Undergraduate Research Opportunity Programme in Science

CURVES FOR THE ELLIPTIC CURVE CRYPTOSYSTEM

TEO KAI MENG

A P XING CHAOPING

Department of Mathematics National University of Singapore Academic Year 2000 2001

Acknowledgement

I would like to express my heartfelt thanks to A/P Xing Chaoping for his guidance and advice throughout the course of this UROPS project. I am also grateful to Angeline Tay for her continuous support and encouragement. I thank Javen Gwee and the Special Programme in Science for the aids provided for my computations.

Abstract

In 1985, Neal Koblitz and Victor Miller independently introduced the elliptic curve cryptosystem as another alternative public key cryptosystem. Its security relies on the difficulty of the elliptic curve discrete logarithm problem that allows the delivery of the highest strength per bit of all previously known public key cryptosystems. The security level is determined by the size and structure of the group of rational points lying on an elliptic curve defined over a finite field. In this project, we use two methods to search for curves for the elliptic curve cryptosystem. The first method involves the definition of an elliptic curve over a number field and then its reduction modulo prime ideals. The second method defines an elliptic curve over a small finite field and then considers it over extensions of the small field. Results show that both methods are effective in searching for a suitable elliptic curve for the cryptosystem. Two mathematical programming packages, Mathematica and UBASIC, are used to perform all required numerical computations.

ii

Contents

Acknowledgement

Abstract

ii

Chapter 1. Introduction

Chapter 2. Mathematical Background

2.1 Basic Algebra 2.2 Projective Coordinates 2.3 Definition of an Elliptic Curve 2.4 Group Law of an Elliptic Curve 2.5 Elliptic Curve Discrete Logarithm Problem

5
5 7 9 12 15

Chapter 3. The Elliptic Curve Cryptosystem

3.1 Information Security and Cryptography 3.2 Private Key Cryptosystems 3.3 Public Key Cryptosystems 3.4 Elliptic Curve Cryptosystem

18
18 19 20 21

Chapter 4. The First Method of Curve Searching

4.1 Method I 4.2 Reduction of Elliptic Curves

24
24 25

iii

4.3 Numerical Computations 4.4 Discussion of Results

29 34

Chapter 5. The Second Method of Curve Searching

5.1 Method II 5.2 Elliptic Curves Over Finite Field Extensions 5.3 Numerical Computations 5.4 Discussion of Results

39
39 40 43 46

Appendix A. Programming Codes for Numerical Computations

49

Appendix B. Tables and Figures

59

Appendix C. Running Times of Algorithms

73

References

74

iv

Chapter 1. Introduction

Cryptography is the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication and data origin authentication [12]. The history of cryptography is long and fascinating, and a very significant turning point came in 1976 when two researchers from Stanford, Whitfield Diffie and Martin Hellman, published their paper New Directions in Cryptography. In that paper, they introduced the revolutionary concept of public key cryptography.

Since then, many public key cryptosystems have been proposed. Each of these systems relies on a difficult mathematical problem for its security. None has been proven to be intractable, that is, difficult to solve in an efficient manner. However, they are generally believed to be intractable because years of intensive studies carried out by leading mathematicians and computer scientists have failed to yield efficient algorithms for solving them [3]. Therefore, in practice, they remain intractable with the current computational technology available. The longer it takes to derive the key with the best known algorithm for a problem, the more secure a public key cryptosystem based on that problem is.

Presently, there are only three classes of public key cryptosystems that are considered to be both secure and efficient. They are classified below according to the mathematical problem on which they are based. 1. Integer factorization systems. 2. Discrete logarithm systems. 3. Elliptic curve discrete logarithm systems.

Elliptic curves are algebraic curves that have been studied by many mathematicians since the seventeenth century. In 1985, Neal Koblitz and Victor Miller independently proposed public key cryptosystems using the group of points on an elliptic curve. The elliptic curve cryptosystem (ECC) was thus created. Since then, numerous researchers and developers have spent years researching the strength of ECC and improving techniques for its implementation. Today, it offers those looking for a smaller and faster public key cryptosystem, a practical and secure technology, even for the most constrained environments.

The elliptic curve cryptosystem delivers the highest strength per bit of any known public key cryptosystem because of the difficulty of the hard problem upon which it is based the elliptic curve discrete logarithm problem (ECDLP). The fundamental advantage that ECC has over systems that are based on the multiplicative group of a finite field is the absence of a subexponential-time algorithm that is able to find discrete logarithms in these elliptic curve groups generally [10]. Consequently, one can use an elliptic curve group that is smaller in size with the same level of security maintained. The outcomes are smaller key sizes, bandwidth savings and faster implementations. Such characteristics are particularly attractive for security applications where computational power and integrated circuit space are limited. Smart cards and wireless devices are two such examples. Cryptography companies such as Certicom Corporation have already implemented ECC for some of these commercial purposes.

Currently, there exist three known attacks on ECC in some special cases, namely, the Pollard -attack, the Semaev-Smart-Satoh-Araki attack and the MOV reduction attack. We shall elaborate on these situations in the next chapter. Therefore, it is only logical that each particular ECC is constructed with the ability to withstand these potential attacks, so that the required level of security is guaranteed for the commercial users. With this in mind, we shall search for elliptic curves that are deemed suitable for use by ECC in this project.

In one of his books [9], Koblitz has stated three methods by which an appropriate elliptic curve can be chosen so as to construct a secure ECC. Out of these three methods, we have chosen to focus on the first two. For the first technique, we choose an elliptic curve defined over the field of rational numbers and then reduce it modulo a prime number such that the resulting curve over the finite field is able to resist the potential attacks. As for the second technique, we start with an elliptic curve E defined over the finite field curve over any extension field

qr

of

q.

Then E can be viewed as an elliptic

q.

The key problem in both cases is the determination of

the number of rational points on the defined elliptic curve.

Throughout this project, there were many numerical computations being carried out. All these calculations were facilitated by the use of two readily available mathematical software packages: Mathematica and UBASIC. These two packages are chosen because they allow the handling of large numbers of arbitrary precision that are required for this project. In addition, UBASIC has an edge over Mathematica because of its high-speed operations that are made possible by the fact that it is encoded in assembly language. The codes of the algorithms written for this project are included in this report with the necessary explanations. While built-in functions of these mathematical software packages were used as required to perform all the numerical computations and primality testing, we note that the algorithms that were written need not be the most efficient. Efficiency, however, was not one of the primary objectives of this project.

In the next chapter, we shall elaborate on the mathematical background required for this project. It includes the definition of an elliptic curve, the group structure and arithmetic of the rational points on an elliptic curve and a discussion on the elliptic curve discrete logarithm problem. In Chapter 3, we give an introduction to the mechanism of the elliptic curve cryptosystem with an example. The next two chapters explain the search for suitable elliptic

curves in full details, the first method in Chapter 4 and the second in Chapter 5. In each of these chapters, we state and explain briefly the theorems on which the computations were based upon. Then we go on to the step-by-step explanations of all the computations carried out. We conduct an analysis and discussion of the results obtained at the end of each chapter. Appendix A contains all the programming codes constructed for both methods of curve searching, while Appendix B records all the data computed. Appendix C defines some basic terminologies on the running times of algorithms.

Chapter 2. Mathematical Background

In this chapter, we shall present some of the basic concepts on the subject of elliptic curves. In particular, we will define the equation of an elliptic curve over a field and state the addition law of the group of points on an elliptic curve. Note that in all situations, detailed explanations, derivations and proofs of theorems will not be provided here. Instead, we shall recommend the appropriate references to the reader. We refer mainly to [6], [7], [9] and [17].

2.1 Basic Algebra

We provide here the essential algebraic terminologies and concepts required for the understanding of the studies on elliptic curves.

Definition 2.1. A nonempty set of elements G is said to form a group (G, ) if in G there is defined an operation, called the product and denoted by , such that 1. a, b G implies that ab G (closure). 2. a, b, c G implies that a(bc) = (ab)c (associative law). 3. There exists an element e G such that ae = ea = a for all a G (the existence of an identity element in G). 4. For every a G there exists an element a-1 G such that a a-1 = a-1a = e (the existence of inverses in G).

Definition 2.2. A group G is said to be abelian (commutative) if ab = ba for all a, b G.

Definition 2.3. A field is a nonempty set of elements multiplication , such that 1. ( , +) is an abelian additive group.

with two operations, addition + and

2. ( \{0}, ) is an abelian multiplicative group, where 0 denotes the additive identity element. 3. The distributive laws hold in .

From now on,

elements of , unless otherwise stated.

will always denote a field and

will denote the group of nonzero

Definition 2.4. The characteristic of

, denoted by char( ), is defined to be the smallest

positive integer p such that pa = 0 for all a . If such an integer does not exist, char( ) is zero.

Definition 2.5. A finite field for a prime p,

is a field that has a finite number q of elements. In particular,

is the field of equivalence classes of integers modulo p and thus has a finite

number p of elements.

Definition 2.6. A field

is said to be an extension of

if


contains .

Definition 2.7. The ring of polynomials [x] in x over

f ( x) = a0 + a1 x +

+ an x n , n

0, ai

is the set of all formal expressions

for all i = 0, 1, , n.

Definition 2.8. Let f(x) deg f(x), is n.

[x]. If f(x) 0 and an 0, then the degree of f(x), written as

Definition 2.9. has a root in .

is said to be algebraically closed if for every f(x) [x] of deg f(x)

1, f(x)

2.2 Projective Coordinates

Definition 2.10.

The affine plane

is the usual plane,

 (
2

) = {(x, y) | x, y }.

Definition 2.11.

Define an equivalence relation on the triples over , not all components zero,

as follows: ( X , Y , Z )

( X ,Y , Z )

if and only if ( X , Y , Z ) = ( X , Y , Z ) for some

*.

Then each equivalence class (X, Y, Z) is called a projective point and the numbers X, Y, Z are called the homogeneous coordinates of that point.

Definition 2.12.

The projective plane

 (
2

) over

is the set of all projective points.

 (
2

) =

{( X , Y , Z ) : X , Y , Z not all zero }

Definition 2.13.

A direction is an equivalence class of parallel lines in

collection of all lines parallel to a given line in

 (
2

 (
2

), that is, a

).

 ( ) is parallel to a unique line passing through the origin. Thus, the set of all directions in  ( ) is described by the points (A, B) of the projective line  ( ), where each (A, B) corresponds to the line Ay = Bx. For A, B not both zero, ( A, B )  ( A, B ) if and only if ( A, B ) = ( A, B ) for some 0  .
the origin, since every line in
2 2 1

The set of all directions can be described as the set of all lines in

 (
2

) passing through

Definition 2.14.

The projective line

is, the set of all directions in

 (
2

 (
1 2

) over

is the set of equivalence classes (A, B), that

).

As such, the projective plane

 (

) can also be defined as

 (
2

)=

 ( )   (
2 1

).

Definition 2.15.

The set of extra points in

 (
2

) associated to the directions in

( ) are

called points at infinity, denoted by the line L called the line at infinity.

The following maps show how to identify the two definitions of the projective plane:

{( X , Y , Z ) : X , Y , Z not all zero }

For each projective point (X, Y, Z) in

 (
2

( )

 "  (
1

) with Z 0, we can divide throughout by Z to yield

(x, y, 1) where x = X/Z and y = Y/Z. This process is called dehomogenization with respect to Z. (The reverse process is called homogenization.) Then there is a one to one correspondence between the point (x, y, 1)

 (
2

) and the point (x, y) X Y , Z Z

( ). In other words, for Z 0,

( X ,Y , Z ) #

X Y , ,1 = ( X , Y , Z ) . Z Z

The remaining points with Z = 0, the points at infinity, then corresponds to a copy of

$ (%
1

).

Therefore, a line L in

$ (%
2

) is made up of a line in

& (%
2

) and the point at infinity

corresponding to its direction. The intersection of L and L is the point at infinity. The intersection of two parallel lines in direction.

& (%
2

) is the point at infinity corresponding to their common

2.3 Definition of an Elliptic Curve

Let

'

be an algebraically closed field. We write the affine plane

( ('
2

) as

'

for short.

Definition 2.16. the affine plane

'

Let C [X, Y] be an irreducible polynomial. Then the set of zeros of C in

2

'

is an affine plane curve over , that is, {(x, y)

'

'

| C(x, y) = 0}.

From now on, for notational convenience, we shall denote a curve by the same symbol as the polynomial that defines it. It will be called the curve define by C, the curve with equation C or the curve C.

Definition 2.17.

Let C be a curve and P be a point (x, y) on C. Then P is a singular point on C

if both partial derivatives vanish at P. A curve with at least one singular point is a singular curve; otherwise it is a non-singular curve.

Definition 2.18.

An affine Weierstrass equation C over

'

is an equation of the form (1)

C : Y 2 + a1 XY + a3Y = X 3 + a2 X 2 + a4 X + a6 , where a1, a2, a3, a4, a6 .

'

Definition 2.19.

An elliptic curve E is a curve defined by a non-singular Weierstrass equation E : Y 2 + a1 XY + a3Y = X 3 + a2 X 2 + a4 X + a6 , (2)

where the following two equations

a1Y = 3 X 2 + 2a2 X + a4 ,

2Y + a1 X + a3 = 0

(3)

cannot be satisfied simultaneously by any point (x, y) on the curve E.

At first, one may think that the way the subscripts of the coefficients in (1) and (2) are labeled is weird. But it is often said that X has degree 2 and Y has degree 3 because of the following: for large X, the curve extends to infinity much like the function Y = X3/2, which can be parametrized by X = T2 and Y = T3. The subscripts of the coefficients in (1) and (2) therefore indicate the degrees that must be given to the coefficients in order that the equations are homogeneous; that is, each term has a total degree of 6.

Here, we define an important quantity related to E, namely, the discriminant of E. Its original form in the general case may look very complicated, but in specific cases, it will look much simpler. The theorem that follows relates its significance.

Definition 2.20.

is called the discriminant of E and it is given by

= b22b8 8b43 27b62 + 9b2b4b6 ,

where b2 = a12 + 4a2 b4 = 2a4 + a1a3
2 b6 = a3 + 4a6 2 2 b8 = a12 a6 + 4a2 a6 a1a3 a4 + a2 a3 a4

(4)

Theorem 2.1. A cubic curve defined by a Weierstrass equation is singular if and only if its discriminant

is zero.

For a proof of the above theorem, see [6].

If we apply the process of homogenization to (2), we obtain the homogeneous equation Y 2 Z + a1 XYZ + a3YZ 2 = X 3 + a2 X 2 Z + a4 XZ 2 + a6 Z 3 . Substituting Z = 0, we have X3 = 0, which implies X = 0. The only equivalence class of triples with X = 0 = Z is the class of [0, 1, 0].

10

Definition 2.21.

The point of intersection of the y-axis with the line at infinity, given by the

equivalence class of [0, 1, 0], is called

We shall see that this point of infinity elliptic curve group.

actually serves as the identity element of the

Definition 2.22.

denote the set of -points (x, y)

, then E( ) denotes the set of

A rational point on an elliptic curve E over

that satisfy (2), along with

-points (x, y)

is called a -point. Let E( ) . If

is any extension field of

that satisfy (2), along with

Next, we look at the possible different forms of the equation of an elliptic curve E under different characteristics of the defining field

. The objective is to get a simpler form of the

defining equation. We split it into 3 cases: char( ) 2 or 3, char( ) = 3 and char( ) = 2. The corresponding admissible change of variables will be given in each case.

1. Char( ) 2, 3: If char( ) 2, complete the square on the left hand side of (2) and the corresponding admissible change of variables ( X , Y )

( X , Y ( a X + a )) transforms E into
1 2 1 3

X 2 + a4 X + a6 . E : Y 2 = X 3 + a2

(5)

Further, if char( ) 3, a similar process can be carried out on the right hand side of (2) to eliminate the X2 term. The transformation ( X , Y )

a , Y ) yields from (5) (X 1 3 2 (6)

X + a6 . E : Y 2 = X 3 + a4

2. Char( ) = 3:

0 , the transformation ( X , Y ) If a2

- (X +

a4 a2

, Y yields from (5)

11

X 2 + a6 . E : Y 2 = X 3 + a2 = 0 , then from (5), we immediately have the desired form If a2

X + a6 . E : Y 2 = X 3 + a4

(7)

(8)

3. Char( ) = 2: Case 1. The supersingular case, a1 = 0: The substitution ( X , Y )

( X + a2 , Y ) eliminates the X2 term to yield from (2)

(9)

Y = X 3 + a4 X + a6 . E : Y 2 + a3 Case 2. The nonsupersingular case, a1 0: The substitution ( X , Y )

0 (a X +
2 1

a3 a1

4 + a3 , a13Y + a1 aa 3 2 1

) transforms (2) into

(10)

X 2 + a6 . E : Y 2 + XY = X 3 + a2

2.4 Group Law of an Elliptic Curve

In what follows, we shall define the operation of addition in the group of points on an elliptic curve E over a field . We deal with the case where the characteristic of

first. For simplicity, we look at elliptic curves defined over the real number field .

is not 2 or 3

Definition 2.23.

Let E be an elliptic curve defined over the field of real numbers

with its

equation given by (6), E : Y 2 = X 3 + aX + b , a,b

(11)

Let P and Q be two points on E. We state the following rules that determine the negative of P and the sum P + Q:

12

1. If P is the point at infinity Q. Thus,

3 4

, then define P to be

. For any point Q, define

serves as the additive identity of the group E( ). From now on, we suppose that .

+ Q to be

neither P nor Q is the point

2. The negative P is the point with the same x-coordinate as P but with negative y-coordinate; that is, (x, y) = (x, y). From (11), it is clear that if (x, y) is on the curve, then so is (x, y). If Q = P, then define P + Q to be

3. If P and Q have different x-coordinates, then the line l = PQ intersects the curve at exactly one more point R (if l is tangent to the curve at P or Q, then take R = P or Q respectively). For a proof, see [9] or [17]. Define P + Q to be R, that is, the mirror image of the third point of intersection with respect to the x-axis. 4. For the last case where P = Q, let l be the tangent line to the curve at P and let R be the only other point of intersection of l with the curve. Define 2P = R. (If l has a double tangency at P, that is, if P is a point of inflection, then let R = P.)

In short, the above set of rules can be stated as follows: the sum of the three points where a line intersects the curve is zero. That is, on the line l defined above, P + Q + R =

. It can be

shown that this definition of addition makes the set of points on E into an abelian group. For a proof, see [6], [9] or [17].

Next, we state the expression of the resulting sum of two points on E explicitly. For a detailed derivation, see [6], [9] or [17]. Let P = (x1, y1), Q = (x2, y2) and P + Q = (x3, y3).

1. Char( ) 2, 3: x3 = 2 x1 x2 ,

y3 = y1 + ( x1 x3 ) ,

(12)

where =

y2 y1 3x 2 + a if P Q and = 1 if P = Q. x2 x1 2 y1

13

2. Char( ) = 3, a1 = a3 = 0 in (2) but a2 is not necessarily zero: E : Y 2 = X 3 + a2 X 2 + a4 X + a6 . x3 = 2 a2 x1 x2 , where = y3 = y1 + ( x1 x3 ) , (13) (14)

y2 y1 3 x 2 + 2a2 x1 + a4 if P Q and = 1 if P = Q. x2 x1 2 y1

3. Char( ) = 2, a3 = a4 = 0 in (2) but a1 is nonzero and may be assumed to be 1:

E : Y 2 + XY = X 3 + a2 X 2 + a6 .

(15)

If P Q, y + y2 y1 + y2 x3 = 1 + x1 + x2 + a2 , + x1 + x2 x1 + x2 If P = Q, x3 = x12 + a6 , x12 y y3 = x12 + x1 + 1 x3 + x3 . x1 (17)

2

y + y2 y3 = 1 ( x1 + x3 ) + x3 + y1 . x1 + x2

(16)

4. Char( ) = 2, a1 = a2 = 0 in (2) but a3 is nonzero: E : Y 2 + a3Y = X 3 + a4 X + a6 . If P Q, y + y2 x3 = 1 + x1 + x2 , x1 + x2 If P = Q, x3 =

2 x14 + a4 , 2 a3
2

(18)

y + y2 y3 = 1 ( x1 + x3 ) + y1 + a3 x1 + x2

(19)

x 2 + a4 y3 = 1 ( x1 + x3 ) + y1 + a3 . a3

(20)

14

2.5 Elliptic Curve Discrete Logarithm Problem

The security of the elliptic curve cryptosystem is based on the apparent intractability of the elliptic curve discrete logarithm problem [10]. Let us state it formally as the following:

Given an elliptic curve E defined over a field

and a point Q E( q), determine the integer l, 0 l n 1, such that Q = lP, provided that such an integer exists.

q,

a point P E( q) of order n

As mentioned earlier, there are basically three situations whereby ECC may be attacked. That is equivalent to saying that the level of difficulty of solving the ECDLP may be lowered. These are precisely the situations that ECC must avoid in order that its security level is ensured. Below is a discussion of these three attacks.

The PohligHellman algorithm reduces the determination of l to the determination of l modulo each of the prime factors of n. Therefore, to achieve the maximum possible security level, n should be prime. To date, the fastest algorithm for solving ECDLP is the Pollard method, as modified by Gallant, Lambert and Vanstone, and Wiener and Zuccherato, which takes about
n 2

steps, where each step is an elliptic curve addition. In addition, Van Oorschot

and Wiener showed how the Pollard -method can be parallelized so that if r processors are used, the expected number of steps by each processor before a single discrete logarithm is obtained is
n 2r

. For elliptic curves E defined over a subfield

-method for ECDLP in E(

2l

of

2m

, the parallelized Pollard

nl m 2r

2m

) can be sped up to an expected running time of

Definition 2.24. Denote the cardinality of a set S by #S. An elliptic curve E over be prime-field-anomalous if #E( p) = p.

is said to

15

Semaev, Smart and Satoh and Araki independently showed how to efficiently compute an isomorphism between E( p), where E is a prime-field-anomalous curve, and the additive group of

p.

This gives a polynomial-time algorithm for the ECDLP in E( p).

Menezes, Okamoto and Vanstone (MOV) used the Weil pairing on an elliptic curve E to embed the group E( q) in the multiplicative group of the field

reduces the ECDLP in E( q) to the discrete logarithm problem (DLP) in condition for E( q) to be embedded in

qr

for some integer r. This

qr

is that n divides qr 1. In

qr

. A necessary

qr

, it is possible to use a

version of the index-calculus algorithm with subexponential running time

r exp (c + o(1) ) (log q ) 1 3

(log log q )
r

No algorithm with this running time is known for odd q and r > 1, but we take the optimistic supposition that this time estimate is the complexity of the discrete logarithm problem in

qr

for all q and r > 1. Note that r must be less than log2 q, since otherwise the index-calculus algorithm for

qr

will take fully exponential time. For the very special class of supersingular

curves (See Definition 2.25.), the MOV reduction gives a subexponential-time algorithm for the ECDLP as it is known that r 6. However, a randomly generated elliptic curve has an exponentially small probability of being supersingular and for most randomly generated elliptic curves, r > log2 q.

Definition 2.25. An elliptic curve E over

is said to be supersingular if #E( q) = q + 1 a,

where a2 = 0, q, 2q, 3q, or 4q. Otherwise E is non-supersingular [10].

Stating it more explicitly, by an appropriate elliptic curve, we mean an elliptic curve E defined over a finite field

satisfying the following conditions:

16

1. To resist the Pollard -attack, #E( q) should be divisible by a sufficiently large prime number n.

2. To resist the Semaev-Smart-Satoh-Araki attack, #E( q) should not be equal to q. 3. To resist the MOV reduction attack, n should not divide qr 1 for all 1 r C, where C is large enough so that it is computationally infeasible to find discrete logarithms in

qC

17

Chapter 3. The Elliptic Curve Cryptosystem

In this chapter, we describe the need for cryptography and its two different classes, namely, private and public key cryptography. Following that is a detailed description of ECC.

3.1 Information Security and Cryptography

Information security refers to the prevention of unauthorized use of data [2]. Unauthorized use of information may take the form of disclosure, substitution, alteration or destruction. Information security may also be defined as the provision of the following services: 1. Confidentiality concealment of data from unauthorized parties. 2. Integrity assurance of genuineness of data. 3. Availability efficient functionality of the system after security provisions are in place.

Of all the methods that have been suggested to provide information security, only cryptography offers the highest level of security and flexibility. In the simplest terms, cryptography transforms data from one format to another modified form such that the data is unintelligible to unauthorized parties or that the data cannot be tampered with. The following are the goals of cryptography in more specific definition: 1. Confidentiality concealment of data from all but authorized parties. 2. User Authentication assurance of the identities of the parties involved. 3. Data Origin Authentication assurance of the source of messages. 4. Data Integrity assurance that unauthorized parties do not modify the data. 5. Non-repudiation binding of an entity to a transaction in which it is involved.

18

We define here some commonly used terms that are required for our discussions.

Definition 3.1. A plaintext is a user-readable meaningful message or data, while a ciphertext is an unintelligible modified form of the plaintext.

Definition 3.2. Encryption refers to the process of transformation of a plaintext into a ciphertext with respect to a key. A key is simply the defining function characteristic of a cryptosystem. Decryption is the process of transformation of a ciphertext back into its corresponding plaintext, that is, the inverse of encryption.

From this point on, let ciphertext and

denote the set of all possible plaintext,

<

the set of all possible

the set of all possible keys [11]. As in most texts, we shall adopt two people,

Alice and Bob, in our illustrations.

3.2 Private Key Cryptosystems

Definition 3.3. A private key cryptosystem, or symmetric key cryptosystem, consists of a family of pairs of functions Ek : m

and k

> ? @ ,D :@ ? A
k

,k

, such that Dk ( Ek ( m )) = m for all

To use a particular private key cryptosystem, Alice and Bob agree initially upon a secret key k

, by physically meeting for example [11]. If Alice wants to send Bob a message m

, she sends the ciphertext c = Ek ( m ) to Bob. Bob then recovers m by applying the decryption

function Dk. It should be infeasible for an eavesdropper who sees c to determine the message m or the key k.

19

3.3 Public Key Cryptosystems

Definition 3.4. A one-way function f :

C D E

is an injective function such that for each m

it takes polynomial time to compute f(m), while for most c

it requires exponential time

to compute f 1(c).

Definition 3.5.

A one-way function f :

C D E

is said to be a trapdoor one-way function

(TOF) if there exists some extra information with which f can be efficiently inverted. This extra information is called the trapdoor.

Definition 3.6. A public key cryptosystem, or asymmetric key cryptosystem, consists of a family fk :

C D E ,kF

, of trapdoor one-way functions.

Given a particular public key cryptosystem, Alice selects a random k

and publishes

the encryption algorithm Ek for computing fk in a public directory. Ek is Alices public key and the trapdoor t(k) that inverts fk is her private key. When Bob wants to send Alice a message m

, he looks up her public key Ek in the directory and sends fk(m) to her. Since only Alice has

her private key t(k) to invert fk, only she can recover the message m. Note that Alice and Bob no longer need to meet up physically to exchange keys secretly. It is computationally infeasible to determine the private key t(k) given the public key or the ciphertext.

20

3.4 Elliptic Curve Cryptosystem

Since its introduction in 1985, there had been several variations of the elliptic curve cryptosystem being proposed. In fact, they are analogs of the existing encryption schemes. There are elliptic curve analogs of public key cryptosystems such as the ElGamal encryption that are based on the discrete logarithm problem. There are two further classifications of these elliptic curve analogs: one requires the finite field to have odd characteristic, while the other is defined over fields of characteristic 2. There are also elliptic curve analogs of the RSA cryptosystem. At this juncture, we shall only introduce the elliptic curve analog of the ElGamal encryption scheme: the Elliptic Curve Encryption Scheme (ECES).

Let E be an elliptic curve of the form of (11) defined over the integers , that is,

E : Y 2 = X 3 + aX + b ,
Let p be a large prime number such that

a,b .

(21)

of E given by (21) is 16 ( 4a 3 + 27b 2 ) . Thus, it requires that 16 ( 4a 3 + 27b 2 ) / 0 (mod p ) .

of E is not divisible by p. The discriminant

(22)

Let #E denote the number of points (x, y) lying on E, x, y may be given by,
p 1 i 3 + ai + b # E = 1 + 1 + , p i=0

p,

satisfying (21) [10]. #E

(23)

where

( ) here denotes the Legendre symbol for quadratic residues.

s p

Suppose Alice wishes to make use of the Elliptic Curve Encryption Scheme with elliptic curve E and prime p as given above. She carries out the following steps:

21

1. Choose a point P = (xP, yP) on E and an integer n such that 2 n (#E 1). 2. Compute Q = nP = (xQ, yQ) according to the addition law stated in section 2.4. 3. Publish the key (P, Q, p, #E) as the public-key, keeping n secret.

Next, suppose Bob wishes to send a message (x1, x2) to Alice. He carries out the following steps: 1. Choose a random number k, 2 k (#E 1). 2. Perform the following calculations: R = kP

(c1 , c2 ) = kQ ( y1 , y2 ) = (c1 x1 , c2 x2 ) ( mod p )

3. Send the triple (R, y1, y2) to Alice.

(24)

Upon receiving the ciphertext, Alice recovers the message (x1, x2) as follows:

(c1 , c2 ) = nR ( x1 , x2 ) = (c11 y1 , c21 y2 ) ( mod p )

(25)

Example 3.1. Let E be the curve Y = X3 + X + 13 and p = 31. (p is chosen to be arbitrarily small for easy computations.) By (23), #E = 34.

Suppose Alice carries out the following: 1. Choose P = (9, 10) and n = 25. 2. Then Q = 25P = (16, 23). 3. Publish the public-key (P, Q, p, #E) = ((9, 10), (16, 23), 31, 34).

22

Suppose Bob wants to send Alice the message (2, 5) and does the following: 1. Choose k = 11. 2. Then, he has R = kP = 11 (9,10) = (22, 22)

(c1 , c2 ) = kQ = 11 (16, 23) = (23,19) ( y1 , y2 ) = (c1x1 , c2 x2 ) = (23 2,19 5) = (46, 95) (15, 2)
3. Send ((22, 22), 15, 2) to Alice.

(mod 31)

Alice retrieves the original message as follows:

(c1 , c2 ) = nR = 25 (22, 22) = (23,19) ( x1 , x2 ) = (c11 y1 , c21 y2 ) = (231 15,191 2) = (27 15,18 2) (2,5)

(mod 31)

23

Chapter 4. The First Method of Curve Searching

In this chapter, we present the first half of the project where we make use of the first method mentioned in the introduction to search for elliptic curves for the elliptic curve cryptosystem. In short, we are interested in finding elliptic curves defined over finite fields such that the number of rational points on each curve is prime. An elliptic curve cryptosystem that is constructed using curves with such a property can at least resist the Pollard -attack discussed in Section 2.5.

We begin this chapter with a description of the first method of curve searching with reference to [9]. Next, we state the theorems and results that would be required in order to carry out the computations involved. Following that is a step-by-step breakdown of the numerical computations. As mentioned in the introduction, the actual programming codes of the computations in this section will be included in Appendix A, while some representative data computed will be presented in Appendix B. At the end of this chapter, we give an analysis and discussion on this part of the project.

4.1 Method I

Let E be an elliptic curve defined over the field of rational numbers

with an equation

given by (6). In fact, we can always clear all denominators of the coefficients of the equation of E over

so as to arrive at an equation with integer coefficients. Thus, we have E : Y 2 = X 3 + aX + b , a, b .

(26)

This will be the form of the equation of each subsequent elliptic curve in this section.

24

Let p be any odd prime number that does not divide the coefficients or the discriminant of E. Likewise, p will always assume these characteristics in this section. We consider E over

the finite field

by reducing its coefficients modulo p and determine the total number of

rational points lying on the resulting curve, that is, the number of points with coordinates in

p.

Finally, we seek the primality of the quotient of this total number by the number of rational points with finite order on E over

. We will see that this quotient is well-defined. If

this quotient is prime for some large prime p, then we say that E may be selected to construct a particular elliptic curve cryptosystem of reasonable security level, according to the discussion in Section 2.5.

We shall address this first method of curve searching by Method I.

4.2 Reduction of Elliptic Curves

For a start, we need the notion of the order of a rational point on E.

Definition 4.1. Let P be a rational point on an elliptic curve E. If there exists a positive integer m such that mP = P + P +

OQPRPTSUN PV+ PXW P = O ,

m times

then the order of P is m and P is said to be of finite order. If such a positive integer does not exist, then P is said to be of infinite order.

Each elliptic curve E defined over

has its unique set of rational points of finite order

and these points have a very significant role to play in Method I as stated below.

25

Theorem 4.1. The set of rational points of finite order on E over group E( ) of rational points on E.

forms a subgroup of the

Definition 4.2. The subgroup of rational points of finite order on E over

is called the torsion

subgroup of E, denoted by Etors. Each point in this subgroup is called a torsion point.

The following theorem plays a very important role in the computations of the torsion points of E in Method I. Nagell and Lutz discovered it independently in the 1930s. For a proof, see [17].

Theorem 4.2. Nagell-Lutz Theorem. Let P = (x, y) be a torsion point on E. Then x and y are integers. Moreover, y = 0, in which case P has order 2, or else, y divides

We note that the converse statement of Theorem 4.2 need not be true. That is, if (x, y) is a rational point on E with y dividing if and only if statement.

, (x, y) need not be a torsion point. This theorem is not an

For computational purposes, the following stronger form of Theorem 4.2 is useful. We shall see how it helps to reduce the computations required for the determination of the number of torsion points on E.

Theorem 4.3. Let P = (x, y) be a torsion point with y 0. Then y2 divides

The following theorem is a very deep result that states explicitly the possible structure of the torsion subgroup Etors.

26

Theorem 4.4. Mazurs Theorem. Let P be a torsion point of order m on E over 1 m 10 or m = 12. More precisely, Etors takes one of the following two forms: 1. A cyclic group of order N with 1 N 10 or N = 12.

. Then either

2. The product of a cyclic group of order 2 and a cyclic group of order 2N with 1 N 4 .

Let [z] denote the image of the reduction of an integer z modulo p, where p is a prime [17]. To define an elliptic curve E over the finite field p to yield [ E ] : Y 2 = X 3 + [a ] X + [b] , [a], [b]

p,

reduce the coefficients in (26) modulo

p.

(27)

Recall that in order for a cubic curve E over any field to be defined as an elliptic curve, it must be nonsingular. By Theorem 2.1, it requires over

p,

it requires that

to be nonzero. Thus, for an elliptic curve E

is not divisible by p.

Similarly, we can reduce points P on E to obtain points [P] on [E]. If P = (x, y) is a point on E with integer coordinates, then x and y satisfy (26) y 2 = x 3 + ax + b . We can reduce (28) modulo p to obtain [ y ]2 = [ x]3 + [a ][ x] + [b] . (29) (28)

This implies that [P] = ([x], [y]) is a point on [E]. Clearly, this maps the points on E with integer coordinates to points on [E]. We define this map as the following.

Definition 4.3. The reduction modulo p map of Etors P

[E]( p) is defined by

([ x],[ y ]) , if P = ( x, y ). [ P] = [ ], if P = .

(30)

27

The next theorem is another useful theorem on the reduction of elliptic curves that will facilitate the determination of the cardinality of Etors. For a proof, see [8].

Theorem 4.5. Let p be an odd prime that does not divide reduction homomorphism rp : E (

) [ E ]( p ) is one-one.

. Then the restriction to Etors of the

From Theorems 4.1 and 4.5, we are able to derive the following result, which is the main concept in Method I.

Corollary 4.6.

Let denote the quotient below. Then is an integer.

#[ E ]( p ) # Etors

(31)

In Method I, we seek the primality of . For a fixed curve E, if is prime for some large prime number p, then E can be chosen as an elliptic curve for ECC. When is a large prime number, then the Pollard -method algorithm cannot be employed to solve the elliptic curve discrete logarithm problem in less than exponential time. We are aware that caution must be exercised when #Etors = 1. For if = p = #[E]( p) when #Etors = 1, then E is a prime-fieldanomalous curve, even though is prime.

We note here that in [9], one is asked to prove the following conjecture.

Conjecture 4.1. Let E be any fixed elliptic curve over for which is prime.

. There are infinitely many primes p

28

4.3 Numerical Computations

Now, we present the steps involved in the computations of Method I in details.

We aim to select curves from a finite range of elliptic curves E. From the equation of E, in order to create a finite range of curves for consideration, we only have to vary the coefficients a and b. We have chosen to vary them within the following ranges: 0 a 30 and 0 b 100, excluding the case when a = b = 0. Therefore, there are 3130 curves to be considered.

To ascertain whether a given elliptic curve E is suitable for ECC, we need to determine if there exists some large prime p for which is prime. To perform this check, we must know how to compute for a given prime p. From (31), we need to determine #[E]( p) and #Etors in order to compute for a given prime p.

In one of his papers [14], Ren Schoof has presented a deterministic polynomial time algorithm to compute #[E]( q), where q is some power of p. In view of its impracticality in its original form, Atkin and Elkies even made some improvements to this algorithm and it is included in another of Schoofs papers [15]. It appears at first that this algorithm is just the perfect tool that we need for our computation of #[E]( p) here, as we are in the simple case of q = p. However, after several attempts to understand the algorithm, we have no choice but to conclude that we are unable to put it into practice at this level. Hence, we make use of the Legendre method as stated below.

Lemma 4.1. Given an elliptic curve E, #[E]( p) is given by #[ E ] (

) = 1+ g 1 +
x
p

x3 + ax + b , p

(32)

29

where

( i ) denotes the Legendre symbol for quadratic residues, defined by

p

1, if a is a quadratic residue of p, a = 0, if p divides a, p 1, if a is a quadratic nonresidue of p , where a

is such that gcd(a, p) = 1.

Proof. For any x

p,

x is either the x-coordinate of some point P [E]( p) or it is not.

If x is not the x-coordinate of some point, then there does not exist any y

such that

(x, y) satisfies (27). That is to say that x3 + ax + b is not a square of some integer and we have x3 + ax + b x3 + ax + b 1+ = 0, since = 1 , p p resulting in no contribution towards #[E]( p). If x is the x-coordinate of some point P, then there exists y

k m

such that (x, y) satisfies

(27). Thus, x3 + ax + b is a square of y modulo p and p either divides x3 + ax + b or it does not. If p does not divide x3 + ax + b, then y2

0 (mod p) and by taking square roots, we obtain 2 such

values of y, say y1 and y2, yielding two points (x, y1) and (x, y2) on [E]( p). Indeed, we have x3 + ax + b x3 + ax + b 1+ = 2, since = 1. p p If p divides x3 + ax + b, then y2 0 (mod p) and y = 0, resulting in only one point (x, y) on [E]( p), which is consistent with x3 + ax + b x3 + ax + b 1+ = 1, since = 0. p p Finally, we add 1 to #[E]( p) to include the point

and complete the proof.

30

Although the Legendre method is only efficient for very small primes, it still allows us to perform sufficient amount of computations in order to make meaningful observations and conclusions. We have encoded it using Mathematica as Program M1 in Appendix A.

Next, we determine #Etors. In fact, in many cases, this number is equal to 1 [9]. In addition, from Theorem 4.4, we are able to deduce an upper bound for #Etors.

Corollary 4.7.

Given an elliptic curve E over

, the number of torsion points lying on E is

less than or equal to 16, that is, #Etors 16.

We break up the computation of #Etors into two stages. In the first stage, we employ an indirect method to determine if #Etors = 1. This helps to reduce the total amount of computations required. We make use of the following result that can be derived from Corollary 4.6 and the fact that given any 3 integers a, b and c such that a and b are relatively prime and c divides both a and b, then c = 1.

Corollary 4.8.

r of E. If # [ E ](

Let p1 and p2 be two odd prime numbers that do not divide the coefficients or
p1

) and # [E ](

p2

) are relatively prime, then #Etors = 1.

Recall that in the reduction of E modulo p, p is an odd prime that does not divide form the following set of primes:

. We

s
pi, pj

= {First 100 primes} \ {q : q is prime and q |

Using the Legendre method, we compute #[E]( p) sequentially for each prime p , and check if there exist a pair of values # [ E ](

pi

) and # [ E ]( u

pj

) that are relatively prime for two primes

. As soon as we have a hit, we terminate this step and conclude that #Etors = 1. We

choose to perform this computation for the first 100 primes or so because, generally, this range

31

is large enough and quick enough to reveal, if any, at least a pair of values of # [ E ]( relatively prime.

that are

In the actual computations, we perform the step above successively for all the 3130 elliptic curves and compile a list

of all those curves whose #Etors is not deduced to be 1, that

is, there does not exist a pair of primes pi and pj for which the corresponding values of #[E]( p) are relatively prime. This is encoded as Program M2.

With , we come to the second stage of the computation of #Etors. To ascertain the exact value of #Etors for each elliptic curve E, by its definition, we need to determine the number of torsion points. By the contrapositive statement of Theorem 4.2, we only need to check the order of those rational points with integral coordinates.

Corollary 4.9.

Let P = (x, y) be a rational point on an elliptic curve E. If x and y are not both

integers, then P is of infinite order, that is, P is not a torsion point.

To determine all points on E with integral coordinates, from Theorem 4.2, we simply determine all values of y such that y2 divides the determinant

and solve for x by substituting

these values of y into (26). This is done by Program M3. Thus, we obtain a list points P with integral coordinates for each curve E.

of rational

For each of these integral points P

of each E, by Program M4, we determine

whether P has finite or infinite order by computing multiples mP successively until either mP = 0 or mP is not integral for some integer m. If mP = 0, by Definition 4.1, P is a torsion point of order m. If mP is not integral, then P is just a rational point of infinite order. In any

32

case, this stage will not take too long a time, since the maximum possible order for a torsion point is 12 from Theorem 4.4.

Using Program M5, we count the number of torsion points of each curve E including the point at infinity

, we obtain #Etors of all curves in

. By

, and hence #Etors of all the

3130 elliptic curves to be considered. These are recorded in Table 1 of Appendix B. Now, we are ready to carry out the main part of the computations of Method I the determination of the primality of , given E and p.

Due to the limitation of the Legendre method to compute #[E]( p) efficiently for large primes p, we adjust our curves selection criterion as the following.

Conjecture 4.2. Let E1 and E2 be two elliptic curves. For a large enough fixed range of primes p, if the number of cases that 1 is prime is larger than that of 2, then the probability that 1 is prime for some large prime p is higher than that of 2 and thus resulting in E1 being selected over E2.

There are two levels of primality testing of for each of the 3130 elliptic curves, with only a small set

of selected curves going through the second level of computations. We define

the following notion for the convenience of our computations and discussion.

Definition 4.4. For all odd primes p less than N 1000, N

, with p not dividing

, let N

denote the number of cases for which is prime for a given curve E.

Using UBASIC, we design Program U6 to compute N for any N

for any curve E.

For the first level of computation, we determine 10 for each curve E using Program U6 with

33

N = 10 and tabulate the results in Table 2. Next, we select the set

of appropriate curves to be

subjected to the second level of computations in order to investigate Conjecture 4.2. For each curve in , we compute 200 using Program U6 with N = 200 and the results are tabulated in Table 3. In addition, we plot the graph of 10 against 200 for the curves in 1 of Appendix B.

as shown in Figure

Due to the observations made from the collected results of the 3130 curves, 10 and 200 of some additional curves were computed to confirm these observations. These further results are also tabulated in Table 3 and added to Figure 1.

4.4 Discussion of Results

We present the observations that are made from the computed results of Method I and discuss their implications, if any.

Observation 4.1. From Table 1, it is obvious that the possible values of #Etors are only 1, 2, 3, 4 and 6. However, we can only deduce that this only holds for Method I due to the restriction on the coefficients of the equation of E to only nonnegative values. From Theorem 4.4, we know that this is definitely not the case for general equations of elliptic curves.

Observation 4.2. For a large number of the 3130 elliptic curves, #Etors = 1. This is seen clearly from Table 1 and it tallies with what Koblitz has stated in [9]. Out of the 3130 curves, there are only 135 curves (about 4.31 %) whose #Etors is greater than 1.

34

Observation 4.3. From Table 1, for E with b = ak + k3, a and k being non-negative integers, #Etors > 1. In fact, #Etors is even for any such curve E, taking values 2, 4 or 6. This is further verified true for all a 1000 and k = 0, 1, , 5. Moreover, only a very small number of these curves have #Etors = 4 or 6, as contained within Table 3. The remaining of such curves have #Etors = 2. Hence, we have the following proposition.

Proposition 4.1. Let E be an elliptic curve with an equation given by

E : Y 2 = X 3 + aX + (ak + k 3 ) ,
where a, k

(33)

{0}, excluding a = 0 = k. Then #Etors is even.

Proof. Substituting y = 0, we have x 3 + ax + ak + k 3 = 0 x3 + k 3 + a ( x + k ) = 0

2 2 (x + k ) ( x kx + k ) + a =0

Therefore, (k, 0) is a torsion point of order 2. By Lagranges Theorem, the order of a torsion point must divide the order of the torsion subgroup, hence #Etors is even.

Observation 4.4. For E with a = 0, b = k2, k verifies a theorem in [8].

\{1} and k is cube-free, #Etors = 3. This

Theorem 4.11. Let E be an elliptic curve with an equation given by E :Y 2 = X 3 + k2 , where, k \{1} and k is cube-free. Then #Etors = 3. (34)

35

Observation 4.5. For E with a = 0, b = k6, k

curves E1 and E2, #[E1]( p) = #[E2]( p) for any prime p. We have the following explanation.

, #Etors = 6. Moreover, for any two such

Proposition 4.2. Let E be an elliptic curve with an equation given by E :Y 2 = X 3 + k6 , k . Then E is isomorphic to the curve E0 given by E0 : Y 2 = X 3 + 1 . (36)

(35)

Proof. We only have to make the substitutions Y

k 3Y and X

k 2 X to yield

k 6Y 2 = k 6 X 3 + k 6
Y 2 = X 3 + 1 .

Observation 4.6. In Table 2 (shaded boxes), there are several curves with 10 4. Further investigation for the primality of of these curves yields no result. Contrary to the claim by Conjecture 4.1, this appears to suggest that there exist elliptic curves such that there are only a very small number of primes such that is prime. We have no explanation for this observation.

Observation 4.7. From Figure 1, we observe a very interesting relationship between 10 and 200. Instead of having random distributions, there seems to exist corresponding blocks of values of 10 and 200. More precisely, the values of 10 and 200 in Table 3 appear to suggest that if 10 of a given curve E lies within a certain range r, then the corresponding 200 lies within a corresponding range r. Also, if the midpoint of a range r2 is than that of r1, then the midpoint of the corresponding range r2 is higher than that of r1.

36

Observation 4.8. More significantly from Table 3 and Figure 1, we see that the corresponding blocks of values of 10 and 200 are in fact distributed according to the values of #Etors. That is, curves with the same particular value of #Etors will all have 10 and 200 lying in particular fixed ranges. For all curves investigated thus far, it is clear that curves with #Etors = 3 have the highest values of 10 and thus the highest values of 200.

From Observation 4.7, Conjecture 4.2 may just as well be true, at least to a moderate extent. Consequently, we conclude that Conjecture 4.2 is a sufficient criterion for selecting a suitable elliptic curve for the elliptic curve cryptosystem. In other words, given an elliptic curve E, in order to determine its suitability, one only needs to compute 10 and check which range it falls within. The higher the value of 10 is, the higher is the chance of the existence of a large prime number p such that is prime. With the current computing power, this check is extremely fast and convenient, even if the Legendre method of points counting is employed.

In addition, with respect to Observation 4.8, one can also decide the suitability of an elliptic curve by checking the cardinality of its torsion subgroup. From Figure 1, in case that #Etors = 3, then 10 will most likely be of a high value. With the aid of an appropriate algorithm, such as the one encoded within Programs M3, M4 and M5, this computation is as simple as the determination of 10 above.

The main obstacle in the implementation of Method I is the counting of the rational points on an elliptic curve defined over a finite field. To date, the most efficient algorithm to do this is the Schoof-Atkin-Elkies algorithm. However, it is not a trivial matter to encode it as a computer program, which may be why some still say that it is not practical enough in its implementation. In other words, if we can find an improvement to the Schoof-Atkin-Elkies

37

algorithm, then we can definitely have Method I as an effective technique in searching for curves for the elliptic curve cryptosystem.

Looking at the problem from a different perspective and making reference to Observation 4.8, we can begin with a fixed value of #Etors, instead of fixing the curve. There is a deterministic method to construct curves of a specified #Etors as stated in [8]. For instance, if it is true that the probability of the existence of a large prime p such that is prime is higher for curves E with equation (26) and #Etors = 3, we can reduce our problem to the construction of elliptic curves with #Etors = 3.

38

Chapter 5. The Second Method of Curve Searching

In this chapter, we present the remaining part of the project where we make use of the second method of curve searching for the elliptic curve cryptosystem mentioned in the introduction. The key idea is to fix an elliptic curve defined over a small field and then consider it over extensions of the small field.

We begin by presenting a description of the second method, follow by the required theorems and results. The next portion will consist of a detailed explanation of the computations involved. Finally, we analyze the outcomes of the computations and state our conclusions. Similarly, programming codes used in this method are included in Appendix A and computed results are in Appendix B.

5.1 Method II

Let

be a finite field for some q = pn, where p is a prime and n

extension field of

. Let

qr

be an

for some prime r. These two definitions will hold throughout this section.

Define an elliptic curve E given by (2) over # E(

and

qr

. Determine the values of #E( q) and

qr

) , the number of rational points on E with coordinates in

and

qr

respectively.

Finally, determine the primality of defined by

# E( # E(

qr

) . q)

(37)

It will be shown that is an integer in a while. The main objective is to find prime numbers r such that is a large prime. Here, a large prime refers to one that has at least 50 decimal

39

digits. An elliptic curve E that satisfies such a property can be considered for the construction of a secure elliptic curve cryptosystem with reference to Section 2.5.

In [9], the proof of the following conjecture is sought. Similar to Conjecture 4.1, this is still an unsolved problem.

Conjecture 5.1. Given an elliptic curve E as defined above, there exist infinitely many primes r such that is prime.

5.2 Elliptic Curves Over Finite Field Extensions

Theorem 5.1. Given an elliptic curve E defined over Moreover, E( q) is a subgroup of E ( of E (

qr

) , and if s

q,

it is defined over

divides r, then E (

qr

for any r

qs

) is also a subgroup

qr

).

With Theorem 5.1, we immediately deduce that #E( q) divides # E (

qr

).

Corollary 5.2.

In the definition in Section 5.1, is an integer.

Although Theorem 5.1 holds true for any r, s

, the reason for the requirement of r to

be prime in Method II is to increase the probability of being prime [9].

For convenience, we may rewrite # E (

have = Nr N. From these numbers Nr, we obtain the following generating series.

qr

) as Nr with N = N1 = #E( q). Therefore, we

40

Definition 5.1. The zeta-function of an elliptic curve E over Z (E ( where T is an indeterminate [9].

is the formal power series (38)

) ; T ) = e

Nr T r r =1 r

A theorem of Hasse states that (38) can be simplified as follows. For a proof, see [16].

Theorem 5.3. The zeta-function of an elliptic curve E is a rational function of T of the form Z (E (

); T ) =

1 aT + qT 2 , (1 T )(1 qT )

(39)

where only the coefficient a of T in the numerator depends on E as follows: a = q + 1 N. (40)

The discriminant of the quadratic polynomial in the numerator is either negative or zero, that is, a2 4q. Thus, this polynomial has two complex conjugate roots and with absolute value q. (41)

The following corollary is an immediate consequence of the above theorem [9].

Corollary 5.4.

Let Nr and a be defined as above. Let and be the roots of the quadratic

polynomial T2 aT + q. Then we have Nr = r 1 = qr + 1 r r , where | | denotes the usual complex absolute value.
2

(42)

Proof. By substituting (38) into (39), we have

41

e r =1

Nr T r r

1 aT + qT 2 (1 T )(1 qT )

(1 T )(1 T ) N rT r r = ln (1 T )(1 qT ) r =1 = ln(1 T ) + ln(1 T ) ln(1 T ) ln(1 qT ) =

rT r rT r T r q rT r + + r r r r =1 r =1 r =1 r r =1

(using ln(1 cT ) =

c rT r ) r =1 r

Nr = qr + 1 r r

From Theorem 5.3, there is another corollary concerning N = #E( q) that can be derived and is usually named as Hasses Theorem. It states that the size of E( q) does not differ very much from that of the defining finite field

q.

Corollary 5.5.

The number N of

q-points

on E defined over

lies in the interval (43)

q +1 2 q N q +1+ 2 q.

Proof. From (40) and (41), q + 1 N = a 4q .

The next theorem is one that plays a very crucial role in Method II [13]. It is related to Theorem 5.3 by (40) and (41).

Theorem 5.6. Let

be a fixed finite field, where q = pn, p a prime and n . For any elliptic

curve E, all the possible values of N = #E( q) are given by N = q + 1 a, where a is an integer with 2 q a 2 q satisfying one of the following conditions: 1. Gcd(a, p) = 1; 2. If n is even: a = 2 q ; 3. If n is even and p

1 (mod 3): a = q ;

42

4. If n is odd and p = 2 or 3: a = p ( n +1) 2 ; 5. If p

1 (mod 4): a = 0.

5.3 Numerical Computations

Recall that the main objective of Method II is to search for elliptic curves E with the existence of at least one prime number r such that = Nr N is a large prime number for a fixed finite field

q.

Clearly, we need the methods of determining the values of Nr and N for any E and

r. We also require a primality test for the status of , especially when it is large.

From Corollary 5.4, we can determine the value of Nr as soon as the roots and of the quadratic polynomial T2 aT + q are determined. This in turn requires the value of a to be ascertained first. From (40), the value of a depends on the value of N. Hence, we see that we should begin with the determination of the value of N for any elliptic curve E and prime r. However, instead of choosing any random curve E to determine N and then a, we make use of Theorem 5.6. We consider all possible values of a to obtain all possible values of N. This approach is more straightforward and it also exhausts all possible scenarios for each fixed field, as opposed to choosing random curves, which may yield the same value of N.

In this project, we investigate Method II for the fixed finite fields determine what values a, and thus N, can take in each case.

,
2

and

4.

First, we

1.

is the fixed finite field:

We have q = p = 2 2 2 a 2 2 2 a 2, since a is an integer. Next, check if each possible value of a satisfies at least one condition in Theorem 5.6.

43

For a = 1, 1, gcd(a, 2) = 1; For a = 2, 2, since n = 1 is odd and p = 2, a = p(n+1)/2; For a = 0, since p = 2

1 (mod 4).

Therefore, we have a = 2, 1, 0, 1, 2. Consequently, N = q + 1 a = 1, 2, 3, 4, 5.

2.

is the fixed finite field:

We have q = p = 3 2 3 a 2 3 3 a 3, since a is an integer. For a = 2, 1, 1, 2, gcd(a, 3) = 1; For a = 3, 3, since n = 1 is odd and p = 3, a = p(n+1)/2; For a = 0, since p = 3

1 (mod 4).

Therefore, we have a = 3, 2, 1, 0, 1, 2, 3. Consequently, N = q + 1 a = 1, 2, 3, 4, 5, 6, 7.

3.

is the fixed finite field:

We have q = p2 = 22 = 4 2 4 a 2 4 4 a 4, since a is an integer. For a = 3, 1, 1, 3, gcd(a, 2) = 1; For a = 4, 4, since n = 2 is even and q = 4, a = 2 q For a = 2, 2, since n = 2 is even and p = 2 For a = 0, since p = 2

1 (mod 3), a = q ;

1 (mod 4).

Therefore, we have a = 4, 3, 2, 1, 0, 1, 2, 3, 4. Consequently, N = q + 1 a = 1, 2, 3, 4, 5, 6, 7, 8, 9.

Now, we can begin with the actual computations. For each q = 2, 3, 4, the following process is carried out step by step.

44

Step 1: Substitute each value of a into the quadratic polynomial T2 aT + q and solve for the roots and . We make use of Program M7 in Appendix A to solve for the roots and record them in Table 4 in Appendix B.

Step 2: For each N and the corresponding pair of roots, compute = Nr N for the first 400 primes r, using (42) for the calculation of Nr. The aim is to select the cases where is prime. This step is accomplished by Program M8 and the results are tabulated in Tables 5, 6 and 7, according to the respective value of q = 2, 3 and 4.

However, the built-in primality test function PrimeQ in Program M8, though deterministic, uses a procedure that is known to be correct only for integers u < 1016 [18]. (This procedure first tests for divisibility using small primes, then uses the Miller-Rabin strong pseudoprime test base 2 and base 3, and then uses the Lucas test.) Thus, this function may falsely claim a composite number v 1016 to be prime, although it is mathematically proven that all integers that it claims to be composite are genuinely composite. In view that a majority of s computed are greater than 1016, we employ a more powerful primality test that has been justified rigorously to confirm the primality of each of those s for which PrimeQ returns a True. This test is the UBASIC package APRT-CLE, the extended version of the Cohen-Lenstra version of the Adleman-Pomerance-Rumely Test (APR Test) [1], [4], [5].

Step 3: The last step is the construction of the curves for each value of N = #E( q) for each q = 2, 3 and 4. With reference to the objective of Method II, this curves construction is restricted to only those cases where is prime with at least 50 decimal digits. Using (2), #E( q) is determined by exhaustion until all values of N are achieved. The coefficients of (2) are tested with all possible combinations of the elements in

q.

For each set of coefficients, all possible

pairs of coordinates are checked if they satisfy the equation of the curve, so as to add towards

45

#E( q). This is encoded as Program M9 for q = 2 and 3 and as Program M10 for q = 4. In each case, we state the equation of one of the curves in Table 8.

5.4 Discussion of Results

Observation 5.1. From Tables 5, 6 and 7, it is clear that for each

q,

q = 2, 3 and 4, for almost

all corresponding values of N, there exists prime numbers r among the first 400 primes such that

is prime with at least 50 decimal digits. The exceptions are the following cases when q = 4.

1. For N = 9 and a = 4, the roots of T2 + 4T + 4 are the repeated roots = = 2. There does not exist any case for which is prime. It can then be shown that will always be composite for odd primes r. 4r + 1 ( 2 )r ( 2 )r =1 9 2r )2 + 1 + 2r + 2r (since r is odd ) =1 9 ( = =
1 9

2r

+ 1)
2

(44)

( )
2r +1 3

Hence, in this case is always a square that can never be prime. For r = 2, = 1.

2. For N = 8 and a = 3, the roots of T2 + 3T + 4 are

1 2

(3 7i ) and (3 + 7i ) . There are

1 2

only 2 cases for which is prime: r = 2 and 3. Using Mathematica, we factorize for the first 20 primes r in Table 9 and observe that there does not exist any fixed factor of . It appears that for all primes r 5, is composite. However, we are not able to prove it mathematically.

46

3. For N = 5 and a = 0, the roots of T2 + 4 are 2i and 2i. There are also only 2 cases where is prime: r = 2 and 3. For primes r 5, we have 4r + 1 ( 2i ) ( 2i ) =1 5 4r + 1 + ( 2i )r ( 2i )r =1 5
r r

=1 4 + 1) ( 4 ) 5(
i =0

r 1

(45)

= ( 4 )
i =0

r 1

= cr Similarly, we factorize for the first 20 primes r in Table 10 and there does not exist any fixed factor of . Denote the summation in (45) by cr and it is trivial to see that cr = 4k + 1 for some k

. One possible method is to use the converse of Fermats Little Theorem to

prove that cr is composite for r 5. If we can find an integer m such that cr does not divide m and m cr 1 = m 4 k

1 (mod cr = 4k + 1), then cr is composite. There may be some results on

the primality of such summation as cr, but none is known to us at this juncture.

4. For N = 1 and a = 4, the roots of T2 4T + 4 are the repeated roots = = 2. There does not exist any prime r for which is prime. This case is similar to the first case of N = 9 as we only have to replace 2 in the first line of (44) by 2 and 9 by 1 to yield

= ( 2r 1) .
2

(46)

Observation 5.2. Apart from a few s that are still too large an input, all others that PrimeQ claims to be prime are further verified by APRT-CLE to be prime (See Table 5, 6 and 7). This suggests that PrimeQ is quite reliable after all. We shall assume the correctness of the primality of those large not verified by APRT-CLE.

47

Observation 5.3. From Table 8, we see that for each N of each q where there is at least one prime with 50 decimal digits or more, there exists at least one curve E over

#E( q) = N. Hence, we are assured of the existence of the curves required for the construction of the elliptic curve cryptosystem.

such that

The main problem in searching for suitable elliptic curves using Method II is the primality testing of . The remaining steps in the process can be performed within much shorter time given the current computing power. Therefore, with the availability of an appropriate primality test, Method II can be a very effective technique in searching for suitable curves for the elliptic curve cryptosystem. Moreover, such constructions with elliptic curves defined over small finite fields of both even and odd characteristics allow more efficient calculations than those defined over other fields.

48

Appendix A. Programming Codes for Numerical Computations

In this appendix, we present the programming codes that are written to carry out all computations in both Method I and II of this project. The programs that have indices starting with M are written using Mathematica, while those that have indices starting with U are written using UBASIC. At the end of the section, we have also included a glossary of the built-in functions used in these codes.

Program M1 Given E and p, compute #[E]( p).

ECP[a_, b_, p_] := Module[{x}, m = 1 + Sum[1 + JacobiSymbol[Mod[x^3 + a*x + b, p], p], {x, 0, p - 1}]; Print[m]]

Note

1. m = #[E]( p).

Program M2 Given E, determine if #Etors = 1 and sieve out those that cannot be determined for 0 a 30, 0 b 100

CkTors1[a_, b_] := Module[{d, PrmDiv, J, z, K, i}, d = -16*(4*a^3 + 27*b^2); PrmDiv = Select[Divisors[d], PrimeQ]; J = Complement[PrmList, PrmDiv]; ECP[a, b, J[[1]]]; K = {m}; z = 0; Do[{ECP[a, b, J[[i]]]; If[MemberQ[GCD[K, m], 1], {z = 1; Print[{a, b}], Break[]},

49

K = Join[K, {m}]]}, {i, 2, Length[J]}]; If[z == 0, L = Join[L, {{a, b}}]]]

Note

1. d =

2. PrmDiv is a list of prime divisors of

3. PrmList is a list of the first 100 odd primes. 4. J = .

5. K is a list of values of #[E]( p) for different p. 6. z is just an two-state indicator.

Program M3 Given E, determine all integral points satisfying the equation of E.

IntegralPts[a_, b_] := Module[{d, ylist = {0}, R, n, xx, x, y}, Print[{a, b}, " : ", Y^2 == X^3 + a X + b]; d = -16*(4*a^3 + 27*b^2); Print["Discriminant = ", d, " = ", FactorInteger[d]]; ylist = Join[ylist, Select[Sqrt[Divisors[d]], IntegerQ]]; Z = {}; Do[{y = ylist[[j]]; R = FactorList[x^3 + a*x + b - y^2]; n = Length[R]; Do[If[Exponent[R[[k, 1]], x] == 1, {xx = x - R[[k, 1]], Z = Union[Z, {{xx, y}, {xx, -y}}]}], {k, n}]}, {j, Length[ylist]}]; Print["Integral Points : ", Z]]

Note

1. ylist is a list of values of y such that y2 |

2. R is the list of irreducible factors of X3 + aX + b y2 for y ylist.

50

3. n counts the number of elements in R. 4. xx is an integral root of X3 + aX + b y2. 5. Z = .

Program M4 Given an integral point (x, y) of E, determine its order.

Ord[x_, y_, a_] := Module[{x2, y2, x22, y22, x3, y3}, If[y == 0, {Print[{x, y}, " is of order 2."]; t = t + 1; Continue[]}, x2 = ((3*x^2 + a)/(2*y))^2 - 2*x]; If[IntegerQ[x2] == False, Print[{x, y}, " is of infinite order."]; Continue[], y2 = -y + ((3*x^2 + a)/(2*y))(x - x2)]; w = 2; If[x2 == x && y2 == -y, {Print[{x, y}, " is of order 3."]; t = t + 1; Continue[]}]; x3 = x2; y3 = y2; While[(IntegerQ[x3]) == True, x22 = x3; y22 = y3; x3 = ((y22 - y)/(x22 - x))^2 - x - x22; If[IntegerQ[x3] == False, Print[{x, y}, " is of infinite order."]; Break[], y3 = -y + ((y22 - y)/(x22 - x))(x - x3)]; w = w + 1; If[x3 == x && y3 == -y, {Print[{x, y}, " is of order ", w + 1]; t = t + 1; Break[]}]; ]]

Note

1. t is a counter of #Etors.

2. w denotes the order of an integral point (x, y) .

51

Program M5 For each E , determine #Etors.

Torsion[a_, b_] := Module[{}, t = 0; IntegralPts[a, b]; Do[Ord[Z[[i, 1]], Z[[i, 2]], a], {i, Length[Z]}]; Print["#E_tors = ", t + 1]]

Program U6

Given E and #Etors, determine N for N .

10 20 30 40 50 60 70 80 90 100 110 120 130 140 150

input "A, B, T, N"; A, B, T, N P = 3 C = 0 while P < (N*1000) NU = 0 S = 0 for X = 0 to (P - 1) S = S + 1 + kro((X^3 + A*X + B)@P, P) next X NU = (S + 1)\T if prmdiv(NU) = NU then C = C + 1 P = nxtprm(P) wend print A, B, C end

Note

1. A and B denote a and b of (26) respectively. 2. T = #Etors. 3. P = p.

52

4. NU = . 5. C = N.

Program M7

Given q and a, determine the roots of T2 aT + q.

ConjugateRoots[q_] := Module[{a, T}, Print["q = ", q]; Do[Print[Solve[T^2 - a*T + q == 0]], {a, -q, q, 1}]]

Program M8

Given q and N, compute = Nr N, where r is a prime, with the corresponding

roots and , giving an output if is prime.

Method2[q_, s_, t_, n_] := Module[{k}, c = 0; Do[{r = Prime[k]; lamda = (q^r + 1 - Expand[s^r] - Expand[t^r])/n; If[PrimeQ[lamda], {c = c + 1; Print[{c, r, lamda}]}]}, {k, 400}]]

Note

1. c is an index serial number. 2. lamda denotes . 3. s and t are the roots and respectively. 4. n = N.

53

Program M9

Given q = 2 or 3 and for each corresponding N, determine equation of all

elliptic curves E with #E( q) = N.

Equation[q_, n_] := Module[{LHS, RHS}, Do[Do[Do[Do[Do[{c = 0;Do[Do[ {LHS = Mod[y^2 + a1*x*y + a3*y, q]; RHS = Mod[x^3 + a2*x^2 + a4*x + a6, q]; If[LHS == RHS, c = c + 1]}, {y, 0, q - 1}], {x, 0, q - 1}]; If[c + 1 == n, Print[Y^2 + a1*X*Y + a3*Y == X^3 + a2*X^2 + a4*X + a6]]}, {a6, 0, q - 1}], {a4, 0, q - 1}], {a3, 0, q - 1}], {a2, 0, q - 1}], {a1, 0, q - 1}]]

Note

1. c is a counter for N. 2. a1, a2, a3, a4, a6 denote a1, a2, a3, a4 ,a6 in (2) respectively.

Program M10 Given q = 4 and for each corresponding N, determine equation of all elliptic curves E with #E( q) = N.

EquationF4[n_] := Module[{LHS, RHS, F4}, z = 0; F4 = {0, 1, w, w^2}; a1 = F4; a2 = F4; a3 = F4; a4 = F4; a6 = F4; x = F4; y = F4; Do[Do[Do[Do[Do[{c = 0;Do[Do[ {LHS = PolynomialMod[Expand[y[[f]]^2 + a1[[k]]*x[[e]]*y[[f]] + a3[[i]]*y[[f]]], w^2 + w + 1];

54

RHS = PolynomialMod[Expand[x[[e]]^3 + a2[[j]]*x[[e]]^2 + a4[[h]]*x[[e]] + a6[[g]]], w^2 + w + 1]; If[LHS == RHS, c = c + 1]}, {e, 4}], {f, 4}]; If[c + 1 == n, {z = z + 1; Print[Y^2 + a1[[k]]*X*Y + a3[[i]]*Y == X^3 + a2[[j]]*X^2 + a4[[h]]*X + a6[[g]]]}]}, {g, 4}], {h, 4}], {i, 4}], {j, 4}], {k, 4}]; Print[z]]

Note

1. F4 =

4.

55

Glossary of Built-in Functions of Mathematica

Break Complement

Break[]exits the nearest enclosing Do, For or While. Complement[eall, e1, e2, ] gives the elements in eall in which are not in any of the ei.

Continue

Continue[] exits to the nearest enclosing Do, For or While in a procedural program.

Divisors Do Expand

Divisors[n] gives a list of the integers that divide n. Do[expr, {imax}] evaluates expr imax times. Expand[expr] expands out products and positive integer powers in expr.

Exponent

Exponent[expr, form] gives the maximum power with which form appears in the expanded form of expr.

FactorInteger

FactorInteger[n] gives a list of the prime factors of the integer n, together with their exponents.

FactorList

FactorList[poly] gives a list of the factors of a polynomial, together with their exponents.

GCD If

GCD[n1, n2, ] gives the greatest common divisor of the integers ni. If[condition, t, f] gives t if condition evaluates to True, and f if it evaluates to False.

IntegerQ

IntegerQ[expr] gives True if expr is an integer, and False otherwise.

n (m ) . For prime m, the

JacobiSymbol

JacobiSymbol[n, m] gives the Jacobi symbol Jacobi symbol reduces to the Legendre symbol.

Join Length

Join[list1, list2, ] concatenates lists together. Length[expr] gives the number of elements in expr.

56

MemberQ

MemberQ[list, form] returns True if an element of list matches form, and False otherwise.

Mod Module

Mod[m,n] gives the remainder on division of m by n. Module[{x, y, }, expr] specifies that occurrences of the symbols x, y, in expr should be treated as local.

PolynomialMod

PolynomialMod[poly, m] gives the polynomial poly reduced modulo m.

PrimeQ

PrimeQ[expr] yields True if expr is a prime number, and yields False otherwise.

Print

Print[expr1, expr2, ] prints the expri, followed by a newline (line feed).

Select

Select[list, crit] picks out all elements ei of list for which crit[ei], is True.

Solve

Solve[eqns, vars] attempts to solve an equation or set of equations for the variables vars.

Sqrt Sum Union

Sqrt[z] gives the square root of z. Sum[f, {i, imax}] evaluates the sum

i1

i max

Union[list1, list2, ] gives a sorted list of all the distinct elements that appear in any of the listi.

While

While[test, body] evaluates test, then body, repetitively, until test first fails to give True.

57

Glossary of Built-in Functions of UBASIC

End

Closes all files and ends program execution, sends a newline character to the printer if necessary and cancels unterminated loops.

For-Next If-Then

A loop that executes the commands within successively. If expression Then statements. If the value of the expression is not zero, then the statements after Then are executed.

Input

Waits for a number or an expression and assigns its value to the variable. If more than one variable is specified, separate the input numbers/ expressions by commas.

Kro(m,n)

Extended Kroneckers symbol for m and n. Equivalent to Legendres symbol for odd prime n.

Prmdiv(n) Print

The least prime divisor of n. Outputs the value of the expression, the string, the character whose ASCII code is n, or the current time to the screen.

While-Wend

While expression statements Wend. Executes while expression is nonzero.

58

Appendix B. Tables and Figures

In this appendix, we present the following tables and figure created in this project.

Table 1.

#Etors of each elliptic curve E with (26), for 0 a 30 and 0 b 100.

Table 2.

10 of each elliptic curve E with (26), for 0 a 30 and 0 b 100.

Table 3.

200 of each of the selected elliptic curves.

Figure 1. Graph of 200 against 10 of the elliptic curves tabulated in Table 3.

Table 4.

Conjugate roots of the quadratic polynomial T2 aT + q, for all values of a corresponding to each q.

Table 5.

Number of digits of each that is prime and the corresponding prime r for q = 2.

Table 6.

Number of digits of each that is prime and the corresponding prime r for q = 3.

Table 7.

Number of digits of each that is prime and the corresponding prime r for q = 4.

Table 8.

Equation of an elliptic curve E with #Etors = N, for all N, for each q.

Table 9.

Prime factorization of for first 20 primes r for q = 4 and N = 8.

Table 10. Prime factorization of for first 20 primes r for q = 4 and N = 5.

59

Table 1. #Etors of each elliptic curve E with coefficient a in the first row and b in the leftmost column. (Blank spaces denote 1.)
4 4 5 2 6 2 7 2 8 2 9 2 10 2 11 2 12 2 13 2 14 2 15 2 16 2 17 2 18 2 19 2 20 2 21 2 22 2 23 2 24 2 25 2 26 2 27 2 28 2 29 2 30 2

0 -6

1 2

2 2

3 2

2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

2 3

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

60

3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2

2 2 2 2

2 2 2 2 2

2 2

49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100

61

Table 2. 10 of each elliptic curve E with coefficient a in the first row and b in the leftmost column.
5 80 80 77 84 72 69 80 80 79 80 68 79 89 85 75 92 95 82 75 87 80 87 74 79 87 85 93 101 96 84 77 82 75 78 80 89 69 80 72 88 93 76 63 88 77 78 67 91 88 6 89 80 90 93 97 76 67 2 74 74 91 82 88 77 64 75 80 78 83 81 75 80 89 65 75 80 80 84 82 72 74 75 73 75 83 86 70 79 89 75 88 73 97 96 77 61 86 77 105 7 87 80 75 78 75 78 90 90 66 81 92 84 93 81 80 87 79 68 90 84 85 84 65 88 84 78 80 83 66 71 87 80 82 94 78 88 86 77 80 82 101 92 79 59 102 85 84 91 77 8 96 87 86 76 84 95 77 76 87 65 75 67 86 96 82 83 85 89 80 79 86 91 85 72 70 78 74 96 71 79 86 92 96 75 90 92 69 84 67 71 81 80 82 80 78 93 81 77 88 9 1 73 45 83 77 82 90 73 86 78 54 76 76 91 80 60 77 83 2 73 82 73 78 87 72 92 52 89 85 76 81 81 75 85 76 94 73 74 72 79 79 82 76 71 85 70 87 82 92 10 96 76 92 77 84 77 89 81 89 74 98 54 83 86 90 81 92 77 94 81 80 97 78 86 81 86 84 83 63 82 65 76 77 84 71 84 95 87 90 89 81 80 89 74 73 81 70 70 103 11 92 95 82 83 68 78 87 88 72 90 95 81 73 66 90 86 78 81 86 72 94 85 83 82 90 85 71 76 86 83 70 79 75 75 84 80 83 72 109 82 80 79 80 84 93 86 77 91 86 12 103 68 91 98 73 100 87 79 38 70 71 84 93 63 76 70 97 94 79 87 80 64 86 83 93 74 81 85 71 74 97 61 56 72 77 96 75 2 79 92 95 90 84 94 70 73 80 86 73 13 88 77 80 97 99 83 87 85 78 92 75 83 84 82 2 89 86 70 83 80 94 92 80 73 85 69 69 94 83 94 90 84 73 76 74 89 80 76 95 81 75 86 84 93 75 82 93 97 76 14 90 84 78 71 87 74 74 80 85 89 71 78 92 71 80 61 69 81 94 82 96 75 88 87 75 81 100 75 76 89 69 89 84 76 89 84 63 68 62 88 64 93 79 77 80 75 75 82 82 15 90 80 79 85 65 85 85 81 85 85 85 32 84 87 75 79 78 73 78 71 92 87 85 36 75 85 84 82 80 99 81 82 79 96 88 80 79 69 68 71 92 68 76 78 74 74 78 82 78 16 2 83 56 89 88 98 76 79 77 82 75 78 83 87 81 81 87 60 69 86 78 93 81 82 80 74 89 70 77 78 86 73 87 92 80 75 92 90 85 99 75 91 86 85 84 83 73 75 62 17 91 85 77 74 79 73 93 87 83 76 76 82 65 75 93 83 62 76 59 83 88 98 78 80 78 79 81 86 77 74 90 83 88 74 93 72 97 88 69 74 93 80 72 84 81 107 91 76 71 18 96 72 87 84 87 81 91 86 75 77 86 77 82 88 77 104 90 82 94 52 92 93 73 93 91 71 79 81 69 84 98 75 76 79 90 80 73 70 95 85 88 91 73 82 71 77 84 81 82 19 90 82 72 74 66 82 83 90 96 81 73 74 69 77 89 79 72 75 73 86 77 90 89 92 68 80 100 98 84 75 79 84 85 83 92 71 92 89 82 81 87 75 78 77 88 90 68 81 88 20 74 91 75 88 82 77 92 72 95 76 72 81 86 74 76 86 83 99 86 88 81 73 77 75 86 79 71 87 84 90 76 65 66 79 85 98 78 71 80 86 80 81 77 84 79 86 67 72 66 21 88 80 75 68 84 80 81 75 76 70 88 78 82 72 65 71 65 79 77 71 80 95 65 89 80 82 36 85 74 77 77 87 82 84 68 80 88 79 74 86 89 70 97 84 79 73 84 84 67 22 91 93 76 79 89 83 89 82 77 82 86 72 89 83 82 85 75 90 76 76 92 68 74 3 90 101 81 84 93 79 103 67 77 90 89 85 91 70 83 67 87 84 81 90 69 83 64 80 96 23 96 108 83 73 85 72 67 104 81 77 76 81 78 78 87 100 82 66 79 86 90 85 78 83 70 96 82 77 104 97 66 67 89 81 94 77 92 67 77 84 94 83 97 87 77 77 78 92 71 24 88 85 40 87 85 74 86 80 91 79 87 80 67 86 91 91 84 85 92 72 73 69 86 86 79 56 89 79 77 87 77 86 88 70 67 71 86 72 85 72 80 81 71 81 72 87 72 89 69 25 2 99 89 83 74 76 81 80 94 80 99 79 78 75 78 81 75 77 77 74 75 82 84 88 79 68 81 79 68 79 80 96 96 81 88 66 86 81 82 72 85 83 72 93 80 78 77 72 89 26 97 81 97 68 78 86 94 82 84 82 72 77 76 85 78 81 81 77 84 73 71 77 73 72 88 89 80 64 82 91 91 98 87 82 86 85 101 78 74 79 77 74 78 88 66 65 78 77 81 27 99 87 79 70 84 84 76 76 85 85 97 77 88 61 76 76 77 60 91 58 96 70 93 83 91 63 85 40 66 86 88 74 83 72 91 85 68 74 83 75 82 85 68 86 66 80 89 42 77 28 92 101 76 84 77 75 71 76 84 70 81 64 80 81 89 70 78 93 72 91 84 75 90 88 72 88 82 89 75 70 68 96 92 80 83 89 79 68 73 82 72 77 77 83 81 99 66 94 69 29 90 99 77 89 96 78 82 78 78 91 93 76 92 78 81 66 91 85 77 90 84 79 85 72 73 86 91 90 86 71 76 63 83 86 81 90 77 75 89 70 80 72 81 75 84 86 84 76 99 30 87 80 87 82 89 75 66 72 78 91 83 87 87 84 98 78 85 99 89 95 94 82 84 86 95 84 90 81 97 91 104 72 88 88 72 85 71 81 75 84 92 80 75 92 85 83 87 80 69

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48

0 -102 82 91 117 71 70 90 77 122 75 83 81 81 78 66 4 72 78 77 84 89 88 72 81 107 69 3 85 80 88 75 85 83 76 79 127 82 81 89 74 87 74 77 87 77 77 87 74

1 2 80 83 79 93 79 77 82 81 63 80 75 92 67 82 75 77 80 85 92 71 82 83 90 84 87 81 84 83 68 62 84 87 86 83 82 76 82 79 94 68 89 91 70 70 82 71 82 86

2 93 75 71 60 77 85 75 64 100 80 78 72 73 80 88 76 85 77 85 83 84 90 87 76 73 96 79 87 91 79 89 78 80 82 81 90 81 83 74 76 96 84 60 93 91 95 71 86 87

3 108 2 86 79 62 98 68 78 85 66 79 48 87 73 68 76 89 84 93 79 59 67 73 79 84 88 83 86 85 83 71 77 79 88 80 80 65 72 80 70 83 92 68 84 86 91 80 78 87

4 71 80 74 83 85 71 73 88 88 81 76 84 85 80 85 88 1 84 76 85 76 73 81 83 98 65 84 83 74 85 77 75 89 92 68 90 72 79 76 56 89 78 63 72 84 84 74 91 82

62

49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100

134 68 80 75 82 85 91 91 70 82 85 73 76 75 79 102 83 80 79 79 67 72 80 80 75 75 78 79 83 63 88 76 117 72 57 82 78 76 83 79 77 82 76 74 66 72 84 81 83 76 74 130

75 106 80 77 77 77 73 79 85 70 78 78 90 70 84 89 89 86 83 4 91 91 74 71 78 79 74 90 81 86 80 85 74 90 69 93 74 82 68 73 88 73 80 68 84 69 74 82 86 89 79 70

79 84 69 94 77 81 90 77 71 94 86 78 95 83 83 78 68 76 92 99 106 83 83 59 76 88 79 79 85 74 67 78 89 98 79 84 86 88 87 80 73 86 104 92 74 74 83 92 91 73 71 64

72 86 71 79 87 91 82 88 80 84 80 89 97 82 81 85 62 81 88 84 92 75 96 77 72 70 88 77 96 84 75 98 84 80 88 88 90 68 67 84 84 84 78 94 74 80 97 88 98 103 82 79

83 72 86 76 79 89 73 90 77 73 72 73 96 96 73 83 86 80 68 89 85 81 88 78 75 88 72 98 73 76 83 69 78 64 93 74 86 69 81 98 84 89 81 86 81 68 84 95 78 77 90 86

96 75 90 101 83 94 96 71 81 67 84 75 88 68 74 67 86 75 76 87 85 89 98 89 73 81 86 87 73 74 76 77 74 88 66 55 79 91 92 71 85 73 65 79 82 71 64 89 70 85 75 92

79 86 90 81 83 80 65 84 83 77 78 82 68 99 61 74 73 81 92 94 75 85 74 73 94 86 77 81 74 72 80 67 88 83 92 75 87 80 79 57 82 83 72 78 77 98 74 82 77 77 83 83

82 87 69 90 76 68 71 83 75 95 79 79 74 98 91 97 83 89 82 87 82 89 78 80 83 88 84 77 88 93 79 77 76 89 84 85 89 79 83 103 98 83 76 70 87 85 92 91 93 71 100 100

79 70 81 79 77 89 80 73 88 79 78 80 82 104 75 83 87 89 97 83 97 72 85 84 88 86 87 80 91 87 85 71 80 85 80 84 65 79 87 81 73 80 80 92 82 82 81 63 71 74 82 86

65 79 85 93 91 2 95 73 89 74 83 75 66 76 79 92 82 93 74 84 76 90 85 81 86 86 87 82 74 88 79 86 82 82 89 82 63 84 78 72 87 72 90 77 66 78 83 81 72 91 75 72

73 87 64 93 78 85 75 74 63 77 83 76 93 82 78 79 85 84 95 75 89 76 76 71 84 77 79 82 88 73 75 91 80 70 92 78 76 81 86 89 77 94 88 73 78 77 68 79 93 87 83 98

85 86 77 103 76 82 87 70 77 98 90 68 95 85 73 86 71 71 88 81 76 79 74 68 72 84 67 68 78 95 82 81 85 90 84 61 96 78 86 82 87 71 96 73 79 73 76 75 85 78 89 109

82 88 76 63 91 87 78 87 90 57 78 86 86 88 60 95 82 72 78 85 88 97 82 73 88 61 91 71 76 56 88 81 80 78 88 70 72 82 69 44 101 83 76 81 92 80 81 78 68 80 78 73

77 84 89 70 76 86 73 76 89 78 96 72 97 79 81 80 82 68 65 72 76 85 77 76 99 92 73 62 79 65 82 91 77 83 84 102 68 90 91 81 77 85 84 79 101 84 78 85 76 86 86 81

90 78 80 88 83 70 85 70 81 64 75 82 76 81 83 79 82 97 85 81 70 90 84 85 90 83 77 84 69 95 83 91 74 85 90 94 89 76 90 83 78 78 76 90 64 64 90 74 91 72 86 87

85 93 91 81 73 79 75 87 76 93 81 82 83 84 79 82 38 85 88 80 84 72 84 62 77 87 93 77 95 68 93 64 86 82 88 75 83 82 78 92 82 82 74 78 90 84 80 82 88 84 75 73

83 91 67 80 76 84 78 92 77 65 69 92 75 95 80 80 80 83 75 99 88 88 98 80 98 74 83 94 80 72 80 84 75 87 75 86 82 80 77 83 93 81 71 68 84 74 80 79 66 66 91 83

89 85 93 79 82 86 81 79 74 76 86 70 76 71 83 75 87 83 86 82 81 94 77 88 88 70 78 85 81 58 66 75 71 83 82 90 70 82 100 93 77 85 80 74 76 79 72 81 93 84 95 77

89 85 79 95 102 61 93 57 81 71 88 79 75 80 92 80 87 77 74 76 110 90 88 79 74 87 88 77 78 73 91 75 62 89 84 100 83 79 79 70 67 85 80 81 89 84 79 88 71 81 71 99

86 85 81 87 87 83 80 65 79 90 68 87 71 76 78 83 78 79 88 72 80 94 56 85 81 93 94 72 79 74 81 71 84 84 92 72 77 82 82 87 80 86 76 89 88 86 69 84 88 100 81 77

72 90 94 70 81 73 87 85 84 98 76 76 77 79 89 86 78 90 88 84 72 98 72 78 73 76 73 95 90 78 76 80 82 69 71 79 89 69 73 67 78 83 85 73 76 71 62 77 82 76 90 85

78 67 83 76 86 89 86 82 70 95 71 91 86 76 67 82 78 82 70 78 60 78 82 73 81 87 91 97 84 73 68 86 75 83 92 93 86 84 77 87 78 83 83 92 78 84 92 108 86 83 75 82

69 93 80 65 80 78 74 88 103 69 94 71 76 86 74 92 103 69 78 68 82 74 75 80 71 81 84 84 73 78 74 76 81 95 96 81 71 75 89 72 71 79 87 93 3 70 75 70 72 83 82 82

88 96 77 73 73 65 89 83 92 86 75 78 75 98 70 65 72 95 104 97 85 69 82 76 90 73 94 100 75 88 86 87 93 80 75 81 72 72 92 73 86 83 70 92 86 76 79 70 69 90 84 77

84 90 89 2 79 97 90 1 86 82 76 79 87 70 81 77 80 80 78 77 77 73 84 88 85 102 82 80 88 101 91 89 78 72 96 92 97 81 89 97 67 88 87 90 86 92 95 90 82 85 74 87

72 91 81 77 84 82 61 84 83 62 67 71 87 77 87 70 87 77 83 80 78 85 93 67 79 77 81 83 68 79 77 60 71 91 93 76 85 82 78 93 69 79 74 78 70 79 78 78 83 76 85 70

74 81 80 85 79 62 81 64 77 81 73 81 85 79 77 69 72 94 72 86 85 84 92 69 83 97 84 71 78 81 83 84 76 91 82 86 72 74 96 69 80 91 77 83 78 78 80 78 90 82 78 71

73 74 69 79 85 89 82 105 85 73 79 84 70 79 96 78 73 82 92 72 86 83 84 87 83 96 88 88 81 99 73 85 86 65 71 87 65 79 98 82 83 78 70 92 82 82 79 84 87 78 77 73

72 81 82 81 89 82 89 90 75 85 88 81 85 77 94 67 76 90 77 65 65 72 87 78 82 90 79 79 84 82 84 90 100 82 76 96 91 79 77 78 85 76 86 92 83 67 96 93 97 83 80 80

92 87 94 95 85 92 83 78 71 96 75 85 66 77 85 82 74 79 79 77 78 96 102 62 68 85 85 86 73 73 84 81 86 91 79 78 83 74 73 83 109 68 76 83 84 86 92 81 75 87 83 98

76 77 79 94 76 79 76 80 88 90 80 78 86 68 76 102 77 66 64 68 100 75 76 110 84 82 82 87 74 86 96 81 72 80 74 94 89 79 78 82 75 104 81 95 70 79 74 71 86 80 93 88

63

Table 3.
a
15 21 15 27 15 12 12 24 27 3 6 18 12 4 9 429 4 10 5 16 9 17 2 5 2 3 11 2 7 12 30 6 15 15 673 3 2 9 13 14 1 1 16 109 8 1 814 13 13 193 262 33 528 69 325 148 949 27 17 19 17

200 of selected elliptic curves with (26).

#Etors
1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 4 2 2 2 2 2 2 4 4 4 2 2 4 2 4 4 4 4 4 4 4 4 4 1 1 1 1

b
65 24 23 47 11 8 88 2 27 11 88 19 63 39 26 866 5 11 84 75 10 78 3 6 12 4 60 33 8 32 31 20 72 38 674 36 72 100 66 69 30 2 128 226 9 10 2469 14 34 194 813 34 2176 470 1750 656 4870 19 35 71 71

10
38 36 36 42 32 38 44 40 40 48 57 52 60 56 52 63 71 54 55 83 54 58 60 80 73 62 68 82 66 56 72 75 62 68 82 65 59 72 68 70 62 83 83 68 65 80 73 74 74 78 78 85 85 71 85 80 80 56 72 56 77

200
352 358 360 378 383 394 397 398 411 415 553 570 587 612 616 618 619 624 626 637 641 647 647 647 653 657 660 665 666 667 670 673 677 677 677 678 681 681 684 692 693 694 694 694 696 697 702 704 704 716 720 724 724 728 732 739 747 774 795 796 796

64

6 12 13 1 3 10 4 13 2 3 5 14 9 7 6 1 8 16 19 19 9 17 1 11 16 14 7 20 1 8 20 4 11 2 0 13 5 10 18 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

56 58 23 13 20 30 79 61 32 93 89 84 27 88 48 11 1 5 98 8 70 6 50 100 55 3 36 60 7 73 17 22 38 69 1 9 27 80 69 15 289 169 361 841 441 529 36 676 625 121 900 324 9 576 144 225 49 484 196 81 100 400 784 4 256

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 6 1 1 1 1 1 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

84 57 73 67 59 65 83 97 80 74 85 94 89 103 105 75 87 98 100 96 90 93 106 109 78 71 86 76 82 88 99 81 109 106 102 92 101 91 110 104 119 120 133 113 117 132 127 106 117 126 109 124 122 122 119 126 134 124 129 117 130 116 127 117 176

796 805 809 810 815 816 816 818 823 824 825 825 827 827 827 829 829 832 832 833 837 843 843 846 848 849 849 852 853 853 855 874 880 882 884 885 889 899 915 996 1181 1190 1199 1200 1201 1209 1212 1214 1214 1217 1226 1226 1227 1227 1239 1239 1240 1242 1251 1254 1274 1310 1326 1820 1821

65

Figure 1. Graph of 200 against 10 for elliptic curves in Table 3.

200

2000

1800

1600

1400

1200

1000

800

#E_tors = 1 #E_tors = 2 #E_tors = 3 #E_tors = 4 #E_tors = 6

600

400

200
10

0 0 20 40 60 80 100 120 140 160 180 200

66

Table 4. q 2 2 2 2 2 3 3 3 3 3 3 3 4 4 4 4 4 4 4 4 4

Roots of T2 aT + q for each q = 2, 3 and 4 and each corresponding a. a 2 1 0 1 2 3 2 1 0 1 2 3 4 3 2 1 0 1 2 3 4 N 5 4 3 2 1 7 6 5 4 3 2 1 9 8 7 6 5 4 3 2 1

1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2 1 2

1 i

1 + i
1 2

(1 7i ) 2i (1 7i )
1 i

(1 + 7i ) 2i
1 2

(1 + 7i )
1+ i

(3 3i ) 1 2i (1 11i ) 3i (1 11i ) 1 2i (3 3i ) 2 (3 7i ) 1 3i (1 15i ) 2i (1 15i ) 1 3i (3 7i ) 2

1 2

(3 + 3i ) 1 + 2i (1 + 11i ) 3i (1 + 11i ) 1 + 2i (3 + 3i ) 2

1 2

1 2

1 2

1 2

(3 + 7i ) 1 + 3i (1 + 15i ) 2i (1 + 15i ) 1 + 3i (3 + 7i ) 2

1 2

1 2

1 2

67

Table 5. Number of digits of prime = Nr N for q = 2 and first 400 primes r.

N
5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

r
5 7 11 13 17 29 43 53 89 283 557 563 613 691 1223 2731 2 5 7 13 19 23 41 83 97 103 107 131 233 239 277 283 349 409 571 1249 1913 2221 2647 2 3 5 7 11 13 17 19 23 31 43 61 79 101 127 167

Log10
1 2 3 4 5 9 13 16 27 85 167 169 184 208 368 822 1 2 2 4 6 7 12 25 29 31 32 39 70 72 83 85 105 123 172 376 576 668 797 1 1 2 2 3 4 5 6 7 9 13 18 24 30 38 50

APRT-CLE
Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No No No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes

N
3 3 3 3 3 3 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

r
191 199 313 347 701 1709 2617 3 5 7 11 17 19 23 101 107 109 113 163 283 311 331 347 359 701 1153 1597 1621 2063 2437 2 3 5 7 11 19 29 47 73 79 113 151 157 163 167 239 241 283 353 367 379 457 997 1367

Log10
58 60 94 104 211 514 788 1 2 2 3 5 6 7 31 32 33 34 49 85 94 100 105 108 211 347 481 488 621 734 1 2 2 3 4 6 9 15 22 24 35 46 48 50 51 72 73 86 107 111 115 138 301 412

APRT-CLE
Yes Yes Yes Yes Yes No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No No No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes No

68

Table 6. Number of digits of prime = Nr N for q = 3 and first 400 primes r.

N
7 7 7 7 7 7 7 7 7 7 7 7 7 7 6 6 6 6 6 6 6 6 6 6 6 6 6 6 5 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4

r
5 11 31 37 47 53 97 163 167 509 877 1061 2027 2293 2 3 5 7 13 19 71 199 257 479 503 683 1523 1867 2 7 23 59 179 269 383 3 5 7 13 23 43 281 359 487 577 1579 1663 1741

Log10
2 5 14 17 22 25 46 77 79 243 418 506 967 1094 1 1 2 3 6 9 34 95 122 228 240 326 726 891 1 3 11 28 85 128 183 1 2 3 6 11 20 134 171 232 275 753 793 831

APRT-CLE
Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes No No No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes No No Not necessary Not necessary Not necessary Yes Yes Yes Yes Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes No No No

N
3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

r
2 5 7 37 67 271 281 409 449 559 677 991 1523 1823 1877 3 7 11 13 19 23 31 37 43 47 83 193 557 733 1583 2203 2 5 7 11 17 19 79 163 193 239 317 353 659 709 1049 1103 1759 2029

Log10
1 2 3 18 32 129 134 195 214 286 323 473 727 870 896 2 4 5 6 9 11 15 18 21 23 40 92 266 350 755 1051 1 3 4 6 9 10 38 78 93 115 152 169 315 339 501 527 840 969

APRT-CLE
Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes No No No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes No No Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes Yes Yes Yes No No No No

69

Table 7. Number of digits of prime = Nr N for q = 4 and first 400 primes r.

N
9 8 8 7 7 7 7 7 7 7 7 7 7 7 7 6 6 6 6 6 6 6 6 5 5 4 4

r
Nil 2 3 2 3 5 11 23 31 43 149 157 193 1801 2539 5 7 31 59 167 227 379 1163 2 3 3 5

Log10
Nil 1 1 1 1 3 6 14 18 26 89 94 116 1084 1528 3 4 18 35 100 136 228 700 1 2 2 3

APRT-CLE
Not applicable Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes Yes No No Not necessary Not necessary Yes Yes Yes Yes Yes No Not necessary Not necessary Not necessary Not necessary

N
4 4 4 4 4 4 4 3 3 3 3 3 3 3 3 3 3 2 2 2 2 2 2 2 2 2 1

r
7 17 37 43 67 79 163 2 5 7 13 29 61 383 401 1637 1871 3 5 11 31 53 61 383 683 1381 Nil

Log10
4 10 22 26 40 47 98 1 3 4 8 17 37 231 241 986 1126 2 3 7 19 32 37 231 411 832 Nil

APRT-CLE
Not necessary Not necessary Yes Yes Yes Yes Yes Not necessary Not necessary Not necessary Not necessary Yes Yes Yes Yes No No Not necessary Not necessary Not necessary Yes Yes Yes Yes No No Not applicable

70

Table 8. Equation of an elliptic curve E corresponding to each N = #Etors of each q. q 2 2 2 2 2 3 3 3 3 3 3 3 4 4 4 4 4 N 5 4 3 2 1 7 6 5 4 3 2 1 7 6 4 3 2 Equation of E. Y + Y = X3 + X Y2 + XY + Y = X3 Y2 = X3 + X2 + X + 1 Y2 + XY = X3 Y2 + Y = X3 + X2 + 1 Y2 + Y = X3 + 2X Y2 + Y = X3 + X2 + 2X + 2 Y2 + XY + 2Y = X3 + X2 + 2X + 2 Y2 = X3 + 2X Y2 + Y = X3 + X2 + 1 Y2 + XY + 2Y = X3 + X2 + 2X + 1 Y2 = X3 + 2X + 2 Y2 + Y = X3 + 1 Y2 + XY + Y = X3 + 1 Y2 + XY = X3 + Y2 + Y = X3 Y2 + XY + Y = X3 +

2

71

Table 9. Prime factorization of for first 20 primes r for q = 4, N = 8. r

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71

Prime factorization of
2 7 112 29 71 232 991 53 79 2003 137 239 65587 130873 262543 2095853 4196903 6323 8353 16067 42457 373 26041 41231 1439393 149 260999 263293 230603167 739 2543 585071 549756390943 947 1033 22877 93053 4644189029 659 4965269 7086097 106781081677 1072 3488143 12066511 21044858204113 11447 14321189 10063074221 25179555920633 977 3539 102481 11514943771 162888033982417 2011 7639 31357 76589041 1079503331 68352708293 107069 2006603 588353361747061 5513228015079457

Table 10. Prime factorization of for first 20 primes r for q = 4, N = 5. r

2 3 5 7 11 13 17 19 23 29 31 37 41 43 47 53 59 61 67 71

Prime factorization of
5 13 5 41 29 113 397 2113 53 157 1613 137 953 26317 229 457 525313 277 1013 1657 30269 107367629 536903681 5581 8681 49477 384773 149 593 184481113 231769777 10169 181549 12112549 43249589 173 101653 500177 1759217765581 3761 7484047069 140737471578113 15358129 586477649 1801439824104653 1181 3541 157649 174877 5521693 104399276341 733 1709 3456749 368140581013 667055378149 269 15152453 42875177 2559066073 9739278030221 569 148587949 4999465853 5585522857 472287102421

72

Appendix C. Running Times of Algorithms

In this appendix, we include the definitions of the different running times of algorithms. We borrow these definitions from [12].

Definition 1. The Big-O Notation. Suppose that for all n n0 the two functions f(n) and g(n) are defined, take positive values, and for some constant C satisfy the inequality f(n) Cg(n). Then we say that f = O(g).

Definition 2. A polynomial-time algorithm is an algorithm whose worst-case running time

k function is of the form O(n ),where n is the input size and k is a constant. Any algorithm

whose running time cannot be so bounded is called an exponential-time algorithm.

Definition 3. A subexponential-time algorithm is an algorithm whose worst-case running time function is of the form e
o(n)

,where n is the input size.

A subexponential-time algorithm is asymptotically faster than an algorithm whose running time is fully exponential in the input size, while it is asymptotically slower than a polynomial-time algorithm.

73

References

[1]

Adleman, L.M., Pomerance, C. and Rumely, R.S. (1983), On distinguishing prime numbers from composite numbers, Ann. Math., Vol 117, 173-206. Certicom Corp., (1997), An Introduction to Information Security, Certicom White Papers, number 1. Certicom Corp., (1998), The Elliptic Curve Cryptosystem for Smart Cards, Certicom White Papers, number 7. Cohen, H. and Lenstra, H.W. (1984), Primality testing and Jacobi sums, Math. Comp., Vol 42, 297-330. Cohen, H. and Lenstra, A.K. (1987), Implementation of a new primality test, Math. Comp., Vol 48, 103-121. Enge, A. (1999), Elliptic Curves and their Applications to Cryptography, Kluwer Academic Publishers, Boston. Herstein, I.N. (1975), Topics In Algebra, John Wiley, New York. Knapp, A.W. (1992), Elliptic Curves, Princeton University Press, Princeton, N.J. Koblitz, N. (1999), Algebraic Aspects of Cryptography, Springer-Verlag, Berlin. Koblitz, N., Menezes, A.J. and Vanstone, S.A. (2000), The State of Elliptic Curve Cryptography, Designs, Codes and Cryptography, Vol 19, 173-193, Kluwer Academic Publishers, Boston. Menezes, A.J. (1993), Elliptic Curve Public Key Cryptosystems, Kluwer Academic Publishers, Boston. Menezes, A.J., van Oorschot, P.C. and Vanstone, S.A. (1997), Handbook of Applied Cryptography, CRC Press, Boca Raton, Florida.

[2]

[3]

[4]

[5]

[6]

[7] [8] [9] [10]

[11]

[12]

74

[13]

Rck, H. (1987), A Note on Elliptic Curves Over Finite Fields, Math. Comp., Vol 49(179), 301-304. Schoof, R. (1985), Elliptic curves over finite fields and the computation of square roots mod p, Math. Comp. Vol 44(170), 483-494. Schoof, R. (1995), Counting points on elliptic curves over finite fields, Journal de Thorie des Nombres de Bordeaux, Vol 7, 219-254. Silverman, J.H. (1986), The Arithmetic of Elliptic Curves, Springer-Verlag, New York. Silverman, J.H. and Tate, J. (1992), Rational Points on Elliptic Curves, Springer-Verlag, New York.

[14]

[15]

[16] [17]

[18]

Wolfram, S. (1999), The Mathematica Book, Cambridge University Press, New York.

75