at the point $P$ will not exist if both of the above partial derivatives are $0$; this leads us to the following definition.

Definition 7. If $P = (x,y)$ is a point on a cubic curve $E/K$, where

$$E : y^2 = f(X,Y),$$

such that

$$\frac{\partial f}{\partial x}(P) = \frac{\partial f}{\partial y}(P) = 0,$$

then we say that $P$ is a singular point of $E$. Otherwise we say that $P$ is a non-singular point of $E$. Furthermore, the curve $E$ is defined as smooth if every point on $E$ is non-singular. Conversely, $E$ is defined to be singular if it contains a singular point.

Proposition 1. (Exercise 6.3 from [30]). Suppose that the cubic polynomial $x^3 + Bx + C$ factors as

$$x^3 + Bx + C = (x - \alpha_1)(x - \alpha_2)(x - \alpha_3).$$

Prove that $4B^3 + 27C^2 = 0$ if and only if two or more of $\alpha_1, \alpha_2$ and $\alpha_3$ are the same.

Proof. First we multiply out the right hand side to obtain

$$x^3 + Bx + C = x^3 - (\alpha_1 + \alpha_2 + \alpha_3)x^2 + (\alpha_1\alpha_2 + \alpha_1\alpha_3 + \alpha_2\alpha_3)x - \alpha_1\alpha_2\alpha_3.$$

Then, comparing coefficients we find that

$$\alpha_1 + \alpha_2 + \alpha_3 = 0, \quad \alpha_1\alpha_2 + \alpha_1\alpha_3 + \alpha_2\alpha_3 = B, \quad -\alpha_1\alpha_2\alpha_3 = C.$$

Without loss of generality we can use the first equality to rewrite $B$ and $C$ in terms of $\alpha_1$ and $\alpha_2$, since $\alpha_3 = -(\alpha_1 + \alpha_2)$. We obtain

$$B = -\alpha_1^2 - \alpha_1\alpha_2 - \alpha_2^2, \quad C = \alpha_1^2\alpha_2 + \alpha_1\alpha_2^2.$$

After some further algebra we find that

$$\begin{aligned} 4B^3 + 27C^2 &= -4\alpha_1^6 - 12\alpha_1^5\alpha_2 + 3\alpha_1^4\alpha_2^2 + 26\alpha_1^3\alpha_2^3 + 3\alpha_1^2\alpha_2^4 - 12\alpha_1\alpha_2^5 - 4\alpha_2^6 \\ &= -(\alpha_1 - \alpha_2)^2(2\alpha_1 + \alpha_2)^2(\alpha_1 + 2\alpha_2)^2 = 0, \end{aligned}$$

if and only if

$$\alpha_2 \in \left\{-\tfrac{\alpha_1}{2},\ \alpha_1,\ -2\alpha_1\right\}.$$

But we can repeat the above argument with $\alpha_1 = -(\alpha_2 + \alpha_3)$ in place of $\alpha_3 = -(\alpha_1 + \alpha_2)$ to find that

$$\alpha_2 \in \left\{-\tfrac{\alpha_3}{2},\ \alpha_3,\ -2\alpha_3\right\}.$$

Therefore, $\alpha_2 = c_1\alpha_1$ and $\alpha_2 = c_2\alpha_3$ for some $c_1, c_2 \in \{-\tfrac{1}{2}, 1, -2\}$. But we can repeat the above argument again, interchanging the roles of $\alpha_1$ and $\alpha_3$, to conclude that $\alpha_2 = c_1\alpha_1$ and $\alpha_2 = c_2\alpha_3$, hence

$$\alpha_2 = c_1\alpha_3 = c_1\alpha_1,$$

which implies $\alpha_3 = \alpha_1$, as required.

Lemma 1. The point at infinity on a projective cubic curve is never singular.

Proof. Consider the short Weierstrass normal form of a cubic curve in homogeneous coordinates,

$$f(X,Y,Z) = Y^2Z - X^3 + BXZ^2 + CZ^3 = 0.$$

Clearly we have that

$$\frac{\partial f}{\partial Z} = Y^2 + 2BXZ + 3CZ^2.$$

Hence, $[0 : 1 : 0]$ is never a singular point, since

$$\frac{\partial f}{\partial Z}([0 : 1 : 0]) = 1 \neq 0.$$

The following Theorem provides an algebraic procedure which allows one to identify the presence and type of any singularities in a given elliptic curve, using only its short Weierstrass normal form.

Theorem 1. Let $F/K$ be a cubic curve, where

$$F : f(x,y) = y^2 - x^3 + Bx + C = 0.$$

Then, $F$ is singular if and only if $\Delta_F = 0$.

Proof. First, suppose that $F$ is singular at the point $P_0 = (x_0, y_0)$. By Lemma 1 we know that $O$ is never singular, hence we must have

$$y_0^2 - x_0^3 - Bx_0 - C = 0. \tag{2.2}$$

Then, by Definition 7 we have that

$$\frac{\partial f}{\partial x}(x_0, y_0) = -3x_0^2 + B = 0,$$

and similarly

$$\frac{\partial f}{\partial y}(x_0, y_0) = 2y_0 = 0.$$

So we have that $B = -3x_0^2$ and $y_0 = 0$. Substituting these values into equation (2.2) we obtain

$$-x_0^3 + 3x_0^3 + C = 0,$$

which implies that $C = 2x_0^3$. Then, using Definition 6 we see that

$$\Delta_F = -16\left(4B^3 + 27C^2\right) = -16\left(4(-3x_0^2)^3 + 27(2x_0^3)^2\right) = 0$$

as required.

Conversely, suppose that $\Delta_F = 0$. This can only happen if the cubic $x^3 + Bx + C$ has a double root at some value $x_0$, which in turn can only happen if $x_0$ is a root of both $x^3 + Bx + C$ and its derivative $3x^2 + B$. See Section 3 of [31] for further justification of this argument. Consider the point $(x_0, 0) \in F(K)$; clearly

$$\frac{\partial f}{\partial x}(x_0, 0) = -3x_0^2 - B = 0.$$

Similarly we have that

$$\frac{\partial f}{\partial y}(x_0, 0) = 2(0) = 0.$$

Therefore, we see that $(x_0, 0) \in F$ is a singular point, meaning $F$ is a singular curve as required.

Remark 5. We have seen that each singular point on a cubic curve corresponds to a double root in the corresponding curve's Weierstrass equation. Clearly cubic polynomials have at most three roots, therefore singular cubic curves always have exactly one singular point.
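As an added illustration (not code from the thesis or its Curve.py appendix), the following Python functions implement Definition 6 and Theorem 1: they compute $\Delta_E$, decide singularity, and locate the single singular point of Remark 5 from the relations $B = -3x_0^2$, $C = 2x_0^3$ in the proof, then check it against Definition 7 and Proposition 1. The curves named A, B and D are those of Figures 2.1 and 2.2; the node $y^2 = x^3 - 3x + 2 = (x-1)^2(x+2)$ is a constructed extra input, and all function names are my own.

```python
from fractions import Fraction


def discriminant(B, C):
    """Discriminant Delta_E = -16(4B^3 + 27C^2) of y^2 = x^3 + Bx + C (Definition 6)."""
    return -16 * (4 * B**3 + 27 * C**2)


def is_singular(B, C):
    """Theorem 1: the cubic y^2 = x^3 + Bx + C is singular iff Delta_E = 0."""
    return discriminant(B, C) == 0


def partials(B, C, x, y):
    """Partial derivatives of f(x, y) = y^2 - x^3 - Bx - C at the point (x, y)."""
    return (-3 * x**2 - B, 2 * y)


def singular_point(B, C):
    """The unique singular point (Remark 5) of a singular curve, or None if smooth.

    The proof of Theorem 1 shows that a singular point has y0 = 0, B = -3*x0^2 and
    C = 2*x0^3.  Dividing the last two gives x0 = -3C / (2B) whenever B != 0; if
    B == 0 then Delta_E = 0 forces C == 0 and the singular point is the cusp (0, 0).
    """
    if not is_singular(B, C):
        return None
    if B == 0:
        return (Fraction(0), Fraction(0))
    return (Fraction(-3 * C, 2 * B), Fraction(0))


def is_double_root(B, C, x0):
    """Proposition 1 / Theorem 1: x0 is a repeated root of x^3 + Bx + C iff it is a
    root of both the cubic and its derivative 3x^2 + B."""
    return x0**3 + B * x0 + C == 0 and 3 * x0**2 + B == 0


def classify(B, C):
    """Summarise the smooth/singular status of y^2 = x^3 + Bx + C as a dict,
    cross-checking a found singular point against Definition 7."""
    P = singular_point(B, C)
    info = {"discriminant": discriminant(B, C), "singular": P is not None, "point": P}
    if P is not None:
        x0, y0 = P
        # Both partials vanish at P, P lies on the curve, and x0 is a double root.
        assert partials(B, C, x0, y0) == (0, 0)
        assert y0**2 == x0**3 + B * x0 + C
        assert is_double_root(B, C, x0)
    return info


if __name__ == "__main__":
    # A and B are the smooth curves of Figure 2.1 (B=1, C=5 and B=-5, C=0), D is the
    # cusp y^2 = x^3 of Figure 2.2, and "node" is the constructed curve y^2 = x^3 - 3x + 2.
    for name, B, C in [("A", 1, 5), ("B", -5, 0), ("D", 0, 0), ("node", -3, 2)]:
        print(name, classify(B, C))
```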

2.2.3 Isomorphic Elliptic Curves

Various elliptic curves are used in ECC, but does each elliptic curve have a unique Weierstrass equation? We will now follow Chapter 3, Section 1 from [31] to study a change of coordinates which can produce isomorphic elliptic curves. We will then prove that two elliptic curves are isomorphic if and only if they have the same $j$-invariant.

Definition 8. A field $K$ is algebraically closed if for every polynomial $f \in K[X]$, there exists a root of $f$ in $K$. We denote the largest algebraic extension or algebraic closure of a field $K$ as $\bar{K}$.

Remark 6. The inverse of the bijective maps between two curves in the following results takes square and cube roots. Therefore, we need to take care to note that this map is actually defined between the $\bar{K}$-rational points of each curve.

Theorem 2. Let $E_1/K$ and $E_2/K$ be two elliptic curves with respective points at infinity $O_1$ and $O_2$. Then, the morphism

$$\phi : E_1(\bar{K}) \to E_2(\bar{K}), \quad (x,y) \mapsto (u^2x,\ u^3y)$$

is a group isomorphism for all choices of $u \in \bar{K}^\times$.

Proof. It is easy to see that the inverse of $\phi$ is the map $\phi^{-1} : (x,y) \mapsto (u^{-2}x,\ u^{-3}y)$, hence $\phi$ is bijective. It remains to show that $\phi$ is a group homomorphism. It suffices to show that when $\phi$ maps $E_1$ to $E_2$, the neutral element and group structure of $E_1$ are preserved. Rewriting $\phi$ in projective coordinates we have that

$$\phi([X : Y : Z]) = [u^2X : u^3Y : Z].$$

Note that $\phi(O_1) = O_2$, since in projective coordinates we can arbitrarily rescale the $Y$ component of a point on the line at infinity to one

$$\phi(O_1) = \phi([0 : 1 : 0]) = [0 : u^3 : 0] = [0 : 1 : 0] = O_2.$$

Next, let L1 : aX + bY + cZ = 0, for some a,b,c ∈ K, be the line intersecting E1 at three points F,G and H, where F +G+H = O1, hence

φ(F + G + H) = φ(O1) = O2. (2.3)

The image of L1 under φ is the line

2 3 L2 := au X + bu Y + cZ = 0.

By Bezout’s´ Theorem we know that L2 intersects E2 at three points (counting mul- tiplicity). These points of intersection are necessarily the images under φ of the three points where L1 intersects E. But from this we know that if P ∈ E1 ∩ L1 then CHAPTER 2. THE THEORY OF ELLIPTIC CURVES 18

φ (P) ∈ E2 ∩L2, for all P ∈ E1(K), hence φ (F),φ (G) and φ (H) are all on the line L2, hence collinear. Therefore, we have

φ (F) + φ (G) + φ (H) = O2 by Corollary2. Combining this with equation (2.3) we conclude that φ preserves the group structure, since

φ (F) + φ (G) + φ (H) = O2 = φ(F + G + H).

Corollary 1. Let $E/K$ be an elliptic curve, where

$$E : y^2 = x^3 + Bx + C.$$

Then, the short Weierstrass normal form of $E/K$ is unique up to the following change of coordinates:

$$B \mapsto u^4B \quad \text{and} \quad C \mapsto u^6C, \quad \text{for some } u \in K^{\times}.$$

Proof. Consider the elliptic curve $E_1/K$, given by

$$E_1 : y^2 = x^3 + B_1x + C_1,$$

with discriminant $\Delta_{E_1} = -16(4B_1^3 + 27C_1^2)$. Applying the isomorphism $(x,y) \mapsto (u^2x, u^3y)$ for some $u \in K^{\times}$ we obtain a new curve $E_2/K$ as follows:

$$E_2 : (u^3y)^2 = (u^2x)^3 + B_1(u^2x) + C_1,$$
$$E_2 : y^2 = x^3 + B_1u^{-4}x + C_1u^{-6}.$$

Furthermore, $E_2(K) \cong E_1(K)$ by Theorem 2. Note that

$$\Delta_{E_2} = -16\left(4(u^4B_1)^3 + 27(u^6C_1)^2\right) = u^{12}\Delta_{E_1}.$$

It is easy to see that any other choice for the change of constants would not allow us to preserve the form of the short Weierstrass equation and rewrite $\Delta_{E_2}$ in terms of $u$ and $\Delta_{E_1}$.

Example 1. We will now provide an example involving three elliptic curves $E_1, E_2$ and $E_3$ defined over a field $K$; some or all of these curves are isomorphic depending on the choice of $K$. Note that the discriminant of the Weierstrass equation for each curve is distinct; this motivates our need for the j-invariant to determine which curves are isomorphic.

$$E_1 : y^2 = x^3 + 16x + 64, \qquad \Delta_{E_1} = -2031616, \qquad j(E_1) = 6912/31,$$
$$E_2 : y^2 = x^3 + x + 1, \qquad \Delta_{E_2} = -496, \qquad j(E_2) = 6912/31,$$
$$E_3 : y^2 = x^3 + 4x + 8, \qquad \Delta_{E_3} = -31744, \qquad j(E_3) = 6912/31.$$

Note that when $K = \mathbb{Q}$ we can take $u = 2$ in Proposition 2 to conclude that $E_1/\mathbb{Q} \cong E_2/\mathbb{Q}$. It is easy to check that $E_1$ and $E_3$ are not isomorphic when defined over the rationals. However, when $\mathbb{Q}(\sqrt{2}) \subseteq K$ we can take $u = \sqrt{2}$ in Proposition 2 to conclude that $E_1/K \cong E_3/K$.

Theorem 3. $E_1 : y^2 = x^3 + B_1x + C_1$ and $E_2 : y^2 = x^3 + B_2x + C_2$ are isomorphic over some field extension of $K$ if and only if $j(E_1) = j(E_2)$.

Proof. First suppose $E_1/K$ and $E_2/K$ are isomorphic. By Corollary 1 this means there is some $u \in K^{\times}$ such that $B_2 = u^4B_1$, $C_2 = u^6C_1$ and $\Delta_2 = u^{12}\Delta_1$. Hence

$$j(E_2) = 1728\frac{4B_2^3}{\Delta_2} = 1728\frac{4(u^4B_1)^3}{u^{12}\Delta_1} = 1728\frac{4B_1^3}{\Delta_1} = j(E_1),$$

as required, since elliptic curves always have non-zero discriminants. Conversely, suppose that $j(E_1) = j(E_2) =: j$, so that

$$j = 1728\frac{4B_1^3}{4B_1^3 + 27C_1^2} = 1728\frac{4B_2^3}{4B_2^3 + 27C_2^2}.$$

After some rearrangement and cancellation we obtain

$$B_1^3C_2^2 = B_2^3C_1^2.$$

There are three cases for the possible values of $j$; in each case we can find a value of $u$ which gives the isomorphism $\varphi : (x_1,y_1) \mapsto (u^2x_2, u^3y_2)$ as follows.

(a) If $j = 0$ suppose without loss of generality that $B_1 = 0$. Then, since $\Delta_1 \neq 0$ we must have that $C_1 \neq 0$. By Corollary 1 we have that $C_2 = u^6C_1$, so $u = (C_1/C_2)^{1/6}$ gives us the required isomorphism.

(b) If $j = 1728$ then we are in the following situation

$$1728 = 1728\frac{4B_1^3}{4B_1^3 + 27C_1^2} = 1728\frac{4B_2^3}{4B_2^3 + 27C_2^2}.$$

So, clearly $B_1, B_2 \neq 0$ and $C_1 = C_2 = 0$. By Corollary 1 we have that $B_2 = u^4B_1$, hence $u = (B_1/B_2)^{1/4}$ gives us the required isomorphism.

(c) If $j \neq 0, 1728$, computing $j/(j - 1728)$ makes it easy to see what value of $u$ we must use in order to find a valid isomorphism. Using the fact that $\Delta_1 = 4B_1^3 + 27C_1^2$, after some algebraic manipulation we obtain

$$\frac{j}{j - 1728} = -\frac{4B_1^3}{27C_1^2} = -\frac{4B_2^3}{27C_2^2},$$

since we assumed $j(E_1) = j(E_2)$. Cancelling the constants and rearranging, we have that

$$\frac{B_1^3}{B_2^3} = \frac{C_1^2}{C_2^2}. \tag{2.4}$$

Setting $u^2 = (B_1/B_2)(C_2/C_1)$ and using equation (2.4) we can compute

$$u^4 = \left(\frac{B_1}{B_2}\right)^2\left(\frac{C_2}{C_1}\right)^2 = \left(\frac{B_1}{B_2}\right)^2\left(\frac{B_2}{B_1}\right)^3 = \frac{B_2}{B_1}.$$

So, we know that $B_1u^4 = B_2$. Then, multiplying our equations for $u^4$ and $u^2$ together we see that

$$u^6 = \frac{B_2}{B_1}\cdot\frac{B_1}{B_2}\cdot\frac{C_2}{C_1} = \frac{C_2}{C_1}.$$

So, we know that $C_1u^6 = C_2$. From these two pieces of information we have shown that taking $u = (B_1/B_2)^{1/4} = (C_1/C_2)^{1/6}$ gives the desired isomorphism.

Remark 7. In light of this Theorem, the reader may now be curious whether it is possible to find an elliptic curve with a given j-invariant. The following proposition explains that this is indeed always possible.

Proposition 2. For any $j_0 \in \mathbb{N}$, there exists an elliptic curve $E$ such that $j(E) = j_0$.

Proof. If $j_0 = 0$ or $j_0 = 1728$ we take one of the following elliptic curves:

$$E_0 : y^2 = x^3 + 1, \qquad E_{1728} : y^2 = x^3 + x.$$

It is easy to show that $E_0$ and $E_{1728}$ are smooth and that their j-invariants are $0$ and $1728$ respectively. If $j_0 \neq 0, 1728$ then consider the following elliptic curve,

$$E_{j_0} : y^2 = x^3 + \frac{3j_0}{1728 - j_0}x + \frac{2j_0}{1728 - j_0},$$

where $j(E_{j_0}) = j_0$ for all $j_0 \neq 0, 1728$.
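The following Python is an added example, not code from the thesis: it checks Example 1, the scaling of Corollary 1 and case (c) of Theorem 3 with exact rational arithmetic, and builds the curve of Proposition 2 for a rational $j_0$ (the construction only needs $j_0 \neq 0, 1728$). It uses Corollary 1's direction $B \mapsto u^4B$, so the $u$ it finds from $E_1$ to $E_2$ is $1/2$, the inverse of the $u = 2$ quoted in Example 1; the function names are mine.

```python
# Added example (not from the thesis): exact checks of Corollary 1, Example 1,
# Theorem 3 (case (c)) and Proposition 2 using rational arithmetic.
from fractions import Fraction
from math import isqrt

def discriminant(B, C):
    """Delta_E = -16(4B^3 + 27C^2) for y^2 = x^3 + Bx + C; zero exactly when the cubic is singular."""
    return -16 * (4 * B**3 + 27 * C**2)

def j_invariant(B, C):
    """j(E) = 1728 * 4B^3 / (4B^3 + 27C^2), the form used in the proof of Theorem 3."""
    if discriminant(B, C) == 0:
        raise ValueError("singular cubic: j is undefined")
    return 1728 * 4 * B**3 / (4 * B**3 + 27 * C**2)

def scale(B, C, u):
    """Corollary 1: (x, y) -> (u^2 x, u^3 y) sends y^2 = x^3 + Bx + C to y^2 = x^3 + u^4 B x + u^6 C."""
    return (u**4 * B, u**6 * C)

def rational_sqrt(q):
    """Exact square root of a Fraction q in Q, or None if q is not the square of a rational."""
    if q < 0:
        return None
    n, d = isqrt(q.numerator), isqrt(q.denominator)
    return Fraction(n, d) if (n * n, d * d) == (q.numerator, q.denominator) else None

def scaling_u(E1, E2):
    """Theorem 3, case (c): find u in Q with (B2, C2) = (u^4 B1, u^6 C1) from u^2 = (B1/B2)(C2/C1).
    Returns u, or None when the curves are not isomorphic over Q: either their j-invariants differ,
    or u exists only in an extension of Q (such as Q(sqrt 2) for E1 and E3 in Example 1)."""
    (B1, C1), (B2, C2) = E1, E2
    if 0 in (B1, C1, B2, C2):
        raise ValueError("B = 0 or C = 0 is case (a) or (b) of Theorem 3, not handled here")
    if j_invariant(B1, C1) != j_invariant(B2, C2):
        return None
    u = rational_sqrt((B1 / B2) * (C2 / C1))
    if u is not None:
        assert scale(B1, C1, u) == (B2, C2)   # the change of coordinates really maps E1 onto E2
    return u

def curve_with_j(j0):
    """Proposition 2: an elliptic curve (B, C) with j-invariant j0 (j0 a Fraction)."""
    if j0 == 0:
        return (Fraction(0), Fraction(1))     # E_0    : y^2 = x^3 + 1
    if j0 == 1728:
        return (Fraction(1), Fraction(0))     # E_1728 : y^2 = x^3 + x
    return (3 * j0 / (1728 - j0), 2 * j0 / (1728 - j0))

if __name__ == "__main__":
    E1, E2, E3 = (Fraction(16), Fraction(64)), (Fraction(1), Fraction(1)), (Fraction(4), Fraction(8))
    for name, E in (("E1", E1), ("E2", E2), ("E3", E3)):
        print(name, "Delta =", discriminant(*E), "j =", j_invariant(*E))
    print("u mapping E1 to E2:", scaling_u(E1, E2))   # 1/2: the thesis's u = 2 is the inverse direction
    print("u mapping E1 to E3:", scaling_u(E1, E3))   # None: needs u = 1/sqrt(2), so only over Q(sqrt 2)
    print("curve with j = 5:", curve_with_j(Fraction(5)))
```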

2.3 The Group of Points on an Elliptic Curve

In this Section we will define the addition operation on the set of points on an elliptic curve and provide some examples of computing the sum of two points directly from this definition. We will then prove that the set of points on an elliptic curve together with this operation forms an abelian group. Deviating from [53] we provide a geometric proof of the associativity of the addition operation. Once we have established the group structure we can then derive explicit formulas for several standard arithmetic calculations on the points of an elliptic curve - such as adding and doubling points. We will make frequent use of these formulas throughout the remainder of the Thesis.

2.3.1 Point Addition

We shall now introduce the natural binary operation, denoted $+$, used to add any two points on a given elliptic curve to produce a third point which is also on the curve. We will see that computing the sum of two points on an elliptic curve is entirely different to simply computing the pointwise sum of their coordinates in the underlying field.

Definition 9. Let $E/K$ be an elliptic curve and let $P = (x,y), Q \in E(K)$.

(a) Let $L$ denote the line intersecting $P$ and $Q$. Then, the third point of intersection between $L$ and $E$ is denoted $P * Q$, so that $E \cap L = \{P, Q, P * Q\}$. We also define $O * O = O$.

(b) We can obtain the point $-P$ by reflecting $P = (x,y)$ across the x-axis as follows (see footnote 5): $-P = O * P = (x, -y)$.

(c) Finally, we define the following two functions, $X, Y : E(K) \to K$, which will be used throughout the Thesis:

$$X : (x,y) \mapsto x \quad \text{and} \quad Y : (x,y) \mapsto y.$$

Definition 10. Let P and Q be two points on an elliptic curve E/K. The addition operation to compute P + Q is defined as follows

(a) Let L be the unique straight line between the points P and Q.

(b) Find the third point where L intersects E/K, label this point P ∗ Q.

(c) $P + Q$ is defined as the point obtained by reflecting $P * Q$ in the x-axis (see footnote 6).

Remark 8. Note that it is always possible to find the unique third point of intersection between a line and an elliptic curve by Bézout's Theorem, a fundamental result from algebraic geometry which we will use frequently and which states that the number of points of intersection between two curves is given by the product of their degrees.

Definition 11. Let $E/K$ be an elliptic curve. For all natural numbers $n$ we denote the function which multiplies a given point $P \in E(K)$ by $n \in \mathbb{N}$ as

$$[n] : P \mapsto \underbrace{P + P + \cdots + P}_{n}.$$

5 In general, computing inverses is often computationally expensive. However, computing the inverse of a point on an elliptic curve is as simple as changing the sign of the y coordinate.

6 In some settings the addition operation may be defined with a reflection across another line in the affine plane. For the purposes of cryptography we will always assume that a given elliptic curve is symmetric across the x-axis.

Remark 9. Computing multiples of a point on an elliptic curve is vital for several applications such as the elliptic curve Diffie-Hellman protocol. In Chapter 3 we will study some of these applications as well as two efficient algorithms to compute multiples of a point.

Example 2. We shall now provide an independent example of computing the sum of two distinct points on an elliptic curve. We will be working with curves defined over the rationals for the majority of this Chapter, so for variety let $E/\mathbb{R}$ be an elliptic curve, where

$$E : y^2 = x^3 - 2x + 4,$$

chosen for ease of calculation. It is easy to check that $P = (-1, \sqrt{5})$ and $Q = (1, \sqrt{3})$ are both points on $E/\mathbb{R}$. To compute $P + Q$ we first find the straight line $L$ between the points $P$ and $Q$. It is easy to show that the equation for the line $L$ is given by

$$L : y = mx + c = \frac{\sqrt{3} - \sqrt{5}}{2}x + \frac{\sqrt{5} + \sqrt{3}}{2}. \tag{2.5}$$

Then, we aim to find $P * Q$, the unique third point where $L$ intersects $E$. Setting the equation for $L$ equal to the equation for $E$ we obtain

$$y^2 = (mx + c)^2 = x^3 - 2x + 4.$$

After some rearrangement we obtain the following cubic in x

$$0 = x^3 - m^2x^2 - (2mc + 2)x + 4 - c^2 = (x - r_1)(x - r_2)(x - r_3),$$

with three roots $r_1, r_2$ and $r_3$ corresponding to the x coordinates of the intersections of $L$ and $E$. We know that two of these solutions for $x$ will be at the points $P$ (where $x = -1$) and $Q$ (where $x = 1$). Therefore, we can rewrite the previous equation as follows

$$x^3 - m^2x^2 - (2mc + 2)x + 4 - c^2 = (x + 1)(x - 1)(x - r_3).$$

Equating the coefficients of $x^2$ on both sides we find that

$$r_3 = m^2 = \left(\frac{\sqrt{3} - \sqrt{5}}{2}\right)^2 = \frac{4 - \sqrt{15}}{2}.$$

Since $P * Q$ lies on $L$ we can then substitute $r_3$ into equation (2.5) to find that

$$Y(P * Q) = \frac{-5\sqrt{5} + 11\sqrt{3}}{4}.$$

Finally, we then reflect $P * Q$ across the x-axis to obtain

$$P + Q = \left(\frac{4 - \sqrt{15}}{2},\ \frac{5\sqrt{5} - 11\sqrt{3}}{4}\right).$$

It is easy to check that $P + Q$ also lies on $E/\mathbb{R}$.

Remark 10. There are a few technicalities that need to be dealt with to ensure that P + Q is well defined for all points P,Q on a given elliptic curve E/K. Firstly, when computing P + (−P) the third point of intersection between the vertical line L and the curve E is not immediately obvious. To deal with this case we define P + (−P) = O and P + O = P for all points P on the curve, where O is the point at infinity which lies on every pair of parallel lines.

Figure 2.3: Elliptic curve point addition. (a) $P + Q = R$. (b) $P + P = R$. (c) $P + P_0 = O$.

Remark 11. We also need to define $[2]P = P + P$. To do this, imagine computing $P + Q$ for another point $Q$ which is continuously moving towards $P$. In the limit as $Q \to P$ the line $L$ connecting $P$ and $Q$ is the tangent line to $E$ at $P$. Thus we compute $P + P$ as illustrated through the following example.

Example 3. We will now provide an example of computing $[2]P$ directly from the definition of point addition; an explicit formula for the coordinates of $[2]P$ in terms of the coordinates of $P$ is derived in Corollary 3. Let $E/\mathbb{R}$ be an elliptic curve, where

$$E : y^2 = x^3 - x + 2.$$

Note that $P = (1, \sqrt{2}) \in E(\mathbb{R})$. To compute $[2]P = P + P$, we first find the equation for the tangent line $L$ to $E$ at the point $P$. We know that the equation for the line $L$ must be of the form

$$y = mx + c \quad \text{for some } m, c \in \mathbb{R}. \tag{2.6}$$

To find $m$ we first implicitly differentiate our equation for $E$ with respect to $x$, to obtain

$$2y\frac{dy}{dx} = 3x^2 - 1. \tag{2.7}$$

Evaluating equation (2.7) at $x = X(P) = 1$, $y = Y(P) = \sqrt{2}$ we find that the gradient of $L$ is given by

$$m = \frac{1}{\sqrt{2}}.$$

Since $P$ lies on $L$ we can substitute $X(P), Y(P)$ and $m$ into equation (2.6) to find that $c = 1/\sqrt{2}$. From this we obtain the following equation for $L$

$$L : y = \frac{1}{\sqrt{2}}x + \frac{1}{\sqrt{2}}. \tag{2.8}$$

Next, we aim to find P ∗ P, the unique third point where L intersects E. To do this we first set the equation for L equal to the equation for E

$$y^2 = (mx + c)^2 = x^3 - x + 2.$$

After some rearrangement we obtain the following cubic in x

$$0 = x^3 - \frac{x^2}{2} - 2x + \frac{3}{2} = (x - r_1)(x - r_2)(x - r_3),$$

where the three roots $r_1, r_2$ and $r_3$ of this cubic are the x coordinates of the intersections of $L$ and $E$. We know that two of these solutions for $x$ will be at the point $P$ (where $x = 1$). Therefore, we can rewrite the previous equation as follows

$$x^3 - \frac{x^2}{2} - 2x + \frac{3}{2} = (x - 1)^2(x - r_3),$$

where $r_3 := X(P * P)$. Equating the constant terms on both sides of the previous equation we find that

$$r_3 = -\frac{3}{2}.$$

Then, since $P * P$ lies on $L$ we can substitute $r_3$ into equation (2.8) to find that

$$Y(P * P) = -\frac{\sqrt{2}}{4}.$$

Finally, reflecting $P * P$ across the x-axis we obtain the point

$$P + P = \left(-\frac{3}{2},\ \frac{\sqrt{2}}{4}\right).$$

It is easy to check that $P + P$ also lies on $E/\mathbb{R}$.

Theorem 4. Let $E/K$ be an elliptic curve. For all $P, Q, R \in E(K)$, the addition operation (Definition 10) satisfies the following properties:

(a) P + O = O + P = P (Existence of identity)

(b) P + (−P) = O for all P ∈ E. (Existence of inverses)

(c) (P + Q) + R = P + (Q + R) for all P,Q,R ∈ E. (Associativity)

(d) P + Q = Q + P for all P,Q ∈ E. (Commutativity)

Hence, the set of points $E(K)$ together with the addition operation forms an abelian group.

Proof. First note that $E(K)$ is non-empty since we must have $O \in E(K)$ by definition. Moreover, when computing $P + Q$ the only operations used are addition, subtraction, multiplication and division of the coefficients of the curve $E$ and the coordinates of $P$ and $Q$, all of which are in the field $K$, hence the point $P + Q$ always has coordinates in $K$. Therefore, the set of points on an elliptic curve is closed under point addition.

(a) When computing $P + O$ we draw a vertical line $L$ through $P$ and the point at infinity. The third point of intersection between $L$ and $E$ is $P * O = -P$. We then reflect $-P$ across the x-axis to obtain $P + O = P$ by Definition 9. Similarly, to compute $O + P$ we find that the third point of intersection between $L$ and $E$ is $O * P = -P$. We then reflect $-P$ in the x-axis to obtain $O + P = P$. We see that $O$ acts as the identity element for elliptic curve addition.

(b) Let $P = (x,y)$ and recall that $-P = (x,-y)$ by Definition 9, hence to compute $P + (-P)$ we first draw a vertical line $L$ through the points $P$ and $-P$. The third point of intersection between $L$ and $E$ is $P * (-P) = O$, the point at infinity, which when reflected in the x-axis remains at infinity by Definition 9. We conclude that $P + (-P) = O$ as required.

(c) See Section 2.3.2 for a full geometric proof.

(d) The addition operation is clearly commutative because when computing $P + Q$ and $Q + P$ we draw the same line $L$ through the points $P$ and $Q$. Note that $L$ will intersect exactly one other point ($P * Q = Q * P$) on the elliptic curve by Bézout's Theorem, hence $P + Q = (P * Q) * O = (Q * P) * O = Q + P$ as required.

Corollary 2. A line L intersects an elliptic curve E/K at three (not necessarily distinct) collinear points P,Q and R if and only if

P + Q + R = O.

Proof. Let $L$ be a line intersecting an elliptic curve $E/K$. By Bézout's Theorem we know that there are three collinear points of intersection between $L$ and $E$, say $P, Q$ and $R$. Note that the point $P + Q$ is the third point of intersection of $E$ with the line between $O$ and $P * Q$, hence

$$P + Q = O * (P * Q) = O * R = -R,$$

where $P * Q = R$ since we assumed $P, Q$ and $R$ are collinear, and the third point on the intersection of the line between $O$ and $R$ is $-R$. By Theorem 4(b) we can add $R$ to both sides of this equation to obtain the desired equality

$$P + Q + R = -R + R = O.$$

2.3.2 Proving the Associativity of Point Addition

It is possible to verify the associativity of elliptic curve point addition directly using the explicit formulas we will derive in Theorem 6. Alternatively, to give a more enlightening geometric proof we will expand on the proof given in [53], which relies on the following Theorem from geometry.

Theorem 5. (Cayley-Bacharach Theorem). Let $K$ be an algebraically closed field. Suppose two cubics $C_1/K$ and $C_2/K$ intersect at nine distinct points in the projective plane. Then, every cubic curve $C/K$ that passes through eight of these points also necessarily intersects the ninth shared point of $C_1$ and $C_2$.

Proof. Before using this Theorem to prove the associativity of elliptic curve point addition we shall first briefly explain why the Cayley-Bacharach Theorem holds. A more rigorous proof which accounts for the multiplicity of points of intersection can be found in [25]. Let $C_1$ and $C_2$ be two cubic curves defined over an algebraically closed field $K$ which intersect at the distinct points $P_1, \ldots, P_9 \in \mathbb{P}^2$. To define a cubic curve $C/K$ in the projective plane we must provide ten coefficients $A, B, C, \ldots, J \in K$ such that

$$F(X,Y,Z) = AX^3 + BY^3 + CZ^3 + DX^2Y + EX^2Z + FY^2X + GY^2Z + HZ^2X + IZ^2Y + JXYZ = 0.$$

This means that the set of all possible cubic curves is a nine dimensional projective space over the given field $K$. If we want to ensure that a given cubic intersects the point $P_1$, this imposes a linear condition on the ten coefficients $A, B, C, \ldots, J$. Hence we can consider the set of all cubic curves which pass through $P_1$ as eight dimensional. Then, the set of all cubics which pass through the two points $P_1, P_2$ is seven dimensional, since there are two linear constraints on the ten coefficients. Repeating this argument we see that the set of all cubics which intersect $P_1, \ldots, P_8$ (exactly eight of the given intersection points of $C_1$ and $C_2$) is one dimensional. So, let $F_1(x,y) = 0$ and $F_2(x,y) = 0$ be the equations for $C_1$ and $C_2$ respectively. Then, we know that for any choice of $\lambda_1, \lambda_2 \in K$, the cubic curve $C$ given by

$$C : \lambda_1F_1 + \lambda_2F_2 = 0$$

passes through $P_1, \ldots, P_8$ since $C_1$ and $C_2$ intersect $P_1, \ldots, P_8$. Noting that $P_9$ is on both $C_1$ and $C_2$ we see that $F_1(P_9) = F_2(P_9) = 0$. It follows that $\lambda_1F_1 + \lambda_2F_2$ also vanishes at $P_9$, hence $P_9$ must be on $C$ as required.

Proof. We now return to our goal of proving the associativity of elliptic curve point addition. For a more rigorous proof of this result which accounts for the multiplicities of the points of intersection see [27]. Let $E/K$ be an elliptic curve. Our aim is to show that

$$(P + Q) + R = P + (Q + R),$$

for any three points $P, Q, R \in E(K)$. The geometry of this situation is illustrated in Figure 2.4.

Figure 2.4: The associativity of elliptic curve point addition.

We shall first explain why it is enough to show that (P + Q) ∗ R = P ∗ (Q + R). If we first construct a vertical line V1 which intersects (P + Q)∗R and O we can see that the third point of intersection between E and V1 is (P + Q) + R. Similarly we can construct another vertical line V2 between P ∗ (Q + R) and O. Clearly, V2 has a third intersection with E at the point P+(Q + R). Therefore, to prove associativity it suffices to show that (P + Q)∗R and P∗(Q + R) are the same point, say X, since in this case V1 and V2 are the same line, say V, and V can only intersect E at three distinct points, two of which we know are O and X. This argument is illustrated in figure 2.5a.

Figure 2.5: (a) If $(P + Q) * R = P * (Q + R)$ then $V_1 = V_2$ and we have associativity. (b) $X = (P + Q) * R = P * (Q + R)$.

It remains to show that $(P + Q) * R = P * (Q + R)$. To do this we first let $L_1$ denote the line intersecting the points $P, Q$ and $P * Q$ on $E$. We then define the line $M_1$ as the vertical line which intersects $P * Q$, $P + Q$ and $O$. We repeat this process, forming six lines in total, where each of the six lines $L_1, L_2, L_3, M_1, M_2, M_3$ has three unique points of intersection with $E$ by Bézout's Theorem. The resulting lines are illustrated in Figure 2.5b.

Then, let $l_1, l_2$ and $l_3$ be degree one homogeneous polynomials describing the lines $L_1, L_2$ and $L_3$ respectively. The homogeneous polynomial $l_1l_2l_3$ defines a degenerate cubic curve $C_l = L_1 \cup L_2 \cup L_3$ intersecting the following nine points:

$$O,\ P,\ Q,\ R,\ (P * Q),\ (Q * R),\ (P + Q),\ (Q + R),\ (P + Q) * R.$$

We can apply a similar process to the three lines $M_1, M_2, M_3$ to obtain a second degenerate cubic $C_m = M_1 \cup M_2 \cup M_3$ defined by the homogeneous polynomial $m_1m_2m_3$, which intersects the following nine points:

$$O,\ P,\ Q,\ R,\ (P * Q),\ (Q * R),\ (P + Q),\ (Q + R),\ P * (Q + R).$$

Note that $E$ is a third cubic which certainly intersects the following eight points shared by $C_l$ and $C_m$:

$$O,\ P,\ Q,\ R,\ (P * Q),\ (Q * R),\ (P + Q),\ (Q + R).$$

So, we are in an ideal situation to apply the Cayley-Bacharach Theorem to conclude that $E$ must also pass through the ninth point shared by $C_l$ and $C_m$. Therefore, we must have $(P + Q) * R = P * (Q + R)$, hence $(P + Q) + R = P + (Q + R)$ as required.

2.3.3 Explicit Formulas for Point Addition

We have now proved that the set of points on an elliptic curve forms a group. Our next goal is to derive explicit formulas we shall use frequently to compute the sum of two points and the duplication of a given point on an elliptic curve.

Theorem 6. (The Point Addition Algorithm). Let $E/K$ be an elliptic curve, where

$$E : y^2 = x^3 + Ax^2 + Bx + C. \tag{2.9}$$

Let P1 = (x1,y1) and P2 = (x2,y2) be points on E/K.

(a) If P1 = O, then P1 + P2 = P2.

(b) If P2 = O, then P1 + P2 = P1.

(c) If $x_1 = x_2$ and $y_1 = -y_2$, then $P_1 + P_2 = O$.

(d) Otherwise, let

$$\lambda = \begin{cases} (y_2 - y_1)/(x_2 - x_1), & \text{if } P_1 \neq P_2, \\ (3x_1^2 + 2Ax_1 + B)/(2y_1), & \text{if } P_1 = P_2. \end{cases}$$

So that $P_1 + P_2 = (x_3, y_3)$, where

$$x_3 = \lambda^2 - A - x_1 - x_2, \quad \text{and} \quad y_3 = \lambda(x_1 - x_3) - y_1.$$

Proof. We proved (a) and (b) in the first part of Theorem 4. For (c) note that if $x_1 = x_2$ and $y_1 = -y_2$, then we have

$$P_1 + P_2 = (x_1,y_1) + (x_2,y_2) = (x_2,-y_2) + (x_2,y_2) = (-P_2) + P_2 = O,$$

by part (b) of Theorem 4. For (d) first note that the formula for the straight line $L$ between $P_1$ and $P_2$ is of the form

$$y = \lambda x + \nu, \tag{2.10}$$

for some constants $\lambda$ and $\nu$. We assumed that $P_1 \neq P_2$, so we have

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} \quad \text{and} \quad \nu = y_1 - \lambda x_1 = y_2 - \lambda x_2,$$

since $x_1 \neq x_2$. We now aim to find formulas for the coordinates $x_3$ and $y_3$. Substituting equation (2.10) into equation (2.9) gives

$$(\lambda x + \nu)^2 = x^3 + Ax^2 + Bx + C.$$

Expanding and collecting all terms to one side of this equation we obtain

$$x^3 + (A - \lambda^2)x^2 + (B - 2\lambda\nu)x + (C - \nu^2) = 0.$$

To factorise this cubic we note that two of the roots are $x_1$ and $x_2$ since $P_1$ and $P_2$ clearly lie on $L$. The third root of this cubic is of course $x_3$, since $-P_3 = P_1 * P_2$ is the third point of intersection between $L$ and $E$, hence

$$x^3 + (A - \lambda^2)x^2 + (B - 2\lambda\nu)x + (C - \nu^2) = (x - x_1)(x - x_2)(x - x_3).$$

Note that the coefficient of $x^2$ on each side of this equation must be equal, so we have that

$$A - \lambda^2 = -x_1 - x_2 - x_3, \quad \text{hence} \quad x_3 = \lambda^2 - A - x_1 - x_2.$$

We know that the point $P_1 * P_2 = (x_3, -y_3)$ lies on $L$, hence

$$-y_3 = \lambda x_3 + \nu, \quad \text{where } \nu = y_1 - \lambda x_1 = y_2 - \lambda x_2.$$

So we conclude that

$$P_3 = (x_3, y_3) = \left(\lambda^2 - A - x_1 - x_2,\ \lambda x_1 - \lambda x_3 - y_1\right).$$

The doubling case of (d), where $P_1 = P_2$, uses the same argument; however, to find $\lambda$ in the case where $x_1 = x_2$ we first implicitly differentiate the equation for $E$ with respect to $x$ and evaluate the result at the point $P_1 = P_2$ to obtain

$$\lambda = \frac{3x_1^2 + 2Ax_1 + B}{2y_1},$$

as required.

Remark 12. When given a point $P$ on an elliptic curve $E/K$, we can use the previous result to find explicit formulas for the coordinates of $[2]P, [3]P, \ldots, [n]P$, where $n \in \mathbb{N}$. For many cryptographic applications it often suffices to only calculate the x-coordinate. This is because for each $x$ value there are only two possibilities for $y$. Many modern ECC algorithms use a technique known as point compression, where the x coordinate of a point is stored together with a single bit which determines the corresponding y coordinate.

Corollary 3. (The Duplication Formula.) Let $P = (x,y)$ be a point on an elliptic curve $E/K$. Let $\xi$ be the x-coordinate of the point $[2]P$. Then,

$$\xi = \frac{x^4 - 2Bx^2 - 8Cx + B^2 - 4AC}{4x^3 + 4Ax^2 + 4Bx + 4C}.$$

Proof. Applying Theorem 6 in the case where $P_1 = P_2 = P = (x,y)$ we have that

$$\xi = \lambda^2 - A - 2x.$$

Substituting

$$\lambda = \frac{3x^2 + 2Ax + B}{2y}$$

into the previous equation and using the fact that $y^2 = x^3 + Ax^2 + Bx + C$ we obtain

$$\xi = \frac{x^4 - 2Bx^2 - 8Cx + B^2 - 4AC}{4x^3 + 4Ax^2 + 4Bx + 4C},$$

as required.
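The following is an added example, not code from the thesis: Theorem 6, Corollary 3 and the group laws of Theorem 4 implemented over $\mathbb{Q}$ and over a small prime field, together with the point compression of Remark 12. The `GF` class, the constructed toy curve $y^2 = x^3 + 2x + 3$ over GF(103) and all function names are my own; decompression uses the standard square root $r^{(p+1)/4}$ for $p \equiv 3 \pmod 4$, which is not on this page, and rejects an $x$ that is not the x-coordinate of any point.

```python
# Added example (not from the thesis): Theorem 6 and Corollary 3 over Q (Fractions) and over
# a prime field GF(p), plus Remark 12's point compression.  The GF(103) curve is constructed.
from fractions import Fraction
from itertools import product

class GF:
    """Element of GF(p).  The curve formulas below only use +, -, *, /, ** and ==,
    so add() and double_x() run unchanged on Fractions and on GF elements."""
    def __init__(self, v, p):
        self.v, self.p = v % p, p
    def _lift(self, o):
        return o if isinstance(o, GF) else GF(o, self.p)
    def __add__(self, o): return GF(self.v + self._lift(o).v, self.p)
    def __sub__(self, o): return GF(self.v - self._lift(o).v, self.p)
    def __mul__(self, o): return GF(self.v * self._lift(o).v, self.p)
    def __truediv__(self, o): return GF(self.v * pow(self._lift(o).v, -1, self.p), self.p)
    def __pow__(self, n): return GF(pow(self.v, n, self.p), self.p)
    def __neg__(self): return GF(-self.v, self.p)
    def __eq__(self, o): return isinstance(o, (GF, int)) and self.v == self._lift(o).v
    __radd__, __rmul__ = __add__, __mul__

O = None  # the point at infinity, the identity element of E(K)

def on_curve(E, P):
    """Does P satisfy y^2 = x^3 + A x^2 + B x + C (equation (2.9))?"""
    if P is O:
        return True
    A, B, C = E
    x, y = P
    return y * y == x**3 + A * x * x + B * x + C

def neg(P):  # -P = (x, -y): reflection of P in the x-axis (Definition 9)
    return O if P is O else (P[0], -P[1])

def add(E, P1, P2):
    """Theorem 6, the point addition algorithm, cases (a) to (d)."""
    if P1 is O: return P2                    # (a)
    if P2 is O: return P1                    # (b)
    A, B, C = E
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and y1 == -y2: return O      # (c) P2 = -P1, which includes doubling a point with y = 0
    if P1 == P2:                             # (d) tangent slope, from implicit differentiation
        lam = (3 * x1 * x1 + 2 * A * x1 + B) / (2 * y1)
    else:                                    # (d) slope of the chord through two distinct points
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - A - x1 - x2
    return (x3, lam * (x1 - x3) - y1)

def double_x(E, P):
    """Corollary 3, the duplication formula: the x-coordinate xi of [2]P from X(P) alone."""
    A, B, C = E
    x = P[0]
    num = x**4 - 2 * B * x * x - 8 * C * x + B * B - 4 * A * C
    den = 4 * x**3 + 4 * A * x * x + 4 * B * x + 4 * C
    return num / den

def check_group_laws(E, pts):
    """Theorem 4 on the given points, plus agreement of Corollary 3 with add(P, P); True or raises."""
    for P in pts:
        assert add(E, P, O) == P and add(E, O, P) == P and add(E, P, neg(P)) is O
        if P is not O and P[1] != 0:
            assert double_x(E, P) == add(E, P, P)[0]
    for P, Q in product(pts, repeat=2):
        assert add(E, P, Q) == add(E, Q, P)
    for P, Q, R in product(pts, repeat=3):
        assert add(E, add(E, P, Q), R) == add(E, P, add(E, Q, R))
    return True

def points_mod_p(A, B, C, p):
    """E(GF(p)) by brute force; only for toy primes.  Returns the curve and its point list."""
    E = (GF(A, p), GF(B, p), GF(C, p))
    pts = [(GF(x, p), GF(y, p)) for x in range(p) for y in range(p)
           if on_curve(E, (GF(x, p), GF(y, p)))]
    return E, [O] + pts

def compress(P):  # Remark 12: keep x and one bit (the parity of y) selecting one of the two roots
    return (P[0], P[1].v & 1)

def decompress(E, x, bit):
    """Inverse of compress() for p = 3 (mod 4), where sqrt(r) = r^((p+1)/4) whenever r is a square.
    Returns None when x is not the x-coordinate of any point, so a caller can reject bad input."""
    A, B, C = E
    rhs = x**3 + A * x * x + B * x + C
    y = rhs ** ((x.p + 1) // 4)
    if y * y != rhs:
        return None
    return (x, y if y.v & 1 == bit else -y)

def demo():
    """Example 2's curve y^2 = x^3 - 2x + 4 with its rational points (0, 2), (-2, 0); then GF(103)."""
    E = (Fraction(0), Fraction(-2), Fraction(4))
    P, Q = (Fraction(0), Fraction(2)), (Fraction(-2), Fraction(0))
    two_P, P_plus_Q = add(E, P, P), add(E, P, Q)
    check_group_laws(E, [O, P, Q, two_P, P_plus_Q, neg(P)])
    Ep, pts = points_mod_p(0, 2, 3, 103)   # constructed toy curve; 103 = 3 (mod 4) for decompression
    check_group_laws(Ep, pts[:6])
    assert all(decompress(Ep, *compress(R)) == R for R in pts[1:])
    return two_P, P_plus_Q, len(pts)
```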

2.4 Mordell’s Theorem

In 1901 Poincaré asked whether the group of rational points on an elliptic curve is always finitely generated. Louis Mordell proved this result (now known as Mordell's Theorem) in 1922. In 1929 André Weil managed to generalise Mordell's Theorem to elliptic curves defined over arbitrary fields [56]. In this Section we will reformulate the proof of Mordell's Theorem given in Chapter 3 of Silverman's book [53]. A proof of the Mordell-Weil Theorem can be found in [31]. Neither of these Theorems provides us with a procedure to compute the generating points in practice. However, they do allow us to identify the structure of the group of points on an elliptic curve. We begin by defining the height function; the remainder of the Section is then structured by three Lemmas relating to properties of the height function and one additional result required to prove Mordell's Theorem.

2.4.1 The Height Function

Height functions are tools from number theory used to quantify the arithmetic complexity or size of mathematical objects. For example, using our height function the relatively simple rational number $\frac{1}{2}$ has a height of $2$, whilst the almost equal in value but more complicated rational $\frac{99}{200}$ has a height of $200$. For the purpose of proving Mordell's Theorem we will only use the following naive height function and hence refer to it as the height function.

Definition 12. The height function $H : \mathbb{Q} \to \mathbb{N}$ is defined as follows. Let $q = a/b$ be a rational number with $\gcd(a,b) = 1$. Then,

$$H(q) = \max\{|a|, |b|\}.$$

By convention we define $H(0) = 1$. Furthermore, if $P$ is a rational point on an elliptic curve we define the height of $P$ as the height of $X(P)$. By convention we define $H(O) = 1$.

Remark 13. Note that the height of any nonzero rational number is always a pos- itive integer. We shall now introduce the related notion of logarithmic height, a useful additive function which is defined as follows.

Definition 13. Let $E/\mathbb{Q}$ be an elliptic curve and $P \in E(\mathbb{Q})$. The logarithmic height is a function $h : E(\mathbb{Q}) \to \mathbb{R}$ such that

$$h(P) = \begin{cases} \log H(P), & \text{if } P \neq O, \\ 0, & \text{if } P = O. \end{cases} \tag{2.11}$$

Note that h(P) is always a nonnegative real number.

Lemma 2. For every real number $M$, the set $\{P \in E(\mathbb{Q}) : h(P) \le M\}$ is finite.

Proof. Fix $M \in \mathbb{R}$ and let $P = (x,y) \in E(\mathbb{Q})$, where $x = x_1/x_2$ with $\gcd(x_1,x_2) = 1$, such that $h(P) \le M$. Note that if $h(P) \le M$ then we have that $\log(\max\{|x_1|,|x_2|\}) \le M$, by definition of $h$. But this means that both $\log|x_1|$ and $\log|x_2|$ must be less than or equal to $M$, hence there are only finitely many choices for $x_1$ and $x_2$, since $M$ itself is finite. So, for a point $P = (x,y) \in E(\mathbb{Q})$ with height less than or equal to $M$, there are only finitely many choices for $x$, each with two corresponding choices for $y$. We conclude that the set in question is finite for any choice of $M$.

2.4.2 Bounding the Height of $P + P_0$

We will now prove the second of the three Lemmas relating to the height function, which states that when given any fixed rational point $P_0$ on an elliptic curve, for any other point $P$ we can find an upper bound on the height of the point $P + P_0$ which is approximately two times the height of the point $P$. This result is one of the essential assumptions used in the descent Theorem at the end of this Section.

Lemma 3. Let $E/\mathbb{Q}$ be an elliptic curve given by the equation $E : y^2 = x^3 + Bx + C$. For every $P_0 \in E(\mathbb{Q})$ there is a constant $\kappa_0$ that depends only on $P_0, B$ and $C$ such that $h(P + P_0) \le 2h(P) + \kappa_0$ for all $P \in E(\mathbb{Q})$.

Proof. In order to prove this upper bound on the height of $P + P_0$ we shall first show that we can write any point $P = (x,y) \in E(\mathbb{Q})$ in the form $(u/r^2, v/r^3)$ where $u, v$ and $r$ are integers and $\gcd(u, r^2) = \gcd(v, r^3) = 1$. Let $x = u/U$, $y = v/V$ with $\gcd(u,U) = \gcd(v,V) = 1$. We will prove that $U^3 = V^2$ by showing that $U^3 \mid V^2$ and $V^2 \mid U^3$. Substituting $x = u/U$ and $y = v/V$ into the short Weierstrass equation for $E/\mathbb{Q}$ we obtain

$$\frac{v^2}{V^2} = \frac{u^3}{U^3} + \frac{Bu}{U} + C.$$

Cancelling the denominators we obtain

$$U^3v^2 = V^2u^3 + BV^2U^2u + CV^2U^3.$$

Note that each term on the right hand side of this equation contains a factor of $V^2$; from this we conclude that $V^2 \mid U^3v^2$, therefore $V^2 \mid U^3$, since $V$ and $v$ are coprime. We still need to show that $U^3 \mid V^2$. Rearranging the previous equation we obtain

$$V^2u^3 = U^3v^2 - BV^2U^2u - CV^2U^3.$$

Then, by the previous argument $U^2 \mid V^2u^3$, hence $U \mid V$ since we assumed $U$ and $u$ are coprime. This means we can write $V = Uf$ for some integer $f$ and rewrite the previous equation as follows

$$V^2u^3 = U^3v^2 - BU^4f^2u - CV^2U^3.$$

From this equation we see that $U^3 \mid V^2u^3$, therefore $U^3 \mid V^2$ and $U^3 = V^2$ as required. Finally, let $r = V/U$ so that

$$r^2 = \frac{V^2}{U^2} = \frac{U^3}{U^2} = U \quad \text{and} \quad r^3 = \frac{V^3}{U^3} = \frac{V^3}{V^2} = V.$$

Therefore, we have $x = u/U = u/r^2$ and $y = v/V = v/r^3$ in their required forms. The strategy for the remainder of the proof is to find upper bounds on $u, v$ and $r$ which depend only on $B, C$ and $P_0 = (x_0,y_0)$; this will allow us to find an upper bound on $h(P + P_0)$ which does not depend on $P$. Substituting our new forms for $x$ and $y$ into the equation for the height of $P = (x,y)$ we obtain

$$H(P) = H\left(\frac{u}{r^2}, \frac{v}{r^3}\right) = H\left(\frac{u}{r^2}\right) = \max\{|u|, |r^2|\}.$$

This provides us with the following upper bounds on $|u|$ and $|r|$:

$$|u| \le H(P), \qquad |r| \le H(P)^{1/2}. \tag{2.12}$$

Our next goal is to find an upper bound on $v$ in terms of $H(P)$. To do this we note that since the point $P = (x,y)$ lies on $E/\mathbb{Q}$ we can also substitute $x = u/r^2$ and $y = v/r^3$ into the short Weierstrass equation for $E/\mathbb{Q}$. After cancelling denominators we obtain

$$v^2 = u^3 + Bur^4 + Cr^6.$$

Taking the absolute value of both sides, we can then use equation (2.12) and the triangle inequality to show that

$$|v^2| \le |u^3| + |Bur^4| + |Cr^6| \le H(P)^3 + |B|H(P)^3 + |C|H(P)^3.$$

From this inequality we see that there is a constant $K = \sqrt{1 + |B| + |C|} > 0$ depending only on $B$ and $C$ such that

$$|v| \le KH(P)^{3/2}, \quad \text{for all } P = \left(\frac{u}{r^2}, \frac{v}{r^3}\right) \in E(\mathbb{Q}). \tag{2.13}$$

We shall now use bounds (2.12) and (2.13) to find an upper bound on the x-coordinate of $P + P_0$ which depends only on $B, C$ and $P_0$. Let $P_0 = (x_0,y_0) \in E(\mathbb{Q})$ and let $x'$ denote the x-coordinate of the point $P + P_0$. Using Theorem 6 we can find an explicit formula for $x'$ in terms of $x, y, x_0$ and $y_0$:

$$x' = \left(\frac{y - y_0}{x - x_0}\right)^2 - x - x_0 = \frac{(y_0 - y)^2 - (x_0 - x)^2(x + x_0)}{(x_0 - x)^2}.$$

Upon expanding this fraction a $y^2 - x^3$ term appears in the numerator; we can use the fact that the point $P$ satisfies the short Weierstrass equation for $E$ by substituting $Bx + C$ in for $y^2 - x^3$. From this we obtain an equation of the form

$$x' = \frac{ay + bx^2 + cx + d}{ex^2 + fx + g},$$

where $a, \ldots, g$ depend only on $B, C, x_0$ and $y_0$. Furthermore, we can ensure $a, b, \ldots, g$ are all integers by multiplying the numerator and denominator by their least common denominator. We can then use our previous representation of the point $P = (x,y)$ as $(u/r^2, v/r^3)$ to rewrite the previous equation as follows

$$x' = \frac{avr + bu^2 + cur^2 + dr^4}{eu^2 + fur^2 + gr^4}.$$

This expression for $x'$ may not be in lowest terms, but cancellation can only decrease the height of $x'$, so

$$H(P + P_0) = H(x') \le \max\{|avr + bu^2 + cur^2 + dr^4|,\ |eu^2 + fur^2 + gr^4|\}.$$

It is important to note that once the curve $E/\mathbb{Q}$ and the point $P_0$ are fixed this inequality holds for all points $P$. Using the bounds (2.12), (2.13) and the triangle inequality we obtain

$$|avr + bu^2 + cur^2 + dr^4| \le |avr| + |bu^2| + |cur^2| + |dr^4| \le (|aK| + |b| + |c| + |d|)H(P)^2,$$

and

$$|eu^2 + fur^2 + gr^4| \le |eu^2| + |fur^2| + |gr^4| \le (|e| + |f| + |g|)H(P)^2.$$

Then, combining both of these inequalities we find that

$$H(P + P_0) = H(x') \le \max\{|aK| + |b| + |c| + |d|,\ |e| + |f| + |g|\}H(P)^2.$$

Finally, taking logarithms of both sides we obtain the desired upper bound

$$h(P + P_0) \le 2h(P) + \kappa_0,$$

where the constant

$$\kappa_0 = \log\left(\max\{|aK| + |b| + |c| + |d|,\ |e| + |f| + |g|\}\right)$$

depends only on $B, C$ and the point $P_0 = (x_0,y_0)$, as required.

2.4.3 Bounding the Height of [2]P

We now aim to prove the third and final lemma related to the height function, which establishes that the height of a doubled point is at least four times the height of the original point, up to a constant depending only on the curve. This is the penultimate assumption used in the Descent Theorem at the end of this section.

Lemma 4. Let $E/\mathbb{Q}$ be an elliptic curve, where $E : y^2 = x^3 + Ax^2 + Bx + C$ for some constants $A, B$ and $C$. There is a constant $\kappa$ depending only on $A, B$ and $C$ such that $h([2]P) \ge 4h(P) - \kappa$ for all $P \in E(\mathbb{Q})$.

Proof. We want to prove the desired bound on the height of a doubled point $[2]P$ for a potentially infinite number of points $P$. Note that we do not need to prove this bound for the finitely many points $P$ with $[2]P = O$, because in this finite case we can simply compute $4h(P) - h([2]P)$ for each such point and take $\kappa$ as large as needed to ensure the bound holds for all of them. Let $P = (x, y)$ be a point on the elliptic curve $E/\mathbb{Q}$, where $E : y^2 = f(x) = x^3 + Ax^2 + Bx + C$ for some constants $A, B$ and $C$, with $[2]P \ne O$. Let $\xi$ denote the $x$-coordinate of $[2]P$. We can use the duplication formula derived in Corollary 3 to obtain an explicit formula for $\xi$ in terms of $x$,

$$\xi = \frac{f'(x)^2 - (8x + 4A)\, f(x)}{4 f(x)} = \frac{x^4 + \cdots}{4x^3 + \cdots},$$

where $f(x) \ne 0$ since we assumed $[2]P \ne O$. If we write the numerator and denominator of $\xi$ as $\phi(x)$ and $\psi(x)$ respectively, both are polynomials in $x$ with integer coefficients. Since $E/\mathbb{Q}$ is smooth by definition, its Weierstrass form $y^2 = f(x)$ is non-singular, so $f(x)$ and $f'(x)$ have no common complex roots; a common root of $\phi$ and $\psi = 4f$ would be a common root of $f$ and $f'$, so $\phi$ and $\psi$ have no common roots either. From the definition of the height function we have $h(P) = h(x)$ and $h([2]P) = h(\xi)$. Our goal is to prove that the following bound holds for all points $P$:
$$h([2]P) = h(\xi) = h\left(\frac{\phi(x)}{\psi(x)}\right) \ge 4h(x) - \kappa. \tag{2.14}$$
To do this we state and prove the following sublemma, of which Lemma 4 is a special case.

Lemma 4.1. Let $\phi(X)$ and $\psi(X)$ be polynomials with integer coefficients and no common complex roots. Let $d$ be the maximum of the degrees of $\phi$ and $\psi$. Then,

(a) There is an integer $R \ge 1$, depending on $\phi$ and $\psi$, such that for all rational numbers $m/n$ with $\gcd(m, n) = 1$,
$$\gcd\left(n^d \phi\left(\tfrac{m}{n}\right),\ n^d \psi\left(\tfrac{m}{n}\right)\right) \ \text{divides}\ R.$$

(b) There is a constant $\kappa_1$, depending on $\phi$ and $\psi$, such that for all rational numbers $m/n$ that are not roots of $\psi$,
$$d\, h\left(\frac{m}{n}\right) - \kappa_1 \le h\left(\frac{\phi(m/n)}{\psi(m/n)}\right).$$

Proof. (a) First note that $\phi$ and $\psi$ are interchangeable, so without loss of generality we take $\deg(\phi) = d$ and $\deg(\psi) = e$, where $e \le d$. Since both have degree at most $d$, $n^d \phi(m/n)$ and $n^d \psi(m/n)$ are integers, hence they have a greatest common divisor. The strategy of this proof is to show that there is not too much cancellation when taking the quotient of these two integers, by finding an upper bound on their greatest common divisor which does not depend on $m$ or $n$. Writing $\phi, \psi \in \mathbb{Z}[X]$ with integer coefficients $a_0, \dots, a_d$ and $b_0, \dots, b_e$, let
$$\Phi(m, n) = n^d \phi\left(\frac{m}{n}\right) = a_0 m^d + a_1 m^{d-1} n + \cdots + a_d n^d \in \mathbb{Z}, \tag{2.15}$$
and similarly
$$\Psi(m, n) = n^d \psi\left(\frac{m}{n}\right) = b_0 m^e n^{d-e} + b_1 m^{e-1} n^{d-e+1} + \cdots + b_e n^d \in \mathbb{Z}.$$
Here we have multiplied throughout by $n^d$ to cancel the denominators of $\phi(m/n)$ and $\psi(m/n)$, since both have degree at most $d$. Next, let
$$\gamma = \gcd\left(\Phi(m, n), \Psi(m, n)\right).$$

Our goal is to find a positive integer $R$, not depending on $m$ or $n$, which $\gamma$ divides. Since $\phi(X)$ and $\psi(X)$ have no common complex roots they have no common factors, hence they are relatively prime in $\mathbb{Q}[X]$. Therefore we can find polynomials $F(X)$ and $G(X)$ with rational coefficients such that
$$F(X)\phi(X) + G(X)\psi(X) = 1. \tag{2.16}$$
To cancel the denominators of $F(X)$ and $G(X)$ we multiply both sides of (2.16) by a sufficiently large integer $A$, so that $AF(X)$ and $AG(X)$ have integer coefficients. Let $D$ be the maximum of the degrees of $F$ and $G$; neither $A$ nor $D$ depends on $m$ or $n$. Evaluating (2.16) at $X = m/n$ and multiplying by $A n^{D+d}$ gives
$$\underbrace{n^D A F\left(\tfrac{m}{n}\right)}_{\text{integer}} \cdot \underbrace{n^d \phi\left(\tfrac{m}{n}\right)}_{\Phi} + \underbrace{n^D A G\left(\tfrac{m}{n}\right)}_{\text{integer}} \cdot \underbrace{n^d \psi\left(\tfrac{m}{n}\right)}_{\Psi} = A n^{D+d}.$$
Recall that $\gamma$ divides both $\Phi$ and $\Psi$; from the previous equation it follows that $\gamma$ also divides $A n^{D+d}$. This is not quite what we want, since we need $\gamma$ to divide a positive integer which does not depend on $m$ or $n$. We now use the fact that $\gamma$ divides $A n^{D+d}$ to show that $\gamma$ also divides $A a_0^{D+d}$, where $a_0$ is the leading coefficient of $\phi(X)$. Multiplying equation (2.15) throughout by $A n^{D+d-1}$ produces

$$\underbrace{A n^{D+d-1}\,\Phi(m, n)}_{\text{multiple of } \gamma} = A a_0 m^d n^{D+d-1} + \underbrace{A n^{D+d} \cdot a_1 m^{d-1}}_{\text{multiple of } \gamma} + \cdots + \underbrace{A n^{D+d} \cdot a_d n^{d-1}}_{\text{multiple of } \gamma}.$$
Here $n^{D+d}$ appears as a factor in every term on the right hand side except the first one. Since $\gamma$ divides both $\Phi(m, n)$ and $A n^{D+d}$, it also divides the first term $A a_0 m^d n^{D+d-1}$. Hence

$$\gamma \ \text{divides}\ \gcd\left(A n^{D+d},\ A a_0 m^d n^{D+d-1}\right) = A n^{D+d-1} \gcd\left(n, a_0 m^d\right).$$

Since $\gcd(m, n) = 1$, $\gcd(n, a_0 m^d)$ divides $a_0$, so $\gamma$ divides $A a_0 n^{D+d-1}$. We now repeat this argument, multiplying both sides of equation (2.15) by $A a_0 n^{D+d-2}$ to show that $\gamma$ divides $A a_0^2 n^{D+d-2}$, and so on, reducing the power of $n$ and increasing the power of $a_0$ at each step. After $D + d$ steps we conclude that $\gamma$ divides $R = |A a_0^{D+d}|$, a positive integer not depending on $m$ or $n$.

(b) As in the proof of (a) we first note that $\phi$ and $\psi$ are interchangeable, since $h(z) = h(1/z)$ for any non-zero rational $z$ by the definition of $h$. So we may assume that $\phi$ has degree $d$ and $\psi$ has degree $e \le d$. Let $m/n$ be a rational number in lowest terms that is not a root of $\psi$. We aim to find a lower bound on the height of the rational number $\xi$, where
$$\xi = \frac{n^d \phi(m/n)}{n^d \psi(m/n)} = \frac{\Phi(m, n)}{\Psi(m, n)}.$$

Recall that $H(\xi)$ is the maximum of $|\Phi(m, n)|$ and $|\Psi(m, n)|$ once any common factor of these two integers has been cancelled. Cancelling common factors can only reduce the height of $\xi$, which works against a lower bound, so we must ask by how much $H(\xi)$ could be reduced by such cancellation. Let $\gamma$ denote the greatest common divisor of $\Phi(m, n)$ and $\Psi(m, n)$. We can use the integer $R \ge 1$ found in (a) to bound the cancellation due to $\gamma$: since $\gamma$ divides $R$ we have $\gamma \le R$, so
$$H(\xi) \ge \frac{1}{R}\max\left\{|\Phi(m, n)|, |\Psi(m, n)|\right\} = \frac{1}{R}\max\left\{\left|n^d \phi\left(\tfrac{m}{n}\right)\right|, \left|n^d \psi\left(\tfrac{m}{n}\right)\right|\right\} \ge \frac{1}{2R}\left(\left|n^d \phi\left(\tfrac{m}{n}\right)\right| + \left|n^d \psi\left(\tfrac{m}{n}\right)\right|\right),$$
where the last inequality follows from the trivial fact that $\max\{a, b\} \ge \tfrac{1}{2}(a + b)$ for any two real numbers $a$ and $b$. Dividing both sides by $H(m/n)^d = \max\{|m|^d, |n|^d\}$ we obtain

$$\frac{H(\xi)}{H(m/n)^d} \ge \frac{1}{2R}\left(\frac{\left|n^d \phi(m/n)\right| + \left|n^d \psi(m/n)\right|}{\max\{|m|^d, |n|^d\}}\right). \tag{2.17}$$
To simplify the fraction on the right hand side of (2.17) we divide the top and bottom by $|n|^d$ to obtain
$$\frac{H(\xi)}{H(m/n)^d} \ge \frac{1}{2R} \cdot \frac{|\phi(m/n)| + |\psi(m/n)|}{\max\{|m/n|^d, 1\}}.$$
So, writing $t = m/n$, we consider the real-valued function
$$p(t) = \frac{|\phi(t)| + |\psi(t)|}{\max\{|t|^d, 1\}}.$$

To prove the desired inequality between $H(\xi)$ and $H(m/n)^d$ we first show that $p(t)$ is bounded below by a positive constant $C_1$. The function $p$ is continuous on $\mathbb{R}$, and $p(t) > 0$ for every $t$, because $\phi$ and $\psi$ have no common root. Recall that $e \le d$; there are two cases for the limit as $|t| \to \infty$. If $e < d$ then $p(t) \to |a_0| > 0$, the absolute value of the leading coefficient of $\phi$. If $e = d$ then $p(t) \to |a_0| + |b_0| > 0$, where $b_0$ is the leading coefficient of $\psi$. In either case $p$ is bounded below by a positive constant outside some bounded closed interval $I \subset \mathbb{R}$, and on $I$ the continuous positive function $p$ attains a positive minimum by the Extreme Value Theorem. Hence there is a constant $C_1 > 0$ with $p(t) \ge C_1$ for all $t \in \mathbb{R}$. Returning to (2.17) we have

$$\frac{H(\xi)}{H(m/n)^d} \ge \frac{p(m/n)}{2R} \ge \frac{C_1}{2R}.$$

Rearranging this we find
$$H(\xi) \ge \frac{C_1}{2R}\, H(m/n)^d.$$
Finally, taking logarithms of both sides we obtain

$$h(\xi) \ge d\, h(m/n) - \kappa_1,$$
where the constant $\kappa_1 = \log(2R/C_1)$ depends only on $\phi$ and $\psi$, as required.

We will now show that Lemma 4 is indeed a special case of Lemma 4.1. Let $E/\mathbb{Q}$ be an elliptic curve in medium Weierstrass form with constants $A, B$ and $C$ defined as usual, and let $P = (x, y) \in E(\mathbb{Q})$ with $[2]P \ne O$. Take $\phi$ and $\psi$ to be the numerator and denominator of $\xi = x([2]P)$ as above; they have integer coefficients and no common roots. We showed that $\deg \phi = 4 = d$, so applying Lemma 4.1 (b) gives
$$h([2]P) = h(\xi) = h\left(\frac{\phi(x)}{\psi(x)}\right) \ge 4h(x) - \kappa_1 = 4h(P) - \kappa_1,$$
where $\kappa_1$ depends only on $\phi$ and $\psi$, and consequently only on the constants $A, B$ and $C$, as required.

2.4.4 The Subgroup of Points of Order 2

We now aim to investigate the index of $2E(\mathbb{Q})$ in $E(\mathbb{Q})$; our main tool for this is Corollary 3 (the duplication formula). The general strategy is to write the degree four map $P \mapsto [2]P$ as a composition of two degree two maps, each of which is easier to work with. The first, denoted $\phi_1$, maps points from the original curve $E_1$ to a second curve $E_2$. The second, denoted $\phi_2$, maps points from $E_2$ to another curve $E_3$, which we then prove is isomorphic to the original curve $E_1$ via a map $\Phi$. This factorisation of the map $P \mapsto [2]P$ can be described as follows:
$$E_1 \xrightarrow{\ \phi_1\ } E_2 \xrightarrow{\ \phi_2\ } E_3 \xrightarrow{\ \Phi\ } E_1, \qquad E_3 \cong E_1. \tag{2.18}$$

Lemma 5. Let $E/\mathbb{Q}$ be an elliptic curve. The subgroup $2E(\mathbb{Q})$ has finite index in $E(\mathbb{Q})$.

Proof.[7] Let $E_1/\mathbb{Q}$ be an elliptic curve $y^2 = f(x)$ whose cubic $f(x)$ has a rational root $x_0$.

With a change of coordinates we can move the point $(x_0, 0)$ to the origin, so that
$$E_1 : y^2 = f(x) = x^3 + A_1 x^2 + B_1 x,$$
and $T = (0, 0) \in E_1(\mathbb{Q})$ satisfies $[2]T = O$. Let a second elliptic curve $E_2/\mathbb{Q}$ be given by the equation

$$E_2 : y^2 = x^3 + A_2 x^2 + B_2 x, \qquad \text{where } A_2 = -2A_1 \text{ and } B_2 = A_1^2 - 4B_1.$$

[7] To avoid the requirement for a background in algebraic number theory we have made the assumption that the polynomial $f(x)$ has at least one rational root. The reader familiar with the unit group and ideal class group of a number field may prefer the proof in Chapter 8 of [31].

This choice of curve may at first seem arbitrary, but if we apply the same process again to produce the curve $E_3$ it becomes clear why $E_3$ is in fact isomorphic to the original curve $E_1$. Let
$$E_3 : y^2 = x^3 + A_3 x^2 + B_3 x,$$
where

$$A_3 = -2A_2 = 4A_1 \quad \text{and} \quad B_3 = A_2^2 - 4B_2 = 4A_1^2 - 4\left(A_1^2 - 4B_1\right) = 16B_1.$$

Hence, we can rewrite $E_3$ as follows:

$$E_3 : y^2 = x^3 + 4A_1 x^2 + 16B_1 x.$$

In the following sublemma we define the maps $\phi_1$ and $\phi_2$, prove that they are homomorphisms, and prove that their composition $\phi_2 \circ \phi_1$ does indeed map points $P \in E_1$ to $[2]P \in E_3 \cong E_1$.

Lemma 5.1. Let $E_1$ and $E_2$ be elliptic curves given by the equations

$$E_1 : y^2 = x^3 + A_1 x^2 + B_1 x \quad \text{and} \quad E_2 : y^2 = x^3 + A_2 x^2 + B_2 x, \tag{2.19}$$
where $A_2 = -2A_1$ and $B_2 = A_1^2 - 4B_1$.

Let $T = (0, 0) \in E_1$ and $T_2 = (0, 0) \in E_2$.

(a) There is a homomorphism $\phi_1 : E_1 \to E_2$ with kernel $\{O_1, T\}$, defined for $P_1 = (x_1, y_1) \in E_1(\mathbb{Q})$ by
$$\phi_1(P_1) = \begin{cases} \left(\dfrac{y_1^2}{x_1^2},\ \dfrac{y_1\left(x_1^2 - B_1\right)}{x_1^2}\right) & \text{if } P_1 \ne O_1, T, \\[2ex] O_2 & \text{if } P_1 = O_1 \text{ or } P_1 = T. \end{cases} \tag{2.20}$$

(b) The same formula with $A_2, B_2$ in place of $A_1, B_1$ defines a homomorphism $E_2 \to E_3$ with kernel $\{O_2, T_2\}$, and $E_3$ is isomorphic to $E_1$ via $\Phi : (x, y) \mapsto (x/4, y/8)$. Composing the two gives a homomorphism $\phi_2 : E_2 \to E_1$, defined for $P_2 = (x_2, y_2) \in E_2(\mathbb{Q})$ by
$$\phi_2(P_2) = \begin{cases} \left(\dfrac{y_2^2}{4x_2^2},\ \dfrac{y_2\left(x_2^2 - B_2\right)}{8x_2^2}\right) & \text{if } P_2 \ne O_2, T_2, \\[2ex] O_1 & \text{if } P_2 = O_2 \text{ or } P_2 = T_2. \end{cases} \tag{2.21}$$

(c) The composition $\phi_2 \circ \phi_1 : E_1 \to E_1$ is the multiplication by two map, $\phi_2 \circ \phi_1(P) = [2]P$ for all $P \in E_1(\mathbb{Q})$; likewise $\phi_1 \circ \phi_2(P') = [2]P'$ for all $P' \in E_2(\mathbb{Q})$.

Proof. (a) We first need to show that $\phi_1$ is well defined. Let $\phi_1(P_1) = (x_2, y_2)$. If $P_1 = O_1$ or $T$ then we are done. Otherwise $(x_2, y_2)$ satisfies equation (2.19) for $E_2$, since

$$\begin{aligned} x_2^3 + A_2 x_2^2 + B_2 x_2 &= x_2\left(x_2^2 - 2A_1 x_2 + A_1^2 - 4B_1\right) && \text{since } A_2 = -2A_1,\ B_2 = A_1^2 - 4B_1 \\ &= \frac{y_1^2}{x_1^2}\left(\frac{y_1^4}{x_1^4} - 2A_1\frac{y_1^2}{x_1^2} + A_1^2 - 4B_1\right) && \text{substituting } y_1^2/x_1^2 \text{ for } x_2 \\ &= \frac{y_1^2}{x_1^2}\left(\frac{\left(y_1^2 - A_1 x_1^2\right)^2 - 4B_1 x_1^4}{x_1^4}\right) \\ &= \frac{y_1^2}{x_1^6}\left(\left(x_1^3 + B_1 x_1\right)^2 - 4B_1 x_1^4\right) && \text{since } y_1^2 - A_1 x_1^2 = x_1^3 + B_1 x_1 \\ &= \frac{y_1^2}{x_1^4}\left(x_1^2 - B_1\right)^2 = \left(\frac{y_1\left(x_1^2 - B_1\right)}{x_1^2}\right)^2 = y_2^2. \end{aligned}$$

So, in all cases $\phi_1$ does indeed map points on $E_1$ to points on $E_2$, as required. We also need to show that $\phi_1$ is a homomorphism, meaning

$$\phi_1\left(P + P'\right) = \phi_1(P) + \phi_1\left(P'\right) \quad \text{for all } P, P' \in E_1.$$

This amounts to checking several cases. When $P = O_1$ we see that

$$\phi_1\left(P + P'\right) = \phi_1\left(O_1 + P'\right) = \phi_1\left(P'\right) = \phi_1(P) + \phi_1\left(P'\right)$$

trivially, and the same argument holds in the case $P' = O_1$. If one of $P$ or $P'$ is $T$, say $P' = T$, we need to show that $\phi_1(P + T) = \phi_1(P)$, since we defined $\phi_1(T) = O_2$. Using Theorem 6 we see that if $P = (x, y) \in E_1(\mathbb{Q})$ with $P \ne O_1, T$, then
$$P + T = (x, y) + (0, 0) = \left(\frac{B_1}{x},\ -\frac{B_1 y}{x^2}\right).$$

Applying $\phi_1$ we obtain

$$\phi_1(P + T) = \left(\frac{B_1^2 y^2 / x^4}{B_1^2 / x^2},\ \frac{-\left(B_1 y / x^2\right)\left(B_1^2 / x^2 - B_1\right)}{B_1^2 / x^2}\right) = \left(\frac{y^2}{x^2},\ \frac{y\left(x^2 - B_1\right)}{x^2}\right) = \phi_1(P),$$
as required. If both $P$ and $P'$ are $T$ then we have

$$\phi_1(T + T) = \phi_1(O_1) = O_2 = O_2 + O_2 = \phi_1(T) + \phi_1(T).$$

Moreover, note that $\phi_1$ preserves the negation of points, since
$$\phi_1(-P) = \phi_1(x, -y) = \left(\frac{y^2}{x^2},\ \frac{-y\left(x^2 - B_1\right)}{x^2}\right) = -\phi_1(x, y) = -\phi_1(P).$$

Finally, let $P_1, P_2, P_3 \in E_1(\mathbb{Q})$, with none of the three points equal to $O_1$ or $T$. We aim to show that if $P_1 + P_2 + P_3 = O_1$ then $\phi_1(P_1) + \phi_1(P_2) + \phi_1(P_3) = O_2$, as we can then conclude that $\phi_1$ is a homomorphism: in this case

$$\phi_1(P_1 + P_2) = \phi_1(-P_3) = -\phi_1(P_3) = \phi_1(P_1) + \phi_1(P_2).$$

Recall that if $P_1 + P_2 + P_3 = O_1$ then $P_1, P_2$ and $P_3$ are collinear by Corollary 2. Let $L_1 : y = \lambda_1 x + \nu_1$ be the line through $P_1, P_2$ and $P_3$. Note that $\nu_1 \ne 0$: a line through the origin meets $E_1$ at $T$, which would then have to be one of the three intersection points $P_1, P_2, P_3$, contrary to assumption. We aim to find a corresponding line $L_2$ through the points $\phi_1(P_1), \phi_1(P_2)$ and $\phi_1(P_3)$ on $E_2$. For this we use the line

$$L_2 : y = \lambda_2 x + \nu_2, \qquad \text{where } \lambda_2 = \frac{\nu_1 \lambda_1 - B_1}{\nu_1} \ \text{ and } \ \nu_2 = \frac{\nu_1^2 - A_1 \nu_1 \lambda_1 + B_1 \lambda_1^2}{\nu_1}.$$

We check that $\phi_1(P_1)$ lies on the line $L_2$; the other two points are handled identically. Let $\phi_1(P_1) = \phi_1(x_1, y_1) = (x_2, y_2)$. Substituting $x_2$ into the equation for $L_2$ gives

$$\begin{aligned} \lambda_2 x_2 + \nu_2 &= \frac{\nu_1 \lambda_1 - B_1}{\nu_1} \cdot \frac{y_1^2}{x_1^2} + \frac{\nu_1^2 - A_1 \nu_1 \lambda_1 + B_1 \lambda_1^2}{\nu_1} \\ &= \frac{\left(\nu_1 \lambda_1 - B_1\right) y_1^2 + \left(\nu_1^2 - A_1 \nu_1 \lambda_1 + B_1 \lambda_1^2\right) x_1^2}{\nu_1 x_1^2} \\ &= \frac{\nu_1 \lambda_1\left(y_1^2 - A_1 x_1^2\right) - B_1\left(y_1 - \lambda_1 x_1\right)\left(y_1 + \lambda_1 x_1\right) + \nu_1^2 x_1^2}{\nu_1 x_1^2}. \end{aligned}$$

Then, using the facts that $y_1 - \lambda_1 x_1 = \nu_1$ and $y_1^2 - A_1 x_1^2 = x_1^3 + B_1 x_1$, since $P_1$ lies on both the line $L_1$ and the curve $E_1$, we obtain

$$\lambda_2 x_2 + \nu_2 = \frac{\lambda_1\left(x_1^3 + B_1 x_1\right) - B_1\left(y_1 + \lambda_1 x_1\right) + \nu_1 x_1^2}{x_1^2} = \frac{x_1^2\left(\lambda_1 x_1 + \nu_1\right) - B_1 y_1}{x_1^2} = \frac{\left(x_1^2 - B_1\right) y_1}{x_1^2} = y_2.$$

This same computation applies for the points $\phi_1(P_2)$ and $\phi_1(P_3)$, hence $\phi_1$ is a homomorphism, as required.

(b) The previous argument also proves that the map $E_2 \to E_3$ is a homomorphism, since its definition is that of $\phi_1$ with $A_1$ and $B_1$ replaced by $A_2$ and $B_2$ respectively. To see that $E_3$ is isomorphic to our original curve $E_1$, substitute $x = 4X$ and $y = 8Y$ into the equation for $E_3$ and divide the resulting equation by $64$:

$$\begin{aligned} E_3 : \quad y^2 &= x^3 + 4A_1 x^2 + 16B_1 x \\ 64Y^2 &= 64X^3 + 64A_1 X^2 + 64B_1 X \\ Y^2 &= X^3 + A_1 X^2 + B_1 X. \end{aligned}$$

The last equation is $E_1$, so $\Phi : (x, y) \mapsto (x/4, y/8)$ is an isomorphism $E_3 \to E_1$, and $\phi_2$, the composition of the map $E_2 \to E_3$ with $\Phi$, is a homomorphism $E_2 \to E_1$.

(c) It remains to show that $\phi_2 \circ \phi_1(P) = [2]P$ for all points $P \in E_1(\mathbb{Q})$. It is easy to check that this holds for $P = O_1$ and $P = T$. Otherwise, let $P = (x, y)$. Using Corollary 3 we obtain

$$[2]P = \left(\frac{\left(x^2 - B_1\right)^2}{4y^2},\ \frac{\left(x^2 - B_1\right)\left(x^4 + 2A_1 x^3 + 6B_1 x^2 + 2A_1 B_1 x + B_1^2\right)}{8y^3}\right).$$

Then, from the definition of $\phi_1$ we have

$$\phi_1(P) = \phi_1(x, y) = \left(\frac{y^2}{x^2},\ \frac{y\left(x^2 - B_1\right)}{x^2}\right).$$

Applying $\phi_2$, and using the fact that $B_2 = A_1^2 - 4B_1$, we can compute the desired composition as follows:

$$\phi_2 \circ \phi_1(P) = \phi_2\left(\frac{y^2}{x^2},\ \frac{y\left(x^2 - B_1\right)}{x^2}\right) = \left(\frac{\left(\dfrac{y\left(x^2 - B_1\right)}{x^2}\right)^2}{4\left(\dfrac{y^2}{x^2}\right)^2},\ \frac{\dfrac{y\left(x^2 - B_1\right)}{x^2}\left(\dfrac{y^4}{x^4} - \left(A_1^2 - 4B_1\right)\right)}{8\left(\dfrac{y^2}{x^2}\right)^2}\right)$$

$$= \left(\frac{\left(x^2 - B_1\right)^2}{4y^2},\ \frac{\left(x^2 - B_1\right)\left(y^4 - \left(A_1^2 - 4B_1\right)x^4\right)}{8y^3 x^2}\right).$$

Using the fact that $y^4 = x^2\left(x^2 + A_1 x + B_1\right)^2$, so that $y^4 - \left(A_1^2 - 4B_1\right)x^4 = x^2\left(x^4 + 2A_1 x^3 + 6B_1 x^2 + 2A_1 B_1 x + B_1^2\right)$, we conclude that

$$\phi_2 \circ \phi_1(P) = [2]P. \tag{2.22}$$

By part (a) we know that $\phi_1$ is a homomorphism, hence

$$\phi_1([2]P) = \phi_1(P + P) = \phi_1(P) + \phi_1(P) = [2]\phi_1(P).$$

Combining this with equation (2.22) we have that

$$\phi_1 \circ \phi_2\left(\phi_1(P)\right) = [2]\phi_1(P).$$

Now $\phi_1$ is a non-constant rational map between curves, so it is surjective on points with coordinates in the algebraic closure $\overline{\mathbb{Q}}$ (it is not in general surjective on rational points; that is the point of Lemma 5.2 below). Hence for any $P' \in E_2$ we can find a point $P \in E_1(\overline{\mathbb{Q}})$ with $\phi_1(P) = P'$, and therefore

$$\phi_1 \circ \phi_2\left(P'\right) = [2]P'$$
holds as an identity of maps on $E_2$; in particular it holds for all $P' \in E_2(\mathbb{Q})$, as required.
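The identities of Lemma 5.1 can be checked numerically. The following Python script is an added example, not code from the thesis: it implements $\phi_1$, $\phi_2$ (including the scaling $\Phi$) and the duplication formula quoted in part (c) with exact rational arithmetic, on the assumed sample curve $E_1 : y^2 = x^3 + 5x$ ($A_1 = 0$, $B_1 = 5$, so that $E_2 : y^2 = x^3 - 20x$) and the constructed rational point $P = (1/4, 9/8)$, and verifies $\phi_1(P + T) = \phi_1(P)$, $\phi_2(\phi_1(P)) = [2]P$ and the square test of Lemma 5.2 (3). The curve, the point and all function names are this example's own choices.

```python
from fractions import Fraction as Fr
from math import isqrt

# Added example, not code from the thesis: the maps phi_1, phi_2 of Lemma 5.1 on one
# concrete pair of curves, checked against the duplication formula of part (c).
# Assumed sample curve E1 : y^2 = x^3 + A1 x^2 + B1 x with A1 = 0, B1 = 5, and the
# constructed rational point P = (1/4, 9/8) on it; None stands for the point at infinity.
A1, B1 = Fr(0), Fr(5)
A2, B2 = -2 * A1, A1 * A1 - 4 * B1          # E2 : y^2 = x^3 + A2 x^2 + B2 x


def sample_point():
    """The constructed point P = (1/4, 9/8) on E1 (not a torsion point)."""
    return (Fr(1, 4), Fr(9, 8))


def on_curve(A, B, P):
    """True if P = (x, y) satisfies y^2 = x^3 + A x^2 + B x (O always does)."""
    if P is None:
        return True
    x, y = P
    return y * y == x**3 + A * x * x + B * x


def isogeny(B, P):
    """The raw degree-2 map (2.20): (x, y) -> (y^2/x^2, y(x^2 - B)/x^2), with O, (0,0) -> O."""
    if P is None or P == (0, 0):
        return None
    x, y = P
    return (y * y / (x * x), y * (x * x - B) / (x * x))


def phi1(P):
    """phi_1 : E1 -> E2."""
    return isogeny(B1, P)


def phi2(P):
    """phi_2 : E2 -> E1, i.e. the raw map into E3 followed by Phi : (x, y) -> (x/4, y/8)."""
    Q = isogeny(B2, P)
    if Q is None:
        return None
    x, y = Q
    return (x / 4, y / 8)


def double(P):
    """[2]P on E1 from the duplication formula quoted in the proof of (c)."""
    if P is None:
        return None
    x, y = P
    if y == 0:
        return None                              # points of order two
    num = x**4 + 2 * A1 * x**3 + 6 * B1 * x * x + 2 * A1 * B1 * x + B1 * B1
    return ((x * x - B1)**2 / (4 * y * y), (x * x - B1) * num / (8 * y**3))


def add_T(P):
    """P + T for T = (0, 0) and P != O, T: the formula (B1/x, -B1 y/x^2) from the proof of (a)."""
    x, y = P
    return (B1 / x, -B1 * y / (x * x))


def is_rational_square(q):
    """Whether the non-negative Fraction q is the square of a rational number (Lemma 5.2 (3))."""
    if q < 0:
        return False
    n, d = q.numerator, q.denominator
    return isqrt(n)**2 == n and isqrt(d)**2 == d


def check(P):
    """Verify the identities of Lemma 5.1 for P and return (phi1(P), [2]P)."""
    assert on_curve(A1, B1, P)
    Q = phi1(P)
    assert on_curve(A2, B2, Q)                   # (a): phi_1 lands on E2
    assert phi1(add_T(P)) == Q                   # (a): phi_1(P + T) = phi_1(P), T is in the kernel
    assert on_curve(A1, B1, phi2(Q))             # (b): phi_2 lands back on E1
    assert phi2(Q) == double(P)                  # (c): phi_2(phi_1(P)) = [2]P
    assert is_rational_square(Q[0])              # Lemma 5.2 (3): x(phi_1(P)) is a rational square
    return Q, double(P)


if __name__ == "__main__":
    P = sample_point()
    Q, P2 = check(P)
    print("phi1(P) =", Q)
    print("[2]P    =", P2)
```

Because `Fraction` keeps every coordinate exact, the comparison `phi2(Q) == double(P)` is a genuine equality of rational numbers, not a floating-point approximation; any algebraic slip in the formulas would surface as a failed assertion.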

Remark 14. Continuing with the notation from the previous results, one can prove the following three results related to the image of $\phi_1$.

Lemma 5.2. 1. $O_2 \in \phi_1(E_1(\mathbb{Q}))$.
2. $T_2 = (0, 0) \in \phi_1(E_1(\mathbb{Q}))$ if and only if $B_2 = A_1^2 - 4B_1$ is a perfect square.
3. Let $P' = (x', y') \in E_2(\mathbb{Q})$ with $x' \ne 0$. Then $P' \in \phi_1(E_1(\mathbb{Q}))$ if and only if $x'$ is the square of a rational number.

Proof. See Section 3.5 of [53].

Lemma 5.3. The indices $\left(E_2(\mathbb{Q}) : \phi_1(E_1(\mathbb{Q}))\right)$ and $\left(E_1(\mathbb{Q}) : \phi_2(E_2(\mathbb{Q}))\right)$ are finite.

Proof. See Section 3.5 of [53].

We are now ready to restate and prove Lemma 5.

Lemma 5. Let $E/\mathbb{Q}$ be an elliptic curve. The subgroup $2E(\mathbb{Q})$ has finite index in $E(\mathbb{Q})$.

Proof. Continuing with the notation from the previous results, recall from Lemma 5.3 that $\phi_2(E_2(\mathbb{Q}))$ has finite index in $E_1(\mathbb{Q})$. So let $a_1, \dots, a_n$ be representatives of the finitely many cosets of $\phi_2(E_2(\mathbb{Q}))$ in $E_1(\mathbb{Q})$. Similarly, let $b_1, \dots, b_m$ be representatives of the finitely many cosets of $\phi_1(E_1(\mathbb{Q}))$ in $E_2(\mathbb{Q})$. We will now show that the finite set

$$S = \{a_i + \phi_2(b_j) : 1 \le i \le n,\ 1 \le j \le m\}$$
contains a set of representatives for the cosets of $2E_1(\mathbb{Q})$ in $E_1(\mathbb{Q})$. Let $a \in E_1(\mathbb{Q})$; we aim to show that $a$ can be written as an element of $S$ plus an element of $2E_1(\mathbb{Q})$. First, choose $a_i$ so that $a - a_i \in \phi_2(E_2(\mathbb{Q}))$, say

$$a - a_i = \phi_2(b) \quad \text{for some } b \in E_2(\mathbb{Q}).$$

We know this is possible since $a_1, \dots, a_n$ are representatives of the cosets of $\phi_2(E_2(\mathbb{Q}))$. Then choose $b_j$ so that $b - b_j \in \phi_1(E_1(\mathbb{Q}))$, say

$$b - b_j = \phi_1(a') \quad \text{for some } a' \in E_1(\mathbb{Q}).$$
Finally observe that, since $\phi_2$ is a homomorphism and $\phi_2 \circ \phi_1 = [2]$ by Lemma 5.1 (c),

$$a = a_i + \phi_2(b) = a_i + \phi_2\left(b_j + \phi_1(a')\right) = a_i + \phi_2(b_j) + \phi_2\left(\phi_1(a')\right) = a_i + \phi_2(b_j) + [2]a'.$$
Hence every coset of $2E_1(\mathbb{Q})$ contains an element of the finite set $S$, so the index $\left(E_1(\mathbb{Q}) : 2E_1(\mathbb{Q})\right)$ is at most $nm$.

2.4.5 The Descent Theorem

We are now ready to use Lemmas 2, 3, 4 and 5 to prove that the group of points on an elliptic curve defined over the rationals is finitely generated. This result is widely known as the Descent Theorem because the proof follows a similar strategy to Fermat's method of infinite descent, which he famously used to show that some Diophantine equations have no solutions.

Theorem 7. (Descent Theorem). Let $E/\mathbb{Q}$ be an elliptic curve in short Weierstrass form, where $E : y^2 = x^3 + Ax + B$ for some constants $A$ and $B$. Suppose there exists a function

$$h : E(\mathbb{Q}) \longrightarrow [0, \infty)$$
with the following three properties:

(a) For every real number $M$, the set $\{P \in E(\mathbb{Q}) : h(P) \le M\}$ is finite.

(b) For every $P_0 \in E(\mathbb{Q})$ there is a constant $\kappa_0 \in \mathbb{R}$, depending on $P_0$, $A$ and $B$, such that $h(P + P_0) \le 2h(P) + \kappa_0$ for all $P \in E(\mathbb{Q})$.

(c) There is a constant $\kappa \in \mathbb{R}$, depending only on $E$, such that $h([2]P) \ge 4h(P) - \kappa$ for all $P \in E(\mathbb{Q})$.

Furthermore, suppose:

(d) The subgroup $2E(\mathbb{Q})$ has finite index in $E(\mathbb{Q})$.

Then the group of points $E(\mathbb{Q})$ is finitely generated.

Proof. Throughout this proof it is vital to use assumption (d): there are only finitely many cosets of $2E(\mathbb{Q})$ in $E(\mathbb{Q})$. Choosing representatives $Q_1, \dots, Q_n$ of these cosets, any point $P \in E(\mathbb{Q})$ lies in one of the $n$ cosets, so we can find an index $i_1$ depending on $P$ such that

$$P - Q_{i_1} \in 2E(\mathbb{Q}).$$
Hence, we can write

$$P - Q_{i_1} = [2]P_1 \tag{1}$$
for some $P_1 \in E(\mathbb{Q})$. The point $P_1$ must also lie in one of the $n$ cosets of $2E(\mathbb{Q})$, so we can repeat this process to obtain the following chain of $m$ equalities:

$$P_1 - Q_{i_2} = [2]P_2, \tag{2}$$

$$P_2 - Q_{i_3} = [2]P_3, \tag{3}$$
$$\vdots$$

$$P_{m-1} - Q_{i_m} = [2]P_m, \tag{m}$$
where $Q_{i_1}, \dots, Q_{i_m}$ are chosen from the coset representatives $Q_1, \dots, Q_n$ and $P_1, \dots, P_m$ are points of $E(\mathbb{Q})$. We now aim to combine this chain of equalities to write $P$ in terms of $Q_{i_1}, \dots, Q_{i_m}$ and $P_m$. From equation (1) we have that

$$P = Q_{i_1} + [2]P_1.$$

Substituting equation (2) into this yields

$$P = Q_{i_1} + [2]\left(Q_{i_2} + [2]P_2\right) = Q_{i_1} + [2]Q_{i_2} + [4]P_2.$$

We then repeat this process, substituting equation $(e)$ into the expression obtained so far for $e = 3, \dots, m$, to obtain

$$P = Q_{i_1} + [2]Q_{i_2} + [4]Q_{i_3} + \cdots + [2^{m-1}]Q_{i_m} + [2^m]P_m.$$

We have written $P$ as a linear combination of $Q_{i_1}, \dots, Q_{i_m}, P_m$, hence $P$ is in the subgroup of $E(\mathbb{Q})$ generated by the $Q_i$ and $P_m$. We now aim to show that if we choose $m$ large enough we can find a bound on $h(P_m)$ which does not depend on the initial point $P$. We will then take the finite set of points with height at most this bound, together with the $Q_i$, as our generators for $E(\mathbb{Q})$. To bound the height of $P_m$ we show that, as long as the heights stay above a fixed threshold, the sequence of points $P, P_1, P_2, \dots, P_m$ has decreasing height. Let $P_j$ be a point in this sequence (with $P_0 = P$). First, use assumption (b) $n$ times, with $-Q_i$ taking the place of $P_0$ for $i = 1, 2, \dots, n$, so that

$$h(P - Q_i) \le 2h(P) + \kappa_i \quad \text{for all } P \in E(\mathbb{Q}).$$

Recalling that property (d) implies there are only finitely many $Q_i$, we let $\kappa' = \max_i(\kappa_i)$, so that

$$h(P - Q_i) \le 2h(P) + \kappa' \quad \text{for all } P \in E(\mathbb{Q}) \text{ and all } 1 \le i \le n. \tag{2.23}$$
We then use assumption (c), which provides a constant $\kappa$ such that

$$4h(P_j) \le h([2]P_j) + \kappa.$$
From the chain of equalities above, $[2]P_j = P_{j-1} - Q_{i_j}$, so this means
$$4h(P_j) \le h\left(P_{j-1} - Q_{i_j}\right) + \kappa.$$
Then, using (2.23) we obtain

$$4h(P_j) \le 2h(P_{j-1}) + \kappa' + \kappa,$$
which can be rewritten as follows:
$$h(P_j) \le \frac{1}{2}h(P_{j-1}) + \frac{\kappa' + \kappa}{4} = \frac{3}{4}h(P_{j-1}) - \frac{h(P_{j-1}) - (\kappa' + \kappa)}{4}.$$
So, if $h(P_{j-1}) \ge \kappa' + \kappa$ then $h(P_{j-1}) - (\kappa' + \kappa) \ge 0$, hence
$$h(P_j) \le \frac{3}{4}h(P_{j-1}). \tag{2.24}$$

So in the (potentially infinite) sequence of points $P, P_1, P_2, \dots$ each point $P_j$ satisfies inequality (2.24) as long as $h(P_{j-1}) \ge \kappa' + \kappa$. Therefore, while the heights stay above $\kappa' + \kappa$, consecutive points in the sequence have heights decreasing by a factor of at least $3/4$; since $h(P_j) \ge 0$ this cannot continue indefinitely, so we eventually find an index $m$ such that $h(P_m) \le \kappa' + \kappa$, where $\kappa$ and $\kappa'$ do not depend on $P$. Hence any point $P \in E(\mathbb{Q})$ can be written in the form
$$P = a_1 Q_1 + a_2 Q_2 + \cdots + a_n Q_n + [2^m]R,$$
where $a_1, \dots, a_n$ are integers and $R$ is some point in $E(\mathbb{Q})$ satisfying the inequality $h(R) \le \kappa' + \kappa$. From assumption (a) we know that $\{R \in E(\mathbb{Q}) : h(R) \le \kappa' + \kappa\}$ is finite. Furthermore, recall that there are finitely many $Q_i$ due to property (d), hence the group of points $E(\mathbb{Q})$ is indeed finitely generated, with generating set
$$\{Q_1, Q_2, \dots, Q_n\} \cup \{R \in E(\mathbb{Q}) : h(R) \le \kappa' + \kappa\}.$$

We have just proved that the group of points on an elliptic curve defined over the rationals is finitely generated. The Mordell-Weil Theorem [31] generalises this result to elliptic curves defined over any number field $K$. By the fundamental theorem of finitely generated abelian groups, we conclude that the group of points on such a curve is isomorphic to a direct sum of infinite cyclic groups and finite cyclic groups of prime power order. That is, for any elliptic curve $E/K$ we have

$$E(K) \cong \underbrace{\mathbb{Z} \oplus \mathbb{Z} \oplus \cdots \oplus \mathbb{Z}}_{r \text{ copies}} \oplus \mathbb{Z}_{p_1^{v_1}} \oplus \mathbb{Z}_{p_2^{v_2}} \oplus \cdots \oplus \mathbb{Z}_{p_s^{v_s}},$$

where $r \in \mathbb{N}_0$ is an important invariant of the curve known as its rank, and $p_1^{v_1}, \dots, p_s^{v_s}$ are powers of (not necessarily distinct) prime numbers $p_1, \dots, p_s$. Therefore, any point $P \in E(K)$ can be written in the form

$$P = [n_1]P_1 + \cdots + [n_r]P_r + [m_1]Q_1 + \cdots + [m_s]Q_s,$$
for some (non-unique) generating points $P_1, \dots, P_r, Q_1, \dots, Q_s \in E(K)$, integers $n_1, \dots, n_r$ and integers $m_j$ modulo $p_j^{v_j}$. Note that the group of points on an elliptic curve over a number field is finite if and only if the curve has rank zero.

Remark 15. There is much we currently do not know about the rank of an elliptic curve. For example, there is no known procedure that is proven to compute the rank of an arbitrary given curve. The Mordell-Weil Theorem establishes that the rank of an elliptic curve is always finite, and a folklore conjecture states that there is no upper bound on the possible rank, though this has yet to be rigorously proved. At the time of writing, the record for the largest known lower bound on the rank of an elliptic curve over $\mathbb{Q}$ is held by the American mathematician Noam Elkies, who discovered an elliptic curve with at least 28 independent points of infinite order [6]. The rank of an elliptic curve is closely related to the Birch and Swinnerton-Dyer conjecture [58], one of the Millennium Prize Problems.

2.5 Points of Finite Order

In this section we shall follow Chapter 2 of [53] to develop our understanding of the theory of elliptic curves by studying points of finite order. Our primary aim is to develop two methods for computing the torsion subgroup of a given elliptic curve defined over the rationals, using the Nagell-Lutz Theorem and the Reduction Modulo $p$ Theorem respectively. The latter theorem relates elliptic curves defined over the rationals to elliptic curves defined over finite fields. Such curves are preferred for cryptographic applications for several reasons. Firstly, computers store finite values, so any rounding of long or infinite rational values could lead to errors. Furthermore, the number of bits required to store and transmit points is consistent, hence algorithms on such curves are easier to analyse.

2.5.1 The Nagell-Lutz Theorem

We begin by defining the order of a given point on an elliptic curve and proving that the set of all points of finite order forms a subgroup of the group of points on the curve. We then state the Nagell-Lutz Theorem, proved independently by Trygve Nagell (1935) and Élisabeth Lutz (1937). We then prove a stronger version of this result and apply it to find a procedure for computing the torsion subgroup of a given elliptic curve defined over the rationals.

Definition 14. Let $n$ be a natural number and let $E/K$ be an elliptic curve. A point $P \in E(K)$ has order $n$ if $n$ is the minimal positive integer such that $[n]P = O$. If such an $n$ exists, then $P$ has finite order[8]. Otherwise, the point $P$ has infinite order.

Proposition 3. Let $E/K$ be an elliptic curve and $m$ be a positive integer. The set of points of $E(K)$ whose order divides $m$, denoted
$$E[m] = \{P \in E(K) : [m]P = O\},$$
forms a subgroup of $E(K)$.

Proof. Let $P, Q \in E[m]$, so that $[m]P = [m]Q = O$. First note that $[m]P = O$ implies that $[m](-P) = O$, since
$$[m](-P) = \underbrace{(-P) + (-P) + \cdots + (-P)}_{m} = -\underbrace{\left(P + P + \cdots + P\right)}_{m} = -O = O.$$
Hence, $E[m]$ is closed under taking inverses. Moreover, since the group is abelian,
$$[m](P + Q) = \underbrace{(P + Q) + \cdots + (P + Q)}_{m} = \underbrace{P + \cdots + P}_{m} + \underbrace{Q + \cdots + Q}_{m} = O + O = O,$$

[8] In some texts the points of finite order on an elliptic curve are referred to as torsion points. A point of order two is then referred to as a 2-torsion point.

so $P + Q \in E[m]$. We conclude that $E[m]$ is a subgroup of $E(K)$, as required.

Proposition 4. Let $E/K$ be an elliptic curve. The set of points of finite order, denoted

$$E_{\mathrm{tors}}(K) = \{P \in E(K) : [n]P = O \text{ for some } n \in \mathbb{N}\},$$
forms a subgroup of $E(K)$ known as the torsion subgroup.

Proof. Clearly $E_{\mathrm{tors}}(K)$ is non-empty, since $O \in E(K)$ has order one. Let $P_1$ and $P_2$ be points of finite order in $E(K)$, meaning $[m_1]P_1 = [m_2]P_2 = O$ for some positive integers $m_1$ and $m_2$. This implies that

$$[m_1 m_2](P_1 \pm P_2) = [m_2]\left([m_1]P_1\right) \pm [m_1]\left([m_2]P_2\right) = [m_2]O \pm [m_1]O = O,$$
hence the points $P_1 + P_2$ and $P_1 - P_2$ also have finite order, so we conclude that $E_{\mathrm{tors}}(K)$ is indeed a subgroup of $E(K)$.

Remark 16. The following famous result, proved by Mazur [35] in 1977, establishes that there are only 15 possible structures for the torsion subgroup of an elliptic curve defined over the rationals.

Theorem 8. Let $E/\mathbb{Q}$ be an elliptic curve. Then either

(a) $E_{\mathrm{tors}}(\mathbb{Q}) \cong \mathbb{Z}_n$ for some $n \in \{1, 2, 3, \dots, 9, 10, 12\}$, or

(b) $E_{\mathrm{tors}}(\mathbb{Q}) \cong \mathbb{Z}_2 \oplus \mathbb{Z}_{2n}$ for some $1 \le n \le 4$.

Proof. The proof of Theorem 8 requires an extensive background in the theory of modular curves. Instead of developing this theory we omit the proof, and aim to combine this result with a stronger form of Theorem 9 to find a procedure to compute the torsion subgroup of a given elliptic curve over the rationals.

Theorem 9. (Nagell-Lutz Theorem). Let $E/\mathbb{Q}$ be an elliptic curve with integer coefficients $B$ and $C$, where
$$E : y^2 = x^3 + Bx + C, \qquad \Delta_E = -16\left(4B^3 + 27C^2\right).$$

Let $P = (x, y) \in E(\mathbb{Q})$ be a point of finite order. Then,

(a) $x$ and $y$ are integers.

(b) Either $y = 0$, in which case $P$ has order two, or $y$ divides $\Delta_E$.

Proof. See Chapter 2 of [53].

Remark 17. One immediate application of Theorem 9 is to confirm that a rational point $P$ on an elliptic curve has infinite order. We first use Corollary 3 (the duplication formula) to compute the $x$-coordinates of $[2]P, [4]P, [8]P, \dots$. If at any stage a non-integer $x$-coordinate is found for some point $[n]P$, then $[n]P$, and hence $P$, cannot have finite order by the contrapositive of Theorem 9 (every multiple of a point of finite order again has finite order). A stronger form of this theorem is given below.

Corollary 4. Let $E/\mathbb{Q}$ be an elliptic curve with integer coefficients, and let $P = (x, y)$ be a rational point of finite order on $E$. If both $P$ and $[2]P$ have integral coordinates then $y = 0$ or $y^2 \mid \Delta_E$.

Proof. (Exercise 2.11 from [53]). Let $P = (x_1, y_1) \in \mathbb{Z}^2$ be a point on an elliptic curve $E/\mathbb{Q}$, where $E : y^2 = g(x)$ for the cubic $g(x) = x^3 + Bx + C \in \mathbb{Z}[x]$, and suppose $y_1 \ne 0$ and that $[2]P = (x_2, y_2)$ also has integral coordinates. Since $P \in E(\mathbb{Q})$ we have $y_1^2 = g(x_1)$, hence $y_1^2 \mid g(x_1)$. Then, using Corollary 3 (the duplication formula), we find that

$$2x_1 + x_2 = \left(\frac{g'(x_1)}{2y_1}\right)^2, \qquad \text{so } 4y_1^2\left(2x_1 + x_2\right) = g'(x_1)^2 \ \text{ and hence } \ y_1^2 \mid g'(x_1)^2.$$
Finally, the polynomial identity

$$\left(3x^2 + 4B\right)g'(x)^2 - 27\left(x^3 + Bx - C\right)g(x) = 4B^3 + 27C^2$$
holds (expand both sides), so substituting $x = x_1$ shows that $y_1^2$ divides $4B^3 + 27C^2$, and therefore $y_1^2 \mid \Delta_E = -16\left(4B^3 + 27C^2\right)$, as required.

Remark 18. It is important to note that neither version of the Nagell-Lutz Theorem can independently determine whether a given point has finite order: the conditions are necessary, not sufficient. A curve $E/\mathbb{Q}$ may contain points $(x, y)$ of infinite order such that $x$ and $y$ are integers with $y^2$ dividing $\Delta_E$. Instead we use Corollary 4 to compile a finite list of points containing all points of finite order, and then simply check which points in the list have finite order, as follows.

Algorithm 1: Computing $E_{\mathrm{tors}}(\mathbb{Q})$ using the Nagell-Lutz Theorem
Input: $E/\mathbb{Q} : y^2 = f(x)$ with integer coefficients
1 for each point $P = (x, y) \in E(\mathbb{Q})$ with $x, y \in \mathbb{Z}$ and $y = 0$ or $y^2 \mid \Delta_E$ do
2   for $n = 2, 3, 4, \dots, 9, 10, 12$ do
3     compute $[n]P$
4     if $X([n]P) \notin \mathbb{Z}$ or $Y([n]P) \notin \mathbb{Z}$ then
5       $P \notin E_{\mathrm{tors}}(\mathbb{Q})$; stop testing $P$
6     else if $[n]P = O$ then
7       $P \in E_{\mathrm{tors}}(\mathbb{Q})$; stop testing $P$
8   if no $n$ gave $[n]P = O$ then $P \notin E_{\mathrm{tors}}(\mathbb{Q})$ (its order would exceed 12, contradicting Theorem 8)

Output: $E_{\mathrm{tors}}(\mathbb{Q}) = \{O\} \cup \{P \text{ found to have finite order}\}$

Remark 19. This procedure always terminates in a finite number of steps, because for a given elliptic curve $E/\mathbb{Q}$ there are only finitely many integers $y$ such that $y^2$ divides $\Delta_E$, for each such $y$ only finitely many integers $x$ with $f(x) = y^2$, and for each corresponding point $P = (x, y)$ there are at most 11 choices for the order of $P$, by Theorem 8.

Example 4. A few examples of computing the torsion subgroup of an elliptic curve over the rationals are included in [53]; we have chosen[9] instead to use the following elliptic curve $E/\mathbb{Q}$, where
$$E : y^2 = x^3 + 9. \tag{2.25}$$
First note that $\Delta_E = -16 \cdot 27 \cdot 81 = -34992 = -2^4 \cdot 3^7$. Applying Corollary 4 we know that if $P = (x, y) \in E_{\mathrm{tors}}(\mathbb{Q})$ then $y = 0$ or $y^2 \mid \Delta_E$, i.e. $y = \pm 2^a 3^b$ with $a \le 2$ and $b \le 3$, hence

$$y \in \{0, \pm 1, \pm 2, \pm 3, \pm 4, \pm 6, \pm 9, \pm 12, \pm 18, \pm 27, \pm 36, \pm 54, \pm 108\}.$$

For each such $y$ we need an integer $x$ with $x^3 = y^2 - 9$. Checking the cubes, the only values of $y$ for which $y^2 - 9$ is a perfect cube are $y = \pm 1, \pm 3, \pm 6$ (giving $x^3 = -8, 0, 27$), so $(-2, \pm 1)$, $(0, \pm 3)$ and $(3, \pm 6)$ are the only candidate integral points. Using Corollary 3 we observe

$$[2](-2, \pm 1) = (40, \mp 253), \qquad \text{so } X\left([2](-2, \pm 1)\right) = 40.$$

Applying Corollary 3 again we find that
$$X\left([4](-2, \pm 1)\right) = \frac{2557120}{256036} = \frac{639280}{64009} \notin \mathbb{Z},$$
so we conclude that the points $(-2, \pm 1)$ cannot have finite order, by Theorem 9. Similarly, the tangent at $(3, \pm 6)$ has slope $\pm 27/12 = \pm 9/4$, so
$$X\left([2](3, \pm 6)\right) = \frac{81}{16} - 6 = -\frac{15}{16} \notin \mathbb{Z},$$
and the points $(3, \pm 6)$ have infinite order too. Finally, applying Corollary 3 to $(0, \pm 3)$ we see that

$$[2](0, \pm 3) = (0, \mp 3).$$

Note that

$$[3](0, \pm 3) = [2](0, \pm 3) + (0, \pm 3) = (0, \mp 3) + (0, \pm 3) = O,$$
hence both $(0, 3)$ and $(0, -3)$ have order three. We conclude that
$$E_{\mathrm{tors}}(\mathbb{Q}) = \{O, (0, 3), (0, -3)\} \cong \mathbb{Z}_3.$$
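As an added example (not code from the thesis), the following Python script carries out Algorithm 1 for a curve $y^2 = x^3 + Bx + C$ with integer coefficients: it enumerates the candidate integral points of Corollary 4 (for each admissible $y$ it finds the integer roots of $x^3 + Bx + (C - y^2)$, which must divide $C - y^2$), computes the multiples $[n]P$ with exact `Fraction` arithmetic, and applies the Nagell-Lutz test with Mazur's bound on the order. Run on the curve (2.25) it reproduces the computation of Example 4, including the candidate points $(3, \pm 6)$ and the non-integral $x$-coordinates of $[4](-2, 1)$ and $[2](3, 6)$. All function names are this example's own.

```python
from fractions import Fraction as Fr
from math import isqrt

# Added example, not code from the thesis: Algorithm 1 for E : y^2 = x^3 + Bx + C
# with integer B, C, using exact rational arithmetic. None is the point at infinity O.
O = None


def discriminant(B, C):
    return -16 * (4 * B**3 + 27 * C**2)


def add(B, C, P, Q):
    """Chord-and-tangent addition on y^2 = x^3 + Bx + C (Theorem 6 / Corollary 3)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and y1 == -y2:
        return O                                   # P + (-P) = O; also covers P == Q with y = 0
    if P == Q:
        lam = (3 * x1 * x1 + B) / (2 * y1)         # tangent slope
    else:
        lam = (y2 - y1) / (x2 - x1)                # chord slope
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def multiply(B, C, n, P):
    """[n]P by repeated addition (n <= 12 here, so double-and-add is unnecessary)."""
    R = O
    for _ in range(n):
        R = add(B, C, R, P)
    return R


def divisors(n):
    """Positive divisors of the non-zero integer n."""
    n = abs(n)
    small = [d for d in range(1, isqrt(n) + 1) if n % d == 0]
    return sorted(set(small + [n // d for d in small]))


def integer_roots(B, k):
    """Integer solutions of x^3 + Bx + k = 0; a non-zero integer root must divide k."""
    if k == 0:
        roots = {0}
        r = isqrt(-B) if B < 0 else 0
        if B < 0 and r * r == -B:
            roots |= {r, -r}
        return roots
    return {s * d for d in divisors(k) for s in (1, -1) if (s * d)**3 + B * s * d + k == 0}


def candidate_points(B, C):
    """Integral points (x, y) on E with y = 0 or y^2 | Delta_E (the condition of Corollary 4)."""
    D = discriminant(B, C)
    ys = {0} | {s * y for y in divisors(D) if D % (y * y) == 0 for s in (1, -1)}
    pts = []
    for y in sorted(ys):
        for x in integer_roots(B, C - y * y):      # x^3 + Bx + C = y^2
            pts.append((Fr(x), Fr(y)))
    return sorted(pts)


def is_integral(P):
    return P is O or (P[0].denominator == 1 and P[1].denominator == 1)


def torsion_subgroup(B, C):
    """E_tors(Q) for y^2 = x^3 + Bx + C: Nagell-Lutz candidates, then Mazur's bound on the order."""
    tors = {O}
    for P in candidate_points(B, C):
        Q = P
        for n in range(2, 13):
            Q = add(B, C, Q, P)                    # Q = [n]P
            if not is_integral(Q):
                break                              # [n]P non-integral: P has infinite order (Theorem 9)
            if Q is O:
                tors.add(P)                        # [n]P = O with n <= 12, so P is a torsion point
                break
    return tors


if __name__ == "__main__":
    print("candidates:", candidate_points(0, 9))
    print("E_tors(Q):", torsion_subgroup(0, 9))
```

The inner loop stops at the first non-integral multiple, which is exactly the test of Remark 17; a candidate whose first twelve multiples are all integral but never reach $O$ is also rejected, since Theorem 8 leaves no room for such an order.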

2.5.2 Reduction Modulo p

For a given elliptic curve E/Q and a prime p we can carry out a process known as reduction modulo p to produce a corresponding reduced curve E˜ defined over the finite field Fp. We will see several applications of such curves in Chapter 3. Through applications of the reduction modulo p Theorem we will find that the torsion subgroup of an elliptic curve E/K is isomorphic to subgroups of the reduced curves defined over finite fields of order p where p is coprime to 2∆E . This process will also provide us with a second method to determine the torsion subgroup of a given elliptic curve. Let E/Q be an elliptic curve, where

E : y2 = x3 + Bx +C,

⁹ Elliptic curves with B = 0 are commonly used throughout cryptography for increased efficiency.

for some integer coefficients B and C. Then, let p > 5 be a prime¹⁰ and ψ : Z → Fp be the homomorphism such that

a˜ := ψ (a) = a mod p, for all a ∈ Z.

The curve E/Q is reduced modulo p to form a new curve E˜/Fp by simply replacing the coefficients B and C with ψ (B) = B˜ and ψ (C) = C˜. One then needs to check if the new curve E˜/Fp is singular. First, recall that the discriminant of the Weierstrass equation for E is given by

∆E = −16(4B^3 + 27C^2).

Then, since ψ is a homomorphism we see that ∆E˜ is just the reduction modulo p of ∆E ,

∆Ẽ = −16(4(ψ(B))^3 + 27(ψ(C))^2) = −16(4B^3 + 27C^2) mod p = ∆E mod p.

Hence the reduced curve Ẽ/Fp is non-singular provided p does not divide ∆E. In this case we say that E/Q has good reduction at p; otherwise we say that E/Q has bad reduction at p.

Definition 15. Let p > 5. An elliptic curve E/Fp in short Weierstrass normal form is defined as the set of solutions to an equation of the form:

E : y^2 = x^3 + Bx + C mod p, for B,C ∈ Fp such that p ∤ −16(4B^3 + 27C^2), i.e. the discriminant is nonzero in Fp, together with the point O at infinity. We denote the group of all points on E/Fp by

E(Fp) = {(x,y) : x,y ∈ Fp satisfy y^2 = x^3 + Bx + C} ∪ {O}.

Remark 20. We have described how one can reduce an elliptic curve defined over the rationals to obtain a new curve defined over a finite field of order p > 5. One may then ask how the points on the original curve relate to points on this new reduced curve. Clearly, we can take a general point P = (x,y) ∈ E(Q) and reduce it modulo p to obtain a corresponding point P̃ = (x̃,ỹ) ∈ Ẽ(Fp) provided p does not divide the denominator of x or y. In particular, we can reduce any point with integer coordinates to obtain a corresponding point on the reduced curve. We know from Theorem 9 (the Nagell-Lutz Theorem) that the points of finite order on an elliptic curve have integer coordinates. So, we define the “reduction modulo p” map Etors(Q) → Ẽ(Fp) as follows.

Theorem 10. (The Reduction Modulo p Theorem). Let E/Q be an elliptic curve, where

E : y^2 = x^3 + Bx + C,

for some integers B and C. If p does not divide 2∆E then the reduction modulo p map θ : Etors(Q) → Ẽ(Fp) given by

θ(P) = P̃ = Õ if P = O, and θ(P) = P̃ = (x̃,ỹ) otherwise, for all P ∈ Etors(Q),

is an isomorphism of Etors(Q) onto a subgroup of Ẽ(Fp).

Proof. See Section 4.3 of [53].

¹⁰ Throughout this section we require that p ≠ 2,3 so that the resulting curve can also be written in short Weierstrass normal form.

Example 5. We will now provide an example of how Theorem 10 can be used to calculate the torsion subgroup of the following elliptic curve E/Q, where

E : y^2 = x^3 + 2.

First note that ∆E = −1 · 2^6 · 3^2. Then, let

θ : Etors (Q) → E˜ (Fp).

By Theorem 10 we know that θ is an isomorphism onto a subgroup of E˜ (Fp) for all primes p which do not divide 2∆E , in our case this clearly holds for all p > 5. It is easy to check that

#E˜ (F5) = 5 and #E˜ (F7) = 8. Moreover, we know that the order of a subgroup must divide the order of the whole group. So, we conclude that #Etors (Q) divides both 5 and 8, hence #Etors (Q) = 1. So we see in this case there are no torsion points on E/Q besides O.

2.6 Bilinear Pairings

For some elliptic curves the group of points has additional structure in the form of pairings. Due to their range of applications to cryptography, pairings deserve a Thesis of their own. In this Section we will aim to provide an overview of some of the useful properties of the Weil pairing. The more efficient Tate pairing defined in Section 6.8.5 of [30] uses curves defined over finite fields and is often preferred for cryptographic applications. Either pairing can be used to implement the BLS digital signature scheme we will study in Section 3.4.3. A pairing e is a linear function of the form

e : G1 × G2 × ··· × Gn → GT,

which maps two or more points from one or more source groups to a point in a target group. If all of the Gi are equal then the pairing is known as symmetric, otherwise we say the pairing is asymmetric. For cryptographic applications we use Fp^a, for some prime p and integer a, as our target group. In this context the integer a is known as the pairing’s embedding degree, an important property which will be mentioned throughout the Section. We will mainly be following Chapter 6 from [30]. Pairings must satisfy the following properties

(a) GT and each Gi for i = 1,...,n are groups of the same order.

(b) e(g1^{a1},...,gn^{an}) = e(g1,...,gn)^{∏_{i=1}^{n} ai}. (linearity)

(c) If g1,...,gn are generators for G1,...,Gn respectively, then e(g1,...,gn) is a generator of GT. (non-degeneracy)

(d) There exists an efficient algorithm to compute e. (computability)

For cryptographic applications we also need to require that the DLP (Problem 3.3) is hard in each of the source groups. The problem of constructing valid multilinear maps (pairings with n > 2) is an active area of research in cryptography, with the security of several proposed candidates remaining unclear [1]. In this Section we will construct and compute a frequently used symmetric, bilinear pairing (n = 2) known as the Weil pairing.

2.6.1 Divisors

In order to define the Weil pairing we need some understanding of divisors. A divisor describes the zeroes and poles of a rational function. We shall state a Theorem which allows us to determine which divisors are divisors of rational functions on an elliptic curve and to what extent the divisor of a function determines the function. Let K be a field. A rational function f : K[X] → K[X] can be written as the ratio of two polynomials in X

f(X) = (a0 + a1X + a2X^2 + ··· + anX^n) / (b0 + b1X + b2X^2 + ··· + bmX^m).

This expression can be factored over the complex numbers as follows,

f(X) = a(X − α1)^{c1}(X − α2)^{c2} ··· (X − αr)^{cr} / b(X − β1)^{d1}(X − β2)^{d2} ··· (X − βs)^{ds},

with the zeroes α1,...,αr ∈ C and poles β1,...,βs ∈ C distinct. The divisor of f(X), denoted by the formal sum

div(f(X)) = c1[α1] + c2[α2] + ··· + cr[αr] − d1[β1] − d2[β2] − ··· − ds[βs],

allows us to summarise the multiplicities of the zeroes and poles of f. Note that the coordinates of the zeroes and poles of f are not necessarily in K, but must lie in the algebraic closure K̄.

Definition 16. A divisor D on an elliptic curve E/K is a formal sum of the form

D = ∑_{P∈E(K)} nP(P), with finitely many of the nP ∈ Z nonzero.

Furthermore, the degree and sum of a divisor are defined as follows

deg(D) = ∑_{P∈E(K)} nP,   Sum(D) = ∑_{P∈E(K)} [nP]P.

Theorem 11. Let E/K be an elliptic curve.

(a) Let f and g be nonzero rational functions on E. If div(f) = div(g), then there is a nonzero constant c such that f = cg.

(b) Let D = ∑P∈E nP(P) be a divisor on E. Then, D is the divisor of a rational function on E if and only if

deg(D) = 0 and Sum(D) = O

Proof. See Propositions II.3.1 and III.3.4 of [31].

Example 6. Let E/K be an elliptic curve, where

E : x^3 + Bx + C = (x − α1)(x − α2)(x − α3),

for some α1,α2,α3 ∈ C. We know that the points P1 = (α1,0), P2 = (α2,0) and P3 = (α3,0) are distinct and of order 2 by Proposition 1 and Theorem 9 respectively. Clearly the rational function Y on E, defined by

Y(P) = y, ∀P = (x,y) ∈ E(K),

has zeroes only at P1, P2 and P3. Using Theorem 11 we find that the divisor of Y is of the form

div(Y) = (P1) + (P2) + (P3) − 3(O).

2.6.2 The Weil Pairing

The Weil e_m-pairing takes as input a pair of points of order m on an elliptic curve and outputs a primitive m-th root of unity. Since its introduction by André Weil in 1940 the Weil pairing has had a large impact on the theory of elliptic curves. The MOV attack [41] uses the Weil pairing to reduce the ECDLP on supersingular elliptic curves to the DLP on a corresponding multiplicative group of integers. Other applications of the Weil pairing which are outside the scope of this Thesis include counting the number of points on an elliptic curve defined over a finite field [31] and the construction of identity based cryptosystems [17]. In this Section we shall construct the Weil pairing and prove some of its many useful properties. Throughout this Section we fix an integer m > 2, coprime to p = char(K) when p > 0.

Definition 17. The group of m-th roots of unity of a field K is defined as

µm = {u ∈ K : u^m = 1}.

We will now briefly describe how to construct the Weil pairing. First, let T ∈ E[m]. Consider the divisor

Df = m(T) − m(O).

By Theorem 11 there is a function f ∈ K(E) such that div(f) = Df, since

deg(Df) = m − m = 0 and Sum(Df) = [m]T − [m]O = O.

Next, let T′ ∈ E be such that [m]T′ = T. Consider the divisor

Dg = ∑_{P∈E[m]} ((T′ + P) − (P)).

Again, by Theorem 11 there is a function g ∈ K(E) such that div(g) = Dg, since

deg(Dg) = m^2 − m^2 = 0 and Sum(Dg) = ∑_{P∈E[m]} T′ = [m^2]T′ = [m]T = O.

Here we have used the fact that #E[m] = m^2, which holds since E[m] ≅ Zm × Zm by Theorem 8. Next, note that

div(g^m) = m · div(g) = ∑_{P∈E[m]} (m(T′ + P) − m(P)) = div(f ∘ [m]).

We conclude that both f ∘ [m] and g^m have the same divisor. So, by Theorem 11 we can multiply f by a suitable constant from K* so that

f ∘ [m] = g^m.

Now, let S ∈ E[m]. For any point X ∈ E(K) we have

g(X + S)^m = f([m]X + [m]S) = f([m]X) = g(X)^m,

since S is a point of order m. From this we can produce a root of unity as follows:

(g(X + S)/g(X))^m = 1, hence g(X + S)/g(X) ∈ µm(K̄).

Using Theorem 2.3 from [31] one concludes that the morphism E(K̄) → P^1 given by X ↦ g(X + S)/g(X) is constant, since it is not surjective. This construction leads to the following definition of the Weil pairing, which we will use to prove some of its useful properties.

CHAPTER 2. THE THEORY OF ELLIPTIC CURVES 56

Definition 18. Let E/K be an elliptic curve and let S,T ∈ E[m]. The Weil e_m-pairing is defined as follows

e_m : E[m] × E[m] → µm, by e_m(S,T) = g(X + S)/g(X),

where X ∈ E is any point such that g(X + S) and g(X) are both well defined and nonzero.

Proposition 5. Let E/K be an elliptic curve, let S1,S2,S and T be points of order m on E. The Weil pairing satisfies the following properties

(a) Bilinear: em(S1 + S2,T) = em(S1,T)em(S2,T),

em(S,T1 + T2) = em(S,T1)em(S,T2).

(b) Alternating:

e_m(T,T) = 1, hence e_m(S,T) = e_m(T,S)^{−1}.

(c) Nondegenerate:

If e_m(S,T) = 1 for all S ∈ E[m], then T = O.

Proof. (a) From the definition of the Weil pairing we have

e_m(S1 + S2,T) = g(X + S1 + S2)/g(X).

Multiplying the top and bottom of this fraction by g(X + S1) and rearranging we obtain

e_m(S1 + S2,T) = (g(X + S1 + S2)/g(X + S1)) · (g(X + S1)/g(X)).

In our construction of the Weil pairing we proved that the quantity e_m(S,T) = g(X + S)/g(X) is independent of the choice of X. So, taking X′ = X + S1 in the first factor of the previous equation we have

e_m(S1 + S2,T) = (g(X′ + S2)/g(X′)) · (g(X + S1)/g(X)).

Then, using the fact that roots of unity commute we obtain linearity in the first factor

e_m(S1 + S2,T) = (g(X′ + S2)/g(X′)) · (g(X + S1)/g(X)) = e_m(S2,T)e_m(S1,T) = e_m(S1,T)e_m(S2,T).

A proof of linearity in the second factor can be found in [31], Proposition 8.1.

(b) Let τP : E(K) → E(K) be the function which maps Q ↦ Q + P for all points Q ∈ E(K). Let f be a function with div(f) = m(T) − m(O).

Composing f with τ_{[n]T} has the effect of translating all the poles and zeroes of f by [n]T, so we obtain the following divisor

div(f ∘ τ_{[n]T}) = m(([1 − n]T) − ([−n]T)).

Taking the product of all possible translations we have that

div(∏_{n=0}^{m−1} f ∘ τ_{[n]T}) = m ∑_{n=0}^{m−1} (([1 − n]T) − ([−n]T)) = 0.

We conclude that

G := ∏_{n=0}^{m−1} f ∘ τ_{[n]T}

is constant. Then, choose a T′ ∈ E(K) such that [m]T′ = T and define

G′ = ∏_{n=0}^{m−1} g ∘ τ_{[n]T′}.

Since G itself is constant we have that

G′^m = ∏_{n=0}^{m−1} (f ∘ τ_{[n]T}) ∘ [m] = G ∘ [m]

is also constant, therefore equal at X and X + T′, hence

G′(X) = ∏_{n=0}^{m−1} g(X + [n]T′) = ∏_{n=0}^{m−1} g(X + [n + 1]T′) = G′(X + T′).

Cancelling common terms, we obtain g(X) = g(X + [m]T′) = g(X + T), which implies

e_m(T,T) = g(X + T)/g(X) = 1,

as required. To see that e_m(S,T) = e_m(T,S)^{−1} first use (a) to obtain

e_m(S + T,S + T) = e_m(S,S)e_m(S,T)e_m(T,S)e_m(T,T).

Then, note that we have just proved e_m(S + T,S + T) = e_m(S,S) = e_m(T,T) = 1, so the result follows directly from the fact that

1 = e_m(S,T)e_m(T,S).

(c) See Proposition 8.1.c in [31].

Chapter 3

Cryptographic Applications

As with many abstract mathematical objects, it wasn’t immediately clear how the theory of elliptic curves could be applied. This belief quickly changed, first in 1985 when Neal Koblitz and Victor Miller independently proposed methods of elliptic curve based cryptography (ECC) based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP), and then again in 1987 with the Lenstra elliptic-curve factorization method, a subexponential algorithm for factorizing up to 50 digit integers. In this Chapter we will mainly be following [30] to investigate how the theory of elliptic curves and some fundamental concepts from number theory can be applied to produce secure and highly efficient cryptographic primitives.

The structure of the Chapter is as follows. We begin by introducing some fundamental definitions and standard functions required to analyse and implement cryptographic protocols. In Section 3.2 we will study the hard problem of factorising large semiprimes and investigate how it can be applied to form the RSA encryption scheme. We will then implement and compare two efficient integer factorisation algorithms. The running time of both Pollard’s p − 1 and the Lenstra elliptic curve factorisation methods is based on the size of the largest prime factor of the integer to be factorised. From this insight we will conclude that both factors of the semiprime used in RSA need to be of similar magnitude to provide sufficient security. In Section 3.3 we will study the DLP in detail and explain why the ECDLP is believed to be more difficult than the DLP in the multiplicative group of a finite field. We then move on to a discussion of the subtleties involved in choosing a suitable elliptic curve for which the ECDLP is sufficiently difficult. We conclude the Section by implementing and comparing two algorithms used to efficiently compute multiples of a point on an elliptic curve, a process vital to the efficiency of the elliptic curve Diffie-Hellman key exchange protocol. The aforementioned key distribution protocols and encryption schemes illustrate a few of the ways cryptographic protocols are used to provide confidentiality over an insecure network. In Section 3.4 we will study another important application of public key cryptography: reliable authentication through digital signatures. A digital signature is similar to a physical signature; both aim to be easy for a user to produce but difficult for an adversary to forge. Digital signatures allow the recipient to verify that any information received (including vital system updates) has originated from a trusted source. All of the Python3 [55] code implemented throughout this Section is available in Appendix A. In order to run any of my ECC algorithms one will need to use the point.py and curve.py files (Appendix A.1 and A.2) which contain the classes required to perform point operations on elliptic curves. I chose Python as the language is very user friendly and can be used to implement object oriented code.

CHAPTER 3. CRYPTOGRAPHIC APPLICATIONS 59

3.1 Preliminaries

Before implementing any specific cryptographic protocols we shall first provide some fundamental definitions which allow us to compare the efficiency of multiple algorithms throughout the Chapter.

Definition 19. The time complexity (or simply the complexity) of a given algorithm describes the order of magnitude of time required for it to run to completion, as a function of the length of the algorithm’s input, based on currently known algorithms. If there exists an algorithm to solve a given problem in a length of time which is a polynomial function of the algorithm’s input length then we say the problem is easy; otherwise the problem is hard.

Remark 21. Separate from the notion of complexity is that of realistic computability, a more heuristic concept which describes problems which can be solved in a reasonable amount of time on modern computers. Of course the notion of sufficiently secure is highly dependent on the rate of advances in computing technology such as new, more efficient algorithms and parallel processing techniques.

Definition 20. A one-way function f is an invertible function that is easy to compute in one direction and hard to compute in the other direction.

Remark 22. Surprisingly, it is still unknown whether true one-way functions actually exist. If one-way functions were proven to exist this would imply P ≠ NP, the foremost open conjecture in theoretical Computer Science [39]. We will study some of the most popular candidates for one-way functions used in modern cryptography throughout this Thesis, but it is important to note that the security of public key cryptosystems relies on the assumption that inverting the underlying one-way function is a hard problem.

Definition 21. A closely related notion is that of a trapdoor function, a special type of one-way function which can only be inverted in polynomial time using some additional trapdoor information.¹

¹ For example, a private key acts as the trapdoor information for many encryption functions.

Remark 23. The following two types of function will be applied throughout the Chapter, particularly in Section 3.4 to implement digital signature schemes.

Definition 22. A cryptographic hash function, denoted H, is essentially a one way encryption function used to condense an arbitrary length segment of bits into a unique short string. We require such functions to satisfy the following properties

(a) The same input always results in the same hash. (Deterministic)

(b) It should be hard to find two inputs which produce the same hash value. (Collision resistant)

(c) Computation in the forward direction is easy, while computing the inverse of the function is necessarily hard. (One way function)

Remark 24. Examples of popular cryptographic hash functions include SHA-256 and MD5² which produce 128 and 256 bit outputs (sometimes known as digests) respectively.

Definition 23. A pseudo random number generator, denoted ←R, takes as input a random seed³ and aims to produce an output which is indistinguishable from the output of a truly random number generator.

Remark 25. Several devastating attacks on popular cryptosystems were made possible by poor implementations of random number generators. For example, in December 2010, hackers were able to recover the private keys used in Sony’s PlayStation 3 elliptic curve digital signature scheme (Section 3.4.2) because a new random number was not generated for each signature [20].

Definition 24. A PRNG is said to be cryptographically secure if it satisfies the following

(a) There can be no polynomial time algorithm to predict whether the next output bit is a 0 or 1, even with arbitrary knowledge of previous output.

(b) Knowledge of bits bk,bk+1,bk+2,... should not provide any advantage for computing bits b0,b1,...,bk−1.

All PRNGs used throughout this Thesis are assumed to be cryptographically secure.

Remark 26. The theory of elliptic curves can actually be applied to produce cryptographically secure PRNGs. A controversial example of an insecure PRNG is the dual elliptic curve deterministic random bit generator published by the NSA in 2006.⁴

² MD5 is now deprecated because collisions can be found within seconds on modern computers.
³ Random seeds are ideally produced from the truly random rate of decay of a radioactive substance, but in practice are more commonly derived from the ambient noise around the device.
⁴ This algorithm was withdrawn by NIST in 2014 [7] after Edward Snowden confirmed widespread suspicions of a weakness in the algorithm due to suspicious, unexplained parameters used in defining the underlying curve.

Several widespread cryptosystems, including RSA, require an efficient algorithm to produce random, large prime numbers. The prime number Theorem tells us that a randomly chosen integer N has probability 1/ln(N) of being prime. This reduces our search for large primes to the problem of finding an efficient algorithm to test whether a large integer is prime. The following result from 2002 was the first deterministic polynomial-time primality testing algorithm to be published that does not depend on any unproven hypotheses.

Theorem 12. (AKS Primality Test). For every ε > 0, there is an algorithm to determine whether a given natural number n is prime which runs in O((ln n)^{6+ε}) steps.

Proof. See [12].

Remark 27. Cryptographic hash functions (Definition 22), cryptographically secure pseudo random number generators (Definition 23) and primality testing algorithms are outside of our scope. We will instead use them as black box functions, denoted H and ←R respectively, throughout the Chapter.

3.2 Factorising Large Semiprimes

The security of both the RSA encryption scheme (Section 3.2.1) and the RSA digital signature scheme (Section 3.4.1) is based on the difficulty of factorising sufficiently large semiprimes. In this Section we will first study some fundamental concepts from number theory which form the basis of the RSA cryptosystem. We then move on to implementing and comparing two special case integer factorisation algorithms. Both algorithms can be used to factor semiprimes n = pq in polynomial time (regardless of the size of n) if either p − 1 or q − 1 contains only small prime factors. The existence of these efficient algorithms means that RSA moduli need to be carefully chosen so that p and q are of a similar magnitude.

3.2.1 The RSA public key encryption scheme

Named after its inventors Ron Rivest, Adi Shamir and Leonard Adleman, the RSA public key cryptosystem is one of the most widely used cryptosystems across the internet. We begin by studying some fundamental results from number theory which underlie the RSA public key cryptosystem. These results are famous and can be found in most texts on number theory; we will follow [30], which focuses on the cryptographic applications. We conclude the Section with a description of the RSA encryption scheme, adapted from [34].

Definition 25. Let n be a positive integer. The Euler phi-function of n is defined as the number of nonnegative integers a less than n which are coprime with n

ϕ(n) := #{0 ≤ a < n : gcd(a,n) = 1}.

Remark 28. It is easy to see that ϕ(1) = 1 and ϕ(p) = p − 1 for any prime p.

Remark 29. Modern implementations of the RSA cryptosystem often use Carmichael’s totient function in place of Euler’s totient function. This provides the same level of security but increases efficiency by allowing smaller keys to be used in the decryption algorithm [49].

Lemma 6. φ(ab) = φ(a)φ(b), for any two integers a and b.

Proof. Omitted for brevity.

Remark 30. It is trivial to compute φ(n) for a given semiprime n = pq, since

φ(n) = φ(p)φ(q) = (p − 1)(q − 1)

Theorem 13. (Fermat’s Little Theorem.) Let p be a prime. Any integer a satis- fies ap ≡ a mod p. Furthermore, any integer a not divisible by p satisfies ap−1 ≡ 1 mod p.

Proof. Omitted for brevity.

Remark 31. It is possible to generalise Fermat’s little Theorem to the case where the modulus p is replaced by any composite number m. The security of the RSA cryptosystem relies on the case where m is a semiprime.

Theorem 14. (Euler’s formula for pq). Let p and q be distinct odd primes. Then,

a^{(p−1)(q−1)/2} ≡ 1 mod pq for all a with gcd(a, pq) = 1.

Proof. Omitted for brevity.

Table 3.1: The RSA encryption scheme.

                    Alice                                      Bob
Key generation:
  pA,qA ←R random large primes.                 pB,qB ←R random large primes.
  nA ← pAqA.                                    nB ← pBqB.
  φ(nA) ← (pA − 1)(qA − 1).                     φ(nB) ← (pB − 1)(qB − 1).
  eA ←R random integer, 1 < eA < φ(nA),         eB ←R random integer, 1 < eB < φ(nB),
    such that gcd(eA,φ(nA)) = 1.                  such that gcd(eB,φ(nB)) = 1.
  dA ← eA^{−1} mod φ(nA).                       dB ← eB^{−1} mod φ(nB).
  Apub ← (nA,eA).                               Bpub ← (nB,eB).
  Apri ← (nA,dA).                               Bpri ← (nB,dB).
Key distribution:
  Apub ← usually obtained from a certification authority.
Encryption:
  Alice transmits the encrypted message⁵, M^{eB} mod nB, to Bob.
Decryption:
                                                Bob computes M = (M^{eB})^{dB} mod nB.

Remark 32. For an adversary to efficiently compute a user of the RSA encryption scheme’s private key (n,d), where d = e^{−1} mod φ(n), clearly they would need to compute φ(n).

Proposition 6. Let n = pq be a semiprime. The problem of computing ϕ(n) without knowledge of p and q is at least as difficult as factorising n into p and q.

Proof. Let n = pq be a semiprime. Suppose one knows ϕ(n), then by Definition 25 we have that

ϕ(n) = (p − 1)(q − 1) = pq − (p + q) + 1 = n + 1 − (p + q).

Rearranging this equation for p + q we obtain

p + q = n + 1 − ϕ(n).

So, clearly if one knows n and ϕ(n) then it is trivial to compute p + q. Substituting the previous equation for the sum of p and q into the equation n = pq and rearranging gives us the following quadratic equations for p and q in terms of n and ϕ(n)

p^2 − p(n + 1 − ϕ(n)) + n = 0,   q^2 − q(n + 1 − ϕ(n)) + n = 0.

Clearly these quadratic equations for p and q can be solved in constant time. Therefore if one can compute ϕ(n) then one can also find p and q.

⁵ In this scenario Alice would actually transmit a padded version of M using an agreed-upon padding scheme so that all messages are of a fixed length.
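Table 3.1 and Proposition 6 carried out in code, as an added example that is not part of the thesis: key generation from two supplied primes, the unpadded encryption and decryption of the table, and the recovery of p and q from n and ϕ(n) by solving the quadratic above. The primes and message are constructed for illustration and the helper names are my own.

```python
# Added example (not from the thesis): Table 3.1 with supplied primes, and
# Proposition 6 as code.  Helper names are assumptions, not the thesis's code.
from math import gcd, isqrt
from random import randrange


def rsa_keygen(p, q):
    """Key generation as in Table 3.1; p and q are given (here small, constructed) primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    # e <-R random integer with 1 < e < phi(n) and gcd(e, phi(n)) = 1
    while True:
        e = randrange(2, phi)
        if gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)              # d = e^{-1} mod phi(n)  (Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)


def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)              # M^e mod n, unpadded as in the table (see footnote 5)


def rsa_decrypt(pri, c):
    n, d = pri
    return pow(c, d, n)              # (M^e)^d mod n


def factor_from_phi(n, phi):
    """Proposition 6: recover p <= q from n = pq and phi(n) = (p-1)(q-1).

    p + q = n + 1 - phi(n), so p and q are the two roots of
    X^2 - (n + 1 - phi(n)) X + n = 0, found in constant time.
    """
    s = n + 1 - phi                  # p + q
    disc = s * s - 4 * n             # (p + q)^2 - 4pq = (p - q)^2
    r = isqrt(disc)
    if disc < 0 or r * r != disc or (s - r) % 2:
        raise ValueError("phi is not the totient of a semiprime n")
    p, q = (s - r) // 2, (s + r) // 2
    if p * q != n:
        raise ValueError("phi is not the totient of a semiprime n")
    return p, q


def check_roundtrip(p, q, m):
    """True if decrypt(encrypt(m)) == m and phi(n) leaks the factors of n (Prop. 6)."""
    pub, pri = rsa_keygen(p, q)
    n = pub[0]
    ok_rsa = rsa_decrypt(pri, rsa_encrypt(pub, m)) == m
    ok_prop6 = factor_from_phi(n, (p - 1) * (q - 1)) == (min(p, q), max(p, q))
    return ok_rsa and ok_prop6
```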

3.2.2 Comparing Pollard’s p-1 and Lenstra Elliptic Curve Factorisation Algorithms

In this Section we will implement and compare two special case integer factorisation algorithms; however, we will only compare their ability to factorise semiprimes of the form n = pq as this is most relevant to the security of the RSA cryptosystem. We begin with Pollard’s p − 1 integer factorisation algorithm, introduced by J.M. Pollard in 1974 [47]. This algorithm is the simpler of the two and only uses basic properties from number theory. We will then implement Hendrik Lenstra’s [38] elliptic curve method (ECM).

Definition 26. An integer n is said to be B-smooth if all prime factors of n are less than or equal to B. We are only concerned with factorising semiprimes. Hence throughout the section we define B = min(p,q), where n = pq.

Figure 3.1: Comparing the time complexity of various algorithms used to factor semiprimes n = pq, where B = min(p,q).

Algorithm                    Time complexity                                     Reference
Brute force                  √n                                                  Trivial
Pollard-Rho                  √n                                                  [30]
Pollard’s p − 1              B log B log^2 n                                     [47]
ECM                          exp((√2 + O(1)) √(ln B ln^2 B))                     [38]
Quadratic Sieve              exp((1 + O(1)) √(ln n ln^2 n))                      [48]
General Number Field Sieve   exp((64/9)^{1/3} (ln N)^{1/3} (ln ln N)^{2/3})      [48]

Algorithm 2: Pollard’s p − 1 factorisation algorithm

    import sympy
    import math

    # Implementation of Pollard's p-1 factorisation algorithm
    def pollard(n, B=None):
        if n <= 0:
            raise Exception("Enter a positive integer to factor.")
        elif n <= 2 or sympy.isprime(n):
            return n
        # Check for divisibility by 2
        elif n % 2 == 0:
            return 2

        # Sets the default bound to the (integer) square root of n
        if B is None:
            B = math.isqrt(n)
        a = 2
        primes = list(sympy.primerange(1, B))
        for p in primes:
            q = p
            # For each prime p, raise a to the largest power p^k below the bound,
            # so that a accumulates a^(product of prime powers up to B) mod n
            while q < B:
                a = pow(a, p, n)
                q = q * p
            # Check to see if a non-trivial divisor of n has been found
            d = math.gcd(a - 1, n)
            if 1 < d < n:
                return d

        raise Exception("Pollard's p-1 algorithm failed to factorise {}".format(n))

Algorithm 3: Lenstra’s elliptic curve factorisation algorithm (ECM)

    import random
    import math
    import sympy

    from Curve import curve
    from Point import point
    from Point import LenstraException

    # Returns a factor of the integer n
    def ECM(n, max_curves=50, max_multiple=100):
        if n <= 0:
            raise Exception("Enter a positive integer to factor.")
        elif n <= 2 or sympy.isprime(n):
            return n

        for i in range(max_curves):
            # Generate a random curve passing through a random point (x, y)
            # random.randint(a, b) returns a random integer z such that a <= z <= b
            B, x, y = random.randint(0, n - 1), random.randint(0, n - 1), random.randint(0, n - 1)
            C = (pow(y, 2) - pow(x, 3) - B * x) % n

            try:
                E = curve(B, C, n)
                P = point(E, x, y)
            except Exception:
                # If E is not a valid curve or P is not a point on E,
                # then move on to a fresh random curve (this attempt still counts)
                print("Invalid curve")
                continue

            # Attempts to compute [j]P for j = 2, 3, ..., max_multiple - 1
            for j in range(2, max_multiple):
                try:
                    P = j * P
                # If an inverse modulo n cannot be computed,
                # then the failed inversion reveals a divisor of n
                except LenstraException as success:
                    if 1 < success.factor < n:
                        return math.gcd(success.factor, n)
                    # Otherwise the inversion failed on n itself:
                    # abandon this curve and try another
                    break

        raise Exception("ECM failed to factorise {} after computing [{}]P on {} random curves".format(n, max_multiple, max_curves))

Figure 3.2: Comparing the performance of Pollard’s p − 1 and the ECM integer factorisation algorithms.

In Chapter 2 we defined elliptic curves over a field K. Note that Algorithm 3 instead uses elliptic curves defined over Zn. First, a random point P on a random elliptic curve E/Zn is generated. Then, the algorithm computes P,[2]P,[3]P,.... To compute multiples of P one must compute an inverse in Zn. If at some stage this inverse cannot be computed then we have successfully found a factor of n.

Whilst both Algorithm 2 and Algorithm 3 are effective for factorising integers containing small prime factors, they are both probabilistic and hence not guaranteed to terminate on any input. If Algorithm 2 fails to find a factor we can increase the bound B; similarly, if Algorithm 3 fails to find a factor one can increase the max curve and multiple parameters. This means there is a trade-off between the run time of each Algorithm and the probability of successfully finding a prime factor. In Figure 3.1 we can see that our implementation of the ECM outperforms our implementation of Pollard’s p − 1 factorisation algorithm, as one would expect from the time complexities of each algorithm given in Table 3.1. The code used to produce and plot these data is available in Appendix A.3. The performance of the ECM varies significantly due to the random parameters involved in its computation, so we ran each factorisation algorithm several times to plot the average time taken to find a factor.

Each computation on one of the elliptic curves used in the ECM is independent of the computation on all other curves. This means that the ECM can be easily parallelised to boost performance. A two phase factorisation algorithm which uses both Pollard’s p − 1 and Lenstra’s factorisation algorithms in combination was reportedly able to factor integers with smallest prime factors up to 10^20 approximately four times faster than a standard ECM implementation [19].

Remark 33. To gain further insight into the performance of both implementations one could generate and attempt to factorise much larger semiprimes - this was not feasible on my home desktop. However, it is clear that when B is at all large ECM factorises n much faster.

3.3 The Discrete Logarithm Problem and Diffie-Hellman protocol

In this Section we will study the DLP (Problem 1), which is believed to be intractable in certain groups. Several standardised protocols, such as the Diffie-Hellman key exchange protocol, and encryption schemes, such as the Elgamal encryption scheme, are made secure by the difficulty of the DLP in the multiplicative group of a carefully chosen finite field (Problem 2). We will provide an overview of the problem and mention a few of the current state of the art algorithms used to solve the DLP in this setting. Our main goal is to study the ECDLP and the corresponding elliptic curve Diffie-Hellman key exchange protocol. We will provide an overview of the subtleties involved in choosing suitable elliptic curves for which the ECDLP is believed to be hard. Finally, we shall implement and compare two algorithms which compute multiples of a given point on an elliptic curve; for modern cryptography it is vital to make this process as efficient as possible.

Problem 2. The discrete logarithm problem (DLP) in $\mathbb{F}_p^*$. Given: a large prime $p$, a primitive element $g \in \mathbb{F}_p^*$ and a nonzero element $h \in \mathbb{F}_p^*$ with $h = g^x$ for some natural number $x$. Compute: the minimal exponent $x$ such that $g^x \equiv h \pmod p$.

Remark 34. Most integer factorisation algorithms have corresponding algorithms used to solve Problem 2. The probabilistic index calculus method, which runs in subexponential $O\!\left(\exp\left(c\sqrt{(\log p)(\log\log p)}\right)\right)$ time, is usually cited as the fastest general purpose algorithm to solve Problem 2 [32]. Clearly the difficulty of the DLP in $\mathbb{F}_p$ depends on the magnitude of the prime $p$. Unfortunately this means that to provide sufficient security most protocols based on the difficulty of Problem 2 currently require 1024 bit keys.

Remark 35. However, the situation is not this simple. The Pohlig-Hellman algorithm can solve Problem 2 in a group of order $n$, where $n = \prod_i p_i^{a_i}$ is $B$-smooth, in $O\!\left(\sum_i a_i\left(\ln n + \sqrt{p_i}\right)\right)$ time. Note that the performance of the Pohlig-Hellman algorithm and therefore the security of the DLP depends on the size of the largest prime which divides the order of the underlying group.

Problem 3. The Computational Diffie-Hellman problem (CDHP) in $\mathbb{F}_p$. Given: $g^a$, $g^b$ for some $a$ and $b$ in the finite field $\mathbb{F}_p$. Compute: $g^{ab}$.

Remark 36. We shall now explain how the difficulty of the CDHP can be used to allow two users of a public key cryptosystem to establish a shared secret key over an insecure channel using the Diffie-Hellman protocol.

Example 7. (The Diffie-Hellman key exchange). Let Alice and Bob be two users of a public key cryptosystem. Alice and Bob first publicly agree on a group $\mathbb{F}_p^*$ and a generator $g \in \mathbb{F}_p^*$. Alice then selects a random $a \in \mathbb{N}$ such that $1 < a < p$ and sends $g^a \bmod p$ to Bob. Similarly, Bob selects a random $b \in \mathbb{N}$ such that $1 < b < p$ and sends $g^b \bmod p$ to Alice. At this stage Alice computes $(g^b)^a \bmod p$, whilst Bob computes $(g^a)^b \bmod p$. Due to the associative property of groups Alice and Bob now both possess the group element $g^{ab}$ which acts as their shared secret key. An eavesdropper would have access to the values $g \bmod p$, $g^a \bmod p$ and $g^b \bmod p$ but would have to solve Problem 3 to obtain the secret key $g^{ab} \bmod p$.

Remark 37. Several variants of the Diffie-Hellman protocol are supported by TLS in order to establish ephemeral (short-lived) shared keys for use in secure communications over the internet. These keys are regularly renewed and used as part of an encryption scheme. This also provides the protocol with a property known as perfect forward secrecy, which means that even if the latest key is compromised by an adversary, only a small portion of the victim's sensitive data is exposed.

3.3.1 Choosing a Suitable Elliptic Curve for the ECDLP

In the previous Section we saw that Problem 2 (the DLP in the multiplicative group of a finite field) can be solved in subexponential time. In this Section we will study the DLP in the group of points on an elliptic curve, known as the elliptic curve discrete logarithm problem (ECDLP), which is believed to be more difficult. At the time of writing the fastest known algorithms to solve the elliptic curve discrete logarithm problem on a suitably chosen curve $E/\mathbb{F}_p$ take $O(\sqrt{p})$ time. Examples of cryptographic primitives made secure by the difficulty of the ECDLP include the elliptic curve Diffie-Hellman protocol (Example 9), the elliptic curve integrated encryption scheme and the elliptic curve digital signature scheme (Section 3.4.2).

Problem 4. The elliptic curve discrete logarithm problem (ECDLP).

Given: an elliptic curve $E/\mathbb{F}_p$, a base point $P \in E[m]$ and another point $Q \in E(K)$ where $Q = [n]P$ for some secret $n \in \mathbb{N}$. Compute: $n$.

Remark 38. The difficulty of the ECDLP on a given curve depends on the number of points on the curve. The following famous Theorem gives an upper bound for the number of points on a given curve. Moreover, the exact value can be computed by Schoof’s algorithm and the Schoof-Elkies-Atkin (SEA) algorithm [51].

Theorem 15. (Hasse) Let $E/\mathbb{F}_p$ be an elliptic curve. Then $\#E(\mathbb{F}_p) = p + 1 - t_p$, where $|t_p| \le 2\sqrt{p}$.

Proof. See [31], Section 5.1.

Proposition 7. It is possible to solve the ECDLP for $E(\mathbb{F}_p)$ in $O(\sqrt{p})$ steps.

Proof. First randomly select two lists of $r$ integers between 1 and $p$, say $j_1, \ldots, j_r$ and $k_1, \ldots, k_r$. In order to solve $Q = [n]P$ for some integer $n$ and points $P, Q \in E(\mathbb{F}_p)$, first transform the lists of integers into lists of points on the curve as follows:

List 1: $[j_1]P, [j_2]P, [j_3]P, \ldots, [j_r]P$,

List 2: $[k_1](P + Q), [k_2](P + Q), [k_3](P + Q), \ldots, [k_r](P + Q)$.

If a point from list 1 is equal to any value from list 2 (known as a collision) then we have found a solution to the ECDLP because in this case

$[j_u]P = [k_v](P + Q)$, hence $Q = [j_u - k_v]P$ for some $1 \le j_u, k_v \le p$.

Remark 39. The previous proposition provides an upper bound on the complexity of the ECDLP. The main reason protocols based on the ECDLP have become so prevalent in modern cryptography is that decades of research has failed to produce a more efficient algorithm to solve the ECDLP. This means that in order to gain 128-bit security, modern protocols based on Problem 2 require 3092-bit keys, whereas protocols based on Problem 4 require only 256-bit keys.

Example 8. Choosing a suitable curve for which the ECDLP is sufficiently difficult is far from trivial. Most modern ECC protocols use curves of the form $E/\mathbb{F}_{2^p}$ for some large prime $p$, usually a generalised Mersenne prime such as $2^{192} - 2^{64} - 1$, for performance reasons outside the scope of this Thesis. Several bad choices of elliptic curve and base point include:

(a) Curves of the form $E/\mathbb{F}_{2^{nm}}$ for some natural numbers $n$ and $m$. These curves offer significant performance advantages over the usual curves of the form $E/\mathbb{F}_{2^p}$ for some prime $p$. Unfortunately they are vulnerable to polynomial time Weil descent attacks [40].

(b) Curves with small embedding degree, in particular supersingular elliptic curves. These curves are famously vulnerable to the MOV attack [41], which uses the Weil pairing (Section 2.6.2) to reduce the ECDLP on a given curve $E/\mathbb{F}_p$ for some prime $p$ to the easier DLP in the target group $\mathbb{F}_{p^k}$.

(c) Curves of the form $E/\mathbb{F}_p$ where $\#E(\mathbb{F}_p) = p$. These curves are known as anomalous; the ECDLP on such curves can be solved in $O(\ln p)$ operations [50].

(d) To avoid variants of the Pohlig-Hellman attack the order of the base point needs to be a large prime, usually greater than $2^{160}$.

Remark 40. The above observations are not intended to be comprehensive but should give an indication of how subtle the choice of elliptic curve is in ECC. For a list of "safe curves" see [13]. It would seem that implementing curves standardised by NIST, the NSA and other organisations will not necessarily lead to sufficient security, depending on the application. This is because the standards are often only focused on ensuring that the ECDLP is sufficiently hard; in practice some "safe" curves can still be exploited by side channel attacks [43].

Example 9. (The elliptic curve Diffie-Hellman protocol). We will now outline how two users of a public key cryptosystem can establish a shared secret key using the elliptic curve Diffie-Hellman protocol. Alice and Bob first publicly agree on a group $E(\mathbb{F}_p)$ for which the ECDLP is hard and a point $P \in E[m]$. Alice then selects a random $a \in \mathbb{N}$ such that $1 < a < p$ and sends $[a]P$ to Bob. Similarly, Bob selects a random $b \in \mathbb{N}$ such that $1 < b < p$ and sends $[b]P$ to Alice. At this stage Alice computes $[a]([b]P) = [ab]P$, whilst Bob computes $[b]([a]P) = [ba]P$. Alice and Bob then use the point $[ab]P = [ba]P$ as their shared secret key. An eavesdropper would have access to the values $[a]P$ and $[b]P$ but would have to solve the ECDLP to obtain the secret key $[ab]P$.

3.3.2 The Double-and-Add Algorithm

The addition of any two points (including the duplication of a point) on an elliptic curve is known as a point operation. In the previous section we saw that both parties in the elliptic curve Diffie-Hellman protocol (Example 9) need to compute multiples of a point on an elliptic curve. The naive approach to compute $[n]P$ for a given point $P$ on an elliptic curve is to compute $P + P + \cdots + P$ using $n - 1$ applications of the elliptic curve addition algorithm (Theorem 6). In this section we will reduce the number of point operations by computing this sum using the binary expansion of $n$.⁶ A more detailed analysis of various point multiplication algorithms can be found in [24].

Proposition 8. Let $n \ge 2$ be a natural number and $P$ be a point on an elliptic curve $E/\mathbb{F}_p$. Then, it is possible to compute $[n]P$ in at most $2\log_2(n)$ point operations.

⁶ My Python implementation of Algorithm 4 is available in Appendix A.2.

Proof. Let P be a point on the elliptic curve E/Fp. First, write n ∈ N in binary form as

$n = n_0 + 2n_1 + 4n_2 + 8n_3 + \cdots + 2^{r-1}n_{r-1} + 2^r$, where $n_0, n_1, \ldots, n_{r-1} \in \{0, 1\}$.

Next, using $r = \lfloor \log_2 n \rfloor$ applications of Corollary 3 (the duplication formula), compute the points $Q_i = [2^i]P$ for $i = 1, \ldots, r$. We can now rewrite $[n]P$ as a linear combination of the $Q_i$,

$[n]P = n_0Q_0 + n_1Q_1 + n_2Q_2 + \cdots + n_rQ_r.$

Clearly, computing $[n]P$ in this way requires at most $2r$ point operations ($r$ duplications and $r$ point additions). From the binary expansion of $n$ we know that $n \ge 2^r$. Then, taking logs and multiplying both sides of this inequality by two, we obtain the desired upper bound on the number of point operations required, since

$2\log_2(n) \ge 2r.$

Algorithm 4: The binary point multiplication algorithm.
Input: $P \in E(\mathbb{F}_p)$, $2 \le n \in \mathbb{N}$
    Q ← O
    while n > 0:
        if n mod 2 = 1:
            Q ← Q + P
        P ← [2]P
        n ← ⌊n/2⌋
Output: Q = [n]P

Figure 3.3: The performance of the Double-and-Add algorithm to compute multiples of a point on an elliptic curve.

Remark 41. The binary expansion of a random number has approximately the same number of 1s and 0s. Thus, computing $[n]P$ using Algorithm 4 takes approximately $3k/2$ point operations ($k$ duplications and $k/2$ additions).

This point multiplication algorithm illustrates one of the most important advantages of ECC over other protocols. Computing the inversion of a point on an elliptic curve is trivial since we can just change the sign of the y coordinate. Alternatively, to compute the inverse of an element in a finite field we would need to use the extended Euclidean algorithm, which is much more computationally expensive.

3.4 Comparing Digital Signature Schemes

In this Section we will implement and compare three secure digital signature schemes. We will assume throughout that a signer $S$ intends to sign a message $M$ with their private key $S_{priv}$ before a verifier $V$ verifies the signed message $M_S$ with the public key $S_{pub}$.

Definition 27. A digital signature scheme is said to be secure if it satisfies the following properties:

(a) Given a user’s public key, an adversary cannot compute a key that produces the same signatures as the user’s private key.

(b) Given a user's public key, a list of messages and their corresponding signatures, an attacker cannot determine a valid signature on any other message.

Remark 42. Secure digital signature schemes are often quite slow. To solve this problem a cryptographic hash of the original message is usually signed instead of signing the entire message. In practice an identification number and a record of the time the message was sent are also included as input to the hash function to achieve message integrity.

Table 3.2 summarises the sizes of signatures required by various signature schemes to achieve the same level of security [44]. It is clear that the BLS signature scheme studied at the end of this Section provides the smallest signature size.

Table 3.2: Comparing digital signature schemes.

Digital signature scheme    Signature size (λ)    Signature size when λ = 128 (bits)
RSA                         O(λ^3)                2048 bits
ECDSA                       4λ                    512 bits
Schnorr                     3λ                    384 bits
BLS                         2λ                    256 bits

3.4.1 The RSA Digital Signature Scheme

Our first example of a secure digital signature scheme is based on the hard problem of factorising integers. This scheme uses the same key generation algorithm as the RSA encryption scheme (Section 3.2.1). However, the integers $e$ and $d$ previously used to encrypt and decrypt are now used to sign and verify a given message respectively.

Table 3.3: The RSA digital signature scheme

Key generation:
  Signer: $p_S, q_S \leftarrow$ random large primes; $n_S \leftarrow p_S q_S$; $\phi(n_S) \leftarrow (p_S - 1)(q_S - 1)$; $e_S \leftarrow$ random integer with $1 < e_S < \phi(n_S)$ such that $\gcd(e_S, \phi(n_S)) = 1$; $d_S \leftarrow e_S^{-1} \bmod \phi(n_S)$; $S_{pub} \leftarrow (n_S, e_S)$; $S_{pri} \leftarrow (n_S, d_S)$.
  Verifier: $p_V, q_V \leftarrow$ random large primes; $n_V \leftarrow p_V q_V$; $\phi(n_V) \leftarrow (p_V - 1)(q_V - 1)$; $e_V \leftarrow$ random integer with $1 < e_V < \phi(n_V)$ such that $\gcd(e_V, \phi(n_V)) = 1$; $d_V \leftarrow e_V^{-1} \bmod \phi(n_V)$; $V_{pub} \leftarrow (n_V, e_V)$; $V_{pri} \leftarrow (n_V, d_V)$.

Key distribution:
  $S_{pub} \leftarrow$ usually obtained from a certification authority.

Signing:
  $M_S \leftarrow M^{d_S} \bmod n_S$.

Verification:
  $\mathrm{Verify}(M, M_S, S_{pub}) = 1$ if $M_S^{e_S} = M$ and 0 otherwise.

Remark 43. Both the above RSA Verify function and the RSA decryption function rely on Theorem 14 (Euler's formula), which tells us that $(M^{d_S})^{e_S} = M$. Clearly, if an adversary can factor $n_S$ then they can efficiently compute $d_S$. To forge a signature an adversary would need to find an $e_S$-th root of $M$ modulo $n_S$. This means we need to choose $n_S$ carefully, as in the RSA encryption scheme (Section 3.2.1).
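As an added example (not the thesis's own code), the scheme of Table 3.3 in Python, signing a hash of the message as Remark 42 recommends; the last function illustrates Remark 43, that whoever factors $n_S$ recovers $d_S$. All function names are mine, and the Mersenne primes used when exercising it are chosen only because they are easy to verify and are far too small for real use.

```python
import hashlib
import math

# Added example, not the thesis's code: Table 3.3 with the hash-then-sign practice of
# Remark 42. Key pairs are tuples; (n, e) is public and (n, d) is private.

def rsa_keygen(p, q, e=65537):
    """Key generation of Table 3.3: n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), (n, pow(e, -1, phi))          # (S_pub, S_priv)

def digest(msg, n):
    """Remark 42: the signer signs H(M), reduced so that it is a residue modulo n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def rsa_sign(priv, msg):
    """Signing: M_S = H(M)^d mod n."""
    n, d = priv
    return pow(digest(msg, n), d, n)

def rsa_verify(pub, msg, sig):
    """Verification: Verify = 1 iff M_S^e = H(M) mod n, by Euler's formula (Theorem 14)."""
    n, e = pub
    return 0 <= sig < n and pow(sig, e, n) == digest(msg, n)

def recover_private_key(pub, p):
    """Remark 43: knowing one prime factor p of n is enough to recompute d exactly as
    the key owner did, which is why n must be large enough that factoring is infeasible."""
    n, e = pub
    return (n, pow(e, -1, (p - 1) * (n // p - 1)))
```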

3.4.2 The Elliptic Curve Digital Signature Algorithm

In 1985 the Elgamal digital signature scheme became the first standardised algorithm to provide digital authentication. In 1991 this scheme was modified to form the digital signature algorithm [9]. The security of both schemes is based on the difficulty of the DLP in the multiplicative group of a finite field (Problem 2). We have already indicated that the ECDLP is believed to be more difficult, so we will instead study the elliptic curve digital signature algorithm (ECDSA). The ECDSA uses the theory of elliptic curves to establish relatively short digital signatures.

Table 3.4: The elliptic curve digital signature algorithm (ECDSA)

Public parameters: A trusted third party chooses a suitable elliptic curve $E(\mathbb{F}_p)$ and a point $G \in E(\mathbb{F}_p)$ of large prime order $q$.

Key creation (signer):
  $S_{priv} \leftarrow$ random integer with $1 < S_{priv} < q - 1$.
  $S_{pub} \leftarrow [S_{priv}]G \in E(\mathbb{F}_p)$.

Signing (signer):
  $r \leftarrow$ random integer with $1 < r < q - 1$.
  $s_1 \leftarrow X([r]G) \bmod q$.
  $s_2 \leftarrow (M + s_1 S_{priv})\, r^{-1} \bmod q$.
  $M_S \leftarrow (s_1, s_2)$.

Verification (verifier):
  $v_1 \leftarrow M s_2^{-1} \bmod q$.
  $v_2 \leftarrow s_1 s_2^{-1} \bmod q$.
  $\mathrm{Verify}(M, M_S, S_{pub}) = 1$ if $X([v_1]G + [v_2]S_{pub}) \bmod q = s_1$ and 0 otherwise.
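The following Python is added here and is not taken from the thesis or its appendix: it implements the chord-and-tangent addition and Algorithm 4 once over $\mathbb{Z}_n$ and then uses them three ways, for Lenstra's ECM (Algorithm 3, where a failed inverse surfaces the factor), for the elliptic curve Diffie-Hellman exchange of Example 9, and for ECDSA signing and verification as in Table 3.4. It assumes the secp256k1 parameters, a standard curve of the form $E/\mathbb{F}_p$, for ECDH and ECDSA; all function names are my own.

```python
import hashlib
import math
import random

# Added example, not the thesis's code: a point is an (x, y) tuple, None is O, and the curve is y^2 = x^3 + a*x + b over Z_n.

class FactorFound(Exception):
    """An inverse in Z_n does not exist; the offending gcd divides n."""
    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor

def inv(a, n):
    g = math.gcd(a % n, n)
    if g != 1:
        raise FactorFound(g)          # for the ECM this failure is the success condition
    return pow(a, -1, n)

def ec_add(P, Q, a, n):
    """Chord-and-tangent addition in affine coordinates (the Theorem 6 formulas)."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return None                   # P + (-P) = O, which also covers points of order 2
    if P == Q:
        m = (3 * x1 * x1 + a) * inv(2 * y1, n) % n    # tangent slope
    else:
        m = (y2 - y1) * inv(x2 - x1, n) % n           # chord slope
    x3 = (m * m - x1 - x2) % n
    return (x3, (m * (x1 - x3) - y1) % n)

def ec_mul(k, P, a, n):
    """Algorithm 4: double-and-add driven by the binary expansion of k."""
    Q = None
    while k > 0:
        if k & 1:
            Q = ec_add(Q, P, a, n)
        P = ec_add(P, P, a, n)
        k >>= 1
    return Q

def lenstra_ecm(n, curves=50, bound=100, seed=1):
    """Algorithm 3: on random curves over Z_n multiply P by 2, 3, ..., bound until an inverse fails; that gcd is a factor of n."""
    rng = random.Random(seed)         # seeded only so that the run is reproducible
    for _ in range(curves):
        x, y, a = rng.randrange(n), rng.randrange(n), rng.randrange(n)
        b = (y * y - x ** 3 - a * x) % n              # choose b so that (x, y) lies on E
        if math.gcd(4 * a ** 3 + 27 * b * b, n) != 1:
            continue                  # E is singular modulo a factor of n: next curve
        P = (x, y)
        try:
            for k in range(2, bound + 1):
                P = ec_mul(k, P, a, n)
        except FactorFound as e:
            if e.factor < n:          # gcd == n means every prime factor failed at once
                return e.factor
    return None                       # raise `curves` or `bound` and try again

# secp256k1, y^2 = x^3 + 7 over F_p: the curve used with ECDSA in Bitcoin.
P_K1 = 2 ** 256 - 2 ** 32 - 977
G_K1 = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Q_K1 = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141   # prime order of G

def mul_k1(k, P):
    return ec_mul(k, P, 0, P_K1)

def ecdh_shared(a_priv, b_priv):
    """Example 9: Alice computes [a]([b]G) and Bob computes [b]([a]G); both get [ab]G."""
    A, B = mul_k1(a_priv, G_K1), mul_k1(b_priv, G_K1)       # the exchanged public points
    return mul_k1(a_priv, B), mul_k1(b_priv, A)

def hash_to_int(msg, q=Q_K1):
    """Remark 42: the signature covers H(M), reduced into Z_q, not M itself."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def ecdsa_sign(priv, msg, rng=None, q=Q_K1):
    """Table 3.4: M_S = (s1, s2) with s1 = x([r]G) mod q and s2 = (M + s1*priv) r^-1 mod q."""
    rng = rng or random.SystemRandom()
    M = hash_to_int(msg, q)
    while True:
        r = rng.randrange(1, q)       # the nonce must be fresh and secret for every signature
        s1 = mul_k1(r, G_K1)[0] % q
        s2 = (M + s1 * priv) * pow(r, -1, q) % q
        if s1 and s2:                 # Table 3.4 silently assumes neither value is zero
            return (s1, s2)

def ecdsa_verify(pub, msg, sig, q=Q_K1):
    """Table 3.4: accept iff x([v1]G + [v2]S_pub) mod q == s1."""
    s1, s2 = sig
    if not (0 < s1 < q and 0 < s2 < q):
        return False
    w = pow(s2, -1, q)
    v1, v2 = hash_to_int(msg, q) * w % q, s1 * w % q
    R = ec_add(mul_k1(v1, G_K1), mul_k1(v2, pub), 0, P_K1)
    return R is not None and R[0] % q == s1
```

Verification succeeds because $[v_1]G + [v_2]S_{pub} = s_2^{-1}(M + s_1 S_{priv})G = [r]G$, so its x-coordinate reduced modulo $q$ is exactly $s_1$.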

3.4.3 BLS Signatures

One simple application of the bilinear pairings studied in Section 2.6 is the BLS signature scheme developed by Dan Boneh, Ben Lynn and Hovav Shacham [18]. This signature scheme has two main advantages over the ECDSA and RSA digital signature schemes. Firstly, only one element from a group $G$ is needed to sign a given message $m$. Moreover, suppose $n$ users want to sign $n$ messages and aggregate the $n$ signatures into one concise signature. This is made possible by the BLS signature scheme and was recently applied in the second version of Ethereum [21].

Table 3.5: The BLS digital signature scheme

Public parameters: A trusted third party chooses a suitable elliptic curve $E(\mathbb{F}_p)$ and a point $G \in E(\mathbb{F}_p)$ of large prime order $q$.

Key creation (signer):
  $S_{priv} \xleftarrow{R} \mathbb{F}_p^*$.
  $S_{pub} \leftarrow [S_{priv}]G$.

Signing (signer):
  $h \leftarrow H(M)$.
  $M_S \leftarrow h^{S_{priv}}$.

Verification (verifier):
  $\mathrm{Verify}(S_{pub}, M, M_S) = 1$ if $e(G, H(M)^x) = e(G^x, H(M))$ and 0 otherwise, where $x = S_{priv}$ and the group is written multiplicatively, so that $H(M)^x = M_S$ and $G^x = S_{pub}$.

The BLS Verify function works because for any bilinear pairing $e$ we have

$e(G, H(M)^x) = e(G, H(M))^x = e(G^x, H(M)).$

Remark 44. The linearity of bilinear pairings allows us to aggregate multiple BLS signatures. This is useful to collect multiple digital signatures into one more concise signature, particularly in blockchain applications. Suppose we want to aggregate $n$ signatures produced by $n$ users signing $n$ messages into a single concise signature $S$. We first define each user's private and public keys as follows:

$u_{priv} \leftarrow x_i, \qquad u_{pub} = g^{x_i},$ for some $g \in G$ and prime $p$.

Then each message $m_i$ is signed using the hash function $H$ as follows:

$s_i = \mathrm{Sign}(m_i) = H(m_i)^{x_i}.$

Our aggregate signature $S$ is then defined as

$S = \prod_{i=1}^{n} s_i.$

By the linearity of the bilinear pairing we have that

$\prod_{i=1}^{n} e(H(m_i), g^{x_i}) = \prod_{i=1}^{n} e(H(m_i)^{x_i}, g) = e\left(\prod_{i=1}^{n} H(m_i)^{x_i}, g\right) = e(S, g).$

So we can verify an aggregated BLS signature as follows:

$\mathrm{Verify}(S, g) = \begin{cases} 1, & \text{if } \prod_{i=1}^{n} e(H(m_i), g^{x_i}) = e(S, g), \\ 0, & \text{otherwise.} \end{cases}$

Remark 45. Several other digital signature aggregation techniques are summarised in [18].

Chapter 4

Conclusion

ECC was originally viewed with scepticism by the mathematical community. In 1997 RSA co-inventor Ron Rivest made a statement on his company's website: "The security of cryptosystems based on elliptic curves is not well understood, due in large part to the abstruse nature of elliptic curve ... I would advise against fielding any large-scale applications based on them." After much open source development, ECC has now been accepted by the mathematical community and is being adopted at an increasing rate by individuals and corporations around the world.

In Chapter 3 we discussed some of the ways in which cryptosystems can be poorly implemented. We shall now briefly compare the security of two properly implemented primitives, one based on the hard problem of factorising large semiprimes and another based on the difficulty of the ECDLP. Both the security and key length of a given cryptosystem are measured in bits; unfortunately the relationship between the two is not consistent from primitive to primitive. In 2013 Lenstra [37] introduced the concept of "Universal security" to compare the security of different cryptosystems using the approximate amount of energy required to break them. In this model, breaking a 228-bit RSA key requires less energy than boiling a teaspoon of water. Comparatively, breaking a 228-bit elliptic curve key requires enough energy to boil all water on earth. This means that a 256-bit elliptic curve public key provides comparable security to a 3072-bit RSA public key. We conclude that in general, cryptographic primitives based on the difficulty of the ECDLP are much more efficient than analogous primitives based on the difficulty of factorising large semiprimes. Whilst RSA may be easier to implement for companies and individuals without an extensive mathematical background, it should now be clear to the reader why ECC has found applications in almost all areas of information security.
In fact the mobile phone in your pocket and the computer that you are reading this on most likely use some form of ECC on a regular basis. Furthermore, the field is expanding so quickly that it would appear many of the possible applications of ECC are yet to be implemented. A good example of this is pairing based cryptography, which was originally used in 1991 to efficiently solve the ECDLP on supersingular elliptic curves [41]. Just a decade later, several other applications were published including Boneh and Franklin's identity based encryption scheme [17] and the BLS signature scheme (Section 3.4.3). Today, hundreds (if not thousands) of papers on pairing based cryptography are published every year and pairing based primitives are beginning to be standardised by several international organisations.

In Section 3.4 we studied several examples of digital signature schemes used to establish the authenticity of communications. In recent years these concepts have been extended to implement blinded digital signatures, which provide authentication without allowing the signer to view the contents of the message. This has important applications in situations where the sender's privacy is important, such as digital currencies and online voting protocols [46].

Several ECC protocols have recently been applied to blockchain technology. However, at the time of writing, a trusted third party known as a certification authority is required in order to be sure that a public key really belongs to the intended recipient. This public-key infrastructure is currently required to prevent "man in the middle" attacks on secure cryptosystems where an adversary intercepts messages from both communicating parties to forge illegitimate signatures. models such as PGP attempted to remove the need for certification authorities by creating a "decentralised fault-tolerant web of confidence for all public keys." PGP was heavily criticised for its lack of forward secrecy and large key lengths. Perhaps another will achieve the goal of true decentralisation in future?

Throughout this Thesis we have primarily focused on public key cryptosystems secured by some variant of the integer factorisation or discrete logarithm problems.
Unfortunately, a sufficiently powerful quantum computer running Shor's algorithm [52] could solve both problems in most settings within polynomial time (and hence crack the vast majority of encryption across the internet). There is now a race to develop efficient "post-quantum" algorithms based on problems that are sufficiently hard for both quantum and classical computers. At the time of writing NIST is considering 26 potential candidates for standardisation; one of these approaches relies on certain properties of supersingular elliptic curves and supersingular isogeny graphs to create a new version of the Diffie-Hellman key exchange protocol [22]. Other candidates include lattice based cryptography such as the NTRU system, which is based on the difficulty of the shortest vector problem [45]. Other lattice based cryptosystems are currently being researched due to their potential applications in performing operations on encrypted data. This process is known as "homomorphic encryption" and is viewed by many as the next major goal of cryptography. If realised, fully homomorphic cryptosystems could have a range of applications ranging from privacy-preserving cloud computing to predictive healthcare analytics.

Appendix A

Appendix

Given more time I would have liked to implement more of the algorithms studied throughout Chapter 3. I would also make the following optimisations to improve the efficiency of my code:

1. Only compute the x coordinate of points on elliptic curves with an additional bit to determine the corresponding y value which could then be computed only when needed.

2. Rewrite the code in a more performance focused language such as C++.

A.1 Curve.py

# The curve class to allow for construction of elliptic curve objects
# in short Weierstrass normal form where y^2 = x^3 + Bx + C (mod mod)
class curve(object):

    def __init__(self, B, C, mod):
        self.mod = mod
        self.B = B
        self.C = C

        # Checks that the curve to be defined is non-singular. The discriminant must be
        # nonzero modulo the prime, not merely as an integer, for the curve to be smooth over F_mod.
        self.discriminant = -16 * (4 * B * B * B + 27 * C * C)
        if self.discriminant % mod == 0:
            raise Exception("Error! The curve {} is not smooth. Exiting".format(self))

    # Allows object to be printed as a string
    def __str__(self):
        return "y^2 = x^3 + {}x + {} mod {}".format(self.B, self.C, self.mod)

    def __repr__(self):
        return str(self)

    # Overloads the equality operator to allow program to check if two curves are "equal"
    def __eq__(self, curve2):
        return (self.B, self.C) == (curve2.B, curve2.C)


A.2 Point.py

import math
import sympy

# This exception is raised when the inverse of a point cannot be computed to find a factor in the ECM
class LenstraException(Exception):
    def __init__(self, factor):
        self.factor = factor

# Computes the inverse of an element a in the finite field F_mod
def inverse(a, mod):
    try:
        return sympy.mod_inverse(a, mod)
    except ValueError:
        # Raises the above exception if there is no inverse
        raise LenstraException(a)

class point(object):
    # Class to represent points on a given elliptic curve, contains methods for several point operations
    def __init__(self, curve, x, y):
        self.curve = curve
        self.x = x
        self.y = y

        # Check point is on curve
        if pow(self.y, 2) % self.curve.mod != (pow(self.x, 3) + self.curve.B * self.x + self.curve.C) % self.curve.mod:
            raise Exception("Error. The point {} is not on the curve {}".format(self, curve))

    def __str__(self):
        return "({},{})".format(self.x, self.y)

    def __repr__(self):
        return str(self)

    def __eq__(self, point2):
        # The point at infinity has no coordinates, so it is compared by type
        if isinstance(self, identity) or isinstance(point2, identity):
            return isinstance(self, identity) and isinstance(point2, identity)
        return (self.x, self.y) == (point2.x, point2.y)

    def __neg__(self):
        return point(self.curve, self.x, -self.y)

    def __sub__(self, Q):
        return self + (-Q)

    def order(self):
        # Calculates the order of a point on an elliptic curve: the smallest i with [i]P = O.
        # By Hasse's theorem (Theorem 15) the order is at most mod + 1 + 2*sqrt(mod).
        for i in range(1, self.curve.mod + 2 + 2 * math.isqrt(self.curve.mod)):
            if isinstance(i * self, identity):
                return i

    def validate(self):
        if isinstance(self, identity):
            return True
        else:
            return ((self.y ** 2 - (self.x ** 3 + self.curve.B * self.x + self.curve.C)) % self.curve.mod == 0
                    and 0 <= self.x < self.curve.mod and -self.curve.mod <= self.y < self.curve.mod)

    # Elliptic curve addition algorithm (Theorem 2.24)
    def __add__(self, Q):
        P = self

        # Check both P and Q are on the curve
        if P.validate() == False:
            raise ValueError("Error! {} is not on curve".format(P))
        if Q.validate() == False:
            raise ValueError("Error! {} is not on curve".format(Q))

        # P + 0 = P
        if isinstance(Q, identity):
            return P

        # 0 + Q = Q
        if isinstance(P, identity):
            return Q

        # P + -P = 0 (compared modulo the prime, since a y coordinate may be stored as y or y - mod)
        if P.x == Q.x and (P.y + Q.y) % P.curve.mod == 0:
            return identity(P.curve)

        # P + P = 2P uses the tangent slope, any other pair uses the chord slope
        if P == Q:
            m = (3 * (P.x * P.x) + P.curve.B) * inverse(2 * P.y, P.curve.mod)
        else:
            m = (Q.y - P.y) * inverse(Q.x - P.x, P.curve.mod)

        x3 = (m * m - P.x - Q.x) % P.curve.mod
        y3 = (m * (P.x - x3) - P.y) % P.curve.mod
        R = point(P.curve, x3, y3)

        # Ensure R is on the curve
        assert R.validate()

        return R

    # The binary Double-and-Add algorithm to compute multiples of a point (Section 3.3.2)
    def __rmul__(self, n):
        P = self
        Q = identity(self.curve)
        while n > 0:
            if n % 2 == 1:
                Q = Q + P
            P = P + P
            n = n // 2
        return Q

# Class for the point at infinity on a given elliptic curve
class identity(point):
    def __init__(self, curve):
        self.curve = curve

    def __str__(self):
        return "O"

    def __repr__(self):
        return str(self)

    def __neg__(self):
        return self

A.3 Plotting the Performance of the ECM and Pollard's p-1

import numpy as np
import sympy
import time
import math
from matplotlib import pyplot as plt
from Pollard import pollard
from lenstras import ECM

def plot_comparison(repeats):
    print("working")
    semiprimes = []
    B = []
    ub = int(1e12)
    count = 1
    # Build semiprimes n = p*q whose smaller factor B = min(p, q) doubles at each step
    while count < ub:
        p = sympy.nextprime(count)
        q = sympy.nextprime(ub - count)
        B.append(min(p, q))
        n = p * q
        semiprimes.append(n)
        count = count * 2

    print(semiprimes)
    print(len(semiprimes))

    performance = []
    for i in range(len(semiprimes)):
        n = semiprimes[i]
        print("{} Computations remaining (n= {})".format(len(semiprimes) - i, n))

        total_p_time = 0
        total_ecm_time = 0

        # Average the time taken by each algorithm over `repeats` runs; -1 records a failure
        for iteration in range(repeats):
            try:
                p_start = time.time()
                pollard(n)
                p_end = time.time()
                total_p_time += p_end - p_start
                avg_p_time = total_p_time / repeats
            except Exception:
                print("pollard failed for n=", n)
                avg_p_time = -1

            try:
                ecm_start = time.time()
                ECM(n)
                ecm_end = time.time()
                total_ecm_time += ecm_end - ecm_start
                avg_ecm_time = total_ecm_time / repeats
            except Exception:
                print("ECM failed for n=", n)
                avg_ecm_time = -1

        performance.append((math.log(B[i]) / math.log(2), avg_p_time, avg_ecm_time))

    matrixDat = np.array(performance)
    plt.plot(matrixDat[:, 0], matrixDat[:, 1], '+', color='red', label="Pollard's p-1 method")
    plt.plot(matrixDat[:, 0], matrixDat[:, 2], 'x', color='green', label='ECM')
    plt.xlabel("B (bits)")
    plt.ylabel('Time taken to compute B (seconds)')
    plt.legend(numpoints=1)
    plt.show()

plot_comparison(5)

A.4 Plotting the Performance of the Double-and-Add algorithm

import time
import sympy
import numpy as np
from matplotlib import pyplot as plt
import random
from Curve import curve
from Point import point

def compare(curves, multiple, repeats):
    mod = sympy.nextprime(multiple)
    total_bin_time = 0

    for r in range(repeats):
        for i in range(curves):
            # Pick a random point (x, y) and coefficient B, then solve for C so the point is on the curve
            B, x, y = random.randint(0, mod - 1), random.randint(0, mod - 1), random.randint(0, mod - 1)
            C = (pow(y, 2) - pow(x, 3) - B * x) % mod

            try:
                E = curve(B, C, mod)
                P = point(E, x, y)
            except Exception:
                print("invalid curve")
                continue

            try:
                bin_start = time.time()
                multiple * P
                bin_end = time.time()
                total_bin_time += bin_end - bin_start
            except Exception:
                print("multiplication failed")
                continue

    return [multiple, total_bin_time / repeats]

def plot(curves, max_multiple, repeats):
    step = max_multiple // 19
    remaining = (max_multiple - step) // step
    data = []

    for multiple in range(step, max_multiple, step):
        print("{} Computations remaining".format(remaining))
        remaining -= 1
        data.append(compare(curves, multiple, repeats))

    data = np.array(data)
    plt.plot(data[:, 0], data[:, 1], '+', color='red', label='Binary Double-And-Add Algorithm')
    plt.xlabel("Multiple n")
    plt.ylabel('Average Time taken to compute (seconds)')
    plt.legend(numpoints=1)
    plt.show()

plot(50, int(1e20), 50)

Bibliography

[1] Are graded encoding schemes broken yet? https://malb.io/are-graded-encoding-schemes-broken-yet.html. Accessed: 2010-09-30.

[2] A brief . http://www.cypher.com.au/crypto_history.htm. Accessed: 2010-02-13.

[3] CSS demystified. https://cs.stanford.edu/people/eroberts/cs201/projects/1999-00/dmca-2k/css.html. Accessed: 2010-02-13.

[4] Double spending explained. https://academy.binance.com/en/articles/double-spending-explained. Accessed: 2010-02-13.

[5] Encrypting file system. https://www.sciencedirect.com/topics/computer-science/encrypting-file-system. Accessed: 2010-02-13.

[6] History of elliptic curves rank records. https://web.math.pmf.unizg.hr/~duje/tors/rankhist.html. Accessed: 2010-09-30.

[7] NIST removes cryptography algorithm from random number generator recommendations. https://www.nist.gov/news-events/news/2014/04/nist-removes-cryptography-algorithm-random-number-generator-recommendations. Accessed: 2021-04-27.

[8] Overview of history of elliptic curves and their use in cryptography. https://www.ijser.org/researchpaper/Overview-of-History-of-Elliptic-Curves-and-its-use-in-cryptography.pdf.

[9] Secure hash standard. https://csrc.nist.gov/csrc/media/publications/fips/180/2/archive/2002-08-01/documents/fips180-2withchangenotice.pdf. Accessed: 2021-28-04.

[10] What is cryptography and how do we use it in modern day computing? https://www.beaming.co.uk/knowledge-base/cryptography-use-modern-day-networking/. Accessed: 2010-02-13.

[11] What is TLS (transport layer security)? https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/. Accessed: 2010-02-13.

[12] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES is in P. Annals of Mathematics, pages 781–793, 2004.

[13] Daniel J. Bernstein and Tanja Lange. Choosing safe curves for elliptic-curve cryptography. https://safecurves.cr.yp.to/. Accessed: 2021-04-30.


[14] Daniel J. Bernstein and Tanja Lange. Faster addition and doubling on elliptic curves. In International Conference on the Theory and Application of Cryptology and Information Security, pages 29–50. Springer, 2007.

[15] Manjul Bhargava and Arul Shankar. Binary quartic forms having bounded invariants, and the boundedness of the average rank of elliptic curves. Annals of Mathematics, pages 191–242, 2015.

[16] Dan Boneh et al. Twenty years of attacks on the cryptosystem. Notices of the AMS, 46(2):203–213, 1999.

[17] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing. In Annual International Cryptology Conference, pages 213–229. Springer, 2001.

[18] Dan Boneh, Craig Gentry, Ben Lynn, Hovav Shacham, et al. A survey of two signature aggregation techniques, 2003.

[19] Richard P. Brent. Some algorithms using elliptic curves. arXiv preprint arXiv:1004.3366, 2010.

[20] Bill Buchanan. Not playing randomly: The Sony PS3 and Bitcoin crypto hacks. https://medium.com/asecuritysite-when-bob-met-alice/not-playing-randomly-the-sony-ps3-and-bitcoin-crypto-hacks-c1fe92bea9bc.

[21] Multiple contributors. 2.0 phase 0 github. https://github.com/ethereum/eth2.0-specs/blob/dev/specs/phase0/beacon-chain.md#bls-signatures. Accessed: 2021-04-30.

[22] Craig Costello, Patrick Longa, and Michael Naehrig. Efficient algorithms for supersingular isogeny Diffie-Hellman. In Annual International Cryptology Conference, pages 572–601. Springer, 2016.

[23] Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[24] Nishant Doshi. A novel approach for cryptography technique on perturbed data for distributed environment. International Journal on Cryptography and Information Security (IJCIS), 2(3), 2012.

[25] David Eisenbud, Mark Green, and Joe Harris. Cayley-Bacharach theorems and conjectures. Bulletin of the American Mathematical Society, 33(3):295–324, 1996.

[26] Reza R. Farashahi and Marc Joye. Efficient arithmetic on Hessian curves. In International Workshop on Public Key Cryptography, pages 243–260. Springer, 2010.

[27] William Fulton. Algebraic curves. An Introduction to Algebraic Geom, page 54, 2008.

[28] Glenn Greenwald. Revealed: how US and UK spy agencies defeat internet privacy and security. https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security. Accessed: 2021-04-27.

[29] Andrew Hodges. Alan Turing: the Enigma: The Book That Inspired the Film "The Imitation Game". Princeton University Press, 2014.

[30] Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, and Joseph H. Silverman. An introduction to mathematical cryptography, volume 1. Springer, 2008.

[31] Joseph H. Silverman. Arithmetic of Elliptic Curves (1). Springer, 1986.

[32] Antoine Joux. Faster index calculus for the medium prime case: application to 1175-bit and 1425-bit finite fields. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 177–193. Springer, 2013.

[33] Neal Koblitz. Elliptic curve cryptosystems. Mathematics of computation, 48(177):203–209, 1987.

[34] Neal Koblitz. A course in number theory and cryptography, volume 114. Springer Science & Business Media, 1994.

[35] Daniel Sion Kubert. Universal bounds on the torsion of elliptic curves. Proceedings of the London Mathematical Society, 3(2):193–237, 1976.

[36] Serge Lang. Elliptic curves: Diophantine analysis, volume 231. Springer, 1978.

[37] Arjen K Lenstra, Thorsten Kleinjung, and Emmanuel Thome.´ Universal security. In Number theory and cryptography, pages 121–124. Springer, 2013.

[38] Hendrik W Lenstra Jr. Factoring integers with elliptic curves. Annals of mathematics, pages 649–673, 1987.

[39] Leonid A Levin. The tale of one-way functions. Problems of Information Transmission, 39(1):92–103, 2003.

[40] Alfred Menezes and Minghua Qu. Analysis of the weil descent attack of gaudry, hess and smart. In Cryptographers’ Track at the RSA Conference, pages 308–318. Springer, 2001.

[41] Alfred J Menezes, Tatsuaki Okamoto, and Scott A Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. iEEE Transactions on information Theory, 39(5):1639–1646, 1993.

[42] Victor S Miller. Use of elliptic curves in cryptography. In Conference on the theory and application of cryptographic techniques, pages 417–426. Springer, 1985.

[43] Bodo Moller.¨ Securing elliptic curve point multiplication against side-channel attacks. In International Conference on Information Security, pages 324–334. Springer, 2001.

[44] Mehran Alidoost Nia, Ali Sajedi, and Aryo Jamshidpey. An introduction to digital signature schemes. arXiv preprint arXiv:1404.2820, 2014.

[45] Chris Peikert. A decade of lattice cryptography. Foundations and Trends® in Theoretical Computer Science, 10(4):283–424, 2016.

[46] David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind sig- natures. Journal of cryptology, 13(3):361–396, 2000.

[47] John M Pollard. Theorems on factorization and primality testing. In Mathematical Proceedings of the Cambridge Philosophical Society, volume 76, pages 521–528. Cambridge University Press, 1974.

[48] Carl Pomerance. A tale of two sieves. In Notices Amer. Math. Soc. Citeseer, 1996.

[49] N Ramanjaneya Reddy, Pakanati Chenna Reddy, and Mokkala Padmavathamma. Study the impact of carmichael function on rsa. In International Conference on Smart Trends for Infor- mation Technology and Computer Communications, pages 752–756. Springer, 2016.

[50] Takakazu Satoh, Kiyomichi Araki, et al. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Rikkyo Daigaku sugaku zasshi, 47(1):81–92, 1998. BIBLIOGRAPHY 90

[51] Rene´ Schoof. Counting points on elliptic curves over finite fields. Journal de theorie´ des nombres de Bordeaux, 7(1):219–254, 1995.

[52] Peter W Shor. Algorithms for quantum computation: discrete logarithms and factoring. In Proceedings 35th annual symposium on foundations of computer science, pages 124–134. Ieee, 1994.

[53] Joseph H Silverman and John Torrence Tate. Rational points on elliptic curves, volume 9. Springer, 1992.

[54] Alberto Sonnino and Giorgio Sonnino. Elliptic-curves cryptography on high-dimensional sur- faces. arXiv preprint arXiv:1610.01518, 2016.

[55] Guido Van Rossum and Fred L Drake Jr. Python tutorial. Centrum voor Wiskunde en Infor- matica Amsterdam, The Netherlands, 1995.

[56] Andre´ Weil. L’arithmetique´ sur les courbes algebriques.´ Acta Mathematica, 52:281 – 315, 1929.

[57] Andrew Wiles. Modular elliptic curves and fermat’s last theorem. Annals of mathematics, pages 443–551, 1995.

[58] Andrew Wiles. The birch and swinnerton-dyer conjecture, 2006.