
Elliptic curve cryptography

Matthew England
MSc Applied Mathematical Sciences
Heriot-Watt University
Summer 2006
Abstract
This project studies the mathematics of elliptic curves, starting with their
derivation and the proof of how points upon them form an additive abelian
group. We then work on the mathematics necessary to use these groups
for cryptographic purposes, specifically results for the group formed by an
elliptic curve over a finite field, $E(\mathbb{F}_q)$. We examine the mathematics behind
the group of torsion points, to which every point in $E(\mathbb{F}_q)$ belongs, and
prove Hasse's theorem along with a number of other useful results. We finish
by describing how to define a discrete logarithm problem using $E(\mathbb{F}_q)$ and
showing how this can form public key cryptographic systems for use in both
encryption and key exchange.
Acknowledgments
Many thanks to Dr. Mark Lawson, for his help, supervision and enthusiasm
for this project.
Contents
1 Introduction (page 1)
2 Elliptic curves (page 2)
  2.1 A class of algebraic curves (page 2)
  2.2 Group law (page 5)
    2.2.1 Prime curve examples (page 10)
3 Torsion points and endomorphisms of elliptic curves (page 15)
  3.1 Endomorphisms of elliptic curves (page 15)
  3.2 Torsion points (page 31)
    3.2.1 Successive doubling (page 35)
    3.2.2 The basis for E[n] (page 36)
  3.3 Division polynomials (page 38)
  3.4 The Weil pairing (page 44)
4 Elliptic curves over finite fields (page 47)
  4.1 Examples (page 47)
  4.2 Hasse's theorem (page 50)
    4.2.1 The Frobenius endomorphism (page 51)
  4.3 Orders of points (page 55)
    4.3.1 Baby step, giant step (page 58)
5 Elliptic curve cryptography (page 61)
  5.1 The basics of cryptography (page 61)
  5.2 Public key cryptography (page 64)
  5.3 The discrete logarithm problem (page 67)
    5.3.1 Diffie-Hellman key exchange (page 68)
    5.3.2 The El Gamal cryptosystem (page 69)
  5.4 Elliptic curve cryptography (page 70)
    5.4.1 The discrete logarithm problem for elliptic curves (page 70)
    5.4.2 Diffie-Hellman key exchange for elliptic curves (page 71)
    5.4.3 El Gamal cryptosystem for elliptic curves (page 73)
6 Summary and conclusions (page 75)
Bibliography (page 77)
Appendix (page 78)
A Elliptic curve material (page 78)
  A.1 Singular curves (page 78)
    A.1.1 The relationship between multiple roots and singular points (page 78)
    A.1.2 Triple root (page 80)
    A.1.3 Double root (page 84)
  A.2 Deriving the condition for distinct roots (page 94)
    A.2.1 Determining the roots (page 94)
    A.2.2 The discriminant (page 97)
    A.2.3 Relating back to elliptic curves (page 100)
  A.3 Elliptic curves in characteristic 2 (page 101)
  A.4 Elliptic curves in characteristic 3 (page 105)
  A.5 The proof of associativity (page 106)
    A.5.1 Projective geometry and the point at infinity (page 106)
    A.5.2 Lines in $\mathbb{P}^2_K$ (page 108)
    A.5.3 The proof of associativity (page 114)
  A.6 The proofs omitted from Chapter 3 (page 122)
  A.7 Methods to determine the order of $E(\mathbb{F}_q)$ exactly (page 129)
    A.7.1 Subfield curves (page 129)
    A.7.2 Legendre symbols (page 131)
  A.8 Supersingular curves (page 135)
B Mathematical background material (page 137)
  B.1 Algebraic curves (page 137)
  B.2 Fractions in polynomial rings (page 140)
  B.3 Number theory (page 141)
  B.4 Group theory (page 143)
  B.5 Field theory (page 147)
    B.5.1 Finite fields (page 150)
    B.5.2 Constructing $\mathbb{F}_9$ (page 153)
    B.5.3 Constructing $\mathbb{F}_8$ (page 156)
    B.5.4 Addition and multiplication tables of $\mathbb{F}_4$ (page 157)
  B.6 Miscellaneous (page 158)
C Matlab code (page 161)
  C.1 The Matlab code for ECAD.m (page 161)
  C.2 The Matlab code for PC.m (page 163)
  C.3 The Matlab code for ECADP.m (page 165)
  C.4 The Matlab code for inve.m (page 167)
  C.5 The Matlab code for SUCDOB.m (page 167)
  C.6 The Matlab code for check.m (page 169)
  C.7 The Matlab code for RR44.m (page 170)
Chapter 1
Introduction
An elliptic curve is usually defined to be the graph of an equation
$y^2 = x^3 + Ax + B$
where $x$, $y$, $A$ and $B$ belong to a specified field. These curves are of great
use in a number of applications, largely because it is possible to take two points
on such a curve and generate a third. In fact, we will show that by defining
an addition operation and introducing an extra point, $\infty$, the points on an
elliptic curve form an additive abelian group.
Such a group can then be used to create an analogue of the discrete
logarithm problem, which is the basis for several public key cryptosystems.
This project will introduce the mathematics behind elliptic curves and then
demonstrate how to use them for cryptography.
The project loosely follows and adds to the work in Chapters 2 to 6 of
[9]. If not otherwise stated the material has been adapted from this source.
Chapter 2 of the project introduces the basic mathematics behind elliptic
curves, such as the proof that the points upon them form an abelian group.
Chapter 3 then considers those points in the group which are torsion, while
Chapter 4 considers elliptic curves defined over finite fields. Here we prove
Hasse's theorem to give a bound on the size of the group. Chapter 5 demonstrates
how the mathematics of the previous chapters can be employed in a
cryptographic algorithm for use in key exchange or encryption of messages.
Appendix A contains some further results on elliptic curves while Appendix
B contains the mathematical background material that is employed
throughout the project. We also make use of Matlab to speed up calculations
with elliptic curves and the relevant code can be found in Appendix C.
Chapter 2
Elliptic curves
Elliptic curves have, over the last three decades, become an increasingly
important subject of research in number theory and related fields such as
cryptography. They have also played a part in numerous other mathematical
problems over hundreds of years. For example, the congruent number problem
of finding which integers $n$ can occur as the area of a right-angled triangle with
rational sides can be expressed using elliptic curves (see Chapter 1 of [9]).
In this chapter we set out the basic mathematics of elliptic curves, starting
with their derivation and definition followed by the proof that points upon
them form an additive abelian group.
2.1 A class of algebraic curves
Elliptic curves are a specific class of algebraic curves. In this section we show
how we arrive at their standard definition, seen in the introduction, from the
more general case. First consider an algebraic curve formed from a conic on
the left and a cubic on the right:
$y^2 + \alpha_1 xy + \alpha_2 y + \alpha_3 x + \alpha_4 = x^3 + \beta_1 x^2 + \beta_2 x + \beta_3$
where the $\alpha_i$, $\beta_i$ are constants. We can then combine the constant and linear
terms to form what is known as the generalised Weierstrass equation:
$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \qquad (2.1)$
where $a_1, \ldots, a_6$ are constants. In practice we must specify which field these
constants and the variables $x$, $y$ belong to. So long as this field does not have
characteristic 2 we can divide the above equation by 2 and complete
the square. This gives
$\left(y + \frac{a_1 x}{2} + \frac{a_3}{2}\right)^2 = x^3 + \left(a_2 + \frac{a_1^2}{4}\right)x^2 + \left(a_4 + \frac{a_1 a_3}{2}\right)x + \left(\frac{a_3^2}{4} + a_6\right)$
which can be written as
$y_1^2 = x^3 + a_2' x^2 + a_4' x + a_6'$
with $y_1 = y + a_1 x/2 + a_3/2$ and some constants $a_2', a_4', a_6'$. If the characteristic
were 2 then 2 would be equivalent to 0 in this field. We would then not be
able to perform the above operation as we cannot divide by zero.
If the characteristic is neither 2 nor 3, then we can perform a further
substitution, letting $x_1 = x + a_2'/3$, to obtain
$y_1^2 = x_1^3 + A x_1 + B$
for some constants $A$, $B$. This equation is known as the Weierstrass equation
for an elliptic curve and is used in all cases except those where the characteristic
of the field is either 2 or 3. If the characteristic is 2 then we use the
generalised Weierstrass equation and if it is 3 we use Equation (2.1).
Notice that we assume the coefficients of the $y^2$ and $x^3$ terms are one.
Suppose we start with an equation
$c y^2 = d x^3 + a x + b$
with $c, d \neq 0$. Then multiply both sides of the equation by $c^3 d^2$ to obtain
$(c^2 d y)^2 = (c d x)^3 + (a c^2 d)(c d x) + (b c^3 d^2)$
and so if we use the change of variables
$y_1 = c^2 d y, \qquad x_1 = c d x$
then we have an equation in Weierstrass form.
We cannot draw meaningful pictures of such curves over most fields, but
for intuition we can think of graphs over the real numbers, of which there are
two main types.
Figure 2.1: Some examples of elliptic curves defined over the real numbers.
On the left is $y^2 = x^3 - x$ and on the right $y^2 = x^3 + x$.
The first example has three real roots, while the second has one. We
prove in Appendix A.1 that when an elliptic curve has a multiple root it
will have a singular point, which causes problems when defining the addition
operation. We investigate the singular cases in Appendix A.1 but otherwise
assume that all the roots are distinct.
In Appendix A.2 we use the definition of the discriminant, applied to this
case when the characteristic is neither 2 nor 3, to derive the following condition
for distinct roots:
$4A^3 + 27B^2 \neq 0$
The general definition for an elliptic curve will be the Weierstrass equation
applied with the above condition.
As mentioned above we must specify what set $A$, $B$, $x$ and $y$ belong to.
Usually they will belong to a field such as $\mathbb{R}$, $\mathbb{C}$ or $\mathbb{Q}$, one of the finite fields
$\mathbb{F}_p$ ($= \mathbb{Z}_p$) for a prime $p$, or one of the finite fields $\mathbb{F}_q$ where $q = p^k$ with $k \geq 1$.
If $K$ is a field with $A, B \in K$ then we say the elliptic curve $E$ is defined
over $K$. In general we use $E$ and $K$ to represent an elliptic curve and the
field over which it is defined. If we wish to consider points in a field $L \supseteq K$
we write $E(L)$, which is defined as below.
$E(L) = \{(x, y) \in L \times L \mid y^2 = x^3 + Ax + B\} \cup \{\infty\}$
We include this point at infinity on elliptic curves for use in the group operation
defined in the following section. It is easiest to regard it as a point
$(\infty, \infty)$ and denote it simply by $\infty$, sitting at the top of the $y$-axis. A line
is said to pass through $\infty$ when it is exactly vertical (i.e. $x =$ constant),
and so two vertical lines will meet at $\infty$. We make sense of this concept and
interpret $\infty$ as being on an elliptic curve in Appendix A.5.1. We also think
of $\infty$ as sitting at the bottom of the $y$-axis, but this would imply two straight
lines meet at two points. Instead we require this top and bottom to be
the same point (as if the $y$-axis were wrapped around to form a circle).
2.2 Group law
As stated in the introduction, we can start with two points on an elliptic curve
(or even one) and produce another. In this section we describe how to carry
out this process and derive the formula for use with the Weierstrass equation.
We then show that by dening this process as an addition operation we can
generate an additive abelian group.
Suppose we have a point $P = (x_0, y_0)$ on an elliptic curve (in any characteristic).
If $L$ is a line through $P$ and $\infty$ then it is a vertical line $x = x_0$.
We denote the other point of intersection between $L$ and $E$ as $P'$. For the
Weierstrass equation, $P' = (x_0, -y_0)$ since this curve is symmetric about the
$x$-axis. For the generalised Weierstrass equation it is calculated as in the
lemma below.
Lemma 2.1. If $P = (x_0, y_0)$ lies on the curve $E$ given by
$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$
then the other point of intersection between $E$ and $x = x_0$ is
$P' = (x_0, -a_1 x_0 - a_3 - y_0).$
Proof. We know that when $x = x_0$ there are two points on $E$, with $y$-coordinates $y_0$ and $y_1$, so:
$y^2 + a_1 x_0 y + a_3 y = x_0^3 + a_2 x_0^2 + a_4 x_0 + a_6$
$0 = y^2 + y(a_1 x_0 + a_3) - (x_0^3 + a_2 x_0^2 + a_4 x_0 + a_6)$
$(y - y_0)(y - y_1) = y^2 - y(y_0 + y_1) + y_0 y_1$
We can see that the negative of the coefficient of the linear term is the sum
of the roots. Therefore
$y_0 + y_1 = -a_1 x_0 - a_3$
$y_1 = -a_1 x_0 - a_3 - y_0$
So $P' = (x_0, -a_1 x_0 - a_3 - y_0)$ as required. $\square$
So if $P = (x_0, y_0)$ then $P'$ as defined above is $(x_0, -a_1 x_0 - a_3 - y_0)$ if
the characteristic of $K$ is 2 and $(x_0, -y_0)$ otherwise. Later we conclude that
$P' = -P$ in group notation.
We can now define elliptic curve addition. Suppose we are on an elliptic
curve $E$ defined over a field $K$ of any characteristic. If we start with two
points, $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$, on $E$ then we can find a third point,
$P_3$, as follows. Draw the line $L$ between $P_1$ and $P_2$ and find the third point
of intersection, denoted $P_3'$. Finally calculate $(P_3')' = P_3$ using the method
above. The addition operation is then defined as
$P_1 + P_2 = P_3$
Figure 2.2: Adding points on an elliptic curve
We now find explicit formulae for $P_3$ by looking at the different possibilities
for $P_1$ and $P_2$. Suppose that we are on an elliptic curve $E$ given by the
Weierstrass equation $y^2 = x^3 + Ax + B$.
First assume $P_1 \neq P_2$ and that neither point is $\infty$. We then know that
the slope of the line $L$ is
$m = \frac{y_2 - y_1}{x_2 - x_1}$
Now assume that $x_2 \neq x_1$, in which case the equation of $L$ is
$y = m(x - x_1) + y_1 \qquad (2.2)$
To find the intersection with $E$ substitute (2.2) into the equation for $E$:
$(m(x - x_1) + y_1)^2 = x^3 + Ax + B$
$x^3 - m^2 x^2 + \ldots = 0$
where the three roots of this cubic are the three points where $L$ intersects
$E$. Note from Theorem B.16 that the sum of the roots is the negative of the
coefficient of the $x^2$ term in the cubic. We know two of the roots are $x_1$ and
$x_2$ and so we can conclude that $x_3' = m^2 - x_1 - x_2$. We can then substitute
back to get $y_3' = m(x_3' - x_1) + y_1$. Finally we can reflect in the $x$-axis to find
$P_3 = (x_3, y_3)$:
$x_3 = m^2 - x_1 - x_2, \qquad y_3 = m(x_1 - x_3) - y_1$
In the case that $x_1 = x_2$ but $y_1 \neq y_2$ the line through $P_1$ and $P_2$ is
vertical and so intersects $E$ at $\infty$. Reflecting in the $x$-axis gives $\infty$ and
so $P_1 + P_2 = \infty$.
In the case where $P_1 = P_2 = (x_1, y_1)$ the line $L$ is the tangent at $(x_1, y_1)$.
Implicit differentiation allows us to find $m$, the slope of $L$:
$2y\frac{dy}{dx} = 3x^2 + A \implies m = \frac{dy}{dx} = \frac{3x_1^2 + A}{2y_1}$
If $y_1 = 0$ then $L$ is vertical so we set $P_1 + P_2 = \infty$. Otherwise the equation
of $L$ is
$y = m(x - x_1) + y_1$
as before. We can substitute in to obtain the same cubic and then use the
fact that $x_1$ is a double root to obtain $P_3 = (x_3, y_3)$:
$x_3 = m^2 - 2x_1, \qquad y_3 = m(x_1 - x_3) - y_1$
Finally suppose $P_2 = \infty$, in which case the line between $P_1$ and $\infty$ is a
vertical line that intersects $E$ at $P_1'$, the reflection of $P_1$ in the $x$-axis. Then
when we reflect this back we get $P_1$, so
$P_1 + \infty = P_1$
We can extend this to include $\infty + \infty = \infty$.
We can now begin to see why elliptic curves are suited to the definition of
such an operation. The right hand side of the Weierstrass equation is cubic,
which ensures that the line between any two points will intersect the curve at a third
point, the first step in the operation. Then the $y^2$ term on the left hand side
makes the curve symmetric about the $x$-axis, which is vital for the reflection
part. The addition operation is summarised in the box below.
SUMMARY
Let $E$ be an elliptic curve defined by $y^2 = x^3 + Ax + B$.
Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be points on $E$ with $P_1, P_2 \neq \infty$.
We then define $P_1 + P_2 = P_3 = (x_3, y_3)$ as follows.
1. If $x_1 \neq x_2$ then
$x_3 = m^2 - x_1 - x_2, \qquad y_3 = m(x_1 - x_3) - y_1 \qquad$ where $m = \dfrac{y_2 - y_1}{x_2 - x_1}$
2. If $x_1 = x_2$ but $y_1 \neq y_2$ then $P_1 + P_2 = \infty$.
3. If $P_1 = P_2$ and $y_1 \neq 0$ then
$x_3 = m^2 - 2x_1, \qquad y_3 = m(x_1 - x_3) - y_1 \qquad$ where $m = \dfrac{3x_1^2 + A}{2y_1}$
4. If $P_1 = P_2$ and $y_1 = 0$, then $P_1 + P_2 = \infty$.
Also we define $P + \infty = P$ for all points $P$ on $E$.
If the characteristic of $K$ is 2 or 3 then we use the same method for elliptic
curve addition but the formulae are different. We consider the characteristic
2 and 3 cases in Appendix A.3 and Appendix A.4 respectively.
Theorem 2.2. The points on $E$ form an additive abelian group with $\infty$ as
the identity element and elliptic curve addition as the group operator.
Proof. Recall the definition of a group from Appendix B.4. The commutativity
is obvious from the formulas and the intuition of drawing a straight
line through two points, while the identity property holds by definition. It is
also clear from the formulas that the sum of any two points will also be on
the elliptic curve, and if those original points had coordinates in a field $L$,
then so does the sum.
For inverses we define $-P$ as $P'$ (the reflection of $P$ in the $x$-axis in
the characteristic not 2 case). Then $P + P' = \infty$ for all $P$. Associativity
can be proved with the formulas, trying all cases, or with a number of other
approaches. We use projective space to prove this property in Appendix A.5.
This theorem will also hold for the characteristic 2 case similarly
(defining $-P$ as $P'$ given by Equation (2.1)). $\square$
Example 2.1. Let $E$ be the curve $y^2 = x^3 - 25x$ and suppose we know the
point $(-4, 6)$ lies on the curve. To find another point on $E$ we can add this
point to itself. In the notation of elliptic curve addition we have:
$m = \frac{3(-4)^2 - 25}{2(6)} = \frac{23}{12}$
Hence
$2(-4, 6) = (-4, 6) + (-4, 6) = \left(\left(\frac{23}{12}\right)^2 - 2(-4),\ \frac{23}{12}(-4 - x_3) - 6\right) = \left(\frac{1681}{144}, -\frac{62279}{1728}\right)$
A Matlab m-file was constructed to perform elliptic curve addition over
the real numbers. Suppose we have an elliptic curve $E$ given by $y^2 = x^3 + Ax + B$
and two points $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$. The m-file will find
the sum $P_1 + P_2 = P_3 = (x_3, y_3)$, where $+$ represents elliptic curve addition.
It takes as its inputs $x_1, y_1, x_2, y_2$ and $A$ and produces $x_3, y_3$ and, if requested,
$m$. In future examples elliptic curve addition is performed with this m-file
to save calculation.
The file is stored in ECAD.m and can be found in Appendix C.1.
Note that if $P$ is a point on an elliptic curve and $k$ is a positive integer,
then $kP$ denotes $P + P + \ldots + P$ (with $k$ summands). If $k < 0$ then
$kP = (-P) + (-P) + \ldots + (-P)$ (with $|k|$ summands).
2.2.1 Prime curve examples
This section contains some examples of working with elliptic curves which
are defined over $\mathbb{Z}_p$. These are often called the prime curves and can be
far simpler to work with as we can reduce modulo $p$ at each stage. These
examples are derived from those in Section 10.3 of [8].
Suppose we have an elliptic curve $E$ over $\mathbb{Z}_p$. In this case we have a
cubic equation in which the variables and coefficients take values in the set
of integers $\{0, 1, \ldots, p - 1\}$ and all calculations are performed modulo $p$:
$y^2 \equiv x^3 + Ax + B \pmod p$
We write $E_p(A, B)$ for the set of integer pairs $(x, y)$ that satisfy the above equation,
together with a point at infinity, $\infty$.
Example 2.2. The set $E_{11}(1, 6)$ is the set of integer pairs $(x, y)$ that satisfy
$y^2 \equiv x^3 + x + 6 \pmod{11}$
We can see that $(x, y) = (7, 9)$ is in this set as
$9^2 \pmod{11} = (7^3 + 7 + 6) \pmod{11}$
$81 \pmod{11} = 356 \pmod{11} \implies 4 = 4$
To find all the points in $E_{11}(1, 6)$ we find all the possible values of $x^3 + x + 6 \pmod p$
and then see what values of $y^2$ will match. There are 11 choices of
$x$, the integers $0, 1, \ldots, 10$. Substituting these values in turn into the cubic and
reducing modulo 11 gives us the possible values of $y^2$:
x = 0: RHS = 6          x = 6:  RHS = 228 ≡ 8
x = 1: RHS = 8          x = 7:  RHS = 356 ≡ 4
x = 2: RHS = 16 ≡ 5     x = 8:  RHS = 526 ≡ 9
x = 3: RHS = 36 ≡ 3     x = 9:  RHS = 744 ≡ 7
x = 4: RHS = 74 ≡ 8     x = 10: RHS = 1016 ≡ 4
x = 5: RHS = 136 ≡ 4
So we can see that the possible values of $y^2$ are 3, 4, 5, 6, 7, 8, 9,
i.e. $y^2$ cannot be 0, 1, 2 or 10.
Next examine the 10 possible values of $y$ and identify which values of $x$
they could be paired with to give a point on the curve.
y = 0: y² = 0        no points       y = 6:  y² = 36 ≡ 3    x = 3
y = 1: y² = 1        no points       y = 7:  y² = 49 ≡ 5    x = 2
y = 2: y² = 4        x = 5, 7, 10    y = 8:  y² = 64 ≡ 9    x = 8
y = 3: y² = 9        x = 8           y = 9:  y² = 81 ≡ 4    x = 5, 7, 10
y = 4: y² = 16 ≡ 5   x = 2           y = 10: y² = 100 ≡ 1   no points
y = 5: y² = 25 ≡ 3   x = 3
So there are 13 points in $E_{11}(1, 6)$ (the 12 found above and $\infty$):
$E_{11}(1, 6) = \{(2, 4), (2, 7), (3, 5), (3, 6), (5, 2), (5, 9), (7, 2), (7, 9), (8, 3), (8, 8), (10, 2), (10, 9), \infty\}$
An m-file, PC.m, to find and plot all the points on a prime curve was constructed
and is stored in Appendix C.2. This m-file takes as its inputs $A$, $B$
and $p$ and produces two vectors $X$, $Y$ which contain all the points $(x, y)$ that
lie on $y^2 \equiv x^3 + Ax + B \pmod p$.
When run on this example it verified that we had found all the
points in $E_{11}(1, 6)$ and plotted the graph below. We can see that the points
are symmetric about the line $y = 5.5$.
We can perform the elliptic curve addition operation on prime curves,
however we reduce modulo $p$ at each step. For example, still considering
$E_{11}(1, 6)$:
If $P = (8, 3)$ then we know that $-P = (8, -3)$. Working modulo 11 we
see that $-P = (8, 8)$, which is also a point in $E_{11}(1, 6)$.
Let $P = (8, 3)$ and $Q = (3, 5)$. Then to find $R = P + Q$:
$m = \frac{5 - 3}{3 - 8} = \frac{2}{-5} \equiv \frac{2}{6} = \frac{1}{3} = 1 \cdot 4 = 4$
The penultimate step involved taking the multiplicative inverse of 3 in
$\mathbb{Z}_{11}$. We now proceed to show that
$x_R = 4^2 - 8 - 3 = 5, \qquad y_R = 4(8 - 5) - 3 = 9$
So in $E_{11}(1, 6)$ we find $(8, 3) + (3, 5) = (5, 9)$.
Again let $P = (8, 3)$. To calculate $2P = P + P$:
$m = \frac{3(8^2) + 1}{2 \cdot 3} = \frac{193}{6} \equiv \frac{6}{6} = 1 \pmod{11}$
Then $x_{2P} = 1^2 - 2(8) = -15 \equiv 7 \pmod{11}$
$y_{2P} = 1(8 - 7) - 3 = -2 \equiv 9 \pmod{11}$
So in $E_{11}(1, 6)$ we find $2(8, 3) = (7, 9)$.
The earlier m-file for performing elliptic curve addition was modified for use
with prime curves. It now reduces modulo $p$ at each stage using Matlab's mod
function and finds the inverse of elements, so the final answer is an element on
a prime curve.
This new m-file is ECADP.m and can be found in Appendix C.3. It
has the same inputs and outputs as ECAD.m but the user must input
$p$ in addition. It makes use of the m-file inve.m which is stored in Appendix
C.4. This m-file takes as its inputs a number $N$ and a prime $p$ and outputs
the inverse of $N$ in the group $\mathbb{Z}_p$.
The m-file ECADP.m was used to calculate the remaining entries in the
addition table overleaf (Table 2.1). In Example 3.4 we show that $(2, 7)$ is a
generator of this group and so it is isomorphic to $\mathbb{Z}_{13}$.
   +    | (2,4)   (2,7)   (3,5)   (3,6)   (5,2)   (5,9)   (7,2)   (7,9)   (8,3)   (8,8)   (10,2)  (10,9)  ∞
--------+----------------------------------------------------------------------------------------------------
 (2,4)  | (5,9)   ∞       (7,2)   (10,2)  (2,7)   (8,8)   (7,9)   (3,6)   (5,2)   (10,9)  (8,3)   (3,5)   (2,4)
 (2,7)  | ∞       (5,2)   (10,9)  (7,9)   (8,3)   (2,4)   (3,5)   (7,2)   (10,2)  (5,9)   (3,6)   (8,8)   (2,7)
 (3,5)  | (7,2)   (10,9)  (8,3)   ∞       (8,8)   (7,9)   (5,2)   (2,7)   (5,9)   (3,6)   (2,4)   (10,2)  (3,5)
 (3,6)  | (10,2)  (7,9)   ∞       (8,8)   (7,2)   (8,3)   (2,4)   (5,9)   (3,5)   (5,2)   (10,9)  (2,7)   (3,6)
 (5,2)  | (2,7)   (8,3)   (8,8)   (7,2)   (10,2)  ∞       (10,9)  (3,5)   (3,6)   (2,4)   (7,9)   (5,9)   (5,2)
 (5,9)  | (8,8)   (2,4)   (7,9)   (8,3)   ∞       (10,9)  (3,6)   (10,2)  (2,7)   (3,5)   (5,2)   (7,2)   (5,9)
 (7,2)  | (7,9)   (3,5)   (5,2)   (2,4)   (10,9)  (3,6)   (2,7)   ∞       (8,8)   (10,2)  (5,9)   (8,3)   (7,2)
 (7,9)  | (3,6)   (7,2)   (2,7)   (5,9)   (3,5)   (10,2)  ∞       (2,4)   (10,9)  (8,3)   (8,8)   (5,2)   (7,9)
 (8,3)  | (5,2)   (10,2)  (5,9)   (3,5)   (3,6)   (2,7)   (8,8)   (10,9)  (7,9)   ∞       (7,2)   (2,4)   (8,3)
 (8,8)  | (10,9)  (5,9)   (3,6)   (5,2)   (2,4)   (3,5)   (10,2)  (8,3)   ∞       (7,2)   (2,7)   (7,9)   (8,8)
 (10,2) | (8,3)   (3,6)   (2,4)   (10,9)  (7,9)   (5,2)   (5,9)   (8,8)   (7,2)   (2,7)   (3,5)   ∞       (10,2)
 (10,9) | (3,5)   (8,8)   (10,2)  (2,7)   (5,9)   (7,2)   (8,3)   (5,2)   (2,4)   (7,9)   ∞       (3,6)   (10,9)
 ∞      | (2,4)   (2,7)   (3,5)   (3,6)   (5,2)   (5,9)   (7,2)   (7,9)   (8,3)   (8,8)   (10,2)  (10,9)  ∞
Table 2.1: The addition table for $E_{11}(1, 6)$. This is the group of points $(x, y)$ that satisfy $y^2 = x^3 + x + 6$ within the field $\mathbb{Z}_{11}$ along with the point $\infty$. This group can be shown to be isomorphic to $\mathbb{Z}_{13}$ and generated by the point $(2, 7)$.
Example 2.3. Consider $E_{23}(1, 1)$, the set of integer pairs $(x, y)$ that satisfy
$y^2 \equiv x^3 + x + 1 \pmod{23}$
Running PC.m with $A = B = 1$ and $p = 23$ produced the plot below.
[Figure: plot of the points of $E_{23}(1, 1)$ produced by PC.m]
Note that all the points, with the exception of $(4, 0)$, are symmetric about
the line $y = 11.5$. If there were another point symmetric to $(4, 0)$ then there
would be a point at $(4, 23)$. However this is equivalent to $(4, 0)$ modulo 23,
so it is as if the $y$-axis was wrapped around to form a circle, the analogy
given earlier.
An m-file to check whether a point lies on a prime curve, check.m,
was created and stored in Appendix C.6. This m-file takes as its inputs
$x, y, A, B, p$ and checks whether the point $(x, y)$ lies on the curve
$y^2 \equiv x^3 + Ax + B \pmod p$
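The group law of Section 2.2 and the prime-curve calculations of this section, as an added Python example (it is not the thesis's Matlab code): a single `add` function implements the four cases of the SUMMARY box for either $\mathbb{Q}$ (exact fractions) or $\mathbb{Z}_p$ (reduce modulo $p$, divide by a modular inverse), which is the only difference between ECAD.m and ECADP.m, and the helpers play the roles of PC.m, check.m and the order computation behind Table 2.1. Running it reproduces Example 2.1, the point list of $E_{11}(1, 6)$, the sums $(8,3) + (3,5)$ and $2(8,3)$, and confirms that $(2, 7)$ has order 13.

```python
"""Elliptic curve group law of Section 2.2, run over Q and over Z_p.

Added example: not the thesis's Matlab m-files (ECAD.m, ECADP.m, PC.m,
check.m), but the same four-case formula from the SUMMARY box, written once
for a generic field.  Over Q the coordinates become exact Fractions; over Z_p
every step is reduced modulo p and division uses a modular inverse.
"""
from fractions import Fraction

INF = None  # the point at infinity (the symbol infinity in the text)


def add(P, Q, A, p=None):
    """Return P + Q on y^2 = x^3 + A x + B (the formulae never need B).

    p=None means exact arithmetic over Q; otherwise p is the prime modulus.
    """
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q

    def fld(v):  # reduce a value into the field being used
        return v % p if p else Fraction(v)

    def inv(v):  # multiplicative inverse: the job of inve.m over Z_p
        return pow(v, -1, p) if p else 1 / Fraction(v)

    if fld(x1 - x2) == 0:
        if fld(y1 + y2) == 0:  # cases 2 and 4: vertical line, sum is infinity
            return INF
        m = fld((3 * x1 * x1 + A) * inv(2 * y1))  # case 3: tangent slope
    else:
        m = fld((y2 - y1) * inv(x2 - x1))  # case 1: chord slope
    x3 = fld(m * m - x1 - x2)
    y3 = fld(m * (x1 - x3) - y1)
    return (x3, y3)


def mul(k, P, A, p=None):
    """kP for k >= 0 by repeated addition, as in the note after Example 2.1."""
    R = INF
    for _ in range(k):
        R = add(R, P, A, p)
    return R


def on_curve(P, A, B, p):
    """check.m: does (x, y) satisfy y^2 = x^3 + A x + B (mod p)?"""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def points(A, B, p):
    """PC.m: all affine points of E_p(A, B), by the x/y matching of Example 2.2."""
    return [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), A, B, p)]


def order(P, A, p):
    """Smallest m >= 1 with mP = infinity (the order defined at the start of Chapter 3)."""
    m, R = 1, P
    while R is not INF:
        R = add(R, P, A, p)
        m += 1
    return m


def addition_table(A, B, p):
    """Table 2.1 as a dict (P, Q) -> P + Q over every point of E_p(A, B), infinity included."""
    pts = points(A, B, p) + [INF]
    return {(P, Q): add(P, Q, A, p) for P in pts for Q in pts}


if __name__ == "__main__":
    # Example 2.1: doubling (-4, 6) on y^2 = x^3 - 25x over Q
    print("2(-4, 6) =", add((-4, 6), (-4, 6), A=-25))
    # Example 2.2 and Table 2.1: E_11(1, 6)
    E = points(1, 6, 11)
    print("E_11(1,6) has", len(E) + 1, "points (with infinity):", E)
    print("(8,3)+(3,5) =", add((8, 3), (3, 5), 1, 11), "  2(8,3) =", mul(2, (8, 3), 1, 11))
    print("order of (2,7) =", order((2, 7), 1, 11))
    #  Example 2.3: (4, 0) lies on E_23(1, 1)
    print("(4,0) on E_23(1,1):", on_curve((4, 0), 1, 1, 23))
```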
Chapter 3
Torsion points and
endomorphisms of elliptic
curves
The order of an element $a$ in any additive abelian group defined by an
elliptic curve is the smallest positive integer $m$ such that $ma = \infty$. If no such
$m$ exists, we say that $a$ has infinite order. Finitely generated abelian groups
can be split into the torsion and torsion-free subgroups, where the former
contains the torsion points, which are those points whose orders are finite.
These points play a large role in the theory of elliptic curves, especially in
elliptic curves defined over finite fields, where all points are torsion. In general
the torsion subgroup is simpler to work with, which is another reason why
elliptic curves over finite fields are of such great interest. In this chapter we
examine the properties of the torsion points as well as deriving some results
for use in Chapter 4. We start by considering endomorphisms of elliptic
curves, which help in our study of the torsion points since multiplication by
$n$ on an elliptic curve can be described as an endomorphism.
3.1 Endomorphisms of elliptic curves
Recall that a homomorphism is a structure-preserving map between two algebraic
structures (in this case, groups). Here we use endomorphism to mean
a homomorphism $\alpha : E(K) \to E(K)$ that is given by rational functions. In
other words, $\alpha(P_1 + P_2) = \alpha(P_1) + \alpha(P_2)$, and there are rational functions
$R_1(x, y)$, $R_2(x, y)$ with coefficients in $K$ such that
$\alpha(x, y) = (R_1(x, y), R_2(x, y))$
for all $(x, y) \in E(K)$. Since $\alpha$ is a homomorphism we have $\alpha(\infty) = \infty$. Also
assume that $\alpha$ is not the trivial endomorphism that maps every point to $\infty$,
denoted by $\alpha = 0$.
Example 3.1. Let $E$ be given by $y^2 = x^3 + Ax + B$ and let $\alpha(P) = 2P$.
Then $\alpha$ is a homomorphism and $\alpha(x, y) = (R_1(x, y), R_2(x, y))$ where
$R_1(x, y) = \left(\frac{3x^2 + A}{2y}\right)^2 - 2x$
$R_2(x, y) = \left(\frac{3x^2 + A}{2y}\right)\left(3x - \left(\frac{3x^2 + A}{2y}\right)^2\right) - y$
Since $\alpha$ is a homomorphism given by rational functions, it is an endomorphism
of $E$.
The following theorem will allow us to use a standard form for the rational
functions that describe an endomorphism.
Theorem 3.1. Let $E$ be given by $y^2 = x^3 + Ax + B$, and defined over a field
$K$. Any endomorphism $\alpha$ can be completely defined by the following, where
$p(x)$, $q(x)$ are polynomials with no common factors and $s(x)$, $t(x)$ likewise.
$\alpha(x, y) = (r_1(x), r_2(x)y) = \left(\frac{p(x)}{q(x)},\ y\frac{s(x)}{t(x)}\right)$
Proof. $\alpha$ is an endomorphism and so can be expressed with rational functions,
$\alpha(x, y) = (R_1(x, y), R_2(x, y))$. Now, since $y^2 = x^3 + Ax + B$ for all $(x, y) \in E(K)$,
we can replace any even power of $y$ by a polynomial in $x$, and any odd
power of $y$ by $y$ times a polynomial in $x$:
$R(x, y) = \frac{p_1(x) + p_2(x)y}{p_3(x) + p_4(x)y}$
We can then rationalize the denominator and replace $y^2$ to get
$R(x, y) = \frac{q_1(x) + q_2(x)y}{q_3(x)} \qquad (3.1)$
Since $\alpha$ is a homomorphism it will preserve the structure of the curve, so
$\alpha(x, -y) = \alpha(-(x, y)) = -\alpha(x, y)$
This means that
$R_1(x, -y) = R_1(x, y), \qquad$ and $\qquad R_2(x, -y) = -R_2(x, y)$
By writing $R_1$ in the form of Equation (3.1) we can see that $q_2(x) = 0$, and
similarly with $R_2$ we find that $q_1(x) = 0$. Therefore we may assume that
$\alpha(x, y) = (r_1(x), r_2(x)y)$
for rational functions $r_1(x)$, $r_2(x)$.
We must still consider what happens when one of the rational functions
is not defined at a point. Write
$r_1(x) = \frac{p(x)}{q(x)}, \qquad$ and $\qquad r_2(x) = \frac{s(x)}{t(x)}$
with polynomials $p(x)$, $q(x)$ that do not have a common factor and $s(x)$, $t(x)$
likewise. If $q(x) = 0$ at some point $(x, y)$ then we assume that $\alpha(x, y) = \infty$.
If $q(x) \neq 0$ then part (ii) of Lemma 3.2 below shows that $r_2(x)$ will also be
defined. This completes the proof of Theorem 3.1. $\square$
Lemma 3.2. Let
$\alpha(x, y) = \left(\frac{p(x)}{q(x)},\ y\frac{s(x)}{t(x)}\right)$
be an endomorphism of the elliptic curve $E$ given by $y^2 = x^3 + Ax + B$. Let
$p, q$ be polynomials with no common root, and $s, t$ likewise. Then
(i) There is a polynomial $u(x)$, having no common root with $q$, such that
$\frac{(x^3 + Ax + B)s(x)^2}{t(x)^2} = \frac{u(x)}{q(x)^3}$
(ii) $t(x_0) = 0$ if and only if $q(x_0) = 0$.
Proof. (i) Because $\alpha$ is an endomorphism, the point $\alpha(x, y)$ also lies on the
elliptic curve $E$. Hence
$\frac{(x^3 + Ax + B)s(x)^2}{t(x)^2} = \frac{y^2 s(x)^2}{t(x)^2} = \left(y\frac{s(x)}{t(x)}\right)^2 = \left(\frac{p(x)}{q(x)}\right)^3 + A\frac{p(x)}{q(x)} + B = \frac{p(x)^3 + Ap(x)q(x)^2 + Bq(x)^3}{q(x)^3} \equiv \frac{u(x)}{q(x)^3}$
where $u(x) = p(x)^3 + Ap(x)q(x)^2 + Bq(x)^3$. We still need to show that $u(x)$
and $q(x)$ do not share a root.
Suppose $q(a) = 0$. If $u(a) = 0$ also, then
$u(a) = p(a)^3 + Ap(a)q(a)^2 + Bq(a)^3 = 0$
$p(a)^3 = 0 \implies p(a) = 0$
We assumed $p(x)$ and $q(x)$ shared no common roots so this cannot happen.
Therefore if $q(a) = 0$ then $u(a) \neq 0$, meaning $u$ and $q$ have no common roots.
(ii) From part (i) we know that
$(x^3 + Ax + B)s(x)^2 q(x)^3 = t(x)^2 u(x)$
Then if $q(x_0) = 0$ we have
$t(x_0)^2 u(x_0) = 0$
Now we know that $u$ and $q$ do not share a common root so $u(x_0) \neq 0$, therefore
$t(x_0) = 0$ as required.
To prove the converse, suppose $t(x_0) = 0$. Then
$(x_0^3 + Ax_0 + B)s(x_0)^2 q(x_0)^3 = 0$
But $s(x_0) \neq 0$ because $t$ and $s$ are assumed to have no common roots, so
$(x_0^3 + Ax_0 + B)q(x_0)^3 = 0$
We now consider the following two cases.
a) If $x_0^3 + Ax_0 + B \neq 0$ then $q(x_0)^3 = 0$, so $q(x_0) = 0$ and we are done.
b) If $x_0^3 + Ax_0 + B = 0$ then $(x - x_0)$ divides $(x^3 + Ax + B)$, so
$x^3 + Ax + B = (x - x_0)Q(x)$
where $Q(x_0) \neq 0$ as we have assumed no multiple roots. Now because
$t(x_0) = 0$ we can make a similar factorisation to get $t(x) = (x - x_0)T(x)$
for some polynomial $T(x)$. Now we can consider again the equation from
part (i):
$(x^3 + Ax + B)s(x)^2 q(x)^3 = t(x)^2 u(x)$
$(x - x_0)Q(x)s(x)^2 q(x)^3 = [(x - x_0)T(x)]^2 u(x)$
$q(x)^3 Q(x)s(x)^2 = (x - x_0)T(x)^2 u(x)$
Now when $x = x_0$ we get
$q(x_0)^3 Q(x_0)s(x_0)^2 = 0$
We have already shown that $s(x_0) \neq 0$ and that $Q(x_0) \neq 0$, so we have
$q(x_0) = 0$ as required. $\square$
Define the degree of $\alpha$ to be $\deg(\alpha) = \max\{\deg(p(x)), \deg(q(x))\}$ if $\alpha$
is non-trivial. If $\alpha = 0$ then define $\deg(\alpha) = 0$.
Define $\alpha \neq 0$ to be a separable endomorphism if the derivative $r_1'(x)$ is
not identically zero. (Recall that if a function is identically zero then it is the
zero function, as opposed to merely zero at a particular point.) By Lemma
3.3 below, this is equivalent to saying that at least one of $p'(x)$ and $q'(x)$ is
not identically zero.
Lemma 3.3. Let $p(x), q(x)$ be polynomials with no common roots. Then
\[
\frac{d}{dx}\left(\frac{p(x)}{q(x)}\right) = 0 \quad\text{if and only if}\quad p'(x) = 0 \text{ and } q'(x) = 0.
\]
Proof Using the quotient rule
\[
\frac{d}{dx}\left(\frac{p(x)}{q(x)}\right) = \frac{q(x)p'(x) - p(x)q'(x)}{q(x)^2}.
\]
So if $r_1'(x) = 0$ then $q(x)p'(x) - p(x)q'(x) = 0$. Suppose for a contradiction that $p'(x) \neq 0$. We can then write
\[
q(x) = \frac{p(x)q'(x)}{p'(x)}.
\]
Let $x_0$ be a root of $q(x)$; then by assumption $p(x_0) \neq 0$. We can then consider the following two cases.
(i) If $x_0$ is not a root of $q'(x)$, then $q'(x_0) \neq 0$. Setting $x = x_0$ in $q(x)p'(x) = p(x)q'(x)$ gives
\[
0 = q(x_0)p'(x_0) = p(x_0)q'(x_0).
\]
But $p(x_0) \neq 0$ and $q'(x_0) \neq 0$, so we have a contradiction.
(ii) If $x_0$ is a root of $q'(x)$ then
\[
q(x) = (x - x_0)^n Q(x), \qquad q'(x) = (x - x_0)^m R(x)
\]
where $Q(x_0) \neq 0$, $R(x_0) \neq 0$ and $m < n$. (Here $m < n$ because differentiating lowers the multiplicity of the root $x_0$ by one; this step requires that the characteristic does not divide $n$, since $q'(x) = (x - x_0)^{n-1}(nQ(x) + (x - x_0)Q'(x))$.) Then substituting gives
\[
(x - x_0)^n Q(x) = \frac{p(x)(x - x_0)^m R(x)}{p'(x)}, \qquad (x - x_0)^r Q(x) = \frac{p(x)R(x)}{p'(x)}
\]
where $r = n - m > 0$. Multiplying through by $p'(x)$ and setting $x = x_0$ gives
\[
0 = p(x_0)R(x_0).
\]
But $p(x_0) \neq 0$ and $R(x_0) \neq 0$, so we have a contradiction.
So we must have $p'(x) = 0$. The proof that $q'(x) = 0$ is similar, with the roles of $p$ and $q$ reversed. □
Example 3.2. Consider again $\alpha(P) = 2P$, which had
\[
R_1(x, y) = \left(\frac{3x^2 + A}{2y}\right)^2 - 2x.
\]
Substituting in for $y^2$ and simplifying yields
\[
r_1 = \frac{x^4 - 2Ax^2 - 8Bx + A^2}{4(x^3 + Ax + B)}.
\]
Therefore $\deg(\alpha) = 4$. Note that $q'(x) = 4(3x^2 + A)$, which is not zero. This remains true in characteristic 3, where $q'(x)$ reduces to $4A$: if we had $A = 0$ the curve would be $y^2 = x^3 + B$, which has multiple roots in characteristic 3 ($27B^2 \equiv 0$), contrary to assumption. Therefore $\alpha$ is a separable endomorphism.
Example 3.3. We now repeat the previous example in characteristic 2, using the formula from Appendix A.3 for doubling a point.
If $y^2 + xy = x^3 + a_2x^2 + a_6$ we have
\[
\alpha(x, y) = (r_1(x), R_2(x, y))
\]
with $r_1(x) = (x^4 + a_6)/x^2$. Therefore $\deg(\alpha) = 4$. Since $p'(x) = 4x^3 \equiv 0$ and $q'(x) = 2x \equiv 0$, the endomorphism is not separable.
Similarly in the case $y^2 + a_3y = x^3 + a_4x + a_6$ we have $r_1(x) = (x^4 + a_4^2)/a_3^2$. Therefore $\deg(\alpha) = 4$ but $\alpha$ is not separable.
In general, in characteristic $p$ the map $\alpha(Q) = pQ$ has degree $p^2$ and is not separable.
Suppose $E$ is defined over the finite field $\mathbb{F}_q$. Then we define the Frobenius map as
\[
\phi_q(x, y) = (x^q, y^q).
\]
Lemma 3.4. Let $E$ be defined over $\mathbb{F}_q$. Then $\phi_q$ is an endomorphism of $E$ with degree $q$, and $\phi_q$ is not separable.
Proof The main task of this proof is to show that $\phi_q : E(\overline{\mathbb{F}}_q) \to E(\overline{\mathbb{F}}_q)$ is a homomorphism. So we need to show that if $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ then $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_3, y_3)$ for all the possible combinations of $(x_1, y_1)$ and $(x_2, y_2) \in E(\overline{\mathbb{F}}_q)$. Throughout the proof we can use Proposition B.14 because $E$ is defined over $\mathbb{F}_q$. This stated that
\[
\phi_q(x + y) = \phi_q(x) + \phi_q(y), \qquad \phi_q(xy) = \phi_q(x)\phi_q(y).
\]
(i) If $x_1 \neq x_2$ then $(x_3, y_3)$ is given by
\[
x_3 = m^2 - x_1 - x_2, \qquad y_3 = m(x_1 - x_3) - y_1, \qquad m = \frac{y_2 - y_1}{x_2 - x_1}.
\]
Now consider the sum of $\phi_q(x_1, y_1)$ and $\phi_q(x_2, y_2)$, given by $(X, Y)$ where
\[
\begin{aligned}
X &= \left(\frac{y_2^q - y_1^q}{x_2^q - x_1^q}\right)^2 - x_1^q - x_2^q
= \left(\frac{(y_2 - y_1)^q}{(x_2 - x_1)^q}\right)^2 - x_1^q - x_2^q
= \left(\left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2\right)^q = x_3^q \\
Y &= \left(\frac{y_2^q - y_1^q}{x_2^q - x_1^q}\right)(x_1^q - x_3^q) - y_1^q
= \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^q (x_1 - x_3)^q - y_1^q
= \left(\left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3) - y_1\right)^q = y_3^q
\end{aligned}
\]
So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_3^q, y_3^q) = \phi_q(x_3, y_3)$ as required.
(ii) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 \neq 0$ then $(x_3, y_3)$ is given by
\[
x_3 = m^2 - 2x_1, \qquad y_3 = m(x_1 - x_3) - y_1, \qquad m = \frac{3x_1^2 + A}{2y_1}.
\]
We now show that the sum of $\phi_q(x_1, y_1)$ and $\phi_q(x_2, y_2)$, given by $(X, Y)$, is $\phi_q(x_3, y_3)$ as before. We use $2^q = 2$, $3^q = 3$, $A^q = A$, since $2, 3, A \in \mathbb{F}_q$.
\[
\begin{aligned}
X &= \left(\frac{3x_1^{2q} + A}{2y_1^q}\right)^2 - 2x_1^q
= \left(\frac{3^q x_1^{2q} + A^q}{2^q y_1^q}\right)^2 - 2x_1^q
= \left(\frac{(3x_1^2 + A)^q}{(2y_1)^q}\right)^2 - 2x_1^q
= \left(\left(\frac{3x_1^2 + A}{2y_1}\right)^2 - 2x_1\right)^q = x_3^q \\
Y &= \left(\frac{3x_1^{2q} + A}{2y_1^q}\right)(x_1^q - x_3^q) - y_1^q
= \left(\frac{3x_1^2 + A}{2y_1}\right)^q (x_1 - x_3)^q - y_1^q
= \left(\left(\frac{3x_1^2 + A}{2y_1}\right)(x_1 - x_3) - y_1\right)^q = y_3^q
\end{aligned}
\]
So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_3^q, y_3^q) = \phi_q(x_3, y_3)$ as required.
(iii) If $x_1 = x_2$ but $y_1 \neq y_2$ (so $y_2 = -y_1$) then $(x_3, y_3) = \infty$. So
\[
\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_1, y_1) + \phi_q(x_1, -y_1) = (x_1^q, y_1^q) + (x_1^q, -y_1^q).
\]
The final equality uses the fact that $(-y)^q = -y^q$: if $q$ is odd this is immediate, and if $q$ is a power of 2 then $-1 = 1$ in $\mathbb{F}_q$, so both sides agree as well. Now, by definition the sum of a point on an elliptic curve and its reflection in the $x$-axis is the point $\infty$, so
\[
\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty.
\]
Finally we note that
\[
\phi_q(\infty) = \phi_q((X, Y) + (X, -Y)) = \phi_q(X, Y) + \phi_q(X, -Y) = (X^q, Y^q) + (X^q, -Y^q) = \infty.
\]
So $\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty = \phi_q(x_3, y_3)$ as required.
(iv) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 = 0$, then $(x_3, y_3) = \infty$ by definition. Then
\[
\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = (x_1^q, 0) + (x_1^q, 0) = \infty.
\]
We showed in the case above that $\phi_q(\infty) = \infty$, so
\[
\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \infty = \phi_q(\infty) = \phi_q(x_3, y_3)
\]
as required.
(v) If one of the points, say $(x_2, y_2)$, is $\infty$ then $(x_3, y_3) = (x_1, y_1)$. So
\[
\phi_q(x_1, y_1) + \phi_q(x_2, y_2) = \phi_q(x_1, y_1) + \infty = \phi_q(x_1, y_1) = \phi_q(x_3, y_3)
\]
as required.
So we have shown that $\phi_q$ is a homomorphism. Since $\phi_q(x, y) = (x^q, y^q)$, the map is given by rational functions, making $\phi_q$ an endomorphism. We can clearly see that the degree is $q$, and since $q \equiv 0$ in $\mathbb{F}_q$, the derivative of $r_1(x) = x^q$ is identically zero, meaning $\phi_q$ is not separable. □
The following is the key result of this section, which allows us to relate the degree of an endomorphism to the size of its kernel. If a homomorphism maps from $G$ to $H$ then the kernel is the set of elements mapped to $e_H$, the identity of $H$. Since a group homomorphism preserves identity elements, the identity element $e_G$ of $G$ must belong to the kernel. If this is the only element of the kernel then the homomorphism is injective.
Theorem 3.5. Let $\alpha \neq 0$ be a separable endomorphism of an elliptic curve $E$. Then
\[
\deg(\alpha) = \#\operatorname{Ker}(\alpha)
\]
where $\operatorname{Ker}(\alpha)$ is the kernel of the homomorphism $\alpha : E(\overline{K}) \to E(\overline{K})$. If $\alpha$ is not separable then
\[
\deg(\alpha) > \#\operatorname{Ker}(\alpha).
\]
Proof Write $\alpha(x, y) = (r_1(x), yr_2(x))$ with $r_1(x) = p(x)/q(x)$, as above. Assume first that $\alpha$ is a separable endomorphism, so $r_1' \neq 0$:
\[
r_1' = [p(x)q(x)^{-1}]' = p'(x)q(x)^{-1} - p(x)q(x)^{-2}q'(x) \neq 0.
\]
So we can multiply by $q(x)^2$ to see that $p'q - pq'$ is not the zero polynomial.
Let $S$ be the set of $x \in \overline{K}$ such that $(pq' - p'q)(x)\,q(x) = 0$. Since neither $pq' - p'q$ nor $q(x)$ is the zero polynomial, $S$ is the set of zeros of a non-zero polynomial and hence finite. Its image under $r_1(x)$ will hence be finite as well.
Let $(a, b) \in E(\overline{K})$ be such that
(i) $a \neq 0$, $b \neq 0$, $(a, b) \neq \infty$.
(ii) $\deg(p(x) - aq(x)) = \max\{\deg(p), \deg(q)\} = \deg(\alpha)$.
(iii) $a \notin r_1(S)$.
(iv) $(a, b) \in \alpha(E(\overline{K}))$.
We must prove that such an $(a, b)$ exists. Consider each of the conditions in turn:
(i) There are infinitely many $(a, b) \in E(\overline{K})$ since $\overline{K}$ is algebraically closed. So clearly we can exclude those with $a = 0$, $b = 0$ or $(a, b) = \infty$.
(ii) Let $p(x) = cx^n + $ lower order terms and $q(x) = dx^m + $ lower order terms. If $\deg(p) > \deg(q)$ then $n > m$, so $p - aq$ will clearly have degree $n$ as required. Similarly if $\deg(p) < \deg(q)$ then the condition will always hold. So consider what happens when $n = m$. The condition will only fail if $c - ad = 0$, that is, for the single value $a = c/d$, so we need only avoid the (at most two) points with that $x$-coordinate.
(iii) We can always find a point that satisfies this condition, as $r_1(S)$ is finite but we have an infinite number of points.
(iv) There are infinitely many points in $E(\overline{K})$. If the set $\{r_1(x) \mid (x, y) \in E(\overline{K})\}$ were finite then for at least one $k \in \overline{K}$ there would be infinitely many $x$ with $k = r_1(x)$. This would mean that $r_1(x) - k = 0$ for infinitely many $x$, which implies that $r_1(x)$ is a constant; that would make its derivative zero and give us a contradiction. Hence $r_1(E(\overline{K}))$ is infinite, making $\alpha(E(\overline{K}))$ an infinite set. So we can always find $(a, b) \in \alpha(E(\overline{K}))$.
So such a point $(a, b)$ exists. We want to prove that there are exactly $\deg(\alpha)$ points $(x_1, y_1) \in E(\overline{K})$ such that $\alpha(x_1, y_1) = (a, b)$. For such a point we have
\[
\frac{p(x_1)}{q(x_1)} = a, \qquad y_1 r_2(x_1) = b.
\]
Since $(a, b) \neq \infty$ we must have $q(x_1) \neq 0$, so by Lemma 3.2 $r_2(x_1)$ is defined. Since $b \neq 0$ and $y_1 r_2(x_1) = b$ we know that $r_2(x_1) \neq 0$, so we can set $y_1 = b/r_2(x_1)$. Therefore $x_1$ determines $y_1$, so we need only count how many values of $x_1$ satisfy
\[
p(x_1) = aq(x_1) \iff p(x_1) - aq(x_1) = 0.
\]
By assumption (ii), $p(x) - aq(x) = 0$ has $\deg(\alpha)$ roots counting multiplicities, so if all the roots are distinct we are done. We must show that $p - aq$ has no multiple roots. Suppose that $x_0$ is a multiple root of $p - aq$. Then we know that both the polynomial and its derivative are zero there:
\[
\begin{aligned}
p(x_0) - aq(x_0) = 0 &\implies p(x_0) = aq(x_0) \\
p'(x_0) - aq'(x_0) = 0 &\implies aq'(x_0) = p'(x_0)
\end{aligned}
\]
Multiplying the two equations yields
\[
ap(x_0)q'(x_0) = ap'(x_0)q(x_0).
\]
Since $a \neq 0$,
\[
p(x_0)q'(x_0) - p'(x_0)q(x_0) = 0,
\]
which implies that $x_0$ is a root of $pq' - p'q$, so $x_0 \in S$. Therefore $a = r_1(x_0) \in r_1(S)$, which is contrary to assumption. Therefore $p - aq$ has $\deg(\alpha)$ distinct roots, and hence there are $\deg(\alpha)$ points $(x_1, y_1) \in E(\overline{K})$ such that $\alpha(x_1, y_1) = (a, b)$.
Since $\alpha$ is a homomorphism and this holds for the point $(a, b)$, it will hold for all $(a, b) \in \alpha(E(\overline{K}))$, including the identity, meaning the kernel of $\alpha$ has $\deg(\alpha)$ elements.
If $\alpha$ is not separable then the above steps hold, but $p' - aq'$ is always the zero polynomial, so $p(x) - aq(x) = 0$ always has multiple roots and so fewer than $\deg(\alpha)$ solutions. □
Theorem 3.6. Let $E$ be an elliptic curve defined over a field $K$. Let $\alpha \neq 0$ be an endomorphism of $E$. Then $\alpha : E(\overline{K}) \to E(\overline{K})$ is surjective.
Proof Let $(a, b) \in E(\overline{K})$. We want to prove that there is a point $(x, y) \in E(\overline{K})$ that maps to it. Since $\alpha(\infty) = \infty$, we may assume that $(a, b) \neq \infty$. Let $r_1(x) = p(x)/q(x)$ as above. We consider two cases:
(i) If $p(x) - aq(x)$ is not a constant then it has a root, at $x_0$ say. Since $p$ and $q$ have no common roots we know $q(x_0) \neq 0$ (if it were zero, then it would imply $p(x_0) = 0$, which is contrary to assumptions). So
\[
p(x_0) - aq(x_0) = 0 \implies a = \frac{p(x_0)}{q(x_0)}.
\]
Choose $y_0 \in \overline{K}$ to be either square root of $x_0^3 + Ax_0 + B$. Then $\alpha(x_0, y_0)$ is defined and equals $(a, b')$ for some $b'$. Since $(b')^2 = a^3 + Aa + B = b^2$ we have $b = \pm b'$. If $b' = b$ then we have found our point $(x, y)$ that maps to $(a, b)$ and we are done. If $b' = -b$ then $\alpha(x_0, -y_0) = (a, -b') = (a, b)$.
(ii) Now consider the case when $p - aq$ is constant. Since $E(\overline{K})$ is infinite and the kernel of $\alpha$ is finite, only finitely many points of $E(\overline{K})$ can map to a point with a given $x$-coordinate. So either $p(x)$ or $q(x)$ is not constant; and if exactly one of them were constant then $p - aq$ could not be constant. So $p$ and $q$ are both non-constant, and then there is at most one value of $a$ for which $p - aq$ is constant. Therefore there are at most two points, $(a, b)$ and $(a, -b)$, that are not mapped to by $\alpha$. Let $(a_1, b_1) = \alpha(P_1)$ be any other point. We can choose it such that $(a_1, b_1) + (a, b) \neq \pm(a, b)$. So there exists $P_2$ with $\alpha(P_2) = (a_1, b_1) + (a, b)$. Then $\alpha(P_2 - P_1) = (a, b)$ and $\alpha(P_1 - P_2) = (a, -b)$. So every point $(a, b)$ is mapped to by $\alpha$.
We have shown that if $\alpha \neq 0$ is an endomorphism of $E$ then every point $(a, b) \in E(\overline{K})$ is mapped to by a point $(x, y) \in E(\overline{K})$. Therefore $\alpha$ is surjective. □
We next want to derive a criterion for separability (Proposition 3.10). If $(x, y)$ is a point on $y^2 = x^3 + Ax + B$, then we can differentiate to get
\[
2yy' = 3x^2 + A.
\]
Similarly we can differentiate a rational function to get
\[
\frac{d}{dx}f(x, y) = f_x(x, y) + f_y(x, y)\,y'
\]
where $f_x$ and $f_y$ are the partial derivatives.
Lemma 3.7. Let $E$ be the elliptic curve $y^2 = x^3 + Ax + B$. Fix a point $(u, v)$ on $E$. For any point $(x, y)$ with $x \neq u$,
\[
(u, v) + (x, y) = (f(x, y), g(x, y))
\]
where $f(x, y)$ and $g(x, y)$ are rational functions whose coefficients depend on $(u, v)$. Then
\[
\frac{\frac{d}{dx}f(x, y)}{g(x, y)} = \frac{1}{y}.
\]
Proof From the addition formulas we have
\[
\begin{aligned}
f(x, y) &= \left(\frac{y - v}{x - u}\right)^2 - u - x \\
g(x, y) &= \left(\frac{y - v}{x - u}\right)\left(u - \left(\frac{y - v}{x - u}\right)^2 + u + x\right) - v \\
&= \left(\frac{y - v}{x - u}\right)\left(\frac{2u(x - u)^2 - (y - v)^2 + x(x - u)^2}{(x - u)^2}\right) - v \\
&= \frac{-(y - v)^3 + x(y - v)(x - u)^2 + 2u(y - v)(x - u)^2 - v(x - u)^3}{(x - u)^3}
\end{aligned}
\]
Then using the quotient rule we can calculate
\[
\begin{aligned}
\frac{d}{dx}f(x, y) &= \frac{2(x - u)^2(y - v)y' - 2(y - v)^2(x - u)(1)}{(x - u)^4} - 1 \\
&= \frac{2y'(y - v)(x - u) - 2(y - v)^2 - (x - u)^3}{(x - u)^3}
\end{aligned}
\]
Because $2yy' = 3x^2 + A$ we can substitute for $y'$ to give
\[
\begin{aligned}
\frac{d}{dx}f(x, y) &= \frac{2\left(\frac{3x^2 + A}{2y}\right)(y - v)(x - u) - 2(y - v)^2 - (x - u)^3}{(x - u)^3} \\
&= \frac{(3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3}{y(x - u)^3}
\end{aligned}
\]
so that
\[
y\frac{d}{dx}f(x, y) - g(x, y) = \frac{(3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3}{(x - u)^3} + \frac{(y - v)^3 - x(y - v)(x - u)^2 - 2u(y - v)(x - u)^2 + v(x - u)^3}{(x - u)^3}.
\]
Then
\[
\begin{aligned}
(x - u)^3\left(y\frac{d}{dx}f(x, y) - g(x, y)\right) &= (3x^2 + A)(y - v)(x - u) - 2y(y - v)^2 - y(x - u)^3 \\
&\quad + (y - v)^3 - x(y - v)(x - u)^2 - 2u(y - v)(x - u)^2 + v(x - u)^3 \\
&= -Avx + vu^3 - yu^3 + yv^2 + y^2v - Ayu + Avu - y^3 - v^3 + x^3y - x^3v + Ayx \\
&= v[Au + u^3 - v^2 - Ax - x^3 + y^2] + y[-Au - u^3 + v^2 + Ax + x^3 - y^2]
\end{aligned}
\]
Because $(u, v)$ and $(x, y)$ lie on $E$ we can use $v^2 = u^3 + Au + B$ and $y^2 = x^3 + Ax + B$ to reduce the above expression:
\[
\begin{aligned}
(x - u)^3\left(y\frac{d}{dx}f(x, y) - g(x, y)\right) &= v[Au + u^3 - (u^3 + Au + B) - Ax - x^3 + (x^3 + Ax + B)] \\
&\quad + y[-Au - u^3 + (u^3 + Au + B) + Ax + x^3 - (x^3 + Ax + B)] \\
&= v[-B + B] + y[B - B] = 0
\end{aligned}
\]
Then because $x \neq u$ this implies
\[
y\frac{d}{dx}f(x, y) = g(x, y),
\]
which can be rearranged to give the desired result. □
Lemma 3.8. Let $\alpha_1, \alpha_2, \alpha_3$ be non-zero endomorphisms of an elliptic curve $E$ with $\alpha_1 + \alpha_2 = \alpha_3$. Write $\alpha_j(x, y) = (R_{\alpha_j}(x), yS_{\alpha_j}(x))$. Suppose there are constants $c_{\alpha_1}, c_{\alpha_2}$ such that
\[
\frac{R_{\alpha_1}'(x)}{S_{\alpha_1}(x)} = c_{\alpha_1} \quad\text{and}\quad \frac{R_{\alpha_2}'(x)}{S_{\alpha_2}(x)} = c_{\alpha_2}.
\]
Then
\[
\frac{R_{\alpha_3}'(x)}{S_{\alpha_3}(x)} = c_{\alpha_1} + c_{\alpha_2}.
\]
Proof Let $(x_1, y_1)$ and $(x_2, y_2)$ be variable points on $E$, with $x_1 \neq x_2$. Write
\[
(x_3, y_3) = (x_1, y_1) + (x_2, y_2)
\]
where
\[
(x_1, y_1) = \alpha_1(x, y), \qquad (x_2, y_2) = \alpha_2(x, y).
\]
Then $x_3$ and $y_3$ are rational functions of $x_1, y_1, x_2, y_2$, which in turn are rational functions of $x, y$. By Lemma 3.7 with $(x, y) = (x_1, y_1)$ and $(u, v) = (x_2, y_2)$,
\[
\frac{\partial x_3}{\partial x_1} = \frac{y_3}{y_1}.
\]
Similarly, with $(x, y) = (x_2, y_2)$ and $(u, v) = (x_1, y_1)$,
\[
\frac{\partial x_3}{\partial x_2} = \frac{y_3}{y_2}.
\]
By assumption
\[
\frac{dx_j}{dx} = c_{\alpha_j}\frac{y_j}{y} \qquad \text{for } j = 1, 2.
\]
So by the chain rule
\[
\frac{dx_3}{dx} = \frac{\partial x_3}{\partial x_1}\frac{dx_1}{dx} + \frac{\partial x_3}{\partial x_2}\frac{dx_2}{dx}
= \frac{y_3}{y_1}c_{\alpha_1}\frac{y_1}{y} + \frac{y_3}{y_2}c_{\alpha_2}\frac{y_2}{y}
= (c_{\alpha_1} + c_{\alpha_2})\frac{y_3}{y}.
\]
Then dividing by $y_3/y$ gives the result. □
Proposition 3.9. Let $E$ be an elliptic curve defined over a field $K$, and let $n$ be a nonzero integer. Suppose that multiplication by $n$ on $E$ is given by
\[
n(x, y) = (R_n(x), yS_n(x))
\]
for all $(x, y) \in E(\overline{K})$, where $R_n$ and $S_n$ are rational functions. Then
\[
\frac{R_n'(x)}{S_n(x)} = n.
\]
This then implies that multiplication by $n$ is separable if and only if $n$ is not a multiple of the characteristic $p$ of the field.
Proof We showed earlier that $R_{-n} = R_n$ and $S_{-n} = -S_n$, and so we have $R_{-n}'/S_{-n} = -R_n'/S_n$. Therefore the result for positive $n$ will imply the result for negative $n$.
We will prove that $R_n'(x)/S_n(x) = n$ for all positive $n$ using proof by mathematical induction (PMI). We can see this is trivially true for $n = 1$, since $R_1(x) = x$ and $S_1(x) = 1$. Suppose that it is true for $n$; then Lemma 3.8, applied to $\alpha_1 = n$ and $\alpha_2 = 1$, implies that it is true for the sum, $n + 1$. Therefore
\[
\frac{R_n'(x)}{S_n(x)} = n \qquad \forall\, n \geq 1
\]
by PMI. This, coupled with the fact that if it holds for positive $n$ then it holds for negative $n$, implies the result for all integers $n$.
Now for multiplication by $n$ to be separable we need $R_n'(x) \neq 0$. This will be the case if and only if $n = R_n'(x)/S_n(x) \neq 0$, which is equivalent to $p$ not dividing $n$. So this proves the second part of the proposition: multiplication by $n$ is separable if and only if $p \nmid n$. □
Proposition 3.10. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$, where $q$ is a power of the prime $p$. Let $r$ and $s$ be integers, not both 0. The endomorphism $r\phi_q + s$ is separable if and only if $p \nmid s$. ($\phi_q$ is the Frobenius map.)
Proof Let the endomorphism that describes multiplication by $r$ be
\[
r(x, y) = (R_r(x), yS_r(x)).
\]
Then the endomorphism for multiplication by $r\phi_q$ is
\[
\begin{aligned}
(R_{r\phi_q}(x), yS_{r\phi_q}(x)) = (r\phi_q)(x, y) = r(x^q, y^q) &= (R_r(x^q), y^qS_r(x^q)) = (R_r(x)^q, y^qS_r(x)^q) \\
&= (R_r(x)^q, y(x^3 + Ax + B)^{(q-1)/2}S_r(x)^q)
\end{aligned}
\]
where $R_r(x^q) = R_r(x)^q$ and $S_r(x^q) = S_r(x)^q$ because $R_r$ and $S_r$ have coefficients in $\mathbb{F}_q$. Therefore
\[
c_{r\phi_q} = \frac{R_{r\phi_q}'}{S_{r\phi_q}} = \frac{qR_r^{q-1}R_r'}{S_{r\phi_q}} = 0.
\]
Also $c_s = R_s'/S_s = s$ by Proposition 3.9. So by Lemma 3.8
\[
\frac{R_{r\phi_q + s}'}{S_{r\phi_q + s}} = c_{r\phi_q + s} = c_{r\phi_q} + c_s = 0 + s = s.
\]
Therefore $R_{r\phi_q + s}' \neq 0$ (and hence the endomorphism is separable) if and only if $p \nmid s$. □
3.2 Torsion points
The torsion points are those points in $E$ whose orders are finite. Let $E$ be an elliptic curve defined over a field $K$, with algebraic closure $\overline{K}$, and let $n$ be a positive integer. For a given $n$ we define the subgroup
\[
E[n] = \{P \in E(\overline{K}) \mid nP = \infty\}.
\]
This group acts as the kernel of the multiplication by $n$ endomorphism, which maps $x \mapsto nx$. We will start by looking at the form of $E[2]$ and $E[3]$ before moving on to the general case.
When the characteristic is not two, $E$ can be expressed in the form
\[
y^2 = x^3 + a_2'x^2 + a_4'x + a_6' = (x - e_1)(x - e_2)(x - e_3)
\]
with $e_1, e_2, e_3 \in \overline{K}$. It is easy to calculate $E[2]$, as a point satisfies $2P = \infty$ if and only if the tangent line at $P$ is vertical. When we have a curve in characteristic not 2 this only happens when $y = 0$, so
\[
E[2] = \{\infty, (e_1, 0), (e_2, 0), (e_3, 0)\}.
\]
Because $E[n]$ is a finite abelian group we can apply Theorem B.6 here. When the characteristic is not 2, $E[2]$ is a group of order 4 and so isomorphic to either $\mathbb{Z}_4$ or $\mathbb{Z}_2 \oplus \mathbb{Z}_2$. We know the group is not cyclic as all points have order 2, so we conclude that in this case
\[
E[2] \cong \mathbb{Z}_2 \oplus \mathbb{Z}_2.
\]
If the characteristic is 2 then, from Appendix A.3, $E$ has one of the following forms
\[
\begin{aligned}
\text{(I)}\quad & y^2 + xy + x^3 + a_2x^2 + a_6 = 0 \\
\text{(II)}\quad & y^2 + a_3y + x^3 + a_4x + a_6 = 0
\end{aligned}
\]
In the first case $a_6 \neq 0$ and in the second case $a_3 \neq 0$, otherwise the curves would be singular. If $P = (x, y)$ is a point of order 2 then once again the tangent at $P$ must be vertical. This time, however, the curve is not symmetric about the $x$-axis, so we look for the points where the partial derivative with respect to $y$ vanishes:
\[
\begin{aligned}
\text{(I)}\quad & f_y = 2y + x \equiv x \pmod 2 \\
\text{(II)}\quad & f_y = 2y + a_3 \equiv a_3 \pmod 2
\end{aligned}
\]
So in the first case we need $x = 0$, meaning $0 = y^2 + a_6 = (y + \sqrt{a_6})^2$. Therefore $(0, \sqrt{a_6})$ is the only point of order 2 and
\[
E[2] = \{\infty, (0, \sqrt{a_6})\} \cong \mathbb{Z}_2.
\]
In the second case the partial derivative with respect to $y$ is $a_3 \neq 0$. Therefore there is no point of order 2, so
\[
E[2] = \{\infty\} \cong \mathbb{Z}_1.
\]
We denote the group with only one element by 0. The following proposition summarises these results.
Proposition 3.11. Let $E$ be an elliptic curve over a field $K$. If the characteristic of $K$ is not 2 then
\[
E[2] \cong \mathbb{Z}_2 \oplus \mathbb{Z}_2.
\]
If the characteristic of $K$ is 2 then $E[2] \cong 0$ or $\mathbb{Z}_2$.
Now consider $E[3]$. Assume first that the characteristic is neither 2 nor 3, in which case $E$ is given by $y^2 = x^3 + Ax + B$. A point $P$ satisfies $3P = \infty$ if and only if $2P = -P$. This means that the $x$-coordinate of $2P$ equals the $x$-coordinate of $P$ while the $y$-coordinates differ in sign. (If the $y$-coordinates were equal then $2P = P$, implying $P = \infty$.) So using the addition equations
\[
m^2 - 2x = x, \qquad m = \frac{3x^2 + A}{2y}.
\]
Hence
\[
\begin{aligned}
\frac{(3x^2 + A)^2}{4y^2} &= 3x \\
(3x^2 + A)^2 &= 12x(x^3 + Ax + B) \\
3x^4 + 6Ax^2 + 12Bx - A^2 &= 0
\end{aligned}
\]
The discriminant of this polynomial is $-6912(4A^3 + 27B^2)^2$, which is clearly non-zero since we assumed the roots of the Weierstrass equation were distinct. So this polynomial has no multiple roots, meaning there are 4 distinct values of $x \in \overline{K}$, each yielding 2 values of $y$, giving 8 points of order 3. Since $\infty$ is also in $E[3]$ we see that $E[3]$ is a group of order 9, so from Theorem B.6 we know that it is isomorphic to either $\mathbb{Z}_9$ or $\mathbb{Z}_3 \oplus \mathbb{Z}_3$. But every element is 3-torsion, so no point has order 9, meaning the group is not cyclic. Therefore
\[
E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3.
\]
Next assume we are in characteristic 3, meaning we have an equation of the form $y^2 = x^3 + a_2x^2 + a_4x + a_6$. We can compute the $x$-coordinate of $2P$ in the usual way. We first use implicit differentiation to calculate the gradient of the tangent, $m = (2a_2x + a_4)/(2y)$ (the $3x^2$ term vanishes in characteristic 3), and then we substitute into $E$ and note that the $x^2$ coefficient has an extra term this time, so that the $x$-coordinate of $2P$ is $m^2 - a_2 - 2x$. Setting the $x$-coordinate of $2P$ equal to that of $P$ gives
\[
\begin{aligned}
\left(\frac{2a_2x + a_4}{2y}\right)^2 - a_2 &= 3x \equiv 0 \\
(4a_2^2x^2 + a_4^2 + 4a_2a_4x) - 4a_2y^2 &= 0 \\
a_2^2x^2 + a_4^2 + a_2a_4x - a_2(x^3 + a_2x^2 + a_4x + a_6) &= 0 \\
a_2x^3 + a_2a_6 - a_4^2 &= 0
\end{aligned}
\]
Recall that $3 \equiv 0$, $4 \equiv 1$ in characteristic 3.
Note that we cannot have $a_2 = a_4 = 0$, as then $y^2 = x^3 + a_6 = (x + a_6^{1/3})^3$ has multiple roots. If $a_2 = 0$ then we get $a_4^2 = 0$, which cannot happen, so $E[3] = \{\infty\} \cong \mathbb{Z}_1$ in this case. If $a_2 \neq 0$ then the equation becomes $a_2(x^3 + a) = 0$ for some constant $a$, and in characteristic 3 $x^3 + a = (x + a^{1/3})^3$. This has a single triple root, so there is one value of $x$ and 2 corresponding values of $y$, meaning two points of order 3. Since $\infty$ is also a point we see that $E[3]$ has order 3, so $E[3] \cong \mathbb{Z}_3$.
Finally assume that we are in characteristic 2. We can use the addition formulas from Appendix A.3 to show that $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$. As before we have two possibilities:
(I) If $y^2 + xy = x^3 + a_2x^2 + a_6$ then calculating $2P$ and setting the $x$-coordinate equal to the $x$-coordinate of $P$ gives
\[
x = \frac{x^4 + a_6}{x^2} \implies 0 = x^4 - x^3 + a_6.
\]
The discriminant of this polynomial is $256a_6^3 - 27a_6^2 \equiv a_6^2 \pmod 2$. We cannot have $a_6 = 0$ as then the curve would be singular, so we conclude the discriminant is non-zero. So the polynomial has 4 distinct roots, and so there are 8 points of order 3. Therefore, as before, $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$.
(II) If $y^2 + a_3y = x^3 + a_4x + a_6$ then we get
\[
x = \frac{x^4 + a_4^2}{a_3^2} \implies 0 = x^4 + a_4^2 - xa_3^2.
\]
The discriminant of this polynomial is $-27(a_3^2)^4 + 256(a_4^2)^3 \equiv a_3^8 \pmod 2$. We cannot have $a_3 = 0$ as then the curve would be singular, so we conclude the discriminant is non-zero and hence $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$.
So to conclude, if we are in characteristic not 3, then $E[3] \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$, while if we are in characteristic 3, then $E[3] \cong \mathbb{Z}_3$ or $\mathbb{Z}_1$. The following theorem describes the general case.
Theorem 3.12. Let $E$ be an elliptic curve over a field $K$, and let $n$ be a positive integer. If the characteristic of $K$ does not divide $n$, or is zero, then
\[
E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n.
\]
If the characteristic of $K$ is $p > 0$ and $p \mid n$, write $n = p^r n'$ with $p \nmid n'$. Then
\[
E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad\text{or}\quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'}.
\]
This theorem will be proved in the next section, but notice how it covers the two examples we have just looked at. For example, when $n = 3$, as long as the characteristic did not divide 3 (i.e. was not 3) then $E[3] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n = \mathbb{Z}_3 \oplus \mathbb{Z}_3$. When the characteristic was 3, we could write $3 = 3^1 \cdot 1$ and then $E[3] \cong \mathbb{Z}_1 \oplus \mathbb{Z}_1 = \mathbb{Z}_1$ or $\mathbb{Z}_3 \oplus \mathbb{Z}_1 = \mathbb{Z}_3$.
An elliptic curve $E$ in characteristic $p$ is called ordinary if $E[p] \cong \mathbb{Z}_p$. It is called supersingular if $E[p] \cong 0$ and so only contains the point $\infty$. As expected, this was one of the possibilities for $E[3]$ in the characteristic 3 case above.
3.2.1 Successive doubling
Recall that if $P$ is a point on an elliptic curve and $k$ is a positive integer, then $kP$ denotes $P + P + \cdots + P$ (with $k$ summands). If $k$ is a large integer it is more efficient to use successive doubling, as used below to compute $19P$:
\[
2P = P + P, \quad 4P = 2P + 2P, \quad 8P = 4P + 4P, \quad 16P = 8P + 8P, \quad 19P = 16P + 2P + P.
\]
The only problem is that if we are working in the rational numbers the size of the coordinates increases rapidly. This is not a problem when working with finite fields though, as we can continually reduce modulo $p$. The following algorithm uses successive doubling to calculate $kP$.
The Successive Doubling Algorithm
Let $k$ be a positive integer and let $P$ be a point on an elliptic curve. The following procedure computes $kP$.
1. Set $a = k$, $B = \infty$ and $C = P$.
2. If $a$ is even let $a = a/2$, and let $B = B$, $C = 2C$.
3. If $a$ is odd let $a = a - 1$, and let $B = B + C$, $C = C$.
4. If $a \neq 0$ go to step 2.
5. Output $B$.
The output, $B$, is $kP$.
Example 3.4. Consider $E_{11}(1, 6)$ from Example 2.2, which was defined by
\[
y^2 \equiv x^3 + x + 6 \pmod{11}.
\]
Let $G = (2, 7)$ and suppose we wish to compute $G, 2G, \ldots, 13G$. Working from the addition formulas:
\[
\begin{aligned}
2G = 1G + 1G &= \left(-\frac{615}{196}, -\frac{6117}{2744}\right) \equiv \left(\frac{1}{9}, \frac{10}{5}\right) \equiv (5, 2) \pmod{11} \\
3G = 2G + 1G &= \left(-\frac{38}{9}, -\frac{469}{27}\right) \equiv \left(\frac{6}{9}, \frac{4}{5}\right) \equiv (6 \cdot 5, 4 \cdot 9) \equiv (8, 3) \pmod{11}
\end{aligned}
\]
(here $3G$ is computed from the reduced point $2G = (5, 2)$). We perform the rest of the calculations with ECADP.m:
\[
\begin{aligned}
4G &= 2G + 2G = (10, 2) & 9G &= 5G + 4G = (10, 9) \\
5G &= 4G + 1G = (3, 6) & 10G &= 5G + 5G = (8, 8) \\
6G &= 3G + 3G = (7, 9) & 11G &= 8G + 3G = (5, 9) \\
7G &= 4G + 3G = (7, 2) & 12G &= 6G + 6G = (2, 4) \\
8G &= 4G + 4G = (3, 5) & 13G &= 6G + 7G = \infty
\end{aligned}
\]
As expected all of these points lie on $E_{11}(1, 6)$; moreover they are all distinct, so this has in fact generated the whole of $E_{11}(1, 6)$. This means that $E_{11}(1, 6)$ is a cyclic group with $G = (2, 7)$ a generator.
If we had just wanted to calculate $13G$, however, we could have used the successive doubling algorithm. This would have taken only 6 steps as opposed to the 12 used above:
\[
\begin{aligned}
&(1)\ a = 13,\ B = \infty,\ C = G & &(5)\ a = 2,\ B = 5G,\ C = 4G \\
&(2)\ a = 12,\ B = G,\ C = G & &(6)\ a = 1,\ B = 5G,\ C = 8G \\
&(3)\ a = 6,\ B = G,\ C = 2G & &(7)\ a = 0,\ B = 13G,\ C = 8G \\
&(4)\ a = 3,\ B = G,\ C = 4G
\end{aligned}
\]
An m-file to perform the successive doubling algorithm over prime curves (SUCDOB.m) was created and can be found in Appendix C.5. This m-file takes as its inputs $X1, Y1, k, A, p$ and outputs $X2, Y2$ where
\[
(X2, Y2) = k(X1, Y1) = (X1, Y1) + (X1, Y1) + \cdots + (X1, Y1) \quad (k \text{ summands})
\]
and addition is performed over the elliptic curve
\[
y^2 \equiv x^3 + Ax + B \pmod p.
\]
Testing this m-file on the example above gives $12G = (2, 4)$ and $13G = \infty$ as expected.
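The following Python script is an added example; it is not part of the original dissertation and is not the ECADP.m or SUCDOB.m file referred to above. It implements the addition formulas for $y^2 = x^3 + Ax + B$ over $\mathbb{F}_p$ and the Successive Doubling Algorithm exactly as the five steps of Section 3.2.1, then reproduces the table of multiples of $G = (2, 7)$ on $E_{11}(1, 6)$ from Example 3.4 and checks that $G$ generates the whole group by enumerating every affine point of the curve. The function names (ec_add, successive_doubling, multiples, is_generator) and the representation of $\infty$ by None are choices made here.

```python
# Added example: the addition law of y^2 = x^3 + Ax + B over F_p and the
# Successive Doubling Algorithm of Section 3.2.1, checked on Example 3.4.
# This is not the dissertation's ECADP.m/SUCDOB.m; function names and the use
# of None for the point at infinity are choices made here.


def ec_add(P, Q, A, p):
    """Add two points of y^2 = x^3 + Ax + B (mod p). None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        # Q = -P, which also covers doubling a point with y = 0: the tangent is vertical.
        return None
    if P == Q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent gradient
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord gradient
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def successive_doubling(k, P, A, p):
    """kP by the five steps of the Successive Doubling Algorithm."""
    a, B, C = k, None, P                       # step 1
    while a != 0:                              # step 4
        if a % 2 == 0:                         # step 2: halve a, double C
            a, C = a // 2, ec_add(C, C, A, p)
        else:                                  # step 3: decrement a, add C into B
            a, B = a - 1, ec_add(B, C, A, p)
    return B                                   # step 5


def multiples(G, n, A, p):
    """[1G, 2G, ..., nG] by repeated addition, as in the table of Example 3.4."""
    out, acc = [], None
    for _ in range(n):
        acc = ec_add(acc, G, A, p)
        out.append(acc)
    return out


def on_curve(P, A, B, p):
    if P is None:
        return True
    x, y = P
    return (y * y - x ** 3 - A * x - B) % p == 0


def is_generator(G, A, B, p):
    """True when the multiples of G run through every affine point of the curve
    exactly once before reaching infinity, i.e. E(F_p) is cyclic generated by G."""
    affine = {(x, y) for x in range(p) for y in range(p) if on_curve((x, y), A, B, p)}
    seen, acc = set(), G
    while acc is not None:
        if acc in seen:
            return False
        seen.add(acc)
        acc = ec_add(acc, G, A, p)
    return seen == affine


if __name__ == "__main__":
    A, B, p, G = 1, 6, 11, (2, 7)            # E_11(1, 6) and the generator of Example 3.4
    for n, P in enumerate(multiples(G, 13, A, p), start=1):
        assert on_curve(P, A, B, p)
        print(f"{n:2d}G = {P if P is not None else 'infinity'}")
    print("13G by successive doubling:", successive_doubling(13, G, A, p))
    print("G generates E_11(1, 6):", is_generator(G, A, B, p))
```

With $A = 1$, $B = 6$, $p = 11$ and $G = (2, 7)$, multiples(G, 13, 1, 11) returns the twelve affine points in the order of the table above followed by None for $13G$, and successive_doubling(13, G, 1, 11) reaches the same None after the six halving/decrement iterations listed in the worked trace. The modular inverses use pow(x, -1, p), which exists from Python 3.8.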
3.2.2 The basis for $E[n]$
Let $n$ be a positive integer not divisible by the characteristic of $K$. We show here (for use in the following sections) that we can find a basis $\{\beta_1, \beta_2\}$ for $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. Every element of $E[n]$ can be expressed in the form $m_1\beta_1 + m_2\beta_2$ with integers $m_1, m_2$ that are uniquely determined mod $n$. Let $\alpha : E(\overline{K}) \to E(\overline{K})$ be a homomorphism. $\alpha$ maps $E[n]$ to $E[n]$, so there exist $a, b, c, d \in \mathbb{Z}_n$ such that
\[
\alpha(\beta_1) = a\beta_1 + c\beta_2, \qquad \alpha(\beta_2) = b\beta_1 + d\beta_2.
\]
Therefore each homomorphism is represented by a $2 \times 2$ matrix
\[
\alpha_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix}.
\]
So now composition of homomorphisms corresponds to multiplication of the corresponding matrices.
Example 3.5. Let $E$ be the elliptic curve defined over $\mathbb{R}$ by $y^2 = x^3 - 2$ and let $n = 2$. Then
\[
E[2] = \{\infty, (2^{1/3}, 0), (\omega 2^{1/3}, 0), (\omega^2 2^{1/3}, 0)\}
\]
where $\omega$ is a non-trivial cube root of unity. Let
\[
\beta_1 = (2^{1/3}, 0), \qquad \beta_2 = (\omega 2^{1/3}, 0).
\]
Then $\{\beta_1, \beta_2\}$ is a basis for $E[2]$, and $\beta_3 = (\omega^2 2^{1/3}, 0) = \beta_1 + \beta_2$.
Let $\alpha : E(\mathbb{C}) \to E(\mathbb{C})$ represent complex conjugation: $\alpha(x, y) = (\bar{x}, \bar{y})$ where $\bar{x}$ is the complex conjugate of $x$. It is easy to verify that $\alpha$ is a homomorphism, that is $\overline{P_1 + P_2} = \overline{P_1} + \overline{P_2}$, which is the same as $\alpha(P_1) + \alpha(P_2) = \alpha(P_1 + P_2)$. Since $\bar{\omega} = \omega^2$ we have
\[
\alpha(\beta_1) = 1\beta_1 + 0\beta_2, \qquad \alpha(\beta_2) = 1\beta_1 + 1\beta_2 = \beta_3.
\]
Therefore
\[
\alpha_2 = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}.
\]
Note that $\alpha_2^2$ is the identity matrix mod 2, which corresponds to the fact that $\alpha^2$ (conjugating twice) is the identity homomorphism.
3.3 Division polynomials
This section aims to prove Theorem 3.12 as well as obtain other results for use in Chapter 4. Define the division polynomials $\psi_m \in \mathbb{Z}[x, y, A, B]$ by
\[
\begin{aligned}
\psi_0 &= 0 \\
\psi_1 &= 1 \\
\psi_2 &= 2y \\
\psi_3 &= 3x^4 + 6Ax^2 + 12Bx - A^2 \\
\psi_4 &= 4y(x^6 + 5Ax^4 + 20Bx^3 - 5A^2x^2 - 4ABx - 8B^2 - A^3) \\
\psi_{2m+1} &= \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3, \qquad m \geq 2 \\
\psi_{2m} &= (2y)^{-1}\psi_m(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2), \qquad m \geq 3
\end{aligned}
\]
Lemma 3.13. $\psi_n$ is a polynomial in $\mathbb{Z}[x, y^2, A, B]$ when $n$ is odd, and a polynomial in $2y\mathbb{Z}[x, y^2, A, B]$ when $n$ is even.
Proof We can see the lemma is true for $n \leq 4$. Assume for induction that the lemma holds for all $n < 2m$, where $2m > 4$, so $m > 2$. We must now prove that the lemma holds for $n = 2m$ and $n = 2m + 1$ to prove the lemma by PMI. Because $2m > m + 2$ we can see that all polynomials in the definition of $\psi_{2m}$ and $\psi_{2m+1}$ satisfy the induction assumptions.
First consider the case when $m$ is even. Then $\psi_m, \psi_{m+2}, \psi_{m-2}$ are in $2y\mathbb{Z}[x, y^2, A, B]$ and $\psi_{m-1}, \psi_{m+1}$ are in $\mathbb{Z}[x, y^2, A, B]$, so
\[
\begin{aligned}
\psi_{m+2}\psi_m^3 &\in 2^4y^4\mathbb{Z}[x, y^2, A, B] \subset \mathbb{Z}[x, y^2, A, B] \\
\psi_{m-1}\psi_{m+1}^3 &\in \mathbb{Z}[x, y^2, A, B] \\
\psi_{2m+1} &\in \mathbb{Z}[x, y^2, A, B]
\end{aligned}
\]
Similarly
\[
\begin{aligned}
\psi_{m+2}\psi_{m-1}^2 &\in 2y\mathbb{Z}[x, y^2, A, B] \\
\psi_{m-2}\psi_{m+1}^2 &\in 2y\mathbb{Z}[x, y^2, A, B] \\
\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2 &\in 2y\mathbb{Z}[x, y^2, A, B] \\
(2y)^{-1}(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2) &\in \mathbb{Z}[x, y^2, A, B] \\
\psi_{2m} &\in 2y\mathbb{Z}[x, y^2, A, B]
\end{aligned}
\]
Now consider the case when $m$ is odd. Then $\psi_{m-1}$ and $\psi_{m+1}$ are in $2y\mathbb{Z}[x, y^2, A, B]$ while $\psi_m, \psi_{m+2}, \psi_{m-2}$ are in $\mathbb{Z}[x, y^2, A, B]$, so
\[
\begin{aligned}
\psi_{m+2}\psi_m^3 &\in \mathbb{Z}[x, y^2, A, B] \\
\psi_{m-1}\psi_{m+1}^3 &\in 2^4y^4\mathbb{Z}[x, y^2, A, B] \subset \mathbb{Z}[x, y^2, A, B] \\
\psi_{2m+1} &\in \mathbb{Z}[x, y^2, A, B]
\end{aligned}
\]
Similarly
\[
\begin{aligned}
\psi_{m+2}\psi_{m-1}^2 &\in 2^2y^2\mathbb{Z}[x, y^2, A, B] \\
\psi_{m-2}\psi_{m+1}^2 &\in 2^2y^2\mathbb{Z}[x, y^2, A, B] \\
\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2 &\in 2^2y^2\mathbb{Z}[x, y^2, A, B] \\
(2y)^{-1}(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2) &\in 2y\mathbb{Z}[x, y^2, A, B] \\
\psi_{2m} &\in 2y\mathbb{Z}[x, y^2, A, B]
\end{aligned}
\]
So we have proved the lemma by PMI for both choices of $m$. □
Define the polynomials
\[
\begin{aligned}
\phi_n &= x\psi_n^2 - \psi_{n+1}\psi_{n-1} \\
\omega_n &= (4y)^{-1}(\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2)
\end{aligned}
\]
Lemma 3.14. $\phi_n \in \mathbb{Z}[x, y^2, A, B]$ for all $n$. If $n$ is odd then $\omega_n \in y\mathbb{Z}[x, y^2, A, B]$, while if $n$ is even then $\omega_n \in \mathbb{Z}[x, y^2, A, B]$.
Proof This proof is a lengthy but simple application of PMI. The proof can be found in Appendix A.6.
Next consider an elliptic curve $y^2 = x^3 + Ax + B$ with no multiple roots ($4A^3 + 27B^2 \neq 0$). We don't specify what field $A, B$ are in, so treat them as variables. We regard the polynomials in $\mathbb{Z}[x, y^2, A, B]$ as polynomials in $\mathbb{Z}[x, A, B]$ by substituting for $y^2$. Note that $\psi_n$ is not necessarily a polynomial in $x$ alone, but $\psi_n^2(x)$ is.
Lemma 3.15. When considering points on the elliptic curve $y^2 = x^3 + Ax + B$,
\[
\begin{aligned}
\text{(i)}\quad & \psi_n^2(x) = n^2x^{n^2 - 1} + \text{lower degree terms} \\
\text{(ii)}\quad & \phi_n(x) = x^{n^2} + \text{lower degree terms}
\end{aligned}
\]
Proof This is another lengthy but simple use of PMI, which can be found in Appendix A.6.
Lemma 3.16. Let $\Delta = 4A^3 + 27B^2$ and let
\[
\begin{aligned}
F(x, z) &= x^4 - 2Ax^2z^2 - 8Bxz^3 + A^2z^4 \\
G(x, z) &= 4z(x^3 + Axz^2 + Bz^3) \\
f_1(x, z) &= 12x^2z + 16Az^3 \\
g_1(x, z) &= 3x^3 - 5Axz^2 - 27Bz^3 \\
f_2(x, z) &= 4\Delta x^3 - 4A^2Bx^2z + 4A(3A^3 + 22B^2)xz^2 + 12B(A^3 + 8B^2)z^3 \\
g_2(x, z) &= A^2Bx^3 + A(5A^3 + 32B^2)x^2z + 2B(13A^3 + 96B^2)xz^2 - 3A^2(A^3 + 8B^2)z^3
\end{aligned}
\]
Then by simply multiplying out the brackets we see
\[
\begin{aligned}
Ff_1 - Gg_1 &= 16A^3z^7 + 108B^2z^7 = 4\Delta z^7 \\
Ff_2 + Gg_2 &= 16A^3x^7 + 108B^2x^7 = 4\Delta x^7
\end{aligned}
\]
Theorem 3.17. Let $E$ be an elliptic curve. The endomorphism of $E$ given by multiplication by $n$ has degree $n^2$.
Proof By Lemma 3.15 we see that the maximum of the degrees of $\phi_n(x)$ and $\psi_n^2(x)$ is $n^2$. So we can conclude that $n^2$ is the degree of the endomorphism by definition, provided that $\phi_n(x)$ and $\psi_n^2(x)$ have no common roots.
Suppose for a contradiction that they share common roots, with $n$ the smallest index for which this happens. First suppose $n = 2m$ is even. We have
\[
\phi_2(x) = x^4 - 2Ax^2 - 8Bx + A^2, \qquad \psi_2^2 = 4y^2 = 4(x^3 + Ax + B).
\]
From Theorem 3.18 (stated below),
\[
2m(x, y) = 2[m(x, y)] = 2\left(\frac{\phi_m(x)}{\psi_m^2(x)}, \frac{\omega_m(x, y)}{\psi_m(x, y)^3}\right)
= \left(\frac{\phi_2(\phi_m/\psi_m^2)}{\psi_2^2(\phi_m/\psi_m^2)}, \frac{\omega_2(m(x, y))}{\psi_2(m(x, y))^3}\right)
\]
So considering the first coordinate gives
\[
\begin{aligned}
\frac{\phi_{2m}}{\psi_{2m}^2} &= \frac{\phi_2(\phi_m/\psi_m^2)}{\psi_2^2(\phi_m/\psi_m^2)}
= \left(\frac{\phi_m^4}{\psi_m^8} - 2A\frac{\phi_m^2}{\psi_m^4} - 8B\frac{\phi_m}{\psi_m^2} + A^2\right) \Big/ \left(4\left(\frac{\phi_m^3}{\psi_m^6} + A\frac{\phi_m}{\psi_m^2} + B\right)\right) \\
&= \frac{\phi_m^4 - 2A\phi_m^2\psi_m^4 - 8B\phi_m\psi_m^6 + A^2\psi_m^8}{(4\psi_m^2)(\phi_m^3 + A\phi_m\psi_m^4 + B\psi_m^6)} = \frac{U}{V}
\end{aligned}
\]
Then, using Lemma 3.16 with $x = \phi_m$ and $z = \psi_m^2$ (so that $U = F(\phi_m, \psi_m^2)$ and $V = G(\phi_m, \psi_m^2)$),
\[
\begin{aligned}
U f_1(\phi_m, \psi_m^2) - V g_1(\phi_m, \psi_m^2) &= 4\Delta\psi_m^{14} \\
U f_2(\phi_m, \psi_m^2) + V g_2(\phi_m, \psi_m^2) &= 4\Delta\phi_m^7
\end{aligned}
\]
If $U, V$ have a common root then so do $\phi_m$ and $\psi_m^2$. But since $n = 2m$ is the first index for which there is a common root this is impossible, so $U$ and $V$ do not share a common root.
We need to show that $U = \phi_{2m}$ and $V = \psi_{2m}^2$. Since $U/V = \phi_{2m}/\psi_{2m}^2$ and $U, V$ have no common root, it follows that $\phi_{2m}$ is a multiple of $U$ and $\psi_{2m}^2$ is a multiple of $V$. But by Lemma 3.15 we can show that both $\phi_{2m}$ and $U$ equal $x^{4m^2} + $ lower order terms, so $\phi_{2m} = U$. Therefore $V = \psi_{2m}^2$ and they share no common roots.
Now suppose that $n$, the smallest index such that there is a common root, is odd, so $n = 2m + 1$. Let $r$ be a common root of $\phi_n$ and $\psi_n^2$. Since
\[
\phi_n = x\psi_n^2 - \psi_{n-1}\psi_{n+1}
\]
and both $\phi_n(r) = 0$ and $\psi_n^2(r) = 0$, it follows that $\psi_{n-1}\psi_{n+1}(r) = 0$. Now $\psi_{n+1}^2$ and $\psi_{n-1}^2$ are polynomials in $x$, and their product vanishes at $r$; therefore
\[
\psi_{n+\epsilon}^2(r) = 0
\]
where $\epsilon$ is either 1 or $-1$.
Since $n$ is odd both $\psi_n$ and $\psi_{n+2\epsilon}$ are polynomials in $x$, and
\[
(\psi_n\psi_{n+2\epsilon})^2 = \psi_n^2\psi_{n+2\epsilon}^2
\]
vanishes at $r$ (as $\psi_n^2$ does). Therefore $\psi_n\psi_{n+2\epsilon}$ vanishes at $r$ also. Since
\[
\phi_{n+\epsilon} = x\psi_{n+\epsilon}^2 - \psi_n\psi_{n+2\epsilon}
\]
we find that $\phi_{n+\epsilon}(r) = 0$. Therefore $\phi_{n+\epsilon}$ and $\psi_{n+\epsilon}^2$ have a common root (where $n + \epsilon$ is even).
When considering the $n$ even case we showed that if $\phi_{2m}$ and $\psi_{2m}^2$ have a common root then so do $\phi_m$ and $\psi_m^2$. Since $n + \epsilon$ is even we can apply this to $2m = n + \epsilon$. Since $n$ is the smallest index for which there is a common root,
\[
\frac{n + \epsilon}{2} \geq n \implies n \leq \epsilon \leq 1.
\]
The only option would be $n = 1$, but clearly $\phi_1 = x$ and $\psi_1^2 = 1$ have no common roots, so we have a contradiction.
So $\phi_n$ and $\psi_n^2$ have no common roots in all cases. Therefore we can conclude that the multiplication by $n$ map has degree $n^2$. □
Theorem 3.18. (Proof omitted; see Section 9.5 of [9].) Let $P = (x, y)$ be a point on the elliptic curve $y^2 = x^3 + Ax + B$ over a field of characteristic not 2. Let $n$ be a positive integer; then
\[
nP = \left(\frac{\phi_n(x)}{\psi_n^2(x)}, \frac{\omega_n(x, y)}{\psi_n(x, y)^3}\right).
\]
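The following Python script is an added example, not code from the original dissertation. It evaluates the division polynomials of this section at a point of $y^2 = x^3 + Ax + B$ over $\mathbb{F}_p$ directly from the recurrences, builds $\phi_n$ and $\omega_n$ from them, and reads off $nP$ through Theorem 3.18 with no point addition at all; it is checked against the multiples of $G = (2, 7)$ on $E_{11}(1, 6)$ tabulated in Example 3.4, and it exhibits the fact used in the proof of Theorem 3.17 that $\psi_n(P)$ vanishes exactly when $nP = \infty$. The convention $\psi_{-1} = -1$ (the usual odd extension, which makes $\omega_1 = y$), the function names and the use of None for $\infty$ are assumptions made here; the point must have $y \neq 0 \pmod p$ and $p$ must be odd, because the even-index recurrence divides by $2y$.

```python
# Added example: division polynomials of Section 3.3 evaluated at a point of
# y^2 = x^3 + Ax + B over F_p, and nP recovered from them via Theorem 3.18.
# Not code from the original dissertation. Assumptions made here: psi_{-1} = -1
# (the standard odd extension, so that omega_1 = y), None for the point at
# infinity, an odd prime p, and a point with y != 0 (mod p) since the even-index
# recurrence divides by 2y.


def division_polys(x, y, A, B, p, N):
    """Return {n: psi_n(x, y) mod p} for -1 <= n <= N, using the recurrences."""
    if p % 2 == 0 or y % p == 0:
        raise ValueError("need an odd prime p and y != 0 mod p (recurrence divides by 2y)")
    inv2y = pow(2 * y, -1, p)
    psi = {
        -1: (-1) % p,
        0: 0,
        1: 1,
        2: (2 * y) % p,
        3: (3 * x**4 + 6 * A * x**2 + 12 * B * x - A * A) % p,
        4: (4 * y * (x**6 + 5 * A * x**4 + 20 * B * x**3 - 5 * A * A * x**2
                     - 4 * A * B * x - 8 * B * B - A**3)) % p,
    }
    for n in range(5, N + 1):
        m = n // 2
        if n % 2 == 1:   # n = 2m + 1 with m >= 2
            psi[n] = (psi[m + 2] * psi[m]**3 - psi[m - 1] * psi[m + 1]**3) % p
        else:            # n = 2m with m >= 3
            psi[n] = (inv2y * psi[m]
                      * (psi[m + 2] * psi[m - 1]**2 - psi[m - 2] * psi[m + 1]**2)) % p
    return psi


def n_times_point(n, P, A, B, p):
    """nP as (phi_n/psi_n^2, omega_n/psi_n^3) from Theorem 3.18; None means infinity."""
    x, y = P
    psi = division_polys(x, y, A, B, p, n + 2)
    if psi[n] == 0:                  # psi_n(P) = 0 exactly when nP = infinity
        return None
    phi = (x * psi[n]**2 - psi[n + 1] * psi[n - 1]) % p
    omega = (pow(4 * y, -1, p)
             * (psi[n + 2] * psi[n - 1]**2 - psi[n - 2] * psi[n + 1]**2)) % p
    inv = pow(psi[n], -1, p)
    return ((phi * inv**2) % p, (omega * inv**3) % p)


def torsion_indices(P, A, B, p, N):
    """The n in 1..N with psi_n(P) = 0, i.e. the n for which nP = infinity."""
    psi = division_polys(P[0], P[1], A, B, p, N)
    return [n for n in range(1, N + 1) if psi[n] == 0]


if __name__ == "__main__":
    A, B, p, G = 1, 6, 11, (2, 7)    # E_11(1, 6) and the generator of Example 3.4
    for n in range(1, 14):
        print(f"{n:2d}G = {n_times_point(n, G, A, B, p)}")
    print("psi_n(G) = 0 for n =", torsion_indices(G, A, B, p, 26))   # the multiples of 13
```

For $G = (2, 7)$ on $E_{11}(1, 6)$ the values returned by n_times_point agree with the table of Example 3.4 for $n = 1, \ldots, 12$ (for instance $\phi_2(G)/\psi_2^2(G) \equiv 1/9 \equiv 5$, the same reduction that appears in the hand computation of $2G$), $n = 13$ gives None because $\psi_{13}(G) \equiv 0$, and torsion_indices over $1 \leq n \leq 26$ returns exactly the multiples of 13, the order of $G$.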
We now use the above results to prove Theorem 3.12, from the previous section.

Theorem 3.12. Let $E$ be an elliptic curve over a field $K$, and let $n$ be a positive integer. If the characteristic of $K$ does not divide $n$, or is zero, then
\[ E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n. \]
If the characteristic of $K$ is $p > 0$ and $p \mid n$, write $n = p^r n'$ with $p \nmid n'$. Then
\[ E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad\text{or}\quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'}. \]
Proof. We first deal with the case when $p \nmid n$. Recall that if $\alpha(x,y) = (R(x), yS(x))$ is an endomorphism of an elliptic curve, then $\alpha$ is separable if $R'(x)$ is not identically zero. From Theorem 3.18 and Lemma 3.15 we see that the multiplication by $n$ map has
\[ R(x) = \frac{\phi_n(x)}{\psi_n^2(x)} = \frac{x^{n^2} + \dots}{n^2 x^{n^2-1} + \dots}. \]
So using the quotient rule, the numerator of $R'(x)$ is
\begin{align*}
R'_{\mathrm{num}}(x) &= (n^2 x^{n^2-1} + \dots)(n^2 x^{n^2-1} + \dots) - (x^{n^2} + \dots)(n^2(n^2-1)x^{n^2-2} + \dots) \\
&= (n^4 x^{2n^2-2} + \dots) - ((n^4 - n^2)x^{2n^2-2} + \dots) \\
&= n^2 x^{2n^2-2} + \dots \neq 0.
\end{align*}
So $R'(x) \neq 0$ and therefore multiplication by $n$ is separable.
As stated earlier, $E[n]$ is the kernel of the multiplication by $n$ endomorphism. We have just shown this to be separable, so we can apply Theorem 3.5 to show the group has order equal to the degree of the endomorphism. By Theorem 3.17 this is $n^2$. The structure theorem for finite abelian groups then says that $E[n]$ is isomorphic to
\[ \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \dots \oplus \mathbb{Z}_{n_k} \]
for some integers $n_1, n_2, \dots, n_k$ with $n_i \mid n_{i+1}$ for all $i$. By Lemma B.8 $E[l]$ has order $l^k$, but since we proved above that $E[l]$ has order $l^2$ we must have $k = 2$. So $E[n] \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2}$ where $n_1 \mid n_2$. The order of $E[n]$ is $n^2 = n_1 n_2$, so it follows that $n_1 = n_2 = n$. Therefore
\[ E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n \]
when the characteristic $p$ of the field does not divide $n$.
Now consider the case when $p \mid n$. We consider first the $p$-power torsion on $E$. By Proposition 3.9 multiplication by $p$ is not separable, and so by Theorem 3.5 the kernel, $E[p]$, of multiplication by $p$ has order less than the degree of the endomorphism, which is $p^2$ by Theorem 3.17. Every element of $E[p]$ has order $1$ or $p$, so the order of $E[p]$ is either $1$ or $p$. If $E[p]$ were trivial then $E[p^k]$ would be for all $k$, so suppose $E[p]$ has order $p$.

We will show that $E[p^k] \cong \mathbb{Z}_{p^k}$ for all $k$. First we must show that the order cannot be smaller than $p^k$. Suppose there exists an element $P$ of order $p^j$. By Theorem 3.6 multiplication by $p$ is surjective, so there exists a point $Q$ with $pQ = P$. Since
\[ p^j Q = p^{j-1} P \neq \infty, \qquad p^{j+1} Q = p^j P = \infty, \]
$Q$ has order $p^{j+1}$. There is an element of order $1$ ($\infty$), so by induction there are points of order $p^k$ for all $k$. Therefore such a point will generate $E[p^k]$, meaning $E[p^k]$ is a cyclic group of order $p^k$, and so $E[p^k] \cong \mathbb{Z}_{p^k}$.

Finally write $n = p^r n'$ with $r \ge 0$ and $p \nmid n'$. Then
\[ E[n] \cong E[n'] \oplus E[p^r]. \]
We have $E[n'] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'}$, since $p \nmid n'$, and we have just shown that $E[p^r] \cong 0$ or $\mathbb{Z}_{p^r}$. So
\[ E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \oplus 0 \quad\text{or}\quad \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \oplus \mathbb{Z}_{p^r}. \]
Now since $p \nmid n'$ we can use the Chinese remainder theorem (B.1) to show
\[ \mathbb{Z}_{n'} \oplus \mathbb{Z}_{p^r} \cong \mathbb{Z}_{n'p^r} \cong \mathbb{Z}_n. \]
Therefore we obtain
\[ E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad\text{or}\quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'}, \]
which completes the proof of Theorem 3.12. $\square$
3.4 The Weil pairing

Here we consider the Weil pairing, which is in itself a worthwhile subject. However, many of its uses are omitted in the project and so we state it here without proof, in order to derive some useful results for the next chapter. For this section we let $E$ be an elliptic curve over a field $K$ and let $n$ be an integer not divisible by the characteristic of $K$. Then $E[n] \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. Let
\[ \mu_n = \{ x \in \bar K \mid x^n = 1 \} \]
be the group of $n$th roots of unity in $\bar K$. Since the characteristic of $K$ does not divide $n$, the equation $x^n = 1$ has no multiple roots, and hence $n$ roots in $\bar K$. Therefore $\mu_n$ is a cyclic group of order $n$. Any generator, $\zeta$, of $\mu_n$ is called a primitive $n$th root of unity, which in Theorem A.14 we show is equivalent to saying that $\zeta^k = 1$ if and only if $n$ divides $k$.
Theorem 3.19. (Proof omitted; see Chapter 11 of [9].) Let $E$ be an elliptic curve defined over a field $K$ and let $n$ be a positive integer. Assume that the characteristic of $K$ does not divide $n$. Then there is a pairing
\[ e_n : E[n] \times E[n] \to \mu_n, \]
called the Weil pairing, that satisfies the following properties.

1. $e_n$ is bilinear in each variable. This means
\[ e_n(S_1 + S_2, T) = e_n(S_1, T)\,e_n(S_2, T), \qquad e_n(S, T_1 + T_2) = e_n(S, T_1)\,e_n(S, T_2) \]
for all $S, S_1, S_2, T, T_1, T_2 \in E[n]$.

2. $e_n$ is non-degenerate in each variable. This means that if $e_n(S,T) = 1$ for all $T \in E[n]$ then $S = \infty$, and also that if $e_n(S,T) = 1$ for all $S \in E[n]$ then $T = \infty$.

3. $e_n(T,T) = 1$ for all $T \in E[n]$.

4. $e_n(T,S) = e_n(S,T)^{-1}$ for all $S, T \in E[n]$.

5. $e_n(\sigma S, \sigma T) = \sigma(e_n(S,T))$ for all automorphisms $\sigma$ of $\bar K$ such that $\sigma$ is the identity map on the coefficients of $E$. (If $E$ is in Weierstrass form this means that $\sigma(A) = A$ and $\sigma(B) = B$.)

6. $e_n(\alpha(S), \alpha(T)) = e_n(S,T)^{\deg(\alpha)}$ for all separable endomorphisms $\alpha$ of $E$. If the coefficients of $E$ lie in the finite field $\mathbb{F}_q$ then the statement also holds when $\alpha$ is the Frobenius endomorphism $\phi_q$. (Note this statement holds for all endomorphisms $\alpha$, separable or not.)
Corollary 3.20. Let $T_1, T_2$ be a basis of $E[n]$. Then $e_n(T_1, T_2)$ is a primitive $n$th root of unity.

Proof. Suppose $e_n(T_1, T_2) = \zeta$ with $\zeta^d = 1$. Then
\begin{align*}
e_n(T_1, dT_2) &= e_n(T_1, T_2 + \dots + T_2) = e_n(T_1, T_2)^d = \zeta^d = 1, \\
e_n(T_2, dT_2) &= e_n(T_2, T_2 + \dots + T_2) = e_n(T_2, T_2)^d = 1^d = 1.
\end{align*}
Let $S \in E[n]$; then $S = aT_1 + bT_2$ for some integers $a, b$. Therefore
\[ e_n(S, dT_2) = e_n(T_1, dT_2)^a\, e_n(T_2, dT_2)^b = 1^a\, 1^b = 1. \]
This holds for all $S$, so Theorem 3.19(2) implies that $dT_2 = \infty$. This can happen only if $n \mid d$, so it follows from Theorem A.14 that $\zeta$ is a primitive $n$th root of unity. $\square$
Corollary 3.21. If $E[n] \subseteq E(K)$ (as opposed to $E(\bar K)$) then $\mu_n \subseteq K$.

Proof. Let $\sigma$ be an automorphism of $\bar K$ such that $\sigma$ is the identity on $K$. Let $T_1, T_2$ be a basis of $E[n]$. Since $T_1, T_2$ are assumed to have coordinates in $K$ we have $\sigma T_1 = T_1$ and $\sigma T_2 = T_2$. Then by Theorem 3.19(5)
\[ \zeta = e_n(T_1, T_2) = e_n(\sigma T_1, \sigma T_2) = \sigma(e_n(T_1, T_2)) = \sigma(\zeta). \]
The fundamental theorem of Galois theory says that if an element $x \in \bar K$ is fixed by all such automorphisms $\sigma$ then $x \in K$. Therefore $\zeta \in K$ and, by Corollary 3.20, $\zeta$ is also a primitive $n$th root of unity. Hence $\mu_n \subseteq K$. $\square$
We now deduce two propositions for use in the proof of Hasse's theorem. Recall that if $\alpha$ is an endomorphism of $E$ then we obtain
\[ \alpha_n = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \]
with entries in $\mathbb{Z}_n$, describing the action of $\alpha$ on a basis $T_1, T_2$ of $E[n]$.
Proposition 3.22. Let $\alpha$ be an endomorphism of an elliptic curve $E$ defined over a field $K$. Let $n$ be a positive integer not divisible by the characteristic of $K$. Then $\det(\alpha_n) \equiv \deg(\alpha) \pmod n$.

Proof. By Corollary 3.20, $\zeta = e_n(T_1, T_2)$ is a primitive $n$th root of unity. By Theorem 3.19(6)
\begin{align*}
\zeta^{\deg(\alpha)} &= e_n(\alpha(T_1), \alpha(T_2)) = e_n(aT_1 + cT_2,\ bT_1 + dT_2) \\
&= e_n(T_1, T_1)^{ab}\, e_n(T_1, T_2)^{ad}\, e_n(T_2, T_1)^{cb}\, e_n(T_2, T_2)^{cd} \\
&= \zeta^{ad - bc}.
\end{align*}
So
\[ \zeta^{\deg(\alpha)}\,\zeta^{-(ad-bc)} = \zeta^{ad-bc}\,\zeta^{-(ad-bc)} \quad\Longrightarrow\quad \zeta^{\deg(\alpha) - (ad-bc)} = 1. \]
Since $\zeta$ is a primitive $n$th root of unity, by Lemma A.14 $n \mid [\deg(\alpha) - (ad-bc)]$. Therefore
\[ \deg(\alpha) - (ad - bc) \equiv 0 \pmod n, \qquad\text{so}\qquad \deg(\alpha) \equiv ad - bc \pmod n. \quad\square \]
So we can now reduce questions about the degree to calculations with matrices. Propositions 3.22 and 3.23 hold for all endomorphisms (as Theorem 3.19(6) holds for all), but we prove Proposition 3.23 for separable endomorphisms only.

Let $\alpha$ and $\beta$ be endomorphisms of $E$ and let $a, b$ be integers. The endomorphism $a\alpha + b\beta$ is defined by
\[ (a\alpha + b\beta)(P) = a\alpha(P) + b\beta(P). \]

Proposition 3.23.
\[ \deg(a\alpha + b\beta) = a^2\deg(\alpha) + b^2\deg(\beta) + ab\,\bigl(\deg(\alpha + \beta) - \deg(\alpha) - \deg(\beta)\bigr). \]

Proof. Let $n$ be any integer not divisible by the characteristic of $K$. Represent $\alpha$ and $\beta$ by matrices $\alpha_n$ and $\beta_n$, with respect to some basis of $E[n]$. Then $a\alpha_n + b\beta_n$ gives the action of $a\alpha + b\beta$ on $E[n]$. By Theorem B.17
\[ \det(a\alpha_n + b\beta_n) = a^2\det(\alpha_n) + b^2\det(\beta_n) + ab\,\bigl(\det(\alpha_n + \beta_n) - \det(\alpha_n) - \det(\beta_n)\bigr) \]
for any matrices $\alpha_n, \beta_n$. Therefore by Proposition 3.22
\[ \deg(a\alpha + b\beta) \equiv a^2\deg(\alpha) + b^2\deg(\beta) + ab\,\bigl(\deg(\alpha+\beta) - \deg(\alpha) - \deg(\beta)\bigr) \pmod n. \]
Since this holds for infinitely many $n$ it is an equality. $\square$
Chapter 4

Elliptic curves over finite fields

Let $F$ be a finite field and $E$ an elliptic curve defined over $F$. Since there are only a finite number of pairs $(x, y)$ with $x, y \in F$, the group $E(F)$ must itself be finite. In this chapter we discuss the basic theory of elliptic curves over finite fields, which is the starting point for cryptographic applications. During the course of the chapter we prove Hasse's theorem, which gives a bound on the size of the group $E(\mathbb{F}_q)$. We also look at methods to find the order of a point in $E(F)$.

4.1 Examples

A finite field will have $p^n$ elements for some prime $p$ and some integer $n \ge 1$ (see Appendix B.5.1). The fields $\mathbb{F}_p$ with $n = 1$ are isomorphic to $\mathbb{Z}_p$, and curves over them are known as prime curves. When working with an elliptic curve defined over a finite field $\mathbb{F}_p$ we perform all operations modulo $p$.
Example 4.1. Let $E$ be $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$ ($= \mathbb{Z}_5$). To find all the points on $E(\mathbb{F}_5)$ we consider the possible values of $x$, the values of $x^3 + x + 1$ they give, and then which values of $y$ give the same value when squared.

    x    x^3 + x + 1    y     Points
    0    1              ±1    (0,1), (0,4)
    1    3              -     -
    2    1              ±1    (2,1), (2,4)
    3    1              ±1    (3,1), (3,4)
    4    4              ±2    (4,2), (4,3)

So we see that $E(\mathbb{F}_5)$ has order 9.

We can perform addition as before. For example, let us compute $3(0,1) = 2(0,1) + (0,1)$. We first need to calculate $2(0,1) = (x, y)$, so using the notation of the addition formulas:
\[ m = \frac{3(0)^2 + 1}{2} = \frac{1}{2} \equiv 3, \quad\text{then}\quad x = 3^2 - 2(0) = 9 \equiv 4 \quad\text{and}\quad y = 3(0 - 4) - 1 = -13 \equiv 2. \]
Next we compute $3(0,1) = (4,2) + (0,1) = (X, Y)$ where
\begin{align*}
m &= \frac{1 - 4}{0 - 2} = \frac{3}{2} \equiv 3 \cdot 3 = 9 \equiv 4 \pmod 5, \\
X &= 4^2 - 4 - 0 = 12 \equiv 2 \pmod 5, \\
Y &= 4(4 - 2) - 2 = 6 \equiv 1 \pmod 5.
\end{align*}
So $3(0,1) = (2,1)$. Now we know that $E(\mathbb{F}_5)$ has order 9, so all its elements have order dividing 9. The only choices are 1, 3 or 9, and we have shown that $(0,1)$ does not have order 1 or 3. Therefore $(0,1)$ has order 9, and hence $E(\mathbb{F}_5)$ is cyclic and generated by $(0,1)$. For more examples of working with $E(\mathbb{F}_p)$ see Section 2.2.1.
Example 4.2. Let $E$ be the elliptic curve $y^2 + xy = x^3 + 1$ defined over $\mathbb{F}_2$. There are only four pairs $(x, y)$ with $x, y \in \mathbb{F}_2$, and all except $(0,0)$ satisfy the elliptic curve equation, so
\[ E(\mathbb{F}_2) = \{\infty, (0,1), (1,0), (1,1)\}. \]
This is a cyclic group of order 4. The point $\infty$ has order 1 and the point $(0,1)$ has order 2. We can show (using the formulas from Appendix A.3, since we are in characteristic 2) that $(1,0)$ and $(1,1)$ have order 4 and so are generators of the group.

Now consider $E(\mathbb{F}_4) = E(\mathbb{F}_{2^2})$. $\mathbb{F}_4$ is a finite field with 4 elements which we can write as $\mathbb{F}_4 = \{0, 1, \omega, \omega^2\}$, where $\omega^2 + \omega + 1 = 0$ (see Appendix B.5.1). We can use $\omega^3 = 1$ since
\begin{align*}
0 \cdot (\omega - 1) &= (\omega^2 + \omega + 1)(\omega - 1) \\
0 &= \omega^3 + \omega^2 + \omega - \omega^2 - \omega - 1 = \omega^3 - 1.
\end{align*}
Now let us list the elements of $E(\mathbb{F}_4)$.
\begin{align*}
x = 0: &\quad y^2 = 1 \ \Rightarrow\ y = 1 \\
x = 1: &\quad y^2 + y = 0 \ \Rightarrow\ y = 0, 1 \\
x = \omega: &\quad y^2 + \omega y = 0 \ \Rightarrow\ y = 0, \omega \\
x = \omega^2: &\quad y^2 + \omega^2 y = 0 \ \Rightarrow\ y = 0, \omega^2
\end{align*}
together with the point at infinity. Therefore
\[ E(\mathbb{F}_4) = \{\infty, (0,1), (1,0), (1,1), (\omega, 0), (\omega, \omega), (\omega^2, 0), (\omega^2, \omega^2)\}. \]
Since we are in characteristic 2 we know, by Proposition 3.11, that there is at most one point of order 2, which we have already identified as $(0,1)$. $E(\mathbb{F}_4)$ is a group of order 8, so its elements must have order 1, 2, 4 or 8. We know only $\infty$ has order 1 and only $(0,1)$ has order 2. By Theorem B.6 we know that only 4 elements have order dividing 4, so these are the elements of the order 4 subgroup $E(\mathbb{F}_2)$. We can conclude that $E(\mathbb{F}_4)$ is cyclic of order 8, where any of the four points that contain $\omega$ or $\omega^2$ is a generator.

Let $\phi_2(x,y) = (x^2, y^2)$ be the Frobenius map. We can see that $\phi_2$ permutes the elements of $E(\mathbb{F}_4)$ as
\begin{align*}
\phi_2(E(\mathbb{F}_4)) &= \{\infty, (0,1), (1,0), (1,1), (\omega^2, 0), (\omega^2, \omega^2), (\omega^4, 0), (\omega^4, \omega^4)\} \\
&= \{\infty, (0,1), (1,0), (1,1), (\omega^2, 0), (\omega^2, \omega^2), (\omega, 0), (\omega, \omega)\} = E(\mathbb{F}_4)
\end{align*}
using $\omega^3 = 1$. Furthermore we can see that
\[ E(\mathbb{F}_2) = \{(x,y) \in E(\mathbb{F}_4) \mid \phi_2(x,y) = (x,y)\}. \]
In general, for any elliptic curve $E$ defined over $\mathbb{F}_q$ and any extension $F$ of $\mathbb{F}_q$, the Frobenius map $\phi_q$ permutes the elements of $E(F)$ and is the identity on the subgroup $E(\mathbb{F}_q)$ (see Lemma 4.3).
Theorem 4.1. Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then
\[ E(\mathbb{F}_q) \cong \mathbb{Z}_n \quad\text{or}\quad \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \]
for some integer $n \ge 1$, or for some integers $n_1, n_2 \ge 1$ with $n_1 \mid n_2$.

Proof. From Theorem B.6 we know that a finite abelian group such as $E(\mathbb{F}_q)$ is isomorphic to a direct sum of cyclic groups
\[ E(\mathbb{F}_q) \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \dots \oplus \mathbb{Z}_{n_r} \]
with $n_i \mid n_{i+1}$ for $i \ge 1$. We can then apply Corollary B.7 to show that $E(\mathbb{F}_q)$ has $n_1^r$ elements of order dividing $n_1$. However, by Theorem 3.12 there are at most $n_1^2$ such points, therefore $r \le 2$, which gives the desired result. $\square$
4.2 Hasse's theorem

The aim of this section is to prove Hasse's theorem, which gives a bound on the size of $E(\mathbb{F}_q)$. We follow the logic in Chapter VI of [5] to understand the size of $E(\mathbb{F}_q)$.

For each of the $q$ possible values of $x$ there are at most 2 values of $y$ which, together with the $x$, could satisfy the Weierstrass equation. So it is easy to see that there are at most $2q + 1$ points in $E(\mathbb{F}_q)$: $\infty$ along with the $2q$ possible pairs $(x, y)$. However, since only half the elements in $\mathbb{F}_q$ have square roots, we might expect around half that number.

Recall the Legendre symbol (Appendix B.6). We can generalise this to a finite field $\mathbb{F}_q$, $q$ odd, by defining for $x \in \mathbb{F}_q$
\[ \left( \frac{x}{\mathbb{F}_q} \right) = \begin{cases} +1 & \text{if } t^2 = x \text{ has a solution } t \in \mathbb{F}_q^{\times} \\ -1 & \text{if } t^2 = x \text{ has no solution } t \in \mathbb{F}_q \\ 0 & \text{if } x = 0. \end{cases} \]
We can now give a more accurate expression for the number of points on $E(\mathbb{F}_q)$:
\[ 1 + \sum_{x \in \mathbb{F}_q} \left( 1 + \left( \frac{x^3 + Ax + B}{\mathbb{F}_q} \right) \right) = q + 1 + \sum_{x \in \mathbb{F}_q} \left( \frac{x^3 + Ax + B}{\mathbb{F}_q} \right). \]
We would expect $x^3 + Ax + B$ to be equally likely to have a square root or not. So we could treat the sum as a random walk where we have an equal chance of taking one step forwards or back at each stage. From probability theory the net distance travelled after $q$ tosses is of the order $\sqrt{q}$. So using this analysis we would expect the size of $E(\mathbb{F}_q)$ to be around $q + 1 \pm \sqrt{q}$. As we see from Hasse's Theorem below, this is close to the truth.
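The point count formula above, written out in Python as an added example (this is not code from the project). It assumes the prime case $q = p$ with $p$ an odd prime and a curve in short Weierstrass form $y^2 = x^3 + Ax + B$; the Legendre symbol is computed by Euler's criterion, and the count is compared exactly with the bound $|q + 1 - \#E(\mathbb{F}_q)| \le 2\sqrt{q}$ of Hasse's Theorem by squaring both sides. The three curves in the driver are the prime curves used in the examples of this chapter.

```python
# Added example (not the project's own code): counting the points of
# E: y^2 = x^3 + A x + B over F_p, p an odd prime, with the Legendre-symbol
# formula #E(F_p) = p + 1 + sum over x of (x^3 + A x + B | F_p), and checking
# the result against the Hasse bound |p + 1 - #E(F_p)| <= 2 sqrt(p).
from math import isqrt


def legendre(x, p):
    """Legendre symbol (x | F_p) for an odd prime p, by Euler's criterion:
    x^((p-1)/2) is 1 mod p for a non-zero square and p - 1 for a non-square."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def count_points(p, A, B):
    """#E(F_p), including the point at infinity, for y^2 = x^3 + A x + B."""
    total = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x ** 3 + A * x + B) % p
        # 1 + (rhs | F_p) is the number of y with y^2 = rhs:
        # 2 for a non-zero square, 1 when rhs = 0, 0 for a non-square.
        total += 1 + legendre(rhs, p)
    return total


def trace_a(p, A, B):
    """a = p + 1 - #E(F_p), the quantity that Hasse's theorem bounds."""
    return p + 1 - count_points(p, A, B)


def satisfies_hasse(p, A, B):
    """|a| <= 2 sqrt(p), compared exactly by squaring both sides."""
    a = trace_a(p, A, B)
    return a * a <= 4 * p


def hasse_interval(p):
    """All integers N with |p + 1 - N| <= 2 sqrt(p): the candidates for #E(F_p)."""
    lo = p + 1 - 2 * isqrt(p) - 1               # 2 sqrt(p) < 2 isqrt(p) + 2
    hi = p + 1 + 2 * isqrt(p) + 1
    return [N for N in range(lo, hi + 1) if (p + 1 - N) ** 2 <= 4 * p]


if __name__ == "__main__":
    # The prime curves used in the examples of this chapter.
    for p, A, B in [(5, 1, 1), (557, -10, 21), (103, 7, 12)]:
        N = count_points(p, A, B)
        interval = hasse_interval(p)
        print(f"p={p}: #E(F_p)={N}, a={trace_a(p, A, B)}, "
              f"Hasse interval [{interval[0]}, {interval[-1]}]")
```

The loop is $O(p)$ field exponentiations, which is why the text later turns to orders of points and baby step, giant step for larger fields; for the small primes above it is instant and reproduces the orders 9, 567 and 104 quoted in Examples 4.1, 4.3 and 4.4.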
Theorem 4.2 (Hasse). Let $E$ be an elliptic curve over the finite field $\mathbb{F}_q$. Then the order of $E(\mathbb{F}_q)$ satisfies the following inequality.
\[ |q + 1 - \#E(\mathbb{F}_q)| \le 2\sqrt{q} \]
The proof is given in the following section.
4.2.1 The Frobenius endomorphism

Let $\mathbb{F}_q$ be a finite field with algebraic closure $\bar{\mathbb{F}}_q$ and let the Frobenius map for $\mathbb{F}_q$, $\phi_q : \bar{\mathbb{F}}_q \to \bar{\mathbb{F}}_q$, be given by
\[ \phi_q : x \mapsto x^q. \]
Let $E$ be an elliptic curve defined over $\mathbb{F}_q$; then $\phi_q$ acts on the coordinates of points in $E(\bar{\mathbb{F}}_q)$ as below.
\[ \phi_q(x,y) = (x^q, y^q), \qquad \phi_q(\infty) = \infty \]

Lemma 4.3. Let $E$ be defined over $\mathbb{F}_q$ and let $(x,y) \in E(\bar{\mathbb{F}}_q)$. Then
(i) $\phi_q(x,y) \in E(\bar{\mathbb{F}}_q)$.
(ii) $(x,y) \in E(\mathbb{F}_q)$ if and only if $\phi_q(x,y) = (x,y)$.

Proof. We know from Theorem B.14 that in a field of characteristic $p$, where $q$ is a power of $p$,
\[ (a + b)^q = a^q + b^q, \qquad a^q = a \ \text{ for } a \in \mathbb{F}_q. \]
This proof will hold for both the Weierstrass and generalised Weierstrass equations, so assume $E$ is given by
\[ y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \]
with $a_i \in \mathbb{F}_q$. Now raising each side of the equation to the power $q$ gives
\begin{align*}
(y^2 + a_1 xy + a_3 y)^q &= (x^3 + a_2 x^2 + a_4 x + a_6)^q \\
(y^2)^q + a_1^q x^q y^q + a_3^q y^q &= (x^3)^q + a_2^q (x^2)^q + a_4^q x^q + a_6^q \\
(y^q)^2 + a_1 (x^q y^q) + a_3 (y^q) &= (x^q)^3 + a_2 (x^q)^2 + a_4 (x^q) + a_6.
\end{align*}
So we see that $(x^q, y^q)$ lies on $E$, proving part (i).

For part (ii) we recall from Theorem B.14 that $x \in \mathbb{F}_q$ if and only if $\phi_q(x) = x$. The same will be true for $y$, and so using part (i)
\[ (x,y) \in E(\mathbb{F}_q) \iff x, y \in \mathbb{F}_q \iff \phi_q(x) = x,\ \phi_q(y) = y \iff \phi_q(x,y) = (x,y). \quad\square \]
Let $E$ be an elliptic curve defined over $\mathbb{F}_q$. Recall from Lemma 3.4 that $\phi_q$ is then an endomorphism of $E$ of degree $q$, and is not separable. We also find that the kernel of the endomorphism $\phi_q$ is trivial (related to the fact that it is not separable, by Theorem 3.5).

Since $\phi_q$ is an endomorphism of $E$, so is $\phi_q^2 = \phi_q \circ \phi_q$. Moreover so is
\[ \phi_q^n = \underbrace{\phi_q \circ \phi_q \circ \dots \circ \phi_q}_{n} \]
for every $n \ge 1$. Since multiplication by $-1$ is also an endomorphism, we can conclude that the sum $\phi_q^n - 1$ is an endomorphism of $E$.

Proposition 4.4. Let $E$ be defined over $\mathbb{F}_q$ and let $n \ge 1$. Then
(i) $\mathrm{Ker}(\phi_q^n - 1) = E(\mathbb{F}_{q^n})$.
(ii) $\phi_q^n - 1$ is a separable endomorphism, so $\#E(\mathbb{F}_{q^n}) = \deg(\phi_q^n - 1)$.

Proof. Part (i) can be seen easily from Lemma 4.3, and the fact that $\phi_q^n - 1$ is separable was proved in Proposition 3.10. Therefore part (ii) follows from Theorem 3.5. $\square$
PROOF OF HASSE'S THEOREM

Let
\[ a = q + 1 - \#E(\mathbb{F}_q) = q + 1 - \deg(\phi_q - 1). \tag{4.1} \]
We need to show that $|a| \le 2\sqrt{q}$. We use the following.

Lemma 4.5. Let $r, s$ be integers with $\gcd(s, q) = 1$. Then
\[ \deg(r\phi_q - s) = r^2 q + s^2 - rsa. \]

Proof. Using Proposition 3.23 with $a = r$, $\alpha = \phi_q$, $b = s$ and $\beta = -1$:
\[ \deg(r\phi_q - s) = r^2\deg(\phi_q) + s^2\deg(-1) + rs\,[\deg(\phi_q - 1) - \deg(\phi_q) - \deg(-1)]. \]
We know that $\deg(\phi_q) = q$ and $\deg(-1) = 1$, so using the definition of $a$
\begin{align*}
\deg(r\phi_q - s) &= r^2 q + s^2 + rs\,[\deg(\phi_q - 1) - q - 1] \\
&= r^2 q + s^2 - rs\,[q + 1 - \deg(\phi_q - 1)] \\
&= r^2 q + s^2 - rsa. \quad\square
\end{align*}

Note that the assumption that $\gcd(s, q) = 1$ was included to allow the use of Proposition 3.23. We now return to the proof of Hasse's Theorem. By definition $\deg(r\phi_q - s) \ge 0$, so by the above lemma
\[ r^2 q + s^2 - rsa \ge 0 \quad\Longrightarrow\quad \left(\frac{r}{s}\right)^2 q + 1 - \left(\frac{r}{s}\right) a \ge 0 \]
for all $r, s$ with $\gcd(s, q) = 1$.

We show here that the set of rational numbers $r/s$ such that $\gcd(s, q) = 1$ is dense in $\mathbb{R}$. For a subset $X \subseteq \mathbb{R}$ to be dense in $\mathbb{R}$ means that for every real number $a$, every interval centred on $a$ contains points of $X$. Let $X$ denote the set in question and let the denominator $s$ be equal to a power of 2 or a power of 3. One of these choices will be coprime to $q$, since $q$ is a power of a single prime $p$. It is easy to see that the rationals of the form $r/2^m$ or $r/3^m$ will be dense in $\mathbb{R}$. Therefore $X$ will contain a subset that is dense in $\mathbb{R}$, and so $X$ is itself dense in $\mathbb{R}$.

Since the set of rationals $r/s$ such that $\gcd(s, q) = 1$ is dense in $\mathbb{R}$, we conclude that for all real numbers $x$, $qx^2 - ax + 1 \ge 0$. Suppose for a contradiction that this were not the case and that there was $r \in \mathbb{R}$ such that $qr^2 - ar + 1 < 0$. Consider a sequence of open intervals about $r$:
\[ (r - \delta, r + \delta) \quad\text{where } \delta = 1/n,\ n = 1, 2, 3, \dots \]
Then within each of these intervals there would be a point $x_n \in X$, where $X$ is the dense set of rationals $r/s$ such that $\gcd(s, q) = 1$. We would get a sequence $x_1, x_2, \dots$ of numbers getting closer and closer to $r$. For $i$ sufficiently large we could find a value of
\[ qx_i^2 - ax_i + 1 \]
that was arbitrarily close to $qr^2 - ar + 1$. However, since $x_i \in X$ this first value would be $\ge 0$ while the second is strictly less than zero. So we have a contradiction.

So $qx^2 - ax + 1 \ge 0$ for all $x \in \mathbb{R}$. Therefore the polynomial must have either a double real root or a pair of complex roots. Hence the discriminant of the polynomial is negative or $0$:
\[ a^2 - 4q \le 0. \]
This means that $|a| \le 2\sqrt{q}$, which completes the proof of Hasse's theorem. $\square$
The following theorem is another useful consequence of Proposition 4.4.

Theorem 4.6. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$ and $a$ as defined in Equation (4.1). Then
\[ \phi_q^2 - k\phi_q + q = 0 \]
as endomorphisms of $E$, if and only if $k = a$. In other words, if $(x,y) \in E(\bar{\mathbb{F}}_q)$ then
\[ (x^{q^2}, y^{q^2}) - k(x^q, y^q) + q(x,y) = \infty \]
for all $(x,y) \in E(\bar{\mathbb{F}}_q)$ if and only if $k = a$. Moreover $a$ is the unique integer satisfying
\[ a \equiv \mathrm{Trace}((\phi_q)_m) \pmod m \]
for all $m$ with $\gcd(m, q) = 1$.

Proof. If $\phi_q^2 - a\phi_q + q$ is not the zero endomorphism, then its kernel is finite (Proposition 3.5), so we must show that its kernel is infinite.

Let $m \ge 1$ be an integer with $\gcd(m, q) = 1$. Recall that $\phi_q$ induces a matrix $(\phi_q)_m$ that describes the action of $\phi_q$ on $E[m]$. Let
\[ (\phi_q)_m = \begin{pmatrix} s & t \\ u & v \end{pmatrix}. \]
$\phi_q - 1$ is separable by Proposition 3.10, so we can use Theorem 3.5 and Proposition 3.22 to show
\begin{align*}
\#\mathrm{Ker}(\phi_q - 1) = \deg(\phi_q - 1) &\equiv \det((\phi_q)_m - I) \pmod m \\
&= \begin{vmatrix} s - 1 & t \\ u & v - 1 \end{vmatrix} \\
&= (s-1)(v-1) - tu \\
&= sv - tu - (s + v) + 1.
\end{align*}
By Proposition 3.22, $sv - tu = \det((\phi_q)_m) \equiv \deg(\phi_q) = q \pmod m$. Note also from Equation (4.1) that $\#\mathrm{Ker}(\phi_q - 1) = q + 1 - a$, so we can conclude
\[ \mathrm{Trace}((\phi_q)_m) = s + v \equiv a \pmod m. \]
By the Cayley-Hamilton theorem (every square matrix satisfies its characteristic equation), or by straightforward calculation,
\[ (\phi_q)_m^2 - a(\phi_q)_m + qI \equiv 0 \pmod m \]
where $I$ is the $2 \times 2$ identity matrix. This means that the endomorphism $\phi_q^2 - a\phi_q + q$ is identically zero on $E[m]$. Since there are infinitely many choices for $m$, the kernel is infinite, making the endomorphism $0$, as required.

Suppose $a_1 \neq a$ satisfies $\phi_q^2 - a_1\phi_q + q = 0$. Then
\[ (a - a_1)\phi_q = (\phi_q^2 - a_1\phi_q + q) - (\phi_q^2 - a\phi_q + q) = 0 - 0 = 0. \]
By Theorem 3.6, $\phi_q : E(\bar{\mathbb{F}}_q) \to E(\bar{\mathbb{F}}_q)$ is surjective, therefore for any element $y \in E(\bar{\mathbb{F}}_q)$ there exists $x \in E(\bar{\mathbb{F}}_q)$ such that $\phi_q(x) = y$. So for all $y \in E(\bar{\mathbb{F}}_q)$
\[ (a - a_1)y = (a - a_1)\phi_q(x) = 0, \]
therefore $(a - a_1)$ annihilates $E(\bar{\mathbb{F}}_q)$. In particular $(a - a_1)$ annihilates $E[m]$ for every $m \ge 1$. Since there are points in $E[m]$ of order $m$ when $\gcd(m, q) = 1$, we find that $a - a_1 \equiv 0 \pmod m$. Therefore $a - a_1 = 0$, so $a$ is unique. $\square$
4.3 Orders of points

Let $P \in E(\mathbb{F}_q)$. The order of $P$ is the smallest positive integer $k$ such that $kP = \infty$. In this section we show how knowing the order of a point in $E(\mathbb{F}_q)$ can allow us to find the order of $E(\mathbb{F}_q)$ itself. We then derive and demonstrate an algorithm to find the order of a point.

The order of a point will always divide the order of the group $E(\mathbb{F}_q)$ (see Theorem B.3). Also, for an integer $n$, we have $nP = \infty$ if and only if the order of $P$ divides $n$. By Hasse's Theorem $\#E(\mathbb{F}_q)$ lies in an interval of length $4\sqrt{q}$. Therefore if we find a point of order greater than $4\sqrt{q}$, then $\#E(\mathbb{F}_q)$ must be a multiple of this order. There can only be one such multiple in the interval, which will therefore be $\#E(\mathbb{F}_q)$.

Even if the order of the point is smaller than $4\sqrt{q}$, we will still obtain a relatively small list of possibilities for $\#E(\mathbb{F}_q)$. Also, using several more points could shorten the list to a unique possibility for $\#E(\mathbb{F}_q)$. In the following subsection we will discuss a method for finding the order of a point.
Example 4.3. Let $E$ be $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$. The point $(2, 3)$ can be shown to have order 189 (see Example 4.6). Hasse's Theorem implies
\[ 511 \le \#E(\mathbb{F}_{557}) \le 605. \]
The only multiple of 189 in this range is $3(189) = 567$, so $\#E(\mathbb{F}_{557}) = 567$.

Example 4.4. Let $E$ be $y^2 = x^3 + 7x + 12$ over $\mathbb{F}_{103}$. It is relatively easy to show that the point $(-1, 2)$ has order 13 and the point $(19, 0)$ has order 2. Therefore the order of $E(\mathbb{F}_{103})$ is a multiple of 26. By Hasse's Theorem $84 \le \#E(\mathbb{F}_{103}) \le 124$, so the order must be 104.

Example 4.5. Let $E$ be $y^2 = x^3 + 7x + 12$ over $\mathbb{F}_7$. In this case $E(\mathbb{F}_7) \cong \mathbb{Z}_3 \oplus \mathbb{Z}_3$ and every point except infinity has order 3. Hasse's theorem gives $3 \le \#E(\mathbb{F}_7) \le 13$, so all we can conclude is that the order is 3, 6, 9 or 12.

When we are in situations where $E(\mathbb{F}_q) \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$, as in the previous example, finding the order of the group is far more difficult. However this situation is fairly rare, as the next proposition shows.
Proposition 4.7. Let $E$ be an elliptic curve over $\mathbb{F}_q$ and suppose
\[ E(\mathbb{F}_q) \cong \mathbb{Z}_n \oplus \mathbb{Z}_n \]
for some integer $n$. Then either $q = n^2 + 1$, $q = n^2 \pm n + 1$ or $q = (n \pm 1)^2$.

Proof. In this case $\#E(\mathbb{F}_q) = n^2$, so by Hasse's Theorem $n^2 = q + 1 - a$ where $|a| \le 2\sqrt{q}$. We now need the following lemma.

Lemma 4.8. $a \equiv 2 \pmod n$.

Proof. Let $p$ be the characteristic of $\mathbb{F}_q$. If $p \mid n$ then, by Theorem B.4, there would be $(p - 1)$ elements of order $p$ in $\mathbb{Z}_n$, and so (including $\infty$) $p^2$ points in $E[p]$. However, if $p \mid n$ then by Theorem 3.12 we write $n = p^r n'$ and we have either
\[ E[n] \cong \mathbb{Z}_{n'} \oplus \mathbb{Z}_{n'} \quad\text{or}\quad \mathbb{Z}_n \oplus \mathbb{Z}_{n'} \]
where $p \nmid n'$. If we are in the first case then $E[p]$ has only 1 element, and if we are in the second it has $p$, so we must conclude that $p \nmid n$.

Since $E[n] \subseteq E(\mathbb{F}_q)$, we can use Corollary 3.21 to show that the $n$th roots of unity are in $\mathbb{F}_q$. Then by Proposition B.15 $(q - 1)$ is a multiple of $n$. Therefore
\[ a = q + 1 - n^2 = (q - 1) + 2 - n^2 \equiv 2 \pmod n. \quad\square \]

Now write $a = 2 + kn$ for some integer $k$. Then
\[ n^2 = q + 1 - a = q - 1 - kn \quad\Longrightarrow\quad q = n^2 + kn + 1. \]
By Hasse's Theorem
\[ 2\sqrt{q} \ge |q + 1 - \#E(\mathbb{F}_q)| = |n^2 + kn + 1 + 1 - n^2| = |2 + kn|. \]
Taking squares of both sides gives
\begin{align*}
4q &\ge 4 + 4kn + k^2 n^2 \\
4(n^2 + kn + 1) &\ge 4 + 4kn + k^2 n^2 \\
\Longrightarrow\qquad k^2 &\le 4.
\end{align*}
So $|k| \le 2$, meaning the possible values of $k$ are $0, \pm 1, \pm 2$. Substituting these into $q = n^2 + kn + 1$ gives the possible values of $q$ stated in the proposition:
\begin{align*}
k = 0: &\quad q = n^2 + 1 \\
k = \pm 1: &\quad q = n^2 \pm n + 1 \\
k = \pm 2: &\quad q = n^2 \pm 2n + 1 = (n \pm 1)^2. \quad\square
\end{align*}

Most values of $q$ are not of one of these forms, and even for such $q$ it is unlikely that the elliptic curve would have the form $E(\mathbb{F}_q) \cong \mathbb{Z}_n \oplus \mathbb{Z}_n$. More generally, most $q$ are such that all elliptic curves over $\mathbb{F}_q$ have points of order greater than $4\sqrt{q}$. So we can usually find points with orders that will allow us to determine $\#E(\mathbb{F}_q)$.

We discuss other methods to determine exactly the size of $E(\mathbb{F}_q)$ in Appendix A.7. We show how we can derive the size of $E(\mathbb{F}_{q^n})$ from the size of $E(\mathbb{F}_q)$, if it is known, in Section A.7.1. Then in Section A.7.2 we show how to use the Legendre symbol mentioned earlier in a point counting algorithm.
4.3.1 Baby step, giant step

We want to find the order of $P \in E(\mathbb{F}_q)$. We will need to find an integer $k$ so that $kP = \infty$. Let $\#E(\mathbb{F}_q) = N$; then
\[ q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}. \]
We could try every integer in this range to see which ones satisfy $NP = \infty$, which would take around $4\sqrt{q}$ steps. However we can speed this up to around $4q^{1/4}$ steps using the following baby step, giant step algorithm.

(1) Compute $Q = (q + 1)P$.
(2) Choose an integer $m$ with $m > q^{1/4}$. Compute and store the points $jP$ for $j = 0, 1, 2, \dots, m$.
(3) Compute the points
\[ Q + k(2mP) \quad\text{for } k = -m, -(m-1), \dots, m \]
until there is a match with a point or its negative in the stored list:
\[ Q + k(2mP) = \pm jP. \]
(4) Conclude that $(q + 1 + 2mk \mp j)P = \infty$. Let $M = q + 1 + 2mk \mp j$.
(5) Factor $M$. Let $p_1, \dots, p_r$ be the distinct prime factors of $M$.
(6) Compute $(M/p_i)P$ for $i = 1, \dots, r$. If $(M/p_i)P = \infty$ for some $i$, replace $M$ with $M/p_i$ and go back to step (5). If $(M/p_i)P \neq \infty$ for all $i$ then $M$ is the order of the point $P$.
(7) If we are looking for $\#E(\mathbb{F}_q)$ then repeat steps 1-6 with randomly chosen points in $E(\mathbb{F}_q)$ until the least common multiple of the orders divides only one integer $N$ with $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. Then $N = \#E(\mathbb{F}_q)$.
We must now show that this method works. The first point to prove is that there will always be a match in step (3):

Lemma 4.9. Let $a$ be an integer with $|a| \le 2m^2$. There exist integers $a_0$ and $a_1$ with $-m \le a_0 \le m$ and $-m \le a_1 \le m$ such that
\[ a = a_0 + 2ma_1. \]

Proof. Let $a_0 \equiv a \pmod{2m}$, with $-m < a_0 \le m$, and $a_1 = (a - a_0)/2m$. Now the integer $a_0$ clearly exists and satisfies the conditions of the lemma. Also
\[ |a_1| \le \frac{2m^2 + m}{2m} = \frac{2m + 1}{2} < m + 1. \]
Because $a_1$ is an integer we see $|a_1| \le m$, and so it also satisfies the conditions of the lemma. Finally we see that, as required,
\[ a_0 + 2ma_1 = a_0 + (a - a_0) = a. \quad\square \]

Let $a = a_0 + 2ma_1$ be as in the lemma. Let $k = -a_1$, which is reasonable as $-a_1$ will be one of the $k$s tested. Then
\begin{align*}
Q + k(2mP) &= (q + 1 - 2ma_1)P = (q + 1 - a + a_0)P \\
&= NP + a_0 P = a_0 P = \pm jP
\end{align*}
where $j = |a_0|$. This is again reasonable as one of the $j$s will be $|a_0|$. So we see that we will always find a match in stage (3).

To make the conclusion of part (4) note that
\begin{align*}
(q + 1 + 2mk \mp j)P &= [Q + k(2mP)] \mp jP \\
&= [\pm jP] \mp jP = \infty
\end{align*}
by the rules of elliptic curve addition.

We must now show that step (6) yields the order of $P$, and that the algorithm will find the order of the point.

Lemma 4.10. Let $G$ be an additive group (with identity $0$), and let $g \in G$. Suppose $Mg = 0$ for some positive integer $M$. Let $p_1, \dots, p_r$ be the distinct primes dividing $M$. If $(M/p_i)g \neq 0$ for all $i$, then $M$ is the order of $g$.

Proof. Let $k$ be the order of $g$; then $k \mid M$. Suppose $k \neq M$ and let $p_i$ be a prime dividing $M/k$. Then $p_i k \mid M$, so $k \mid (M/p_i)$. Therefore $(M/p_i)g = 0$, contrary to assumption. Therefore $k = M$. $\square$

Therefore step (6) finds the order of $P$.
Example 4.6. Let $E$ be the elliptic curve $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$ and let $P = (2, 3)$. We will show $P$ has order 189, as stated in Example 4.3, using the procedure above.

(1) $Q = 558P$, which using successive doubling is $(418, 33\ldots)$.
(2) Let $m = 5$, which is greater than $557^{1/4}$ ($= 4.858\ldots$). The list of $jP$ is
\[ \infty,\ (2, 3),\ (58, 164),\ (44, 294),\ (56, 339),\ (132, 364). \]
(3) When $k = 1$ we have $Q + k(2mP) = (2, 3)$, which matches a point on the list, when $j = 1$.
(4) We have $(q + 1 + 2mk - j)P = 567P = \infty$.
(5) Factor $567 = 3^4 \cdot 7$.
(6) $(567/3)P = 189P = \infty$. So we now try again with $189 = 3^3 \cdot 7$.
(7) $(189/3)P = (38, 535) \neq \infty$ and $(189/7)P = (136, 360) \neq \infty$. Therefore 189 is the order of $P$.

As stated in Example 4.3, this allows us to determine $\#E(\mathbb{F}_{557}) = 567$.

Notes on this algorithm:
- To save storage space, only store the $x$-coordinates of the points $jP$.
- Computing $Q + k(2mP)$ can be done by computing $Q$ and $2mP$ once only, and then using them for all points. Then to get from $Q + k(2mP)$ to $Q + (k+1)(2mP)$ simply add $2mP$ rather than recomputing everything. Similarly, once $jP$ has been computed just add $P$ to get $(j+1)P$.
- The baby steps are from the point $jP$ to $(j+1)P$, while the giant steps are from $k(2mP)$ to $(k+1)(2mP)$. The second step is far bigger, $2mP$ instead of $P$, hence the name of the algorithm.
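The group-law computations of Example 4.1 and the baby step, giant step procedure of this subsection (steps 1-6, including the Lemma 4.10 reduction, and the Hasse-interval argument of Section 4.3 for step 7), as one added Python example; this is not code from the project. It assumes an odd prime $p$, a curve in short Weierstrass form $y^2 = x^3 + Ax + B$, points stored as $(x, y)$ tuples with $\infty$ represented by `None`, and $m = \lfloor p^{1/4} \rfloor + 1$ for the baby-step count. A match in step (3) can occasionally give $M = 0$, which says nothing about $P$, so the search keeps only positive $M$; Lemma 4.9 guarantees that a positive one exists.

```python
# Added example (not the project's own code): the affine group law on
# E: y^2 = x^3 + A x + B over F_p for an odd prime p, scalar multiplication
# by successive doubling, the baby step, giant step order computation of
# Section 4.3.1 (steps 1-6, with the Lemma 4.10 refinement) and the
# Hasse-interval argument of Section 4.3 (step 7). A point is an (x, y)
# tuple of residues; the point at infinity is None.
from math import isqrt, lcm


def on_curve(P, A, B, p):
    """True iff P is infinity or satisfies y^2 = x^3 + A x + B mod p."""
    return P is None or (P[1] ** 2 - (P[0] ** 3 + A * P[0] + B)) % p == 0


def neg(P, p):
    return None if P is None else (P[0], (-P[1]) % p)


def add(P, Q, A, p):
    """Chord-and-tangent addition with the formulas used in Example 4.1."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None  # Q = -P (also covers doubling a point with y = 0)
    if P == Q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, A, p):
    """kP by successive doubling (Section 3.2.1); negative k is allowed."""
    if k < 0:
        return mul(-k, neg(P, p), A, p)
    R, T = None, P
    while k:
        if k & 1:
            R = add(R, T, A, p)
        T = add(T, T, A, p)
        k >>= 1
    return R


def prime_factors(n):
    """Distinct prime factors of n by trial division (n is about p here)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def point_order(P, A, p):
    """Order of P in E(F_p) by baby step, giant step (steps 1-6 of 4.3.1)."""
    Q = mul(p + 1, P, A, p)                              # step 1
    m = isqrt(isqrt(p)) + 1                              # step 2: m > p^(1/4)
    baby = [mul(j, P, A, p) for j in range(m + 1)]       # jP, j = 0..m
    giant = mul(2 * m, P, A, p)                          # 2mP, computed once
    M = None
    for k in range(-m, m + 1):                           # step 3
        R = add(Q, mul(k, giant, A, p), A, p)            # Q + k(2mP)
        for j, jP in enumerate(baby):
            sign = 1 if R == jP else -1 if R == neg(jP, p) else 0
            cand = p + 1 + 2 * m * k - sign * j          # step 4: cand * P = inf
            if sign and cand > 0:   # a match giving M = 0 says nothing about P
                M = cand
                break
        if M is not None:
            break
    assert M is not None, "Lemma 4.9 guarantees a positive match"
    shrunk = True                                        # steps 5-6
    while shrunk:
        shrunk = False
        for pf in prime_factors(M):
            if mul(M // pf, P, A, p) is None:
                M //= pf
                shrunk = True
                break
    return M                                             # Lemma 4.10


def group_order(A, B, p, points):
    """Step 7: the unique N with |p + 1 - N| <= 2 sqrt(p) that is a multiple
    of every point order found, or None if the points do not pin N down."""
    L = 1
    for P in points:
        assert on_curve(P, A, B, p), f"{P} is not on the curve"
        L = lcm(L, point_order(P, A, p))
    lo = p + 1 - 2 * isqrt(p) - 1
    hi = p + 1 + 2 * isqrt(p) + 1
    cands = [N for N in range(lo, hi + 1)
             if (p + 1 - N) ** 2 <= 4 * p and N % L == 0]
    return cands[0] if len(cands) == 1 else None
```

For $p = 557$ the code chooses $m = 5$, the same value as Example 4.6, and `point_order((2, 3), -10, 557)` reduces whatever multiple the first match produces down to 189, after which `group_order(-10, 21, 557, [(2, 3)])` returns the single candidate 567 in the Hasse interval; the two points of Example 4.4 pin $\#E(\mathbb{F}_{103})$ to 104 in the same way, and `group_order(1, 1, 5, [(0, 1)])` recovers the order 9 of Example 4.1. The Example 4.5 curve over $\mathbb{F}_7$ is exactly the situation in which `group_order` returns `None`, since a point of order 3 leaves several multiples in the interval.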
Chapter 5
Elliptic curve cryptography
We start this chapter by introducing the basic terms used in cryptography,
and then move on to discuss public key cryptography in more detail. We give
the denitions of two public key systems, one for key exchange and one for
encryption, and show how they can be adapted for use with elliptic curves.
Most of the cryptographic denitions and explanations are well known
and here the basics are adapted from [7] Chapter 1. The background on
public key schemes in Section 5.2 was adapted from Chapter 6 of [8].
5.1 The basics of cryptography
In keeping with the traditions of cryptographic discussion suppose that we
have two users Alice and Bob who wish to communicate securely so that the
evesdropper, Eve, does not learn about the information exchanged. They
will use cryptography, the science of keeping messages secure.
If Alice wishes to send the plaintext, M, (her message) to Bob she will
use some encryption function (E) to transform this message to ciphertext,
C. This ciphertext should be unintelligible to any third party, but also able
to be decrypted once it has been received by Bob.
Plaintext Encryption Ciphertext Decryption Plaintext
We will think of the plaintext (and ciphertext) as strings of 0s and 1s (bits)
which almost all messages (text, pictures etc.) can be converted into.
The cryptographic algorithm that is used for encryption and decryption is
know as the cipher. Restricted algorithms have security based on keeping this
61
algorithm a secret. Such a requirement is unrealistic given any relatively large
system and also allows no quality control or standardization of the algorithm.
Kerchos assumption (1883) was that the secrecy of a cryptosystem must
rely on a key and not the cipher.
It is these key based systems that are used in practice, with the keyspace,
K, dened as the range of possible keys. Increasing the key by 1 bit will
double the size of the key space, so adding 5 bits for example, will make the
keyspace 32 times bigger. There are two main types of key-based cryptosys-
tems:
Symmetric key algorithms use the same key for both encryption and
decryption (or the decryption key can be easily derived from the en-
cryption key).
E
K
(M) = C, D
K
(C) = M
Alice and Bob need to agree on this secret key before they can com-
municate securely.
Public key algorithms use separate keys for encryption and decryption.
E
K
1
(M) = C, D
K
2
(C) = M
The encryption key is often know as the public key and the decryption
key as private. Because the encryption key is known publically, Alice
does not need to have had prior communication with Bob to send him
a message.
A cryptosystem is an algorithm, plus all possible plaintexts, ciphertexts
and keys.
Cryptanalysis is the attempt to obtain the plaintext without access to
the key, by attacking the system. The most basic form of attack would be
to try every possible key until the correct one is found, which is known as a
brute-force attack. It is important to make the keyspace large enough for this
to be infeasible. However a larger key will result in more time and memory
needed to perform the algorithm and so there is a trade o to consider.
There are many other more sophisticated attacks that a cryptanalyst can
employ, which users of a cryptosystem must consider. A cryptosystem would
be unconditionally secure if no matter how much ciphertext an opponent
62
has they are unable to derive the plaintext. There has only ever been one
such cryptosystem, the one time pad. This system had a key as long as the
message itself, which could only be used once and so is not very practical.
Most systems aim for computational security, which is when the cryptosystem cannot be broken with available resources. This can be defined in a variety of ways, including the amount of time, data and memory required.
There are other applications of cryptography in addition to keeping messages secure that can be of great use. These include:
Authentication: A system with authentication is able to prove the origin of a message. If Bob receives a message it would be valuable to know for sure that it was sent by Alice and not some impostor.
Integrity: A system with integrity would allow Bob to be sure that the message he has received has not been modified.
Nonrepudiation: If a system provides nonrepudiation then Alice would not be able to falsely deny sending a message to Bob.
Public key systems, in particular, allow for these other applications.
Elliptic curves are used to create public key cryptosystems, which we focus on in the next section. However, at present public key systems are too cumbersome for large scale use and so messages are still encoded with symmetric key algorithms. In most industrial cryptosystems public key cryptography is used to create the key needed for the symmetric algorithm which sends the message. Since symmetric algorithms still play such an important part we briefly look at them here.
These algorithms are usually based on substitutions (swapping a bit stream for another) and permutations (rearranging the ones we have). A simple example is the Caesar cipher (used by the Roman commander to communicate with his generals). Each letter is substituted for the one three characters to the right (modulo 26). For example:
CRYPTOGRAPHY \rightarrow FUBSWRJUDSKB
Such a simple example could be easily broken by looking at the letter frequencies, for example. However, there are much more sophisticated systems used in practice. Two such examples are the block ciphers DES and AES.
DES (the Data Encryption Standard) was a 56-bit cipher constructed by IBM and the NSA and adopted by the USA in 1976. It enjoyed widespread use internationally but in recent years has been considered insecure for many applications. This is chiefly due to the 56-bit key size being too small; DES keys have been broken in less than 24 hours.
AES (the Advanced Encryption Standard) is a 128-bit cipher constructed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, which often goes by its creators' name, Rijndael. This cipher was adopted, after a 5-year standardization process, by the USA in 2001 to replace DES. Notice that the keyspace is substantially bigger (recall that one extra bit doubles the keyspace).
5.2 Public key cryptography
Public key cryptography (also known as asymmetric) uses two separate keys, as opposed to symmetric encryption where the decryption key is easily derived from the encryption key. This use of two keys has profound consequences in the areas of key distribution and authentication.
It should also be noted that from its earliest beginnings to modern times cryptography has been based on permutations and substitutions (from the rotor machines of WWII to complicated computer code like DES). Public key cryptography revolutionised this, basing algorithms on mathematical functions.
In 1976 Whitfield Diffie and Martin Hellman came up with the idea of public key cryptography as a method of solving the problem of key distribution and the need for digital signatures in symmetric cryptography, by using two different but related keys for encryption and decryption. They recognised that it must be computationally infeasible to determine the decryption key given knowledge of the cryptographic algorithm and the encryption key. Figure 5.1 demonstrates how such a system would allow Alice to securely send a message to Bob without any prior contact.
Some algorithms will also have the property that either of the two keys can be used for encryption with the other used for decryption. In this case the public key algorithm could be used for authentication as in Figure 5.2. In addition to knowing the message could only have come from Alice, Bob can also be sure of the data security as no-one without access to Alice's private key could have altered the message.
Figure 5.1: Public key encryption: Alice encrypts a message with Bob's public key and sends it to him. Only Bob could read this message as only he has access to the private key necessary for decryption.
Figure 5.2: Public key authentication: Alice encrypts a message with her private key and sends it to Bob. Only Alice could have sent the message as only she has access to the private key necessary for encryption.
The authenticated message could be read by anyone who has access to Alice's public key, so it must also be encrypted with Bob's public key to be secure. To be more efficient, Alice should only encrypt a small segment with her private key for authentication purposes (an authenticator block) and then encrypt the whole message with Bob's public key.
Diffie & Hellman recognised the possible uses of such public key cryptosystems:
Encryption / decryption: The sender encrypts a message with the recipient's public key.
Digital signature: The sender signs a message with his private key.
Key exchange: Two sides cooperate to exchange a session key.
Although postulating this system, Diffie & Hellman did not demonstrate that such an algorithm for encryption exists (although they did propose a scheme for key exchange, which is examined in more detail in the next section).
Diffie & Hellman also recognised the need for a trapdoor one-way function in such a system. A one-way function maps a domain so that every function value has a unique inverse, with the condition that the calculation of the function value is easy whereas the calculation of the inverse is infeasible. (Easy implies polynomial length computation time.) A trapdoor one-way function is the same except that the inverse is easy to compute if certain additional information is known. Therefore we require a function f such that:
Y = f_k(X) \text{ is easy to compute, if } k \text{ and } X \text{ are known}
X = f_k^{-1}(Y) \text{ is easy to compute, if } k \text{ and } Y \text{ are known}
X = f_k^{-1}(Y) \text{ is infeasible to compute, if } Y \text{ is known but } k \text{ is not}
The classic example of such a function is the multiplication of two large primes. While it is relatively easy to multiply the two primes, it is extremely difficult to factorise the product unless some other information is known.
The first successful algorithm for public key encryption was RSA in 1978, named after its creators Ron Rivest, Adi Shamir and Len Adleman. This system relies on the prime factorisation problem described above and has since been widely used in a variety of applications. Although an important subject in cryptography, it is not used in conjunction with elliptic curves and so is not discussed here.
As with symmetric schemes, the security of a public key system depends on the size of the key, and any algorithm would be vulnerable to a brute force attack of trying all possible keys. The countermeasure is to use large keys; however, unlike symmetric schemes, the computation time may not rise linearly with the key size and so there is a trade-off between security and practicality. In practice the key sizes that make brute force attacks impractical result in encryption speeds that are too slow for general use. This is why, as mentioned earlier, public key cryptography has been confined to key management and signature applications, such as key exchange and authentication.
The actual message to be transferred is then encoded with a symmetric key system (e.g. AES). Due to the level of computation involved in public key systems this is likely to remain the case for some time, with Whitfield Diffie himself saying, "the restriction of public key cryptography to key management and signature applications is almost universally accepted".
5.3 The discrete logarithm problem
Diffie & Hellman derived an algorithm that allowed users to exchange a key securely, which can then be used in the subsequent encryption of messages. It appeared in the original paper by Diffie & Hellman (1976) and has been employed in a number of commercial products. The algorithm depends on the difficulty of computing discrete logarithms.
Recall that a primitive root of a prime p is a number whose powers generate the integers from 1 to (p − 1). So if α is a primitive root of a prime number p then the numbers
\alpha, \alpha^2, \alpha^3, \ldots, \alpha^{p-1} \pmod p
are distinct and consist of the integers 1 through p − 1 in some permutation. For any integer β one can find a unique exponent a such that
\beta \equiv \alpha^a \pmod p \quad \text{where } 0 \le a \le (p - 1)
The exponent a is referred to as the discrete logarithm and is denoted by ind_{α,p}(β).
We are able to define a one-way function with discrete logarithms since it is relatively easy to calculate b = α^a (mod p) but extremely difficult to find a given b, α and p. Diffie & Hellman originally recognised the problem below for the multiplicative group Z_p^* (see Appendix B.3); however, in the next section we show how it can be redefined for the groups formed by elliptic curves.
Discrete log problem: Let p be prime, α a primitive element of Z_p^* and β ∈ Z_p^*. Find the unique integer a, 0 ≤ a ≤ p − 2, such that
\alpha^a \equiv \beta \pmod p.
There is no known efficient (polynomial time) algorithm to solve the discrete log problem, provided p is carefully chosen.
5.3.1 Diffie-Hellman key exchange
This description of the key exchange and the following example were adapted from Chapter 6.4 of [8]. Suppose Alice and Bob want to securely exchange a key for future communications. To use the classical version of the Diffie-Hellman key exchange they would proceed as follows.
1. A prime number p and a primitive root of p, α, are known publicly.
2. Alice selects a random integer X_A < p and computes Y_A = α^{X_A} (mod p). Bob selects a random integer X_B < p and computes Y_B = α^{X_B} (mod p).
3. Each user keeps X secret and sends Y to the other.
4. Alice computes K = (Y_B)^{X_A} mod p. Bob computes K = (Y_A)^{X_B} mod p.
These two calculations produce identical results since
(Y_A)^{X_B} = (\alpha^{X_A})^{X_B} = \alpha^{X_A X_B} = (\alpha^{X_B})^{X_A} = (Y_B)^{X_A}
and so the two sides have exchanged a secret key. The only information an attacker has to work with is p, α, Y_A and Y_B. It is believed that it is computationally infeasible to obtain K from this information. The opponent would be forced to take a discrete logarithm and compute X_B = ind_{α,p}(Y_B). This is summarised as the following problem.
The Diffie-Hellman problem: Given p prime, α a primitive root modulo p and elements α^a (mod p) and α^b (mod p), find α^{ab} (mod p).
The security of the Diffie-Hellman key exchange lies in the fact that it is relatively easy to calculate exponentials modulo a prime but very difficult to calculate discrete logarithms. For large primes the latter task is considered infeasible. However, it has not been proved that there is no other way to solve the Diffie-Hellman problem other than first finding the discrete log.
Example 5.1. Suppose p = 97, α = 5, X_A = 36, X_B = 58. Then
Y_A = 5^{36} \equiv 50 \pmod{97} \quad \text{and} \quad Y_B = 5^{58} \equiv 44 \pmod{97}
Alice and Bob will exchange their Y values and each compute:
K_A = (Y_B)^{X_A} = 44^{36} \equiv 75 \pmod{97}, \qquad K_B = (Y_A)^{X_B} = 50^{58} \equiv 75 \pmod{97}
From 50 and 44 the attacker cannot easily compute the shared secret key, 75.
5.3.2 The El Gamal cryptosystem
This is a public key cryptosystem based on the discrete log problem, first proposed in 1984. It will allow Alice to securely send a message to Bob without prior communication. This description of the El Gamal system was adapted from Chapter 6.2 of [10]. For simplicity, assume the message can be stored as an element of Z_p^* and define the algorithm as follows.
The key is formed from the prime p, the primitive root α, an integer a and β = α^a (mod p). The values p, α, β are made public while a is kept private. If Alice wants to send a message M ∈ {0, 1, ..., p − 1} to Bob she proceeds as follows.
1. Alice selects a random integer r ∈ Z_p^*.
2. Alice computes y_1 = α^r (mod p) and y_2 = M β^r (mod p).
3. Alice sends the ciphertext C = (y_1, y_2) to Bob.
4. Bob uses his private key, a, to calculate y_2 y_1^{p−1−a} (mod p), which gives the message M.
The decryption in the final step works because
y_2 y_1^{p-1-a} = y_2 y_1^{-a} \quad \text{since } x^{p-1} \equiv 1 \pmod p
= (M \beta^r)(\alpha^r)^{-a} \quad \text{by the definition of } y_1 \text{ and } y_2
= M(\beta^r)(\alpha^{-ar}) = M(\alpha^{ar})(\alpha^{-ar}) \equiv M \pmod p
Any third party would know p, α, β, y_1 = α^r and y_2 = M β^r. To recover M a third party could attempt to solve the discrete logarithm problem and find a from β = α^a. If the problem is set up carefully then this is considered infeasible.
It is important that Alice uses a different random integer each time she sends a message. Suppose the same r was used to encrypt both m_1 and m_2 and the resulting ciphertexts were (y_1, y_2) and (z_1, z_2). Then
\frac{y_2}{z_2} = \frac{m_1 \beta^r}{m_2 \beta^r} = \frac{m_1}{m_2}
Then suppose that the secret message m_1 was made public at some later point. If this happened then anyone who had stored the ciphertext could easily compute the new secret message m_2 by calculating m_1 z_2 / y_2 = m_2. Even worse, the eavesdropper can easily recognise that this mistake had been made as y_1 would equal z_1.
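The key exchange of Section 5.3.1 and the El Gamal scheme of Section 5.3.2 worked through in Python, as an added example that is not part of the dissertation; it reuses the parameters of Example 5.1 and includes the y_1 = z_1 check for a repeated r. Toy-sized p only; a real system uses primes of thousands of bits and a cryptographically secure random source.

```python
# Added example (not from the dissertation): classical Diffie-Hellman key
# exchange and El Gamal encryption in Z_p^*, using the parameters of
# Example 5.1 (p = 97, alpha = 5) and a check for the repeated-r mistake
# described in Section 5.3.2. Toy parameters only.
from dataclasses import dataclass


def dh_public(p: int, alpha: int, x: int) -> int:
    """Y = alpha^x (mod p): the value each party publishes."""
    return pow(alpha, x, p)


def dh_shared(p: int, y_other: int, x_own: int) -> int:
    """K = (Y_other)^{X_own} (mod p): the shared secret."""
    return pow(y_other, x_own, p)


def dh_example_5_1():
    """Reproduce Example 5.1: p = 97, alpha = 5, X_A = 36, X_B = 58."""
    p, alpha, x_a, x_b = 97, 5, 36, 58
    y_a, y_b = dh_public(p, alpha, x_a), dh_public(p, alpha, x_b)
    k_a, k_b = dh_shared(p, y_b, x_a), dh_shared(p, y_a, x_b)
    return y_a, y_b, k_a, k_b        # (50, 44, 75, 75)


@dataclass(frozen=True)
class ElGamalPublicKey:
    p: int
    alpha: int
    beta: int                        # beta = alpha^a (mod p)


def elgamal_keygen(p: int, alpha: int, a: int):
    """Public key (p, alpha, beta) and private exponent a."""
    return ElGamalPublicKey(p, alpha, pow(alpha, a, p)), a


def elgamal_encrypt(pk: ElGamalPublicKey, m: int, r: int):
    """(y1, y2) = (alpha^r, m * beta^r) mod p; r must be fresh per message."""
    if not 0 <= m < pk.p:
        raise ValueError("message must be an element of Z_p")
    return pow(pk.alpha, r, pk.p), (m * pow(pk.beta, r, pk.p)) % pk.p


def elgamal_decrypt(pk: ElGamalPublicKey, a: int, ct) -> int:
    """m = y2 * y1^(p-1-a) (mod p), exactly as in step 4 of Section 5.3.2."""
    y1, y2 = ct
    return (y2 * pow(y1, pk.p - 1 - a, pk.p)) % pk.p


def reused_r(ct1, ct2) -> bool:
    """Two ciphertexts made with the same r share y1: the mistake is visible."""
    return ct1[0] == ct2[0]


def recover_second_message(pk: ElGamalPublicKey, ct1, ct2, m1: int) -> int:
    """If r was reused and m1 later becomes public, m2 = m1 * z2 / y2 (mod p)."""
    y2, z2 = ct1[1], ct2[1]
    return (m1 * z2 * pow(y2, -1, pk.p)) % pk.p


if __name__ == "__main__":
    print("Example 5.1 (Y_A, Y_B, K_A, K_B):", dh_example_5_1())
    pk, a = elgamal_keygen(97, 5, 36)
    c1, c2 = elgamal_encrypt(pk, 42, 58), elgamal_encrypt(pk, 7, 58)
    print("ciphertexts:", c1, c2, "reused r:", reused_r(c1, c2))
    print("decrypts to:", elgamal_decrypt(pk, a, c1))
```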
5.4 Elliptic curve cryptography
In this section we show how elliptic curves are able to perform the protocols of the previous section. We describe the discrete logarithm for elliptic curves, and how it can be used for key exchange and encryption.
5.4.1 The discrete logarithm problem for elliptic curves
The systems of the previous section were originally designed for the finite abelian group F_q^*, the multiplicative group of a finite field. We will now redefine them for use with the finite, additive, abelian group formed by elliptic curves over a finite field F_q.
The elliptic curve analogue of multiplying two points in F_q^* is adding two points in E(F_q). So if we were raising a point P ∈ F_q^* to the kth power we are now multiplying P ∈ E(F_q) by k. When using these systems in practice, with large k, it will be necessary to use the method of successive doubling described in Section 3.2.1.
Let P, Q ∈ E(F_q) and suppose we know that aP = Q for some integer a. Then the discrete logarithm problem for elliptic curves is to find the integer a.
One way of solving the problem would be to try all possible a (brute force attack), so in cryptographic applications a is usually such that it could be an integer of several hundred digits. There are also more advanced attacks on the discrete logarithm problem, which mean that the elliptic curve E and finite field F_q need to be selected carefully. We should specifically ensure that the order of E(F_q) is large enough to maintain security and that E is not supersingular.
Recall that an elliptic curve E in characteristic p is defined to be supersingular if E[p] = {∞}. These curves are important as many calculations can be done more quickly on them than on an arbitrary elliptic curve. Unfortunately, however, discrete logarithms can be significantly easier to solve on these curves and the cryptographic algorithms defined on them are open to specific attacks. Some useful results for identifying supersingular curves can be found in Appendix A.8.
As in the classical case, there is no known efficient method for solving a well formed discrete logarithm problem for elliptic curves. We now look at how the systems described in the previous section can be used with elliptic curves. The description of these systems is adapted from Chapters 6.2 and 6.4 of [9] respectively.
5.4.2 Diffie-Hellman key exchange for elliptic curves
Here we describe the Diffie-Hellman key exchange for use with elliptic curves. This will enable Alice and Bob to securely construct a key for use in a symmetric encryption scheme such as DES or AES.
1. Alice and Bob agree on an elliptic curve E over a finite field F_q so that the discrete logarithm problem is hard in E(F_q). They also agree on a point P ∈ E(F_q) such that the subgroup generated by P has large order (usually prime).
2. Alice chooses a secret integer a, computes P_a = aP and sends P_a to Bob.
3. Bob chooses a secret integer b, computes P_b = bP and sends P_b to Alice.
4. Alice computes aP_b = abP. Bob computes bP_a = abP.
5. Alice and Bob agree on a method to extract a key from abP. (For example, use the last 256 bits of the x-coordinate.)
The only information the eavesdropper, Eve, has is the curve E, the finite field F_q, and the points P, aP and bP. She will therefore need to solve:
Diffie-Hellman problem for elliptic curves: Given P, aP and bP in E(F_q), compute abP.
If Eve can solve discrete logs in E(F_q) then she could use P and aP to find a. She could then compute a(bP) to get abP. However, if E and F_q are chosen carefully then this is considered computationally infeasible. It is not known whether there is a way of computing abP without first solving a discrete log problem.
Example 5.2. (From Chapter 6.5 of [8]) The following will allow Alice and Bob to exchange a secret key:
1. Let E be y² = x³ − 4 defined over F_211 and let P = (2, 2) ∈ E(F_211). Both of these are agreed publicly by Alice and Bob.
2. Alice chooses a secret integer a = 121 and calculates
P_a = aP = 121(2, 2) = (115, 48)
where SUCDOB.m was used for the final step. Alice sends P_a to Bob.
3. Bob chooses a secret integer b = 203 and calculates
P_b = bP = 203(2, 2) = (130, 203)
where SUCDOB.m was used for the final step. Bob sends P_b to Alice.
4. Alice computes aP_b = 121(130, 203), which using SUCDOB.m gives (161, 169). Bob computes bP_a = 203(115, 48), which using SUCDOB.m gives (161, 169).
5. So Alice and Bob have securely generated the point (161, 169). They will have previously agreed some way to extract a key from this point.
Any eavesdropper would know the system E(F_211) and the points (2, 2), (115, 48) and (130, 203). To obtain (161, 169), though, Eve would have to solve the Diffie-Hellman problem for elliptic curves.
5.4.3 El Gamal cryptosystem for elliptic curves
Here we describe the El Gamal cryptosystem adapted for use with elliptic curves. Suppose Alice wants to send a message to Bob. Bob will establish his public key as follows. He chooses an elliptic curve E over a finite field F_q such that the discrete log problem is hard for E(F_q). He also chooses a point P on E (usually so that the order of P is a large prime). He chooses a secret integer s and computes B = sP.
Bob's public key consists of E, F_q, and the points P and B, while the integer s is kept private. To send a message to Bob, Alice proceeds as follows:
1. Alice obtains Bob's public key and encodes her message as a point M ∈ E(F_q).
2. Alice chooses a secret random integer r and computes
M_1 = rP \quad \text{and} \quad M_2 = M + rB
3. Alice sends M_1, M_2 to Bob.
4. Bob decrypts by calculating M_2 − sM_1.
The decryption works because
M_2 - sM_1 = (M + rB) - s(rP) = (M + rsP) - s(rP) = M
An eavesdropper would know Bob's public information and the points M_1, M_2. If she could calculate discrete logs then she could use P and B to find s, and then decrypt the message. This should be infeasible for a careful choice of system. There is no other known way to find M.
As in the classical case it is important that Alice uses a different random integer, r, each time. If the same r were used to encrypt both M and M' then the eavesdropper would notice that M'_1 = M_1. She would then compute
M'_2 - M_2 = M' + rB - M - rB = M' - M
If at any point in the future the original message, M, were made public then Eve could easily calculate the new message, M'.
Example 5.3. The following is an example of how Alice would send a message to Bob using the El Gamal cryptosystem adapted for elliptic curves. It was generated using the Matlab programs created throughout the project.
Bob chooses E to be y² = x³ + 8x + 1 defined over F_101 and P to be (11, 39) ∈ E(F_101). (To generate a list of elements of E(F_101), PC.m was used.) Bob then chooses s = 96 and calculates
B = sP = 96(11, 39) = (26, 98) \quad \text{using SUCDOB.m}
(To ensure no errors were made we use check.m to guarantee that this (and all following points) are on E(F_101).) Bob makes E, F_q, P and B public while keeping s private. To send a message to Bob, Alice proceeds as follows.
1. Alice obtains Bob's public key and encodes her message as M = (74, 91) ∈ E(F_101).
2. Alice chooses her secret integer r = 128 and computes
M_1 = rP = 128(11, 39) = (85, 76)
M_2 = M + rB = (74, 91) + 128(26, 98) = (74, 91) + (3, 70) = (76, 72)
(To perform the multiplication steps SUCDOB.m was used, while ECADP.m was used for the addition steps.)
3. Alice sends M_1 and M_2 to Bob.
4. Bob calculates
M_2 - sM_1 = (76, 72) - 96(85, 76) = (76, 72) - (3, 70) = (76, 72) + (3, -70) = (74, 91) = M
So Bob has securely received Alice's message M.
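An added Python example (not the dissertation's Matlab programs): the group law of Section 2.2 with successive doubling over F_p, run on the parameters of Example 5.2 and Example 5.3. The shared point it computes for Example 5.2 is (161, 69), since (161, 169) does not satisfy y² = x³ − 4 (mod 211), as on_curve() confirms.

```python
# Added example (not the dissertation's Matlab code): short-Weierstrass
# arithmetic over F_p, scalar multiplication by successive doubling
# (Section 3.2.1), the Diffie-Hellman exchange of Example 5.2 and the
# El Gamal scheme of Example 5.3. The point at infinity is None.
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]


class Curve:
    """y^2 = x^3 + A x + B over F_p, p an odd prime, 4A^3 + 27B^2 != 0."""

    def __init__(self, p: int, A: int, B: int):
        if (4 * A ** 3 + 27 * B ** 2) % p == 0:
            raise ValueError("singular curve")
        self.p, self.A, self.B = p, A % p, B % p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P: Point) -> Point:
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent group law (Section 2.2)."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        p = self.p
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                       # P + (-P) = infinity
        if P == Q:
            lam = (3 * x1 * x1 + self.A) * pow(2 * y1, -1, p) % p
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        return (x3, (lam * (x1 - x3) - y1) % p)

    def mul(self, k: int, P: Point) -> Point:
        """kP by successive doubling; a negative k uses -P."""
        if k < 0:
            k, P = -k, self.neg(P)
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


def ecdh_example_5_2():
    """E: y^2 = x^3 - 4 over F_211, P = (2, 2), a = 121, b = 203."""
    E = Curve(211, 0, -4)
    P = (2, 2)
    Pa, Pb = E.mul(121, P), E.mul(203, P)     # published by Alice and Bob
    return Pa, Pb, E.mul(121, Pb), E.mul(203, Pa)


def ec_elgamal_encrypt(E: Curve, P: Point, B: Point, M: Point, r: int):
    """Alice: M1 = rP, M2 = M + rB. r must be fresh for every message."""
    return E.mul(r, P), E.add(M, E.mul(r, B))


def ec_elgamal_decrypt(E: Curve, s: int, M1: Point, M2: Point) -> Point:
    """Bob: M = M2 - sM1."""
    return E.add(M2, E.neg(E.mul(s, M1)))


def ec_elgamal_example_5_3():
    """E: y^2 = x^3 + 8x + 1 over F_101, P = (11, 39), s = 96, r = 128."""
    E = Curve(101, 8, 1)
    P, s, r = (11, 39), 96, 128
    B = E.mul(s, P)                           # Bob's public point
    M = (74, 91)                              # Alice's message point
    M1, M2 = ec_elgamal_encrypt(E, P, B, M, r)
    return B, M1, M2, ec_elgamal_decrypt(E, s, M1, M2)


if __name__ == "__main__":
    print("Example 5.2 (aP, bP, a(bP), b(aP)):", ecdh_example_5_2())
    print("Example 5.3 (B, M1, M2, recovered M):", ec_elgamal_example_5_3())
```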
Chapter 6
Summary and conclusions
In this project we studied the mathematics of elliptic curves, starting with their definition and the proof that points upon them can form an additive abelian group. We then showed how, using points on this group, we could form a discrete logarithm problem, which is the basis of several public key cryptography systems. Finally we demonstrated how elliptic curves could be used for key exchange and encryption. These cryptosystems are considered secure providing they are set up carefully, which is where results such as Hasse's theorem on the group size are useful.
There were, however, numerous areas of elliptic curve mathematics that were omitted from this project. For example, the specific attacks that can be used against the elliptic curve discrete log problem, or other algorithms for finding the order of E(F_q). There are also a number of non-cryptographic uses for elliptic curves, such as the proof of Fermat's last theorem and in the areas of primality testing and factorisation. This could be considered ironic since breakthroughs in these areas would damage the security of RSA, the system elliptic curve cryptography could replace. For further details of the elliptic curve discrete log problem and the non-cryptographic uses of elliptic curves see Chapters 5 and 7 of [9] respectively. More background on the history and development of public key cryptography can be found in [6], while [2] gives a far more detailed examination of elliptic curve cryptography.
We have demonstrated how elliptic curves can be used to create public key systems for both key exchange and encryption. It is also possible to use elliptic curves to form an analogue of the popular RSA system. However, these were not discussed here since they are based on the same underlying hard problem (factorising a product of large primes) and offer no real advantage over the classical RSA system.
This, however, is not the case for the elliptic curve schemes using discrete logarithms. At present the methods for computing elliptic curve discrete logarithms are much less efficient than their classical counterparts. As a result shorter key sizes can be employed for the elliptic curve schemes, with obvious memory and performance benefits. As mentioned earlier, there are specific attacks that can be employed against elliptic curves, but these can be avoided if the system is set up carefully.
When comparing an elliptic curve system with the widely implemented RSA scheme there are also obvious benefits. Since both schemes are largely used in conjunction with a symmetric scheme we compare them as to the security needed for this. On the NSA website (see [11]) it is claimed that to provide security for a 128-bit symmetric key an RSA scheme would require a 3072-bit key, while an elliptic curve scheme would only require a 256-bit key. It is also claimed there that the United States, the UK, Canada and certain other NATO nations have all adopted some form of elliptic curve cryptography for future systems to protect classified information throughout and between their governments.
Despite the obvious advantages, elliptic curve schemes are yet to enjoy the success of RSA. This is because they have yet to generate the same level of confidence that RSA has, through years of testing and use. However, elliptic curves are the subject of continued research and development, and in future years their use may become widespread.
Bibliography
[1] J. W. Archbold, Algebra, Fourth Edition, Pitman Paperbacks, 1970.
[2] H. Cohen, G. Frey, Handbook of elliptic and hyperelliptic curve cryptography, Chapman & Hall/CRC, 2006.
[3] J. B. Fraleigh, A first course in abstract algebra, 5th edition, Addison-Wesley, 1994.
[4] W. Fulton, Algebraic curves, W. A. Benjamin, Inc., 1969.
[5] N. Koblitz, A course in number theory and cryptography, Springer, 1994.
[6] S. Levy, Crypto, Allen Lane, 2000.
[7] B. Schneier, Applied cryptography, Second Edition, John Wiley, 1996.
[8] W. Stallings, Cryptography and network security, Third Edition, Prentice Hall, 2003.
[9] L. C. Washington, Elliptic curves, Chapman & Hall/CRC, 2003.
[10] Course notes, MT362 Cipher systems, Royal Holloway University of London, 2004.
[11] NSA website: The case for elliptic curve cryptography. http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm?MenuID=10.2.7
Appendix A
Elliptic curve material
A.1 Singular curves
Throughout this project we have been working with y² = x³ + Ax + B under the assumption that x³ + Ax + B has distinct roots. The reason given for this assumption was that an elliptic curve will have a singular point if and only if it has multiple roots, and these singular points cause problems for the elliptic curve addition operation. In this section we prove this result and examine what happens when the curves have multiple roots. We show that by defining the set E_ns(K) of non-singular points on these curves, the elliptic curve addition becomes either addition of elements in K, or multiplication of elements in K^* or in a quadratic extension of K.
Note that if x³ + Ax + B has a triple root then by translating we can assume the root is at x = 0, and so the curve has equation y² = x³. Similarly, if there is a double root we may assume this root is at zero and so E has equation y² = x²(x + a) for some a ≠ 0.
A.1.1 The relationship between multiple roots and singular points
We show here that an elliptic curve has singular points if and only if it has multiple roots. This result was not adapted from any reference but proved directly from the definition.
First recall that a singular point on a curve is a point where the curve is not smooth (i.e. not differentiable). For algebraic curves the singular points are those points where both partial derivatives vanish. Elliptic curves can be described as algebraic curves by rewriting the Weierstrass equation as
f(x, y) = y^2 - x^3 - Ax - B = 0
and a point (x_0, y_0) is singular if f_x(x_0, y_0) = f_y(x_0, y_0) = 0.
Theorem A.1. An elliptic curve with multiple roots has a singular point.
Proof. We prove this for the two different cases.
(i) In the case when there is a triple root, y² = x³, so
f(x, y) = x^3 - y^2, \qquad f_x = 3x^2, \qquad f_y = -2y
At the point (x, y) = (0, 0) all three of the above expressions are zero, so (0, 0) is a singular point.
(ii) In the case when there is a double root, y² = x²(x + a), so
f(x, y) = x^3 + ax^2 - y^2, \qquad f_x = 3x^2 + 2ax, \qquad f_y = -2y
At the point (x, y) = (0, 0) all three of the above expressions are zero, so (0, 0) is a singular point. □
Theorem A.2. An elliptic curve with a singular point has multiple roots.
Proof. Consider the Weierstrass equation
y^2 = x^3 + Ax + B
We can define this as an algebraic curve and calculate the partial derivatives
f(x, y) = x^3 + Ax + B - y^2, \qquad f_x = 3x^2 + A, \qquad f_y = -2y
If a point (x_0, y_0) were singular then
f_x(x_0, y_0) = 0 \implies A = -3x_0^2
f_y(x_0, y_0) = 0 \implies y_0 = 0
f(x_0, y_0) = 0 \implies B = -x_0^3 + 3x_0^3 = 2x_0^3
But, if this were the case then
4A^3 + 27B^2 = 4[-3x_0^2]^3 + 27[2x_0^3]^2 = -108x_0^6 + 108x_0^6 = 0
which in Appendix A.2 is shown to imply the existence of a multiple root. □
These two theorems together show that an elliptic curve defined by the Weierstrass equation has singular points if and only if it has multiple roots.
A.1.2 Triple root
Consider the case when x³ + Ax + B has a triple root. By translating we can assume the root is at x = 0, and the curve has equation y² = x³.
Figure A.1: The graph of y² = x³
We can see from the graph, or from a quick check of the conditions, that the point (0, 0) is the only singular point on the curve. Consider a straight line through the origin, y = mx. By substitution we can see where this line will intersect the elliptic curve:
y^2 = x^3 \implies (mx)^2 = x^3 \implies m^2 = x
So any line through (0, 0) will intersect the curve again in, at most, one other point, where x = m² and hence y = mx = m³. This will clearly cause problems for the elliptic curve addition operation since we require there to be another point on this line.
However, if we exclude (0, 0) then the remaining points, denoted E_ns(K), form a group with the same group law as before. We show in the next theorem that this is an additive group isomorphic to K.
Theorem A.3. Let E be the curve y² = x³ and let E_ns(K) be the non-singular points on this curve with coordinates in K, including ∞. The map
E_{ns}(K) \to K : (x, y) \mapsto \frac{x}{y}, \qquad \infty \mapsto 0
is a group isomorphism (bijective structure preserving map) between E_ns(K) and K, which is itself an additive group.
Proof. Let t = x/y. Then
x = \frac{x^3}{x^2} = \frac{y^2}{x^2} = \left(\frac{y}{x}\right)^2 = \frac{1}{t^2}
y = \frac{x}{t} = \frac{x^3}{t x^2} = \frac{y^2}{t x^2} = \frac{1}{t^3}
So every point in E_ns(K) can be expressed in terms of the parameter t ∈ K (with t = 0 corresponding to the point ∞). Also every value of t produces a point in E_ns(K), hence the map is a bijection from E_ns(K) → K.
Suppose (x_1, y_1) + (x_2, y_2) = (x_3, y_3). We must show that in all the different cases t_1 + t_2 = t_3, where t_i = x_i / y_i, in order to show that the map is structure-preserving.
(i) If x_1 ≠ x_2 then the addition formula says that
x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2
Substitute x_i = 1/t_i^2 and y_i = 1/t_i^3 to get
\frac{1}{t_3^2} = \left(\frac{\frac{1}{t_2^3} - \frac{1}{t_1^3}}{\frac{1}{t_2^2} - \frac{1}{t_1^2}}\right)^2 - \frac{1}{t_1^2} - \frac{1}{t_2^2}
= \left(\frac{\;\frac{t_1^3 - t_2^3}{(t_1 t_2)^3}\;}{\;\frac{t_1^2 - t_2^2}{(t_1 t_2)^2}\;}\right)^2 - \frac{t_2^2 + t_1^2}{(t_1 t_2)^2}
= \left(\frac{t_1^3 - t_2^3}{t_1 t_2 (t_1^2 - t_2^2)}\right)^2 - \frac{(t_1^2 + t_2^2)(t_1^2 - t_2^2)^2}{t_1^2 t_2^2 (t_1^2 - t_2^2)^2}
= \frac{(t_1^3 - t_2^3)^2 - (t_1^2 + t_2^2)(t_1^2 - t_2^2)^2}{t_1^2 t_2^2 (t_1^2 - t_2^2)^2}
= \frac{-2t_1^3 t_2^3 + t_1^2 t_2^4 + t_1^4 t_2^2}{t_1^2 t_2^2 (t_1^4 + t_2^4 - 2t_1^2 t_2^2)}
= \frac{t_1^2 t_2^2 (-2t_1 t_2 + t_1^2 + t_2^2)}{t_1^2 t_2^2 (t_1 - t_2)^2 (t_1 + t_2)^2}
= \frac{(t_1 - t_2)^2}{(t_1 - t_2)^2 (t_1 + t_2)^2}
\frac{1}{t_3^2} = \frac{1}{(t_1 + t_2)^2}
Similarly
y_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3) - y_1
gives
\frac{1}{t_3^3} = \left(\frac{\frac{1}{t_2^3} - \frac{1}{t_1^3}}{\frac{1}{t_2^2} - \frac{1}{t_1^2}}\right)\left(\frac{1}{t_1^2} - \frac{1}{t_3^2}\right) - \frac{1}{t_1^3}
= \left(\frac{t_1^3 - t_2^3}{t_1 t_2 (t_1^2 - t_2^2)}\right)\left(\frac{(t_1 + t_2)^2 - t_1^2}{t_1^2 (t_1 + t_2)^2}\right) - \frac{1}{t_1^3}
= \frac{t_2 (t_2 + 2t_1)(t_1 - t_2)(t_2^2 + t_1 t_2 + t_1^2)}{t_1^3 t_2 (t_1 - t_2)(t_1 + t_2)^3} - \frac{1}{t_1^3}
= \frac{(t_2 + 2t_1)(t_2^2 + t_1 t_2 + t_1^2)}{t_1^3 (t_1 + t_2)^3} - \frac{1}{t_1^3}
= \frac{(t_2 + 2t_1)(t_2^2 + t_1 t_2 + t_1^2) - (t_1 + t_2)^3}{t_1^3 (t_1 + t_2)^3}
= \frac{t_1^3}{t_1^3 (t_1 + t_2)^3}
\frac{1}{t_3^3} = \frac{1}{(t_1 + t_2)^3}
So by taking the ratio of the expressions we can see
\frac{1/t_3^2}{1/t_3^3} = \frac{1/(t_1 + t_2)^2}{1/(t_1 + t_2)^3} \implies t_3 = t_1 + t_2
as required.
(ii) If x_1 = x_2 but y_1 ≠ y_2 then we have t_2 = −t_1, recalling that t = x/y. Hence t_3 = t_1 + t_2 = 0, which corresponds to the point ∞ as required.
(iii) If (x_1, y_1) = (x_2, y_2) then we need only consider the case when y_1 ≠ 0. This is because if y_1 = 0 then we are at the point (0, 0), which we have excluded. Here we have t_1 = t_2, so we must show that t_3 = 2t_1. Recalling that A = 0 for this curve, the addition operation gives
x_3 = \left(\frac{3x_1^2}{2y_1}\right)^2 - 2x_1
Substituting x_i = 1/t_i^2 and y_i = 1/t_i^3 gives
\frac{1}{t_3^2} = \left(\frac{3/t_1^4}{2/t_1^3}\right)^2 - \frac{2}{t_1^2} = \left(\frac{3}{2t_1}\right)^2 - \frac{8}{4t_1^2} = \frac{9 - 8}{4t_1^2} = \frac{1}{4t_1^2}
Similarly
y_3 = \left(\frac{3x_1^2}{2y_1}\right)(x_1 - x_3) - y_1
gives
\frac{1}{t_3^3} = \left(\frac{3}{2t_1}\right)\left(\frac{1}{t_1^2} - \frac{1}{4t_1^2}\right) - \frac{1}{t_1^3}
= \left(\frac{3}{2t_1}\right)\left(\frac{3}{4t_1^2}\right) - \frac{1}{t_1^3} = \frac{9}{8t_1^3} - \frac{8}{8t_1^3} = \frac{1}{8t_1^3}
So taking the ratio of the expressions gives
\frac{1/t_3^2}{1/t_3^3} = \frac{1/4t_1^2}{1/8t_1^3} \implies t_3 = 2t_1
as required.
(iv) If one of (x_1, y_1), (x_2, y_2) were ∞ then (x_3, y_3) would be the other point. This corresponds to either t_1 or t_2 being zero, making this final case trivial.
So we have shown that this map is structure preserving in all cases, and a bijection between E_ns(K) and K, meaning it is a group isomorphism. □
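An added example, not from the dissertation, checking Theorem A.3 numerically over K = Q with exact rational arithmetic: points are generated from parameters t via (1/t², 1/t³), added by the chord-and-tangent rule with A = 0, and the parameter of the sum is compared with t_1 + t_2.

```python
# Added example (not part of the dissertation): a numerical check of
# Theorem A.3 over K = Q. A non-singular point of y^2 = x^3 is parametrised
# by t = x/y as (1/t^2, 1/t^3); the chord-and-tangent sum of the points for
# t1 and t2 must be the point for t1 + t2. Infinity (t = 0) is None.
from fractions import Fraction as Fr
from typing import Optional, Tuple

Point = Optional[Tuple[Fr, Fr]]


def point_from_t(t) -> Point:
    """Inverse of the map (x, y) -> x/y on E_ns(K); t = 0 gives infinity."""
    t = Fr(t)
    return None if t == 0 else (1 / t ** 2, 1 / t ** 3)


def t_from_point(P: Point) -> Fr:
    """The map E_ns(K) -> K of Theorem A.3."""
    return Fr(0) if P is None else P[0] / P[1]


def add_on_cusp(P: Point, Q: Point) -> Point:
    """Group law of Section 2.2 on y^2 = x^3 (A = 0), away from (0, 0)."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and y1 == -y2:
        return None                              # case (ii): t2 = -t1
    # tangent slope 3x^2/(2y) for doubling (case iii), chord slope otherwise (case i)
    lam = (3 * x1 * x1) / (2 * y1) if P == Q else (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2
    return (x3, lam * (x1 - x3) - y1)


def check_homomorphism(t1, t2) -> bool:
    """Does the parameter of P(t1) + P(t2) equal t1 + t2?"""
    s = add_on_cusp(point_from_t(t1), point_from_t(t2))
    return t_from_point(s) == Fr(t1) + Fr(t2)


if __name__ == "__main__":
    for pair in [(1, 2), (3, 5), (2, 2), (3, -3), (5, 0)]:
        print(pair, "->", check_homomorphism(*pair))
```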
A.1.3 Double root


Consider the case where $x^3 + Ax + B$ has a double root. By translating $x$, we may assume this root is at zero and so the curve $E$ has equation
\[
y^2 = x^2(x + a)
\]
for some $a \neq 0$.

We can again show that the point $(0,0)$ is the only singularity from the definition or from the graph below. If we consider the straight line through the origin, $y = mx$, then we see that as before it only intersects $E$ at the origin and, at most, one other point:
\[
y^2 = x^2(x + a), \qquad (mx)^2 = x^2(x + a), \qquad m^2 = x + a.
\]
So we have similar problems with the elliptic curve addition operation.

Figure A.2: The graph of $y^2 = x^2(x + 1) = x^3 + x^2$.

We again define $E_{ns}(K)$ to be the nonsingular points in $E$ with coordinates in $K$, including the point $\infty$. Let $\alpha^2 = a$ (so $\alpha$ might lie in $K$ or in an extension of $K$). The equation for $E$ may be rewritten
\[
\left( \frac{y}{x} \right)^2 = a + x.
\]
Now when $x$ is near $0$ the right hand side is approximately $a$. Therefore $E$ is approximated by $(y/x)^2 = a$, or $y/x = \pm\alpha$, near $x = 0$. This means that the two tangents to $E$ at $(0,0)$ are
\[
y = \alpha x, \qquad y = -\alpha x.
\]
We will show that $E_{ns}(K)$ forms a multiplicative group that is isomorphic either to $K^\times$ or to a subgroup of the multiplicative group of a quadratic extension of $K$, depending on whether or not $\alpha \in K$.
Theorem A.4. Let $E$ be the curve $y^2 = x^2(x + a)$ with $0 \neq a \in K$. Let $E_{ns}(K)$ be the nonsingular points on $E$ with coordinates in $K$. Let $\alpha^2 = a$. Consider the map
\[
\psi : (x, y) \mapsto \frac{y + \alpha x}{y - \alpha x}, \qquad \infty \mapsto 1.
\]
(i) If $\alpha \in K$, then $\psi$ gives an isomorphism from $E_{ns}(K)$ to $K^\times$, which is the multiplicative group of the field $K$.

(ii) If $\alpha \notin K$ then $\psi$ gives an isomorphism
\[
E_{ns}(K) \cong \{ u + \alpha v \mid u, v \in K,\ u^2 - av^2 = 1 \}
\]
where the right hand side is a group under multiplication.
Proof (i) Let $\psi(x, y) = t$, then
\[
t = \frac{y + \alpha x}{y - \alpha x}. \tag{A.1}
\]
We show that
\[
\alpha \frac{t + 1}{t - 1}
= \alpha \left( \frac{y + \alpha x + y - \alpha x}{y - \alpha x} \cdot \frac{y - \alpha x}{y + \alpha x - y + \alpha x} \right)
= \alpha \left( \frac{2y}{2\alpha x} \right)
= \frac{y}{x}. \tag{A.2}
\]
We can rewrite $E$ as $x = (y/x)^2 - a$, and then use Equation (A.2) to obtain
\[
x = \frac{y^2}{x^2} - a = \frac{\alpha^2 (t + 1)^2}{(t - 1)^2} - \alpha^2 = \frac{4\alpha^2 t}{(t - 1)^2},
\qquad
y = x \cdot \frac{y}{x} = \frac{4\alpha^2 t}{(t - 1)^2} \cdot \frac{\alpha (t + 1)}{t - 1} = \frac{4\alpha^3 t (t + 1)}{(t - 1)^3}.
\]
So $(x, y)$ determines $t$ and $t$ determines $(x, y)$. In case (i) $\alpha \in K$, so given any $(x, y) \in E_{ns}(K)$ we have $\psi(x, y) = t \in K^\times$, and since $t$ determines $(x, y)$ the map $\psi$ is injective. Then if we are given any $t \in K^\times$ we can find the corresponding $(x, y) \in E_{ns}(K)$ from the formulas above (with $t = 1$ corresponding to $\infty$), so $\psi$ is surjective. Hence in case (i) the map is a bijection.

We have shown that $\psi$ is bijective, but we must also show it is a homomorphism (i.e. structure preserving) in order to conclude it is an isomorphism.
Suppose $(x_1, y_1) + (x_2, y_2) = (x_3, y_3)$ and let
\[
t_i = \frac{y_i + \alpha x_i}{y_i - \alpha x_i}.
\]
We must show that $t_1 t_2 = t_3$. First recall that
\[
\frac{4\alpha^2 t_i}{(t_i - 1)^2} = x_i, \tag{A.3}
\]
\[
\frac{4\alpha^3 t_i (t_i + 1)}{(t_i - 1)^3} = y_i. \tag{A.4}
\]
We now consider the various cases, but note that as $y^2 = x^2(x + a)$ is not in Weierstrass form, the addition formulas will differ from normal.
(a) If $x_1 \neq x_2$, then the line through $(x_1, y_1)$ and $(x_2, y_2)$ will be given by $y = m(x - x_1) + y_1$ as before. However, when substituting into the equation for $E$, the coefficient of $x^2$ will have an extra term, $a$. So
\[
x_3 = \left( \frac{y_2 - y_1}{x_2 - x_1} \right)^2 - a - x_1 - x_2.
\]
We can substitute from Equations (A.3) and (A.4) to get
\[
\begin{aligned}
\frac{y_2 - y_1}{x_2 - x_1}
&= \left( \frac{4\alpha^3 t_2 (t_2 + 1)}{(t_2 - 1)^3} - \frac{4\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \right) \Big/ \left( \frac{4\alpha^2 t_2}{(t_2 - 1)^2} - \frac{4\alpha^2 t_1}{(t_1 - 1)^2} \right) \\
&= \left( \frac{4\alpha^3}{4\alpha^2} \right) \left( \frac{t_2 (t_2 + 1)(t_1 - 1)^3 - t_1 (t_1 + 1)(t_2 - 1)^3}{(t_2 - 1)^3 (t_1 - 1)^3} \right) \Big/ \left( \frac{t_2 (t_1 - 1)^2 - t_1 (t_2 - 1)^2}{(t_2 - 1)^2 (t_1 - 1)^2} \right) \\
&= \alpha \, \frac{t_2 (t_2 + 1)(t_1 - 1)^3 - t_1 (t_1 + 1)(t_2 - 1)^3}{\bigl( t_2 (t_1 - 1)^2 - t_1 (t_2 - 1)^2 \bigr)(t_2 - 1)(t_1 - 1)} \\
&= \alpha \, \frac{(t_1 - t_2)(t_1^2 t_2^2 + t_2 t_1^2 + t_1 - 6 t_1 t_2 + t_1 t_2^2 + t_2 + 1)}{(t_1 t_2 - 1)(t_1 - t_2)(t_2 - 1)(t_1 - 1)} \\
&= \alpha \, \frac{t_1^2 t_2^2 + t_2 t_1^2 + t_1 - 6 t_1 t_2 + t_1 t_2^2 + t_2 + 1}{(t_1 t_2 - 1)(t_2 - 1)(t_1 - 1)}.
\end{aligned}
\]
Write $N = t_1^2 t_2^2 + t_2 t_1^2 + t_1 - 6 t_1 t_2 + t_1 t_2^2 + t_2 + 1$ for the numerator. Then the addition equation gives
\[
\begin{aligned}
\frac{4\alpha^2 t_3}{(t_3 - 1)^2}
&= \frac{\alpha^2 N^2}{(t_1 t_2 - 1)^2 (t_2 - 1)^2 (t_1 - 1)^2} - \alpha^2 - \frac{4\alpha^2 t_1}{(t_1 - 1)^2} - \frac{4\alpha^2 t_2}{(t_2 - 1)^2} \\
\frac{4 t_3}{(t_3 - 1)^2}
&= \frac{N^2 - (t_1 t_2 - 1)^2 (t_2 - 1)^2 (t_1 - 1)^2 - 4 t_1 (t_1 t_2 - 1)^2 (t_2 - 1)^2 - 4 t_2 (t_1 t_2 - 1)^2 (t_1 - 1)^2}{(t_1 t_2 - 1)^2 (t_2 - 1)^2 (t_1 - 1)^2} \\
&= \frac{4 t_1 t_2 (t_2 - 1)^2 (t_1 - 1)^2}{(t_1 t_2 - 1)^2 (t_2 - 1)^2 (t_1 - 1)^2} \\
\frac{t_3}{(t_3 - 1)^2} &= \frac{t_1 t_2}{(t_1 t_2 - 1)^2}.
\end{aligned}
\]
Similarly
\[
y_3 = \left( \frac{y_2 - y_1}{x_2 - x_1} \right)(x_1 - x_3) - y_1.
\]
So substituting from Equations (A.3) and (A.4) gives
\[
\begin{aligned}
\frac{4\alpha^3 t_3 (t_3 + 1)}{(t_3 - 1)^3}
&= \left( \frac{\alpha N}{(t_1 t_2 - 1)(t_2 - 1)(t_1 - 1)} \right) \left( \frac{4\alpha^2 t_1}{(t_1 - 1)^2} - \frac{4\alpha^2 t_1 t_2}{(t_1 t_2 - 1)^2} \right) - \frac{4\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \\
\frac{t_3 (t_3 + 1)}{(t_3 - 1)^3}
&= \left( \frac{N}{(t_1 t_2 - 1)(t_2 - 1)(t_1 - 1)} \right) \left( \frac{t_1 (t_1 t_2 - 1)^2 - t_1 t_2 (t_1 - 1)^2}{(t_1 t_2 - 1)^2 (t_1 - 1)^2} \right) - \frac{t_1 (t_1 + 1)}{(t_1 - 1)^3} \\
&= \frac{N \bigl( t_1 (t_1 t_2 - 1)^2 - t_1 t_2 (t_1 - 1)^2 \bigr) - t_1 (t_1 + 1)(t_1 t_2 - 1)^3 (t_2 - 1)}{(t_1 t_2 - 1)^3 (t_1 - 1)^3 (t_2 - 1)} \\
&= \frac{t_1 t_2 (t_1 t_2 + 1)(t_1 - 1)^3 (t_2 - 1)}{(t_1 t_2 - 1)^3 (t_1 - 1)^3 (t_2 - 1)} \\
&= \frac{t_1 t_2 (t_1 t_2 + 1)}{(t_1 t_2 - 1)^3}.
\end{aligned}
\]
Then taking the ratio yields
\[
\begin{aligned}
\frac{t_3 - 1}{t_3 + 1} &= \frac{t_1 t_2 - 1}{t_1 t_2 + 1} \\
(t_3 - 1)(t_1 t_2 + 1) &= (t_3 + 1)(t_1 t_2 - 1) \\
t_1 t_2 t_3 + t_3 - t_1 t_2 - 1 &= t_1 t_2 t_3 - t_3 + t_1 t_2 - 1 \\
2 t_3 - 2 t_1 t_2 &= 0 \\
t_1 t_2 &= t_3
\end{aligned}
\]
as desired.
(b) If $x_1 = x_2$ but $y_1 \neq y_2$ then we know $(x_3, y_3) = \infty$. Recall that
\[
\alpha \frac{t + 1}{t - 1} = \frac{y}{x}.
\]
So because $x_1 = x_2$ and $y_1 = -y_2$ we have
\[
\begin{aligned}
\alpha \frac{t_1 + 1}{t_1 - 1} &= -\alpha \frac{t_2 + 1}{t_2 - 1} \\
(t_1 + 1)(t_2 - 1) &= -(t_2 + 1)(t_1 - 1) \\
t_1 t_2 + t_2 - t_1 - 1 &= -t_1 t_2 - t_1 + t_2 + 1 \\
2 t_1 t_2 &= 2 \\
t_2 &= \frac{1}{t_1}.
\end{aligned}
\]
So we find that $t_3 = t_1 t_2 = 1$, which corresponds to the point $(x, y) = \infty$ as required.
(c) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 \neq 0$ then to add the points we draw the tangent at $(x_1, y_1)$. Using implicit differentiation we see this has gradient $m = (3x^2 + 2ax)/(2y)$. So the addition operation gives
\[
x_3 = \left( \frac{3x_1^2 + 2\alpha^2 x_1}{2y_1} \right)^2 - \alpha^2 - 2x_1.
\]
We can substitute to get
\[
\begin{aligned}
\frac{3x_1^2 + 2\alpha^2 x_1}{2y_1}
&= \left( \frac{48\alpha^4 t_1^2}{(t_1 - 1)^4} + \frac{8\alpha^4 t_1}{(t_1 - 1)^2} \right) \Big/ \left( \frac{8\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \right) \\
&= \left( \frac{48\alpha^4 t_1^2 + 8\alpha^4 t_1 (t_1 - 1)^2}{(t_1 - 1)^4} \right) \Big/ \left( \frac{8\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \right) \\
&= \left( \frac{8\alpha^4}{8\alpha^3} \right) \left( \frac{6 t_1^2 + t_1 (t_1 - 1)^2}{(t_1 - 1)^4} \right) \left( \frac{(t_1 - 1)^3}{t_1 (t_1 + 1)} \right) \\
&= \alpha \, \frac{(4 t_1 + t_1^2 + 1)\, t_1}{t_1 (t_1 + 1)(t_1 - 1)} \\
&= \alpha \, \frac{4 t_1 + t_1^2 + 1}{(t_1 + 1)(t_1 - 1)}.
\end{aligned}
\]
Then the addition operation gives
\[
\begin{aligned}
\frac{4\alpha^2 t_3}{(t_3 - 1)^2}
&= \frac{\alpha^2 (4 t_1 + t_1^2 + 1)^2}{(t_1 + 1)^2 (t_1 - 1)^2} - \frac{8\alpha^2 t_1}{(t_1 - 1)^2} - \alpha^2 \\
\frac{4 t_3}{(t_3 - 1)^2}
&= \frac{(4 t_1 + t_1^2 + 1)^2 - 8 t_1 (t_1 + 1)^2 - (t_1 + 1)^2 (t_1 - 1)^2}{(t_1 + 1)^2 (t_1 - 1)^2} \\
&= \frac{4 t_1^2}{(t_1 + 1)^2 (t_1 - 1)^2} \\
\frac{t_3}{(t_3 - 1)^2} &= \frac{t_1^2}{(t_1 + 1)^2 (t_1 - 1)^2}.
\end{aligned}
\]
Similarly
\[
y_3 = \left( \frac{3x_1^2 + 2\alpha^2 x_1}{2y_1} \right)(x_1 - x_3) - y_1
\]
gives
\[
\begin{aligned}
\frac{4\alpha^3 t_3 (t_3 + 1)}{(t_3 - 1)^3}
&= \left( \frac{\alpha (4 t_1 + t_1^2 + 1)}{(t_1 + 1)(t_1 - 1)} \right) \left( \frac{4\alpha^2 t_1}{(t_1 - 1)^2} - \frac{4\alpha^2 t_1^2}{(t_1 + 1)^2 (t_1 - 1)^2} \right) - \frac{4\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \\
&= \left( \frac{\alpha (4 t_1 + t_1^2 + 1)}{(t_1 + 1)(t_1 - 1)} \right) \left( \frac{4\alpha^2 t_1 (t_1 + 1)^2 - 4\alpha^2 t_1^2}{(t_1 - 1)^2 (t_1 + 1)^2} \right) - \frac{4\alpha^3 t_1 (t_1 + 1)}{(t_1 - 1)^3} \\
\frac{t_3 (t_3 + 1)}{(t_3 - 1)^3}
&= \frac{(4 t_1 + t_1^2 + 1)\bigl( t_1 (t_1 + 1)^2 - t_1^2 \bigr) - t_1 (t_1 + 1)^4}{(t_1 - 1)^3 (t_1 + 1)^3} \\
&= \frac{t_1^2 (t_1^2 + 1)}{(t_1 + 1)^3 (t_1 - 1)^3}.
\end{aligned}
\]
So taking the ratio yields
\[
\left( \frac{t_3}{(t_3 - 1)^2} \right) \Big/ \left( \frac{t_3 (t_3 + 1)}{(t_3 - 1)^3} \right)
= \left( \frac{t_1^2}{(t_1 + 1)^2 (t_1 - 1)^2} \right) \Big/ \left( \frac{t_1^2 (1 + t_1^2)}{(t_1 + 1)^3 (t_1 - 1)^3} \right),
\]
\[
\frac{t_3 - 1}{t_3 + 1} = \frac{(t_1 + 1)(t_1 - 1)}{1 + t_1^2} = \frac{t_1^2 - 1}{t_1^2 + 1}.
\]
So
\[
\begin{aligned}
(t_3 - 1)(t_1^2 + 1) &= (t_1^2 - 1)(t_3 + 1) \\
t_3 + t_3 t_1^2 - 1 - t_1^2 &= t_3 t_1^2 + t_1^2 - t_3 - 1 \\
2 t_3 - 2 t_1^2 &= 0.
\end{aligned}
\]
So $t_3 = t_1^2 = t_1 t_2$ as required.
(d) If $(x_1, y_1) = (x_2, y_2)$ and $y_1 = 0$ then either $x_1 = 0$ or $x_1 = -a$. We cannot have $x_1 = 0$ as we have excluded the point $(0,0)$. So $x_1 = -a = -\alpha^2$. This implies
\[
\begin{aligned}
-\alpha^2 &= \frac{4\alpha^2 t_1}{(t_1 - 1)^2} \\
-(t_1 - 1)^2 &= 4 t_1 \\
(t_1 + 1)^2 &= 0.
\end{aligned}
\]
So $t_1 = -1$, meaning $t_3 = t_1^2 = 1$, corresponding to the point $\infty$ as required.
(e) Finally consider the case when one of $(x_1, y_1)$, $(x_2, y_2)$ is $\infty$. In this case $(x_3, y_3)$ would be the other point, which corresponds to either $t_1$ or $t_2$ being one, making this final case trivial.

So we have shown that $\psi$ preserves the structure of the group $E_{ns}(K)$. We also showed earlier that $\psi$ is a bijective map from $E_{ns}(K)$ to $K^\times$, and so we conclude that in case (i) it is an isomorphism. $\square$
Proof (ii) We will first show that in case (ii) the map $\psi$ is a bijection. Notice that we can rationalise the denominator of $(y + \alpha x)/(y - \alpha x)$ by multiplying top and bottom by $(y + \alpha x)$ to get an expression of the form $u + \alpha v$:
\[
\begin{aligned}
\psi(x, y) = \frac{y + \alpha x}{y - \alpha x}
&= \frac{y + \alpha x}{y - \alpha x} \cdot \frac{y + \alpha x}{y + \alpha x}
= \frac{(y + \alpha x)^2}{y^2 - \alpha^2 x^2}
= \frac{(y + \alpha x)^2}{y^2 - a x^2}
= \frac{(y + \alpha x)^2}{x^3} \\
&= \frac{y^2 + a x^2}{x^3} + \alpha \left( \frac{2xy}{x^3} \right)
\equiv u + \alpha v.
\end{aligned}
\]
Now notice that we can change the sign of $\alpha$ throughout this equation while preserving the equality (because $(-\alpha)^2 = a$ also), so
\[
\frac{y - \alpha x}{y + \alpha x} = u - \alpha v.
\]
We can now show that
\[
u^2 - a v^2 = (u + \alpha v)(u - \alpha v) = \frac{(y + \alpha x)(y - \alpha x)}{(y - \alpha x)(y + \alpha x)} = 1.
\]
So for any $(x, y) \in E_{ns}(K)$, $\psi(x, y)$ is of the form $u + \alpha v$ where $u, v \in K$ and $u^2 - a v^2 = 1$, so $\psi$ maps into the set on the right hand side; it is injective because, exactly as in case (i), $t = \psi(x, y)$ determines $(x, y)$.

Conversely let us suppose that we have $u, v \in K$ such that $u^2 - a v^2 = 1$. If $v = 0$ then $u = \pm 1$: $u = 1$ is $\psi(\infty)$ and $u = -1 = \psi(-a, 0)$. Otherwise let
\[
x = \left( \frac{u + 1}{v} \right)^2 - a, \qquad y = \left( \frac{u + 1}{v} \right) x
\quad\Longrightarrow\quad \frac{y}{x} = \frac{u + 1}{v}.
\]
Then $(x, y)$ satisfy $y^2 = x^2(x + a)$ and so lie on the curve $E$. Also
\[
\begin{aligned}
\psi(x, y) = \frac{y + \alpha x}{y - \alpha x}
&= \frac{(y/x) + \alpha}{(y/x) - \alpha}
= \frac{\frac{u+1}{v} + \alpha}{\frac{u+1}{v} - \alpha}
= \frac{u + 1 + \alpha v}{u + 1 - \alpha v} \\
&= \frac{(u + 1) + \alpha v}{(u + 1) - \alpha v} \cdot \frac{(u + 1) + \alpha v}{(u + 1) + \alpha v}
= \frac{(u + 1)^2 + 2\alpha v (u + 1) + \alpha^2 v^2}{(u + 1)^2 - \alpha^2 v^2} \\
&= \frac{u^2 + 2u + 1 + 2\alpha v (u + 1) + a v^2}{u^2 + 2u + 1 - a v^2}
= \frac{u^2 + 2u + u^2 + 2\alpha v (u + 1)}{2u + 2} \\
&= \frac{u^2 + u + \alpha v (u + 1)}{u + 1}
= u + \alpha v.
\end{aligned}
\]
So for any $u, v \in K$ such that $u^2 - a v^2 = 1$ we can find $(x, y) \in E_{ns}(K)$ such that $\psi(x, y) = u + \alpha v$. Therefore $\psi$ is surjective and hence a bijection in case (ii) as well.

We must also show that $\psi$ is structure preserving for this case as well, but the details will be almost identical to those given in the proof of case (i) so we omit them here.
The final task is to check that the set $G = \{ u + \alpha v \mid u, v \in K,\ u^2 - a v^2 = 1 \}$ on the right hand side of case (ii) is a multiplicative group.

If $(u, v)$ and $(u', v') \in G$ then:
\[
\begin{aligned}
(u, v) \cdot (u', v') \equiv (u + \alpha v)(u' + \alpha v')
&= uu' + \alpha uv' + \alpha vu' + \alpha^2 vv' \\
&= (uu' + a vv') + \alpha (uv' + vu') \equiv U + \alpha V
\end{aligned}
\]
and for this $U, V$
\[
\begin{aligned}
U^2 - a V^2
&= (uu' + \alpha^2 vv')^2 - \alpha^2 (uv' + vu')^2 \\
&= u^2 u'^2 + 2uu'vv'\alpha^2 + \alpha^4 v^2 v'^2 - \alpha^2 u^2 v'^2 - 2\alpha^2 uv'vu' - \alpha^2 v^2 u'^2 \\
&= u^2 [u'^2 - \alpha^2 v'^2] - \alpha^2 v^2 [u'^2 - \alpha^2 v'^2] + (2uu'vv'\alpha^2 - 2uu'vv'\alpha^2) \\
&= u^2 [1] - \alpha^2 v^2 [1] - (0) = 1.
\end{aligned}
\]
So $(u, v) \cdot (u', v')$ gives a point $U + \alpha V$ where $U, V \in K$ and $U^2 - a V^2 = 1$. Hence $G$ is closed.

We check that all elements have inverses:
\[
\frac{1}{u + \alpha v} = \frac{1}{u + \alpha v} \cdot \frac{u - \alpha v}{u - \alpha v} = \frac{u - \alpha v}{u^2 - \alpha^2 v^2} = u - \alpha v.
\]
So the inverse of $u + \alpha v$ is $u - \alpha v$. So all elements have inverses.

There is an identity element, $I = (u + \alpha v) = (1 + \alpha \cdot 0)$, such that $g \cdot I = g$ for all $g \in G$.

The group operation is standard multiplication, which is associative.

So we have verified that $G = \{ u + \alpha v \mid u, v \in K,\ u^2 - a v^2 = 1 \}$ is a multiplicative group. $\square$
One situation where singular curves arise naturally is when curves have integral coefficients and we reduce modulo various primes. For example let $E$ be
\[
y^2 = x(x + 35)(x - 55).
\]
Then
\[
\begin{aligned}
E \pmod{5} &: \quad y^2 \equiv x^3 \\
E \pmod{7} &: \quad y^2 \equiv x^2 (x + 1) \\
E \pmod{11} &: \quad y^2 \equiv x^2 (x + 2)
\end{aligned}
\]
The first case is called additive reduction and was treated by Theorem A.3. The second case is split multiplicative reduction and was covered by Theorem A.4(i). In the final case $\alpha = \sqrt{2} \notin \mathbb{F}_{11}$, so we are in the situation of Theorem A.4(ii). This is called non-split multiplicative reduction.

It can be shown that for all primes $p \geq 13$ the cubic polynomial has distinct roots mod $p$, so $E$ mod $p$ is nonsingular. This situation is called good reduction.
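Theorem A.4 and the reduction types above can be checked mechanically for small primes. The following Python script is an added example and is not part of the original project: it enumerates $E_{ns}(\mathbb{F}_p)$ for $y^2 = x^2(x + a)$, applies the chord-and-tangent formulas used in the proof of Theorem A.4, evaluates $\psi$ as a pair $(u, v)$ standing for $u + \alpha v$ so that the split and non-split cases share one code path (in the split case $u + \alpha v$ is simply an element of $\mathbb{F}_p^\times$), and classifies the reduction of $y^2 = x(x + 35)(x - 55)$ at odd primes $p \geq 5$ from the root pattern of the cubic. All function names are this example's own; it needs Python 3.8 or later for modular inverses via `pow(x, -1, p)`.

```python
"""Added example, not part of the original project: numerical checks of
Theorem A.4 and of the reduction types of y^2 = x(x+35)(x-55).

The node curve is y^2 = x^2 (x + a) over F_p with the singular point (0,0)
excluded; None stands for the point at infinity.  alpha denotes a square
root of a, which may lie in F_p (split case) or only in F_p(alpha)
(non-split case)."""


def is_square(a, p):
    """Euler's criterion for an odd prime p: True iff a is a square mod p."""
    return a % p == 0 or p % 2 == 1 and pow(a % p, (p - 1) // 2, p) == 1


def nonsingular_points(a, p):
    """E_ns(F_p) for y^2 = x^2 (x + a): all affine solutions except (0,0),
    plus the point at infinity (None)."""
    pts = [None]
    for x in range(p):
        for y in range(p):
            if (y * y - x * x * (x + a)) % p == 0 and (x, y) != (0, 0):
                pts.append((x, y))
    return pts


def add(P, Q, a, p):
    """Chord-and-tangent addition on y^2 = x^3 + a x^2 (the A.1.3 formulas):
    x3 = m^2 - a - x1 - x2 and y3 = m (x1 - x3) - y1, where m is the slope of
    the chord, or of the tangent (3 x^2 + 2 a x) / (2 y) when P = Q."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:      # Q = -P, including y = 0
        return None
    if P == Q:
        m = (3 * x1 * x1 + 2 * a * x1) * pow(2 * y1, -1, p) % p
    else:
        m = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (m * m - a - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def psi(P, a, p):
    """The map of Theorem A.4 as a pair (u, v) meaning u + alpha*v, using
    (y + alpha x)/(y - alpha x) = (y^2 + a x^2)/x^3 + alpha * (2 x y)/x^3
    from the proof of case (ii); psi(infinity) = 1 = (1, 0)."""
    if P is None:
        return (1, 0)
    x, y = P
    inv_x3 = pow(x * x * x, -1, p)
    return ((y * y + a * x * x) * inv_x3 % p, (2 * x * y) * inv_x3 % p)


def mul_pair(s, t, a, p):
    """Multiplication in F_p[alpha]/(alpha^2 - a): (u + alpha v)(u' + alpha v')."""
    (u, v), (u2, v2) = s, t
    return ((u * u2 + a * v * v2) % p, (u * v2 + v * u2) % p)


def check_theorem_a4(a, p):
    """Verify that psi is an injective homomorphism from E_ns(F_p) into the
    norm-one group {u + alpha v : u^2 - a v^2 = 1}, and that the point count
    equals the order of that group (p - 1 if split, p + 1 if non-split), so
    psi is onto.  Returns (split?, |E_ns(F_p)|)."""
    pts = nonsingular_points(a, p)
    images = {psi(P, a, p) for P in pts}
    assert len(images) == len(pts), "psi is not injective"
    assert all((u * u - a * v * v) % p == 1 for u, v in images), "norm not 1"
    for P in pts:
        for Q in pts:
            lhs = psi(add(P, Q, a, p), a, p)
            rhs = mul_pair(psi(P, a, p), psi(Q, a, p), a, p)
            assert lhs == rhs, "psi is not a homomorphism"
    split = is_square(a, p)
    assert len(pts) == (p - 1 if split else p + 1)
    return split, len(pts)


def reduction_type(p, roots=(0, -35, 55)):
    """Classify y^2 = x(x+35)(x-55) mod an odd prime p >= 5 by the root
    pattern of the cubic: distinct roots -> good; triple root -> additive
    (cusp, Theorem A.3); double root r and simple root s -> the node
    y^2 = (x - r)^2 (x - s), i.e. a = r - s, which is split multiplicative
    iff a is a square mod p (Theorem A.4(i)) and non-split otherwise (A.4(ii))."""
    r = sorted(x % p for x in roots)
    if len(set(r)) == 3:
        return "good"
    if len(set(r)) == 1:
        return "additive"
    double, simple = (r[0], r[2]) if r[0] == r[1] else (r[1], r[0])
    return "split multiplicative" if is_square(double - simple, p) else "non-split multiplicative"


if __name__ == "__main__":
    print(check_theorem_a4(1, 7))    # split: E_ns(F_7) has 6 points, like F_7^x
    print(check_theorem_a4(2, 11))   # non-split: 12 points, like the norm-one group
    for q in (5, 7, 11, 13, 17):
        print(q, reduction_type(q))
```

For $p = 7$, $a = 1$ the script finds the six points $\infty, (1,3), (1,4), (3,1), (3,6), (6,0)$ and checks that $\psi$ carries the addition law to multiplication in $\mathbb{F}_7^\times$; for $p = 11$, $a = 2$ it finds twelve points and the same identity holds in $\mathbb{F}_{11}[\alpha]/(\alpha^2 - 2)$.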
A.2 Deriving the condition for distinct roots

In Appendix A.1 we proved that if an elliptic curve has multiple roots then it will have a singular point. In the project we considered only those elliptic curves without multiple roots. It was stated earlier that this was equivalent to imposing the condition $4A^3 + 27B^2 \neq 0$. In this section we prove this result by calculating the discriminant using the method in Chapter 12 of [1].
A.2.1 Determining the roots

Let $f(x)$ be a general cubic polynomial given by
\[
f(x) = a_0 x^3 + 3a_1 x^2 + 3a_2 x + a_3, \qquad a_0 \neq 0
\]
with coefficients in the field $F$. The cubic has three roots in $\mathbb{C}$.

We wish to find an expression for the discriminant of the cubic polynomial in terms of, not the roots, but the coefficients. To derive this formula we will have to first determine an expression for the roots.

It will be easier to perform the calculation on a reduced version of the polynomial, so define
\[
\begin{aligned}
g(x) = a_0^2 f\left( \frac{x - a_1}{a_0} \right)
&= a_0^3 \left( \frac{x - a_1}{a_0} \right)^3 + 3a_1 a_0^2 \left( \frac{x - a_1}{a_0} \right)^2 + 3a_2 a_0^2 \left( \frac{x - a_1}{a_0} \right) + a_0^2 a_3 \\
&= (x - a_1)^3 + 3a_1 (x - a_1)^2 + 3a_0 a_2 (x - a_1) + a_0^2 a_3 \\
&= x^3 + x(3a_0 a_2 - 3a_1^2) + (a_0^2 a_3 - 3a_0 a_1 a_2 + 2a_1^3) \\
&= x^3 + 3Hx + G
\end{aligned}
\]
where
\[
G = a_0^2 a_3 - 3a_0 a_1 a_2 + 2a_1^3, \qquad H = a_0 a_2 - a_1^2.
\]
Define $g(x)$ as the reduced cubic of $f(x)$. Note $g(a_0 x + a_1) = a_0^2 f(x)$, and so

1. On multiplying the roots of $f(x)$ by $a_0$ and then adding $a_1$ we obtain the roots of $g(x)$.

2. $g(x)$ has no term in $x^2$ and its coefficients are in $F$.
Recall that the $n$th roots of unity are the complex numbers which yield $1$ when raised to a given power, $n$. The third roots (cube roots) of unity are
\[
1, \qquad \frac{-1 + \sqrt{3}\,i}{2}, \qquad \frac{-1 - \sqrt{3}\,i}{2}
\]
where $i$ is the imaginary unit; the latter two roots are primitive. Let $w$ be a primitive cube root of $1$ and $u, v$ any numbers. Since
\[
(x - u - v)(x - uw - vw^2)(x - uw^2 - vw) = x^3 - 3uvx - u^3 - v^3
\]
using either of the primitive cube roots, we know that the roots of
\[
x^3 - 3uvx - u^3 - v^3
\]
are
\[
u + v, \qquad uw + vw^2, \qquad uw^2 + vw.
\]
We want to determine the roots of $g(x)$ by choosing $u$ and $v$ so that
\[
uv = -H, \qquad u^3 + v^3 = -G.
\]
Here we show that this implies $u^3$ and $v^3$ are the roots of the quadratic
\[
C(x) = x^2 + Gx - H^3.
\]
Using the quadratic formula the roots of $C(x)$ are
\[
\alpha = \tfrac{1}{2}\left( -G + \sqrt{G^2 + 4H^3} \right), \qquad
\beta = \tfrac{1}{2}\left( -G - \sqrt{G^2 + 4H^3} \right).
\]
Now set $u$ to be any cube root of $\alpha$. This implies $v = -H/u$ because
\[
\begin{aligned}
v^3 = \beta = \tfrac{1}{2}\left( -G - \sqrt{G^2 + 4H^3} \right)
&= \frac{\tfrac{1}{2}\left( -G - \sqrt{G^2 + 4H^3} \right)\left( -G + \sqrt{G^2 + 4H^3} \right)}{-G + \sqrt{G^2 + 4H^3}} \\
&= \frac{\tfrac{1}{2}\left( G^2 - G\sqrt{G^2 + 4H^3} + G\sqrt{G^2 + 4H^3} - G^2 - 4H^3 \right)}{-G + \sqrt{G^2 + 4H^3}} \\
&= \frac{-2H^3}{-G + \sqrt{G^2 + 4H^3}} = \frac{-H^3}{\alpha}.
\end{aligned}
\]
So the necessary choices of $u$ and $v$ satisfy
\[
u^3 = \alpha, \qquad v^3 = \beta, \qquad u = \sqrt[3]{\alpha}, \qquad v = -\frac{H}{u}.
\]
We can now see that this choice of $u$ and $v$ satisfies the conditions:
\[
uv = u \cdot \left( -\frac{H}{u} \right) = -H,
\qquad
u^3 + v^3 = \alpha + \beta
= \tfrac{1}{2}\left( -G + \sqrt{G^2 + 4H^3} \right) + \tfrac{1}{2}\left( -G - \sqrt{G^2 + 4H^3} \right)
= -G.
\]
So the roots of $g(x)$ can now be found.

Note that if $\beta = 0$ then this implies that $H = 0$ and so the roots of $g(x)$ are the cube roots of $-G$.
Example

Solve $x^3 + 3x^2 - 3x - 14 = 0$.
\[
a_0 = 1, \qquad a_1 = 1, \qquad a_2 = -1, \qquad a_3 = -14
\]
\[
H = (1)(-1) - (1^2) = -2, \qquad
G = (1^2)(-14) - 3(1)(1)(-1) + 2(1^3) = -9.
\]
So $C(x) = x^2 - 9x + 8$, giving $\alpha = 8$, $\beta = 1$.

We know $u$ is a cube root of $\alpha$, so take $u = 2$; then $v = -H/u = 1$. Hence the roots of $g(x)$ are
\[
2 + 1, \qquad 2w + w^2, \qquad 2w^2 + w
\]
which using either of the two options for $w$ gives
\[
3, \qquad -\tfrac{1}{2}\left( 3 + i\sqrt{3} \right), \qquad -\tfrac{1}{2}\left( 3 - i\sqrt{3} \right).
\]
Finally we subtract $a_1$ and divide by $a_0$ to get the roots of the unreduced equation, $f(x)$:
\[
2, \qquad -\tfrac{1}{2}\left( 5 + i\sqrt{3} \right), \qquad -\tfrac{1}{2}\left( 5 - i\sqrt{3} \right).
\]
A.2.2 The discriminant

The discriminant of a polynomial is a number that can be easily computed from the coefficients of the polynomial and which is zero if and only if the polynomial has a multiple root. If the polynomial $p(x)$ has roots $r_1, \ldots, r_n$ and leading coefficient $a_0$ then
\[
p(x) = a_0 (x - r_1)(x - r_2) \cdots (x - r_n)
\]
and it can be shown that the discriminant is
\[
D = a_0^{2n - 2} \prod_{i < j} (r_i - r_j)^2,
\]
so for a cubic the prefactor is $a_0^4$. Note that for a quadratic polynomial $ax^2 + bx + c$ the discriminant is $b^2 - 4ac$.

Let $\alpha, \beta, \gamma$ be the roots of $f(x)$; then the discriminant of $f(x)$ is
\[
D = a_0^4 (\alpha - \beta)^2 (\beta - \gamma)^2 (\gamma - \alpha)^2.
\]
This term helps to discriminate between different types of cubics in the following obvious ways:

$D = 0$ if and only if $f(x)$ has at least two equal roots.

If all the roots of $f(x)$ are different and $D/a_0^4$ is real then

(i) $D/a_0^4 > 0$ when all the roots are real.

(ii) $D/a_0^4 < 0$ if at least one root is not real.

Theorem A.5. When $f(x)$ has real coefficients then these further statements hold:

$D > 0$: The cubic has three distinct real roots.

$D = 0$: The cubic has three real roots of which at least two are equal.

$D < 0$: The cubic has one real root and two conjugate unreal roots.
Proof Since $f(x)$ is real it can definitely be written as a product of two real factors, one linear and one quadratic, and so assuming $\alpha$ is the real root:
\[
f(x) = (x - \alpha)(a_0 x^2 + b_0 x + c_0).
\]
This is the same $a_0$ term as we know the coefficient of $x^3$ is $a_0$. However, $b_0$ and $c_0$ are new constants.

Now, $\beta$ and $\gamma$ are the roots of $a_0 x^2 + b_0 x + c_0$, so $\beta + \gamma = -b_0/a_0$ and $\beta\gamma = c_0/a_0$, and
\[
\begin{aligned}
D &= a_0^4 \bigl[ (\alpha - \beta)(\alpha - \gamma) \bigr]^2 (\beta - \gamma)^2 \\
&= a_0^4 \bigl[ \alpha^2 - \alpha(\beta + \gamma) + \beta\gamma \bigr]^2 \bigl[ (\beta + \gamma)^2 - 4\beta\gamma \bigr] \\
&= \bigl[ a_0 \alpha^2 + b_0 \alpha + c_0 \bigr]^2 \bigl[ b_0^2 - 4 a_0 c_0 \bigr].
\end{aligned}
\]
For the final step note that the second term is the discriminant of the quadratic, which can be defined using the general formula above or the specific quadratic form.

Now, the first term is positive unless $\alpha$ is also a (real) root of $a_0 x^2 + b_0 x + c_0$, which would make the first term zero and imply the third root is real. The second term is only zero when $a_0 x^2 + b_0 x + c_0$ has equal real roots, making the $\pm$ part of the quadratic formula redundant.

Hence $D = 0$ if and only if $f(x)$ has three real roots of which at least two are equal.

If $D \neq 0$ then the sign of $D$ is the same as that of the second term, $b_0^2 - 4a_0 c_0$. This is the discriminant of the quadratic, and clearly if it is positive then the roots of the cubic are all real, and if it is negative then two of them are complex. $\square$
We want to get the discriminant of the cubic in terms of the coefficients so that we can apply the theorem without knowing the roots. We still assume that $f(x)$ has roots $\alpha, \beta, \gamma$, and so $g(x)$ has by definition the roots
\[
p = a_0 \alpha + a_1, \qquad q = a_0 \beta + a_1, \qquad r = a_0 \gamma + a_1.
\]
Because $g(x)$ is monic the discriminant is
\[
\begin{aligned}
(q - r)^2 (r - p)^2 (p - q)^2
&= (a_0 \beta + a_1 - a_0 \gamma - a_1)^2 (a_0 \gamma + a_1 - a_0 \alpha - a_1)^2 (a_0 \alpha + a_1 - a_0 \beta - a_1)^2 \\
&= a_0^6 (\beta - \gamma)^2 (\gamma - \alpha)^2 (\alpha - \beta)^2 \\
&= a_0^2 D.
\end{aligned}
\]
So if we find the discriminant of $g(x)$ we can easily calculate the discriminant of $f(x)$. So we choose the easier task of calculating the discriminant of $g(x)$.

Set $p = u + v$, $q = uw + vw^2$ and $r = uw^2 + vw$, the three roots of $g(x)$ found earlier. Then using either value of $w$ we find that
\[
p + q + r = 0, \qquad pq + pr + rq = -3uv, \qquad pqr = u^3 + v^3.
\]
So
\[
p + q + r = 0, \qquad pq + pr + rq = 3H, \qquad pqr = -G.
\]
We can then show
\[
\begin{aligned}
p(q - r)^2 = p(q + r)^2 - 4pqr
&= (u^3 + 3u^2 v + 3uv^2 + v^3) + 4G \\
&= (u + v)^3 + 4G = p^3 + 4G \\
&= u^3 + v^3 + 3uv(u + v) + 4G \\
&= -G - 3Hp + 4G \\
&= 3(G - Hp).
\end{aligned}
\]
Similarly
\[
q(r - p)^2 = 3(G - Hq), \qquad r(p - q)^2 = 3(G - Hr).
\]
We can now calculate the discriminant of $g(x)$ multiplied by $-G = pqr$:
\[
\begin{aligned}
-G (q - r)^2 (r - p)^2 (p - q)^2
&= p(q - r)^2 \cdot q(r - p)^2 \cdot r(p - q)^2 \\
&= 27 (G - Hp)(G - Hq)(G - Hr) \\
&= 27 \bigl[ -H^3 pqr + GH^2 (qr + rp + pq) - G^2 H (p + q + r) + G^3 \bigr] \\
&= 27 \bigl[ H^3 G + GH^2 (3H) + 0 + G^3 \bigr] \\
&= 27 G (G^2 + 4H^3).
\end{aligned}
\]
Thus we can see that if $G \neq 0$ then $g(x)$ has discriminant $-27(G^2 + 4H^3)$.

If $G = 0$ then the roots of $g(x)$ are $0, \pm\sqrt{-3H}$, making the squared differences $-3H$, $-3H$ and $-12H$. This then makes the discriminant $-108H^3$, which is $-27(G^2 + 4H^3)$ with $G$ set to zero.

Thus in all cases the discriminant of $g(x)$ is $-27(G^2 + 4H^3)$.
It then follows that the discriminant of $f(x)$ is
\[
\begin{aligned}
D &= \frac{-27 (G^2 + 4H^3)}{a_0^2}
= \frac{-27 \bigl[ (a_0^2 a_3 - 3a_0 a_1 a_2 + 2a_1^3)^2 + 4(a_0 a_2 - a_1^2)^3 \bigr]}{a_0^2} \\
&= -27 \bigl( a_0^2 a_3^2 - 6a_0 a_1 a_2 a_3 + 4a_0 a_2^3 - 3a_1^2 a_2^2 + 4a_1^3 a_3 \bigr).
\end{aligned}
\]
A.2.3 Relating back to elliptic curves

We are considering elliptic curves that are the solutions to the Weierstrass equation
\[
y^2 = x^3 + Ax + B.
\]
The roots of this curve will be the same as the roots of the cubic on the right hand side. We can calculate the discriminant of the cubic by relating it to $g(x) = x^3 + 3Hx + G$, which had discriminant $-27(G^2 + 4H^3)$.

We can see that here
\[
3H = A \;\Longrightarrow\; H = \frac{A}{3} \;\Longrightarrow\; H^3 = \frac{A^3}{27},
\qquad
G = B \;\Longrightarrow\; G^2 = B^2.
\]
So the elliptic curve cubic has discriminant
\[
-27(G^2 + 4H^3) = -27\left( B^2 + \frac{4A^3}{27} \right) = -(27B^2 + 4A^3)
\]
as required.

So to impose the condition that all roots are distinct we will require
\[
4A^3 + 27B^2 \neq 0.
\]
If we are working with the generalised Weierstrass equation then a similar calculation will have to be performed to find the discriminant, using the equation for $D$, the discriminant of $f(x)$.
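As an added example that is not part of the original project, the following Python code carries the computations of A.2.1 to A.2.3 through for any cubic written in the appendix's notation $f(x) = a_0 x^3 + 3a_1 x^2 + 3a_2 x + a_3$: it forms $G$ and $H$, solves by Cardano's method exactly as above, evaluates $D = -27(G^2 + 4H^3)/a_0^2$ exactly with rational arithmetic, and checks it against $a_0^4 \prod_{i<j}(r_i - r_j)^2$ and against $-(4A^3 + 27B^2)$ for the Weierstrass cubic. The cube root of $\alpha$ is taken as Python's principal complex cube root; any other choice gives the same set of roots. The function names are this example's own.

```python
"""Added example, not part of the original project: Cardano's method from
Appendix A.2.1 and the discriminant of A.2.2 / A.2.3 for a cubic written as
f(x) = a0 x^3 + 3 a1 x^2 + 3 a2 x + a3 (the appendix's notation).
Coefficients are ints or Fractions so that discriminants are exact; roots
are computed in floating-point complex arithmetic."""
import cmath
from fractions import Fraction


def reduced_cubic(a0, a1, a2, a3):
    """G and H with g(x) = x^3 + 3 H x + G = a0^2 f((x - a1) / a0)."""
    G = a0 * a0 * a3 - 3 * a0 * a1 * a2 + 2 * a1 ** 3
    H = a0 * a2 - a1 * a1
    return G, H


def discriminant(a0, a1, a2, a3):
    """D = a0^4 prod_{i<j} (r_i - r_j)^2 = -27 (G^2 + 4 H^3) / a0^2, exactly."""
    G, H = reduced_cubic(a0, a1, a2, a3)
    return Fraction(-27 * (G * G + 4 * H ** 3), a0 * a0)


def weierstrass_discriminant(A, B):
    """For y^2 = x^3 + A x + B: a0 = 1, a1 = 0, 3 a2 = A, a3 = B, which the
    appendix shows gives D = -(4 A^3 + 27 B^2)."""
    return discriminant(1, 0, Fraction(A, 3), B)


def real_root_type(D):
    """Theorem A.5, for a cubic with real coefficients."""
    if D > 0:
        return "three distinct real roots"
    if D == 0:
        return "three real roots, at least two equal"
    return "one real root and two complex conjugate roots"


def cubic_roots(a0, a1, a2, a3):
    """Cardano as in A.2.1: u^3 and v^3 are the roots alpha, beta of
    C(x) = x^2 + G x - H^3, with u v = -H and u^3 + v^3 = -G.  The roots of g
    are u+v, u w + v w^2, u w^2 + v w for w a primitive cube root of unity;
    the roots of f follow by subtracting a1 and dividing by a0."""
    G, H = reduced_cubic(a0, a1, a2, a3)
    G, H = float(G), float(H)
    a0f, a1f = float(a0), float(a1)
    sq = cmath.sqrt(G * G + 4 * H ** 3)
    alpha, beta = (-G + sq) / 2, (-G - sq) / 2
    # use whichever of alpha, beta is larger in modulus to avoid dividing by a
    # tiny u; if both vanish then G = H = 0 and g(x) = x^3 has a triple root
    base = alpha if abs(alpha) >= abs(beta) else beta
    if base == 0:
        return [complex(-a1f / a0f)] * 3
    u = cmath.exp(cmath.log(base) / 3)      # a cube root of base
    v = -H / u                              # so that u v = -H
    w = complex(-0.5, 3 ** 0.5 / 2)         # (-1 + sqrt(3) i) / 2
    roots_g = [u + v, u * w + v * w * w, u * w * w + v * w]
    return [(r - a1f) / a0f for r in roots_g]


def discriminant_from_roots(a0, roots):
    """a0^4 prod_{i<j} (r_i - r_j)^2, the definition of D for a cubic."""
    r1, r2, r3 = roots
    return a0 ** 4 * ((r1 - r2) * (r2 - r3) * (r3 - r1)) ** 2


if __name__ == "__main__":
    # the worked example x^3 + 3x^2 - 3x - 14: roots 2 and (-5 +/- i sqrt 3)/2
    print(cubic_roots(1, 1, -1, -14))
    D = discriminant(1, 1, -1, -14)
    print(D, real_root_type(D))                     # -1323, one real root
    print(weierstrass_discriminant(-1, 0))          # y^2 = x^3 - x: D = 4
```

Running it on the worked example above returns the roots $2$ and $-\tfrac{1}{2}(5 \pm i\sqrt{3})$ to floating-point precision and the discriminant $-1323 = -27 \cdot 49$, whose sign confirms via Theorem A.5 that only one root is real.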
A.3 Elliptic curves in characteristic 2

The formulae for elliptic curve addition in Section 2.2 were derived using the Weierstrass equation $y^2 = x^3 + Ax + B$ and so do not apply when the field $K$ has characteristic 2. When in characteristic 2 we work with the generalised Weierstrass equation
\[
y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6
\]
for an elliptic curve $E$. We now consider two different possibilities:

(I) If $a_1 \neq 0$ then letting
\[
x = a_1^2 x_1 + \frac{a_3}{a_1}, \qquad y = a_1^3 y_1 + \frac{a_1^2 a_4 + a_3^2}{a_1^3}
\]
will change the generalised Weierstrass equation to
\[
\begin{aligned}
&\left( a_1^3 y_1 + \frac{a_1^2 a_4 + a_3^2}{a_1^3} \right)^2
+ a_1 \left( a_1^2 x_1 + \frac{a_3}{a_1} \right)\left( a_1^3 y_1 + \frac{a_1^2 a_4 + a_3^2}{a_1^3} \right)
+ a_3 \left( a_1^3 y_1 + \frac{a_1^2 a_4 + a_3^2}{a_1^3} \right) \\
&\qquad = \left( a_1^2 x_1 + \frac{a_3}{a_1} \right)^3
+ a_2 \left( a_1^2 x_1 + \frac{a_3}{a_1} \right)^2
+ a_4 \left( a_1^2 x_1 + \frac{a_3}{a_1} \right)
+ a_6.
\end{aligned}
\]
Collecting powers of $x_1$ and $y_1$ (the $y_1$ term gathers $2a_1^3 \cdot \frac{a_1^2 a_4 + a_3^2}{a_1^3}$ from the square and $a_1^3 a_3$ from each of the other two terms on the left, while the $x_1$ terms on the two sides combine to $3a_3^2 + 2a_1 a_2 a_3 + a_1^2 a_4 - (a_1^2 a_4 + a_3^2)$) gives
\[
a_1^6 y_1^2 + a_1^6 x_1 y_1 + y_1 \bigl[ 2(a_1^2 a_4 + a_3^2) + 2a_1^3 a_3 \bigr]
= a_1^6 x_1^3 + C x_1^2 + x_1 \bigl[ 2a_3^2 + 2a_1 a_2 a_3 \bigr] + D
\]
where $C$ and $D$ are new constants. Because we are in characteristic 2 we can reduce modulo 2, to give
\[
a_1^6 y_1^2 + a_1^6 x_1 y_1 = a_1^6 x_1^3 + C x_1^2 + D,
\]
\[
y_1^2 + x_1 y_1 = x_1^3 + a_2' x_1^2 + a_6'
\]
for new constants $a_2'$, $a_6'$.
Considering the partial derivatives:
\[
f(x_1, y_1) = y_1^2 + x_1 y_1 - x_1^3 - a_2' x_1^2 - a_6',
\]
\[
f_y(x_1, y_1) = 2y_1 + x_1 \equiv x_1 \pmod 2, \qquad
f_x(x_1, y_1) = y_1 - 3x_1^2 - 2a_2' x_1 \equiv y_1 + x_1^2 \pmod 2.
\]
So a singular point on this curve must have $x_1 = 0$, which in turn implies $y_1 = 0$. So the curve will have a singular point if and only if the origin lies on the curve. So we can conclude that this curve is nonsingular if and only if $a_6' \neq 0$.
(II) If $a_1 = 0$ then let
\[
x = x_1 + a_2, \qquad y = y_1.
\]
Then the generalised Weierstrass equation becomes
\[
\begin{aligned}
y_1^2 + a_3 y_1 &= (x_1 + a_2)^3 + a_2 (x_1 + a_2)^2 + a_4 (x_1 + a_2) + a_6 \\
&= x_1^3 + 4a_2 x_1^2 + 5a_2^2 x_1 + a_4 x_1 + 2a_2^3 + a_4 a_2 + a_6 \\
y_1^2 + a_3' y_1 &\equiv x_1^3 + a_4' x_1 + a_6' \pmod 2
\end{aligned}
\]
for constants $a_3'$, $a_4'$, $a_6'$.
Considering the partial derivatives:
\[
f(x_1, y_1) = y_1^2 + a_3' y_1 - x_1^3 - a_4' x_1 - a_6',
\]
\[
f_y(x_1, y_1) = 2y_1 + a_3' \equiv a_3' \pmod 2, \qquad
f_x(x_1, y_1) = -3x_1^2 - a_4'.
\]
So we see that this curve is nonsingular if and only if $a_3' \neq 0$.
Addition of points is similar to the simple case. To add two points $P_1$ and $P_2$ on $E$ we draw the line, $L$, through them (the tangent if $P_1 = P_2$) and find the third point of intersection $P_3'$. We then compute $P_3 = -P_3'$ using Equation (2.1), not simply reflecting in the $x$-axis. Then $P_1 + P_2 = P_3$. We still have $P + \infty = P$ for all points $P$.

As before, the points on $E$ form an additive abelian group with $\infty$ as the identity element. We now explicitly find the formulas for doubling a point, treating the two cases separately.
(I) $y^2 + xy = x^3 + a_2 x^2 + a_6$: Because we are in characteristic 2 we can rewrite this as
\[
0 = y^2 + xy + x^3 + a_2 x^2 + a_6.
\]
Implicit differentiation yields
\[
0 = 2yy' + y + xy' + 3x^2 + 2a_2 x \equiv (y + x^2) + xy' \pmod 2.
\]
Therefore the slope of the tangent line, $L$, through $P_0 = (x_0, y_0)$ is
\[
m = \frac{y_0 + x_0^2}{x_0}.
\]
The line, $L$, is given by
\[
y = m(x - x_0) + y_0 = mx + b
\]
for a constant $b$. To find the other point where $L$ intersects $E$, $(x_1, y_1)$, we substitute:
\[
0 = (mx + b)^2 + x(mx + b) + x^3 + a_2 x^2 + a_6 = x^3 + (m^2 + m + a_2) x^2 + \cdots
\]
We know the sum of the roots, $(x_0 + x_0 + x_1)$, is equal to the negative of the $x^2$ coefficient. So we obtain
\[
\begin{aligned}
x_1 = -(m^2 + m + a_2) - 2x_0 \equiv m^2 + m + a_2
&= \left( \frac{y_0 + x_0^2}{x_0} \right)^2 + \left( \frac{y_0 + x_0^2}{x_0} \right) + a_2 \\
&= \frac{(y_0^2) + 2y_0 x_0^2 + x_0^4 + x_0 y_0 + x_0^3 + a_2 x_0^2}{x_0^2} \\
&= \frac{(x_0^3 + a_2 x_0^2 + a_6 + x_0 y_0) + 2y_0 x_0^2 + x_0^4 + x_0 y_0 + x_0^3 + a_2 x_0^2}{x_0^2} \\
&= \frac{2(x_0^3 + a_2 x_0^2 + x_0 y_0 + y_0 x_0^2) + x_0^4 + a_6}{x_0^2} \\
&\equiv \frac{x_0^4 + a_6}{x_0^2} \pmod 2.
\end{aligned}
\]
The $y$-coordinate of this intersection is $y_1 = m(x_1 - x_0) + y_0$. Since $(x_1, y_1) = -2P$ we get $2P = (x_2, y_2)$ where $x_2 = x_1$ and $y_2$ is given by Equation (2.1). (Note the coefficients in (2.1) refer to the generalised Weierstrass equation, so here $a_1 = 1$, $a_3 = 0$.)

So if $P = (x_0, y_0)$ we obtain $2P = (x_2, y_2)$ where
\[
x_2 = x_1 = \frac{x_0^4 + a_6}{x_0^2}, \qquad
y_2 = -x_1 - y_1 = x_2 + m(x_2 - x_0) + y_0, \qquad
m = \frac{y_0 + x_0^2}{x_0}.
\]
(II) $y^2 + a_3 y = x^3 + a_4 x + a_6$: Because we are in characteristic 2 we can rewrite this as
\[
0 = y^2 + a_3 y + x^3 + a_4 x + a_6.
\]
Implicit differentiation yields
\[
0 = 2yy' + a_3 y' + 3x^2 + a_4 \equiv a_3 y' + (x^2 + a_4) \pmod 2.
\]
The tangent line $L$ at $P = (x_0, y_0)$ is
\[
y = m(x - x_0) + y_0, \qquad m = \frac{x_0^2 + a_4}{a_3}.
\]
Note that earlier we showed $a_3 \neq 0$, otherwise the curve would be singular. Now, substituting to find the third point of intersection, $(x_1, y_1)$, gives
\[
0 = (mx + b)^2 + a_3 (mx + b) + x^3 + a_4 x + a_6 = x^3 + m^2 x^2 + \cdots
\]
So
\[
x_1 = -m^2 - 2x_0 \equiv m^2 = \frac{x_0^4 + 2a_4 x_0^2 + a_4^2}{a_3^2} \equiv \frac{x_0^4 + a_4^2}{a_3^2} \pmod 2
\]
and $y_1 = m(x_1 - x_0) + y_0$. Therefore $2P = (x_2, y_2)$ where
\[
x_2 = x_1 = \frac{x_0^4 + a_4^2}{a_3^2}, \qquad
y_2 = -a_3 - y_1 \equiv a_3 + y_1 = a_3 + m(x_2 - x_0) + y_0, \qquad
m = \frac{x_0^2 + a_4}{a_3}.
\]
If we want to add two distinct points, so $(x_0, y_0) + (x_1, y_1) = (x_2, y_2)$, then we proceed as before. The line $L$ will have gradient
\[
m = \frac{y_1 - y_0}{x_1 - x_0}, \qquad \text{and equation } y = m(x - x_0) + y_0.
\]
(I) If $y^2 + xy = x^3 + a_2 x^2 + a_6$ then substituting into $E$ to find the third point of intersection gives (the $x^2$ coefficient is now $m^2 + m - a_2$, so the $a_2$ term appears just as it did for doubling)
\[
x_2' = m^2 + m - a_2 - x_0 - x_1, \qquad y_2' = m(x_2' - x_0) + y_0.
\]
Then using Equation (2.1) we find
\[
x_2 = x_2' = m^2 + m - a_2 - x_0 - x_1, \qquad
y_2 = -x_2' - y_2' = x_2 + m(x_2 - x_0) + y_0.
\]
(II) If $y^2 + a_3 y = x^3 + a_4 x + a_6$ then substituting in $E$ gives
\[
x_2' = m^2 - x_0 - x_1, \qquad y_2' = m(x_2' - x_0) + y_0.
\]
Then using Equation (2.1) (with $a_1 = 0$, so the negative of $(x, y)$ is $(x, -a_3 - y)$, exactly as in the doubling formula for this case) we find
\[
x_2 = x_2' = m^2 - x_0 - x_1, \qquad
y_2 = -a_3 - y_2' \equiv a_3 + m(x_2 - x_0) + y_0 \pmod 2.
\]
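The doubling and addition rules just derived for the form $y^2 + xy = x^3 + a_2 x^2 + a_6$ can be exercised over an actual field of characteristic 2. The Python code below is an added example, not part of the original project: it implements $\mathbb{F}_{2^8}$ as $\mathbb{F}_2[t]/(t^8 + t^4 + t^3 + t + 1)$ (the AES field, chosen only because its arithmetic is widely tabulated), the negation $-(x, y) = (x, x + y)$ that Equation (2.1) gives when $a_1 = 1$, $a_3 = 0$, and the group law in the form derived above, then checks the closed form $x(2P) = (x_0^4 + a_6)/x_0^2$ against the slope formula, inverses, associativity on a sample of triples, the Hasse bound $|N - 257| \leq 32$ and Lagrange's theorem. The curve coefficients $a_2 = 1$, $a_6 = \mathtt{0x2B}$ and all names are this example's own choices.

```python
"""Added example, not part of the original project: the group law of
Appendix A.3, form (I)  y^2 + x y = x^3 + a2 x^2 + a6, over the field
F_{2^8} = F_2[t] / (t^8 + t^4 + t^3 + t + 1).  Field elements are ints below
256 (bit i is the coefficient of t^i); None is the point at infinity.  The
field, the curve coefficients and the point search are this example's own."""

MOD = 0x11B  # t^8 + t^4 + t^3 + t + 1, irreducible over F_2


def gf_mul(a, b):
    """Product in F_{2^8}: shift-and-add with reduction by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= MOD
        b >>= 1
    return r


def gf_inv(a):
    """a^(2^8 - 2) = a^-1 for a != 0 (Fermat), by square-and-multiply."""
    assert a != 0, "0 has no inverse"
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def gf_div(a, b):
    return gf_mul(a, gf_inv(b))


def on_curve(P, a2, a6):
    if P is None:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(a2, x2) ^ a6


def neg(P):
    """Equation (2.1) with a1 = 1, a3 = 0: -(x, y) = (x, -x - y) = (x, x + y)."""
    return None if P is None else (P[0], P[0] ^ P[1])


def add(P, Q, a2, a6):
    """Chord-and-tangent addition in the form derived in Appendix A.3.
    Doubling:  m = (y0 + x0^2)/x0,  x2 = m^2 + m + a2,  y2 = x2 + m(x2 + x0) + y0.
    Distinct:  m = (y1 + y0)/(x1 + x0),  x2 = m^2 + m + a2 + x0 + x1,  same y2.
    (In characteristic 2 every '-' of the appendix is a '+', i.e. XOR.)"""
    if P is None:
        return Q
    if Q is None:
        return P
    x0, y0 = P
    x1, y1 = Q
    if x0 == x1:
        if y1 == x0 ^ y0:          # Q = -P, which includes P = Q with x0 = 0
            return None
        m = gf_div(y0 ^ gf_mul(x0, x0), x0)
        x2 = gf_mul(m, m) ^ m ^ a2
    else:
        m = gf_div(y0 ^ y1, x0 ^ x1)
        x2 = gf_mul(m, m) ^ m ^ a2 ^ x0 ^ x1
    y2 = x2 ^ gf_mul(m, x2 ^ x0) ^ y0
    return (x2, y2)


def double_x_closed_form(P, a6):
    """x-coordinate of 2P as (x0^4 + a6)/x0^2, the closed form derived above."""
    x0sq = gf_mul(P[0], P[0])
    return gf_div(gf_mul(x0sq, x0sq) ^ a6, x0sq)


def scalar_mul(k, P, a2, a6):
    R = None
    while k:
        if k & 1:
            R = add(R, P, a2, a6)
        P = add(P, P, a2, a6)
        k >>= 1
    return R


def all_points(a2, a6):
    """Brute-force enumeration of E(F_{2^8}), infinity first."""
    pts = [None]
    for x in range(256):
        for y in range(256):
            if on_curve((x, y), a2, a6):
                pts.append((x, y))
    return pts


def group_checks(a2, a6):
    """Check closure, inverses, the closed-form doubling, associativity on a
    sample of triples, the Hasse bound |N - 257| <= 2 * 16 and Lagrange's
    theorem.  Returns N = |E(F_{2^8})|."""
    assert a6 != 0, "a6 = 0 gives a singular curve (Appendix A.3)"
    pts = all_points(a2, a6)
    N = len(pts)
    assert abs(N - 257) <= 32
    for P in pts:
        assert add(P, neg(P), a2, a6) is None
        if P is not None and P[0] != 0:
            assert add(P, P, a2, a6)[0] == double_x_closed_form(P, a6)
    sample = pts[1::max(1, N // 12)]
    for P in sample:
        assert scalar_mul(N, P, a2, a6) is None
        for Q in sample:
            assert on_curve(add(P, Q, a2, a6), a2, a6)
            for R in sample:
                assert add(add(P, Q, a2, a6), R, a2, a6) == add(P, add(Q, R, a2, a6), a2, a6)
    return N


if __name__ == "__main__":
    print("|E(F_256)| =", group_checks(0x01, 0x2B))
```

The closed form $x(2P) = (x_0^4 + a_6)/x_0^2$ is checked at every affine point with $x_0 \neq 0$; the point with $x_0 = 0$ is its own negative, so $2P = \infty$ there, which is why the group order of a curve in this form is always even.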
A.4 Elliptic curves in characteristic 3

The case in characteristic 3 is simpler. We will have an equation of the form
\[
y^2 = x^3 + a_2 x^2 + a_4 x + a_6.
\]
As always, to add two points $P_1$ and $P_2$ on $E$ we draw the line, $L$, through them (the tangent if $P_1 = P_2$). We then find the third point of intersection $P_3'$. We can compute $P_3 = -P_3'$ by reflecting in the $x$-axis as in the original case, because here the curve is symmetric about the $x$-axis as with $y^2 = x^3 + Ax + B$. Then $P_1 + P_2 = P_3$.
A.5 The proof of associativity

In this section we introduce the topic of projective geometry. This will allow us to interpret the point at infinity as being on an elliptic curve, and give us the necessary background to tackle the proof of associativity.

A.5.1 Projective geometry and the point at infinity

Two dimensional projective space over $K$, $\mathbb{P}^2_K$, is given by equivalence classes of triples $(x, y, z)$ with $x, y, z \in K$ and at least one of $x, y, z$ non-zero. We say two triples $(x_1, y_1, z_1)$ and $(x_2, y_2, z_2)$ are equivalent if there exists a non-zero element $\lambda \in K$ such that
\[
(x_1, y_1, z_1) = \lambda (x_2, y_2, z_2).
\]
We then write $(x_1, y_1, z_1) \sim (x_2, y_2, z_2)$. The equivalence class of an element is the set of elements that are equivalent to it. So here, the equivalence class of a triple only depends on the ratios of $x$ to $y$ to $z$. Therefore the equivalence class of $(x, y, z)$ is denoted $(x : y : z)$.

If $(x : y : z)$ is a point with $z \neq 0$ then $(x : y : z) = (x/z : y/z : 1)$. These are the finite points in $\mathbb{P}^2_K$. However if $z = 0$ then we think of this as setting the $x$ or $y$ coordinate to $\infty$. Therefore the points $(x : y : 0)$ are the points at infinity in $\mathbb{P}^2_K$. Later in this section the point at infinity on an elliptic curve will be identified as one of these points.

The 2-dimensional affine plane over $K$ is usually denoted
\[
\mathbb{A}^2_K = \{ (x, y) \in K \times K \}.
\]
Clearly the map $(x, y) \mapsto (x : y : 1)$ maps all the points of $\mathbb{A}^2_K$ to points in $\mathbb{P}^2_K$ and so is an inclusion $\mathbb{A}^2_K \subset \mathbb{P}^2_K$. So the affine plane is identified with the finite points in $\mathbb{P}^2_K$.

A polynomial is homogeneous of degree $n$ if it is a sum of terms of the form $a x^i y^j z^k$ with $a \in K$ and $i + j + k = n$. For example
\[
F(x, y, z) = 2x^3 - 5xyz + 7yz^2
\]
is homogeneous of degree 3. If a polynomial, $F$, is homogeneous of degree $n$ then $F(\lambda x, \lambda y, \lambda z) = \lambda^n F(x, y, z)$ for all $\lambda \in K$. So if $F$ is homogeneous of some degree and $(x_1, y_1, z_1) \sim (x_2, y_2, z_2)$ then $F(x_1, y_1, z_1) = 0$ if and only if
$F(x_2, y_2, z_2) = 0$. Therefore a zero of $F$ in $\mathbb{P}^2_K$ does not depend on how the equivalence class is represented, so the set of zeros of $F$ in $\mathbb{P}^2_K$ is well defined.

If $F(x, y, z)$ is an arbitrary polynomial in $x, y, z$ then we cannot discuss the points in $\mathbb{P}^2_K$ where $F = 0$, as this depends on the representative of the equivalence class of $(x, y, z)$. For example if $F = x^2 + 2y - 3z$, then $F(1, 1, 1) = 0$. But $F(2, 2, 2) = 2$, and we need $(1 : 1 : 1) = (2 : 2 : 2)$, so to avoid this problem we work with homogeneous polynomials as described above.

If $f(x, y)$ is a polynomial in $x, y$ then we can make it homogeneous by inserting the appropriate powers of $z$. For example if $f(x, y) = y^2 - x^3 - Ax - B$ then the homogeneous polynomial would be $F(x, y, z) = y^2 z - x^3 - Axz^2 - Bz^3$. Explicitly, if
\[
f(x, y) = \sum_i a_i x^{p_i} y^{q_i}
\]
with $\max_i (p_i + q_i) = n$, then its homogeneous form is
\[
F(x, y, z) = \sum_i a_i x^{p_i} y^{q_i} z^{n - p_i - q_i}.
\]
We show that
\[
F(x, y, z) = z^n \sum_i a_i \frac{x^{p_i}}{z^{p_i}} \frac{y^{q_i}}{z^{q_i}}
= z^n \sum_i a_i \left( \frac{x}{z} \right)^{p_i} \left( \frac{y}{z} \right)^{q_i}
= z^n f\left( \frac{x}{z}, \frac{y}{z} \right). \tag{A.5}
\]
Also, it is clear that
\[
F(x, y, 1) = f(x, y).
\]
We can now see why two parallel lines are said to meet at infinity. Let
\[
y = mx + b_1, \qquad y = mx + b_2
\]
be two non-vertical parallel lines, with $b_1 \neq b_2$. Their homogeneous forms can be found as before (in the form $F = 0$), or expressed as below by simply rearranging:
\[
y = mx + b_1 z, \qquad y = mx + b_2 z.
\]
To find the point of intersection we solve these simultaneously, to get
\[
z(b_1 - b_2) = 0 \;\Longrightarrow\; z = 0, \qquad y = mx.
\]
We cannot have all of $x, y, z$ equal to $0$, so $x \neq 0$. This allows us to rescale by $x$ to show the intersection is at
\[
(x : mx : 0) = (1 : m : 0).
\]
Similarly if $x = c_1$ and $x = c_2$ are two vertical lines then they intersect at $(0 : 1 : 0)$, which is also one of the points at infinity in $\mathbb{P}^2_K$.

Now consider the elliptic curve $y^2 = x^3 + Ax + B$ with homogeneous form
\[
y^2 z = x^3 + Axz^2 + Bz^3.
\]
The points $(x, y)$ on the original curve correspond to $(x : y : 1)$ on the projective curve. To see which points on $E$ lie at infinity, set $z = 0$ to obtain $0 = x^3$. Therefore $x = 0$ and $y$ is any nonzero number. We rescale by $y$ to show that
\[
(0 : y : 0) = (0 : 1 : 0)
\]
is the only point at infinity of $E$. This is why we think of the infinity point as being at the end of the $y$-axis. Also, since $(0 : 1 : 0) = (0 : -1 : 0)$, the points at infinity at the top and bottom of the $y$-axis are the same.

Next look for points at infinity on the generalised Weierstrass equation. The homogeneous form of the equation is
\[
y^2 z + a_1 xyz + a_3 yz^2 = x^3 + a_2 x^2 z + a_4 xz^2 + a_6 z^3.
\]
When we set $z = 0$ we get $0 = x^3$. Therefore $\infty = (0 : 1 : 0)$ is the only point at infinity here, just as it was with the Weierstrass equation.

Throughout this project we usually work in the standard affine coordinates. However, there are situations where projective coordinates speed up calculations, such as the proof of associativity, which is simpler to prove in projective notation.
A.5.2 Lines in $\mathbb{P}^2_K$

The standard way to describe a line in $\mathbb{P}^2_K$ is by a linear equation $sx + ty + rz = 0$. Sometimes it is useful to give a parametric description:
\[
\begin{aligned}
x &= a_1 u + b_1 v \\
y &= a_2 u + b_2 v \\
z &= a_3 u + b_3 v
\end{aligned} \tag{A.6}
\]
where $u, v$ run through $K$, and at least one of $u, v$ is non-zero. For example if $s \neq 0$ the line $sx + ty + rz = 0$ can be described by
\[
\begin{aligned}
x &= \left( -\frac{t}{s} \right) u - \left( \frac{r}{s} \right) v \\
y &= 1 \cdot u + 0 \cdot v = u \\
z &= 0 \cdot u + 1 \cdot v = v.
\end{aligned}
\]
Suppose all the vectors $(a_i, b_i)$ are multiples of each other, so $(a_i, b_i) = \lambda_i (a_1, b_1)$. Then $(x, y, z) = x(1, \lambda_2, \lambda_3)$ for all $u, v$ such that $x \neq 0$. So we get a point, rather than a line, in projective space. We need to impose a condition on the coefficients $a_1, \ldots, b_3$ that ensures we actually get a line. This can be expressed as making sure the matrix
\[
\begin{pmatrix} a_1 & b_1 \\ a_2 & b_2 \\ a_3 & b_3 \end{pmatrix}
\]
has rank 2.

If $(u_1, v_1) = \lambda (u_2, v_2)$ for some $\lambda \in K^\times$ then $(u_1, v_1)$ and $(u_2, v_2)$ yield equivalent triples $(x, y, z)$. Therefore we can regard $(u, v)$ as running through points $(u : v)$ in 1-dimensional projective space $\mathbb{P}^1_K$.

We want to quantify the order to which a line intersects a curve at a point.
Lemma A.6. Let $G(u, v)$ be a non-zero homogeneous polynomial and let $(u_0 : v_0) \in \mathbb{P}^1_K$. Then there exists an integer $k \geq 0$ and a polynomial $H(u, v)$ with $H(u_0, v_0) \neq 0$ such that
\[
G(u, v) = (v_0 u - u_0 v)^k H(u, v).
\]
Proof Suppose $v_0 \neq 0$. Let $m$ be the degree of $G$ and let $g(u) = G(u, v_0)$. Factor out as large a power of $(u - u_0)$ as possible, so
\[
g(u) = (u - u_0)^k h(u)
\]
for some $k \geq 0$ and for some polynomial $h$, with degree $(m - k)$ and with $h(u_0) \neq 0$. Let $H(u, v) = (v^{m-k}/v_0^m)\, h(uv_0/v)$, so $H(u, v)$ is homogeneous of degree $(m - k)$. Then by Equation (A.5)
\[
\begin{aligned}
G(u, v) &= \left( \frac{v}{v_0} \right)^m g\left( \frac{uv_0}{v} \right)
= \left( \frac{v}{v_0} \right)^m \left( \frac{uv_0}{v} - u_0 \right)^k h\left( \frac{uv_0}{v} \right) \\
&= \frac{v^{m-k}}{v_0^m} (v_0 u - u_0 v)^k h\left( \frac{uv_0}{v} \right)
= (v_0 u - u_0 v)^k H(u, v)
\end{aligned}
\]
as desired.

If $v_0 = 0$ then $u_0 \neq 0$ and the proof would be the same with the roles of $u$ and $v$ reversed. $\square$
Let $f(x, y) = 0$ describe a curve $C$ in the affine plane and let
\[
x = a_1 t + b_1, \qquad y = a_2 t + b_2
\]
be a line $L$ written in terms of the parameter $t$. Let
\[
\tilde{f}(t) = f(a_1 t + b_1, a_2 t + b_2).
\]
Then $L$ intersects $C$ when $t = t_0$ if $\tilde{f}(t_0) = 0$. If $(t - t_0)^2$ divides $\tilde{f}(t)$, and the point corresponding to $t_0$ is nonsingular, then $L$ is tangent to $C$ (see Lemma A.8). Generally, we say that $L$ intersects $C$ to order $n$ at the point $(x, y)$ corresponding to $t = t_0$ if $(t - t_0)^n$ is the highest power of $(t - t_0)$ that divides $\tilde{f}(t)$.

The homogeneous version of this is as follows. Let $F(x, y, z)$ be a homogeneous polynomial, so $F = 0$ describes a curve $C$ in $\mathbb{P}^2_K$. Let $L$ be a line given parametrically and let
\[
\tilde{F}(u, v) = F(a_1 u + b_1 v,\ a_2 u + b_2 v,\ a_3 u + b_3 v).
\]
We say that $L$ intersects $C$ to order $n$ at the point $P = (x_0 : y_0 : z_0)$ corresponding to $(u : v) = (u_0 : v_0)$ if $(v_0 u - u_0 v)^n$ is the highest power of $(v_0 u - u_0 v)$ dividing $\tilde{F}(u, v)$. We denote this by
\[
\operatorname{ord}_{L, P}(F) = n.
\]
If $\tilde{F}$ is identically zero, then we let $\operatorname{ord}_{L, P}(F) = \infty$. This order is independent of the chosen parameterization of $L$. Note that $v = v_0 = 1$ corresponds to the non-homogeneous case above, and the benefit of this formulation is that we can treat the points at infinity along with the finite points in a uniform manner.
Lemma A.7. Let $L_1$ and $L_2$ be lines intersecting at a point $P$. For $i = 1, 2$ let $L_i(x, y, z)$ be a linear polynomial defining $L_i$. Then $\operatorname{ord}_{L_1,P}(L_2) = 1$ unless $L_1(x, y, z) = \lambda L_2(x, y, z)$ for a constant $\lambda$, in which case $\operatorname{ord}_{L_1,P}(L_2) = \infty$.

Proof. When we substitute the parameterization for $L_1$ into $L_2(x, y, z)$, we obtain $\tilde L_2$, which is a linear expression in $u, v$. Let $P$ correspond to $(u_0 : v_0)$. Since $\tilde L_2(u_0, v_0) = 0$, it follows that $\tilde L_2(u, v) = \lambda (v_0 u - u_0 v)$ for some constant $\lambda$. If $\lambda \neq 0$ then $\operatorname{ord}_{L_1,P}(L_2) = 1$.

If $\lambda = 0$ then all points on $L_1$ lie on $L_2$. Since two points in $\mathbb{P}^2_K$ determine a line, and $L_1$ has at least three points, it follows that $L_1$ and $L_2$ are the same line. Therefore $L_1(x, y, z)$ is proportional to $L_2(x, y, z)$, $\tilde L_2$ is identically zero and $\operatorname{ord}_{L_1,P}(L_2) = \infty$. □
A line that intersects a curve to order at least 2 is usually tangent to the curve. But consider the curve $C$ defined by
$$F(x, y, z) = y^2 z - x^3 = 0.$$
Let
$$x = au, \qquad y = bu, \qquad z = v$$
be a line through the point $P = (0 : 0 : 1)$. Note that $P$ corresponds to $(u : v) = (0 : 1)$. Then $\tilde F(u, v) = (b^2 u^2) v - a^3 u^3 = u^2 (b^2 v - a^3 u)$, so every line through $P$ intersects $C$ to order at least 2. The line with $b = 0$ intersects with order 3, and is the best choice for the tangent at $P$. We can see that the affine part of $C$ is $y^2 = x^3$, which has the singular point at $(0, 0)$.

A curve $C$ in $\mathbb{P}^2_K$ defined by $F(x, y, z) = 0$ is said to be non-singular at a point $P$ if at least one of the partial derivatives $F_x, F_y, F_z$ is nonzero at $P$. Consider the elliptic curve defined by
$$F(x, y, z) = y^2 z - x^3 - A x z^2 - B z^3 = 0.$$
Assume the characteristic of our field, $K$, is not 2 or 3. We have
$$F_x = -3x^2 - A z^2, \qquad F_y = 2yz, \qquad F_z = y^2 - 2Axz - 3Bz^2.$$
Now suppose $P = (x : y : z)$ is a singular point, so the partial derivatives at this point all vanish. If $z = 0$ then $F_x = 0$ implies $x = 0$ and $F_z = 0$ implies $y = 0$, so $P = (0 : 0 : 0)$, which is impossible. Therefore $z \neq 0$, so take $z = 1$. Now $F_y = 0$ will give $y = 0$. Since $(x : y : 1)$ lies on the curve we know $x$ satisfies both
$$x^3 + Ax + B = 0 \quad \text{and} \quad F_x = -3x^2 - A = 0.$$
So $x$ is a root of the polynomial and its derivative, making it a double root. However we assumed this was not the case, so we have a contradiction. Therefore an elliptic curve (with no multiple roots) has no singular points.

Note this is true even if considering points in $\bar K$, the algebraic closure of $K$. In general a non-singular curve will mean a curve with no singular points in $\bar K$.
If $P$ is a non-singular point of a curve $F(x, y, z) = 0$ then the tangent line at $P$ is
$$F_x(P)\, x + F_y(P)\, y + F_z(P)\, z = 0.$$
For example if $F(x, y, z) = y^2 z - x^3 - Axz^2 - Bz^3 = 0$, then the tangent line at $(x_0 : y_0 : z_0)$ is
$$(-3x_0^2 - A z_0^2)\, x + (2 y_0 z_0)\, y + (y_0^2 - 2 A x_0 z_0 - 3 B z_0^2)\, z = 0.$$
If we set $z_0 = z = 1$ then we obtain
$$(-3x_0^2 - A)\, x + (2 y_0)\, y + (y_0^2 - 2 A x_0 - 3B) = 0.$$
Then using $y_0^2 = x_0^3 + A x_0 + B$ gives
$$(-3x_0^2 - A)(x - x_0) + 2 y_0 (y - y_0) = 0,$$
which is the tangent line in affine coordinates that was used in deriving the addition formulas. Now consider the point at infinity on this curve. We have $(x_0 : y_0 : z_0) = (0 : 1 : 0)$. The tangent line is given by $0x + 0y + 1z = 0$, that is $z = 0$, which is the line at infinity in $\mathbb{P}^2_K$. It intersects the elliptic curve only at $(0 : 1 : 0)$, which corresponds to the fact that $\infty + \infty = \infty$ on an elliptic curve.
Lemma A.8. Let $F(x, y, z) = 0$ define a curve $C$. If $P$ is a nonsingular point of $C$, then there is exactly one line in $\mathbb{P}^2_K$ that intersects $C$ to order at least 2, and it is the tangent to $C$ at $P$.

Proof. Let $L$ be a line intersecting $C$ to order $k \geq 1$. Parameterize $L$ and substitute into $F$ to give $\tilde F(u, v)$. Let $(u_0 : v_0)$ correspond to $P$; then $\tilde F = (v_0 u - u_0 v)^k H(u, v)$ for some $H$ with $H(u_0, v_0) \neq 0$. Then using the chain rule
$$\begin{aligned}
\tilde F_u(u, v) &= +k v_0 (v_0 u - u_0 v)^{k-1} H(u, v) + (v_0 u - u_0 v)^k H_u(u, v), \\
\tilde F_v(u, v) &= -k u_0 (v_0 u - u_0 v)^{k-1} H(u, v) + (v_0 u - u_0 v)^k H_v(u, v).
\end{aligned}$$
We know that $k \geq 2$ if and only if $\tilde F_u(u_0, v_0) = \tilde F_v(u_0, v_0) = 0$.

Suppose $k \geq 2$; then the chain rule shows that at $P$
$$\tilde F_u = a_1 F_x + a_2 F_y + a_3 F_z = 0, \qquad \tilde F_v = b_1 F_x + b_2 F_y + b_3 F_z = 0. \tag{A.7}$$
Recall that since we are dealing with a line, the vectors $(a_1, a_2, a_3)$ and $(b_1, b_2, b_3)$ are linearly independent.

Suppose that $L'$ were another line that intersects $C$ to order at least 2. Then we obtain the second set of equations
$$a'_1 F_x + a'_2 F_y + a'_3 F_z = 0, \qquad b'_1 F_x + b'_2 F_y + b'_3 F_z = 0$$
at $P$. If the vectors $a' = (a'_1, a'_2, a'_3)$ and $b' = (b'_1, b'_2, b'_3)$ span the same plane in $K^3$ as $a = (a_1, a_2, a_3)$ and $b = (b_1, b_2, b_3)$ then
$$a' = \alpha a + \beta b, \qquad b' = \gamma a + \delta b$$
for some invertible $2 \times 2$ matrix $\begin{pmatrix} \alpha & \beta \\ \gamma & \delta \end{pmatrix}$. Therefore
$$u a' + v b' = (\alpha u + \gamma v)\, a + (\beta u + \delta v)\, b = u_1 a + v_1 b$$
for a new choice of parameters $u_1, v_1$. This means that $L$ and $L'$ are the same line.

If the vectors spanned different planes then they would be different lines. However, if this were the case then $a, b, a', b'$ span all of $K^3$. Since $(F_x, F_y, F_z)$ has dot product zero with these vectors, this implies it is the zero vector. This in turn means $P$ is a singular point, contrary to assumption.

So we have shown that there is only one line that intersects with order $k \geq 2$. We must now show that this is the tangent line. Suppose that $F_x \neq 0$. The tangent line can be given the parameterization
$$x = -(F_y/F_x)\, u - (F_z/F_x)\, v, \qquad y = u, \qquad z = v,$$
so, in the notation of Equation (A.6),
$$a_1 = -F_y/F_x, \quad b_1 = -F_z/F_x, \quad a_2 = 1, \quad b_2 = 0, \quad a_3 = 0, \quad b_3 = 1.$$
Substitute into Equation (A.7) to get
$$\tilde F_u = -(F_y/F_x) F_x + F_y = 0, \qquad \tilde F_v = -(F_z/F_x) F_x + F_z = 0.$$
Therefore the tangent line intersects the curve to order $k \geq 2$. □
A.5.3 The proof of associativity

The proof of associativity will follow easily from the next theorem. The proof of this theorem would be considerably simplified if the points $P_{ij}$ were assumed to be distinct. The cases where they are equal correspond to the cases when a tangent line is used in the group operation.

Theorem A.9. Let $C(x, y, z)$ be a homogeneous cubic polynomial and let $C$ be the curve in $\mathbb{P}^2_K$ described by $C(x, y, z) = 0$. Let $l_1, l_2, l_3$ and $m_1, m_2, m_3$ be lines in $\mathbb{P}^2_K$ such that $l_i \neq m_j$ for all $i, j$. Let $P_{ij}$ be the point of intersection of $l_i$ and $m_j$. Suppose $P_{ij}$ is a nonsingular point on the curve $C$ for all $(i, j) \neq (3, 3)$.

In addition we require that if, for some $i$, there are $k \geq 2$ of the points $P_{i1}, P_{i2}, P_{i3}$ equal to the same point, then $l_i$ intersects $C$ to order at least $k$. Similarly, if for some $j$ there are $k \geq 2$ of the points $P_{1j}, P_{2j}, P_{3j}$ equal to the same point, then $m_j$ intersects $C$ to order at least $k$.

Then $P_{33}$ also lies on the curve $C$.
Proof. Express $l_1$ in the parametric form of Equation (A.6), so $C(x, y, z)$ becomes $\tilde C(u, v)$. The line $l_1$ passes through $P_{11}, P_{12}, P_{13}$. Let $(u_1 : v_1)$, $(u_2 : v_2)$, $(u_3 : v_3)$ be the parameters on $l_1$ for these points. Since these points lie on $C$ we have $\tilde C(u_i, v_i) = 0$ for $i = 1, 2, 3$.

Let $m_j$ have equation $m_j(x, y, z) = a_j x + b_j y + c_j z = 0$. Substituting the parameterization for $l_1$ yields $\tilde m_j(u, v)$. Since $P_{1j}$ lies on $m_j$ we have $\tilde m_j(u_j, v_j) = 0$ for $j = 1, 2, 3$. Since $l_1 \neq m_j$ and since the zeros of $\tilde m_j$ yield the intersections of $l_1$ and $m_j$, the function $\tilde m_j(u, v)$ will vanish only at $P_{1j}$, so its linear form $\tilde m_j$ is nonzero.

Therefore $\tilde m_1(u, v)\, \tilde m_2(u, v)\, \tilde m_3(u, v)$ is a nonzero cubic homogeneous polynomial. We need to relate this to $\tilde C$.
Lemma A.10. Let $R(u, v)$ and $S(u, v)$ be homogeneous polynomials of degree 3, with $S$ not identically zero. Suppose there are three points $(u_i, v_i)$, $i = 1, 2, 3$, at which $R$ and $S$ vanish. If $k$ of these points are equal to the same point then let $(v_i u - u_i v)^k$ divide $R$ and $S$. Then there is a constant $\lambda \in K$ such that $R = \lambda S$.

Proof. First we prove that a non-zero cubic homogeneous polynomial $S(u, v)$ can have at most 3 zeros $(u : v)$ in $\mathbb{P}^1_K$ (counting multiplicities). Factor off the highest power of $v$, say $v^k$, so $S(u, v)$ vanishes to order $k$ at $(1 : 0)$ and $S(u, v) = v^k S_0(u, v)$ with $S_0(1, 0) \neq 0$. Since $S_0(u, 1)$ is a polynomial of degree $(3 - k)$, it can have at most $(3 - k)$ zeros, and exactly this many if $K$ is algebraically closed. All points $(u : v) \neq (1 : 0)$ can be written in the form $(u : 1)$, so $S_0(u, v)$ has at most $3 - k$ zeros in $\mathbb{P}^1_K$. Therefore $S(u, v)$ has at most $k + (3 - k) = 3$ zeros in $\mathbb{P}^1_K$.

Let $(u_0 : v_0)$ be any point in $\mathbb{P}^1_K$ not equal to any of the $(u_i, v_i)$. Since $S$ can have at most three zeros, $S(u_0, v_0) \neq 0$. Let $\lambda = R(u_0, v_0)/S(u_0, v_0)$. Then $R(u, v) - \lambda S(u, v)$ is a cubic homogeneous polynomial that vanishes at the four points $(u_i, v_i)$, $i = 0, 1, 2, 3$. Therefore $R - \lambda S$ must be identically zero. □
Now we can note that $\tilde C$ and $\tilde m_1 \tilde m_2 \tilde m_3$ vanish at the points $(u_i : v_i)$, $i = 1, 2, 3$. Also if $k$ of the points $P_{1j}$ are the same point then $k$ of the linear functions vanish at this point, so $\tilde m_1 \tilde m_2 \tilde m_3$ vanishes to order at least $k$, and by assumption so does $\tilde C$. So by the lemma there is a constant $\lambda$ so
$$\tilde C = \lambda\, \tilde m_1 \tilde m_2 \tilde m_3.$$
Let
$$C_1(x, y, z) = C(x, y, z) - \lambda\, m_1(x, y, z)\, m_2(x, y, z)\, m_3(x, y, z).$$
The line $l_1$ can be described by the linear equation $l_1(x, y, z) = ax + by + cz = 0$. At least one coefficient is non-zero, so assume $a \neq 0$ (the other cases will be similar). The parameterization of $l_1$ can be taken to be
$$x = -(b/a)\, u - (c/a)\, v, \qquad y = u, \qquad z = v. \tag{A.8}$$
Then $\tilde C_1(u, v) = C_1(-(b/a)u - (c/a)v,\; u,\; v)$. We can regroup to write $C_1(x, y, z)$ as a polynomial in $x$ with polynomials in $y, z$ as coefficients. Then writing
$$x^n = \frac{1}{a^n}\big[(ax + by + cz) - (by + cz)\big]^n = \frac{1}{a^n}\big[(ax + by + cz)^n + \dots\big]$$
(on $l_1$ itself this is $[-(b/a)u - (c/a)v]^n = (1/a^n)[-(by + cz)]^n$) allows us to give $C_1(x, y, z)$ as a polynomial in $ax + by + cz$ whose coefficients are polynomials in $y, z$:
$$C_1(x, y, z) = a_3(y, z)(ax + by + cz)^3 + \dots + a_0(y, z) \tag{A.9}$$
for some polynomials $a_i(y, z)$, $i = 0, 1, 2, 3$. Substituting Equation (A.8) into Equation (A.9) yields
$$0 = \tilde C_1(u, v) = a_0(u, v).$$
Therefore $a_0(y, z) = a_0(u, v)$ is the zero polynomial. It follows from Equation (A.9) that $C_1(x, y, z)$ is a multiple of $l_1(x, y, z) = ax + by + cz$.

Similarly there is a constant $\mu$ such that $C(x, y, z) - \mu\, l_1 l_2 l_3$ is a multiple of $m_1$. Let
$$D(x, y, z) = C - \lambda\, m_1 m_2 m_3 - \mu\, l_1 l_2 l_3.$$
Then $D$ is a multiple of $l_1$ and a multiple of $m_1$.
Lemma A.11. $D(x, y, z)$ is a multiple of $l_1(x, y, z)\, m_1(x, y, z)$.

Proof. Write $D = m_1 D_1$, so we need to show that $l_1$ divides $D_1$. Parameterize $l_1$ as in Equation (A.8) (again considering the case $a \neq 0$). Then substituting yields $\tilde D = \tilde m_1 \tilde D_1$. Since $l_1$ divides $D$, we have $\tilde D = 0$, and since $m_1 \neq l_1$ we have $\tilde m_1 \neq 0$. Therefore $\tilde D_1(u, v)$ is the zero polynomial. This implies that $D_1(x, y, z)$ is a multiple of $l_1$, as required. □

So by the lemma $D(x, y, z) = l_1 m_1 l$ where $l(x, y, z)$ is linear. By assumption $C = 0$ at $P_{22}, P_{23}, P_{32}$, and $l_1 l_2 l_3$ and $m_1 m_2 m_3$ vanish at these points. Therefore $D(x, y, z)$ vanishes at these three points. We must show that $D$ is identically zero.
Lemma A.12. $l(P_{22}) = l(P_{23}) = l(P_{32}) = 0$.

Proof. Suppose that $P_{13} \neq P_{23}$. If $l_1(P_{23}) = 0$ then $P_{23}$ is on the line $l_1$, as well as on $l_2$ and $m_3$ by definition. Therefore $P_{23} = P_{13}$, the intersection of $l_1$ and $m_3$, which is a contradiction. If $l_1(P_{23}) \neq 0$ then, because $D(P_{23}) = 0$, we have $m_1(P_{23})\, l(P_{23}) = 0$.

Next suppose that $P_{13} = P_{23}$. Then by the assumption of Theorem A.9, $m_3$ is tangent to $C$ at $P_{23}$, so $\operatorname{ord}_{m_3, P_{23}}(C) \geq 2$. Since $P_{13} = P_{23}$ and $P_{23}$ lies on $m_3$ we have
$$\operatorname{ord}_{m_3, P_{23}}(l_1) = \operatorname{ord}_{m_3, P_{23}}(l_2) = 1.$$
Therefore $\operatorname{ord}_{m_3, P_{23}}(l_1 l_2 l_3) \geq 2$. Also $\operatorname{ord}_{m_3, P_{23}}(m_1 m_2 m_3) = \infty$, therefore $\operatorname{ord}_{m_3, P_{23}}(D) \geq 2$, since $D$ is the sum of terms each of which vanishes to order at least 2. But $\operatorname{ord}_{m_3, P_{23}}(l_1) = 1$, so
$$\operatorname{ord}_{m_3, P_{23}}(m_1 l) = \operatorname{ord}_{m_3, P_{23}}(D) - \operatorname{ord}_{m_3, P_{23}}(l_1) \geq 1.$$
Therefore $m_1(P_{23})\, l(P_{23}) = 0$.

So in both cases we have $m_1(P_{23})\, l(P_{23}) = 0$. If $m_1(P_{23}) \neq 0$ then $l(P_{23}) = 0$ as required.

If $m_1(P_{23}) = 0$ then $P_{23}$ lies on $m_1$, as well as on $l_2$ and $m_3$. Therefore $P_{23} = P_{21}$, since $l_2$ and $m_1$ intersect at a unique point. By the assumption of Theorem A.9, $l_2$ is tangent to $C$ at $P_{23}$ and so $\operatorname{ord}_{l_2, P_{23}}(C) \geq 2$. As above $\operatorname{ord}_{l_2, P_{23}}(D) \geq 2$, so
$$\operatorname{ord}_{l_2, P_{23}}(l_1 l) \geq 1.$$
If $l_1(P_{23}) = 0$ then $P_{23}$ lies on $l_1, l_2, m_3$ and therefore $P_{13} = P_{23}$. By assumption $m_3$ is tangent to $C$ at $P_{23}$. Since $P_{23}$ is a nonsingular point of $C$, by Lemma A.8 we have $l_2 = m_3$, a contradiction. Therefore $l_1(P_{23}) \neq 0$ and so $l(P_{23}) = 0$ as required.

$l(P_{22}) = l(P_{32}) = 0$ similarly. □
Suppose for a contradiction that $l(x, y, z)$ is not zero, and so defines a line $l$.

First suppose that $P_{23}, P_{22}, P_{32}$ are distinct. Then $l$ and $l_2$ are lines through $P_{23}$ and $P_{22}$, and so $l = l_2$. Similarly $l = m_2$, and so $l_2 = m_2$, which is a contradiction.

Next suppose $P_{32} = P_{22}$, so $m_2$ is tangent to $C$ at $P_{22}$. As before
$$\operatorname{ord}_{m_2, P_{22}}(l_1 m_1 l) \geq 2.$$
We will show this forces $l = m_2$.

If $m_1(P_{22}) = 0$, then $P_{22}$ lies on $m_1, m_2, l_2$ and so $P_{21} = P_{22}$. This means that $l_2$ is tangent to $C$ at $P_{22}$. By Lemma A.8, $l_2 = m_2$, a contradiction. Therefore $m_1(P_{22}) \neq 0$.

If $l_1(P_{22}) \neq 0$, then $\operatorname{ord}_{m_2, P_{22}}(l) \geq 2$, which means $l = m_2$.

If $l_1(P_{22}) = 0$, then $P_{22} = P_{32}$ lies on $l_1, l_2, l_3, m_2$, so $P_{12} = P_{22} = P_{32}$. Therefore $\operatorname{ord}_{m_2, P_{22}}(C) \geq 3$ and so by the reasoning above $\operatorname{ord}_{m_2, P_{22}}(l_1 m_1 l) \geq 3$. We proved $m_1(P_{22}) \neq 0$, so $\operatorname{ord}_{m_2, P_{22}}(l) \geq 2$. This means $l = m_2$.

So under the assumption that $P_{32} = P_{22}$, $l$ is the same line as $m_2$. Now by Lemma A.12 $P_{23}$ lies on $l$ and therefore on $m_2$, as well as on $l_2$ and $m_3$ by definition. Therefore $P_{22} = P_{23}$, and so $l_2$ is tangent to $C$ at $P_{22}$. However $P_{32} = P_{22}$ means $m_2$ is tangent to $C$ at $P_{22}$ as well. This means that $l_2 = m_2$, contrary to assumption, so $P_{32} \neq P_{22}$.

We can show that $P_{23} \neq P_{22}$ similarly, with the roles of the indices reversed.

Finally suppose that $P_{23} = P_{32}$, so $P_{23}$ lies on $l_2, l_3, m_2, m_3$. This implies $P_{22} = P_{32}$, which we know is impossible.

So all possibilities lead to contradictions, so we conclude that $l(x, y, z)$ is identically zero. This in turn gives $D = 0$, so
$$C = \mu\, l_1 l_2 l_3 + \lambda\, m_1 m_2 m_3.$$
Since $l_3$ and $m_3$ vanish at $P_{33}$, we have $C(P_{33}) = 0$ as desired, completing the proof of Theorem A.9. □
Proof of Associativity

Let $P, Q, R$ be points on an elliptic curve $E$. Define the lines
$$\begin{aligned}
l_1 &= \overline{P,\, Q}, & l_2 &= \overline{\infty,\, Q+R}, & l_3 &= \overline{R,\, P+Q}, \\
m_1 &= \overline{Q,\, R}, & m_2 &= \overline{\infty,\, P+Q}, & m_3 &= \overline{P,\, Q+R},
\end{aligned}$$
where $+$ refers to elliptic curve addition. It can be easily verified that these lines have the following intersections (where $X$ is unknown).
$$\begin{array}{c|ccc}
 & l_1 & l_2 & l_3 \\ \hline
m_1 & Q & -(Q+R) & R \\
m_2 & -(P+Q) & \infty & P+Q \\
m_3 & P & Q+R & X
\end{array}$$
We first deal with some special cases:

(i) If $P$, $Q$ or $R$ is $\infty$ then associativity is trivial. For example, if $P = \infty$ then, as required,
$$(P + Q) + R = (\infty + Q) + R = Q + R, \qquad P + (Q + R) = \infty + (Q + R) = Q + R.$$

(ii) If $P + Q = \infty$ then
$$(P + Q) + R = \infty + R = R.$$
To find $(Q + R)$ we draw the line $L$ through $Q$ and $R$, which intersects $E$ again at $-(Q + R)$. Since $P + Q = \infty$, $P$ is the reflection of $Q$ in the $x$-axis, $-Q = P$. So the reflection of $L$ will be the line $L'$ which passes through $P$, $-R$ and $(Q + R)$. Now $P + (Q + R)$ is found by drawing the line through $P$ and $(Q + R)$, which is $L'$. The third point of intersection of $L'$ with $E$ is $-R$. Therefore
$$P + (Q + R) = R.$$
So associativity holds in this case.

(iii) If $Q + R = \infty$ then associativity holds similarly to above.

So now assume that $P, Q, R, (P + Q), (Q + R) \neq \infty$. We must now verify the assumptions of Theorem A.9 for the remaining cases. Now, if two of the points on a line are equal then by definition the line through them will be the tangent line, and will intersect to order 2. If three of the points are equal then it implies that all three are $\infty$. Earlier we saw that if the tangent line to the curve intersects at $\infty$ then it will intersect to order 3, so this assumption is satisfied.

Suppose that $l_i \neq m_j$ for all $i, j$. Then the assumptions of Theorem A.9 are all satisfied and so all the points in the table, including $X$, lie on $E$. Now $l_3$ will have three points of intersection with $E$: $R$, $(P + Q)$ and $X$. By the definition of elliptic curve addition we have
$$X = -[(P + Q) + R].$$
Similarly $m_3$ intersects $E$ in three places: $P$, $(Q + R)$ and $X$, so
$$X = -[P + (Q + R)].$$
So we see that $(P + Q) + R = P + (Q + R)$, as desired.
Our final task will be to consider what happens if some line $l_i$ equals some line $m_j$. First observe the following three results:

(i) If $P, Q, R$ are collinear then
$$(P + Q) + R = (-R) + R = \infty \quad \text{and} \quad P + (Q + R) = P + (-P) = \infty.$$
So associativity holds.

(ii) If $P, Q, (Q + R)$ are collinear then $P + (Q + R) = -Q$. Also $P + Q = -(Q + R)$, so
$$(P + Q) + R = -(Q + R) + R = -Q,$$
where the second equality is proved by Lemma A.13 below.

(iii) If $Q, R, (P + Q)$ are collinear then associativity holds as above.

Lemma A.13. Let $P_1, P_2$ be points on an elliptic curve. Then
$$(P_1 + P_2) - P_2 = P_1 \quad \text{and} \quad -(P_1 + P_2) + P_2 = -P_1.$$

Proof. The first equation is the reflection of the second, so we just prove the second. The line, $L$, through $P_1$ and $P_2$ intersects the elliptic curve again at $-(P_1 + P_2)$. So to calculate $-(P_1 + P_2) + P_2$ we would draw the line between them, which is $L$. This cuts again at $P_1$, so its reflection is $-P_1$. □
Now suppose $l_i = m_j$ for some $i, j$. We can assume that all the points of intersection except $\infty$ and possibly $X$ are finite. Consider the various cases.

(i) $l_1 = m_1$: Then $P, Q, R$ are on the same line. This means they are collinear and so associativity follows.

(ii) $l_1 = m_2$: $\overline{\infty,\, P+Q}$ is a vertical line, so $\overline{P,\, Q}$ is too. Therefore $P + Q = \infty$, and by the earlier argument associativity follows.

(iii) $l_2 = m_1$: In this case $Q + R = \infty$, so associativity holds similarly.

(iv) $l_1 = m_3$: Then $P$, $Q$ and $(Q + R)$ are collinear, so associativity holds.

(v) $l_3 = m_1$: Then $Q$, $R$ and $(P + Q)$ are collinear, so associativity holds.

(vi) $l_2 = m_2$: So we know that $(P + Q)$, $(Q + R)$ and $\infty$ are on this line. So $P + Q = \pm(Q + R)$. If $P + Q = Q + R$ then by Lemma A.13
$$P = (P + Q) - Q = (Q + R) - Q = R.$$
Therefore
$$(P + Q) + R = R + (P + Q) = P + (P + Q) = P + (R + Q) = P + (Q + R)$$
as required. If $P + Q = -(Q + R)$, then
$$(P + Q) + R = -(Q + R) + R = -Q, \qquad P + (Q + R) = P - (P + Q) = -Q.$$
So associativity holds.

(vii) $l_2 = m_3$: We have a line with $P$, $(Q + R)$, $\infty$ on it, meaning $P = -(Q + R)$. Since $Q$, $R$ and $-(Q + R)$ are collinear by definition, we have that $Q$ and $R$ are on this line as well. So $P, Q, R$ are collinear and associativity holds.

(viii) $l_3 = m_2$: We have a line with $R$, $(P + Q)$, $\infty$ on it, so associativity holds similarly to the previous case.

(ix) $l_3 = m_3$: So $P$, $R$, $(Q + R)$ and $(P + Q)$ lie on the same line, but this line cannot intersect $E$ in 4 points, so either $P = R$, $P = P + Q$ or $Q + R = P + Q$ (other combinations would imply $\infty$ was on the line). If $P = R$ then we are in the case $l_2 = m_2$. If $P = P + Q$ then
$$P - P = (P + Q) - P = Q$$
and so associativity follows. If $Q + R = P + Q$ then similarly adding $-Q$ gives $P = R$, which we have already treated.

So this completes the proof of associativity for all possible cases. When we are working in characteristic 2 the proof of associativity is very similar to this case, since with the generalised Weierstrass equation $E$ can still be given as a homogeneous cubic polynomial and so Theorem A.9 can still be applied. □
A.6 The proofs omitted from Chapter 3

In Chapter 3 the proofs of Lemmas 3.14 and 3.15 were omitted and said to be lengthy but simple exercises in proof by mathematical induction (PMI). We give the proofs of these lemmas here, along with Theorem A.14, which was used in Section 3.4.

Lemma 3.14. $\phi_n \in \mathbb{Z}[x, y^2, A, B]$ for all $n$. If $n$ is odd then $\omega_n \in y\mathbb{Z}[x, y^2, A, B]$, while if $n$ is even then $\omega_n \in \mathbb{Z}[x, y^2, A, B]$.
Proof. If $n$ is odd then $\psi_{n+1}$ and $\psi_{n-1}$ are in $y\mathbb{Z}[x, y^2, A, B]$, so their product is in $\mathbb{Z}[x, y^2, A, B]$, and so is $x\psi_n^2$. If $n$ is even then $\psi_n$ is in $y\mathbb{Z}[x, y^2, A, B]$, so $\psi_n^2$ is in $\mathbb{Z}[x, y^2, A, B]$, and so is $\psi_{n+1}\psi_{n-1}$. So either way all the components of $\phi_n$ are in $\mathbb{Z}[x, y^2, A, B]$, so $\phi_n$ is as well.

Now consider $\omega_n$. If $n$ is odd then $\psi_{n+2}$ and $\psi_{n-2}$ are in $\mathbb{Z}[x, y^2, A, B]$, while $\psi_{n+1}$ and $\psi_{n-1}$ are in $2y\mathbb{Z}[x, y^2, A, B]$. So
$$\psi_{n+2}\psi_{n-1}^2 \in 2^2 y^2\, \mathbb{Z}[x, y^2, A, B], \qquad \psi_{n-2}\psi_{n+1}^2 \in 2^2 y^2\, \mathbb{Z}[x, y^2, A, B], \qquad \omega_n \in y\mathbb{Z}[x, y, A, B].$$
While if $n$ is even then $\psi_{n+2}$ and $\psi_{n-2}$ are in $2y\mathbb{Z}[x, y^2, A, B]$, while $\psi_{n+1}$ and $\psi_{n-1}$ are in $\mathbb{Z}[x, y^2, A, B]$. So
$$\psi_{n+2}\psi_{n-1}^2 \in 2y\mathbb{Z}[x, y^2, A, B], \qquad \psi_{n-2}\psi_{n+1}^2 \in 2y\mathbb{Z}[x, y^2, A, B], \qquad \omega_n \in \tfrac{1}{2}\mathbb{Z}[x, y, A, B].$$
This result will suffice for future applications, but to prove the lemma we need to get rid of the 2 in the denominator when $n$ is even. We will prove with PMI that
$$\begin{aligned}
\psi_n &\equiv (x^2 + A)^{(n^2 - 1)/4} \pmod 2 & n \text{ odd}, \\
\psi_n &\equiv (yn)(x^2 + A)^{(n^2 - 4)/4} \pmod 2 & n \text{ even}.
\end{aligned}$$
We can see the hypothesis is true for $n \leq 4$:
$$\begin{aligned}
\psi_0 &= 0, & (yn)(x^2 + A)^{(n^2 - 4)/4} &= 0 \\
\psi_1 &= 1, & (x^2 + A)^{(n^2 - 1)/4} &= (x^2 + A)^{(1 - 1)/4} = 1 \\
\psi_2 &= 2y, & (yn)(x^2 + A)^{(n^2 - 4)/4} &= 2y(x^2 + A)^{(4 - 4)/4} = 2y \\
\psi_3 &= 3x^4 + 6Ax^2 + 12Bx - A^2 \equiv x^4 + A^2 \pmod 2, & (x^2 + A)^{(n^2 - 1)/4} &= (x^2 + A)^2 \equiv x^4 + A^2 \pmod 2 \\
\psi_4 &= 4y(x^6 + \dots) \equiv 0, & (ny)(x^2 + A)^{(n^2 - 4)/4} &= 4y(x^2 + A)^3 \equiv 0
\end{aligned}$$
Assume for induction that the lemma holds for all $n < 2m$, where $2m > 4$, so $m > 2$. We must now prove that the lemma holds for $n = 2m$ and $n = 2m + 1$ to prove the lemma with PMI. Because $2m > m + 2$ we can see that all polynomials in the definition of $\psi_{2m}$ and $\psi_{2m+1}$ satisfy the induction assumptions.

First assume $m$ is odd, so $m - 2$ is odd also and $m - 1$ is even. Then
$$\begin{aligned}
\psi_{2m+1} &= \psi_{m+2}\psi_m^3 - \psi_{m-1}\psi_{m+1}^3 \\
&\equiv (x^2 + A)^{\frac14((m+2)^2 - 1 + 3m^2 - 3)} - (m-1)(m+1)^3\, y^4 (x^2 + A)^{\frac14((m-1)^2 - 4 + 3(m+1)^2 - 12)}.
\end{aligned}$$
Because $(m - 1)$ is even the second term will be even, and so $\equiv 0 \pmod 2$:
$$\psi_{2m+1} \equiv (x^2 + A)^{\frac14(4m^2 + 4m)} + 0 \pmod 2 = (x^2 + A)^{\frac14((2m+1)^2 - 1)}$$
as required. Similarly
$$\begin{aligned}
\psi_{2m} &= (2y)^{-1}\psi_m\left(\psi_{m+2}\psi_{m-1}^2 - \psi_{m-2}\psi_{m+1}^2\right) \\
&\equiv +\frac{1}{2y}(x^2 + A)^{\frac{m^2 - 1}{4}}\left[(x^2 + A)^{\frac14((m+2)^2 - 1)}\, y^2 (m-1)^2 (x^2 + A)^{\frac24((m-1)^2 - 4)}\right] \\
&\quad - \frac{1}{2y}(x^2 + A)^{\frac{m^2 - 1}{4}}\left[(x^2 + A)^{\frac14((m-2)^2 - 1)}\, y^2 (m+1)^2 (x^2 + A)^{\frac24((m+1)^2 - 4)}\right] \\
&= (x^2 + A)^{\frac{m^2 - 1}{4}}\, y\left[\frac{(m-1)^2}{2}(x^2 + A)^{\frac14(3m^2 - 3)} - \frac{(m+1)^2}{2}(x^2 + A)^{\frac14(3m^2 - 3)}\right] \\
&= y(x^2 + A)^{\frac14(4m^2 - 4)}\left[\frac{(m-1)^2}{2} - \frac{(m+1)^2}{2}\right] \\
&= y(x^2 + A)^{\frac14((2m)^2 - 4)}\left[-\frac{4m}{2}\right] = -[2m]\, y(x^2 + A)^{\frac14((2m)^2 - 4)} \equiv 0 \pmod 2
\end{aligned}$$
as required.
Now assume $m$ is even, so $m - 2$ is even also and $m - 1$ is odd. Then
$$\psi_{2m+1} \equiv (m+2)m^3\, y^4 (x^2 + A)^{\frac14((m+2)^2 - 4 + 3m^2 - 12)} - (x^2 + A)^{\frac14((m-1)^2 - 1 + 3(m+1)^2 - 3)}.$$
Because $(m + 2)$ and $m$ are even the first term will be $\equiv 0 \pmod 2$:
$$\psi_{2m+1} \equiv 0 + (x^2 + A)^{\frac14(4m^2 + 4m)} = (x^2 + A)^{\frac14((2m+1)^2 - 1)}$$
as required. Similarly
$$\begin{aligned}
\psi_{2m} &\equiv +\frac{1}{2y}\left(my(x^2 + A)^{\frac{m^2 - 4}{4}}\right)\left[(m+2)y(x^2 + A)^{\frac14((m+2)^2 - 4 + 2(m-1)^2 - 2)}\right] \\
&\quad - \frac{1}{2y}\left(my(x^2 + A)^{\frac{m^2 - 4}{4}}\right)\left[(m-2)y(x^2 + A)^{\frac14((m-2)^2 - 4 + 2(m+1)^2 - 2)}\right] \\
&= \frac{my}{2}(x^2 + A)^{\frac{m^2 - 4}{4}}\left[(m+2)(x^2 + A)^{\frac{3m^2}{4}} - (m-2)(x^2 + A)^{\frac{3m^2}{4}}\right] \\
&= \frac{my}{2}(x^2 + A)^{\frac{4m^2 - 4}{4}}\,[m + 2 - m + 2] \\
&= (2m)y(x^2 + A)^{\frac14((2m)^2 - 4)}
\end{aligned}$$
as required. So by PMI we conclude that
$$\begin{aligned}
\psi_n &\equiv (x^2 + A)^{(n^2 - 1)/4} \pmod 2 & n \text{ odd}, \\
\psi_n &\equiv (yn)(x^2 + A)^{(n^2 - 4)/4} \pmod 2 & n \text{ even}.
\end{aligned}$$
Now if $n$ is even then $(n - 2)$ is even and $(n - 1)$ is odd, so
$$\begin{aligned}
\omega_n &= (4y)^{-1}\left(\psi_{n+2}\psi_{n-1}^2 - \psi_{n-2}\psi_{n+1}^2\right) \\
&\equiv +\frac{1}{4y}\left[(n+2)y(x^2 + A)^{\frac14((n+2)^2 - 4 + 2(n-1)^2 - 2)}\right] - \frac{1}{4y}\left[(n-2)y(x^2 + A)^{\frac14((n-2)^2 - 4 + 2(n+1)^2 - 2)}\right] \pmod 2 \\
&= \frac14\left[(n+2)(x^2 + A)^{\frac{3n^2}{4}} - (n-2)(x^2 + A)^{\frac{3n^2}{4}}\right] \\
&= \frac14(x^2 + A)^{\frac{3n^2}{4}}\,[n + 2 - n + 2] \\
&= (x^2 + A)^{\frac{3n^2}{4}}.
\end{aligned}$$
So now we have $\omega_n \in \mathbb{Z}[x, y^2, A, B]$ if $n$ is even, completing the proof. □
Lemma 3.15. When considering points on the elliptic curve $y^2 = x^3 + Ax + B$,

(i) $\psi_n^2(x) = n^2 x^{n^2 - 1} + $ lower degree terms,

(ii) $\phi_n(x) = x^{n^2} + $ lower degree terms.

Proof. We will first show by induction that
$$\begin{aligned}
\psi_n &= y\left(nx^{(n^2 - 4)/2} + \dots\right) & n \text{ even}, \\
\psi_n &= nx^{(n^2 - 1)/2} + \dots & n \text{ odd},
\end{aligned}$$
where $(+\dots)$ represents lower order terms. The hypothesis is true for $n \leq 4$:
$$\begin{aligned}
\psi_0 &= 0, & y\left(nx^{(n^2 - 4)/2} + \dots\right) &= 0 \\
\psi_1 &= 1, & nx^{(n^2 - 1)/2} + \dots &= x^0 = 1 \\
\psi_2 &= 2y, & y\left(nx^{(n^2 - 4)/2} + \dots\right) &= 2yx^0 + \dots = 2y \\
\psi_3 &= 3x^4 + \dots, & nx^{(n^2 - 1)/2} + \dots &= 3x^{(9 - 1)/2} + \dots = 3x^4 + \dots \\
\psi_4 &= 4y(x^6 + \dots), & y\left(nx^{(n^2 - 4)/2} + \dots\right) &= 4yx^{(16 - 4)/2} + \dots = 4yx^6 + \dots
\end{aligned}$$

Assume for induction that the lemma holds for all n < 2m, where 2m > 4,
so m > 2. We must now prove that the lemma holds for n = 2m and
n = 2m + 1 to prove the lemma with PMI. Because 2m > m + 2 we can see
that all polynomials in the denition of
2m
and
2m+1
satisfy the induction
assumptions.
First assume m is odd, so m2 is odd also and m1 is even. Then

2m+1
=
m+2

3
m

m1

3
m+1
= [(m+ 2)m
3
x
[(m+2)
2
1+3m
2
3]/2
+...]
y
4
[(m1)(m+ 1)
3
x
[(m1)
2
4+3(m+1)
2
12]/2
+...]
= [(m
4
+ 2m
3
)x
2m
2
+2m
+...] (x
6
+...)[(m
4
+ 2m
3
2m1)x
2m
2
+2m6
+...]
= [(m
4
+ 2m
3
)x
2m
2
+2m
+...] [(m
4
+ 2m
3
2m1)x
2m
2
+2m
+...]
= (2m+ 1)x
[(2m+1)
2
1]/2
+...
as required. Similarly

2m
= (2y)
1
(
m
)(
m+2

2
m1

m2

2
m+1
)
= +
1
2y
(mx
m
2
1
2
) y
2
_
(m+ 2)(m1)
3
x
[(m+2)
2
1+2(m1)
2
8]/2
+...
_
125

1
2y
(mx
m
2
1
2
) y
2
_
(m2)(m+ 1)
3
x
[(m2)
2
1+2(m+1)
2
8]/2
+...
_
=
y
2
(mx
m
2
1
2
)
_
((m+ 2)(m1)
3
x
[3m
2
3]/2
+...) ((m2)(m+ 1)
3
x
[3m
2
3]/2
+...)
_
=
my
2
x
[4m
2
4]/2
_
(m+ 2)(m1)
2
(m2)(m+ 1)
2
_
+...
=
my
2
x
[4m
2
4]/2
_
(m
3
3m+ 2) (m
3
3m2)
_
+... = (2m)yx
[(2m)
2
4]/2
as required.
Now assume $m$ is even, so $m - 2$ is even also and $m - 1$ is odd. Then
$$\begin{aligned}
\psi_{2m+1} &= y^4\left[(m+2)m^3 x^{[(m+2)^2 - 4 + 3m^2 - 12]/2} + \dots\right] - \left[(m-1)(m+1)^3 x^{[(m-1)^2 - 1 + 3(m+1)^2 - 3]/2} + \dots\right] \\
&= (x^6 + \dots)\left[(m+2)m^3 x^{[4m^2 + 4m - 12]/2} + \dots\right] - \left[(m-1)(m+1)^3 x^{[4m^2 + 4m]/2} + \dots\right] \\
&= \left[(m^4 + 2m^3) - (m^4 + 2m^3 - 2m - 1)\right]x^{[4m^2 + 4m]/2} + \dots \\
&= (2m + 1)x^{[(2m+1)^2 - 1]/2} + \dots
\end{aligned}$$
as required. Similarly
$$\begin{aligned}
\psi_{2m} &= +\frac{1}{2y}\left(ymx^{[m^2 - 4]/2}\right) y\left[(m+2)(m-1)^2 x^{[(m+2)^2 - 4 + 2(m-1)^2 - 2]/2} + \dots\right] \\
&\quad - \frac{1}{2y}\left(ymx^{[m^2 - 4]/2}\right) y\left[(m-2)(m+1)^2 x^{[(m-2)^2 - 4 + 2(m+1)^2 - 2]/2} + \dots\right] \\
&= \frac{my}{2}\, x^{[m^2 - 4]/2}\left[\left((m+2)(m-1)^2 x^{3m^2/2} + \dots\right) - \left((m-2)(m+1)^2 x^{3m^2/2} + \dots\right)\right] \\
&= \frac{my}{2}\left[(m+2)(m-1)^2 - (m-2)(m+1)^2\right] x^{[4m^2 - 4]/2} + \dots \\
&= (2m)yx^{[(2m)^2 - 4]/2} + \dots
\end{aligned}$$
as required. So, by PMI we can conclude that
$$\begin{aligned}
\psi_n &= y\left(nx^{(n^2 - 4)/2} + \dots\right) & n \text{ even}, \\
\psi_n &= nx^{(n^2 - 1)/2} + \dots & n \text{ odd}.
\end{aligned}$$
We can now use this to prove the lemma. Consider the case when $n$ is odd:
$$\psi_n^2 = \left(nx^{(n^2 - 1)/2} + \dots\right)\left(nx^{(n^2 - 1)/2} + \dots\right) = n^2 x^{n^2 - 1} + \dots$$
as required. Next consider the case when $n$ is even:
$$\begin{aligned}
\psi_n^2 &= y\left(nx^{(n^2 - 4)/2} + \dots\right) \cdot y\left(nx^{(n^2 - 4)/2} + \dots\right) \\
&= y^2 n^2\left(x^{n^2 - 4} + \dots\right) = (x^3 + Ax + B)\, n^2\left(x^{n^2 - 4} + \dots\right) \\
&= n^2 x^{n^2 - 1} + \dots
\end{aligned}$$
as required, proving part (i) of the lemma.

Now for part (ii). First let $n$ be odd, so $(n - 1)$ is even:
$$\begin{aligned}
\phi_n &= x\psi_n^2 - \psi_{n+1}\psi_{n-1} = x\left(n^2 x^{n^2 - 1} + \dots\right) - y^2\left((n+1)(n-1)x^{[(n+1)^2 - 4 + (n-1)^2 - 4]/2} + \dots\right) \\
&= \left(n^2 x^{n^2} + \dots\right) - (x^3 + \dots)\left((n^2 - 1)x^{n^2 - 3} + \dots\right) \\
&= \left(n^2 x^{n^2} + \dots\right) - \left((n^2 - 1)x^{n^2} + \dots\right) = x^{n^2} + \dots
\end{aligned}$$
as required. Finally consider the case when $n$ is even, so $(n - 1)$ is odd:
$$\begin{aligned}
\phi_n &= x\left(n^2 x^{n^2 - 1} + \dots\right) - \left((n+1)(n-1)x^{[(n+1)^2 - 1 + (n-1)^2 - 1]/2} + \dots\right) \\
&= \left(n^2 x^{n^2} + \dots\right) - \left((n^2 - 1)x^{n^2} + \dots\right) \\
&= x^{n^2} + \dots
\end{aligned}$$
as required. This completes the proof of part (ii) and the lemma. □
We now state and prove Theorem A.14, which was used in the corollaries of the Weil pairing given in Section 3.4. For this theorem we suppose that $E$ is an elliptic curve over a field $K$ and $n$ is an integer not divisible by the characteristic of $K$. Let
$$\mu_n = \{x \in \bar K \mid x^n = 1\}$$
be the group of $n$th roots of unity in $\bar K$. Since the characteristic of $K$ does not divide $n$, the equation $x^n = 1$ has no multiple roots, and hence $n$ roots in $\bar K$. Therefore $\mu_n$ is a cyclic group of order $n$. Any generator, $\zeta$, of $\mu_n$ is called a primitive $n$th root of unity.

Lemma A.14. $\zeta$ being a primitive $n$th root of unity is equivalent to saying that $\zeta^k = 1$ if and only if $n$ divides $k$.

Proof. To prove the lemma we need to prove the following two statements:

(i) Let $\zeta$ be a primitive $n$th root of unity. Then $\zeta^k = 1$ if and only if $n \mid k$.

(ii) Let $\zeta^k = 1$ if and only if $n \mid k$. Then $\zeta$ is a primitive $n$th root of unity.

First consider statement (i). $\zeta$ is a primitive $n$th root of unity, so
$$\mu_n = \{\zeta^i,\; i = 0, \dots, (n - 1)\}.$$

a. If $n \mid k$ then
$$\zeta^k = \zeta^{nj} = (\zeta^n)^j = 1^j = 1$$
as required.

b. If $\zeta^k = 1$ then $k = qn + r$ for some $r$ such that $0 \leq r < n$. Then
$$\zeta^k = \zeta^{qn}\zeta^r = \zeta^r,$$
so $\zeta^r = 1$. But $0$ is the only $r$ in the range $0 \leq r < n$ such that $\zeta^r = 1$, so $r = 0$, meaning $k = qn$. So $n \mid k$ as required.

Next consider statement (ii). Suppose $\zeta^k = 1 \iff n \mid k$; then $\zeta^n = 1 = \zeta^0$. Suppose for a contradiction that $\zeta^i = \zeta^j$ for some $i, j < n$, $i \neq j$. Then $\zeta^{i-j} = 1$, so $n \mid (i - j)$. This would imply that $i \equiv j \pmod n$, which is a contradiction. Therefore $\zeta^i$ for $i = 0, \dots, (n - 1)$ are all distinct elements. Further
$$(\zeta^i)^n = (\zeta^n)^i = (\zeta^0)^i = 1^i = 1.$$
So $\{\zeta^i,\; i = 0, \dots, (n - 1)\} = \mu_n$ as required. □
A.7 Methods to determine the order of $E(\mathbb{F}_q)$ exactly

Hasse's theorem gave bounds for the group of points on an elliptic curve over a finite field. In this section we discuss methods for determining the group order exactly.

A.7.1 Subfield curves

Suppose we have an elliptic curve defined over a small finite field $\mathbb{F}_q$, so that we can determine the order of $E(\mathbb{F}_q)$ by listing the points, or some other elementary procedure. We can then determine the order of $E(\mathbb{F}_{q^n})$ for all $n$.

Theorem A.15. Let $\#E(\mathbb{F}_q) = q + 1 - a$ and write $X^2 - aX + q = (X - \alpha)(X - \beta)$. Then for all $n \geq 1$
$$\#E(\mathbb{F}_{q^n}) = q^n + 1 - (\alpha^n + \beta^n). \tag{A.10}$$
Proof. We first need to show that $\alpha^n + \beta^n$ is an integer, which is implied by the following.

Lemma A.16. Let $s_n = \alpha^n + \beta^n$. Then $s_0 = 2$, $s_1 = a$ and $s_{n+1} = a s_n - q s_{n-1}$ for all $n \geq 1$.

Proof. Clearly $s_0 = \alpha^0 + \beta^0 = 1 + 1 = 2$ and $s_1 = \alpha + \beta$. By considering Equation (A.10) with $n = 1$ and Equation (4.1) we see that $\alpha + \beta = a$ as required.

Let $g(X) = X^2 - aX + q = (X - \alpha)(X - \beta)$, so $g(\alpha) = g(\beta) = 0$. Therefore
$$\alpha^2 - a\alpha + q = 0, \qquad \beta^2 - a\beta + q = 0.$$
Multiplying by $\alpha^{n-1}$ and $\beta^{n-1}$ respectively gives
$$\alpha^{n+1} - a\alpha^n + q\alpha^{n-1} = 0, \qquad \beta^{n+1} - a\beta^n + q\beta^{n-1} = 0,$$
$$\alpha^{n+1} = a\alpha^n - q\alpha^{n-1}, \qquad \beta^{n+1} = a\beta^n - q\beta^{n-1}.$$
Then
$$s_{n+1} = \alpha^{n+1} + \beta^{n+1} = a\alpha^n - q\alpha^{n-1} + a\beta^n - q\beta^{n-1} = a(\alpha^n + \beta^n) - q(\alpha^{n-1} + \beta^{n-1}) = a s_n - q s_{n-1}. \qquad \square$$

So $\alpha^n + \beta^n$ is an integer for all $n \geq 0$. Let
$$f(X) = (X^n - \alpha^n)(X^n - \beta^n) = X^{2n} - (\alpha^n + \beta^n)X^n + q^n.$$
Then $X^2 - aX + q = (X - \alpha)(X - \beta)$ divides $f(X)$. It follows from the standard algorithm for dividing polynomials that the quotient, $Q(X)$, is a polynomial with integer coefficients. Therefore, letting $X = \phi_q$ gives
$$(\phi_q^n)^2 - (\alpha^n + \beta^n)\phi_q^n + q^n = f(\phi_q) = Q(\phi_q)(\phi_q^2 - a\phi_q + q) = 0,$$
with the final equality using Theorem 4.6. Note that $\phi_q^n = \phi_{q^n}$, so
$$(\phi_{q^n})^2 - (\alpha^n + \beta^n)\phi_{q^n} + q^n = 0.$$
We know from Theorem 4.6 that there is only one $k$ such that $(\phi_{q^n})^2 - k\phi_{q^n} + q^n = 0$, and that it is $k = q^n + 1 - \#E(\mathbb{F}_{q^n})$. Therefore
$$\alpha^n + \beta^n = q^n + 1 - \#E(\mathbb{F}_{q^n}),$$
which can be rearranged to complete the proof of Theorem A.15. □
Example A.1. We showed in Example 4.2 that the curve, $E$, given by $y^2 + xy = x^3 + 1$ over $\mathbb{F}_2$ satisfies $\#E(\mathbb{F}_2) = 4$. Therefore $a = q + 1 - \#E(\mathbb{F}_q) = 2 + 1 - 4 = -1$ and we obtain the polynomial
$$X^2 + X + 2 = \left(X - \frac{-1 + \sqrt{-7}}{2}\right)\left(X - \frac{-1 - \sqrt{-7}}{2}\right).$$
Theorem A.15 tells us that
$$\#E(\mathbb{F}_4) = 4 + 1 - \left(\frac{-1 + \sqrt{-7}}{2}\right)^2 - \left(\frac{-1 - \sqrt{-7}}{2}\right)^2.$$
We could compute the last expression directly, but it is better to use the recurrence relation of Lemma A.16:
$$\alpha^2 + \beta^2 = s_2 = a s_1 - 2 s_0 = (-1)(-1) - 2(2) = -3.$$
So $\#E(\mathbb{F}_4) = 4 + 1 - (-3) = 8$ (as we calculated when listing points).

We could perform a similar calculation to find the size of $E$ over much larger fields. A Matlab m-file (RR44.m) was created to encode the recurrence relation, and can be found in Appendix C.7. This takes as its inputs $n$, $q$ and $\#E(\mathbb{F}_q)$ and outputs $s_n$ as defined by Lemma A.16. It was used to calculate
$$s_{101} = \left(\frac{-1 + \sqrt{-7}}{2}\right)^{101} + \left(\frac{-1 - \sqrt{-7}}{2}\right)^{101} = 2969292210605269.$$
We can then show that
$$\#E(\mathbb{F}_{2^{101}}) = 2^{101} + 1 - 2969292210605269 = 2.535301200456456 \times 10^{30}$$
to 16 significant figures, using Matlab.
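A worked implementation of Lemma A.16 and Theorem A.15 for the curve of Example A.1, added here as an illustration (it is not the thesis's RR44.m): it computes $s_n$ by the integer recurrence, derives $\#E(\mathbb{F}_{2^n})$ from Equation (A.10) in exact integer arithmetic rather than floating point, and cross-checks the $n = 1, 2$ values against a brute-force listing of the points of $y^2 + xy = x^3 + 1$ over $\mathbb{F}_2$ and $\mathbb{F}_4$. The 2-bit encoding of $\mathbb{F}_4$ and all function names are this example's own choices.

```python
# Subfield point counting (Lemma A.16 / Theorem A.15), added example.
# Function names and the F_4 encoding are this example's own choices.


def trace_sequence(q, count_q, n):
    """Return [s_0, ..., s_n] with s_k = alpha^k + beta^k, where
    X^2 - aX + q = (X - alpha)(X - beta) and a = q + 1 - #E(F_q).
    Lemma A.16: s_0 = 2, s_1 = a, s_{k+1} = a*s_k - q*s_{k-1}; all integers."""
    a = q + 1 - count_q
    s = [2, a]
    for k in range(1, n):
        s.append(a * s[k] - q * s[k - 1])
    return s[:n + 1]


def order_over_extension(q, count_q, n):
    """#E(F_{q^n}) = q^n + 1 - s_n  (Equation A.10), exact."""
    return q ** n + 1 - trace_sequence(q, count_q, n)[n]


def hasse_bound_holds(q, n, count):
    """|q^n + 1 - #E| <= 2 sqrt(q^n), checked without floating point."""
    t = q ** n + 1 - count
    return t * t <= 4 * q ** n


def gf2_mul(a, b):
    """Multiplication in F_2 (elements 0 and 1)."""
    return a & b


def gf4_mul(a, b):
    """Multiply in F_4 = F_2[w]/(w^2 + w + 1); elements are 2-bit ints,
    bit 0 = constant term, bit 1 = coefficient of w. Addition is XOR."""
    r = 0
    for i in range(2):
        if (b >> i) & 1:
            r ^= a << i
    if r & 0b100:          # reduce w^2 using w^2 = w + 1
        r ^= 0b111
    return r


def count_binary_curve(k):
    """Brute-force #E(F_{2^k}) for y^2 + xy = x^3 + 1 (Example A.1), k in {1, 2}:
    enumerate every (x, y) in the field and add the point at infinity."""
    if k == 1:
        mul = gf2_mul
    elif k == 2:
        mul = gf4_mul
    else:
        raise ValueError("only F_2 and F_4 are implemented in this example")
    size = 2 ** k
    total = 1                           # the point at infinity
    for x in range(size):
        for y in range(size):
            lhs = mul(y, y) ^ mul(x, y)
            rhs = mul(mul(x, x), x) ^ 1
            if lhs == rhs:
                total += 1
    return total


if __name__ == "__main__":
    q, count_q = 2, count_binary_curve(1)     # #E(F_2) = 4, as in Example 4.2
    for n in (1, 2, 3, 101):
        s_n = trace_sequence(q, count_q, n)[n]
        print(n, s_n, order_over_extension(q, count_q, n))
```

The listing for $\mathbb{F}_4$ must agree with the recurrence value $8$, and for every $n$ the order must satisfy Hasse's bound and be divisible by $\#E(\mathbb{F}_2) = 4$, since $E(\mathbb{F}_2)$ is a subgroup of $E(\mathbb{F}_{2^n})$.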
A.7.2 Legendre symbols

To make a list of all the points on $y^2 = x^3 + Ax + B$ over a finite field, we listed every possible value of $x$, and then found the square roots, $y$, of $(x^3 + Ax + B)$ if they existed. This procedure will be the basis for a simple point counting algorithm.

Recall our generalisation of the Legendre symbol to a finite field $\mathbb{F}_q$, $q$ odd:
$$\left(\frac{x}{\mathbb{F}_q}\right) = \begin{cases} +1 & \text{if } t^2 = x \text{ has a solution } t \in \mathbb{F}_q^\times, \\ -1 & \text{if } t^2 = x \text{ has no solution } t \in \mathbb{F}_q, \\ 0 & \text{if } x = 0. \end{cases}$$
Theorem A.17. Let $E$ be an elliptic curve, $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. Then
$$\#E(\mathbb{F}_q) = q + 1 + \sum_{x \in \mathbb{F}_q}\left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right).$$

Proof. Consider a point $x_0 \in \mathbb{F}_q$. There are two points on $E$ with $x$-coordinate $x_0$ if $x_0^3 + Ax_0 + B$ is a non-zero square in $\mathbb{F}_q$. There is one such point if it is zero, and no such points if it is not a square. It follows that the number of points on $E$ with $x$-coordinate $x_0$ is
$$1 + \left(\frac{x_0^3 + Ax_0 + B}{\mathbb{F}_q}\right).$$
So to find the order of $E(\mathbb{F}_q)$ we must sum over all $x_0 \in \mathbb{F}_q$ and add 1 for the point at infinity:
$$\#E(\mathbb{F}_q) = 1 + \sum_{x \in \mathbb{F}_q}\left(1 + \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)\right) = 1 + q + \sum_{x \in \mathbb{F}_q}\left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right). \qquad \square$$
Corollary A.18. Let $x^3 + Ax + B$ be a polynomial with $A, B \in \mathbb{F}_q$, $q$ odd. Then
$$\left|\sum_{x \in \mathbb{F}_q}\left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)\right| \le 2\sqrt{q}.$$

Proof. Suppose $x^3 + Ax + B$ has no repeated roots, so $y^2 = x^3 + Ax + B$ is an elliptic curve. By Theorem A.17
$$\left|\sum_{x\in\mathbb{F}_q}\left(\frac{x^3+Ax+B}{\mathbb{F}_q}\right)\right| = |q + 1 - \#E(\mathbb{F}_q)| \le 2\sqrt{q}$$
as required (the inequality follows from Hasse's Theorem).

We now consider the case when $x^3 + Ax + B$ has repeated roots. First recall that for a finite field $\mathbb{F}_q$ with $q$ odd, $\mathbb{F}_q^*$ is cyclic of even order $q - 1$. This means that half the elements of $\mathbb{F}_q^*$ are squares and half are non-squares. Therefore
$$\sum_{x\in\mathbb{F}_q}\left(\frac{x}{\mathbb{F}_q}\right) = 0 + 1 - 1 + 1 - 1 + \cdots = 0.$$
Now consider $u \in \mathbb{F}_q$. Since the set $\{x + u : x \in \mathbb{F}_q\} = \mathbb{F}_q$ we have
$$\sum_{x\in\mathbb{F}_q}\left(\frac{x+u}{\mathbb{F}_q}\right) = 0. \qquad \text{(A.11)}$$
Now let the cubic have repeated root $r$, so
$$\sum_{x\in\mathbb{F}_q}\left(\frac{x^3+Ax+B}{\mathbb{F}_q}\right) = \sum_{x\in\mathbb{F}_q}\left(\frac{(x-r)^2(x-s)}{\mathbb{F}_q}\right).$$
Now if $x \neq r$ then $(x-r)^2(x-s)$ is only a square when $(x - s)$ is. Hence, using (A.11),
$$\sum_{x\in\mathbb{F}_q}\left(\frac{x^3+Ax+B}{\mathbb{F}_q}\right) = \left(\sum_{x\in\mathbb{F}_q}\left(\frac{x-s}{\mathbb{F}_q}\right)\right) - \left(\frac{r-s}{\mathbb{F}_q}\right) + \left(\frac{f(r)}{\mathbb{F}_q}\right) = 0 - \left(\frac{r-s}{\mathbb{F}_q}\right) + \left(\frac{0}{\mathbb{F}_q}\right) = -\left(\frac{r-s}{\mathbb{F}_q}\right).$$
Since the absolute value of this is at most 1 we can easily conclude that it is $\le 2\sqrt{q}$, completing the proof of the corollary. □
Example A.2. Let $E$ be the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$ (as in Example 4.1).
$$1^2 = 1,\quad 2^2 = 4,\quad 3^2 = 9 \equiv 4 \pmod 5,\quad 4^2 = 16 \equiv 1 \pmod 5.$$
So the non-zero squares modulo 5 are 1 and 4. Using Theorem A.17
$$\#E(\mathbb{F}_q) = q + 1 + \sum_{x\in\mathbb{F}_q}\left(\frac{x^3+Ax+B}{\mathbb{F}_q}\right) = 5 + 1 + \sum_{x=0}^{4}\left(\frac{x^3+x+1}{\mathbb{F}_5}\right)$$
$$= 6 + \left(\frac{1}{\mathbb{F}_5}\right) + \left(\frac{3}{\mathbb{F}_5}\right) + \left(\frac{11}{\mathbb{F}_5}\right) + \left(\frac{31}{\mathbb{F}_5}\right) + \left(\frac{69}{\mathbb{F}_5}\right)$$
$$= 6 + \left(\frac{1}{\mathbb{F}_5}\right) + \left(\frac{3}{\mathbb{F}_5}\right) + \left(\frac{1}{\mathbb{F}_5}\right) + \left(\frac{1}{\mathbb{F}_5}\right) + \left(\frac{4}{\mathbb{F}_5}\right) = 6 + 1 - 1 + 1 + 1 + 1 = 9,$$
which is what we calculated in Example 4.1. Note also that this verifies Corollary A.18:
$$\left|\sum_{x\in\mathbb{F}_q}\left(\frac{x^3+Ax+B}{\mathbb{F}_q}\right)\right| = |9 - 6| = 3 \le 2\sqrt{5} = 2\sqrt{q}.$$
Lemma A.19. Let $x \in \mathbb{F}_q$ with $q$ odd. Then, as elements of $\mathbb{F}_q$,
$$\left(\frac{x}{\mathbb{F}_q}\right) = x^{(q-1)/2}.$$

Proof. The lemma is trivially true in the case when $x = 0$:
$$\left(\frac{x}{\mathbb{F}_q}\right) = \left(\frac{0}{\mathbb{F}_q}\right) = 0 = 0^{(q-1)/2} = x^{(q-1)/2}.$$
Now if $t^2 = x$ for some $t$ then
$$x^{(q-1)/2} = t^{q-1} = \frac{t^q}{t} = \frac{t}{t} = 1 = \left(\frac{x}{\mathbb{F}_q}\right),$$
so the lemma is true here also. Finally suppose $x$ does not have a square root. Now note that
$$\left(x^{(q-1)/2} - 1\right)\left(x^{(q-1)/2} + 1\right) = x^{q-1} - 1 = 1 - 1 = 0.$$
So if we show that, given $x$ is not a perfect square, $x^{(q-1)/2} \neq 1$, then we must have $x^{(q-1)/2} = -1$ by the equation above.

Let $G = \mathbb{F}_q^*$, the cyclic group of order $q - 1$. Let $H$ be the subgroup of $G$ which contains those elements of $G$ whose order divides $(q-1)/2$. Since $G$ is cyclic we know that $H$ exists and has $(q-1)/2$ elements. Let $H'$ be the subset of $G$ whose elements are perfect squares. Now since $G$ is cyclic we have, for a primitive root $g$,
$$G = \{g^0, g^1, g^2, \ldots, g^{q-2}\}.$$
So we can see that half the elements are squares and half are non-squares. Therefore $H'$ is also of order $(q-1)/2$; since every square $g^{2k}$ satisfies $(g^{2k})^{(q-1)/2} = g^{k(q-1)} = 1$ we have $H' \subseteq H$, and hence $H = H'$. Therefore the elements of $\mathbb{F}_q^*$ that are squares are exactly those whose order divides $(q-1)/2$. Hence if $x$ is not a perfect square then $x^{(q-1)/2} \neq 1$, which implies $x^{(q-1)/2} = -1$, completing the proof. □
When using Theorem A.17 it is possible to compute each individual generalised Legendre symbol quickly (using the method above, for example). However, it is more efficient to square all the elements of $\mathbb{F}_q^*$ and store the list of squares for future use.

Consider the case of $\mathbb{F}_p$. Make a vector with $p$ entries, one for each element of $\mathbb{F}_p$, and initially set all entries to $-1$. Now, for each $j$ with $1 \le j \le (p-1)/2$, square $j$, reduce $j^2$ modulo $p$ to get $k$, and change the $k$th entry in the vector to $+1$. Finally change the 0th entry to 0, which will leave the resulting vector as a list of the values of the Legendre symbol.
A.8 Supersingular curves

Recall that an elliptic curve $E$ in characteristic $p$ is defined to be supersingular if $E[p] = \{\infty\}$. This means there are no points of order $p$, even with coordinates in an algebraically closed field.

These curves are important as many calculations can be done more quickly on them than on arbitrary elliptic curves. Unfortunately, however, discrete logarithms can be significantly easier to solve on these curves, and the cryptographic algorithms defined on them are open to specific attacks.

So when using elliptic curves for cryptographic purposes it is useful to ensure the curve is not supersingular. The following result gives a way of determining this.

Proposition A.20. Let $E$ be an elliptic curve over $\mathbb{F}_q$, where $q$ is a power of a prime number $p$. Let $a = q + 1 - \#E(\mathbb{F}_q)$. Then $E$ is supersingular if and only if $a \equiv 0 \pmod p$, which is if and only if $\#E(\mathbb{F}_q) \equiv 1 \pmod p$.
Proof. Write $X^2 - aX + q = (X - \alpha)(X - \beta)$. Theorem A.15 implies
$$\#E(\mathbb{F}_{q^n}) = q^n + 1 - (\alpha^n + \beta^n).$$
Lemma A.16 says that $s_n = \alpha^n + \beta^n$ satisfies the recurrence relation
$$s_0 = 2,\qquad s_1 = a,\qquad s_{n+1} = a s_n - q s_{n-1}.$$
Suppose $a \equiv 0 \pmod p$. Then $s_1 = a \equiv 0$, $s_2 = a s_1 - q s_0 \equiv 0$, and so $s_{n+1} \equiv 0 \pmod p$ for all $n \ge 1$ by the recurrence relation. Therefore
$$\#E(\mathbb{F}_{q^n}) = q^n + 1 - (\alpha^n + \beta^n) = p^m + 1 - s_n \equiv 1 \pmod p.$$
This means that $\#E(\mathbb{F}_{q^n}) = 1 + pR$ for some integer $R$, so $p$ is clearly not a divisor of $\#E(\mathbb{F}_{q^n})$. Therefore there are no points of order $p$ in $E(\mathbb{F}_{q^n})$ for any $n \ge 1$. Since $\overline{\mathbb{F}}_q = \bigcup_{n \ge 1}\mathbb{F}_{q^n}$ (Appendix B.5.1) there are no points of order $p$ in $E(\overline{\mathbb{F}}_q)$. Therefore $E$ is supersingular, proving the "if" of the theorem.

Now suppose $a \not\equiv 0 \pmod p$. Then $s_{n+1} \equiv a s_n \pmod p$ for $n \ge 1$. Since $s_1 = a$ we have $s_n \equiv a^n \pmod p$ for all $n \ge 1$. Therefore
$$\#E(\mathbb{F}_{q^n}) = q^n + 1 - s_n \equiv 1 - a^n \pmod p.$$
By Fermat's Little Theorem $a^{p-1} \equiv 1 \pmod p$. Therefore $E(\mathbb{F}_{q^{p-1}})$ has order divisible by $p$, and hence contains at least one point of order $p$ (Theorem B.4). This means that $E$ is not supersingular, as there is a point of order $p$ in the algebraically closed field.

Finally note that
$$\#E(\mathbb{F}_q) \equiv q + 1 - a \equiv 1 - a \pmod p.$$
So $\#E(\mathbb{F}_q) \equiv 1 \pmod p$ if and only if $a \equiv 0 \pmod p$. □
Corollary A.21. Suppose $p \ge 5$ is a prime. Then an elliptic curve $E$ defined over $\mathbb{F}_p$ is supersingular if and only if $a = 0$, which is the case if and only if $\#E(\mathbb{F}_p) = p + 1$.

Proof. If $a = 0$ then $E$ is supersingular by Proposition A.20. Conversely, suppose that $E$ is supersingular but $a \neq 0$. Since $a \equiv 0 \pmod p$ we must have $|a| \ge p$. By Hasse's Theorem $|a| \le 2\sqrt{p}$, so $p \le 2\sqrt{p}$. This means that $\sqrt{p} \le 2$, so $p \le 4$, contradicting $p \ge 5$. □
The curve $y^2 + a_3 y = x^3 + a_4 x + a_6$ is supersingular in characteristic 2. Similarly, in characteristic 3 the curve $y^2 = x^3 + a_2 x^2 + a_4 x + a_6$ is supersingular if and only if $a_2 = 0$. The following allows us to construct supersingular curves in other characteristics.

Proposition A.22. Suppose $q$ is odd and $q \equiv 2 \pmod 3$. Let $B \in \mathbb{F}_q^*$. Then the elliptic curve $E$ given by $y^2 = x^3 + B$ is supersingular.
Proof. Let $\psi : \mathbb{F}_q^* \to \mathbb{F}_q^*$ be the homomorphism defined by $\psi(x) = x^3$. $\mathbb{F}_q^*$ has $q - 1$ elements, and since $q - 1$ is not a multiple of 3 we can conclude that there are no elements of order 3 in $\mathbb{F}_q^*$. Therefore the kernel of $\psi$ (the set of elements that map to the identity) is trivial. Therefore $\psi$ is injective, and hence must be surjective as it is a map from a finite group to itself. In particular this shows that every element of $\mathbb{F}_q$ has a cube root in $\mathbb{F}_q$.

For each $y \in \mathbb{F}_q$ there is exactly one $x \in \mathbb{F}_q$ such that $(x, y)$ lies on the curve: the unique cube root of $y^2 - B$. Since there are $q$ values of $y$ there are $q$ such points. Including the point $\infty$ gives
$$\#E(\mathbb{F}_q) = q + 1 = p^n + 1 \equiv 1 \pmod p.$$
Therefore, by Proposition A.20, $E$ is supersingular. □
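As an added example (not code from the project), the following Python puts together the vector-of-squares Legendre table and the point count of Theorem A.17 from Appendix A.7.2, the Euler's-criterion form of Lemma A.19, and the supersingularity tests of Corollary A.21 and Proposition A.22. It is restricted to prime fields $\mathbb{F}_p$ with $p$ an odd prime; the curve coefficients used are constructed sample values.

```python
"""Point counting over a prime field F_p with a precomputed table of Legendre
symbols (Theorem A.17 and the vector-of-squares procedure of A.7.2), Euler's
criterion (Lemma A.19), and the supersingularity tests of Corollary A.21 and
Proposition A.22.

Added example, not code from the project. Only prime fields F_p with p an odd
prime are handled; the curve coefficients below are constructed sample values.
"""


def legendre_table(p):
    """Vector of (x / F_p) for x = 0, ..., p-1, built as in the text: start
    every entry at -1, set entry j^2 mod p to +1 for 1 <= j <= (p-1)/2, then
    set entry 0 to 0."""
    table = [-1] * p
    for j in range(1, (p - 1) // 2 + 1):
        table[j * j % p] = 1
    table[0] = 0
    return table


def legendre_euler(x, p):
    """(x / F_p) via Lemma A.19: x^((p-1)/2) mod p, read as 0, 1 or -1."""
    r = pow(x % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def count_points(A, B, p):
    """#E(F_p) for y^2 = x^3 + Ax + B by Theorem A.17:
    p + 1 + sum over x of (x^3 + Ax + B / F_p)."""
    table = legendre_table(p)
    return p + 1 + sum(table[(x**3 + A * x + B) % p] for x in range(p))


def legendre_sum_bound_ok(A, B, p):
    """Corollary A.18: |sum_x (x^3 + Ax + B / F_p)| <= 2 sqrt(p), checked
    exactly by squaring both sides."""
    s = count_points(A, B, p) - p - 1
    return s * s <= 4 * p


def is_supersingular(A, B, p):
    """Corollary A.21 (needs p >= 5): E is supersingular iff
    a = p + 1 - #E(F_p) equals 0."""
    if p < 5:
        raise ValueError("Corollary A.21 requires p >= 5")
    return count_points(A, B, p) == p + 1


def prop_a22_holds(p):
    """Proposition A.22: for p = 2 (mod 3), every y^2 = x^3 + B with B != 0
    has exactly p + 1 points over F_p."""
    if p % 3 != 2:
        raise ValueError("Proposition A.22 needs p = 2 (mod 3)")
    return all(count_points(0, B, p) == p + 1 for B in range(1, p))


if __name__ == "__main__":
    # Example A.2: y^2 = x^3 + x + 1 over F_5 has 9 points.
    print("#E(F_5) =", count_points(1, 1, 5))  # 9
    # y^2 = x^3 + 1 over F_11 (11 = 2 mod 3) is supersingular: 12 points.
    print("#E(F_11) =", count_points(0, 1, 11), is_supersingular(0, 1, 11))
```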
Appendix B

Mathematical background material

In this chapter we summarise the background mathematics that is used throughout the project. Some of the results are well-known and as such are stated without proof or reference.

B.1 Algebraic curves

An algebraic curve is a set of common zeros of a polynomial. An elliptic curve can be defined as an algebraic curve in two variables $(x, y)$ by rewriting the Weierstrass equation as: find $(x, y)$ so that
$$y^2 - x^3 - Ax - B = 0.$$
A defining feature of an algebraic curve is that a straight line can only intersect it at a finite number of points. So $\sin(x)$ is not an algebraic curve, for example, as the straight line $y = 1/2$ intersects it at an infinite number of points.

The benefit of elliptic curves being algebraic curves is that we can use techniques other than calculus to study them. This section defines many of the terms and techniques used with algebraic curves and follows Chapter 1 of [4].
A domain (or integral domain) is a ring with at least two elements in which the cancellation law holds. A field is a domain in which every non-zero element is a unit, i.e. has a multiplicative inverse (for the full definition see Appendix B.5). Throughout this project $\mathbb{Z}$ denotes the domain of integers, while $\mathbb{Q}$, $\mathbb{R}$ and $\mathbb{C}$ are the fields of rational, real and complex numbers respectively.

For any ring $R$, $R[x]$ is the ring of polynomials with coefficients in $R$. The degree of a polynomial $\sum a_i x^i$ is the largest integer $d$ such that $a_d \neq 0$. The polynomial is monic if $a_d = 1$. The ring of polynomials in $n$ variables over $R$ is written $R[X_1, \ldots, X_n]$, although we often write $R[X, Y]$ and $R[X, Y, Z]$ when $n = 2, 3$. The monomials in $R[X_1, \ldots, X_n]$ are the polynomials $X_1^{i_1} X_2^{i_2} \cdots X_n^{i_n}$ where the $i_j$ are non-negative integers. The degree of a monomial is $i_1 + i_2 + \cdots + i_n$.

Every $F \in R[X_1, \ldots, X_n]$ has a unique expression $F = \sum a_i x_i$ where the $x_i$ are the monomials and $a_i \in R$. $F$ is homogeneous, or a form of degree $d$, if all coefficients $a_i$ are zero except possibly those belonging to monomials of degree $d$. Any polynomial $F$ has a unique expression $F = F_0 + F_1 + \cdots + F_d$, where $F_i$ is a form of degree $i$. If $F_d \neq 0$ then $d$ is the degree of $F$, written $\deg(F)$. The terms $F_0, F_1, F_2, \ldots$ are called the constant, linear, quadratic, ... terms of $F$. $F$ is constant if $F = F_0$.
Let $R$ be a ring, with $(R, +)$ the abelian group of the ring. Then a subset $I$ of $R$ is called a right ideal if
- $(I, +)$ is a subgroup of $(R, +)$;
- $xr$ is in $I$ for all $x$ in $I$ and all $r$ in $R$.
The subset is called a left ideal if
- $(I, +)$ is a subgroup of $(R, +)$;
- $rx$ is in $I$ for all $x$ in $I$ and all $r$ in $R$.

An ideal $I$ in a ring $R$ is proper if $I \neq R$. A proper ideal is maximal if it is not contained in any larger proper ideal. $I$ is a prime ideal if whenever $ab \in I$ either $a \in I$ or $b \in I$.

A set $S$ of elements of a ring $R$ generates an ideal
$$I = \left\{\sum a_i s_i \;\middle|\; s_i \in S,\ a_i \in R\right\}.$$
The ideal is finitely generated if $S$ is a finite set $S = \{f_1, \ldots, f_n\}$.

Let $I$ be an ideal in a ring $R$. The residue class ring of $R$ modulo $I$ is written $R/I$. It is the set of equivalence classes of elements in $R$ under the equivalence relation $a \sim b$ if $a - b \in I$. The equivalence class containing $a$ is called the $I$-residue of $a$, denoted $\bar{a}$.

$R/I$ forms a ring so that the function $\pi : R \to R/I$ taking each element to its $I$-residue is a ring homomorphism. If $\phi : R \to S$ is a ring homomorphism to a ring $S$, and $\phi(I) = 0$, then there is a unique ring homomorphism $\bar{\phi} : R/I \to S$ such that $\phi = \bar{\phi} \circ \pi$. A proper ideal $I \subset R$ is prime if and only if $R/I$ is a domain, and maximal if and only if $R/I$ is a field. Every maximal ideal is prime.
If $R$ is a ring, $a \in R$, $F \in R[X]$ and $a$ is a root of $F$, then $F = (X - a)G$ for some $G \in R[X]$. A field $k$ is algebraically closed if any non-constant $F \in k[X]$ has a root. It follows that $F = \mu\prod(X - \lambda_i)^{e_i}$ with $\mu, \lambda_i \in k$, where the $\lambda_i$ are the distinct roots of $F$; $e_i$ is called the multiplicity of $\lambda_i$. A polynomial of degree $d$ has $d$ roots in $k$, counting multiplicities.

Let $R$ be a ring. The derivative of a polynomial $F = \sum a_i X^i \in R[X]$ is defined to be $\sum i a_i X^{i-1}$, and is written $F_X$ or $\partial F/\partial X$. If $F \in R[X_1, \ldots, X_n]$ then $F_{X_i}$ is defined by considering $F$ as a polynomial in $X_i$ with coefficients in $R[X_1, \ldots, X_{i-1}, X_{i+1}, \ldots, X_n]$. The following rules can be easily verified:
1. $(aF + bG)_X = aF_X + bG_X$, where $a, b \in R$.
2. $F_X = 0$ if $F$ is a constant.
3. $(FG)_X = F_X G + F G_X$.
4. $(F^n)_X = nF^{n-1}F_X$.
5. If $G_1, \ldots, G_n \in R[X]$ and $F \in R[X_1, \ldots, X_n]$ then $F(G_1, \ldots, G_n)_X = \sum_{i=1}^{n} F_{X_i}(G_1, \ldots, G_n)\, G_{iX}$.
6. $F_{X_i X_j} = F_{X_j X_i}$, where $F_{X_i X_j} = (F_{X_i})_{X_j}$.
7. (Euler's Theorem) If $F$ is a form of degree $m$ in $R[X_1, \ldots, X_n]$ then $mF = \sum_{i=1}^{n} X_i F_{X_i}$.
B.2 Fractions in polynomial rings

This section, adapted from Chapter 9 of [1], describes how to work with fractions inside polynomial rings, which is necessary throughout the project.

The properties of a polynomial ring $F[x]$ closely resemble the properties of a number field. However, one aspect where it differs is that given two polynomials $a(x), b(x)$ with $b(x) \neq 0$ in $F[x]$, it is not always possible to find a polynomial $q(x)$ such that $a(x) = b(x)q(x)$. For example, the ring $F[x]$ may contain the polynomials $x$ and $(1 + x)$, but $x$ does not properly divide $(1 + x)$.

Consider a second pair of polynomials $\alpha(x), \beta(x)$ such that $\beta(x) \neq 0$. These polynomials are said to be equivalent to $a(x), b(x)$ when
$$a(x)\beta(x) = \alpha(x)b(x).$$
Let $a(x)/b(x)$ denote the equivalence class of pairs equivalent to $a(x), b(x)$. The class is then also representable by $\alpha(x)/\beta(x)$ and so we write
$$\frac{a(x)}{b(x)} = \frac{\alpha(x)}{\beta(x)}.$$
Addition and multiplication are defined as for polynomials:
$$\frac{a(x)}{b(x)} + \frac{c(x)}{d(x)} = \frac{a(x)\,d(x) + b(x)\,c(x)}{b(x)\,d(x)}, \qquad \frac{a(x)}{b(x)} \cdot \frac{c(x)}{d(x)} = \frac{a(x)\,c(x)}{b(x)\,d(x)}.$$
If $a(x)/b(x) = \alpha(x)/\beta(x)$ and $c(x)/d(x) = \gamma(x)/\delta(x)$ then it follows that
$$\frac{a(x)}{b(x)} + \frac{c(x)}{d(x)} = \frac{\alpha(x)}{\beta(x)} + \frac{\gamma(x)}{\delta(x)}, \qquad \frac{a(x)}{b(x)} \cdot \frac{c(x)}{d(x)} = \frac{\alpha(x)}{\beta(x)} \cdot \frac{\gamma(x)}{\delta(x)}.$$
We call $a(x)/b(x)$ a rational function of $x$ over $F$. It can be easily verified that these laws for addition and multiplication satisfy commutativity, associativity and distributivity.

A unique rational function $p(x)/q(x)$ can always be found so that
$$\frac{a(x)}{b(x)} = \frac{c(x)}{d(x)} + \frac{p(x)}{q(x)} \quad\Longrightarrow\quad \frac{p(x)}{q(x)} = \frac{a(x)}{b(x)} - \frac{c(x)}{d(x)} = \frac{a(x)d(x) - b(x)c(x)}{b(x)d(x)}.$$
This rational function is called the difference.

Similarly, if $c(x) \neq 0$ then a unique rational function $r(x)/s(x)$ can always be found so that
$$\frac{a(x)}{b(x)} = \frac{c(x)}{d(x)} \cdot \frac{r(x)}{s(x)} \quad\Longrightarrow\quad \frac{r(x)}{s(x)} = \frac{a(x)d(x)}{b(x)c(x)}.$$
This rational function is called the quotient of $a(x)/b(x)$ by $c(x)/d(x)$.

The sum, product, difference and quotient (when there is one) of two rational functions over $F$ is also a rational function over $F$. This system of rational functions forms a field.

We observe that the rational integral functions $a(x)/1$ have the same properties as the polynomials $a(x)$. So we can take the system of rational functions and replace all those of the form $a(x)/1$ by $a(x)$. This resulting set of polynomials and rational functions is called the quotient field of the polynomial ring $F[x]$. Now if $b(x) \neq 0$ and $a(x) = b(x)q(x)$ then $q(x) = a(x)/b(x)$.
B.3 Number theory

- The greatest common divisor (gcd) of two non-zero integers is the largest positive integer that divides both numbers.
- The integers $a$ and $b$ are said to be coprime if they have no common factor other than 1 and $-1$, or equivalently, if their gcd is 1.
- The Euler totient function $\phi(n)$ of a positive integer $n$ is defined to be the number of positive integers less than or equal to $n$ and coprime to $n$. For example, $\phi(8) = 4$ since the four numbers 1, 3, 5 and 7 are coprime to 8, but 2, 4 and 6 are not.
- Let $n$ be a positive integer. Then $\mathbb{Z}_n$ is the set of integers modulo $n$:
$$\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$$
and $\mathbb{Z}_n$ is a group under addition. Define $\mathbb{Z}_n^*$ as
$$\mathbb{Z}_n^* = \{a \mid 1 \le a \le n,\ \gcd(a, n) = 1\}.$$
$\mathbb{Z}_n^*$ is a group with respect to multiplication mod $n$.
- Let $a \in \mathbb{Z}_n^*$. The order of $a$ mod $n$ is the smallest integer $k > 0$ such that $a^k \equiv 1 \pmod n$. The order of $a$ mod $n$ divides $\phi(n)$ (the Euler totient function).
- A primitive root modulo $n$ is an integer $g$ such that, modulo $n$, every integer coprime to $n$ is congruent to a power of $g$. Consider, for example, $n = 14$, so $\mathbb{Z}_n^* = \{1, 3, 5, 9, 11, 13\}$. We then see that 3 is a primitive root modulo 14 as
$$\{3^1, 3^2, 3^3, 3^4, 3^5, 3^6\} = \{3, 9, 27, 81, 243, 729\} \equiv \{3, 9, 13, 11, 5, 1\} = \mathbb{Z}_n^*.$$
The only other primitive root modulo 14 is 5.
- Let $p$ be prime and $a \in \mathbb{Z}_p^*$. The order of $a$ mod $p$ divides $(p-1)$. A primitive root mod $p$ is an integer $g$ such that the order of $g$ mod $p$ equals $(p-1)$. Then every integer is congruent modulo $p$ to 0 or a power of $g$. For example, 3 is a primitive root mod 7:
$$\{1, 3, 9, 27, 81, 243\} \equiv \{1, 3, 2, 6, 4, 5\} \pmod 7 = \mathbb{Z}_7^*.$$
There are $\phi(p-1)$ primitive roots mod $p$. A primitive root mod $p$ always exists and so $\mathbb{Z}_p^*$ is a cyclic group.

Theorem B.1 (Chinese remainder theorem). Let $n_1, n_2, \ldots, n_r$ be positive integers such that $\gcd(n_i, n_j) = 1$ when $i \neq j$. Let $a_1, a_2, \ldots, a_r$ be integers. There exists an $x$ such that
$$x \equiv a_i \pmod{n_i} \quad \text{for all } i.$$
The integer $x$ is uniquely determined modulo $n_1 n_2 \cdots n_r$.

Example B.1. Let $n_1 = 4$, $n_2 = 3$, $n_3 = 5$ and let $a_1 = 1$, $a_2 = 2$, $a_3 = 3$. Then $x = 53$ is a solution to the simultaneous congruences
$$x \equiv 1 \pmod 4,\qquad x \equiv 2 \pmod 3,\qquad x \equiv 3 \pmod 5,$$
and any solution to the congruences is equivalent to 53 modulo 60.

Theorem B.2 (Fermat's little theorem). If $p$ is a prime number then for any integer $a$
$$a^p \equiv a \pmod p.$$
B.4 Group theory

- A set is a collection of objects considered as a whole. The objects of a set are called elements. If $A$ and $B$ are sets and every element of $A$ is also an element of $B$, then $A$ is a subset of $B$.
- A group $(G, *)$ is a nonempty set $G$ together with a group operator $*$ which satisfy the group axioms:
  - Associativity: $\forall a, b, c \in G$, $(a * b) * c = a * (b * c)$.
  - Identity element: $\exists e \in G$ such that $\forall a \in G$, $e * a = a * e = a$.
  - Inverse element: $\forall a \in G$ $\exists b \in G$ such that $a * b = b * a = e$ (where $e$ is the identity element).
  - Closure: $\forall a, b \in G$, $a * b \in G$.
- A group $G$ is said to be abelian (or commutative) if for every $a, b \in G$, $a * b = b * a$. Groups lacking this property are called non-abelian. The integers under addition form an abelian group while the integers under multiplication do not (as not every integer has an inverse that is also an integer under multiplication).
- If the operation is thought of as an analogue of multiplication, then the group operations are written multiplicatively. That is:
  - write $a \cdot b$ or even $ab$ for $a * b$ and call it the product of $a$ and $b$;
  - write 1 (or $e$) for the identity element and call it the unit element;
  - write $a^{-1}$ for the inverse of $a$ and call it the reciprocal of $a$.
- However, sometimes the group operation is thought of as analogous to addition and written additively:
  - write $a + b$ for $a * b$ and call it the sum of $a$ and $b$;
  - write 0 for the identity element and call it the zero element;
  - write $-a$ for the inverse of $a$ and call it the opposite of $a$.
  Usually, only abelian groups are written additively, although abelian groups may also be written multiplicatively.
- As elliptic curves form additive abelian groups we use additive group notation in this project (although we use $\infty$ for the identity element).
- The order of a group $G$, denoted by $|G|$, is the number of elements of the set $G$. A group is called finite if it has finitely many elements.
- The order of an element $g \in G$ is the smallest integer $k > 0$ such that $g * g * \cdots * g$ ($k$ times) $= e$. So using the additive notation for this product, the order of $g \in G$ is the smallest integer $k > 0$ such that $kg = 0$. Note that if $k$ is the order of $g$ then
$$g^i = g^j \iff i \equiv j \pmod k.$$
- Given a group $G$ under a binary operation $*$, we say that a subset $H$ of $G$ is a subgroup of $G$ if $H$ also forms a group under the operation $*$.

Theorem B.3 (Lagrange's theorem). Let $G$ be a finite group.
(i) Let $H$ be a subgroup of $G$. Then the order of $H$ divides the order of $G$.
(ii) Let $g \in G$. Then the order of $g$ divides the order of $G$.

- Consider two sets of elements, the domain and the codomain, and a function $f$ that maps elements from the domain to the codomain.
  - $f$ is injective (1-1) if, for every $y$ in the codomain, there is at most one $x$ in the domain such that $f(x) = y$.
  - $f$ is surjective (onto) if, for every $y$ in the codomain, there is at least one $x$ in the domain such that $f(x) = y$.
  - $f$ is bijective if, for every $y$ in the codomain, there is exactly one $x$ in the domain such that $f(x) = y$.
  So the function $f$ is bijective if it is both injective and surjective.
- A homomorphism is a structure-preserving map between two algebraic structures (such as groups, rings, or vector spaces). So a homomorphism between groups preserves the structure of the group operation.
- An isomorphism is a bijective (1-1 and onto) map $f$ such that both $f$ and its inverse $f^{-1}$ are homomorphisms.
- An automorphism is an isomorphism from an object to itself.
- An endomorphism is a homomorphism from an object to itself.

The diagram below denotes implication.

    Automorphism  ⇒  Isomorphism
         ⇓                ⇓
    Endomorphism  ⇒  Homomorphism

A cyclic group is a group isomorphic to either $\mathbb{Z}$ or $\mathbb{Z}_n$ for some $n$. These groups can be generated by one element. For example $\mathbb{Z}_4$ is generated by 3:
$$\{0, 3, 3+3, 3+3+3\} = \{0, 3, 6, 9\} \equiv \{0, 3, 2, 1\} \pmod 4 = \mathbb{Z}_4.$$

Theorem B.4. Let $G$ be a finite cyclic group of order $n$ and let $d > 0$ divide $n$. Then
(i) $G$ has a unique subgroup of order $d$.
(ii) $G$ has $d$ elements of order dividing $d$, and $G$ has $\phi(d)$ elements of order exactly $d$ (where $\phi(d)$ is the Euler totient function).

Example B.2. Consider $\mathbb{Z}_6$. Since $3 \mid 6$ there is a unique subgroup of $\mathbb{Z}_6$ of order 3, namely $\{0, 2, 4\}$. Also $\phi(3) = 2$ and, as expected, $\mathbb{Z}_6$ has two elements of order three (2 and 4).

The direct sum of two groups $G_1$ and $G_2$ is defined to be the set of ordered pairs formed from elements of $G_1$ and $G_2$:
$$G_1 \oplus G_2 = \{(g_1, g_2) \mid g_1 \in G_1,\ g_2 \in G_2\}.$$
Ordered pairs can be added componentwise:
$$(g_1, g_2) + (h_1, h_2) = (g_1 + h_1,\ g_2 + h_2).$$
This makes $G_1 \oplus G_2$ into a group with $(0, 0)$ as the identity element. These definitions can be extended to the sum of more than two groups.

Remark B.5. Suppose $H = A \oplus B \oplus \cdots \oplus R$ is a direct sum of $r$ groups. Then any point in $H$ of order dividing $n$ satisfies
$$(0, 0, \ldots, 0) = (a, b, \ldots, r)^n = (a^n, b^n, \ldots, r^n)$$
where $a, b, \ldots$ represent elements in $A, B, \ldots$. This implies that any point in $H$ of order dividing $n$ is composed of points in $A, B, \ldots$ that also have order dividing $n$.
Theorem B.6. A finite abelian group $G$ is isomorphic to
$$\mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \cdots \oplus \mathbb{Z}_{n_s}$$
with $n_i \mid n_{i+1}$ for $i = 1, 2, \ldots, s-1$. The $n_i$ are uniquely determined by $G$.

Example B.3. If we have a finite abelian group of order 12, then $n_1, \ldots, n_s$ multiply to give 12. So the only options are $(n_1, n_2) = (1, 12), (2, 6)$ and $(3, 4)$. Of these only $(1, 12)$ and $(2, 6)$ satisfy $n_1 \mid n_2$, so we conclude that the group is isomorphic to either $\mathbb{Z}_{12}$ or $\mathbb{Z}_2 \oplus \mathbb{Z}_6$.

Example B.4. Similarly, if we have a finite abelian group of order 27 then it is isomorphic to either $\mathbb{Z}_{27}$, $\mathbb{Z}_3 \oplus \mathbb{Z}_9$ or $\mathbb{Z}_3 \oplus \mathbb{Z}_3 \oplus \mathbb{Z}_3$.

Corollary B.7. Suppose we have a finite abelian group $G$ in the form of Theorem B.6 above, with $r$ summands. Then $G$ will have $n_1^r$ elements of order dividing $n_1$.

Proof. For each $i$ we have $n_1 \mid n_i$, and so by Theorem B.4 $\mathbb{Z}_{n_i}$ will have $n_1$ elements of order dividing $n_1$. By Remark B.5 any element of $G$ with order dividing $n_1$ will be composed of $r$ elements, each of which has order dividing $n_1$ itself. Therefore, since each group $\mathbb{Z}_{n_i}$ has $n_1$ candidates, there will be $n_1^r$ elements in $G$ of order dividing $n_1$. □

Lemma B.8. Suppose $E[n]$ is isomorphic to the direct product of groups
$$E[n] \cong \mathbb{Z}_{n_1} \oplus \mathbb{Z}_{n_2} \oplus \cdots \oplus \mathbb{Z}_{n_k}.$$
Let $l$ be a prime dividing $n_1$. Then $E[l] \subseteq E[n]$ and has order $l^k$.

Proof. $l \mid n_1$ and $n_i \mid n_{i+1}$ for all $i$. So $l \mid n_i$ for all $i$, and also $l \mid n$. Therefore any point in $E[l]$ will also be in $E[n]$, so $E[l] \subseteq E[n]$.

Recall Theorem B.4 part (ii): a cyclic group $G$ has $\phi(d)$ elements of order exactly $d$ ($\phi$ the Euler totient function). So if $G = \mathbb{Z}_n$ and $p$ were a prime dividing $n$ then there would be $p - 1$ points of order $p$. Now the set $\{x \in \mathbb{Z}_n : px = 0\}$ will contain these $p - 1$ points as well as the identity, and so has size $p$.

Finally apply this to the direct product of groups that we are working with. The size of $E[l]$ will be the number of points in the set
$$\{x \in E[n] : lx = \infty\},$$
which, considering the form of $E[n]$, is $l^k$. So $E[l] \subseteq E[n]$ and has order $l^k$. □
B.5 Field theory

A field is a set in which we can perform analogues of the operations $(+, -, \times)$ for all elements, and also $\div$ by all elements except 0. We usually think of division by an element as multiplying by that element's inverse. So $b/a = ba^{-1}$, where $a^{-1}$ is the element such that $a^{-1}a = 1$. The formal definition of a field follows.

A field is a commutative ring $(F, +, \cdot)$ such that 0 does not equal 1 and all elements of $F$ except 0 have a multiplicative inverse. (Note: 0 and 1 here stand for the identity elements for the $+$ and $\cdot$ operations, and not the real numbers.) This means that the following all hold:

- Closure of $F$ under $+$ and $\cdot$: for all $a, b$ belonging to $F$, both $a + b$ and $a \cdot b$ belong to $F$ (or more formally, $+$ and $\cdot$ are binary operations on $F$).
- Both $+$ and $\cdot$ are associative: for all $a, b, c \in F$, $a + (b + c) = (a + b) + c$ and $a \cdot (b \cdot c) = (a \cdot b) \cdot c$.
- Both $+$ and $\cdot$ are commutative: for all $a, b$ belonging to $F$, $a + b = b + a$ and $a \cdot b = b \cdot a$.
- The operation $\cdot$ is distributive over the operation $+$: for all $a, b, c$ belonging to $F$, $a \cdot (b + c) = (a \cdot b) + (a \cdot c)$.
- Existence of an additive identity: there exists an element $0 \in F$ such that for all $a$ belonging to $F$, $a + 0 = a$.
- Existence of a multiplicative identity: there exists an element $1 \in F$ different from 0 such that for all $a$ belonging to $F$, $a \cdot 1 = a$.
- Existence of additive inverses: for every $a \in F$, there is an element $-a \in F$ such that $a + (-a) = 0$.
- Existence of multiplicative inverses: for every $a \neq 0$ in $F$, there is an element $a^{-1} \in F$ such that $a \cdot a^{-1} = 1$.

The requirement $0 \neq 1$ ensures that the set which only contains a single element is not a field.
We get infinite fields with an infinite number of elements such as $\mathbb{Q}$, $\mathbb{R}$ and $\mathbb{C}$. There are also finite fields with a finite number of elements such as $\mathbb{Z}_p$ for $p$ prime.

Example B.5. The set $\mathbb{Z}_5 = \{0, 1, 2, 3, 4\}$ is a finite field. To see this we calculate the addition and multiplication tables.

     +  | 0  1  2  3  4
    ----+---------------
     0  | 0  1  2  3  4
     1  | 1  2  3  4  0
     2  | 2  3  4  0  1
     3  | 3  4  0  1  2
     4  | 4  0  1  2  3

     ×  | 0  1  2  3  4
    ----+---------------
     0  | 0  0  0  0  0
     1  | 0  1  2  3  4
     2  | 0  2  4  1  3
     3  | 0  3  1  4  2
     4  | 0  4  3  2  1

So we can clearly see that both the addition and multiplication operations are closed, commutative and associative. Further analysis shows the rest of the rules hold, with 0 as the additive identity and 1 as the multiplicative identity. We can also see that each element has an additive inverse and each element (except 0) has a multiplicative inverse. For example $4 + 1 = 5 \equiv 0 \pmod 5$ and $4 \cdot 4 = 16 \equiv 1 \pmod 5$, so the additive inverse of 4 is 1, while its multiplicative inverse is itself.

Let $K$ be a field. There is a ring homomorphism $\phi : \mathbb{Z} \to K$ that sends $1 \in \mathbb{Z}$ to $1 \in K$. If $\phi$ is injective then we say $K$ has characteristic 0. Otherwise there is a smallest positive integer $p$ such that $\phi(p) = 0$, and we say $K$ has characteristic $p$.

So if we are in a field $(K, +, \cdot)$ with identities 0 and 1 then consider the elements
$$1,\quad 1 + 1,\quad 1 + 1 + 1,\quad \ldots$$
Now if there is an $n$ (take the smallest such) with
$$\underbrace{1 + 1 + \cdots + 1}_{n \text{ times}} = 0$$
then we say the field $K$ has characteristic $n$. If however all those elements are distinct then we say $K$ has characteristic 0. (Clearly if $K$ is a finite field then it cannot have characteristic zero, but there are infinite fields with positive characteristic.)

Theorem B.9. The characteristic $p$ is prime.
Proof. By contradiction: assume $p = ab$ with $1 < a \le b < p$. Then $\phi(a)\phi(b) = \phi(p) = 0$, so $\phi(a) = 0$ or $\phi(b) = 0$ (as $K$ is a field and so has no zero divisors), contradicting the minimality of $p$. So $p$ is prime. □

- A multiplicative group is formed from a field $(K, +, \cdot)$ under the multiplication operator with the zero element removed. This group is usually denoted $K^*$.
- When $K$ has characteristic 0 the field $\mathbb{Q}$ of rational numbers is contained in $K$. When $K$ has characteristic $p$ the field $\mathbb{F}_p$ of integers modulo $p$ is contained in $K$.
- Let $K$ and $L$ be fields with $K \subseteq L$. If $\alpha \in L$ we say that $\alpha$ is algebraic over $K$ if there exists a non-constant polynomial
$$f(X) = X^n + a_{n-1}X^{n-1} + \cdots + a_0$$
with $a_0, \ldots, a_{n-1} \in K$ such that $f(\alpha) = 0$.
- We say that the field $L$ is algebraic over $K$ (or that $L$ is an algebraic extension of $K$) if every element of $L$ is algebraic over $K$.
- An algebraic closure of a field $K$ is a field $\overline{K}$ containing $K$ such that:
  1. $\overline{K}$ is algebraic over $K$.
  2. Every non-constant polynomial $g(X)$ with coefficients in $\overline{K}$ has a root in $\overline{K}$ (i.e. $\overline{K}$ is algebraically closed).
  If $g(X)$ has degree $n$ and has a root $\alpha \in \overline{K}$, then we can write $g(X) = (X - \alpha)g_1(X)$ with $g_1(X)$ of degree $(n-1)$. By induction we see that $g(X)$ has exactly $n$ roots (counting multiplicities) in $\overline{K}$.
- It can be shown that every field $K$ has an algebraic closure, and that any two algebraic closures of $K$ are isomorphic. Assume that a particular algebraic closure of a field $K$ has been chosen, and refer to it as the algebraic closure of $K$.
- A field $K$ is said to be algebraically closed if every polynomial (in one variable, of degree at least 1) with coefficients in $K$ has a zero (root) in $K$. $\mathbb{C}$ is algebraically closed (by the fundamental theorem of algebra).
- The algebraic closure of $K$ can also be defined as the smallest algebraically closed field containing $K$.
Example B.6. $\mathbb{C}$ is the algebraic closure of $\mathbb{R}$: $x^2 + 1 \neq (x + n)(x + m)$ for any $n, m \in \mathbb{R}$, so we can see that $\mathbb{R}$ is not algebraically closed, as the roots of $x^2 + 1$ are not in $\mathbb{R}$. However $\mathbb{C}$ is algebraically closed and is the smallest such field containing $\mathbb{R}$:
$$x^2 + 1 = (x + i)(x - i),\qquad i \in \mathbb{C}.$$
When $K = \mathbb{Q}$ the algebraic closure $\overline{\mathbb{Q}}$ is the set of complex numbers that are algebraic over $\mathbb{Q}$. When $K = \mathbb{C}$ the algebraic closure is $\mathbb{C}$ itself, since $\mathbb{C}$ is algebraically closed.

B.5.1 Finite fields

A finite field is a field that contains only finitely many elements. The finite fields are completely known, as described below.
1. Every finite field has $p^n$ elements for some prime $p$ and some integer $n \ge 1$. (This $p$ is the characteristic of the field.)
2. For every prime $p$ and integer $n \ge 1$, there exists a finite field with $p^n$ elements.
3. All fields with $p^n$ elements are isomorphic, which justifies using the same name for all of them, $\mathbb{F}_{p^n}$ (in other literature $GF(p^n)$ is often used).

So for example, there is a finite field $\mathbb{F}_8 = \mathbb{F}_{2^3}$ with 8 elements, and every field with 8 elements is isomorphic to this one. However, there is no finite field with 6 elements, because 6 is not a power of any prime.

Example B.7. Let $p$ be prime; the integers mod $p$ form a finite field $\mathbb{F}_p$ with $p$ elements (i.e. with $n = 1$ in the above definition). However the ring $\mathbb{Z}_{p^n}$ is not a field when $n \ge 2$, since then $p$ does not have a multiplicative inverse.

Theorem B.10. $\mathbb{F}_{p^m} \subseteq \mathbb{F}_{p^n} \iff m \mid n$.

Theorem B.11. The algebraic closure of $\mathbb{F}_p$ is
$$\overline{\mathbb{F}}_p = \bigcup_{n \ge 1} \mathbb{F}_{p^n}.$$
Theorem B.12. If $F$ is a finite field with $q = p^n$ elements then $x^q = x$ for all elements $x \in F$.

Theorem B.13. Let $\overline{\mathbb{F}}_p$ be the algebraic closure of $\mathbb{F}_p$ and let $q = p^n$. Then
$$\mathbb{F}_q = \{\alpha \in \overline{\mathbb{F}}_p \mid \alpha^q = \alpha\}.$$

Proof. Let $\mathbb{F}_q^*$ be the set of non-zero elements of $\mathbb{F}_q$ under the multiplication operator. $\mathbb{F}_q^*$ is a group of order $q - 1$. We know that an element $0 \neq \alpha \in \mathbb{F}_q$ will have order dividing $q - 1$, so $\alpha^{q-1} = 1$. Therefore $\alpha^q = \alpha$ for all $\alpha \in \mathbb{F}_q$.

Next recall that a polynomial $g(X)$ has multiple roots if and only if it shares a common root with $g'(X)$. Let $g(X) = X^q - X$, defined over $\overline{\mathbb{F}}_p$. Then
$$\frac{d}{dX}\left(X^q - X\right) = qX^{q-1} - 1 = -1$$
since $q = p^n = 0$ in $\overline{\mathbb{F}}_p$. So the polynomial $X^q - X$ has no multiple roots. Therefore there are $q$ distinct $\alpha \in \overline{\mathbb{F}}_p$ such that $\alpha^q = \alpha$.

Because $\overline{\mathbb{F}}_p = \bigcup_{n \ge 1}\mathbb{F}_{p^n}$ we know $\mathbb{F}_q \subseteq \overline{\mathbb{F}}_p$. There are $q$ elements in $\mathbb{F}_q$, all of which satisfy $\alpha^q = \alpha$. There are exactly $q$ elements in $\overline{\mathbb{F}}_p$ with this property, so
$$\mathbb{F}_q = \{\alpha \in \overline{\mathbb{F}}_p \mid \alpha^q = \alpha\}$$
as required. □

Define the $q$-th power Frobenius automorphism $\phi_q$ of $\overline{\mathbb{F}}_q$ by
$$\phi_q(x) = x^q \quad \text{for all } x \in \overline{\mathbb{F}}_q.$$
Proposition B.14. Let $q$ be a power of the prime $p$. Then
(i) $\overline{\mathbb{F}}_q = \overline{\mathbb{F}}_p$.
(ii) $\phi_q$ is an automorphism of $\overline{\mathbb{F}}_q$. In particular,
$$\phi_q(x + y) = \phi_q(x) + \phi_q(y), \qquad \phi_q(xy) = \phi_q(x)\phi_q(y)$$
for all $x, y \in \overline{\mathbb{F}}_q$.
(iii) Let $\alpha \in \overline{\mathbb{F}}_q$. Then
$$\alpha \in \mathbb{F}_{q^n} \iff \phi_q^n(\alpha) = \alpha.$$
Proof
(i) This is a special case of the fact that if $K \subseteq L$ and every element of $L$ is algebraic over $K$, then $\overline{L} = \overline{K}$. We prove this as follows. If $\alpha$ is algebraic over $L$ and $L$ is algebraic over $K$ then $\alpha$ is algebraic over $K$. Therefore $\overline{L}$ is algebraic over $K$, and is algebraically closed. Therefore it is the algebraic closure of $K$.
(ii) If $1 \leq j \leq p-1$ then the binomial coefficient $\binom{p}{j}$ has a factor of $p$ in the numerator that is not cancelled by the denominator, and so is equivalent to $0$ modulo $p$. Therefore
$$(x + y)^p = x^p + \binom{p}{1}x^{p-1}y + \binom{p}{2}x^{p-2}y^2 + \dots + y^p = x^p + y^p.$$
Now assume this holds for $p^n$, so $(x + y)^{p^n} = x^{p^n} + y^{p^n}$; then
$$(x + y)^{p^{n+1}} = \left[(x + y)^{p^n}\right]^p = \left[x^{p^n} + y^{p^n}\right]^p = x^{p^{n+1}} + y^{p^{n+1}}.$$
So by the principle of mathematical induction (PMI), for all $n \geq 1$ we have
$$(x + y)^{p^n} = x^{p^n} + y^{p^n}, \quad \text{that is,} \quad \phi_q(x + y) = \phi_q(x) + \phi_q(y).$$
The fact that $\phi_q(xy) = \phi_q(x)\phi_q(y)$ is clear from the definition of $\phi_q$. So together these show that $\phi_q$ is a homomorphism of fields. We need to show that $\phi_q$ is bijective. We can see that both $0$ and $1$ are mapped to themselves, so let $x$ be an element not equal to zero or one. Then $1 = xx^{-1}$ gives $1 = \phi_q(x)\phi_q(x)^{-1}$, so $\phi_q(x) \neq 0$ and hence $\phi_q$ is injective. Now it remains to show that $\phi_q$ is surjective. If $\alpha \in \overline{F}_p$, then $\alpha \in F_{q^n}$ for some $n$, so $\phi_q^n(\alpha) = \alpha$. Therefore $\alpha$ is in the image of $\phi_q$, meaning $\phi_q$ is surjective and hence an automorphism.
(iii) This is a restatement of Theorem B.13 with $q^n$ in place of $q$. The theorem still holds as $q^n$ is still a power of the prime $p$. □
Let $F_p^*$ be the group formed from the nonzero elements of $F_p$ under the multiplication operator. In Appendix B.3 we showed that $F_p^* = \mathbb{Z}_p^*$ is a cyclic group, which has the following useful consequence.
Proposition B.15. Let $m$ be a positive integer such that $p \nmid m$ and let $\mu_m$ be the group of $m$-th roots of unity. Then
$$\mu_m \subseteq F_q^* \iff m \mid (q - 1).$$
Proof Because $\mu_m \subseteq F_q^*$ is a subgroup of order $m$, and $F_q^*$ is a group of order $q-1$, we have by Lagrange's theorem (B.3) that $m \mid (q-1)$.
Conversely suppose $m \mid (q-1)$. Since $F_q^*$ is a cyclic group of order $q-1$, by Theorem B.4 it has a subgroup of order $m$. Then by Lagrange's theorem (B.3) the elements of this subgroup satisfy $x^m = 1$. Hence they must be the $m$ elements of $\mu_m$. □
If we are dealing with $F_p$, the finite field of order $p$, where $p$ is prime, then this is isomorphic to $\mathbb{Z}_p = \{0, 1, 2, \dots, p-1\}$. Addition and multiplication of elements can then be performed modulo $p$. However $F_{p^n}$ is not isomorphic to $\mathbb{Z}_{p^n}$, as discussed earlier, so these fields must be explicitly constructed. To do this we first select an irreducible polynomial $f(x)$ of degree $n$ with coefficients in $F_p = \mathbb{Z}_p$. Then
$$F_q = F_p[x]/\langle f(x) \rangle$$
where $F_p[x]$ is the ring of polynomials with coefficients in $F_p$ and $\langle f(x) \rangle$ is the ideal generated by $f(x)$.
Example B.8. Consider $F_4$. The polynomial $f(x) = x^2 + x + 1$ is irreducible over $F_2$ so we have $F_4 = F_2[x]/\langle x^2 + x + 1 \rangle$. This is written as the set $\{0, 1, x, x + 1\}$ where we work under the relation $x^2 + x + 1 = 0$. Since we are working in characteristic 2, we can write this as $x^2 = x + 1$. Then for example
$$x^3 = x(x^2) = x^2 + x = 2x + 1 \equiv 1.$$
B.5.2 Constructing $F_9$
Since $9 = 3^2$, we will be working in $F_3$, whose elements we represent by $0$, $1$ and $2$, and where addition and multiplication are done modulo 3. We seek an extension of degree 2 over the prime field, so our first task is to find a monic irreducible polynomial of degree 2 with coefficients in $F_3$. For large fields this can be a difficult task, and there are theorems that can help. However, when the prime field is small the brute-force procedure is effective. We can in fact easily list all of the monic quadratics in $F_3[x]$:
(1) $x^2$            (4) $x^2 + x$            (7) $x^2 + 2x$
(2) $x^2 + 1$        (5) $x^2 + x + 1$        (8) $x^2 + 2x + 1$
(3) $x^2 + 2$        (6) $x^2 + x + 2$        (9) $x^2 + 2x + 2$
Now the problem is to find the irreducible ones in this list. Clearly, any polynomial without a constant term is factorable ($x$ is a factor), so the first, fourth and seventh can immediately be crossed out. For the remaining six polynomials, we may opt for one of two procedures:
(a) We could substitute in turn, for $x$, all the elements of the prime field in which we are working. If none of these substitutions evaluates to zero then the polynomial is irreducible (i.e. it has no root in the field; for a quadratic or a cubic this is equivalent to irreducibility). So, for example, substituting in the polynomial $x^2 + 2$ gives the following values:
(i) $x = 0 \Rightarrow 0^2 + 2 = 2$   (ii) $x = 1 \Rightarrow 1^2 + 2 = 0$   (iii) $x = 2 \Rightarrow 2^2 + 2 = 0$
Thus $x^2 + 2$ factors; in fact $x^2 + 2 = (x + 1)(x + 2)$. On the other hand, the same procedure for $x^2 + 1$ gives:
(i) $x = 0 \Rightarrow 0^2 + 1 = 1$   (ii) $x = 1 \Rightarrow 1^2 + 1 = 2$   (iii) $x = 2 \Rightarrow 2^2 + 1 = 2$
meaning $x^2 + 1$ is irreducible. We could do this to each polynomial in turn to find the irreducible ones.
(b) The second possible procedure is to take all the linear factors and multiply them in all possible pairs to get a list of all the factorable quadratics; removing these from our list leaves all the irreducible quadratics. So
(i) $(x + 1)(x + 1) = x^2 + 2x + 1$   (ii) $(x + 1)(x + 2) = x^2 + 2$   (iii) $(x + 2)(x + 2) = x^2 + x + 1$
implying that the remaining polynomials $x^2 + 1$, $x^2 + x + 2$ and $x^2 + 2x + 2$ are the only irreducible monic quadratic polynomials in $F_3[x]$.
We could now use any one of these polynomials to construct the field. We would let $\alpha$ be a zero of the chosen polynomial and write out the elements of $F_9$ in their vector form representation using the basis $(1, \alpha)$. For example if we used the polynomial $x^2 + 1$ and let $\alpha$ be the root then
$$F_9 = \{0, 1, 2, \alpha, \alpha + 1, \alpha + 2, 2\alpha, 2\alpha + 1, 2\alpha + 2\}$$
where $\alpha^2 + 1 = 0$.
This however does not give us the most useful representation of the field. We will use the fact that the multiplicative group of a field is cyclic, so there exists a primitive element (a generator of the cyclic group) that could give us a handy representation of the elements. Now the primitive elements are to be found among the roots of the irreducible polynomials (they cannot be elements of the prime field). The cyclic group we are after has order 8, so not every root need be primitive. For example, $\alpha$ was a root of $x^2 + 1$, so $\alpha^2 + 1 = 0$ and $\alpha^2 = 2$. We can now write out the powers of $\alpha$:
(i) $\alpha^1 = \alpha$                         (iii) $\alpha^3 = \alpha(\alpha^2) = 2\alpha$
(ii) $\alpha^2 = 2$                             (iv) $\alpha^4 = \alpha(\alpha^3) = 2\alpha^2 = 2(2) \equiv 1 \pmod 3$
So $\alpha$ has order 4, and so does not generate the cyclic group of order 8 and is not a primitive element. On the other hand, consider a root $\beta$ of the polynomial $x^2 + x + 2$. Then $\beta^2 + \beta + 2 = 0$ so $\beta^2 = 2\beta + 1$. Now the powers of $\beta$ give us:
(i) $\beta^1 = \beta$
(ii) $\beta^2 = 2\beta + 1$
(iii) $\beta^3 = \beta(\beta^2) = \beta(2\beta + 1) = 2\beta^2 + \beta = 2(2\beta + 1) + \beta = 5\beta + 2 \equiv 2\beta + 2$
(iv) $\beta^4 = \beta(\beta^3) = 2\beta^2 + 2\beta = 4\beta + 2 + 2\beta = 6\beta + 2 \equiv 2$
(v) $\beta^5 = \beta(\beta^4) = 2\beta$
(vi) $\beta^6 = \beta(\beta^5) = 2\beta^2 = 4\beta + 2 \equiv \beta + 2$
(vii) $\beta^7 = \beta(\beta^6) = \beta^2 + 2\beta = 2\beta + 1 + 2\beta \equiv \beta + 1$
(viii) $\beta^8 = (\beta^4)^2 = 2^2 = 4 \equiv 1$
So $\beta$ is a primitive element and we can represent the elements of $F_9$ as the 8 powers of $\beta$ together with $0$. Notice also that the terms on the right are all the possible terms that can be written as linear combinations of the basis $(1, \beta)$ over $F_3$. When working with finite fields it is convenient to have both of the above representations, since the terms on the left are easy to multiply and the terms on the right are easy to add. For example:
$$(2\beta + 2)^3 = (\beta^3)^3 = \beta^9 = \beta$$
$$(2\beta + 2) + \beta + 2 = \beta^3 + \beta + 2 = \beta + \beta + 2 = 2\beta + 2 = \beta^3$$
B.5.3 Constructing $F_8$
Since $8 = 2^3$, the prime field is $F_2$ and we need to find a monic irreducible cubic polynomial over that field. Since the coefficients can only be $0$ and $1$, the list of candidates is easily obtained:
(1) $x^3 + 1$
(2) $x^3 + x + 1$
(3) $x^3 + x^2 + 1$
(4) $x^3 + x^2 + x + 1$
Now substituting $0$ gives $1$ in all cases, and substituting $1$ will give $0$ only if there is an odd number of $x$ terms. So the irreducible cubics are $x^3 + x + 1$ and $x^3 + x^2 + 1$. Now the multiplicative group of this field is a cyclic group of order 7 and so every non-identity element is a generator. Letting $\alpha$ be a root of the first polynomial, we have $\alpha^3 + \alpha + 1 = 0$, so $\alpha^3 = \alpha + 1$. The powers of $\alpha$ are:
(i) $\alpha^1 = \alpha$
(ii) $\alpha^2 = \alpha^2$
(iii) $\alpha^3 = \alpha + 1$
(iv) $\alpha^4 = \alpha(\alpha^3) = \alpha^2 + \alpha$
(v) $\alpha^5 = \alpha(\alpha^4) = \alpha^3 + \alpha^2 = \alpha^2 + \alpha + 1$
(vi) $\alpha^6 = \alpha(\alpha^5) = \alpha^3 + \alpha^2 + \alpha = \alpha^2 + 2\alpha + 1 = \alpha^2 + 1$
(vii) $\alpha^7 = \alpha(\alpha^6) = \alpha^3 + \alpha = 2\alpha + 1 = 1$
So $\alpha$ is a generator. Now suppose we had chosen a root of the second polynomial, say $\rho$. We would then have $\rho^3 = \rho^2 + 1$ and the powers of $\rho$ are
(i) $\rho^1 = \rho$
(ii) $\rho^2 = \rho^2$
(iii) $\rho^3 = \rho^2 + 1$
(iv) $\rho^4 = \rho(\rho^3) = \rho^3 + \rho = \rho^2 + \rho + 1$
(v) $\rho^5 = \rho(\rho^4) = \rho^3 + \rho^2 + \rho = 2\rho^2 + \rho + 1 = \rho + 1$
(vi) $\rho^6 = \rho(\rho^5) = \rho^2 + \rho$
(vii) $\rho^7 = \rho(\rho^6) = \rho^3 + \rho^2 = 2\rho^2 + 1 = 1$
We know that these two representations must be isomorphic, and in fact the isomorphism is given by the map $\alpha \mapsto \rho^6$.
B.5.4 Addition and multiplication tables of $F_4$
Earlier we showed that $F_4 = \{0, 1, w, w + 1\}$ where $w^2 + w + 1 = 0$, which in turn implied that $w^3 = 2w + 1$. We now construct the addition and multiplication tables:
$0 \cdot x = 0$ for all $x \in F_4$
$1 \cdot x = x$ for all $x \in F_4$
$w \cdot w = w^2 = -w - 1 \equiv w + 1$
$w \cdot (w + 1) = w^2 + w = 2w + 1 \equiv 1$
$(w + 1) \cdot (w + 1) = w^2 + 2w + 1 = 3w + 2 \equiv w$
$0 + x = x$ for all $x \in F_4$
$1 + 1 = 2 \equiv 0$
$1 + w = w + 1$
$1 + (w + 1) = w + 2 \equiv w$
$w + w = 2w \equiv 0$
$w + (w + 1) = 2w + 1 \equiv 1$
$(w + 1) + (w + 1) = 2w + 2 \equiv 0$
So
  x   |  0     1     w     w+1
------+------------------------
  0   |  0     0     0     0
  1   |  0     1     w     w+1
  w   |  0     w     w+1   1
 w+1  |  0     w+1   1     w

  +   |  0     1     w     w+1
------+------------------------
  0   |  0     1     w     w+1
  1   |  1     0     w+1   w
  w   |  w     w+1   0     1
 w+1  |  w+1   w     1     0
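The constructions of B.5.1 to B.5.4 and the Frobenius map of Theorem B.13 and Proposition B.14 can be checked mechanically. The following is an added Python example, not code from the dissertation: it represents $F_{p^n} = F_p[x]/\langle f(x) \rangle$ by coefficient vectors over the basis $(1, \alpha, \dots, \alpha^{n-1})$, finds the monic irreducible quadratics and cubics by the root test of procedure (a), computes orders of roots to decide which are primitive, and verifies exhaustively that $x \mapsto x^p$ is an automorphism fixing exactly the field (the class name `GF` and the helper names are this example's own choices).

```python
# Added example (not the dissertation's code): F_{p^n} = F_p[x]/<f(x)> as built in Appendix B.5,
# plus an exhaustive check of the Frobenius map of Theorem B.13 / Proposition B.14.
from itertools import product


def has_root(f, p):
    """Procedure (a) of B.5.2: evaluate f (coefficients, lowest degree first) at every
    element of F_p.  A quadratic or cubic is reducible exactly when it has a root."""
    return any(sum(c * pow(a, i, p) for i, c in enumerate(f)) % p == 0 for a in range(p))


def monic_irreducibles(p, n):
    """All monic irreducible polynomials of degree n (n = 2 or 3 only) over F_p, by brute force."""
    if n not in (2, 3):
        raise ValueError("the root test decides irreducibility only for degree 2 and 3")
    return [list(low) + [1] for low in product(range(p), repeat=n)
            if not has_root(list(low) + [1], p)]


class GF:
    """F_q with q = p^n; an element is a tuple (c0, ..., c_{n-1}) meaning
    c0 + c1*alpha + ... + c_{n-1}*alpha^{n-1}, alpha a root of the monic irreducible f."""

    def __init__(self, p, f):
        self.p, self.f, self.n = p, f, len(f) - 1
        self.q = p ** self.n
        self.zero = (0,) * self.n
        self.one = (1,) + (0,) * (self.n - 1)
        self.alpha = (0, 1) + (0,) * (self.n - 2)   # the adjoined root of f (needs n >= 2)

    def elements(self):
        return [tuple(c) for c in product(range(self.p), repeat=self.n)]

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, n, f = self.p, self.n, self.f
        prod = [0] * (2 * n - 1)
        for i, x in enumerate(a):
            for j, y in enumerate(b):
                prod[i + j] = (prod[i + j] + x * y) % p
        # Reduce using alpha^n = -(f0 + f1*alpha + ... + f_{n-1}*alpha^{n-1}), since f(alpha) = 0
        for d in range(2 * n - 2, n - 1, -1):
            c = prod[d]
            if c:
                for i in range(n + 1):
                    prod[d - n + i] = (prod[d - n + i] - c * f[i]) % p
        return tuple(prod[:n])

    def power(self, a, e):
        result = self.one
        for _ in range(e):            # fields here are tiny, so repeated multiplication suffices
            result = self.mul(result, a)
        return result

    def order(self, a):
        """Multiplicative order of a nonzero element; a is primitive iff this equals q - 1."""
        k, x = 1, a
        while x != self.one:
            x, k = self.mul(x, a), k + 1
        return k

    def evaluate(self, g, a):
        """g(a) for a polynomial g over F_p (Horner's rule), to see which polynomial a root satisfies."""
        total = self.zero
        for c in reversed(g):
            total = self.add(self.mul(total, a), (c % self.p,) + (0,) * (self.n - 1))
        return total

    def frobenius(self, a):
        return self.power(a, self.p)


def frobenius_is_automorphism(F):
    """Proposition B.14(ii) checked exhaustively: x -> x^p is additive, multiplicative and a
    bijection of F; and Theorem B.13: x^q = x for every x in F_q."""
    els = F.elements()
    additive = all(F.frobenius(F.add(x, y)) == F.add(F.frobenius(x), F.frobenius(y))
                   for x in els for y in els)
    multiplicative = all(F.frobenius(F.mul(x, y)) == F.mul(F.frobenius(x), F.frobenius(y))
                         for x in els for y in els)
    bijective = len({F.frobenius(x) for x in els}) == F.q
    fixed = all(F.power(x, F.q) == x for x in els)
    return additive and multiplicative and bijective and fixed
```

With `GF(3, [2, 1, 1])` (the polynomial $x^2 + x + 2$) the root has order 8 and its powers reproduce the list in B.5.2, while with `GF(3, [1, 0, 1])` the root has order 4; in `GF(2, [1, 0, 1, 1])` the element $\rho^6$ evaluates $x^3 + x + 1$ to zero, which is the isomorphism $\alpha \mapsto \rho^6$ of B.5.3.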
B.6 Miscellaneous
The $n$th roots of unity are the complex numbers which yield $1$ when raised to a given power $n$. So they are the complex numbers $z$ which solve
$$z^n = 1, \quad n = 1, 2, \dots$$
The $n$th roots of unity form, under multiplication, a cyclic group of order $n$. A generator for this group is a primitive $n$th root of unity. The primitive $n$th roots of unity are
$$e^{2\pi i k/n} \quad \text{where } k \text{ and } n \text{ are coprime.}$$
Example B.9. The third roots (cube roots) of unity are
$$1, \quad \frac{-1 + \sqrt{3}\,i}{2}, \quad \frac{-1 - \sqrt{3}\,i}{2}$$
where $i$ is the imaginary unit. The latter two roots are primitive.
The kernel of a homomorphism measures the degree to which the homomorphism fails to be injective. Let $G$ and $H$ be groups and let $f$ be a group homomorphism from $G$ to $H$. If $e_H$ is the identity element of $H$, then the kernel of $f$ is the set
$$\{g \in G \mid f(g) = e_H\}.$$
This is the subset of $G$ consisting of all those elements of $G$ that are mapped by $f$ to the element $e_H$. The kernel is usually denoted $\ker(f)$.
Since a group homomorphism preserves identity elements, the identity element $e_G$ of $G$ must belong to the kernel. The homomorphism $f$ is injective if and only if its kernel contains just one element, $e_G$.
Let $p$ be a prime number and $x$ an integer. The Legendre symbol is then defined as
$$\left(\frac{x}{p}\right) = \begin{cases} +1 & \text{if } t^2 \equiv x \pmod p \text{ has a solution } t \not\equiv 0 \pmod p \\ -1 & \text{if } t^2 \equiv x \pmod p \text{ has no solution } t \\ 0 & \text{if } x \equiv 0 \pmod p \end{cases}$$
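The Legendre symbol defined above decides how many $y$ values sit over a given $x$ on a prime curve, which is what PC.m in Appendix C.2 discovers by brute force. The following is an added Python example, not code from the dissertation: it computes the symbol both directly from the definition and by Euler's criterion (a standard result that is not proved on this page: for an odd prime $p$, $x^{(p-1)/2} \equiv \left(\frac{x}{p}\right) \pmod p$), checks that the two agree, and uses the symbol to count the points of $y^2 = x^3 + Ax + B$ over $F_p$; the sample curve over $F_{23}$ is constructed here for the example.

```python
# Added example (not from the dissertation): the Legendre symbol from its definition and via
# Euler's criterion, then point counting on a prime curve as a sum of Legendre symbols.
import math


def legendre_by_definition(x, p):
    """(x/p) straight from the definition: look for a nonzero t with t^2 = x (mod p)."""
    x %= p
    if x == 0:
        return 0
    return 1 if any(t * t % p == x for t in range(1, p)) else -1


def legendre_euler(x, p):
    """Euler's criterion for an odd prime p: x^((p-1)/2) is 1 mod p when x is a nonzero
    square and p - 1 (i.e. -1) when it is a non-residue."""
    if p < 3 or p % 2 == 0:
        raise ValueError("Euler's criterion needs an odd prime")
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def count_points(A, B, p):
    """#E(F_p) for y^2 = x^3 + Ax + B, p an odd prime.  Each x contributes 1 + (f(x)/p)
    affine points: two square roots of f(x), one if f(x) = 0, none if f(x) is a
    non-residue; the point at infinity adds one more."""
    return 1 + sum(1 + legendre_euler(x ** 3 + A * x + B, p) for x in range(p))


def hasse_interval(p):
    """The integer interval allowed by Hasse's bound |#E(F_p) - (p + 1)| <= 2*sqrt(p)."""
    t = math.isqrt(4 * p)          # floor(2*sqrt(p))
    return p + 1 - t, p + 1 + t


# Constructed sample: y^2 = x^3 + x + 1 over F_23 (not a curve discussed on this page).
SAMPLE_A, SAMPLE_B, SAMPLE_P = 1, 1, 23
```

`count_points(1, 1, 23)` returns 28, and that value lies inside `hasse_interval(23)`, which is the interval $[15, 33]$.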
Theorem B.16. Suppose the roots of a monic cubic polynomial sum to give a value $V$. Then $-V$ is the coefficient of the $x^2$ term in the cubic.
Proof Let the three roots of the cubic be $a$, $b$ and $c$. We can then represent the cubic as
$$(x - a)(x - b)(x - c) = (x - a)(x^2 - bx - cx + bc)$$
$$= x^3 - bx^2 - cx^2 + bcx - ax^2 + abx + acx - abc$$
$$= x^3 - (a + b + c)x^2 + (ab + ac + bc)x - abc$$
So clearly the coefficient of the $x^2$ term is the negative of the sum of the roots. □
Theorem B.17. Let $M$ and $N$ be arbitrary $2 \times 2$ matrices:
$$M = \begin{pmatrix} A & B \\ C & D \end{pmatrix}, \qquad N = \begin{pmatrix} W & X \\ Y & Z \end{pmatrix}$$
Define
$$\widetilde{N} = \begin{pmatrix} Z & -X \\ -Y & W \end{pmatrix}$$
Then
(i) $\mathrm{Tr}(M\widetilde{N}) = \det(M + N) - \det(M) - \det(N)$
(ii) $\det(aM + bN) - a^2 \det(M) - b^2 \det(N) = ab[\det(M + N) - \det(M) - \det(N)]$
Proof (i)
$$M\widetilde{N} = \begin{pmatrix} AZ - BY & BW - AX \\ CZ - DY & DW - CX \end{pmatrix}$$
$$\mathrm{Tr}(M\widetilde{N}) = AZ - BY + DW - CX$$
$$M + N = \begin{pmatrix} A + W & B + X \\ C + Y & D + Z \end{pmatrix}$$
$$\det(M + N) = (A + W)(D + Z) - (B + X)(C + Y) = AD + AZ + WD + WZ - BC - BY - XC - XY$$
$$\det(M) = AD - BC, \qquad \det(N) = WZ - XY$$
Therefore
$$\det(M + N) - \det(M) - \det(N) = AD + AZ + WD + WZ - BC - BY - XC - XY - AD + BC - WZ + XY$$
$$= AZ + WD - BY - XC = AZ - BY + DW - CX = \mathrm{Tr}(M\widetilde{N})$$
□
Proof (ii)
$$aM + bN = \begin{pmatrix} aA + bW & aB + bX \\ aC + bY & aD + bZ \end{pmatrix}$$
$$\det(aM + bN) = (aA + bW)(aD + bZ) - (aC + bY)(aB + bX)$$
$$= a^2 AD + abAZ + abWD + b^2 WZ - a^2 BC - abCX - abYB - b^2 YX$$
So the LHS of the identity is
$$\text{LHS} = \det(aM + bN) - a^2 \det(M) - b^2 \det(N) = abAZ + abWD - abCX - abYB = ab[AZ - BY + DW - CX]$$
Then the RHS is
$$\text{RHS} = ab[\det(M + N) - \det(M) - \det(N)] = ab\,\mathrm{Tr}(M\widetilde{N}) \quad \text{by part (i)}$$
$$= ab\,\mathrm{Tr}\begin{pmatrix} AZ - BY & BW - AX \\ CZ - DY & DW - CX \end{pmatrix} = ab[AZ - BY + DW - CX] = \text{LHS}$$
□
Appendix C
Matlab Code
This Appendix contains the code for all the Matlab programs that were constructed during the course of this project. Below is a table summarising the programs.
Appendix   Code       Description
C.1        ECAD.m     Performs elliptic curve addition over the real numbers.
C.2        PC.m       Finds all the points on a prime curve, and plots them.
C.3        ECADP.m    Performs elliptic curve addition over a prime curve.
C.4        inve.m     Finds the inverse of an element in $\mathbb{Z}_p$ for $p$ prime.
C.5        SUCDOB.m   Performs the successive doubling algorithm.
C.6        check.m    Checks whether a point lies on a particular prime curve.
C.7        RR44.m     Performs the recurrence relation of Lemma A.16.
C.1 The Matlab code for ECAD.m
Below is the Matlab code for ECAD.m, which performs elliptic curve addition over the real numbers. Let $E$ be the elliptic curve $y^2 = x^3 + Ax + B$ and let $P_1 = (x_1, y_1)$, $P_2 = (x_2, y_2)$. The m-file will then produce
$$P_1 + P_2 = P_3 = (x_3, y_3)$$
where $+$ is the elliptic curve addition operation over $E$. The user must input the coordinates $x_1, y_1, x_2, y_2$ and, if $P_1 = P_2$, also the parameter $A$. The m-file will then produce $x_3, y_3$ and, if requested, the value of $m$.
function [x3,y3,m] = ECAD(x1,y1,x2,y2,A)
% This function m-file performs the Elliptic Curve addition
% operation over the real numbers.
% Suppose we are working on the elliptic curve y^2 = x^3 + Ax + B
% Define P1 = (x1,y1)
%        P2 = (x2,y2)
% Then P1 + P2 = P3 = (x3,y3) is defined as below.
% If one of the points is infinity then we define P + infinity = P.
% The user should type in Inf for both the x and y values of infinity.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
infinity = Inf;   % the point at infinity is entered as (Inf, Inf)
m = [];           % the gradient m is only defined when P3 is finite
if x1==infinity
    x3=x2; y3=y2;
    return
end
if x2==infinity
    x3=x1; y3=y1;
    return
end
if x1==x2
    if y1==y2
        if y1==0
            % P1 = P2 lies on the x-axis, so the tangent is vertical
            disp('P3 is infinity')
            x3=infinity; y3=infinity;
            return
        end
        % Point doubling: m is the gradient of the tangent at P1
        m = sym( (3*(x1)^2 + A)/(2*(y1)) );
        x3 = sym( m^2 - x1 - x2 );
        y3 = sym( m*(x1 - x3) - y1 );
        return
    end
    % x1 == x2 but y1 ~= y2, so P2 = -P1 and the chord is vertical
    disp('P3 is infinity')
    x3=infinity; y3=infinity;
    return
end
% General case: m is the gradient of the chord through P1 and P2
m = sym( (y2-y1)/(x2-x1) );
x3 = sym( m^2 - x1 - x2 );
y3 = sym( m*(x1 - x3) - y1 );
C.2 The Matlab code for PC.m
Below is the Matlab code for PC.m, which will find and plot all the points on a specific prime curve. This m-file takes as its inputs $A$, $B$ and $p$ and produces two vectors $X$, $Y$ which contain all the points $(x, y)$ that lie on
$$y^2 \equiv x^3 + Ax + B \pmod p$$
function [X,Y,n] = PC(A,B,p)
% This function m-file finds and plots all the points that lie in E_p(A,B)
% These points are on the curve y^2 = x^3 + Ax + B (mod p)
% The output n counts the points, including the point at infinity.
RHS = zeros(p,1);   % x^3 + Ax + B (mod p) for x = 0,...,p-1
LHS = zeros(p,1);   % y^2 (mod p) for y = 0,...,p-1
X = [];
Y = [];
for i=0:1:(p-1)
    % reduce modulo p (the original called a helper rmp; MATLAB's mod does the same)
    RHS(i+1) = mod( (i)^3 + A*(i) + B , p );
    LHS(i+1) = mod( (i)^2 , p );
end
ii=1;
for z=0:1:(p-1)
    I=find(RHS==z);   % indices of x values with x^3 + Ax + B = z
    J=find(LHS==z);   % indices of y values with y^2 = z
    if ~isempty(I) && ~isempty(J)
        for h=1:1:length(I)
            for g=1:length(J)
                X(ii)=I(h)-1;   % shift from 1-based index back to the field element
                Y(ii)=J(g)-1;
                ii=ii+1;
            end
        end
    end
end
n=length(X) + 1;   % + 1 for the point at infinity
%%%%%%%PLOTTING%%%%%%%%%%%
h=plot(X,Y,'ko');
set(h(1),'LineWidth',1.5)
axis([0, (max(X)+1), 0, (max(Y)+1) ])
xlabel('X','FontSize',15,'FontWeight','bold')
ylabel('Y','FontSize',15,'FontWeight','bold')
title(['The points in E_{',int2str(p),'}(',int2str(A),',',int2str(B),')'], ...
    'FontSize',12,'FontWeight','bold')
C.3 The Matlab code for ECADP.m
Below is the Matlab code for ECADP.m, which is a modified version of ECAD.m for use with prime curves. It has the same inputs and outputs as ECAD.m but the user must input $p$ in addition. It makes use of the m-file inve.m, which is listed in Appendix C.4.
function [x3,y3,m] = ECADP(x1,y1,x2,y2,A,p)
% This function m-file performs Elliptic Curve addition over prime curves.
% Suppose we are working on the elliptic curve y^2 = x^3 + Ax + B (mod p)
% Define P1 = (x1,y1)
%        P2 = (x2,y2)
% Then P1 + P2 = P3 = (x3,y3) is defined as below.
% If one of the points is infinity then we define P + infinity = P,
% and the user should type in Inf for both the x and y values of infinity.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
infinity = Inf;   % the point at infinity is entered as (Inf, Inf)
m = [];           % the gradient m is only defined when P3 is finite
if x1==infinity
    x3=x2; y3=y2;
    return
end
if x2==infinity
    x3=x1; y3=y1;
    return
end
if x1==x2
    if y1==y2
        if y1==0
            % P1 = P2 has y = 0, so the tangent is vertical
            disp('P3 is infinity')
            x3=infinity; y3=infinity;
            return
        end
        % Point doubling; division is multiplication by the inverse in Z_p
        % (over the reals this was m = (3*(x1)^2 + A)/(2*(y1)))
        mnum = 3*(x1)^2 + A;
        mden = 2*(y1);
        m = mod( (mnum * inve(mden,p)) , p );
        x3 = mod( (m^2 - x1 - x2) , p );
        y3 = mod( (m*(x1 - x3) - y1) , p );
        return
    end
    % x1 == x2 but y1 ~= y2, so P2 = -P1 and the chord is vertical
    disp('P3 is infinity')
    x3=infinity; y3=infinity;
    return
end
% General case (over the reals this was m = (y2-y1)/(x2-x1))
mnum = y2 - y1;
mden = x2 - x1;
m = mod( (mnum * inve(mden,p)) , p );
x3 = mod( (m^2 - x1 - x2) , p );
y3 = mod( (m*(x1 - x3) - y1) , p );
C.4 The Matlab code for inve.m
Below is the Matlab code for inve.m, which finds the inverse of an element $N$ in the group $\mathbb{Z}_p^*$. This is used for working with prime curves, where we can reduce modulo $p$. The user must input the element $N$ and the prime $p$.
function [I] = inve(N,p)
% This m-file finds the inverse of an element, N, in the group Z_p^*
% for use with prime curves, by trying every i in 1,...,p-1.
N = mod(N,p);
if N == 0
    error('0 has no inverse modulo p')
end
H = zeros(p-1,1);
for i = 1:(p-1)
    H(i) = mod(N*i,p);
end
I = find(H==1);   % the unique i with N*i = 1 (mod p), since p is prime
C.5 The Matlab code for SUCDOB.m
Below is the Matlab code for SUCDOB.m, which performs the successive doubling algorithm over prime curves. This m-file takes as its inputs $X1, Y1, k, A, p$ and outputs $X2, Y2$ where
$$(X2, Y2) = k(X1, Y1) = (X1, Y1) + (X1, Y1) + \dots + (X1, Y1) \quad (k \text{ summands})$$
and addition is performed over the elliptic curve
$$y^2 \equiv x^3 + Ax + B \pmod p$$
function [X2,Y2] = SUCDOB(X1,Y1,k,A,p)
% This is a function m-file to perform the successive doubling algorithm
% on prime curves. If P = (X1,Y1) and k is an integer, then this algorithm
% will find kP = (X2,Y2) where we are operating over the elliptic curve
% y^2 = x^3 + Ax + B (mod p), p prime
infinity = Inf;   % ECADP represents the point at infinity as (Inf, Inf)
a = k;
BX = infinity;    % B accumulates the answer, starting from infinity
BY = infinity;
CX = X1;          % C holds the current doubling 2^i P
CY = Y1;
while a~=0
    gg = mod(a,2);
    if gg == 0
        % a even: halve a and double C
        a = a/2;
        [CX,CY] = ECADP(CX,CY,CX,CY,A,p);
    end
    if gg == 1
        % a odd: subtract one from a and add C into B
        a = a-1;
        [BX,BY] = ECADP(BX,BY,CX,CY,A,p);
    end
end
X2 = BX;
Y2 = BY;
C.6 The Matlab code for check.m
Below is the Matlab code for check.m, which checks whether a specific point lies on a prime curve. This m-file takes as its inputs $x, y, A, B, p$ and checks whether the point $(x, y)$ lies on the curve
$$y^2 \equiv x^3 + Ax + B \pmod p$$
function [flag] = check(x,y,A,B,p)
% An m-file to check if the point (x,y) lies on the prime curve
% y^2 = x^3 + Ax + B (mod p)
R = x^3 + A*x + B;
R = mod(R,p);   % reduce modulo p (the original called a helper rmp)
L = y^2;
L = mod(L,p);
if L == R
    flag = 'YES';
    disp('This point lies on the curve')
else
    flag = 'NO';
    disp('This point does not lie on the curve')
end
C.7 The Matlab code for RR44.m
Below is the Matlab code for RR44.m, which performs the recurrence relation of Lemma A.16. It takes as its inputs $n$, $q$ and $\#E(F_q)$, and outputs $s(n)$ where $s(n)$ is defined by the recurrence relation of Lemma A.16:
$$s(0) = 2, \quad s(1) = a, \quad s(n + 1) = a\,s(n) - q\,s(n - 1)$$
with $a = q + 1 - \#E(F_q)$.
function [A] = RR44(n,q,EFQ)
% Function m-file to calculate s(n) where s is defined by
% s(0)=2, s(1)=a, s(n+1) = as(n) - qs(n-1)
% a = q + 1 - #E(F_q)
% Inputs - n,q & EFQ = #E(F_q)
% Outputs - A = s(n)
a = q + 1 - EFQ;
s = zeros(n+2,1);   % s(i+1) holds s(i), since MATLAB indexes from 1
s(1) = 2;
s(2) = a;
for i = 3:n+1
    s(i) = a*s(i-1) - q*s(i-2);
end
A = s(n+1);
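The prime-curve routines of Appendix C (inve.m, ECADP.m, SUCDOB.m and check.m) are straightforward to port, and doing so makes the successive doubling algorithm of C.5 easy to cross-check against naive repeated addition. The following is an added Python example, not the dissertation's MATLAB code: it keeps the same structure as the m-files, but computes the inverse in $\mathbb{Z}_p$ with the extended Euclidean algorithm instead of inve.m's search over all of $\mathbb{Z}_p^*$, and represents the point at infinity by `None`. The sample curve $y^2 = x^3 + x + 1$ over $F_{23}$ and the points used on it are constructed for this example and do not come from the dissertation.

```python
# Added example (not the dissertation's MATLAB code): the prime-curve routines of Appendix C
# in Python.  INF plays the role of the value "infinity" in the m-files.
INF = None


def inve(N, p):
    """Inverse of N in Z_p for prime p, by the extended Euclidean algorithm
    (inve.m finds the same value by trying every i in 1,...,p-1)."""
    if N % p == 0:
        raise ZeroDivisionError("0 has no inverse modulo p")
    old_r, r = N % p, p
    old_s, s = 1, 0
    while r:                      # invariant: old_s * N == old_r (mod p)
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    return old_s % p              # old_r == 1 here because p is prime


def check(P, A, B, p):
    """check.m: does (x, y) satisfy y^2 = x^3 + Ax + B (mod p)?  Infinity always lies on E."""
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def ecadp(P1, P2, A, p):
    """ECADP.m: P1 + P2 on y^2 = x^3 + Ax + B (mod p); coordinates are reduced mod p."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        # P2 = -P1 (this includes doubling a point with y = 0): vertical line, so P3 = infinity
        return INF
    if (x1, y1) == (x2, y2):
        m = (3 * x1 * x1 + A) * inve(2 * y1, p) % p   # gradient of the tangent at P1
    else:
        m = (y2 - y1) * inve(x2 - x1, p) % p          # gradient of the chord P1P2
    x3 = (m * m - x1 - x2) % p
    y3 = (m * (x1 - x3) - y1) % p
    return (x3, y3)


def sucdob(P, k, A, p):
    """SUCDOB.m: kP by successive doubling.  B_acc accumulates the result while C holds
    the current doubling of P; the loop mirrors the m-file's halving of a."""
    a, B_acc, C = k, INF, P
    while a != 0:
        if a % 2 == 0:
            a //= 2
            C = ecadp(C, C, A, p)
        else:
            a -= 1
            B_acc = ecadp(B_acc, C, A, p)
    return B_acc


def naive_multiple(P, k, A, p):
    """kP by k additions of P, used only to cross-check sucdob."""
    R = INF
    for _ in range(k):
        R = ecadp(R, P, A, p)
    return R


def point_order(P, A, p):
    """Smallest k >= 1 with kP = infinity, i.e. the order of P in E(F_p)."""
    k, R = 1, P
    while R is not INF:
        R, k = ecadp(R, P, A, p), k + 1
    return k


# Constructed sample (not from the dissertation): y^2 = x^3 + x + 1 over F_23,
# which has 28 points including infinity, and the point P = (3, 10) on it.
SAMPLE_A, SAMPLE_B, SAMPLE_P = 1, 1, 23
SAMPLE_POINT = (3, 10)
```

On the sample curve `ecadp((3, 10), (3, 10), 1, 23)` gives $(7, 12)$ and `ecadp((3, 10), (9, 7), 1, 23)` gives $(17, 20)$; `sucdob` agrees with `naive_multiple` for every small $k$, and since the curve has 28 points, `sucdob(SAMPLE_POINT, 28, 1, 23)` is the point at infinity, as Lagrange's theorem requires.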