# EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH COMPLEX MULTIPLICATION CHRISTIAN ROBENHAGEN RAVNSHØJ Abstract. Consider the Jacobian of a genus two curve defined over a finite field and with complex multiplication. In this paper we show that if the l-sylow subgroup of the Jacobian is not cyclic, then the embedding degree of the Jacobian with respect to l is one. 1. Introduction In elliptic curve cryptography it is essential to know the number of points on the curve. Cryptographically we are interested in elliptic curves with large cyclic subgroups. Such elliptic curves can be constructed. The construction is based on the theory of complex multiplication, studied in detail by Atkin and Morain (1993). It is referred to as the CM method. Koblitz (1989) suggested the use of hyperelliptic curves to provide larger group orders. Therefore constructions of hyperelliptic curves are interesting. The CM method for elliptic curves has been generalized to hyperelliptic curves of genus two by Spallek (1994), and efficient algorithms have been proposed by Weng (003) and Gaudry et al (005). Both algorithms take as input a primitive, quartic CM field K (see section 3 for the definition of a CM field), and give as output a hyperelliptic genus two curve C defined over a prime field F p. A prime number p is chosen such that p = xx for a number x O K, where O K is the ring of integers of K. We have K = Q(η) and K R = Q( D), where η = i a + bξ and { 1+ D ξ =, if D 1 mod 4, D, if D, 3 mod 4. In this paper, the following theorem is established. Theorem 1. Let C be a hyperelliptic curve of genus two defined over F p with End(C) O K, where K is a primitive, quartic CM field as defined in definition 6. Assume that the p-power Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where ξ and η are given as above and c i Z. Consider a prime number l J C (F p ) with l p, l D and l c. Assume that the l-sylow subgroup of J C (F p ) is not cyclic. Then p 1 mod l, i.e. the embedding degree of J C (F p ) with respect to l is one. Date: May 10, 007. The author is a PhD-student at the Department of Mathematical Sciences, University of Aarhus. 000 Mathematics Subject Classification. Primary 14H40; Secondary 11G15, 14Q05, 94A60. Key words and phrases. Jacobians, hyperelliptic curves, complex multiplication, cryptography. Research supported in part by a PhD grant from CRYPTOMAThIC. 1

2 C.R. RAVNSHØJ. Hyperelliptic curves A hyperelliptic curve is a smooth, projective curve C P n of genus at least two with a separable, degree two morphism φ : C P 1. Let C be a hyperelliptic curve of genus two defined over a prime field F p of characteristic p >. By the Riemann-Roch theorem there exists an embedding ψ : C P, mapping C to a curve given by an equation of the form y = f(x), where f F p [x] is of degree six and have no multiple roots (see Cassels and Flynn, 1996, chapter 1). The set of principal divisors P(C) on C constitutes a subgroup of the degree 0 divisors Div 0 (C). The Jacobian J C of C is defined as the quotient J C = Div 0 (C)/P(C). Let l p be a prime number. The l n -torsion subgroup J C [l n ] < J C of elements of order dividing l n is then (Lang, 1959, theorem 6, p. 109) (1) J C [l n ] Z/l n Z Z/l n Z Z/l n Z Z/l n Z, i.e. J C [l n ] is a Z/l n Z-module of rank four. The order of p modulo l plays an important role in cryptography. Definition (Embedding degree). Consider a prime number l dividing the order of J C (F p ), where l is different from p. The embedding degree of J C (F p ) with respect to l is the least number k, such that p k 1 mod l. An endomorphism ϕ : J C J C induces a Z l -linear map ϕ l : T l (J C ) T l (J C ) on the l-adic Tate-module T l (J C ) of J C (Lang, 1959, chapter VII, 1). The map ϕ l is given by ϕ as described in the following diagram:... J C [l n+1 ] J C [l n ]... ϕ ϕ... J C [l n+1 ] J C [l n ]... Here, the horizontal maps are the multiplication-by-l map. Hence, ϕ is represented by a matrix M Mat 4 4 (Z/lZ) on J C. Let P (X) Z[X] be the characteristic polynomial of ϕ (see Lang, 1959, pp ), and let P M (X) (Z/lZ)[X] be the characteristic polynomial of the restriction of ϕ to J C. Then (Lang, 1959, theorem 3, p. 186) () P (X) P M (X) mod l. Since C is defined over F p, the mapping (x, y) (x p, y p ) is an isogeny on C. This isogeny induces the p-power Frobenius endomorphism ϕ on the Jacobian J C. The characteristic polynomial P (X) of ϕ is of degree four (Tate, 1966, theorem, p. 140), and by the definition of P (X) (see Lang, 1959, pp ), J C (F p ) = P (1), i.e. the number of F p -rational elements of the Jacobian is determined by P (X).

3 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 3 3. CM fields An elliptic curve E with Z End(E) is said to have complex multiplication. Let K be an imaginary, quadratic number field with ring of integers O K. K is a CM field, and if End(E) O K, then E is said to have CM by O K. More generally a CM field is defined as follows. Definition 3 (CM field). A number field K is a CM field, if K is a totally imaginary, quadratic extension of a totally real number field K 0. In this paper only CM fields of degree [K : Q] = 4 are considered. Such a field is called a quartic CM field. Remark 4. Consider a quartic CM field K. Let K 0 = K R be the real subfield of K. Then K 0 is a real, quadratic number field, K 0 = Q( D). By a basic result on quadratic number fields, the ring of integers of K 0 is given by O K0 = Z + ξz, where { 1+ D ξ =, if D 1 mod 4, D, if D, 3 mod 4. Since K is a totally imaginary, quadratic extension of K 0, a number η K exists, such that K = K 0 (η), η K 0. The number η is totally imaginary, and we may assume that η = iη 0, η 0 R. Furthermore we may assume that η O K0 ; so η = i a + bξ, where a, b Z. Let C be a hyperelliptic curve of genus two. Then C is said to have CM by O K, if End(C) O K. The structure of K determines whether C is irreducible. More precisely, the following theorem holds. Theorem 5. Let C be a hyperelliptic curve of genus two with End(C) O K, where K is a quartic CM field. Then C is reducible if, and only if, K/Q is Galois with Galois group Gal(K/Q) Z/Z Z/Z. Proof. (Shimura, 1998, proposition 6, p. 61). Theorem 5 motivates the following definition. Definition 6 (Primitive, quartic CM field). A quartic CM field K is called primitive if either K/Q is not Galois, or K/Q is Galois with cyclic Galois group. The CM method for constructing curves of genus two with prescribed endomorphism ring is described in detail by Weng (003) and Gaudry et al (005). In short, the CM method is based on the construction of the class polynomials of a primitive, quartic CM field K with real subfield K 0 of class number h(k 0 ) = 1. The prime number p has to be chosen such that p = xx for a number x O K. By Weng (003) we may assume that x O K0 + ηo K0. 4. Properties of J C (F p ) Consider a primitive, quartic CM field K with real subfield K 0 of class number h(k 0 ) = 1, and let p be an uneven prime number such that p = xx for a number x O K0 + ηo K0. The main result of this paper, given by the following theorem, concerns a curve of genus two with O K as endomorphism ring.

4 4 C.R. RAVNSHØJ Theorem 7. With the notation as in remark 4, let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Assume that the p-power Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where c i Z. Consider a prime number l J C (F p ) with l p, l D and l c. Assume that the l-sylow subgroup of J C (F p ) is not cyclic. Then p 1 mod l, i.e. the embedding degree of J C (F p ) with respect to l is one. Proof. Consider a prime number l J C (F p ) with l pc D. If l =, then obviously p 1 mod l. Hence we may assume that l. Assume that the l-sylow subgroup S of J C (F p ) is not cyclic. Then S contains a subgroup U (Z/lZ). So (Z/lZ) < J C (F p ) < J C. Let {e 1, e } J C (F p ) be a basis of (Z/lZ). Expand by the isomorphism (1) this set to a basis {e 1, e, f 1, f } of J C. It then follows that 1 is an eigenvalue of the Frobenius with eigenvectors e 1 and e, i.e. 1 is an eigenvalue of multiplicity at least two. First we assume that D, 3 mod l. Let P (X) be the characteristic polynomial of the Frobenius. Since the conjugates of ω are given by ω 1 = ω, ω = ω 1, ω 3 and ω 4 = ω 3, where ω 3 = c 1 c D + i(c3 c 4 D) a b D, it follows that 4 P (X) = (X ω i ) = X 4 4c 1 X 3 + (p + 4(c 1 c D))X 4c 1 px + p. i=1 Since 1 is an eigenvalue of the Frobenius of multiplicity at least two, the characteristic polynomial P (X) is divisible by (X 1) modulo l. Now, where P (X) = Q(X) (X 1) + R(X), R(X) = 4(1 3c 1 (c 1 1)p + (c 1 c D))X Since R(X) 0 mod l, it follows that + p p 4(c 1 c D) + 8c 1 3. (3) 1 3c 1 (c 1 1)p + (c 1 c D) 0 mod l. Since J C (F p ) = P (1), we know that (4) (p + 1) 4c 1 (p + 1) + 4(c 1 c D) 0 mod l. By equation (3) we see that 4(c 1 c D) (c 1 1)p +6c 1 this into equation (4) we get (p + 1) 4c 1 (p + 1) + (c 1 1)p + 6c 1 0 mod l; mod l. Substituting so either p 1 mod l or p c 1 1 mod l. Assume p c 1 1 mod l. Then R(X) 4c D( X + 1) 0 mod l. Since l c D, this is a contradiction. So if D, 3 mod 4, then p 1 mod l.

5 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 5 Now consider the case D 1 mod 4. We now have 1 ( D 1 ) D ω 3 = c 1 + c + i c 3 + c 4 a + b 1 D, and it follows that the characteristic polynomial of the Frobenius is given by P (X) = X 4 cx 3 + (p + c c d)x pcx + p, where c = c 1 + c. We see that P (X) = Q(X)(X 1) + R(X), where R(X) = ((4 c)p + c 6c c D + 4)X + p p 3 + 4c c + c D. Since R(X) 0 mod l, it follows that (5) p p 3 + 4c c + c D 0 mod l, and since J C (F p ) = P (1), we know that (6) (p + 1) c(p + 1) + c c D 0 mod l. From equation (5) and (6) it follows that p cp + c 1 0 mod l, i.e. p 1 mod l or p c 1 mod l. Assume p c 1 mod l. Then R(X) c D( X + 1) 0 mod l, again a contradiction. So if D 1 mod 4, then p 1 mod l. Consider the case l c. Then the characteristic polynomial of the Frobenius modulo l is given by P (X) (X c 1 X + p) mod l, independently of the remainder of D modulo 4. Observe that X c 1 X + p = (X + 1 c 1 )(X 1) + p c Hence, p c 1 1 mod l, i.e. So the following theorem holds. P (X) (X 1) (X p) mod l. Theorem 8. With the notation as in remark 4, let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Assume that the p-power Frobenius under this isomorphism is given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, where c i Z. Consider a prime number l J C (F p ) with l p, l c. Assume that the l-sylow subgroup of J C (F p ) is not cyclic. Then either (1) J C (F p ) (Z/lZ), or () p 1 mod l and J C (F p ) = J C. Proof. If p 1 mod l, then 1 is not an eigenvalue of the Frobenius of multiplicity three, i.e. J C (F p ) (Z/lZ). If p 1 mod l, then 1 is an eigenvalue of the Frobenius of multiplicity four, i.e. J C (F p ) = J C.

6 6 C.R. RAVNSHØJ 5. Applications Let C be a hyperelliptic curve of genus two defined over F p with End(C) O K. Write (7) J C (F p ) Z/n 1 Z Z/n Z Z/n 3 Z Z/n 4 Z, where n i n i+1 and n p 1 (see Frey and Lange, 006, proposition 5.78, p. 111). We recall the following result on the prime divisors of the number n. Theorem 9. With the notion as above, let l n be an odd prime number. Then l Q, where if D, 3 Q = max{a, D, a b D}, mod 4, and Q = max{a, D, 4a(a + b) b (D 1), ad + b(d 1)}, if D 1 mod 4. If l > D, then c 1 1 mod l and c 0 mod l. Proof. Ravnshøj (007a). Let the Frobenius be given by the number ω = c 1 + c ξ + (c 3 + c 4 ξ)η, c i Z, and consider a prime number l J C (F p ), l p. Corollary 1. If l c and l > Q, then the l-sylow subgroup S of J C (F p ) is either of rank two and p 1 mod l, or S is cyclic. By Ravnshøj (007b), if p 1 mod l, then there exists an efficient, probabilistic algorithm to determine generators of the l-sylow subgroup of J C (F p ). Hence the following corollary holds. Corollary. If l D and l c, then there exists an efficient, probabilistic algorithm to determine generators of the l-sylow subgroup S of J C (F p ). Proof. If p 1 mod l, then the corollary is given by Ravnshøj (007b). If p 1 mod l, then S is cyclic by theorem 7. Assume S = l n. Then S has l n l n 1 elements of order l n. Hence the probability that a random element σ S generates S is 1 l 1, and choosing random elements σ S until an element of order l n is found will be an efficient, probabilistic algorithm to determine generators of S. 6. Acknowledgement I would like to thank my supervisor Johan P. Hansen for inspiration on theorem 8. References A.O.L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., vol. 61, pp. 9 68, J.W.S. Cassels and E.V. Flynn. Prolegomena to a Middlebrow Arithmetic of Curves of Genus. London Mathematical Society Lecture Note Series. Cambridge University Press, G. Frey and T. Lange. Varieties over Special Fields. In H. Cohen and G. Frey, editors, Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp Chapman & Hall/CRC, 006. P. Gaudry, T. Houtmann, D. Kohel, C. Ritzenthaler and A. Weng. The p-adic CM-Method for Genus

7 EMBEDDING DEGREE OF HYPERELLIPTIC CURVES WITH CM 7 N. Koblitz. Hyperelliptic cryptosystems. J. Cryptology, vol. 1, pp , S. Lang. Abelian Varieties. Interscience, C.R. Ravnshøj. Large Cyclic Subgroups of Jacobians of Hyperelliptic Curves. 007a. C.R. Ravnshøj. Generators of Jacobians of Hyperelliptic Curves. 007b. http: //arxiv.org. G. Shimura. Abelian Varieties with Complex Multiplication and Modular Functions. Princeton University Press, A.-M. Spallek. Kurven vom Geschlecht und ihre Anwendung in Public-Key- Kryptosystemen. Ph.D. thesis, Institut für Experimentelle Mathematik, Universität GH Essen, J. Tate. Endomorphisms of abelian varieties over finite fields. Invent. Math., vol., pp , A. Weng. Constructing hyperelliptic curves of genus suitable for cryptography. Math. Comp., vol. 7, pp , 003. Department of Mathematical Sciences, University of Aarhus, Ny Munkegade, Building 1530, DK-8000 Aarhus C address:

### ON GALOIS REALIZATIONS OF THE 2-COVERABLE SYMMETRIC AND ALTERNATING GROUPS

ON GALOIS REALIZATIONS OF THE 2-COVERABLE SYMMETRIC AND ALTERNATING GROUPS DANIEL RABAYEV AND JACK SONN Abstract. Let f(x) be a monic polynomial in Z[x] with no rational roots but with roots in Q p for

### SOLVING POLYNOMIAL EQUATIONS

C SOLVING POLYNOMIAL EQUATIONS We will assume in this appendix that you know how to divide polynomials using long division and synthetic division. If you need to review those techniques, refer to an algebra

### (x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

### Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

### calculating the result modulo 3, as follows: p(0) = 0 3 + 0 + 1 = 1 0,

Homework #02, due 1/27/10 = 9.4.1, 9.4.2, 9.4.5, 9.4.6, 9.4.7. Additional problems recommended for study: (9.4.3), 9.4.4, 9.4.9, 9.4.11, 9.4.13, (9.4.14), 9.4.17 9.4.1 Determine whether the following polynomials

### Introduction to Finite Fields (cont.)

Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number

### The Brauer Manin obstruction for curves having split Jacobians

Journal de Théorie des Nombres de Bordeaux 00 (XXXX), 000 000 The Brauer Manin obstruction for curves having split Jacobians par Samir SIKSEK Résumé. Soit X A un morphism (qui n est pas constant) d une

### NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES Ounasser Abid 1, Jaouad Ettanfouhi 2 and Omar Khadir 3 1,2,3 Laboratory of Mathematics, Cryptography and Mechanics, Department of Mathematics, Fstm,

### CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

January 10, 2010 CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY The set of polynomials over a field F is a ring, whose structure shares with the ring of integers many characteristics.

### Alex, I will take congruent numbers for one million dollars please

Alex, I will take congruent numbers for one million dollars please Jim L. Brown The Ohio State University Columbus, OH 4310 jimlb@math.ohio-state.edu One of the most alluring aspectives of number theory

### some algebra prelim solutions

some algebra prelim solutions David Morawski August 19, 2012 Problem (Spring 2008, #5). Show that f(x) = x p x + a is irreducible over F p whenever a F p is not zero. Proof. First, note that f(x) has no

### 7. Some irreducible polynomials

7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of

### 3 1. Note that all cubes solve it; therefore, there are no more

Math 13 Problem set 5 Artin 11.4.7 Factor the following polynomials into irreducible factors in Q[x]: (a) x 3 3x (b) x 3 3x + (c) x 9 6x 6 + 9x 3 3 Solution: The first two polynomials are cubics, so if

### Chapter 13: Basic ring theory

Chapter 3: Basic ring theory Matthew Macauley Department of Mathematical Sciences Clemson University http://www.math.clemson.edu/~macaule/ Math 42, Spring 24 M. Macauley (Clemson) Chapter 3: Basic ring

### ALGORITHMS FOR ALGEBRAIC CURVES

ALGORITHMS FOR ALGEBRAIC CURVES SUMMARY OF LECTURE 4 1. SCHOOF S ALGORITHM Let K be a finite field with q elements. Let p be its characteristic. Let X be an elliptic curve over K. To simplify we assume

### A Minkowski-style bound for the orders of the finite subgroups of the Cremona group of rank 2 over an arbitrary field.

A Minkowski-style bound for the orders of the finite subgroups of the Cremona group of rank 2 over an arbitrary field Jean-Pierre Serre Let k be a field. Let Cr(k) be the Cremona group of rank 2 over k,

### it is easy to see that α = a

21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

### International Journal of Information Technology, Modeling and Computing (IJITMC) Vol.1, No.3,August 2013

FACTORING CRYPTOSYSTEM MODULI WHEN THE CO-FACTORS DIFFERENCE IS BOUNDED Omar Akchiche 1 and Omar Khadir 2 1,2 Laboratory of Mathematics, Cryptography and Mechanics, Fstm, University of Hassan II Mohammedia-Casablanca,

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### Constructing Elliptic Curves with Prescribed Embedding Degrees

Constructing Elliptic Curves with Prescribed Embedding Degrees Paulo S. L. M. Barreto 1, Ben Lynn 2, and Michael Scott 3 1 Laboratório de Arquitetura e Redes de Computadores (LARC), Escola Politécnica,

### Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10

with Embedding Degree 10 University of California, Berkeley, USA ANTS-VII, 2006 Outline 1 Introduction 2 The CM Method: The Basic Construction The CM Method: Generating Families of Curves 3 Outline 1 Introduction

### Galois representations with open image

Galois representations with open image Ralph Greenberg University of Washington Seattle, Washington, USA May 7th, 2011 Introduction This talk will be about representations of the absolute Galois group

### 3.6 The Real Zeros of a Polynomial Function

SECTION 3.6 The Real Zeros of a Polynomial Function 219 3.6 The Real Zeros of a Polynomial Function PREPARING FOR THIS SECTION Before getting started, review the following: Classification of Numbers (Appendix,

### The van Hoeij Algorithm for Factoring Polynomials

The van Hoeij Algorithm for Factoring Polynomials Jürgen Klüners Abstract In this survey we report about a new algorithm for factoring polynomials due to Mark van Hoeij. The main idea is that the combinatorial

### The Division Algorithm for Polynomials Handout Monday March 5, 2012

The Division Algorithm for Polynomials Handout Monday March 5, 0 Let F be a field (such as R, Q, C, or F p for some prime p. This will allow us to divide by any nonzero scalar. (For some of the following,

### Lecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic. Theoretical Underpinnings of Modern Cryptography

Lecture 6: Finite Fields (PART 3) PART 3: Polynomial Arithmetic Theoretical Underpinnings of Modern Cryptography Lecture Notes on Computer and Network Security by Avi Kak (kak@purdue.edu) January 29, 2015

### The Dirichlet Unit Theorem

Chapter 6 The Dirichlet Unit Theorem As usual, we will be working in the ring B of algebraic integers of a number field L. Two factorizations of an element of B are regarded as essentially the same if

### Primality - Factorization

Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

### A New Generic Digital Signature Algorithm

Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### Finite Fields and Error-Correcting Codes

Lecture Notes in Mathematics Finite Fields and Error-Correcting Codes Karl-Gustav Andersson (Lund University) (version 1.013-16 September 2015) Translated from Swedish by Sigmundur Gudmundsson Contents

### Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

### Research Article On the Rank of Elliptic Curves in Elementary Cubic Extensions

Numbers Volume 2015, Article ID 501629, 4 pages http://dx.doi.org/10.1155/2015/501629 Research Article On the Rank of Elliptic Curves in Elementary Cubic Extensions Rintaro Kozuma College of International

### Faster Cryptographic Key Exchange on Hyperelliptic Curves

Faster Cryptographic Key Exchange on Hyperelliptic Curves No Author Given No Institute Given Abstract. We present a key exchange procedure based on divisor arithmetic for the real model of a hyperelliptic

### Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013

Module MA3411: Abstract Algebra Galois Theory Appendix Michaelmas Term 2013 D. R. Wilkins Copyright c David R. Wilkins 1997 2013 Contents A Cyclotomic Polynomials 79 A.1 Minimum Polynomials of Roots of

### Factoring of Prime Ideals in Extensions

Chapter 4 Factoring of Prime Ideals in Extensions 4. Lifting of Prime Ideals Recall the basic AKLB setup: A is a Dedekind domain with fraction field K, L is a finite, separable extension of K of degree

### Monogenic Fields and Power Bases Michael Decker 12/07/07

Monogenic Fields and Power Bases Michael Decker 12/07/07 1 Introduction Let K be a number field of degree k and O K its ring of integers Then considering O K as a Z-module, the nicest possible case is

### H/wk 13, Solutions to selected problems

H/wk 13, Solutions to selected problems Ch. 4.1, Problem 5 (a) Find the number of roots of x x in Z 4, Z Z, any integral domain, Z 6. (b) Find a commutative ring in which x x has infinitely many roots.

### ADDITIVE GROUPS OF RINGS WITH IDENTITY

ADDITIVE GROUPS OF RINGS WITH IDENTITY SIMION BREAZ AND GRIGORE CĂLUGĂREANU Abstract. A ring with identity exists on a torsion Abelian group exactly when the group is bounded. The additive groups of torsion-free

### = 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without

### Characterizing the Sum of Two Cubes

1 3 47 6 3 11 Journal of Integer Sequences, Vol. 6 (003), Article 03.4.6 Characterizing the Sum of Two Cubes Kevin A. Broughan University of Waikato Hamilton 001 New Zealand kab@waikato.ac.nz Abstract

### Quotient Rings and Field Extensions

Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

### Cyclotomic Extensions

Chapter 7 Cyclotomic Extensions A cyclotomic extension Q(ζ n ) of the rationals is formed by adjoining a primitive n th root of unity ζ n. In this chapter, we will find an integral basis and calculate

### 9. POLYNOMIALS. Example 1: The expression a(x) = x 3 4x 2 + 7x 11 is a polynomial in x. The coefficients of a(x) are the numbers 1, 4, 7, 11.

9. POLYNOMIALS 9.1. Definition of a Polynomial A polynomial is an expression of the form: a(x) = a n x n + a n-1 x n-1 +... + a 1 x + a 0. The symbol x is called an indeterminate and simply plays the role

### The Chebotarev Density Theorem

The Chebotarev Density Theorem Hendrik Lenstra 1. Introduction Consider the polynomial f(x) = X 4 X 2 1 Z[X]. Suppose that we want to show that this polynomial is irreducible. We reduce f modulo a prime

### Galois Theory, First Edition

Galois Theory, First Edition David A. Cox, published by John Wiley & Sons, 2004 Errata as of September 18, 2012 This errata sheet is organized by which printing of the book you have. The printing can be

### PUTNAM TRAINING POLYNOMIALS. Exercises 1. Find a polynomial with integral coefficients whose zeros include 2 + 5.

PUTNAM TRAINING POLYNOMIALS (Last updated: November 17, 2015) Remark. This is a list of exercises on polynomials. Miguel A. Lerma Exercises 1. Find a polynomial with integral coefficients whose zeros include

### minimal polyonomial Example

Minimal Polynomials Definition Let α be an element in GF(p e ). We call the monic polynomial of smallest degree which has coefficients in GF(p) and α as a root, the minimal polyonomial of α. Example: We

### SECRET sharing schemes were introduced by Blakley [5]

206 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006 Secret Sharing Schemes From Three Classes of Linear Codes Jin Yuan Cunsheng Ding, Senior Member, IEEE Abstract Secret sharing has

### Study of algorithms for factoring integers and computing discrete logarithms

Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department

### On the largest prime factor of x 2 1

On the largest prime factor of x 2 1 Florian Luca and Filip Najman Abstract In this paper, we find all integers x such that x 2 1 has only prime factors smaller than 100. This gives some interesting numerical

### Factoring Polynomials

Factoring Polynomials Sue Geller June 19, 2006 Factoring polynomials over the rational numbers, real numbers, and complex numbers has long been a standard topic of high school algebra. With the advent

### Non-unique factorization of polynomials over residue class rings of the integers

Comm. Algebra 39(4) 2011, pp 1482 1490 Non-unique factorization of polynomials over residue class rings of the integers Christopher Frei and Sophie Frisch Abstract. We investigate non-unique factorization

### a 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)

ROOTS OF POLYNOMIAL EQUATIONS In this unit we discuss polynomial equations. A polynomial in x of degree n, where n 0 is an integer, is an expression of the form P n (x) =a n x n + a n 1 x n 1 + + a 1 x

### Lecture Notes on Polynomials

Lecture Notes on Polynomials Arne Jensen Department of Mathematical Sciences Aalborg University c 008 Introduction These lecture notes give a very short introduction to polynomials with real and complex

### ON THE NUMBER OF REAL HYPERSURFACES HYPERTANGENT TO A GIVEN REAL SPACE CURVE

Illinois Journal of Mathematics Volume 46, Number 1, Spring 2002, Pages 145 153 S 0019-2082 ON THE NUMBER OF REAL HYPERSURFACES HYPERTANGENT TO A GIVEN REAL SPACE CURVE J. HUISMAN Abstract. Let C be a

### 1 = (a 0 + b 0 α) 2 + + (a m 1 + b m 1 α) 2. for certain elements a 0,..., a m 1, b 0,..., b m 1 of F. Multiplying out, we obtain

Notes on real-closed fields These notes develop the algebraic background needed to understand the model theory of real-closed fields. To understand these notes, a standard graduate course in algebra is

### EXERCISES FOR THE COURSE MATH 570, FALL 2010

EXERCISES FOR THE COURSE MATH 570, FALL 2010 EYAL Z. GOREN (1) Let G be a group and H Z(G) a subgroup such that G/H is cyclic. Prove that G is abelian. Conclude that every group of order p 2 (p a prime

### ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS John A. Beachy Northern Illinois University 2014 ii J.A.Beachy This is a supplement to Abstract Algebra, Third Edition by John A. Beachy and William D. Blair

### A DETERMINATION OF ALL NORMAL DIVISION ALGEBRAS OVER AN ALGEBRAIC NUMBER FIELD*

A DETERMINATION OF ALL NORMAL DIVISION ALGEBRAS OVER AN ALGEBRAIC NUMBER FIELD* BY A. ADRIAN ALBERT AND HELMUT HASSE t 1. Introduction. The principal problem in the theory of linear algebras is that of

### Introduction to finite fields

Introduction to finite fields Topics in Finite Fields (Fall 2013) Rutgers University Swastik Kopparty Last modified: Monday 16 th September, 2013 Welcome to the course on finite fields! This is aimed at

### On near prime-order elliptic curves with small embedding degrees

On near prime-order elliptic curves with small embedding degrees Duc-Phong Le 1, Nadia El Mrabet 2, and Chik How Tan 1 1 Temasek Laboratories, National University of Singapore {tslld,tsltch}@nus.edu.sg

### STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION. Takayuki Yato. A Senior Thesis. Submitted to

STUDY ON ELLIPTIC AND HYPERELLIPTIC CURVE METHODS FOR INTEGER FACTORIZATION by Takayuki Yato A Senior Thesis Submitted to Department of Information Science Faculty of Science The University of Tokyo on

### JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

JUST THE MATHS UNIT NUMBER 1.8 ALGEBRA 8 (Polynomials) by A.J.Hobson 1.8.1 The factor theorem 1.8.2 Application to quadratic and cubic expressions 1.8.3 Cubic equations 1.8.4 Long division of polynomials

### Functions and Equations

Centre for Education in Mathematics and Computing Euclid eworkshop # Functions and Equations c 014 UNIVERSITY OF WATERLOO Euclid eworkshop # TOOLKIT Parabolas The quadratic f(x) = ax + bx + c (with a,b,c

### FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

### ON GENERALIZED RELATIVE COMMUTATIVITY DEGREE OF A FINITE GROUP. A. K. Das and R. K. Nath

International Electronic Journal of Algebra Volume 7 (2010) 140-151 ON GENERALIZED RELATIVE COMMUTATIVITY DEGREE OF A FINITE GROUP A. K. Das and R. K. Nath Received: 12 October 2009; Revised: 15 December

### On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples

On the generation of elliptic curves with 16 rational torsion points by Pythagorean triples Brian Hilley Boston College MT695 Honors Seminar March 3, 2006 1 Introduction 1.1 Mazur s Theorem Let C be a

### Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

### Galois Fields and Hardware Design

Galois Fields and Hardware Design Construction of Galois Fields, Basic Properties, Uniqueness, Containment, Closure, Polynomial Functions over Galois Fields Priyank Kalla Associate Professor Electrical

### A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number

Number Fields Introduction A number field is a field of finite degree over Q. By the Primitive Element Theorem, any number field K = Q(α) for some α K. The minimal polynomial Let K be a number field and

### FACTORING IN QUADRATIC FIELDS. 1. Introduction. This is called a quadratic field and it has degree 2 over Q. Similarly, set

FACTORING IN QUADRATIC FIELDS KEITH CONRAD For a squarefree integer d other than 1, let 1. Introduction K = Q[ d] = {x + y d : x, y Q}. This is called a quadratic field and it has degree 2 over Q. Similarly,

### Factorization Algorithms for Polynomials over Finite Fields

Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10.

Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. David Freeman University of California, Berkeley dfreeman@math.berkeley.edu Abstract. We present a general framework for constructing

### I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

### On Bhargava s representations and Vinberg s invariant theory

On Bhargava s representations and Vinberg s invariant theory Benedict H. Gross Department of Mathematics, Harvard University Cambridge, MA 02138 gross@math.harvard.edu January, 2011 1 Introduction Manjul

### Computer Algebra for Computer Engineers

p.1/14 Computer Algebra for Computer Engineers Preliminaries Priyank Kalla Department of Electrical and Computer Engineering University of Utah, Salt Lake City p.2/14 Notation R: Real Numbers Q: Fractions

### Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

### Row Ideals and Fibers of Morphisms

Michigan Math. J. 57 (2008) Row Ideals and Fibers of Morphisms David Eisenbud & Bernd Ulrich Affectionately dedicated to Mel Hochster, who has been an inspiration to us for many years, on the occasion

### Ideal Class Group and Units

Chapter 4 Ideal Class Group and Units We are now interested in understanding two aspects of ring of integers of number fields: how principal they are (that is, what is the proportion of principal ideals

### CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

### MATH 361: NUMBER THEORY FIRST LECTURE

MATH 361: NUMBER THEORY FIRST LECTURE 1. Introduction As a provisional definition, view number theory as the study of the properties of the positive integers, Z + = {1, 2, 3, }. Of particular interest,

### Revision of ring theory

CHAPTER 1 Revision of ring theory 1.1. Basic definitions and examples In this chapter we will revise and extend some of the results on rings that you have studied on previous courses. A ring is an algebraic

### Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) In order to understand the details of the Fingerprinting Theorem on fingerprints of different texts from Chapter 19 of the

### Unique Factorization

Unique Factorization Waffle Mathcamp 2010 Throughout these notes, all rings will be assumed to be commutative. 1 Factorization in domains: definitions and examples In this class, we will study the phenomenon

### Evaluating large degree isogenies and applications to pairing based cryptography

Evaluating large degree isogenies and applications to pairing based cryptography Reinier Bröker, Denis Charles, and Kristin Lauter Microsoft Research, One Microsoft Way, Redmond, WA 98052, USA reinierb@microsoft.com,

### Galois Theory III. 3.1. Splitting fields.

Galois Theory III. 3.1. Splitting fields. We know how to construct a field extension L of a given field K where a given irreducible polynomial P (X) K[X] has a root. We need a field extension of K where

### CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

CONTINUED FRACTIONS AND PELL S EQUATION SEUNG HYUN YANG Abstract. In this REU paper, I will use some important characteristics of continued fractions to give the complete set of solutions to Pell s equation.

### On prime-order elliptic curves with embedding degrees k = 3, 4 and 6

On prime-order elliptic curves with embedding degrees k = 3, 4 and 6 Koray Karabina and Edlyn Teske University of Waterloo ANTS VIII, Banff, May 20, 2008 K. Karabina and E. Teske (UW) Prime-order elliptic

### Zeros of Polynomial Functions

Review: Synthetic Division Find (x 2-5x - 5x 3 + x 4 ) (5 + x). Factor Theorem Solve 2x 3-5x 2 + x + 2 =0 given that 2 is a zero of f(x) = 2x 3-5x 2 + x + 2. Zeros of Polynomial Functions Introduction

### SOLVING POLYNOMIAL EQUATIONS BY RADICALS

SOLVING POLYNOMIAL EQUATIONS BY RADICALS Lee Si Ying 1 and Zhang De-Qi 2 1 Raffles Girls School (Secondary), 20 Anderson Road, Singapore 259978 2 Department of Mathematics, National University of Singapore,

### (a) Write each of p and q as a polynomial in x with coefficients in Z[y, z]. deg(p) = 7 deg(q) = 9

Homework #01, due 1/20/10 = 9.1.2, 9.1.4, 9.1.6, 9.1.8, 9.2.3 Additional problems for study: 9.1.1, 9.1.3, 9.1.5, 9.1.13, 9.2.1, 9.2.2, 9.2.4, 9.2.5, 9.2.6, 9.3.2, 9.3.3 9.1.1 (This problem was not assigned

### HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS. 1. Thoery and Algorithm

HYPERELLIPTIC CURVE METHOD FOR FACTORING INTEGERS WENHAN WANG 1. Thoery and Algorithm The idea of the method using hyperelliptic curves to factor integers is similar to the elliptic curve factoring method.

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### On Near Prime-Order Elliptic Curves with Small Embedding Degrees

On Near Prime-Order Elliptic Curves with Small Embedding Degrees Duc-Phong Le, Nadia El Mrabet, Tan Chik How To cite this version: Duc-Phong Le, Nadia El Mrabet, Tan Chik How. On Near Prime-Order Elliptic

### A CRT ALGORITHM FOR CONSTRUCTING GENUS 2 CURVES OVER FINITE FIELDS. Kirsten Eisenträger & Kristin Lauter

A CRT ALGORITHM FOR CONSTRUCTING GENUS 2 CURVES OVER FINITE FIELDS by Kirsten Eisenträger & Kristin Lauter Abstract. We present a new method for constructing genus 2 curves over a finite field F n with