Cryptography Reference
In-Depth Information
curves over fields of characteristic 2 are given in Section 4.4.5.a of [
16
] and Section III.4.2
of [
61
]. Division polynomials for elliptic curves in general Weierstrass form are discussed
in Section III.4 of [
61
].
Definition 9.8.4
Let
E
:
y
2
=
x
3
+
+
k
k
=
a
4
x
a
6
be an elliptic curve over
with char(
)
2.
The
division polynomials
are defined by
ψ
1
(
x,y
)
=
1
ψ
2
(
x,y
)
=
2
y
3
x
4
6
a
4
x
2
a
4
ψ
3
(
x,y
)
=
+
+
12
a
6
x
−
4
y
(
x
6
5
a
4
x
4
20
a
6
x
3
5
a
4
x
2
(
a
4
+
8
a
6
))
ψ
4
(
x,y
)
=
+
+
−
−
4
a
4
a
6
x
−
ψ
m
+
2
(
x,y
)
ψ
m
(
x,y
)
3
ψ
m
−
1
(
x,y
)
ψ
m
+
1
(
x,y
)
3
,
(
m
ψ
2
m
+
1
(
x,y
)
=
−
≥
2)
2
y
ψ
m
(
x,y
)(
ψ
m
+
2
(
x,y
)
,ψ
m
−
1
(
x,y
)
2
−
1
ψ
2
m
(
x,y
)
=
ψ
m
−
2
(
x,y
)
ψ
m
+
1
(
x,y
)
2
)
,
(
m
≥
3)
.
Lemma 9.8.5
Let E be an elliptic curve in short Weierstrass form over
k
with
char(
k
)
=
2
.
Let m
∈ N
. Then ψ
m
(
x,y
)
∈ k
[
x,y
]
.Ifm is odd then ψ
m
(
x,y
)
is a polynomial in x
mx
(
m
2
−
1)
/
2
only and ψ
m
(
x,y
)
=
+···∈k
[
x
]
.Ifm is even then ψ
m
(
x,y
)
=
yh
(
x
)
where
mx
(
m
2
−
4)
/
2
h
(
x
)
=
+···∈k
[
x
]
.
Proof
The case
m
=
2 is trivial and the cases
m
=
3 and 4 were done in Exercises
9.8.2
and
9.8.3
. The rest are easily proved by induction.
Theorem 9.8.6
Let E be an elliptic curve in short Weierstrass for
m
over
k
with
char(
k
)
=
2
,
3
. Let m
∈ N
and ψ
m
(
x,y
)
as above. Then P
=
(
x
P
,y
P
)
∈
E
(
k
)
satisfies
[
m
]
P
=
O
E
if and only if ψ
m
(
x
P
,y
P
)
=
0
. Furthermore, there are polynomials A
m
(
x
)
∈ k
[
x
]
and
B
m
(
x,y
)
∈ k
[
x,y
]
such that
A
m
(
x
)
.
ψ
m
(
x,y
)
2
,
B
m
(
x,y
)
[
m
](
x,y
)
=
ψ
m
(
x,y
)
3
Proof
This can be proved in various ways: Section 9.5 of Washington [
560
] gives a proof for
elliptic curves over
and then deduces the result for general fields of characteristic not equal
to 2, Charlap and Robbins [
119
] give a proof (Sections 7 to 9) using considerations about
divisors and functions, other sources (such as Exercise 3.7 of [
505
]) suggest a (tedious)
verification by induction.
C
9.9 Endomorphism structure
The aim of this section is to discuss the structure of the ring End
k
(
E
). Note that
Z ⊆
End
k
(
E
)
and that, by Lemma
9.6.11
,End
k
(
E
) is a torsion-free
Z
-module. For an isogeny
φ
:
E
→
E
and an integer
m
φ
.
To understand the endomorphism rings of elliptic curves one introduces the
Tate module
T
l
(
E
). This is defined, for any prime
l
∈ Z
we write
mφ
for the isogeny [
m
]
◦
), to be the inverse limit of the groups
E
[
l
i
]
=
char(
k
