Updated write-up

.gitignore

@@ -18,4 +18,6 @@ primecurves/primecurves.egg-info/top_level.txt
 *.bbl
 *.blg
 *.gz
-*.toc
+*.toc
+*.cpp
+*.hpp

latex/bibliography.bib

@@ -1,6 +1,65 @@
-@book{Example,
-  author =	 "Person, Fake",
-  title =	 "A Book",
-  year =	 1992,
+%%% CITATION SYNTAX - ~\cite{hank}
+
+@book {gouvea,
+    AUTHOR = {Gouv{\^e}a, Fernando Q.},
+     TITLE = {{$p$}-adic numbers},
+    SERIES = {Universitext},
+      NOTE = {An introduction},
+ PUBLISHER = {Springer-Verlag, Berlin},
+      YEAR = {1993},
+     PAGES = {vi+282},
+      ISBN = {3-540-56844-1},
+   MRCLASS = {11S80 (11-01 11S85 12J25 30G06)},
+  MRNUMBER = {1251959 (95b:11111)},
+MRREVIEWER = {Daniel Barsky},
+       DOI = {10.1007/978-3-662-22278-2},
+       URL = {http://dx.doi.org/10.1007/978-3-662-22278-2},
+}
+
+@book {hank,
+    AUTHOR = {Hankerson, Darrel and Menezes, Alfred and Vanstone, Scott},
+     TITLE = {Guide to elliptic curve cryptography},
+    SERIES = {Springer Professional Computing},
+ PUBLISHER = {Springer-Verlag, New York},
+      YEAR = {2004},
+     PAGES = {xx+311},
+      ISBN = {0-387-95273-X},
+   MRCLASS = {94A60 (11T71 14G50 94-02)},
+  MRNUMBER = {2054891 (2005c:94049)},
+MRREVIEWER = {Steven D. Galbraith},
 }
 
+@book {silv,
+    AUTHOR = {Silverman, Joseph H.},
+     TITLE = {The arithmetic of elliptic curves},
+    SERIES = {Graduate Texts in Mathematics},
+    VOLUME = {106},
+ PUBLISHER = {Springer-Verlag, New York},
+      YEAR = {1986},
+     PAGES = {xii+400},
+      ISBN = {0-387-96203-4},
+   MRCLASS = {11G05 (14Gxx 14K07 14K15)},
+  MRNUMBER = {817210 (87g:11070)},
+MRREVIEWER = {Robert S. Rumely},
+       DOI = {10.1007/978-1-4757-1920-8},
+       URL = {http://dx.doi.org/10.1007/978-1-4757-1920-8},
+}
+
+@article {smart,
+    AUTHOR = {Smart, N. P.},
+     TITLE = {The discrete logarithm problem on elliptic curves of trace
+              one},
+   JOURNAL = {J. Cryptology},
+  FJOURNAL = {Journal of Cryptology. The Journal of the International
+              Association for Cryptologic Research},
+    VOLUME = {12},
+      YEAR = {1999},
+    NUMBER = {3},
+     PAGES = {193--196},
+      ISSN = {0933-2790},
+     CODEN = {JOCREQ},
+   MRCLASS = {11G20 (11T71 94A60)},
+  MRNUMBER = {1698180 (2000b:11069)},
+       DOI = {10.1007/s001459900052},
+       URL = {http://dx.doi.org/10.1007/s001459900052},
+}

latex/elliptic-curve-basics.tex

@@ -1,11 +1,17 @@
-\chapter{Elliptic Curve Basics}%
+%\chapter{Elliptic Curves}%
 \label{sec:elliptic-curves}
 
+\section{Introduction to Elliptic Curves}
 % Weierstrass equation
 \begin{defn}
 Let $K$ be a field. An $\textbf{elliptic curve $E$ over $K$}$ is defined by an equation:
 $$E : y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$$
-where $a_1, a_2, a_3, a_4, a_6 \in K$ and the $\textbf{discriminant}$ $\Delta$ is non-zero. This equation is called a $\textbf{Weierstrass equation}$.
+where $a_1, a_2, a_3, a_4, a_6 \in K$ and the $\textbf{discriminant}$ $\Delta$\footnote{If you must know, $$\Delta = -d^2_2d_8 - 8d^3_4 - 27d_6^2 + 9d_2d_4d_6$$ } is non-zero. This equation is called a $\textbf{Weierstrass equation}$.
+
+When char$(K) \neq 2, 3$, we can change variables
+to arrive at the simplified Weierstrass equation:
+$$ E : y^2 = x^3 + ax + b $$
+where $a, b \in K$. 
 \end{defn}
 
 % L-rational points
@@ -16,6 +22,11 @@ \chapter{Elliptic Curve Basics}%
 The set of L-rational points is denoted $E(L)$.
 \end{defn}
 
+An elliptic curve can be defined over any field $K$, but in cryptography we generally restrict $K$ to be a finite field $F_q$ where
+$q = p^n$, for $p$ prime and $n \in \Z_{>0}$. In this paper we will restrict ourselves even further to prime fields
+$\F_p$ where $p \neq 2, 3$, and to an infinite field $\Q_p$ (the $p$-adics), which have characteristic 0. This means we will always be able to use the
+simplified equation given in the first definition above.
+
 % Trace of Frobenius
 \begin{defn}
 Let $E$ be an elliptic curve over a finite field $\finfield$. The $\textbf{trace of Frobenius}$ t is defined by:
@@ -27,3 +38,76 @@ \chapter{Elliptic Curve Basics}%
 The trace of Frobenius is equal to one if and only if $E(\finfield)$ has exactly $q$ elements. This has important implications
 for cryptography, as we will see.
 \end{rmk}
+
+\subsection{The group law}
+\todo[inline, caption={Geometric group law}]{Describe geometric group law and how it motivates algebraic one. Possibly add
+figures to motivate this.}
+\begin{defn} Let $E(K)$ be an elliptic curve over a field $K$ with $char(K) \neq 2, 3$ defined by $y^3 =x^3  ax + b$ with point at infinity $\OO$. Let
+ $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ be points on $E(K)$. Then:
+\begin{enumerate}
+\item(Identity.)
+$\OO + P = P$ and $P + \OO = P$.
+\item(Additive inverses.)
+The additive inverse of $P$, denoted $-P$, is in $E(K)$, and
+$P + (-P) = \OO$.
+\item{(Point Doubling.)}
+If P is not its own inverse, then $P + P = 2P = (x_{2P}, y_{2P})$ where
+$$x_{2P} = N^2 - 2 x_P, $$
+$$y_{2P} = N(x_P - x_{2P}) - y_P,$$
+$$N = \frac{3x_P^2 + a}{2y_P}.$$
+\item(Point Addition.)
+If  $P \neq Q$ and $P \neq -Q$ then
+$P + Q = R = (x_{R}, y_{R})$ where
+$$x_{R} = M^2 - x_P - x_Q,$$
+$$y_{R} = M * (x_P - x_{R}) - y_P,$$
+ $$M = \frac{y_Q - y_P}{x_Q - x_P}.$$
+
+\end{enumerate}
+
+\end{defn}$E(K)$ is an abelian group under this group law.
+\begin{note}
+Let $P$ be a point on an elliptic curve. We use the notation $[n]P$ to denote scalar multiplication of $P$ by a non-zero integer $n$. In other words, $$[n]P = P + P + ... + P \  \mathrm{(n \ times)}.$$
+\end{note}
+
+\subsection{Projective space and projective coordinates}
+
+
+\subsection{The Elliptic Curve Discrete Logarithm Problem}
+The interesting thing about elliptic curves with regards to cryptography
+is that their structure can be used to construct a "one-way" function.\footnote{In this case one-way is in quotes because the problem is only hard in
+certain cases, and there is no guarantee that there is not some clever way to render the
+general problem easy.}
+ A one-way function is one that is easy to perform but hard to undo (i.e., it is difficult to retrieve the input,
+given an output). 
+\begin{defn}[Elliptic Curve Discrete Logarithm Problem]
+Let $E$ be an elliptic curve over a finite field $\F_q$, and let $P$ be a point on $E$. Suppose we have a point $Q$
+on $E$ that is some scalar multiple of $P$, i.e.,
+$$[n]P = Q, \ \ \ \  n \in \NN. $$
+The \textbf{elliptic curve discrete logarithm problem} (ECDLP) is to determine the natural number $n$, given $E$, $P$
+and $Q$.
+\end{defn}
+
+On the other hand, the problem of determining $[n]P$ given $n$ and $P$ is not hard. One simple (to describe)
+way to do this is by using successive squaring.
+
+\begin{defn}[Successive Squaring for Elliptic Curves].
+Suppose we have an elliptic curve $E(K)$, a point $P \in E(K)$ and a nonnegative integer $n$.
+We can compute $[n]P$ recursively by calling SuccessiveSquare($n$, $P$). The analogue of
+squaring for elliptic curves is doubling.\\ \\
+SuccessiveSquare(nonnegative integer $m$, point on elliptic curve $Q$): \todo{Fix formatting here}
+\begin{enumerate}
+\item
+If m = 0, return $\OO$.
+\item
+If m = 1, return $Q$.
+\item
+If $n$ is even, return $[m/2](2Q)$ by calling SuccessiveSquare$(n / 2, 2Q)$.
+\item
+If $n$ is odd, return $[(m - 1)/2](2Q)$ by calling SuccessiveSquare( $(m-1) / 2, 2Q$) and add $Q$.
+\end{enumerate}
+This asymptotic run-time of this algorithm is $O(\log{n})$, a considerable improvement on
+brute force computation of $P + P + P + ...$ which takes $O(n)$ time. There are even faster
+algorithms for this computation that we do not describe here.
+\end{defn}
+
+

latex/formal-log.tex

@@ -1,5 +1,5 @@
-\chapter{Formal Power Series and Formal Logarithm}%
-\label{sec:formal-log}
+%\chapter{Formal Power Series and Formal Logarithm}%
+%\label{sec:formal-log}
 
 \section{Formal Power Series}
 
@@ -8,5 +8,4 @@ \section{Formal Power Series}
 \end{defn}
 
 
-\section{Formal Logarithm}
-Hello
+\section{Formal Logarithm}

latex/intro.tex

@@ -3,7 +3,7 @@ \chapter{Introduction}%
 
 \section{What is an elliptic curve?}
 
-An elliptic curve is wisdom. ~\cite{Example}
+An elliptic curve is wisdom. ~\cite{hank}
 
 \pagebreak
 

latex/math-bg.tex

@@ -0,0 +1,6 @@
+\chapter{Background}
+\label{sec:background}
+
+\input{elliptic-curve-basics}
+\input{formal-log}
+\input{p-adics}

latex/p-adics.tex

@@ -1,8 +1,10 @@
-\chapter{P-adic numbers}%
 \label{sec:p-adics}
+\section{The $p$-adics}
 
-\section{The p-adics}
-
+The $p$-adics $\Q_p$ are an alternate completion of the rationals $\Q$, with respect to the $p$-adic absolute value.
+\footnote{The standard completion of $\Q$, of course, is $\R$ with respect
+to the familiar absolute value} They will be useful in our discussion of solving ECDLP for curves of trace one.
+\todo{Introduce what p-adics look like here?}
 \begin{defn}
 For a rational number $a$ and a prime number $p$, separate out all factors of $p$ from $a$ and write: $$ a = p^r \dfrac{m}{n} $$ where $r$, $m$ and $n$ are integers, and $p$ does not divide $m$ or $n$. The exponent $r$ is called the $\textbf{p-adic ordinal}$ of $a$, denoted $\text{ord}_p(a)$.
 \end{defn}
@@ -25,6 +27,12 @@ \section{The p-adics}
 The p-adic absolute value is a norm on $\Q$, and induces a metric $$d_p(a, \ b) = | a - b |_p$$ for $a, b \in \Q$.
 \end{prop}
 
+\begin{pf}
+\todo{Prove this!}
+\end{pf}
+
+\todo[inline, caption="p-adic comment"]{Explain why we don't really detailed proofs of Cauchy sequences etc}
+
 \begin{defn}
 A p-adic number $a$ is called a $\textbf{p-adic integer}$ if $ord_p(a) \ge 0$. The set of all p-adic integers is
 denoted $\Z_p$.
@@ -33,3 +41,39 @@ \section{The p-adics}
 \begin{rmk}
 A p-adic integer is always of the form $$a_0 + a_1p + a_2p^2 + ... ,$$ i.e., all powers of $p$ are non-negative.
 \end{rmk}
+
+\subsection{Computing lifts and reducing modulo $p$}
+Since $\Q_p$ is a field with characteristic 0, we can talk about elliptic curves over the $p$-adics, and all of the
+theory we built up in the previous sections applies.
+
+\todo{Describe computation of lifts}
+
+Going the other way is simple. We define a map from $E(\Q_p)$ to $\tilde{E}(\F_p)$
+by reducing a point modulo $p$, i.e, extracting its $a_0$ term.
+\todo{more on reduction mod p}
+
+\subsection{More about elliptic curves over $\Q_p$}
+
+\begin{defn}
+Let $E(\Q_p)$ be an elliptic curve. The group $E_1(\Q_p)$ is defined to be:
+$$ E_1(\Q_p) = \{ P \in E(\Q_p) \ | \ \tilde{P} = \OO  \}. $$
+In words, $E_1$ is the set of points on $E$ that reduce modulo $p$ to $\OO$.
+This leads naturally to the following proposition:
+\end{defn}
+
+\begin{prop}
+$$E(\Q_p) / E_1(\Q_p) \simeq E(\F_p).$$
+\end{prop}
+
+\begin{pf}
+Define a map $r: E(\Q_p) \to E(F_p)$ where $r(P) = \tilde{P}$. \todo{Prove this is a homomorphism} By definition,
+the kernel of this map is $E_1(\Q_p)$. The result follows from the First Isomorphism Theorem.
+\end{pf}
+
+\begin{defn}
+The subgroup $E_n$ (for $n \in N$) of $E(\Q_p)$  is defined:
+$$ E_n(\Q_p) = \{ P \in E(\Q_p) \ | \ \mathrm{ord}_p(x_P) \le -2n \} \cup \{ \OO \}, $$
+where $x_P$ is the x-coordinate of $P$.
+\end{defn}
+
+

latex/projective-space.tex

@@ -0,0 +1 @@
+\section{Projective Space}

latex/smart-discussion.tex

@@ -0,0 +1,71 @@
+\chapter{Discrete Logarithm on Elliptic Curves of Trace One}
+\label{sec:trace-one}
+
+In this section we will see that elliptic curves of trace one should not be used for cryptography, because there is a subexponential algorithm
+for solving the ECDLP in this case. This algorithm was initially proposed by Nigel Smart in ~\cite{smart}.
+
+Recall that if $E$ is an elliptic curve over a field $\F_q$, then having trace one means that:
+$$ \#E(\F_p) = p.$$
+In words, the number of group elements is the same as the number of elements in the
+underlying prime field.
+
+Throughout this section, we will work with a toy example so that the computations can be
+shown in full. 
+
+\begin{ex}[Setup]
+
+Let $E$ be defined over $F_7$ by the equation:
+$$ y^2 = x^3 + 6x + 5.$$
+This is an elliptic curve because the discriminant $\Delta = -16 (4 \cdot 6^3 + 27 \cdot 5^2) = -24624 \neq 0.$\footnote{The equation for the discriminant simplifies to
+$$\Delta = -16(4a^3 + 27b^2)$$
+for $E(K)$ with with char($K$)$\neq 2, 3$. Here char($\F_7$) = 7.} 
+
+\pagebreak
+
+The points satisfying $E$ are:
+
+\begin{table}[h]
+\centering
+\begin{tabular}{llll}
+$\OO$     & (2, 2) & (2, 5) & (3, 1) \\
+(3, 6) & (4, 3) & (4, 4). &        
+\end{tabular}
+\end{table}
+$E$ has $7$ points, so it has trace one.
+
+Now let $\tilde{P} = (2, 5)$ and $\tilde{Q} = (4, 3)$. Suppose we know that
+$$ [n]\tilde{P} = \tilde{Q} $$
+for some natural number $n$ (this is indeed the case). How can we solve the discrete log problem and determine $n$?
+\end{ex}
+
+We do not have a (known) direct way of computing logarithms in $\F_p$, but we do have a way in the $p$-adics $Q_p$.
+
+\begin{ex}[Computation of lifts]
+We compute the lifts of $\tilde{P}$ and $\tilde{Q}$ in $E(\F_7)$ to $P$ and $Q$  in $E(\Q_7)$. \\
+We know $\tilde{P} = (2, 5)$ and we want to solve for $P = (x, y)$.
+We choose $x = 2$. We want to solve for the first two coefficients $a_0$ and $a_1$ of the $p$-adic expansion of $y = a_0 + a_1p + ...$. Since $y$ must reduce
+to $5$, we let $a_0 = 5$.We use our formula for $a_1$:
+$$ a_1 = -\frac{f(2, 5)}{7 * (2*5)} = \frac{5^2 - 2^3 - 6*2- 5}{70} = 0 ? $$
+COMMENT : Is this wrong, or is it the anomalous case Smart mentioned?
+Using a similar method, we determine that $Q = $. TODO
+\end{ex}
+
+\begin{ex}[Scalar multiplication by $p$]
+We compute $[7]P$ and $[7]Q$.
+TODO
+%Since char($\Q_7$) = 0, we can use the simplified addition law introduced on page \pageref{sec:elliptic-curves}.
+\end{ex}
+
+\begin{rmk}
+$E_1(\Q_p)$ can be defined in this way as well. EXPLAIN WHY. \\
+QUESTION: $E_0(\Q_p)$ is the same as $E(\Q_p$?
+\end{rmk}
+
+\begin{defn}
+For $E$ an elliptic curve over $\Q_p$, we define $\hat{E}(p\Z_p)$ to be the set $p\Z_p$ with
+addition law:
+$$ x \oplus y = F(x, y) \mathrm{ \ for \ all  \ } x, y \in p\Z_p, $$
+where $F$ is the formal power series:
+$$ F(x, y) = x + y - ...$$ TODO : figure out what this is in the simplified case
+\end{defn}
+

latex/thesis-wrapper.tdo

@@ -0,0 +1,8 @@
+\contentsline {todo}{Geometric group law}{3}
+\contentsline {todo}{Fix formatting here}{4}
+\contentsline {todo}{Introduce what p-adics look like here?}{5}
+\contentsline {todo}{Prove this!}{6}
+\contentsline {todo}{"p-adic comment"}{6}
+\contentsline {todo}{Describe computation of lifts}{6}
+\contentsline {todo}{more on reduction mod p}{6}
+\contentsline {todo}{Prove this is a homomorphism}{6}