Elliptic Curve Cryptography

wanderooswarrenAI and Robotics

Nov 21, 2013 (3 years and 11 months ago)

70 views

1


Elliptic Curve Cryptography

(Midterm, 2009 Spring,
交大資工所
)


[1]

(a)

17 points.

x

x
3
+
2x
+
4

y


y

y
2

0

4

㈬‱1


0

0

1

7

X


ㄬ‱1

1

2

3

㐬‹


㈬‱1

4

3



X


㌬‱3

9

4



X


㐬‹

3

5

9

㌬‱3


㔬‸



6



X


㘬‷



7



㘬‷




8



㔬‸




9



㘬‷








㘬‷






5

X






1

ㄬ‱1




ⴭ-

ⴭ-







⡢(

⠸ⰵ(

λ
=
3
×
2
2
+
2
2
×
4
=
14
8
=
7
4
=
7
×
10
=
5

x
3
=
5
2

2
×
2
=
21
=
8
,
y
3
=
(
2

8
)
×
5

4
=
35

4
=
31
=
5


(c)

(7,6)

λ
=
5

4
8

2
=
1
6
=
11

x
3
=
11
2

8

2
=
111
=
7
,
y
3
=
(
8

7
)
×
11

5
=
6


(d)

Find a
u

𝔽
13

,
E
2
:
y
2
=
x
3
+
u
4
ax
+
u
6
b

The isomorphism
ϕ
:
(
x
,
y
)

(
u
2
x
,
u
3
y
)
,
ϕ
(

)
=





2


u

E
2

Isomorphism

2

y
2
=
x
3
+
6x
+
9

(4x, 8y)

3

y
2
=
x
3
+
6x
+
4

(9x, y)

4

y
2
=
x
3
+
5x
+
4

(3x, 12y)

5

y
2
=
x
3
+
2x
+
9

(12x, 8y)

6

y
2
=
x
3
+
5x
+
9

(10x, 8y)

7

y
2
=
x
3
+
5x
+
9

(10x, 5y)

8

y
2
=
x
3
+
2x
+
9

(12x, 5y)

9

y
2
=
x
3
+
5x
+
4

(3x, y)

10

y
2
=
x
3
+
6x
+
4

(9x, 12y)

11

y
2
=
x
3
+
6x
+
9

(4x, 5y)



[2]

(Note: one of the two is accepted.)

(a)
189 (or 219)

a

23

(
mod


30
)

Since
|
a
|

2

211

29
, a = 23 or a =
-
7.

So,
#
E
(
F
211
)
=
211
+
1

23
=
189

or
#
E
(
F
211
)
=
211
+
1

(

7
)
=
219


(b)
151 (or 241)

The number of points
P

E
(
𝔽
̅
211
)

such that
ϕ
211
(
P
)
=
3P

is
deg

(
ϕ
211

3
)

For a = 23,
deg
(
ϕ
211

3
)
=
211
+
9

3
×
23
=
151

For a =
-
7,
deg
(
ϕ
211

3
)
=
211
+
9

3
×
(

7
)
=
241


[3]

(a)

154

a = 131 + 1
-

#E(F
131
) = 22.

131

3

(
mod


4
)
,
(

1
131
)
=

1

#E
1
(F
131
) = #E
(
-
1)
(F
131
) = 131 + 1


(

1
131
)
×
22

= 132 + 22 = 154.


(b)
16940

#E(
F
131
2
) = #E(F
131
)
×

#E
(
-
1)
(F
131
) = 110
×

154 = 16940.


By subfield curve:

s
0
=
2
,
s
1
=
22
,
s
2
=
22
×
22

131
×
2
=
222

#E(
F
131
2
) = 131
2

+ 1


222 = 16940.

3


(c)
2

By Fermat

s Theorem,
131
10

1

(
mod

11
)
,
(

1
)
10

1

(
mod

11
)

Find the smallest k such that
(

1
)
k

1

(
mod

11
)

Obviously, k=2.


(d)
μ
11
=
{
g
1560
,
g
3120
,
g
4680
,
g
6240
,
g
7800
,
g
9360
,
g
10920
,
g
12480
,
g
14040
,























g
15600
,
g
17160
(
=
1
=
g
0
)

}


F
131
2

=
{
g
i


i
>
0
}
, and
g
17160
=
1
.

Then,
μ
11
=
{
g
i

17160
|
11i
,
i
>
0
}
=
{
g
1560i

1

i

11
}
.


[
4
]

(a)

f
(
x
)
=
x
3

is 1
-
1.

Thus for each
y

F
7841
,

!
x

F
7841

such that
(
x
,
y
)

E
(
F
7841
)


#E(F
7841
) = 7841 + 1 = 7842. a = 0


E is supersingular.


(b)

Choose x randomly, and find a point
P
(
x
,
y
)

E
.
Then compute 6P.

If
Q
=
6P


, Q is a point of order 1307.

If
Q
=

, Choose another x.



(c)

β
(
P
+
Q
)
=
β
(
P
)
+
β
(
Q
)
,

Claim
β
(
nP
)
=
n
β
(
P
)
.

For n=0:
β
(
0P
)
=
β
(

)
=

=

(
P
)
.

Suppose n=k:
β
(
kP
)
=
k
β
(
P
)
,

Then, n=k+1:
β
(
(
k
+
1
)
P
)
=
β
(
kP
+
P
)
=
β
(
kP
)
+
β
(
P
)
=
k
β
(
P
)
+
β
(
P
)




















































=

(
k
+
1
)
β
(
P
)


By induction,
β
(
nP
)
=
n
β
(
P
)
.

So,
1307β
(
P
)
=
β
(
1307P
)
=
β
(

)
=

, That is,
β
(
P
)

is a point of order 1307.


[
5
]

(a)

f
(
x
,
y
)
=
y

14
x

11

div(y
-
14) = [(5,14)] + [(11,14)] + [(1,14)]


3[

]

div(
x
-
11) = [(11,3)] + [(11,14)]
-

2[

]

div(f) = [(5,14)] + [(1,14)]


[(11,3)]
-

[

] = div(y
-
14)


div(x
-
11) =
div
(
y

14
x

11
)
.


4


(b)

2[(4,9)] + [(9,9)
]



2[(2,6)]


2[(2,11)] + [

]

div(x
-
2) = [(2,6)] + [(2,11)
]
-

2
[

]

div(y
-
9) = 2[(4,9)] + [(9,9
)]
-

3
[

]

div(
g) = div(y
-
9)


2div(x
-
2)

= 2[(4,9)] + [(9,9)
]



2[(2,6)]


2[(2,11)] + [

]


(c)

[(10,7)]


[

]

sum(D) =
3
×
5P
+
19P
+
2
×
17P

6
×
10P

=
8P

= (10,7)


[
6
]

7


D
Q

= [(1,1)]


[(2,6)]

Initial setting: i=5, j=0, k=1, v
j
=1, v
k
=1.

Step 1:

i=5 is odd


i
=5
-
1=4, j=0+1=1, k=1, v
j
=1, v
k
=1.

Step 2:

i=4 is even


i=4/2=2, j=1, k=1
×2
=2, v
j
=1, v
k
=3

The tangent line at kP=P=(7,2):
λ
=
3
×
7
2
+
2
2
×
2
=
3
2
=
3
×
7
=
8
, L: 8x
-
y
-
2=0

The vertical line at 2kP=(11,5): L: x+2=0

v
2

= v
1
×
v
1
×
8x

y

2
x
+
2
|
D
Q
= 1
×
1
×
(
8
×
1

1

2
)
(
2
+
2
)
(
8
×
2

6

2
)
(
1
+
2
)

=
7
11

= 7
×
6 = 3

Step 3:

i=2 is even


i=2/2=1, j=1, k=2
×2
=4, v
j
=1, v
k
=8

The tangent line at kP=
2
P
=(11,5
):
λ
=
3
×
11
2
+
2
2
×
5
=
1
10
=
1
×
4
=
4
, L:
4x
-
y
=0

The vert
ical line at 2kP=(7,11): L: x+6
=0

v
4

= v
2
×
v
2
×
4x

y
x
+
6
|
D
Q
=
3
×
3
×
(
4
×
1

1
)
(
2
+
6
)
(
4
×
2

6
)
(
1
+
6
)

=
9
×
11
1

= 8

Step 4:

i=1 is odd


i=1
-
1=0, j=1+4=5, k=4, v
j
=7, v
k
=8

The divisor [P] + [4P
]



[5P
]



[

]

= [(7,2)] + [(7,11)]


2[

] = div(x+6)

v
5
= v
1
×
v
4
×
(
x
+
6
)
|
D
Q
= 1
×
8
×
(
1
+
6
)
(
2
+
6
)

= 8
×
7
8

= 7


[7]







5


Elliptic Curve Cryptography

(
Final
, 2009 Spring,
交大資工所
)

[1]

(a)

x

y

4
x

11
.

div(
x
-
y
-
4) = [(10,6)] + [(6,2)] + [(11,7)]


3[

]

div(x
-
11) = [(11,6
)
] + [(11,7)]


2[

]

Since div(f) = div(x
-
y
-
4)


div(x
-
11),
f
(
x
,
y
)
=
x

y

4
x

11

(b)

[(6,2)]


[

]

D = 3[(11,7)] + 4[(5,6)]


6[(5,7)]


[

]

sum(D) =
3
×
6P
+
4
×
4P

6
×
7P

=
-
8P = 3P

D ~ [3P]


[

] =
[
(6,2
)
]


[

]



[2]

(a)

(6,4)

C(F
7
) = {

, (1,1), (1,5), (2,2), (2,3), (5,3), (5,6), (6,4)}

Check all finite points in
C(F
7
)
:

(
1
,
1
)
̃
=
(
1
,
5
)
,
(
2
,
2
)
̃
=
(
2
,
3
)
,
(
5
,
3
)
̃
=
(
5
,
6
)
,
(
6
,
4
)
̃
=
(
6
,
4
)

The special point of
C(F
7
)
: (6,4)

(b)

[(1,1)] + [(1,5
)]

+ 4[(6,4
)
] + 2[(2,2
)
] +
2[(2,3
)
]


10[

]

div(G) = div(y
2
+xy+6x
4
+6x
3
+x
2
+6x)


= div(x
5
+5x
4
+6x
2
+x+3+
6x
4
+6x
3
+x
2
+6x
)


= div(
x
5
+
4
x
4
+6x
3
+ 3
)


= div((x
-
1)(x+1)
2
(x
-
2)
2
)


= div(x
-
1) + 2div(x+1) + 2div(x
-
2)


=
[(1,1)] + [(1,5
)]

+ 4[(6,4
)
] + 2[(2,2
)
] + 2[(2,3
)
]


10[

]


[3]

(a)

(g
5
,0)

P = (g,1),
λ
=
g
2
+
1
g
=
g
6
g
=
g
5
,
x
3
=
λ
2
+
λ
+
g
3
+
g
+
g
=
g
3
+
g
5
+
g
3
=
g
5
,

y
3
=
(
g
+
g
5
)
×
g
5
+
g
5
+
1
=
g
4
+
g
5
+
1
=
0
.

(b)

261144

#
E
(
F
2
3
)
=
6
=
2
3
+
1

s
1
,
s
1
=
3
. Let
q
=
2
3
.

By subfield curve:

6


s
0
=
2
,
s
1
=
3
,
s
2
=
3
×
3

2
3
×
2
=

7
,
s
3
=
3
×
(

7
)

2
3
×
3
=

45
,

s
4
=
3
×
(

45
)

2
3
×
(

7
)
=

79
,
s
5
=
3
×
(

79
)

2
3
×
(

45
)
=
123
,

s
6
=
3
×
123

2
3
×
(

79
)
=
1001
, so

#
E
(
F
2
18
)
=
#
E
(
F
q
6
)
=
2
18
+
1

1001
=
261144
.


[4]

(a)

A divisor D is defined over F
3

if
D
σ
=
D

for all automorphisms of
F
̅
3

over F
3
,

The generator of automorphisms of
F
̅
3

over F
3

is
σ
:
x

x
3
.

So, we just check the generator
of automorphisms of
F
̅
3

over F
3
.

D
1
=
P
5
+
P
6

2∞
,
σ
(
P
5
)
=
P
6
,
σ
(
P
6
)
=
P
5
, and hence
D
1
σ
=
D
1
.

D
1

is defined over F
3
, and is a reduced divisor of C.

D
2
=
P
5
+
P
9

2∞
,
σ
(
P
5
)
=
P
6
,
σ
(
P
9
)
=
P
10
, and hence
D
2
σ

D
2
.

D
2

is
note
defined over F
3
.

(b)

D
1
=
2
P
2


, P
2

= (1,2).

a(x) = (x
-
1)(x
-
1) = x
2



2x + 1 = x
2

+ x + 1

Since
deg
(
b
(
x
)
)

deg
(

(
𝑥
)
)
, assume b(x) = mx+n.

Then, (1,2) is a root of B(x,y) = b(x)
-
y of degree 2.

Therefore, b(1)
-
2 = 0, i.e. m+n=2, and B

(1,2) = 0.

B

(
x
,
y
)
=
m


y

x
=
m

2
x
4
+
2
x
3
2y
, so m


1 = 0.

Therefore, m = n = 1. b(x) = x + 1.


(c)

7D

D
2
=
3
P
2

3
P
3
=
3
(
P
2


)

3
(
P
3


)
=
3
×
4D

3
×
13D
=

27D
=
7D
.


[5]

(a)


a
<



,
|
b
|

|
a
|
,
b
2

a
2
.
0
<



,

c


a
.


D
=
b
2

4ac

a
2

4ac

a
2

4
a
2
=

3
a
2
,
3
a
2

D
,
a


D
3

(b)

(1,1,7)

By (a), a = 1, 2, 3.

When a = 1, (b,c) = (1,7).

When a = 2, there is no (b,c).

When a = 3, (b,c) = (3,3) satisfies (1)
-
(4),
but gcd(a,b,c) = 3.

Therefore, we have only (1,1,7).


7


(c)

57

P(X) = X + 40, X =
-
40 = 57.

(d)

Step 1: Construct
E
1
:
y
2
=
x
3
+
3j
1728

j
x
+
2j
1728

j

over F
97
.

Step 2: Choose
P

E
1
(
F
97
)

randomly, and check if
79P
=

.

Step 3: If P is of order 79, then
E
1

is the desired curve. Done.

Step 4: Otherwise, find
k

F
97

such that k is quadratic non
-
residue in F
97
, and
construct
E
2
:
y
2
=
x
3
+
k
2
3j
1728

j
x
+
k
3
2j
1728

j
, the twist curve of
E
1
.


Then,
E
2

is the desired curve.


[6]




[7]

(a)

#
E
(
F
p
)
=
p
+
1
+

(

x
3
+
x
p

)
x

F
p
. Claim

(

x
3
+
x
p

)
x

F
p
=
0
.


(

x
3
+
x
p

)
x

F
p
=

(

x
3
+
x
p

)
p

1
x
=
0
=
(

x
3
+
x
p

)
|
x
=
0
+

(

x
3
+
x
p

)
p

1
x
=
1
=
0
+

(
(

x
3
+
x
p

)
+
(
(

x
)
3
+
(

x
)
p
)
)
p

1
2
x
=
1
=

(
(

x
3
+
x
p

)
+
(

(

x
3
+
x
)
p

)
)
p

1
2
x
=
1
=

0
p

1
2
x
=
1
=
0

So,
#
E
(
F
p
)
=
p
+
1
, and E is supersingular.

(b)

ϕ
(
P
)
=
(

x
,
𝑖
y
)

E
(
F
p
2
)
\
E
(
F
p
)
.

Let
P
1
=
(
x
1
,
y
1
)
,
P
2
=
(
x
2
,
y
2
)

P
1
+
P
2
:
λ
=
{
3
x
1
2
+
1
2
y
1
if

P
1
=
P
2
y
2

y
1
x
2

x
1
if

P
1

P
2
,
x
3
=
λ
2

x
1

x
2
,


y
3
=
(
x
1

x
3
)
λ

y
1
=
(
2
x
1
+
x
2

λ
2
)
λ

y
1
.

ϕ
(
P
1
+
P
2
)
=
(
x
1
+
x
2

λ
2
,
(
2
x
1
+
x
2

λ
2
)
𝑖
λ

𝑖
y
1
)
.

ϕ
(
P
1
)
=
(

x
1
,
𝑖
y
1
)
,
ϕ
(
P
2
)
=
(

x
2
,
𝑖
y
2
)

8


ϕ
(
P
1
)
+
ϕ
(
P
2
)
:
λ

=
{
3
x
1
2
+
1
2
𝑖
y
1
if

P
1
=
P
2
𝑖
y
2

𝑖
y
1
x
1

x
2
if

P
1

P
2
,
λ

=

𝑖
λ
.


x
3
=
λ
′2
+
x
1
+
x
2
=
x
1
+
x
2

λ
2
,


y
3
=
(

x
1

x
3
)
λ


𝑖
y
1
=
(
2
x
1
+
x
2

λ
2
)
𝑖
λ

𝑖
y
1



ϕ
(
P
1
+
P
2
)
=
ϕ
(
P
1
)
+
ϕ
(
P
2
)
.

So,
ϕ

is an endomorphism. Therefore,
ϕ

is a distortion map.

(c)

9+
i

D
ϕ
(
P
)
=
[
ϕ
(
P
)
+
(
0
,
0
)
]

[
(
0
,
0
)
]
=
[
(
15
,
12
𝑖
)
]

[
(
0
,
0
)
]
.

Initial setting: i=5, j=0, k=1, v
j
=1, v
k
=1.

Step 1:

i=5 is odd


i=5
-
1=4, j=0+1=1, k=1, v
j
=1, v
k
=1.

Step 2:

i=4 is even


i=4/2=2, j=1, k=1
×2
=2, v
j
=1, v
k
=8
-
5
i

The tangent line at kP=P=(5,4):
λ
=
3
×
5
2
+
1
2
×
4
=
0
8
=
0
, L: y


4 = 0

The vertical line at 2kP=(9,15): L: x


9 = 0

v
2

=

v
1
2
×
y

4
x

9
|
D
ϕ
(
P
)
=
1
2
×
(

4
+
12
𝑖
)
(
0

9
)
(
15

9
)
(
0

4
)
=

2
+
6
𝑖

5
=
8

5
𝑖
.

Step 3:

i=2 is even


i=2/2=1,
j=1, k=2
×2
=4, v
j
=1, v
k
=5+9
i

The tangent line at kP=2P=(9,15):
λ
=
3
×
9
2
+
2
2
×
15
=
16
11
=

2
, L: y + 2x + 5 = 0

The vertical line at 2kP=(5,15): L: x


5 = 0

v
4
=
v
2
2
×
y
+
2x
+
5
x

5
|
D
ϕ
(
P
)
=
(
8

5
𝑖
)
2
×
(

3
+
12
𝑖
)
(

5
)
(
10
)
(
5
)
=
5
+
9
𝑖
.

Step 4:

i=1 is odd


i=1
-
1=0, j=1+4=5, k=4, v
j
=9+
i
, v
k
=5+9
i

The divisor [P] + [4P
]



[5P
]



[

]

= [(5,4)] + [(5,15)]


2[

] = div(x
-
5)

v
5
=
v
1
×
v
4
×
(
x

5
)
|
D
ϕ
(
P
)
=
1
×
(
5
+
9
𝑖
)
×
(
10
)
(

5
)
=
9
+
𝑖
.