Prime Numbers
7.7 Exercises 375

7.4. As in Exercise 7.3, the nonsingularity condition for affine curves is that the discriminant $4a^3 + 27b^2$ be nonzero in the field $\mathbb{F}_p$. Show that for the parameterization
$$Y^2 = X^3 + CX^2 + AX + B$$
and characteristic $p > 3$ the nonsingularity condition is different, on a discriminant $\Delta$, namely
$$\Delta = 4\left(A - \frac{C^2}{3}\right)^3 + 27\left(B - \frac{AC}{3} + \frac{2C^3}{27}\right)^2 \neq 0.$$
Then show that the computationally useful Montgomery parameterization
$$Y^2 = X^3 + CX^2 + X$$
is nonsingular if and only if $C^2 \neq 4$.

7.5. For an elliptic curve over $\mathbb{F}_p$, $p > 3$, with cubic
$$Y^2 = X^3 + CX^2 + AX + B$$
we define the j-invariant of $E$ as
$$j(E) = 4096\,\frac{(C^2 - 3A)^3}{\Delta},$$
where the discriminant $\Delta$ is given in Exercise 7.4. Carry out the following computational exercise. By choosing a conveniently small prime that allows hand computation or easy machine work (you might assess curve orders via the direct formula (7.8)), create a table of curve orders vs. j-invariants. Based on such empirical evidence, state an apparent connection between curve orders and j-invariant values. For an excellent overview of the beautiful theory of j-invariants and curve isomorphisms see [Seroussi et al. 1999] and numerous references therein, especially [Silverman 1986].

7.6. Here we investigate just a little of the beautiful classical theory of elliptic integrals and functions, with a view to the connections of same to the modern theory of elliptic curves. Good introductory references are [Namba 1984], [Silverman 1986], [Kaliski 1988]. One essential connection is the observation of Weierstrass that the elliptic integral
$$Z(x) = \int_x^{\infty} \frac{ds}{\sqrt{4s^3 - g_2 s - g_3}}$$
can be considered as a solution to an implicit relation $\wp_{g_2,g_3}(Z) = x$, where $\wp$ is the Weierstrass function. Derive, then, the differential equations
$$\wp(z_1 + z_2) = \frac{1}{4}\left(\frac{\wp'(z_1) - \wp'(z_2)}{\wp(z_1) - \wp(z_2)}\right)^2 - \wp(z_1) - \wp(z_2)$$
376 Chapter 7 ELLIPTIC CURVE ARITHMETIC

and that
$$\wp'(z)^2 = 4\wp^3(z) - g_2\,\wp(z) - g_3,$$
and indicate how the parameters $g_2, g_3$ need be related to the affine $a, b$ curve parameters, to render the differential scheme equivalent to the affine scheme.

7.7. Prove the first statement of Theorem 7.1.3, that $E_{a,b}(F)$ together with the defined operations is an abelian group. A good symbolic processor for abstract algebra might come in handy, especially for the hardest part, which is proving associativity $(P_1 + P_2) + P_3 = P_1 + (P_2 + P_3)$.

7.8. Show that an abelian group of squarefree order is cyclic. Deduce that if a curve order $\#E$ is squarefree, then the elliptic-curve group is cyclic. This is an important issue for cryptographic applications [Kaliski 1991], [Morain 1992].

7.9. Compare the operation (multiplies only) counts in Algorithms 7.2.2, 7.2.3, with a view to the different efficiencies of doubling and (unequal point) addition. In this way, determine the threshold $k$ at which an inverse must be faster than $k$ multiplies for the first algorithm to be superior. In this connection see Exercise 7.25.

7.10. Show that if we conspire to have parameter $a = -3$ in the field, the operation count of the doubling operation of Algorithm 7.2.3 can be reduced yet further. Investigate the claim in [Solinas 1998] that “the proportion of elliptic curves modulo $p$ that can be rescaled so that $a = p - 3$ is about 1/4 if $p \equiv 1 \pmod 4$ and about 1/2 if $p \equiv 3 \pmod 4$.” Incidentally, the slight speedup for doubling may seem trivial but in practice will always be noticed, because doubling operations constitute a significant portion of a typical point-multiplying ladder.

7.11. Prove that the elliptic addition test, Algorithm 7.2.8, works. Establish first, for the coordinates $x_\pm$ of $P_1 \pm P_2$, respectively, algebraic relations for the sum and product $x_+ + x_-$ and $x_+ x_-$, using Definition 7.1.2 and Theorem 7.2.6. The resulting relations should be entirely devoid of $y$ dependence.
Now from these sum and product relations, infer the quadratic relation.

7.12. Work out the heuristic expected complexity bound for ECM as discussed following Algorithm 7.4.2.

7.13. Recall the method, relevant to the second stage of ECM, and touched upon in the text, for finding a match between two lists but without using Algorithm 7.5.1. The idea is first to form a polynomial
$$f(x) = \prod_{i=0}^{m-1} (x - A_i),$$
then evaluate this at the $n$ values in $B$; i.e., evaluate for $x = B_j$, $j = 0, \ldots, n-1$. The point is, if a zero of $f$ is found in this way, we have a match
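As an added illustration of the list-matching method of Exercise 7.13 (this is our own Python, not the book's code), the block below forms $f(x) = \prod (x - A_i)$ over a prime field, evaluates it at every $B_j$ by Horner's rule, and reports the positions where it vanishes. The function names, the modulus 101 and the two sample lists are constructed for the demonstration; a direct residue comparison is included as a cross-check.

```python
# Added example, not from the book: the product-polynomial matching idea of
# Exercise 7.13, carried out over F_p with constructed sample lists.
# Function names and sample data are ours.

def product_polynomial(A, p):
    """Coefficients, lowest degree first, of f(x) = prod_{i=0}^{m-1} (x - A_i) mod p."""
    f = [1]                                  # the empty product
    for a in A:
        g = [0] * (len(f) + 1)
        for i, c in enumerate(f):            # multiply f by (x - a)
            g[i] = (g[i] - c * a) % p        #   c x^i * (-a)
            g[i + 1] = (g[i + 1] + c) % p    #   c x^i * x
        f = g
    return f

def evaluate(f, x, p):
    """Horner evaluation of f (lowest degree first) at x, mod p."""
    acc = 0
    for c in reversed(f):
        acc = (acc * x + c) % p
    return acc

def find_matches(A, B, p):
    """Indices j and values B_j with f(B_j) = 0 mod p, i.e. B_j equals some A_i mod p."""
    f = product_polynomial(A, p)
    return [(j, b) for j, b in enumerate(B) if evaluate(f, b, p) == 0]

def naive_matches(A, B, p):
    """Cross-check by direct comparison of residues."""
    residues = {a % p for a in A}
    return [(j, b) for j, b in enumerate(B) if b % p in residues]

if __name__ == "__main__":
    # Constructed lists; 8 and 42 are the common entries.
    A = [3, 8, 15, 21, 42]
    B = [5, 8, 9, 42, 77]
    print(find_matches(A, B, 101))     # [(1, 8), (3, 42)]
```

Written this way the method costs $O(m^2)$ multiplications to build $f$ and $O(mn)$ to evaluate it, so it is not yet cheaper than comparing the lists directly; it becomes attractive only when $f$ can be evaluated at the $n$ points faster than one Horner pass each. In the ECM setting the arithmetic runs modulo the number being factored rather than modulo a prime, and a "zero" is detected with a gcd rather than an equality test.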
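The following block is an added example (our own Python, not the book's) that works through Exercises 7.4, 7.5 and 7.8 over a small prime. It computes $\Delta$ and $j(E)$ exactly as those exercises define them, counts points by the Legendre-symbol sum $\#E = p + 1 + \sum_x \chi(x^3 + Cx^2 + Ax + B)$ (we assume this is what the direct formula (7.8) cited in Exercise 7.5 amounts to), tabulates curve orders against j-invariants for $p = 11$, and then uses affine point arithmetic on $y^2 = x^3 + ax + b$ to test whether a curve group is cyclic. The function names and the two sample curves over $\mathbb{F}_{11}$ are ours.

```python
# Added example, not from the book: small-prime experiments for Exercises 7.4,
# 7.5 and 7.8.  Delta and j(E) are computed exactly as the exercises define
# them; the group-law code is ordinary affine arithmetic on y^2 = x^3 + ax + b.
# Function names and the sample curves are ours.
from itertools import product

def legendre(v, p):
    """Legendre symbol (v/p) for an odd prime p: 0, 1 or -1 (Euler's criterion)."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1

def discriminant(A, B, C, p):
    """Delta = 4(A - C^2/3)^3 + 27(B - AC/3 + 2C^3/27)^2 mod p, for p > 3 (Exercise 7.4)."""
    inv3, inv27 = pow(3, -1, p), pow(27, -1, p)
    a = (A - C * C * inv3) % p                    # coefficients of the depressed cubic
    b = (B - A * C * inv3 + 2 * C ** 3 * inv27) % p
    return (4 * a ** 3 + 27 * b * b) % p

def is_nonsingular(A, B, C, p):
    return discriminant(A, B, C, p) != 0

def j_invariant(A, B, C, p):
    """j(E) = 4096 (C^2 - 3A)^3 / Delta mod p, in the normalisation of Exercise 7.5."""
    return 4096 * pow(C * C - 3 * A, 3, p) * pow(discriminant(A, B, C, p), -1, p) % p

def curve_order(A, B, C, p):
    """#E(F_p) = p + 1 + sum_x chi(x^3 + Cx^2 + Ax + B): the point at infinity plus
    1 + chi(f(x)) affine points above each x."""
    return p + 1 + sum(legendre(x ** 3 + C * x * x + A * x + B, p) for x in range(p))

def order_vs_j_table(p):
    """Exercise 7.5: map each j-invariant mod p to the set of curve orders seen with it."""
    table = {}
    for A, B, C in product(range(p), repeat=3):
        if is_nonsingular(A, B, C, p):
            table.setdefault(j_invariant(A, B, C, p), set()).add(curve_order(A, B, C, p))
    return table

# Affine group law on y^2 = x^3 + a x + b.  Taking C = 0 loses nothing for p > 3,
# since the shift X -> X - C/3 is an isomorphism.  Points are (x, y) or INF.
INF = None

def ec_add(P, Q, a, p):
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                    # Q = -P (covers doubling a 2-torsion point)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def affine_points(a, b, p):
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - x ** 3 - a * x - b) % p == 0]

def point_order(P, a, p):
    """Smallest k >= 1 with kP = INF, by repeated addition (fine for tiny p)."""
    k, Q = 1, P
    while Q is not INF:
        Q, k = ec_add(Q, P, a, p), k + 1
    return k

def is_cyclic(a, b, p):
    """E(F_p) is cyclic exactly when some point has order #E; Exercise 7.8 says
    this must happen whenever #E is squarefree."""
    n = curve_order(a, b, 0, p)
    return any(point_order(P, a, p) == n for P in affine_points(a, b, p))

if __name__ == "__main__":
    p = 11
    for j, orders in sorted(order_vs_j_table(p).items()):
        print(f"j = {j:2d}: orders {sorted(orders)}")
    # Constructed sample curves over F_11.
    print(curve_order(1, 6, 0, p), is_cyclic(1, 6, p))    # squarefree order -> cyclic
    print(curve_order(10, 0, 0, p), is_cyclic(10, 0, p))  # full 2-torsion -> not cyclic
```

Running it prints the order/j table for $p = 11$, from which the connection asked for in Exercise 7.5 can be read off, and then contrasts $y^2 = x^3 + x + 6$ (13 points, cyclic) with $y^2 = x^3 - x$ (12 points, of which $(0,0)$, $(1,0)$ and $(10,0)$ all have order 2, so the group cannot be cyclic). The second curve shows why the squarefree hypothesis in Exercise 7.8 cannot be dropped, and why a cryptographic design that needs a cyclic group checks the curve order rather than assuming it.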