Elliptic curves: Theory and Applications. Day 3: Counting points.
1 Elliptic curves: Theory and Applications. Day 3: Counting points.
Elisa Lorenzo García, Université de Rennes 1
Elisa Lorenzo García (Rennes 1) Elliptic Curves / 26
2 Counting points: basic idea
Let E be the curve $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$. To count points on E, we make a list of the possible values of x, then of $x^3 + x + 1 \pmod 5$, then of the square roots y of $x^3 + x + 1 \pmod 5$. This yields the affine points on E; together with the point at infinity, $E(\mathbb{F}_5)$ has order 9. The complexity is O(q).

x | x^3 + x + 1 (mod 5) | y | Points
0 | 1 | ±1 | (0, 1), (0, 4)
1 | 3 | none | -
2 | 1 | ±1 | (2, 1), (2, 4)
3 | 1 | ±1 | (3, 1), (3, 4)
4 | 4 | ±2 | (4, 2), (4, 3)
3 Complexity
In order to define the complexity properly, we have to define the available operations and their cost. In arithmetic complexity, the operations with integers have unit cost: addition, subtraction, multiplication and division. For an algorithm we always give the worst-case complexity.
Example. The complexity for computing n! is O(n).

4 Complexity (continued)
The notation O( ). The meaning of f(n) = O(g(n)) when $n \to \infty$ is that there exist K > 0 and A > 0 such that for all n > A, one has $f(n) \le K\,g(n)$.
Example. $O(3x \log(x)) = O(x^5)$.
5 Counting points: another basic idea
Theorem. Let E be an elliptic curve defined by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. Then
$$\#E(\mathbb{F}_q) = q + 1 + \sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right).$$
(Here $\left(\frac{\cdot}{\mathbb{F}_q}\right)$ is the quadratic character of $\mathbb{F}_q$: it is +1 on nonzero squares, −1 on non-squares and 0 at 0, so each x contributes exactly the number of y with $y^2 = x^3 + Ax + B$, minus one.)
Corollary. Let $x^3 + Ax + B$ be a polynomial with $A, B \in \mathbb{F}_q$, where q is odd. Then
$$\left|\sum_{x \in \mathbb{F}_q} \left(\frac{x^3 + Ax + B}{\mathbb{F}_q}\right)\right| \le 2\sqrt{q}.$$
Again the complexity is O(q).
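The two O(q) methods of slides 2 and 5 side by side, as an added example (my own code, not from the lecture); it also checks Hasse's bound, which the corollary above is equivalent to:

```python
# Added example, not from the slides: #E(F_p) for y^2 = x^3 + Ax + B computed
# two ways, by listing points as on slide 2 and by the Legendre-symbol sum of
# slide 5, then checked against Hasse's bound.  p is an odd prime; the
# function names are my own.

def legendre(a, p):
    """Quadratic character of a mod p by Euler's criterion: 1, -1 or 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def points_by_listing(A, B, p):
    """Slide 2: for each x, the square roots y of x^3 + Ax + B mod p.  The
    root search is brute force, so this is O(p^2) as written."""
    pts = []
    for x in range(p):
        rhs = (x ** 3 + A * x + B) % p
        pts.extend((x, y) for y in range(p) if y * y % p == rhs)
    return pts

def count_by_legendre(A, B, p):
    """Slide 5: #E(F_p) = p + 1 + sum over x of ((x^3 + Ax + B) / p)."""
    return p + 1 + sum(legendre(x ** 3 + A * x + B, p) for x in range(p))

def count_points(A, B, p):
    """#E(F_p), affine points plus the point at infinity, with both methods
    required to agree and the result required to satisfy Hasse's bound."""
    n_listing = len(points_by_listing(A, B, p)) + 1
    n_legendre = count_by_legendre(A, B, p)
    assert n_listing == n_legendre, (n_listing, n_legendre)
    assert (n_listing - (p + 1)) ** 2 <= 4 * p  # |#E - (p+1)| <= 2 sqrt(p)
    return n_listing

if __name__ == "__main__":
    print(count_points(1, 1, 5))    # slide 2: 9 points
    print(count_points(2, 1, 19))   # slide 16 curve: 20 - (-7) = 27 points
```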
6 Counting points: Baby Step - Giant Step
Let $P \in E(\mathbb{F}_q)$. We want to find an integer k such that $kP = \infty$. Let $\#E(\mathbb{F}_q) = N$. Then $NP = \infty$. We do not know N yet, but we know that $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. We could try all values of N in this range and see which ones satisfy $NP = \infty$. This takes around $4\sqrt{q}$ steps. However, it is possible to speed this up to around $4q^{1/4}$ steps by the following algorithm.
1. Compute $Q = (q + 1)P$.
2. Choose an integer m with $m > q^{1/4}$. Compute and store the points jP for j = 0, 1, 2, ..., m.
3. Compute the points $Q + k(2mP)$ for $k = -m, -(m-1), \ldots, m$ until there is a match $Q + k(2mP) = \pm jP$ with a point (or its negative) on the stored list.
7 Counting points: Baby Step - Giant Step
4. Conclude that $(q + 1 + 2mk \mp j)P = \infty$. Let $M = q + 1 + 2mk \mp j$.
5. Factor M. Let $p_1, \ldots, p_r$ be the distinct prime factors of M.
6. Compute $(M/p_i)P$ for i = 1, ..., r. If $(M/p_i)P = \infty$ for some i, replace M with $M/p_i$ and go back to step (5). If $(M/p_i)P \ne \infty$ for all i, then M is the order of the point P.
7. If we are looking for $\#E(\mathbb{F}_q)$, then repeat steps (1)-(6) with randomly chosen points in $E(\mathbb{F}_q)$ until the least common multiple of the orders divides only one integer N with $q + 1 - 2\sqrt{q} \le N \le q + 1 + 2\sqrt{q}$. Then $N = \#E(\mathbb{F}_q)$.
Remarks: Assuming that there is a match, this method clearly produces an integer that annihilates P. But why is there a match? Why does step (6) yield the order of P?
8 Counting points: Baby Step - Giant Step
To save storage space, it might be more efficient to store only the x-coordinates of the points jP (along with the corresponding integer j), since looking for a match with $\pm jP$ only requires the x-coordinate. When a match is found, the two possible y-coordinates can be recomputed.
Computing $Q + k(2mP)$ can be done by computing Q and 2mP once and for all. To get from $Q + k(2mP)$ to $Q + (k+1)(2mP)$, simply add 2mP rather than recomputing everything. Similarly, once jP has been computed, add P to get (j + 1)P.
We are assuming that we can factor M. If not, we can at least find all the small prime factors $p_i$ and check that $(M/p_i)P \ne \infty$ for these. Then M will be a good candidate for the order of P.
Why is the method called Baby Step - Giant Step? The baby steps are from a point jP to (j + 1)P. The giant steps are from a point $k(2mP)$ to $(k+1)(2mP)$, since we take the bigger step 2mP.
9 Counting points: Baby Step - Giant Step
Example. Let E be the elliptic curve $y^2 = x^3 - 10x + 21$ over $\mathbb{F}_{557}$. Let P = (2, 3). We follow the BS-GS algorithm.
1. Q = 558P = (418, 33).
2. Let m = 5, which is greater than $557^{1/4}$. The list of jP is $\infty$, (2, 3), (58, 164), (44, 294), (56, 339), (132, 364).
3. When k = 1, we have Q + k(2mP) = (2, 3), which matches the point on our list for j = 1.
4. We have $(q + 1 + 2mk - j)P = 567P = \infty$.
5. Factor $567 = 3^4 \cdot 7$. Compute $(567/3)P = 189P = \infty$. We now have 189 as a candidate for the order of P.
6. Factor $189 = 3^3 \cdot 7$. Compute $(189/3)P = 63P = (38, 535)$ and $(189/7)P = 27P = (136, 360)$. Therefore 189 is the order of P.
Hence $\#E(\mathbb{F}_{557}) = 567$, since 567 is the only multiple of 189 in the interval $[558 - 2\sqrt{557},\, 558 + 2\sqrt{557}]$.
10 Counting points: Schoof's Algorithm
Complexity $O(\log^8 q)$. Improvements by Atkin and Elkies.
Suppose E is an elliptic curve given by $y^2 = x^3 + Ax + B$ over $\mathbb{F}_q$. We know, by Hasse's theorem, that $\#E(\mathbb{F}_q) = q + 1 - a$, with $|a| \le 2\sqrt{q}$. Let $S = \{2, 3, 5, 7, \ldots, L\}$ be a set of primes such that $\prod_{l \in S} l > 4\sqrt{q}$. If we can determine a mod l for each prime $l \in S$, then we know a mod $\prod_{l \in S} l$, and therefore a is uniquely determined.
Let l be prime. For simplicity, we assume $l \ne p$, where p is the characteristic of $\mathbb{F}_q$. We also assume that q is odd. We want to compute $a \pmod l$.
11 The Chinese Remainder theorem
Theorem (The Chinese Remainder theorem). Let $n_1, \ldots, n_k$ be pairwise coprime integers greater than 1. Let $a_1, \ldots, a_k$ be any integers. Then there exists an integer x such that $x \equiv a_1 \pmod{n_1}, \ldots, x \equiv a_k \pmod{n_k}$, and any two such x are congruent modulo $N = \prod n_i$.
12 Counting points: Schoof's Algorithm
l = 2: If $x^3 + Ax + B$ has a root $e \in \mathbb{F}_q$, then $(e, 0) \in E[2]$ and $(e, 0) \in E(\mathbb{F}_q)$, so $E(\mathbb{F}_q)$ has even order. In this case, $q + 1 - a \equiv 0 \pmod 2$, so a is even. If $x^3 + Ax + B$ has no roots in $\mathbb{F}_q$, then $E(\mathbb{F}_q)$ has no points of order 2, and a is odd.
To determine whether $x^3 + Ax + B$ has a root in $\mathbb{F}_q$, we could try all the elements in $\mathbb{F}_q$, but there is a faster way. Recall that the roots of $x^q - x$ are exactly the elements of $\mathbb{F}_q$. Therefore, $x^3 + Ax + B$ has a root in $\mathbb{F}_q$ if and only if it has a root in common with $x^q - x$. The Euclidean algorithm, applied to polynomials, yields the gcd of the two polynomials. If q is very large, the polynomial $x^q$ has very large degree. Therefore, it is more efficient to compute $x^q \bmod (x^3 + Ax + B)$ by successive squaring, and then use the result to compute $\gcd(x^q - x, x^3 + Ax + B) = \gcd\big((x^q \bmod (x^3 + Ax + B)) - x,\ x^3 + Ax + B\big)$.
13 Counting points: Schoof's Algorithm
When n is odd, we have the division polynomial $\psi_n$ and $(x, y) \in E[n] \iff \psi_n(x) = 0$. On the other hand, the Frobenius endomorphism $\phi_q(x, y) = (x^q, y^q)$ satisfies $\phi_q^2 - a\phi_q + q = 0$. Let (x, y) be a point of order l. Then
$$(x^{q^2}, y^{q^2}) + q_l(x, y) = a_l(x^q, y^q),$$
where $q_l \equiv q \pmod l$ and $a_l \equiv a \pmod l$.
14 Counting points: Schoof's Algorithm
1. Choose a set of primes $S = \{2, 3, 5, \ldots, L\}$ (with $p \notin S$) such that $\prod_{l \in S} l > 4\sqrt{q}$.
2. If l = 2, we have $a \equiv 0 \pmod 2$ if and only if $\gcd(x^3 + Ax + B, x^q - x) \ne 1$.
3. For each odd prime $l \in S$, do the following.
(a) Let $q_l \equiv q \pmod l$ with $|q_l| < l/2$.
(b) Compute the x-coordinate x' of $(x', y') = (x^{q^2}, y^{q^2}) + q_l(x, y) \bmod \psi_l$.
(c) For $j = 1, 2, \ldots, (l-1)/2$, do the following.
i. Compute the x-coordinate $x_j$ of $(x_j, y_j) = j(x, y)$.
ii. If $x' - x_j^q \equiv 0 \pmod{\psi_l}$, go to step (iii). If not, try the next value of j (in step (c)). If all values $1 \le j \le (l-1)/2$ have been tried, go to step (d).
iii. Compute y' and $y_j$. If $(y' - y_j^q)/y \equiv 0 \pmod{\psi_l}$, then $a \equiv j \pmod l$. If not, then $a \equiv -j \pmod l$.
15 Counting points: Schoof's Algorithm
3. (Cont.)
(d) If all values $1 \le j \le (l-1)/2$ have been tried without success, let $w^2 \equiv q \pmod l$. If w does not exist, then $a \equiv 0 \pmod l$.
(e) If $\gcd(\mathrm{numerator}(x^q - x_w), \psi_l) = 1$, then $a \equiv 0 \pmod l$. Otherwise, compute $\gcd(\mathrm{numerator}((y^q - y_w)/y), \psi_l)$. If this gcd is not 1, then $a \equiv 2w \pmod l$. Otherwise, $a \equiv -2w \pmod l$.
4. Use the knowledge of $a \pmod l$ for each $l \in S$ to compute $a \pmod{\prod_{l \in S} l}$. Choose the value of a that satisfies this congruence and such that $|a| \le 2\sqrt{q}$. The number of points in $E(\mathbb{F}_q)$ is $q + 1 - a$.
16 Counting points: Schoof's algorithm
Let E be the elliptic curve $y^2 = x^3 + 2x + 1$ mod 19. Then $\#E(\mathbb{F}_{19}) = 20 - a$. We want to determine a. We'll show that
$$a \equiv 1 \pmod 2, \quad a \equiv 2 \pmod 3, \quad a \equiv 3 \pmod 5.$$
Putting these together yields $a \equiv 23 \pmod{30}$. Since $|a| \le 2\sqrt{19} < 9$, we must have $a = -7$ (that is, 23 − 30).
We start with l = 2. We compute $x^{19} \equiv x^2 + 13x + 14 \pmod{x^3 + 2x + 1}$ by successive squaring and then use the result to compute $\gcd(x^{19} - x, x^3 + 2x + 1) = \gcd(x^2 + 12x + 14, x^3 + 2x + 1) = 1$. It follows that $x^3 + 2x + 1$ has no roots in $\mathbb{F}_{19}$. Therefore, there is no 2-torsion in $E(\mathbb{F}_{19})$, so $a \equiv 1 \pmod 2$.
17 Counting points: Schoof's algorithm
For l = 3, we proceed as in Schoof's algorithm and eventually get to j = 1. We have $q^2 = 361$ and $q \equiv 1 \pmod 3$. Therefore $q_l = 1$, and we need to check whether $(x^{361}, y^{361}) + (x, y) = \pm(x^{19}, y^{19})$ for $(x, y) \in E[3]$. The third division polynomial is $\psi_3 = 3x^4 + 12x^2 + 12x - 4$. We compute the x-coordinate of $(x^{361}, y^{361}) + (x, y)$:
$$\left(\frac{y^{361} - y}{x^{361} - x}\right)^2 - x^{361} - x = \frac{\left((x^3 + 2x + 1)^{180} - 1\right)^2 (x^3 + 2x + 1)}{(x^{361} - x)^2} - x^{361} - x,$$
18 Counting points: Schoof's algorithm
where we have used the relation $y^2 = x^3 + 2x + 1$. We need to reduce this mod $\psi_3$. The natural way to start is to use the extended Euclidean algorithm to find the inverse of $x^{361} - x \pmod{\psi_3}$. However, $\gcd(x^{361} - x, \psi_3) = x - 8$, so the multiplicative inverse does not exist. We could remove the factor x − 8 from the numerator and denominator of $\big((x^3 + 2x + 1)^{180} - 1\big)/(x^{361} - x)$, but this is unnecessary. Instead, we realize that since x = 8 is a root of $\psi_3$, the point $(8, 4) \in E(\mathbb{F}_{19})$ has order 3. Therefore $\#E(\mathbb{F}_{19}) = 20 - a \equiv 0 \pmod 3$, so $a \equiv 2 \pmod 3$.
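The l = 2 step (slide 12), the Chinese-remainder finish (slides 11 and 15, step 4) and the gcd with $\psi_3$ of slide 18, carried out on the slide-16 curve; this is added example code, not the lecturer's, and the polynomial helpers and function names are my own:

```python
# Added example, not from the slides: the l = 2 step of Schoof's algorithm
# (slide 12) and the Chinese-remainder finish (slides 11 and 15, step 4), run on
# the slide-16 curve y^2 = x^3 + 2x + 1 over F_19.  Polynomials over F_p are
# lists of coefficients, lowest degree first; function names are my own.

def trim(f):
    while f and f[-1] == 0:
        f.pop()
    return f

def poly_mod(f, g, p):
    """Remainder of f modulo the non-zero polynomial g over F_p."""
    f, g = trim([c % p for c in f]), trim([c % p for c in g])
    inv_lead = pow(g[-1], -1, p)
    while len(f) >= len(g):
        coef, shift = f[-1] * inv_lead % p, len(f) - len(g)
        for i, c in enumerate(g):
            f[shift + i] = (f[shift + i] - coef * c) % p
        trim(f)
    return f

def poly_mulmod(f, g, m, p):
    prod = [0] * max(len(f) + len(g) - 1, 0)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            prod[i + j] = (prod[i + j] + a * b) % p
    return poly_mod(prod, m, p)

def poly_powmod(f, e, m, p):
    """f^e mod m by successive squaring, so x^q is never written out in full."""
    result, base = [1], poly_mod(f, m, p)
    while e:
        if e & 1:
            result = poly_mulmod(result, base, m, p)
        base = poly_mulmod(base, base, m, p)
        e >>= 1
    return result

def poly_sub(f, g, p):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([(a - b) % p for a, b in zip(f, g)])

def poly_gcd(f, g, p):
    """Monic gcd by the Euclidean algorithm for polynomials."""
    f, g = trim([c % p for c in f]), trim([c % p for c in g])
    while g:
        f, g = g, poly_mod(f, g, p)
    inv_lead = pow(f[-1], -1, p)
    return [c * inv_lead % p for c in f]

def xq_minus_x_mod(modulus, q):
    """x^q - x reduced mod the given polynomial over F_q (q prime here)."""
    return poly_sub(poly_powmod([0, 1], q, modulus, q), [0, 1], q)

def a_mod_2(A, B, q):
    """Slide 12: a is even iff gcd(x^3 + Ax + B, x^q - x) != 1, i.e. iff the
    cubic has a root in F_q and so E(F_q) has a point of order 2."""
    f = [B, A, 0, 1]
    return 0 if len(poly_gcd(xq_minus_x_mod(f, q), f, q)) > 1 else 1

def crt(residues, moduli):
    """Slide 11: the x with x = r_i (mod n_i), returned with N = prod n_i."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        x += n * ((r - x) * pow(n, -1, m) % m)
        n *= m
    return x % n, n

def trace_of_frobenius(residues, moduli, q):
    """Slide 15, step 4: combine a mod l for all l in S and keep the unique
    representative with |a| <= 2 sqrt(q); #E(F_q) is then q + 1 - a."""
    a, n = crt(residues, moduli)
    cands = [c for c in (a, a - n) if c * c <= 4 * q]
    assert len(cands) == 1, "the product of the primes in S must exceed 4 sqrt(q)"
    return cands[0]
```

For the slide-18 check, `poly_gcd(poly_sub(poly_powmod([0, 1], 361, PSI3, 19), [0, 1], 19), PSI3, 19)` with `PSI3 = [15, 12, 12, 0, 3]` (that is, $3x^4 + 12x^2 + 12x - 4$ over $\mathbb{F}_{19}$) returns the monic polynomial x + 11, i.e. x − 8.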
19 Factoring and primality testing
The problems of factorization and primality testing are related, but are very different in nature. The largest announced factorization up to the year 2007 was of an integer with 200 digits. However, it was at that time possible to prove primality of primes of several thousand digits.
It is possible to prove that a number is composite without finding a factor. One way is to show that $a^{n-1} \not\equiv 1 \pmod n$ for some a with gcd(a, n) = 1.
Theorem (Fermat's little theorem). If n is prime and gcd(a, n) = 1, then $a^{n-1} \equiv 1 \pmod n$.
It follows that n must be composite, even though we have not produced a factor.
20 Factoring and primality testing
Of course, if $a^{n-1} \equiv 1 \pmod n$ for several random choices of a, we might suspect that n is probably prime. But how can we actually prove n is prime? If n has only a few digits, we can divide n by each of the primes up to $\sqrt{n}$. However, if n has hundreds of digits, this method will take too long (much longer than the predicted life of the universe).
Definition. If $a^{n-1} \equiv 1 \pmod n$, we say that n is a pseudo-prime in base a. If n is a pseudo-prime for all bases a coprime to n, we say it is a Carmichael number.
Similarly, suppose we have proved that a number is composite. How do we find the factors?
21 Factoring algorithms
In the mid 1980s, Hendrik Lenstra gave new impetus to the study of elliptic curves by developing an efficient factoring algorithm that used elliptic curves. It turned out to be very effective for factoring numbers of around 60 decimal digits, and, for larger numbers, for finding prime factors having around 20 to 30 decimal digits.
Example. We want to factor 4453. Let E be the elliptic curve $y^2 = x^3 + 10x - 2$ mod 4453 and let P = (1, 3). Let's try to compute 3P. First, we compute 2P. The slope of the tangent line at P is
$$\frac{3x^2 + 10}{2y} = \frac{13}{6} \equiv 3713 \pmod{4453}.$$
We used the fact that gcd(6, 4453) = 1 to find $6^{-1} \pmod{4453}$. Using this slope, we find that 2P = (x, y), with $x \equiv 3713^2 - 2 \equiv 4332$ and $y \equiv -3713(x - 1) - 3 \equiv 3230 \pmod{4453}$.
22 Factoring algorithms
To compute 3P, we add P and 2P. The slope is
$$\frac{3230 - 3}{4332 - 1} = \frac{3227}{4331}.$$
But gcd(4331, 4453) = 61 ≠ 1. Therefore, we have found the factor 61 of 4453, and $4453 = 61 \cdot 73$.
Recall that $E(\mathbb{Z}_{4453}) = E(\mathbb{F}_{61}) \oplus E(\mathbb{F}_{73})$. If we look at the multiples of P mod 61 we have $P \equiv (1, 3),\ 2P \equiv (1, 58),\ 3P \equiv \infty,\ 4P \equiv (1, 3), \ldots \pmod{61}$. However, the multiples of P mod 73 are $P \equiv (1, 3),\ 2P \equiv (25, 18),\ 3P \equiv (28, 44), \ldots, 64P \equiv \infty \pmod{73}$.
23 Factoring algorithms
1. Choose several (usually around 10 to 20) random elliptic curves $E_i: y^2 = x^3 + A_i x + B_i$ and points $P_i$ mod n.
2. Choose an integer B (perhaps around $10^8$) and compute $[B!]P_i$ on $E_i$ for each i.
3. If step 2 fails because some slope does not exist mod n, then we have found a factor of n.
4. If step 2 succeeds, increase B or choose new random curves $E_i$ and points $P_i$ and start over.
Steps 2, 3 and 4 can often be done in parallel using all of the curves $E_i$ simultaneously. The elliptic curve method is very successful in finding a prime factor p of n when p <
24 Primality tests
Suppose n is an integer of several hundred decimal digits. It is usually easy to decide with reasonable certainty whether n is prime or composite. But suppose we actually want to prove that our answer is correct. If n is composite, then usually either we know a nontrivial factor or n failed a pseudoprimality test (for example, perhaps $a^{n-1} \not\equiv 1 \pmod n$ for some a). Therefore, when n is composite, it is usually easy to prove it, and the proof can be stated in a form that can be checked easily. But if n is prime, the situation is more difficult. Cohen and Lenstra developed methods involving Jacobi sums that work well for primes of a few hundred digits. However, for primes of a thousand digits or more, the most popular method currently in use involves elliptic curves.
25 Primality tests
Proposition. Let n > 1 be an integer, and let $n - 1 = rs$ with $r \ge \sqrt{n}$. Suppose that, for each prime $l \mid r$, there exists an integer $a_l$ with
$$a_l^{\,n-1} \equiv 1 \pmod n \quad\text{and}\quad \gcd\!\left(a_l^{\,(n-1)/l} - 1,\ n\right) = 1.$$
Then n is prime. The converse can be proved to be also true.
26 Primality tests
Theorem. Let n > 1 and let E be an elliptic curve mod n. Suppose there exist distinct prime numbers $l_1, \ldots, l_k$ and finite points $P_i \in E(\mathbb{Z}_n)$ such that
1. $l_i P_i = \infty$ for $1 \le i \le k$.
2. $\prod_{i=1}^{k} l_i > (n^{1/4} + 1)^2$.
Then n is prime.
27 Primality tests
Example. Let n = 907. Let E be the elliptic curve $y^2 = x^3 + 10x - 2$ mod n. Let l = 71. Then $l > (907^{1/4} + 1)^2$. Let P = (819, 784). Then $71P = \infty$ and 907 is prime. Of course, we needed the fact that 71 is prime, which could also be proved using the same result, or by direct calculation.
How did we find E and P? First, we looked at a few elliptic curves mod 907 until we found one whose order was divisible by a prime l that was slightly larger than $(907^{1/4} + 1)^2$. (If we had chosen $l \approx 907$ then we would not have made much progress, since we would still have needed to prove the primality of l.) In fact, to find the order of the curve, we started with curves where we knew a point. In the present case, E has the point (1, 3). Using Baby Step, Giant Step, we found the order of (1, 3) to be $923 = 13 \cdot 71$. Then we took P = 13(1, 3), which has order 71.
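One point-addition routine modulo n, written here as an added example (my own code, not the lecturer's), serves three of the procedures above: Baby Step - Giant Step on the slide-9 curve, Lenstra's factoring step on the slide-21 curve, and the primality certificate of slide 27. The function names are mine; the curves, points and numbers are the slides' own.

```python
# Added example, not the lecturer's code.  One affine addition routine on
# y^2 = x^3 + Ax + B modulo n serves three of the slides' procedures: the
# Baby Step-Giant Step order computation (slides 6-9, n = q prime), Lenstra's
# factoring idea (slides 21-23, n composite) and the primality certificate of
# slides 26-27.  Function names are my own.
from math import gcd, isqrt, lcm

INF = None  # the point at infinity

class FactorFound(Exception):
    """Carries gcd(d, n) > 1 for a slope denominator d (slide 23, step 3)."""

def inverse_or_factor(d, n):
    g = gcd(d % n, n)
    if g != 1:
        raise FactorFound(g)
    return pow(d, -1, n)

def neg(P, n):
    return INF if P is INF else (P[0], (-P[1]) % n)

def add(P, Q, A, n):
    """P + Q by the chord/tangent formulas; B is not needed."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % n == 0:
        return INF  # Q = -P, which also covers doubling a point of order 2
    if P == Q:
        lam = (3 * x1 * x1 + A) * inverse_or_factor(2 * y1, n) % n
    else:
        lam = (y2 - y1) * inverse_or_factor(x2 - x1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)

def mul(k, P, A, n):
    """kP by double-and-add; negative k multiplies -P."""
    if k < 0:
        k, P = -k, neg(P, n)
    R = INF
    while k:
        if k & 1:
            R = add(R, P, A, n)
        P = add(P, P, A, n)
        k >>= 1
    return R

def prime_factors(M):
    """Distinct prime factors by trial division (enough for toy sizes)."""
    out, d = [], 2
    while d * d <= M:
        if M % d == 0:
            out.append(d)
            while M % d == 0:
                M //= d
        d += 1
    return out + [M] if M > 1 else out

def bsgs_order(P, A, q):
    """Slides 6-7, steps 1-6: the order of P in E(F_q)."""
    Q = mul(q + 1, P, A, q)
    m = isqrt(isqrt(q)) + 1  # m > q^(1/4)
    baby = {mul(j, P, A, q): j for j in range(m + 1)}  # jP -> j, INF is j = 0
    giant = mul(2 * m, P, A, q)
    for k in range(-m, m + 1):
        R = add(Q, mul(k, giant, A, q), A, q)  # Q + k(2mP)
        if R in baby:
            M = q + 1 + 2 * m * k - baby[R]  # (q + 1 + 2mk - j)P = INF
            break
        if neg(R, q) in baby:
            M = q + 1 + 2 * m * k + baby[neg(R, q)]
            break
    else:
        raise ValueError("no match: m is too small")
    while True:  # strip prime factors of M while (M/p)P is still INF
        for p in prime_factors(M):
            if mul(M // p, P, A, q) is INF:
                M //= p
                break
        else:
            return M

def curve_order(points, A, q):
    """Step 7: the lcm of the orders divides exactly one N in Hasse's interval."""
    L = lcm(*(bsgs_order(P, A, q) for P in points))
    lo, hi = q - 1 - 2 * isqrt(q), q + 3 + 2 * isqrt(q)  # a bit wider than Hasse
    cands = [N for N in range(lo, hi + 1) if N % L == 0]
    assert len(cands) == 1, "use more points to pin N down"
    return cands[0]

def lenstra_factor(n, A, P, B):
    """Slide 23, steps 2-3: compute [B!]P as 2P, 3(2P), ...; a factor or None."""
    try:
        for k in range(2, B + 1):
            P = mul(k, P, A, n)
    except FactorFound as e:
        return e.args[0]
    return None

def certificate_check(n, A, l, P):
    """Slides 26-27 with k = 1; l must itself be known to be prime."""
    try:
        return mul(l, P, A, n) is INF and l > (n ** 0.25 + 1) ** 2
    except FactorFound:
        return False
```

With the slide-21 data, `lenstra_factor(4453, 10, (1, 3), 3)` stops at the first non-invertible denominator and returns 61, and `curve_order([(2, 3)], -10, 557)` returns 567 via the order 189 found by `bsgs_order`.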
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 2: Mathematical Concepts Divisibility Congruence Quadratic Residues
More informationPrimality testing: then and now
Seventy-five years of Mathematics of Computation ICERM, November 1 3, 2018 Primality testing: then and now Carl Pomerance Dartmouth College, Emeritus University of Georgia, Emeritus In 1801, Carl Friedrich
More informationChapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations
Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 9.1 Chapter 9 Objectives
More informationSlides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006
Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Spring 2006 1 / 1 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 2.4 2.6 of Rosen Introduction I When talking
More informationPUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.
PUTNAM TRAINING NUMBER THEORY (Last updated: December 11, 2017) Remark. This is a list of exercises on Number Theory. Miguel A. Lerma Exercises 1. Show that the sum of two consecutive primes is never twice
More information1. multiplication is commutative and associative;
Chapter 4 The Arithmetic of Z In this chapter, we start by introducing the concept of congruences; these are used in our proof (going back to Gauss 1 ) that every integer has a unique prime factorization.
More informationLecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya
BBM 205 Discrete Mathematics Hacettepe University http://web.cs.hacettepe.edu.tr/ bbm205 Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya Resources: Kenneth Rosen,
More informationCongruent Number Problem and Elliptic curves
Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using
More information= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2
8. p-adic numbers 8.1. Motivation: Solving x 2 a (mod p n ). Take an odd prime p, and ( an) integer a coprime to p. Then, as we know, x 2 a (mod p) has a solution x Z iff = 1. In this case we can suppose
More informationLecture 2. The Euclidean Algorithm and Numbers in Other Bases
Lecture 2. The Euclidean Algorithm and Numbers in Other Bases At the end of Lecture 1, we gave formulas for the greatest common divisor GCD (a, b), and the least common multiple LCM (a, b) of two integers
More informationElementary Number Theory. Franz Luef
Elementary Number Theory Congruences Modular Arithmetic Congruence The notion of congruence allows one to treat remainders in a systematic manner. For each positive integer greater than 1 there is an arithmetic
More informationMATH 2112/CSCI 2112, Discrete Structures I Winter 2007 Toby Kenney Homework Sheet 5 Hints & Model Solutions
MATH 11/CSCI 11, Discrete Structures I Winter 007 Toby Kenney Homework Sheet 5 Hints & Model Solutions Sheet 4 5 Define the repeat of a positive integer as the number obtained by writing it twice in a
More information1. Algebra 1.7. Prime numbers
1. ALGEBRA 30 1. Algebra 1.7. Prime numbers Definition Let n Z, with n 2. If n is not a prime number, then n is called a composite number. We look for a way to test if a given positive integer is prime
More informationElementary Number Theory and Cryptography, 2014
Elementary Number Theory and Cryptography, 2014 1 Basic Properties of the Integers Z and the rationals Q. Notation. By Z we denote the set of integer numbers and by Q we denote the set of rational numbers.
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationNumber Theory Math 420 Silverman Exam #1 February 27, 2018
Name: Number Theory Math 420 Silverman Exam #1 February 27, 2018 INSTRUCTIONS Read Carefully Time: 50 minutes There are 5 problems. Write your name neatly at the top of this page. Write your final answer
More informationIntroduction to Cryptology. Lecture 19
Introduction to Cryptology Lecture 19 Announcements HW6 due today HW7 due Thursday 4/20 Remember to sign up for Extra Credit Agenda Last time More details on AES/DES (K/L 6.2) Practical Constructions of
More informationDiscrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6
CS 70 Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6 1 Modular Arithmetic In several settings, such as error-correcting codes and cryptography, we sometimes
More informationNUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:
NUMBER SYSTEMS Number theory is the study of the integers. We denote the set of integers by Z: Z = {..., 3, 2, 1, 0, 1, 2, 3,... }. The integers have two operations defined on them, addition and multiplication,
More informationQ 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?
2 Mod math Modular arithmetic is the math you do when you talk about time on a clock. For example, if it s 9 o clock right now, then it ll be 1 o clock in 4 hours. Clearly, 9 + 4 1 in general. But on a
More informationTheory of Numbers Problems
Theory of Numbers Problems Antonios-Alexandros Robotis Robotis October 2018 1 First Set 1. Find values of x and y so that 71x 50y = 1. 2. Prove that if n is odd, then n 2 1 is divisible by 8. 3. Define
More informationWilson s Theorem and Fermat s Little Theorem
Wilson s Theorem and Fermat s Little Theorem Wilson stheorem THEOREM 1 (Wilson s Theorem): (p 1)! 1 (mod p) if and only if p is prime. EXAMPLE: We have (2 1)!+1 = 2 (3 1)!+1 = 3 (4 1)!+1 = 7 (5 1)!+1 =
More information198 VOLUME 46/47, NUMBER 3
LAWRENCE SOMER Abstract. Rotkiewicz has shown that there exist Fibonacci pseudoprimes having the forms p(p + 2), p(2p 1), and p(2p + 3), where all the terms in the products are odd primes. Assuming Dickson
More informationCounting points on hyperelliptic curves
University of New South Wales 9th November 202, CARMA, University of Newcastle Elliptic curves Let p be a prime. Let X be an elliptic curve over F p. Want to compute #X (F p ), the number of F p -rational
More informationM381 Number Theory 2004 Page 1
M81 Number Theory 2004 Page 1 [[ Comments are written like this. Please send me (dave@wildd.freeserve.co.uk) details of any errors you find or suggestions for improvements. ]] Question 1 20 = 2 * 10 +
More informationCSE 311 Lecture 13: Primes and GCD. Emina Torlak and Kevin Zatloukal
CSE 311 Lecture 13: Primes and GCD Emina Torlak and Kevin Zatloukal 1 Topics Modular arithmetic applications A quick wrap-up of Lecture 12. Primes Fundamental theorem of arithmetic, Euclid s theorem, factoring.
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationAdvanced Algorithms and Complexity Course Project Report
Advanced Algorithms and Complexity Course Project Report Eklavya Sharma (2014A7PS0130P) 26 November 2017 Abstract This document explores the problem of primality testing. It includes an analysis of the
More informationPrimality testing: then and now
Primality testing: then and now Mathematics Department Colloquium Boise State University, February 20, 2019 Carl Pomerance Dartmouth College (emeritus) University of Georgia (emeritus) In 1801, Carl Friedrich
More informationChapter 5. Number Theory. 5.1 Base b representations
Chapter 5 Number Theory The material in this chapter offers a small glimpse of why a lot of facts that you ve probably nown and used for a long time are true. It also offers some exposure to generalization,
More informationWXML Final Report: Primality of Polynomials
WXML Final Report: Primality of Polynomials William Stein, Travis Scholl, Astrid Berge, Daria Micovic, Xiaowen Yang Autumn 016 1 Introduction The density of certain types of primes is a classical question
More informationMATH 145 Algebra, Solutions to Assignment 4
MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178
More information3.2 Solving linear congruences. v3
3.2 Solving linear congruences. v3 Solving equations of the form ax b (mod m), where x is an unknown integer. Example (i) Find an integer x for which 56x 1 mod 93. Solution We have already solved this
More informationAll variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.
Math 152, Problem Set 2 solutions (2018-01-24) All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points. 1. Let us look at the following equation: x 5 1
More informationCOMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory
COMS W4995 Introduction to Cryptography September 29, 2005 Lecture 8: Number Theory Lecturer: Tal Malkin Scribes: Elli Androulaki, Mohit Vazirani Summary This lecture focuses on some basic Number Theory.
More informationPostmodern Primality Proving
Preda Mihăilescu (University of Göttingen) Postmodern Primality Proving June 28, 2013 1 / 29 Postmodern Primality Proving Preda Mihăilescu Mathematical Institute, University of Göttingen, Germany June
More informationCryptosystem. Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage
Cryptosystem Traditional Cryptosystems: The two parties agree on a secret (one to one) function f. To send a message M, thesendersendsthemessage f(m). The receiver computes f 1 (f(m)). Advantage: Cannot
More information