Cryptography Reference
In-Depth Information
In the first case,
a
6
= 0 (otherwise the curves
would be singular). If
P
=(
x, y
) is a point of order 2, then the tangent at
P
must be vertical, which means that the partial derivative with respect to
y
must vanish. In case I, this
mea
ns that
x
= 0. S
ubs
titute
x
= 0 into (I)
= 0 and in the second case,
a
3
to obtain 0 =
y
2
+
a
6
=(
y
+
√
a
6
)
2
. Therefore (0
,
√
a
6
) is the only point of
order 2 (square roots are unique in characteristic 2), so
E
[2] =
{∞,
(0
,
√
a
6
)
}.
As an abstract group, this is isomorphic to
Z
2
.
In case II, the partial derivative with respect to
y
is
a
3
= 0. Therefore,
there is no point of order 2, so
E
[2] =
{∞}.
We summarize the preceding discussion as follows.
PROPOSITION 3.1
Let
E
be an elliptic curve over a field
K
.Ifthe characteristicof
K
is not 2,
then
E
[2]
Z
2
⊕
Z
2
.
If the characteristicof
K
is2,then
E
[2]
0
or
Z
2
.
Now let's look at
E
[3]. Assume first that the characteristic of
K
is not 2
or 3, so that
E
can be given by the equation
y
2
=
x
3
+
Ax
+
B
.Apoint
P
satisfies 3
P
=
P
. This means that the
x
-coordinate
of 2
P
equals the
x
-coordinate of
P
(the
y
-coordinates therefore differ in sign;
of course, if they were equal, then 2
P
=
P
, hence
P
=
∞
ifandonlyif2
P
=
−
∞
). In equations, this
becomes
where
m
=
3
x
2
+
A
2
y
m
2
−
2
x
=
x,
.
Using the fact that
y
2
=
x
3
+
Ax
+
B
, we find that
(3
x
2
+
A
)
2
=12
x
(
x
3
+
Ax
+
B
)
.
This simplifies to
3
x
4
+6
Ax
2
+12
Bx − A
2
=0
.
6912(4
A
3
+27
B
2
)
2
, which is nonzero.
Therefo
re
the polynomial has no multiple roots. There are 4 distinct values
of
x
(in
K
), and each
x
yields two values of
y
, so we have eight points of order
3. Since
The discriminant of this polynomial is
−
is also in
E
[3], we see that
E
[3] is a group of order 9 in which
every element is 3-torsion. It follows that
∞
E
[3]
Z
3
⊕
Z
3
.
Search WWH ::
Custom Search