MATH 470 Lecture 23

« previous | Thursday, April 11, 2013 | next »

Going back to last time, we defined an elliptic curve over ${\displaystyle k}$ is the zero set (including the point at infinity) in ${\displaystyle K^{2}}$ of a polynomial ${\displaystyle f\in K[x,y]}$ with

1. the Newton polygon having exactly 1 point with integer coordinates in its interior.
2. a smooth curve ${\displaystyle C}$

Let's call this our 2^nd definition.

Let our first definition be the zero set of a polynmial in weierstrass normal form (including the point at infinity)

3^rd (classical) definition: A curve of genus one. So somehow, elliptic curves correspond to tori

So the number of interior lattice points in a Newton polygon is somehow related to the genus (under certain conditions).

What's a Genus

The classification of surfaces boils down to the number of holes (or number of handles, not that holes and handles are the same things...)

• Genus 0: Imagine a sphere
• Genus 1: Imagine a donut
• Genus 2: Handcuffs
• ...

A curve over ${\displaystyle \mathbb {C} }$ is actually a surface over two real dimensions.

For example, zero set of ${\displaystyle x+y-1}$ in ${\displaystyle \mathbb {C} }$ over ${\displaystyle \mathbb {R} }$ is really just the zero set of the real part and the imaginary part.

Finite Fields

A finite field is any set of numbers closed on multiplicative inversion: all nonzero elements in the field have a multiplicative inverse in the same field.

For any prime ${\displaystyle p}$, ${\displaystyle \mathbb {F} _{p}}$ (also written ${\displaystyle \mathrm {GF} (p)}$) is defined to be a field with ${\displaystyle p}$ elements. For example, ${\displaystyle \mathbb {F} _{p}=\mathbb {Z} /p\mathbb {Z} }$.

Can ${\displaystyle \mathbb {Z} /6\mathbb {Z} }$ be a field? No. (2 and 3 do not have inverses)

Finite fields need not have prime number of elements, only a prime power number of elements.

We'll study ${\displaystyle \mathbb {F} _{q}}$ with ${\displaystyle q=p^{k}}$ for any prime ${\displaystyle p}$ (and elliptic curves over ${\displaystyle \mathbb {F} _{q}}$).

We define ${\displaystyle \mathbb {F} _{p}\left[x\right]}$ as the set of polynomials in ${\displaystyle x}$ with coefficients in ${\displaystyle \mathbb {F} _{p}}$.

If ${\displaystyle f\in \mathbb {F} _{p}\left[x\right]}$, we derive

${\displaystyle \mathbb {F} _{p}\left[x\right]/\left\langle f\right\rangle }$

as polynomials mod ${\displaystyle f}$.

(what's with these polynomials mod other polynomials?)

${\displaystyle \mathbb {F} _{p}\left[x\right]/\left\langle f\right\rangle }$ is just the polynomials in ${\displaystyle \mathbb {F} _{p}\left[x\right]}$ of degree less than that of ${\displaystyle f}$ with +, −, and × performed mod ${\displaystyle f}$.

Example

${\displaystyle \mathbb {F} _{2}\left[x\right]/\left\langle x^{2}+x+1\right\rangle =\left\langle 0,1,x,x+1\right\rangle }$

Addition Table

+	0	1	x	x+1
0	0	1	x	x+1
1	1	0	x+1	x
x	x	x+1	0	1
x+1	x+1	x	1	0

Multiplication Table

×	0	1	x	x+1
0	0	0	0	0
1	0	1	x	x+1
x	0	x	x+1	1
x+1	0	x+1	1	x

See that ${\displaystyle {\frac {1}{1}}=1}$, ${\displaystyle {\frac {1}{x}}=x+1}$, and ${\displaystyle {\frac {1}{x+1}}=x}$ are all well-defined, nonzero, invertible elements. Thus we have a realization of ${\displaystyle \mathbb {F} _{4}}$

What if we chose ${\displaystyle \mathbb {F} _{2}\left[x\right]/\left\langle x^{2}+1\right\rangle }$?

Our multiplication table would be different:

Multiplication Table

×	0	1	x	x+1
0	0	0	0	0
1	0	1	x	x+1
x	0	x	1	x+1
x+1	0	x+1	x+1	0

Note that ${\displaystyle {\frac {1}{x+1}}}$ makes no sense.

Irreducibility

We call ${\displaystyle f\in \mathbb {F} _{p}\left[x\right]}$ irreducable iff ${\displaystyle f=g\,h}$ implies that ${\displaystyle g\in \mathbb {F} _{p}}$ or ${\displaystyle h\in \mathbb {F} _{p}}$. In other words, ${\displaystyle f}$ has no non-trivial factorization.

Example 1

${\displaystyle x^{2}-2}$ is irreducable over ${\displaystyle \mathbb {F} _{3}}$.

Proof. Indeed, if ${\displaystyle x^{2}-2}$ had a non-trivial factorization (other than const × degree 2), then it must factor as ${\displaystyle ({\text{deg 1}})({\text{deg 1}})}$.

Then ${\displaystyle x^{2}-2=c(x+a)(x+b)}$ means that ${\displaystyle x^{2}-2}$ has a root in ${\displaystyle \mathbb {F} _{3}}$. But the squares in ${\displaystyle \mathbb {F} _{3}}$ are 0 and 1. ${\displaystyle x^{2}-2}$ vanishes at neither, so ${\displaystyle x^{2}-2}$ is irreducable.

However, ${\displaystyle x^{2}-2}$ is reducable over

• ${\displaystyle \mathbb {F} _{2}}$: ${\displaystyle x^{2}-2=x^{2}=x\,x}$
• ${\displaystyle \mathbb {F} _{7}}$: ${\displaystyle x^{2}-2=(x+3)(x+4)}$

Example 2

${\displaystyle \mathbb {F} _{8}\left[x\right]}$ can be realized as ${\displaystyle \mathbb {F} _{2}\left[x\right]/\left\langle x^{3}+x+1\right\rangle }$:

${\displaystyle \{0,1,x,x+1,x^{2},x^{2}+x,x^{2}+1,x^{2}+x+1\}}$

Deciding Realizations

Which realization you use is very important in practice.

The Intel 8051 is a chip with 256 bytes of onboard RAM running at 12 MHz, used in some smart cards around 2000. This is an incredible hardware limitation, and operations can take a significant amount of time and power if the field realization is not chosen carefully.

Here's a table for the number of cycles needed to multiply two field elements:

Field	Number of Cycles
${\displaystyle \mathbb {F} _{2^{135}}}$	19,600
${\displaystyle \mathbb {F} _{2^{136}}=\mathbb {F} _{(2^{8})^{17}}}$	7479
${\displaystyle \mathbb {F} _{239^{17}}}$	5084

Upshot: Picking the right ${\displaystyle f}$ is key to going faster and saving power

Primitivity

We call an irreducable ${\displaystyle f\in \mathbb {F} _{p}\left[x\right]}$ primitive iff ${\displaystyle f}$ has a primitive element for ${\displaystyle \mathbb {F} _{p^{k}}}$ as one of its roots (generator).

Example

${\displaystyle 1+x+x^{3}}$ is primitive over ${\displaystyle \mathbb {F} _{2}\left[x\right]}$. In particular, observe the powers of ${\displaystyle x}$ in ${\displaystyle \mathbb {F} _{2}\left[x\right]/\left\langle x^{3}+x+1\right\rangle }$

• ${\displaystyle 1}$
• ${\displaystyle x}$
• ${\displaystyle x^{2}}$
• ${\displaystyle x^{3}=x+1}$
• ${\displaystyle x^{4}=x\cdot x^{3}=x^{2}+x}$
• ${\displaystyle x^{5}=x\cdot x^{4}=x^{2}+x+1}$
• ${\displaystyle x^{6}=x\cdot x^{5}=x^{2}+1}$
• ${\displaystyle x^{7}=x\cdot x^{6}=1}$

We've realized ${\displaystyle \mathbb {F} _{8}}$ and with an explicit generator for ${\displaystyle \mathbb {F} _{8}^{*}}$.

Sparsity

${\displaystyle x^{167}+x^{6}+1}$ is irreducible over ${\displaystyle \mathbb {F} _{2}\left[x\right]}$ and has only 3 terms. Therefore, powering is much faster.

For example, ${\displaystyle x^{167}=x^{6}+1}$. If we worked mod a non-sparse polynomial, we'd get ${\displaystyle x^{167}={\text{MESS}}}$

So what's so good about curves over ${\displaystyle \mathbb {F} _{p}}$?

Elliptic curves can be used to factor integers!

Factoring with Elliptic Curves

Classical factoring algorithms worked with arithmetic in ${\displaystyle \mathbb {F} _{p}^{*}}$ or ${\displaystyle \left(\mathbb {Z} /n\mathbb {Z} \right)^{*}}$ for some prime ${\displaystyle p}$. Working with elliptic curves over ${\displaystyle \mathbb {F} _{p}^{*}}$ gives more flexibility

The number of elements in ${\displaystyle \mathbb {F} _{p}^{*}}$ is ${\displaystyle p-1}$. The number of elliptic curves in the same field is ${\displaystyle p+1+{\text{wiggle}}}$

Hasse's Theorem

(1933)

If ${\displaystyle n}$ is the number of points on an elliptic curve over ${\displaystyle \mathbb {F} _{q}}$,

${\displaystyle \left|n-(q+1)\right|\leq 2{\sqrt {q}}}$

And, for any such ${\displaystyle n}$, there is a curve over ${\displaystyle \mathbb {F} _{q}}$ with that many points.