Cryptography Reference
In-Depth Information
be a non-supersingular elliptic curve. Given P
=
(
x
,
y
)
, we define
−
P
=
(
x
,
x
+
y
)
and
−
O
=
O
. Given P
1
=
(
x
1
,
y
1
)
and P
2
=
(
x
2
,
y
2
)
,ifP
2
=−
P
1
, we define
P
1
+
P
2
=
O
. Otherwise, we let
y
2
+
y
1
x
2
+
x
1
x
1
+
y
1
x
1
if
P
1
=
P
2
otherwise
λ
=
y
1
x
2
+
y
2
x
1
x
2
+
x
1
if
P
1
=
P
2
otherwise
µ
=
x
1
2
x
3
=
λ
+
λ
+
a
2
+
x
1
+
x
2
y
3
=
(
λ
+
1)
x
3
+
µ
=
(
x
1
+
x
3
)
λ
+
x
3
+
y
1
P
3
=
(
x
3
,
y
3
)
and P
1
+
P
2
=
P
3
. In addition, P
+
O
=
O
+
P
=
P.
We further define the
discriminant
=
a
6
and the j -
invariant
j
=
1
/
.
We have similar results for group structures.
γ
∈
K
∗
be such that
Theorem 6.12.
Given a finite field
K
of characteristic two, let
Tr
#
K
,
2
(
γ
)
=
1
. Given a
6
∈
K
∗
and a
2
∈{
0
,γ
}
, we let E
a
2
,
a
6
be the elliptic curve as
defined in Def. 6.11.
1. E
a
2
,
a
6
together with the point addition is an Abelian group of which O is the
neutral element.
2. For any a
6
∈
K
∗
and a
2
∈{
0
,γ
}
, the group E
a
2
,
a
6
is isomorphic to the group
a
6
.
3. E
0
,
a
6
and E
γ,
a
6
are called
twist
of each other. We have
#
E
0
,
a
6
+
a
2
and a
6
=
E
a
2
,
a
6
if and only if a
2
=
#
E
γ,
a
6
=
2#
K
+
2
.
6.5.3
General Results
We mention an important result that will be used later.
*
Theorem 6.13 (Hasse 1933).
Let
K
be a fi
nit
e field and E be an elliptic curve on
K
.
We have
#
E
2
√
#
K
. t is called the trace of Frobenius.
=
#
K
+
1
−
t where
|
t
|≤
Computing #
E
is quite technical (but feasible in polynomial time).
For some technical reasons, we define special elliptic curves.
*
See, e.g. Ref [171]
Search WWH ::
Custom Search