Elliptic Curve Crypto

Number Theory Level 5

Consider an elliptic curve E described by the formula y 2 = x 3 + a x + b y^{2} = x^{3} + ax + b mod p p where 4 a 3 + 27 b 2 0 4a^{3} + 27b^{2} ≠ 0 mod p p and p > 3 p > 3 is prime.

It is clear that a point P = ( x , y ) P = (x,y) is an element of E and has order 3 if and only if 2 P = P 2P = -P .
What is the maximum number of points on curve E that have order 3? (hint: use 2 P = P 2P = -P to find equation for points of order 3)


The answer is 8.

Chloe Jackson by Chloe Jackson , 25, USA

This section requires Javascript.
You are seeing this because something didn't load right. We suggest you, (a) try refreshing the page, (b) enabling javascript if it is disabled on your browser and, finally, (c) loading the non-javascript version of this page . We're sorry about the hassle.

2 solutions

Patrick Corn
May 11, 2018

It is well-known that if p m , p \nmid m, the set of m m -torsion points over F p , \overline{{\mathbb F}_p}, the algebraic closure of the finite field F p , {\mathbb F}_p, is isomorphic to Z / m × Z / m . {\mathbb Z}/m \times {\mathbb Z}/m. So there are nine 3 3 -torsion points over the algebraic closure, hence 8 8 points of order 3. 3. This means that the maximum is at most 8 8 , and all that remains is to find an elliptic curve with full 3 3 -torsion over F p . {\mathbb F}_p. As Mark Hennings points out, y 2 = x 3 + 1 y^2=x^3+1 will do for p = 31. p=31.

2 Helpful 0 Interesting 0 Brilliant 0 Confused

Really elegant solution you have here :) I'm newer to ECC to it's cool that you mentioned torsion points and isomorphisms :) reminds me of a hw problem i did

Chloe Jackson - 3 years ago
Chloe Jackson
May 9, 2018

Recall the formulas for point doubling: s = ( 3 x 2 + a ) ( 2 y 1 ) s = (3x^{2} + a)(2y^{-1}) , x n e w = s 2 2 x x_{new} = s^{2} - 2x , y n e w = s ( x n e w x ) y y_{new} = s(x_{new} - x) - y .

Since 2P = -P, we know that x n e w = x x_{new} = x and that y n e w = y y_{new} = -y .

We look at the equation for x n e w x_{new} and use substitution to get s 2 3 x = 0 s^{2} - 3x = 0 . If we work out what s 2 s^{2} is, then we can generate the equation 9 x 4 + 6 a x 2 + a 2 3 x ( 4 y 2 ) = 0 9x^{4} + 6ax^{2} + a^{2} - 3x(4y^{2}) = 0 . Since we know y 2 y^{2} from our equation for the curve E, we substitute that to get 9 x 4 + 6 a x 2 + a 2 3 x ( 4 x 3 + 4 a x + 4 b ) = 0 9x^{4} + 6ax^{2} + a^{2} - 3x(4x^{3} + 4ax + 4b) = 0 which simplifies to 3 x 4 + 6 a x 2 + 12 b x a 2 = 0 3x^{4} + 6ax^{2} + 12bx - a^{2} = 0 .

This implies that there are four x values to satisfy the equation. And for four distinct x-values on the curve, there are two y-values. So then we have at most 8 points of order 3.

1 Helpful 0 Interesting 0 Brilliant 0 Confused

I guess we should find a pair a , b a,b and a prime p p such that the quartic does have 4 4 roots. For example, if a = 0 a=0 , b = 1 b=1 we want to show that x ( x 3 + 4 ) = 0 x(x^3 + 4) = 0 has 4 4 roots, and so find a p p such that 4 -4 has three cube roots in Z p \mathbb{Z}_p . I think that p = 31 p=31 works.

Mark Hennings - 3 years, 1 month ago

Log in to reply

A good point (no pun intended). It does help the algebraic solution I have, but you can also know from the equation that finding such an a and b is trivial (as your a and b over p are easy to find through brute force) :)

Chloe Jackson - 3 years ago

0 pending reports

×

Problem Loading...

Note Loading...

Set Loading...