HOMEWORK 11 MATH 4753

Transcription

1 HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question 1. Let q be prime. x 1 f(x) in (Z/qZ)[x]. Prove that f(1) 0 mod q if and only if Proof. When q is prime Z/qZ is a field, so by the division algorithm for polynomials, dividing f(x) by x 1, we know there exist q(x), r(x) (Z/qZ)[x] with deg r(x) < deg(x 1) = 1 (so that r(x) = r is a constant such that: f(x) = q(x)(x 1) + r. Plugging in x = 1 gives f(1) = r 0 mod q, so in fact, f(x) = q(x)(x 1) and x 1 mod f(x) as desired. Question 2. When we choose f(x) in the NTRU cryptosystem, we decide to look for f T (d + 1, d) instead of T (d, d). There is a good reason for this. Show that for any prime q and any polynomial f T (d, d) where d N/2, that f / R q. Can you still prove the result if q is not assumed to be prime? Proof. Note that f T (d, d) implies that f(1) 0 mod q, so when q is prime, this implies that x 1 f(x), but x 1 x N 1 for any N N, so they share a common factor and f(x) cannot be invertible. The proof of the general case can be reduced to this by observing that if p q is any prime, then there is a natural homomorphism R q R p that just reduces the mod q coefficients to be modulo p, and that if f(x) has an inverse in R q, that is, if we have f(x)k(x) = 1 for some k(x) in R q, then this is still a factorization in R p, but that s a contradiction because if f(1) 0 mod q, it is still 0 mod p, and by the previous question, this means that f(x) is not invertible mod p. (There are also more direct proofs that you can come up with that construct explicit factorizations of f(x) and advoid reducing modulo a prime factor of q.) Date: May 6,

2 2 HOMEWORK 11 MATH 4753 Question 3 (Variant of HPS 7.29). Alice and Bob use the NTRU cryptosystem with (N, p, q) = 7, 3, 37. Alice s private key is: f(x) = 1 + x x 3 + x 4 + x 6. Compute F 3 (x) = f(x) 1 in R p, and use this to decrypt the message: e(x) = 2 + 8x 2 16x 3 9x 4 18x 5 3x 6 received from Bob into an encoded message m(x) R p. Solution. Performing the Euclidean algorithm with coefficients mod 3 for gcd(f(x), x 7 1) results in: (2x 6 + 2x 4 + 2x 2 + x)f(x) + (x 5 + 2x 3 + 2x 2 + 2x + 2)(x 7 1) = 1 so f(x) 1 = 2x 6 + 2x 4 + 2x 2 + x R 3. We now compute: to get a(x) = f(x)e(x) in R q = R 37, a(x) = 3x 12 18x 11 12x 10 +6x 9 +17x 8 10x 7 +11x 6 +x 5 5x 4 15x 3 8x 2 +2x 2. (Notice that we took the centered lift here, so coefficients are in ( q/2, q/2].) Then we compute m(x) = F 3 (x)a(x) in R p = R 3 to get: m(x) = x 6 + x 5 + x 4 + x (again in centered lift form). Review for the Final Exam Write up solutions for 2 of the following questions. You are strongly encouraged to study the remainder for the exam. For the purposes of a review, consider Question 3 above as a possible exam question as well. Question 4. Consider the elliptic curve given by E : y 2 = x 3 x + 1 over Q. Compute the discriminant of the curve. Compute by hand the points 2P and 3P, where P = (1, 1) E(Q). Solution. The discriminant D = 16(4a b 2 ) = 16(4( 1) (1) 2 ) = To compute 2P, we use the doubling formula: λ = 3x2 + a 2y = 3(1)2 1 2(1) = 1. Then x 3 = λ 2 x 1 x 2 = = 1, and thus y 3 = y 1 + λ(x 3 x 1 ) = 1 + 1( 1 1) = 1, so 2P = (x 3, y 3 ) = ( 1, 1).

3 HOMEWORK 11 MATH Now, let s compute 3P = 2P + P. This time λ = y 2 y 1 x 2 x 1 = = 0. Thus x 3 = λ 2 x 1 x 2 = 0 1 ( 1) = 0. Therefore y 3 = y 1 +λ(x 3 x 1 ) = 1. Therefore 3P = (x 3, y 3 ) = (0, 1). Question 5. Define a primitive root modulo n. (Do this in general, not just for a prime, though for some n primitive roots may not exist.) Find a primitive root modulo 13 by hand. Proof. A primitive root modulo n is an element of order ϕ(n). Equivalently, g is a primitive root if and only if every unit modulo n is a power of g, {g 1, g 2,... g ϕ(n) } = (Z/nZ). Since ϕ(13) = 13 1 = 12, the maximal divisors are 4, 6, so it suffices to show that g 4 1 mod 13 and g 6 1 mod 13 to show that g is a primitive root. You can check that g = 2 works. Question 6. Compute gcd(12354, 546) by hand using the Euclidean algorithm. Solution. So the GCD is = = gcd(12354, 546) 546 = = gcd(546, 342) 342 = = gcd(342, 204) 204 = = gcd(204, 138) 138 = = gcd(138, 66) 66 = = gcd(66, 6) = 6 Question 7. Find all x Z satisfying: Prove your answer. x 1 mod 6 x 2 mod 3 Proof. We reduce x 1 mod 6 to the two factors of 6 to get: { x 1 mod 2 x 1 mod 6 = x 1 mod 3 The latter equation contradicts x 2 mod 3, so there are no solutions.

4 4 HOMEWORK 11 MATH 4753 Question 8. Define a primitive root modulo n. (Do this in general, not just for a prime, though for some n primitive roots may not exist.) Find a primitive root modulo 11 by hand. Solution. This is accidentally a repeat of question 5 above. Question 9. Define what an elliptic curve E over a field F is. (Be sure to remember all conditions an elliptic curve must meet.) Explain how Bob sends messages to Alice using the elliptic curve El Gamal cryptosystem. (In particular, describe all information which is exchanged between Alice and Bob and how it is computed.) Solution. An elliptic curve E over a field F is the set of solutions (x, y) to the equation: y 2 = x 3 + ax + b, a, b F, together with a point O, given by [0 : 1 : 0] in projective coordinates, at infinity, that has nonzero discriminant D = 16(4a b 2 ) 0. It has a geometrically defined group law which we denote + between points, for which O is the identity. In EC El Gamal, Alice s public key is a curve E over the field F p for a prime p, and a point P E(F p ) of high order, and a second point Q = kp, where the choice of k N is Alice s private key. To send Alice a message, Bob first: (1) Encodes the message as a point P m E(F p ). (2) Chooses an ephemeral random key t N. (3) Sends to Alice: { = tp C 1 C 2 = tq + P m Alice decrypts this by computing P m = C 2 kc 1 and decoding P m. Question 10. Define what it means for L R n to be a lattice. Given a basis (v 1,..., v n ) for a lattice L, define the Hadamard constant H(v 1,..., v n ), and explain what the difference between a good basis and a bad basis is in terms of the Hadamard constant. Proof. ( ) 1/n det L H(v 1,..., v n ) =, v 1 v n where det L = det(v 1 v 2 v n ). The Hadamard constant satisfies 0 < H(v 1,..., v n ) 1. A good basis has constant near 1, which indicates near-orthogonality, while a bad basis has constant near 0.

5 HOMEWORK 11 MATH Question 11. Explain how Alice and Bob communicate in the GGH cryptosystem. (In particular, describe all information which is exchanged between Alice and Bob and how it is computed.) Proof. Alice chooses a private key of V = (v 1 v 2 v n ) of vectors with integer coordinates a good basis for a lattice, and a public key of W = V E is V changed by some random elementary column operations in order to produce a new basis W which has very bad Hadamard constant. She publishes W and a parameter δ which is chosen to be small relative to the lengths of the vectors in V. Bob then encodes a message as a vector m Z n, and encrypts it by sending: e = W m + r, where r R n is a random vector with length r < δ. Alice decodes this by writing e in the V basis by computing V 1 e, rounding the coefficients to the nearest integers to produce a vector a (Babai s algorithm), and then computing V a = W m, so that m = W 1 V a. Since V is a good basis, the small random vector r is correctly rounded out, but in a bad basis (like W ), Babai s algorithm fails and introduces (large) errors. Question 12. Suppose that E is an elliptic curve defined over the field F 7 that happens to have #E(F 7 ) = 8. Determine how many points E has over the fields F 7 2 and F 7 3. Solution. As usual, set t = p + 1 #E(F p ) = = 0, and then we solve for z in the characteristic equation of Frobenius: z 2 tz + p = 0 = z = ± 7 Call these roots α, β. Then our formula is that: This yields: #E(F p k) = p k + 1 α k β k. #E(F 7 2) = ( 7) ( 7) = 64 and #E(F 7 3) = , as the signs cancel. Question 13. Let N = pq and suppose we want to factor N to recover p, q, where p, q are large distinct primes. Define what it means for a natural number to be B-power smooth. Suppose that E = y 2 + ax + 1 is an elliptic curve defined over F p and F q for some a Z, and that #E(F p ) is B-power smooth and #E(F q ) is not. Explain how one would factor N using Lenstra s method, and why the prime p would likely be recovered first.

6 6 HOMEWORK 11 MATH 4753 Solution. A natural number n is B-power smooth if the prime power factorization of n = p k 1 1 p kt t satisfies p k i i B for 1 i t. In Lenstra s method, one choose a point P = (0, 1) on the given family of curves (here E = y 2 + ax + 1) and proceeds to compute mp where m = lcm{1, 2,..., B} with mod N arithmetic (although elliptic curves are properly only defined over fields!). If #E(F p ) is B-power smooth then #E(F p ) m and so mp = O in E(F p ). This means that as we try to compute mp, one of the slopes λ that we compute should have a denominator which is 0 mod p. There is a good chance that if #E(F q ) is not B-power smooth then mp O in E(F q ), and so when the denominator vanishes mod p, it does not vanish mod q, so when attempting to compute its inverse mod N by using the Euclidean algorithm, we compute a GCD of gcd(n, denom.) = p, and we have factored N. Proof-based Review Questions Write out a solution for one of these questions to turn in with this assignment. Question 14. Let p be an odd prime and g a primitive root modulo p. Prove that x F p is a square (also known as a quadratic residue ) if and only if log g (x) is even. Conclude that exactly half of the values of F p have square roots, and the other half do not. Proof. Let k = log g (x) mod (p 1), so that x g k mod p. Since p 1 is even, the reduction modulo 2 is well-defined, so the notion of even and odd is preserved mod p 1. Now, if x has a square root, call it y, then y g l mod p for some l Z/(p 1)Z (since y must be nonzero as well), and then x y 2 g 2l mod p, so k 2l mod (p 1), so k is even. Further, there are (p 1)/2 even numbers modulo p 1, and each of them is a square (cut the exponent in half to get its square root), and also a root of the polynomial: z (p 1)/2 1 mod p by the Euler criterion. Therefore, by the Lagrange theorem for fields, the polynomial above in z can have at most (p 1)/2 roots, so any number x which is an odd power of g cannot be one of its roots, and hence it must satisfy x (p 1)/2 1 mod p, since ( ) z (p 1)/2 2 z p 1 1 mod p so the value of z (p 1)/2 mod p must square to 1, and hence must be ±1 mod p; and as all the even powers of g cover the +1 roots, all the odd powers of g must be the 1 roots. But then the odd powers of g are not squares, since any square x y 2 mod p will result in a value of x (p 1)/2 y p 1 +1 mod p by Euler.

7 HOMEWORK 11 MATH Question 15. Let p be a prime. Explain how one constructs the field F p 2. Explain why, if a F p, the equation x 2 = a always has a root in F p 2. Proof. Fix a number c F p If a F p which is not a square. Then we construct F p 2 = F p [ c] = {x + y c : x, y F p }. is another number which is not a square, then we claim that: a = b c = 0 + b c Fp [ c], for some b F p, and thus a F p 2. To see this, square both sides of the equation to obtain an equation in F p : a b 2 c mod p. Now, in terms of a primitive root g, a, c are both odd powers. Call them a g 2k+1 mod p and c g 2l+1 mod p. It follows that b g 2(k l) mod p, and in particular, it is a square, so a solution for b exists. Question 16. Let N = pq be a product of distinct odd primes and g = gcd(p 1, q 1). Prove that for all x (Z/NZ), x ϕ(n)/g 1 mod N. Proof. We use the Chinese Remainder Theorem: { x x ϕ(n)/g 1 mod N ϕ(n)/g 1 mod p x ϕ(n)/g 1 mod q Since ϕ(n)/g = (p 1) q 1 and q 1 Z, we get that x ϕ(n)/g g g (x p 1 ) (q 1)/g 1 (q 1)/g 1 mod p by Euler s lemma, and likewise we get that it is 1 mod q, proving the result. Question 17. Let N, q > 1 and let R q = (Z/qZ)[x]/(x N 1). Prove that f(x) R q gcd(x N 1, f(x)) (Z/qZ). Proof. (Note that we could have said gcd(f(x), x N 1) = 1, as there is no harm dividing by units, and we usually make this normalization.) There are two directions we must prove. First, assume f(x) R q, and we will show that gcd(x N 1, f(x)) (Z/qZ). Let k(x) denote f(x) 1 so that f(x)k(x) 1 mod x N 1. This means that there exists l(x) (Z/qZ)[x] such that f(x)k(x) = 1 + l(x)(x N 1) f(x)k(x) l(x)(x N 1) = 1. Now, any common divisor d(x) of f(x) and x N 1 divides the entire left hand side of that equality, so it divides 1, that is, d(x) 1, but then d(x) = c R q is a constant unit.

8 8 HOMEWORK 11 MATH 4753 Now, assume gcd(x N 1, f(x)) (Z/qZ). By Bézout s theorem means there exists c (Z/qZ) and k(x), l(x) (Z/qZ)[x] such that k(x)f(x) + l(x)(x N 1) = c. But then reducing modulo x N 1 gives: k(x)f(x) = c in R q, and thus c 1 k(x) = f(x) 1 in R q, so f(x) is invertible. Oklahoma State University, Spring 2017