Computers and Mathematics with Applications. Ramanujan's class invariants and their use in elliptic curve cryptography


Computers and Mathematics with Applications 59 ( 9 97

Ramanujan's class invariants and their use in elliptic curve cryptography

Elisavet Konstantinou (a), Aristides Kontogeorgis (b)
(a) Department of Information and Communication Systems Engineering, University of the Aegean, 83, Samos, Greece
(b) Department of Mathematics, University of the Aegean, 83, Samos, Greece

Article history: Received November 9; received in revised form 9 February; accepted February.
Keywords: Generation of elliptic curves; Complex Multiplication; Class polynomials

Abstract. The Complex Multiplication (CM) method is a method frequently used for the generation of elliptic curves (ECs) over a prime field F_p. The most demanding and complex step of this method is the computation of the roots of a special type of class polynomials, called Hilbert polynomials. However, there are several polynomials, called class polynomials, which can be used in the CM method, having much smaller coefficients, and fulfilling the prerequisite that their roots can be easily transformed to the roots of the corresponding Hilbert polynomials. In this paper, we propose the use of a new class of polynomials which are derived from Ramanujan's class invariants t_n. We explicitly describe the algorithm for the construction of the new polynomials and give the necessary transformation of their roots to the roots of the corresponding Hilbert polynomials. We provide a theoretical asymptotic bound for the bit precision requirements of all class polynomials and, also using extensive experimental assessments, we compare the efficiency of using the new polynomials against the use of the other class polynomials. Our comparison shows that the new class of polynomials clearly surpasses all of the previously used polynomials when they are used in the generation of prime order elliptic curves.
Elsevier Ltd. All rights reserved.

Corresponding author. E-mail addresses: ekonstantinou@aegean.gr (E. Konstantinou), kontogar@aegean.gr (A. Kontogeorgis).

1. Introduction

Since its introduction in 1985, elliptic curve cryptography has come to be seen as an attractive alternative to conventional public key cryptosystems, allowing the development of fast and memory efficient cryptographic algorithms. However, before the deployment of an elliptic curve cryptosystem, a cryptographically secure elliptic curve must be chosen in order to guarantee the robustness of the cryptosystem against all (currently known) attacks (e.g. [ 4]). All these attacks can be avoided if the order of the EC possesses certain properties. An equally important alternative to cryptographic robustness (see e.g. [5]) requires that the order of the generated EC is a prime number. It is clear that the generation of cryptographically secure elliptic curves over prime fields is one of the most fundamental and complex problems in elliptic curve cryptography. The methods most commonly used for the generation of ECs over prime fields are the Complex Multiplication (CM) method [6,7] and the point counting method [8]. In this paper we will follow the first approach. The most complex and demanding step of the CM method is the computation of a class polynomial, called a Hilbert polynomial, whose roots are then used directly for the construction of the EC parameters. These polynomials are uniquely determined by a (positive) parameter D called the CM discriminant, which is congruent to 0 or 3 (mod 4). In particular, for the construction of prime order ECs, the CM discriminant must be congruent to 3 (mod 8). The disadvantage of Hilbert

polynomials is that their coefficients grow very large as the value of the discriminant increases and thus their construction requires high precision arithmetic. To overcome these shortcomings of Hilbert polynomials, we can use other classes of polynomials which have much smaller coefficients; their use can considerably improve the efficiency of the whole CM method. In the literature, three kinds of these polynomials are proposed: Weber polynomials [9], M_{D,l}(x) polynomials [] and double-eta polynomials (we will denote them by M_{D,p1,p2}(x)) []. The logarithmic heights of the coefficients of the Weber, M_{D,l}(x) and M_{D,p1,p2}(x) polynomials are smaller by a constant factor than the corresponding logarithmic heights of the Hilbert polynomials, and this is the reason for their much more efficient construction.

Our contribution. Srinivasa Ramanujan (1887–1920) defined in his third notebook, pages 39 and 393 in the pagination of [, vol. ], the values of five class polynomials for five different values of the discriminant. The simplicity and the small coefficients of these polynomials were remarkable. In 1999 Bruce C. Berndt and Heng Huat Chan [3] proved that if D is square-free and D ≡ 11 (mod 24) then the roots of these five polynomials are real units and can generate the Hilbert class field. Moreover, they asked for an efficient way of computing these polynomials for every discriminant (and not only for the five values computed by Ramanujan). In the rest of the paper, we will call them Ramanujan polynomials. Interpreting the theorem of Berndt and Chan (that the roots of the Ramanujan polynomials can generate the Hilbert class field for values D ≡ 11 (mod 24)), we see that Ramanujan polynomials can be used in the CM method, as the aforementioned theorem proves that there is a transformation of their roots to the roots of the corresponding Hilbert polynomials.
In addition, as D ≡ 11 (mod 24) implies D ≡ 3 (mod 8), Ramanujan polynomials can also be used in the generation of prime order ECs. In this paper, we introduce for the first time the use of Ramanujan polynomials in the CM method by providing an efficient algorithm for their construction for all values of the discriminant. The theory behind this construction is based on the Shimura Reciprocity Law [4,5], and the mathematical proofs behind it are presented in [6]. In the context of this paper we present a new, simplified and much more efficient construction method for the polynomials which avoids the use of matrices (as in [6]) and is based solely on quadratic forms. The new construction method resembles the corresponding methods for all other class polynomials, using modular functions under the conditions of the quadratic forms. We observe that Ramanujan polynomials have the same degree as their corresponding Hilbert polynomials and we provide the necessary transformation of a Ramanujan polynomial root to a root of the corresponding Hilbert polynomial. The new construction algorithm, together with the transformation formula, gives all the necessary information that a practitioner needs in order to use the new class of polynomials in the CM method. Besides the introduction of the new class polynomials, we give an asymptotic bound for the logarithmic height of the Weber, M_{D,l}(x), M_{D,p1,p2}(x) and Ramanujan polynomials and prove theoretically that this bound does not depend solely on the height of the corresponding class invariants that generate the particular polynomials. For example, it can be shown that when D ≡ 3 (mod 8), the logarithmic heights of the corresponding Weber polynomials are three times larger than the logarithmic heights of the Weber polynomials when D ≡ 7 (mod 8), even though similar class invariants are used for the two cases. The logarithmic height of the polynomials is equal to the bit precision required for their construction.
Thus, the asymptotic bounds of the logarithmic heights can be used as an estimate of the precision requirements of all polynomials. Clearly, this information is crucial for anyone who wants to construct the polynomials. Finally, we perform a comparative theoretical and experimental study of the efficiency of using the aforementioned Weber, M_{D,l}(x) and M_{D,p1,p2}(x) polynomials against the new class of polynomials. We show that Ramanujan polynomials are by far the best choice when the CM method is used for the generation of prime order elliptic curves, since their construction is more efficient than the construction of all previously used polynomials. We show that the logarithmic heights of the coefficients of the Ramanujan polynomials are asymptotically 36 times smaller than the logarithmic heights of the Hilbert polynomials, and this allows us to show that the precision requirements for the construction of Ramanujan polynomials can be from % to 66% smaller than the precision requirements for all other class polynomials. Ramanujan polynomials can also be used in the generation of special curves, such as MNT curves [7,8], and in the generation of ECs that do not necessarily have prime order [6,7]. In the case where non-prime order elliptic curves are constructed, the best known class invariant is the one used for the construction of Weber polynomials with D ≢ 0 (mod 3) and D ≡ 7 (mod 8). However, our experiments indicated that this is not always true and the choice of Ramanujan polynomials can be more advantageous in many cases. Moreover, problems such as primality testing/proving [6] and the representability of primes by quadratic forms [9] can be considerably improved with the use of Ramanujan polynomials. This makes our analysis of these polynomials even more useful.

The rest of the paper is organized as follows. In Section 2 we review some basic definitions and facts about the CM method and class polynomials.
In Section 3 we elaborate on the construction of Ramanujan polynomials, describing in an explicit way how they can be used in the CM method. In Section 4 we provide theoretical estimates of the precision requirements of all previously mentioned class polynomials, in Section 5 we present our experimental results, and we give our conclusions in Section 6.

2. Complex multiplication and class polynomials

In this section we give a brief introduction to elliptic curve theory, the Complex Multiplication (CM) method and class polynomials. Our aim is to facilitate the reading of the sections that follow.

2.1. Elliptic curve theory and complex multiplication

An elliptic curve over a finite field F_p, p a prime larger than 3, is denoted by E(F_p) and is comprised of all the points (x, y) with x, y ∈ F_p (in affine coordinates) such that

y^2 = x^3 + ax + b, (1)

with a, b ∈ F_p satisfying 4a^3 + 27b^2 ≠ 0. These points, together with a special point denoted by O (the point at infinity) and a properly defined addition operation, form an Abelian group. This is the elliptic curve group and the point O is its zero element (see [ ] for more details on this group). The order, denoted by m, is the number of points that belong to E(F_p). Among the most important quantities defined for an elliptic curve E(F_p) are the curve discriminant Δ and the j-invariant. These two quantities are given by the equations Δ = −16(4a^3 + 27b^2) and j = −1728(4a)^3/Δ. Given a j-invariant j ∈ F_p (with j ≠ 0, 1728) two ECs can be constructed. If k = j/(1728 − j) mod p, one of these curves is given by Eq. (1) by setting a = 3k mod p and b = 2k mod p. The second curve (the twist of the first) is given by the equation y^2 = x^3 + ac^2 x + bc^3 with c any quadratic non-residue of F_p. If m and m' denote the orders of an elliptic curve and its twist respectively, then m + m' = 2p + 2, which implies that if one of the curves has order p + 1 − t, then its twist has order p + 1 + t, or vice versa (see [, Lemma VIII.3]). Finding a suitable j-invariant for a curve that has a given order m can be accomplished through the theory of Complex Multiplication (CM) of elliptic curves over the rationals. This method is called the CM method and in what follows we will give a brief account of it. Given a prime p, the smallest positive square-free D is chosen for which there exists some integer u such that the equation 4p = u^2 + Dv^2 holds. The negative parameter −D is called a CM discriminant for the prime p. For convenience throughout the paper, we will use D (the positive integer) to refer to the CM discriminant.
The CM method uses D to determine a j-invariant. This j-invariant, in turn, will lead to the construction of an EC of order p + 1 − u or p + 1 + u. If neither of the possible orders p + 1 − u and p + 1 + u is suitable for our purposes, the process is repeated with a new D. If at least one of these orders is suitable, then the method proceeds with the construction of the Hilbert polynomial (uniquely defined by D) and the determination of its roots modulo p. Any root of the Hilbert polynomial can be used as a j-invariant. From this root the corresponding EC and its twist can be constructed. In order to find which one of the curves has the desired suitable order (m = p + 1 − u or m = p + 1 + u), Lagrange's theorem can be used as follows: we repeatedly choose points P at random in each EC until a point is found in one of the curves for which mP ≠ O. This implies that the curve that we seek is the other one. Recently, different methods have been proposed for choosing efficiently the correct elliptic curve in the CM method [3,4]. If the order m should be a prime number, then it is obvious that u should be odd. It is also easy to show that D must be congruent to 3 mod 8 and that v should be odd, too. The most demanding step of the CM method is the construction of the Hilbert polynomial, as it requires high precision floating point and complex arithmetic. As the value of the discriminant increases, the coefficients of the polynomials grow extremely large and their computation becomes more inefficient. If we could find a way to compute the roots of the Hilbert polynomials directly, it is clear that it wouldn't be necessary to construct the polynomials (since only their roots are needed in the CM method). Indeed, there are polynomials (known as class polynomials) [5,6,9], with much smaller coefficients, which can be constructed much more efficiently than Hilbert polynomials and whose roots can be transformed to the roots of the Hilbert polynomials.
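The CM-discriminant search, the two candidate orders and the curve/twist selection described above, as an added worked example (my code, not the paper's or any library's). It assumes a constructed toy prime p = 179 and uses j = −3375, the standard j-invariant for D = 7, in place of a Hilbert polynomial root; the square-root step assumes p ≡ 3 (mod 4).

```python
"""Added example (not the paper's code): the steps of Section 2.1 for a toy prime.
Constructed sample values: p = 179 (a toy prime); j = -3375 is the standard
j-invariant for CM discriminant D = 7, used here to exercise the twist test."""
from math import isqrt

def is_squarefree(n):
    k = 2
    while k * k <= n:
        if n % (k * k) == 0:
            return False
        k += 1
    return True

def is_cm_discriminant(D):
    """-D must be a (fundamental) discriminant: D = 3 (mod 4) square-free, or
    D = 4m with m square-free and m = 1, 2 (mod 4).  The text only says
    'square-free'; admitting D = 4m is the standard convention (assumption)."""
    if D % 4 == 3:
        return is_squarefree(D)
    if D % 4 == 0:
        m = D // 4
        return m % 4 in (1, 2) and is_squarefree(m)
    return False

def represent(p, D):
    """Solve 4p = u^2 + D v^2 by brute force over v >= 1; returns (u, v) or None."""
    v = 1
    while D * v * v <= 4 * p:
        rem = 4 * p - D * v * v
        u = isqrt(rem)
        if u * u == rem:
            return u, v
        v += 1
    return None

def smallest_cm_discriminant(p, bound):
    """Smallest CM discriminant D <= bound for p, as (D, u, v), else None."""
    for D in range(3, bound + 1):
        if is_cm_discriminant(D):
            sol = represent(p, D)
            if sol is not None:
                return (D,) + sol
    return None

def candidate_orders(p, u):
    """The two possible curve orders p + 1 - u and p + 1 + u."""
    return p + 1 - u, p + 1 + u

def prime_order_feasible(D, u, v):
    """Necessary conditions of Section 2.1 for a prime-order curve: u, v odd, D = 3 (mod 8)."""
    return u % 2 == 1 and v % 2 == 1 and D % 8 == 3

def curve_and_twist(p, j):
    """From j != 0, 1728: a = 3k, b = 2k with k = j/(1728 - j); twist (a c^2, b c^3),
    c the smallest quadratic non-residue mod p."""
    k = j * pow((1728 - j) % p, -1, p) % p
    a, b = 3 * k % p, 2 * k % p
    c = next(x for x in range(2, p) if pow(x, (p - 1) // 2, p) == p - 1)
    return (a, b), (a * c * c % p, b * pow(c, 3, p) % p)

def ec_add(p, a, P, Q):
    """Affine group law on y^2 = x^3 + ax + b; None is the point at infinity O."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                      # P = -Q (also doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(p, a, k, P):
    R = None
    while k:
        if k & 1:
            R = ec_add(p, a, R, P)
        P = ec_add(p, a, P, P)
        k >>= 1
    return R

def points(p, a, b):
    """All affine points; square roots by exponentiation, so p = 3 (mod 4) is required."""
    assert p % 4 == 3
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        if rhs == 0:
            yield (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:
            y = pow(rhs, (p + 1) // 4, p)
            yield (x, y)
            yield (x, p - y)

def count_points(p, a, b):
    """Group order by exhaustive count (only feasible for a toy p); +1 for O."""
    return 1 + sum(1 for _ in points(p, a, b))

def assign_orders(p, E, Et, m1, m2):
    """Lagrange test of Section 2.1: if some P on E has m1*P != O then E cannot have
    order m1, so E has order m2 and the twist Et has order m1; otherwise E has order m1."""
    a, b = E
    for P in points(p, a, b):
        if ec_mul(p, a, m1, P) is not None:
            return {E: m2, Et: m1}
    return {E: m1, Et: m2}
```

For p = 179 the search returns D = 7 with (u, v) = (4, 10), so the candidate orders are 176 and 184 and a prime-order curve is impossible for this pair; the exhaustive count confirms which curve the Lagrange test selects.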
Thus, we can replace the Hilbert polynomials in the CM method with another class of polynomials, given that their roots can be transformed to the roots of the Hilbert polynomials. In the following section we will briefly review the definition of these polynomials, while in Section 3 we will propose the use of a new class of polynomials.

2.2. Class polynomials

Besides Hilbert polynomials, other class polynomials can be used in the CM method. In the literature, three kinds of these polynomials are proposed: Weber polynomials [9], M_{D,l}(x) polynomials [] and double-eta polynomials (we will denote them by M_{D,p1,p2}(x)) []. In what follows, we will briefly review the definitions of these polynomials.

2.2.1. Hilbert polynomials

Every CM discriminant D defines a unique Hilbert polynomial, denoted by H_D(x). Given a positive D, the Hilbert polynomial H_D(x) ∈ Z[x] is defined as

H_D(x) = ∏_τ (x − j(τ)) (2)

for values of τ satisfying τ = (−β + √−D)/(2α), for all integers α, β, and γ such that (i) β^2 − 4αγ = −D, (ii) |β| ≤ α ≤ √(D/3), (iii) α ≤ γ, (iv) gcd(α, β, γ) = 1, and (v) if |β| = α or α = γ, then β ≥ 0. The 3-tuple of integers [α, β, γ] that satisfies these conditions is called a primitive, reduced quadratic form of D, with τ being a root of the quadratic equation αz^2 + βz + γ = 0. Clearly, the set of primitive reduced quadratic forms of a given discriminant is finite. The quantity j(τ) in Eq. (2) is called class invariant and is defined as follows. Let z = e^{2πiτ} and h(τ) = (η(2τ)/η(τ))^{24}, where η(τ) = z^{1/24} ∏_{n≥1} (1 − z^n) is the Dedekind eta function. Then, j(τ) = (256h(τ) + 1)^3 / h(τ).

2.2.2. Weber polynomials

Weber polynomials are defined using the Weber functions f(τ) = ζ_48^{−1} η((τ+1)/2)/η(τ), f_1(τ) = η(τ/2)/η(τ) and f_2(τ) = √2 η(2τ)/η(τ), where ζ_48 = e^{2πi/48}. Then, the Weber polynomial W_D(x) is defined as

W_D(x) = ∏_{l=1}^{h} (x − g(τ_l)),

where g(τ_l) (a class invariant of W_D(x)) is an expression depending on the value of D for the Weber functions, τ_l satisfies the equation a_l z^2 + 2b_l z + c_l = 0 and h is the degree of the polynomial. This quadratic equation corresponds to a primitive reduced quadratic form [a_l, b_l, c_l] for which 4b_l^2 − 4a_l c_l = −4d, where d = D/4 if D ≡ 4, 8 (mod 16), and d = D if D ≡ 3 (mod 4), and (i) gcd(a_l, b_l, c_l) = 1, (ii) |b_l| ≤ a_l ≤ c_l, and (iii) if either a_l = |b_l| or a_l = c_l, then b_l ≥ 0. In particular, g(τ_l) is constructed using the following equation given in [7]:

g(τ_l) = ( π KLb ( l N exp I/6 f J (τ l ] G K 4

where J ∈ {0, 1, 2}, f_0(τ_l) = f(τ_l), G = gcd(D, 3), I, K ∈ [0, 6], and L, N are positive integers. The precise values of these parameters depend on certain, rather tedious, conditions among a_l, c_l and D that encompass the various cases of the mathematical definition of the Weber polynomials; the interested reader can find all the details in [7]. There are ten cases of the discriminant D that define ten different class invariants and consequently ten class polynomials. Recall that D is either 3 (mod 4) or 4, 8 (mod 16) and that d = D/4 if D ≡ 0 (mod 4), and d = D if D ≡ 3 (mod 4). This in turn implies that d ≡ 3, 7 (mod 8) if D ≡ 3 (mod 4), while d ≡ 1, 2, 5, 6 (mod 8) when D ≡ 4, 8 (mod 16). The ten class invariants split into two groups of five each, depending on whether D ≡ 0 (mod 3) or D ≢ 0 (mod 3). Finally, we note that the degree h of W_D(x) is equal to the degree of the corresponding Hilbert polynomial for all cases of D ≢ 3 (mod 8). When D ≡ 3 (mod 8) the degree of the Weber polynomials is three times larger than the degree of the corresponding Hilbert polynomials. This is why these values of D are usually avoided in the generation of ordinary ECs.
However, when we want to construct prime order ECs [5], it is necessary that D ≡ 3 (mod 8).

2.2.3. M_{D,l}(x) polynomials

Another class of polynomials was proposed in [], referred to as the M_{D,l}(x) polynomials. These polynomials have degree equal to the degree of their corresponding Hilbert polynomials and are constructed from a family of η-products: m_l(z) = η(z/l)/η(z) for an integer l ∈ {3, 5, 7, 13}. The polynomials are obtained from this family by evaluating their values at a suitably chosen system of quadratic forms. Once a polynomial is computed, we can use a modular equation in order to compute a root modulo p of the Hilbert polynomial from a root modulo p of the M_{D,l}(x) polynomial. The polynomials M_{D,l}(x) ∈ Z[x] (for D satisfying a congruence condition (mod l)) are defined as

M_{D,l}(x) = ∏_{τ_Q} (x − m_l^e(τ_Q)),

where τ_Q = (−B_i + √−D)/(2A_i) for all representatives S = {(A_i, B_i, C_i)}_{1≤i≤h} of the reduced primitive quadratic forms of a discriminant derived from the l-system. Details on the construction of the invariants m_l^e(τ_Q) can be found in [5,]. The invariants m_l^e(τ_Q) are related to j(τ) through the corresponding modular equations Φ_l(m_l^e(τ_Q), j(τ)) = 0 []. Since M_{D,l}(x) polynomials have roots R_M modulo p, we use an algorithm for their computation (for example Berlekamp's algorithm [8]) and then we can compute the roots R_H modulo p of the corresponding Hilbert polynomial H_D(x) from the modular equation Φ_l(R_M, R_H) = 0.

2.2.4. M_{D,p1,p2}(x) polynomials

The authors of [] proposed the use of another class of polynomials. Like M_{D,l}(x) polynomials, these polynomials are constructed using a family of η-products: m_{p1,p2}(z) = η(z/p1) η(z/p2) / (η(z/(p1 p2)) η(z)), where p1, p2 are primes. We will refer to the minimal polynomials of these products (powers of which generate the Hilbert class field and are called class invariants like j(τ)) as M_{D,p1,p2}(x), where D is the discriminant used for their construction. The only restriction imposed on the discriminant D is that the Kronecker symbols (−D/p1) and (−D/p2) are not equal to −1.
The polynomials are obtained from this family by evaluating their value at a suitably chosen system of quadratic forms. In particular, the polynomial M_{D,p1,p2}(x) ∈ Z[x] is defined as

M_{D,p1,p2}(x) = ∏_{τ_Q} (x − m^s_{p1,p2}(τ_Q)),

where s = 24/gcd(24, (p1 − 1)(p2 − 1)) and τ_Q = (−B_i + √−D)/(2A_i) for all representatives S = {(A_i, B_i, C_i)}_{1≤i≤h} of the reduced primitive quadratic forms of a discriminant derived from a (p1 p2)-system (the definition of an l-system can be found in [9]). Once a polynomial is computed, we can use the modular equations Φ_{p1,p2}(x, j) = 0 in order to compute a root j modulo p of the Hilbert polynomial from a root x modulo p of the M_{D,p1,p2}(x) polynomial. However, a disadvantage of the M_{D,p1,p2}(x) polynomials is that the degree in j of the modular equations is at least 2 and the coefficients of the modular equations are quite large (which makes their use less efficient). The only modular polynomials that have degree 2 in j are Φ_{3,13}(x, j) and Φ_{5,7}(x, j). In addition, M_{D,3,13}(x) and M_{D,5,7}(x) polynomials are constructed more efficiently than other polynomials of the double-eta family [5]. Thus, we only used these polynomials in our experiments.

3. Ramanujan polynomials

In this section, we define a new class of polynomials which can be used in the CM method for the generation of secure ECs. We elaborate on their construction and provide the necessary transformations of their roots to the roots of the corresponding Hilbert polynomials.

3.1. Construction of polynomials

Srinivasa Ramanujan (1887–1920) defined in his third notebook, pages 39 and 393 in the pagination of [, vol. ], the values

t_n = √3 q^{1/18} f(q^{1/3}) f(q^3) / f^2(q),

where f(−q) = ∏_{d≥1} (1 − q^d) = q^{−1/24} η(τ), q = exp(2πiτ), q = exp(−π√n), τ ∈ H (H is the upper half-plane) and η(τ) denotes the Dedekind eta function. Without any further explanation on how he found them, Ramanujan gave the following table of polynomials T_n(x) based on t_n for five values of n:

n = 11: T_n(x) = x − 1
n = 35: T_n(x) = x^2 + x − 1
n = 59: T_n(x) = x^3 + 2x − 1
n = 83: T_n(x) = x^3 + 2x^2 + 2x − 1
n = 107: T_n(x) = x^3 − 2x^2 + 4x − 1

In [3] Berndt and Chan proved that these polynomials do indeed have the Ramanujan values t_n as roots.
The method that they used could not be applied for higher values of n and they asked for an efficient way of computing the polynomials T_n for every n. They also proved that if n ∈ N is square-free and such that n ≡ 11 mod 24, then t_n is a real unit generating the Hilbert class field. This actually means that the polynomials T_n can be used in the CM method, because their roots can be transformed to the roots of the corresponding Hilbert polynomials. In addition, the remarkably small coefficients of these polynomials are a clear indication that their use in the CM method can be especially favoured. In [6] the authors applied the Shimura Reciprocity Law to the Ramanujan class invariant t_n and an algorithm for computing the polynomials T_n(x) was provided using the work of Gee and Stevenhagen [4,5]. The construction of these polynomials (which we will call Ramanujan polynomials) involves six modular functions R_i(τ) with i ∈ {0, 1, 2, 3, 4, 5} which are defined by

R_0(τ) = η(3τ)η(τ/3)/η^2(τ),
R_1(τ) = η(3τ)η(τ/3 + 1/3)/η^2(τ),
R_2(τ) = η(3τ)η(τ/3 + 2/3)/η^2(τ),
R_3(τ) = η(τ/3)η(τ/3 + 1/3)/η^2(τ),
R_4(τ) = η(τ/3)η(τ/3 + 2/3)/η^2(τ), (3)

Footnote: For example, notice in [9] the size of the smallest modular polynomial Φ_{5,7}(x, j).

and R_5(τ) = η(τ/3 + 1/3)η(τ/3 + 2/3)/η^2(τ). It was proved in [6] that t_n = √3 R_0(θ) where θ = / /. The Shimura Reciprocity Law gives us the action of every primitive, reduced quadratic form [a, b, c] of D on √3 R_0(θ):

(√3 R_0(θ))^{[a,b,c]} = (ζ^{6d_{[a,b,c]}} − ζ^{3d_{[a,b,c]}}) R_0^{σ_{d_{[a,b,c]}}}((α_{[a,b,c]} τ_{[a,b,c]} + β_{[a,b,c]}) / (γ_{[a,b,c]} τ_{[a,b,c]} + δ_{[a,b,c]})),

where ζ = e πi/, τ_{[a,b,c]} is the (complex) root of az^2 + bz + c with positive imaginary part, (α_{[a,b,c]} β_{[a,b,c]}; γ_{[a,b,c]} δ_{[a,b,c]}) = A_{[a,b,c]} is an element in GL_2(Z/NZ), d_{[a,b,c]} = det A_{[a,b,c]} and σ_{d_{[a,b,c]}} ∈ Gal(Q(ζ)/Q) sends ζ ↦ ζ^{d_{[a,b,c]}}. In particular, the matrix A_{[a,b,c]} is the unique element in GL_2(Z/NZ) that is mapped to A_{[a,b,c],p^r} modulo p^r, where p^r is the maximum power of a prime p that divides N. Namely, the matrices A_{[a,b,c],p^r} for p = 2, 3 and p^r = 8, 9 are defined by

A_{[a,b,c],p^r} = ( a b ) if p ∤ a; ( b c ) if p | a and p ∤ c; ( b b a c ) if p | a and p | c. (4)

The determinants of the matrices A_{[a,b,c],p^r} are easily found:

d_{[a,b,c],p^r} = a if p ∤ a; c if p | a and p ∤ c; a + b + c if p | a and p | c. (5)

On the basis of the Chinese remainder theorem, we can compute the determinant

d_{[a,b,c]} = 9d_{[a,b,c],8} − 8d_{[a,b,c],9}. (6)

Now, we can write the matrix A_{[a,b,c]} uniquely as a product

A_{[a,b,c]} = B_{[a,b,c]} (1 0; 0 d_{[a,b,c]}),

where d_{[a,b,c]} = det A_{[a,b,c]} and B_{[a,b,c]} is a matrix with determinant 1. The construction of the polynomials would be completed if we could compute the expansion of B_{[a,b,c]} as a word in the matrices S = (0 −1; 1 0) and T = (1 1; 0 1) which generate the group SL_2(Z). In this paper, we will try to simplify the approach provided in [6]. Since the construction of the polynomials T_D(x) is based on the six modular functions R_i, we must provide the action of σ_{d_{[a,b,c]}} and B_{[a,b,c]} on them. In particular, the action of σ_d on the modular functions is expressed in terms of the matrix

Σ = ζ d ζ d ζ d ζ d ζ 3d 3 if d mod 3; ζ d ζ d ζ d ζ d ζ 3d 3 if d mod 3. (7)
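The reduced-form enumeration of Section 2.2.1 and the determinants of Eqs. (5) and (6), as an added example (my code, not the paper's). It assumes the sample discriminant D = 491, chosen because its nine reduced forms are the ones the numerical example in Section 3.2 works through; the d values are left unreduced modulo 72.

```python
"""Added example (not the paper's code): primitive reduced quadratic forms of
Section 2.2.1 and the determinants d_{[a,b,c],p^r}, d_{[a,b,c]} of Eqs. (5)-(6).
D = 491 below is an assumed sample discriminant (D = 11 mod 24)."""
from math import gcd, isqrt

def reduced_forms(D):
    """All primitive reduced forms [a, b, c] with b^2 - 4ac = -D, i.e. conditions
    (i)-(v): |b| <= a <= c, gcd(a, b, c) = 1, and b >= 0 whenever |b| = a or a = c.
    a <= sqrt(D/3) follows from |b| <= a <= c and bounds the search."""
    forms = []
    for a in range(1, isqrt(D // 3) + 1):
        for b in range(-a, a + 1):
            if (b * b + D) % (4 * a):
                continue                          # c would not be an integer
            c = (b * b + D) // (4 * a)
            if c < a or gcd(gcd(a, abs(b)), c) != 1:
                continue                          # (iii) or (iv) fails
            if b < 0 and (-b == a or a == c):
                continue                          # (v) fails
            forms.append((a, b, c))
    return forms

def class_number(D):
    """Degree of H_D(x) (and of T_D(x)): the number of reduced forms."""
    return len(reduced_forms(D))

def det_local(a, b, c, p):
    """d_{[a,b,c],p^r} of Eq. (5): a if p does not divide a; c if p | a but p
    does not divide c; a + b + c if p divides both a and c."""
    if a % p:
        return a
    if c % p:
        return c
    return a + b + c

def det_global(a, b, c):
    """d_{[a,b,c]} = 9 d_{[a,b,c],8} - 8 d_{[a,b,c],9} (Eq. (6)), left unreduced;
    modulo 72 it agrees with d_8 mod 8 and with d_9 mod 9."""
    return 9 * det_local(a, b, c, 2) - 8 * det_local(a, b, c, 3)

def crt_check(a, b, c):
    """Sanity check of Eq. (6): the combined d matches both local determinants."""
    d = det_global(a, b, c)
    return (d - det_local(a, b, c, 2)) % 8 == 0 and (d - det_local(a, b, c, 3)) % 9 == 0

if __name__ == "__main__":
    D = 491   # assumed sample value; its nine forms match the numerical example
    for form in reduced_forms(D):
        print(form, det_global(*form))
```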

The action of the matrix B_{[a,b,c]} on the modular functions R_i can be found if we compute the expansion of B_{[a,b,c]} as a word in the matrices S and T. The actions of the elements S and T on the modular functions R_i are given by the matrices

T_d = ζ 3d ζ 3d ζ 6d ζ 3d, ζ 6d ζ 3d ζ 3d 3d ( ζ + ζ 6d ζ 3d
S_d = ζ 3d + ζ 6d ζ 3d 3d ( ζ + ζ 6d ζ 3d + ζ 6d ζ 3d

where d = d_{[a,b,c]} (see Eq. (6)). For every representative [a, b, c] of an equivalence class in the class group we form the matrix A_{[a,b,c],p^r} for p^r = 8, 9 as defined in Eq. (4). The matrix A_{[a,b,c],p^r} is then expressed as the product B_{[a,b,c],p^r} (1 0; 0 d_{[a,b,c],p^r}) of a matrix of determinant 1 and a matrix of the form (1 0; 0 d). In particular, using Eq. (5), A_{[a,b,c],p^r} = B_{[a,b,c],p^r} (1 0; 0 d_{[a,b,c],p^r}) with

B_{[a,b,c],p^r} = ( b a a ) if p ∤ a; ( a b ) if p | a and p ∤ c; ( b b c a (a + b + c) a + b + c ) if p | a and p | c. (8)

According to Lemma 3.3 in [6], the matrix B_{[a,b,c],p^r} for p^r = 8, 9 can be written as a word in the matrices F_8, G_8, F_9, G_9, where F 8 = Td S d Td S d Td S d Td = T 7 d S dT 6 d S dT 7 d S dT 54 d, G 8 = T 9 d, F 9 = T d S d T 65 d S d T d S d T 96 d = T 7 d S dT 7 d S dT 7 d S dT 6 d and G 9 = T 8 d = T 64 d, where d = d_{[a,b,c]}. In particular, we have computed that

F 8 = ( d ( d ( d ( d ( d ( d ( d
G 8 = ( d ( d ( d ( d
F 9 = ζ 33d 3d ( ζ + ζ 6d ζ 33d 3d ( ζ + ζ 6d ( d ( ζ 33d + ζ 9d ζ 33d 3d ( ζ + ζ 6d ( d

and

G 9 = ζ 33d ζ 33d ζ 33d ζ 3d ζ 33d ζ 3d.

Following again Lemma 3.3 in [6], we can prove the next lemma:

Lemma 1. The matrices B_{[a,b,c],p^r} can be written as a word in the matrices F_{p^r} and G_{p^r} using the following equation:

B_{[a,b,c],p^r} = F p r G a a ( b a mod pr F p r G a p r p r F p r G( p r if p ∤ a; G p r F p r G p r F p r G pr if p | a and p ∤ c; G p r F p r G p r F p r G mod pr a+b+c if p | a and p | c. (9)

Proof. The proof is derived directly from Lemma 3.3 in [6]. For example, in the case that p ∤ a the matrix B_{[a,b,c],p^r} = ( A B; C ) is equal to F p r G z F p r G Bz + C where z = mod p r a A B a. Substituting from Eq. (8) we can easily find that B_{[a,b,c],p^r} = F p r G a p r mod pr F mod pr pr G a p r F p r G( a ( b a mod pr p r.

Concluding the above discussion, the Ramanujan polynomial T_D(x) ∈ Z[x] for D ≡ 11 (mod 24) is defined as

T_D(x) = ∏_τ (x − t(τ))

for values of τ satisfying τ = (−b + √−D)/(2a) for all primitive, reduced quadratic forms [a, b, c] of D. Every value t(τ) that corresponds to a specific form [a, b, c] is defined by

t(τ) = (ζ^{6d} − ζ^{3d}) Σ_{i=0}^{5} a_i R_i(τ),

where the value d is equal to d_{[a,b,c]} (see Eq. (6)) and the values a_i with i ∈ {0, 1, 2, 3, 4, 5} are the elements of the third row of the 6 × 6 matrix A = B_{[a,b,c],8} B_{[a,b,c],9} Σ. It is easy to see that every row in the matrix A has only one non-zero element. Thus, only one value a_i is not equal to zero and the computation of every value t(τ) requires the evaluation of only one value R_i(τ). However, the construction described above is not very efficient, since it involves many multiplications of matrices (see Eq. (9)). A question that immediately arises is whether we can avoid the use of matrices and construct the Ramanujan polynomials in a way similar to the construction of Hilbert or Weber polynomials (e.g. using only quadratic forms and modular functions).
Clearly, the answer is positive and will be analysed in the next section.

3.2. Constructing the polynomials without matrices

Let us define the following function of d = d_{[a,b,c]}:

N(d) = ( b d ) if a or c; ( 3b d ) if a, c.

We introduce the following notation: If 3 ∤ a then let a^{−1} be an inverse of a mod 9. Write a = 3π_a + υ_a, a^{−1} = 3π_{a^{−1}} + υ_{a^{−1}}, ( b a a^{−1} ) = 3π + υ, where υ_a, υ_{a^{−1}}, υ < 3. If 3 | a and 3 ∤ c then write ( b+ ) = 3π + υ, where υ < 3. If 3 | a and 3 | c then write y = ( b+ a ) = 3π_y + υ_y, υ_y < 3. Let (a + b + c)^{−1} be the multiplicative inverse of (a + b + c) mod 9 and write (a + b + c)^{−1} + = 3π_3 + υ_3, υ_3 < 3. Moreover, consider the following function of τ = τ_{[a,b,c]}:

f(τ) = ζ 4d(π a π a π +4d R (τ if a mod 3, υ = ζ 48d(π a+π a +π 6d R (τ if a mod 3, υ = 48dπ ζ 4d 3d ζ + ζ R 6d 3(τ if a mod 3, υ =, c mod 3 48dπ ζ 4d 3d ζ + ζ R 6d 4(τ if a mod 3, υ =, c mod 3 48dπ ζ +4d 3d ζ + ζ R 6d 4(τ if a mod 3, υ =, c mod 3 48dπ ζ +4d 3d ζ + ζ R 6d 3(τ if a mod 3, υ =, c mod 3 48dπ ζ +6d R (τ if a mod 3, υ = ζ 4d(π a π a π +d R (τ if a mod 3, υ = ζ 4d(π a π a π +5d R (τ if a mod 3, υ = ζ 48d(π a+π a +π 4d R (τ if a mod 3, υ = ζ 48d(π a+π a +π 46d R (τ if a mod 3, υ = ζ 4d(π 3 π y +36d 3 ζ 3d + ζ 6d R 5 (τ if a mod 3, c mod 3, υ y = ζ 4d(π 3 π y 3 ζ 3d + ζ 6d R 5 (τ if a mod 3, c mod 3, υ y =.

Then, the following theorem can be proved.

Theorem 1. The roots of the Ramanujan polynomials are given by the equation

t(τ_{[a,b,c]}) = (ζ^{6d_{[a,b,c]}} − ζ^{3d_{[a,b,c]}}) (−1)^{N(d_{[a,b,c]})} f(τ_{[a,b,c]}),

where [a, b, c] runs over the set of equivalence classes of quadratic forms of discriminant D and τ_{[a,b,c]} is the unique root of ax^2 + bx + c with positive imaginary part.

Proof. According to the definition of t(τ) above, the roots of the Ramanujan polynomials are equal to t(τ) = (ζ^{6d} − ζ^{3d}) Σ_{i=0}^{5} a_i R_i(τ). The values a_i with i ∈ {0, 1, 2, 3, 4, 5} are the elements of the third row of the 6 × 6 matrix A = B_{[a,b,c],8} B_{[a,b,c],9} Σ. On the basis of the congruences of the elements [a, b, c], we will try to evaluate the matrices B_{[a,b,c],8}, B_{[a,b,c],9} and Σ in order to find the value of the only non-zero element a_i.
First, we will investigate the action of the B_{[a,b,c],8} matrix on the final matrix A and consequently on the values a_i. The matrix B_{[a,b,c],8} is actually responsible for the term (−1)^{N(d_{[a,b,c]})} in Theorem 1. Notice that the matrix B_{[a,b,c],8} is constructed from powers of the matrices F_8 and G_8 (see Eq. (9)). Having in mind that the multiplicative group of invertible elements modulo 8 is isomorphic to the direct product Z/2Z × Z/2Z, we conclude that the inverse of every element modulo 8 coincides with the element itself, i.e. a^{−1} ≡ a mod 8 if gcd(a, 8) = 1. This means that Eq. (9) for the case p = 2 takes the form

B_{[a,b,c],8} = F 8 G8 F 8 G8 F 8 G ( b a mod 8 8 if 2 ∤ a; G mod 8 8 F 8 G 8 F 8 G 8 if 2 | a and 2 ∤ c; G 8 F 8 G 8 F 8 G8 (a+b+c) mod 8 if 2 | a and 2 | c.

Moreover, the form of the matrices F_8 and G_8 implies that F 8 G 8, G 8 and F 8 are all equal to the unit matrix I. This means that the matrix B_{[a,b,c],8} can be further simplified, leading to the equation

B_{[a,b,c],8} = G 8 ( b mod 8 if 2 ∤ a; G 8 ( b mod 8 if 2 | a and 2 ∤ c; G 8 ( 3b mod 8 if 2 | a and 2 | c.

Clearly, the matrix B_{[a,b,c],8} will add a multiplier ±1 to the final value of the invariants. The sign in front of 1 will be determined by the above equation and is given by the function N(d) defined above. Dealing with the effect of the B_{[a,b,c],9} matrix is much more complicated. In this case, we have to compute powers of the matrix G_9. This task becomes less difficult with the observation that G_9^3 is a diagonal matrix equal to

G_9^3 = diag( ζ 4d ζ 4d ζ 4d ζ 4d ζ 4d ζ 4d ).

Therefore, integer powers G_9^k can be computed by considering different cases according to the values of k mod 3. Let us consider the case where 3 | a and 3 | c. Then, the matrix B_{[a,b,c],9} is equal to B_{[a,b,c],9} = G 9 ( b+ a mod 9 F 9 G 9 /(a+b+c) mod 9 F 9 G9. Since we want to use the fact that the matrix G_9^3 is diagonal, we must express the values y = ( b+ a ) and x = (a + b + c)^{−1}, where (a + b + c)^{−1} is the multiplicative inverse of (a + b + c) mod 9, as multiples of 3 plus the residue modulo 3. Thus, we write y = ( b+ a ) = 3π_y + υ_y, υ_y < 3 and x = (a + b + c)^{−1} = 3π_3 + υ_3, υ_3 < 3. Notice that y ≡ ( b+ b mod 3 mod 3 ( b mod 3 and x ≡ (a+b+c) mod 3 (a+b+c) mod 3 b mod 3. The residue υ_y cannot be equal to 0, because then b ≡ 0 mod 3 (this is not possible since a ≡ 0 mod 3 and c ≡ 0 mod 3). So, the only possible values for υ_y are 1 and 2. If υ_y = then x ≡ mod 3 and if υ_y = then x ≡ mod 3. Considering these two cases, we can symbolically compute integer powers of the matrix G_9 and finally find the values of the matrix B_{[a,b,c],9}. Following the same reasoning, we can evaluate B_{[a,b,c],9} for the cases 3 | a, 3 ∤ c and 3 ∤ a.
The final step before the calculation of the function f (τ is the multiplication of the Σ matrix with B [a,b,c],9. In order to decide which of the two matrices to use (see Eq. (7 we must know the value of d mod 3. Notice that d = d [a,b,c] = 9d [a,b,c],8 8d [a,b,c],9. This means that the congruence of d mod 3 depends only on the value of d [a,b,c],9. From Eq. (5, we can compute d [a,b,c],9 and use the corresponding Σ matrix. For example, when 3 a and 3 c, d mod 3 d [a,b,c],9 mod 3 b mod 3. If b mod 3 =, then υ y = and if b mod 3 =, then υ y =. So, in every case we know with which Σ matrix we will multiply B [a,b,c],9. This finally leads us to the value of the f (τ function. Taking a more careful look at the f (τ function, we notice that it can be simplified into the following form: ζ 4d(π a π a π +4d (3d+υ R υ (τ if a mod 3 ζ 48d(π a+π a +π 6d+(3d ( υ R υ (τ if a mod 3 48dπ ζ +6d R (τ if a mod 3, υ =, c, mod 3 48dπ ζ 4d +(44d+υ f (τ = R 3d 6d 3+υ (τ if a mod 3, υ, c mod 3 ζ + ζ ζ 48dπ 4d +(44d υ ζ 3d + ζ 6d R 4 υ (τ if a mod 3, υ, c mod 3 ( d( υ y ζ 4d(π 3 π y 3 R ζ 3d + ζ 6d 5 (τ if a mod 3, c mod 3.

A numerical example: Suppose that we want to compute the Ramanujan polynomial for = 49. The quadratic forms that correspond to this value are [,, 3], [3, ±, 4], [9, ±7, 5], [5, ±3, 5] and [, ±9, 3]. For the quadratic form [,, 3] we have that d =, N(d =, a = mod 3 and υ =. The corresponding root t(τ [,,3] of the Ramanujan polynomial is equal to.36. For [3,, 4], we compute d = 3, N(d =, a mod 3, c mod 3 and υ =. The corresponding root is equal to i while for the quadratic form [3,, 4] is i. For [9, 7, 5], we compute d = 67, N(d =, a mod 3, c mod 3 and υ y =. The corresponding root is equal to i while for the quadratic form [9, 7, 5] is i.

For [5, 3, 5], we compute d = 5, N(d =, a mod 3, c mod 3 and υ =. The corresponding root is equal to i while for the quadratic form [5, 3, 5] is i. For [, 9, 3], we compute d =, N(d =, a mod 3, c mod 3 and υ =. The corresponding root is equal to i while for the quadratic form [, 9, 3] is i. Finally, the Ramanujan polynomial is calculated using the relation T 49 (x = τ (x t(τ and is equal to x 9 + x 8 + 6x 7 + x x 5 3x x 3 4x + 9x

3. Transformation of the roots

In order to use Ramanujan polynomials in the CM method, we must prove that they have roots modulo p and then find a transformation of their roots modulo p to the roots modulo p of the corresponding Hilbert polynomials. The following proposition proves that a Ramanujan polynomial with degree h has exactly h roots modulo p under certain conditions (which are satisfied in the CM method:

Proposition. A Ramanujan polynomial T (x with degree h has exactly h roots modulo p if and only if the equation 4p = u + v has integer solutions and p does not divide the discriminant (T of the polynomial.

Proof. Let H K be the Hilbert class field of the imaginary quadratic field K = Q(, and let O HK and O K be the rings of algebraic integers of H K and K respectively. Let p be a prime such that 4p = u + v has integer solutions. Then, according to [9, Th. 5.6], p splits completely in H K. Proposition 5.9 in [9] implies that (since t generates H K T (x has a root modulo p if and only if p splits in H K and does not divide its discriminant (T. But since O H K /F po p is Galois, T HK (x has not only one root modulo p, but h distinct roots modulo p.

We will present now a method for retrieving a root modulo p of the Hilbert polynomial H (x from a root modulo p of the corresponding Ramanujan polynomial T (x. Our aim is to find a transformation that maps a real root of the Ramanujan polynomial to a real root of the corresponding Hilbert polynomial.
Then, we can reduce this transformation modulo a prime ideal of the ring of integers of the Hilbert class field. In this way we see that the same transformation will transfer a root of the Ramanujan polynomial modulo p to a root of the Hilbert polynomial modulo p. We know that if l = (,, + is a 4 quadratic form (known as the principal form that corresponds to the root τ l = + i then j(τ l is a real root of the Hilbert polynomial H (x. The following lemma shows that the value t defined in Eq. (3 is a real root of the Ramanujan polynomial T (x.

Lemma 2. The value t is a real root of the Ramanujan polynomial T (x and is equal to t = 3R (τ l.

Proof. Set q = exp( π = exp(πiτ l, where τ l = + i. Then f (q = f ( exp(πiτ l = exp(πiτ l /4 η(τ l, f (q 3 = exp(πiτ l 3/4 η(3τ l, f (q /3 = exp(πiτ l 3 4 η ( τl 3. Taking Eq. (3 and all the above equations into consideration we can easily derive that t = 3R (τ l. If we could prove that t(τ l = 3R (τ l then it would immediately follow that t = t(τ l and thus it is a root of the Ramanujan polynomial. In order to compute the value t(τ l we will use Eq. ( from Theorem. Notice that the quadratic form that corresponds to τ l is equal to [a, b, c] = [,, + ]. Then, d 4 [a,b,c] =, N(d [a,b,c] =, a =, π a =, π a =, π = and υ =. Therefore, the value f (τ [a,b,c] = f (τ l = ζ 4d(π a π a π +5d R (τ l = R (τ l. Finally, observe that 3 = ζ 6 ζ 3. Indeed, the value i 3 can be expressed as a difference of two primitive 3-roots of unity, ζ 3, ζ 3, since ( i = ζ 8 and ζ 3 = ζ 4. Thus, using Theorem we have that t(τ l = 3R (τ l = t.

ζ 6d [a,b,c] ζ 3d [a,b,c] ( N(d [a,b,c] ( f τ [a,b,c] =
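As an added example (not code from the paper), the following Python program applies the root transformation that Lemma 3 below establishes, first over Q and then modulo p, which is the form the CM method actually uses. Because the digits of the displayed formulas are garbled in the extracted text, it assumes the transformation reads R_H = (R_T^6 − 27 R_T^(−6) − 6)^3 and the modular polynomial Φ_T(x, j) = (x^12 − 6x^6 − 27)^3 − j x^18 (the two readings agree with each other), and it uses D = 11 with H_11(x) = x + 32768 and T_11(x) = x − 1 (Ramanujan's t_11 = 1) as a constructed consistency check.

```python
"""
Added example, not code from the paper: carries a root of a Ramanujan class
polynomial T_D(x) to a root of the Hilbert polynomial H_D(x), over Q and then
modulo p, as Section 3 describes.

Assumption (digits are garbled in the extracted text): Lemma 3 is read as
    R_H = (R_T^6 - 27 R_T^(-6) - 6)^3
and the modular polynomial as
    Phi_T(x, j) = (x^12 - 6 x^6 - 27)^3 - j x^18.
Multiplying the first by R_T^18 gives the second, and the D = 11 check below
is consistent with both.
"""
from fractions import Fraction


def ramanujan_to_hilbert(t):
    """Map a real (here rational) root R_T of T_D(x) to R_H (Lemma 3 reading)."""
    t = Fraction(t)
    if t == 0:
        raise ValueError("R_T must be non-zero: the map uses R_T^-6")
    return (t ** 6 - 27 / t ** 6 - 6) ** 3


def modular_poly_T(x, j):
    """Phi_T(x, j); it vanishes exactly when j is the image of x under the map."""
    return (x ** 12 - 6 * x ** 6 - 27) ** 3 - j * x ** 18


def ramanujan_to_hilbert_mod_p(t, p):
    """The same map reduced modulo a prime p (R_T^-6 becomes an inverse mod p)."""
    t %= p
    if t == 0:
        raise ValueError("the root must be a unit modulo p")
    t6 = pow(t, 6, p)
    inv_t6 = pow(t6, -1, p)          # modular inverse (Python 3.8+)
    return pow((t6 - 27 * inv_t6 - 6) % p, 3, p)


def roots_mod_p(coeffs, p):
    """All roots in F_p of the polynomial with integer coefficients `coeffs`
    (highest degree first), by exhaustive evaluation with Horner's rule.
    Adequate for the small demonstration primes used here."""
    roots = []
    for x in range(p):
        acc = 0
        for c in coeffs:
            acc = (acc * x + c) % p
        if acc == 0:
            roots.append(x)
    return roots


def splits_completely(p, D):
    """Hypothesis of the proposition in Section 3: 4p = u^2 + D v^2 is solvable."""
    target = 4 * p
    v = 0
    while D * v * v <= target:
        rest = target - D * v * v
        u = int(round(rest ** 0.5))
        if u * u == rest:
            return True
        v += 1
    return False


# Constructed check for D = 11 (class number h = 1): H_11(x) = x + 32768, since
# j = -32768 = (-32)^3 is the standard value, and T_11(x) = x - 1 because
# Ramanujan's t_11 = 1.  These are the assumptions named in the lead-in, not
# values taken from this page.
HILBERT_11 = [1, 32768]
RAMANUJAN_11 = [1, -1]


def transfer_roots_11(p):
    """Roots of T_11 mod p, their images under the map, and roots of H_11 mod p."""
    t_roots = roots_mod_p(RAMANUJAN_11, p)
    images = [ramanujan_to_hilbert_mod_p(t, p) for t in t_roots]
    h_roots = roots_mod_p(HILBERT_11, p)
    return t_roots, images, h_roots


if __name__ == "__main__":
    # Over Q: t_11 = 1 maps to j = -32768, and Phi_T(1, -32768) = 0.
    print(ramanujan_to_hilbert(1), modular_poly_T(1, ramanujan_to_hilbert(1)))
    # Mod p for primes with 4p = u^2 + 11 v^2 (p = 3: 1 + 11; p = 31: 25 + 99):
    # the image of the root of T_11 is exactly the root of H_11.
    for p in (3, 31):
        print(p, splits_completely(p, 11), transfer_roots_11(p))
```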

Lemma 3. Suppose R T is a real root of a Ramanujan polynomial T (x. Then, the real number R H obtained from the equation R H = (R 6 T 7R 6 T 6 3 (3 is a real root of the corresponding Hilbert polynomial H (x.

Proof. Set R T = t and R H = j(τ l. Using Equations (4.4 and (4.5 from [3] it can be easily derived that h(e πiτ l /3 7h(e πiτ l /3 = γ (τ l + 6 where γ 3 (τ l = j(τ l and h(q = f ( q 3 qf 6 ( qf 6 ( q 9. (4 Thus, j(τ l = (h(e πiτ l /3 7h(e πiτ l /3 6 3 which means that we now have to find the relation between t and h(e πiτ l /3. Substituting q with e πiτ l /3 in Eq. (4 we have that h(e πiτ l /3 f = ( e πiτ l e πiτ l /3 f 6 ( e πiτ l /3 f 6 ( e 3(πiτ l. Noticing that q = exp( π = exp(πiτ l, and from Eq. (3, we derive that h(e πiτ l /3 = 7t 6 which completes the proof of the lemma.

The final step is to reduce Eq. (3 modulo p. The elements R H, R T are not in Z but are elements of the ring of algebraic integers O HK of the Hilbert class field and can be reduced modulo an ideal P extending the ideal pZ of Z. But the ideal pZ splits completely; therefore the Galois extension O H /P K is the trivial one, and O H K /P is the field F p. The argument above Z/pZ proves that Eq. (3 holds not only for the real roots of the polynomials but also for their roots modulo p. The interested reader is referred to [9,3,3] for definitions from algebraic number theory not given here. Using Eq. (3, we can easily derive the modular polynomial Φ T (x, j for Ramanujan polynomials. The polynomial is equal to Φ T (x, j = (x 6x jx 8. (5

4. Precision requirements for the construction of the polynomials

In this section we focus on the precision required for the construction of all previously mentioned polynomials. In order to compare them, we introduce the notion of logarithmic height for estimating the size of a polynomial.
For a polynomial g(x = n i= a ix i Z[x] its logarithmic height is defined as H(g = max log a i. i=,...,n The value H(g is actually the bit precision needed for performing all floating point computations in order to obtain the coefficients of the polynomial g(x. In the literature the efficiency of a class invariant (a root of a class polynomial is measured by the asymptotic ratio of the logarithmic height of a root of the Hilbert polynomial to a root of the class polynomial in question. The best known class invariant is the one used for the construction of Weber polynomials with (mod 3 and 3, 7 (mod 8. The roots of these Weber polynomials have logarithmic height that is asymptotically times smaller than the logarithmic height of the roots of the corresponding Hilbert polynomials. However, in practice we are not interested in the logarithmic height of the roots but in the logarithmic height of the polynomials, since the latter measures the precision required for the construction of the polynomials. In this section, we will show that these two heights coincide only if the class polynomial has degree equal to the degree of the corresponding Hilbert polynomial. For the construction of prime order elliptic curves, Weber class polynomials have degree three times larger than the degree of the Hilbert polynomials. We will show that in this case the logarithmic height of the Weber polynomials is asymptotically 4 = /3 times less than the logarithmic height of Hilbert polynomials and not. In what follows, it will be proved that even though the height of the Weber polynomials roots for 3 mod 8 is smaller than the height of the roots of Ramanujan s class polynomials, the precision requirements for the construction of the latter are smaller. 
Starting from Hilbert polynomials, a remarkably accurate estimation of their precision requirements in bits (and of their logarithmic height also was given in [3]: H-Prec( 33 + π ln τ α with the sum running over the same values of τ as the product in Eq. (. It will be shown in the rest of the section that on the basis of this estimation, we can derive estimations of the precision requirements of every class polynomial. Let f be a modular function such that f (τ for some τ Q( generates the Hilbert class field of Q(. The element f (τ is an algebraic integer, and let us denote by P f its minimal polynomial. For every modular function there is a polynomial Φ (called a modular polynomial such that Φ(f, j = where j is the modular function used in the construction of Hilbert polynomials. This polynomial equation is used in order to transform the roots of the minimal polynomial of a class invariant to the roots of the Hilbert polynomial. We have seen that in the cases of Weber, M,l (x and Ramanujan polynomials the degree in j of the modular polynomial is equal to while for M,p,p (x polynomials it is at least. Asymptotically, one can estimate the ratio of the logarithmic height h(j(τ of the algebraic integer j(τ to the logarithmic height h(f (τ of the algebraic integer f (τ. Namely, h(j(τ lim h(j(τ h(f (τ = deg f Φ(f, j = r(f, (6 deg j Φ(f, j where the limit is taken over all CM points SL (Zτ H [33]. A question that immediately arises is how Eq. (6 can be used for the estimation of the logarithmic height of the minimal polynomial P f. The following lemma gives an answer to this question by generalizing the result in [5] for every algebraic number which generates either the Hilbert class field or an extension of it.

Lemma 4. Suppose that H(P f is the logarithmic height of the minimal polynomial of the algebraic number f (τ and H(P j is the logarithmic height of the corresponding Hilbert polynomial. If f (τ generates the Hilbert class field then H(P j lim h(j(τ H(P f = deg f Φ(f, j = r(f. deg j Φ(f, j (7 If f (τ generates not the Hilbert class field but an algebraic extension of it with extension degree m, then H(P j lim h(j(τ H(P f = deg f Φ(f, j deg j Φ(f, j = r(f m.

Proof. The proof is based on the following bounds [, Th. 5.9]: k + kh(a H(P a k + kh(a where h(a is the logarithmic height of the algebraic integer a and k is the degree of its minimal polynomial P a. If f (τ generates the Hilbert class field then the degree of its minimal polynomial is equal to the degree of the corresponding Hilbert polynomial. Suppose that their degree is equal to k. Then, we have that k + kh(f (τ H(P f k + kh(f (τ (8 and k + kh(j(τ H(P j k + kh(j(τ. Thus, k + kh(j(τ k + kh(f (τ H(P j H(P f k + kh(j(τ k + kh(f (τ. Taking the limit h(j(τ we obtain that H(P j H(P f r(f. In the case where f (τ generates an algebraic extension of the Hilbert class field, we similarly have that H(P j H(P f r(f m where m is the degree of the extension. This is easily derived from the fact that the degree of the minimal polynomial P f is m times larger than the degree of the corresponding Hilbert polynomial and Eq. (8 becomes mk + mkh(f (τ H(P f mk + mkh(f (τ. (9 Thus, k + kh(j(τ mk + mkh(f (τ H(P j H(P f k + kh(j(τ mk + mkh(f (τ. (

Let K be a number field, α K be an algebraic number and M K be the set of absolute values on K. Following the notation of [, VIII], the absolute logarithmic height of an element α K is defined as h(α = [K:Q] log max{ α v M K v, }.

Table 1. Precision estimations for (mod 3.
  7 (mod 8: ln τ α
  3 (mod 8: 4 ln τ α
  /4 ,, 6 (mod 8: 36 ln τ α
  /4 5 (mod 8: 8 ln τ α

Table 2. Precision estimations for (mod 3.
  7 (mod 8: 4 ln τ α
  3 (mod 8: 8 ln τ α
  /4 ,, 6 (mod 8: ln τ α
  /4 5 (mod 8: 6 ln τ α

Table 3. Precision estimations for M,l (x, M,p,p (x and T (x polynomials.
  M,3 (x: 4 ln τ α
  M,5 (x: 6 ln τ α
  M,7 (x: 8 ln τ α
  M,3 (x: 4 ln τ α
  M,5,7 (x: 4 ln τ α
  M,3,3 (x: 8 ln τ α
  T (x: 36 ln τ α

Eqs. (9 and ( relate the precision required for the construction of Hilbert polynomials to the precision needed for other classes of polynomials. Estimating the height H(P j of Hilbert polynomials with the quantity π ln τ α, we can derive the precision requirements for the construction of every class polynomial by the equation m π r(f ln τ α, where m is either or larger. Obviously, we want to find class invariants f (τ such that the ratio r(f is as big as possible. However, there is a limit on the ratio r(f. It is known [34] that r(f 8/7 and if the Selberg eigenvalue conjecture in [35] holds then r(f 96. As regards Weber polynomials, when 3 (mod 8 their degree is three times larger than the degree of the corresponding Hilbert polynomials. Therefore, for this case of, the estimation of the precision requirements will be approximately 3 r(f π ln τ α. Concluding, estimations of the precision requirements of Weber polynomials are given in Tables 1 and 2 (these estimations can be derived from the definition of the corresponding class invariants, e.g. in [7]. Again on the basis of Eq. (7, it can be concluded that the precision required for the construction of the M,l (x polynomials is approximately π (l+ ln τ α and for M,p,p (x polynomials it is approximately (p (p π (p +(p + ln τ α where the sum runs over the same values of τ as the product in Eq. ( [5]. Thus, it is equal to 8 ln τ α for M,3,3 (x polynomials and to 4 ln τ α for M,5,7(x polynomials. Finally, in order to find an estimation for the precision requirements of Ramanujan polynomials, we use Eqs. (7 and (5. We readily conclude that the precision required for the construction of the Ramanujan polynomials is approximately 36 ln τ α. The above precision estimations are summarized in Table 3.

5. Implementation and experimental results

In this section, we discuss some issues regarding the construction of the Weber, M,l (x, M,p,p (x and Ramanujan polynomials. All implementations and experiments were made in Pari.3. [36] compiled with the GMP-4.. kernel [37] and have been carried out on a double GHz Xeon machine running Linux.6.9- and equipped with Gb of main memory.

Fig. Bit precision for the construction of all polynomials.

Table 4. Precision requirements (in bits for the computation of M,3 (x, Weber, M,5,7 (x, M,3,3 (x and Ramanujan polynomials.
  h M,3 (x Weber M,5,7 (x M,3,3 (x Ramanujan

Comparing polynomials for 3 mod 8

In Fig. we report on the precision needed for the construction of all polynomials for various values of 3 mod 8. These values are used when the CM method is applied for the generation of prime order ECs. In the left figure, we examine the precision requirements of Ramanujan, Weber ( (mod 3 and M,l (x polynomials for all values of l. The values of range from 383 to 6463 while the degree h ranges from 3 to 48. We noticed that, as the theory dictates, the precision required for the construction of Ramanujan polynomials is much less than the precision required for the construction of Weber and M,l (x polynomials for all values of that we examined. Weber polynomials require less precision than M,l (x polynomials, while among them M,3 (x polynomials require the least precision. Examining larger values of the discriminant and adding M,3,3 (x and M,5,7 (x polynomials in our comparison, we show (Fig. (right that Ramanujan polynomials are constructed more efficiently than all other polynomials. M,3,3 (x polynomials require less precision than M,5,7 (x polynomials which are constructed more efficiently than Weber polynomials. In this figure, we examined all values of from 8499 to using a step of 84. The degree h of the polynomials constructed (for these values of ranges from 88 to 74. Summarizing the results of our experiments, we see that Ramanujan polynomials surpass M,3 (x, Weber, M,5,7 (x and M,3,3 (x polynomials as they require on average 66%, 4%, 3% and % less precision respectively. Table 4 shows this difference by presenting the exact bit precision needed for the construction of the polynomials for several values of.
Comparing the number of bits for the storage of all classes of polynomials, it is clear that the memory required for the storage of the Ramanujan polynomials is smaller than the memory needed for the storage of the other three classes of polynomials. The percentages are the same as in the precision requirements of the polynomials with one exception: Weber polynomials. Notice that the degree of Weber polynomials is 3h and thus the memory used for the storage of Ramanujan polynomials is not just 4% (like the precision requirements less than the corresponding memory needed for the Weber polynomials but approximately 8% less! This means that as regards the storage requirements of all polynomials, Weber polynomials are by far the worst choice. In Table 5 we present the memory in MB needed for the storage of all classes of polynomials for a few values of.

The differences in efficiency of construction for all classes of polynomials can be easily understood by noticing the size of polynomials for a small value of, namely = 99. Even though this is a small value for the discriminant, the difference in size of the coefficients of the polynomials is remarkable. In particular, 5 bits are required for the storage of the coefficients of the T 99 (x polynomial, 88 bits for the storage of the W 99 (x polynomial, bits for the M 99,3 (x polynomial, 3 bits for M 99,3,3 (x and 3 bits for M 99,5,7 (x.

W 99 (x = x 4 8x 3 x 8x 56x 4x x x 7 + 6x 6 x 5 4x 4 46x 3 3x + 56x + 74x + 83x x 8 384x 7 79x 6 8x 5 56x 4 + 8x x + 5x + 56

M 99,3 (x = x x x x x x x x

M 99,5,7 (x = x 8 8x 7 + 3x 6 x 5 + 8x 4 x 3 9x + 8x


More information

Chapter 4 Finite Fields

Chapter 4 Finite Fields Chapter 4 Finite Fields Introduction will now introduce finite fields of increasing importance in cryptography AES, Elliptic Curve, IDEA, Public Key concern operations on numbers what constitutes a number

More information

Some algebraic number theory and the reciprocity map

Some algebraic number theory and the reciprocity map Some algebraic number theory and the reciprocity map Ervin Thiagalingam September 28, 2015 Motivation In Weinstein s paper, the main problem is to find a rule (reciprocity law) for when an irreducible

More information

ECEN 5022 Cryptography

ECEN 5022 Cryptography Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,

More information

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time. 8 Modular Arithmetic We introduce an operator mod. Let d be a positive integer. For c a nonnegative integer, the value c mod d is the remainder when c is divided by d. For example, c mod d = 0 if and only

More information

Modular forms and the Hilbert class field

Modular forms and the Hilbert class field Modular forms and the Hilbert class field Vladislav Vladilenov Petkov VIGRE 2009, Department of Mathematics University of Chicago Abstract The current article studies the relation between the j invariant

More information

COUNTING MOD l SOLUTIONS VIA MODULAR FORMS

COUNTING MOD l SOLUTIONS VIA MODULAR FORMS COUNTING MOD l SOLUTIONS VIA MODULAR FORMS EDRAY GOINS AND L. J. P. KILFORD Abstract. [Something here] Contents 1. Introduction 1. Galois Representations as Generating Functions 1.1. Permutation Representation

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 21 November 15, 2017 CPSC 467, Lecture 21 1/31 Secure Random Sequence Generators Pseudorandom sequence generators Looking random

More information

PARITY RESULTS FOR BROKEN k DIAMOND PARTITIONS AND (2k + 1) CORES

PARITY RESULTS FOR BROKEN k DIAMOND PARTITIONS AND (2k + 1) CORES PARITY RESULTS FOR BROKEN k DIAMOND PARTITIONS AND 2k + CORES SILVIU RADU AND JAMES A. SELLERS Abstract. In this paper we prove several new parity results for broken k-diamond partitions introduced in

More information

Introduction to Elliptic Curves

Introduction to Elliptic Curves IAS/Park City Mathematics Series Volume XX, XXXX Introduction to Elliptic Curves Alice Silverberg Introduction Why study elliptic curves? Solving equations is a classical problem with a long history. Starting

More information

Constructing Abelian Varieties for Pairing-Based Cryptography

Constructing Abelian Varieties for Pairing-Based Cryptography for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers

More information

Lecture Notes. Advanced Discrete Structures COT S

Lecture Notes. Advanced Discrete Structures COT S Lecture Notes Advanced Discrete Structures COT 4115.001 S15 2015-01-13 Recap Divisibility Prime Number Theorem Euclid s Lemma Fundamental Theorem of Arithmetic Euclidean Algorithm Basic Notions - Section

More information

Computing the modular equation

Computing the modular equation Computing the modular equation Andrew V. Sutherland (MIT) Barcelona-Boston-Tokyo Number Theory Seminar in Memory of Fumiyuki Momose Andrew V. Sutherland (MIT) Computing the modular equation 1 of 8 The

More information

A Guide to Arithmetic

A Guide to Arithmetic A Guide to Arithmetic Robin Chapman August 5, 1994 These notes give a very brief resumé of my number theory course. Proofs and examples are omitted. Any suggestions for improvements will be gratefully

More information

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013

Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013 18.782 Introduction to Arithmetic Geometry Fall 2013 Lecture #23 11/26/2013 As usual, a curve is a smooth projective (geometrically irreducible) variety of dimension one and k is a perfect field. 23.1

More information

NOTES ON FINITE FIELDS

NOTES ON FINITE FIELDS NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining

More information

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Curves, Cryptography, and Primes of the Form x 2 + y 2 D Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.

More information

Counting points on genus 2 curves over finite

Counting points on genus 2 curves over finite Counting points on genus 2 curves over finite fields Chloe Martindale May 11, 2017 These notes are from a talk given in the Number Theory Seminar at the Fourier Institute, Grenoble, France, on 04/05/2017.

More information

Fast, twist-secure elliptic curve cryptography from Q-curves

Fast, twist-secure elliptic curve cryptography from Q-curves Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,

More information

Abstracts of papers. Amod Agashe

Abstracts of papers. Amod Agashe Abstracts of papers Amod Agashe In this document, I have assembled the abstracts of my work so far. All of the papers mentioned below are available at http://www.math.fsu.edu/~agashe/math.html 1) On invisible

More information

LECTURE 2 FRANZ LEMMERMEYER

LECTURE 2 FRANZ LEMMERMEYER LECTURE 2 FRANZ LEMMERMEYER Last time we have seen that the proof of Fermat s Last Theorem for the exponent 4 provides us with two elliptic curves (y 2 = x 3 + x and y 2 = x 3 4x) in the guise of the quartic

More information

Dirichlet Characters. Chapter 4

Dirichlet Characters. Chapter 4 Chapter 4 Dirichlet Characters In this chapter we develop a systematic theory for computing with Dirichlet characters, which are extremely important to computations with modular forms for (at least) two

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively

More information

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald) 1 Euclid s Algorithm Euclid s Algorithm for computing the greatest common divisor belongs to the oldest known computing procedures

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

1 Overview and revision

1 Overview and revision MTH6128 Number Theory Notes 1 Spring 2018 1 Overview and revision In this section we will meet some of the concerns of Number Theory, and have a brief revision of some of the relevant material from Introduction

More information

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux

Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Computing modular polynomials in dimension 2 ECC 2015, Bordeaux Enea Milio 29/09/2015 Enea Milio Computing modular polynomials 29/09/2015 1 / 49 Computing modular polynomials 1 Dimension 1 : elliptic curves

More information

Short proofs of the universality of certain diagonal quadratic forms

Short proofs of the universality of certain diagonal quadratic forms Arch. Math. 91 (008), 44 48 c 008 Birkhäuser Verlag Basel/Switzerland 0003/889X/010044-5, published online 008-06-5 DOI 10.1007/s00013-008-637-5 Archiv der Mathematik Short proofs of the universality of

More information

Rational Points on Conics, and Local-Global Relations in Number Theory

Rational Points on Conics, and Local-Global Relations in Number Theory Rational Points on Conics, and Local-Global Relations in Number Theory Joseph Lipman Purdue University Department of Mathematics lipman@math.purdue.edu http://www.math.purdue.edu/ lipman November 26, 2007

More information

Basic Algorithms in Number Theory

Basic Algorithms in Number Theory Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms

More information

TC10 / 3. Finite fields S. Xambó

TC10 / 3. Finite fields S. Xambó TC10 / 3. Finite fields S. Xambó The ring Construction of finite fields The Frobenius automorphism Splitting field of a polynomial Structure of the multiplicative group of a finite field Structure of the

More information

Constructing Families of Pairing-Friendly Elliptic Curves

Constructing Families of Pairing-Friendly Elliptic Curves Constructing Families of Pairing-Friendly Elliptic Curves David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-155 August 24, 2005* cryptography, pairings, elliptic curves, embedding

More information

An Additive Characterization of Fibers of Characters on F p

An Additive Characterization of Fibers of Characters on F p An Additive Characterization of Fibers of Characters on F p Chris Monico Texas Tech University Lubbock, TX c.monico@ttu.edu Michele Elia Politecnico di Torino Torino, Italy elia@polito.it January 30, 2009

More information

Congruent Number Problem and Elliptic curves

Congruent Number Problem and Elliptic curves Congruent Number Problem and Elliptic curves December 12, 2010 Contents 1 Congruent Number problem 2 1.1 1 is not a congruent number.................................. 2 2 Certain Elliptic Curves 4 3 Using

More information

Mathematics of Cryptography

Mathematics of Cryptography UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms

More information

A. Algebra and Number Theory

A. Algebra and Number Theory A. Algebra and Number Theory Public-key cryptosystems are based on modular arithmetic. In this section, we summarize the concepts and results from algebra and number theory which are necessary for an understanding

More information

LEGENDRE S THEOREM, LEGRANGE S DESCENT

LEGENDRE S THEOREM, LEGRANGE S DESCENT LEGENDRE S THEOREM, LEGRANGE S DESCENT SUPPLEMENT FOR MATH 370: NUMBER THEORY Abstract. Legendre gave simple necessary and sufficient conditions for the solvablility of the diophantine equation ax 2 +

More information

arxiv: v1 [math.nt] 2 Jul 2009

arxiv: v1 [math.nt] 2 Jul 2009 About certain prime numbers Diana Savin Ovidius University, Constanţa, Romania arxiv:0907.0315v1 [math.nt] 2 Jul 2009 ABSTRACT We give a necessary condition for the existence of solutions of the Diophantine

More information

Projects on elliptic curves and modular forms

Projects on elliptic curves and modular forms Projects on elliptic curves and modular forms Math 480, Spring 2010 In the following are 11 projects for this course. Some of the projects are rather ambitious and may very well be the topic of a master

More information

Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography

Application of Explicit Hilbert s Pairing to Constructive Class Field Theory and Cryptography Applied Mathematical Sciences, Vol. 10, 2016, no. 45, 2205-2213 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ams.2016.64149 Application of Explicit Hilbert s Pairing to Constructive Class Field

More information

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2

Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 q) December Summary 2 Security Level of Cryptography Integer Factoring Problem (Factoring N = p 2 ) December 2001 Contents Summary 2 Detailed Evaluation 3 1 The Elliptic Curve Method 3 1.1 The ECM applied to N = p d............................

More information

Cover Page. The handle holds various files of this Leiden University dissertation

Cover Page. The handle   holds various files of this Leiden University dissertation Cover Page The handle http://hdl.handle.net/1887/37019 holds various files of this Leiden University dissertation Author: Brau Avila, Julio Title: Galois representations of elliptic curves and abelian

More information

Don Zagier s work on singular moduli

Don Zagier s work on singular moduli Don Zagier s work on singular moduli Benedict Gross Harvard University June, 2011 Don in 1976 The orbit space SL 2 (Z)\H has the structure a Riemann surface, isomorphic to the complex plane C. We can fix

More information

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography

IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography IEEE P1363 / D13 (Draft Version 13). Standard Specifications for Public Key Cryptography Annex A (Informative). Number-Theoretic Background. Copyright 1999 by the Institute of Electrical and Electronics

More information

Hecke Operators for Arithmetic Groups via Cell Complexes. Mark McConnell. Center for Communications Research, Princeton

Hecke Operators for Arithmetic Groups via Cell Complexes. Mark McConnell. Center for Communications Research, Princeton Hecke Operators for Arithmetic Groups via Cell Complexes 1 Hecke Operators for Arithmetic Groups via Cell Complexes Mark McConnell Center for Communications Research, Princeton Hecke Operators for Arithmetic

More information

Introduction to Arithmetic Geometry

Introduction to Arithmetic Geometry Introduction to Arithmetic Geometry 18.782 Andrew V. Sutherland September 5, 2013 What is arithmetic geometry? Arithmetic geometry applies the techniques of algebraic geometry to problems in number theory

More information

Computing modular polynomials with the Chinese Remainder Theorem

Computing modular polynomials with the Chinese Remainder Theorem Computing modular polynomials with the Chinese Remainder Theorem Andrew V. Sutherland Massachusetts Institute of Technology ECC 009 Reinier Bröker Kristin Lauter Andrew V. Sutherland (MIT) Computing modular

More information

The Kronecker-Weber Theorem

The Kronecker-Weber Theorem The Kronecker-Weber Theorem November 30, 2007 Let us begin with the local statement. Theorem 1 Let K/Q p be an abelian extension. Then K is contained in a cyclotomic extension of Q p. Proof: We give the

More information

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by SUBGROUPS OF CYCLIC GROUPS KEITH CONRAD 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by g = {g k : k Z}. If G = g, then G itself is cyclic, with g as a generator. Examples

More information

On the equality case of the Ramanujan Conjecture for Hilbert modular forms

On the equality case of the Ramanujan Conjecture for Hilbert modular forms On the equality case of the Ramanujan Conjecture for Hilbert modular forms Liubomir Chiriac Abstract The generalized Ramanujan Conjecture for unitary cuspidal automorphic representations π on GL 2 posits

More information

Arithmetic Progressions Over Quadratic Fields

Arithmetic Progressions Over Quadratic Fields Arithmetic Progressions Over Quadratic Fields Alexander Diaz, Zachary Flores, Markus Vasquez July 2010 Abstract In 1640 Pierre De Fermat proposed to Bernard Frenicle de Bessy the problem of showing that

More information

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2)

GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) GALOIS GROUPS OF CUBICS AND QUARTICS (NOT IN CHARACTERISTIC 2) KEITH CONRAD We will describe a procedure for figuring out the Galois groups of separable irreducible polynomials in degrees 3 and 4 over

More information

Elliptic Curves as Complex Tori

Elliptic Curves as Complex Tori Elliptic Curves as Complex Tori Theo Coyne June 20, 207 Misc. Prerequisites For an elliptic curve E given by Y 2 Z = X 2 + axz 2 + bz 3, we define its j- invariant to be j(e = 728(4a3 4a 3 +27b. Two elliptic

More information

CHAPTER 3. Congruences. Congruence: definitions and properties

CHAPTER 3. Congruences. Congruence: definitions and properties CHAPTER 3 Congruences Part V of PJE Congruence: definitions and properties Definition. (PJE definition 19.1.1) Let m > 0 be an integer. Integers a and b are congruent modulo m if m divides a b. We write

More information

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography

IEEE P1363 / D9 (Draft Version 9). Standard Specifications for Public Key Cryptography IEEE P1363 / D9 (Draft Version 9) Standard Specifications for Public Key Cryptography Annex A (informative) Number-Theoretic Background Copyright 1997,1998,1999 by the Institute of Electrical and Electronics

More information