aa r X i v : . [ m a t h . N T ] J u l A mean value formula for elliptic curves
Rongquan Feng , Hongfeng Wu LMAM, School of Mathematical Sciences, Peking University, Beijing 100871, [email protected] College of Science, North China University of technology, Beijing 100144, P.R. [email protected]
Abstract
It is proved in this paper that for any point on an elliptic curve,the mean value of x -coordinates of its n -division points is the same asits x -coordinate and that of y -coordinates of its n -division points is n times of its y -coordinate. Keywords: elliptic curves, Weierstrass ℘ -function, point multiplication,division polynomial Let K be a field with char( K ) = 2 , K be the algebraic closure of K . Every elliptic curve E over K can be written as a classical Weierstrassequation E : y = x + ax + b with coefficients a, b ∈ K . A point Q on E is said to be smooth (or non-singular) if (cid:16) ∂f∂x | Q , ∂f∂y | Q (cid:17) = (0 , f ( x, y ) = y − x − ax − b . The pointmultiplication is the operation of computing nP = P + P + · · · + P | {z } n P ∈ E and a positive integer n . The multiplication-by- n map[ n ] : E → EP nP is an isogeny of degree n . For a point Q ∈ E , any element of [ n ] − ( Q )is called an n -division point of Q . Assume that (char( K ) , n ) = 1. In thispaper, the following result on the mean value of the x, y -coordinates of allthe n -division points of any smooth point on an elliptic curve is proved. Theorem 1.
Let E be an elliptic curve defined over K , and let Q = ( x Q , y Q ) ∈ E be a point with Q = O . Set Λ = { P = ( x P , y P ) ∈ E ( K ) | nP = Q } . Then n X P ∈ Λ x P = x Q and n X P ∈ Λ y P = ny Q . According to Theorem 1, let P i = ( x i , y i ) , i = 1 , , · · · , n , be all thepoints such that nP = Q and let λ i be the slope of the line through P i and Q , then y Q = λ i ( x Q − x i ) + y i . Therefore, n y Q = n X i =1 λ i · ( n X i =1 x i ) /n − n X i =1 λ i x i + n X i =1 y i . Thus we have y Q = n P i =1 λ i n · n P i =1 x i n − n P i =1 λ i x i n + n P i =1 y i n = λ i · x i − λ i x i + y i , where λ i , x i , λ i x i , y i are the average values of the variables λ i , x i , λ i x i and y i , respectively. Therefore, Q = ( x Q , y Q ) = ( x i , λ i · x i − λ i x i + y i ) = (cid:18) x i , n y i (cid:19) . Remark:
The discrete logarithm problem in elliptic curve E is to find n bygiven P, Q ∈ E with Q = nP . The above theorem gives some informationon the integer n . 2 Proof of Theorem 1
To prove Theorem 1, define division polynomials [9] ψ n ∈ Z [ x, y, a, b ] on anelliptic curve E : y = x + ax + b , inductively as follows: ψ = 0 ,ψ = 1 ,ψ = 2 y,ψ = 3 x + 6 ax + 12 bx − a ,ψ = 4 y ( x + 5 ax + 20 bx − a x − abx − b − a ) ,ψ n +1 = ψ n +2 ψ n − ψ n − ψ n +1 , for n ≥ , yψ n = ψ n ( ψ n +2 ψ n − − ψ n − ψ n +1 ) , for n ≥ . It can be checked easily by induction that the ψ n ’s are polynomials. More-over, ψ n ∈ Z [ x, y , a, b ] when n is odd, and (2 y ) − ψ n ∈ Z [ x, y , a, b ] when n is even. Define the polynomial φ n = xψ n − ψ n − ψ n +1 for n ≥
1. Then φ n ∈ Z [ x, y , a, b ]. Since y = x + ax + b , replacing y by x + ax + b , one have that φ n ∈ Z [ x, a, b ]. So we can denote it by φ n ( x ). Notethat, ψ n ψ m ∈ Z [ x, a, b ] if n and m have the same parity. Furthermore, thedivision polynomials ψ n have the following properties. Lemma 2. ψ n = nx n − + n ( n − n + 6)60 ax n − + lower degree terms , when n is odd, and ψ n = ny (cid:18) x n − + ( n − n + 6) − ax n − + lower degree terms (cid:19) , when n is even. Proof.
We prove the result by induction on n . It is true for n <
5. Assumethat it holds for all ψ m with m < n . We give the proof only for the case for3dd n ≥
5. The case for even n can be proved similarly. Now let n = 2 k + 1be odd, where k ≥
2. If k is even, then by induction, ψ k = ky ( x k − + ( k − k +6) − ax k − + · · · ) ,ψ k +2 = ( k + 2) y ( x k k + ( k +4 k +3)( k +4 k +10) − ax k k − + · · · ) ,ψ k − = ( k − x k − k + ( k − k − k )( k − k +7)60 ax k − k − + · · · ,ψ k +1 = ( k + 1) x k k + ( k +1)( k +2 k )( k +2 k +7)60 ax k k − + · · · , By substituting y by ( x + ax + b ) , we have ψ k +2 ψ k = k ( k +2) (cid:18) x k +2 k + 4( k + 1)( k + k + 10 k + 3)60 ax k +2 k − + · · · (cid:19) , and ψ k − ψ k +1 = ( k − k +1) x k +2 k + 4 k ( k − k + 2 k + 11 k + 7)( k + 1) ax k +2 k − + · · · . Therefore ψ k +1 = ψ k +2 ψ k − ψ k − ψ k +1 = (2 k + 1) x k +2 k + (2 k +1)(4 k +4 k )(4 k +4 k +7)60 ax k +2 k − + · · · = (2 k + 1) x (2 k +1)2 − + (2 k +1)((2 k +1) − k +1) +6)60 ax (2 k +1)2 − + · · · The case when k is odd can be proved similarly.The following corollary follows immediately from Lemma 2. Corollary 3. ψ n = n x n − − n ( n − n + 6)30 ax n − + · · · , and φ n = x n − n ( n − ax n − + · · · . roof of Theorem 1: Define ω n as4 yω n = ψ n +2 ψ n − − ψ n − ψ n +1 . Then for any P = ( x P , y P ) ∈ E , we have ([9]) nP = (cid:18) φ n ( x P ) ψ n ( x P ) , ω n ( x P , y P ) ψ n ( x P , y P ) (cid:19) . If nP = Q , then φ n ( x P ) − x Q ψ n ( x P ) = 0. Therefore, for any P ∈ Λ, the x -coordinate of P satisfies the equation φ n ( x ) − x Q ψ n ( x ) = 0. From Corollary3, we have that φ n ( x ) − x Q ψ n ( x ) = x n − n x Q x n − + lower degree terms . Since ♯ Λ = n , every root of φ n ( x ) − x Q ψ n ( x ) is the x -coordinate of some P ∈ Λ. Therefore X P ∈ Λ x P = n x Q by Vitae’s Theorem.Now we prove the mean value formula for y -coordinates. Let K be thecomplex number field C first and let ω and ω be complex numbers whichare linearly independent over R . Define the lattice L = Z ω + Z ω = { n ω + n ω | n , n ∈ Z } , and the Weierstrass ℘ -function by ℘ ( z ) = ℘ ( z, L ) = 1 z + X ω ∈ L,ω =0 (cid:18) z − ω ) − ω (cid:19) . For integers k ≥
3, define the Eisenstein series G k by G k = G k ( L ) = X ω ∈ L,ω =0 ω − k . Set g = 60 G and g = 140 G , then ℘ ′ ( z ) = 4 ℘ ( z ) − g ℘ ( z ) − g . E be the elliptic curve given by y = 4 x − g x − g . Then the map C /L → E ( C ) z (cid:0) ℘ ( z ) , ℘ ′ ( z ) (cid:1) ,
7→ ∞ , is an isomorphism of groups C /L and E ( C ). Conversely, it is well known [9]that for any elliptic curve E over C defined by y = x + ax + b , there is alattice L such that g ( L ) = − a, g ( L ) = − b and there is an isomorphismbetween groups C /L and E ( C ) given by z (cid:0) ℘ ( z ) , ℘ ′ ( z ) (cid:1) and 0
7→ ∞ .Therefore, for any point ( x, y ) ∈ E ( C ), we have ( x, y ) = (cid:0) ℘ ( z ) , ℘ ′ ( z ) (cid:1) and n ( x, y ) = (cid:0) ℘ ( nz ) , ℘ ′ ( nz ) (cid:1) for some z ∈ C .Let Q = (cid:0) ℘ ( z Q ) , ℘ ′ ( z Q ) (cid:1) for a z Q ∈ C . Then for any P i ∈ Λ, 1 ≤ i ≤ n ,there exist integers j, k with 0 ≤ j, k ≤ n −
1, such that P i = (cid:18) ℘ (cid:18) z Q n + jn ω + kn ω (cid:19) , ℘ ′ (cid:18) z Q n + jn ω + kn ω (cid:19)(cid:19) . Thus n − X j,k =0 ℘ (cid:18) z Q n + jn ω + kn ω (cid:19) = n ℘ ( z Q )which comes from n P i =1 x i = n x Q . Differential for z Q , we have n − X j,k =0 ℘ ′ (cid:18) z Q n + jn ω + kn ω (cid:19) = n ℘ ′ ( z Q ) . That is n X i =1 y i = n y Q . Secondly, let K be a field of characteristic 0 and let E be the elliptic curveover K given by the equation y = x + ax + b . Then all of the equationsdescribing the group law are defined over Q ( a, b ). Since C is algebraicallyclosed and has infinite transcendence degree over Q , Q ( a, b ) can be consideredas a subfield of C . Therefore we can regard E as an elliptic curve definedover C . Thus the result follows. 6t last assume that K is a field of characteristic p . Then the elliptic curvecan be viewed as one defined over some finite field F q , where q = p m for someinteger m . Without loss of generality, let K = F q for convenience. Let K ′ = Q q be an unramified extension of the p -adic numbers Q p of degree m ,and let E be an elliptic curve over K ′ which is a lift of E . Since ( n, p ) = 1,the natural reduction map E [ n ] → E [ n ] is an isomorphism. Now for anypoint Q ∈ E with Q = O , we have a point Q ∈ E such that the reductionpoint is Q . For any point P i ∈ E ( K ) with nP i = Q , its lifted point P i satisfies nP i = Q and P i = P j whenever P i = P j . Thus n X i =1 y ( P i ) = n y ( Q )since K ′ is a field of characteristic 0. Therefore the formula n P i =1 y i = n y Q holds by the reduction from E to E . Remark: (1) The result for x -coordinate of Theorem 1 holds also for the ellipticcurve defined by the general Weierstrass equation y + a xy + a y = x + a x + a x + a .(2) The mean value formula for x -coordinates was given in the first versionof this paper [3] with a slightly complicated proof. The formula for y -coordinates was conjectured by D. Moody based on [3] and numericalexamples in a personal email communication [6].(3) Recently, some mean value formulae for twisted Edwards curves [1, 2]and other alternate models of elliptic curves were given by [7] and [8]. Let E be an elliptic curve over K given by the Weierstrass equation y = x + ax + b. Then we have a non-zero invariant differential ω = dxy . Let φ ∈ End( E ) be a nonzero endomorphism. Then φ ∗ ω = ω ◦ φ = c φ ω for some c φ ∈ K ( E ) since the space Ω E of differential forms on E is a 1-dimensional7 ( E )-vector space. Since c φ = 0 and div( ω ) = 0, we havediv( c φ ) = div( φ ∗ ω ) − div( ω ) = φ ∗ div( ω ) − div( ω ) = 0 . Hence c φ has neither zeros nor poles and c φ ∈ K . Let ϕ and ψ be two nonzeroendomorphisms, then c ϕ + ψ ω = ( ϕ + ψ ) ∗ ω = ϕ ∗ ω + ψ ∗ ω = c ϕ ω + c ψ ω = ( c ϕ + c ψ ) ω. Therefore, c ϕ + ψ = c ϕ + c ψ . For any nonzero endomorphism φ , set φ ( x, y ) =( R φ ( x ) , yS φ ( x )), where R φ and S φ are rational functions. Then c φ = R ′ φ ( x ) S φ ( x ) , where R ′ φ ( x ) is the differential of R φ ( x ). Especially, for any positive integer n , the map [ n ] on E is an endomorphism. Set [ n ]( x, y ) = ( R n ( x ) , yS n ( x )).From c [1] = 1 and [ n ] = [1] + [( n − c [ n ] = R ′ n ( x ) S n ( x ) = n. For any Q = ( x Q , y Q ) ∈ E , and any P = ( x P , y P ) ∈ Λ = { P = ( x P , y P ) ∈ E ( K ) | nP = Q } , we have y P = y Q S n ( x P ) . Therefore, Theorem 1 gives X P ∈ Λ S n ( x P ) = X P ∈ Λ y P y Q = 1 y Q X P ∈ Λ y P = n . Thus X P ∈ Λ R ′ n ( x P ) = X P ∈ Λ n · S n ( x P ) = 1 n X P ∈ Λ S n ( x P ) = n , and X P ∈ Λ x Q R ′ n ( x P ) = x Q X P ∈ Λ R ′ n ( x P ) = n x Q = X P ∈ Λ x P . eferenceseferences