ON REMARKS OF LIFTING PROBLEMS FOR ELLIPTIC CURVES 1 ...

More documents

Recommendations

Info

12 HWAN JOON KIM, JUNG HEE CHEON, AND SANG GEUN HAHN may have large rank. Silverman applied Mestre’s method reversely to get elliptic curves with lower rank. But, he found that asymptotically his algorithm is virtually certain to fail, because of an absolute bound on the size of the coefficients of the linearly dependence relation satisfied by the lifting points [4]. 4.2. E 1 (Q) and Lifting Problem. Suppose that the lifted elliptic curve E of Ẽ with r linearly independent lifted points P i ’s of ˜P i ’s has the rank r. If we can find a point R of E 1 (Q) where E 1 (Q) = {P ∈ E(Q)|P ≡ O mod p}, then (E, P 1 , · · · , P r , R) becomes a good lifting of (Ẽ, ˜P 1 , · · · , ˜P r , Õ). Moreover, if R is not contained in the group generated by N p P i ’s where N p = |Ẽ(F p)|, then the dependence relation of {P 1 , · · · , P r , R} gives a non-trivial dependence relation of { ˜P 1 , · · · , ˜P r }. That is, To find a non-trivial point of E 1 (Q) solves the ECDLP. Unfortunately, any algorithm to find a non-trivial point of E 1 (Q) is not known yet except the brute force search. Therefore, we first estimate the minimum of the canonical heights of points on E 1 (Q). To make this precise, we define ɛ-difficult ECDLP. Definition 4.3. Let Ẽ be an elliptic curve defined over F p where q = |Ẽ(F p)| is a prime. Then, for given ˜P , ˜Q ∈ Ẽ(F p), we say that ˜P , ˜Q satisfy ɛ-difficult ECDLP (0 < ɛ ≤ 1) if and only if a 1 ˜P + a2 ˜Q ̸= O for all 0 < |ai | < ɛ √ q. Note that for a fixed ˜P , each solution (a 1 , a 2 ) of a 1 ˜P + a2 ˜Q = O is unique for the choice of ˜Q. Hence for a fixed ˜P and a fixed ɛ < 1/2, the number of ˜Q’s which satisfy ɛ-difficult ECDLP is greater than (1 − 4ɛ 2 )q. That is, two randomly chosen points ˜P and ˜Q satisfy ɛ-difficult ECDLP with probability greater than 1 − 4ɛ 2 . The following theorem gives the lower bound of the canonical heights of the points E 1 (Q) where E is the lifting elliptic curve associated to the points ˜P and ˜Q which satisfy ɛ-difficult ECDLP. Theorem 4.4. Suppose that ˜P , ˜Q in Ẽ(F p ) satisfy ɛ-difficult ECDLP and that (E, P 1 ,· · · ,P r ) is a lifting of (Ẽ, ˜P 1 ,· · · , ˜P r ) where P i ’s are the generators of the Mordell-Weil group E(Q)/E(Q) tor and ˜P i = x i ˜P + yi ˜Q for some integers xi , y i respectively. Then, there exists a constant c which is uniquely determined by (E, P 1 , · · · , P r ) such that ĥ(R) > cɛ2 q r 2 N 2 . for any point R of E 1 (Q) where N = max(|x i |, |y i |). Proof of Theorem. Since P i ’s are the generators of E(Q) / E(Q) tor , for any point R of E 1 (Q), there exist integers α 1 , · · · , α r such that R = α 1 P 1 + · · · + α r P r . By taking reduction modulo p with the above equation, we get (∑ xi α i ) ˜P + (∑ yi α i ) ˜Q = O.
ON REMARKS OF LIFTING PROBLEMS FOR ELLIPTIC CURVES 13 Since ˜P , ˜Q satisfy the ɛ-difficult ECDLP, we get ɛ √ ∣ ∑ ∣ ∣ ∣∣ ∣∣ ∑ ∣ ∣∣) q < max( xi α i , yi α i (7) < r max i The following lemma proves the theorem. (|x i |, |y i |) max(|α i |). Lemma 4.5. Let E be an elliptic curve defined over K and the points P 1 , · · · , P r of E(K) are linearly independent. Define the matrix where A = (a ij ) 1≤i,j≤r a ij = ĥ(P i + P j ) − ĥ(P i) − ĥ(P j), i (i, j = 1, · · · , r). If we define c k = a kk − a k A −1 k aT k (k = 1, · · · , r) where a k = (a k1 , · · · , a kk−1 , a kk+1 , · · · , a kr ) and A k is the matrix obtained by removing kth-row and kth-column in A, then, for any integers n 1 , · · · , n r , ĥ(n 1 P 1 + · · · + n r P r ) ≥ c max(n1, 2 · · · , nr) 2 where Especially, in the case of r = 2, Proof. Note that c = c(E, P 1 , · · · , P r ) = 1 2 min(c 1, · · · , c r ) > 0. c = min(ĥ(P 1), ĥ(P 2)) − (ĥ(P 1 + P 2 ) − ĥ(P 1) − ĥ(P 2)) 2 4 max(ĥ(P 1), ĥ(P . 2)) 〈P, Q〉 = ĥ(P + Q) − ĥ(P ) − ĥ(Q) is the positive-definite symmetric bilinear form on E(K)/E(K) tor . Moreover, it can be extended to 〈 , 〉 : (E(K)/E(K) tor ⊗ R) 2 → R with taking tensor product on (E(K)/E(K) tor by R [10]. For simplicity, we may assume that |n 1 | = max i (|n i |). Then if we define a ij = 〈P i , P j 〉 and x i = n i /n 1 (i = 1, · · · , r), then 〈n 1 P 1 + · · · + n r P r , n 1 P 1 + · · · + n r P r 〉 = n 2 1(a 11 + 2 ∑ a 1i x i + ∑ a ij x i x j ). i≥2 i,j≥2 Since 〈, 〉 is the positive-definite symmetric bilinear form, it is easy to show that f(x 2 , · · · , x r ) = a 11 + 2 ∑ a 1i x i + ∑ a ij x i x j i≥2 i,j≥2 has the minimum when That is, a 11 − (a 12 , · · · , a 1r )A −1 1 (a 12, · · · , a 1r ) T (x 2 , · · · , x r ) T = −A −1 1 (a 12, · · · , a 1r ) T . 2ĥ(n 1P 1 + · · · + n r P r ) = 〈n 1 P 1 + · · · + n r P r , n 1 P 1 + · · · + n r P r 〉 ≥ c 1 n 2 1.
Page 1 and 2: ON REMARKS OF LIFTING PROBLEMS FOR
Page 11: ON REMARKS OF LIFTING PROBLEMS FOR
Page 15: ON REMARKS OF LIFTING PROBLEMS FOR

ON REMARKS OF LIFTING PROBLEMS FOR ELLIPTIC CURVES 1 ...

Create successful ePaper yourself

Delete template?

Save as template?