An elliptic curve defined over K is of the form: $$y^2 = x^3 + Ax + B$$ with $$4A^3 + 27B^2 \not = 0$$

- the condition is to ensure there are no repeated (cubic) roots

We will work with finite fields (or rings)

- for example, we could think of the above equation $\pmod{N}$

In [None]:
N = 10
R = Integers(N)
E = EllipticCurve(R,[1,4])

In [None]:
E

In [None]:
for a in range(10):
    for b in range(10):
        if (b^2) % N == (a^3 + 1*a + 4) % N:
            print(a,b)

In [None]:
E.points() #Doesn't work when E is defined over general rings

In [None]:
#define a point on E, doesn't matter if it is a ring
P = E(1,4)
Q = E(3,8)

Points on elliptic curves have the structure of a group, with the group law given by:
    
$$E : y^2 = x^3+Ax+B.$$

- $P + Q$ for $x_P \not = x_Q$ is given by
  - *Step 1:* $\quad \lambda = \displaystyle (y_Q - y_P)(x_Q- x_P)^{-1} \quad $ (slope of the line through $P$ and $Q$)
  - *Step 2:* $\quad x _R = \lambda^2 - x_Q - x_P, \quad y_R = y_P + \lambda(x_R - x_P)$
  - *Step 3:* $\quad P + Q = (x_R, - y_R)$
- $P + Q$ for $x_P = x_Q$ is given by
  - *Step 1:* $\quad \lambda = \displaystyle (3x_P^2 + A)(2y_P)^{-1} \quad $ (slope of tangent at $P$)
  - *Step 2:* $\quad x_R = \lambda^2  - 2 x_P, \quad  y_R = y_P + \lambda(x_R - x_P)$
  - *Step 3:* $\quad 2P =  P+ P = (x_R, - y_R)$
- $O = (0:1:0)$ is the identity
- Associativity is harder to check (skip)
- Inverse of $P = (x_P,y_P)$ is $-P = (x_P, -y_P)$

Related webpage on [Elliptic curves over finite fields](https://doc.sagemath.org/html/en/reference/arithmetic_curves/sage/schemes/elliptic_curves/ell_finite_field.html)

In [None]:
p = random_prime(2^8)
F = GF(p)
E = EllipticCurve(F,[1,2])

In [None]:
E.points()

In [None]:
#random point on curve

P = E.random_element()
Q = E.random_point()

In [None]:
3*P , P + Q, E(0)

In [None]:
P.order(), Q.order()

In [None]:
P.order()*P == E(0) #identity element

In [None]:
E.cardinality(),len(E.points()), E.count_points(), E.order()

In [None]:
print(E.order())
print(E.abelian_group())

In [None]:
N = 10
R = Integers(N)
E = EllipticCurve(R,[1,4])

In [None]:
#define a point on E, doesn't matter if it is a ring
P = E(1,4)
Q = E(3,8)

In [None]:
P + Q #error here, modular inversion

In [None]:
# Exercise:

# Given E: y^2 = x^3 + x + 3 defined over Z/11Z

# Use the Jacobi/Kronecker symbols to determine which y-coordinates are possible on E
# e.g., (5/11) = 1, 5 = 16 = 4^2 = 1^3 + 1 + 3 mod 11

In [None]:
# Exercise:
# Implement group law on the elliptic curve y^2 = x^3 + Ax + B defined over Z/NZ, raise suitable errors at each step
# Checks: discriminant, division by 0 in P+Q, doubling or adding points

def P_plus_Q(A,B,N):
    return

Lenstra's elliptic curve factorisation method

Ideas: use Pollard p-1 on elliptic curves

Input: N = to be factored
Output: factorisation of N

Algorithm:
- random A,a,b mod N
- set P = (a,b) and B = b^2 - a^3 - A*a mod N
- set E : y^2 = x^3 + A*x + B
- consider list ```[P,2!P,3!p,..., k!P]```
- if error occurs at ```k!P```, report k
- if 1< k < N, return gcd(k,N), restart with N = N//gcd(k,N), and different A,a,b
- elif k = N, restart with different A,a,b

Hint:
- check discriminant
- remember that n! = n*(n-1)!
- error occurs when modular inversion fails

In [None]:
def lenstra_ecm(N):
    return

In [None]:
# Exercise:
# N = 5959
# E: y^2 = x^3 + Ax + 1 with (0,1) on it
# Find a factorisation of N using ECM by picking a suitable A

Pollard's p-1:

Observe that if N = pq, with p,q primes and p-1 having small factors, then
- Fermat's little theorem: $a^{K(p-1)} \equiv 1 \pmod{p}$

For large enough $i$, suppose $p-1| i!$, then $x = a^{i!} \equiv 1 \pmod{p}$, so $p | x-1$ and if $p | n$, we get $p | gcd(x-1,n)$


Algorithm:

Input: - N = to be factored
       - B = smooth bound

- set a = 2
- for i in [2,...,B], compute a^i! mod N
- if d = gcd(a^i - 1, N) > 1, record d (and factorisation)
- replace N = N // d