Test 2 Solutions

1. (a) Explain the elliptic curve factoring method. (What do you do to carry it out?
Why does it work?)
To factor $N$, one randomly picks a point $P = (a, b) \in \mathbb{Z}_N^2$ and $A \in \mathbb{Z}_N$, then lets
$B = b^2 - (a^3 + Aa) \in \mathbb{Z}_N$ so that $P$ is a point on $E : y^2 = x^3 + Ax + B$. Then
we compute a sequence of points $P_n$ where $P_1 = P$ and $P_n = nP_{n-1}$, so that
$P_n = (n!)P$. We look for a step in computing $P_n$ where a denominator cannot be
inverted mod $N$, but is also non-zero mod $N$. Taking its gcd with $N$ then gives
a nontrivial factor.
Suppose $N = pq$ where $p$ and $q$ are distinct primes. Then $E(\mathbb{Z}_N) \cong E(\mathbb{Z}_p) \times E(\mathbb{Z}_q)$.
We hope that the order of $P$ modulo one of these primes is such that it divides
$n!$ with $n$ not very large. If its order mod $p$ divides $n!$ but its order mod $q$ does
not, then we succeed because we are getting the point at infinity modulo $p$, but
not modulo $q$.
(b) Explain why it may be better than the $p - 1$ method.
The main advantage is that it can be run on many different elliptic curves. The
curves will typically have groups of different orders, and we just need one curve on
which the order of our random point mod $p$ is smooth (divisible by only small primes, so it
divides $n!$ with $n$ not too large). With the $p - 1$ method, one is working with only
one group, and if $p - 1$ is not smooth for each prime $p$ dividing $N$, it will fail.
In fact, one can construct $N$ to make the $p - 1$ method impractical, but there are too many
elliptic curves modulo $N$ to prevent the elliptic curve method from working.
2. Suppose $E : y^2 = x^3 + Ax + B$ is an elliptic curve over $\mathbb{Z}_p$. Given a message $M$,
describe how it can be encoded as a point on $E$.
We may have to first divide $M$ into blocks and convert each into a number, but we now
take $M$ to be an integer $0 \le M < p/100 - 1$. Then we try successive $j$ with $0 \le j < 100$,
let $x_j = 100M + j$ and check to see if this is an $x$-coordinate of a point on our curve.
We stop at the first value which works. Note, $0 \le x_j < 100(p/100 - 1) + 99 = p - 1$.
If all 100 values fail, we give up, but this happens with probability less than $1/2^{100} \approx
8 \cdot 10^{-31}$.
The receiver then takes the point $P = (x, y)$, and computes $\lfloor x/100 \rfloor$ and recovers $M$.
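The encoding and decoding just described, including the block-splitting step, as an added example that is not part of the original solutions. The prime $p = 2^{31} - 1$, the curve $y^2 = x^3 + 2x + 3$, the 3-byte block size and all function names are constructed for illustration; $p \equiv 3 \pmod 4$ is assumed so that square roots are a single exponentiation.

```python
P_MOD = 2**31 - 1   # constructed example prime; p = 3 (mod 4) makes square roots easy
A, B = 2, 3         # constructed curve y^2 = x^3 + 2x + 3 over Z_p
K = 100             # candidates tried per message, as in the text
BLOCK = 3           # bytes per block: 256**3 - 1 < p/100 - 1

def sqrt_mod(a, p=P_MOD):
    """Square root of a mod p for p = 3 (mod 4), or None if a is a non-residue."""
    r = pow(a, (p + 1) // 4, p)
    return r if r * r % p == a % p else None

def encode_int(M, p=P_MOD):
    """Map an integer 0 <= M < p/100 - 1 to a point with x = 100*M + j."""
    if not (0 <= M and K * (M + 1) < p):
        raise ValueError("M out of range")
    for j in range(K):
        x = K * M + j
        y = sqrt_mod((x**3 + A * x + B) % p, p)
        if y is not None:          # first x_j that lies on the curve
            return (x, y)
    raise RuntimeError("all candidates failed")

def decode_point(point):
    """Receiver side: M = floor(x / 100)."""
    return point[0] // K

def encode_bytes(msg):
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]
    return [encode_int(int.from_bytes(blk, "big")) for blk in blocks]

def decode_bytes(points, length):
    out = b""
    for i, pt in enumerate(points):
        size = min(BLOCK, length - i * BLOCK)   # last block may be short
        out += decode_point(pt).to_bytes(size, "big")
    return out
```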
3. The division polynomial $\psi_3(x)$ for $y^2 = x^3 + Ax + B$ is
$$\psi_3(x) = 3x^4 + 6Ax^2 + 12Bx - A^2$$
(a) For the curve $E : y^2 = x^3 + 1$, find all roots of $\psi_3(x)$ in $\mathbb{Z}_7$.
Here, $\psi_3(x) = 3x^4 + 12x \equiv 3x^4 + 5x \pmod 7$, and we can plug in each value:
$\psi_3(0) \equiv 0 \pmod 7$
$\psi_3(1) \equiv 1 \pmod 7$
$\psi_3(2) \equiv 2 \pmod 7$
$\psi_3(3) \equiv 6 \pmod 7$
$\psi_3(4) \equiv 4 \pmod 7$
$\psi_3(5) \equiv 3 \pmod 7$
$\psi_3(6) \equiv 5 \pmod 7$
So, the only root in $\mathbb{Z}_7$ is 0.
(b) Determine the points of order 3 in $E(\mathbb{Z}_7)$.
From the last part, these correspond to points with $x = 0$, i.e., with
$$y^2 \equiv 1 \iff y \equiv \pm 1 \pmod 7$$
So, $(0, 1)$ and $(0, 6)$ are the points of order 3.
(c) Determine the points of order 2 in $E(\mathbb{Z}_7)$.
These correspond to points where $y = 0$, i.e., $x^3 + 1 \equiv 0 \pmod 7$. Plugging in
each value as above, we find 3, 5, and 6 are the roots, so the elements of order 2
are $(3, 0)$, $(5, 0)$, and $(6, 0)$.
4. (a) If $y^2 = x^3 + Ax + B$ is singular over an algebraically closed field $K$ of characteristic
different from 2, what are the different types of singularities (i.e., what are the
different cases)?
The curve is singular iff $x^3 + Ax + B$ has a repeated root. The two cases are when
it has two roots, one of which has multiplicity two, and when there is a triple
root.
(b) For each case in part (a), what are the possibilities for the group of non-singular
points?
In the case of a double root (over an algebraically closed field), the group of non-singular
points is isomorphic to the multiplicative group $K^*$. In the case of a
triple root, it is isomorphic to the additive group $K$.
(c) Define what it means for an elliptic curve to be supersingular.
An elliptic curve E over a field K of characteristic p is supersingular if E[p] is the
trivial group.
(d) (Extra credit) What else can happen with singular curves if the field is not algebraically closed?
In the case of a double root, there is another option. If the slopes of the tangent
lines at the singular point do not lie in K, then we get a “twisted” form of the
multiplicative group.
Technically, there is a second possibility in the case of a triple root where the root
does not lie in K, but this only happens for certain infinite fields of characteristic
p, and they are not considered in this course.
5. (a) What are the domain and codomain of the Weil pairing?
Let $E$ be an elliptic curve over a field $K$, let $E[n]$ denote the group of $n$-torsion
points for $E$ over the algebraic closure of $K$, and let $\mu_n$ be the group of $n$-th
roots of unity in the algebraic closure of $K$.
Then
$$e_n : E[n] \times E[n] \to \mu_n,$$
so the domain is $E[n] \times E[n]$ and the codomain is $\mu_n$.
(b) What are the hypotheses needed for it to exist?
$E$ must be an elliptic curve over a field $K$, and $n$ a positive integer such that $\mathrm{char}(K) \nmid n$.
(c) Is it always surjective (under your hypotheses)? Explain.
Yes. We proved that if $S$ and $T$ form a basis for $E[n]$, then $e_n(S, T) = \zeta_n$ is a
primitive $n$-th root of unity. Then from linearity,
$$e_n(jS, T) = e_n(S, T)^j = \zeta_n^j$$
Since every element of $\mu_n$ is a power of $\zeta_n$, the Weil pairing is onto.
(d) Give (at least) four of the six properties from the theorem asserting the existence
of the Weil pairing.
See the text for all six.
6. Suppose $G$ is a cyclic group of order $2^{10} \cdot 101^3$.
(a) How many generators does $G$ have?
It has
$$\varphi(2^{10} \cdot 101^3) = 2^9 (2 - 1) 101^2 (101 - 1) = 522291200$$
generators.
(b) If we randomly pick an element of $G$, what is the probability that we pick a generator?
$$\frac{2^9 (2 - 1) 101^2 (101 - 1)}{2^{10} \cdot 101^3} = \frac{100}{2 \cdot 101} = \frac{50}{101} \approx 0.495$$
(c) Prove that if $g \in G$, then $|g|$ is a multiple of $101^3$ iff $g$ is not $2^{10} \cdot 101^2$ torsion.
Since $g \in G$, the order of $g$ divides $|G|$, so is of the form $2^j 101^k$ where $0 \le j \le 10$
and $0 \le k \le 3$.
On one hand, the order of $g$ is a multiple of $101^3$ iff $k = 3$.
On the other hand, $g$ is $2^{10} \cdot 101^2$ torsion iff the order of $g$ divides $2^{10} \cdot 101^2$, which
happens iff $0 \le j \le 10$ and $0 \le k \le 2$, i.e., iff $k \ne 3$.
(d) If we randomly pick an element of $G$, what is the probability that we pick an
element whose order is a multiple of $101^3$?
In a cyclic group of order $n$, if $d \mid n$, then the number of elements which are $d$
torsion is $d$, so the probability that a random element is $d$ torsion is $d/n$, and
then the probability that an element is not $d$ torsion is $1 - d/n$. In this case, we
get
$$1 - \frac{2^{10} \cdot 101^2}{2^{10} \cdot 101^3} = 1 - \frac{1}{101} = \frac{100}{101} \approx 0.990099$$