Prime Numbers
.pdf372 |
Chapter 7 ELLIPTIC CURVE ARITHMETIC |
implemented a highly e cient elliptic curve primality proving (ECPP) scheme [Atkin and Morain 1993b]. The method is now in wide use. There are various ways to proceed in practice with this ECPP; we give just one here.
The idea once again is to find either “closed-form” curve orders, or at least be able to specify orders relatively quickly. One could conceivably use closed forms such as those of Algorithm 7.5.10, but one may well “run out of gas,” not being able to find an order with the proper structure for Theorem 7.6.1. The Atkin–Morain approach is to find curves with complex multiplication, as in Algorithm 7.5.9. In this way, a crucial step (called [Assess curve order], in Algorithm 7.6.2) is a point of entry into the Atkin–Morain order/curve-finding Algorithm 7.5.9. A quick perusal will show the great similarity of Algorithm 7.6.3 below and Algorithm 7.6.2. The di erence is that here one searches for appropriate curve orders first, and only then constructs the corresponding elliptic curve, both using Algorithm 7.5.9, while the Schoof algorithm 7.5.6 is dispensed with.
Algorithm 7.6.3 (Atkin–Morain primality test). Given a nonsquare integer n > 232 strongly suspected of being prime (in particular gcd(n, 6) = 1 and presumably n has already passed a probable prime test), this algorithm attempts to reduce the issue of primality of n to that of a smaller number q. The algorithm returns either the assertion “n is composite” or the assertion “If q is prime, then n is prime,” where q is an integer smaller than n. (Note similar structure of Algorithm 7.6.2.)
1. [Choose discriminant]
Select a fundamental discriminant D by increasing value of h(D) for
which D = 1 and for which we are successful in finding a solution
n
u2 + |D|v2 = 4n via Algorithm 2.3.13, yielding possible curve orders m: m {n + 1 ± u, n + 1 ± 2v}, for D = −4,
m {n + 1 ± u, n + 1 ± (u ± 3v)/2}, for D = −3, m {n + 1 ± u}, for D < −4;
2. [Factor orders]
Find a possible order m that factors as m = kq, where k > 1 and q is a probable prime > (n1/4 + 1)2 (however if this cannot be done according to some time-limit criterion, goto [Choose discriminant]);
3. [Obtain curve parameters]
Using the parameter-generating option of Algorithm 7.5.9, establish the parameters a, b for an elliptic curve that would have order m if n is indeed prime;
4. [Choose point on Ea,b(Zn)]
Choose random x [0, n − 1] such that Q = (x3 + ax + b) mod n has
Q =−1;
n
Apply Algorithm 2.3.8 or 2.3.9 (with a = Q and p = n) to find an integer y that would satisfy y2 ≡ Q (mod n) if n were prime;
if(y2 mod n =Q) return “n is composite”;
P = (x, y);
374 |
Chapter 7 ELLIPTIC CURVE ARITHMETIC |
Leyland number (with general form xy + yx)
N = 44052638 + 26384405
was established, a number of 15071 decimal digits. This “fastECPP” method is based on an asymptotic improvement, due to J. Shallit, that yields a bitcomplexity heuristic of O(ln4+ N ) to prove N prime.
The basic idea is to build a base of small squareroots, and build discriminants from this basis. Let L = ln N where N is the possible prime under scrutiny. Now Algorithm 7.6.3 requires, we expect, O(L2) discriminants D tried before finding a good D. Instead, one may build discriminants of the form −D = (−p)(q), where p, q are primes each taken from a pool of size only O(L). In this way, Step [Choose discriminant] can be enhanced, and the overall operation complexity of Algorithm 7.6.3—which complexity started out as O(ln5+ N ) thus has the 5 turning into a 4.
The details and various primality-proof records are found in [Franke et al. 2004] and (especially for the fastECPP theory) [Morain 2004].
7.7Exercises
7.1.Find a bilinear transformation of the form
(x, y) →(αx + βy, γx + δy)
that renders the curve
y2 + axy + by = x3 + cx2 + dx + e |
(7.11) |
into Weierstrass form (7.4). Indicate, then, where the fact of field characteristic not equal to 2 or 3 is required for the transformation to be legal.
7.2.Show that curve with governing cubic
Y 2 = X3 + CX2 + AX + B
has a ne representation
y2 = x3 + (A − C2/3)x + (B − AC/3 + 2C3/27).
This shows that a Montgomery curve (B = 0) always has an a ne equivalent. But the converse is false. Describe exactly under what conditions
on parameters a, b in
y2 = x3 + ax + b
such an a ne curve does possess a Montgomery equivalent with B = 0. Describe applications of this result, for example in cryptography or pointcounting.
7.3. Show that the curve given by relation (7.4) is nonsingular over a field F with characteristic = 2, 3 if and only if 4a3 + 27b2 = 0.
7.7 Exercises |
375 |
7.4. As in Exercise 7.3 the nonsingularity condition for a ne curves is that the discriminant 4a3 + 27b2 be nonzero in the field Fp. Show that for the
parameterization
Y 2 = X3 + CX2 + AX + B
and characteristic p > 3 the nonsingularity condition is di erent on a discriminant ∆, namely
∆ = 4(A − C2/3)3 + 27(B − AC/3 + 2C3/27)2 = 0.
Then show that in the computationally useful Montgomery parameterization
Y 2 = X3 + CX2 + X
is nonsingular if and only if C2 = 4.
7.5.For an elliptic curve over Fp, p > 3, with cubic
Y 2 = X3 + CX2 + AX + B
we define the j-invariant of E as
j(E) = 4096 (C2 − 3A)3 ,
∆
where the discriminant ∆ is given in Exercise 7.4. Carry out the following computational exercise. By choosing a conveniently small prime that allows hand computation or easy machine work (you might assess curve orders via the direct formula (7.8)), create a table of curve orders vs. j-invariants. Based on such empirical evidence, state an apparent connection between curve orders and j-invariant values. For an excellent overview of the beautiful theory of j-invariants and curve isomorphisms see [Seroussi et al. 1999] and numerous references therein, especially [Silverman 1986].
7.6.Here we investigate just a little of the beautiful classical theory of
elliptic integrals and functions, with a view to the connections of same to the modern theory of elliptic curves. Good introductory references are [Namba 1984], [Silverman 1986], [Kaliski 1988]. One essential connection is the observation of Weierstrass that the elliptic integral
Z(x) = ∞ |
|
ds |
|
|
|
x |
|
4s3 − g2s − g3 |
can be considered as a solution to an implicit relation
g2,g3 (Z) = x,
where is the Weierstrass function. Derive, then, the di erential equations
(z1 + z2) = 1 (z1) − (z2) 2 − (z1) − (z2) 4 (z1) − (z2)
376 |
Chapter 7 ELLIPTIC CURVE ARITHMETIC |
and that
(z)2 = 3(z) − g2 (z) − g3,
and indicate how the parameters g2, g3 need be related to the a ne a, b curve parameters, to render the di erential scheme equivalent to the a ne scheme.
7.7.Prove the first statement of Theorem 7.1.3, that Ea,b(F ) together with the defined operations is an abelian group. A good symbolic processor for abstract algebra might come in handy, especially for the hardest part, which is proving associativity (P1 + P2) + P3 = P1 + (P2 + P3).
7.8.Show that an abelian group of squarefree order is cyclic. Deduce that if a curve order #E is squarefree, then the elliptic-curve group is cyclic. This is an important issue for cryptographic applications [Kaliski 1991], [Morain 1992].
7.9.Compare the operation (multiplies only) counts in Algorithms 7.2.2, 7.2.3, with a view to the di erent e ciencies of doubling and (unequal point) addition. In this way, determine the threshold k at which an inverse must be faster than k multiplies for the first algorithm to be superior. In this connection see Exercise 7.25.
7.10.Show that if we conspire to have parameter a = −3 in the field, the operation count of the doubling operation of Algorithm 7.2.3 can be reduced yet further. Investigate the claim in [Solinas 1998] that “the proportion of
elliptic curves modulo p that can be rescaled so that a = p − 3 is about 1/4 if p ≡ 1 (mod 4) and about 1/2 if p ≡ 3 (mod 4).” Incidentally, the slight speedup for doubling may seem trivial but in practice will always be noticed, because doubling operations constitute a significant portion of a typical pointmultiplying ladder.
7.11.Prove that the elliptic addition test, Algorithm 7.2.8, works. Establish first, for the coordinates x± of P1 ± P2, respectively, algebraic relations for the sum and product x+ + x− and x+x−, using Definition 7.1.2 and Theorem
7.2.6.The resulting relations should be entirely devoid of y dependence. Now from these sum and product relations, infer the quadratic relation.
7.12.Work out the heuristic expected complexity bound for ECM as discussed following Algorithm 7.4.2.
7.13.Recall the method, relevant to the second stage of ECM, and touched upon in the text, for finding a match between two lists but without using Algorithm 7.5.1. The idea is first to form a polynomial
m−1 |
|
i |
(x − Ai), |
f (x) = |
|
=0 |
|
then evaluate this at the n values in |
B; i.e., evaluate for x = Bj , j = |
0, . . . , n − 1. The point is, if a zero of f is found in this way, we have a match
7.7 Exercises |
377 |
(some Bj equals Ai). Give the computational complexity of this polynomial method for finding A ∩ B. How does one handle duplicate matches in this polynomial setting? Note the related material in Sections 5.5, 9.6.3.
7.14.By analyzing the trend of “record” ECM factorizations, estimate in what calendar year we shall be able to discover 70-digit factors via ECM. ([Zimmermann 2000] has projected the year 2010, for example.)
7.15.Verify claims made in reference to Algorithm 7.5.10, as follows. First, show how the tabulated parameters r, s were obtained. For this, one uses the fact of the class polynomial being at most quadratic, and notes also that a defining cubic y2 = x3 + Rx/S + T /S can be cleared of denominator S by multiplying through by S6. Second, use quadratic reciprocity to prove that every explicit square root in the tabulated parameters does, in fact, exist. For this, one presumes that a representation 4p = u2 +|D|v2 has been found for p. Third, show that 4a3 + 27b2 cannot vanish (mod p). This could be done case by case, but it is easier to go back to Algorithm 7.5.9 and see how the final a, b parameters actually arise. Finally, factor the s values of the tabulated data to verify that they tend to be highly smooth. How can this smoothness be explained?
7.16.Recall that for elliptic curve Ea,b(Fp) a twist curve E of E is governed
by a cubic
y2 = x3 + g2ax + g3b,
where gp = −1. Show that the curve orders are related thus:
#E + #E = 2p + 2.
7.17. Suppose the largest order of an element in a finite abelian group G is m. Show there is an absolute constant c > 0 (that is, c does not depend on m or G) such that the proportion of elements of G with order m is at least c/ ln ln(3m). (The presence of the factor 3 is only to ensure that the double log is positive.) This result is relevant to the comments following Theorem 7.5.2 and also to some results in Chapter 3.
7.18.Consider, for p = 229, the curves E, E over Fp governed respectively
by
y2 = x3 − 1,
y2 = x3 − 8,
the latter being a twist curve of the former. Show that #E = 252, #E = 208 with respective group structures
E Z42 × Z6,
=
E Z52 × Z4.
=
Argue thus that every point P E has [252]P = [210]P = O, and similarly every point P E has [208]P = [260]P = O, and therefore that for any point
378 |
Chapter 7 ELLIPTIC CURVE ARITHMETIC |
on either curve there is no unique m in the Hasse interval with [m]P = O. See [Schoof 1995] for this and other special cases pertaining to the Mestre theorems.
7.19.Here we investigate the operation complexity of the Schoof Algorithm
7.5.6.Derive the bound O ln8 p on operation complexity for Schoof’s original method, assuming grammar-school polynomial multiplication (which in turn has complexity O(de) field operations for degrees d, e of operands). Explain
why the Schoof–Elkies–Atkin (SEA) method continuation reduces this to O ln6 p . (To deduce such reduction, one need only know the degree of an SEA polynomial, which is O(l) rather than O(l2) for the prime l.) Describe what then happens to the complexity bound if one also invokes a fast multiplication method not only for integers but also for polynomial multiplication (see text following Algorithm 7.5.6), and perhaps also a Shanks–Mestre boost. Finally, what can be said about bit complexity to resolve curve order for a prime p having n bits?
7.20.Elliptic curve theory can be used to establish certain results on sums of cubes in rings. By way of the Hasse Theorem 7.3.1, prove that if p > 7 is prime, then every element of Fp is a sum of two cubes. By analyzing, then, prime powers, prove the following conjecture (which was motivated numerically and communicated by D. Copeland): Let dN be the density of representables (as (cube+cube)) in the ring ZN . Then
if 63|N then dN = 25/63, otherwise if 7|N then dN = 5/7, or
if 9|N then dN = 5/9,
and in all other cases dN = 1.
An extension is: Study sums of higher powers (see Exercise 9.80).
7.21. Here is an example of how symbolic exercise can tune one’s understanding of the workings a specific, tough algorithm. It is sometimes possible actually to carry out what we might call a “symbolic Schoof algorithm,” to obtain exact results on curve orders, in the following fashion. Consider an elliptic curve E0,b(Fp) for p > 3, and so governed by the cubic
y2 = x3 + b.
We shall determine the order (mod 3) of any such curve, yet do this via symbolic manipulations alone; i.e., without the usual numerical calculations associated with Schoof implementations. Perform the following proofs, without the assistance of computing machinery (although a symbolic machine may be valuable in checking one’s algebra):
(1) Argue that with respect to the division polynomial Ψ3, we have x4 ≡ −4bx (mod Ψ3).
(2) Prove that for k > 0,
x3k ≡ (−4b)k−1x3 (mod Ψ3).
7.7 Exercises |
379 |
This reduction ignites a chain of exact results for the Frobenius relation, as we shall see.
(3) Show that xp can now be given the closed form
xp ≡ (−4b) p/3 xp mod 3 (mod Ψ3),
where our usual mod notation is in force, so p mod 3 = 1 or 2.
(4) Show that xp2 can also be written down exactly as
xp2 ≡ (−4b)(p2−1)/3x (mod Ψ3),
2 |
≡ |
2 (mod 3) the congruence here boils down to |
and argue that for p |
|
xp ≡ x, independent of b.
(5)By way of binomial series and the reduction relation from (2) above, establish the following general identity for positive integer d and γ ≡0 (mod p):
(x3 + γ)d ≡ γd 1 − |
x3 |
4b (1 − 4b/γ)d − 1 (mod Ψ3). |
(6)Starting with the notion that yp ≡ y(x3 + b)(p−1)/2, resolve the power yp as
yp ≡ yb(p−1)/2q(x) (mod Ψ3),
where q(x) = 1 or (1 + x3/(2b)) as p ≡ 1, 2 (mod 3), respectively.
(7) Show that we always have, then,
yp2 ≡ y (mod Ψ3).
Now, given the above preparation, argue from Theorem 7.5.5 that for p ≡ 2 (mod 3) we have, independent of b,
#E ≡ p + 1 ≡ 0 (mod 3).
Finally, for p ≡ 1 (mod 3) argue, on the basis of the remaining possibilities for the Frobenius
(c1x, y) + [1](x, y) = t(c2x, yc3)
for b-dependent parameters ci, that the curve order (mod 3) depends on the quadratic character of b (mod p) in the following way:
#E ≡ p + 1 + |
p |
≡ 2 + |
p |
(mod 3). |
||
|
|
b |
|
|
b |
|
An interesting research question is: How far can this “symbolic Schoof” algorithm be pushed (see Exercise 7.30)?
380 |
Chapter 7 ELLIPTIC CURVE ARITHMETIC |
7.22.For the example prime p = 231 + 1 /3 and its curve orders displayed after Algorithm 7.5.10, which is the best order to use to e ect an ECPP proof that p is prime?
7.23.Use some variant of ECPP to prove primality of every one of the ten consecutive primes claimed in Exercise 1.87.
7.24.Here we apply ECPP ideas to primality testing of Fermat numbers Fm = 22m + 1. By considering representations
4Fm = u2 + 4v2,
prove that if Fm is prime, then there are four curves (mod Fm)
y2 = x3 − 3kx; k = 0, 1, 2, 3,
having, in some ordering, the curve orders
22m + 2m/2+1 + 1,
22m − 2m/2+1 + 1,
22m − 1,
22m + 3.
Prove by computer that F7 (or some even larger Fermat number) is composite, by exhibiting on one of the four curves a point P that is not annihilated by any of the four orders. One should perhaps use the Montgomery representation in Algorithm 7.2.7, so that initial points need have only their x-coordinates checked for validity (see explanation following Algorithm 7.2.1). Otherwise, the whole exercise is doomed because one usually cannot even perform squarerooting for composite Fm, to obtain y coordinates.
Of course, the celebrated Pepin primality test (Theorem 4.1.2) is much more e cient in the matter of weeding out composites, but the notion of CM curves is instructive here. In fact, when the above procedure is invoked for F4 = 65537, one finds that indeed, every one of the four curves has an initial point that is annihilated by one of the four orders. Thus we might regard 65537 as a “probable” prime in the present sense. Just a little more work, along the lines of the ECPP Algorithm 7.5.9, will complete a primality proof for this largest known Fermat prime.
7.8Research problems
7.25. With a view to the complexity tradeo s between Algorithms 7.2.2, 7.2.3, 7.2.7, analyze the complexity of field inversion. One looks longingly at expressions x3 = m2 − x1 − x2, y3 = m(x1 − x3) − y1, in the realization that if only inversion were “free,” the a ne approach would surely be superior. However, known inversion methods are quite expensive. One finds in practice that inversion times tend to be one or two orders of magnitude greater than
7.8 Research problems |
381 |
multiply-mod times. [De Win et al. 1998] explain that it is very hard even to bring down the cost of inversion (modulo a typical cryptographic prime p ≈ 2200) to 20 multiplies. But there are open questions. What about primes of special form, or lookup tables? The lookup notion stems from the simple fact that if y can be found such that xy ≡ z (mod p) for some z whose inverse is already known, then x−1 mod p = yz−1 mod p. In connection with the complexity issue see Algorithm 9.4.5 and Exercise 2.11.
Another research direction is to attempt implementation of the interesting Sorenson-class methods for k-ary (as opposed to binary) gcd’s [Sorenson 1994], which methods admit of an extended form for modular inversion.
7.26.For an elliptic curve E(Fp), prime p with governing cubic
y2 = x(x + 1)(x + c)
(and c ≡0, 1 (mod p)), show by direct appeal to the order relation (7.8) that
#E = p + 1 − T , where
Q |
n |
|
2 |
T = n=0 cn |
, |
||
|
Q |
|
|
|
|
|
with Q = (p − 1)/2 and we interpret the sum to lie modulo p in (−2√p, 2√p). (One way to proceed is to write the Legendre symbol in relation (7.8) as a (p − 1)/2-th power, then formally sum over x.) Then argue that
T ≡ F (1/2, 1/2, 1; c)|Q (mod p),
where F is the standard Gauss hypergeometric function and the notation signifies that we are to take the hypergeometric series F (A, B, C; z) only through the zQ term inclusive. Also derive the formal relation
|
− |
|
Q |
√1 − c |
|
|
T = (1 |
|
c)Q/2P |
|
|
1 − c/2 |
, |
|
|
|
|
|||
where PQ is the classical Legendre polynomial of order Q. Using known transformation properties of such special series, find some closed-form curve orders. For example, taking p ≡ 1 (mod 4) and the known evaluation
|
|
|
|
PQ(0) = Q/2 |
|
|
|
|
|
|
|
|
|
Q |
|
|
|
one can derive that |
curve order is #E = p + 1 |
± |
2a, where the prime p |
|||||
|
a |
2 |
2 |
|
|
|
||
is represented as p = |
|
+ b |
. Actually, this kind of study connects with |
|||||
algebraic number theory; for example, the study of binomial coe cients (mod p) [Crandall et al. 1997] is useful in the present context.
Observe that the hypergeometric series can be evaluated in O √p ln2 p field operations, by appeal to fast series evaluation methods [Borwein and Borwein 1987] (and see Algorithm 9.6.7). This means that, at least for elliptic curves of the type specified, we have yet another point-counting