ELLIPTIC CURVES AND INTEGER FACTORIZATION
HAORU LIU

Abstract. Elliptic curves are a class of cubic curves over fields which can be endowed with an algebraic structure. They are particularly useful in number theory due to their properties over finite fields. In this paper, we outline basic properties of elliptic curves and fundamental ideas in factorization, followed by a description of H. W. Lenstra's elliptic curve factorization algorithm and an analysis of its running time.

Contents
1. Elliptic curves and the chord-tangent group law
2. Algebraic group factorization methods
3. The elliptic curve method
3.1. Running time
Acknowledgements
References

1. Elliptic curves and the chord-tangent group law

Definition 1.1. The projective plane $\mathbb{P}^2(F)$ over a field $F$ is the set of ordered triples $(w,x,y) \in F^3$ other than the origin, along with the equivalence relation $(w,x,y) \sim (w',x',y')$ if there exists some nonzero $k \in F$ such that $w' = kw$, $x' = kx$, and $y' = ky$.

Definition 1.2. The line at infinity in $\mathbb{P}^2$ is the set of solutions to the equation $w = 0$.

Geometrically, the projective plane can be seen as the set of all lines through the origin in $F^3$. It is identical to the familiar plane $F^2$ with the addition of a line at infinity, as to each point $(w,x,y)$ in $\mathbb{P}^2$ with $w \ne 0$ we can associate the point $(x/w, y/w)$ in $F^2$, by noting that $(w,x,y) \sim (1, x/w, y/w)$.

Definition 1.3. An elliptic curve in the projective plane over some field $F$ is the set of points satisfying an equation of the form
$$ w y^2 + a_1 w x y + a_3 w^2 y = x^3 + a_2 w x^2 + a_4 w^2 x + a_6 w^3 $$
with coefficients in $F$, where the equation cannot be factored over $F$ and where any line through any point on the curve intersects the curve no less than twice. Such a curve is also referred to as a nonsingular cubic.

Setting $w = 0$ in the above definition, we have that $x^3 = 0$, so $x = 0$. Since the value of the $y$-coordinate may be freely chosen due to the equivalence relation, we denote this single point at infinity by $O$, with the coordinates $(0,0,1)$.

Date: August 0, 0.
Applying the above projection into $F^2$ and assuming that we are not at infinity, we obtain the formula
$$ y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 $$
for an elliptic curve.

Definition 1.4. The chord-tangent composition of two points $P$ and $Q$ on an elliptic curve $E$ is denoted by $PQ$ and is defined as the third point of intersection of the line through $P$ and $Q$ with $E$. If $P$ and $Q$ are the same point, the line through them is the tangent to the curve at $P$.

The point $PQ$ determined by this definition is easily shown to exist and may be found through algebraic manipulation of the elliptic curve equation. Its coordinates can be expressed in terms of the coordinates of $P$ and $Q$ and the coefficients of $E$.

It is useful to take note of a geometric special case. When one of the points involved is $O$, we must use the projective form of the line, given by $aw + bx + cy = 0$. If we have $O = (0,0,1)$ and $P = (\alpha,\beta,\gamma)$, we must have $c = 0$. Then, assuming that $w \ne 0$, we can normalize the non-projective equation of the line to read $a + bx = 0$, or $x = -a/b = \beta$. Thus, the line is simply the vertical line through $P$.

Proposition 1.5. An elliptic curve over a field not of characteristic $2$ or $3$ may be expressed as the set of solutions to an equation of the form
$$ y^2 = x^3 + c_1 x + c_2. $$

Proof. Let the nonsingular cubic be represented by the equation presented above in 1.3. Let $y' = y + (a_1 x + a_3)/2$ and $x' = x$. Under this change of variables, the equation takes the form
$$ (1.6)\quad (y')^2 = (x')^3 + \frac{b_2}{4}(x')^2 + \frac{b_4}{2}\,x' + \frac{b_6}{4}, $$
where $b_2 = a_1^2 + 4a_2$, $b_4 = a_1 a_3 + 2a_4$, and $b_6 = a_3^2 + 4a_6$. Then, let $y'' = y'$ and $x'' = x' + b_2/12$. Applying this change of variables, the equation becomes
$$ (1.7)\quad (y'')^2 = (x'')^3 - \frac{c_4}{48}\,x'' - \frac{c_6}{864}, $$
where $c_4 = b_2^2 - 24 b_4$ and $c_6 = -b_2^3 + 36 b_2 b_4 - 216 b_6$.

If we have an equation in this form, it is reasonable to ask whether it represents an elliptic curve. Through analytic methods, one may determine that the curve $y^2 = x^3 + c_1 x + c_2$ is nonsingular if and only if $4c_1^3 + 27c_2^2 \ne 0$.

Proposition 1.8. The chord-tangent group law on an elliptic curve $E$ is defined as the relation $P + Q = O(PQ)$, the composition of $O$ with $PQ$. This group law, together with the locus of points of $E$ over a field $F$, forms an abelian group.

Proof. Through algebraic manipulations similar to those for the chord-tangent composition, we can arrive at a formula for the point $P + Q$ given the equation of $E$ and the coordinates of $P$ and $Q$. Commutativity is inherited from the commutativity of the chord-tangent composition. The identity element of this group is $O$: examining $O(OP)$, if we draw the vertical line through $P$, it intersects $E$ at $O$, $P$, and $OP$, so it is immediately clear that $O(OP) = P$. The existence of inverses is also clear: for any point $P$, let $-P = OP$. Then $P + (-P) = O(P(OP))$. The line through $P$ and $OP$ is a vertical line which intersects the curve at $O$, and so $O(P(OP)) = OO = O$. Finally, the associativity of this group law may be proven by examining the intersections of cubic curves in $\mathbb{P}^2$, though the detailed proof is outside the scope of this paper and may be found in [1].
However, it should be noted that the chord-tangent composition itself is not associative, as $O(OP) = P$ while $(OO)P = OP$.

Remark 1.9. For two points $(x_1,y_1)$, $(x_2,y_2)$ on an elliptic curve given by $y^2 = x^3 + c_1 x + c_2$, the sum $(x_3,y_3)$ of the two points is the following. Let
$$ \lambda = \begin{cases} \dfrac{3x_1^2 + c_1}{2y_1} & \text{when } x_1 = x_2 \text{ and } y_1 = y_2, \\[1ex] \dfrac{y_2 - y_1}{x_2 - x_1} & \text{otherwise.} \end{cases} $$
Then, we have
$$ (1.10)\quad x_3 = \lambda^2 - x_1 - x_2, $$
$$ (1.11)\quad y_3 = -y_1 + \lambda(x_1 - x_3). $$

2. Algebraic group factorization methods

We now digress from the topic of elliptic curves to present the basic idea behind Lenstra's factorization algorithm. Lenstra's algorithm is part of a family of factorization algorithms known as the $p-1$ family, named after the original $p-1$ method discovered by Pollard. We first present this method as an introduction to the idea behind the Lenstra algorithm.

Fix $N$ as the number that we wish to factor. Assume that it is composite, as we may determine whether $N$ is prime beforehand using dedicated primality tests. We start with a few definitions to establish the groups that we will be working with.

Definition 2.1. Define $G(n)$ for $n \in \mathbb{N}$ to be the multiplicative group of integers modulo $n$. This group consists of the integers less than $n$ which are coprime to $n$, with the operation of multiplication modulo $n$.

We will be mostly concerned with the groups $G(p)$, where $p$ is a prime divisor of $N$. While we do not know what the $p$ are, we can still work with these groups through the following maps.

Definition 2.2. Let $p$ be any prime divisor of $N$. Define the map $\beta_p : G(N) \to G(p)$ to be reduction modulo $p$. That is, for any $n \in G(N)$, $n$ maps to $n \pmod p$ in $G(p)$.

We should first note that this map is a homomorphism, as this property is what makes the $p-1$ algorithm possible. We now give a definition of what it means for a number to be "nice" in the context of factorization, as this property allows us to construct a number that eliminates the need to know the actual prime factors of $N$.

Definition 2.3. Fix $B \in \mathbb{N}$. If the prime factorization of some integer $n$ is $p_1^{k_1} p_2^{k_2} \cdots p_l^{k_l}$, then $n$ is $B$-powersmooth if
$$ (2.4)\quad \max_{1 \le i \le l} p_i^{k_i} \le B. $$

The property of $B$-powersmoothness is particularly important when applied to the orders of the groups that we will be working with. If the order of some $G(p)$ is $B$-powersmooth, then we may construct a number $Q(B)$ defined as
$$ (2.5)\quad Q(B) = \prod_{p \le B} p^{\max\{k \in \mathbb{N} \,:\, p^k \le B\}} $$
such that $Q(B)$ is a multiple of $p-1$. This is useful, as $Q(B)$ is totally independent of $p$, as long as we make the assumption that there is some prime divisor $p$ of $N$ such that $p-1$ is $B$-powersmooth.

We shall now describe the steps involved in the $p-1$ algorithm. Fix positive integers $N$ and $B$. Then, find some element $a \in G(N)$ ($2$ usually serves as a good choice). Now, compute $a^{Q(B)}$. Since we have assumed that there is some $p \mid N$ such that $p-1$ is $B$-powersmooth, we have that $\beta_p(a^{Q(B)}) = \beta_p(a)^{Q(B)} = 1$, as the order of $G(p)$ divides $Q(B)$. However, since $\beta_p$ is simply reduction modulo $p$, this means that $a^{Q(B)} - 1$ is a multiple of $p$. This guarantees that $\gcd(a^{Q(B)} - 1, N) > 1$, and thus we have found a factor of $N$.

There are still a few ways that this could go wrong. First, our $B$ could be chosen too small, so that no $p \mid N$ has $p-1$ $B$-powersmooth. This is illustrated by the following example.

Example 2.6. Let $N = 34547$ and let $B = 5$. Computing $Q(B)$ from (2.5), we have $Q(5) = 2^2 \cdot 3 \cdot 5 = 60$. Since $N$ is obviously odd, choose $a = 2$. In $G(34547)$, computing $a^{Q(B)}$ and then $\gcd(a^{Q(B)} - 1, 34547)$, we get $1$. This happened since $34547 = 179 \cdot 193$, and neither $178$ nor $192$ is $5$-powersmooth.

The other way that this could go wrong is choosing $B$ too large, so that every prime factor is caught at once and the gcd is $N$ itself. In normal circumstances this would not be a problem, as we are limited by the running time of the program. However, it is still theoretically possible if $N$ is a sufficiently smooth number.

As a final example, we shall factor $34547$ successfully with the $p-1$ method, this time taking $B = 86$. In this case, $Q(B)$ is a 37-digit number which will be omitted for the sake of space. Computing $a^{Q(B)}$ and then $\gcd(a^{Q(B)} - 1, 34547)$, we obtain $193$, and we are done.

In summary, the algorithm works by first associating to every $n \mid N$ a group $G(n)$, along with homomorphisms from $G(N)$ to each $G(p)$, where $p$ is a prime divisor of $N$. Then, we attempt to find a nontrivial element in the kernel of one of the homomorphisms, so that the element, together with the structure of the group, leads us to a divisor of $N$.
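The $p-1$ round just described, written out as an added example (this is not code from the paper). `Q(B)` is built exactly as in (2.5), `is_powersmooth` checks Definition 2.3, and the driver reproduces Example 2.6 on $N = 34547$ with $B = 5$ and $B = 86$; the third bound $B = 100$, which catches both prime factors at once and so returns $N$ itself, is my own addition to show the "B too large" case. Function names are mine.

```python
# Added example (not from the paper): Pollard's p-1 method as section 2
# describes it, with Q(B) built from definition (2.5).
from math import gcd


def is_prime(n):
    """Trial division; adequate for the small smoothness bounds B used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def Q(B):
    """Q(B) = prod_{p <= B} p^{max{k : p^k <= B}}   (equation (2.5))."""
    q = 1
    for p in range(2, B + 1):
        if is_prime(p):
            pk = p
            while pk * p <= B:      # largest power of p not exceeding B
                pk *= p
            q *= pk
    return q


def is_powersmooth(n, B):
    """Definition 2.3: every prime power p^k exactly dividing n satisfies p^k <= B."""
    d = 2
    while d * d <= n:
        if n % d == 0:
            pk = 1
            while n % d == 0:
                n //= d
                pk *= d
            if pk > B:
                return False
        d += 1
    return n <= B                   # n is now 1 or the last (largest) prime factor


def pollard_p_minus_1(N, B, a=2):
    """One round of the p-1 method: return gcd(a^{Q(B)} - 1, N).

    1 means no prime p | N has p-1 B-powersmooth (B too small); N means every
    prime factor was caught at once (B too large); anything in between is a
    nontrivial factor of N.
    """
    return gcd(pow(a, Q(B), N) - 1, N)


if __name__ == "__main__":
    N = 34547                       # = 179 * 193, the paper's Example 2.6
    for B in (5, 86, 100):
        print(f"B={B:3d}  Q(B) has {len(str(Q(B)))} digits  "
              f"gcd(2^Q(B) - 1, N) = {pollard_p_minus_1(N, B)}")
```

With $B = 5$ the gcd is $1$ (neither $178 = 2 \cdot 89$ nor $192 = 2^6 \cdot 3$ is $5$-powersmooth), with $B = 86$ it is $193$ (since $192$ is $86$-powersmooth but $89 > 86$), and with $B = 100$ both $178$ and $192$ divide $Q(100)$, so the gcd collapses to $N$.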
We will see a similar process followed in the elliptic curve method.

3. The elliptic curve method

Before we begin to describe the elliptic curve method in detail, we first need a few properties of elliptic curves over fields other than $\mathbb{R}$ and $\mathbb{Q}$.

Notation 3.1. For any prime $p$, let $\mathbb{F}_p$ denote the field consisting of the integers $\{0, 1, \ldots, p-1\}$ under the operations of addition and multiplication modulo $p$.

Definition 3.2. Let $P$ be the set of points $(w,x,y)$, where $w,x,y \in \mathbb{Z}/n\mathbb{Z}$ and $\gcd(w,x,y,n) = 1$. Let two points $(w,x,y)$, $(w',x',y')$ of $P$ be equivalent if $(w,x,y) = (aw', ax', ay')$ for some invertible $a \in \mathbb{Z}/n\mathbb{Z}$. The projective plane $\mathbb{P}^2(\mathbb{Z}/n\mathbb{Z})$ over the ring $\mathbb{Z}/n\mathbb{Z}$ is defined as the set of equivalence classes on $P$.

Note that if $n$ is prime, we recover the usual definition of the projective plane over a field. In that case, we have a decomposition
$$ (3.3)\quad \mathbb{P}^2(\mathbb{Z}/p\mathbb{Z}) = (\mathbb{Z}/p\mathbb{Z})^2 \cup \{(w,x,y) : w = 0\} $$
by identifying the points where $w \ne 0$ with the representative of their equivalence class where $w = 1$. We will refer to the $(\mathbb{Z}/p\mathbb{Z})^2$ part of the decomposition as the affine part, for the simple reason that points there can be represented as points on the affine plane.

However, if we are working in $\mathbb{Z}/N\mathbb{Z}$ for some composite $N$, there will exist nonzero non-invertible elements. Thus, the decomposition
$$ (3.4)\quad \mathbb{P}^2(\mathbb{Z}/n\mathbb{Z}) = (\mathbb{Z}/n\mathbb{Z})^2 \cup \{(w,x,y) : w = 0\} \cup \{(w,x,y) : w \ne 0,\ \gcd(w,n) > 1\} $$
must also include the set of points where $w$ is nonzero but non-invertible, so that the triple is not equivalent to one where $w = 1$.

Definition 3.5. For some $N$ coprime to $6$, an elliptic curve $E$ over $\mathbb{Z}/N\mathbb{Z}$ is defined as the set of solutions to the projective equation
$$ y^2 w = x^3 + c_1 x w^2 + c_2 w^3, $$
where $c_1, c_2 \in \mathbb{Z}/N\mathbb{Z}$ and $4c_1^3 + 27c_2^2$ is invertible.

This definition of an elliptic curve over a ring provides a starting point for obtaining the analogue of the group $G(N)$ we used in the $p-1$ method. While the points on this sort of elliptic curve may not actually form a group if $N$ is composite, this will not matter for our purposes, as a breakdown in the computation of the group operations will lead us to a factor of $N$. In fact, since the group operations defined in (1.10) and (1.11) are only valid in the affine part, any computation that falls into the non-affine part will yield a factor of $N$.

We now define the analogues of the homomorphisms used in the $p-1$ method.

Definition 3.6. Let $N$ be some composite integer. For any $p \mid N$, we define the map $\beta_p : E(\mathbb{Z}/N\mathbb{Z}) \to E(\mathbb{Z}/p\mathbb{Z})$ as the reduction of the coordinates modulo $p$.

Of course, the equation representing $E(\mathbb{Z}/p\mathbb{Z})$ is simply the equation of $E(\mathbb{Z}/N\mathbb{Z})$ with its coefficients reduced modulo $p$. In addition, note that our requirement that $4c_1^3 + 27c_2^2$ be invertible in $\mathbb{Z}/N\mathbb{Z}$ ensures that the reduced equation is an elliptic curve, since $4c_1^3 + 27c_2^2$ being coprime to $N$ implies that it is nonzero modulo any divisor of $N$. Since $E(\mathbb{Z}/N\mathbb{Z})$ is a subset of $\mathbb{P}^2(\mathbb{Z}/N\mathbb{Z})$, it can be partitioned into the three parts mentioned earlier: one where $w$ is invertible, one where $w$ is zero, and one where $w$ is nonzero and non-invertible.

We now describe the algorithm itself. First, fix $N \in \mathbb{N}$ as the composite number to be factored, and fix $B$ as a bound on the smoothness of the orders of the elliptic curve groups over $\mathbb{Z}/p\mathbb{Z}$ for the prime divisors $p$ that we seek. For convenience, choose some elliptic curve with $c_2 = 1$, thus with the equation $y^2 = x^3 + ax + 1$. For any elliptic curve of this form, we have the element $a_0 = (1, 0, 1)$ on the curve. Let $Q(B)$ be defined as in (2.5). Then, try to compute $Q(B) a_0$ in $E(\mathbb{Z}/N\mathbb{Z})$ using the affine equations (1.10) and (1.11). At some point, we expect the computation of $\lambda$ to fail due to the lack of an inverse of either $2y_1$ or $x_2 - x_1$. At this point we are done, as this implies that we have found some integer not coprime to $N$, and a factor follows by taking the gcd. Otherwise, we start over with a different value of $a$, changing the elliptic curve.

There are some details of this algorithm that are worth considering. We begin with the following proposition.

Proposition 3.7. Let the elliptic curve $E_a(\mathbb{Z}/p\mathbb{Z})$ be represented by the equation $y^2 = x^3 + ax + 1$ over $\mathbb{Z}/p\mathbb{Z}$ for some prime $p \mid N$. If the order of this curve is $B$-powersmooth, then $k a_0$ lies in the non-affine part of $E_a(\mathbb{Z}/N\mathbb{Z})$ for some $k \le Q(B)$.
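The algorithm just described, as an added worked example that is not the paper's code. It evaluates (1.10) and (1.11) over $\mathbb{Z}/N\mathbb{Z}$ on curves $y^2 = x^3 + ax + 1$ starting from $a_0 = (1,0,1)$, computes $Q(B) a_0$ by double-and-add, and treats a non-invertible denominator of $\lambda$ as the signal that the computation has entered the non-affine part, exactly the event Proposition 3.7 promises. The helper names, trying $a = 1, 2, 3, \ldots$ in order, the bound $B = 20$ and the cap of 1000 curves are my assumptions; $N = 34547 = 179 \cdot 193$ is the paper's Example 2.6. `math.lcm(1, \ldots, B)` is used for $Q(B)$ because it equals the product in (2.5).

```python
# Added example (not the paper's code): Lenstra's ECM as in section 3, with the
# affine chord-tangent formulas (1.10)/(1.11) evaluated over Z/NZ.
from math import gcd, lcm


class FactorFound(Exception):
    """Raised when a group operation hits the non-affine part of E(Z/NZ)."""
    def __init__(self, d):
        super().__init__(d)
        self.d = d


def inverse_or_factor(v, N):
    """Return v^{-1} mod N, or raise FactorFound(gcd(v, N)) if v is not invertible."""
    d = gcd(v % N, N)
    if d != 1:
        raise FactorFound(d)         # d may equal N; the caller treats that as a miss
    return pow(v, -1, N)


def add(P, R, a, N):
    """P + R on y^2 = x^3 + a x + 1 over Z/NZ via (1.10), (1.11); None stands for O."""
    if P is None:
        return R
    if R is None:
        return P
    x1, y1 = P
    x2, y2 = R
    if (x1 - x2) % N == 0:
        if (y1 + y2) % N == 0:
            return None              # P + (-P) = O, exactly modulo N
        if (y1 - y2) % N != 0:
            raise FactorFound(N)     # x2 - x1 = 0 mod N but points differ: gcd is N
        lam = (3 * x1 * x1 + a) * inverse_or_factor(2 * y1, N) % N   # tangent case
    else:
        lam = (y2 - y1) * inverse_or_factor(x2 - x1, N) % N          # chord case
    x3 = (lam * lam - x1 - x2) % N
    y3 = (-y1 + lam * (x1 - x3)) % N
    return (x3, y3)


def multiply(k, P, a, N):
    """k*P by double-and-add, the 2*log2(k)-operation scheme of section 3.1."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, P, a, N)
        P = add(P, P, a, N)
        k >>= 1
    return acc


def ecm(N, B, max_curves=1000):
    """Try curves y^2 = x^3 + a x + 1 for a = 1, 2, ... with a0 = (0, 1) affine.

    Returns (factor, a) for the first curve on which computing Q(B)*a0 lands in
    the non-affine part, or None if max_curves curves all miss.
    """
    QB = lcm(*range(1, B + 1))       # equals Q(B) of (2.5)
    for a in range(1, max_curves + 1):
        # Definition 3.5 needs 4a^3 + 27 invertible mod N; if it is not, the gcd
        # is already a factor, unless it is N itself, in which case skip the curve.
        d = gcd(4 * a ** 3 + 27, N)
        if d == N:
            continue
        if d > 1:
            return d, a
        try:
            multiply(QB, (0, 1), a, N)   # a0 = (1, 0, 1) in (w, x, y) coordinates
        except FactorFound as e:
            if 1 < e.d < N:
                return e.d, a        # gcd equal to N: restart with the next a
    return None


if __name__ == "__main__":
    print(ecm(34547, 20))            # (179, a) or (193, a) for some small a
```

Two points worth noting. A gcd equal to $N$ (both prime factors reached the point at infinity on the same step) is not a factor, so the code moves on to the next $a$, which is the "start over with a different value of $a$" step of the text. And on a prime modulus the same `add` and `multiply` are the honest group law: on $y^2 = x^3 + x + 1$ over $\mathbb{F}_5$, which has $9$ points, $9 \cdot (0,1)$ comes back as $O$.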
Proof. First, note that the point $a_0$ mentioned in the description of the algorithm lies in every reduction of $E_a(\mathbb{Z}/N\mathbb{Z})$. In $E_a(\mathbb{Z}/p\mathbb{Z})$, we therefore have that $Q(B) a_0 = (0,0,1)$. Suppose for the purpose of contradiction that $k a_0$ lies in the affine part of $E_a(\mathbb{Z}/N\mathbb{Z})$ for every $k \le Q(B)$. Then, since the reduction maps are homomorphisms wherever addition is defined in $E_a(\mathbb{Z}/N\mathbb{Z})$, we find that $\beta_p(Q(B) a_0) = (0,0,1)$ for this $p \mid N$. This implies that the $w$-coordinate of $Q(B) a_0$ is not coprime to $N$, and thus $Q(B) a_0$ cannot be in the affine part, a contradiction.

The above proposition shows that our method is guaranteed to find a factor if we are given the smoothness of the order of the group.

3.1. Running time. We now give a brief description of the running time of the elliptic curve method. First, we state two theorems that serve as a starting point for our analysis.

Theorem 3.8 (Hasse). $|p + 1 - \#E(\mathbb{Z}/p\mathbb{Z})| \le 2\sqrt{p}$, where $\#E(\mathbb{Z}/p\mathbb{Z})$ is the number of points on an elliptic curve over $\mathbb{Z}/p\mathbb{Z}$.

Theorem 3.9 (Canfield, Erdős, Pomerance). Let $L(x) = e^{\sqrt{\ln x \,\ln\ln x}}$. Then, the probability that some $n < x$ is $L(x)^a$-smooth is $L(x)^{-1/(2a) + o(1)}$ as $x \to \infty$.

Since we are mostly interested in large values of $p$, we note that $\#E(\mathbb{Z}/p\mathbb{Z}) < p + 1 + 2\sqrt{p}$. Since $p + 1 + 2\sqrt{p}$ is $O(p)$, we can take $\#E(\mathbb{Z}/p\mathbb{Z})$ to be less than $p$ when applying (3.9). We also note that if some number $n$ is $L(x)^a$-smooth, it is also $L(x)^{a'}$-powersmooth for some other $a'$, as we can simply multiply $a$ by the largest exponent in the prime factorization of $n$ to get $a'$. Thus, the distinction between smoothness and powersmoothness will be negligible here.

Fix some value of $a$. By (3.9), the probability of $\#E(\mathbb{Z}/p\mathbb{Z})$ being $L(p)^a$-powersmooth is $L(p)^{-1/(2a) + o(1)}$. If we choose $B = L(p)^a$, then we expect to try $L(p)^{1/(2a) + o(1)}$ curves before we find a suitable curve. In order to find an expression for the number of group operations needed on each curve, we need the following theorem.

Theorem 3.10 (Prime Number Theorem). Let $\pi(x)$ be the number of primes less than or equal to $x$. Then,
$$ (3.11)\quad \lim_{x \to \infty} \frac{\pi(x)}{x/\ln x} = 1. $$

Now, we derive a result relating to the asymptotic behavior of $Q(B)$.

Proposition 3.12. For any sequence $a_n$ defined over $\mathbb{N}$, let $A(x) = \sum_{n \le x} a_n$. Let $f$ be some continuously differentiable monotone increasing function on an interval $[x,y]$. Then,
$$ (3.13)\quad \sum_{x < n \le y} a_n f(n) = A(y) f(y) - A(x) f(x) - \int_x^y A(t) f'(t)\,dt. $$

Proof. By the summation by parts identity, we have that
$$ \sum_{x < n \le y} a_n f(n) = A(\lfloor y \rfloor) f(\lfloor y \rfloor) - A(\lfloor x \rfloor) f(\lfloor x \rfloor + 1) - \sum_{x < n \le y-1} A(n)\bigl(f(n+1) - f(n)\bigr). $$
Since $A$ is constant on each interval $[n, n+1)$, each term $A(n)(f(n+1) - f(n))$ equals $\int_n^{n+1} A(t) f'(t)\,dt$; likewise $A(\lfloor y \rfloor) f(\lfloor y \rfloor) = A(y) f(y) - \int_{\lfloor y \rfloor}^{y} A(t) f'(t)\,dt$ and $A(\lfloor x \rfloor) f(\lfloor x \rfloor + 1) = A(x) f(x) + \int_{x}^{\lfloor x \rfloor + 1} A(t) f'(t)\,dt$. Substituting and collecting the integrals over $[x, \lfloor x \rfloor + 1]$, $[n, n+1]$ and $[\lfloor y \rfloor, y]$ into one gives
$$ \sum_{x < n \le y} a_n f(n) = A(y) f(y) - A(x) f(x) - \int_x^y A(t) f'(t)\,dt. $$

Definition 3.14. Define the Chebyshev $\theta$-function as
$$ (3.15)\quad \theta(x) = \sum_{p \le x} \ln p. $$

Lemma 3.16. Suppose that $x \ge 2$. Then,
$$ (3.17)\quad \theta(x) = \pi(x) \ln x - \int_2^x \frac{\pi(t)}{t}\,dt, $$
where $\pi(x)$ is defined as in 3.10.

Proof. Let $a_n$ be the indicator function of the primes, where $a_n = 1$ if $n$ is prime and $0$ otherwise. Then, taking $f(x) = \ln x$ and noting that $A(x) = \pi(x)$, we have by Proposition 3.12 that
$$ \theta(x) = \sum_{1 < n \le x} a_n f(n) = \pi(x) \ln x - \pi(1) \ln 1 - \int_1^x \frac{\pi(t)}{t}\,dt. $$
Since $\pi(t) = 0$ for $t < 2$, this completes the proof.

Proposition 3.18. $\theta(x)$ is asymptotically equal to $x$. That is,
$$ \lim_{x \to \infty} \frac{\theta(x)}{x} = 1. $$

Proof. We have by Theorem 3.10 that the first term $\pi(x) \ln x / x$ in the expression for $\theta(x)/x$ tends to $1$ as $x \to \infty$. Thus, we need to show that
$$ \lim_{x \to \infty} \frac{1}{x} \int_2^x \frac{\pi(t)}{t}\,dt = 0. $$
By Theorem 3.10, $\pi(t)/t = O(1/\ln t)$, so it suffices to bound $\int_2^x dt/\ln t$. If we split this integral into two integrals over $(2, \sqrt{x})$ and $(\sqrt{x}, x)$, the monotone decreasing nature of $1/\ln t$ gives
$$ \int_2^{\sqrt{x}} \frac{dt}{\ln t} + \int_{\sqrt{x}}^{x} \frac{dt}{\ln t} \le \frac{\sqrt{x}}{\ln 2} + \frac{x - \sqrt{x}}{\ln \sqrt{x}}. $$
Dividing by $x$ and taking $x \to \infty$, we see that the limit is indeed $0$.

We are now close to an expression for the asymptotic behavior of $Q(B)$. First, note that
$$ \ln Q(B) = \sum_{p \le B} k_p \ln p, $$
where $k_p$ is the exponent found in (2.5). Since $k_p$ counts the $n \ge 1$ with $p^n \le B$, that is, with $p \le B^{1/n}$, we can rewrite this sum as
$$ \sum_{n \ge 1} \sum_{p \le B^{1/n}} \ln p. $$
Since the inner sum is empty for $n > \log_2 B$, we have the expression
$$ (3.19)\quad \ln Q(B) = \sum_{n \le \log_2 B} \theta(B^{1/n}). $$
Now, we establish a relationship between the asymptotic growth of $\ln Q(B)$ and $\theta(B)$. We have
$$ \ln Q(B) - \theta(B) = \sum_{2 \le n \le \log_2 B} \theta(B^{1/n}) \le \log_2(B)\,\theta(\sqrt{B}) \le \log_2(B)\,\sqrt{B}\,\ln\sqrt{B} = \frac{\sqrt{B}\,(\ln B)^2}{2 \ln 2}. $$
Dividing through by $B$, we obtain a bound on the difference between $\ln Q(B)/B$ and $\theta(B)/B$ which vanishes as $B \to \infty$. Thus, by Proposition 3.18, we have that $\ln Q(B) = O(B)$, or $Q(B) = O(\exp B)$.

The number of group operations needed to reach $Q(B) a_0$ is much easier to derive. By repeatedly doubling and adding terms to reach $Q(B)$, we are essentially doing long multiplication in base $2$. First, we compute all the power-of-$2$ multiples of $a_0$ up to $Q(B)$ in $\log_2 Q(B)$ operations. Then, we step through the binary digits of $Q(B)$ and add together all the precomputed multiples where a $1$ appears in the representation, taking another $\log_2 Q(B)$ operations at most, for a total of $2 \log_2 Q(B)$ operations. Thus, since the magnitude of $Q(B)$ is $O(\exp B)$, the number of group operations needed per curve is on the order of $B$.

Since we chose $B = L(p)^a$, we therefore obtain a total expected running time of $L(p)^{a + 1/(2a) + o(1)}$. Taking $a = 1/\sqrt{2}$, we have a running time of $L(p)^{\sqrt{2} + o(1)}$. Since our $N$ is composite, we are guaranteed a prime factor $p \le \sqrt{N}$. Thus, we can restate our running time in terms of $N$, giving $L(N)^{1 + o(1)}$.

Acknowledgements. I would like to thank John Wilmes for his guidance in each step of the paper writing process.

References
[1] Dale Husemöller, Elliptic Curves, Springer-Verlag.
[2] Henri Cohen, A Course in Computational Algebraic Number Theory, Springer-Verlag.
[3] Tom Apostol, Introduction to Analytic Number Theory, Springer-Verlag, 1976.
More informationUndergraduate Notes in Mathematics. Arkansas Tech University Department of Mathematics. College Algebra for STEM
Undergraduate Notes in Mathematics Arkansas Tech University Department of Mathematics College Algebra for STEM Marcel B. Finan c All Rights Reserved 2015 Edition To my children Amin & Nadia Preface From
More informationModels of Elliptic Curves
Models of Elliptic Curves Daniel J. Bernstein Tanja Lange University of Illinois at Chicago and Technische Universiteit Eindhoven djb@cr.yp.to tanja@hyperelliptic.org 26.03.2009 D. J. Bernstein & T. Lange
More information4. Number Theory (Part 2)
4. Number Theory (Part 2) Terence Sim Mathematics is the queen of the sciences and number theory is the queen of mathematics. Reading Sections 4.8, 5.2 5.4 of Epp. Carl Friedrich Gauss, 1777 1855 4.3.
More informationAlgebraic structures I
MTH5100 Assignment 1-10 Algebraic structures I For handing in on various dates January March 2011 1 FUNCTIONS. Say which of the following rules successfully define functions, giving reasons. For each one
More informationAbstract Algebra, Second Edition, by John A. Beachy and William D. Blair. Corrections and clarifications
1 Abstract Algebra, Second Edition, by John A. Beachy and William D. Blair Corrections and clarifications Note: Some corrections were made after the first printing of the text. page 9, line 8 For of the
More informationMath 312/ AMS 351 (Fall 17) Sample Questions for Final
Math 312/ AMS 351 (Fall 17) Sample Questions for Final 1. Solve the system of equations 2x 1 mod 3 x 2 mod 7 x 7 mod 8 First note that the inverse of 2 is 2 mod 3. Thus, the first equation becomes (multiply
More informationElementary Algebra Chinese Remainder Theorem Euclidean Algorithm
Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm April 11, 2010 1 Algebra We start by discussing algebraic structures and their properties. This is presented in more depth than what we
More informationNumbers, Groups and Cryptography. Gordan Savin
Numbers, Groups and Cryptography Gordan Savin Contents Chapter 1. Euclidean Algorithm 5 1. Euclidean Algorithm 5 2. Fundamental Theorem of Arithmetic 9 3. Uniqueness of Factorization 14 4. Efficiency
More informationMath 145. Codimension
Math 145. Codimension 1. Main result and some interesting examples In class we have seen that the dimension theory of an affine variety (irreducible!) is linked to the structure of the function field in
More informationMIT Algebraic techniques and semidefinite optimization February 16, Lecture 4
MIT 6.972 Algebraic techniques and semidefinite optimization February 16, 2006 Lecture 4 Lecturer: Pablo A. Parrilo Scribe: Pablo A. Parrilo In this lecture we will review some basic elements of abstract
More informationNotes for Math 290 using Introduction to Mathematical Proofs by Charles E. Roberts, Jr.
Notes for Math 290 using Introduction to Mathematical Proofs by Charles E. Roberts, Jr. Chapter : Logic Topics:. Statements, Negation, and Compound Statements.2 Truth Tables and Logical Equivalences.3
More informationSPRING 2006 PRELIMINARY EXAMINATION SOLUTIONS
SPRING 006 PRELIMINARY EXAMINATION SOLUTIONS 1A. Let G be the subgroup of the free abelian group Z 4 consisting of all integer vectors (x, y, z, w) such that x + 3y + 5z + 7w = 0. (a) Determine a linearly
More informationMath 418 Algebraic Geometry Notes
Math 418 Algebraic Geometry Notes 1 Affine Schemes Let R be a commutative ring with 1. Definition 1.1. The prime spectrum of R, denoted Spec(R), is the set of prime ideals of the ring R. Spec(R) = {P R
More informationBoolean Algebra CHAPTER 15
CHAPTER 15 Boolean Algebra 15.1 INTRODUCTION Both sets and propositions satisfy similar laws, which are listed in Tables 1-1 and 4-1 (in Chapters 1 and 4, respectively). These laws are used to define an
More informationAlgebraic Varieties. Chapter Algebraic Varieties
Chapter 12 Algebraic Varieties 12.1 Algebraic Varieties Let K be a field, n 1 a natural number, and let f 1,..., f m K[X 1,..., X n ] be polynomials with coefficients in K. Then V = {(a 1,..., a n ) :
More informationABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS
ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS John A. Beachy Northern Illinois University 2000 ii This is a supplement to Abstract Algebra, Second Edition by John A. Beachy and William D. Blair ISBN 0
More informationNOTES ON FINITE FIELDS
NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining
More informationReal Analysis Prelim Questions Day 1 August 27, 2013
Real Analysis Prelim Questions Day 1 August 27, 2013 are 5 questions. TIME LIMIT: 3 hours Instructions: Measure and measurable refer to Lebesgue measure µ n on R n, and M(R n ) is the collection of measurable
More informationHomework 10 M 373K by Mark Lindberg (mal4549)
Homework 10 M 373K by Mark Lindberg (mal4549) 1. Artin, Chapter 11, Exercise 1.1. Prove that 7 + 3 2 and 3 + 5 are algebraic numbers. To do this, we must provide a polynomial with integer coefficients
More information8 Primes and Modular Arithmetic
8 Primes and Modular Arithmetic 8.1 Primes and Factors Over two millennia ago already, people all over the world were considering the properties of numbers. One of the simplest concepts is prime numbers.
More informationCourse 2316 Sample Paper 1
Course 2316 Sample Paper 1 Timothy Murphy April 19, 2015 Attempt 5 questions. All carry the same mark. 1. State and prove the Fundamental Theorem of Arithmetic (for N). Prove that there are an infinity
More information2. Two binary operations (addition, denoted + and multiplication, denoted
Chapter 2 The Structure of R The purpose of this chapter is to explain to the reader why the set of real numbers is so special. By the end of this chapter, the reader should understand the difference between
More informationAll variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.
Math 152, Problem Set 2 solutions (2018-01-24) All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points. 1. Let us look at the following equation: x 5 1
More informationCongruent number elliptic curves of high rank
Michaela Klopf, BSc Congruent number elliptic curves of high rank MASTER S THESIS to achieve the university degree of Diplom-Ingenieurin Master s degree programme: Mathematical Computer Science submitted
More informationSTEP Support Programme. Pure STEP 1 Questions
STEP Support Programme Pure STEP 1 Questions 2012 S1 Q4 1 Preparation Find the equation of the tangent to the curve y = x at the point where x = 4. Recall that x means the positive square root. Solve the
More informationD-MATH Algebra I HS 2013 Prof. Brent Doran. Solution 3. Modular arithmetic, quotients, product groups
D-MATH Algebra I HS 2013 Prof. Brent Doran Solution 3 Modular arithmetic, quotients, product groups 1. Show that the functions f = 1/x, g = (x 1)/x generate a group of functions, the law of composition
More informationFactorization of integer-valued polynomials with square-free denominator
accepted by Comm. Algebra (2013) Factorization of integer-valued polynomials with square-free denominator Giulio Peruginelli September 9, 2013 Dedicated to Marco Fontana on the occasion of his 65th birthday
More informationELLIPTIC CURVES BJORN POONEN
ELLIPTIC CURVES BJORN POONEN 1. Introduction The theme of this lecture is to show how geometry can be used to understand the rational number solutions to a polynomial equation. We will illustrate this
More informationModular Arithmetic and Elementary Algebra
18.310 lecture notes September 2, 2013 Modular Arithmetic and Elementary Algebra Lecturer: Michel Goemans These notes cover basic notions in algebra which will be needed for discussing several topics of
More informationφ(xy) = (xy) n = x n y n = φ(x)φ(y)
Groups 1. (Algebra Comp S03) Let A, B and C be normal subgroups of a group G with A B. If A C = B C and AC = BC then prove that A = B. Let b B. Since b = b1 BC = AC, there are a A and c C such that b =
More informationAN EXPOSITION OF THE RIEMANN ROCH THEOREM FOR CURVES
AN EXPOSITION OF THE RIEMANN ROCH THEOREM FOR CURVES DOMINIC L. WYNTER Abstract. We introduce the concepts of divisors on nonsingular irreducible projective algebraic curves, the genus of such a curve,
More informationPart II. Number Theory. Year
Part II Year 2017 2016 2015 2014 2013 2012 2011 2010 2009 2008 2007 2006 2005 2017 Paper 3, Section I 1G 70 Explain what is meant by an Euler pseudoprime and a strong pseudoprime. Show that 65 is an Euler
More informationCongruences and Residue Class Rings
Congruences and Residue Class Rings (Chapter 2 of J. A. Buchmann, Introduction to Cryptography, 2nd Ed., 2004) Shoichi Hirose Faculty of Engineering, University of Fukui S. Hirose (U. Fukui) Congruences
More informationTopic 7: Polynomials. Introduction to Polynomials. Table of Contents. Vocab. Degree of a Polynomial. Vocab. A. 11x 7 + 3x 3
Topic 7: Polynomials Table of Contents 1. Introduction to Polynomials. Adding & Subtracting Polynomials 3. Multiplying Polynomials 4. Special Products of Binomials 5. Factoring Polynomials 6. Factoring
More information2.1 Affine and Projective Coordinates
1 Introduction Depending how you look at them, elliptic curves can be deceptively simple. Using one of the easier definitions, we are just looking at points (x,y) that satisfy a cubic equation, something
More informationMATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.
MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences. Congruences Let n be a postive integer. The integers a and b are called congruent modulo n if they have the same
More informationAlgorithm for Concordant Forms
Algorithm for Concordant Forms Hagen Knaf, Erich Selder, Karlheinz Spindler 1 Introduction It is well known that the determination of the Mordell-Weil group of an elliptic curve is a difficult problem.
More informationLECTURE NOTES IN CRYPTOGRAPHY
1 LECTURE NOTES IN CRYPTOGRAPHY Thomas Johansson 2005/2006 c Thomas Johansson 2006 2 Chapter 1 Abstract algebra and Number theory Before we start the treatment of cryptography we need to review some basic
More informationMath 4310 Solutions to homework 1 Due 9/1/16
Math 0 Solutions to homework Due 9//6. An element [a] Z/nZ is idempotent if [a] 2 [a]. Find all idempotent elements in Z/0Z and in Z/Z. Solution. First note we clearly have [0] 2 [0] so [0] is idempotent
More informationIRREDUCIBILITY TESTS IN Q[T ]
IRREDUCIBILITY TESTS IN Q[T ] KEITH CONRAD 1. Introduction For a general field F there is no simple way to determine if an arbitrary polynomial in F [T ] is irreducible. Here we will focus on the case
More informationChapter 2. Mathematical Reasoning. 2.1 Mathematical Models
Contents Mathematical Reasoning 3.1 Mathematical Models........................... 3. Mathematical Proof............................ 4..1 Structure of Proofs........................ 4.. Direct Method..........................
More informationMATH 145 Algebra, Solutions to Assignment 4
MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178
More informationa b (mod m) : m b a with a,b,c,d real and ad bc 0 forms a group, again under the composition as operation.
Homework for UTK M351 Algebra I Fall 2013, Jochen Denzler, MWF 10:10 11:00 Each part separately graded on a [0/1/2] scale. Problem 1: Recalling the field axioms from class, prove for any field F (i.e.,
More informationIndustrial Strength Factorization. Lawren Smithline Cornell University
Industrial Strength Factorization Lawren Smithline Cornell University lawren@math.cornell.edu http://www.math.cornell.edu/~lawren Industrial Strength Factorization Given an integer N, determine the prime
More informationFINITE ABELIAN GROUPS Amin Witno
WON Series in Discrete Mathematics and Modern Algebra Volume 7 FINITE ABELIAN GROUPS Amin Witno Abstract We detail the proof of the fundamental theorem of finite abelian groups, which states that every
More informationComputing a Lower Bound for the Canonical Height on Elliptic Curves over Q
Computing a Lower Bound for the Canonical Height on Elliptic Curves over Q John Cremona 1 and Samir Siksek 2 1 School of Mathematical Sciences, University of Nottingham, University Park, Nottingham NG7
More information