The assumption $P_1 \ne -P_2$ implies that $f_Y(x_1, y_1) \ne 0$. Therefore we write:
$$L:\; Y = -\frac{f_X(x_1, y_1)}{f_Y(x_1, y_1)}\,(X - x_1) + y_1 = -\frac{f_X(x_1, y_1)}{f_Y(x_1, y_1)}\,X + \frac{x_1 f_X(x_1, y_1) + y_1 f_Y(x_1, y_1)}{f_Y(x_1, y_1)} = \lambda X + \mu.$$
Using the results obtained in points 3 and 4 we can conclude the proof of the theorem. The third intersection point of the line $L$ with $E$ is a point $P_3' = (x_3', y_3')$ (in the tangent case $P_1 = P_2$ one has $x_2 = x_1$, and $x_1$ is a double root of the cubic below). We now compute this point:
$$\begin{aligned}
f(X, \lambda X + \mu) &= (\lambda X + \mu)^2 + a_1 X(\lambda X + \mu) + a_3(\lambda X + \mu) - X^3 - a_2 X^2 - a_4 X - a_6 \\
&= -X^3 + (\lambda^2 + a_1\lambda - a_2)X^2 + (2\lambda\mu + a_1\mu + a_3\lambda - a_4)X + (\mu^2 + a_3\mu - a_6) \\
&= -(X - x_1)(X - x_2)(X - x_3') \\
&= -X^3 + (x_1 + x_2 + x_3')X^2 - (x_1 x_2 + x_1 x_3' + x_2 x_3')X + x_1 x_2 x_3'.
\end{aligned}$$
Comparing the coefficients of $X^2$, we see that
$$x_3' = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2.$$
Since $P_3'$ is a point of $L$, one has
$$y_3' = \lambda x_3' + \mu.$$
The point $P_3 = (x_3, y_3) = P_1 + P_2$ is $-P_3'$. According to point 1 of the theorem, $-(x, y) = (x, -y - a_1 x - a_3)$, so $P_3$ has the coordinates
$$\begin{aligned}
x_3 &= x_3' = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2, \\
y_3 &= -y_3' - a_1 x_3' - a_3 = -(\lambda + a_1)x_3 - \mu - a_3.
\end{aligned}$$
To end this section we define the multiplication of a rational point by an integer.
Definition 3.13. Let $E$ be an elliptic curve over a field $K$, $m \in \mathbb{Z}$ and $P \in E(K)$. We define $mP$ as follows:
$$mP = \begin{cases} \displaystyle\sum_{j=1}^{m} P & \text{if } m > 0, \\[1ex] O & \text{if } m = 0, \\[1ex] \displaystyle\sum_{j=1}^{-m} (-P) & \text{if } m < 0. \end{cases}$$
This notion will be fundamental to define cryptographic schemes over elliptic curves.
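As an added worked example (not part of the thesis), the following Python code implements the formulas derived above on a general Weierstrass curve $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ over $\mathbb{F}_p$: the slope $\lambda$ and intercept $\mu$ of the chord or tangent, $x_3 = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2$, $y_3 = -(\lambda + a_1)x_3 - \mu - a_3$, the negation $-(x, y) = (x, -y - a_1x - a_3)$, and the scalar multiple $mP$ of Definition 3.13 both literally (repeated addition) and by double-and-add. The prime $p = 101$ and the coefficients $(a_1, a_2, a_3, a_4, a_6) = (1, 0, 1, 4, -6)$ are this example's own choices (the curve $y^2 + xy + y = x^3 + 4x - 6$ reduced mod $p$); the points $(1, -1)$ and $(2, 2)$ used in the demonstration lie on it, as the code checks.

```python
# Added example (not from the thesis): the group law of the proof above on a
# general Weierstrass curve over F_p, and mP of Definition 3.13.
# Assumptions: p = 101 and the coefficients below are constructed test data
# (the curve y^2 + xy + y = x^3 + 4x - 6 reduced mod 101); Python >= 3.8 for pow(x, -1, p).

P_MOD = 101                    # the prime field F_p
A = (1, 0, 1, 4, -6)           # (a1, a2, a3, a4, a6)
O = None                       # the point at infinity

def inv(x, p=P_MOD):
    return pow(x % p, -1, p)

def discriminant(a=A, p=P_MOD):
    """Discriminant of the general Weierstrass equation; nonzero mod p means E is nonsingular."""
    a1, a2, a3, a4, a6 = a
    b2, b4, b6 = a1 * a1 + 4 * a2, 2 * a4 + a1 * a3, a3 * a3 + 4 * a6
    b8 = a1 * a1 * a6 + 4 * a2 * a6 - a1 * a3 * a4 + a2 * a3 * a3 - a4 * a4
    return (-b2 * b2 * b8 - 8 * b4 ** 3 - 27 * b6 * b6 + 9 * b2 * b4 * b6) % p

def on_curve(P, a=A, p=P_MOD):
    if P is O:
        return True
    a1, a2, a3, a4, a6 = a
    x, y = P
    return (y * y + a1 * x * y + a3 * y - x ** 3 - a2 * x * x - a4 * x - a6) % p == 0

def neg(P, a=A, p=P_MOD):
    """Point 1 of the theorem: -(x, y) = (x, -y - a1 x - a3)."""
    if P is O:
        return O
    a1, _, a3, _, _ = a
    x, y = P
    return (x, (-y - a1 * x - a3) % p)

def add(P, Q, a=A, p=P_MOD):
    """P + Q via the chord (P != Q) or tangent (P == Q) line Y = lambda X + mu."""
    if P is O:
        return Q
    if Q is O:
        return P
    a1, a2, a3, a4, a6 = a
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2 + a1 * x1 + a3) % p == 0:   # Q == -P, includes f_Y(P) == 0
        return O
    if P == Q:                                           # tangent: lambda = -f_X / f_Y
        fX = a1 * y1 - 3 * x1 * x1 - 2 * a2 * x1 - a4
        fY = 2 * y1 + a1 * x1 + a3
        lam = (-fX * inv(fY, p)) % p
    else:                                                # chord through two distinct points
        lam = ((y2 - y1) * inv(x2 - x1, p)) % p
    mu = (y1 - lam * x1) % p                             # same as (x1 f_X + y1 f_Y) / f_Y
    x3 = (lam * lam + a1 * lam - a2 - x1 - x2) % p
    y3 = (-(lam + a1) * x3 - mu - a3) % p
    return (x3, y3)

def mul_def(m, P):
    """Definition 3.13 taken literally: m copies of P (or of -P when m < 0)."""
    if m < 0:
        return mul_def(-m, neg(P))
    R = O
    for _ in range(m):
        R = add(R, P)
    return R

def mul(m, P):
    """The same map by double-and-add, O(log m) group operations."""
    if m < 0:
        m, P = -m, neg(P)
    R = O
    while m:
        if m & 1:
            R = add(R, P)
        P = add(P, P)
        m >>= 1
    return R

def demo():
    """Worked points: (1,-1) has f_Y = 0 (order 2), (2,2) has order 3, their sum has order 6."""
    P2, P3 = (1, P_MOD - 1), (2, 2)
    assert discriminant() != 0 and on_curve(P2) and on_curve(P3)
    P6 = add(P2, P3)
    order = next(m for m in range(1, 2 * P_MOD) if mul(m, P6) is O)
    return {"P2+P3": P6, "2*P2": add(P2, P2), "2*P3": add(P3, P3), "P6_order": order,
            "def_matches_double_and_add": all(mul(m, P6) == mul_def(m, P6) for m in range(-20, 21))}

if __name__ == "__main__":
    print(demo())
```

The point $(1, -1)$ is its own negative, so the first branch of `add` returns $O$ for its doubling, exactly the case $f_Y(x_1, y_1) = 0$ excluded by the assumption $P_1 \ne -P_2$ above. `mul_def` is linear in $m$ and exists only to show the definition; `mul` is what an implementation runs, and the two agree for every tested $m$, including negative ones.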
Given an elliptic curve $E$ over a finite field $\mathbb{F}_q$, we denote the number of rational points on $E$ by $\#E(\mathbb{F}_q)$. We will also define a quantity called the trace of Frobenius and a map called the Frobenius map or Frobenius endomorphism. These notions will be useful in due course in our study, as they play a central role in counting the number of rational points of an elliptic curve. To ease notation, we write $\mathcal{P}$ for the set of prime numbers.
Definition 3.14. Given an elliptic curve $E$ over a finite field $\mathbb{F}_q$, the trace of Frobenius of $E$ is the integer $t$ defined by the equation
$$\#E(\mathbb{F}_q) = q + 1 - t.$$
Definition 3.15. Given an elliptic curve $E$ over a finite field $\mathbb{F}_q$, the $q$-th power Frobenius map is
$$\varphi\colon E(\overline{\mathbb{F}_q}) \to E(\overline{\mathbb{F}_q}),\qquad (x, y) \mapsto (x^q, y^q),\qquad O \mapsto O,$$
where $\overline{\mathbb{F}_q}$ denotes the algebraic closure of $\mathbb{F}_q$. Since $x^q = x$ exactly for $x \in \mathbb{F}_q$, the points fixed by $\varphi$ are precisely the rational points $E(\mathbb{F}_q)$; its action on points defined over extension fields is what makes it useful below. The map $\varphi$ is a group endomorphism, usually referred to as the Frobenius endomorphism.
In order to build algorithms that count the number of rational points on an elliptic curve over a finite field, we first need to present two important results. The first one is stated in the next proposition and gives an explicit equation satisfied by the trace of Frobenius.
Proposition 3.16. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ with trace of Frobenius $t$, and let $\varphi$ be the $q$-th power Frobenius endomorphism. Then for every point $P \in E(\overline{\mathbb{F}_q})$ the following equation holds:
$$\varphi^2(P) - t\,\varphi(P) + qP = O,$$
where $\varphi^2 = \varphi \circ \varphi$ and the sum is taken in the group law of $E$. In other words, $\varphi$ is a root of its characteristic polynomial $T^2 - tT + q$.
The second important result for counting the number of points is known as Hasse's Estimate. It bounds the order $\#E(\mathbb{F}_q)$ in terms of the trace of Frobenius of Definition 3.14.
Theorem 3.17 (Hasse's Estimate). The trace of Frobenius $t$ of an elliptic curve $E$ over a finite field $\mathbb{F}_q$ satisfies
$$|t| \le 2\sqrt{q},$$
that is, $q + 1 - 2\sqrt{q} \le \#E(\mathbb{F}_q) \le q + 1 + 2\sqrt{q}$.
We will not provide proofs for the two results presented above since they are out of the scope of this thesis; the interested reader can find them in Schmitt and Zimmer [2003].
The notion of trace of Frobenius yields a new way of characterizing elliptic curves, the concept of supersingular curves. As we will see later, this notion is important for the security of cryptosystems based on elliptic curves.
Definition 3.18. Let $E$ be an elliptic curve over a finite field $\mathbb{F}_q$ of characteristic $p$ with $\#E(\mathbb{F}_q) = q + 1 - t$. The curve is called supersingular if $p \mid t$ (equivalently, since $p \mid q$, if $\#E(\mathbb{F}_q) \equiv 1 \pmod p$).
With these tools at hand, we are able to build an algorithm that counts the number of rational points of an elliptic curve. There are several algorithms for this task, but we will only present one, the so-called Schoof algorithm. It computes the order of the group of rational points modulo small primes and uses the Chinese Remainder Theorem to obtain the exact order. One can find more on the Chinese Remainder Theorem in Fernandes and Ricou [2004]. The $q$-th power Frobenius endomorphism presented in Definition 3.15 is also central to this algorithm.
We are now going to take a deeper look at this algorithm. From Hasse's estimate, we know that $|t| \le 2\sqrt{q}$, where $t$ is the Frobenius trace of an elliptic curve $E$ over a finite field $\mathbb{F}_q$; hence $t$ lies in an interval of length $4\sqrt{q}$ and is determined by its residue modulo any integer $M > 4\sqrt{q}$. Consider all primes $2 \le l \le l_{\max}$, where
$$l_{\max} = \min\Bigl\{p_0 \in \mathcal{P} : \prod_{l \in \mathcal{P},\; l \le p_0} l > 4\sqrt{q}\Bigr\}.$$
From the Prime Number Theorem it easily follows that the number of primes needed is $O(\log q / \log\log q)$ and that $l_{\max} = O(\log q)$. Computing $t \bmod l$ for all such primes, we use the Chinese Remainder Theorem to obtain $t$ modulo $\prod l > 4\sqrt{q}$, and hence $t$ itself as the unique representative in $[-2\sqrt{q}, 2\sqrt{q}]$.
For $l = 2$ we have to consider two cases: when 2 divides $q$ and when it does not. For the first case, by Theorem 3.5 in Schmitt and Zimmer [2003], if $2 \mid q$ then $t \equiv 0 \pmod 2$ if and only if $E$ is supersingular. This case is not of special interest since, as we will see later, supersingular curves can be attacked and are therefore not of interest for cryptographic applications. For the remaining case, if 2 does not divide $q$ then $q + 1$ is even, so $t \equiv 0 \pmod 2$ if and only if $\#E(\mathbb{F}_q)$ is even, which holds if and only if there exists a non-trivial rational point of order 2. From Silverman [2009] we know that if the characteristic of $\mathbb{F}_q$ is not 2, then $E$ can be written in the form
$$Y^2 = X^3 + aX^2 + bX + c,$$
and the points of order 2 are exactly the points $(x_0, 0)$ with $x_0$ a root of the right-hand side. Hence $E(\mathbb{F}_q)$ has a non-trivial point of order 2 if and only if the cubic $X^3 + aX^2 + bX + c$ has a root in $\mathbb{F}_q$, which can be tested by checking whether $\gcd(X^3 + aX^2 + bX + c,\, X^q - X) \ne 1$ in $\mathbb{F}_q[X]$.
Let us now recall the Frobenius endomorphism of Definition 3.15 and Proposition 3.16, and let us denote by $E[l]$ the $l$-torsion subgroup $\{P \in E(\overline{\mathbb{F}_q}) : lP = O\}$; its elements are in general not $\mathbb{F}_q$-rational. Take $\varphi_q$ as the $q$-th power Frobenius endomorphism; then for all $P \in E(\overline{\mathbb{F}_q})$ we know that
$$\varphi_q^2(P) - t\,\varphi_q(P) + qP = O.$$
Restricted to $E[l]$, only the residues of $t$ and $q$ modulo $l$ matter. Hence if there exists $\tau \in \{0, 1, \ldots, l-1\}$ such that for $P \in E[l] \setminus \{O\}$ we have
$$\varphi_q^2(P) + q_l P = \tau\,\varphi_q(P),$$
where $q_l \equiv q \pmod l$, then $t \equiv \tau \pmod l$.
Schoof's algorithm is presented as Algorithm 2. The importance of this algorithm lies in the fact that one can calculate the number of rational points in polynomial time, since the complexity of Schoof's algorithm is $O(\log^8 q)$. This result can be found in Blake et al. [1999].
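As an added example (not from the thesis, and not its Algorithm 2), the following Python code ties together Definitions 3.14 and 3.18, Theorem 3.17 and the Chinese Remainder step of Schoof's algorithm for curves $y^2 = x^3 + ax + b$ over a prime field $\mathbb{F}_p$ with $p$ odd: it counts points with the quadratic character, computes $t$, checks the Hasse bound and the supersingularity condition $p \mid t$, checks the $l = 2$ parity criterion against the roots of the cubic, chooses the primes $l \le l_{\max}$ as defined above, and recovers $t$ from its residues by the CRT and the lift into $[-2\sqrt{q}, 2\sqrt{q}]$. The residues $t \bmod l$ are taken from the brute-force value of $t$ and stand in for the $l$-torsion computation of the real algorithm; the curves and primes used are constructed test data.

```python
# Added example (not from the thesis): point counting, trace of Frobenius, Hasse bound,
# supersingularity, the l = 2 criterion and the CRT assembly step of Schoof's algorithm
# for y^2 = x^3 + a x + b over F_p, p an odd prime (assumption of this example).
# The residues t mod l come from the brute-force t, replacing the l-torsion step.
# Requires Python >= 3.8 for pow(x, -1, m).

def legendre(a, p):
    """Quadratic character of a mod p: 0, +1 (nonzero square) or -1 (non-square)."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def count_points(a, b, p):
    """#E(F_p): each x contributes 1 + chi(x^3 + a x + b) points (x, y), plus the point O."""
    return p + 1 + sum(legendre(x ** 3 + a * x + b, p) for x in range(p))

def trace_of_frobenius(a, b, p):
    """Definition 3.14: #E(F_p) = p + 1 - t."""
    return p + 1 - count_points(a, b, p)

def hasse_holds(t, q):
    """Theorem 3.17, |t| <= 2 sqrt(q), checked exactly in integers."""
    return t * t <= 4 * q

def is_supersingular(t, p):
    """Definition 3.18 over a prime field: the characteristic divides the trace."""
    return t % p == 0

def has_rational_two_torsion(a, b, p):
    """A point of order 2 is (x0, 0) with x0 a root of the cubic in F_p (brute force, small p)."""
    return any((x ** 3 + a * x + b) % p == 0 for x in range(p))

def schoof_primes(q):
    """All primes 2 <= l <= l_max, l_max the least prime with prod_{l <= l_max} l > 4 sqrt(q)."""
    primes, prod, l = [], 1, 2
    while prod * prod <= 16 * q:                  # prod <= 4 sqrt(q), without floating point
        if all(l % d for d in range(2, int(l ** 0.5) + 1)):
            primes.append(l)
            prod *= l
        l += 1
    return primes

def crt(residues, moduli):
    """x with x = r_i (mod m_i) for pairwise coprime m_i; returns (x mod M, M)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M, M

def lift_to_hasse_interval(x, M):
    """The unique t = x (mod M) with |t| <= 2 sqrt(q); unique because M > 4 sqrt(q)."""
    return x if 2 * x < M else x - M

def analyze(a, b, p):
    """Run the whole pipeline on one curve and report every intermediate quantity."""
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        raise ValueError("singular curve: 4a^3 + 27b^2 = 0 in F_p")
    t = trace_of_frobenius(a, b, p)
    ls = schoof_primes(p)
    x, M = crt([t % l for l in ls], ls)          # stands in for Schoof's per-l torsion computations
    return {"order": p + 1 - t, "t": t, "hasse": hasse_holds(t, p),
            "supersingular": is_supersingular(t, p),
            "two_torsion": has_rational_two_torsion(a, b, p),
            "primes": ls, "modulus": M, "recovered_t": lift_to_hasse_interval(x, M)}

if __name__ == "__main__":
    print(analyze(1, 1, 5))       # y^2 = x^3 + x + 1 over F_5: 9 points, t = -3, ordinary
    print(analyze(1, 0, 7))       # y^2 = x^3 + x over F_7: 8 points, t = 0, supersingular
    print(analyze(7, 11, 1009))   # larger constructed curve; recovered_t must equal t
```

For $p = 5$ the product $2 \cdot 3 = 6$ does not exceed $4\sqrt{5} \approx 8.9$ but $2 \cdot 3 \cdot 5 = 30$ does, so $l_{\max} = 5$; the residues $t \equiv 1, 0, 2 \pmod{2, 3, 5}$ combine to $27 \pmod{30}$, and the only representative in $[-2\sqrt{5}, 2\sqrt{5}]$ is $-3$. The $l = 2$ check shows the parity criterion: $t$ is odd exactly when the cubic has no root in $\mathbb{F}_p$, and the curve $y^2 = x^3 + x$ over $\mathbb{F}_7$ has $t = 0$, so it is supersingular and has the 2-torsion point $(0, 0)$.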