Presentation is loading. Please wait.

Presentation is loading. Please wait.

Elliptic Nets How To Catch an Elliptic Curve

Published byCalvin Henderson Modified over 9 years ago

Similar presentations

Presentation on theme: "Elliptic Nets How To Catch an Elliptic Curve"— Presentation transcript:

1 Elliptic Nets How To Catch an Elliptic Curve
Kate Stange Brown University Graduate Student Seminar February 7, 2007

2 Timeline 1573 Potato results in birth of Caravaggio1
Circa 4000 B.C. pre-Colombian farmers discover potato February 7, 2004 Inventor of Poutine dies of pulmonary disease Last spring A cute potato named George is born July Sonja Thomas wins $2500 by eating 53 potato skins in 12 minutes Now That samosa you are eating is George 1The Potato Fan Club:

3 Part I: Elliptic Curves are Groups

4 Elliptic Curves

5 A Typical Elliptic Curve E
E : Y2 = X3 – 5X + 8 The lack of shame involved in the theft of this slide from Joe Silverman’s website should make any graduate student proud.

6 Adding Points P + Q on E R Q P P+Q
The lack of shame involved in the theft of this slide from Joe Silverman’s website should make any graduate student proud. - 6 -

7 Doubling a Point P on E R P 2*P Tangent Line to E at P
The lack of shame involved in the theft of this slide from Joe Silverman’s website should make any graduate student proud. - 7 -

8 Vertical Lines and an Extra Point at Infinity
Add an extra point O “at infinity.” The point O lies on every vertical line. Vertical lines have no third intersection point P Q = –P Q The lack of shame involved in the theft of this slide from Joe Silverman’s website should make any graduate student proud.

9 Part II: Elliptic Divisibility Sequences

10 Elliptic Divisibility Sequences: Seen In Their Natural Habitat
Associated to a point and a curve.

11 Example

12 Elliptic Curve Group Law

13 So What Happens to Point Multiples?

14 An Elliptic Divisibility Sequence is an integer sequence satisfying the following recurrence relation.

15 Some Example Sequences
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, …

16 Some Example Sequences
0, 1, 1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, 233, 377, 610, 987, 1597, 2584, 4181, 6765, 10946, 17711, 28657, 46368, 75025, , , , , , , , , , , , , , …

17 Some Example Sequences
0, 1, 1, -1, 1, 2, -1, -3, -5, 7, -4, -23, 29, 59, 129, -314, -65, 1529, -3689, -8209, , 83313, , , , , , , , , , , , …

18 Our First Example 0, 1, 1, -3, 11, 38, 249, -2357, 8767, , , , , , , , , , , , , …

19 Some more terms… 0, 1, -3, 11, 38, 249, -2357, 8767, 496035, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ...

20 Part III: Elliptic Curves over Complex Numbers

21 Take a Lattice Λ in the Complex Plane
1 2 1+ 2

22 Elliptic Curves over Complex Numbers

23 Elliptic Functions Zeroes at z = a and z=b Poles at z = c and z=d

24 Example Elliptic Functions

25 Part IV: Elliptic Divisibility Sequences from Elliptic Functions

26 Elliptic Divisibility Sequences: Two Good Definitions
Definition A This is just an elliptic function with zeroes all the n-torsion points and a pole of order n2 at the point at infinity. Yes, this is the same as before!

27 Elliptic Divisibility Sequences: Two Good Definitions
Definition A Definition B Mention division polynomials, mention division needed for recurrence, mention many ways to determine one point

28 Theorem (M Ward, 1948): A and B are equivalent.
From the initial conditions in Definition B, one can explicitly calculate the curve and point needed for Definition A. Definition A Definition B Note division and non deterministicness

29 Part V: Reduction Mod p

30 Reduction of a curve mod p
6 5 X 4 3 (0,-3) 2 1

31 Reduction Mod p 0, 1, 1, -3, 11, 38, 249, -2357, 8767, , , , , , , , , , , , , … 0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6, 0, 3, 1, 10, 0, 1,10, 8, 0, 5, 4, 8, 0, 1, 2, 10, 0, 3, 4, 6, 0, 3, 10, 10, 0, 1, 1, 8, 0, 5, 7, 8, 0, … This is the elliptic divisibility sequence associated to the curve reduced modulo 11

32 What do the zeroes mean??

33 Reduction Mod p 0, 1, 1, -3, 11, 38, 249, -2357, 8767, , , , , , , , , , , , , … 0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6, 0, 3, 1, 10, 0, 1,10, 8, 0, 5, 4, 8, 0, 1, 2, 10, 0, 3, 4, 6, 0, 3, 10, 10, 0, 1, 1, 8, 0, 5, 7, 8, 0, … The point has order 4, but the sequence has period 40!

34 Periodicity of Sequences

35 Periodicity Example 0, 1, 1, 8, 0, 5, 7, 8, 0, 1, 9, 10, 0, 3, 7, 6, 0, 3, 1, 10, 0, …

36 Research (Partial List)
Applications to Elliptic Curve Discrete Logarithm Problem in cryptography (R. Shipsey) Finding integral points (M. Ayad) Study of nonlinear recurrence sequences (Fibonacci numbers, Lucas numbers, and integers are special cases of EDS) Appearance of primes (G. Everest, T. Ward, …) EDS are a special case of Somos Sequences (A. van der Poorten, J. Propp, M. Somos, C. Swart, …) p-adic & function field cases (J. Silverman) Continued fractions & elliptic curve group law (W. Adams, A. van der Poorten, M. Razar) Sigma function perspective (A. Hone, …) Hyper-elliptic curves (A. Hone, A. van der Poorten, …) More…

37 Part VI: Elliptic Nets: Jacking up the Dimension

38 The Mordell-Weil Group

39 From Sequences to Nets It is natural to look for a generalisation that reflects the structure of the entire Mordell-Weil group:

40 In this talk, we work with a rank 2 example
Nearly everything can be done for general rank

41 Elliptic Nets: Rank 2 Case
Zeroes at (P,Q) such that mP + nQ = 0. Some crazy poles. Definition A

42 Elliptic Nets: Rank 2 Case
Definition B

43 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

44 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

45 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

46 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

47 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

48 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

49 Equivalence of Definitions

50 For any given n, one can compute the explicit bijection

51 Nets are Integral

52 Reduction Mod p

53 Divisibility Property

54 Example 4335 5959 12016 -55287 23921 94 479 919 -2591 13751 68428 424345 -31 53 -33 -350 493 6627 48191 -5 8 -19 -41 -151 989 -1466 1 3 -1 -13 -36 181 -1535 2 7 89 -149 -3 11 38 249 Q P→

55 Example 4 1 3 2 Q P→

56 Periodicity of Sequences: Restatement

57 Periodicity of Nets

58 Part VII: Elliptic Curve Cryptography

59 Elliptic Curve Cryptography
For cryptography you need something that is easy to do but difficult to undo. Like multiplying vs. factoring. Or getting pregnant. (No one has realised any cryptographic protocols based on this: Possible thesis topic anyone?)

60 The (Elliptic Curve) Discrete Log Problem
Let A be a group and let P and Q be known elements of A. The Discrete Logarithm Problem (DLP) is to find an integer m satisfying Q = P + P + … + P = mP. m summands Hard but not too hard in Fp*. Koblitz and Miller (1985) independently suggested using the group E(Fp) of points modulo p on an elliptic curve. It seems pretty hard there.

61 Elliptic Curve Diffie-Hellman Key Exchange
Public Knowledge: A group E(Fp) and a point P of order n. BOB ALICE Choose secret 0 < b < n Choose secret 0 < a < n Compute QBob = bP Compute QAlice = aP Send QBob to Alice to Bob Send QAlice Compute bQAlice Compute aQBob Bob and Alice have the shared value bQAlice = abP = aQBob Presumably(?) recovering abP from aP and bP requires solving the elliptic curve discrete logarithm problem. Yeah, I stole this one too.

62 The Tate Pairing This is a bilinear nondegenerate pairing.

63 Tate Pairing in Cryptography: Tripartite Diffie-Hellman Key Exchange
Public Knowledge: A group E(Fp) and a point P of order n. ALICE BOB CHANTAL Secret < a < n < b < n < c < n Compute QAlice = aP QBob = bP QChantal = cP Reveal QAlice QBob QChantal Compute τn(QBob,QChantal)a τn(QAlice,QChantal)b τn(QAlice,QBob)c These three values are equal to τn(P,P)abc Security (presumably?) relies on Discrete Log Problem in Fp*

64 Part VIII: Elliptic Nets and the Tate Pairing

65 Tate Pairing from Elliptic Nets

66 Choosing a Nice Net This is just the value of a from the periodicity relation

67 Calculating the Net (Rank 2)
Based on an algorithm by Rachel Shipsey Double DoubleAdd

68 Calculating the Tate Pairing
Find the initial values of the net associated to E, P, Q (there are simple formulae) Use a Double & Add algorithm to calculate the block centred on m Use the terms in this block to calculate

69 Embedding Degree k M | q^k – 1 – mention? Understand why again?

70 Efficiency Mention Ben Lynn, Dan Boneh, Mike Scott

71 Possible Research Directions
Extend this to Jacobians of higher genus curves? Use periodicity relations to find integer points? (M. Ayad does this for sequences) Other computational applications: counting points on elliptic curves over finite fields? Other cryptographic applications of Tate pairing relationship? Have something to say more about each of these

72 Slides, preprint, scripts at
References Morgan Ward. “Memoir on Elliptic Divisibility Sequences”. American Journal of Mathematics, 70:13-74, 1948. Christine S. Swart. Elliptic Curves and Related Sequences. PhD thesis, Royal Holloway and Bedford New College, University of London, 2003. Graham Everest, Alf van der Poorten, Igor Shparlinski, and Thomas Ward. Recurrence Sequences. Mathematical Surveys and Monographs, vol American Mathematical Society, 2003. Elliptic net algorithm for Tate pairing implemented in the PBC Library, Slides, preprint, scripts at

Download ppt "Elliptic Nets How To Catch an Elliptic Curve"

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Introduction to Elliptic Curves. What is an Elliptic Curve? An Elliptic Curve is a curve given by an equation E : y 2 = f(x) Where f(x) is a square-free.

Introduction to Elliptic Curves. What is an Elliptic Curve? An Elliptic Curve is a curve given by an equation E : y 2 = f(x) Where f(x) is a square-free.
Cannonballs, Donuts, and Secrets

Cannonballs, Donuts, and Secrets
1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.

1 390-Elliptic Curves and Elliptic Curve Cryptography Michael Karls.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
Parshuram Budhathoki FAU October 25, 2012 11/25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU.

Parshuram Budhathoki FAU October 25, /25/2012 Ph.D. Preliminary Exam, Department of Mathematics, FAU.
What is Elliptic Curve Cryptography?

What is Elliptic Curve Cryptography?
7. Asymmetric encryption-

7. Asymmetric encryption-
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) Public Lecture – Dublin Tuesday, 4 September 2007, 7:30 PM.

The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) Public Lecture – Dublin Tuesday, 4 September 2007, 7:30 PM.
Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.

Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.
Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.

Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.
The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address Baltimore – January 18, 2003.

The Ubiquity of Elliptic Curves Joseph Silverman (Brown University) MAA Invited Address Baltimore – January 18, 2003.
Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith.

Hidden pairings and trapdoor DDH groups Alexander W. Dent Joint work with Steven D. Galbraith.
No-Key Cryptography Nathan Marks Based on Massey-Omura US Patent # 4,567,600.

No-Key Cryptography Nathan Marks Based on Massey-Omura US Patent # 4,567,600.
Electronic Payment Systems Lecture 5: ePayment Security II

Electronic Payment Systems Lecture 5: ePayment Security II
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.

Similar presentations

Ads by Google