# Elliptic Curve Cryptography

AI and Robotics

Nov 21, 2013 (4 years and 5 months ago)

77 views

1

Elliptic Curve Cryptography

(Midterm, 2009 Spring,

)

[1]

(a)

17 points.

x

x
3
+
2x
+
4

y

y

y
2

0

4

㈬‱1

0

0

1

7

X

ㄬ‱1

1

2

3

㐬‹

㈬‱1

4

3

X

㌬‱3

9

4

X

㐬‹

3

5

9

㌬‱3

㔬‸

6

X

㘬‷

7

㘬‷

8

㔬‸

9

㘬‷

㘬‷

5

X

1

ㄬ‱1

ⴭ-

ⴭ-

⡢(

⠸ⰵ(

λ
=
3
×
2
2
+
2
2
×
4
=
14
8
=
7
4
=
7
×
10
=
5

x
3
=
5
2

2
×
2
=
21
=
8
,
y
3
=
(
2

8
)
×
5

4
=
35

4
=
31
=
5

(c)

(7,6)

λ
=
5

4
8

2
=
1
6
=
11

x
3
=
11
2

8

2
=
111
=
7
,
y
3
=
(
8

7
)
×
11

5
=
6

(d)

Find a
u

𝔽
13

,
E
2
:
y
2
=
x
3
+
u
4
ax
+
u
6
b

The isomorphism
ϕ
:
(
x
,
y
)

(
u
2
x
,
u
3
y
)
,
ϕ
(

)
=

2

u

E
2

Isomorphism

2

y
2
=
x
3
+
6x
+
9

(4x, 8y)

3

y
2
=
x
3
+
6x
+
4

(9x, y)

4

y
2
=
x
3
+
5x
+
4

(3x, 12y)

5

y
2
=
x
3
+
2x
+
9

(12x, 8y)

6

y
2
=
x
3
+
5x
+
9

(10x, 8y)

7

y
2
=
x
3
+
5x
+
9

(10x, 5y)

8

y
2
=
x
3
+
2x
+
9

(12x, 5y)

9

y
2
=
x
3
+
5x
+
4

(3x, y)

10

y
2
=
x
3
+
6x
+
4

(9x, 12y)

11

y
2
=
x
3
+
6x
+
9

(4x, 5y)

[2]

(Note: one of the two is accepted.)

(a)
189 (or 219)

a

23

(
mod

30
)

Since
|
a
|

2

211

29
, a = 23 or a =
-
7.

So,
#
E
(
F
211
)
=
211
+
1

23
=
189

or
#
E
(
F
211
)
=
211
+
1

(

7
)
=
219

(b)
151 (or 241)

The number of points
P

E
(
𝔽
̅
211
)

such that
ϕ
211
(
P
)
=
3P

is
deg

(
ϕ
211

3
)

For a = 23,
deg
(
ϕ
211

3
)
=
211
+
9

3
×
23
=
151

For a =
-
7,
deg
(
ϕ
211

3
)
=
211
+
9

3
×
(

7
)
=
241

[3]

(a)

154

a = 131 + 1
-

#E(F
131
) = 22.

131

3

(
mod

4
)
,
(

1
131
)
=

1

#E
1
(F
131
) = #E
(
-
1)
(F
131
) = 131 + 1

(

1
131
)
×
22

= 132 + 22 = 154.

(b)
16940

#E(
F
131
2
) = #E(F
131
)
×

#E
(
-
1)
(F
131
) = 110
×

154 = 16940.

By subfield curve:

s
0
=
2
,
s
1
=
22
,
s
2
=
22
×
22

131
×
2
=
222

#E(
F
131
2
) = 131
2

+ 1

222 = 16940.

3

(c)
2

By Fermat

s Theorem,
131
10

1

(
mod

11
)
,
(

1
)
10

1

(
mod

11
)

Find the smallest k such that
(

1
)
k

1

(
mod

11
)

Obviously, k=2.

(d)
μ
11
=
{
g
1560
,
g
3120
,
g
4680
,
g
6240
,
g
7800
,
g
9360
,
g
10920
,
g
12480
,
g
14040
,

g
15600
,
g
17160
(
=
1
=
g
0
)

}

F
131
2

=
{
g
i

i
>
0
}
, and
g
17160
=
1
.

Then,
μ
11
=
{
g
i

17160
|
11i
,
i
>
0
}
=
{
g
1560i

1

i

11
}
.

[
4
]

(a)

f
(
x
)
=
x
3

is 1
-
1.

Thus for each
y

F
7841
,

!
x

F
7841

such that
(
x
,
y
)

E
(
F
7841
)

#E(F
7841
) = 7841 + 1 = 7842. a = 0

E is supersingular.

(b)

Choose x randomly, and find a point
P
(
x
,
y
)

E
.
Then compute 6P.

If
Q
=
6P

, Q is a point of order 1307.

If
Q
=

, Choose another x.

(c)

β
(
P
+
Q
)
=
β
(
P
)
+
β
(
Q
)
,

Claim
β
(
nP
)
=
n
β
(
P
)
.

For n=0:
β
(
0P
)
=
β
(

)
=

=

(
P
)
.

Suppose n=k:
β
(
kP
)
=
k
β
(
P
)
,

Then, n=k+1:
β
(
(
k
+
1
)
P
)
=
β
(
kP
+
P
)
=
β
(
kP
)
+
β
(
P
)
=
k
β
(
P
)
+
β
(
P
)

=

(
k
+
1
)
β
(
P
)

By induction,
β
(
nP
)
=
n
β
(
P
)
.

So,
1307β
(
P
)
=
β
(
1307P
)
=
β
(

)
=

, That is,
β
(
P
)

is a point of order 1307.

[
5
]

(a)

f
(
x
,
y
)
=
y

14
x

11

div(y
-
14) = [(5,14)] + [(11,14)] + [(1,14)]

3[

]

div(
x
-
11) = [(11,3)] + [(11,14)]
-

2[

]

div(f) = [(5,14)] + [(1,14)]

[(11,3)]
-

[

] = div(y
-
14)

div(x
-
11) =
div
(
y

14
x

11
)
.

4

(b)

2[(4,9)] + [(9,9)
]

2[(2,6)]

2[(2,11)] + [

]

div(x
-
2) = [(2,6)] + [(2,11)
]
-

2
[

]

div(y
-
9) = 2[(4,9)] + [(9,9
)]
-

3
[

]

div(
g) = div(y
-
9)

2div(x
-
2)

= 2[(4,9)] + [(9,9)
]

2[(2,6)]

2[(2,11)] + [

]

(c)

[(10,7)]

[

]

sum(D) =
3
×
5P
+
19P
+
2
×
17P

6
×
10P

=
8P

= (10,7)

[
6
]

7

D
Q

= [(1,1)]

[(2,6)]

Initial setting: i=5, j=0, k=1, v
j
=1, v
k
=1.

Step 1:

i=5 is odd

i
=5
-
1=4, j=0+1=1, k=1, v
j
=1, v
k
=1.

Step 2:

i=4 is even

i=4/2=2, j=1, k=1
×2
=2, v
j
=1, v
k
=3

The tangent line at kP=P=(7,2):
λ
=
3
×
7
2
+
2
2
×
2
=
3
2
=
3
×
7
=
8
, L: 8x
-
y
-
2=0

The vertical line at 2kP=(11,5): L: x+2=0

v
2

= v
1
×
v
1
×
8x

y

2
x
+
2
|
D
Q
= 1
×
1
×
(
8
×
1

1

2
)
(
2
+
2
)
(
8
×
2

6

2
)
(
1
+
2
)

=
7
11

= 7
×
6 = 3

Step 3:

i=2 is even

i=2/2=1, j=1, k=2
×2
=4, v
j
=1, v
k
=8

The tangent line at kP=
2
P
=(11,5
):
λ
=
3
×
11
2
+
2
2
×
5
=
1
10
=
1
×
4
=
4
, L:
4x
-
y
=0

The vert
ical line at 2kP=(7,11): L: x+6
=0

v
4

= v
2
×
v
2
×
4x

y
x
+
6
|
D
Q
=
3
×
3
×
(
4
×
1

1
)
(
2
+
6
)
(
4
×
2

6
)
(
1
+
6
)

=
9
×
11
1

= 8

Step 4:

i=1 is odd

i=1
-
1=0, j=1+4=5, k=4, v
j
=7, v
k
=8

The divisor [P] + [4P
]

[5P
]

[

]

= [(7,2)] + [(7,11)]

2[

] = div(x+6)

v
5
= v
1
×
v
4
×
(
x
+
6
)
|
D
Q
= 1
×
8
×
(
1
+
6
)
(
2
+
6
)

= 8
×
7
8

= 7

[7]

5

Elliptic Curve Cryptography

(
Final
, 2009 Spring,

)

[1]

(a)

x

y

4
x

11
.

div(
x
-
y
-
4) = [(10,6)] + [(6,2)] + [(11,7)]

3[

]

div(x
-
11) = [(11,6
)
] + [(11,7)]

2[

]

Since div(f) = div(x
-
y
-
4)

div(x
-
11),
f
(
x
,
y
)
=
x

y

4
x

11

(b)

[(6,2)]

[

]

D = 3[(11,7)] + 4[(5,6)]

6[(5,7)]

[

]

sum(D) =
3
×
6P
+
4
×
4P

6
×
7P

=
-
8P = 3P

D ~ [3P]

[

] =
[
(6,2
)
]

[

]

[2]

(a)

(6,4)

C(F
7
) = {

, (1,1), (1,5), (2,2), (2,3), (5,3), (5,6), (6,4)}

Check all finite points in
C(F
7
)
:

(
1
,
1
)
̃
=
(
1
,
5
)
,
(
2
,
2
)
̃
=
(
2
,
3
)
,
(
5
,
3
)
̃
=
(
5
,
6
)
,
(
6
,
4
)
̃
=
(
6
,
4
)

The special point of
C(F
7
)
: (6,4)

(b)

[(1,1)] + [(1,5
)]

+ 4[(6,4
)
] + 2[(2,2
)
] +
2[(2,3
)
]

10[

]

div(G) = div(y
2
+xy+6x
4
+6x
3
+x
2
+6x)

= div(x
5
+5x
4
+6x
2
+x+3+
6x
4
+6x
3
+x
2
+6x
)

= div(
x
5
+
4
x
4
+6x
3
+ 3
)

= div((x
-
1)(x+1)
2
(x
-
2)
2
)

= div(x
-
1) + 2div(x+1) + 2div(x
-
2)

=
[(1,1)] + [(1,5
)]

+ 4[(6,4
)
] + 2[(2,2
)
] + 2[(2,3
)
]

10[

]

[3]

(a)

(g
5
,0)

P = (g,1),
λ
=
g
2
+
1
g
=
g
6
g
=
g
5
,
x
3
=
λ
2
+
λ
+
g
3
+
g
+
g
=
g
3
+
g
5
+
g
3
=
g
5
,

y
3
=
(
g
+
g
5
)
×
g
5
+
g
5
+
1
=
g
4
+
g
5
+
1
=
0
.

(b)

261144

#
E
(
F
2
3
)
=
6
=
2
3
+
1

s
1
,
s
1
=
3
. Let
q
=
2
3
.

By subfield curve:

6

s
0
=
2
,
s
1
=
3
,
s
2
=
3
×
3

2
3
×
2
=

7
,
s
3
=
3
×
(

7
)

2
3
×
3
=

45
,

s
4
=
3
×
(

45
)

2
3
×
(

7
)
=

79
,
s
5
=
3
×
(

79
)

2
3
×
(

45
)
=
123
,

s
6
=
3
×
123

2
3
×
(

79
)
=
1001
, so

#
E
(
F
2
18
)
=
#
E
(
F
q
6
)
=
2
18
+
1

1001
=
261144
.

[4]

(a)

A divisor D is defined over F
3

if
D
σ
=
D

for all automorphisms of
F
̅
3

over F
3
,

The generator of automorphisms of
F
̅
3

over F
3

is
σ
:
x

x
3
.

So, we just check the generator
of automorphisms of
F
̅
3

over F
3
.

D
1
=
P
5
+
P
6

2∞
,
σ
(
P
5
)
=
P
6
,
σ
(
P
6
)
=
P
5
, and hence
D
1
σ
=
D
1
.

D
1

is defined over F
3
, and is a reduced divisor of C.

D
2
=
P
5
+
P
9

2∞
,
σ
(
P
5
)
=
P
6
,
σ
(
P
9
)
=
P
10
, and hence
D
2
σ

D
2
.

D
2

is
note
defined over F
3
.

(b)

D
1
=
2
P
2

, P
2

= (1,2).

a(x) = (x
-
1)(x
-
1) = x
2

2x + 1 = x
2

+ x + 1

Since
deg
(
b
(
x
)
)

deg
(

(
𝑥
)
)
, assume b(x) = mx+n.

Then, (1,2) is a root of B(x,y) = b(x)
-
y of degree 2.

Therefore, b(1)
-
2 = 0, i.e. m+n=2, and B

(1,2) = 0.

B

(
x
,
y
)
=
m

y

x
=
m

2
x
4
+
2
x
3
2y
, so m

1 = 0.

Therefore, m = n = 1. b(x) = x + 1.

(c)

7D

D
2
=
3
P
2

3
P
3
=
3
(
P
2

)

3
(
P
3

)
=
3
×
4D

3
×
13D
=

27D
=
7D
.

[5]

(a)

a
<


,
|
b
|

|
a
|
,
b
2

a
2
.
0
<


,

c

a
.

D
=
b
2

4ac

a
2

4ac

a
2

4
a
2
=

3
a
2
,
3
a
2

D
,
a

D
3

(b)

(1,1,7)

By (a), a = 1, 2, 3.

When a = 1, (b,c) = (1,7).

When a = 2, there is no (b,c).

When a = 3, (b,c) = (3,3) satisfies (1)
-
(4),
but gcd(a,b,c) = 3.

Therefore, we have only (1,1,7).

7

(c)

57

P(X) = X + 40, X =
-
40 = 57.

(d)

Step 1: Construct
E
1
:
y
2
=
x
3
+
3j
1728

j
x
+
2j
1728

j

over F
97
.

Step 2: Choose
P

E
1
(
F
97
)

randomly, and check if
79P
=

.

Step 3: If P is of order 79, then
E
1

is the desired curve. Done.

Step 4: Otherwise, find
k

F
97

such that k is quadratic non
-
residue in F
97
, and
construct
E
2
:
y
2
=
x
3
+
k
2
3j
1728

j
x
+
k
3
2j
1728

j
, the twist curve of
E
1
.

Then,
E
2

is the desired curve.

[6]

[7]

(a)

#
E
(
F
p
)
=
p
+
1
+

(

x
3
+
x
p

)
x

F
p
. Claim

(

x
3
+
x
p

)
x

F
p
=
0
.

(

x
3
+
x
p

)
x

F
p
=

(

x
3
+
x
p

)
p

1
x
=
0
=
(

x
3
+
x
p

)
|
x
=
0
+

(

x
3
+
x
p

)
p

1
x
=
1
=
0
+

(
(

x
3
+
x
p

)
+
(
(

x
)
3
+
(

x
)
p
)
)
p

1
2
x
=
1
=

(
(

x
3
+
x
p

)
+
(

(

x
3
+
x
)
p

)
)
p

1
2
x
=
1
=

0
p

1
2
x
=
1
=
0

So,
#
E
(
F
p
)
=
p
+
1
, and E is supersingular.

(b)

ϕ
(
P
)
=
(

x
,
𝑖
y
)

E
(
F
p
2
)
\
E
(
F
p
)
.

Let
P
1
=
(
x
1
,
y
1
)
,
P
2
=
(
x
2
,
y
2
)

P
1
+
P
2
:
λ
=
{
3
x
1
2
+
1
2
y
1
if

P
1
=
P
2
y
2

y
1
x
2

x
1
if

P
1

P
2
,
x
3
=
λ
2

x
1

x
2
,

y
3
=
(
x
1

x
3
)
λ

y
1
=
(
2
x
1
+
x
2

λ
2
)
λ

y
1
.

ϕ
(
P
1
+
P
2
)
=
(
x
1
+
x
2

λ
2
,
(
2
x
1
+
x
2

λ
2
)
𝑖
λ

𝑖
y
1
)
.

ϕ
(
P
1
)
=
(

x
1
,
𝑖
y
1
)
,
ϕ
(
P
2
)
=
(

x
2
,
𝑖
y
2
)

8

ϕ
(
P
1
)
+
ϕ
(
P
2
)
:
λ

=
{
3
x
1
2
+
1
2
𝑖
y
1
if

P
1
=
P
2
𝑖
y
2

𝑖
y
1
x
1

x
2
if

P
1

P
2
,
λ

=

𝑖
λ
.

x
3
=
λ
′2
+
x
1
+
x
2
=
x
1
+
x
2

λ
2
,

y
3
=
(

x
1

x
3
)
λ

𝑖
y
1
=
(
2
x
1
+
x
2

λ
2
)
𝑖
λ

𝑖
y
1

ϕ
(
P
1
+
P
2
)
=
ϕ
(
P
1
)
+
ϕ
(
P
2
)
.

So,
ϕ

is an endomorphism. Therefore,
ϕ

is a distortion map.

(c)

9+
i

D
ϕ
(
P
)
=
[
ϕ
(
P
)
+
(
0
,
0
)
]

[
(
0
,
0
)
]
=
[
(
15
,
12
𝑖
)
]

[
(
0
,
0
)
]
.

Initial setting: i=5, j=0, k=1, v
j
=1, v
k
=1.

Step 1:

i=5 is odd

i=5
-
1=4, j=0+1=1, k=1, v
j
=1, v
k
=1.

Step 2:

i=4 is even

i=4/2=2, j=1, k=1
×2
=2, v
j
=1, v
k
=8
-
5
i

The tangent line at kP=P=(5,4):
λ
=
3
×
5
2
+
1
2
×
4
=
0
8
=
0
, L: y

4 = 0

The vertical line at 2kP=(9,15): L: x

9 = 0

v
2

=

v
1
2
×
y

4
x

9
|
D
ϕ
(
P
)
=
1
2
×
(

4
+
12
𝑖
)
(
0

9
)
(
15

9
)
(
0

4
)
=

2
+
6
𝑖

5
=
8

5
𝑖
.

Step 3:

i=2 is even

i=2/2=1,
j=1, k=2
×2
=4, v
j
=1, v
k
=5+9
i

The tangent line at kP=2P=(9,15):
λ
=
3
×
9
2
+
2
2
×
15
=
16
11
=

2
, L: y + 2x + 5 = 0

The vertical line at 2kP=(5,15): L: x

5 = 0

v
4
=
v
2
2
×
y
+
2x
+
5
x

5
|
D
ϕ
(
P
)
=
(
8

5
𝑖
)
2
×
(

3
+
12
𝑖
)
(

5
)
(
10
)
(
5
)
=
5
+
9
𝑖
.

Step 4:

i=1 is odd

i=1
-
1=0, j=1+4=5, k=4, v
j
=9+
i
, v
k
=5+9
i

The divisor [P] + [4P
]

[5P
]

[

]

= [(5,4)] + [(5,15)]

2[

] = div(x
-
5)

v
5
=
v
1
×
v
4
×
(
x

5
)
|
D
ϕ
(
P
)
=
1
×
(
5
+
9
𝑖
)
×
(
10
)
(

5
)
=
9
+
𝑖
.