HOMEWORK 8 SOLUTIONS MATH 4753


Date: May 6, 2017.

In this homework we will practice taking square roots of elements in $\mathbb{F}_p$ in $\mathbb{F}_{p^2}$, and study the encoding scheme suggested by Koblitz for use in elliptic curve cryptosystems. We will start with some basic examples.

Question 1. Solve for $a$ in the equation $\sqrt{5} = a\sqrt{3}$ in $\mathbb{F}_{49}$. (Hint: Your answer should be an element of $\mathbb{F}_7$.)

Solution. We square to get an equation modulo 7: $5 \equiv a^2 \cdot 3 \pmod 7$. This yields $a^2 \equiv 4 \pmod 7$, so $a \equiv \pm 2 \pmod 7$ works.

Question 2. Compute the square root of 6 in $\mathbb{F}_{49}$.

Proof. Really this question is asking us to express this root in a basis we chose like $\mathbb{F}_{49} = \mathbb{F}_7[\sqrt{3}]$, so we repeat the computation of the previous question: $\sqrt{6} = a\sqrt{3}$, squaring both sides yields $6 \equiv 3a^2 \pmod 7$, and we find that $a \equiv \pm 4 \pmod 7$, so $\sqrt{6} = \pm 4\sqrt{3}$.

Define the field $\mathbb{F}_{p^2} = \mathbb{F}_p[\sqrt{3}]$ where $p$ is defined as in the hw8-data.txt file in Sage. These numbers satisfy that $p \equiv 3 \pmod 4$ and 3 is not a square modulo $p$. Remember, we do this as in lecture:

    R.<x> = PolynomialRing(GF(p))
    F.<t> = GF(p^2, modulus = x^2 - 3)

Here the modulus option tells Sage what the defining polynomial of t is. Thus our t will actually be $\sqrt{3}$. Check that you defined this correctly by computing t^2 and seeing if you get 3.

Let $E : y^2 = x^3 + ax + b$ be an elliptic curve defined over $\mathbb{F}_p$. As we mentioned in lecture, Koblitz suggested the following encoding function for elliptic curve cryptosystems:

(1) Encode the message in, say, ASCII, as a number $0 \le m < p$.

(2) Encode the message as a point on an elliptic curve by sending $m \mapsto P_m = (m, \sqrt{m^3 + am + b}) \in E(\mathbb{F}_{p^2})$, where the choice of square root is arbitrary.

Question 3. For the given $p$ in the data file, how many ASCII characters can you encode per message?

Question 4. Use the GF(p).random_element() member function as we did in lecture to select random coefficients a, b for an elliptic curve. Create the elliptic curve E associated to these parameters (but over the field F!) in Sage, and be sure that your parameters do not result in a non-zero discriminant. Implement Koblitz's encoding function for your elliptic curve. Be sure to include a check to make sure the message does not have too many characters. You may find it helpful to use the encoding function from HW7's data file as a model.

Question 5. Use random_element() to find a random $x$ and find a point $P = (x, y) \in E(\mathbb{F}_{p^2})$ to use as P in your public key for the El Gamal cryptosystem. Use randint to find a secret k and then generate Q = k*P to complete your public key.

Question 6. My public key is given as the points P2, Q2 and the curve E2 in the data file (I used the same field $\mathbb{F}_{p^2}$). Create a new copy of your encoding function using my curve E2.

A certain mathematics professor decides to give his students a surprise exam sometime during the week, either Monday, Wednesday, or Friday in lecture. But he tells the students, "If you can guess when the exam will be, I will not give you an exam." A student (let's call him Vizzini) answers: "But it's so simple! All I have to do is divine from what I know of you: are you the sort of professor who would give the exam early in the week, or later? Now, a clever professor would give the exam later in the week, because he would know that only a great fool would fail to study for an exam on Monday. I am not a great fool, so I can clearly not say the exam would be on Friday. But you must have known I was not a great fool, you would have counted on it, so I can clearly not expect the exam earlier in the week." The professor asks if the student has made his decision, but the student replies: "Not remotely. Because our professor studied at Harvard, and as everyone knows, Harvard is entirely peopled with people who love giving exams as early and often as possible, so I can clearly not choose a time later in the week!"

The professor remarks that the student truly has a dizzying intellect, and the student continues, "Wait till I get going! Where was I? Harvard! And you must have suspected I'd have known your academic background, you'd have counted on it, so I clearly cannot choose a time earlier in the week!" Now the professor interrupts Vizzini and says that not only are you just stalling, you have missed the entire logic of the puzzle. Can you answer the question better than Vizzini did?

Question 7. Create an encrypted response to me (using my public key) explaining why the exam cannot be on Friday. (Hint: Is the exam still a surprise if given on Friday?) Conclude that it is logically impossible for me to give you a pop quiz. (You may wish to break up your message into several fragments. Be sure you included a length check as in HW7's ECencode function to avoid your messages wrapping around modulo p and being corrupted.)

Question 8. E-mail your encrypted response from the previous question, as well as your curve's public key to me (i.e., the a, b, P, Q), and decrypt my subsequent response.

Question 9. Let $p \equiv 2 \pmod 3$ throughout this problem.

(1) Prove that the cubing map $x \mapsto x^3 : \mathbb{F}_p \to \mathbb{F}_p$ is a bijection.

Proof. We compute the inverse of the cubing map. In exponent space, we want an exponent $k$ such that $3k \equiv 1 \pmod{p-1}$. Since $p \equiv 2 \pmod 3$, we know that $p - 1 \equiv 1 \pmod 3$, so in particular, $3 \nmid p - 1$, so $\gcd(3, p-1) = 1$. That means that 3 is invertible modulo $p - 1$, so an inverse $k$ does exist mod $p - 1$. Then $x \mapsto x^k$ is the inverse map to the cubing map, because

$(x^3)^k \equiv x^{3k} \equiv x^{1 + l(p-1)} \equiv x \pmod p$

for some $l \in \mathbb{Z}$, where the $p - 1$ power of $x$ goes away by Euler's theorem when $x \not\equiv 0 \pmod p$, and the equation is trivially true when $x \equiv 0 \pmod p$. So essentially the $k$ power is a cube root, but note, it is an integer power, so it still makes sense in modular arithmetic.

(2) For some $b \in \mathbb{F}_p$, let $E$ be the elliptic curve over $\mathbb{F}_p$ given by $E : y^2 = x^3 + b$. Prove that $\#E(\mathbb{F}_p) = p + 1$.

Proof. Since $f(x) = x^3$ is a bijection, so is $f(x) = x^3 + b$. So the possible values of $x^3 + b$ are just all of the different numbers modulo $p$, in some permuted order. Since $(p-1)/2$ of those possible x coordinates are nonzero squares, those each yield 2 distinct y-values so 2 points in the group, the value 0 yields 1 point, and the point $O$ adds one more, yielding $2 \cdot (p-1)/2 + 1 + 1 = p + 1$ points, as claimed.

Question 10. Let $E : y^2 = x^3 + 1$ over $p = 5$. Compute $\#E(\mathbb{F}_{p^2})$, $\#E(\mathbb{F}_{p^3})$, and $\#E(\mathbb{F}_{p^4})$ using the previous question and the formula from lecture.

Solution. Since $p = 5 \equiv 2 \pmod 3$, we know that there are $\#E(\mathbb{F}_5) = p + 1 = 6$ points on the elliptic curve over $\mathbb{F}_p$. As usual, set $t = p + 1 - \#E(\mathbb{F}_p) = 0$, and then we solve for $z$ in the characteristic equation of Frobenius:

$z^2 - tz + p = 0 \implies z = \pm\sqrt{-p}$

Call these roots $\alpha, \beta$. Then our formula is that:

$\#E(\mathbb{F}_{p^k}) = p^k + 1 - \alpha^k - \beta^k.$

Here,

$\#E(\mathbb{F}_{p^2}) = p^2 + 1 - (+\sqrt{-p})^2 - (-\sqrt{-p})^2 = p^2 + 1 + 2p,$

and

$\#E(\mathbb{F}_{p^3}) = p^3 + 1 - (+\sqrt{-p})^3 - (-\sqrt{-p})^3 = p^3 + 1.$

Bonus Question 1 (25 pts). Let $p \equiv 2 \pmod 3$ be an odd prime. Recall from the previous question that the elliptic curve $E : y^2 = x^3 + b$, where $0 \ne b \in \mathbb{F}_p$, satisfies $\#E(\mathbb{F}_p) = p + 1$. Such a curve is called supersingular. [1] Recall from lecture that if $t_p = p + 1 - \#E(\mathbb{F}_p)$ so that $\#E(\mathbb{F}_p) = p + 1 - t_p$, then

$\tau_p^2(P) - t_p \tau_p(P) + pP = O$

for all $P \in E(\overline{\mathbb{F}}_p)$, where $\tau_p(x, y) = (x^p, y^p)$ is the Frobenius map on $E$ and $\tau_p^2(P) = \tau_p(\tau_p(P))$, that is, $\tau_p^2(x, y) = (x^{p^2}, y^{p^2})$, and $\overline{\mathbb{F}}_p = \bigcup_{k \ge 1} \mathbb{F}_{p^k}$, identified with the natural inclusions.

[1] This definition applies when $p \ge 5$, otherwise the notion is defined slightly differently. Here the word "singular" does not mean, as it usually does, having a singularity on the curve like a cusp, where the tangent line is undefined. But rather, the word "singular" is used in the original sense of "special." These supersingular curves were special amongst the original class of special curves, and thus "supersingular" is used here in the sense of "very special."

(1) Prove that the p-torsion $E[p] = \{P \in E(\overline{\mathbb{F}}_p) : pP = O\}$ of $E(\overline{\mathbb{F}}_p)$ satisfies $E[p] = \{O\}$.

(2) Compute $E[p^n] = \{P \in E(\overline{\mathbb{F}}_p) : p^n P = O\}$ for all $n \in \mathbb{N}$.

(3) Prove that $E[p+1] = E(\mathbb{F}_{p^2})$. Compute $\#E[p+1]$ by using the formula from lecture to compute $\#E(\mathbb{F}_{p^n})$ when $n = 2$.

(4) Suppose $b$ is not a square modulo $p$. Consider the point $P = (0, \sqrt{b}) \in E(\mathbb{F}_{p^2})$. Compute $p^n P$ for all $n \in \mathbb{N}$.

(5) Now suppose to the contrary that $b = \beta^2 \bmod p$ for some $\beta \in \mathbb{F}_p$, that is, $b$ is a square. Let $P = (0, \beta) \in E(\mathbb{F}_p)$ and compute $p^n P$ for all $n \in \mathbb{N}$.

Oklahoma State University, Spring 2017
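The square-root computation of Questions 1 and 2 and Koblitz's encoding with its length check (Questions 3 and 4), as an added Python example that is not part of the original homework or its Sage data file. The prime `P`, the coefficients `A`, `B` and all function names are constructed stand-ins for the values in hw8-data.txt.

```python
# Added example: square roots in F_{p^2} = F_p[sqrt(3)] and Koblitz's encoding.
# An element u + v*sqrt(3) is stored as the pair (u, v).
# P, A, B are constructed stand-ins; the real values live in hw8-data.txt.

P = 2**127 - 1   # constructed prime: P % 4 == 3 and 3 is a non-square mod P
A, B = 2, 3      # constructed curve coefficients, 4*A^3 + 27*B^2 != 0 mod P


def sqrt_fp2(c, p):
    """Square root in F_p[sqrt(3)] of c in F_p, for p = 3 mod 4, 3 a non-square."""
    c %= p
    r = pow(c, (p + 1) // 4, p)          # a root of c whenever c is a square mod p
    if r * r % p == c:
        return (r, 0)
    # c is a non-square, so c/3 is a square: sqrt(c) = a*sqrt(3) with a^2 = c/3
    a = pow(c * pow(3, -1, p), (p + 1) // 4, p)
    assert 3 * a * a % p == c
    return (0, a)


def max_chars(p):
    """Largest n with 256^n <= p, so every n-byte message gives m < p."""
    n = 0
    while 256 ** (n + 1) <= p:
        n += 1
    return n


def koblitz_encode(msg, a=A, b=B, p=P):
    """Map ASCII text to the point (m, sqrt(m^3 + a*m + b)) of E(F_{p^2})."""
    data = msg.encode("ascii")
    if len(data) > max_chars(p):
        raise ValueError("message too long: it would wrap around modulo p")
    m = int.from_bytes(data, "big")
    return m, sqrt_fp2(m**3 + a * m + b, p)


def on_curve(point, a=A, b=B, p=P):
    m, (u, v) = point
    # (u + v*sqrt(3))^2 = u^2 + 3*v^2 + 2*u*v*sqrt(3); one of u, v is always 0 here
    return u * v % p == 0 and (u * u + 3 * v * v) % p == (m**3 + a * m + b) % p


def koblitz_decode(point):
    m = point[0]
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("ascii")
```

With this constructed 127-bit prime a message holds at most 15 ASCII characters, which is why longer text has to be split into fragments before encryption.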
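A numerical check of Questions 9 and 10, as an added Python example that is not part of the original solutions: it counts points by brute force over $\mathbb{F}_p$ and over $\mathbb{F}_{25}$ and compares with the formula $\#E(\mathbb{F}_{p^k}) = p^k + 1 - \alpha^k - \beta^k$. The function names and the model $\mathbb{F}_{25} = \mathbb{F}_5[\sqrt{3}]$ are choices made for this example.

```python
# Added example: check #E(F_p) = p + 1 and the F_{p^k} formula for y^2 = x^3 + 1, p = 5.
# F_25 is modelled as F_5[sqrt(3)] (3 is a non-square mod 5); (u, v) means u + v*sqrt(3).

def count_fp(b, p):
    """#E(F_p) for y^2 = x^3 + b by brute force, including the point O."""
    squares = {}
    for y in range(p):
        squares[y * y % p] = squares.get(y * y % p, 0) + 1
    return 1 + sum(squares.get((x**3 + b) % p, 0) for x in range(p))


def mul(s, t, p, d=3):
    """(s0 + s1*sqrt(d)) * (t0 + t1*sqrt(d)) in F_p[sqrt(d)]."""
    return ((s[0] * t[0] + d * s[1] * t[1]) % p, (s[0] * t[1] + s[1] * t[0]) % p)


def count_fp2(b, p, d=3):
    """#E(F_{p^2}) by brute force over all pairs (x, y) in F_p[sqrt(d)]."""
    field = [(u, v) for u in range(p) for v in range(p)]
    total = 1  # the point O
    for x in field:
        x3 = mul(mul(x, x, p, d), x, p, d)
        rhs = ((x3[0] + b) % p, x3[1])
        total += sum(1 for y in field if mul(y, y, p, d) == rhs)
    return total


def count_by_formula(p, n1, k):
    """#E(F_{p^k}) = p^k + 1 - (alpha^k + beta^k), with t = p + 1 - n1.

    s_k = alpha^k + beta^k obeys s_k = t*s_{k-1} - p*s_{k-2}, s_0 = 2, s_1 = t,
    because alpha and beta are the roots of z^2 - t*z + p = 0.
    """
    t = p + 1 - n1
    s_prev, s = 2, t
    for _ in range(k - 1):
        s_prev, s = s, t * s - p * s_prev
    return p**k + 1 - s
```

The recurrence avoids working with $\sqrt{-p}$ directly, so the formula can be evaluated in exact integer arithmetic for any $k$.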