Elliptic Curve Cryptography
(Midterm, 2009 Spring, 交大資工所)
(請按順序作答, 並列出演算過程)
Time: 13:00-15:30 4/28/2009
Venue: EC122
7 problems and 117 points in total
[1] Let E be the elliptic curve E: y2 = x3 + 2x + 4 over F13 and P = (2,4).
(a) List all points on E(Fp). (8 points)
(b) Calculate 2P. (4 points)
(c) Calculate 3P. (4 points)
(d) Find another elliptic curve E2: y2 = x3 + ax + b over F13, (find a suitable pair
(a, b)) such that E(F13) ≅ E2(F13). And explain why your solution is
correct.
(6 points)
[2] Let E be an elliptic curve over F211. Perform Schoof’s algorithm, we get the trace
1 (mod 2)
a ≡ {2 (mod 3)
3 (mod 5)
(a) Solve the above equation to find #E(F211). (7 points)
̅̅̅̅̅̅
(b) Among E(F
211 ), how many points of P satisfying ϕ211 (P) = 3P. (7 points)
[3] Let E be the elliptic curve E: y2 = x3 - 3x + 8 over F131, and #E(F131) = 110.
(a) E1: y2 = x3 - 3x - 8 over F131, find #E1(F131). (6 points)
(b) Find #E(F1312 ). (5 points)
(c) Find smallest k such that μ11 ⊂ F131k . (5 points)
∗
∗
i
(d) In (c) if you have a generator g for 𝔽131
2 (that is 𝔽1312 = {g | i > 0}.), find
all 11 members of μ11. (5 points)
[4] Let E be the elliptic curve E: y2 = x3 + 1 over F7841.
(a) Prove that E is supersingular of order 7842. (6 points)
(b) How to efficiently choose a point P in E such that P has order 1307? (1307 is a
prime.) (5 points)
(c) Let   F78412 be a primitive third root of unity. Define a map
β: E(F78412 )  E(F78412 ), (x, y)  (  x, y), β(∞) = ∞.
βis a homomorphism that is β(P+Q) =β(P)+β(Q). Use this property to
prove that if P has order 1307, then β(P) also has order 1307. (6 points)
[5] Let E be the elliptic curve E: y2 = x3 + 3x + 5 over F17. The points of E(F17) are
P=(1,3), 2P=(16,16), 3P=(4,8), 4P=(11,3), 5P=(5,14), 6P=(9,9), 7P=(15,12),
8P=(10,7), 9P=(2,6), 10P=(6,16), 11P=(12,16), 12P=(12,1), 13P=(6,1),
14P=(2,11), 15P=(10,10), 16P=(15,5), 17P=(9,8), 18P=(5,3), 19P=(11,14),
20P=(4,9), 21P=(16,1), 22P=(1,14), 23P=∞.
(a) Find a rational function f(x,y) such that
div(f) = [(5,14)] + [(1,14)] – [(11,3)] – [∞]. (6 points)
(b) Find a principle divisor div(g), where g(x,y) =
(y−9)
.
(x−2)2
(6 points)
(c) Let the degree zero divisor D = 3[(5,14)] + [(11,14)] + 2[(9,8)] – 6[(6,16)].
Find the divisor D’ = [Q] – [∞] such that sum(D) = sum(D’). (6 points)
[6] Let E be the elliptic curve E: y2 = x3 + 2x - 2 over F13. The point P=(7,2) has order
5, where 2P=(11,5), 3P=(11,8), 4P=(7,11), 5P=∞. Compute the Tate pairing
⟨P, P⟩5 by using DP = [(7,2)] – [∞] and DQ = [(1,1)] – [(2,6)]. (Show your steps)
(similar to Example 11.7 in pp. 345-346). (15 points)
[7] Use one page to briefly describe an ID-based cryptosystem. (10 points)
Elliptic Curve Cryptography
(Final, 2009 Spring, 交大資工所)
[Open Book] (請按順序作答, 並列出演算過程)
Time: 13:00-15:30 6/16/2009
Place: EC122
7 problems and 115 points in total
[1] Let E be the elliptic curve E: y2 = x3 +7 x + 6 over F13. The points of E(F13) are
P=(1,1), 2P=(10,6), 3P=(6,2), 4P=(5,6), 5P=(11,6), 6P=(11,7), 7P=(5,7), 8P=(6,11),
9P=(10,7), 10P=(1,12), 11P=∞.
(a) Find a rational function f(x,y) such that
div(f) = [(10,6)] + [(6,2)] – [(11,6)] – [∞]. (6 points)
(b) Take E as a hyperelliptic curve of genus 1. Find the reduced divisor which is
equivalent to the degree zero divisor D = 3[(11,7)] + 4[(5,6)] – 6[(5,7)] – [∞].
(Justify your solution) (4 points)
[2] Consider the curve C: y2 + xy = x5 + 5x4 + 6x2 + x + 3 over F7.
C(F7) = { ∞, (1,1), (1,5), (2,2), (2,3), (5,3), (5,6), (6,4) }
(a) Find the only special point in C(F7). (Justify your solution.) (4 points)
(b) Find the divisor of the polynomial function
G(x,y) = y2 + xy + 6x4 + 6x3 + x2 + 6x. (8 points)
[3] Let E be the elliptic curve E: y2 + xy = x3 + g3x2 + g5 over GF(23), where GF(23) is
constructed by the irreducible polynomial h(x) = x3 + x + 1. Let g = x, denoted as
(010), be the generator of GF(23), g2 = (100), g3 = (011), g4 = (110), g5 = (111),
g6 = (101), g7 = (001).
(a) Let P = (g, 1). Calculate 2P. (6 points)
(b) There are 6 points in E(GF(23)). Find #E(GF(218)). (6 points)
[4] Let C be the hyperelliptic curve of genus 2 over GF(3).
C: y2 = x5 + 2x4 + 1
The rational points of C(GF(32)) are
:
P1 = (0, 1), P2 = (1, 2), P3 = (1, 1), P4 = (0, 2), P5 = (2+i, 2+2i), P6 = (2+2i, 2+i),
P7 = (i, 2+i), P8 = (2i, 2+2i), P9 = (i, 1+2i), P10 = (2i, 1+i), P11 = (2+i, 1+i),
P12 = (2+2i, 1+2i), P13 =∞.
Here #JC(GF(3)) = 17.
Let D = div(x, 1) (We denote the divisor by div(a, b) as shown in our handout.)
Each member in J(GF(3)) is presented as div(a,b) and reduced divisor as shown
below.
1D = div(x, 1)
2
= P1 - ∞
2D = div(x , 1)
= P1 + P1 - 2∞
3D = div(x2+2x, 2)
= P2 + P4 - 2∞
4D = div(x+2, 2)
= P2 - ∞
5D = div(x2+2x, x+1)
= P1 + P2 - 2∞
2
6D = div(x +2x+2, 2x+1)
= P5 + P6 - 2∞
7D = div(x2+1, x+2)
= P7 + P8 - 2∞
2
8D = div(x +x+1, x+1)
= P2 + P2 - 2∞
9D = div(x2+x+1, 2x+2)
= P3 + P3 - 2∞
2
10D = div(x +1, x+1)
= P9 + P10 - 2∞
11D = div(x2+2x+2, x+2)
= P11 + P12 - 2∞
2
12D = div(x +2x, 2x+2)
= P3 + P4 - 2∞
13D = div(x2+2, 1)
= P3 - ∞
2
14D = div(x +2x, 1)
= P1 + P3 - 2∞
15D = div(x2, 2)
= P4 + P4 - 2∞
16D = div(x, 2)
= P4 - ∞
17D = div(1,0)
= empty
(a) Explain why P5 + P6 - 2∞ is a reduced divisor defined over GF(3) while
P5 + P9 - 2∞ is not a reduced divisor defined over GF(3). (6 points)
(b) Let the semi-reduced divisor D1= 2P2 - 2∞. Show how to find its Mumford
expression div(a, b) with a(x) = x2+x+1 and b(x) = x+1. (6 points)
(c) Let D2=3P2-3P3 be a degree 0 divisor. Find the reduced divisor D which is
equivalent to D2. (6 points)
[5] Use CM method to find an elliptic curve E/ F97 : y2 = x3 + ax + b, with
#E(F97) = 79. One step in CM method is to find all (a, b, c) triples:
Let aτ2 + bτ + c = 0. Find all triples (a, b, c) , a, b, c ∈ Z, a > 0,
gcd(a, b, c) = 1, such that
(1) b2 − 4ac = −D
(2) −a < b ≤ a
(3) a ≤ c
(4) if a = c then b ≥ 0 .
D
(a) Prove that if (a,b,c) satisfies (1)-(4), then a ≤ √ 3 . (4 points)
(b) Find out all (a,b,c) for our instance (N=79, p=97). (4 points)
(c) If you have known the Hilbert polynomial is P(X) = Π(X − j(τ)) = X + 40,
what is the j-invariant of the desired curve? (4 points)
(d) How to find the desired curve: y2 = x3 +a x + b after finding out the j-invariant?
(7 points)
[6] (a) Describe Cha and Cheon’s ID-based signature. (6 points)
(b) Design another ID-based signature and indicate the difference between
yours and Cha+Cheon’s signature. (8 points)
[7] Let p≡3 mod 4, and E: y2=x3+x be an elliptic curve defined over Fp. We know that
x3 + x
#E(Fp ) = p + 1 + ∑ (
)
𝑝
x∈Fp
−a
−1
a
a
Also, ( p ) = ( p ) (p) = − (p) for p≡3 mod 4.
(a) Use the relations above to prove that #E(Fp) = p+1 and thus E is supersingular.
(8 points)
(b) x2+1 is irreducible polynomial in Fp, and i is the root of x2+1 in Fp2 . That is,
i2=1. Show that ϕ(x,y) = (-x, iy) is a distortion map. (8 points)
(c) Let p = 19, P=(5,4). Then, P is a point of order 5, where 2P=(9,15), 3P=(9,4),
4P=(5,15), 5P=∞. The modified Tate pairing ê(P,P) = e(P, ϕ(P)) =
⟨P, ϕ(P)⟩
192−1
5
. Calculate ⟨P, ϕ(P)⟩ by choosing Dϕ(P) = [ϕ(P) − (0,0)] −
[(0,0)]. (14 points)