EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION


 Colin Shepherd
 2 years ago
 Views:
Transcription
1 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. Consider the Jacobian of a genus two curve defined over a finite field and with complex multiplication. In this paper we show that if the lsylow subgroup of the Jacobian is not cyclic, then the embedding degree of the Jacobian with respect to l is one. 1. Introduction In elliptic curve cryptography it is essential to know the number of points on the curve. Cryptographically we are interested in elliptic curves with large cyclic subgroups. Such elliptic curves can be constructed. The construction is based on the theory of complex multiplication, studied in detail by Atkin and Morain (1993). It is referred to as the CM method. Koblitz (1989) suggested the use of hyperelliptic curves to provide larger group orders. Therefore constructions of hyperelliptic curves are interesting. The CM method for elliptic curves has been generalized to hyperelliptic curves of genus two by Spallek (1994), and efficient algorithms have been proposed by Weng (003) and Gaudry et al (005). Both algorithms take as input a primitive, quartic CM field K (see section 3 for the definition of a CM field), and give as output a hyperelliptic genus two curve C defined over a prime field F p. A prime number p is chosen such that p = xx for a number x O K, where O K is the ring of integers of K. We have K = Q(η) and K R = Q( D), where η = i a + bξ and { 1+ D ξ =, if D 1 mod 4, D, if D, 3 mod 4. In this paper, the following theorem is established. Theorem 1. Let C be a hyperelliptic curve of genus two defined over F p with End(C) O K, where K is a primitive, quartic CM field as defined in definition 6. Assume that the ppower Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where ξ and η are given as above and c i Z. Consider a prime number l J C (F p ) with l p, l D and l c. Assume that the lsylow subgroup of J C (F p ) is not cyclic. Then p 1 mod l, i.e. the embedding degree of J C (F p ) with respect to l is one. Date: May 10, 007. The author is a PhDstudent at the Department of Mathematical Sciences, University of Aarhus. 000 Mathematics Subject Classification. Primary 14H40; Secondary 11G15, 14Q05, 94A60. Key words and phrases. Jacobians, hyperelliptic curves, complex multiplication, cryptography. Research supported in part by a PhD grant from CRYPTOMAThIC. 1
2 C.R. RAVNSHØJ. Hyperelliptic curves A hyperelliptic curve is a smooth, projective curve C P n of genus at least two with a separable, degree two morphism φ : C P 1. Let C be a hyperelliptic curve of genus two defined over a prime field F p of characteristic p >. By the RiemannRoch theorem there exists an embedding ψ : C P, mapping C to a curve given by an equation of the form y = f(x), where f F p [x] is of degree six and have no multiple roots (see Cassels and Flynn, 1996, chapter 1). The set of principal divisors P(C) on C constitutes a subgroup of the degree 0 divisors Div 0 (C). The Jacobian J C of C is defined as the quotient J C = Div 0 (C)/P(C). Let l p be a prime number. The l n torsion subgroup J C [l n ] < J C of elements of order dividing l n is then (Lang, 1959, theorem 6, p. 109) (1) J C [l n ] Z/l n Z Z/l n Z Z/l n Z Z/l n Z, i.e. J C [l n ] is a Z/l n Zmodule of rank four. The order of p modulo l plays an important role in cryptography. Definition (Embedding degree). Consider a prime number l dividing the order of J C (F p ), where l is different from p. The embedding degree of J C (F p ) with respect to l is the least number k, such that p k 1 mod l. An endomorphism ϕ : J C J C induces a Z l linear map ϕ l : T l (J C ) T l (J C ) on the ladic Tatemodule T l (J C ) of J C (Lang, 1959, chapter VII, 1). The map ϕ l is given by ϕ as described in the following diagram:... J C [l n+1 ] J C [l n ]... ϕ ϕ... J C [l n+1 ] J C [l n ]... Here, the horizontal maps are the multiplicationbyl map. Hence, ϕ is represented by a matrix M Mat 4 4 (Z/lZ) on J C. Let P (X) Z[X] be the characteristic polynomial of ϕ (see Lang, 1959, pp ), and let P M (X) (Z/lZ)[X] be the characteristic polynomial of the restriction of ϕ to J C. Then (Lang, 1959, theorem 3, p. 186) () P (X) P M (X) mod l. Since C is defined over F p, the mapping (x, y) (x p, y p ) is an isogeny on C. This isogeny induces the ppower Frobenius endomorphism ϕ on the Jacobian J C. The characteristic polynomial P (X) of ϕ is of degree four (Tate, 1966, theorem, p. 140), and by the definition of P (X) (see Lang, 1959, pp ), J C (F p ) = P (1), i.e. the number of F p rational elements of the Jacobian is determined by P (X).
3 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 3 3. CM fields An elliptic curve E with Z End(E) is said to have complex multiplication. Let K be an imaginary, quadratic number field with ring of integers O K. K is a CM field, and if End(E) O K, then E is said to have CM by O K. More generally a CM field is defined as follows. Definition 3 (CM field). A number field K is a CM field, if K is a totally imaginary, quadratic extension of a totally real number field K 0. In this paper only CM fields of degree [K : Q] = 4 are considered. Such a field is called a quartic CM field. Remark 4. Consider a quartic CM field K. Let K 0 = K R be the real subfield of K. Then K 0 is a real, quadratic number field, K 0 = Q( D). By a basic result on quadratic number fields, the ring of integers of K 0 is given by O K0 = Z + ξz, where { 1+ D ξ =, if D 1 mod 4, D, if D, 3 mod 4. Since K is a totally imaginary, quadratic extension of K 0, a number η K exists, such that K = K 0 (η), η K 0. The number η is totally imaginary, and we may assume that η = iη 0, η 0 R. Furthermore we may assume that η O K0 ; so η = i a + bξ, where a, b Z. Let C be a hyperelliptic curve of genus two. Then C is said to have CM by O K, if End(C) O K. The structure of K determines whether C is irreducible. More precisely, the following theorem holds. Theorem 5. Let C be a hyperelliptic curve of genus two with End(C) O K, where K is a quartic CM field. Then C is reducible if, and only if, K/Q is Galois with Galois group Gal(K/Q) Z/Z Z/Z. Proof. (Shimura, 1998, proposition 6, p. 61). Theorem 5 motivates the following definition. Definition 6 (Primitive, quartic CM field). A quartic CM field K is called primitive if either K/Q is not Galois, or K/Q is Galois with cyclic Galois group. The CM method for constructing curves of genus two with prescribed endomorphism ring is described in detail by Weng (003) and Gaudry et al (005). In short, the CM method is based on the construction of the class polynomials of a primitive, quartic CM field K with real subfield K 0 of class number h(k 0 ) = 1. The prime number p has to be chosen such that p = xx for a number x O K. By Weng (003) we may assume that x O K0 + ηo K0. 4. Properties of J C (F p ) Consider a primitive, quartic CM field K with real subfield K 0 of class number h(k 0 ) = 1, and let p be an uneven prime number such that p = xx for a number x O K0 + ηo K0. The main result of this paper, given by the following theorem, concerns a curve of genus two with O K as endomorphism ring.
4 4 C.R. RAVNSHØJ Theorem 7. With the notation as in remark 4, let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Assume that the ppower Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where c i Z. Consider a prime number l J C (F p ) with l p, l D and l c. Assume that the lsylow subgroup of J C (F p ) is not cyclic. Then p 1 mod l, i.e. the embedding degree of J C (F p ) with respect to l is one. Proof. Consider a prime number l J C (F p ) with l pc D. If l =, then obviously p 1 mod l. Hence we may assume that l. Assume that the lsylow subgroup S of J C (F p ) is not cyclic. Then S contains a subgroup U (Z/lZ). So (Z/lZ) < J C (F p ) < J C. Let {e 1, e } J C (F p ) be a basis of (Z/lZ). Expand by the isomorphism (1) this set to a basis {e 1, e, f 1, f } of J C. It then follows that 1 is an eigenvalue of the Frobenius with eigenvectors e 1 and e, i.e. 1 is an eigenvalue of multiplicity at least two. First we assume that D, 3 mod l. Let P (X) be the characteristic polynomial of the Frobenius. Since the conjugates of ω are given by ω 1 = ω, ω = ω 1, ω 3 and ω 4 = ω 3, where ω 3 = c 1 c D + i(c3 c 4 D) a b D, it follows that 4 P (X) = (X ω i ) = X 4 4c 1 X 3 + (p + 4(c 1 c D))X 4c 1 px + p. i=1 Since 1 is an eigenvalue of the Frobenius of multiplicity at least two, the characteristic polynomial P (X) is divisible by (X 1) modulo l. Now, where P (X) = Q(X) (X 1) + R(X), R(X) = 4(1 3c 1 (c 1 1)p + (c 1 c D))X Since R(X) 0 mod l, it follows that + p p 4(c 1 c D) + 8c 1 3. (3) 1 3c 1 (c 1 1)p + (c 1 c D) 0 mod l. Since J C (F p ) = P (1), we know that (4) (p + 1) 4c 1 (p + 1) + 4(c 1 c D) 0 mod l. By equation (3) we see that 4(c 1 c D) (c 1 1)p +6c 1 this into equation (4) we get (p + 1) 4c 1 (p + 1) + (c 1 1)p + 6c 1 0 mod l; mod l. Substituting so either p 1 mod l or p c 1 1 mod l. Assume p c 1 1 mod l. Then R(X) 4c D( X + 1) 0 mod l. Since l c D, this is a contradiction. So if D, 3 mod 4, then p 1 mod l.
5 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 5 Now consider the case D 1 mod 4. We now have 1 ( D 1 ) D ω 3 = c 1 + c + i c 3 + c 4 a + b 1 D, and it follows that the characteristic polynomial of the Frobenius is given by P (X) = X 4 cx 3 + (p + c c d)x pcx + p, where c = c 1 + c. We see that P (X) = Q(X)(X 1) + R(X), where R(X) = ((4 c)p + c 6c c D + 4)X + p p 3 + 4c c + c D. Since R(X) 0 mod l, it follows that (5) p p 3 + 4c c + c D 0 mod l, and since J C (F p ) = P (1), we know that (6) (p + 1) c(p + 1) + c c D 0 mod l. From equation (5) and (6) it follows that p cp + c 1 0 mod l, i.e. p 1 mod l or p c 1 mod l. Assume p c 1 mod l. Then R(X) c D( X + 1) 0 mod l, again a contradiction. So if D 1 mod 4, then p 1 mod l. Consider the case l c. Then the characteristic polynomial of the Frobenius modulo l is given by P (X) (X c 1 X + p) mod l, independently of the remainder of D modulo 4. Observe that X c 1 X + p = (X + 1 c 1 )(X 1) + p c Hence, p c 1 1 mod l, i.e. So the following theorem holds. P (X) (X 1) (X p) mod l. Theorem 8. With the notation as in remark 4, let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Assume that the ppower Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where c i Z. Consider a prime number l J C (F p ) with l p, l c. Assume that the lsylow subgroup of J C (F p ) is not cyclic. Then either (1) J C (F p ) (Z/lZ), or () p 1 mod l and J C (F p ) = J C. Proof. If p 1 mod l, then 1 is not an eigenvalue of the Frobenius of multiplicity three, i.e. J C (F p ) (Z/lZ). If p 1 mod l, then 1 is an eigenvalue of the Frobenius of multiplicity four, i.e. J C (F p ) = J C.
6 6 C.R. RAVNSHØJ 5. Applications Let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Write (7) J C (F p ) Z/n 1 Z Z/n Z Z/n 3 Z Z/n 4 Z, where n i n i+1 and n p 1 (see Frey and Lange, 006, proposition 5.78, p. 111). We recall the following result on the prime divisors of the number n. Theorem 9. With the notion as above, let l n be an odd prime number. Then l Q, where if D, 3 Q = max{a, D, a b D}, mod 4, and Q = max{a, D, 4a(a + b) b (D 1), ad + b(d 1)}, if D 1 mod 4. If l > D, then c 1 1 mod l and c 0 mod l. Proof. Ravnshøj (007a). Let the Frobenius be given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, c i Z, and consider a prime number l J C (F p ), l p. Corollary 1. If l c and l > Q, then the lsylow subgroup S of J C (F p ) is either of rank two and p 1 mod l, or S is cyclic. By Ravnshøj (007b), if p 1 mod l, then there exists an efficient, probabilistic algorithm to determine generators of the lsylow subgroup of J C (F p ). Hence the following corollary holds. Corollary. If l D and l c, then there exists an efficient, probabilistic algorithm to determine generators of the lsylow subgroup S of J C (F p ). Proof. If p 1 mod l, then the corollary is given by Ravnshøj (007b). If p 1 mod l, then S is cyclic by theorem 7. Assume S = l n. Then S has l n l n 1 elements of order l n. Hence the probability that a random element σ S generates S is 1 l 1, and choosing random elements σ S until an element of order l n is found will be an efficient, probabilistic algorithm to determine generators of S. 6. Acknowledgement I would like to thank my supervisor Johan P. Hansen for inspiration on theorem 8. References A.O.L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., vol. 61, pp. 9 68, J.W.S. Cassels and E.V. Flynn. Prolegomena to a Middlebrow Arithmetic of Curves of Genus. London Mathematical Society Lecture Note Series. Cambridge University Press, G. Frey and T. Lange. Varieties over Special Fields. In H. Cohen and G. Frey, editors, Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp Chapman & Hall/CRC, 006. P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler and A. Weng. The padic CMMethod for Genus
7 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 7 N. Koblitz. Hyperelliptic cryptosystems. J. Cryptology, vol. 1, pp , S. Lang. Abelian Varieties. Interscience, C.R. Ravnshøj. Large Cyclic Subgroups of Jacobians of Hyperelliptic Curves. 007a. C.R. Ravnshøj. Generators of Jacobians of Hyperelliptic Curves. 007b. http: //arxiv.org. G. Shimura. Abelian Varieties with Complex Multiplication and Modular Functions. Princeton University Press, A.M. Spallek. Kurven vom Geschlecht und ihre Anwendung in PublicKey Kryptosystemen. Ph.D. thesis, Institut für Experimentelle Mathematik, Universität GH Essen, J. Tate. Endomorphisms of abelian varieties over finite fields. Invent. Math., vol., pp , A. Weng. Constructing hyperelliptic curves of genus suitable for cryptography. Math. Comp., vol. 7, pp , 003. Department of Mathematical Sciences, University of Aarhus, Ny Munkegade, Building 1530, DK8000 Aarhus C address:
ON GALOIS REALIZATIONS OF THE 2COVERABLE SYMMETRIC AND ALTERNATING GROUPS
ON GALOIS REALIZATIONS OF THE 2COVERABLE SYMMETRIC AND ALTERNATING GROUPS DANIEL RABAYEV AND JACK SONN Abstract. Let f(x) be a monic polynomial in Z[x] with no rational roots but with roots in Q p for
More informationSOLVING POLYNOMIAL EQUATIONS
C SOLVING POLYNOMIAL EQUATIONS We will assume in this appendix that you know how to divide polynomials using long division and synthetic division. If you need to review those techniques, refer to an algebra
More information(x + a) n = x n + a Z n [x]. Proof. If n is prime then the map
22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find
More informationChapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.
Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize
More informationcalculating the result modulo 3, as follows: p(0) = 0 3 + 0 + 1 = 1 0,
Homework #02, due 1/27/10 = 9.4.1, 9.4.2, 9.4.5, 9.4.6, 9.4.7. Additional problems recommended for study: (9.4.3), 9.4.4, 9.4.9, 9.4.11, 9.4.13, (9.4.14), 9.4.17 9.4.1 Determine whether the following polynomials
More informationIntroduction to Finite Fields (cont.)
Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number
More informationThe Brauer Manin obstruction for curves having split Jacobians
Journal de Théorie des Nombres de Bordeaux 00 (XXXX), 000 000 The Brauer Manin obstruction for curves having split Jacobians par Samir SIKSEK Résumé. Soit X A un morphism (qui n est pas constant) d une
More informationNEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES
NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,
More informationCHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY
January 10, 2010 CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY The set of polynomials over a field F is a ring, whose structure shares with the ring of integers many characteristics.
More informationAlex, I will take congruent numbers for one million dollars please
Alex, I will take congruent numbers for one million dollars please Jim L. Brown The Ohio State University Columbus, OH 4310 jimlb@math.ohiostate.edu One of the most alluring aspectives of number theory
More informationsome algebra prelim solutions
some algebra prelim solutions David Morawski August 19, 2012 Problem (Spring 2008, #5). Show that f(x) = x p x + a is irreducible over F p whenever a F p is not zero. Proof. First, note that f(x) has no
More information7. Some irreducible polynomials
7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of
More information3 1. Note that all cubes solve it; therefore, there are no more
Math 13 Problem set 5 Artin 11.4.7 Factor the following polynomials into irreducible factors in Q[x]: (a) x 3 3x (b) x 3 3x + (c) x 9 6x 6 + 9x 3 3 Solution: The first two polynomials are cubics, so if
More informationChapter 13: Basic ring theory
Chapter 3: Basic ring theory Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 42, Spring 24 M. Macauley (Clemson) Chapter 3: Basic ring
More informationALGORITHMS FOR ALGEBRAIC CURVES
ALGORITHMS FOR ALGEBRAIC CURVES SUMMARY OF LECTURE 4 1. SCHOOF S ALGORITHM Let K be a finite field with q elements. Let p be its characteristic. Let X be an elliptic curve over K. To simplify we assume
More informationA Minkowskistyle bound for the orders of the finite subgroups of the Cremona group of rank 2 over an arbitrary field.
A Minkowskistyle bound for the orders of the finite subgroups of the Cremona group of rank 2 over an arbitrary field JeanPierre Serre Let k be a field. Let Cr(k) be the Cremona group of rank 2 over k,
More informationit is easy to see that α = a
21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore
More informationInternational Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013
FACTORING CRYPTOSYSTEM MODULI WHEN THE COFACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II MohammediaCasablanca,
More informationBreaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and
Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study
More informationConstructing Elliptic Curves with Prescribed Embedding Degrees
Constructing Elliptic Curves with Prescribed Embedding Degrees Paulo S. L. M. Barreto 1, Ben Lynn 2, and Michael Scott 3 1 Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica,
More informationConstructing PairingFriendly Elliptic Curves with Embedding Degree 10
with Embedding Degree 10 University of California, Berkeley, USA ANTSVII, 2006 Outline 1 Introduction 2 The CM Method: The Basic Construction The CM Method: Generating Families of Curves 3 Outline 1 Introduction
More informationGalois representations with open image
Galois representations with open image Ralph Greenberg University of Washington Seattle, Washington, USA May 7th, 2011 Introduction This talk will be about representations of the absolute Galois group
More information3.6 The Real Zeros of a Polynomial Function
SECTION 3.6 The Real Zeros of a Polynomial Function 219 3.6 The Real Zeros of a Polynomial Function PREPARING FOR THIS SECTION Before getting started, review the following: Classification of Numbers (Appendix,
More informationThe van Hoeij Algorithm for Factoring Polynomials
The van Hoeij Algorithm for Factoring Polynomials Jürgen Klüners Abstract In this survey we report about a new algorithm for factoring polynomials due to Mark van Hoeij. The main idea is that the combinatorial
More informationThe Division Algorithm for Polynomials Handout Monday March 5, 2012
The Division Algorithm for Polynomials Handout Monday March 5, 0 Let F be a field (such as R, Q, C, or F p for some prime p. This will allow us to divide by any nonzero scalar. (For some of the following,
More informationLecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic. Theoretical Underpinnings of Modern Cryptography
Lecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic Theoretical Underpinnings of Modern Cryptography Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) January 29, 2015
More informationThe Dirichlet Unit Theorem
Chapter 6 The Dirichlet Unit Theorem As usual, we will be working in the ring B of algebraic integers of a number field L. Two factorizations of an element of B are regarded as essentially the same if
More informationPrimality  Factorization
Primality  Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.
More informationA New Generic Digital Signature Algorithm
Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study
More informationU.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra
U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory
More informationFinite Fields and ErrorCorrecting Codes
Lecture Notes in Mathematics Finite Fields and ErrorCorrecting Codes KarlGustav Andersson (Lund University) (version 1.01316 September 2015) Translated from Swedish by Sigmundur Gudmundsson Contents
More informationArithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJPRG. R. Barbulescu Sieves 0 / 28
Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJPRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer
More informationResearch Article On the Rank of Elliptic Curves in Elementary Cubic Extensions
Numbers Volume 2015, Article ID 501629, 4 pages http://dx.doi.org/10.1155/2015/501629 Research Article On the Rank of Elliptic Curves in Elementary Cubic Extensions Rintaro Kozuma College of International
More informationFaster Cryptographic Key Exchange on Hyperelliptic Curves
Faster Cryptographic Key Exchange on Hyperelliptic Curves No Author Given No Institute Given Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic
More informationModule MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013
Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013 D. R. Wilkins Copyright c David R. Wilkins 1997 2013 Contents A Cyclotomic Polynomials 79 A.1 Minimum Polynomials of Roots of
More informationFactoring of Prime Ideals in Extensions
Chapter 4 Factoring of Prime Ideals in Extensions 4. Lifting of Prime Ideals Recall the basic AKLB setup: A is a Dedekind domain with fraction field K, L is a finite, separable extension of K of degree
More informationMonogenic Fields and Power Bases Michael Decker 12/07/07
Monogenic Fields and Power Bases Michael Decker 12/07/07 1 Introduction Let K be a number field of degree k and O K its ring of integers Then considering O K as a Zmodule, the nicest possible case is
More informationH/wk 13, Solutions to selected problems
H/wk 13, Solutions to selected problems Ch. 4.1, Problem 5 (a) Find the number of roots of x x in Z 4, Z Z, any integral domain, Z 6. (b) Find a commutative ring in which x x has infinitely many roots.
More informationADDITIVE GROUPS OF RINGS WITH IDENTITY
ADDITIVE GROUPS OF RINGS WITH IDENTITY SIMION BREAZ AND GRIGORE CĂLUGĂREANU Abstract. A ring with identity exists on a torsion Abelian group exactly when the group is bounded. The additive groups of torsionfree
More information= 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that
Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without
More informationCharacterizing the Sum of Two Cubes
1 3 47 6 3 11 Journal of Integer Sequences, Vol. 6 (003), Article 03.4.6 Characterizing the Sum of Two Cubes Kevin A. Broughan University of Waikato Hamilton 001 New Zealand kab@waikato.ac.nz Abstract
More informationQuotient Rings and Field Extensions
Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.
More informationCyclotomic Extensions
Chapter 7 Cyclotomic Extensions A cyclotomic extension Q(ζ n ) of the rationals is formed by adjoining a primitive n th root of unity ζ n. In this chapter, we will find an integral basis and calculate
More information9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.
9. POLYNOMIALS 9.1. Definition of a Polynomial A polynomial is an expression of the form: a(x) = a n x n + a n1 x n1 +... + a 1 x + a 0. The symbol x is called an indeterminate and simply plays the role
More informationThe Chebotarev Density Theorem
The Chebotarev Density Theorem Hendrik Lenstra 1. Introduction Consider the polynomial f(x) = X 4 X 2 1 Z[X]. Suppose that we want to show that this polynomial is irreducible. We reduce f modulo a prime
More informationGalois Theory, First Edition
Galois Theory, First Edition David A. Cox, published by John Wiley & Sons, 2004 Errata as of September 18, 2012 This errata sheet is organized by which printing of the book you have. The printing can be
More informationPUTNAM TRAINING POLYNOMIALS. Exercises 1. Find a polynomial with integral coefficients whose zeros include 2 + 5.
PUTNAM TRAINING POLYNOMIALS (Last updated: November 17, 2015) Remark. This is a list of exercises on polynomials. Miguel A. Lerma Exercises 1. Find a polynomial with integral coefficients whose zeros include
More informationminimal polyonomial Example
Minimal Polynomials Definition Let α be an element in GF(p e ). We call the monic polynomial of smallest degree which has coefficients in GF(p) and α as a root, the minimal polyonomial of α. Example: We
More informationSECRET sharing schemes were introduced by Blakley [5]
206 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006 Secret Sharing Schemes From Three Classes of Linear Codes Jin Yuan Cunsheng Ding, Senior Member, IEEE Abstract Secret sharing has
More informationStudy of algorithms for factoring integers and computing discrete logarithms
Study of algorithms for factoring integers and computing discrete logarithms First IndoFrench Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department
More informationOn the largest prime factor of x 2 1
On the largest prime factor of x 2 1 Florian Luca and Filip Najman Abstract In this paper, we find all integers x such that x 2 1 has only prime factors smaller than 100. This gives some interesting numerical
More informationFactoring Polynomials
Factoring Polynomials Sue Geller June 19, 2006 Factoring polynomials over the rational numbers, real numbers, and complex numbers has long been a standard topic of high school algebra. With the advent
More informationNonunique factorization of polynomials over residue class rings of the integers
Comm. Algebra 39(4) 2011, pp 1482 1490 Nonunique factorization of polynomials over residue class rings of the integers Christopher Frei and Sophie Frisch Abstract. We investigate nonunique factorization
More informationa 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)
ROOTS OF POLYNOMIAL EQUATIONS In this unit we discuss polynomial equations. A polynomial in x of degree n, where n 0 is an integer, is an expression of the form P n (x) =a n x n + a n 1 x n 1 + + a 1 x
More informationLecture Notes on Polynomials
Lecture Notes on Polynomials Arne Jensen Department of Mathematical Sciences Aalborg University c 008 Introduction These lecture notes give a very short introduction to polynomials with real and complex
More informationON THE NUMBER OF REAL HYPERSURFACES HYPERTANGENT TO A GIVEN REAL SPACE CURVE
Illinois Journal of Mathematics Volume 46, Number 1, Spring 2002, Pages 145 153 S 00192082 ON THE NUMBER OF REAL HYPERSURFACES HYPERTANGENT TO A GIVEN REAL SPACE CURVE J. HUISMAN Abstract. Let C be a
More information1 = (a 0 + b 0 α) 2 + + (a m 1 + b m 1 α) 2. for certain elements a 0,..., a m 1, b 0,..., b m 1 of F. Multiplying out, we obtain
Notes on realclosed fields These notes develop the algebraic background needed to understand the model theory of realclosed fields. To understand these notes, a standard graduate course in algebra is
More informationEXERCISES FOR THE COURSE MATH 570, FALL 2010
EXERCISES FOR THE COURSE MATH 570, FALL 2010 EYAL Z. GOREN (1) Let G be a group and H Z(G) a subgroup such that G/H is cyclic. Prove that G is abelian. Conclude that every group of order p 2 (p a prime
More informationABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS
ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS John A. Beachy Northern Illinois University 2014 ii J.A.Beachy This is a supplement to Abstract Algebra, Third Edition by John A. Beachy and William D. Blair
More informationA DETERMINATION OF ALL NORMAL DIVISION ALGEBRAS OVER AN ALGEBRAIC NUMBER FIELD*
A DETERMINATION OF ALL NORMAL DIVISION ALGEBRAS OVER AN ALGEBRAIC NUMBER FIELD* BY A. ADRIAN ALBERT AND HELMUT HASSE t 1. Introduction. The principal problem in the theory of linear algebras is that of
More informationIntroduction to finite fields
Introduction to finite fields Topics in Finite Fields (Fall 2013) Rutgers University Swastik Kopparty Last modified: Monday 16 th September, 2013 Welcome to the course on finite fields! This is aimed at
More informationOn near primeorder elliptic curves with small embedding degrees
On near primeorder elliptic curves with small embedding degrees DucPhong Le 1, Nadia El Mrabet 2, and Chik How Tan 1 1 Temasek Laboratories, National University of Singapore {tslld,tsltch}@nus.edu.sg
More informationSTUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to
STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION by Takayuki Yato A Senior Thesis Submitted to Department of Information Science Faculty of Science The University of Tokyo on
More informationJUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson
JUST THE MATHS UNIT NUMBER 1.8 ALGEBRA 8 (Polynomials) by A.J.Hobson 1.8.1 The factor theorem 1.8.2 Application to quadratic and cubic expressions 1.8.3 Cubic equations 1.8.4 Long division of polynomials
More informationFunctions and Equations
Centre for Education in Mathematics and Computing Euclid eworkshop # Functions and Equations c 014 UNIVERSITY OF WATERLOO Euclid eworkshop # TOOLKIT Parabolas The quadratic f(x) = ax + bx + c (with a,b,c
More informationFACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z
FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization
More informationON GENERALIZED RELATIVE COMMUTATIVITY DEGREE OF A FINITE GROUP. A. K. Das and R. K. Nath
International Electronic Journal of Algebra Volume 7 (2010) 140151 ON GENERALIZED RELATIVE COMMUTATIVITY DEGREE OF A FINITE GROUP A. K. Das and R. K. Nath Received: 12 October 2009; Revised: 15 December
More informationOn the generation of elliptic curves with 16 rational torsion points by Pythagorean triples
On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples Brian Hilley Boston College MT695 Honors Seminar March 3, 2006 1 Introduction 1.1 Mazur s Theorem Let C be a
More informationContinued Fractions and the Euclidean Algorithm
Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction
More informationGalois Fields and Hardware Design
Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical
More informationA number field is a field of finite degree over Q. By the Primitive Element Theorem, any number
Number Fields Introduction A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number field K = Q(α) for some α K. The minimal polynomial Let K be a number field and
More informationFACTORING IN QUADRATIC FIELDS. 1. Introduction. This is called a quadratic field and it has degree 2 over Q. Similarly, set
FACTORING IN QUADRATIC FIELDS KEITH CONRAD For a squarefree integer d other than 1, let 1. Introduction K = Q[ d] = {x + y d : x, y Q}. This is called a quadratic field and it has degree 2 over Q. Similarly,
More informationFactorization Algorithms for Polynomials over Finite Fields
Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 20110503 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is
More informationDiscrete Mathematics, Chapter 4: Number Theory and Cryptography
Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility
More informationElementary Number Theory We begin with a bit of elementary number theory, which is concerned
CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,
More informationConstructing PairingFriendly Elliptic Curves with Embedding Degree 10.
Constructing PairingFriendly Elliptic Curves with Embedding Degree 10. David Freeman University of California, Berkeley dfreeman@math.berkeley.edu Abstract. We present a general framework for constructing
More informationI. GROUPS: BASIC DEFINITIONS AND EXAMPLES
I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called
More informationOn Bhargava s representations and Vinberg s invariant theory
On Bhargava s representations and Vinberg s invariant theory Benedict H. Gross Department of Mathematics, Harvard University Cambridge, MA 02138 gross@math.harvard.edu January, 2011 1 Introduction Manjul
More informationComputer Algebra for Computer Engineers
p.1/14 Computer Algebra for Computer Engineers Preliminaries Priyank Kalla Department of Electrical and Computer Engineering University of Utah, Salt Lake City p.2/14 Notation R: Real Numbers Q: Fractions
More informationLecture 13  Basic Number Theory.
Lecture 13  Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are nonnegative integers. We say that A divides B, denoted
More informationRow Ideals and Fibers of Morphisms
Michigan Math. J. 57 (2008) Row Ideals and Fibers of Morphisms David Eisenbud & Bernd Ulrich Affectionately dedicated to Mel Hochster, who has been an inspiration to us for many years, on the occasion
More informationIdeal Class Group and Units
Chapter 4 Ideal Class Group and Units We are now interested in understanding two aspects of ring of integers of number fields: how principal they are (that is, what is the proportion of principal ideals
More informationCHAPTER 5. Number Theory. 1. Integers and Division. Discussion
CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a
More informationMATH 361: NUMBER THEORY FIRST LECTURE
MATH 361: NUMBER THEORY FIRST LECTURE 1. Introduction As a provisional definition, view number theory as the study of the properties of the positive integers, Z + = {1, 2, 3, }. Of particular interest,
More informationRevision of ring theory
CHAPTER 1 Revision of ring theory 1.1. Basic definitions and examples In this chapter we will revise and extend some of the results on rings that you have studied on previous courses. A ring is an algebraic
More informationSome facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)
Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) In order to understand the details of the Fingerprinting Theorem on fingerprints of different texts from Chapter 19 of the
More informationUnique Factorization
Unique Factorization Waffle Mathcamp 2010 Throughout these notes, all rings will be assumed to be commutative. 1 Factorization in domains: definitions and examples In this class, we will study the phenomenon
More informationEvaluating large degree isogenies and applications to pairing based cryptography
Evaluating large degree isogenies and applications to pairing based cryptography Reinier Bröker, Denis Charles, and Kristin Lauter Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA reinierb@microsoft.com,
More informationGalois Theory III. 3.1. Splitting fields.
Galois Theory III. 3.1. Splitting fields. We know how to construct a field extension L of a given field K where a given irreducible polynomial P (X) K[X] has a root. We need a field extension of K where
More informationCONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12
CONTINUED FRACTIONS AND PELL S EQUATION SEUNG HYUN YANG Abstract. In this REU paper, I will use some important characteristics of continued fractions to give the complete set of solutions to Pell s equation.
More informationOn primeorder elliptic curves with embedding degrees k = 3, 4 and 6
On primeorder elliptic curves with embedding degrees k = 3, 4 and 6 Koray Karabina and Edlyn Teske University of Waterloo ANTS VIII, Banff, May 20, 2008 K. Karabina and E. Teske (UW) Primeorder elliptic
More informationZeros of Polynomial Functions
Review: Synthetic Division Find (x 25x  5x 3 + x 4 ) (5 + x). Factor Theorem Solve 2x 35x 2 + x + 2 =0 given that 2 is a zero of f(x) = 2x 35x 2 + x + 2. Zeros of Polynomial Functions Introduction
More informationSOLVING POLYNOMIAL EQUATIONS BY RADICALS
SOLVING POLYNOMIAL EQUATIONS BY RADICALS Lee Si Ying 1 and Zhang DeQi 2 1 Raffles Girls School (Secondary), 20 Anderson Road, Singapore 259978 2 Department of Mathematics, National University of Singapore,
More information(a) Write each of p and q as a polynomial in x with coefficients in Z[y, z]. deg(p) = 7 deg(q) = 9
Homework #01, due 1/20/10 = 9.1.2, 9.1.4, 9.1.6, 9.1.8, 9.2.3 Additional problems for study: 9.1.1, 9.1.3, 9.1.5, 9.1.13, 9.2.1, 9.2.2, 9.2.4, 9.2.5, 9.2.6, 9.3.2, 9.3.3 9.1.1 (This problem was not assigned
More informationHYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS. 1. Thoery and Algorithm
HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS WENHAN WANG 1. Thoery and Algorithm The idea of the method using hyperelliptic curves to factor integers is similar to the elliptic curve factoring method.
More informationCryptography: RSA and the discrete logarithm problem
Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:
More informationOn Near PrimeOrder Elliptic Curves with Small Embedding Degrees
On Near PrimeOrder Elliptic Curves with Small Embedding Degrees DucPhong Le, Nadia El Mrabet, Tan Chik How To cite this version: DucPhong Le, Nadia El Mrabet, Tan Chik How. On Near PrimeOrder Elliptic
More informationA CRT ALGORITHM FOR CONSTRUCTING GENUS 2 CURVES OVER FINITE FIELDS. Kirsten Eisenträger & Kristin Lauter
A CRT ALGORITHM FOR CONSTRUCTING GENUS 2 CURVES OVER FINITE FIELDS by Kirsten Eisenträger & Kristin Lauter Abstract. We present a new method for constructing genus 2 curves over a finite field F n with
More information5.1 The Remainder and Factor Theorems; Synthetic Division
5.1 The Remainder and Factor Theorems; Synthetic Division In this section you will learn to: understand the definition of a zero of a polynomial function use long and synthetic division to divide polynomials
More informationFACTORING CERTAIN INFINITE ABELIAN GROUPS BY DISTORTED CYCLIC SUBSETS
International Electronic Journal of Algebra Volume 6 (2009) 95106 FACTORING CERTAIN INFINITE ABELIAN GROUPS BY DISTORTED CYCLIC SUBSETS Sándor Szabó Received: 11 November 2008; Revised: 13 March 2009
More information