Math 373-578 Exam 3 - WVU Math Department

Math 373-578
Exam 3: In class part
Instructions:
No credit for solutions (even correct solutions) without sufficient supporting computations/arguments. You must not use matlab to do Problem 1, but you may use matlab to do all other
problems.
1. (5 % each) Let E denote the elliptic curve with equation $y^2 = x^3 - 2$ over $\mathbb{Z}_7$. Compute the following
without using matlab. (Demonstrating the procedure used to obtain the answers is needed for full/partial credit.
Solutions using matlab will receive no credit.)
(A) Verify that both (3, 2) and (5, 5) are points on the curve.
(B) Find (3, 2) + (5, 5).
(C) Find (3, 2) + (3, 2).
(D) Find (3, 2) + (3, 5).
2. (5 %) Let E be the elliptic curve $E : y^2 = x^3 + x + 1$ over $\mathbb{Z}_5$, and let P = (4, 2) and Q = (0, 1) be points
on E. Find a positive integer n such that Q = nP.
3. (5 %) Let $E : y^2 = x^3 + 457x + 9621$ be an elliptic curve over the real numbers. Suppose that P, Q, and
R are three distinct points on E. If there is a straight line passing through all three of these points, compute
P + Q + R on this elliptic curve, and explain how you perform the addition to get your answer. (Hint: Recall
how addition on elliptic curves is defined. You do not need to know the coordinates of these points.)
4. (5 % each) Do each of the following:
(i) Let $x^3 + ax^2 + bx + c$ be a cubic polynomial with roots $r_1$, $r_2$ and $r_3$. Explain why $r_1 + r_2 + r_3$ is always
equal to $-a$.
(ii) (This problem indicates why most elliptic curves do not have the square term.) With
$z = x - a/3$, we can write $x^3 + ax^2 + bx + c$ as $z^3 + Az + B$. Express A and B in terms of a, b, and c. (That
is, explicitly express each of A and B as a function of a, b and c.)
5. (5 %) Let E be an elliptic curve and let P be a point on E. The smallest positive integer n such that nP = O
is called the order of P. Find the order of the point P = (1, 2) on the elliptic curve $E : y^2 = x^3 + 4x + 4$ over $\mathbb{Z}_5$.
6. (10 %) Use the following information and apply your knowledge of factoring via difference of squares to
factor n = 2525891. (Any solution based on the matlab command factor(2525891) or its equivalent will have
zero credit.)
$1591^2 \equiv 2 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$3182^2 \equiv 2^3 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$4773^2 \equiv 2 \cdot 3^2 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$5275^2 \equiv 2^3 \cdot 3^6 \cdot 7 \pmod{n}$
$5401^2 \equiv 2^4 \cdot 3^2 \cdot 5^3 \cdot 7 \cdot 11 \pmod{n}$
7. (5 %) Alice and Bob want to exchange a key. They both work on the elliptic curve $E : y^2 = x^3 + x + 7206$
over $\mathbb{Z}_{7211}$, with a base point G = (3, 5) on E. Alice chooses a secret number $n_A$, and computes and sends
$n_A G = (1794, 6375)$ to Bob. Bob has decided to use $n_B = 23$ as his own secret number, and he computes and
sends $n_B G = (3861, 1242)$ to Alice. What will be their common key? (Present the value of this common key
and explain how you compute such a common key.)
Math 373-578
Exam 3: Take home part (due day: 4/10/09, Due day for last Friday lab work: (4/13/09))
Instructions: When you use matlab to conduct computations for your work, copy and paste your
matlab commands/work into a notepad file. You may submit your work electronically (preferred, as it saves
paper) or submit printouts of your matlab commands as well as your solutions.
1. (5 %) Let n = 64213. Factor n by computing
$n + 1^2, \; n + 2^2, \; n + 3^2, \; \cdots,$
and by factoring via difference of squares. (Any solution based on the matlab command factor(64213) or its
equivalent will have zero credit.)
Definition needed in Problem 2. Let E be an elliptic curve and let P be a point on E. The smallest
positive integer n such that nP = O is called the order of P. (This exercise tells us how to smartly compute
the order of an element, when the order is large.)
2. Let P be a point on the elliptic curve E mod n. Suppose that we know an integer k > 0 such that
kP = O. We want to know whether k is the order of P, by showing the following properties.
(A) (4 %) Suppose that for each prime factor p of k, $(k/p)P \neq O$. Explain why k is the order of P.
(B) (4 %) Now let P = (2, 3) on $E : y^2 = x^3 - 10x + 21$ over $\mathbb{Z}_{557}$. Compute to show that 189P = O but
$63P \neq O$ and $27P \neq O$.
(C) (2 %) Determine the order of P, and give a reason for your answer.
3. (5 %) Compute (5, 9) − (1, 1) on the elliptic curve $E : y^2 = x^3 - 11x + 11 \pmod{593899}$. (Note that both
(5, 9) and (1, 1) have small coordinates. Will the answer involve large coordinates?)
4. (10 %) (Elliptic Curve ElGamal Cryptosystem) Bob uses an elliptic curve $E : y^2 = x^3 + 11652x + 11483$ over
$\mathbb{Z}_p$, where p = 17431 is a prime, with a base point B = (5, 12). He picks his secret key r = 7 and publishes
his encoding key rB = (11638, 1159). Alice uses Bob's public key and sends a cipher text D = (13872, 2359)
with a clue C = (7838, 13320). Find her plain text as a point on E.
5. (Extra Credit 10 %) You want to represent the message 12345 as a point (x, y) on the elliptic curve
$E : y^2 = x^3 + 7x + 11 \pmod{593899}$ so that 12345 is part of the x-coordinate. Write x = 12345 and find a
value of the missing last digit of x such that there is a point on the curve with this x-coordinate.
Math 373-578
Exam 3: In class part
Instructions:
No credit for solutions (even correct solutions) without sufficient supporting computations/arguments. You must not use matlab to do Problem 1, but you may use matlab to do all other
problems.
1. (5 % each) Let E denote the elliptic curve with equation $y^2 = x^3 - 2$ over $\mathbb{Z}_7$. Compute the following
without using matlab. (Demonstrating the procedure used to obtain the answers is needed for full/partial credit.
Solutions using matlab will receive no credit.)
(A) Verify that both (3, 2) and (5, 5) are points on the curve.
(B) Find (3, 2) + (5, 5).
(C) Find (3, 2) + (3, 2).
(D) Find (3, 2) + (3, 5).
Solution: (A) Since 25 = (3)(7) + 4 ≡ 4 (mod 7) and 125 − 2 = 123 = 119 + 4 = (17)(7) + 4 ≡ 4 (mod 7),
and since
$2^2 = 4 \equiv 3^3 - 2 = 25 \pmod 7$, and $5^2 = 25 \equiv 4 \equiv 5^3 - 2 = 125 - 2 \pmod 7$,
both (3, 2) and (5, 5) are points on the curve.
(B) First compute the slope $M = (5 - 2)/(5 - 3) = 3/2 = 3 \cdot 2^{-1}$. As (2)(4) = 8 ≡ 1 (mod 7), $2^{-1} \equiv 4 \pmod 7$,
and so $M = 3 \cdot 4 \equiv 5 \pmod 7$. Let $(3, 2) + (5, 5) = (x_3, y_3)$. Then in $\mathbb{Z}_7$,
$x_3 = 5^2 - 3 - 5 = 17 = 3, \quad y_3 = 5(3 - 3) - 2 = -2 = 5.$
Hence (3, 2) + (5, 5) = (3, 5).
(C) First compute the slope M = dy/dx at (3, 2). $2yy' = 3x^2$, and so $M = 3(3^2)/4 = 27 \cdot 4^{-1} \equiv 6 \cdot 2 = 12 \equiv 5 \pmod 7$.
Let $(3, 2) + (3, 2) = (x_4, y_4)$. Then in $\mathbb{Z}_7$,
$x_4 = 5^2 - 3 - 3 = 19 = 5, \quad y_4 = 5(3 - 5) - 2 = 2.$
Hence (3, 2) + (3, 2) = (5, 2).
(D) Since −(3, 2) = (3, −2) = (3, 5), we have (3, 2) + (3, 5) = O.
2. (5 %) Let E be the elliptic curve $E : y^2 = x^3 + x + 1$ over $\mathbb{Z}_5$, and let P = (4, 2) and Q = (0, 1) be points
on E. Find a positive integer n such that Q = nP.
Solution: We can choose a large number n and compute kP for k = 1, 2, · · · , n. Since the field $\mathbb{Z}_5$ is very
small, we take n = 10, but you can see in the computations below that n could be even smaller.
>> multsell([4,2], 10, 1,1,5)
ans =
     4     2
     3     4
     2     4
     0     4
     0     1
     2     1
     3     1
     4     3
   Inf   Inf
     4     2
>> multell([4,2], 5, 1,1,5)
ans =
     0     1
Therefore when n = 5, 5P = Q. This can be verified by the multell([4,2], 5, 1,1,5) command.
3. (5 %) Let $E : y^2 = x^3 + 457x + 9621$ be an elliptic curve over the real numbers. Suppose that P, Q, and
R are three distinct points on E. If there is a straight line passing through all three of these points, compute
P + Q + R on this elliptic curve, and explain how you perform the addition to get your answer. (Hint: Recall
how addition on elliptic curves is defined. You do not need to know the coordinates of these points.)
Solution: By the definition of addition on elliptic curves, when P and Q are two points on E, the
line passing through P and Q will intersect E at R, and so P + Q = −R. By the definition of addition again,
(−R) + R = O. Therefore,
P + Q + R = (−R) + R = O.
4. (5 % each) Do each of the following:
(i) Let $x^3 + ax^2 + bx + c$ be a cubic polynomial with roots $r_1$, $r_2$ and $r_3$. Explain why $r_1 + r_2 + r_3$ is always
equal to $-a$.
(ii) (This problem indicates why most elliptic curves do not have the square term.) With
$z = x + a/3$, we can write $x^3 + ax^2 + bx + c$ as $z^3 + Az + B$. Express A and B in terms of a, b, and c. (That
is, explicitly express each of A and B as a function of a, b and c.)
Solution: (i) Since $r_1$, $r_2$ and $r_3$ are roots of $x^3 + ax^2 + bx + c$, from high school algebra we know that
$x^3 + ax^2 + bx + c = (x - r_1)(x - r_2)(x - r_3) = x^3 - (r_1 + r_2 + r_3)x^2 + (r_1 r_2 + r_1 r_3 + r_2 r_3)x + r_1 r_2 r_3.$
By comparing the coefficients of the $x^2$ term on both sides, we have
$a = -(r_1 + r_2 + r_3)$ and so $r_1 + r_2 + r_3 = -a$.
(ii) With $z = x + a/3$, we have $x = z - a/3$. Substitute $x = z - a/3$ in the polynomial $x^3 + ax^2 + bx + c$, and
collect like terms to get
$x^3 + ax^2 + bx + c$
$= (z - a/3)^3 + a(z - a/3)^2 + b(z - a/3) + c$
$= z^3 - 3z^2(a/3) + 3z(a/3)^2 - (a/3)^3 + az^2 - 2a^2 z/3 + a(a/3)^2 + bz - ab/3 + c$
$= z^3 + (-a + a)z^2 + (a^2/3 - 2a^2/3 + b)z + (-a^3/27 + a^3/9 - ab/3 + c)$
$= z^3 + (-a^2/3 + b)z + (2a^3/27 - ab/3 + c)$
$= z^3 + Az + B.$
Therefore, by comparing coefficients, we have
$A = -a^2/3 + b$ and $B = 2a^3/27 - ab/3 + c$.
5. (5 %) Let E be an elliptic curve and let P be a point on E. The smallest positive integer n such that nP = O
is called the order of P. Find the order of the point P = (1, 2) on the elliptic curve $E : y^2 = x^3 + 4x + 4$ over
$\mathbb{Z}_5$.
Solution: Since it is mod 5, there will not be many points on the curve. Choose a relatively large number
n (here we take n = 10, but you can see even n = 5 will suffice) and compute P, 2P, · · · , nP, to see when
it becomes O for the first time.
>> multsell([1,2], 10, 4, 4, 5)
ans =
     1     2
     2     0
     1     3
   Inf   Inf
     1     2
     2     0
     1     3
   Inf   Inf
     1     2
     2     0
>> multell([1,2],4,4,4,5)
ans =
   Inf   Inf
It follows that the order of P = (1, 2) on E is 4. This can be verified by the multell([1,2],4,4,4,5) command.
6. (10 %) Use the following information and apply your knowledge of factoring via difference of squares to
factor n = 2525891. (Any solution based on the matlab command factor(2525891) or its equivalent will have
zero credit.)
$1591^2 \equiv 2 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$3182^2 \equiv 2^3 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$4773^2 \equiv 2 \cdot 3^2 \cdot 5 \cdot 7^2 \cdot 11 \pmod{n}$
$5275^2 \equiv 2^3 \cdot 3^6 \cdot 7 \pmod{n}$
$5401^2 \equiv 2^4 \cdot 3^2 \cdot 5^3 \cdot 7 \cdot 11 \pmod{n}$
Solution: This is exercise (3.25)(d), of the text on Page 182.
One does not need all the information provided. For example, when the last three congruences are multiplied
together, the exponents of each prime sum to an even number, and so we can simply use the last three.
>> n=2525891
n =
     2525891
>> a=mod(4773*5275*5401, n)
a =
      214699
>> b=mod(2^4*3^5*5^2*7^2*11,n)
b =
     1872980
>> gcd(a-b,n)
ans =
        1637
>> n/1637
ans =
        1543
Therefore n has a factor 1637, and the factorization is n = (1637)(1543).
7. (5 %) Alice and Bob want to exchange a key. They both work on the elliptic curve $E : y^2 = x^3 + x + 7206$
over $\mathbb{Z}_{7211}$, with a base point G = (3, 5) on E. Alice chooses a secret number $n_A$, and computes and sends
$n_A G = (1794, 6375)$ to Bob. Bob has decided to use $n_B = 23$ as his own secret number, and he computes and
sends $n_B G = (3861, 1242)$ to Alice. What will be their common key? (Present the value of this common key
and explain how you compute such a common key.)
Solution: Bob received $n_A G = (1794, 6375)$ from Alice and he knows $n_B = 23$. Then he can compute the
common key $n_A n_B G = n_B (n_A G) = 23(1794, 6375)$.
>> multell([1794,6375],23,1,7206,7211)
ans =
        1472        2098
The common key is (1472, 2098).
Math 373-578
Exam 3: Take home part (due day: 4/10/09, Due day for last Friday lab work: (4/13/09))
Instructions: When you use matlab to conduct computations for your work, copy and paste your
matlab commands/work into a notepad file. You may submit your work electronically (preferred, as it saves
paper) or submit printouts of your matlab commands as well as your solutions.
1. (5 %) Let n = 64213. Factor n by computing
$n + 1^2, \; n + 2^2, \; n + 3^2, \; \cdots,$
and by factoring via difference of squares. (Any solution based on the matlab command factor(64213) or its
equivalent will have zero credit.)
Solution: Use the following, with 10 values for k each time. (You can also write other matlab subroutines
for this purpose).
>> for k=[120:130], [k; sqrt(64213+k^2)]', end
ans =
  120.0000  280.3801
ans =
  121.0000  280.8095
ans =
  122.0000  281.2419
ans =
  123.0000  281.6771
ans =
  124.0000  282.1152
ans =
  125.0000  282.5562
ans =
   126   283
ans =
  127.0000  283.4466
ans =
  128.0000  283.8961
ans =
  129.0000  284.3484
ans =
  130.0000  284.8034
Therefore, $64213 + 126^2 = 283^2$, or $126^2 \equiv 283^2 \pmod{64213}$. This allows us to compute a proper factor
of 64213, as follows.
>> gcd(283-126, 64213)
ans =
   157
>> 64213/157
ans =
   409
Hence 64213 = (157)(409). This can also be obtained from algebra:
$64213 = 283^2 - 126^2 = (283 - 126)(283 + 126) = (157)(409).$
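Both difference-of-squares methods used in this exam, the search over $n + k^2$ above and the combination of congruences from in-class Problem 6, can be reproduced in Python. This is an added example, not part of the original exam: the function names and the subset search are choices made here, the relation data is transcribed from Problem 6, and Python 3.8+ is assumed.

```python
from itertools import combinations
from math import gcd, isqrt, prod

def fermat_factor(n):
    """For odd n, search k = 1, 2, ... until n + k^2 is a perfect square s^2;
    then n = s^2 - k^2 = (s - k)(s + k)."""
    k = 1
    while True:
        s = isqrt(n + k * k)
        if s * s == n + k * k:
            return (s - k, s + k)
        k += 1

def combine_relations(n, relations):
    """relations: list of (x, {prime: exponent}) with x^2 = prod(prime^exponent) (mod n).
    Find a subset whose summed exponents are all even, so that a^2 = b^2 (mod n),
    and return the factor pair obtained from gcd(a - b, n)."""
    for size in range(1, len(relations) + 1):
        for subset in combinations(relations, size):
            total = {}
            for _, exps in subset:
                for q, e in exps.items():
                    total[q] = total.get(q, 0) + e
            if any(e % 2 for e in total.values()):
                continue                  # right-hand side is not a perfect square
            a = prod(x for x, _ in subset) % n
            b = prod(pow(q, e // 2, n) for q, e in total.items()) % n
            g = gcd(a - b, n)
            if 1 < g < n:                 # a = +-b (mod n) yields only 1 or n; try on
                return tuple(sorted((g, n // g)))
    return None

# Data of in-class Problem 6, transcribed from the exam.
N = 2525891
RELATIONS = [
    (1591, {2: 1, 5: 1, 7: 2, 11: 1}),
    (3182, {2: 3, 5: 1, 7: 2, 11: 1}),
    (4773, {2: 1, 3: 2, 5: 1, 7: 2, 11: 1}),
    (5275, {2: 3, 3: 6, 7: 1}),
    (5401, {2: 4, 3: 2, 5: 3, 7: 1, 11: 1}),
]

if __name__ == "__main__":
    print(fermat_factor(64213))
    print(combine_relations(N, RELATIONS))
```

The pairs built only from 1591, 3182 = 2·1591 and 4773 = 3·1591 have even exponents but give a ≡ b (mod n), which is why the search has to continue past the first square it finds.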
Definition needed in Problem 2. Let E be an elliptic curve and let P be a point on E. The smallest
positive integer n such that nP = O is called the order of P. (This exercise tells us how to smartly compute
the order of an element, when the order is large.)
2. Let P be a point on the elliptic curve E mod n. Suppose that we know an integer k > 0 such that
kP = O. We want to know whether k is the order of P, by showing the following properties.
(A) (4 %) Suppose that for each prime factor p of k, $(k/p)P \neq O$. Explain why k is the order of P.
(B) (4 %) Now let P = (2, 3) on $E : y^2 = x^3 - 10x + 21$ over $\mathbb{Z}_{557}$. Compute to show that 189P = O but
$63P \neq O$ and $27P \neq O$.
(C) (2 %) Determine the order of P, and give a reason for your answer.
Solution: (A) Let d denote the order of P. By division, k = qd + r, where 0 ≤ r < d. Since kP = O and
since dP = O, we have
O = kP = (qd + r)P = q(dP) + rP = O + rP = rP.
Hence we also have rP = O. Since 0 ≤ r < d and d is the smallest positive integer satisfying dP = O, we must
have r = 0, and so d | k. Write k = nd for some integer n > 0. If n > 1, then by the Fundamental Theorem of
Arithmetic, for some prime number p, p | n, or n = pq for some integer q > 0. It follows that
(k/p)P = ((nd)/p)P = (pqd/p)P = (qd)P = q(dP) = qO = O,
which is impossible as we know that for any prime p dividing k, $(k/p)P \neq O$. Therefore, n cannot be bigger than
1, and so n = 1. This means k = d is the order of P.
(B) This can be done by
>> multell([2, 3], 189, -10, 21, 557)
ans =
   Inf   Inf
>> multell([2, 3], 63, -10, 21, 557)
ans =
    38   535
>> multell([2, 3], 27, -10, 21, 557)
ans =
   136   360
(C) Since $557 = 3^3 \cdot 7$, then by (A) of this problem with k = 189, p ∈ {3, 7}, we have 189P = O,
$(189/3)P = 63P \neq O$ and $(189/7)P = 27P \neq O$. Hence k = 189 must be the order of P.
3. (5 %) Compute (5, 9) − (1, 1) on the elliptic curve $E : y^2 = x^3 - 11x + 11 \pmod{593899}$. (Note that both
(5, 9) and (1, 1) have small coordinates. Will the answer involve large coordinates?)
Solution: Use matlab to compute
>> addell([5,9], [1,-1], -11, 11, 593899)
ans =
      148475      222715
Therefore, (5, 9) − (1, 1) = (148475, 222715). Thus addition or subtraction of points with small coordinates may
result in a point with large coordinates.
4. (10 %) (Elliptic Curve ElGamal Cryptosystem) Bob uses an elliptic curve $E : y^2 = x^3 + 11652x + 11483$ over
$\mathbb{Z}_p$, where p = 17431 is a prime, with a base point B = (5, 12). He picks his secret key r = 7 and publishes
his encoding key rB = (11638, 1159). Alice uses Bob's public key and sends a cipher text D = (13872, 2359)
with a clue C = (7838, 13320). Find her plain text as a point on E.
Solution: First compute r · C.
>> r = 7
r =
     7
>> multell([7838, 13320], r, 11652, 11483, 17431)
ans =
        4589       10754
Then compute the plain text P = D + (−r) · C = (8, 25).
>> addell([13872,2359], [4589, -10754], 11652, 11483, 17431)
ans =
     8    25
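The curve computations in these solutions (point addition, the order test of take-home Problem 2(A), the key exchange of in-class Problem 7 and the ElGamal decryption above) can be reproduced without the course's matlab routines. The Python below is an added example, not part of the original exam or its matlab toolkit; every function name is chosen here, and it assumes a prime modulus p and Python 3.8+.

```python
O = None  # point at infinity (shown as "Inf Inf" in the matlab output)

def ec_add(P, Q, a, p):
    """Add two points of y^2 = x^3 + a*x + b over Z_p (b does not enter the formulas)."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1, x2, y2 = P[0] % p, P[1] % p, Q[0] % p, Q[1] % p
    if x1 == x2 and (y1 + y2) % p == 0:   # Q = -P, which includes doubling a point with y = 0
        return O
    if x1 == x2:                          # doubling: slope of the tangent
        m = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:                                 # distinct points: slope of the chord
        m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (m * m - x1 - x2) % p
    return (x3, (m * (x1 - x3) - y1) % p)

def ec_neg(P, p):
    return O if P is O else (P[0] % p, -P[1] % p)

def ec_mul(k, P, a, p):
    """Double-and-add computation of kP for k >= 0."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def prime_factors(k):
    out, d = set(), 2
    while d * d <= k:
        while k % d == 0:
            out.add(d)
            k //= d
        d += 1
    return out | ({k} if k > 1 else set())

def has_order(P, k, a, p):
    """Take-home 2(A): k is the order of P iff kP = O and (k/q)P != O for every prime q | k."""
    return ec_mul(k, P, a, p) is O and all(
        ec_mul(k // q, P, a, p) is not O for q in prime_factors(k))

def ecdh_shared(n_own, peer_point, a, p):
    """In-class 7: each side multiplies the point it received by its own secret."""
    return ec_mul(n_own, peer_point, a, p)

def elgamal_decrypt(r, C, D, a, p):
    """Take-home 4: the plaintext point is D - rC."""
    return ec_add(D, ec_neg(ec_mul(r, C, a, p), p), a, p)
```

For example, `elgamal_decrypt(7, (7838, 13320), (13872, 2359), 11652, 17431)` and `has_order((2, 3), 189, -10, 557)` repeat the take-home computations of Problems 4 and 2.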