An elliptic curve defined over K is of the form: $$y^2 = x^3 + Ax + B$$ with $$4A^3 + 27B^2 \not = 0$$

- the condition is to ensure there are no repeated (cubic) roots

We will work with finite fields (or rings)

- for example, we could think of the above equation $\pmod{N}$

In [1]:
N = 10
R = Integers(N)
E = EllipticCurve(R,[1,4])

In [2]:
E

Elliptic Curve defined by y^2 = x^3 + x + 4 over Ring of integers modulo 10

In [None]:
#zy^2 = x^3 + xz^2 + 4z^3

In [9]:
for a in range(10):
    for b in range(10):
        if (b^2) % N == (a^3 + 1*a + 4) % N:
            print(a,b)
# need to include O or \infty = (0:1:0)

# (1 : 0 : 0) is never a point on E

0 2
0 8
1 4
1 6
2 2
2 8
3 2
3 8
5 2
5 8
6 4
6 6
7 2
7 8
8 2
8 8


In [10]:
E.points() #Doesn't work when E is defined over general rings

AttributeError: 'EllipticCurve_generic_with_category' object has no attribute 'points'

In [11]:
#define a point on E, doesn't matter if it is a ring
P = E(1,4)
Q = E(3,8)

Points on elliptic curves have the structure of a group, with the group law given by:
    
$$E : y^2 = x^3+Ax+B.$$

- $P + Q$ for $x_P \not = x_Q$ is given by
  - *Step 1:* $\quad \lambda = \displaystyle (y_Q - y_P)(x_Q- x_P)^{-1} \quad $ (slope of the line through $P$ and $Q$)
  - *Step 2:* $\quad x _R = \lambda^2 - x_Q - x_P, \quad y_R = y_P + \lambda(x_R - x_P)$
  - *Step 3:* $\quad P + Q = (x_R, - y_R)$
- $P + Q$ for $x_P = x_Q$ is given by
  - *Step 1:* $\quad \lambda = \displaystyle (3x_P^2 + A)(2y_P)^{-1} \quad $ (slope of tangent at $P$)
  - *Step 2:* $\quad x_R = \lambda^2  - 2 x_P, \quad  y_R = y_P + \lambda(x_R - x_P)$
  - *Step 3:* $\quad 2P =  P+ P = (x_R, - y_R)$
- $O = (0:1:0)$ is the identity
- Associativity is harder to check (skip)
- Inverse of $P = (x_P,y_P)$ is $-P = (x_P, -y_P)$

Related webpage on [Elliptic curves over finite fields](https://doc.sagemath.org/html/en/reference/arithmetic_curves/sage/schemes/elliptic_curves/ell_finite_field.html)

In [None]:
a^N == prod (a^(2^i)) #exponentiation/squaring
k*P == sum (2^i * P)  #doubling

In [None]:
9*P == 2^3 * P + P

In [31]:
p = random_prime(2^8)
F = Integers(p) # or GF(p)
E = EllipticCurve(F,[1,2])

In [32]:
E

Elliptic Curve defined by y^2 = x^3 + x + 2 over Ring of integers modulo 79

In [33]:
E.points() #F is a field

[(0 : 1 : 0), (0 : 9 : 1), (0 : 70 : 1), (1 : 2 : 1), (1 : 77 : 1), (3 : 36 : 1), (3 : 43 : 1), (7 : 6 : 1), (7 : 73 : 1), (10 : 8 : 1), (10 : 71 : 1), (11 : 1 : 1), (11 : 78 : 1), (12 : 2 : 1), (12 : 77 : 1), (13 : 0 : 1), (23 : 37 : 1), (23 : 42 : 1), (24 : 5 : 1), (24 : 74 : 1), (25 : 22 : 1), (25 : 57 : 1), (28 : 39 : 1), (28 : 40 : 1), (29 : 3 : 1), (29 : 76 : 1), (36 : 20 : 1), (36 : 59 : 1), (39 : 30 : 1), (39 : 49 : 1), (40 : 17 : 1), (40 : 62 : 1), (41 : 32 : 1), (41 : 47 : 1), (48 : 11 : 1), (48 : 68 : 1), (52 : 11 : 1), (52 : 68 : 1), (54 : 28 : 1), (54 : 51 : 1), (57 : 32 : 1), (57 : 47 : 1), (58 : 11 : 1), (58 : 68 : 1), (59 : 35 : 1), (59 : 44 : 1), (60 : 32 : 1), (60 : 47 : 1), (62 : 7 : 1), (62 : 72 : 1), (64 : 3 : 1), (64 : 76 : 1), (65 : 3 : 1), (65 : 76 : 1), (66 : 2 : 1), (66 : 77 : 1), (67 : 0 : 1), (69 : 16 : 1), (69 : 63 : 1), (75 : 31 : 1), (75 : 48 : 1), (76 : 29 : 1), (76 : 50 : 1), (78 : 0 : 1)]

In [None]:
#(x:y:z)
# z =/= 0 -> scale z = 1
# z = 0 -> only one point (0:1:0)

In [36]:
#random point on curve

P = E.random_element()
Q = E.random_point()

In [37]:
P

(66 : 77 : 1)

In [38]:
3*P , P + Q, E(0)

((0 : 9 : 1), (3 : 36 : 1), (0 : 1 : 0))

In [39]:
P.order(), Q.order()

(32, 8)

In [40]:
R = E(0,9);
32*R

(0 : 1 : 0)

In [41]:
P.order()*P == E(0) #identity element

True

In [42]:
E.cardinality(),len(E.points()), E.count_points(), E.order()

(64, 64, 64, 64)

In [43]:
print(E.order())
print(E.abelian_group())

64
Additive abelian group isomorphic to Z/32 + Z/2 embedded in Abelian group of points on Elliptic Curve defined by y^2 = x^3 + x + 2 over Ring of integers modulo 79


In [47]:
N = 10
R = Integers(N)
E = EllipticCurve(R,[1,4])
E

Elliptic Curve defined by y^2 = x^3 + x + 4 over Ring of integers modulo 10

In [48]:
#define a point on E, doesn't matter if it is a ring
P = E(1,4)
Q = E(3,8)

In [49]:
P + P

ZeroDivisionError: Inverse of 8 does not exist (characteristic = 10 = 2*5)

In [46]:
P + Q #error here, modular inversion

ZeroDivisionError: Inverse of 8 does not exist (characteristic = 10 = 2*5)

In [None]:
# Exercise:

# Given E: y^2 = x^3 + x + 3 defined over Z/11Z

# Use the Jacobi/Kronecker symbols to determine which y-coordinates are possible on E
# e.g., (5/11) = 1, 5 = 16 = 4^2 = 1^3 + 1 + 3 mod 11
# jacobi_symbol(), kronecker()

# y^2 = k where k = x^3 + x + 3

In [None]:
# Exercise:
# Implement group law on the elliptic curve y^2 = x^3 + Ax + B defined over Z/NZ, raise suitable errors at each step
# Checks: discriminant, division by 0 in P+Q, doubling or adding points, point at infinity
# functions: Integers(N),...
# Output: (x,y)

def P_plus_Q(A,B,N,P,Q):
    return

Lenstra's elliptic curve factorisation method

Ideas: use Pollard p-1 on elliptic curves

Input: N = to be factored

Output: factorisation of N

Algorithm:
- random A,a,b mod N
- set P = (a,b) and B = b^2 - a^3 - A*a mod N
- set E : y^2 = x^3 + A*x + B
- consider list ```[P,2!P,3!p,..., k!P]```
- if error occurs at ```k!P```, report k
- if 1< k < N, return gcd(k,N), restart with N = N//gcd(k,N), and different A,a,b
- elif k = N, restart with different A,a,b

Hint:
- check discriminant
- remember that n! = n*(n-1)! + repeated doubling
- error occurs when modular inversion fails

In [None]:
def lenstra_ecm(N):
    return

In [None]:
# Exercise:
# N = 5959
# E: y^2 = x^3 + Ax + 1 with (0,1) on it
# Find a factorisation of N using ECM by picking a suitable A

Pollard's p-1:

Observe that if N = pq, with p,q primes and p-1 having small factors, then
- Fermat's little theorem: $a^{K(p-1)} \equiv 1 \pmod{p}$

For large enough $i$, suppose $p-1| i!$, then $x = a^{i!} \equiv 1 \pmod{p}$, so $p | x-1$ and if $p | n$, we get $p | gcd(x-1,n)$


Algorithm:

Input: - N = to be factored
       - B = smooth bound

- set a = 2
- for i in [2,...,B], compute a^i! mod N
- if d = gcd(a^i - 1, N) > 1, record d (and factorisation)
- replace N = N // d