52 Things: Number 12: What is the elliptic curve group law?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know' to do Cryptography: a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. We continue the Mathematical Background section by introducing the Elliptic Curve Group Law...

The Elliptic Curve group law is a method by which a binary operation is defined on the set of rational points of an elliptic curve to form a group. Now, let's go through what that actually means, and what it's used for. Thanks to Dr Dan Page for providing the group law diagram.
An Elliptic Curve and its rational points
An Elliptic Curve is a cubic equation in two variables over some mathematical field. They can be written in various forms, but over most fields [1] can be written in short Weierstrass form:

$$E : y^2 = x^3 + ax + b$$

For now we will assume that we are working in the field of real numbers, and ignore any complications that come from using finite fields. With some simple requirements on $a, b$ (specifically, that $27b^2 \neq -4a^3$, i.e. the discriminant $4a^3 + 27b^2$ is non-zero, which rules out curves with a cusp or a self-intersection) this is an elliptic curve.

The set of points that will be elements of our group are going to be the rational points of the elliptic curve. This is simply the collection of points $(x, y)$ that satisfy the curve equation where both $x, y$ are rational. So, that's the set of $(x, y) \in \mathbb{Q}^2$ where $y^2 = x^3 + ax + b$. For reasons that will become clear, we also include a point at infinity [2].
Adding a Group Law to an elliptic curve
The simplest way to describe the relation we're going to add to the set of rational points is with a diagram:
[Figure: Elliptic Curve (blue) with two points (P, Q) and their sum (P+Q) plotted, along with construction lines (red)]
So, to add $P$ and $Q$, we draw the line through $P$ and $Q$ and let $T = (T_x, T_y)$ be the third point at which this line meets the curve. Then $P + Q = (T_x, -T_y)$. To add a point to itself, we take the tangent line at that point instead. Now, the surprising fact is that this operation defines a group, with the point at infinity as the neutral element.

Most of the requirements of being a group are easy to see geometrically [3]. For example, it is easy to find the inverse of an element. In the diagram above $(P+Q) + T = 0$, because the line from $T$ to $(P+Q)$ is vertical and so has its third intersection at infinity, and hence $(P+Q) = -T$. In fact, for any elliptic curve in short Weierstrass form, to negate a point we simply change the sign of its y-coordinate.
Is that all there is to it?
Pretty much yes. The same method holds over finite fields, although in this case it tends to be simpler to think of the group's operation as an algebraic construct rather than a geometrical one, since elliptic curves over finite fields do not have such an intuitive structure: "draw the line through $P$ and $Q$" becomes "compute the slope $\lambda = (y_Q - y_P)/(x_Q - x_P)$, or $\lambda = (3x_P^2 + a)/(2y_P)$ for the tangent, with the division done by a modular inverse". Also, we don't need to view curves in short Weierstrass form, since there are many different coordinate schemes and equations that represent the same curve. Indeed, some choices of curve and coordinate system assist us in doing certain types of computation (projective coordinates, for instance, avoid the costly inverse in every addition).
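As an added example, not code from the original post, here is the chord-and-tangent rule of the previous section written out algebraically over a prime field $\mathbb{F}_p$, which is the form it takes in practice. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$ and the point $P = (3, 6)$ are constructed for illustration, and the `Curve` class and its method names are this example's own. It checks the non-singularity condition from above, implements negation, addition, doubling and scalar multiplication, and verifies that every result still lies on the curve.

```python
# Added example (not from the original post): the chord-and-tangent group law
# on a short Weierstrass curve y^2 = x^3 + a*x + b over a prime field F_p,
# p != 2, 3, in affine coordinates. Class and function names are this
# example's own; the curve and points below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

# A point is an (x, y) pair of field elements; None stands for the point at
# infinity O, the neutral element of the group.
Point = Optional[Tuple[int, int]]


@dataclass(frozen=True)
class Curve:
    p: int  # field prime
    a: int
    b: int

    def __post_init__(self) -> None:
        if self.p in (2, 3):
            raise ValueError("short Weierstrass form needs characteristic != 2, 3")
        # Non-singularity condition from the post: 27 b^2 != -4 a^3,
        # i.e. the discriminant 4 a^3 + 27 b^2 is non-zero in F_p.
        if (4 * pow(self.a, 3, self.p) + 27 * pow(self.b, 2, self.p)) % self.p == 0:
            raise ValueError("singular curve: 4a^3 + 27b^2 == 0 (mod p)")

    def on_curve(self, P: Point) -> bool:
        """Membership test; O is on every curve by convention."""
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-P: flip the sign of the y-coordinate (reflection in the x-axis)."""
        if P is None:
            return None
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """P + Q by the chord (P != Q) or tangent (P == Q) construction."""
        if P is None:
            return Q
        if Q is None:
            return P
        # Reject points that are not on the curve: the formulas below would
        # happily compute with them, and in a scalar multiplication that is
        # exactly what an invalid-curve attack exploits.
        if not (self.on_curve(P) and self.on_curve(Q)):
            raise ValueError("input point not on the curve")
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            # Q == -P: the line through them is vertical and its third
            # intersection is the point at infinity.
            return None
        if (x1, y1) == (x2, y2):
            # Tangent slope (3x^2 + a) / (2y); y != 0 here, since y == 0
            # would mean P == -P and was caught above.
            num, den = (3 * x1 * x1 + self.a) % self.p, (2 * y1) % self.p
        else:
            # Chord slope (y2 - y1) / (x2 - x1); x1 != x2 here.
            num, den = (y2 - y1) % self.p, (x2 - x1) % self.p
        lam = num * pow(den, -1, self.p) % self.p  # modular inverse (Python 3.8+)
        # Third intersection T of the line with the curve, then reflect it:
        # T_x = lam^2 - x1 - x2, T_y = lam*(T_x - x1) + y1, P + Q = (T_x, -T_y).
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P for k >= 0 by double-and-add (not constant-time: demo only)."""
        if k < 0:
            raise ValueError("k must be non-negative")
        R: Point = None
        Q = P
        while k:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def order_of(self, P: Point, bound: int) -> int:
        """Smallest n >= 1 with n*P == O, searching up to `bound`."""
        R = P
        for n in range(1, bound + 1):
            if R is None:
                return n
            R = self.add(R, P)
        raise ValueError("order not found within bound")


# Constructed example: E: y^2 = x^3 + 2x + 3 over F_97 and P = (3, 6).
E = Curve(p=97, a=2, b=3)
P: Point = (3, 6)

if __name__ == "__main__":
    for k in range(1, 7):
        print(f"{k}P = {E.mul(k, P)}")
    print("order of P:", E.order_of(P, 200))
```

Running it gives $2P = (80, 10)$, $3P = (80, 87)$, $4P = (3, 91) = -P$ and $5P = 0$, so $P$ generates a subgroup of order 5; note that $3P$ and $2P$ share an x-coordinate and differ only in the sign of y, exactly as the negation rule above predicts. The `on_curve` check inside `add` is the validation a real implementation performs on untrusted input points, and the double-and-add loop is written for clarity rather than constant time, which is why it should not be copied into code that handles secret scalars.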
What's that got to do with Cryptography?
It turns out that over certain finite fields the Elliptic Curve Group has several nice properties for cryptographers. There are a surprisingly large number of curve and field pairs where it's not too costly to do group computations [4], but for which the various discrete log or Diffie-Hellman problems (see last week's blog) are hard. Moreover, compared to using large multiplicative groups (e.g. RSA groups) the field elements one computes with are much smaller: a curve over a 256-bit field offers security comparable to a 3072-bit RSA modulus. Putting all these together, elliptic curves allow cryptographers to efficiently compute keys, signatures and ciphertexts that are much smaller than those created by alternative means without reducing security.
- [1] Specifically, fields of characteristic not equal to 2 or 3. That is, fields where $2 \neq 0$ and $3 \neq 0$. Unfortunately, this obviously means that the results we discuss won't hold in binary fields, but that is rather beyond the scope of this post.
- [2] Justification for this comes from considering the elliptic curve as a curve in projective space, but for now it suffices that such a point exists.
- [3] Associativity is by far the most complicated to show. This diagram on Wikipedia explains the concept behind the proof, although the details are rather involved.
- [4] Even as I write this, I'm sure someone will question the validity of this claim, but it is true that compared to many groups that one could construct in which the required problems are sufficiently hard, point arithmetic on an elliptic curve is comparatively tractable.