Test 2 Solutions

1. (a) Explain the elliptic curve factoring method. (What do you do to carry it out? Why does it work?)

To factor $N$, one randomly picks a point $P = (a, b) \in \mathbb{Z}_N^2$ and $A \in \mathbb{Z}_N$, then lets $B = b^2 - (a^3 + Aa) \in \mathbb{Z}_N$ so that $P$ is a point on $E : y^2 = x^3 + Ax + B$. Then we compute a sequence of points $P_n$ where $P_1 = P$ and $P_n = nP_{n-1}$, so that $P_n = (n!)P$. While computing $P_n$, we look for a denominator that cannot be inverted mod $N$ but is also non-zero mod $N$. Taking its gcd with $N$ then gives a nontrivial factor.

Suppose $N = pq$ where $p$ and $q$ are distinct primes. Then $E(\mathbb{Z}_N) \cong E(\mathbb{Z}_p) \times E(\mathbb{Z}_q)$. We hope that the order of $P$ modulo one of these primes is such that it divides $n!$ with $n$ not very large. If its order mod $p$ divides $n!$ but its order mod $q$ does not, then we succeed because we are getting the point at infinity modulo $p$, but not modulo $q$.

(b) Explain why it may be better than the $p - 1$ method.

The main advantage is that it can be run on many different elliptic curves. The curves will typically have groups of different orders, and we just need one for which the order of our random point mod $p$ is smooth (divisible by only small primes, so it divides $n!$ with $n$ not too large). With the $p - 1$ method, one is working with only one group, and if $p - 1$ is not smooth for each prime $p$ dividing $N$, it will fail. In fact, one can construct $N$ to make the $p - 1$ method impractical, but there are too many elliptic curves modulo $N$ to prevent the elliptic curve method from working.

2. Suppose $E : y^2 = x^3 + Ax + B$ is an elliptic curve over $\mathbb{Z}_p$. Given a message $M$, describe how it can be encoded as a point on $E$.

We may have to first divide $M$ into blocks and convert each into a number, but we now take $M$ to be an integer with $0 \le M < p/100 - 1$. Then we try successive $j$ with $0 \le j < 100$, let $x_j = 100M + j$, and check whether this is the $x$-coordinate of a point on our curve. We stop at the first value which works. Note, $0 \le x_j < 100(p/100 - 1) + 99 = p - 1$.
If all 100 values fail, we give up, but this happens with probability less than $1/2^{100} \approx 8 \cdot 10^{-31}$. The receiver then takes the point $P = (x, y)$, computes $\lfloor x/100 \rfloor$, and recovers $M$.

3. The division polynomial $\psi_3(x)$ for $y^2 = x^3 + Ax + B$ is

$$\psi_3(x) = 3x^4 + 6Ax^2 + 12Bx - A^2$$

(a) For the curve $E : y^2 = x^3 + 1$, find all roots of $\psi_3(x)$ in $\mathbb{Z}_7$.

Here, $\psi_3(x) = 3x^4 + 12x \equiv 3x^4 + 5x \pmod 7$, and we can plug in each value:

$$\begin{aligned}
\psi_3(0) &\equiv 0 \pmod 7 \\
\psi_3(1) &\equiv 1 \pmod 7 \\
\psi_3(2) &\equiv 2 \pmod 7 \\
\psi_3(3) &\equiv 6 \pmod 7 \\
\psi_3(4) &\equiv 4 \pmod 7 \\
\psi_3(5) &\equiv 3 \pmod 7 \\
\psi_3(6) &\equiv 5 \pmod 7
\end{aligned}$$

So, the only root in $\mathbb{Z}_7$ is 0.

(b) Determine the points of order 3 in $E(\mathbb{Z}_7)$.

From the last part, these correspond to points with $x = 0$, i.e., with

$$y^2 \equiv 1 \iff y \equiv \pm 1 \pmod 7$$

So, $(0, 1)$ and $(0, 6)$ are the points of order 3.

(c) Determine the points of order 2 in $E(\mathbb{Z}_7)$.

These correspond to points where $y = 0$, i.e., $x^3 + 1 \equiv 0 \pmod 7$. Plugging in each value as above, we find 3, 5, and 6 are the roots, so the elements of order 2 are $(3, 0)$, $(5, 0)$, and $(6, 0)$.

4. (a) If $y^2 = x^3 + Ax + B$ is singular over an algebraically closed field $K$ of characteristic different from 2, what are the different types of singularities (i.e., what are the different cases)?

The curve is singular iff $x^3 + Ax + B$ has a repeated root. The two cases are when it has two roots, one of which has multiplicity two, and when there is a triple root.

(b) For each case in part (a), what are the possibilities for the group of non-singular points?

In the case of a double root (over an algebraically closed field), the group of nonsingular points is isomorphic to the multiplicative group $K^*$. In the case of a triple root, it is isomorphic to the additive group $K$.

(c) Define what it means for an elliptic curve to be supersingular.

An elliptic curve $E$ over a field $K$ of characteristic $p$ is supersingular if $E[p]$ is the trivial group.

(d) (Extra credit) What else can happen with singular curves if the field is not algebraically closed?
In the case of a double root, there is another option. If the slopes of the tangent lines at the singular point do not lie in $K$, then we get a "twisted" form of the multiplicative group. Technically, there is a second possibility in the case of a triple root where the root does not lie in $K$, but this only happens for certain infinite fields of characteristic $p$, and they are not considered in this course.

5. (a) What are the domain and codomain of the Weil pairing?

Let $E$ be an elliptic curve over a field $K$, let $E[n]$ denote the group of $n$-torsion points for $E$ over the algebraic closure of $K$, and let $\mu_n$ be the group of $n$-th roots of unity in the algebraic closure of $K$. Then

$$e_n : E[n] \times E[n] \to \mu_n,$$

so the domain is $E[n] \times E[n]$ and the codomain is $\mu_n$.

(b) What are the hypotheses needed for it to exist?

$E$ must be an elliptic curve over a field $K$, and $n$ a positive integer such that $\operatorname{char}(K) \nmid n$.

(c) Is it always surjective (under your hypotheses)? Explain.

Yes. We proved that if $S$ and $T$ form a basis for $E[n]$, then $e_n(S, T) = \zeta_n$ is a primitive $n$-th root of unity. Then from linearity,

$$e_n(jS, T) = e_n(S, T)^j = \zeta_n^j$$

Since every element of $\mu_n$ is a power of $\zeta_n$, the Weil pairing is onto.

(d) Give (at least) four of the six properties from the theorem asserting the existence of the Weil pairing.

See the text for all six.

6. Suppose $G$ is a cyclic group of order $2^{10} \cdot 101^3$.

(a) How many generators does $G$ have?

It has $\varphi(2^{10} \cdot 101^3) = 2^9(2 - 1)101^2(101 - 1) = 522291200$ generators.

(b) If we randomly pick an element of $G$, what is the probability that we pick a generator?

$$\frac{2^9(2 - 1)101^2(101 - 1)}{2^{10} \cdot 101^3} = \frac{100}{2 \cdot 101} = \frac{50}{101} \approx 0.495$$

(c) Prove that if $g \in G$, then $|g|$ is a multiple of $101^3$ iff $g$ is not $2^{10} \cdot 101^2$ torsion.

Since $g \in G$, the order of $g$ divides $|G|$, so it is of the form $2^j 101^k$ where $0 \le j \le 10$ and $0 \le k \le 3$. On one hand, the order of $g$ is a multiple of $101^3$ iff $k = 3$.
On the other hand, $g$ is $2^{10} \cdot 101^2$ torsion iff the order of $g$ divides $2^{10} \cdot 101^2$, which happens iff $0 \le j \le 10$ and $0 \le k \le 2$, i.e., iff $k \ne 3$.

(d) If we randomly pick an element of $G$, what is the probability that we pick an element whose order is a multiple of $101^3$?

In a cyclic group of order $n$, if $d \mid n$, then the number of elements which are $d$ torsion is $d$, so the probability that a random element is $d$ torsion is $d/n$, and then the probability that an element is not $d$ torsion is $1 - d/n$. In this case, we get

$$1 - \frac{2^{10} \cdot 101^2}{2^{10} \cdot 101^3} = 1 - \frac{1}{101} = \frac{100}{101} \approx 0.990099$$
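The factoring procedure from Problem 1(a), as an added Python example that is not part of the original solutions: it picks a random $P = (a, b)$ and $A$, computes $P_n = nP_{n-1}$, and returns the gcd as soon as a denominator is non-invertible but non-zero mod $N$. The function names, the bound of 50, the number of curves, the fixed seed and the sample modulus $455839 = 599 \cdot 761$ are assumptions chosen for illustration.

```python
import math
import random

class FactorFound(Exception):
    """Carries d = gcd(denominator, N) > 1 in args[0]."""

def inv_mod(d, N):
    # Invert d mod N; if that is impossible, surface the gcd instead.
    g = math.gcd(d % N, N)
    if g != 1:
        raise FactorFound(g)          # g == N means the denominator was 0 mod N
    return pow(d, -1, N)

def ec_add(P, Q, A, N):
    # Affine addition on y^2 = x^3 + Ax + B over Z_N; None is the point at infinity.
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % N == 0:
        return None
    if P == Q:
        m = (3 * x1 * x1 + A) * inv_mod(2 * y1, N) % N
    else:
        m = (y2 - y1) * inv_mod(x2 - x1, N) % N
    x3 = (m * m - x1 - x2) % N
    return (x3, (m * (x1 - x3) - y1) % N)

def ec_mul(k, P, A, N):
    # Double-and-add computation of kP.
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, A, N)
        P, k = ec_add(P, P, A, N), k >> 1
    return R

def ecm(N, bound=50, curves=200, seed=1):
    # Try random curves until one exposes a nontrivial factor of N.
    rng = random.Random(seed)
    for _ in range(curves):
        a, b, A = (rng.randrange(N) for _ in range(3))
        P = (a, b)   # B = b^2 - (a^3 + Aa) is implied; the formulas never use it
        try:
            for n in range(2, bound + 1):
                P = ec_mul(n, P, A, N)       # P_n = n * P_{n-1} = (n!) P
        except FactorFound as e:
            if e.args[0] != N:               # gcd == N: both primes hit at once, new curve
                return e.args[0]
    return None
```

Calling `ecm(455839)` returns one of the prime factors 599 or 761; for a prime modulus every gcd is 1 or $N$, so the function returns `None`.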
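The message encoding from Problem 2, as an added Python example that is not part of the original solutions: it tries $x_j = 100M + j$ for $0 \le j < 100$ and decodes with $\lfloor x/100 \rfloor$. The prime $p = 2^{127} - 1$, the curve coefficients, the use of $p \equiv 3 \pmod 4$ to take square roots, and all function names are assumptions chosen for illustration.

```python
P_MOD = 2**127 - 1   # assumed prime with p % 4 == 3, so a square root is one pow() call
A, B = 2, 3          # constructed curve y^2 = x^3 + 2x + 3 (4A^3 + 27B^2 = 275 != 0 mod p)
K = 100              # number of candidate x-values per message, as in the solution

def sqrt_mod(z, p):
    # For p % 4 == 3: z^((p+1)/4) is a square root of z when z is a square mod p.
    r = pow(z, (p + 1) // 4, p)
    return r if r * r % p == z % p else None

def encode(M, p=P_MOD, a=A, b=B):
    # Map the integer M to a point (x, y) on the curve with floor(x / 100) == M.
    if not 0 <= M < p // K - 1:
        raise ValueError("M must satisfy 0 <= M < p/100 - 1")
    for j in range(K):
        x = K * M + j
        y = sqrt_mod((x**3 + a * x + b) % p, p)
        if y is not None:              # first x_j that is an x-coordinate on E
            return (x, y)
    raise RuntimeError("all 100 candidates failed (probability about 2^-100)")

def decode(point):
    # The receiver drops the two padding digits.
    return point[0] // K

def text_to_int(s):
    # Convert one short text block to an integer (the block-to-number step).
    return int.from_bytes(s.encode(), "big")

def int_to_text(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()
```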
© Copyright 2024