3.1 Finite Fields, Elliptic Curves and Tate Pairing
3.1.3 Elliptic Curves
The theory of elliptic curves is quite old. Their application to cryptography was independently proposed by Koblitz [122] and Miller [134]. Since then a lot of work has been done on this topic. Below we provide a brief background on elliptic curves.
See [163] for a standard introduction to the theory of elliptic curves.
Let $K$ be a field. An elliptic curve in Weierstraß form over $K$ is given by the following equation:
$$E/K:\; y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \qquad (3.1.1)$$
where $a_i \in K$, there are no "singular points", and there is one rational point $O$ called the point at infinity. Suppose $L$ is an extension field of $K$. Then the set of $L$-rational points on $E$ is defined to be the set
$$E(L) = \{(x, y) \in L \times L : y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\} \cup \{O\}.$$
If $L \supseteq K$, then $E(L) \supseteq E(K)$. The algebraic closure of $K$ is denoted by $\bar{K}$ and $E$ denotes the set $E(\bar{K})$.
If the characteristic of $K$ is not equal to 2 or 3, then the above form can be simplified as follows. Replacing $y$ by $\tfrac{1}{2}(y - a_1 x - a_3)$ gives
$$y^2 = 4x^3 + b_2 x^2 + 2b_4 x + b_6,$$
where $b_2 = a_1^2 + 4a_2$, $b_4 = 2a_4 + a_1 a_3$, $b_6 = a_3^2 + 4a_6$. Replacing $(x, y)$ by $((x - 3b_2)/36,\; y/108)$ gives
$$y^2 = x^3 - 27c_4 x - 54c_6.$$
Define
$$b_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
$$c_4 = b_2^2 - 24b_4,$$
$$c_6 = -b_2^3 + 36 b_2 b_4 - 216 b_6,$$
$$\Delta = -b_2^2 b_8 - 8b_4^3 - 27b_6^2 + 9 b_2 b_4 b_6,$$
$$j = c_4^3 / \Delta,$$
$$\omega = \frac{dx}{2y + a_1 x + a_3} = \frac{dy}{3x^2 + 2a_2 x + a_4 - a_1 y}.$$
$\Delta$ is called the discriminant, $j$ is called the $j$-invariant and $\omega$ is called the invariant differential. The following relations hold: $4b_8 = b_2 b_6 - b_4^2$ and $1728\Delta = c_4^3 - c_6^2$.
So, if the characteristic of $K$ is not equal to 2 or 3, then Equation (3.1.1) simplifies to the form
$$y^2 = x^3 + ax + b, \qquad (3.1.2)$$
where $a, b \in K$ and $4a^3 + 27b^2 \neq 0$. The last condition ensures that $x^3 + ax + b$ does not have repeated roots. ($x^3 + ax + b$ has repeated roots if and only if $x^3 + ax + b$ and $\frac{d}{dx}(x^3 + ax + b) = 3x^2 + a$ have a common root; eliminating $x$ from these two relations gives the condition $4a^3 + 27b^2 = 0$, and this corresponds to $\Delta = 0$.)
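As an added check that is not part of the text, the following Python evaluates the invariants defined above and confirms, with exact rational arithmetic at random points, that the two substitutions really carry Equation (3.1.1) first to $y^2 = 4x^3 + b_2 x^2 + 2b_4 x + b_6$ and then to $y^2 = x^3 - 27c_4 x - 54c_6$, and that the relations $4b_8 = b_2 b_6 - b_4^2$ and $1728\Delta = c_4^3 - c_6^2$ hold. The coefficients $a_1, a_2, a_3, a_4, a_6$ used in the checks are constructed sample values.

```python
# Added example (not from the text): verify the Weierstrass simplification and the
# invariant identities with exact rational arithmetic. Coefficients are sample values.
from fractions import Fraction as Fr
import random

def invariants(a1, a2, a3, a4, a6):
    """Return b2, b4, b6, b8, c4, c6, Delta, j as defined in the text."""
    b2 = a1**2 + 4*a2
    b4 = 2*a4 + a1*a3
    b6 = a3**2 + 4*a6
    b8 = a1**2*a6 + 4*a2*a6 - a1*a3*a4 + a2*a3**2 - a4**2
    c4 = b2**2 - 24*b4
    c6 = -b2**3 + 36*b2*b4 - 216*b6
    delta = -b2**2*b8 - 8*b4**3 - 27*b6**2 + 9*b2*b4*b6
    j = Fr(c4**3, delta) if delta != 0 else None   # j is undefined when the curve is singular
    return b2, b4, b6, b8, c4, c6, delta, j

def identities_hold(a1, a2, a3, a4, a6):
    """Check 4*b8 = b2*b6 - b4^2 and 1728*Delta = c4^3 - c6^2."""
    b2, b4, b6, b8, c4, c6, delta, _ = invariants(a1, a2, a3, a4, a6)
    return 4*b8 == b2*b6 - b4**2 and 1728*delta == c4**3 - c6**2

def substitutions_hold(a1, a2, a3, a4, a6, trials=20):
    """The two coordinate changes are polynomial identities, so they must hold at every
    rational (x, y), not only on the curve: evaluate both sides at random points."""
    b2, b4, b6, _, c4, c6, _, _ = invariants(a1, a2, a3, a4, a6)
    F = lambda x, y: y*y + a1*x*y + a3*y - x**3 - a2*x*x - a4*x - a6   # general form (3.1.1)
    G = lambda x, y: y*y - 4*x**3 - b2*x*x - 2*b4*x - b6                 # after y -> (y - a1 x - a3)/2
    H = lambda x, y: y*y - x**3 + 27*c4*x + 54*c6                        # after (x, y) -> ((x - 3b2)/36, y/108)
    rng = random.Random(1)
    for _ in range(trials):
        x = Fr(rng.randint(-50, 50), rng.randint(1, 9))
        y = Fr(rng.randint(-50, 50), rng.randint(1, 9))
        # the first substitution scales the equation by 1/4
        if 4*F(x, (y - a1*x - a3)/2) != G(x, y):
            return False
        # the second substitution scales the equation by 1/108^2
        if 108**2 * G((x - 3*b2)/36, y/108) != H(x, y):
            return False
    return True
```

For the short form $y^2 = x^3 + ax + b$ (all $a_i$ zero except $a_4 = a$, $a_6 = b$) the same routine gives $\Delta = -16(4a^3 + 27b^2)$, which is the non-singularity condition of Equation (3.1.2).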
If the characteristic of $K$ is equal to 2, then Equation (3.1.1) can be simplified to [123]
• $y^2 + xy = x^3 + ax^2 + b$, $a, b \in K$, $b \neq 0$ (non-supersingular), or
• $y^2 + cy = x^3 + ax + b$, $a, b, c \in K$, $c \neq 0$ (supersingular).
Later, we explain what is meant by a supersingular elliptic curve.
Group law. The set of points $E$ together with a special point at infinity (denoted by $O$) can be made into a group using a suitably defined group law. The group law is written additively and is geometrically defined using the so-called chord-and-tangent rule. Suppose $P$ and $Q$ are any two points on $E$ given by (3.1.2). The basic rules are as follows.
• $P + O = O + P = P$.
• $-O = O$.
• If $P = (x, y)$, then $-P = (x, -y)$.
• If $Q = -P$, then $P + Q = O$.
Suppose now that $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and $P \neq -Q$. If $P \neq Q$, then the line $\ell(x, y): y = \lambda x + \nu$ through $P$ and $Q$ intersects the curve $E$ at a third point $R$; the reflection of $R$ in the $x$-axis is defined to be the point $P + Q$, given by $(x_3, y_3)$. If $P = Q$, then the tangent $\ell(x, y): y = \lambda x + \nu$ intersects the curve at a point $R$; the reflection of $R$ in the $x$-axis is defined to be the point $2P$, given by $(x_3, y_3)$.
If $P \neq Q, -Q$, then $\lambda = (y_2 - y_1)/(x_2 - x_1)$ and $\nu = y_1 - \lambda x_1 = y_2 - \lambda x_2$. Substituting $\ell(x, y)$ into the equation of the curve we get $(\lambda x + \nu)^2 = x^3 + ax + b$, which is the same as
$$x^3 - \lambda^2 x^2 + (a - 2\nu\lambda)x + b - \nu^2 = 0.$$
This equation has three roots, and $x_1, x_2$ are two of them. So the third root is $x_3 = \lambda^2 - x_1 - x_2$. Also, $-y_3 = \lambda x_3 + \nu$ and $y_1 = \lambda x_1 + \nu$ give $y_3 = \lambda(x_1 - x_3) - y_1$. (Note that the line through $(x_1, y_1)$ and $(x_2, y_2)$ passes through $(x_3, -y_3)$.) Now suppose that $P = Q$. Differentiating the equation of the curve $y^2 = x^3 + ax + b$ gives $2y\,\frac{dy}{dx} = 3x^2 + a$, and so the slope $\lambda$ at $(x_1, y_1)$ is $(3x_1^2 + a)/(2y_1)$. The rest of the analysis is the same as in the previous case. The formula obtained for $(x_3, y_3)$ is the same except for the changed value of $\lambda$. Algebraically, the two cases are computed as follows.
If $P = (x_1, y_1)$, $Q = (x_2, y_2)$, with $P \neq -Q$, then $P + Q = (x_3, y_3)$, where $x_3 = \lambda^2 - x_1 - x_2$ and $y_3 = \lambda(x_1 - x_3) - y_1$, with
$$\lambda = \begin{cases} \dfrac{y_2 - y_1}{x_2 - x_1} & \text{if } P \neq Q; \\[2ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q. \end{cases}$$
The group axioms can be directly verified using the above addition law, the only difficult case being the associative law. The associative law is better seen from a more sophisticated algebraic approach using the notion of divisors. Later we will briefly mention divisors.
If $K$ is a finite field and $L$ is a finite extension of $K$, then the set $E(L)$ of the $L$-rational points of $E$ forms a finite subgroup of the group $E$. Cryptography is done over a suitable prime-order subgroup of $E(L)$.
Some properties of elliptic curves. An important map in the context of an elliptic curve defined over a finite field is the Frobenius map
$$\tau_p : E(\bar{\mathbb{F}}_p) \to E(\bar{\mathbb{F}}_p), \qquad \tau_p : (x, y) \mapsto (x^p, y^p).$$
The map $\tau_p$ is a group homomorphism, and the trace of Frobenius is defined to be $t_p = p + 1 - \#E(\mathbb{F}_p)$.
If $L$ is a finite extension of a finite field $K$, then the number of points in $E(L)$ is given by Hasse's theorem to be $\#E(L) = \#L + 1 - t$, where $|t| \le 2\sqrt{\#L}$. Consequently, $\#E(L) \approx \#L$. Weil's theorem relates the number of points in $E(K)$ to the number of points in $E(L)$, where $L$ is a degree $k$ extension of $K$ with $\#K = q$. Let $t = q + 1 - \#E(K)$ and let $\alpha, \beta$ be the complex roots of $T^2 - tT + q$. Then
$$\#E(L) = q^k + 1 - \alpha^k - \beta^k \quad \text{for all } k \ge 1.$$
A polynomial time algorithm for counting the number of points in $E(L)$ was given by Schoof. The idea is to compute $t$ modulo small primes and then use the Chinese Remainder Theorem. Schoof's algorithm was improved by Elkies and Atkin, and the resulting algorithm is referred to in the literature as the SEA algorithm; with it, $\#E(\mathbb{F}_p)$ can be computed in time $O((\log p)^6)$. Subsequently, work has been done on counting points on elliptic curves over other fields.
In the case of characteristic two curves, $K = \mathbb{F}_2$ and $L$ is a degree $k$ extension of $K$, so that $\#L = 2^k$. The so-called Koblitz curves are given by the equation
$$E: y^2 + xy = x^3 + ax^2 + 1, \qquad a \in \{0, 1\}.$$
These curves were proposed by Koblitz for reasons of efficiency, and for security reasons $k$ is taken to be a prime. The following result gives the number of points in $E(L)$:
$$\#E(L) = 2^k - \left(\frac{-1 + \sqrt{-7}}{2}\right)^k - \left(\frac{-1 - \sqrt{-7}}{2}\right)^k + 1.$$
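To make Hasse's bound and Weil's theorem concrete, here is an added Python example, not taken from the text, that counts $E(\mathbb{F}_p)$ exhaustively for a constructed sample curve, predicts $\#E(\mathbb{F}_{p^2})$ from that count using the recurrence $s_k = t\,s_{k-1} - q\,s_{k-2}$ for $s_k = \alpha^k + \beta^k$ (which follows from $\alpha, \beta$ being the roots of $T^2 - tT + q$), and confirms the prediction by a second exhaustive count over $\mathbb{F}_{p^2}$, built as $\mathbb{F}_p(\sqrt{n})$ for a quadratic non-residue $n$. The same recurrence, started from $\#E(\mathbb{F}_2)$, reproduces the Koblitz-curve count quoted above; the curve $y^2 = x^3 + 3x + 7$ over $\mathbb{F}_{13}$ is a constructed sample.

```python
# Added example (not from the text): exhaustive point counting, Hasse's bound, and
# Weil's theorem used to predict and then verify #E(F_{p^2}).  Sample curve over F_13.

p, a, b = 13, 3, 7          # constructed sample curve y^2 = x^3 + 3x + 7 over F_13

def count_points_fp(p, a, b):
    """#E(F_p) including the point at infinity, by trying every (x, y)."""
    return 1 + sum(1 for x in range(p) for y in range(p)
                   if (y*y - x**3 - a*x - b) % p == 0)

def hasse_ok(p, n):
    """Hasse: |t| <= 2*sqrt(p) with t = p + 1 - n, checked without floating point."""
    return (p + 1 - n)**2 <= 4*p

def power_sums(t, q, k):
    """s_k = alpha^k + beta^k for the roots of T^2 - tT + q, via s_0 = 2, s_1 = t and
    s_k = t*s_{k-1} - q*s_{k-2} (alpha and beta both satisfy T^2 = tT - q)."""
    s_prev, s = 2, t
    for _ in range(k - 1):
        s_prev, s = s, t*s - q*s_prev
    return s if k >= 1 else 2

def weil_count(q, n_q, k):
    """#E(F_{q^k}) from #E(F_q) = n_q: q^k + 1 - (alpha^k + beta^k)."""
    t = q + 1 - n_q
    return q**k + 1 - power_sums(t, q, k)

# F_{p^2} = F_p[i]/(i^2 - nr) with nr a quadratic non-residue; elements are pairs u + v*i
def nonresidue(p):
    return next(z for z in range(2, p) if pow(z, (p - 1)//2, p) == p - 1)

def fp2_mul(x, y, p, nr):
    return ((x[0]*y[0] + nr*x[1]*y[1]) % p, (x[0]*y[1] + x[1]*y[0]) % p)

def count_points_fp2(p, a, b):
    """#E(F_{p^2}) by exhaustive search over all p^2 * p^2 pairs (x, y)."""
    nr = nonresidue(p)
    elems = [(u, v) for u in range(p) for v in range(p)]
    n = 1                                     # the point at infinity
    for x in elems:
        x3 = fp2_mul(fp2_mul(x, x, p, nr), x, p, nr)
        rhs = ((x3[0] + a*x[0] + b) % p, (x3[1] + a*x[1]) % p)
        n += sum(1 for y in elems if fp2_mul(y, y, p, nr) == rhs)
    return n

def koblitz_order(k, a=0):
    """#E(F_{2^k}) for y^2 + xy = x^3 + a x^2 + 1: E(F_2) has 4 points for a = 0 and
    2 for a = 1, and Weil's theorem extends the count to F_{2^k}.  For a = 0 the roots
    are (-1 +/- sqrt(-7))/2, i.e. the closed form quoted in the text."""
    return weil_count(2, 4 if a == 0 else 2, k)
```

For the sample curve the exhaustive count is 13, so $t = 1$; Weil's theorem then gives $\#E(\mathbb{F}_{169}) = 169 + 1 - (1^2 - 2 \cdot 13) = 195$, which the $\mathbb{F}_{p^2}$ search confirms.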
The structure of the group of points on an elliptic curve is well known. Let $E$ be an elliptic curve defined over $K$. Then
$$E(K) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2},$$
where $n_2 \mid n_1$ and $n_2 \mid (\#K - 1)$. As a consequence, $E(K)$ is cyclic if and only if $n_2 = 1$.
A point $P \in E$ is an $n$-torsion point if $nP = O$, and $E[n]$ is the set of all $n$-torsion points. It is known that if $\gcd(n, q) = 1$, then $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$.
An elliptic curve $E/K$ is supersingular if $p \mid t$, where $t = \#K + 1 - \#E(K)$ and $p$ is the characteristic of $K$. A result due to Waterhouse states that $E/K$ is supersingular if and only if $t^2 = 0, \#K, 2\#K, 3\#K$ or $4\#K$.
Inversion-free arithmetic. An important issue regarding the efficient implementation of elliptic curve arithmetic is the inversion operation over the underlying finite field. According to the addition and doubling formulae described above, an inversion over the underlying field is required. As discussed earlier, an inversion can be significantly slower than a field multiplication. The inversion operation can be avoided by using a different coordinate system which provides a more redundant representation of a point.
The representation of $P$ as a pair of finite field elements is said to be in affine coordinates. There are several alternatives, including the so-called projective and Jacobian coordinates. In the projective coordinate system, a point is given by a triplet $(X, Y, Z)$ which represents the affine point $(X/Z, Y/Z)$. In the Jacobian coordinate system, the triplet $(X, Y, Z)$ represents the affine point $(X/Z^2, Y/Z^3)$. Group operations in both the projective and the Jacobian coordinate systems avoid inversions, and the operations in the Jacobian system are faster. Below we provide the details of the group operations in the Jacobian system.
Let the curve equation be $y^2 = x^3 + ax + b$ and suppose $(X_1, Y_1, Z_1)$ is doubled to obtain $(X_3, Y_3, Z_3)$. Then
$$x_3 = \frac{(3X_1^2 + aZ_1^4)^2 - 8X_1 Y_1^2}{4Y_1^2 Z_1^2},$$
$$y_3 = \frac{3X_1^2 + aZ_1^4}{2Y_1 Z_1}\left(\frac{X_1}{Z_1^2} - x_3\right) - \frac{Y_1}{Z_1^3},$$
$$X_3 = (3X_1^2 + aZ_1^4)^2 - 8X_1 Y_1^2,$$
$$Y_3 = (3X_1^2 + aZ_1^4)(4X_1 Y_1^2 - X_3) - 8Y_1^4,$$
$$Z_3 = 2Y_1 Z_1.$$
For addition, suppose $(X_1, Y_1, Z_1)$ and $P = (X, Y, 1)$ are added to obtain $(X_3, Y_3, Z_3)$. This is called mixed addition, since the point $P$ is actually given in affine coordinates.
$$x_3 = \left(\frac{Y - \frac{Y_1}{Z_1^3}}{X - \frac{X_1}{Z_1^2}}\right)^2 - \frac{X_1}{Z_1^2} - X,$$
$$y_3 = \frac{YZ_1^3 - Y_1}{(XZ_1^2 - X_1)Z_1}\left(\frac{X_1}{Z_1^2} - x_3\right) - \frac{Y_1}{Z_1^3},$$
$$X_3 = x_3 Z_3^2 = (YZ_1^3 - Y_1)^2 - X_1(XZ_1^2 - X_1)^2 - X(XZ_1^2 - X_1)^2 Z_1^2 = (YZ_1^3 - Y_1)^2 - (XZ_1^2 - X_1)^2 (X_1 + XZ_1^2),$$
$$Y_3 = y_3 Z_3^3 = (YZ_1^3 - Y_1)\left((XZ_1^2 - X_1)^2 X_1 - X_3\right) - Y_1 (XZ_1^2 - X_1)^3,$$
$$Z_3 = (XZ_1^2 - X_1) Z_1.$$
Scalar multiplication. The basic operation is that of scalar multiplication. Given a point $P$ of order $r$ and an integer $a \in \mathbb{Z}_r$, the task is to compute the $a$-fold of $P$, which is written as $[a]P$ or more simply as $aP$. The basic left-to-right "double-and-add" algorithm is used. Recall that in the left-to-right method, addition is always by $P$, which is usually given in affine coordinates. This underlines the importance of mixed addition. There are many important issues regarding efficient and secure scalar multiplication. These are scattered throughout the literature, and we refer the reader to [103] for a good idea of some of these issues.
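As an added worked example that is not part of the text, the following Python implements the Jacobian doubling and mixed-addition formulas exactly as given above, handles the cases the formulas leave out ($O$ as an operand, $P = Q$ and $P = -Q$ in a mixed addition, $Y_1 = 0$ in a doubling), and uses them in the left-to-right double-and-add just described, with the accumulator kept in Jacobian coordinates and the fixed point $P$ in affine coordinates so that every addition is a mixed addition. The curve $y^2 = x^3 + 3x + 7$ over $\mathbb{F}_{13}$ and the point $(3, 2)$ are constructed samples; the results are checked by converting back to affine coordinates.

```python
# Added example (not from the text): Jacobian doubling, mixed addition and
# left-to-right double-and-add over a constructed sample curve.

p, a, b = 13, 3, 7                     # sample curve y^2 = x^3 + 3x + 7 over F_13
INF = None                             # the point at infinity O

def jac_double(P):
    """(X1, Y1, Z1) -> 2P by the doubling formulae; O and points with Y1 = 0 give O."""
    if P is INF:
        return INF
    X1, Y1, Z1 = P
    if Y1 == 0:                        # then P = -P, so 2P = O
        return INF
    M = (3*X1*X1 + a*Z1**4) % p        # 3 X1^2 + a Z1^4
    S = (4*X1*Y1*Y1) % p               # 4 X1 Y1^2
    X3 = (M*M - 2*S) % p               # (3 X1^2 + a Z1^4)^2 - 8 X1 Y1^2
    Y3 = (M*(S - X3) - 8*Y1**4) % p
    Z3 = (2*Y1*Z1) % p
    return (X3, Y3, Z3)

def jac_mixed_add(P, Q):
    """(X1, Y1, Z1) + (X, Y, 1) with Q affine; covers P = O, Q = O, P = Q and P = -Q."""
    if Q is INF:
        return P
    if P is INF:
        return (Q[0], Q[1], 1)
    X1, Y1, Z1 = P
    X, Y = Q
    U = (X*Z1*Z1) % p                  # X Z1^2
    S = (Y*Z1**3) % p                  # Y Z1^3
    if U == X1:                        # same x-coordinate: either P = Q or P = -Q
        return jac_double(P) if S == Y1 else INF
    H = (U - X1) % p                   # X Z1^2 - X1
    R = (S - Y1) % p                   # Y Z1^3 - Y1
    Z3 = (H*Z1) % p
    X3 = (R*R - H*H*(X1 + U)) % p
    Y3 = (R*(H*H*X1 - X3) - Y1*H**3) % p
    return (X3, Y3, Z3)

def to_affine(P):
    """(X, Y, Z) -> (X/Z^2, Y/Z^3); the single inversion happens here, once per scalar multiplication."""
    if P is INF:
        return INF
    X, Y, Z = P
    zi = pow(Z, -1, p)
    return ((X*zi*zi) % p, (Y*zi**3) % p)

def on_curve(A):
    return A is INF or (A[1]**2 - A[0]**3 - a*A[0] - b) % p == 0

def scalar_mult(n, Q):
    """Left-to-right double-and-add [n]Q: the accumulator stays Jacobian and every
    addition is a mixed addition of the fixed affine point Q."""
    acc = INF
    for bit in bin(n)[2:]:
        acc = jac_double(acc)
        if bit == '1':
            acc = jac_mixed_add(acc, Q)
    return to_affine(acc)

def count_points():
    return 1 + sum(1 for x in range(p) for y in range(p) if on_curve((x, y)))
```

The sample curve has 13 points, so every point other than $O$ has order 13 and $[13]Q = O$; the last step of that computation is the mixed addition of $[12]Q = -Q$ and $Q$, which is where the $P = -Q$ case matters. Doubling the two representatives $(3, 2, 1)$ and $(12, 3, 2)$ of the same point gives the same affine result, as it must.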
Other forms of elliptic curves. We have mentioned only the Weierstraß form of an elliptic curve. There are other curve forms. The Montgomery form is $ay^2 = x^3 + bx^2 + x$, $a \neq 0$, and this allows $x$-coordinate-only scalar multiplication. The (twisted) Edwards form is $ax^2 + y^2 = 1 + dx^2y^2$, $a, d \neq 0$, $a \neq d$, which allows complete (and hence unified) formulae for addition and doubling. Another important form is the Jacobi quartic.
Finding a random point of an elliptic curve. Before we can perform cryptographic operations, we need to be able to find at least one point in the required group. The basic idea for doing this is the following: choose a random $x$; compute $z = x^3 + ax + b$ and find a square root $y$ of $z$ (if one exists). This brings us to the problem of computing square roots modulo a prime $p$. Checking whether an element has a square root modulo $p$ can be done by computing the Legendre symbol $\left(\frac{z}{p}\right)$, which is $1$ if $z$ is a square mod $p$ and $-1$ otherwise. The Legendre symbol is computed using the law of quadratic reciprocity. For computing square roots modulo a prime power $p^e$, one first computes a square root modulo $p$ and then uses "Hensel lifting" to obtain a square root modulo $p^e$.
Finding square roots modulo a prime is an old problem. Deterministic algorithms are known in certain cases, whereas effective randomised algorithms are known for the other cases. The basic method is due to Lagrange and works if $p \equiv 3 \bmod 4$:
$$\left(\pm z^{(p+1)/4}\right)^2 = z^{(p+1)/2} = z \times z^{(p-1)/2} = z, \quad \text{since } z^{(p-1)/2} = \left(\frac{z}{p}\right) = 1.$$
If $p \equiv 5 \bmod 8$, then a modification of the above due to Legendre can be used. On the other hand, for $p \equiv 1 \bmod 8$ there are no known deterministic algorithms. If a quadratic nonresidue mod $p$ is known, then the methods due to Tonelli and to Cipolla can be used. There is no known deterministic method for finding quadratic nonresidues. But, since about half the numbers modulo $p$ are quadratic nonresidues, finding one can easily be done using a randomised method: choose a number $\alpha$ in $\mathbb{Z}_p^*$ and compute the Legendre symbol $\left(\frac{\alpha}{p}\right)$; if this is $-1$, then $\alpha$ is a quadratic nonresidue. In about two trials, we can expect to obtain such a number.
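The square-root methods above, as an added Python example that is not part of the text: the Legendre symbol computed by Euler's criterion $z^{(p-1)/2}$ rather than by quadratic reciprocity, Lagrange's method for $p \equiv 3 \bmod 4$, Tonelli's method (in the form due to Shanks) driven by a randomly found quadratic nonresidue for the remaining primes, and Hensel lifting of a root from $p$ to $p^e$. All primes and inputs in the checks are constructed sample values.

```python
# Added example (not from the text): Legendre symbol, Lagrange and Tonelli square
# roots with a randomised nonresidue search, and Hensel lifting to prime powers.
import random

def legendre(z, p):
    """(z/p) by Euler's criterion: z^((p-1)/2) is 1 for squares, -1 for nonsquares, 0 if p | z."""
    s = pow(z % p, (p - 1)//2, p)
    return -1 if s == p - 1 else s

def random_nonresidue(p):
    """About half of Z_p^* are nonresidues, so roughly two trials are expected."""
    while True:
        alpha = random.randrange(2, p)
        if legendre(alpha, p) == -1:
            return alpha

def sqrt_mod_p(z, p):
    """A square root of z modulo an odd prime p, or None if z is a quadratic nonresidue."""
    z %= p
    if z == 0:
        return 0
    if legendre(z, p) != 1:
        return None
    if p % 4 == 3:                                  # Lagrange: (z^((p+1)/4))^2 = z * z^((p-1)/2) = z
        return pow(z, (p + 1)//4, p)
    # Tonelli: write p - 1 = q * 2^s with q odd and use a nonresidue n
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    n = random_nonresidue(p)
    m, c, t, x = s, pow(n, q, p), pow(z, q, p), pow(z, (q + 1)//2, p)
    # invariant: x^2 = z * t, and t has order dividing 2^m; drive t to 1
    while t != 1:
        i, tt = 0, t
        while tt != 1:                              # least i with t^(2^i) = 1
            tt, i = tt*tt % p, i + 1
        bexp = pow(c, 1 << (m - i - 1), p)
        m, c, t, x = i, bexp*bexp % p, t*bexp*bexp % p, x*bexp % p
    return x

def hensel_lift(y, z, p, e):
    """Lift y with y^2 = z (mod p) and p not dividing 2y to a root of z modulo p^e, one
    Newton step y <- y - (y^2 - z)/(2y) per extra power of p."""
    mod = p
    for _ in range(e - 1):
        mod *= p
        y = (y - (y*y - z) * pow(2*y, -1, mod)) % mod
    return y
```

Each Newton step at least doubles the number of $p$-adic digits that are correct, so taking one step per extra power of $p$ is more than enough; the division by $2y$ is what requires $p$ odd and $y \not\equiv 0$.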
Finding a generator of a prime subgroup. Let $E$ be an elliptic curve over a finite field $K$ and $L$ be a finite extension of $K$. Let $r$ be a prime such that $r \mid \#E(L)$. Then there is a cyclic subgroup $\langle P \rangle$ of $E(L)$ which is of order $r$. The problem is to find a generator $P$ of this group. The following method is used to find $P$. Let $r_1 = \#E(L)/r$; choose a random point $R$ of $E(L)$; then with high probability $P = r_1 R$ is a point of order $r$; $r$ being a prime, $P$ is a generator of the required subgroup, and it is possible to do cryptography over this group.
Mapping into an elliptic curve. Some cryptographic protocols require a function which maps an arbitrary string into an elliptic curve point. We briefly describe an efficient technique to hash into an element of $G_1$, where the order of $G_1$ is $r$ (a prime).
For simplicity, we consider a general characteristic field. Assume that the curve is defined over $\mathbb{Z}_p$ and is given by the short Weierstraß form $E(\mathbb{F}_p): y^2 = x^3 + ax + b$, i.e., $x$ and $y$ are elements of $\mathbb{F}_p$. Let $H$ be a collision resistant hash function (i.e., a function for which it is computationally difficult to find distinct $v_1$ and $v_2$ such that $H(v_1) = H(v_2)$) which maps into $\mathbb{Z}_p$. Given a string $\mathit{str}$, let $x_i = H(\mathit{str} \| i)$ for $i = 0, 1, \ldots$, and $z_i = x_i^3 + ax_i + b$. Then within a small range of values of $i$, it is likely that one of the $z_i$'s will be a square in $\mathbb{F}_p$. For the first such $i$, let $y_i$ be the square root of $z_i$ with $y_i < p/2$ (one of the square roots will be less than $p/2$ and the other will be greater). Then $P' = (x_i, y_i)$ is a point on the elliptic curve $E(\mathbb{F}_p)$. Let $\#E(\mathbb{F}_p)$ denote the number of points on $E(\mathbb{F}_p)$; then the point corresponding to the string $\mathit{str}$ is obtained by multiplying $P'$ by the cofactor $\#E(\mathbb{F}_p)/r$ to obtain an $r$-torsion point $P \in E(\mathbb{F}_p)$. This method requires computing a few Legendre symbols and one square root. A similar approach gives an efficient method to hash into $G_2$ in the case of Type 3 pairing. However, no method is known to securely hash into $G_2$ when we are in the Type 2 setting (see [88] for a more detailed discussion).
Note that the approach outlined above is probabilistic in nature, though the probability of failure is extremely small. On the other hand, Icart [107] has recently suggested a method to deterministically hash into an elliptic curve.
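The following Python, added here as an illustration and not part of the text, puts together the affine chord-and-tangent rules of the group law paragraph, a double-and-add scalar multiplication built on them, the random-point search (random $x$, then a square root), the generator-finding step $P = r_1 R$ with $r_1 = \#E/r$, and the try-and-increment hash $x_i = H(\mathit{str} \| i)$ with the root $y_i < p/2$ and cofactor clearing. The curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_{23}$ (chosen with $p \equiv 3 \bmod 4$ so that Lagrange's square root applies), the choice of SHA-256 reduced modulo $p$ as $H$, and the byte encoding of $\mathit{str} \| i$ are constructed assumptions that the text does not fix. One practical addition: if the cofactor multiple $[r_1]P'$ happens to be $O$, the code moves on to the next $i$ (or the next random $R$) instead of returning a useless point.

```python
# Added example (not from the text): affine group law, scalar multiplication, random
# point, subgroup generator and hash-to-curve on a constructed sample curve.
import hashlib
import random

p, a, b = 23, 1, 1               # sample curve y^2 = x^3 + x + 1 over F_23; p = 3 (mod 4)
INF = None                       # the point at infinity O

def on_curve(P):
    return P is INF or (P[1]**2 - P[0]**3 - a*P[0] - b) % p == 0

def add(P, Q):
    """Chord-and-tangent addition in affine coordinates, covering every rule of the group law."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:            # Q = -P, including 2P for a point with y = 0
        return INF
    if P == Q:
        lam = (3*x1*x1 + a) * pow(2*y1, -1, p) % p # tangent slope (3 x1^2 + a)/(2 y1)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope (y2 - y1)/(x2 - x1)
    x3 = (lam*lam - x1 - x2) % p
    return (x3, (lam*(x1 - x3) - y1) % p)

def mul(n, P):
    """Left-to-right double-and-add: [n]P."""
    acc = INF
    for bit in bin(n)[2:]:
        acc = add(acc, acc)
        if bit == '1':
            acc = add(acc, P)
    return acc

def sqrt_mod_p(z):
    """Lagrange's root z^((p+1)/4), valid since p = 3 (mod 4); None when (z/p) = -1."""
    z %= p
    if z == 0:
        return 0
    if pow(z, (p - 1)//2, p) != 1:                  # Legendre symbol by Euler's criterion
        return None
    return pow(z, (p + 1)//4, p)

def count_points():
    return 1 + sum(1 for x in range(p) for y in range(p) if on_curve((x, y)))

def largest_prime_factor(n):
    f, d = 1, 2
    while d*d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n) if n > 1 else f

N = count_points()               # #E(F_p); 28 for the sample curve
r = largest_prime_factor(N)      # order of the subgroup used for cryptography; 7 here
h = N // r                       # cofactor r_1 = #E(F_p)/r; 4 here

def random_point(rng=None):
    """Random x until x^3 + ax + b is a square, then one of its square roots."""
    rng = rng or random
    while True:
        x = rng.randrange(p)
        y = sqrt_mod_p(x**3 + a*x + b)
        if y is not None:
            return (x, y)

def find_generator(rng=None):
    """[r_1]R for a random R is, with high probability, a point of order r; retry if it is O."""
    while True:
        P = mul(h, random_point(rng))
        if P is not INF:
            return P

def H(data):
    """Hash into Z_p (assumption: SHA-256 reduced modulo p)."""
    return int.from_bytes(hashlib.sha256(data).digest(), 'big') % p

def hash_to_curve(s):
    """Try-and-increment: x_i = H(str || i) until z_i is a square, take the root y_i < p/2,
    then multiply by the cofactor; an O result (P' already in the small subgroup) is skipped."""
    for i in range(256):
        xi = H(s.encode() + str(i).encode())        # byte encoding of str || i is an assumption
        yi = sqrt_mod_p(xi**3 + a*xi + b)
        if yi is None:
            continue
        if yi > p // 2:
            yi = p - yi
        P = mul(h, (xi, yi))
        if P is not INF:
            return P
    raise ValueError("no point found")
```

The sample curve has 28 points, so $r = 7$ and the cofactor is 4; every point returned by `hash_to_curve` or `find_generator` therefore satisfies $[7]P = O$, which is the check a caller should make on any hashed-in or received point before using it in a prime-order protocol.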
To summarise, elliptic curves defined over finite fields provide rich examples of abelian groups. The main advantage is that no (generic) sub-exponential algorithm is known for solving the discrete log problem (we will qualify this statement later).
Consequently, one can work over comparatively smaller fields. The gains from doing this are two-fold: the finite field arithmetic is more efficient, and the storage requirement is smaller, which is important for implementation on resource constrained devices.