# Using elliptic curves and isogenies in SageMath

This is a short tutorial to get started with elliptic curves in SageMath. For a complete reference, see the official documentation:

- [The "getting started" tutorial](http://doc.sagemath.org/html/en/tutorial/index.html);
- [Other SageMath tutorials](http://doc.sagemath.org/html/en/thematic_tutorials/index.html);
- [Finite fields (reference)](http://doc.sagemath.org/html/en/reference/finite_rings/index.html);
- [Number fields](http://doc.sagemath.org/html/en/constructions/number_fields.html), [reference](http://doc.sagemath.org/html/en/reference/number_fields/index.html);
- [Quadratic forms (reference)](http://doc.sagemath.org/html/en/reference/quadratic_forms/index.html);
- [Elliptic curves](http://doc.sagemath.org/html/en/constructions/elliptic_curves.html), [reference](http://doc.sagemath.org/html/en/reference/curves/index.html).

See also the book [Computational Mathematics with SageMath](http://dl.lateralis.org/public/sagebook/sagebook-ba6596d.pdf).

## Finite fields

We create finite fields by passing their cardinality

In [None]:
Fp = GF(11)

In [None]:
Fp

In [None]:
Fq = GF(11^2)
Fq

For extension fields, the generator is obtained with the `.gen()` function.

In [None]:
z = Fq.gen()
z

In [None]:
z^120

In [None]:
z.multiplicative_order()

Same thing in one go

In [None]:
K.<t> = GF(next_prime(2^128)^2)
K

In [None]:
parent(t)

In [None]:
t.minimal_polynomial()

other rings

In [None]:
QQ

In [None]:
ZZ

## Elliptic curves

Curves over $ℚ$

In [None]:
E = EllipticCurve([-10,10])
E

In [None]:
E.plot()

Cuvers over other fields

In [None]:
F = EllipticCurve(GF(11), [1, 0])
F

In [None]:
F.order()

In [None]:
F.cardinality()

In [None]:
F.points()

In [None]:
P = F.random_point()
P

In [None]:
P.order()

Curves over number fields

In [None]:
K = QQ[i]
K

In [None]:
E = EllipticCurve(K, j=0)
E

In [None]:
E.torsion_order()

In [None]:
E.torsion_points()

In [None]:
E.rank()

In [None]:
E = EllipticCurve(j=1)
E

In [None]:
E.short_weierstrass_model()

In [None]:
E.torsion_order()

In [None]:
E.rank()

In [None]:
P, Q = E.gens()
P, Q

In [None]:
P.order()

In [None]:
P + P

In [None]:
13*P

Watch out: computing the rank is not always easy!

In [None]:
EK = E.change_ring(K)
EK

In [None]:
EK.rank()

## Isomorphisms

In [None]:
F = EllipticCurve(GF(11), [1, 0])
F

In [None]:
F.automorphisms()

In [None]:
aut = F.change_ring(GF(11^2)).automorphisms()
aut

In [None]:
aut[3], aut[3]^2

In [None]:
G = EllipticCurve(GF(11), [3, 0])
F.is_isomorphic(G)

In [None]:
G

In [None]:
G.j_invariant()

In [None]:
u = F.isomorphism_to(G)
u

Group structure

In [None]:
F.abelian_group()

In [None]:
g = F.gens()[0]
g

In [None]:
g.order()

## Scalar multiplication

In [None]:
F = EllipticCurve(GF(11), [1, 0])
g = F.gens()[0]
g

In [None]:
12*g

In [None]:
[(i, i*g) for i in range(12)]

Let's print the multiplication maps

In [None]:
F.multiplication_by_m(12)

Using LaTeX-ified output is much nicer

In [None]:
%display latex

In [None]:
F.multiplication_by_m(12, x_only=True)

In [None]:
m3 = F.multiplication_by_m(3)
m3

In [None]:
d3 = m3[0].denominator()
d3

In [None]:
parent(d3)

The multiplication maps are rational fractions in $x$ and $y$, so if we want the denominator as a polynomial in $x$ we need to convert it explicitly

In [None]:
d3 = d3.univariate_polynomial()
parent(d3)

In [None]:
d3.factor()

Given an $x$-coordinate, we can get a point with that coordinate, if it exists

In [None]:
P = F.lift_x(-6)
P

In [None]:
P.order()

In [None]:
Q = F.lift_x(-5)

In [None]:
F

In [None]:
y5 = GF(11)(-5^3 -5)
y5

In [None]:
y5.is_square()

In [None]:
%display plain

If we change the base ring of the curve (e.g. from $𝔽_{11}$ to $𝔽_{121}$), more points appear

In [None]:
F2 = F.change_ring(GF(11^2))
F2

In [None]:
Q = F2.lift_x(-5)
Q

In [None]:
Q.order()

However we cannot mindlessly combine points over $𝔽_{11}$ with points over $𝔽_{121}$

In [None]:
P + Q

We must instead explicitly lift the points from $E/𝔽_{11}$ to $E/𝔽_{121}$

In [None]:
P2 = F2(P)

In [None]:
P2 + Q

Here is the full 3-torsion subgroup

In [None]:
[i*P2 + j*Q for i in range(3) for j in range(3)]

We check that the $x$-coordinates correspond to the roots of the denominator of the multiplication-by-3 map we had previously computed

In [None]:
d3

In [None]:
d3.roots(GF(11^2))

And we check that the denominator is the square of the 3-division polynomial

In [None]:
d3.is_square()

In [None]:
d3.sqrt()

In [None]:
F.division_polynomial(3)

## Your turn!

### Exercise 1 ★

Find a random curve over $𝔽_{127}$ with $129$ points.



#### Exercise 1.2 ★★

Let $E$ be one such curve. What is the degree of the smallest extension $k$ of $𝔽_{127}$ such that $E(k)[129] \simeq ℤ/129ℤ × ℤ/129ℤ$?



### Exercise 2 ★

Implement the Diffie–Hellman key exchange on the curve of exercise 1. That is, write two functions that implement the first and the second phase of the key exchange, and check that the shared key matches

In [None]:
def keyex1(g, n):
    '''
    Parameters: g is the group generator, n its order.
    '''
    pass

In [None]:
def keyex2(ek, sk):
    '''
    Parameters: ek is the received ephemeral key, sk is our secret key.
    '''
    pass

### Exercise 3 ★

Let $E$ be the elliptic curve over $\mathbb{F}_5$ given by the Weierstrass equation $E: y^2 + y = x^3 - x$.

Compute $\#E(\mathbb{F_{5^n}})$ for $n=1,\ldots,20$.


In [None]:
E = EllipticCurve(GF(5), [0,0,1,-1,0])
E

#### Exercise 3.1 ★★

Denote by $\pi:E\to E$ the $5$\-Frobenius endomorphism of the curve in the previous exercise. Find a monic quadratic polynomial of which $\pi$ is a zero in $\mathrm{End}(E)$. 


By finding a root of this polynomial over $\mathbb{C}$, write down a formula for $\pi$ as an algebraic number. That is, give an embedding $\mathbb{Z}[\pi]\to\mathbb{C}$. Show that the conjugate of $\pi$ as a complex number corresponds to the dual isogeny under this embedding.



Write down a formula for $\#E(\mathbb{F_{5^n}})$ in terms of this algebraic number. Check that this agrees with the answer from the first point.

### Exercise 4 ★★

For $p=23$, is there for every $N$ in the Hasse\-Weil interval $[p+1-2\sqrt{p}, p+1+2\sqrt{p}]$ an elliptic curve $E$ over $\mathbb{F}_p$ such that $\#E(\mathbb{F}_p)=N$?
