
Generating Elliptic Curves with Prime Order by Complex Multiplication


Academic year: 2021


Full text

National Chiao Tung University, Institute of Computer Science and Engineering, Master's Thesis

Generating Elliptic Curves with Prime Order by Complex Multiplication

Student: Pei-Chuan Tsai
Advisor: Dr. Rong-Jaye Chen

A Thesis Submitted to the Institute of Computer Science and Engineering, College of Computer Science, National Chiao Tung University, in partial fulfillment of the requirements for the degree of Master in Computer Science.

October 2009, Hsinchu, Taiwan, Republic of China (Republic of China year 98).


Generating Elliptic Curves with Prime Order by Complex Multiplication

Student: Pei-Chuan Tsai. Advisor: Dr. Rong-Jaye Chen. Institute of Computer Science and Engineering, National Chiao Tung University.

ABSTRACT

Since Koblitz and Miller first proposed the use of elliptic curves in cryptosystems in 1985, elliptic curve cryptography has attracted many cryptographic researchers. Its benefits, such as shorter key sizes and efficient computation, make it a popular and better choice for constructing cryptosystems. Efficiently generating elliptic curves suitable for a given cryptosystem is therefore an important issue. One such cryptosystem is the pairing-based cryptosystem, whose main requirement on the curve is a small embedding degree. Currently, the only known way to generate such curves is the complex multiplication (CM) method. Complex multiplication lets us fix the number of points of an elliptic curve over a finite field first and then compute a curve with the desired order. Compared with the approach that selects random curves and uses a point counting algorithm to obtain secure elliptic curves, complex multiplication is a deterministic algorithm. In this thesis we summarize the mathematical background of complex multiplication and implement the algorithm for computing the Weber class polynomial, which plays an important role in the CM method.

Keywords: elliptic curve, complex multiplication, class polynomial.


Contents

Abstract (Chinese)  i
Abstract  ii
Acknowledgement  iii
Table of Contents  iv
List of Tables  vi
List of Figures  vii
1 Introduction  1
2 Mathematical Backgrounds  4
  2.1 Algebraic Backgrounds  4
    2.1.1 Group, Ring, and Field  4
    2.1.2 Imaginary Quadratic Field  8
    2.1.3 Homomorphism  14
    2.1.4 Modular Functions  15
  2.2 Elliptic Curves  15
    2.2.1 General Elliptic Curves  16
    2.2.2 Elliptic Curves over $\mathbb{F}_q$, $q > 3$  20
    2.2.3 Elliptic Curves over $\mathbb{C}$  24
3 Generate Elliptic Curves  31
  3.1 Subfield Curves  31
  3.2 Schoof's Algorithm and SEA Algorithm  34
    3.2.1 Schoof's Algorithm  34
    3.2.2 SEA Algorithm  37
  3.3 Complex Multiplication Method  45
4 Complex Multiplication for Elliptic Curve  52
  4.1 Outline of the Complex Multiplication Method  52
  4.2 Endomorphism Ring  55
  4.3 Ideal Class Group  64
  4.4 j-invariant  67
  4.5 Hilbert Polynomial  71
  4.6 Weber Polynomial  73
  4.7 Finding Roots of Polynomial over $\mathbb{F}_p$  75
  4.8 Twist Curves  78
5 Experimental Result  81
  5.1 Distribution of Computation Time  81
  5.2 Computation of Class Polynomial  83
    5.2.1 Class Number Distribution  84
    5.2.2 Precision of the Computation  84
    5.2.3 Computation Time  87
6 Conclusion & Future Work  90

List of Tables

1.1 NIST recommended key sizes  2
2.1 Properties related to the quadratic field $\mathbb{Q}(\sqrt{d})$  13
2.2 Properties related to an order in the quadratic field $\mathbb{Q}(\sqrt{d})$  13
3.4 Conditions proposed by Miyaji, Nakabayashi, and Takano  46
5.1 Number of class polynomials computed  83

List of Figures

2.1 Examples of elliptic curves over $\mathbb{R}$  17
2.2 Point addition (chord process)  18
2.3 Point doubling (tangent process)  19
2.4 Lattice $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$  24
2.5 Fundamental domain for $SL_2(\mathbb{Z})$  28
4.1 Square lattice $L = \mathbb{Z}\omega + \mathbb{Z}i\omega$  56
4.2 Examples of $\operatorname{End}_{\mathbb{C}}(E) = \{\beta \in \mathbb{C} \mid \beta L \subseteq L\}$  58
4.3 The illustration of the morphisms proved in Theorem 4.3 - (1)  59
4.4 The illustration of the morphisms proved in Theorem 4.3 - (2)  61
5.1 Proportion of computing time of each step  82
5.2 Computing time of Hilbert and Weber polynomial  85
  (a) Full scale  85
  (b) Scale to 0 – 1 second  85
5.3 Trend of the class number  86
5.4 Estimated and actual precision required  87
5.5 Computation time of Weber polynomial  88
5.6 Computation time of Weber polynomials - partitioned by precision  88
  (a) 1024 bits used  88
  (b) 2048 bits used  89
  (c) 4096 bits used  89

Chapter 1 Introduction

In 1985, Koblitz and Miller first proposed cryptosystems based on elliptic curves. The advantages of elliptic curve cryptography have drawn many researchers into the area. Since no subexponential attack (such as the index calculus attacks that apply to finite-field discrete logarithms) is known against the discrete logarithm problem on well-chosen elliptic curves, the key size of elliptic curve cryptosystems (ECCs) can be much shorter than that of the traditional cryptosystems based on the hardness of the discrete logarithm or factoring problems. Table 1.1 shows the key sizes recommended by NIST (National Institute of Standards and Technology). Nowadays more applications and systems apply elliptic curve cryptography as their security solution, and many related standards and protocols have been proposed: IEEE 1363, ANSI X9.62 and X9.63 are standards, while ECDSA, ECMQV and ECIES are protocols.

The points of an elliptic curve form an additive group, on which a variant of the discrete logarithm problem, the elliptic curve discrete logarithm problem (ECDLP), is defined. ECCs can be divided into two categories: those based on the hardness of the ECDLP and those based on bilinear pairings. The bilinear pairing defined on an elliptic curve makes the identity-based (ID-based) cryptosystem proposed by Shamir in 1984 feasible; the first ID-based encryption scheme, proposed by Boneh and Franklin, uses pairings defined over elliptic curves and finite fields.

Table 1.1: NIST recommended key sizes

  Symmetric key size (bits)   RSA and Diffie-Hellman key size (bits)   Elliptic curve key size (bits)
  80                          1024                                     160
  112                         2048                                     224
  128                         3072                                     256
  192                         7680                                     384
  256                         15360                                    521

To set up a cryptosystem, the parameters must be chosen carefully to satisfy the security requirements, and generating suitable elliptic curves is a crucial problem. The best known algorithm for generating the curves used in ECDLP-based ECCs is Schoof's algorithm and its improved version, the SEA algorithm: random curves are selected and their numbers of points are counted, repeatedly, until a curve satisfies the security properties. In a pairing-based cryptosystem the security requirements on the curve are different, and random selection with point counting is not practical, because a random curve almost never has the small embedding degree required. Elliptic curves suitable for pairing-based cryptosystems are called pairing-friendly curves, and complex multiplication is the only known way to generate them.

In this thesis we present a clear view of complex multiplication and implement the algorithm to show how it works. Observing that computation of the class polynomial takes most of the total computing time, we focus on this part and show our experimental results.

The rest of the thesis is organized as follows. In Chapter 2 we review the mathematical background: the algebraic background first, including the definitions of the algebraic structures and the properties of finite fields, followed by elliptic curve cryptography, introducing general elliptic curves and elliptic curves over finite fields. Because the theory of complex multiplication is closely tied to the complex plane, elliptic curves over the complex field are described in more detail. In Chapter 3 we use examples to introduce the known algorithms for generating elliptic curves: subfield curves, Schoof's algorithm and the SEA algorithm mentioned above, and complex multiplication; we also provide an example of generating a pairing-friendly elliptic curve. In Chapter 4 each step of the complex multiplication method is described in detail; besides pointing out the relevant theorems and properties, we also provide the algorithms that may be used in practice. In Chapter 5 the experimental results of our implementation of the class polynomial computation are presented. Finally, the conclusion is given in Chapter 6.

Chapter 2 Mathematical Backgrounds

Research on elliptic curve cryptography is closely related to algebra. In this chapter we review the mathematical background of this work in Section 2.1, and then introduce the definition of elliptic curves and their properties in Section 2.2.

2.1 Algebraic Backgrounds

In this section we introduce the elementary algebraic structures and the algebraic background of the material related to the complex multiplication method (CM method): imaginary quadratic fields, homomorphisms, and modular functions.

2.1.1 Group, Ring, and Field

Elliptic curve cryptosystems are mainly based on the hardness of the elliptic curve discrete logarithm problem. Since the points of an elliptic curve over a finite field form a group, we first introduce the elementary algebraic structures and some related propositions and theorems.

Definition 2.1 (Group). A group $G$ is a set with a composition law $\cdot$ satisfying the following conditions:
• $\cdot$ is associative, i.e. for all $x, y, z \in G$, $(xy)z = x(yz)$.
• $\cdot$ has an identity element $e$, i.e. for all $x \in G$, $xe = ex = x$.
• For all $x \in G$ there exists an element $y \in G$ such that $xy = yx = e$; $y$ is called the inverse of $x$, usually denoted $y = x^{-1}$.
If the composition law is commutative, the group is said to be commutative or abelian. The cardinality of a group is also called its order, denoted $|G|$; a group is finite if its order is finite.

Definition 2.2 (Subgroup). Let $G$ be a group. A group $H$ is a subgroup of $G$ if
• $H$ is a subset of $G$,
• $e \in H$, where $e$ is the identity of $G$,
• for all $x, y \in H$, $xy \in H$,
• if $x \in H$, then $x^{-1} \in H$.
For $x \in G$, denote by $\langle x \rangle = \{x^n \mid n \in \mathbb{Z}\}$ the subgroup of $G$ generated by $x$.

Definition 2.3. A group $G$ is said to be cyclic if there is an element $x \in G$ such that $\langle x \rangle = G$. If such an element exists, it is called a generator of $G$.

Theorem 2.4 (Lagrange). Let $G$ be a finite group and $H$ a subgroup of $G$. Then $|H|$ divides $|G|$. As a result, the order of every element also divides $|G|$.

Definition 2.5 (Ring). A ring $R$ is a set together with two composition laws $+$ and $\cdot$ such that
• $R$ is a commutative group with respect to $+$;
• $\cdot$ is associative and has an identity element $e_\cdot$, with $e_\cdot \neq e_+$, where $e_+$ is the identity of $+$;
• $\cdot$ is distributive over $+$, i.e. for all $x, y, z \in R$, $x(y + z) = xy + xz$ and $(y + z)x = yx + zx$.
The ring $R$ is commutative if the law $\cdot$ is commutative. A commutative ring $R$ such that $xy = 0$ implies $x = 0$ or $y = 0$ for all $x, y \in R$ is called an integral domain.

Definition 2.6. Let $R$ be a ring. An ideal $I$ of $R$ is a nonempty subset of $R$ such that
• $I$ is a subgroup of $R$ with respect to $+$;
• for all $x \in R$ and $y \in I$, $xy \in I$ and $yx \in I$.

Remark 2.7. In a commutative ring $R$ of prime characteristic $p$, the binomial formula simplifies to
$$(\alpha + \beta)^{p^n} = \alpha^{p^n} + \beta^{p^n}, \qquad \alpha, \beta \in R,\ n \in \mathbb{N}.$$

Theorem 2.8 (Fermat's little theorem). Let $p$ be a prime, $x \in \mathbb{N}$ and $\gcd(x, p) = 1$. Then $x^{p-1} \equiv 1 \pmod p$.

Definition 2.9 (Euler totient function). Let $n \geq 1$ and define the Euler totient function (Euler's phi function) as
$$\varphi(n) = |\{x \mid 1 \leq x \leq n,\ \gcd(x, n) = 1\}|.$$

Theorem 2.10 (Euler). Let $n, x$ be integers with $\gcd(x, n) = 1$. Then $x^{\varphi(n)} \equiv 1 \pmod n$.

Definition 2.11. Let $R$ be a ring. An element $x$ is said to be invertible if there exists a unique element $y$ such that $xy = yx = e_\cdot = 1$, denoted $y = x^{-1}$. The set of all invertible elements of $R$ forms a group under multiplication, denoted $R^\times$.

Definition 2.12 (Field). A field $K$ is a commutative ring in which every nonzero element is invertible.

Definition 2.13 (Extension field). Let $K$ and $L$ be fields. If there exists a field homomorphism from $K$ into $L$, then $L$ is an extension field of $K$, denoted $L/K$.

Definition 2.14 (Number field). A number field $K$ is an algebraic extension of $\mathbb{Q}$ of finite degree. An element of $K$ is called an algebraic number.

2.1.2 Imaginary Quadratic Field

Definition 2.15 (Quadratic field). A quadratic field is a number field $K$ of degree 2 over $\mathbb{Q}$. A quadratic field $\mathbb{Q}(\sqrt{d})$ is said to be real if $d$ is positive and imaginary if $d$ is negative.

Proposition 2.16. The quadratic fields are precisely those of the form $\mathbb{Q}(\sqrt{d})$ for $d$ a squarefree rational integer.

Proof. Write the quadratic field $K$ as $\mathbb{Q}(\theta)$, where $\theta$ can be taken to be an algebraic integer; then $\theta$ is a zero of $x^2 + ax + b$ with $a, b \in \mathbb{Z}$. Thus
$$\theta = \frac{-a \pm \sqrt{a^2 - 4b}}{2}.$$
Let $a^2 - 4b = r^2 d$ for some $r, d \in \mathbb{Z}$ with $d$ squarefree. Then
$$\theta = \frac{-a \pm r\sqrt{d}}{2},$$
and so $\mathbb{Q}(\theta) = \mathbb{Q}(\sqrt{d})$. $\square$

Definition 2.17 (Algebraic integer). Let $K/\mathbb{Q}$ be a number field. An algebraic number $\alpha$ is called integral over $\mathbb{Z}$, or an algebraic integer, if $\alpha$ is a zero of a monic polynomial with coefficients in $\mathbb{Z}$. The set of all algebraic integers of $K$, under the addition and multiplication of $K$, is a ring, called the ring of integers of $K$ and denoted $\mathcal{O}_K$.

Theorem 2.18. Let $d$ be a squarefree rational integer. Then the integers of $\mathbb{Q}(\sqrt{d})$ are:

(1) $\mathbb{Z}[\sqrt{d}]$ if $d \not\equiv 1 \pmod 4$,
(2) $\mathbb{Z}[\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}]$ if $d \equiv 1 \pmod 4$.

Proof. Any element $\alpha \in \mathbb{Q}(\sqrt{d})$ can be expressed as $\alpha = r + s\sqrt{d}$ for some $r, s \in \mathbb{Q}$, so we can write
$$\alpha = \frac{a + b\sqrt{d}}{c}, \qquad a, b, c \in \mathbb{Z},\ c > 0,$$
with no prime dividing all of $a, b, c$. By Definition 2.17, $\alpha$ is an algebraic integer if and only if the minimal polynomial of $\alpha$,
$$\Bigl(t - \frac{a + b\sqrt{d}}{c}\Bigr)\Bigl(t - \frac{a - b\sqrt{d}}{c}\Bigr) = t^2 - \frac{2a}{c}\,t + \frac{a^2 - b^2 d}{c^2},$$
has all its coefficients in $\mathbb{Z}$. Thus
$$\frac{2a}{c} \in \mathbb{Z}, \tag{2.1}$$
$$\frac{a^2 - b^2 d}{c^2} \in \mathbb{Z}. \tag{2.2}$$
Suppose a prime $p$ divides $\gcd(a, c)$. Then $p^2$ divides both $c^2$ and $a^2$, so by Equation 2.2 $p^2$ divides $b^2 d$, and since $d$ is squarefree $p$ divides $b$. That contradicts the assumption that no prime divides all of $a, b, c$. Hence $\gcd(a, c) = 1$, and Equation 2.1 gives $c \mid 2$, i.e. $c = 1$ or $c = 2$. If $c = 1$, then $\alpha$ is an algebraic integer in any case.

If $c = 2$, then $a$ is odd because $\gcd(a, c) = 1$, and $b$ is odd as well (if $b$ were even, Equation 2.2 would force $4 \mid a^2$). Since the square of an odd integer $2k + 1$ is $4k^2 + 4k + 1 \equiv 1 \pmod 4$, Equation 2.2 gives
$$\frac{a^2 - b^2 d}{c^2} = \frac{a^2 - b^2 d}{4} \in \mathbb{Z} \implies a^2 - b^2 d \equiv 0 \pmod 4,$$
which with $a^2 \equiv b^2 \equiv 1 \pmod 4$ implies $d \equiv 1 \pmod 4$. Conversely, if $d \equiv 1 \pmod 4$, then for odd $a$ and $b$ the element $\alpha$ is still an algebraic integer, because Equations 2.1 and 2.2 hold.

So we have proved:
(1) If $d \not\equiv 1 \pmod 4$, then $c = 1$. Hence the integers of $\mathbb{Q}(\sqrt{d})$ are $\mathbb{Z}[\sqrt{d}]$.
(2) If $d \equiv 1 \pmod 4$, we can have $c = 2$ with $a, b$ odd and $\alpha$ still an algebraic integer. Hence the integers of $\mathbb{Q}(\sqrt{d})$ are $\mathbb{Z}[\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}]$. $\square$

Definition 2.19 (Integral bases). If $\mathcal{O}_K$ is the ring of integers of an algebraic number field $K$, then a basis for $\mathcal{O}_K$ over $\mathbb{Z}$, or simply a $\mathbb{Z}$-basis, is called an integral basis for $K$.

Definition 2.20 (Discriminant of a basis). Let $K = \mathbb{Q}(\alpha)$ be an algebraic number field of degree $d$ over $\mathbb{Q}$. If $B = \{\alpha_1, \alpha_2, \ldots, \alpha_d\}$ is a $\mathbb{Q}$-basis for $K$ and $\sigma_i$ ($1 \leq i \leq d$) are all the embeddings of $K$ in $\mathbb{C}$, then the discriminant of the basis is
$$\operatorname{disc}(B) = \det(\sigma_i(\alpha_j))^2,$$
where $\det$ denotes the determinant of the matrix with entry $\sigma_i(\alpha_j)$ in the $i$th row and $j$th column.

Note: an embedding of $K$ in $\mathbb{C}$ is a ring homomorphism $K \to \mathbb{C}$.

Example 2.21. Let $B = \{1, \sqrt{2}\}$ be an integral basis for $K = \mathbb{Q}(\sqrt{2})$, and let $\sigma_1 : \sqrt{2} \mapsto \sqrt{2}$ and $\sigma_2 : \sqrt{2} \mapsto -\sqrt{2}$ be the embeddings of $K$ in $\mathbb{C}$. Then
$$\operatorname{disc}(B) = \det(\sigma_i(\alpha_j))^2 = \det\begin{pmatrix} \sigma_1(1) & \sigma_1(\sqrt{2}) \\ \sigma_2(1) & \sigma_2(\sqrt{2}) \end{pmatrix}^2 = \det\begin{pmatrix} 1 & \sqrt{2} \\ 1 & -\sqrt{2} \end{pmatrix}^2 = (-2\sqrt{2})^2 = 8.$$

Lemma 2.22. Let $B_1$ and $B_2$ be two integral bases for an algebraic number field $K$. Then $\operatorname{disc}(B_1) = \operatorname{disc}(B_2)$.

Definition 2.23. Let $B$ be an integral basis for an algebraic number field $K$. Then the discriminant of $K$ is $\operatorname{disc}(B)$, denoted $\Delta_K$.

Theorem 2.24. Let $d \neq 1$ be a squarefree integer and set $K = \mathbb{Q}(\sqrt{d})$, with discriminant $\Delta_K$. Then
$$B = \begin{cases} \{1, \tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}\} & \text{if } d \equiv 1 \pmod 4, \\ \{1, \sqrt{d}\} & \text{if } d \not\equiv 1 \pmod 4, \end{cases}
\qquad
\Delta_K = \begin{cases} d & \text{if } d \equiv 1 \pmod 4, \\ 4d & \text{if } d \not\equiv 1 \pmod 4, \end{cases}$$
where $d$ is called the radicand of $K$.

Proof. By Theorem 2.18, the assertions regarding the bases are clear. For the discriminant of the field we compute $\Delta_K$ in both cases:

(1) If $d \equiv 1 \pmod 4$,
$$\Delta_K = \operatorname{disc}(B) = \det\begin{pmatrix} 1 & \tfrac{1}{2} + \tfrac{1}{2}\sqrt{d} \\ 1 & \tfrac{1}{2} - \tfrac{1}{2}\sqrt{d} \end{pmatrix}^2 = (-\sqrt{d})^2 = d.$$
(2) If $d \not\equiv 1 \pmod 4$,
$$\Delta_K = \operatorname{disc}(B) = \det\begin{pmatrix} 1 & \sqrt{d} \\ 1 & -\sqrt{d} \end{pmatrix}^2 = (-2\sqrt{d})^2 = 4d. \qquad \square$$

An order in an imaginary quadratic field is a ring $R$ such that $\mathbb{Z} \subset R \subseteq \mathcal{O}_K$ and $\mathbb{Z} \neq R$. Therefore an order has the form
$$R = \mathbb{Z} + \mathbb{Z} f\delta, \qquad \text{where } f > 0,\quad \delta = \begin{cases} \tfrac{1}{2} + \tfrac{1}{2}\sqrt{d} & \text{if } d \equiv 1 \pmod 4, \\ \sqrt{d} & \text{if } d \not\equiv 1 \pmod 4. \end{cases}$$
The integer $f$ is called the conductor of $R$ and is the index of $R$ in $\mathcal{O}_K$. As a result, a basis of an order $R$ in an imaginary quadratic field can be taken as $B_R = \{1, f\delta\}$. Using the same notion of discriminant as for a number field, we obtain the discriminant of the order:
(1) If $d \equiv 1 \pmod 4$,
$$\Delta_R = \operatorname{disc}(B_R) = \det\begin{pmatrix} 1 & f\bigl(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}\bigr) \\ 1 & f\bigl(\tfrac{1}{2} - \tfrac{1}{2}\sqrt{d}\bigr) \end{pmatrix}^2 = (-f\sqrt{d})^2 = f^2 d.$$
(2) If $d \not\equiv 1 \pmod 4$,
$$\Delta_R = \operatorname{disc}(B_R) = \det\begin{pmatrix} 1 & f\sqrt{d} \\ 1 & -f\sqrt{d} \end{pmatrix}^2 = (-2f\sqrt{d})^2 = 4f^2 d.$$

We summarize the results related to a quadratic field $\mathbb{Q}(\sqrt{d})$, for $d \neq 0, 1$ a squarefree integer, in Table 2.1, and the results for an order $R$ of index $f$ in $K = \mathbb{Q}(\sqrt{d})$ in Table 2.2.

Table 2.1: Properties related to the quadratic field $\mathbb{Q}(\sqrt{d})$

  Case                        Integer ring $\mathcal{O}_K$                         Integral basis $B$                              Discriminant $\Delta_K$
  $d \equiv 1 \pmod 4$        $\mathbb{Z}[\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}]$     $\{1, \tfrac{1}{2} + \tfrac{1}{2}\sqrt{d}\}$     $d$
  $d \not\equiv 1 \pmod 4$    $\mathbb{Z}[\sqrt{d}]$                                $\{1, \sqrt{d}\}$                                $4d$

Table 2.2: Properties related to an order in the quadratic field $\mathbb{Q}(\sqrt{d})$

  Case                        Order $R$ of index $f$                                              Basis $B_R$                                         Discriminant $\Delta_R$
  $d \equiv 1 \pmod 4$        $\mathbb{Z} + \mathbb{Z} f(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d})$     $\{1, f(\tfrac{1}{2} + \tfrac{1}{2}\sqrt{d})\}$     $f^2 d$
  $d \not\equiv 1 \pmod 4$    $\mathbb{Z} + \mathbb{Z} f\sqrt{d}$                                 $\{1, f\sqrt{d}\}$                                  $4f^2 d$
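The computations of Definition 2.20, Example 2.21, Theorem 2.24 and Table 2.2 can be checked mechanically. The following Python code is an added example (it is not part of the thesis): it implements exact arithmetic in $\mathbb{Q}(\sqrt{d})$ with rational coefficients, evaluates $\operatorname{disc}(B) = \det(\sigma_i(\alpha_j))^2$ literally from the two embeddings $\sigma_1 = \mathrm{id}$ and $\sigma_2 : \sqrt{d} \mapsto -\sqrt{d}$, and tests integrality through the minimal-polynomial criterion used in the proof of Theorem 2.18. The class and function names are mine; `is_squarefree` uses trial division and is only meant for small radicands.

```python
from fractions import Fraction


def is_squarefree(d):
    """True if d != 0 and no prime square divides |d| (trial division, fine for small d)."""
    n = abs(d)
    if n == 0:
        return False
    k = 2
    while k * k <= n:
        if n % (k * k) == 0:
            return False
        k += 1
    return True


class QuadElt:
    """Element a + b*sqrt(d) of Q(sqrt(d)); a and b are kept as exact rationals."""

    def __init__(self, d, a, b=0):
        self.d, self.a, self.b = d, Fraction(a), Fraction(b)

    def __add__(self, o):
        return QuadElt(self.d, self.a + o.a, self.b + o.b)

    def __sub__(self, o):
        return QuadElt(self.d, self.a - o.a, self.b - o.b)

    def __mul__(self, o):
        # (a + b r)(c + e r) = (ac + be d) + (ae + bc) r, using r^2 = d
        return QuadElt(self.d, self.a * o.a + self.b * o.b * self.d,
                       self.a * o.b + self.b * o.a)

    def conj(self):
        """The second embedding sigma_2: sqrt(d) -> -sqrt(d) (sigma_1 is the identity)."""
        return QuadElt(self.d, self.a, -self.b)

    def is_algebraic_integer(self):
        """Definition 2.17 via the proof of Theorem 2.18: integral iff the minimal
        polynomial t^2 - (2a) t + (a^2 - b^2 d) has integer coefficients."""
        trace = 2 * self.a
        norm = self.a * self.a - self.b * self.b * self.d
        return trace.denominator == 1 and norm.denominator == 1


def disc_of_basis(alpha1, alpha2):
    """Definition 2.20 in degree 2: disc(B) = det(sigma_i(alpha_j))^2, computed exactly."""
    det = alpha1 * alpha2.conj() - alpha2 * alpha1.conj()   # sigma_1(a1) sigma_2(a2) - sigma_1(a2) sigma_2(a1)
    sq = det * det
    if sq.b != 0:                   # cannot happen: the squared determinant is rational
        raise ArithmeticError("discriminant is not rational")
    return sq.a


def integral_basis(d):
    """Theorems 2.18 / 2.24: the Z-basis {1, delta} of the ring of integers of Q(sqrt d)."""
    if d == 1 or not is_squarefree(d):
        raise ValueError("d must be squarefree and different from 1")
    if d % 4 == 1:                                          # Python's % is non-negative: -3 % 4 == 1
        delta = QuadElt(d, Fraction(1, 2), Fraction(1, 2))  # (1 + sqrt d) / 2
    else:
        delta = QuadElt(d, 0, 1)                            # sqrt d
    return QuadElt(d, 1), delta


def field_discriminant(d):
    """Delta_K of Theorem 2.24: d if d = 1 (mod 4), else 4d."""
    return disc_of_basis(*integral_basis(d))


def order_discriminant(d, f):
    """Delta_R of Table 2.2 for the order Z + Z f delta of conductor f, i.e. f^2 Delta_K."""
    one, delta = integral_basis(d)
    return disc_of_basis(one, QuadElt(d, f) * delta)
```

The discriminant is never read off a formula here; it is always the squared determinant of the embedding matrix, so the functions reproduce the two cases of Theorem 2.24 and the $f^2$ factor for orders as consequences rather than as hard-coded rules.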

2.1.3 Homomorphism

Definition 2.25 (Group homomorphism). Let $G_1$ and $G_2$ be two groups with respective composition laws $\star$ and $\otimes$ and identities $e_1$ and $e_2$.
• A group homomorphism $\psi$ between $G_1$ and $G_2$ is a map from $G_1$ to $G_2$ such that for all $x, y \in G_1$, $\psi(x \star y) = \psi(x) \otimes \psi(y)$.
• The kernel of $\psi$ is $\operatorname{Ker}(\psi) = \{x \in G_1 \mid \psi(x) = e_2\}$.

Definition 2.26 (Ring homomorphism). Let $R_1$ and $R_2$ be two rings with respective operations $+, \cdot$ and $\oplus, \otimes$. A ring homomorphism $\psi$ is a map from $R_1$ to $R_2$ such that for all $x, y \in R_1$
• $\psi(x + y) = \psi(x) \oplus \psi(y)$,
• $\psi(x \cdot y) = \psi(x) \otimes \psi(y)$,
• $\psi(e_\cdot) = e_\otimes$.

Definition 2.27 (Field homomorphism). Let $K$ and $L$ be fields. A homomorphism of fields is a ring homomorphism between $K$ and $L$.

Definition 2.28. Let $R$ be a ring and let $\psi$ be the natural ring homomorphism from $\mathbb{Z}$ to $R$,
$$\psi(n) = \begin{cases} \underbrace{1 + \cdots + 1}_{n \text{ times}} & \text{if } n \geq 0, \\[1ex] -(\underbrace{1 + \cdots + 1}_{|n| \text{ times}}) & \text{otherwise.} \end{cases}$$

Definition 2.29 (Characteristic). Let $R$ be a ring and $\psi$ the natural ring homomorphism defined above. The kernel of $\psi$ is of the form $m\mathbb{Z}$ for some nonnegative integer $m$. This nonnegative integer $m$ is called the characteristic of $R$, denoted $\operatorname{char}(R)$.

2.1.4 Modular Functions

Definition 2.30. Let $N$ be a positive integer. The modular group $\Gamma_0(N)$ is defined as
$$\Gamma_0(N) =  \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z}) : c \equiv 0 \pmod N \right\}.$$
Here $SL_n(F)$, or $SL(n, F)$, the special linear group of degree $n$ over a field $F$, is the set of $n \times n$ matrices with determinant 1, with ordinary matrix multiplication and matrix inversion as the group operations.

Definition 2.31 (Modular function). A complex function $f$ which is meromorphic on the upper half plane
$$\mathbb{H} = \{\tau \in \mathbb{C} \mid \operatorname{Im}(\tau) > 0\}$$
and which satisfies $f(\tau) = f(M\tau)$ for all $M \in \Gamma_0(N)$, where $M\tau = \dfrac{a\tau + b}{c\tau + d}$ for $M = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ (and which is also meromorphic at the cusps), is called a modular function for $\Gamma_0(N)$.

2.2 Elliptic Curves

Here we introduce the definitions of elliptic curves and illustrate some of their properties.

2.2.1 General Elliptic Curves

We give the general definitions of elliptic curves in this section, and focus on elliptic curves over finite fields and over the complex field $\mathbb{C}$ in Sections 2.2.2 and 2.2.3.

Definition 2.32. An elliptic curve $E$ defined over a field $K$, denoted $E/K$, is given by the Weierstrass equation
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \tag{2.3}$$
where $a_1, a_2, a_3, a_4, a_6 \in K$. The set of $K$-rational points of the elliptic curve, $E(K)$, is the set of solutions of the curve equation in $K^2$ together with the point at infinity $\infty$:
$$E(K) = \{(x, y) \mid y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,\ x, y \in K\} \cup \{\infty\}.$$

Figure 2.1 shows some examples of elliptic curves defined over $\mathbb{R}$. For a curve given by Equation 2.3, define the following constants, which are used in later definitions:
$$b_2 = a_1^2 + 4a_2, \qquad b_4 = a_1 a_3 + 2a_4, \qquad b_6 = a_3^2 + 4a_6,$$
$$b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
$$c_4 = b_2^2 - 24 b_4, \qquad c_6 = -b_2^3 + 36 b_2 b_4 - 216 b_6.$$

Definition 2.33 (Discriminant). The discriminant of the curve is
$$\Delta = -b_2^2 b_8 - 8 b_4^3 - 27 b_6^2 + 9 b_2 b_4 b_6.$$

Figure 2.1: Examples of elliptic curves over $\mathbb{R}$ (the plotted curves include $y^2 = x^3 - 1$, $y^2 = x^3 + 1$ and $y^2 = x^3$).

If the characteristic of $K$ satisfies $\operatorname{char}(K) \neq 2, 3$, the discriminant can be expressed as
$$\Delta = \frac{c_4^3 - c_6^2}{1728}.$$
Having defined the discriminant, we say a curve is non-singular if and only if $\Delta \neq 0$.

Definition 2.34 (j-invariant). For a non-singular curve, i.e. $\Delta \neq 0$, define the j-invariant of the curve as
$$j(E) = \frac{c_4^3}{\Delta}.$$

In the following we focus on the properties of the $K$-rational points.

Definition 2.35 (Group law). Define the addition and doubling of points as follows.

Addition: Given two distinct $K$-rational points $P, Q$ of $E$, the straight line joining $P$ and $Q$ meets the curve $E$ in exactly one further point, say $R'$. Reflecting $R'$ in the x-axis, we obtain the point $R$, and we define $R = P + Q$.

Figure 2.2: Point addition (chord process).

Doubling: Given a rational point $P$ on $E$, define the doubling of $P$, i.e. the addition of $P$ to itself, as follows. Take the tangent to the curve $E$ at $P$; the line meets the curve in one other point, say $R'$. Reflecting $R'$ in the x-axis gives the point $R$, and the doubling of $P$ is defined by $R = P + P = 2P$. If the tangent at $P$ is vertical, we say that it meets the curve at the point at infinity, and define $P + P = 2P = \infty$.

The process of addition and doubling is often called the chord-tangent process. Figure 2.2 illustrates addition and Figure 2.3 doubling. With the group law defined above, it can be shown that the set of rational points of $E$, including the point at infinity $\infty$, forms an additive abelian group with $\infty$ as the zero element.

Lemma 2.36. Let $E$ be an elliptic curve given by
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$
and let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on the curve. Then
$$-P_1 = (x_1, -y_1 - a_1 x_1 - a_3).$$

Figure 2.3: Point doubling (tangent process).

Set
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } x_1 \neq x_2, \\[2ex] \dfrac{3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1}{2y_1 + a_1 x_1 + a_3} & \text{if } x_1 = x_2 \text{ and } P_2 = P_1, \end{cases}
\qquad
\mu = \begin{cases} \dfrac{y_1 x_2 - y_2 x_1}{x_2 - x_1} & \text{if } x_1 \neq x_2, \\[2ex] \dfrac{-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1}{2y_1 + a_1 x_1 + a_3} & \text{if } x_1 = x_2 \text{ and } P_2 = P_1. \end{cases}$$
If $P_3 = (x_3, y_3) = P_1 + P_2 \neq \infty$, then
$$x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2, \qquad y_3 = -(\lambda + a_1) x_3 - \mu - a_3.$$

Definition 2.37 (Multiplication-by-m map). For a positive integer $m$, let $mP$ denote the map that takes a point $P$ to $P + P + \cdots + P$ ($m$ summands). The notation $mP$ is extended to $m \leq 0$ by defining $0P = \infty$ and $mP = -(-mP)$.

2.2.2 Elliptic Curves over $\mathbb{F}_q$, $q > 3$

After introducing general elliptic curves in Section 2.2.1, we now focus on elliptic curves defined over the finite field $\mathbb{F}_q$ for $q > 3$. Recall the general Weierstrass equation
$$E : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$$
If the characteristic of the field is not 2, completing the square on the left-hand side gives
$$\Bigl(y + \frac{a_1 x}{2} + \frac{a_3}{2}\Bigr)^2 = x^3 + \Bigl(a_2 + \frac{a_1^2}{4}\Bigr)x^2 + \Bigl(a_4 + \frac{a_1 a_3}{2}\Bigr)x + \Bigl(a_6 + \frac{a_3^2}{4}\Bigr),$$
that is, $y'^2 = x^3 + a_2' x^2 + a_4' x + a_6'$ with
$$y' = y + \frac{a_1 x}{2} + \frac{a_3}{2}, \qquad a_2' = a_2 + \frac{a_1^2}{4}, \quad a_4' = a_4 + \frac{a_1 a_3}{2}, \quad a_6' = a_6 + \frac{a_3^2}{4}.$$
If the characteristic is also not 3, the substitution $x' = x + a_2'/3$ removes the $x^2$ term and yields
$$y'^2 = x'^3 + A x' + B$$
for some constants $A, B$. In the following, since the elliptic curves we are interested in are defined over fields of characteristic neither 2 nor 3, we use this simplified equation instead of the general Weierstrass equation, and restate the related definitions and the group law for the curve
$$E : y^2 = x^3 + Ax + B.$$

Definition 2.38. The discriminant of the curve reduces to
$$\Delta = -16(4A^3 + 27B^2).$$

Definition 2.39. For a non-singular curve, i.e. $\Delta \neq 0$, the j-invariant reduces to
$$j(E) = -1728\,\frac{(4A)^3}{\Delta} = 1728 \cdot \frac{4A^3}{4A^3 + 27B^2}.$$
Conversely, for $j \neq 0, 1728$, $j$ is the j-invariant of the elliptic curve
$$y^2 = x^3 + \frac{3j}{1728 - j}\,x + \frac{2j}{1728 - j}.$$
Therefore we can construct an elliptic curve with a prescribed j-invariant. This is essential in the construction of elliptic curves by the complex multiplication method.

Lemma 2.40. Let $E$ be an elliptic curve defined over $K$. Assume the characteristic of $K$ is prime to 6 and $E$ is given by the simplified Weierstrass equation $E : y^2 = x^3 + Ax + B$. The j-invariant $j_E$ depends only on the isomorphism class of $E$.
• $j_E = 0$ if and only if $A = 0$.
• $j_E = 1728$ if and only if $B = 0$.
• If $j_E \in K$ is not equal to $0$ or $1728$, then $E$ is a quadratic twist of the elliptic curve
$$\tilde{E}_{j_E} : y^2 = x^3 + \frac{3j_E}{1728 - j_E}\,x + \frac{2j_E}{1728 - j_E}.$$

Corollary 2.41. Assume $\gcd(\operatorname{char}(K), 6) = 1$. The isomorphism classes of elliptic curves $E$ over $K$ are, up to twists, uniquely determined by the absolute invariant $j_E$, and for every $j \in K$ there exists an elliptic curve with absolute invariant $j$. If $K$ is algebraically closed, then the isomorphism classes of elliptic curves over $K$ correspond one-to-one to the elements of $K$ via the map $E \mapsto j_E$.

Definition 2.42. Let $E$ be an elliptic curve given by $E : y^2 = x^3 + Ax + B$ and let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$ be points on $E$ with $P_1, P_2 \neq \infty$. Then $-P_1 = (x_1, -y_1)$. Set
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } x_1 \neq x_2, \\[2ex] \dfrac{3x_1^2 + A}{2y_1} & \text{if } x_1 = x_2 \text{ and } y_1 \neq 0. \end{cases}$$
If $P_3 = (x_3, y_3) = P_1 + P_2 \neq \infty$, then
$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = (x_1 - x_3)\lambda - y_1.$$

The number of rational points on an elliptic curve $E$ defined over a finite field $\mathbb{F}_q$ is finite; we usually denote this quantity by $\#E(\mathbb{F}_q)$.

Theorem 2.43 (Hasse). Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. Then
$$\#E(\mathbb{F}_q) = q + 1 - t \quad \text{with} \quad |t| \leq 2\sqrt{q}.$$

Remark 2.44. The integer $t$ is equal to the trace of the Frobenius endomorphism. For any integer $t \in [-2\sqrt{p}, 2\sqrt{p}]$ there is at least one elliptic curve $E$ defined over $\mathbb{F}_p$ such that $\#E(\mathbb{F}_p) = p + 1 - t$.

Now we introduce the Frobenius endomorphism.

Definition 2.45 (Frobenius endomorphism). The Frobenius endomorphism $\phi_q$ of an elliptic curve $E$ over $\mathbb{F}_q$ is the group endomorphism of $E(\overline{\mathbb{F}}_q)$ defined by
$$\phi_q : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q), \qquad (x, y) \mapsto (x^q, y^q), \quad \infty \mapsto \infty.$$
The characteristic polynomial of $\phi_q$ is $\phi_q^2 - t\phi_q + q$.

Proposition 2.46. The endomorphism $\phi_q^2 - t\phi_q + q$ is the zero map on $E$. That is, for any point $(x, y) \in E(\overline{\mathbb{F}}_q)$,
$$\phi_q^2(x, y) - t\,\phi_q(x, y) + q\,(x, y) = (x^{q^2}, y^{q^2}) - t\,(x^q, y^q) + q\,(x, y) = \infty.$$

Theorem 2.47. For the Frobenius endomorphism $\phi_q$ of an elliptic curve $E$ over $\mathbb{F}_q$, the Frobenius trace $t$ is the unique integer such that $\phi_q^2 - t\phi_q + q = 0$, i.e. such that this endomorphism is the zero map.
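Everything in Section 2.2.2 can be exercised on a toy prime field. The Python code below is an added example written for this page, not code from the thesis: it implements the group law of Definition 2.42 with double-and-add (Definition 2.37), counts points by exhaustive search to obtain the Frobenius trace $t = p + 1 - \#E(\mathbb{F}_p)$ of Theorem 2.43, builds a curve with a prescribed j-invariant as in Definition 2.39, converts a general Weierstrass equation (2.3) to short form by the substitutions of Section 2.2.2, and checks Proposition 2.46 on the $\mathbb{F}_p$-rational points, where $\phi_p$ acts as the identity and the characteristic polynomial collapses to multiplication by $\#E(\mathbb{F}_p)$. The names `Curve`, `curve_from_j`, `short_weierstrass` and `frobenius_check` are my own; `p > 3` is assumed throughout, as in the thesis, and the exhaustive point count is only usable for small $p$.

```python
INF = None   # the point at infinity


class Curve:
    """y^2 = x^3 + A x + B over the prime field F_p, p > 3 (assumed, as in Section 2.2.2)."""

    def __init__(self, p, A, B):
        self.p, self.A, self.B = p, A % p, B % p
        if self.discriminant() == 0:
            raise ValueError("singular curve: 4A^3 + 27B^2 = 0 mod p")

    def discriminant(self):                       # Definition 2.38
        return (-16 * (4 * self.A ** 3 + 27 * self.B ** 2)) % self.p

    def j_invariant(self):                        # Definition 2.39
        den = (4 * self.A ** 3 + 27 * self.B ** 2) % self.p
        return 1728 * 4 * self.A ** 3 * pow(den, -1, self.p) % self.p

    def on_curve(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P):
        return INF if P is INF else (P[0], -P[1] % self.p)

    def add(self, P, Q):                          # Definition 2.42 (chord-tangent law)
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:       # Q = -P, including doubling a point with y = 0
            return INF
        if x1 == x2:
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p   # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p               # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k, P):                          # Definition 2.37 by double-and-add, k >= 0
        R = INF
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def points(self):
        """All F_p-rational points by exhaustive search: O(p) work, toy sizes only."""
        roots = {}
        for y in range(self.p):
            roots.setdefault(y * y % self.p, []).append(y)
        pts = [INF]
        for x in range(self.p):
            pts.extend((x, y) for y in roots.get((x ** 3 + self.A * x + self.B) % self.p, []))
        return pts

    def frobenius_trace(self):
        """t = p + 1 - #E(F_p); Theorem 2.43 guarantees |t| <= 2 sqrt(p)."""
        return self.p + 1 - len(self.points())


def curve_from_j(p, j):
    """Definition 2.39 / Lemma 2.40: a curve over F_p with j-invariant j, for j != 0, 1728 mod p."""
    k = j * pow((1728 - j) % p, -1, p) % p
    return Curve(p, 3 * k, 2 * k)


def general_j_invariant(p, a1, a2, a3, a4, a6):
    """j = c4^3 / Delta for the general Weierstrass equation (2.3), Definitions 2.33 and 2.34."""
    b2, b4, b6 = a1 * a1 + 4 * a2, a1 * a3 + 2 * a4, a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    c4 = b2 * b2 - 24 * b4
    delta = (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p
    return c4 ** 3 * pow(delta, -1, p) % p


def short_weierstrass(p, a1, a2, a3, a4, a6):
    """Section 2.2.2: complete the square (y' = y + a1 x/2 + a3/2), then shift x' = x + a2'/3."""
    inv2, inv3 = pow(2, -1, p), pow(3, -1, p)
    a2p = (a2 + a1 * a1 * inv2 * inv2) % p
    a4p = (a4 + a1 * a3 * inv2) % p
    a6p = (a6 + a3 * a3 * inv2 * inv2) % p
    s = a2p * inv3 % p                            # substitute x = x' - s to kill the x^2 term
    return Curve(p, a4p - 3 * s * s, a6p - a4p * s + 2 * s ** 3)


def frobenius_check(E):
    """Proposition 2.46 on F_p-rational points: phi_p fixes them, so (phi_p^2 - t phi_p + p)(P)
    equals (p + 1 - t) P = #E(F_p) P, which must be the zero point for every P."""
    pts = E.points()
    return all(E.mul(len(pts), P) is INF for P in pts)
```

The j-invariant of `short_weierstrass(...)` agrees with `general_j_invariant(...)` for the same coefficients, which is the practical check that the change of variables preserved the isomorphism class (Lemma 2.40); and `frobenius_check` is exactly the Lagrange-theorem consequence (Theorem 2.4) that every rational point is killed by the group order.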

Figure 2.4: Lattice $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$.

2.2.3 Elliptic Curves over $\mathbb{C}$

An elliptic curve defined over the complex numbers $\mathbb{C}$ is isomorphic to a complex torus, denoted $\mathbb{C}/L$. In this section we introduce this isomorphism and its properties. Let $\omega_1, \omega_2$ be complex numbers that are linearly independent over $\mathbb{R}$. A lattice $L$ is of the form
$$L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2 = \{n_1 \omega_1 + n_2 \omega_2 \mid n_1, n_2 \in \mathbb{Z}\}.$$
Figure 2.4 gives an illustration of a lattice. A torus over $\mathbb{C}$ can be expressed as $\mathbb{C}/L$.

Definition 2.48. An elliptic function with periods $\{\omega_1, \omega_2\}$ is a meromorphic function $f(x)$ on $\mathbb{C}$ such that
$$f(x + \omega_1) = f(x + \omega_2) = f(x), \qquad x \in \mathbb{C}.$$

Definition 2.49 (Weierstrass ℘-function). Given a lattice $L$, the Weierstrass ℘-function is defined by the series
$$\wp(z) = \wp(z, L) = \frac{1}{z^2} + \sum_{\omega \in L \setminus \{0\}} \left( \frac{1}{(z - \omega)^2} - \frac{1}{\omega^2} \right).$$

Theorem 2.50. The Weierstrass ℘-function has the following properties:
• The sum defining $\wp(z)$ converges absolutely and uniformly on compact sets not containing elements of $L$.
• $\wp(z)$ is meromorphic in $\mathbb{C}$ and has a double pole at each $\omega \in L$.
• $\wp(-z) = \wp(z)$ for all $z \in \mathbb{C}$.
• $\wp(z + \omega) = \wp(z)$ for all $\omega \in L$.
• The set of doubly periodic functions for $L$ is $\mathbb{C}(\wp, \wp')$. It means that every doubly periodic function is a rational function of $\wp$ and its derivative $\wp'$.

Differentiating $\wp(z)$ term by term yields
$$\wp'(z) = -2 \sum_{\omega \in L} \frac{1}{(z - \omega)^3}.$$

Definition 2.51 (Eisenstein series). Define the Eisenstein series $G_n = G_n(L)$ of weight $n$ for the lattice $L$ by
$$G_n(L) = \sum_{\omega \in L \setminus \{0\}} \omega^{-n}.$$

Proposition 2.52. The discriminant $\Delta = g_2^3 - 27 g_3^2 \neq 0$.

Theorem 2.53. The elliptic functions $\wp$ and $\wp'$ satisfy the equation
$$\wp'(z)^2 = 4\wp(z)^3 - 60 G_4\, \wp(z) - 140 G_6.$$
To show the isomorphism of a torus $\mathbb{C}/L$ and an elliptic curve $E$, it is usual to set
$$g_2 = 60 G_4, \qquad g_3 = 140 G_6.$$

Theorem 2.54. Let $L$ be a lattice and let $E$ be the elliptic curve $y^2 = 4x^3 - g_2 x - g_3$. The map
$$\Phi: \mathbb{C}/L \to E(\mathbb{C}), \qquad z \mapsto (\wp(z), \wp'(z)), \qquad 0 \mapsto \infty$$
is an isomorphism of groups.

So far, given a torus $\mathbb{C}/L$, the corresponding elliptic curve $E$ over $\mathbb{C}$ can be found by the Weierstrass ℘-function. The following shows the converse: given an elliptic curve $E$ over $\mathbb{C}$, there is a lattice $L$ such that the torus $\mathbb{C}/L$ is isomorphic to $E$.

Definition 2.55. Two lattices $L_1, L_2$ are homothetic if there is an $\alpha \in \mathbb{C}$ such that $\alpha L_1 = L_2$.

Let $L$ be a lattice in $\mathbb{C}$ with basis $\{\omega_1, \omega_2\}$ and let $\tau = \omega_1/\omega_2$, chosen so that the imaginary part of $\tau$ satisfies $\Im(\tau) > 0$ (switching $\omega_1$ and $\omega_2$ if necessary). Let $L_\tau = \mathbb{Z} + \mathbb{Z}\tau$; then $L_\tau$ is homothetic to $L$.

Theorem 2.56. There is a canonical isomorphism between the set of $\mathbb{C}$-isomorphism classes of elliptic curves and the set of homothety classes of lattices in $\mathbb{C}$.

Corollary 2.57. Let $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ and $L_\tau = \mathbb{Z} + \mathbb{Z}\tau$ with $\tau = \omega_1/\omega_2$ a complex number with $\Im(\tau) > 0$. Then the elliptic curve $E_L$ is isomorphic to $E_{L_\tau}$.

Theorem 2.58. There is a canonical isomorphism between the set of $\mathbb{C}$-isomorphism classes of elliptic curves and the set of homothety classes of lattices in $\mathbb{C}$.

Recall the definitions for the lattice $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$; now we restrict to $L_\tau = \mathbb{Z} + \mathbb{Z}\tau$. From the Eisenstein series defined for $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ in Definition 2.51, define
$$G_k(\tau) = G_k(L_\tau) = \sum_{(m, n) \neq (0, 0)} \frac{1}{(m\tau + n)^k},$$
$$g_2(\tau) = g_2(L_\tau) = 60\, G_4(L_\tau), \qquad g_3(\tau) = g_3(L_\tau) = 140\, G_6(L_\tau),$$
and let $q = e^{2\pi i \tau}$. Calculation of the discriminant $\Delta$ gives
$$\Delta(\tau) = g_2^3(\tau) - 27 g_3^2(\tau) = (2\pi)^{12} (q + \cdots).$$

Definition 2.59. Define
$$j(\tau) = 1728 \frac{g_2^3}{\Delta} = \frac{1}{q} + 744 + 196884\, q + 21493760\, q^2 + \cdots.$$
Define the matrix group
$$SL_2(\mathbb{Z}) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \,\middle|\, a, b, c, d \in \mathbb{Z},\ ad - bc = 1 \right\},$$
which acts on the upper half plane $\mathbb{H}$ by
$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} \tau = \frac{a\tau + b}{c\tau + d}, \qquad \tau \in \mathbb{H}.$$
The upper half plane of the complex plane is defined by
$$\mathbb{H} = \{\, x + iy \in \mathbb{C} \mid y > 0 \,\}.$$

[Figure 2.5: Fundamental domain for $SL_2(\mathbb{Z})$]

Proposition 2.60. Let $\tau \in \mathbb{H}$ and let $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z})$. Then
$$j\left( \frac{a\tau + b}{c\tau + d} \right) = j(\tau).$$

Definition 2.61 (Fundamental domain for $SL_2(\mathbb{Z})$). Let $F$ be the subset of $z \in \mathbb{H}$ such that
$$|z| \ge 1, \qquad -\tfrac{1}{2} \le \Re(z) < \tfrac{1}{2}, \qquad z \neq e^{i\theta} \text{ for } \tfrac{\pi}{3} < \theta < \tfrac{\pi}{2}.$$
Figure 2.5 is the illustration of $F$.

Proposition 2.62. Given $\tau \in \mathbb{H}$, there exists $\begin{pmatrix} a & b \\ c & d \end{pmatrix} \in SL_2(\mathbb{Z})$ such that
$$\frac{a\tau + b}{c\tau + d} = z \in F.$$
Moreover, $z \in F$ is uniquely determined by $\tau$.

Corollary 2.63. If $z \in \mathbb{C}$, then there is exactly one $\tau \in F$ such that $j(\tau) = z$.

Now we can prove the theorem below.

Theorem 2.64. Let $y^2 = 4x^3 - Ax - B$ be an elliptic curve $E$ over $\mathbb{C}$. Then there exists a lattice $L$ such that $g_2(L) = A$ and $g_3(L) = B$. There is an isomorphism of groups $\mathbb{C}/L \cong E(\mathbb{C})$.

Proof. Recall the $j$-invariant defined in Definition 2.34; then
$$j(E) = \frac{c_4^3}{\Delta} = 1728 \frac{c_4^3}{c_4^3 - c_6^2} = 1728 \frac{A^3}{A^3 - 27B^2}.$$
By Corollary 2.63, there exists a lattice $L_\tau = \mathbb{Z} + \mathbb{Z}\tau$ such that $j(\tau) = j(L_\tau) = j$. Consider the following cases:

1. $g_2(L_\tau) \neq 0$. Then $j(\tau) \neq 0 \Rightarrow A \neq 0$. Choose $\lambda \in \mathbb{C}$ such that $g_2(\lambda L_\tau) = \lambda^{-4} g_2(L_\tau) = A$. The equality $j = j(L_\tau)$ implies that $g_3(\lambda L_\tau)^2 = B^2$, so $g_3(\lambda L_\tau) = \pm B$. If $g_3(\lambda L_\tau) = B$, we have proved the theorem. If $g_3(\lambda L_\tau) = -B$, then set $\lambda' = i\lambda$:
$$g_2(\lambda' L_\tau) = g_2(i\lambda L_\tau) = i^{-4} g_2(\lambda L_\tau) = A, \qquad g_3(\lambda' L_\tau) = g_3(i\lambda L_\tau) = i^{-6} g_3(\lambda L_\tau) = B.$$

Hence, either $\lambda L_\tau$ or $i\lambda L_\tau$ is a lattice isomorphic to $E$.

2. $g_2(L_\tau) = 0$. Then $j(\tau) = 0 \Rightarrow A = 0$. Since $g_2(L_\tau)^3 - 27 g_3(L_\tau)^2 \neq 0$ by Proposition 2.52 and, by assumption, $A^3 - 27B^2 \neq 0$, we have $B \neq 0$ and $g_3(L_\tau) \neq 0$. Choose $\mu \in \mathbb{C}$ such that $g_3(\mu L_\tau) = \mu^{-6} g_3(L_\tau) = B$. Then $g_2(\mu L_\tau) = \mu^{-4} g_2(L_\tau) = 0 = A$. The lattice $\mu L_\tau$ is the one we want.

Let the lattice $L$ be the one obtained above; by Theorem 2.54, the map $\mathbb{C}/L \to E(\mathbb{C})$ is an isomorphism. □

Chapter 3  Generate Elliptic Curves

After reviewing the mathematical background, we summarize the approaches currently used to generate elliptic curves. One of these approaches is based on efficient point counting algorithms, because they allow us to test random curves until we find a suitable one to use.

3.1 Subfield Curves

We describe the relation between the order of an elliptic curve defined over a finite field $\mathbb{F}_q$ and the order of the same curve over the extension field $\mathbb{F}_{q^n}$. We prove the theorem below first.

Theorem 3.1. Let $\#E(\mathbb{F}_q) = q + 1 - t$. Write $X^2 - tX + q = (X - \alpha)(X - \beta)$. Then
$$\#E(\mathbb{F}_{q^n}) = q^n + 1 - (\alpha^n + \beta^n)$$
for all $n \ge 1$.

Proof. To prove the theorem, we start by showing that $\alpha^n + \beta^n$ is an integer.

Lemma 3.2. Let $s_n = \alpha^n + \beta^n$. Then $s_0 = 2$, $s_1 = t$, and $s_{n+1} = t s_n - q s_{n-1}$ for all $n \ge 1$.

Proof. Since $\alpha$ is a root of $f(X) = X^2 - tX + q = (X - \alpha)(X - \beta)$, we have $f(\alpha) = (\alpha - \alpha)(\alpha - \beta) = \alpha^2 - t\alpha + q = 0$. Multiplying both sides by $\alpha^{n-1}$, we get
$$\alpha^{n+1} = t\alpha^n - q\alpha^{n-1}.$$
This relation holds for $\beta$ too. Adding the two relations,
$$s_{n+1} = \alpha^{n+1} + \beta^{n+1} = t(\alpha^n + \beta^n) - q(\alpha^{n-1} + \beta^{n-1}) = t s_n - q s_{n-1}.$$
Since $s_0, s_1, t, q$ are all integers, $s_n = \alpha^n + \beta^n$ is an integer for all $n \ge 0$. □

Let $g(X) = (X^n - \alpha^n)(X^n - \beta^n) = X^{2n} - (\alpha^n + \beta^n)X^n + q^n$. Since $\alpha, \beta$ are roots of $g(X)$, we can write $g(X) = Q(X)(X^2 - tX + q)$. Since $g(X)$ and $X^2 - tX + q$ are both integer polynomials, the quotient $Q(X)$ has integer coefficients. Hence
$$g(\phi_q) = (\phi_q^n)^2 - (\alpha^n + \beta^n)\phi_q^n + q^n = Q(\phi_q)\,(\phi_q^2 - t\phi_q + q) = 0$$
as an endomorphism of $E$. By Theorem 2.47, there is a unique integer $k$ such that $\phi_{q^n}^2 - k\phi_{q^n} + q^n = 0$, and $k$ is determined by $k = q^n + 1 - \#E(\mathbb{F}_{q^n})$. Therefore,
$$\alpha^n + \beta^n = q^n + 1 - \#E(\mathbb{F}_{q^n}).\ \square$$

According to Theorem 3.1, in order to compute the order of an elliptic curve defined over $\mathbb{F}_{q^n}$, we only need to count the points of the curve over the smaller field $\mathbb{F}_q$ instead of counting the points over $\mathbb{F}_{q^n}$.

Example 3.3. Assume we want to find the order of the elliptic curve $E: y^2 + y = x^3 + x$ over $\mathbb{F}_{2^{101}}$. We start by counting the points of $E(\mathbb{F}_2)$. These points are
$$E(\mathbb{F}_2) = \{\infty, (0, 0), (0, 1), (1, 0), (1, 1)\}.$$
We get $\#E(\mathbb{F}_2) = 5$, $t = q + 1 - \#E(\mathbb{F}_2) = 2 + 1 - 5 = -2$, and the relation
$$X^2 - tX + q = X^2 + 2X + 2 = \left( X - \frac{-2 + \sqrt{4 - 8}}{2} \right)\left( X - \frac{-2 - \sqrt{4 - 8}}{2} \right) = \big(X - (-1 + i)\big)\big(X - (-1 - i)\big).$$
By Theorem 3.1, we can calculate
$$\#E(\mathbb{F}_{2^{101}}) = 2^{101} + 1 - \big((-1 + i)^{101} + (-1 - i)^{101}\big) = 2^{101} - 2^{51} + 1.$$
We can also compute the order by the recursive relation $s_{n+1} = t s_n - q s_{n-1}$:
$$s_0 = 2, \qquad s_1 = t = -2,$$
$$s_2 = t s_1 - q s_0 = -2(s_1 + s_0) = 0, \qquad s_3 = t s_2 - q s_1 = -2(s_2 + s_1) = 4, \qquad s_4 = t s_3 - q s_2 = -2(s_3 + s_2) = -8, \qquad \ldots, \qquad s_{101} = 2^{51},$$

hence we get the same result, $\#E(\mathbb{F}_{2^{101}}) = 2^{101} - 2^{51} + 1$.

The properties of subfield curves let us compute the order of the same elliptic curve equation defined over an extension field. However, the constraint that the coefficients of the equation must be defined over the subfield means that this approach is rarely used to generate elliptic curves for cryptosystems in practice.

3.2 Schoof's Algorithm and SEA Algorithm

Both Schoof's algorithm and the SEA algorithm are designed to solve the point counting problem on elliptic curves. The point counting problem is to determine the number of rational points of a randomly chosen elliptic curve over a finite field $\mathbb{F}_q$. To find suitable elliptic curves, one usually chooses the parameters of the elliptic curve at random and uses a point counting algorithm to find the order of the curve. If the curve does not satisfy the requirement, the process is repeated until an appropriate curve is obtained. In this section, we introduce Schoof's idea first and the improvements proposed by Elkies and Atkin next.

3.2.1 Schoof's Algorithm

We focus on elliptic curves over a prime field $\mathbb{F}_p$. By the Hasse theorem (Theorem 2.43), the order of an elliptic curve $E$ defined over $\mathbb{F}_p$ is
$$\#E(\mathbb{F}_p) = p + 1 - t, \qquad |t| \le 2\sqrt{p},$$
where $t$ is called the Frobenius trace. The idea of Schoof is to determine the Frobenius trace $t$ by finding $t_l \equiv t \pmod{l}$ for several small primes $l$ and using the Chinese Remainder Theorem.
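Example 3.3 above can be checked mechanically. The following Python block is an added example and not part of the thesis: it builds $\mathbb{F}_2$, $\mathbb{F}_4$ and $\mathbb{F}_8$ from irreducible polynomials chosen here, counts $E(\mathbb{F}_{2^n})$ for $E: y^2 + y = x^3 + x$ by enumerating all points, and compares the counts with the recurrence $s_{n+1} = t s_n - q s_{n-1}$ of Lemma 3.2, which then also yields $\#E(\mathbb{F}_{2^{101}})$ without ever touching the large field.

```python
# Added example (not from the thesis): checking Example 3.3 with code.
# Counts E(F_{2^n}) for E: y^2 + y = x^3 + x by brute force for small n and compares
# the result with the recurrence of Lemma 3.2 / Theorem 3.1.

def gf2n_mul(a, b, n, modulus):
    """Multiply two elements of GF(2^n) given as bit patterns, reducing by the
    irreducible polynomial `modulus` (which has bit n set)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:            # degree reached n: reduce modulo the field polynomial
            a ^= modulus
    return r

# Irreducible polynomials over F_2 used here to build F_2, F_4 and F_8 (chosen for this example).
IRREDUCIBLE = {1: 0b10, 2: 0b111, 3: 0b1011}   # z, z^2 + z + 1, z^3 + z + 1

def count_points_gf2n(n):
    """#E(F_{2^n}) for E: y^2 + y = x^3 + x by enumerating all (x, y), plus the point at infinity."""
    mod = IRREDUCIBLE[n]
    size = 1 << n
    count = 1                                  # the point at infinity
    for x in range(size):
        x3 = gf2n_mul(gf2n_mul(x, x, n, mod), x, n, mod)
        rhs = x3 ^ x                           # x^3 + x (addition in characteristic 2 is XOR)
        for y in range(size):
            lhs = gf2n_mul(y, y, n, mod) ^ y   # y^2 + y
            if lhs == rhs:
                count += 1
    return count

def order_by_recurrence(q, t, n):
    """#E(F_{q^n}) = q^n + 1 - s_n with s_0 = 2, s_1 = t, s_{k+1} = t*s_k - q*s_{k-1}  (n >= 1)."""
    s_prev, s_cur = 2, t
    for _ in range(1, n):
        s_prev, s_cur = s_cur, t * s_cur - q * s_prev
    return q**n + 1 - s_cur

def example_3_3():
    """Returns ({n: #E(F_{2^n}) from the recurrence}, t) for the curve of Example 3.3."""
    q = 2
    t = q + 1 - count_points_gf2n(1)           # 2 + 1 - 5 = -2
    return {n: order_by_recurrence(q, t, n) for n in (1, 2, 3, 101)}, t

if __name__ == "__main__":
    orders, t = example_3_3()
    print("t =", t)
    for n in (1, 2, 3):
        print(f"#E(F_2^{n}): brute force = {count_points_gf2n(n)}, recurrence = {orders[n]}")
    print("#E(F_2^101) =", orders[101], "matches 2^101 - 2^51 + 1:", orders[101] == 2**101 - 2**51 + 1)
```

The brute-force counts over $\mathbb{F}_4$ and $\mathbb{F}_8$ agree with $s_2 = 0$ and $s_3 = 4$ from the text, which is the check that the recurrence was set up with the right sign of $t$.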

According to the Hasse bound, $|t| \le 2\sqrt{p}$, so as long as we compute enough $t_l$ that $\prod l > 4\sqrt{p}$, the unique $t \in [-2\sqrt{p}, 2\sqrt{p}]$ can be determined.

For computing each $t_l$, we discuss the case $l = 2$ first. To determine $t_2 \equiv t \pmod 2$, observe the order modulo 2:
$$\#E(\mathbb{F}_p) \equiv p + 1 - t \equiv t \equiv t_2 \pmod 2$$
for an odd prime field $\mathbb{F}_p$. Hence $t_2 \equiv \#E(\mathbb{F}_p) \pmod 2$. If there exists a subgroup of order 2, then $t_2 = 0$; otherwise $t_2 = 1$. Since the $y$-coordinate of a point of order 2 is 0, if the elliptic curve equation $x^3 + Ax + B = 0$ has a root in $\mathbb{F}_p$, then $t_2 = 0$. Using the fact that the product of all irreducible polynomials of degree 1 over $\mathbb{F}_p$ is $g(x) = x^p - x$, we can determine $t_2$ as below:
$$t_2 = \begin{cases} 0 & \text{if } \deg \gcd(x^3 + Ax + B,\ x^p - x) > 0, \\ 1 & \text{otherwise.} \end{cases}$$

Now consider the case $l > 2$. Since the endomorphism $\phi_p^2 - t\phi_p + p$ is the zero map on the curve, for every point $P \in E(\overline{\mathbb{F}_p})$
$$\phi_p^2(P) - t\,\phi_p(P) + pP = \infty.$$
We can restrict to the non-trivial $l$-torsion points $P \in E[l] \setminus \{\infty\}$ to reduce the map to
$$\phi_p^2(P) - t_l\,\phi_p(P) + p_l P = \infty,$$
where $t_l \equiv t \pmod l$ and $p_l \equiv p \pmod l$.

Definition 3.4 (Torsion points). Let $E$ be an elliptic curve over $K$ and $n \in \mathbb{Z}$. The kernel of the multiplication-by-$n$ map, denoted by $E[n]$, is the set
$$E[n] = \{\, P \in E(\overline{K}) \mid nP = \infty \,\}.$$

An element $P \in E[n]$ is called an $n$-torsion point.

We now introduce the concept of division polynomials. For each positive integer $n$, there exists a polynomial $\psi_n$ such that the $x$-coordinates of the $n$-torsion points are the roots of $\psi_n$.

Lemma 3.5. Let $n$ be a positive integer. There exist polynomials $\psi_n, \theta_n, \omega_n \in \mathbb{F}_q[x, y]$ such that for $P = (x, y) \in E(\overline{\mathbb{F}_q})$, where $q > 2$ and $nP \neq \infty$,
$$nP = \left( \frac{\theta_n(x, y)}{\psi_n(x, y)^2},\ \frac{\omega_n(x, y)}{\psi_n(x, y)^3} \right).$$

Theorem 3.6. Let $P = (x, y) \in E(\overline{\mathbb{F}_q})$ with $2P \neq \infty$, and let $n \ge 3$ be an odd integer. The division polynomial $\psi_n(x, y)$ can be expressed as $\psi_n(x)$, i.e. $\psi_n$ has no $y$ terms. Then $P \in E[n]$ if and only if $\psi_n(x) = 0$.

Therefore, a point $P = (x_P, y_P) \in E[l]$ satisfies the equations
$$y_P^2 - x_P^3 - Ax_P - B = 0 \quad \text{and} \quad \psi_l(x_P) = 0.$$
When dealing with the $l$-torsion points, the theorem allows us to reduce the computation modulo the polynomial $\psi_l(x)$ and the elliptic curve equation. To determine $t_l$, we then try all $i \in \{0, 1, \ldots, l - 1\}$ to find the one that makes
$$\phi_p^2(P) + p_l P = i\,\phi_p(P)$$
hold modulo $\psi_l(x_P)$ and the elliptic curve equation, where $P = (x_P, y_P) \in E[l]$. We give Schoof's algorithm in the following.

Algorithm: Schoof's algorithm
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_p$.
OUTPUT: The order of $E$, $\#E(\mathbb{F}_p)$.
1.  find $t_2 \equiv t \pmod 2$, store $(t_2, 2)$
2.  $M \leftarrow 2$, $l \leftarrow 3$
3.  while $M < 4\sqrt{p}$ do
4.    find a point $P(x, y) \in E[l]$
5.    compute $Q(X(x, y), Y(x, y)) = \phi_p^2(P) + p_l P$
6.    compute $R(X(x, y), Y(x, y)) = \phi_p(P)$
7.    for $t_l = 0, 1, \ldots, \frac{l - 1}{2}$
8.      if the $x$-coordinates of $t_l R$ and $Q$ are equal
9.        compare the $y$-coordinates of $t_l R$ and $Q$
10.       if the same, store $(t_l, l)$
11.       else, store $(l - t_l, l)$
12.       $M \leftarrow M \cdot l$, $l \leftarrow \mathrm{nextprime}(l)$, and break
13. compute $t$ from the $(t_l, l)$ pairs by the CRT
14. return $p + 1 - t$

3.2.2 SEA Algorithm

Although Schoof proposed the polynomial time point counting algorithm in 1985, it remains inefficient when dealing with curves with large group order. Atkin and Elkies improved

Schoof's work and made the algorithm, the SEA algorithm, practical. The key observation is to consider the roots of the characteristic polynomial of the Frobenius map, $x^2 - tx + p$. In Schoof's algorithm, when computing $t_l \equiv t \pmod l$, it separates into two cases:
(1) If there is a root of $x^2 - t_l x + p_l = 0$ in $\mathbb{F}_l$, then $l$ is an Elkies prime.
(2) If there is no root of $x^2 - t_l x + p_l = 0$ in $\mathbb{F}_l$, then $l$ is an Atkin prime.

We briefly list some definitions and properties related to the SEA algorithm below.

Definition 3.7 (Classical modular polynomial). Define the classical modular polynomial by
$$\Phi_l(x, j(\tau)) = \big(x - j(l\tau)\big) \prod_{k=0}^{l-1} \left( x - j\left( \frac{\tau + k}{l} \right) \right).$$
Then $\Phi_l(x, y) \in \mathbb{Z}[x, y]$.

Definition 3.8 (Isogeny). A non-constant morphism $\psi$ which maps the identity element of $E_1$ to the identity element of $E_2$ is called an isogeny, $\psi: E_1 \to E_2$.

Lemma 3.9. Let $E_1, E_2$ be two elliptic curves. There is an isogeny of degree $l$ from $E_1$ to $E_2$ if and only if $\Phi_l(j(E_1), j(E_2)) = 0$.

Since the coefficients of the classical modular polynomial grow significantly as $l$ increases, we usually use an alternative modular polynomial instead. The alternative modular polynomial was proposed by Müller in 1995. Let
$$s = \frac{12}{\gcd(12, l - 1)}, \qquad v = \frac{s(l - 1)}{12}, \qquad f_l(\tau) = l^s \left( \frac{\eta(l\tau)}{\eta(\tau)} \right)^{2s},$$

where $\eta(\tau)$ is Dedekind's $\eta$-function
$$\eta(\tau) = q^{1/24} \prod_{n=1}^{\infty} (1 - q^n), \qquad q = e^{2\pi i \tau}.$$

Definition 3.10. Define the canonical modular polynomial as
$$\Phi_l^c(x, j(\tau)) = \big(x - f_l(\tau)\big) \prod_{i=0}^{l-1} \left( x - f_l\left( \frac{-1}{\tau + i} \right) \right).$$
According to [10], we determine the type of the prime by the following theorem.

Theorem 3.11. Let $E$ be a non-supersingular elliptic curve over $\mathbb{F}_p$ with $j$-invariant $j \neq 0, 1728$. For an odd prime $l$, $\Phi_l(x, j) \in \mathbb{F}_p[x]$ is a univariate polynomial. Then there are three cases for the number of roots of $\Phi_l(x, j)$ in the field $\mathbb{F}_p$:
(1) 1 root or $l + 1$ roots: $l$ is an Elkies prime and $t^2 - 4p \equiv 0 \pmod l$.
(2) 2 roots: $l$ is an Elkies prime and $t^2 - 4p$ has square roots in $\mathbb{F}_l$.
(3) No root: $l$ is an Atkin prime and all roots lie in $\mathbb{F}_{p^r}$ for some $r \mid l + 1$.

It can be shown that the splitting type of the canonical modular polynomial $\Phi_l^c(x, j)$ is the same as the splitting type of the classical modular polynomial $\Phi_l(x, j)$. Hence, to determine which type the prime $l$ belongs to, we compute the degree of $\gcd(\Phi_l^c(x, j),\ x^p - x)$. If the degree is larger than 0, $l$ is an Elkies prime; otherwise, $l$ is an Atkin prime. In the following we introduce Elkies's and Atkin's improvements.

Elkies's Improvement

If $l$ is an Elkies prime, then according to Theorem 3.11 there exist an isogeny $I_1$ and an elliptic curve $E_1$ such that
$$I_1: E \to E_1, \qquad I_1(P(x, y)) = \left( \frac{k_1(x)}{h_1(x)^2},\ \frac{g_1(x, y)}{h_1(x)^3} \right) \in E_1, \quad \text{for } P(x, y) \in E.$$
The degree of $I_1$ is $l$, hence $|\mathrm{Ker}(I_1)| = l$. By the definition of an isogeny, $I_1(\infty) = \infty$, and we have $\deg(h_1(x)) = \frac{l - 1}{2}$. A crucial result is that $I_1$ is a homomorphism and the kernel of $I_1$ is a subgroup of $E$. Moreover, $\mathrm{Ker}(I_1)$ is a subgroup of $E[l]$ of order $l$ and
$$\phi(P) = \lambda P \quad \text{for } P \in \mathrm{Ker}(I_1),$$
where $\phi$ is the Frobenius endomorphism and $\lambda$ is a root of the characteristic polynomial of the Frobenius endomorphism over $\mathbb{F}_l$. By the relation between roots and coefficients, we have the other root $\mu = p_l/\lambda$ and $t_l \equiv \mu + \lambda \pmod l$.

Using the same concept as Schoof, since the points we deal with lie in $\mathrm{Ker}(I_1)$, when finding the value $\lambda \in \mathbb{F}_l$ by testing the equality of $\phi(P)$ and $\lambda P$ we can take the computation modulo the polynomial $h_1(x)$. This improves the efficiency because $\deg(h_1(x)) = \frac{l - 1}{2}$ is less than $\deg(\psi_l(x)) = \frac{l^2 - 1}{2}$, the degree of the division polynomial. In the following we briefly list the process of computing $h_1(x)$; refer to [11] for more details of the computation.

Given an elliptic curve $E: y^2 = x^3 + Ax + B$ over a field $K$ with $\operatorname{char}(K) > 3$, an isogenous curve $E_1: y^2 = x^3 + \tilde{A}x + \tilde{B}$ and the polynomial $h_1(x)$ satisfying the above description can be derived from a root of $\Phi_l^c(x, j)$, from $\Phi_l^c(x, y)$, and from some invariants of $E$. Let $j = j(E)$ and let $g$ be a root of the polynomial $\Phi_l^c(x, j)$. Set
$$E_4 = -\frac{A}{3}, \qquad E_6 = -\frac{B}{2}, \qquad \Delta = \frac{E_4^3 - E_6^2}{1728},$$

(68) and. . . B Φc px, yq pg, j q , Bx l. B c Dg  g Dj  j By Φl px, yq pg, j q . The notation means that the derivatives are to be evaluated at pg, j q. By this setting, we. plq. plq. denote the invariants of the desired curve to be E 4 , E 6 , ∆plq . Then ∆plq. . l12 ∆g 12{s ,. where s  12{ pgcd p12, l  1qq. If Dj.  0 then. . plq. E4. plq A˜  3l4 E 4 , If Dj. ˜ B. j plq. . ∆plq. b.  2l pj plq  1728q ∆plq , 6. p1.  0..  0, then set E2. . where E 2.  l2E 4 ,. plq 3. E4.  12E 6 Dj ,. E0. sE 4 Dg. . E6. ,. E4E2. 2. s  g 1   E 2 g,. E E6 j1   4 .. 12. ∆.  12g1{ psgq. And compute . B Φc px, yq pg, j q g Bx l   2. B c 1 g g Bx2 Φl px, yq pg, j q . B 1 1 c Dj j By Φl px, yq pg, j q. D1. g1.  . j j1. B2 Φc px, yq pg, j q By2 l. j1. g1. . B2 Φc px, yq pg, j q , BxBy l. . B2 Φc px, yq pg, j q , BxBy l. to determine. 1. E0. . 1  s 1 1  12 Dg  E 0Dj . Dj. Then we have. plq. E4. . 1 l2. . . E4  E2. . 1. E 12 0 E0. 2 E4. 6  4 E6 E6 E4 41. . 2. E2. ,. j plq. . plq3. E4 . ∆plq.

(69) Let f.  ls{g, f 1  sE 2 f {12, the other invariant E p6lq is computed as D  g. . B Φc px, yq. Bx l.  f, j plq ,. D . . j. B Φc px, yq. By l. then f 1 Dg 1p lq j  , lD. plq. E6. j. . f, j plq ,. plq. E 4 j 1plq   j plq .. Therefore, we have the parameters of the curve E1. pq A˜  3l4 E 4 ,. ˜ B. .  2l6E p6lq,. p1.   lE2 2 .. Now use these values to derive the polynomial h1 pxq. Recall the Weierstrass ℘-function of the elliptic curve E : y 2 ℘ pz q .  x3. Ax ¸. 1 z2. B. . 2 . 1. pz  ωq. P zt u. ω L 0. 1 ω2. 8 ¸.  z12. . ck z 2k. k 1. where c1 ck. .   A5 ,. 3 pk  2q p2k. c2. . k¸2. 3q j 1.  B7 ,. cj ck1j , for k. ¥ 3.. Let ℘ pz q and ℘1 pz q denote the Weierstrass ℘-function of E and E1 , respectively, ℘ pz q . 1 z2. 8 ¸ . 2k. ck z ,. ℘1 pz q . k 1. 1 z2. 8 ¸ . c˜k z 2k .. k 1. Then the polynomial h1 pxq satisfies . 8. ¸ 1 c˜k  lck z l1 h1 p℘ pz qq  exp  p1 z 2  2 p2k 1q p2k k 1. 2q. z 2k. 2. .. For h1 pxq is a monic polynomial with degree pl  1q {2, we can derive h1 pxq by expanding the series and comparing the coefficients of z. We summarize the Elkies procedure in the following.. 42.

Algorithm: Elkies procedure
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_p$ and an Elkies prime $l$.
OUTPUT: $t_l \equiv t \pmod l$.
1. compute the polynomial $h_1(x)$
2. calculate $Q(X(x, y), Y(x, y)) = \phi_p(P)$, where $P \in E$ satisfies $h_1(x) = 0$
3. for $\lambda = 0, 1, \ldots, \frac{l - 1}{2}$
4.   if the $x$-coordinates of $\lambda P$ and $Q$ are equal
5.     compare the $y$-coordinates of $\lambda P$ and $Q$
6.     if the same, then $\mu = p_l/\lambda$
7.     if the sum of the $y$-coordinates of $\lambda P$ and $Q$ is 0, then $\lambda = l - \lambda$, $\mu = p_l/\lambda$
8.     break
9. return $\lambda + \mu \bmod l$

Atkin's Improvement

Now consider the case that $l$ is an Atkin prime. From Theorem 3.11, the equation $x^2 - t_l x + p_l = 0$ has no root in $\mathbb{F}_l$. The two roots lie in $\mathbb{F}_{l^2}$.

Theorem 3.12. If the roots of $\Phi_l^c(x, j)$ lie in $\mathbb{F}_{p^r}$ for the smallest such $r$, then the roots $\lambda$ and $\mu$ of the equation $x^2 - t_l x + p_l = 0$ satisfy that $\lambda/\mu$ is an element of order exactly $r$ in $\mathbb{F}_{l^2}$.

Hence, in the case that $l$ is an Atkin prime, we get a set of possible values of $t_l \equiv t \pmod l$. Let the value $r$ of Theorem 3.11 for an Atkin prime $l$ be $r_l$. It can be determined by computing the degree of $\gcd(\Phi_l^c(x, j),\ x^{p^i} - x)$ for increasing $i \ge 1$. Once $r_l$ is determined, we find the set of possible values of $t_l$ next. Let $\mathbb{F}_{l^2} = \mathbb{F}_l(\sqrt{d})$ for a quadratic non-residue $d \in \mathbb{F}_l$. Since $\lambda, \mu \in \mathbb{F}_{l^2} \setminus \mathbb{F}_l$, write
$$\lambda = x_1 + x_2\sqrt{d}, \qquad \mu = x_1 - x_2\sqrt{d}, \qquad \text{for some } x_1, x_2 \in \mathbb{F}_l.$$
Let $\gamma = \lambda/\mu$. By Theorem 3.12, the order of $\gamma$ is $r_l$ and we can write $\gamma = g_1 + g_2\sqrt{d}$ for some $g_1, g_2 \in \mathbb{F}_l$. Then
$$\gamma = g_1 + g_2\sqrt{d} = \frac{\lambda}{\mu} = \frac{\lambda^2}{\lambda\mu} = \frac{x_1^2 + x_2^2 d + 2x_1x_2\sqrt{d}}{p_l}.$$
Hence
$$p_l\, g_1 \equiv x_1^2 + x_2^2 d \pmod l, \qquad p_l\, g_2 \equiv 2x_1x_2 \pmod l, \qquad p_l = \lambda\mu \equiv x_1^2 - x_2^2 d \pmod l.$$
So we can get a possible value of $t_l$ by
$$t_l = \lambda + \mu = 2x_1 = \pm 2\sqrt{\frac{p_l (g_1 + 1)}{2}}.$$
All the possible values of $t_l$ can then be determined by finding all the elements of $\mathbb{F}_{l^2}$ of order $r_l$. This can be done by finding a generator $g$ of $\mathbb{F}_{l^2}^*$ and taking $\gamma = g^{\,i(l^2 - 1)/r_l}$ for $0 < i < r_l$ with $\gcd(i, r_l) = 1$. The Atkin procedure is processed as below.

Algorithm: Atkin procedure
INPUT: An elliptic curve $E$ over a finite field $\mathbb{F}_p$ and an Atkin prime $l$.
OUTPUT: A set of possible values of $t_l \equiv t \pmod l$.
1.  for $r_l = 2, 3, \ldots, l + 1$ with $r_l \mid l + 1$
2.    if $\gcd(\Phi_l^c(x, j),\ x^{p^{r_l}} - x) \neq 1$
3.      break
4.  find a quadratic non-residue $d$
5.  find a generator $g$ of $\mathbb{F}_l(\sqrt{d})^*$
6.  $S \leftarrow \{\}$
7.  for $i = 1, 2, \ldots, r_l - 1$ with $\gcd(i, r_l) = 1$
8.    compute $\gamma = g^{\,i(l^2 - 1)/r_l} = g_1 + g_2\sqrt{d}$
9.    find a square root $x_1$ of $p_l(g_1 + 1)/2$ in $\mathbb{F}_l$
10.   store $\{2x_1, -2x_1\}$ in $S$
11. return $S$

3.3 Complex Multiplication Method

The two ways to generate elliptic curves introduced in the previous sections select the parameters of a curve and then count the rational points on it. These methods need to test several elliptic curves until a desired one satisfying the security constraints is found. The complex multiplication method (CM method) to be introduced lets us determine the order of the

Table 3.4: Conditions proposed by Miyaji, Nakabayashi, and Takano

  embedding degree $k$   $\mathbb{F}_q$ ($q = p^r$)     $t = \mathrm{trace}(E)$
  $k = 3$                $q = 12l^2 - 1$              $t = -1 \pm 6l$
  $k = 4$                $q = l^2 + l + 1$            $t = -l$ or $t = l + 1$
  $k = 6$                $q = 4l^2 + 1$               $t = 1 \pm 2l$
  ($t \ge 3$)            $k \ge \ldots - \epsilon$

curves first and then compute the curves with exactly that order. Since we explain each step of the CM method in the next chapter, we use an example in this section to show how the CM method works. We generate an MNT curve as the example. MNT curves are used to construct pairing-based cryptosystems; they satisfy the conditions proposed by Miyaji, Nakabayashi, and Takano, which ensure that the curves have a small embedding degree, an important property when dealing with the pairing computation. Refer to [8] for more details about MNT curves. Table 3.4 lists the MNT conditions. Suppose we want an elliptic curve $E$ over $\mathbb{F}_p$ with embedding degree $k = 4$. According to Table 3.4, we have
$$p = l^2 + l + 1, \qquad t = l + 1 \ \text{or}\ t = -l.$$

Take $l = 71$; then $p = l^2 + l + 1 = 5113$ is a prime number, $t = l + 1 = 72$ or $t = -l = -71$, and
$$\#E(\mathbb{F}_p) = p + 1 - t = \begin{cases} 5042 = 2 \cdot 2521 & \text{for } t = 72, \\ 5185 = 5 \cdot 17 \cdot 61 & \text{for } t = -71. \end{cases}$$
We use $t = 72$ to make the curve have the larger prime-order subgroup. Let $D$ denote the discriminant of the endomorphism ring of the elliptic curve we want, i.e. $D$ is the discriminant of an order of an imaginary quadratic field. Then
$$D = t^2 - 4p = 72^2 - 4 \cdot 5113 = -15268.$$
For constructing the Hilbert polynomial, we find all reduced binary quadratic forms $(a, b, c)$ with discriminant $D$, i.e. we search for the triples $(a, b, c)$ satisfying
(1) $b^2 - 4ac = D$
(2) $|b| \le a \le c$
(3) $b \ge 0$ if $a = |b|$ or $a = c$
(4) $\gcd(a, b, c) = 1$
For $D = -15268$, the 20 triples are (with $\pm b$ counting as two forms where both are reduced):
$$(1, 0, 3817),\ (11, 0, 347),\ (2, 2, 1909),\ (23, \pm 2, 166),\ (46, \pm 2, 83),\ (17, \pm 10, 226),\ (34, \pm 10, 113),\ (22, 22, 179),\ (43, \pm 30, 94),\ (47, \pm 30, 86),\ (41, \pm 36, 101),\ (53, \pm 46, 82).$$

Let
$$\tau_i = \frac{-b_i + \sqrt{b_i^2 - 4a_ic_i}}{2a_i} = \frac{-b_i + \sqrt{D}}{2a_i}, \qquad i = 1, 2, \ldots, 20,$$
and compute the Hilbert polynomial
$$H_D(x) = \prod_{i=1}^{20} \big(x - j(\tau_i)\big),$$
where
$$j(\tau) = \frac{(256\, h(\tau) + 1)^3}{h(\tau)}, \qquad h(\tau) = \frac{\Delta(2\tau)}{\Delta(\tau)}, \qquad \Delta(\tau) = q \prod_{n=1}^{\infty} (1 - q^n)^{24}, \qquad q = e^{2\pi i \tau}.$$
Notice that the computation of the Hilbert polynomial takes place in the complex plane. Its coefficients are in fact integers, hence we must calculate with enough precision to recover the correct coefficients by rounding. In this case, the integer polynomial modulo $p$ is
$$H_D(x)_p = H_D(x) \bmod 5113 = x^{20} - 1384x^{19} - 5068x^{18} + 2897x^{17} + 4303x^{16} + 4515x^{15} + 964x^{14} - 4023x^{13} + 3489x^{12} - 3358x^{11} + 1792x^{10} + 4864x^9 + 5026x^8 + 4573x^7 - 1992x^6 - 724x^5 + 1625x^4 + 636x^3 + 1264x^2 + 2625x + 2987.$$
We can use the Cantor-Zassenhaus algorithm to factor the polynomial and find its roots over $\mathbb{F}_p$. These roots of $H_D(x)_p$ are the $j$-invariants of the desired elliptic curves over $\mathbb{F}_p$. The roots of the polynomial above are
$$j_p \in \{1186, 50, 2556, 514, 3089, 3535, 3218, 263, 2799, 565, 2226, 3258, 3859, 1963, 2189, 2841, 2921, 1051, 1542, 2663\}.$$
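To make the class-polynomial step concrete, here is an added Python example; it is not the thesis's own implementation (which computes Weber class polynomials). It evaluates $j(\tau)$ from the $q$-expansion $j = E_4^3/\Delta$ with $E_4 = 1 + 240\sum_{n \ge 1} \sigma_3(n) q^n$ (an equivalent formula to the one above), enumerates the reduced forms with conditions (1)-(4), checks the modular invariance of Proposition 2.60 numerically, and expands $H_D(x) = \prod (x - j(\tau_i))$ in double precision. Double precision only suffices for tiny discriminants, so $H_D$ is expanded for $D = -15$ (class number 2) and reduced modulo the prime $p = 19$ chosen here, for which $4p = t^2 - D$ with $t = 4$; for the thesis's $D = -15268$ the block only enumerates the forms, whose count is the degree 20 of $H_D$ above.

```python
# Added example (not from the thesis): the class-polynomial steps of the CM method at toy
# size. Only the form enumeration is run on the thesis's D = -15268; the polynomial
# expansion is done for D = -15, where double precision is enough.

import cmath
import math

def sigma3(n):
    return sum(d**3 for d in range(1, n + 1) if n % d == 0)

def j_invariant(tau, terms=60):
    """j(tau) = E_4(tau)^3 / Delta(tau) with E_4 = 1 + 240 sum sigma_3(n) q^n and
    Delta = q prod (1 - q^n)^24, q = exp(2 pi i tau). Converges quickly for Im(tau) > 0.5."""
    q = cmath.exp(2j * cmath.pi * tau)
    e4 = 1 + 240 * sum(sigma3(n) * q**n for n in range(1, terms))
    delta = q
    for n in range(1, terms):
        delta *= (1 - q**n) ** 24
    return e4**3 / delta

def reduced_forms(D):
    """Primitive reduced forms (a, b, c) with b^2 - 4ac = D < 0: |b| <= a <= c,
    b >= 0 when |b| == a or a == c, gcd(a, b, c) = 1. Their number is the class number h_D."""
    forms = []
    a = 1
    while 3 * a * a <= -D:                  # |b| <= a <= c forces a <= sqrt(|D| / 3)
        for b in range(-a, a + 1):
            if (b * b - D) % (4 * a):
                continue
            c = (b * b - D) // (4 * a)
            if c < a or (b < 0 and (a == -b or a == c)):
                continue
            if math.gcd(math.gcd(a, abs(b)), c) != 1:
                continue
            forms.append((a, b, c))
        a += 1
    return forms

def hilbert_class_polynomial(D, terms=60):
    """Integer coefficients (highest degree first) of H_D(x) = prod_i (x - j(tau_i)) with
    tau_i = (-b_i + sqrt(D)) / (2 a_i); the complex product is rounded at the end."""
    roots = [j_invariant(complex(-b, math.sqrt(-D)) / (2 * a), terms) for a, b, _ in reduced_forms(D)]
    poly = [1 + 0j]
    for r in roots:                         # multiply the running polynomial by (x - r)
        nxt = [0j] * (len(poly) + 1)
        for i, coef in enumerate(poly):
            nxt[i] += coef                  # coef * x^(deg+1-i) comes from the x term
            nxt[i + 1] -= coef * r          # ... and -r * coef from the constant term
        poly = nxt
    return [round(c.real) for c in poly]

def roots_mod_p(poly, p):
    """Roots in F_p of an integer polynomial (highest degree first), by exhaustive search."""
    def value(x):
        acc = 0
        for c in poly:
            acc = (acc * x + c) % p
        return acc
    return [x for x in range(p) if value(x) == 0]

def j_is_modular_invariant(tau, tol=1e-9):
    """Numerical check of Proposition 2.60 for the generators T: tau -> tau + 1 and S: tau -> -1/tau."""
    j0 = j_invariant(tau)
    return (abs(j_invariant(tau + 1) - j0) <= tol * abs(j0)
            and abs(j_invariant(-1 / tau) - j0) <= tol * abs(j0))

if __name__ == "__main__":
    print("h(-15268) =", len(reduced_forms(-15268)))        # 20 forms, matching deg H_D above
    H = hilbert_class_polynomial(-15)
    print("H_{-15}(x) coefficients:", H)                     # x^2 + 191025 x - 121287375
    # CM step at toy size: p = 19, t = 4 gives 4p = 76 = t^2 + 15, i.e. D = t^2 - 4p = -15,
    # so the roots of H_{-15} mod 19 are j-invariants of curves over F_19 with 19 + 1 -/+ 4 points.
    print("roots of H_{-15} mod 19:", roots_mod_p(H, 19))
    print("j invariant under SL2(Z) at 0.3 + 1.1i:", j_is_modular_invariant(0.3 + 1.1j))
```

The rounding step is where precision matters: the largest coefficient of $H_D$ grows roughly like $e^{\pi\sqrt{|D|}}$, which for $D = -15268$ is far beyond what a double can represent, so a real implementation (as in the thesis) needs multi-precision complex arithmetic and a working-precision estimate before this expansion.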

Select $j_p = 1186$ and get the elliptic curve $E_1$:
$$y^2 = x^3 + \frac{3j_p}{1728 - j_p}x + \frac{2j_p}{1728 - j_p} \;\Rightarrow\; y^2 = x^3 + \frac{3 \cdot 1186}{1728 - 1186}x + \frac{2 \cdot 1186}{1728 - 1186} = x^3 + 1365x + 910 \pmod{5113}.$$
Using Schoof's algorithm to count the points of the curve $E_1$ gives the order
$$\#E_1(\mathbb{F}_{5113}) = 5186 = 5113 + 1 + 72.$$
Therefore, the curve with order 5042 we desire is the twist of $E_1$. Since 5 is a quadratic non-residue in $\mathbb{F}_{5113}$, let $E_1^t$ be the quadratic twist of $E_1$:
$$E_1^t: y^2 = x^3 + 1365 \cdot 5^2\, x + 910 \cdot 5^3 = x^3 + 3447x + 1264 \pmod{5113}.$$
Schoof's algorithm shows that the order is $\#E_1^t(\mathbb{F}_{5113}) = 5042$. So we have
$$p = 5113, \quad t = 72, \quad D = -15268, \quad j_p = 1186, \quad E_1^t: y^2 = x^3 + 3447x + 1264 \pmod{5113}, \quad \#E_1^t(\mathbb{F}_{5113}) = 5042 = 2 \cdot 2521,$$
and
$$2521 \,\|\, 5113^4 - 1 = 683444370987360 = 2521 \cdot 271100504160.$$
The notation $n \,\|\, p^k - 1$ denotes that $n \mid p^k - 1$ and $n \nmid p^i - 1$ for $1 \le i < k$.

Assume we select another $j$-invariant, $j_p = 50$; using the same process to find the desired curve, we get
$$p = 5113, \quad t = 72, \quad D = -15268, \quad j_p = 50, \quad E_2: y^2 = x^3 + 2389x + 3297, \quad E_2^t: y^2 = x^3 + 3482x + 3085,$$

and
$$\#E_2(\mathbb{F}_{5113}) = 5186, \qquad \#E_2^t(\mathbb{F}_{5113}) = 5042.$$

We have illustrated how the CM method can be used to generate pairing-friendly elliptic curves; next we use another example with a larger discriminant $D$ to show the process for generating elliptic curves with prime order. Suppose we want an elliptic curve with prime order 101111; then we select a prime $p = 101359$ within the Hasse bound. The parameters of the elliptic curve $E$ we desire are
$$\#E(\mathbb{F}_{101359}) = 101111, \qquad t = 249.$$
Set the input parameters for the CM method as
$$p = 101359, \qquad D = t^2 - 4p = -343435.$$
The CM algorithm finds the reduced binary quadratic forms
$$(a, b, c) = (1, 1, 85859),\ (23, 1, 3733),\ (19, 3, 4519),\ (5, 5, 17173),\ (13, 5, 6605),\ (65, 5, 1321),\ (43, 7, 1997),\ (157, 9, 547),\ (17, 13, 5053),\ (31, 13, 2771),\ (163, 13, 527),\ (61, 19, 1409),\ \ldots,$$

and the Hilbert polynomial modulo $p$ is
$$H_D(x)_p = x^{94} + 6067x^{93} + 46253x^{92} - 64761x^{91} + 8636x^{90} + 70547x^{89} + 100404x^{88} - 77983x^{87} + 85336x^{86} - 80849x^{85} + 80880x^{84} - 96778x^{83} + 95307x^{82} + 27454x^{81} + 5092x^{80} - 23203x^{79} + 13278x^{78} + 89668x^{77} + 69176x^{76} - 48263x^{75} + 48176x^{74} - 76726x^{73} + 14898x^{72} + 92125x^{71} + 46898x^{70} + 42889x^{69} + 64592x^{68} - 19972x^{67} + 82390x^{66} + \cdots.$$
Therefore, we have 94 roots modulo 101359. Randomly selecting $j_p = 59501$, we have
$$E: y^2 = x^3 + 83394x + 55596, \qquad E^t: y^2 = x^3 + 83394x - 55596,$$
and
$$\#E(\mathbb{F}_{101359}) = 101609, \qquad \#E^t(\mathbb{F}_{101359}) = 101111.$$
Therefore, the desired elliptic curve is $E^t$.
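The finishing steps of both examples above (curve from $j_p$, quadratic twist, point count, embedding degree) can be reproduced with the added Python block below, which is not code from the thesis. It builds the curve with equation (4.1) of Chapter 4, which is only defined for $j \neq 0, 1728$; forms the twist $y^2 = x^3 + d^2 a x + d^3 b$ for a quadratic non-residue $d$; counts points with a Legendre-symbol scan in place of Schoof's algorithm (adequate at these sizes, useless at cryptographic ones); checks that the two orders are $p + 1 \mp t$, which is exactly what a root of $H_{t^2 - 4p}$ guarantees; and reads off the embedding degree of the order-2521 subgroup. For $p = 101359$ the twist uses $d = -1$, a non-residue because $p \equiv 3 \pmod 4$, which reproduces the sign flip of $b$ shown above.

```python
# Added example (not from the thesis): finishing the CM method on the two examples
# of Section 3.3 with a naive point count. All parameters are the thesis's values.

def curve_from_j(j, p):
    """Coefficients (a, b) of y^2 = x^3 + a x + b over F_p with j-invariant j, by (4.1);
    j = 0 and j = 1728 need a = 0 or b = 0 directly and are rejected here."""
    j %= p
    if j in (0, 1728 % p):
        raise ValueError("equation (4.1) is not defined for j = 0 or j = 1728")
    k = j * pow(1728 - j, -1, p) % p
    return 3 * k % p, 2 * k % p

def legendre(v, p):
    """Legendre symbol (v | p) for an odd prime p, via Euler's criterion."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """#E(F_p) = 1 + sum_x (1 + (x^3 + a x + b | p)); exhaustive, so only for small p."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))

def smallest_nonresidue(p):
    d = 2
    while legendre(d, p) != -1:
        d += 1
    return d

def quadratic_twist(a, b, p, d=None):
    """Twist of y^2 = x^3 + a x + b by the non-residue d; its order is 2p + 2 - #E(F_p)."""
    if d is None:
        d = smallest_nonresidue(p)
    if legendre(d, p) != -1:
        raise ValueError("the twisting element must be a quadratic non-residue")
    return a * d * d % p, b * d * d * d % p

def embedding_degree(p, n, limit=1000):
    """Smallest k with n | p^k - 1, i.e. the order of p in (Z/nZ)^*."""
    acc = 1
    for k in range(1, limit + 1):
        acc = acc * p % n
        if acc == 1:
            return k
    raise ValueError("embedding degree exceeds limit")

def cm_finish(p, j, t, d=None):
    """Given p, a root j of H_D mod p (D = t^2 - 4p) and the trace t, return
    ((a, b, #E), (a_t, b_t, #E_t)) for the curve with j-invariant j and its twist."""
    a, b = curve_from_j(j, p)
    at, bt = quadratic_twist(a, b, p, d)
    n, nt = count_points(a, b, p), count_points(at, bt, p)
    if {n, nt} != {p + 1 - t, p + 1 + t}:
        raise ValueError("j is not a root of H_D mod p for D = t^2 - 4p")
    return (a, b, n), (at, bt, nt)

if __name__ == "__main__":
    E1, E1t = cm_finish(5113, 1186, 72, d=5)
    print("E1  (a, b, order):", E1)            # (1365, 910, 5186)
    print("E1^t(a, b, order):", E1t)           # (3447, 1264, 5042)
    print("embedding degree of the order-2521 subgroup:", embedding_degree(5113, 2521))   # 4
    E2, E2t = cm_finish(101359, 59501, 249, d=101359 - 1)
    print("E   (a, b, order):", E2)
    print("E^t (a, b, order):", E2t)           # the prime-order curve, 101111 points
```

The check inside `cm_finish` is the practical safeguard of the whole method: if the orders are not $p + 1 \mp t$, then either $j_p$ was not a root of the right class polynomial modulo $p$ or the precision used to compute $H_D$ was too low and a coefficient rounded wrongly.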

Chapter 4  Complex Multiplication for Elliptic Curves

In this chapter, we outline the complex multiplication method (CM method) first, and then describe each step in detail to show how it works.

4.1 Outline of the Complex Multiplication Method

First of all, by the property of the $j$-invariant of an elliptic curve over a finite field $\mathbb{F}_q$ with $\operatorname{char}(\mathbb{F}_q) > 3$, if we know the $j$-invariant we can construct an elliptic curve with this $j$-invariant. Let $j$ be the $j$-invariant and define the elliptic curve $E$ by
$$y^2 = x^3 + \frac{3j}{1728 - j}x + \frac{2j}{1728 - j}. \tag{4.1}$$
Then $E$ is an elliptic curve with $j(E) = j$. Now we review the elliptic curves defined over $\mathbb{C}$.

From Section 2.2.3, an elliptic curve $E_{\mathbb{C}}$ defined over $\mathbb{C}$ is isomorphic to $\mathbb{C}/L$, where $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$, $\omega_1, \omega_2 \in \mathbb{C}$, and $\omega_1, \omega_2$ are linearly independent over $\mathbb{R}$. We can rewrite the lattice $L$ as $L = \mathbb{Z} + \mathbb{Z}\tau$ such that the imaginary part of $\tau$ is positive, and we get $j(E_{\mathbb{C}}) = j(\tau)$. Furthermore, the endomorphism ring of $E_{\mathbb{C}}$ is
$$\mathrm{End}(E_{\mathbb{C}}) = \{\, \beta \in \mathbb{C} \mid \beta L \subseteq L \,\},$$
i.e. it corresponds to an ideal $\mathcal{A}$ of an order $\mathcal{O}$ in an imaginary quadratic field $K$. It can be shown that the minimal polynomial of $j(E_{\mathbb{C}})$ is the Hilbert class polynomial
$$H_D(x) = \prod_{i=1}^{h_D} \big(x - j(\mathcal{A}_i)\big),$$
where $h_D$ is the order of the ideal class group of $\mathcal{O}_K$, the $\mathcal{A}_i$ are representatives of the elements of the class group of $\mathcal{O}_K$, and $j(\mathcal{A}_i)$ is the $j$-invariant of the elliptic curve corresponding to $\mathcal{A}_i$.

By Deuring's Lifting Theorem, we can obtain an elliptic curve with complex multiplication over a finite field by reducing an elliptic curve with complex multiplication in characteristic zero.

Theorem 4.1 (Deuring's Lifting Theorem). Let $E$ be an elliptic curve defined over a finite field and let $\alpha$ be an endomorphism of $E$. Then there exist an elliptic curve $\tilde{E}$ defined over a finite extension $K$ of $\mathbb{Q}$ and an endomorphism $\tilde{\alpha}$ of $\tilde{E}$ such that $E$ is the reduction of $\tilde{E}$ modulo some prime ideal of the ring of algebraic integers of $K$ and the reduction of $\tilde{\alpha}$ is $\alpha$.

The $j$-invariant of the elliptic curve $E$ over a finite field $\mathbb{F}_p$ reduced from the elliptic curve $E_{\mathbb{C}}$ is a root of the Hilbert polynomial $H_D(x) \bmod p$. The idea of generating an elliptic curve with prescribed order by the CM method is

1. Determine the prime order $N$ of the elliptic curve and the finite field $\mathbb{F}_p$ over which $E$ is defined. The order $N$ determines the structure of the endomorphism ring $\mathrm{End}(E)$ and the Hilbert class field.
2. Compute the Hilbert polynomial $H_D(x)$ and find a root $j_p$ of $H_D(x) \bmod p$.
3. Compute the elliptic curve $E/\mathbb{F}_p$ and its twist $E'/\mathbb{F}_p$. Then check which one of $E$ and $E'$ has order equal to $N$; that one is the elliptic curve we want.

According to this idea, the algorithm for generating elliptic curves by the CM method can be designed as below. Since the Hilbert polynomials can be computed in advance, the algorithm takes the Hilbert polynomial as input.

Algorithm: Construct an elliptic curve using the CM method
INPUT: A squarefree integer $d \neq 1, 3$, parameters $\epsilon$ and $\delta$, the Hilbert class polynomial $H_D(x)$, the desired size of $p$ and $l$.
OUTPUT: A prime $p$ of the desired size and an elliptic curve $E/\mathbb{F}_p$ with $l \mid \#E(\mathbb{F}_p)$, where $l$ is a large prime.
1. do
2.   do
3.     choose a prime $p$ of the desired size
4.   until $\epsilon p = x^2 + dy^2$ for some $x, y \in \mathbb{Z}$
5.   let $n_1 = p + 1 - \dfrac{2x}{\delta}$, $n_2 = p + 1 + \dfrac{2x}{\delta}$
6. until $n_1$ or $n_2$ has a large prime factor $l$

7. find a root $j_p$ of $H_D(x) \bmod p$
8. compute the elliptic curve $E_j/\mathbb{F}_p$ by (4.1) and its twist $E_j'/\mathbb{F}_p$
9. do
10.  find a point $P \in E_j(\mathbb{F}_p)$ and compute $Q = n_1 P$
11.  if $Q = \infty$ and $n_2 P \neq \infty$, return $p$ and $E_j$
12.  else if $Q \neq \infty$, return $p$ and $E_j'$

4.2 Endomorphism Ring

In Section 2.1.3, we formulated some definitions related to homomorphisms. To study the details of the CM method, we start by introducing the endomorphism ring of an elliptic curve.

Definition 4.2 (Endomorphism). Let $A_1$ and $A_2$ be abelian varieties over $K$ and let $\mathrm{Hom}_K(A_1, A_2)$ denote the set of homomorphisms from $A_1$ to $A_2$. Then the homomorphisms $\mathrm{End}_K(A_1) := \mathrm{Hom}_K(A_1, A_1)$ are the endomorphisms of $A_1$. The set $\mathrm{End}_K(A_1)$ is a ring with composition as the multiplicative structure.

Given an elliptic curve $E$ defined over $K$, we say that $E$ has complex multiplication if the endomorphism ring of $E$, $\mathrm{End}_K(E)$, is strictly larger than $\mathbb{Z}$. We now use elliptic curves defined over $\mathbb{C}$ as examples to illustrate endomorphism rings, and then show that all elliptic curves defined over finite fields have complex multiplication. We use the elliptic curve $E: y^2 = 4x^3 - 4x$ defined over $\mathbb{C}$ as an example.

[Figure 4.1: Square lattice $L = \mathbb{Z}\omega + \mathbb{Z}i\omega$]

As we have proved, we can find a lattice $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ such that $E(\mathbb{C}) \cong \mathbb{C}/L$. In this case, it can be computed that the lattice $L$ can be written as $L = \mathbb{Z}\omega + \mathbb{Z}i\omega$ for a certain $\omega \in \mathbb{R}$. Figure 4.1 shows an example of this square lattice. The square lattice is symmetric, i.e. $iL = L$. Consider the endomorphism $\alpha(x) = ix$ acting on the Weierstrass ℘-function:
$$\wp(iz) = \frac{1}{(iz)^2} + \sum_{\omega \in L \setminus \{0\}} \left( \frac{1}{(iz - \omega)^2} - \frac{1}{\omega^2} \right) = \frac{1}{(iz)^2} + \sum_{i\omega \in L \setminus \{0\}} \left( \frac{1}{(iz - i\omega)^2} - \frac{1}{(i\omega)^2} \right) = -\wp(z),$$
$$\wp'(iz) = i\,\wp'(z).$$
Hence, we have the corresponding endomorphism on the elliptic curve $E$ given by
$$i(x, y) = (-x, iy),$$

i.e. we get the corresponding map between $\mathbb{C}/L$ and $E(\mathbb{C})$:
$$
\begin{array}{rcl}
\mathbb{C}/L: & z & \longmapsto\ iz \\[2pt]
E(\mathbb{C}): & (x, y) = (\wp(z), \wp'(z)) & \longmapsto\ (\wp(iz), \wp'(iz)) = (-x, iy).
\end{array}
$$
It follows that for $\alpha = a + bi \in \mathbb{Z}[i]$, where $\mathbb{Z}[i] = \{a + bi \mid a, b \in \mathbb{Z}\}$, and $(x, y) \in E(\mathbb{C})$, $\alpha$ is an endomorphism of $E$ defined by
$$
(x, y) \longmapsto (a + bi)(x, y) = a(x, y) + b(-x, iy),
$$
since point multiplication by the integers $a$ and $b$ can be expressed by rational functions. Therefore, in this case, $\mathbb{Z}[i] \subseteq \mathrm{End}_{\mathbb{C}}(E)$. Figure 4.2 shows two elements of $\mathrm{End}_{\mathbb{C}}(E)$, multiplication by an integer and multiplication by $i$.

Now we deal with the endomorphism ring of an arbitrary elliptic curve over $\mathbb{C}$. We prove the following theorem.

Theorem 4.3. Let $E$ be an elliptic curve defined over $\mathbb{C}$ and let $L$ be the lattice such that $E(\mathbb{C}) \cong \mathbb{C}/L$. Then
$$
\mathrm{End}_{\mathbb{C}}(E) \cong \{\beta \in \mathbb{C} \mid \beta L \subseteq L\}.
$$

Proof. Let $E$ be an elliptic curve defined over $\mathbb{C}$ and let $L = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ be the corresponding lattice. To prove the theorem we need to show the following:
1. every endomorphism of $E(\mathbb{C})$ is given by some $\beta$ with $\beta L \subseteq L$;
2. every such $\beta$ defines an endomorphism of $E(\mathbb{C})$.
We now begin the proof.

[Figure 4.2: Examples of $\mathrm{End}_{\mathbb{C}}(E) \cong \{\beta \in \mathbb{C} \mid \beta L \subseteq L\}$ on the square lattice $L = \mathbb{Z}\omega + \mathbb{Z}i\omega$: multiplication by $i$, with $iL = L$, and multiplication by $2$, with $2L \subset L$]

[Figure 4.3: The morphisms in part (1) of the proof of Theorem 4.3: $\alpha$ on $E(\mathbb{C})$ sends $P = (x, y)$ to $\alpha(P) = (R(x), yS(x))$, and $\tilde{\alpha} = \Phi^{-1} \circ \alpha \circ \Phi$ is the corresponding map on $\mathbb{C}/L$]

1. Given an endomorphism $\alpha$ of $E(\mathbb{C})$, by definition it maps a point $P = (x, y) \in E(\mathbb{C})$ to $\alpha P = \alpha(x, y) \in E(\mathbb{C})$ and can be expressed by rational functions,
$$
\alpha(x, y) = (R(x),\ yS(x)).
$$
Since there is an isomorphism $\Phi$ between $\mathbb{C}/L$ and $E(\mathbb{C})$,
$$
\Phi : \mathbb{C}/L \longrightarrow E(\mathbb{C}), \qquad \Phi(z) = (\wp(z), \wp'(z)),
$$
the map $\tilde{\alpha}(z) = \Phi^{-1}(\alpha(\Phi(z)))$ is an endomorphism of $\mathbb{C}/L$. Figure 4.3 illustrates the relations between these morphisms.

To show that $\tilde{\alpha}(z) = \beta z$ for some $\beta \in \mathbb{C}$, we focus on the action of the endomorphism on a sufficiently small neighbourhood $U$ of $z = 0$. There we obtain a map from $U$ to $\mathbb{C}$ such that
$$
\tilde{\alpha}(z_1 + z_2) \equiv \tilde{\alpha}(z_1) + \tilde{\alpha}(z_2) \pmod{L}, \qquad z_1, z_2 \in U,
$$
and we may assume that $\tilde{\alpha}(0) = 0$. By continuity, $\tilde{\alpha}(z) \to 0$ as $z \to 0$. If $U$ is
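As a worked instance of Theorem 4.3 (added here, not part of the thesis), apply it to the square-lattice example above, $L = \mathbb{Z}\omega + \mathbb{Z}i\omega = \omega\,\mathbb{Z}[i]$. For $\beta \in \mathbb{C}$,
$$
\beta L \subseteq L \implies \beta\omega \in L \implies \beta\omega = a\omega + b\,i\omega \ \text{for some } a, b \in \mathbb{Z} \implies \beta = a + bi \in \mathbb{Z}[i],
$$
and conversely, for $\beta = a + bi \in \mathbb{Z}[i]$ and any lattice point $m\omega + n\,i\omega \in L$,
$$
(a + bi)(m + ni)\,\omega = (am - bn)\,\omega + (an + bm)\,i\omega \in L .
$$
Hence $\{\beta \in \mathbb{C} \mid \beta L \subseteq L\} = \mathbb{Z}[i]$, so by Theorem 4.3 the inclusion $\mathbb{Z}[i] \subseteq \mathrm{End}_{\mathbb{C}}(E)$ obtained earlier is an equality; for instance $\beta = \tfrac{1}{2}$ is not an endomorphism because $\tfrac{1}{2}\omega \notin L$. The ring structure is visible on the curve itself: the image $(-x, iy)$ lies on $E$ because $(iy)^2 = -y^2 = -(4x^3 - 4x) = 4(-x)^3 - 4(-x)$, and composing $[i]$ with itself gives
$$
[i]([i](x, y)) = [i](-x, iy) = (x, -y) = [-1](x, y),
$$
matching $i^2 = -1$ in $\mathbb{Z}[i]$.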
