Elliptic Nets How To Catch an Elliptic Curve

1
Elliptic NetsHow To Catch an Elliptic Curve

• Kate Stange
• Brown University Graduate Student
  SeminarFebruary 7, 2007

http//www.math.brown.edu/stange/
2
Timeline
1573 Potato results in birth of Caravaggio1
Circa 4000 B.C.pre-Colombian farmers discover
potato
February 7, 2004 Inventor of Poutine diesof
pulmonary disease
Last spring A cute potato named George is born
July 12 2005 Sonja Thomas wins 2500 by eating 53
potato skins in 12 minutes
Now That samosa you are eating is George
1The Potato Fan Club http//tombutton.users.btope
nworld.com/
3
Part I Elliptic Curves are Groups
4
Elliptic Curves
5
A Typical Elliptic Curve E
E Y2 X3 5X 8
The lack of shame involved in the theft of this
slide from Joe Silvermans website should make
any graduate student proud.
6
Adding Points P Q on E
The lack of shame involved in the theft of this
slide from Joe Silvermans website should make
any graduate student proud.
- 6 -
7
Doubling a Point P on E
The lack of shame involved in the theft of this
slide from Joe Silvermans website should make
any graduate student proud.
- 7 -
8
Vertical Lines and an Extra Point at Infinity
Add an extra point O at infinity. The point O
lies on every vertical line.
The lack of shame involved in the theft of this
slide from Joe Silvermans website should make
any graduate student proud.
9
Part II Elliptic Divisibility Sequences
10
Elliptic Divisibility SequencesSeen In Their
Natural Habitat
11
Example
12
Elliptic Curve Group Law
13
So What Happens to Point Multiples?

14
An Elliptic Divisibility Sequence is an integer
sequence satisfying the following recurrence
relation.


15
Some Example Sequences

• 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13,
  14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25,
  26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37,
  38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49,
  50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61,
  62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73,
  74, 75, 76, 77,

16
Some Example Sequences

• 0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144,
  233, 377, 610, 987, 1597, 2584, 4181, 6765,
  10946, 17711, 28657, 46368, 75025, 121393,
  196418, 317811, 514229, 832040, 1346269, 2178309,
  3524578, 5702887, 9227465, 14930352, 24157817,
  39088169,

17
Some Example Sequences

• 0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29,
  59, 129, -314, -65, 1529, -3689, -8209, -16264,
  83313, 113689, -620297, 2382785, 7869898,
  7001471, -126742987, -398035821, 1687054711,
  -7911171596, -47301104551, 43244638645,

18
Our First Example

• 0, 1, 1, -3, 11, 38, 249, -2357, 8767, 496035,
  -3769372, -299154043, -12064147359, 632926474117,
  -65604679199921, -6662962874355342,
  -720710377683595651, 285131375126739646739,
  5206174703484724719135, -3604215776624692378883720
  9, 14146372186375322613610002376,

19
Some more terms

• 0,
• 1,
• 1,
• -3,
• 11,
• 38,
• 249,
• -2357,
• 8767,
• 496035,
• -3769372,
• -299154043,
• -12064147359,
• 632926474117,
• -65604679199921,
• -6662962874355342,
• -720710377683595651,
• 285131375126739646739,
• 5206174703484724719135,

20
Part III Elliptic Curves over Complex Numbers
21
Take a Lattice ? in the Complex Plane
22
Elliptic Curves over Complex Numbers
C/?
23
Elliptic Functions
Zeroes at z a and zb
Poles at z c and zd
24
Example Elliptic Functions
25
Part IV Elliptic Divisibility Sequences from
Elliptic Functions
26
Elliptic Divisibility SequencesTwo Good
Definitions
Definition A

This is just an elliptic function with zeroes all
the n-torsion points and a pole of order n2 at
the point at infinity.
Yes, this is the same as before!
27
Elliptic Divisibility SequencesTwo Good
Definitions
Definition B
Definition A

28
Theorem (M Ward, 1948) A and B are equivalent.
From the initial conditions in Definition B, one
can explicitly calculate the curve and point
needed for Definition A.
Definition B
Definition A

29
Part V Reduction Mod p
30
Reduction of a curve mod p







6
5
X
4
3
(0,-3)
2
1
0
0 1 2 3 4 5 6
31
Reduction Mod p
0, 1, 1, -3, 11, 38, 249, -2357, 8767, 496035,
-3769372, -299154043, -12064147359,
632926474117, -65604679199921, -6662962874355342,
-720710377683595651, 285131375126739646739,
5206174703484724719135, -360421577662469237888372
09, 14146372186375322613610002376,
0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6,
0, 3, 1, 10, 0, 1,10, 8, 0, 5, 4, 8, 0, 1, 2, 10,
0, 3, 4, 6, 0, 3, 10, 10, 0, 1, 1, 8, 0, 5, 7, 8,
0,
This is the elliptic divisibility sequence
associated to the curve reduced modulo 11
32
What do the zeroes mean??
33
Reduction Mod p
0, 1, 1, -3, 11, 38, 249, -2357, 8767, 496035,
-3769372, -299154043, -12064147359,
632926474117, -65604679199921, -6662962874355342,
-720710377683595651, 285131375126739646739,
5206174703484724719135, -360421577662469237888372
09, 14146372186375322613610002376,
0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6,
0, 3, 1, 10, 0, 1,10, 8, 0, 5, 4, 8, 0, 1, 2, 10,
0, 3, 4, 6, 0, 3, 10, 10, 0, 1, 1, 8, 0, 5, 7, 8,
0,
The point has order 4, but the sequence has
period 40!
34
Periodicity of Sequences
35
Periodicity Example
0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6,
0, 3, 1, 10, 0,
36
Research (Partial List)

• Applications to Elliptic Curve Discrete Logarithm
  Problem in cryptography (R. Shipsey)
• Finding integral points (M. Ayad)
• Study of nonlinear recurrence sequences
  (Fibonacci numbers, Lucas numbers, and integers
  are special cases of EDS)
• Appearance of primes (G. Everest, T. Ward, )
• EDS are a special case of Somos Sequences (A. van
  der Poorten, J. Propp, M. Somos, C. Swart, )
• p-adic function field cases (J. Silverman)
• Continued fractions elliptic curve group law
  (W. Adams, A. van der Poorten, M. Razar)
• Sigma function perspective (A. Hone, )
• Hyper-elliptic curves (A. Hone, A. van der
  Poorten, )
• More

37
Part VI Elliptic Nets Jacking up the Dimension
38
The Mordell-Weil Group
39
From Sequences to Nets

• It is natural to look for a generalisation
  that reflects the structure of the entire
  Mordell-Weil group

40
In this talk, we work with a rank 2 example


Nearly everything can be done for general rank
41
Elliptic Nets Rank 2 Case
Zeroes at (P,Q) such that mP nQ 0. Some crazy
poles.
Definition A

42
Elliptic Nets Rank 2 Case
Definition B

43
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
44
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
45
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
46
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
47
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
48
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
49
Equivalence of Definitions
50
For any given n, one can compute the explicit
bijection
51
Nets are Integral
52
Reduction Mod p
53
Divisibility Property
54
Example
4335 5959 12016 -55287 23921 1587077 -7159461
94 479 919 -2591 13751 68428 424345
-31 53 -33 -350 493 6627 48191
-5 8 -19 -41 -151 989 -1466
1 3 -1 -13 -36 181 -1535
1 1 2 -5 7 89 -149
0 1 1 -3 11 38 249
? Q
P?
55
Example
0 4 1 3 1 2 4
4 4 4 4 1 3 0
4 3 2 0 3 2 1
0 3 1 4 4 4 4
1 3 4 2 4 1 0
1 1 2 0 2 4 1
0 1 1 2 1 3 4
? Q
P?
56
Periodicity of Sequences Restatement
57
Periodicity of Nets
58
Part VII Elliptic Curve Cryptography
59
Elliptic Curve Cryptography
For cryptography you need something that is easy
to do but difficult to undo.
Like multiplying vs. factoring.
Or getting pregnant.
(No one has realised any cryptographic protocols
based on this Possible thesis topic anyone?)
60
The (Elliptic Curve) Discrete Log Problem
Let A be a group and let P and Q be known
elements of A.

• Hard but not too hard in Fp.
• Koblitz and Miller (1985) independently suggested
  using the group E(Fp) of points modulo p on an
  elliptic curve.
• It seems pretty hard there.

61
Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge A group E(Fp) and a point P of
order n.
BOB
ALICE
Choose secret 0 lt b lt n Choose
secret 0 lt a lt n
Compute QBob bP Compute
QAlice aP
Compute bQAlice
Compute aQBob
Bob and Alice have the shared value bQAlice abP
aQBob
Presumably(?) recovering abP from aP and bP
requires solving the elliptic curve discrete
logarithm problem.
Yeah, I stole this one too.
62
The Tate Pairing
This is a bilinear nondegenerate pairing.
63
Tate Pairing in Cryptography Tripartite
Diffie-Hellman Key Exchange
Public Knowledge A group E(Fp) and a point P of
order n.
ALICE BOB
CHANTAL
Secret 0 lt a lt n 0 lt b lt n
0 lt c lt n
Compute QAlice aP QBob bP
QChantal cP
Reveal QAlice QBob
QChantal
Compute tn(QBob,QChantal)a
tn(QAlice,QChantal)b tn(QAlice,QBob)c
These three values are equal to tn(P,P)abc
Security (presumably?) relies on Discrete Log
Problem in Fp
64
Part VIII Elliptic Nets and the Tate Pairing
65
Tate Pairing from Elliptic Nets

66
Choosing a Nice Net
This is just the value of a from the periodicity
relation
67
Calculating the Net (Rank 2)
Based on an algorithm by Rachel Shipsey
Double
DoubleAdd
68
Calculating the Tate Pairing

• Find the initial values of the net associated to
  E, P, Q (there are simple formulae)
• Use a Double Add algorithm to calculate the
  block centred on m
• Use the terms in this block to calculate

69
Embedding Degree k
70
Efficiency
71
Possible Research Directions

• Extend this to Jacobians of higher genus curves?
• Use periodicity relations to find integer points?
  (M. Ayad does this for sequences)
• Other computational applications counting points
  on elliptic curves over finite fields?
• Other cryptographic applications of Tate pairing
  relationship?

72
References

• Morgan Ward. Memoir on Elliptic Divisibility
  Sequences. American Journal of Mathematics,
  7013-74, 1948.
• Christine S. Swart. Elliptic Curves and Related
  Sequences. PhD thesis, Royal Holloway and
  Bedford New College, University of London, 2003.
• Graham Everest, Alf van der Poorten, Igor
  Shparlinski, and Thomas Ward. Recurrence
  Sequences. Mathematical Surveys and Monographs,
  vol 104. American Mathematical Society, 2003.
• Elliptic net algorithm for Tate pairing
  implemented in the PBC Library,
  http//crypto.stanford.edu/pbc/

Slides, preprint, scripts at http//www.math.brown
.edu/stange/