Professional Documents
Culture Documents
Final
Final
1.1 Introduction:
In today’s digital age the topmost priority of a human being is to commu-
nicate securely. But it is not easy to have secure communication over any
channel. It has been always a topic of interest ”how to communicate se-
curely”. In past, people used to communicate through handwritten letters,
and letters were sent via hands. It was a tough challenge to maintain the
secrecy of information. For secure communication, they were use riddles,
puzzles, some special characters in place of the original message such a way
that only the receiver could decode.
The practice and study of hiding information is known as Cryptography.
Cryptography is a Mathematical science that comes up with a way for secure
communication between two or more parties by converting the confidential
information into a scrambled form so that only authorized users can remove
scrambles and read information. For instance a sender Alice wants to send
secret information to a receiver Bob over an insecure communication channel
i.e via the internet or telephone. Then it is possible that Eavesdropper can
intercept and read the information.
3
4 CHAPTER 1.
E :P 7→ C
m 7→ E(m) = c
D :C 7→ P
c 7→ D(c) = m
Note:- The plaintext and ciphertext are written in some symbols (usually,
but not always, they are written in the same symbols) consisting of a certain
number n of letters. The term “letter” (or “character” ) can refer not only
to the familiar A-Z, but also to numerals, blanks, punctuation marks, or any
other symbols that we allow ourselves to use when writing the messages.
6 CHAPTER 1.
E :P→C
And Decryption function is defined by
D:C→P
Such that
DE = ED = I
D0 : A B C ... X Y Z
D1 : Z A B ... W X Y
D2 : Y Z A ... V W X
D3 : X Y Z ... U V W
Decrypt “RK!LZLVKLNQRZ”
D2 (LZL)=JXJ
Combining two decryptions we have “PI JXJ” (make no sense i.e no en-
glish word )
A B C D E F G H I J K L M N
0 1 2 3 4 5 6 7 8 9 10 11 12 13
O P Q R S T U V W X Y Z ? !
14 15 16 17 18 19 20 21 22 23 24 25 26 27
A B C D E F G H I J K L M N
00 01 02 03 04 05 06 07 08 09 10 11 12 13
O P Q R S T U V W X Y Z ? !
14 15 16 17 18 19 20 21 22 23 24 25 26 27
XY = n × N (X) + N (Y )
E.g. AN=0 × n + 13
NO=13 × n + 14
O!= 14 × n + 27
XY Z = n2 × N (X) + n × N (Y ) + N (Z)
1.4. CLASSICAL CIPHER: 9
E: P → C
m 7→ c = E(m) ≡ m + b (mod n)
10 CHAPTER 1.
Example:
Let P={A=0,B=1,...,Y=24,Z=25} be set of symbols (alphabets), then en-
cryption function is given by
Encryption: Let b = 2
E : Z26 → Z26
m 7→ c = E(m) ≡ m + 2 (mod 26)
1.5. SUBSTITUTION CIPHERS 11
To encrypt “HELLO”
D : Z26 → Z26
c 7→ m = D(c) ≡ c − 2 (mod 26)
To decrypt “JGNNQ”
E :Zn → Zn
m 7→ E(m) = c ≡ am (mod n)
D :Zn → Zn
c 7→ D(c) ≡ a−1 c (mod n)
Example:
Let P = {A, B, . . . , Z, } and n = 26
Plain text- “SPARKY”
Encryption: Let a = 3
Decryption:
D(c) ≡ 3−1 c (mod 26)
Since (3, 26) = 1, hence 3−1 exist in mod 26. By Euclidean algorithm we can
find inverse of 3 in mod 26.
1.5. SUBSTITUTION CIPHERS 13
E :Zn → Zn
m 7→ E(m) = c ≡ am + b (mod n)
D :Zn → Zn
c 7→ D(c) ≡ a0 c + b0 (mod n)
c − b = am =⇒ a−1 (c − b) = m
=⇒ a−1 c − a−1 b = m
=⇒ a0 c + b0 = m = D(c)
Example:
Let P = {A, B, . . . , Z, } and n = 27
¯
Plain text- “HELP ME”.
14 CHAPTER 1.
Decryption:
D(c) =≡ a0 c + b0 (mod 27)
where a0 ≡ 13−1 (mod 27) and b0 ≡ −13−1 7 (mod 27)
Since (13, 27) = 1, hence 13−1 exist in mod 27. By using Euclidean algorithm
we can find inverse of 13 in mod 27.
Hence a0 ≡ 25 (mod 27) and b0 ≡ −25 · 7 (mod 27) ≡ 14 (mod 27)
Activity: Read a 500 words article in English. Count how many times
each English alphabet letter appears in that article.
Lecture-2
1
Practically, Code breakers always try their best to break cipher text with
their best strategy. So encrypted text is secure only when it is secure from
best known methods presently. As new improved methods are developed,
the old encryption system can be less secure only, never become better .
In previous lecture we have studied about monoalphabetic substitution ci-
phers which are not more secure. In monoalphabetic cipher, each symbol is
replaced by a unique symbol every time on encryption due to this fact we
can apply frequency analysis to break such ciphers. In this lecture we will
discuss cryptanalysis of some ciphers.
1 Frequency Analysis
From the activity given in last lecture, you would have observed that the
letter q is always followed by letter u. The fact is that many letters appear,
such as e, t and a, more frequently than others letters such as f, h, and z.
Here we have frequency analysis of english alphabets:
By decreasing frequency
E 13.11% M 2.54%
T 10.47% U 2.46%
A 8.15% G 1.99%
O 8.00 % Y 1.98%
N 7.10% P 1.98%
R 6.83% W 1.54%
I 6.35% B 1.44%
S 6.10% V 0.92%
H 5.26% K 0.42%
D 3.79% X 0.17%
L 3.39% J 0.13%
F 2.92% Q 0.12%
C 2.76% Z 0.08%
2
First we observe frequency of letters in cipher text
Letter A B C D E F G H I J K L M
Count 2 0 0 7 2 0 6 1 0 1 0 0 12
Letter N O P Q R S T U V W X Y Z
Count 4 8 0 2 3 0 2 7 0 1 6 2 2
(Verify !)
We have decryptions:
3
Note 1. In practice we do frequency analysis over large text for accuracy.
In above example we have taken very small text (70 words only).
2 Vigenère cipher
Vigenère Cipher is a polyalphabetic cipher. It is named after Blaise de
Vigenere (15231596), whose 1586 book Traicte des Chires describes the
known ciphers of his time.
In Vigenère cipher, encryption of dierent symbols is done by dierent shift
ciphers. To decide how far to shift each symbol, sender (Bob) and receiver
4
(Alice) share on a common keyword (common knowledge).
Now, Bob wants to send a secret message to Alice. Bob will divide the plain
text (message) into blocks of length l (l=length of the keyword). Then Bob
will shift the symbols of each block corresponding to the keyword, i.e., Bob
will shift the rst symbols of the block by the rst symbol of the keyword,
the second symbol of the block by the second symbol of keyword, and so on,
Bob will do this for each block to encrypt the whole message.
To decrypt the ciphertext, Alice will divide ciphertext into the blocks of
length l, (l=length of the keyword). After that, Alice will perform a back-
ward shift of each cipher symbol of each block corresponding to the keyword,
i.e., rst cipher symbols backward shift by the rst symbol of keyword, sec-
ond cipher symbols backward shift by the second symbol of keyword, and so
on, to get the plaintext.
x = x1 x2 . . . xl , xi ∈ Zn
We can treat
x = (x1 , x2 , . . . , xl ) ∈ Zn × Zn × · · · Zn = Zln
| {z }
l times
Now consider plaintext space P = Zln and cipher text space C = Zln Then
encryption is dened as
E :P→C
E(x) = y = (y1 , y2 , . . . , yl ) where each yi ∈ Zn
5
Example: Let A={A=0,B=1,. . . Y=24,Z=25,?=26} i.e |A| = 27
Encrypt the following plain text with keyword EGYPT"
Solution:
Keyword: EGYPT, Keylength=5
Encrypt: HELLO HOW ARE YOU?
First divide the message into blocks of length 5 i.e.
K=EGYPT=k1 k2 k3 k4 k5 = [4 6 24 15 19]
y1 = x1 + k1 = 7 + 4 ≡ 11 (mod 27)
y2 = x2 + k2 = 4 + 6 ≡ 10 (mod 27)
y3 = x3 + k3 = 11 + 24 = 35 ≡ 8 (mod 27)
y4 = x4 + k4 = 11 + 15 ≡ 26 (mod 27)
y5 = x5 + k5 = 14 + 19 = 33 ≡ 6 (mod 27)
y1 = x1 + k 1 = 7 + 4 ≡ 11 (mod 27)
y2 = x2 + k 2 = 14 + 6 ≡ 20 (mod 27)
y3 = x3 + k 3 = 22 + 24 = 46 ≡ 19 (mod 27)
y4 = x4 + k 4 = 0 + 15 ≡ 15 (mod 27)
y5 = x5 + k 5 = 17 + 19 = 33 ≡ 9 (mod 27)
6
Decryption: y=LKI?G=y1 y2 y3 y4 y5 =[11 10 8 26 6]
D(y)=x=x1 x2 x3 x4 x5 such that xi ≡ yi − ki (mod 27)
x1 = y1 − k1 = 11 − 4 ≡ 7 (mod 27)
x2 = y2 − k2 = 10 − 6 ≡ 4 (mod 27)
x3 = y3 − k3 = 8 − 24 = −16 ≡ 11 (mod 27)
x4 = y4 − k4 = 26 − 15 ≡ 11 (mod 27)
x5 = y5 − k5 = 6 − 19 = −13 ≡ 14 (mod 27)
D(y)=x=[7 4 11 11 14]=HELLO
So decryption of `LKI?G' is `HELLO'.
In the same way we can decrypt any Vigenere ciphers when keyword is known.
Plain Text : D O N O T W A S T E T H E T I M E
Key : C A T D O N O T W A S T E T H E T
Cipher Text : F O G R H J O L P E L A I M P Q X
Suppose the key length of the chosen keyword is l. Then lines up all
ciphertext in l columns. So one can consider that 1st column is shifted by
the rst symbol of the keyword and 2nd column is shifted by 2nd symbol of
the keyword and so on. That is each column can be seen as a monoalpha-
betic substitution cipher. Therefore, for each column, we can use frequency
7
analysis to guess the plaintext.
(y11 , y12 , y13 , . . . , y1m )(y21 , y22 , y23 , . . . , y2m ) . . . (yl1 , yl2 , yl3 , . . . ylm )
We now do the frequency analysis on each subset and get the plaintext.
Example: Decrypt the following ciphertext using Vigenère Cipher for keylength
l = 7.
XHUEHXZHRIUHTIHGEUZSWEIATUMEZXHTVYXAAHKJLNX
ECSBMIXONQDPVWKEKAIEEMGJAIELIMRVAVKWAPKGIXET
GZEGHWIVPZVWIVGSSGFINVHLVETKVRXBZEUHRZGHIXPH
LTPTJLOEHALGKKVTRDURMCEWTQDSIDAIVOZZKXUG
8
Step-2: Now lines up all ciphertext in 7 column
X H U E H X Z
H R I U H T I
H G E U Z S W
E I A T U M E
Z X H T V Y X
A A H K J L N
X E C S B M I
X O N Q D P V
W K E K A I E
E M G J A I E
L I M R V A V
K W A P K G I
X E T G Z E G
H W I V P Z V
W I V G S S G
F I N V L H L
V E T K V R X
B Z E U H R Z
G H I X P H L
T P T J L O E
H A L G K K V
T R D U R M C
E W T Q D S I
D A I V O Z Z
K X U G
9
On rst column - X occurs 4 times which is the highest frequency in
rst column hence E may be encrypted to X i.e
=⇒ b1 = 19 = T
On second column- I occurs 4 times which is the highest frequency in
second column hence E may be encrypted to I i.e
=⇒ b2 = 4 = E
On third column- T occurs 4 times which is the highest frequency in third
column hence E may be encrypted to T i.e
=⇒ b3 = 15 = P
(When we decrypt our cipher text taking third letter of keyword as P then
plaintext does not make sense (Verify))
Now take second more frequent English alphabet i.e T hence T (second more
frequent in English alphabet) may be encrypted to T (most frequent symbol
in third column of cipher)
=⇒ b3 = 0 = A
On fourth column- G occurs 4 times which is the highest frequency in
fourth column hence E may be encrypted to G i.e
=⇒ b4 = 2 = C
On fth column- H and V occur more frequent but if we consider encryption
of E either H or V then plaintext does not make sense (Verify). Similarly if
we take encryption of T is either H or V then also plain text does not make
sense. Now if we consider the 3rd more frequent letter in English alphabet
i.e A may be encrypted to H then
E(0) = 0 + b5 = 7 (mod 6)
10
=⇒ b5 = 7 = H
Similarly we can do frequency analysis on 6th and 7th column. After doing
this we nd that our key word is TEACHER.
Now we know keyword hence we can decrypt the cipher text easily and we
get plaintext as follows.
If the key length of the keyword is not known then rst we nd the key
length by Kasiski Method. Kasiski method utilizes the fact of repetition of
words in the ciphertext. In this method, it is consider that repeated substring
in plaintext is encrypted by the same substring in the keyword. That's why
in the ciphertext, we get repeated substring, and the distance between the
occurrence of repetition is multiple of the key lengths. Hence we can cal-
culate key length by taking gcd of the distances between repetitions. After
nding the key length, we apply the above method of frequency analysis for
decrypting the ciphertext.
Note: Not every repetition occur in the above way but the probability of
not occuring the repetition as above is very small.
A long ciphertext probably has more repetition and additionally, long re-
peated substrings are not likely to be by chance but short repetition may
appear more often.
Example: Find the keylength and keyword for following cipher text
LIBVQSTNEZLQMEDLIVMAMPAKUFAVATLJVDAYYVN
FJQLNPLJVHKVTRNFLJVCMLKETALJVHUYJVSFKRF
TTWEFUXVHZNP
Solution: From the cipher text, we can see that
11
LJVH occurs 2 times
LJV occurs 4 times
JVH occurs 2 times
JV occurs 5 times
LJ occurs 4 times
VH occurs 3 times
LI, NF, NP occurs 2 times
So keylength=5
Now we know the keylength, nd keyword by above discussed method.
12
Lecture-3
1 Introduction
We have studied many encryption methods in previous lectures like Substitu-
tion/shift cipher, Hill cipher and ane ciphers. In this lecture we will discuss
some of previous discussed encryption methods with the help of matrices with
usual matrix addition and multiplication.
2 Hill Cipher
Let A be the set of symbols (like english alphabets A,B ...Z, ? , !, (blank
space) and P be plain text.
Encryption: First divide the plain text into n-length message units
Choose a n × n matrix A, then encryption function E is dened by
E : P → An
X 7−→ C = E(X) = AX
D : An → P
C 7−→ X = D(C) = A−1 C
1
Example: Let A={A=0,B=1,C=2,...,Y=24,Z=25} be set of symbols(english
alphabets).
|A| = 26
Plain text: NO I DO NOT KNOW"
First We divide plain text into 2-length (n=2) message units
i.e NO ID ON OT KN OW
16 Q
= (mod 26) =
21 V
A−1 = 1
det(A)
cof actor(A)
2
−1 1 8 −3
A =− (mod 26)
5 −7 2
8 −3
= −21 (mod 26) (since 5−1 = 21 (mod 26))
−7 2
8 −3
=5 (mod 26)
−7 2
14 11
= (mod 26)
17 10
Now
Q 16
D(C1 ) = D =D = A−1 C1
V 21
14 11 16
= (mod 26)
17 10 21
224 + 231
= (mod 26)
272 + 210
455
= (mod 26)
482
13
= (mod 26)
14
N
=
O
In the same way we can do encryption and decryption for X2 =ID, X3 =ON,
X4 =OT, X5 =KN, X6 =OW .
3
3 Ane Cipher
Let A be the set of symbols (like english alphabtes, ? , !, ) and P be plain
text.
Encryption: First divide plain text into n-length message units. Let A
be n × n matrix and B be n × 1 vector.
Encryption function E, is dened by
E : P → An
X 7→ C = E(X) = AX + B
D : An → P
C 7→ X = D(C) = A−1 (C − B)
We rst divide plain text into 2-length message unit (n=2) i.e X1 =NO,
X2 =AN, X3 =SW, X4 =ER
2 3 4
Let A= , Fixed matrix for encryption in Z26 = |A|, B=
7 8 2
13
Encryption:X1 =NO=[13 14]T =
14
4
E(X1 ) = C1 = AX1 + B
2 3 13 4
= + (mod 26)
7 8 14 2
16 4
= + (mod 26)
21 2
20
= (mod 26)
23
U
=
X
Decryption: C1 =UX
In the the same way we can do encryption and decryption for X2 =AN,
X3 =SW, X4 =ER.
5
Question: Decrypt the message
W KN CM SLRT Q
So, to decrypt the given cipher we have to calculate A−1 in Z29 i.e we have
to nd matrix A in Z29 .
a b
Let matrix A= .
c d
Message started with 'GIVE' means E(GI) = W K and E(V E) = N C
Let X1 =GI, C1 =WK, X2 =VE,C2 =NC
by encryption function we have E(X1 ) = AX1 = C1 , E(X2 ) = AX2 = C2
i.e AX1 = C1 , AX2 = C2
a b 6 22 a b 21 13
= and =
c d 8 10 c d 4 2
from above, we have system of 4 linear equations in a, b, c, d
6a + 8b = 22
6c + 8d = 10
21a + 4b = 13
21c + 4d = 2
6
Solve the above system of equation for a, b, c, d
We have
1
a = = 1 × 9−1 = 1 × 13 = 13 (mod 29),
9
8
b = = 8 × 3−1 = 8 × 10 = 22 (mod 29),
3
−1
c= = −1 × 6−1 = −1 × 5 = 24 (mod 29),
6
11
d= = 11 × 8−1 = 11 × 11 = 5 (mod 29)
8
13 22
So we have matrix A= ,
24 5
det(A)= 13 × 5 − 22 × 24 = 65 − 528 = −463 = 1 (mod 29)
5 −22 5 7
and A−1 = (mod 29) = (mod 29)
−24 13 5 13
12
C3 = M S =
18
11
C4 = LR =
17
19
C5 = T Q =
16
Now
−1 5 7 12 12 M
X3 = A C 3 = = (mod 29) =
5 13 18 4 E
5 7 11 0 A
X4 = A−1 C4 = = (mod 29) =
5 13 17 15 P
5 7 19 4 E
X5 = A−1 C5 = = (mod 29) =
5 13 16 13 N
7
4 Vigenèner Cipher
Recall Vigenère Cipher: Suppose keyword
K = k1 k2 k3 . . . kl , ki ∈ Zn
E : Ml×1 → Ml×1
x1 x1 k1 x1 + k1 y1
x2 x2 k2 x2 + k2 y2
. . . .
(mod n) = .
E(x) = y = E = + =
. . . . .
. . . . .
xl xl kl xl + kl yl
8
and decryption function is dened by
D : Ml×1 → Ml×1
y1 y1 k1 y1 − k1 x1
y2 y2 k2 y2 − k2 x2
. . . .
(mod n) = .
D(y) = x = D = − =
. . . . .
. . . . .
yl yl kl yl − kl xl
9
E : M5×1 → M5×1
7 7 4 7+4 11 L
4 4 6 4 + 6 10 K
E(x) = y = E 11 = 11 + 24 = 11 + 24 (mod 27) = 8 (mod 27) = I
11 11 15 11 + 15 26 ?
14 14 19 14 + 19 6 G
D : M5×1 → M5×1
11 11 4 11 − 4 7 H
10 10 6 10 − 6 4 E
8 = 8 − 24 = 8 − 24 (mod 27) = 11 (mod 27) = L
D(y) = x = D
26 26 15 26 − 15 11 L
6 6 19 6 − 19 14 O
10
5 Transposition Ciphers
In transposition cipher, symbols of the cipher text remain the same as plain-
text, but the ordering of these symbols are changed in a specic form. Trans-
position Ciphers are not very secure as the cipher is the rearrangement of
plain text. With modern computers, one can check all possible rearrange-
ments of cipher text and get the plain text. But before the computer era,
transposition ciphers were used and considered to be a secure cipher.
[Column-1][Column-2][Column-3][Column-4]"
i.e.
Cipher Text: MEISNGAMCAGETASLUHTIAA"
11
For decryption, Count the numbers of symbols in cipher text say n.
The receiver (Bob) knows the number of columns, which is k . Now Bob will
perform the following calculations to know the number of symbols in each
column.
By division algorithm n = k × q + r, where q is quotient and r is remainder
on dividing number of symbols in cipher text n by number of columns k .
If r = 0 then each column have q symbols.
If r 6= 0 then rst r columns have q + 1 symbols and other columns (i.e. last
(k − r) columns) have q symbols. Plain text is obtained by writing symbols
row-wise.
12
5.1.2 Keyword Columnar Transposition Cipher
Example: Encrypt the following plain text using keyword columnar trans-
position ciphers with key WORLD"
MATHEMATICS IS A LANGUAGE"
[Column-D][Column-L][Column-O][Column-R][Column-W]
i.e.
ECLAHIAUAAINETTSGMMSAG
13
Example: Decrypt the following keyword columnar transposition cipher
using keyword `WORLD'
ECLAHIAUAAINETTSGMMSAG
MATHEMATICSISALANGUAGE
i.e
MATHEMATICS IS A LANGUAGE
14
5.2 Double Transposition
Example: Encrypt the following plain text using double transposition with
x number (number of columns) is eqaul to 4
MATHEMATICS IS A LANGUAGE
[Column-1][Column-2][Column-3][Column-4]"
i.e.
Cipher Text: MNCTUAEGAAHAIAGSTSMELI"
So encryption of MATHEMATICS IS A LANGUAGE" is
MNCTUAEGAAHAIAGSTSMELI" by double transposition.
15
Example: Decrypt the following double transposition cipher
MEISNGAMCAGETASLUHTIAA
MEISNGAMCAGETASLUHTIAA"
(Similar to example of columnar transposition )
Number of symbols =22
number of columns=4
By division algorithm 22 = 4 × 5 + 2, i.e q = 5 and r = 2
this implies rst two columns have q + 1 = 6 symbols and last 2 columns
have q = 5 symbols. So divide the cipher text into blocks of length 6,6,5 and
5, each block corresponds to columns of transposition cipher.
16
So we have columns :
MATHEMATICSISALANGUAGE
i.e.
MATHEMATICS IS A LANGUAGE
17
Lecture-4
Some more classical Ciphers
1 ADFGX Cipher
ADFGX ciphers were used by the German military in March 1918 for the
first time. This cipher is the combination of substitution cipher and transpo-
sition cipher. This cipher is named ADFGX because in the ciphertext only
five symbols (A, D, F, G, X) can appear. It involves two steps.
In the first step, it uses the substitution cipher to encrypt the plaintext.
To apply the substitution cipher, users (Sender and Receiver) agree upon a
5 × 5 array of the English alphabet. In the 5 × 5 array, there are 25 places at
which 26 symbols are placed by considering I and J at the same place. The
rows and columns of this ADFGX array are each labeled with the symbols
A, D, F, G, and X in order as follows.
A D F G X
A
D
F
G
X
1
Example: Consider the following 5 × 5 array of symbols
A D F G X
A T F I/J K E
D H N C S Z
F D A X M G
G O V R U Y
X L B Q W P
Take keyword ‘WATER’ and encrypt the following message using ADFGX
cipher
Solution:
Encryption: To encrypt “PEACOCK IS A NATIONAL BIRD OF INDIA”
we map each letter of plain text to a pair of corresponding row and column
symbol label in 5 × 5 array of symbols i.e to encrypt P we write XX , For E
we write AX and so on. And we get a first cipher text as follows.
Plain text P E A C O C K I S A N
Cipher text XX AX FD DF GA DF AG AF DG FD DD
Plain text A T I O N A L B I R D
Cipher text FD AA AF GA DD FD XA XD AF GF FA
Plain text O F I N D I A
Cipher text GA AD AF DD FA AF FD
Hence cipher text obtained from the first step of ADFGX cipher is
XXAXFDDFGADFAGAFDGFDDDFDAAAFGADDFDXAXDAFG
FFAGAADAFDDFAAFFD
Now we apply key columner transposition cipher using key word ‘WATER’
on the ciphet text obtained from the first step to get final ciphertext.
2
Column array of key columnar transposition cipher:
XDFDDADXFADFXGGFDGDAAAAFAADAAXFGFAAFAGFF
FDFDFDXDDFDADAGADF
XXAXFDDFGADFAGAFDGFDDDFDAAAFGADDFDXAXDAFG
FFAGAADAFDDFAAFFD
Now, decrypt the above text with the help of 5 × 5 array to get the plain
text
To do so, divide the text in blocks of length 2. In each block, first symbol
corresponds to row label and second symbol corresponds to column label.
After dividing text in blocks of length 2 we have
XX AX FD DF GA DF AG AF DG FD DD FD AA AF GA DD
FD XA XD AF GF FA GA AD AF DD FA AF FD
3
And 5 × 5 array is
A D F G X
A T F I/J K E
D H N C S Z
F D A X M G
G O V R U Y
X L B Q W P
So,
XX corresponds to P (row-X, column-X)
AX corresponds to E (row-A, column-X)
FD corresponds to A (row-F, column-D)
and so on.
Finally, we get plain text
“PEACOCK IS A NATIONAL BIRD OF INDIA”
2 ADFGVX Cipher:
In June 1918, Germans built this cipher from ADFGX, by increasing the size
of the array to 6 × 6. They added the digit 0-9 in the plaintext. Therefore
they had to increase the size of the array from 5 × 5 to 6 × 6. This array
takes the values 0-9 and the English alphabet, by considering I and J are
placed at a different position in the array. Now to label this array there was
a requirement of an extra letter and this additional letter was ‘V’.
Therefore the rows and columns of this ADFGVX array are each labeled with
the symbols A, D, F, G, V and X in order as follows.
A D F G V X
A
D
F
G
V
X
Encryption and Decryption technique is similar to ADFGX cipher.
4
Example: Using ADFGVX cipher encrypt the plaintext “EARTH IS
ESTIMATED TO BE 4540 MILLION YEARS OLD”. Keyword is
“STAR”
A D F G V X
A 1 9 A J M R
D C B I 2 Q Y
F E 0 Z 3 D V
G 7 8 O F G S
V 6 H 4 X T W
X P 5 N K L U
Plaint text E A R T H I S E S T I
Cipher text FA AF AX VV VD DF GX FA GX VV DF
Plaint text M A T E D T O B E 4 5
Cipher text AV AF VV FA FV VV GF DD FA VF XD
Plain text 4 0 M I L L I O N Y E
Cipher text VF FD AV DF XV XV DF GF XF DX FA
Plain text A R S O L D
Cipher text AF AX GX GF XV FV
Encrypted cipher text
“FAAFAXVVVDDFGXFAGXVVDFAVAFVVFAFVVVGFDDFA
VFXDVFFDAVDFXVXVDFGFXFDXFAAFAXGXGFXVFV”
Now we apply key columner transposition cipher using key word ‘STAR’
on the ciphet text obtained from the first step to get final ciphertext.
5
Column-S Column-T Column-A Column-R
F A A F
A X V V
V D D F
G X F A
G X V V
D F A V
A F V V
F A F A
V V G F
D D F A
V F X D
V F F D
A V D F
X V X V
D F G F
X F D X
F A A F
A X G X
G F X V
F V
Final cipher text is :
“AVDFVAVFGFXFDXGDAGXFVFAVVVAFADDFVFXFXVF
AVGGDAFVDVVAXDXFAGFAXDXXFFAVDFFVVFFAXFV”
3 Permutation cipher:
Let Sn be the symmetric group on n symbols where n is cardinality of Al-
phabets. The plaintext and ciphertext space is X = {m1 , m2 , . . . , mn }.
Then for plaintext m = (m1 , m2 , . . . , mk ) and a permutation σ ∈ Sn
E : X −→ X
m 7−→ (m)σ = (m1 , m2 , . . . , mk )σ = (m(1)σ , m(2)σ , . . . , m(k)σ )
6
Decryption: Denote σ −1 to be the inverse of σ in Sn . Let m0 =
(m01 , m02 , . . . , m0k ) is a ciphertext, encrypted with permutation cipher
by using permutation σ, then decryption function is defined by
D : X −→ X
m0 7−→ (m0 )σ −1 = (m01 , m02 , . . . , m0k )σ −1 = (m0(1)σ−1 , m0(2)σ−1 , . . . , m0(k)σ−1 )
N E V E R G I V E U P
14 5 22 5 18 7 9 22 5 21 16
Encryption:- ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓
14 4 20 4 16 7 9 20 4 22 17
N D T D P G I T D V Q
Encrypted Message is: “NDTDP GITD VQ”
N D T D P G I T D V Q
14 4 20 4 16 7 9 20 4 22 17
Decryption:- ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓
14 5 22 5 18 7 9 22 5 21 16
N E V E R G I V E U P
Decrypted message is: “NEVER GIVE UP ”
7
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
A B C D E F G H I J K L M N O P Q R S T
↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓ ↓
A H M R S B C D E F G I J K L N O P Q T
1 8 13 18 19 2 3 4 5 6 7 9 10 11 12 14 15 16 17 20
21 22 23 24 25 26
U V W X Y Z
↓ ↓ ↓ ↓ ↓ ↓
U V W X Y Z
21 22 23 24 25 26
i.e. σ = (2 8 4 18 16 14 11 7 3 13 10 6)(5 19 17 15 12 9)
Cipher text is :- “IST UQ CL BLP NIAYEKC MPEMGST”
4 Playfair Cipher:
The playfair cipher was the first practical digraph substitution cipher. The
scheme was invented in 1854 by Charles Wheatstone. But it was named after
Lord Playfair because he started the use of this cipher.
We have a grid of 5 × 5 cipher. There are 25 spaces but we have 26 letters,
by convention we put I,J together.
A B C D E
F G H I,J K
L M N O P
Q R S T U
V W X Y Z
Encryption: There are four rules for encryption using playfair cipher. Sup-
pose P,Q represent the plain text symbols and C,D represent cipher symbols.
8
1. If P,Q are in different rows and columns then they form a rectangle of
which they are opposite diagonal entries, then the encryption of digraph
PQ is given by CD where C is in the same column as of P and D is
also in same column as of Q.
Eg: E(CT ) = SD, E(W A) = BV
2. If P,Q are different and lie in the same row then the encryption of
digraph PQ is given by CD where C is just right from P and D is just
right from Q. If needed wrap it.
Eg: E(CE) = DA, E(F K) = GF
3. If P,Q are different and lie in the same column then the encryption of
digraph PQ is given by CD where C is just below of P and D is just
below Q. If needed wrap it.
Eg: E(N H) = SN, E(AQ) = F V
4. If P,Q are same then by convention put letter X in between them and
then do encryption by using rules 1,2,3.
1. If C,D are in different rows and columns then they form a rectangle of
which they are opposite diagonal entries, then the decryption of digraph
CD is given by PQ where P is in the same column as of C and Q is
also in same column as of D.
Eg: D(N I) = HO, D(BV ) = W A
2. If C,D are different and lie in the same row then the decryption of
digraph CD is given by PQ where P is just left from C and Q is just
left from D. If needed wrap it.
Eg: D(DA) = CE, D(GF ) = F K
3. If C,D are different and lie in the same column then the decryption of
digraph CD is given by PQ where P is just above of C and Q is just
above D. If needed wrap it.
Eg: D(SN ) = N H, D(F V ) = AQ
9
Arrange key in alphabetical order i.e ELRU
In 5 × 5 grid, first we write row-wise alphabets of keyword in alphabetical
order then remaining English alphabet in order.
E L R U A
B C D F G
H I,J K M N
O P Q S T
V W X Y Z
Plaintext: “INSTRUMENTS”
After split: ‘IN’ ‘ST’ ‘RU’ ‘ME’ ‘NT’ ‘SZ’
E(IN ) = KH
E(ST ) = T O
E(RU ) = U A
E(M E) = U H
E(N T ) = T Z
E(SZ) = Y T
D(KH) = IN
D(T O) = ST
D(U A) = RU
D(U H) = M E
D(T Z) = N T
D(Y T ) = SZ
Message is “INSTRUMENTS”
10
Note- When we perform encryption without keyword then we write 5 × 5
grid in English alphabets order i.e. A, B,. . . Y,Z
A B C D E
F G H I,J K
L M N O P
Q R S T U
V W X Y Z
11
Lecture-5
Introduction to Number Theory
Note :
2. gcd(a1 , a2 ) = gcd(a2 , a1 )
1
Theorem: If a, b ∈ Z, (atleast one of them is not 0) then gcd(a, b)
exists.
Proof: Case 1 : b > 0
Applying division algorithm on a, b (b > 0) , ∃ q1 , r1 ∈ Z such that
.
If r1 = 0, then a = bq1 ⇒ b|a also b|b ⇒ b|gcd(a, b).
Since, gcd(a, b)|a and gcd(a, b)|b ⇒ gcd(a, b) = b
If r1 > 0, then 0 < r1 < b and thus we can apply division algorithm on
b and r1 .
Therefore, ∃ q2 , r2 ∈ Z such that
b = r1 q2 + r2 , where 0 ≤ r2 < r1
r1 = r2 q3 + r3 where 0 ≤ r3 < r2
Note that
2
Case 2 : b < 0
Take b0 = −b, then b0 > 0. Apply division algorithm on a and b0 and solve.
Note that gcd(a, b) = gcd(a, b0 )
Euclidean Algorithm provides a way to find the gcd of any two
integers and thus proves the existance of greatest common divisor.
Well Ordering Principle: Any non empty subset of natural numbers has
a least element.
3
Example: Let a = 612, b = 2017, then Find gcd(612, 2017) using Eu-
clidean Algorithm.
43 = 26 · 1 + 17
26 = 17 · 1 + 9
17 = 9 · 1 + 8
9 = 8·1 + 1
8 = 1·8 + 0
Thus gcd(612, 2017) = 1
Example: Find the greatest common divisor d of 218 and 66, and find
integers x and y solving the equation 218x + 66y = d.
4
Similarly gcd(66, 20) = gcd(20, 6), we apply Division Algorithm on (20, 6)
as :
20 = 6 · 3 + 2
Similarly gcd(20, 6) = gcd(6, 2), we apply Division Algorithm on (6, 2) as :
6 = 2·3 + 0
2 = 20 − (6 · 3)
= 20 − (66 − (20 · 3)) · 3
= 20 − (66 · 3 − 20 · 3 · 3)
= 20 · (1 + 9) − 66 · 3
= 20 · 10 − 66 · 3
= (218 − (66 · 3)) · 10 − 66 · 3
= 218 · 10 − 66 · (3 · 10 + 3)
= 218 · 10 + 66 · (−33)
2. a ≡ b (mod n) ⇔ a + k ≡ b + k (mod n) ∀ k ∈ Z
3. a ≡ b (mod n) ⇒ ka ≡ kb (mod n) ∀ k ∈ Z
5
4. a ≡ b (mod n) ⇒ ak ≡ bk (mod n) ∀ k ∈ Z+ ∪ {0}
Proof:
Case 1 : gcd(p, a) 6= 1, then p|a and a ≡ 0 (mod p). Hence, Fermat’s
Little Theorem holds.
Case 2 : gcd(p, a) = 1, then p does not divide a.
Consider the set {a, 2a, 3a, . . . , (p − 1)a}.
Since p does not divide a ⇒ p does not divide ia ∀ 1 6 i 6 (p − 1).
Since a−1 (mod p) exists , thus ia = ja ⇒ i = j ∀ 1 6 i, j 6 (p − 1).
Thus the set {a, 2a, 3a, . . . , (p−1)a} is eqvivalent to the set {1, 2, 3, . . . , (p−
1)} in mod p
Hence,
a(2a)(3a) · · · ((p − 1)a) ≡ 1 · 2 · 3 · · · p − 1 (mod p)
⇒ ap−1 (p − 1)! ≡ (p − 1)! (mod p)
Since gcd(i, p) = 1 ∀ 1 6 i 6 (p − 1) ⇒ ap−1 ≡ 1 (mod p)
6
Euler totient function:- Let n be a positive integer. The Euler totient
function φ(n) is defined to be the number of non-negative integers b less than
n which are prime to n:
It is easy to see that φ(1) = 1 and that φ(p) = p − 1 for any prime p. We
can also see that for any prime power
α α α−1 α 1
φ(p ) = p − p =p 1−
p
Example: Let p = 11
Let a = 2, then gcd(2, 11) = 1 ⇒ 2(11−1) ≡ 1 (mod 11)
Let a = 3, then gcd(3, 11) = 1 ⇒ 3(11−1) ≡ 1 (mod 11)
7
Let a = 4, then gcd(4, 11) = 1 ⇒ 4(11−1) ≡ 1 (mod 11)
Let a = 5, then gcd(5, 11) = 1 ⇒ 5(11−1) ≡ 1 (mod 11)
Let a = 6, then gcd(6, 11) = 1 ⇒ 6(11−1) ≡ 1 (mod 11)
Let a = 7, then gcd(7, 11) = 1 ⇒ 7(11−1) ≡ 1 (mod 11)
Let a = 8, then gcd(8, 11) = 1 ⇒ 8(11−1) ≡ 1 (mod 11)
Let a = 9, then gcd(9, 11) = 1 ⇒ 9(11−1) ≡ 1 (mod 11)
Let a = 10, then gcd(10, 11) = 1 ⇒ 10(11−1) ≡ 1 (mod 11)
Example: Reduce 50250 (mod 83) to a number in the range {0, 1, . . . , 82}.
(Note: 83 is prime.
If you multiply out 50250 , here’s what you get:
52714787526044456024726519219225572551424023323922008641517022
09078987540239533171017648022222644649987502681255357847020768
8
63325972445883937922417317167855799198150634765625000000000000
00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000
But we can simply compute it using Fermat’s Theorem.
Thus, by using Fermat’s Theorem, we have
50250 ≡ 5082·3 + 4
≡ 504 ≡ 25002 ≡ 102 ≡ 17 (mod 83)
Compute 92883
4
92883 ≡ 9720·4+3 ≡ (9720 ) · 93 ≡ 14 · 93 ≡ 93 ≡ 729 (mod 1001)
Compute 24400
6 8
24400 ≡ 2720·6+80 ≡ (2720 ) · 280 ≡ (210 ) ≡ 10248 ≡ 238 ≡ 5622 ≡
529 (mod 1001)
Moreover, if (x, y) is a solution, then the other solutions have the form
(x + btd , y − atd ), where t is an arbitrary integer, and d =gcd(a, b).
9
Linear Congruences
Theorem: The linear congruence ax ≡ b (mod n) has a solution if and only
if d divides b, where d=gcd(a, n). If d|b, the it has d mutually incongruent
solutions modulo n.
Corollary:
1. If gcd(a, n)= 1, then the linear congruence ax ≡ b (mod n) has a
unique solution.
2. If gcd(a, n)= d, then d incongruent solution of the equation ax ≡
b (mod n) is given by
n n n
x0 , x 0 + , x0 + 2 , . . . , x0 + (d − 1)
d d d
a b n
where x0 is the solution of d x ≡ d mod d .
20 =3 · 6 + 2 q1 = 6, r1 = 2
3 =2 · 1 + 1 q2 = 1, r2 = 1
2 =1 · 2 + 0 q3 = 2, r3 = 0
=⇒ gcd(3,20)=1, hence given equtaion unique solution
Therefore 3−1 exists in modulo 20.
apply Extended Euclidean Algorithm as follows
1 =3 − 1(2)
1 =3 − 1(20 − (3 · 6))
1 =7 · 3 − 20
=⇒ 3−1 ≡7 (mod 20)
Now,
3x ≡15 (mod 20)
x ≡3−1 · 15 (mod 20)
x ≡5 (mod 20)
10
Example 2: Solve 20x ≡ 12 (mod 36)
Solution: Since gcd(20,36)=4 (verify by Euclidean Algorithm)
This implies given equation has 4 solutions under modulo 36.
To calculate all the solutions of the equation 20x ≡ 12 (mod 36), we will
find the solution of the equation
20 12 36
x≡ mod
4 4 4
=⇒ 5x ≡ 3 (mod 9)
5−1 ≡ 2 (mod 9)
Now,
5x ≡ 3 (mod 9)
=⇒ x ≡ 5−1 · 3 (mod 9)
=⇒ x ≡ 6 (mod 9)
x0 = 6, x1 = 15, x2 = 24, x3 = 33
11
where ‘a’ is the solution of following congruence equation
2x ≡ 6 (mod 26)
Solution: To decrypt the message we will find the solutions of the given
linear equation 2x ≡ 6 (mod 26)
Since gcd(2, 26) = 2 and 2|6 , hence linear congruence has 2 solution.
To find the solutions, first we will find the solution of the following equation
2 6 26
x≡ mod
2 2 2
=⇒ x ≡ 3 (mod 13)
Hence solutions of 2x
26
≡ 6 (mod 26) are given by
x0 = 3, x1 = 3 + 2 = 16
So we have two values of a=3 and a=16
First we decrypt the cipher by taking a=16
To decrypt the Hill cipher we have to find a−1 under modulo 26.
Note that gcd(16, 26) 6= 1, therefore inverse of 16 does not exist in modulo
26. So a=16 will not work for decryption.
and so on.
We have plaintext
MATHEMATICS IS THE LANGUAGE OF THE UNIVERSE
12
System of Linear Congruence
Theorem: The system of linear congruence
ax + by ≡ r (mod n) (1)
cx + dy ≡ s (mod n) (2)
has unique solution modulo n whenever gcd(ad − bc, n) = 1.
13
Subtract the above equations we have
since gcd(5, 12) = 1 =⇒ 5−1 (mod 12) exists and 5−1 = 5 (mod 12)
So,
x ≡ 5−1 · 4 ≡ 5 · 4 ≡ 20 ≡ 8 (mod 12)
Now put the value of x in equation(3) we have
Note that gcd(3,12)=3 and 3|6, So above linear congruence has 3 solutions
To find all solutions fist we solve follwing linear congruence
3y 6 12
≡ mod
3 3 3
y ≡2 (mod 4)
2 · 8 + 7y ≡6 (mod 12)
16 + 7y ≡6 (mod 12)
7y ≡(6 − 16) ≡ −10 (mod 12)
7y ≡2 (mod 12)
14
y ≡ 2 (mod 12)
Alternate way to calculate y, Multiply equation(3) by 2 and equation(4)
by 5, we have
N DXBHO
D(ZA)=E =⇒ D(675) = 134 (mod 729) i.e. 675a0 + b0 ≡ 134 (mod 729) − (1)
¯
D(IA)=S =⇒ D(216) = 512 (mod 729) i.e. 216a0 + b0 ≡ 512 (mod 729) − (2)
¯
D(IW)= T =⇒ D(238) = 721 (mod 729) i.e. 238a0 + b0 ≡ 721 (mod 729) − (3)
¯
Subtract, equation(1) and equation(2), we have
We calculate gcd(459,729):
16
of equation
459a0
351 729
≡ mod i.e. 17a0 ≡ 13 (mod 27)
27 27 27
Note that by Extended Euclidean Algorithm 17−1 ≡ 8 (mod 27)
So
a0 ≡ 17−1 · 13 (mod 27) ≡ 8 · 13 ≡ 23 (mod 27)
.
Hence solutions of 459a0 ≡ 351 (mod 729) are
17
Now put the value of a0 = 374 (mod 729) in equation(1),(2),(3)
We have cipher text c1 =ND, c2 =XB, c3 =HO, Decryption key is (a0 , b0 )=(374,
647) and decryption function is D(c) = a0 c + b0 ≡ 374 · c + 647 (mod 729)
decryptions are
D(c1 ) =D(354) = 374 · 354 + 647 ≡ 365 (mod 729) = 13 · 271 + 14 · 270 = NO
D(c2 ) =D(622) = 374 · 622 + 647 ≡ 724 (mod 729) = 26 · 271 + 22 · 270 = W
¯
D(c3 ) =D(203) = 374 · 203 + 647 ≡ 24 (mod 729) = 0 · 271 + 24 · 270 = AY
x ≡ a1 (mod m1 ) ,
x ≡ a2 (mod m2 ) ,
.
.
.
x ≡ an (mod mn )
18
and m1 , m2 , . . . , mn are pairwise relatively prime, then there exist a unique
solution modulo m where m = m1 m2 · · · mn .
Example:
Solve the simultaneous congruences
x ≡3 (mod 5) ,
x ≡1 (mod 7) ,
x ≡6 (mod 8)
19
m 280
M3 = = = 35
m3 8
x ≡ a1 y1 M1 + a2 y2 M2 + a3 y3 M3 (mod m)
x ≡ 3 · 1 · 56 + 1 · 3 · 40 + 6 · 3 · 35 (mod 280)
x ≡ 78 (mod 280)
20
Lecture-6
Modern Cryptography and Quadratic Residue
So far, we have studied some classical cipher. There are many other classi-
cal ciphers we have not learned. Classical ciphers are not secure with present
advanced technologies. Now a days, Classical ciphers are not in use. Cryp-
tographers have developed modern encryption techniques that are secure
with modern technology, especially Public Key Cryptosystem. In classical
ciphers, encryption and decryption keys are the same and known to sender
and receiver both and no one else for secure communication.
1
Silver Pohlig - Hellman Exponentiation Cipher
Let p be a prime and e (called exponent) an integer such that 0 < e < p and
gcd(e, p − 1) = 1.
E : Zp −→ Zp
m 7−→ c = E(m) ≡ me (mod p)
D : Zp −→ Zp
c 7−→ D(c) ≡ cd (mod p)
Where d ≡ e−1 (mod (p − 1)), such d exists since gcd(e, p − 1) = 1 and can
be determined by using Extended Euclidean Algorithm.
Solution:
Encrption: To encrypt this message take
A = { A = 0, B = 1, . . . , Z = 25, = 26, ? = 27, . = 28}
¯
So p = 29 = |A| and take e = 3.
2
Observe that gcd(e, p − 1) = 1 i.e (3, 28) = 1.
3
E(R) = E(17) ≡ 173 (mod 29)
≡ 4913 (mod 29)
≡ 12 (mod 29) = M
4
D(Y ) = D(Y ) ≡ 2419 (mod 29)
24 ≡ (−5) (mod 29)
242 ≡ 25 ≡ (−4) (mod 29)
244 ≡ 16 (mod 29)
246 ≡ (−64) ≡ (−6) (mod 29)
247 ≡ 1 (mod 29)
2414 ≡ 1 (mod 29)
2418 ≡ 16 (mod 29)
2419 ≡ (−80) ≡ 7 (mod 29) = H
6
D(Z) = D(Z) ≡ 2519 (mod 29)
25 ≡ (−4) (mod 29)
252 ≡ 16 (mod 29)
254 ≡ (−5) (mod 29)
257 ≡ 1 (mod 29)
2514 ≡ 1 (mod 29)
2519 ≡ 20 (mod 29) = U
RSA Cryptosystem
RSA cryptosystem (from the last names of the inventors’ Rivest, Shamir,
and Adleman) was developed after one year of Silver Pohlig - Hellman Ex-
ponentiation Cipher in 1977, which is one of the most popular public-key
cryptosystems, is based on the tremendous difficulty of factorization of inte-
gers.
7
Encryption and Decryption Techniques : Let p and q be two distinct
large prime numbers and the product n = pq. Also let e such that 0 < e < n
and gcd(e, φ(n)) = 1 i.e gcd(e, (p − 1)(q − 1)) = 1.
Now (p, q) is private key and make (n, e) public key.
Encryption: The encryption function is defined by
E : Zn −→ Zn
m 7−→ c = E(m) ≡ me (mod n)
Decryption: The decryption function is defined by
D : Zn −→ Zn
c 7−→ m = D(c) ≡ cd (mod n)
where d ≡ e−1 (mod (p − 1)(q − 1)) exists, since gcd(e, (p − 1)(q − 1)) = 1
Recall
1. Euler totient function:- Let n be a positive integer. The Euler to-
tient function φ(n) is defined to be the number of non-negative integers
b less than n which are prime to n:
φ(n) = |{0 ≤ b < n| gcd(b, n) = 1}|
8
Case-2 If gcd(m, n) 6= 1 then gcd(m, n) can be either p or q. So we can
assume WLOG gcd(m, n) = q then q|m and
⇒ m(p−1)(q−1) ≡ m (mod q)
Also observe that p - m i.e gcd(m, p) = 1 ⇒ m(p−1) ≡ 1 (mod p).
Now,
k(p−1)
cd ≡ med ≡ m1+k(p−1)(q−1) ≡ m m(q−1) ≡ m (mod q)
k(q−1)
cd ≡ med ≡ m1+k(p−1)(q−1) ≡ m m(p−1) ≡ m (mod p)
So we get,
cd ≡ m (mod q)
cd ≡ m (mod p)
Let cd = x then we have
x ≡ m (mod q)
x ≡ m (mod p)
x ≡ m (mod pq)
i.e.
cd ≡ m (mod pq)
9
Encryption:
E(C) = E(2) = 23 (mod 33)
= 8 (mod 33) = I
10
Decryption:
11
Cryptanalysis: RSA is a Public key cryptosystem.
Alice
Public (n, e)
Private (p, q)
and n = pq
To send a message to Alice, say the message m ∈ Zn
send her c = me (mod n).
She decrypts the message D(c) = cd (mod n)
She compute the decryption key d as
When p and q are known then φ(n) = (p − 1)(q − 1) can be easily cal-
culated.
Conversely when n and φ(n) are known then p and q can be calculated as
follows
x2 − (p + q)x + pq = 0
or that
x2 − (p + q)x + n = 0
since n = pq or
x2 + (φ(n) − n − 1)x + n = 0
Since φ(n) = pq − p − q + 1 = n − (p + q) + 1
That is, when n and φ(n) is known then p and q are roots of the equation
x2 + (φ(n) − n − 1)x + n = 0 such that n = pq.
12
Quadratic Cipher
Suppose A has n symbols (letters) then plain text space and cipher text
space is treated as Zn .
Encryption: Encryption function is defined by
E : Zn → Zn
m 7→ c = E(m) ≡ m2 (mod n)
D : Zn → Zn
√
c 7→ m = D(c) ≡ c (mod n)
√
provided c exists in Zn i.e congruence equation x2 ≡ c (mod n) has solution
in Zn
13
a a2 (mod 26) a a2 (mod 26)
0 0 13 13
1 1 14 14
2 4 15 17
3 9 16 22
4 16 17 3
5 25 18 12
6 10 19 23
7 23 20 10
8 12 21 25
9 3 22 16
10 22 23 9
11 17 24 4
12 14 25 1
√ √
Decryption function is D(c) = c (mod 26) i.e c = x ⇐⇒ c = x2 (mod 26)
To decrypt ‘XQRRO’
√
D(X) = D(23) = 23 (mod 26) ≡ a (mod 26) (say)
=⇒ a2 = 23 (mod 26)
=⇒ a = 7 or 19 (from above table)
i.e. D(X) = H or T
√
D(Q) = D(16) = 16 (mod 26) ≡ a (mod 26) (say)
=⇒ a2 = 16 (mod 26)
=⇒ a = 4 or 22 (from above table)
i.e. D(Q) = E or W
√
D(R) = D(17) = 17 (mod 26) ≡ a (mod 26) (say)
=⇒ a2 = 17 (mod 26)
=⇒ a = 11 or 15 (from above table)
i.e. D(R) = L or P
14
√
D(O) = D(14) = 14 (mod 26) ≡ a (mod 26) (say)
=⇒ a2 = 14 (mod 26)
=⇒ a = 14 or 12 (from above table)
i.e. D(O) = O or M
12 ≡1 (mod 8)
32 ≡1 (mod 8)
52 ≡1 (mod 8)
72 ≡1 (mod 8)
2
√ x ≡ 1 (mod 8) has four solutions.
So congruence
Therefore, 1 (mod 8) = 1, 3, 5, 7 (mod 8)
Quadratic Residue
An integer a ∈ Z is said to be a quadratic residue mod n (where n is a
fixed positive integer such that gcd(a, n) = 1). If the quadratic congruence
15
x2 ≡ a (mod n) has a solution. That is, if there exists x ∈ Z such that
x2 ≡ a (mod n). If no such x ∈ Z exist, a is said to be a non-quadratic
residue mod n.
y p−1 ≡ 1 (mod p)
p−1
(y 2 ) 2 ≡ 1 (mod p)
p−1
a 2 ≡ 1 (mod p)
p−1
Conversely, suppose a ≡ 1 (mod p). We want to show that a is a quadratic
2
which is a contradiction.
16
Now let g be a primitive root mod p. So g φ(p) ≡ 1 (mod p) and g k 6≡
1 (mod p) ∀1 ≤ k < p − 1.
(Since U (Zr ) is cyclic if r is prime).
Hence U (Zp ) is cycllic =⇒ hg | g p−1 = 1i = U (Zp ).
Since a ∈ U (Zp )
=⇒ a ≡ g r (mod p) for some r ∈ Z
Now,
p−1 p−1
1≡ a 2 ≡ (g r ) 2 (mod p)
r·(p−1)
=⇒ g 2≡ 1 (mod p)
r
=⇒ (p − 1) | · (p − 1) ∵ | U (Zp ) |= p − 1
2
r
=⇒ ∈ Z
2
r
Take y = g s where s = 2
this gives y 2 = g 2s = g r ≡ a (mod p).
Since p = 4k + 3
p+1 4k + 3 + 1
=⇒ = =k+1∈Z
4 4
17
Now
p+1
2 p+1
±a 4 ≡a 2 (mod p)
p+1
≡a 2 · 1 (mod p)
p+1 p−1
≡ a 2 · a 2 (mod p)
≡ ap (mod p)
≡ a · ap−1 (mod p)
≡ a (mod p) (By Fermat’s little theorem)
p+1
Hence x ≡ ±a 4 (mod p) are solutions.
p+1 p+1
Then two solution namely x ≡ a 4 (mod p) and x ≡ −a 4 (mod p) are
incongruent mod p.
Since x2 ≡ a (mod p) is a quadratic congruence. It can not have more than
two incongruent solutions and therefore if the congruence x2 ≡ a (mod p)
p+1
has a solution then x ≡ ±a 4 (mod p) are all the solutions.
∗ ∗ EN D ∗ ∗
18
Lecture-7
y p−1 ≡ 1 (mod p)
p−1
(y 2 ) 2 ≡ 1 (mod p)
p−1
a 2 ≡ 1 (mod p)
p−1
Conversely, suppose a ≡ 1 (mod p). We want to show that a is a quadratic
2
1
1 (mod p) ∀1 ≤ k < p − 1.
Let us assume that 1 ≤ a ≤ p − 1.
(Since U (Zr ) is cyclic if r is prime).
Hence U (Zp ) is cycllic =⇒ hg | g p−1 = 1i = U (Zp ).
Since a ∈ U (Zp )
Now,
p−1 p−1
1≡ a 2 ≡ (g r ) 2 (mod p)
r·(p−1)
=⇒ g 2≡ 1 (mod p)
r
=⇒ (p − 1) | · (p − 1) ∵ | U (Zp ) |= p − 1
2
r
=⇒ ∈ Z
2
r
Take y = g s where s = 2
this gives y 2 = g 2s = g r ≡ a (mod p).
Since p = 4k + 3
p+1 4k + 3 + 1
=⇒ = =k+1∈Z
4 4
2
Now
p+1
2 p+1
±a 4 ≡a 2 (mod p)
p+1
≡a 2 · 1 (mod p)
p+1 p−1
≡ a 2 · a 2 (mod p)
p
≡ a (mod p)
≡ a · ap−1 (mod p)
≡ a (mod p) (By Fermat’s little theorem)
p+1
Hence x ≡ ±a 4 (mod p) are solutions.
p+1 p+1
Then two solution namely x ≡ a 4 (mod p) and x ≡ −a 4 (mod p) are
incongruent mod p.
Since x2 ≡ a (mod p) is a quadratic congruence under modulo p(prime). It
can not have more than two incongruent solutions and therefore if the con-
p+1
gruence x2 ≡ a (mod p) has a solution then x ≡ ±a 4 (mod p) are all the
solutions.
=⇒ a1 x ≡ − a0 (mod p)
=⇒ x ≡−a1 −1 a0 (mod p)
We assume that theorem holds for all polynomial of degree less than k(say).
x = ω1 , ω2 , . . . , ωk+1 (mod p)
3
Let
g(x) = f (x) − ak (x − ω1 )(x − ω2 ) · · · (x − ωk )
Then g(x) is a polynomial of degree less than k.
By induction hypothesis g(x) ≡ 0 (mod p) can have at most (k − 1) (incon-
gruent modulo p) solution. But g(x) has k incongruent modulo p solution
ω1 , ω2 , . . . , ωk . So g(x) ≡ 0, (mod p) ∀x ∈ Z.
But then for x = ωk+1
=⇒ g(ωk+1 ) = 0 (mod p)
=⇒ 0 = g(ωk+1 ) = f (ωk+1 ) − ak (ωk+1 − ω1 )(ωk+1 − ω2 ) . . . (ωk+1 − ωk ) (mod p)
=⇒ g(ωk+1 ) ≡ −ak (ωk+1 − ω1 )(ωk+1 − ω2 ) . . . (ωk+1 − ωk ) (mod p)
(∵ f (ωk+1 ) ≡ 0 (mod p))
=⇒ g(ωk+1 ) 6≡ 0 (mod p)
(Since p . ak and ωi , i = 1, 2, . . . , k + 1 are incongruent)
Legendre Symbol
Let p be odd prime and let gcd(a, p)=1. The Legendre Symbol ap is de-
fined by
0 if p | a i.e. p divides a
a
= 1 if p - a and a is a quadractic residue modulo p
p
−1 if p - a and a is a non-quadractic residue modulo p
2
Example: 1. 3
= −1 since x2 ≡ 2 (mod 3) has no solution i.e. 2 is
non-quadratic residue modulo 3 and 3 - 2
2. p0 = 0
3
3. 13 = 1 since x2 ≡ 3 (mod 13) has solutions x = 4, 9 i.e. 3 is quadratic
residue modulo 13
4
Note: Legendre symbol can be defined in general for any 0 n0 instead of
prime p.
and (
2 1 if p = 8k + 1, 8k − 1, k ∈ N ∪ {0}
=
p −1 if p = 8k + 3, 8k − 3, k ∈ N ∪ {0}
5
equivalently
− pq if p = 4k1 + 3, q = 4k2 + 3
k1 , k2 ∈ N ∪ {0}
q
p
if p = 4k1 + 1, q = 4k2 + 1,
= p
q
p = 4k1 + 1, q = 4k2 + 3,
p = 4k1 + 3, q = 4k2 + 1
k1 , k2 ∈ N ∪ {0}
Example: Check whether the congruence x2 ≡ −46 (mod 17) has solutions.
Solution: We will use Legendre symbol to find solution exist or not.
Note that 17 - −46
By definition of Legendre symbol
If −46
17
= 1 then −46 is a quadratic residue modulo 17 i.e. it has solution.
−46
If 17 = −1 then −46 is a non-quadratic residue modulo 17 i.e. it has no
solution.
So we have to find
−46
=?
17
−46 −1 46
=
17 17 17
46 46
=(1) = ( by above theorem )
17 17
Also
46 12
46 ≡ 12 (mod 17) =⇒ = (by property (a))
17 17
22 · 3
12
=
17 17
2
2 3 3
= =
17 17 17
6
2
2
since 17
= 1 by property (b)
So
−46
= −1
17
Therefore congruence x2 = −46 (mod 17) has no solution.
7
From (1), we have
p−1
(−1) 2 ≡ 1 (mod p) (2)
8
since N > all 4k + 3 primes). So N has more than 1 factor of the form 4k + 3.
Now if 3|N then 3|N − 3
=⇒ 3|4(p2 · p3 · · · pn )
=⇒ 3|p2 · p3 · · · pn
=⇒ 3|pj some j = 2, 3, . . . , n (Not possible )
=⇒ 3 - N
=⇒ pj |3 but pj > 3
=⇒ pj - 3
=⇒ pj - N ∀j = 2, 3, . . . , n
9
Lecture-8
Rabin Cipher
Let p, q be distinct primes of the form 4k + 3 and take n = pq
E : Zn → Zn
m 7→ c = E(m) ≡ m2 (mod n)
D : Zn → Zn
√
c 7→ m = D(c) ≡ c (mod n)
1
E(S) =E(18) = 182 ≡ 324 (mod 33) ≡ 27 (mod 33) = ?
E(T ) =E(19) = 192 ≡ 361 (mod 33) ≡ 31 (mod 33) = χ
E(U ) =E(20) = 202 ≡ 400 (mod 33) ≡ 4 (mod 33) = E
E(D) =E(3) = 32 ≡ 9 (mod 33) = J
E(E) =E(4) = 42 ≡ 16 (mod 33) = Q
E(N ) =E(13) = 132 ≡ 169 (mod 33) ≡ 4 (mod 33) = E
E(T ) =E(19) = 192 ≡ 361 (mod 33) ≡ 31 (mod 33) = χ
To decrypt: “?χEJQEχ”
√
D(?) = D(27) ≡ 27 (mod 33) ≡ x (mod 33) i.e. x2 ≡ 27 (mod 33)
For a = 27 and p = 3 = 0 × 4 + 3
a ≡ 27 (mod 3) ≡ 0 (mod 3)
2
Recall: Chinese Remainder Theorem
x ≡a1 (mod m1 )
x ≡a2 (mod m2 )
x ≡ a1 y1 M1 + a2 y2 M2 (mod m1 m2 )
where
m1 · m2 m1 · m2
M1 = = m2 , M2 = = m1
m1 m2
Now solve (1) and (3) using Chinese Remainder Theorem, we have
a1 = 4, a2 = 0, m1 = 11, m2 = 3
11 · 3 11 · 3
M1 = = 3, M2 = = 11
11 3
x ≡ 18 (mod 33)
√
Therefore 27 ≡ 15, 18 (mod 33)
√
D(?) = D(27) ≡ 27 (mod 33) ≡ 15, 18 (mod 33) = P or S
Now
√
D(χ) = D(31) ≡ 31 (mod 33) ≡ x (mod 33) i.e. x2 ≡ 31 (mod 33)
3
we have
11+1
x ≡ ±31 4 (mod 11) ≡ ±313 (mod 11) ≡ ±93 ≡ ±3 (mod 11)
For a = 31 , p = 3 and gcd (31, 3) = 1. By Theorem 1
we have
3+1
x ≡ ±31 4 (mod 3) ≡ ±311 (mod 3) ≡ ±1 (mod 3)
Now we have
4
Solve (5) and (6) using Chinese Remainder Theorem, we have
a1 = 8, a2 = 1, m1 = 11, m2 = 3
11 · 3 11 · 3
M1 = = 3, M2 = = 11
11 3
x ≡ 8 (mod 33)
√
Hence 31 ≡ 8, 14, 19, 25 (mod 33)
√
D(χ) = D(31) ≡ 31 (mod 33) ≡ 8, 14, 19, 25 (mod 33) = I, O, T or Z
In the same way we can do other decryptions, we get finitely many possible
plain text. We shall choose meaningful plain texts.
Attacks on RSA
In RSA cryptosystem, we use two keys one for encryption which is public
and another for decryption which is private. Attacks on RSA , we mean
that without knowing private key how can someone decrypt the cipher text.
There are many attacks on RSA, we will study few of them.
5
their public key say (nB , 3), (nC , 3) and (nD , 3) respectively
Alice will send
cB = m3 (mod nB ) to Bob
cC = m3 (mod nC ) to Christopher
cD = m3 (mod nD ) to David
x =cB = m3 (mod nB )
x =cC = m3 (mod nC )
x =cD = m3 (mod nD )
x = m3 (mod nB nC nD )
6
Alice will send
x · e1 + y · e2 + z · e3 = 1
The attacker will construct a cipher text from the obtained cipher ‘c’
(to be decrypted )
c0 ≡ se · c (mod n)
The attacker will manage somehow that receiver must decrypt c0 with
the help of private key d.
m0 = (c0 )d (mod n) ≡ (se ·c)d (mod n) ≡ se·d ·cd (mod n) ≡ s·m (mod n)
since e · d = 1 (mod φ(n)) i.e. e · d = 1 + kφ(n) for some k ∈ Z.
7
Since the attacker has choosen s himself, so attacker knows s−1 (mod n),
therefore message is obtained by
m ≡ s−1 · m0 (mod n)
Strong Prime
Let p be a large prime, then p is said to be a strong prime if,
• p − 1 has a large prime factor say r
• r − 1 has a large prime factor say t
• p + 1 has a large prime factor say s
Observe that
Since p − 1 has a lage prime factor r i.e. p = kr + 1 for some k. If k is odd
then p will be even which is not possible. Therefore k must be even.
Since r − 1 has a lage prime factor t i.e. r = k 0 t + 1 for some k 0 . If k 0 is odd
then r will be even which is not possible. Therefore k 0 must be even.
Also, Since p + 1 has a lage prime factor s i.e. p = k 00 s − 1 for some k 00 . If k 00
is odd then p will be even which is not possible. Therefore k 00 must be even.
So we can write
• p = 2jr + 1
• p = 2ms − 1
• r = 2lt + 1
for some integres j, l, m where r, s and t are primes.
To construct strong primes, we take large primes r, s and t as above and
compute p for different choices for j, l and m. Check whether p is prime or
not. If p is prime then it will be strong prime.
8
Question is given a positive integer n, to decide if it is a prime or
not.
Some Definition:
9
Pseudoprime: A composite number n is said to be pseudoprime
to the base b if b is a positive integer such that gcd(b, n) = 1 and
b(n−1) ≡ 1 (mod n).
From above example, 341 is a pseudoprime to the base 2.
10
310 ≡ 56 (mod 341),
320 ≡ 67 (mod 341),
330 ≡ 1 (mod 341),
(330 )11 = 3330 ≡ 1 (mod 341),
3340 = 3330 · 310 ≡ 56 (mod 341),
⇒ 3341−1 ≡ 56 6≡ 1 (mod 341).
Hence 341 is not prime and we can observe that 341 = 11 × 31.
Miller-Rabin test:
Let n be a postive integer and n − 1 = 2s t, s ≥ 0 and t odd positive integer.
We say that n passes the Miller’s test for the base b if either bt ≡ 1 (mod n)
k
or b2 t ≡ −1 (mod n) for some k : 0 ≤ k ≤ s − 1.
Let b be a base, then bn−1 ≡ 1 (mod n). (if not, then by Fermat’s pri-
mality test, n is composite. )
WLOG, we may assume that s > 0 otherwise n − 1 will be odd and n will
be even i.e n is composite.
So n − 1 is an even integer
⇒ n−1 ∈N
2 n−1 2
⇒ b 2 ≡ 1 (mod n)
n−1
n−1
for x = b 2 , x2 ≡ 1 (mod n), suppose y = 2
11
(a) If 2|y i.e. y is even, assign y = y/2 ∈ Z and evaluate
x ≡ by (mod n)
If n passes the test for base b then we choose another base b0 and apply
Miller-Rabin test for base b0 .
n − 1 = 28 = 22 · 7 where t = 7, and s = 2
n−1
2
= 14
52 ≡ −4 (mod 29),
54 ≡ 16 (mod 29),
56 ≡ −6 (mod 29),
57 ≡ −1 (mod 29),
514 ≡ 1 (mod 29),
For x = 514 ≡ 1 (mod 29)
x ≡ 1 (mod 29) so 29 may be prime we can proceed further.
Since 2|14 and 57 ≡ −1 (mod 29). It may be a prime and may not be a prime
and we can not proceed also further i.e 29 passes the test for the base 5.
Example 2:
Let n = 1387, b = 2
12
(218 )77 = 21386 ≡ 1 (mod 1387),
21386 ≡ 1 (mod 1387)
n − 1 = 1386 = 2 · 693 where t = 693, and s = 1
n−1
2
= 693
38
(218 ) = 2684 ≡ 1 (mod 1387),
2684 · 29 = 2693 ≡ 512 6≡ ±1 (mod 1387)
Since x2 = (2693 )2 = 21386 ≡ 1 (mod 1387) but x = 2693 ≡ 512 6≡ ±1 (mod 1387).
Hence 1387 fails the test. Therefore 1387 is composite number and 1378 =
19 · 73.
Remark: Observe that a prime passes the test , but a composite may also.
So if n passes the test we can not conclude that n is ’prime’. However if n
fails the test then n is ’composite’.
Wilson’s theorem:
Statement: Let p be a positive integer then p is a prime iff (p − 1)! ≡
−1 (mod p).
Proof:
⇒: Let p be a prime. If p = 2 then (2 − 1)! = 1! and 1 ≡ −1 (mod 2). So
theorem holds for p = 2.
If p = 3 then (3 − 1)! = 2! and 2 ≡ −1 (mod 3). Theorem also true for p = 3.
Now consider p > 3
(p − 1)! = 1 · 2 · 3 · · · (p − 1)
13
x ≡ x−1 (mod p) i.e x2 ≡ 1 (mod p).
⇐: For if p is not prime, then p has a divisor d with 1 < d < p. Further-
more, because d ≤ (p − 1), d occurs as one of the factors in (p − 1)!, whence
d|(p − 1)!. Now we are assuming that p|(p − 1)! + 1, and so d|(n − 1)! + 1,
too. The conclusion is that d|1, which is nonsense.
Hence If p is composite then (p−1)! 6≡ −1 (mod p) i.e if (p−1)! ≡ −1 (mod p)
then p is prime.
1 1
1. Check n k is an integer for 2 ≤ k ≤ log2 (n). If n k is the integer i.e. n
is perfect power, then n is composite.
2. Find the smallest integer r such that ordr (n) > (log2 (n))2 where ordr (n)
is multiplicative order of n modulo r.
(X + b)n ≡ X n + b (mod X r − 1, n)
14
√
For all b such that 1 ≤ b ≤ φr log2 (n). If this the case n is prime i.e.
(X + b)n 6≡ X n + b (mod X r − 1, n)
p
For some b such that 1 ≤ b ≤ φ(r) log2 (n), then n is composite.
ord2 (37) = 1
ord3 (37) = 1
ord4 (37) = 1
ord5 (37) = 4
ord6 (37) = 1
15
So we have r = 29
and gcd(a, 37) = 1 for 2 ≤ a ≤ 27
Since n ≥ r So it passes step (4), now we check step(5) i.e.
(X + b)n ≡ X n + b (mod X r − 1, n)
√ p
for
√ n = 37, r = 29 and 1 ≤ b ≤ φr log 2 (n). and φ(29) log2 (37) =
28 log2 (37) = 27.6 i.e 1 ≤ b ≤ 27.6
For b = 1
(X + 1)37 − (X 37 + 1) = (X 29 − 1)q(x) + r(x) ≡ r(x) (mod X 29 − 1)
where
and
16
Lecture-9
Factorization of Integers
Fermat’s Factorization
Fermat’s method for factoring a composite number n tries to write it as
the difference of two squares n = x2 − y 2 , yielding the factorization n =
(x + y)(x − y). Indeed, for a composite odd number n = ab such a represen-
tation always exists:
square. √
Let m be the positive integer such that m ≥ n. Now look for perfect squares
in the sequence m2 − n, (m + 1)2 − n, (m + 2)2 − n, . . . . The search will end
into a perfect square for m ≤ n+1
2
.
Since
m2 − n, for m = n+12
is
2
n2 + 1 + 2n − 4n
2 n−1
m −n= = ∈Z
4 2
Of course the value of m, gives trivial factor.
√
Remark: To have an initial guess for m ≥ n, m ∈ N, apply Newton’s
method for function f (x) = x2 − n, observe that f 0 (x) = 2x. Say r0 and
subsequent guesses by the sequence rk = rk−1 − ff0(r(rk−1 )
k−1 )
for k ≥ 1.
1
√
Example 1:√Let n = 3811 and m ≥ 3811.
Since 62 > 3811 > 61. Choose m = 62.
Now look for perfect square
622 − 3811 = 33
632 − 3811 = 158
642 − 3811 = 285
652 − 3811 = 414
662 − 3811 = 545
672 − 3811 = 678
682 − 3811 = 813
692 − 3811 = 950
702 − 3811 = 1089 = 332
2
p|n and (p − 1)|k! for some k ∈ Z+
WLOG, assume p is an odd prime i.e. p > 2. Let a be a positive integer such
that gcd(a, n) = 1 this implies that gcd(a, p) = 1 then by Fermat’s Little
Theorem a(p−1) ≡ 1 (mod p)
Since
Since p|mn and p|ak! − 1 this implies that p|z and p|n i.e p|gcd(z, n)
Note: Since n is odd, we can choose a = 2.
Algorithm:
Suppose n is given integer which is to be factored.
Choose a base a such that gcd(a, n) = 1. Let z be the least non-negative
residue in modulo n of ak! − 1 i.e.
Case 1: z 6= 0
Calculate gcd(z, n)
If gcd(z, n) 6= 1 then we get a non trivial factor on n.
3
61937 = 3 · 20645 + 2
3=2·1+1
2=1·2+0
61937 = 63 · 983 + 8
63 = 8 · 7 + 7
8=7·1+1
7=1·7+0
4
Setup
4. Go to Algorithm.
m0 , m1 , m2 , m3 , . . . , mk
such that their least non-negative residue are distint in modulo n but
not all distint in modulo p,
that is,
and
m0 , m1 , m2 , m3 , . . . , mk
Note that
Now compute
5
gcd((mq − mr ), n)
m1 , m2 , m3 , . . .
such that
3. Compute
gcd(m2i − mi , n)
4. If gcd is greater than 1 and less than n for some i, then we get a non
trivial factor of n.
Note
3. If n = pq where p and q are primes of the same size (that is, of same
length),√then Pollard’s Rho Algorithm can find a non trivial factor of
n in O( 4 n).
6
then,
m1 = 22 + 1 = 5
m2 = 52 + 1 = 26
m3 = 262 + 1 = 677
m4 = 6772 + 1 = 458330 ≡ 7474 (mod 8051)
m5 = 74742 + 1 ≡ 2839 (mod 8051)
m6 = 28392 + 1 ≡ 871 (mod 8051)
and so on
Now compute
gcd(m2i − mi , n)
that is,
m1 = 32 + 1 = 10
m2 = 102 + 1 = 101
m3 = 1012 + 1 = 10202 ≡ 323 (mod 3293)
m4 = 3232 + 1 ≡ 2247 (mod 3293)
and so on.
Compute
gcd(m2i − mi , n)
that is,
gcd(m2 − m1 , n) = gcd(91 , 3293) = 1
7
gcd(m4 − m2 , n) = gcd(2146 , 3293) = 37
Thus 37 is a factor of n = 3293.
Other non trivial factor of n is 89.
m1 = 22 + 3 = 7
m2 = 72 + 3 = 52
m3 = 522 + 3 = 2707
m4 = 27072 + 3 = 3948
m5 = 39482 + 3 ≡ 2976 (mod 4087)
m6 = 29762 + 3 ≡ 50 (mod 4087)
m7 = 502 + 3 ≡ 2503 (mod 4087)
m8 = 25032 + 3 ≡ 3728 (mod 4087)
m9 = 37282 + 3 ≡ 2187 (mod 4087)
m10 = 21872 + 3 ≡ 1182 (mod 4087)
m11 = 11822 + 3 ≡ 3460 (mod 4087)
m12 = 34602 + 3 ≡ 780 (mod 4087)
m13 = 7802 + 3 ≡ 3527 (mod 4087)
m14 = 35272 + 3 ≡ 2991 (mod 4087)
and so on.
Compute
gcd(m2i − mi , n)
8
that is,
9
Denote bj ≡ αj (mod 2) i.e. powers of primes modulo 2 and b = {b1 , b2 , . . . , bh }
67 = {1, 0, 0}
68 = {1, 0, 0}
69 = {0, 1, 0}
Given a positive integer n to be factored, Suppose we have k B-smooth
numbers b2i where B is a factor base and
So !
k k h
α
Y Y Y
ai = pj j (mod n)
i=1 i=1 j=1
h Pk
αij
Y
= pj i=1
(mod n)
j=1
k k h Pk
αij
Y Y Y
b2i = ai = pj i=1
(mod n)
i=1 i=1 j=1
Pk
Now if i=1 i = (0, 0, . . . , 0) i.e. sum of powers modulo 2 is 0, i.e. even,
then right side become a perfect square,
h Pk
αij
Y
RHS = pj i=1
= l2 (say)
j=1
and !2
k
Y
b2 = bi (say)
i=1
10
then we have
b2 = l2 (mod n)
i.e. n | b2 − l2 i.e. n | (b − l)(b + l)
and factors of n is obtained by computing gcd(n, b − l) and gcd(n, b + l)
Example: From above we have, for n = 4633
67 = (1, 0, 0) and 68 = (1, 0, 0)
67 + 68 = (0, 0, 0)
11
where ei ’s are even i.e right hand side is perfect square .
Suppose pe11 ·e22 · · · penn = l2 then we have
gcd(r − l, n)
and
gcd(r + l, n)
√
Example: For n = 7429, n ≈ 86.20 , so m = 87
take f (x) = (87 + x)2 − 7429
f (0) = 872 − 7429 ≡ 140 (mod 7429) ≡ 22 · 5 · 7 (mod 7429)
f (1) = 882 − 7429 ≡ 315 (mod 7429) ≡ 32 · 5 · 7 (mod 7429)
f (−2) = 852 − 7429 ≡ −204 (mod 7429) ≡ (−1) · 22 · 3 · 17 (mod 7429)
Note that f (0)f (1) = 22 · 32 · 52 · 72 (mod 7429)
gcd(n, 7446) = 17
gcd(n, 7866) = 1
Factors of n = 7429 are 17 and 437.
12
Continued Fraction Factorization
For a give real number x, we define continued fraction
1
x = a0 +
1
a1 +
1
a2 +
1
a3 +
1
a4 +
...
1
c k = a0 +
1
a1 +
1
a2 +
1
a3 +
... 1
+
ak
13
Example:
19 1
= 0+
35 35
19
1
=0 +
16
1+
19
1
=0 +
1
1+
19
16
1
=0 +
1
1+
3
1+
16
1
=0 +
1
1+
1
1+
1
5+
3
14
19
= [0; 1, 1, 5, 3]
35
c0 = 0
1
c1 = 0 + =1
1
1 1
c2 = 0 + =
1 2
1+
1
1 6
c3 = 0 + =
1 11
1+
1
1+
5
1 19
c4 = 0 + =
1 35
1+
1
1+
1
5+
3
15
then we have
A0
c0 =
B0
A1
c1 =
B1
A2
c2 =
B2
..
.
Ak
ck =
Bk
=⇒ X ≡ Y 2 (mod n)
2
gcd((X − Y ), n)
and
gcd((X + Y ), n)
16
√
Algorithm for wrting Continued fraction of n
Initialization:
√
a0 = 2 n
√
y0 = n
z0 = 1
√
Example:
√ √ For n = 33 , we
√ write
33 in continued fraction
n = 33 ≈ 5.744 i.e. 33 = 5
j√ k
a0 = 2 · 33 = 2 · 5 = 10
j√ k
y0 = 33 = 5
z0 = 1
17
y1 = a0 z0 − y0 = 10 · 1 − 5 = 5
33 − 25
z1 = =8
1
$ √ %
33 + y1 5+5
a1 = = =1
z1 8
y2 = a1 z1 − y1 = 1 · 8 − 5 = 3
33 − 9
z2 = =3
8
$ √ %
33 + y2 5+3
a2 = = =2
z2 3
y3 = a2 z2 − y2 = 2 · 3 − 3 = 3
33 − 9
z3 = =8
3
$ √ %
33 + y3 5+3
a3 = = =1
z3 8
√ 1
33 = 5 +
1
1+
1
2+
1+ .
..
√
33 = [5; 1, 2, 1 . . . ] = [a0 ; a1 , a2 , a3 . . . ]
Ak
k-th convergent ck = Bk
A 0 = a0 B0 = 1
A1 = a1 a0 + 1 B1 = a1
Ak = ak Ak−1 + Ak−2 Bk = ak Bk−1 + Bk−2
18
A0 = a0 = 5 B0 =1
A1 = a1 a0 + 1 = 5 + 1 = 6 B1 = a1 =1
A2 = a2 A1 + A0 = 17 B2 = a2 B1 + B0 =3
A3 = a3 A2 + A1 = 23 B3 = a3 B2 + B1 =4
c0 = 5
c1 = 6
17
c2 =
3
23
c3 =
4
So, A0 = 5, A1 = 6, A2 = 17, , A3 = 23
19
Lecture-10
Key Exchange Protocols and Discrete Logarithm
Alice Bob
Private a b ∈ Zn
Public ga −→ ga ∈ G
b
Public g ←− gb ∈ G
Now Alice calculate (g b )a = g ab and Bob calculate (g a )b = g ab .
Hence K = g ab which becomes their common knowledge.
Alice Bob
Private a = 29 b = 19 ∈ Zn
Public ga −→ g a = 229 ≡ 45 (mod 53) ∈ G
Public g b = 12 ←− g b = 219 ≡ 12 (mod 53) ∈ G
Now, Alice will calculate
(g b )a = (12)29 (mod 53)
122 = 144 ≡ 38 (mod 53)
124 = 1444 ≡ 13 (mod 53)
128 = 169 ≡ 10 (mod 53)
1216 = 100 ≡ −6 (mod 53)
1224 = 1216 · 128 ≡ −60 ≡ −7 (mod 53)
1229 = 1224 · 124 · 121 = −7 · 13 · 12 = −1092 ≡ 21 (mod 53)
1
Since g b = 12 =⇒ b = 19 (as the least non-negative integer x such that g x = y, for y = 12, g = 2 ∈ G)
g a = 45 b = 19
Now, Bob will calculate
Alice choose a = 29 , Bob choose b = 19 and kept as a secret. Made public g a = 229 ≡ 45 (mod 53)
and g b = 219 ≡ 12 (mod 53). Then common shared key k = 21.
Massey-Omura Cryptosystem
Let G = hg|g n = 1i be a cyclic group generated by g and be public. Suppose a message M ∈ G is
sent by Alice and Bob. They choose integer in Zn a and b respectively and keep secret. Then Alice
and Bob exchange the key as follows.
Alice Bob
Private a b ∈ Zn
Ma −→ Ma ∈ G
M ab = (M a )b ←− (M a )b ∈ G
−1 −1
(M ba )a −→ (M ba )a = M b
−1
Hence Bob receives the message M by computing (M b )b = M. Provided a−1 and b−1 exist in
Modulo φ(n).
M a = 25 ≡ 3 (mod 29)
2
ElGamal Cryptosystem
Let G =< g|g n = 1 > be public. All users, say Alice and Bob . . . . They choose random integers
a, b, . . . respectively and keep it secret and make g a , g b , · · · ∈ G public.
Now, if Bob wants to send message M to Alice. He choose a random integer k and create a mask by
doing (g a )k ∈ G. Bob then sends to Alice (g k , Mg ak ) ∈ G × G.
Alice will receive (g k , Mg ak ) ∈ G × G, to recover M from order pair (g k , Mg ak ) , Alice will recreate
the mask by doing (g k )a = g ka = g ak ∈ G, as Alice know a (secret) and g k is first element of order
pair (g k , Mg ak ) received from Bob.
To recover the message, Alice will compute
Example: Let G = Z∗ 29 =< 2 | 228 = 1 >= {20 , 21 , 23 , . . . 227 } = {1, 2, 4, 8, 16, , 6, 12, 24 . . . }, |G| =
28
suppose A = {A = 1, B = 2, C = 4, D = 8, E = 16, F = 3, G = 6, H = 12, I = 24 . . . }, |A| = 28
Alice: Private key a = 3, Public key: g a = 23 = 8
Bob wants to send message “HELLO”
To send M=H= 12 = 27 ∈ G,
Bob choose k = 5,
create mask:
(g a )k = (23 )5 = 215 ≡ 27 (mod 29)
(g k )a = 33 ≡ 27 (mod 29) ∈ G
and compute
M(g ak ) · [g ak ]−1 = 5 · 27−1 ≡ 5 · 14 ≡ 12 (mod 29)
(since 27−1 ≡ 14 (mod 29))
So, Alice will get M =H (as 12 correspond to H)
3
Discrete Logarithm
Definition: Let G be a group and g, h ∈ G, then x is called the discrete logarithm for h in G
to the base g (denoted as x = dlogg h) if x is the least non negative integer satisfying g x = h.
Note :
1. Discrete Logarithm may or may not exists.
If discrete loagrithm for h in G to the base g exists, then we say dlogg h exists.
If discrete loagrithm for h in G to the base g does not exist, then we say dlogg h does not exist.
2. Let G = Z2 × Z2 = {(0, 0), (0, 1), (1, 0), (1, 1)}, then G is abelian but not cyclic.
Note that (0, 1)2 = (0, 1) + (0, 1) = (0, 0), (1, 0)2 = (1, 0) + (1, 0) = (0, 0), (1, 1)2 = (1, 1) +
(1, 1) = (0, 0).
In this case discrete logarithm for any element of G to any base will not exists except (0, 0) .
3. Let G = S3 = {I, (1 2), (1 3), (2 3), (1 2 3), (1 3 2)} be the set of permutations on symbols
{1, 2, 3} then G is neither abelian nor cyclic.
Note that
(1 2)(1 2) = I
(1 3)(1 3) = I
(2 3)(2 3) = I
(1 2 3)(1 2 3) = (1 3 2)
(1 2 3)(1 2 3)(1 2 3) = I
(1 3 2)(1 3 2) = (1 2 3)
(1 3 2)(1 3 2)(1 3 2) = I
4
The computation of discrete logarithm whenever exists is called Discrete Logarithm
Problem (DLP).
The discrete logarithm problem is solvable in a cyclic group to the base g, where g is a generator of
G. We shall discuss some algorithms to compute the discrete logarithm in a finite cyclic group of
order n, say G = < g : g n = 1 >:
The baby-step giant-step algorithm is a generic algorithm. It works for every finite cyclic group.
As the name suggests, this method is divided into two parts. We call them as Baby Steps and
Giant Steps.
Set up
Let G be a finite cyclic group.
G = < g| g n = 1 >
Then, ∀ a ∈ G, dlogg a exists. √
Let, m be the least positive integer greater than or equal to n.
Let x = dlogg a ⇒ g x = a
⇒ ∃ q, r ∈ Z, 0 ≤ r < m such that x = mq + r .
⇒ g x = g mq + r = a
⇒ g mq = ag −r
5
Algorithm :
Baby Steps
To compute baby steps, we compute a set
B = {(ag −r , r)|0 ≤ r ≤ m − 1}
that is,
B = {(a, 0), (ag −1 , 1), (ag −1 , 1), (ag −2 , 2), (ag −3 , 3), . . . , (ag −(m−1) , m − 1)}
Giant Steps:
If such s does not exists, that is, there dose not any t, 0 ≤ t ≤ m−1 such that (ag −t , t) = (1, t) ∈ B,
we go the Giant Steps.
To compute giant steps, we compute :
g m , (g m )2 , (g m )3 , (g m )4 , . . .
that is,
(g m )i , i = 1, 2, 3, ...
till we get some q such that (g m )q = ag −r for some 0 ≤ r ≤ m − 1.
In that case (g m )q = ag −r ⇒ g mq + r = a
and hence dlogg a = mq + r = x .
Examples :
1. Determine, if exists, dlog5 3 in Z∗53 .
√
Let, m be the least positive integer greater than or equal to 53 = 7.2 approx.
⇒ m = 8
Let x = dlog5 3 ⇒ 5x = 3.
⇒ ∃ q, r ∈ Z, 0 ≤ r < 8 such that x = 8q + r .
Baby Steps :
To compute baby steps, we compute a set
B = {(ag −r , r)/0 ≤ r ≤ 7}
that is,
B = {(a, 0), (ag −1 , 1) (ag −2 , 2), (ag −3 , 3), (ag −4 , 4), (ag −5 , 5), (ag −6 , 6), (ag −7 , 7)}
Note that g −1 ≡ 5−1 ≡ 32 (mod 53)
6
⇒ B = {(3, 0), (3 · 32, 1), (3 · (32)2 , 2), (3 · (32)3 , 3), (3 · (32)4 , 4),
(3 · (32)5 , 5), (3 · (32)6 , 6), (3 · (32)7 , 7)}
⇒ B = {(3, 0), (43, 1), (51, 2), (42, 3), (19, 4), (25, 5), (5, 6), (1, 7)}
Baby Steps :
B = {(ag −r , r)|0 ≤ r ≤ 6}
that is,
B = {(a, 0), (ag −1 , 1) (ag −2 , 2), (ag −3 , 3), (ag −4 , 4), (ag −5 , 5), (ag −6 , 6)}
⇒ B = {(15, 0), (15 · 15, 1), (15 · (15)2 , 2), (15 · (15)3 , 3), (15 · (15)4 , 4),
(15 · (15)5 , 5), (15 · (15)6 , 6), (15 · (15)7 , 7)}
⇒ B = {(15, 0), (3, 1), (8, 2), (9, 3), (24, 4), (27, 5), (35, 6)}
Giant Steps :
g m , (g m )2 , (g m )3 , (g m )4 , . . .
that is,
i
(57 ) , i = 1, 2, 3, ...
Note that
1
(57 ) = 18
2
(57 ) = 28
7
3
(57 ) = 23
4
(57 ) = 7
5
(57 ) = 15
5
Here we get q = 5 such that (g m )q = (57 ) = 15 = ag −r for r = 0.
5
Hence (57 ) = 15 ⇒ dlog5 15 = 7 · 5 + 0 = 35.
8
Lecture-11
Discrete Logarithm Algorithm
as b0 = g x0
similarly
gb1
if b1 ∈ G1
b2 = f (b1 ) = b1 2 if b1 ∈ G2
ab1 if b1 ∈ G3
1
NOTE 1 : bi ∈ G and bi is of the form bi = g xi ayi (i ≥ 0)
thus bi+1 = f (bi ) = g xi+1 ayi+1
So,
x0 +1 x0 +1 0
g
if b0 ∈ G1 g a if b0 ∈ G1
b1 = g x1 ay1 = g 2x0 2x
if b0 ∈ G2 = g 0 a 0
if b0 ∈ G2
x0
x0 1
ag if b0 ∈ G3 g a if b0 ∈ G3
thus,
x0 + 1 if b0 ∈ G1
x1 = 2x0 if b0 ∈ G2
x0 if b0 ∈ G3
and
y 0
if b0 ∈ G1
y1 = 2y0 if b0 ∈ G2
y0 + 1 if b0 ∈ G3
and
yi (mod n)
if bi ∈ G1
yi+1 = 2yi (mod n) if bi ∈ G2
yi + 1 (mod n) if bi ∈ G3
NOTE 2 :
we can prove it by induction
we won’t write (mod n) again and again.
The sequence {bm }m=0 must be a finite sequence (as G is finite) and thus
it terminates at some finite step. Suppose
bi+k = bi for some i, k
xi+k
g ayi+k = g xi ayi
g xi+k −xi = ayi −yi+k in G =< g|g n = 1 >
2
If x = dlogg a, then g x = a Thus,
xi+k − xi ≡ x (yi − yi+k ) (mod φ(n))
x ≡ (yi − yi+k )−1 (xi+k − xi ) (mod φ(n))
If (yi − yi+k )−1 (mod φ(n)) exists, then dlogg a = x is uniquely deter-
mined.
If (yi − yi+k )−1 (mod φ(n)) does not exist, the congruence
xi+k − xi ≡ x (yi − yi+k ) (mod φ(n))
can still be solved and x can be determined from various possible solu-
tions (by putting g x = a for least possible x).
(we have divided the group in this way but it can be divided in any way by
choice)
Let x0 = 2,
b0 = g x0 = 52 ≡ 25 ≡ 2 (mod 23)
b0 = g x0 ay0 = (52 )(180 ) ≡ 2 (mod 23) and 2 ∈ G1
b1 = g x1 ay1 = g x0 +1 ay0 = (53 )(180 ) ≡ 10 (mod 23) and 10 ∈ G2
b2 = g x2 ay2 = g 2x1 a2y1 = (56 )(180 ) ≡ 8 (mod 23) and 8 ∈ G2
b3 = g x3 ay3 = g 2x2 ay2 = (512 )(180 ) ≡ 18 (mod 23) and 18 ∈ G3
b4 = g x4 ay4 = g x3 ay3 +1 = (512 )(181 ) ≡ 2 (mod 23) and 2 ∈ G1
Note that
b4= b0
=⇒ g a = g x0 ay0
x4 y4
3
Index Calculus Algorithm in Zp:
Let G = Z∗p = hg| g p−1 = 1i. and x = dlogg a where a ∈ G. So g x ≡
a (mod p).
We choose a bound B and determine factor base F(B) = {q ∈ P|q ≤ B}
where P is set of all prime numbers.
An integer b is said to be B-smooth number if all prime divisors of b lie in
F(B). That is if p is a prime such that p|b and p ≤ B.
Hence
a ≡ g {( x(q)e(q))−y }
P
q∈F (B) (mod p)
4
This implies
X
=⇒ x ≡ x(q)e(q) − y (mod p − 1)
q∈F (B)
Now for step-1, to determine of x(q) the discrete log of the ele-
ment q ∈ F(B).
For this we choose random integer z ∈ {1, 2, . . . , p−1} and compute g z (mod p),
and check if these are B-smmoth. If yes then compute the decomoposition:
Y
g z (mod p) = q f (q,z)
q∈F (B)
5
Thus,
Y
gz ≡ q f (q,z) (mod p)
q∈F (B)
Y
≡ [g x(q) ]f (q,z) (mod p)
q∈F (B)
≡ g( x(q)f (q,z))
P
q∈F (B) (mod p)
Implies that
X
z≡ x(q)f (q, z) (mod p − 1) ∀z : g z (mod p) is B − smooth
q∈F (B)
Hence we have a system of linear congruence in variables x(q) for all q ∈ F(B)
Step-1 To find dlogg q ∀q ∈ F(B) i.e. dlogg 2, dlogg 3, dlogg 5, dlogg 7, and dlogg 11
For q = 2 dlog2 2 = 1(since 21 ≡ 2 (mod p))
So we have x(2) = 1.
Suppose g x(q) = q ∀q ∈ F(B) i.e.
6
(since (p − 1) | (x(3) + x(11) − z) and z = 1593, p = 2027)
Similarly,
z = 1318 =⇒ g z = 21318 ≡ 1408 ≡ 27 × 11 (mod 2027) which is
B − smooth.
i.e.
g z = 21318 ≡ g 7x(2) · g x(11) (mod p)
i.e.
g 7x(2)+x(11)−z ≡ 1 (mod 2027)
=⇒ 7x(2) + x(11) − z ≡ 0 (mod 2026)
=⇒ 7x(2) + x(11) ≡ 1318 (mod 2026) (3)
7
Similarly, we have
for z = 1918
=⇒ 6x(2) + 2x(5) ≡ 1918 (mod 2026) (5)
and for z = 11
=⇒ x(3) + x(7) ≡ 11 (mod 2026) (6)
Finally we have six equations (1)-(6) to calculate x(3), x(5), x(7), x(11)
and we already know x(2) = 1.
Now we have to solve system of equations (1)-(6) for x(3), x(5), x(7), x(11)
Note that 2026 = 2 × 1013. So we solve system of equations Modulo 2 and
Modulo 1013.
x(3) ≡ 0 (mod 2)
x(5) ≡ 1 (mod 2)
x(7) ≡ 1 (mod 2)
x(11) ≡ 1 (mod 2)
8
and system of equation Modulo 1013
Now we have solutions in Modulo 2 and Modulo 1013, we can easily calculate
solution Modulo 2026, using Chinese Remainder Theorem
x(3) ≡ 0 (mod 2)
x(3) ≡ 282 (mod 1013)
x(3) ≡ 282 (mod 2026) (by applying Chinese Remainder Theorem)
x(5) ≡ 1 (mod 2)
x(5) ≡ 956 (mod 1013)
x(5) ≡ 1969 (mod 2026) (by applying Chinese Remainder Theorem)
x(7) ≡ 1 (mod 2)
x(7) ≡ 742 (mod 1013)
x(7) ≡ 1755 (mod 2026) (by applying Chinese Remainder Theorem)
9
x(11) ≡ 1 (mod 2)
x(11) ≡ 298 (mod 1013)
x(11) ≡ 1311 (mod 2026) (by applying Chinese Remainder Theorem)
(1). For a = 12
a = 12 = 22 · 3 i.e a is B-smooth and we have g x(2) = 21 = 2 and g x(3) =
2282 = 3 Then
(2.) For a = 65
a = 65 = 5 × 13 is not B-smooth.
Now we find y ∈ {1, 2, . . . p − 1} such that ag y (mod p) is B-smooth.
and so on we get y = 28
10
Lecture-12
Discrete Logarithm Algorithm
Algorithm :
Let G0 be a finite abelian group of order k.
We need to compute dlogγ α, where α, γ ∈ G0 .
Assuming that dlogγ α exists, we are considering a subgroup G of G0 of order
n such that
G = < γ|γ n = 1 >
1
. Y
Thus G be a finite cyclic group of order n where n = pe(p) .
p|n
Then γ ∈ G , O(γ) = n, and, dlogγ α exists.
Let dlogγ α = x =⇒ γ x = α.
For each prime p, p|n , denote
n
np =
pe(p)
=⇒ O(γp )|pe(p)
(p) (p) n
then (γp )p = (γ np )p = γ pe(p)−(p) = 1
=⇒ O(γ) < n, which is a contradiction.
Hence, O(γp ) = pe(p)
=⇒ γpx = αp
Let x(p) = dlogγp αp
x(p)
Then γP = αp (x(p) is the least non negative integer satisfying this rela-
tion.)
2
e(p)
Let H = < γp |γpp = 1>
Observe that
(γ −x α)np = γp−x αp = αp−1 αp = 1
=⇒ O(γ −x α)|np ∀p|n
=⇒ O(γ −x α)|g.c.d.(np ) ∀ prime p|n
and
g.c.d.(np ) = 1 ∀ prime p|n
=⇒ O(γ −x α) = 1
=⇒ γ −x α = 1G
=⇒ x = dlogγ α
Now,
e(p)
H = < γp |γpp = 1>
Then, note that αp ∈ H, which implies
(x − x(p))|pe(p)
3
Notations :
Denote e(p) = e, x(p) = x, αp = a, γp = g.
Since we have to compute x(p) = dlogγp αp , that is, we have to compute
e
x = dlogg a in the set H = < g|g p = 1 >
Since x = dlogg a ⇒ g x = a,
where x = x0 + x1 p + x2 p2 + ... + xe−1 pe−1 , 0 ≤ xi < p, ∀ 0 ≤ i ≤ e − 1
be the p-nary representation of x can be obtained by division algorithm.
For example :
if x = 9 and p = 3, e = 3 then O(H) = 33 = 27 and x = 0+0·3+1·32 ,
if x = 13 and p = 3, e = 3 then O(H) = 33 = 27 and x = 1+1∗3+1∗32 ,
if x = 26 and p = 3, e = 3 then O(H) = 33 = 27 and x = 2+2∗3+2∗32 .
Now,
gx = a
e−1 e−1
=⇒ (g x )p = ap
e−1 e−1
=⇒ (g p )x = ap
e−1 x e−1
=⇒ g p = ap
e−1 (x 2 e−1 ) e−1
=⇒ g p 0 +x1 p+x2 p +···+xe−1 p
= ap
e−1 +x pe +x pe+1 +···+x 2e−2 ) e−1
=⇒ g (x0 p 1 2 e−1 p
= ap
e−1 e e+1 2e−2 e−1
=⇒ g x0 p · g x1 p · g x2 p · · · g xe−1 p = ap
e
Note that g p = 1, implies
e−1 e−1
g x0 p = ap
e−1 e−1
=⇒ (g p )x0 = ap
e−1 e−1
Since O(g) = pe =⇒ g p 6= 1 =⇒ x0 = dloggpe−1 ap [ Use same
argument that we have used before to prove x(p) = dlogγp αp ]
e−1
Also, note that O(g p ) = p
e−1 e−1
Let H0 = hg p |(g p )p = 1i be a subgroup of H of order p,
e−1
then, x0 = dloggpe−1 ap in H0 .
Note that the problem now reduces to cyclic group of prime (p) order, namely
4
H0 and computation of x0 .
To determine xi for all i, we first calculate x0 and then apply induction on
xi .
Suppose x0 , x1 , x2 , . . . xi−1 are determined, we need to determine xi .
Now consider
e−1
X
xj p j
−x0 −x1 p−···−xi−1 pi−1 +
g (xi p +xi+1 p )=g
i i+1 +···+x e−1
e−1 p j=0
i−1
= g −x0 −x1 p−···−xi−1 p · gx
i−1
= g −x0 −x1 p−···−xi−1 p ·a
= ai (say)
Thus, we have
g (xi p +xi+1 p ) = a
i i+1 +···+x e−1
e−1 p
i
=⇒ g (p
e−i−1 (x pi +x
i i+1 p
i+1 +···+x
e−1 p
e−1 )
) = (a )pe−i−1
i
=⇒ g( p e−1 ·p−i (x pi +x
i i+1 p i+1 +···+x
e−1 p e−1 )
) = (a )pe−i−1
i
e−i−1
g (p ·(xi +xi+1 p+···+xe−1 p ))
e−1 e−i−1
=⇒ = (a )p i
=⇒ g( pe−1 ·x i ) = (a )pe−i−1 e
since g p = 1
i
e−1
Let g p = ḡ
Then
e−i−1
(ḡ)xi = (ai )p in some group K = < ḡ | ḡ p = 1 >.
e−i−1
=⇒ xi = dlogḡ (ai )p ∀i
Examples :
5
1. Determine, if exists, dlog5 3 in Z∗53 .
Let x = dlog5 3, then 5x = 3 (mod 53)
Note that G =< 5| 552 = 1 >, thus γ = 5 and α = 3
Also, note that O(Z∗53 ) = 52 = 22 · 13
Let p1 = 2, p2 = 13, e(2) = 2, e(13) = 1
Then, n2 = 13, n13 = 4
Let γ2 = γ n2 = 513 = 23 (mod 53)
Let H1 =< γ2 | γ2 4 = 1 > =< 23| 234 = 1 >
Note that O(H1 ) = 4
Let α2 = αn2 = α13 = 313 = 30 (mod 53),
then, γ2 x = α2 ⇒ 23x = 30 (mod 53).
We need to compute x(2) = dlogγ2 α2 = dlog23 30,
such that 23x(2) = 30 and x ≡ x(2) (mod 4)).
Since, here, p1 e(2) = 4, a small integer, we can either compute x(2)
directly or we can reduce the prime power group to a cyclic group of
order 2.
One Possible way is we compute x(2) as:
6
Solving 42x(13) = 28 in H2 , we get that x(13) ≡ 7 (mod 13),
hence x ≡ 7 (mod 13).
x ≡ 3 (mod 4)
x ≡ 7 (mod 13)
x ≡ 7 (mod 52)
7
is either 0 or 1.
Then
e−1 x0 e−1
(γp p ) = αp p ∈ H1
=⇒
x0
(γ2 2 ) = α2 2 ∈ H1
=⇒
x0
((62025 )2 ) = (75312025 )2 ∈ H1
=⇒
x0
(64050 ) = 75314050 ≡ −1 (mod 8101)
=⇒
(−1)x0 ≡ −1 (mod 8101)
=⇒
x0 = 1
Thus we need to compute x1 now.
e−1−1
Note that x1 = dloggpe−1 a1 p , where a1 = g −x0 .αp and g = γp =
2025
6 ,
=⇒ a1 = g −x0 .α2 = (62025 )(−1) .75312025
=⇒
(2−1−1)
x1 = dlog(62025 )2 a1 2
=⇒
x1 = dlog(62025 )2 .a1
=⇒
(62025 )(−1) .75312025 = ((62025 )2 )x1
=⇒
(6−1 )(2025) .75312025 = (−1)x1
Since, 6−1 ≡ 6751 (mod 8081), we have
=⇒
(6751 ∗ 7531)2025 = (−1)x1
8
=⇒
80062025 = (−1)x1
Note that
80062025 ≡ 1 (mod 4) ⇒ x1 = 0
Thus
x(2) = x0 + x1 ∗ 2 = 1
and the congruence relation is
x ≡ 1 (mod 4)
9
Since, x0 canbe0, 1, 2 only, thus after putting x0 as 0, 1, 2 in the above
relation, we get
x0 = 2
Thus we need to compute x1 now.
e−1−1
Note that x1 = dloggpe−1 a1 p , where a1 = g −x0 .αp and g = γp =
6100 ,
=⇒ a1 = g −x0 .α3 = (6100 )(−2) .7531100
=⇒
(4−1−1)
x1 = dlog(6100 )27 a1 3
=⇒
x1 = dlog(62700 ) .a1 9
=⇒
(62700 )x1 = ((6100 )(−2) .7531100 )9
=⇒
900
(62700 )x1 = (7531 · 6−2 )
Since, 6−2 ≡ 7876 (mod 8081), we have
=⇒
(62700 )x1 = (6735)900
=⇒
5883x1 = 6735900 = 1
Note that
6735900 ≡ 1 (mod 81) ⇒ x1 = 0
Thus
x(2) = 2 + 0 · 3 + x2 · 9 + x3 · 27
Similarly solve for x2 and x3 .
On, solving, we get that x2 = 2 and x3 = 1, =⇒
x(2) = 2 + 0 · 3 + 2 · 9 + 1 · 27 = 47
10
and the congruence relation is
x ≡ 47 (mod 81)
x ≡ 1 (mod 4)
x ≡ 47 (mod 81)
x ≡ 14 (mod 25)
Use Chinese remainder theorem to compute the value of x.
11
Leture-13
Introduction to Finite Field
1. Closure : ∀ x, y ∈ G, x ∗ y ∈ G
2. Associative : (x ∗ y) ∗ z = x ∗ (y ∗ z) ∀ x, y, z ∈ G
Note : Every cyclic group is abelian but converse need not be true.
Proof : Let G be a cyclic group with a generator g ∈ G i.e. G = hgi (every
element in G is some power of g.) Let a and b be arbitrary elements in G.
Then there exists n, m ∈ Z such that a = g n and b = g m . It follows that
ab = g n g m = g n+m = g m g n = ba. Hence we obtain ab = ba for arbitrary
a, b ∈ G. Thus G is an abelian group.
Converse need not be true.
1
Let G = {e, a, b, ab} such that order of e = 1, , order of a = order of b =
order of ab = 2 and ab = ba, thus G is abelian. But G is not a cyclic.
Ideal: For an arbitrary ring (R, +, ·), a subset I is called a left ideal of R if:
2. ∀r ∈ R, ∀x ∈ I, the product rx ∈ I
Similarly, we define right ideal. A two-sided ideal is a left ideal that is also
a right ideal, and is sometimes simply called an ideal.
2
For any ideal J with I ⊆ J ⊆ R, either J = I or J = R.
3
Suppose f (x) = f (y) =⇒ rx = ry =⇒ rx−ry = 0 =⇒ r(x−y) = 0
since R is integral domain r 6= 0 =⇒ (x − y) = 0 =⇒ x = y
Hence f is injective. Since R finite therefore f is sujective. 1 ∈ R and
f is surjective, so there exist s ∈ R such that f (s) = 1 i.e. rs = 1
implies that r in unit in R.
rs.1 = 0
(r.1)(s.1) = 0
Since F is a field, F has no zero divisors. So r.1 = 0 or s.1 = 0. But this
contradicts n being the least such non negative integer with this property.
So n = p for some prime p.
4
Euclidean Ring : An Integral Domain R is called an Euclidean Domain if
∀ 0 6= a ∈ R, ∃ a function d : R r {0} → Z+ ∪ {0} such that
1. d(a) ≤ d(ab) ∀ a, b ∈ R (b 6= 0)
Factorization of polynomials
Irreducible polynomial: Let D be an integral domain. A polynomial
f (x) from D[x] that is neither the zero polynomial nor a unit in D[x] is
said to be irreducible over D if, whenever f (x) is expressed, as a product
f (x) = g(x)h(x) with g(x) and h(x) from D[x], then g(x) or h(x) is a unit
in D[x].
5
Note: In the case that an integral domain is a field F, it is equivalent and
more convenient to define a nonconstant f (x) ∈ F[x] to be irreducible if
f (x) cannot be expressed as a product of two polynomials of lower degree.
Examples
1. The polynomial f (x) = 2x2 + 4 is irreducible over Q but reducible over
Z, since 2x2 + 4 = 2(x2 + 2) and neither 2 nor x2 + 2 is a unit in Z[x].
Note :
Converse of above theorem need not true .(See example 1).
Irreducibility Tests
Theorem: Mod p Irreducibility Test
Let p be a prime and suppose that f (x) ∈ Z[x] with degf (x) ≥ 1. Let f (x)
be the polynomial in Zp [x] obtained from f (x) by reducing all the coefficients
of f (x) modulo p. If f (x) is irreducible over Zp and degf (x) = degf (x), then
f (x) is irreducible over Q.
6
Example : Let f (x) = 21x3 − 3x2 + 2x + 9. Then, over Z2 ,we have
f (x) = x3 + x2 + 1 and, since f (0) = 1 and f (1) = 1, we see that f (x)
is irreducible over Z2 . Thus f (x) is irreducible over Q. Notice that over Z3 ,
f (x) = 2x is irreducible, but we can not apply above theorem to conclude
that f (x) is irreducible over Q since degf (x) 6= degf (x).
Note that this example shows that the Mod p Irreducibility Test may fail
for some p and work for others. To conclude that a particular f (x) ∈ Z[x]
is irreducible over Q, all we need to do is find a single p for which the corre-
sponding polynomial in f (x) ∈ Zp is irreducible. However, this is not always
possible, since f (x) = x4 + 1 is irreducible over Q but reducible over Zp for
every prime p.
The Mod p Irreducibility Test can also be helpful in checking for irreducibil-
ity of polynomials of degree greater than 3 and polynomials with rational
coefficients.
p - an
p 2 - a0
Note : If f (x) ∈ Z[x], and it satisfies all 3 conditions, then f (x) is ir-
reducible over the Q and hence over Z. But in general f (x) need not be in
Z[x].
7
Corollary: (Irreducibility of pth Cyclotomic Polynomial)
For any prime p, the pth cyclotomic polynomial
xp − 1
φp (x) = = xp−1 + xp−2 + ...... + x + 1
x−1
is irreducible over Q.
Theorem Let F be a field and let f (x) ∈ F[x]. Then hf (x)i is maxi-
mal in F[x] if and only if f (x) is irreducible over F.
8
Leture-14
Introduction to Finite Field
Finite field
Theorem: If F is a finite field, then | F |= q = pn for some prime p and
some positive integer n.
Theorem: For every prime p and every positive integer n, there exist a
field having pn elements.
Example :
1
Put h(x) = (x3 + x + 1) ∈ F2 [x]. This polynomial is irreducible over F2
and it thus allows to define a field with 8 elements as F8 is isomorphic
to F2 [x]/hF2 [x]. By the same considerations as above the splitting field
of h is F8 .
Result : Let f (x) = (xp )n − x ∈ Fp [x] for some integer n. The splitting
field of f is a finite field K with | K |= pn elements and f splits as
Y
(xp )n − x = (x − a)
a∈K
Points to remember :
Construction
We will explain the construction by an example.
Z2 [x] is a commutative ring with identity 1. Since for every field F, the poly-
nomial ring F[x] is a PID (also UFD -unique factorization domain) and every
ideal is of the form hf (x)i and hf (x)i is maximal in F[x] if and only if hf (x)i
2
is irreducible over F.
Therefore Z2 [x]/hf (x)i is a field, if f (x) is irreducible over Z2 .
If degree of f (x) is n then Z2 [x]/hf (x)i has finitely many elements and
Z2 [x] n n
hf (x)i = p = 2
If
f (x) = a0 + a1 x + an−1 xn−1 + an xn , an 6= 0
then
Zp [x]
= {g(x) + hf (x)i : g(x) ∈ Zp [x]}
hf (x)i
implies
Zp [x]
= {f (x)q(x)+r(x)+hf (x)i : q(x), r(x) ∈ Zp [x], r(x) = 0 or deg r(x) < deg f (x)}
hf (x)i
Zp [x]
= {r(x)+hf (x)i : r(x) ∈ Zp [x], r(x) = 0 or deg r(x) < deg f (x) = n}
hf (x)i
implies
Zp [x]
= {α0 + α1 x + ... + αn−1 xn−1 + hf (x)i : αi ∈ Zp }
hf (x)i
∼ {(α0 , α1 , ...αn−1 ) : αi ∈ Zp }
Example 1 : p = 2, n = 2
The quadratic polynomial of degree 2 in Z2 [x] are :
x2 = x · x reducible
x2 + 1 = (x + 1)(x + 1) reducible
x2 + x + 1 irreducible verify!
x2 + x = x(x + 1) reducible
3
Only one of these namely f (x) = x2 + x + 1 is irreducible over Z2
So,
Z2 [x]
= {α0 + α1 x + hx2 + x + 1i : α0 , α1 ∈ Z2 }
hf (x)i
= {0 + hx2 + x + 1i, 1 + hx2 + x + 1i, x + 1 + hx2 + x + 1i, x + hx2 + x + 1i}
∼ {0, 1, x, x + 1}
Cayley’s Table:
+ 0 1 x x+1
0 0 1 x x+1
1 1 0 x+1 x
x x x+1 0 1
x+1 x+1 x 1 0
. 0 1 x x+1
0 0 0 0 0
1 0 1 x x+1
x 0 x x+1 1
x+1 0 x+1 1 x
x4 x4 + 1 x4 + x x4 + x + 1
x4 + x3 x4 + x3 + x2 x4 + x3 + x x 4 + x3 + 1
x + x2 + x + 1
4
x + x3 + x2 + x
4
x + x3 + x2 + x + 1
4
x4 + x2 + 1
x4 + x2 + x x 4 + x2 x4 + x3 + x + 1 x 4 + x3 + x + 1
4
1. x4 reducible since x is a factor
4. x4 + x + 1 -
8. x4 + x 3 + 1 -
11. x4 + x3 + x2 + x + 1 -
5
There is only one irreducible polynomial of degree 2 over Z2 , namely k(x) =
x2 + x + 1.
By division, Observe that k(x) - f (x), k(x) - g(x) and k(x) - h(x).
Therefore f (x), g(x) and h(x) are the only irreducible polynomial of degree
4 over Z2 and quotient over Z2 will become field of order 24 = 16 .
F3 [x] F3 [x]
Example 4: Two finite fields of order 9 are hx2 +1i
and hx2 +x+2i
.
F7 [x]
Example 5: The polynomial x3 − 2 is irreducible in F7 [x], so hx3 −2i
is a field
of order 73 = 343.
Primitive Polynomial
Corollary : Every finite field contains at least one primitive element. More
precisely there are exactly φ(q − 1) primitive elements.
α4 + α3 + α2 + α + 1 = 0
6
multiplying both daides by α − 1, we have
α5 − 1 = 0
implies
α5 = 1
Hence |α| = 5 6= 15 = |Z∗24 |
So α cannot be primitive element and so f (x) is not a primitive polynomial
though f (x) is irreducible over Z2 .
[x] Zp [x]
Result : If hfZp(x)i and ∠g(x)i are fields of order pn , then they are isomorphic.
But if g(x) is a primitive polynomial, then f (x) need not be primitive poly-
nomial.
α4 + α + 1 = 0 =⇒ α4 = α + 1 ( as 1 ≡ −1 (mod 2))
The set
{αi : 0 ≤ i ≤ q − 1}
α10 = α2 +α+1, α11 = α3 +α2 +α, α12 = α3 +α2 +α+1, α13 = α3 +α2 +1, α14 = α3 +1, α15 = 1}
Hence α is a primitive root of g(x).
7
Recall the El-Gamal Cryptosystem, all users agree on a finite cyclic group,
say F∗q = hα : αq−1 = 1i where Fq = F∗q ∪ {0} is a finite field of order q = pn
for some prime p and some positive integer n.
Every user, say Alice, Bob,..., will choose and keep secret positive integer
a, b, ... and make public αa , αb , ... respectively.
To send a message M ∈ F∗q , to Alice, we create a mask by choosing a random
integer k and doing αak and hide the message M (αa )k ∈ F∗q .
Now send Alice the ordered pair : (αk , M (αa )k ) ∈ F∗q × F∗q
a
So, She retrives the message by doing M (αa )k · [(αk ) ]−1 = M ∈ F∗q
2. Massy-Omura Cryptosystem
3. ElGamal Cryptosystem
8
Question: Decrypt the following ElGamal cipher text
(H,K) (X,P) (K,N) (R,H) (F,T) (Y,V) (H,E) (A,F) (W,T) (D,J)
(J,U)
Z3 [x]
Take field hx3 +2x2 +1i
A 1 N x2 + x + 1
B 2 O x2 + 2x
C x P x2 + 2x + 1
D x+1 Q x2 + 2x + 2
E x+2 R 2x2
F 2x S 2x2 + 1
G 2x + 1 T 2x2 + 2
H 2x + 2 U 2x2 + x
I x2 V 2x2 + x + 1
J x2 + 1 W 2x2 + x + 2
K x2 + 2 X 2x2 + 2x
L x2 + x Y 2x2 + 2x + 1
M x2 + x + 1 Z 2x2 + 2x + 2
The correspondence of the normal English alphabet letters with field ele-
ments
9
A x26 1
B x13 2
C x x
D x18 x+1
E x11 x+2
F x14 2x
G x24 2x + 1
H x5 2x + 2
I x2 x2
J x7 x2 + 1
K x3 x2 + 2
L x19 x2 + x
M x22 x2 + x + 1
N x8 x2 + x + 1
O x12 x2 + 2x
P x10 x2 + 2x + 1
Q x4 x2 + 2x + 2
R x15 2x2
S x16 2x2 + 1
T x20 2x2 + 2
U x25 2x2 + x
V x17 2x2 + x + 1
W x23 2x2 + x + 2
X x6 2x2 + 2x
Y x21 2x2 + 2x + 1
Z x9 2x2 + 2x + 2
10
C x F x14
I x2 R x15
K x3 S x16
Q x4 V x17
H x5 D x18
X x6 L x19
J x7 T x20
N x8 Y x21
Z x9 M x22
P x10 W x23
E x11 G x24
O x12 U x25
B x13 A x26
11
Decryption: suppose secret a = 11, public encryption key g 11 = x11 =
x+2= E
The first cipher message unit (H,K) or (x5 , x3 )
The message lies masked in the first coordinate i.e. H or x5
Recreate the mask from the second coordinate i.e. K or x3 by doing (x3 )11 =
x33 = x7 . Remove the mask from the first coordinate
12
Leture-15
Introduction to Elliptic Curves
Elliptic Equation
The most general elliptic equation is the Weierstrass Equation:
y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 (1)
where the coefficient come from a ring or a field. Just for the time being con-
sider the real Weierstrass equation, i.e. the coefficients ai ’s are real numbers.
y 2 = x3 + ax + b (2)
1
for some real numbers a, b.
There are several methods to do this . We take the simplest way.
In equation(1), put
v − a1 x − a3
y= .
2
The LHS of equation becomes:
y 2 + a1 xy + a3 y = y(y + a1 x + a3 )
v − a1 x − a3 v − a1 x − a3
= + a1 x + a3
2 2
v − a1 x − a3 v + a1 x + a3
=
2 2
2 2
v − (a1 x + a3 )
=
4
v 2 − (a21 x2 + 2a1 a3 x + a23 )
=
4
Hence equation(1) becomes:
X−3(a21 +4a2 )
In equation(3) put x = 36
, then RHS of equation (3) becomes:
3 2
X − 3(a21 + 4a2 ) X − 3(a21 + 4a2 )
4 + (a21
+ 4a2 )
36 36
X − 3(a21 + 4a2 )
+ 2(a1 a3 + 2a4 ) + (a23 + 4a6 )
36
2
And equation(3) becomes:
4 3 (a21 + 4a2 ) 2
v2 = 3
{X − 3(a 2
1 + 4a 2 )} + 2
{X − 3(a21 + 4a2 )}
36 36
2
+ (a1 a3 + 2a4 ){X − 3(a21 + 4a2 )}
36
+ (a3 2 + 4a6 )
Y
Now put v = 108 , in this equation we get:
2
(a21 + 4a2 )
Y 4 2 3 2
= 3 {X − 3(a1 + 4a2 )} + 2
{X − 3(a21 + 4a2 )}
108 36 36
2
+ (a1 a3 + 2a4 ){X − 3(a21 + 4a2 )}
36
+ (a3 2 + 4a6 )
1082 32 .362
= =9
362 36
2 32 . 362 . 2
1082 . = = 32 . 36 . 2 = 3 . 3 . 2 .36 = 6 . 108
36 36
We get
3
On expanding each bracket term we get
Y 2 =[{X 3 + 3X 2 {−3(a21 + 4a2 )} + 3X{−3(a21 + 4a2 )}2 + {−3(a21 + 4a2 )}3 ]
+ [9(a21 + 4a2 ){X 2 − 6(a21 + 4a2 )X + 9(a21 + 4a2 )2 }]
+ [6. 108(a1 a3 + 2a4 )X − 18 .108(a1 . a3 + 2a4 )(a21 + 4a2 )]
+ [(108)2 (a23 + 4a6 )]
Or
Y 2 = X 3 + AX + B
4
Also recall that if p 6= 2, 3 then the equation can be transformed into simpler
equation called normal form
Y 2 = X 3 + AX + B; A, B ∈ K
Y 2 = X 3 + AX 2 + BX + C A, B, C ∈ K .
E = ER = {(x, y) ∈ R × R : y 2 = x3 + ax + b, a, b ∈ R} ∪ {∞}.
Or
5
Elliptic Curves
Let K be a field, and
or
EK = {(x, y) ∈ K × K|F (x, y) = 0} ∪ {∞},
where F (x, y) = y 2 + a1 xy + a3 y − x3 − a2 x2 − a4 x − a6
∂f ∂f dy
+ · =0
∂x ∂y dx
6
and so the slope of the tangent at P (x, y):
∂f
dy
= − ∂x P
dx ∂f
∂y
P
dy
Now, if at least one of the partial derivative does not vanish, one of dx or
dx
dy
, can be determined (at P ). The point then has surely a tangent and the
point P is called an ordinary point. However, if both the partial derivative
∂f
∂x
and ∂f
∂y
at P vanish, the point P is called a singular point.
Further, a curve given by f (x, y) = 0 is said to be singular, if it has at least
one singular point.
We shall discuss general real curves first, and then Elliptic curves in partic-
ular.
∂f
= 0 =⇒ −(y − 1) · 2(y − 2) − (y − 2)2 = 0
∂y
=⇒ (y − 2){2y − 2 + (y − 2)} = 0
=⇒ (y − 2)(3y − 4) = 0
4
=⇒ y = 2,
3
7
Possible singular points are : (1, 2) and (1, 43 ).
However (1, 43 ) does not lie on C. The point (1, 2) is the only singular point
of C.
2. Cusp
8
The curve crosses itself.
Observe that
1. The curve is symmetric about the line y = x. The point of intersection
of line y = x with C are given by substituting y = x in the equation of
C. That is:
3
2x3 + 3x2 = 0 =⇒ x2 (2x + 3) = 0 =⇒ x = 0, −
2
3 3
Points of intersection are (0, 0), (− 2 , − 2 ).
You may verify that:
9
2. The curve passes through origin but does not meet any of the coordinate
axis at any other point.
3. There is no curve in the first quadrant.
4. Slope of the tangent at (− 23 , − 23 ) is
∂f
2
dy ∂x (− 32 ,− 32 ) 3x + 3y
= − =− = −1
dx (− 3 ,− 3 ) ∂f 3y 2 + 3x (− 3 ,− 3 )
2 2 ∂y 2 2
(− 32 ,− 32 )
10
Accordingly, P is called.
Single Cusp: Figure (a) and (c), when the branches do not extend on both
sides of the normal at P .
Double Cusp: Figures (d) and (e), when the branches extend on the both
sides of the normal at P .
First Species: Figures (a) and (b), when two branches are on the oppo-
site sides of the tangent at P .
Second Species: Figures (c) and (d), when the two branches of the curve
are on the same side of the tangent at P .
11
Example 5: Let C be given by f (x, y) = 0, where f (x, y) = x3 − y 3 + x2
Observe that
∂f 2
= 3x2 + 2x = 0 =⇒ x = 0, −
∂x 3
and
∂f
= −3y 2 = 0 =⇒ y = 0.
∂y
Hence possible singular points are (0, 0) and (− 23 , 0). Since (0, 0) lies on C,
and (− 32 , 0) does not lie on C. We get that (0, 0) is the only singular point
on C.
Further, to know more about the nature of the point (0, 0), note that the
tangent(s) at origin are given by x2 = 0. The two tangents are real but
coincident. In fact, it is a cusp of first species. (Prove it).
12
2
∂2f ∂2f ∂2f
2. Cusp: if ∂x∂y
− ∂x2 ∂y 2
=0
P P P
2
∂2f ∂2f ∂2f
3. Conjugate Point: if ∂x∂y
− ∂x2 ∂y 2
<0
P P P
∂2f ∂2f ∂2f
4. If ∂x2
= 0, ∂y 2
= 0 and ∂x∂y
=0
P P P
f (x, y) = x2 (x − y) + y 2 = x3 − x2 y + y 2
However, (0, 0) lies on C. So (0, 0) is the only singular point. We discuss fur-
ther, the nature of the singular point. We shall use the second derivative test.
13
∂f 2 ∂ 2f
= 3x − 2xy =⇒ = 6x − 2y
∂x ∂x2
∂f ∂ 2f
= −x2 + 2y =⇒ =2
∂y ∂y 2
∂ 2f
= −2x
∂x∂y
2 2 2 2
∂ f ∂ f ∂ f
− 2 2
= (−2x2 ) − (6x − 2y)(2) = 4x2 − 12x + 4y
∂x∂y ∂x ∂y
14
Leture-16
3. 4A3 + 27B 2 6= 0
1
Suppose, f (x) = 0 has a repeated root α. Two cases arises.
(a) α is repeated thrice
(b) α is repeated twice
In case (a): f (x) = x3 + Ax + B = (x − α)3 = x3 − 3αx2 + 3αx − α3
On comparing the coefficient we get
−3α = 0 =⇒ α = 0
A = 3α = 0; B = −α3 = 0 =⇒ A = 0, B = 0
=⇒ 4A3 + 27B 2 = 0
In case (b): f (x) = x3 + Ax + B = (x − α)2 (x − β), for some β 6= α.
Again, this implies that
β + 2α = 0; α2 + 2αβ = A; −α2 β = B
=⇒ β = −2α; α2 + 2α(−2α) = A; −α2 (−2α) = B
=⇒ β = −2α; −3α2 = A; 2α3 = B
1
A 2
α= −
3
and 13 1 13
B A 2 B
α= =⇒ − =
2 3 2
Raising 6-th power on both side, we have
3 2
A B
− =
3 2
3
A B2
=⇒ − =
27 4
=⇒ 4A + 27B 2 = 0
3
2
Conversely, suppose 4A3 + 27B 2 = 0
This gives that
3 2
A3 B2
A B
− = =⇒ − = −
27 4 3 2
12 1
A B 3
=⇒ − = − = α (say)
3 2
A B
=⇒ α2 = − and α3 =
3 2
Now
(x − α)2 (x + 2α) = x3 − 3α2 x + 2α3 = x3 + Ax + B
3
Discriminant D(f ) of a polynomial f (x) ∈ K[x]
Let f (x) ∈ K[x] be a polynomial of degree n split into linear factor in F [x],
where F is the splitting field of K, as :
f (x) = a(x − α1 )(x − α2 ) · · · (x − αn )
then the discriminate D(f ) of f (x) is defined as
Y
D(f ) = a2n−2 (αi − αj )2 ; αi ∈ F ∀i = 1, 2, . . . , n
1≤i<j≤n
Obviously f (x) has a multiple root if and only if its discriminate D(f ) = 0.
Although αi ’s ∈ F , but D(f ) ∈ K (Prove)
For example, if f (x) = ax2 + bx + c = a(x − α1 )(x − α2 ), then
D(f ) = a2 (α1 − α2 )2
= a2 {(α1 + α2 )2 − 4α1 α2 }
( )
2
b c
= a2 − −4·
a a
= b2 − 4ac
Thus D(ax2 + bx + c) = b2 − 4ac
And the two roots are equal if and only if b2 = 4ac.
4
2. When p = 2
(a)
(b)
3. When p = 3
(a)
(b)
5
Thus 4a3 + 27b2 6= iff ∆(E) 6= 0.
Further, if x3 + ax + b = 0 has no repeated root, then it has either one real
root, or all the three real roots. This happens (Prove that) depending on
∆(E) is negative or positive.
6
Examples of singular real Elliptic Curve:
Example 3: E1 = {(x, y) ∈ R × R : y 2 = x3 + x2 } ∪ {∞}.
Note that the x3 + x2 = x2 (x + 1). The only singular point of E is (0, 0).
This is a node as y = ±x are two real tangents to the curve at this point.
The graph is like:
7
Analyzing the nature of the double point (0, 0) of E, we find that (0, 0) is a
cusp of the first species as y = 0 is the common tangent , and the branches
of the curve lie on both sides of the tangent.
E = {(x, y) ∈ Zp × Zp : y 2 = x3 + ax + b; a, b ∈ Zp } ∪ {∞}
The discriminant
y 0 1 2 3 4 5 6 7 8 9 10
2
y (mod 11) 0 1 4 9 5 3 3 5 9 4 1
y 2 (mod 11) 0 1 3 4 5 9
y (mod 11) 0 1,10 5,6 2,9 4,7 3,8
8
this gives the correspondence :
x 0 0 1 1 2 2 3 3 4 5 5 6 6 8 8 9 9
y 1 10 4 7 2 9 2 9 0 3 8 2 3 3 9 3 8
E := {(0, 1), (0, 10), (1, 4), (1, 7), (2, 2), (2, 9), (3, 2), (3, 9), (4, 0), (5, 3), (5, 8),
, (6, 2), (6, 9), (8, 3), (8, 9), (9, 3), (9, 8)} ∪ {∞}
9
Its discriminant
∆(E) = −16(4a3 + 27b2 )
≡ 6(4a3 + 5b2 ) (mod 11)
≡ 6(4 · 43 + 5 · 52 ) (mod 11)
≡ 6(4 · 64 + 5 · 25) (mod 11)
≡ 6(4(−2) + 5 · 3) (mod 11)
≡ 6(15 − 8) ≡ 6 · 7 (mod 11)
≡ 42 (mod 11)
≡ −4 ≡ 7 (mod 11) 6≡ 0 (mod 11)
Hence the curve is non-singular. The number of points on E, using Hasse’s
Theorem, can not exceed 20. In fact, they are much less. Since Z11 is a small
field, you can find all points of E by taking every (x, y) ∈ Z11 × Z11 and
checking if P (x, y) ∈ E, that is by observing y 2 = x3 + 4x + 5 or not. And
list all:
Points of E : (0, 4), (0, 7), (3, 0), (6, 5), (6, 6), (9, 0), (10, 0), ∞
Hence E = {(0, 4), (0, 7), (3, 0), (6, 5), (6, 6), (9, 0), (10, 0)} ∪ {∞}
Note that E has just eight points, including the point at infinity.
10
Examples of Curves Over Field of Character-
istic 2
Example 7: Let E = {(x, y) ∈ Z2 × Z2 |y 2 + y = x3 + x} ∪ {∞}.
Recall that the Elliptic Curve over finite fields K of characteristic 2 are of
the form
1.
2.
11
Example 9: Let E = {(x, y) ∈ F4 × F4 |y 2 + y = x3 + x} ∪ {∞}, where
F4 is a finite field of order 4.
Observe that f (x) = x2 +x+1 ∈ Z2 [x] is an irreducible quadratic polynomial
over Z2 . Let ω be a root of f (x) = 0. Then ω 6= 1, ω 2 + ω + 1 = 0 and ω 3 = 1.
We can take F4 = {0, 1, ω, ω 2 |ω 2 + ω + 1 = 0}
We calculate points of E as follows:
x y 2 + y = x3 + x y
0 0 0,1
1 0 0,1
ω 1 + ω = ω2 -
ω2 = 1 + ω 1 + ω2 = ω = ω4 -
Hence the curve E = {(0, 0), (0, 1), (1, 0), (1, 1)} ∪ {∞}.
Number of points of E is #(E) = 5.
x y 2 + xy = x3 + 1 y
0 y2 = 1 1
1 y2 + y = 0 0,1
ω y 2 + ωy = 0 0,ω
ω2 y2 + ω2y = 0 0,ω 2
Hence E = {(0, 1), (1, 0), (1, 1), (ω, 0), (ω, ω), (ω 2 , 0), (ω 2 , ω 2 )} ∪ {∞}
Number of points of E is #(E) = 8.
12
Example of Elliptic Curves Over Fields of Char-
acteristic 3
Example 11: Let E = {(x, y) ∈ Z3 × Z3 |y 2 = x3 − x + 2} ∪ {∞}
Recall the Elliptic Curves defined over finite field of characteristic 3 are of
the form:
2.
E = {(x, y) ∈ Z3 × Z3 : y 2 = x3 − x2 + 2} ∪ {∞}
13
= {(x, y) ∈ Z3 × Z3 : F (x, y) = 0} ∪ {∞}
where F (x, y) = y 2 − x3 + x2 − 2
∂f
= −3x2 + 2x ≡ 2x over Z3
∂x
Also
∂f
= 0 =⇒ x = 0
∂x
∂f
= 2y = 0 =⇒ y = 0
∂y
Hence, possible singular point is (0, 0). But (0, 0) does not lie on E. So the
curve is non singular. We calcuate points of E as follows:
x 0 1 2
y = x − x2 + 2
2 3
2 2 0
y - - 0
F9 = {0, ξ i : 1 ≤ i ≤ 8; ξ 2 + ξ + 2 = 0}
= {0, ξ, ξ 2 = 1 + 2ξ, ξ 3 = 2 + 2ξ, ξ 4 = −1 = 2, ξ 5 = 2ξ, ξ 6 = 1 + ξ, ξ 7 = 1 + ξ, ξ 8 = 1}
x 0 ξ ξ2 ξ3 ξ 4 = −1 = 2
2 3 3
y =x −x+2 2 ξ −ξ+2 ξ6 − ξ2 + 2 ξ9 − ξ3 + 2 ξ 12 − ξ 4 + 2
y2 2 1+ξ 2ξ 2ξ 2
y2 ξ4 ξ7 ξ5 ξ5 ξ4
y ξ 2 , 2ξ 2 - - - ξ 2 , 2ξ 2
14
x ξ5 ξ6 ξ7 ξ8 = 1
y 2 = x3 − x + 2 ξ 15 − ξ 5 + 2 ξ 18 − ξ 6 + 2 ξ 21 − ξ 7 + 2 ξ 24 − ξ 8 + 2
y2 2ξ 1+ξ 1+ξ 2
y2 ξ5 ξ7 ξ7 ξ4
y - - - ξ , 2ξ 2
2
Point of E are :
(0, ξ 2 ), (0, 2ξ 2 ), (ξ 4 , ξ 2 ), (ξ 4 , 2ξ 2 ), (ξ 8 , ξ 2 ), (ξ 8 , 2ξ 2 )
or
(0, 1 + 2ξ), (0, 2 + ξ), (2, 1 + 2ξ), (2, 2 + ξ), (1, 1 + 2ξ), (1, 2 + ξ)
and the point at infinity 0 ∞0
Hence E := {(0, 1+2ξ), (0, 2+ξ), (2, 1+2ξ), (2, 2+ξ), (1, 1+2ξ), (1, 2+ξ), ∞}.
And #(E) = 7
F9 = {0, ξ i : 1 ≤ i ≤ 8; ξ 2 + ξ + 2 = 0}
= {0, ξ, ξ 2 = 1 + 2ξ, ξ 3 = 2 + 2ξ, ξ 4 = −1 = 2, ξ 5 = 2ξ, ξ 6 = 1 + ξ, ξ 7 = 1 + ξ, ξ 8 = 1}
x 0 ξ ξ 2 = 1 + 2ξ
y = x − x2 + 2
2 3
2 ξ − ξ2 + 2
3
ξ6 − ξ4 + 2
y2 ξ4 (2 + 2ξ) − (1 + 2ξ) + 2 (2 + ξ) − 2 + 2
y2 ξ4 0 2 + ξ = ξ6
y ξ 2 , 2ξ 2 0 ξ 3 , 2ξ 3
y 1 + 2ξ, 2 + ξ 0 2 + 2ξ, 1 + ξ
15
x ξ 3 = 2 + 2ξ ξ 4 = 2 = −1 ξ 5 = 2ξ
y = x − x2 + 2
2 3
ξ9 − ξ6 + 2 12
ξ −ξ +2 8
ξ − ξ 10 + 2
15
y2 ξ − (2 + ξ) + 2 ξ4 − 1 − 1 ξ7 − ξ2 + 2
y2 0 0 (1 + ξ) − (1 + 2ξ) + 2 = 2 − ξ
= 2 + 2ξ = ξ 3
y 0 0 -
y 0 0 -
x ξ6 = 2 + ξ ξ7 = 1 + ξ ξ8 = 1
y = x − x2 + 2
2 3
ξ 18 − ξ 12 + 2 ξ 21 − ξ 14 + 2 ξ 24 − ξ 16 + 2
y2 ξ2 − ξ4 + 2 ξ5 − ξ6 + 2 1−1+2
y2 (1 + 2ξ) − 2 + 2 (2ξ) − (2 + ξ) + 2 2
y2 (1 + 2ξ) = ξ 2 ξ ξ4
y ξ, 2ξ - ξ 2 , 2ξ 2
y ξ, 2ξ - 1 + 2ξ, 2 + ξ
This gives us the curve
E ={(0, 1 + 2ξ), (0, 2 + ξ), (ξ, 0), (1 + 2ξ, 2 + 2ξ), (1 + 2ξ, 1 + ξ), (2 + 2ξ, 0), (2, 0),
(2 + ξ, ξ), (2 + ξ, 2ξ), (1, 1 + 2ξ), (1, 2 + ξ)} ∪ {∞}
Define a Relation on EF :
If P1 (x1 , y1 ) and P2 (x2 , y2 ) be two points in EF (P( x1 , y1 ) is the point (x1 , y1 )
represented by P1 ), then define
16
as follows :
Take L to be the the line P1 P2 joining the points P1 and P2 . Extend the
same.
Let the line L meet the curve at Q. Define P3 to be the reflection about
x− axis of Q on the curve EF . For example, see the curve in the bfollowing
figure :
17
3. Existence of (additive) inverse: If P (x, y) = P ∈ EF , then
P (x, −y) = −P (x, y) = −P ∈ EF . That is
P (x, y) + P (x, −y) = P + (−P ) = ∞
Verify for EF : The properties listed above, using the geometry for addition
of points. You will see thal The Associative Property (5th property) is the
most difficult to prove, although it appears to be trivial.
Similarly, if we join ( i.e. add) A and −A, case of two distinct points
(none of them point at infinity 0 ∞0 ) on EF having same x− coordinate (as
shown in the figure by green line), the line we get is a straight line parallel
18
to y− axis, and thus it will not intersect the curve further (except at A and
−A).
Since the line joining A and −A goes to ∞ without intersecting the curve at
any other point except A and −A, thus we assume
A + (−A) = Image of ∞ = ∞.
19
Algebraic Formula For Point Addition
Recall from geometry, discussed as earlier, the following rules hold for adding
points P1 (x1 , y1 ), P2 (x2 , y2 ), P3 (x3 , y3 ) on an Elliptic Curve
2. If x1 = x2 but y1 6= y2 , then P1 + P2 = ∞.
Case(a)
20
To determine coefficient (x3 , y3 ) of P3 in terms of the coordinates (x1 , y1 ) of
P1 and (x2 , y2 ) of P2 . Since P3 (x3 , y3 ) ∈ E is the point reflected by Q, we get
the coordinates of Q as (x3 , −y3 ).
−y1
Now equation of L : y = mx + c, where m = xy22 −x 1
, since it passes through
P1 and P2 , we get :
y2 = mx2 + c, y1 = mx1 + c.
=⇒ y2 − y1 = m(x2 − x1 )
−y1
since x2 6= x1 =⇒ m = xy22 −x 1
Further,
y1 = mx1 + c =⇒ c = y1 − mx1
Hence equation of L: y = mx + y1 − mx1 or L: y − y1 = m(x − x1 ), where
−y1
m = xy22 −x 1
or L: y = m(x − x1 ) + y1
Since L meets E at Q, we get:
y 2 =x3 + ax + b
=⇒ {m(x − x1 ) + y1 }2 = x3 + ax + b
=⇒ m2 (x − x1 )2 + y12 + 2m(x − x1 )y1 = x3 + ax + b
=⇒ m2 (x2 − 2xx1 + x21 ) + y12 + 2m(xy1 − x1 y1 ) = x3 + ax + b
=⇒ x3 − m2 x2 + (a + 2m2 x1 − 2my1 )x + (b − m2 x21 − y12 + 2mx1 y1 = 0)
=⇒ x3 = m2 − x1 − x2
−y3 =m(x3 − x1 ) + y1
or − y3 = − m(x1 − x3 ) + y1
=⇒ y3 =m(x1 − x3 ) − y1
x3 = m2 − x1 − x2
21
y3 = m(x1 − x3 ) − y1 ,
y2 −y1
where m = x2 −x1
.
3x2 + a
dy dy
2y 2
= 3x + a =⇒ m = = 1
dx dx P1 2y1
x3 = m2 − 2x1
y3 = m(x1 − x3 ) − y1
3x2 + a
m= 1
2y1
We now summarize the definition of point addition on an Elliptic Curve
over R given by:
EF := {(x, y) ∈ F × F : y 2 = x3 + ax + b; a, b ∈ F} ∪ {∞}
where ∆(E) 6= 0,
as follows : for P1 = (x1 , y1 ), P2 = (x2 , y2 ), and P3 = (x3 , y3 )
1. If P1 , P2 6= ∞ then P1 + P2 = P3
(a) When x1 6= x2 ,
x3 = m2 − x1 − x2 , y3 = m(x1 − x3 ) − y1
y2 −y1
where m = x2 −x1
(b) When x1 = x2 but y1 6= y2 , P3 = ∞
(c) When P1 = P2 but y1 6= 0 then
x3 = m2 − 2x1 , y3 = m(x1 − x3 ) − y1
3x21 +a
where m = 2y1
22
(d) When P1 = P2 and y1 = 0 then P1 + P2 = ∞
2. P + ∞ = P ∀P ∈ E
(So ∞ + ∞ = ∞ is included)
These rules are defined for a field F of characteristic char(F) > 3. In case
char(F) = 2 or 3, the rules are different.
2. The point at infinity ∞ serves as the identity of the this addition, since
P + ∞ = P = ∞ + P ∀P ∈ E
P +Q=∞=Q+P
Once all the properties of point addition are verified, we get that E becomes
an Abelian group with respect to addition (of points on E).
In case F is a finite field, EF or E(F) becomes a finite Abelian group. By the
fundamental theorem for finite Abelian gropus, E is isomorphic onto a finite
direct sum of finite cyclic groups. In fact more can be said. We shall discuss
that later on.
First, we shall discuss various examples of Elliptic curves over the filed F = R,
finite fields F of characteristic p > 3, of characteristic p = 2, as well as over
characteristic p = 3, fields.
23
Leture-17
x3 =m2 − 2x1
y3 =m(x1 − x3 ) − y1
3x2 + a
m=
2y1
3 · 52 + 3 78
m= =
2·8 16
1
= ≡ 5−1 (mod 11)
5
≡9 (mod 11)
x3 = 92 − 2 · 5 = 81 − 10 = 71 ≡ 5 (mod 11);
y3 = 9 · (5 − 5) − 8 ≡ −8 ≡ 3 (mod 11)
1
Hence 2P = (5, 3). It is easy to see that 3P = P + 2P = (5, 8) + (5, 3) = ∞.
This gives order of (5, 8) to be 3.
If P (0, 1), then it can be seen that
Let P (x, y) be point of the Elliptic Curve E, then the least non-negative
integer k is said to be the order of P in E if kP = ∞ (point at infinity).
Recall the curve
E :={(0, 1), (0, 10), (1, 4), (1, 7), (2, 2), (2, 9), (3, 2), (3, 9), (4, 0), (5, 3), (5, 8),
(6, 2), (6, 9), (8, 3), (8, 9), (9, 3), (9, 8)} ∪ {∞}
2
Recall the Elliptic Curve
Example 2:
= {(0, 4), (0, 7), (3, 0), (6, 5), (6, 6), (9, 0), (10, 0)} ∪ {∞}
Note that : #(E) = 8
Every element has order 2 or 4, as follows:
Points of order 2 are: (3, 0), (9, 0), (10, 0)
Points of order 4 are: (0, 4), (0, 7), (6, 5), (6, 6)
x3 = m2 − x1 − x2
y3 = m(x1 − x3 ) − y1 ,
and
y2 − y1
m= if x1 6= x2
x2 − x1
3x2 + a
= 1 if P1 = P2 & y1 6= 0
2y1
Here
3 · 02 + 4 4
m= = as a = 4, b = 5,
2·4 8
1
≡
2
≡6 ∵ 2 × 6 ≡ 12 ≡ 1 (mod 11)
3
3P = P + 2P = (0, 4) + (3, 0) = (0, 7), using the addition of points formula.
Since, there is no element of order 8, and the Elliptic curve E has 8 points
in all, the group of points E is an Abelian group which can not be cyclic.
Therefore, by the fundamental theorem of finite abelian group, E is isomor-
phic to C2 × C2 × C2 or C2 × C4 . It can not be isomorphic to C2 × C2 × C2 as
it has points of order 4, e.g. if P (0, 4), then 2P = (3, 0) and 4P = ∞. This
leaves, E ∼ = C2 × C4 . In fact, this is the case.
Observe that, subgroup of E of order 2: are the subgroups generated by
h(3, 0)i, h(9, 0)i, h(10, 0)i. These are {(3, 0), ∞}, {(9, 0), ∞}, {(10, 0), ∞}.
Similarly, subgroup of order 4:
h(0, 4) : 4(0, 4) = ∞i = {(0, 4), 2(0, 4) = (3, 0), 3(0, 4) = (0, 7), 4(0, 4) = ∞}
h(6, 5) : 4(6, 5) = ∞i = {(6, 5), 2(6, 5) = (3, 0), 3(6, 5) = (6, 6), 4(6, 5) = ∞}
You can prove that E = h(9, 0)i ⊕ h(0, 4)i
For, h(9, 0)i ⊕ h(0, 4)i ⊆ E as h(9, 0)i and h(0, 4)i are subgroups of E.
Conversely
(0, 4) =∞ + (0, 4), (0, 7) = ∞ + 3(0, 4),
(3, 0) =∞ + 2(0, 4), (6, 5) = (9, 0) + (0, 7) = (9, 0) + 3(0, 4),
(6, 6) =(9, 0) + (0, 4), (9, 0) = (9, 0) + ∞,
(10, 0) =(9, 0) + (3, 0) = (9, 0) + 2(0, 4), ∞ = ∞ + ∞.
This gives that E ⊆ h(9, 0)i⊕h(0, 4)i or that E = h(9, 0)i⊕h(0, 4)i ∼
= C2 ×C4 .
4
The order infact is much less. It is #(E) = 32 You may verify that:
E ={(0, 6), (0, 23), (2, 9), (2, 20), (4, 0), (5, 6), (5, 23), (7, 1), (7, 28),
(8, 0), (13, 9), (13, 20), (14, 9), (14, 20), (15, 7), (15, 22), (16, 7),
(16, 22), (17, 0), (18, 13), (18, 16), (20, 5), (20, 24), (22, 10), (22, 19),
(23, 12), (23, 17), (24, 6), (24, 23), (27, 7), (27, 22)} ∪ {∞}
Next to determine the structure of the group of point E with respect to point
addition, observe the following:
If P is (0, 6), the P (0, 6) ∈ E, and multiples of P as:
5
Point Addition In Elliptic Curves Over Fields
Of Characteristic 3
Recall the Elliptic curve E(F ) over a field F of Characteristics 3:
1. P + ∞ = P ∀P ∈ E (including ∞ + ∞ = ∞).
x3 =m2 − a − x1 − x2
y3 =m(x1 − x3 ) − y1
y2 − y1
m=
x2 − x 1
x3 =m2 − a − 2x1 ,
y3 =m(x1 − x3 ) − y1
3x2 + 2ax1 + b
m= 1
2y1
2ax1 + b
= since Char(F ) = 3
2y1
6
And at a non singular point P, the slope of the line (tangent in case P1 = P2 )
is m which can be computed using:
∂g
∂x
m = P =P1 =P2
∂g
∂y
P =P1 =P2
−3x2 − 2ax − b
m=−
2y P (x1 ,y1 )
2
3x1 + 2ax1 + b
m=
2y1
2 2
2 3x1 + 2ax1 + b
m =
2y1
7
3. P1 6= P2 with x1 = x2 but y1 6= y2 , then P1 + P2 = ∞
4. If P1 = P2 with y1 6= 0, then 2P1 = P1 + P2 = P3 (x3 , y3 ), where
x3 =m2 − 2x1 ,
y3 =m(x1 − x3 ) − y1
3x2 + a
m= 1
2y1
a
= since Char(F ) = 3
2y1
5. If P1 = P2 and y1 = 0, then 2P1 = P1 + P2 = ∞
Particular Case (2): If the curve E = E(F ), where Char(F ) = 3 is given
by:
EK = {(x, y) ∈ F × F |y 2 = x3 + ax2 + b; a, b ∈ F } ∪ {∞}
8
The Group Of Points On An Elliptic Curve
Over Fields Of Characteristic 3:
Example 4:. Let E = {(x, y) ∈ Z3 × Z3 |y 2 = x3 − x + 2} ∪ {∞}
We have seen that E has only one point, namely the point at infinity ∞.
Hence E = {∞}, and therefore E ∼
= C1
F9 = {0, ξ i : 1 ≤ i ≤ 8; ξ 2 + ξ + 2 = 0}
= {0, ξ, ξ 2 = 1 + 2ξ, ξ 3 = 2 + 2ξ, ξ 4 = −1 = 2, ξ 5 = 2ξ, ξ 6 = 2 + ξ, ξ 7 = 1 + ξ, ξ 8 = 1}
We have computed all the points of the points of the curve E, we have seen
that:
E := {(0, 1 + 2ξ), (0, 2 + ξ), (2, 1 + 2ξ), (2, 2 + ξ), (1, 1 + 2ξ), (1, 2 + ξ), ∞}.
x3 =m2 − 2x1 ,
y3 =m(x1 − x3 ) − y1
3x2 + a a
m= 1 =
2y1 2y1
9
x3 =m2 − 2x1 = (2 + ξ)2 − 2 · 0 = (2 + ξ)2
=(ξ − 1)2 = ξ 2 − 2ξ + 1 = ξ 2 + ξ + 1
=(1 + 2ξ) + ξ + 1 = 2 + 3ξ = 2 = −1 = ξ 4
y3 =m(x1 − x3 ) − y1
=(2 + ξ)(0 − 2) − (1 + 2ξ)
=(2 + ξ) · 1 − 1 − 2ξ
=2 + ξ − 1 + ξ = 1 + 2ξ = 1 − ξ = ξ 2
Hence 2P1 = 2(0, 1 + 2ξ) = (2, 1 + 2ξ)
Next, we calculate 3P1 as P1 + 2P1 .
Let P2 (x2 , y2 ) = 2P1 , have the coordinates x2 = 2, y2 = 1 + 2ξ. Also recall
x1 = 0, y1 = 1 + 2ξ.
Suppose P3 (x03 , y30 ) = P1 + P2 , then
x03 =m2 − x1 − x2 ,
y30 =m(x1 − x03 ) − y1
y2 − y1
m=
x2 − x1
10
and
m2 = −1 = 2
Now
x003 = m2 − 2x001 = 2 − 2 · 2 = 2 − 4 = −2 = 1
E = hP1 |7P1 = ∞i ∼
= C7
F9 = {0, ξ i : 1 ≤ i ≤ 8; ξ 2 + ξ + 2 = 0}
= {0, ξ, ξ 2 = 1 + 2ξ, ξ 3 = 2 + 2ξ, ξ 4 = −1 = 2, ξ 5 = 2ξ, ξ 6 = 1 + ξ, ξ 7 = 1 + ξ, ξ 8 = 1}
E ={(0, 1 + 2ξ), (0, 2 + ξ), (ξ, 0), (1 + 2ξ, 2 + 2ξ), (1 + 2ξ, 1 + ξ), (2 + 2ξ, 0), (2, 0),
(2 + ξ, ξ), (2 + ξ, 2ξ), (1, 1 + 2ξ), (1, 2 + ξ)} ∪ {∞}
x3 = m2 − a − 2x1 ,
y3 = m(x1 − x3 ) − y1
3x2 + 2ax1 2ax1
m= 1 =
2y1 2y1
11
Observing a = −1 = 2 (mod 3), x1 = 0, y1 = 1 + 2ξ, we get
2·2·0
m= =0
2 · (1 + 2ξ)
x3 = −a − 2x1 = 1 + x1 = 1
y3 = m(x1 − x3 ) − y1 = −y1 = −(1 + 2ξ) = 2 + ξ
Hence (2P1 )(x1 , y3 ) = (1, 2 + ξ)
next, we compute 3P1 by doing P1 + 2P1
Let P1 = (x1 , y1 ), 2P1 = (x2 , y2 ) where x1 = 0, y1 = 1 + 2ξ, x2 = 1, y2 = 2 + ξ
then
x03 =m2 − a − x1 − x2 ,
y30 =m0 (x1 − x03 ) − y1
y2 − y1 (2 + ξ) − (1 + 2ξ)
m0 = = = 1 − ξ = 1 + 2ξ = ξ 2
x2 − x1 1−0
(m0 )2 = ξ 4 = −1 = 2
This gives
x03 =2 − 2 − 0 − 1 = 2
y30 =m0 (x1 − x3 ) − y1
=(1 + 2ξ)(0 − 2) − (1 + 2ξ)
=(1 + 2ξ) − (1 + 2ξ) = 0
Example 8: Let
E = {(x, y) ∈ F9 × F9 |y 2 = x3 + x2 + x + 1} ∪ {∞}
= {(x, y) ∈ F9 × F9 |g(x, y) = 0 where g(x, y) = y 2 − x3 − x2 − x − 2} ∪ {∞}
12
F9 = {0, ξ i : 1 ≤ i ≤ 8; ξ 2 + ξ + 2 = 0}
= {0, ξ, ξ 2 = 1 + 2ξ, ξ 3 = 2 + 2ξ, ξ 4 = −1 = 2, ξ 5 = 2ξ, ξ 6 = 1 + ξ, ξ 7 = 1 + ξ, ξ 8 = 1}
∂g
=3x2 + 2x + 1 = 0 =⇒ x = 1
∂x
∂g
=2y = 0 =⇒ y = 0
∂y
So, possible singular point is (1, 0). But (1, 0) is not a point on the curve E.
Hence, the curve is non-singular. Now we compute points on E.
Some points are easily noticeable on E.
For example
(0, 1) ∈ E. Hence (0, −1) = (0, 2) ∈ E
(1, 1) ∈ E. Hence (1, 2) ∈ E. Also (2, 0) ∈ E
It is better to calculate all the points of E by taking x, y ∈ F9 and verifying
g if (x, y) ∈ E.
x y 2 = x3 + x2 + x + 1 y2 y2 y
0 1 1 1 1,2
ξ ξ3 + ξ2 + ξ + 1 ξ 3 − 1 = 1 + 2ξ ξ2 ξ, 2ξ
ξ 2 = 1 + 2ξ ξ6 + ξ4 + ξ2 + 1 ξ6 + ξ2 0 0
ξ 3 = 2 + 2ξ ξ9 + ξ6 + ξ3 + 1 2+ξ ξ6 2 + 2ξ, 1 + ξ
ξ6 = 2 + ξ ξ 18 + ξ 12 + ξ 6 + 1 ξ2 + ξ4 + ξ6 + 1 0 0
ξ7 = 1 + ξ ξ 21 + ξ 14 + ξ 7 + 1 ξ5 + ξ6 + ξ7 + 1 1 + ξ = ξ7 -
ξ8 = 1 1 1 1 1,2
13
We can see that E has 12 points in all.
Points of E are
E ={(0, 1), (0, 2), (ξ, ξ), (ξ, 2ξ), (1 + 2ξ, 0), (2 + 2ξ, 2 + 2ξ), (2 + 2ξ, 1 + ξ),
(2, 0), (2 + ξ, 0), (1, 1), (1, 2), ∞}
Points of order 2 are (1+2ξ, 0), (2, 0), (2+ξ, 0). We now compute the subgroup
generated by P1 = (0, 1).
Observe that 2P1 = (0, 2)
For let P1 = (0, 1), x1 = 0, y1 = 1 and 2P1 = (x3 , y3 ) then
x3 =m2 − a − 2x1 ,
y3 =m(x1 − x3 ) − y1
3x2 + 2ax1 + b 2ax1 + b
m= 1 =
2y1 2y1
using a = b = 1, x1 = 0, y1 = 1, we get
2·1·0+1 1
m= = = 2 =⇒ m2 = 1
2·1 2
x3 = 1 − 1 − 2 · 0 = 0
y3 = 1 · (0 − 0) − 1 = −1 = 2
Hence 2P1 = (x3 , y3 ) = (0, 2) = (0, −1).
Next we compute 3P1 as follows, by doing P1 + 2P1 .
Let 3P1 = (x03 , y30 ). Suppose 2P1 = (x2 , y2 ) = (0, 2) and P1 = (x1 , y1 ) = (0, 1)
Since x1 = x2 = 0 this implies that 3P1 = ∞.
Hence (0, 1) is a point of order 3 on E.
Let Q1 = (1, 1) = (x1 , y1 ), and 2Q1 = (x3 , y3 ), then
x3 =m2 − a − 2x1 ,
y3 =m(x1 − x3 ) − y1
3x21 + 2ax1 + b 2ax1 + b
m= =
2y1 2y1
Using a = 1, x1 = 1, y1 = 1, we get
2·1·1+1 3
m= = =0
2·1 2
14
x3 = 02 − 1 − 2 · 1 = −3 = 0
y3 = 0 · (1 − 0) − 1 = 0 − 1 = 2
This implies that 2Q1 = (x3 , y3 ) = (0, 2)
Note that 2P1 = 2Q1 = (0, 2)
We compute 3Q1 = (x003 , y300 ) = Q1 + 2Q1 = (1, 1) + (0, 2). Then
x003 =m2 − a − x1 − x2 ,
y300 =m(x1 − x003 ) − y1
y2 − y1
m=
x2 − x1
Using a = 1, x1 = 1, y1 = 1, x2 = 0, y2 = 2, we get
2−1 1 1
m= = = = 2 =⇒ m2 = 1
0−1 −1 1
x003 = 1 − 1 − 1 − 0 = −1 = 2
y300 = 1 · (1 − 0) − 1 = 0
Hence 3Q1 = (2, 0) this implies that 6Q1 = ∞.
Therefore K = hQ1 |6Q1 = ∞i .
Compute all elements of K.
If H = h(1 + 2ξ, 0)i , then H ≤ E is a subgroup of order 2.
Is E = H ⊕ K ?
Write E as a direct sum of all possible subgroups of E. Is E ∼
= C2 × C6 .
15
We now state rules of addition of points on these curves
First for E1 :
1. P + ∞ = ∞ + P = P ∀P ∈ E1 (including ∞ + ∞ = ∞).
x3 = m2 − x1 − x2 = m2 + x1 + x2 ,
y3 = m(x1 − x3 ) − y1 − c = m(x1 + x3 ) + y1 + c
y2 −y1 y2 +y1
where m = x2 −x1
= x2 +x1
since char(F) = 2
x3 = m2 − 2x1 = m2 , ∵ char(F) = 2
y3 = m(x1 − x3 ) − y1 − c = m(x1 + x3 ) + y1 + c
x2 +a
as char(F) = 2 where m = c
[ If c = 0 then 2P1 = ∞]
1. P + ∞ = ∞ + P = P ∀P ∈ E2 (including ∞ + ∞ = ∞).
x3 = m 2 + m + a + x1 + x 2 ,
y3 = m(x1 + x3 ) + y1 + x3
y2 +y1
where m = x2 +x1
[∵ char(F) = 2]
16
3. If P1 (x1 , y1 ), P2 (x2 , y2 ) 6= ∞ and P1 6= P2 with x1 = x2 , but y1 6= y2
then P1 + P2 = ∞
4. If P1 (x1 , y1 ), P2 (x2 , y2 ) 6= ∞ and P1 = P2 with x1 6= 0 then
2P1 = P1 + P2 = P3 (x3 , y3 ) Where
b x21 + y1
x3 = x21 + , y 3 = x3 + x21 + x3
x21 x1
[If x1 = 0 then 2P1 = ∞]
Theorem: The points on the curve E2 form an additive Abelian group.
#(E) = 5
Let P = (0, 0) = (x1 , y1 ) =⇒ x1 = 0, y1 = 0, suppose 2P = (x3 , y3 ), where
x21 + a
x3 = m2 , y3 = m(x1 + x3 ) + y1 + c where m =
c
i.e. 2
x21 + a x21 + a
x3 = , y3 = (x1 + x3 ) + y1 + c
c c
For this curve y 2 + y = x3 + x, c = 1, a = 1, b = 0 and x1 = 0, y1 = 0 we get:
2 2
0 +1 02 + 1
x3 = = 1, y3 = (0 + 1) + 0 + 1 = 1 · 1 + 1 = 2 = 0
1 1
=⇒ (x3 , y3 ) = (1, 0). Hence 2P = (1, 0)
We next, compute 3P = P + 2P = (0, 0) + (1, 0)
Let x1 = 0, y1 = 0, x2 = 1, y2 = 0 then 3P = (x03 , y30 ) where
y1 + y2
x03 = m2 + x1 + x2 , y30 = m(x1 + x3 ) + y1 + c where m =
x1 + x2
Here
0+0
m= = 0 =⇒ x03 = x1 + x2 = 0 + 1 = 1
0+1
17
and
y30 = y1 + c = 0 + c = c = 1
u2 + a
y5 = (u + x5 ) + v + c = 0(u + x5 ) + v + c = v + c = 1 + 1 = 0
c
=⇒ 6P = (x5 , y5 ) = (0, 0) = P =⇒ 5P = ∞
This can be obtained by observing that
2P + 3P = (1, 0) + (1, 1) = ∞
Hence
E =hP : 5P = ∞i
={P = (0, 0), 2P = (1, 0), 3P = (1, 1), 4P = (0, 1), 5P = ∞}
∼
=C5
18
#(E) = 4
Now let P = (0, 1), then 2P = ∞.
Next if Q = (1, 0), then 2Q = (x3 , y3 ), where
b x21 + y1
x3 = x21 + , y 3 = x3 + x21 + x3
x21 x1
where x1 = 1, y1 = 0, a = 0, b = 1 implies that
1
x3 = 12 + = 1 + 1 = 0,
1
12 + 0
y3 = · 0 + 12 + 0 = 1
1
=⇒ 2Q = (0, 1) = P =⇒ 4Q = 2Q + 2Q = P + P = 2P = ∞.
F4 ={0, ω i | 1 ≤ i ≤ 3; ω 3 = 1, ω 6= 1}
={0, 1, ω, ω 2 | w2 + w + 1 = 0}
={0, 1, ω, 1 + ω}
19
Let 3P = (x3 , y3 ) = P + 2P = (x1 , y1 ) + (x2 , y2 ) where
x1 = 0, y1 = 0, x2 = 1, y2 = 0, We have
x3 = m 2 + x1 + x2 , y3 = m(x1 + x3 ) + y1 + c
where
y1 + y2 0+0 0
m= = = =0
x1 + x2 0+1 1
2
This gives x3 = 0 + 0 + 1 = 1 and y3 = 0 · (0 + 1) + 0 + 1 = 1 [∵ c = 1]
Hence 3P = (x3 , y3 ) = (1, 1).
E =hP i = hP : 5P = ∞i
={P = (0, 0), 2P = (1, 0), 3P = (1, 1), 4P = (0, 1), 5P = ∞}
∼
=C5
Example 12: Let E = {(x, y) ∈ F4 × F4 | y 2 + xy = x3 + 1} ∪ {∞}, where
F4 ={0, ω i | 1 ≤ i ≤ 3; ω 3 = 1, ω 6= 1}
={0, 1, ω, ω 2 | w2 + w + 1 = 0}
={0, 1, ω, 1 + ω}
20
We have computed all the points of E. We found that E has eight points in
all.
E = {(0, 1), (1, 0), (1, 1), (ω, 0), (ω, ω), (ω 2 , 0), (ω 2 , ω 2 ), ∞}
or
E = {(0, 1), (1, 0), (1, 1), (ω, 0), (ω, ω), (1 + ω, 0), (1 + ω, 1 + ω), ∞}
x21 + y1 ω2 + 0
y2 = x2 + x21 + x2 = · 1 + ω2 + 1
x1 ω
=⇒ y2 = ω + ω 2 + 1 = 0
=⇒ 2P = (x2 , y2 ) = (1, 0)
We next compute 4P = 2P + 2P = (x2 , y2 ) + (x2 , y2 ) = (1, 0) + (1, 0).
Let 4P = (x4 , y4 ). Then
a 1
x4 = x22 + 2
= 12 + 2 = 1 + 1 = 0
x2 1
x22 + y2 12 + 0
y4 = x4 + x22 + x4 = · 0 + 12 + 0 = 1
x2 1
=⇒ (x4 , y4 ) = (0, 1) or 4P = (0, 1) = Q
But Q is of order 2. Hence 8P = 2Q = ∞
Hence E = hP i = hP : 8P = ∞i ∼ = C8
21
Leture-18
1
Hence
x3 =m2 − x1 − x2
y3 =m(x1 − x3 ) − y1
y2 − y1
m=
x2 − x1
Since x1 = 2, y1 = 5, x2 = 564, y2 = 156, we get
156 − 5 151
m= = = 151 × 562−1 ≡ 151 × 349 ≡ 52699 ≡ 278 (mod 589)
564 − 2 562
x3 =m2 − x1 − x2 = 2782 − 2 − 564 = 76718 = 148 (mod 589)
y3 =m(x1 − x3 ) − y1 = 278(2 − 148) − 5 = −40593 ≡ 48 (mod 589)
x4 =m2 − 2x2
y4 =m(x2 − x4 ) − y2
3x2 + a
m= 2
2y2
Since x2 = 564, y2 = 156, a = 4, we get
3 · 5642 + 4 954292
m= =
2 · 156 312
112
=⇒ m = ≡ 112 × 312−1 ≡ 112 × 202 ≡ 22624 ≡ 242 (mod 589)
312
x4 =m2 − 2x2 = 2422 − 2 × 564 = 57436 = 303 (mod 589)
y4 =m(x2 − x4 ) − y2 = 242(564 − 303) − 156 = 63006 ≡ 572 (mod 589)
2
Hence P4 (x4 , y4 ) = (303, 572).
We now compute 7P .
Let P7 = (x7 , y7 ) = 7P = 3P + 4P = (148, 48) + (303, 572)
x7 =m2 − x3 − x4
y7 =m(x3 − x7 ) − y3
y4 − y3
m=
x4 − x3
Since x3 = 148, y3 = 48, x4 = 303, y4 = 572, we get
572 − 48 524
m= = = 524 × 155−1 (mod 589)
303 − 148 155
We compute the gcd, the greatest common divisor of 155 and 589. Using
Euclidean Algorithm as follows:
dn = gcd(2n! − 1, m),
3
where k = 2n! , gives that 2n! − 1 = k − 1 is a factor of 2(n+1)! − 1.
Hence
Thus dn |dn+1 ∀n = 1, 2, . . .
We get 13 as a proper divisor of 403. The other divisor of 403 is 31. We also
observe that n = 4 is the least positive integer such that dn gives a proper
factor of 403.
We also compute/conclude that n = 5 is the least n such that dn = d5 = 403
Next, we apply this idea on m = 589. We compute the sequence dn as follows:
What is d5 ?
What is the least n for which 589 gives a proper divisor?
What is the least n such that dn = 589?
Observe that one of the major difficulty in the idea discussed is the growing
size of dn = gcd(2n! − 1, m), as n increase. This can be overcome by observ-
ing that gcd(a, b) =gcd(a + bx, b) ∀a, b, x ∈ Z. So if 2n! − 1 ≡ b (mod m) i.e.
2n! − 1 = qm + b (0 ≤ b < m), then gcd(2n! − 1, m) = gcd(b + mq, m) =
gcd(b, m) =⇒ dm = gcd(b, m). Therefore, we need not calculate exact value
4
of 2n! − 1 but need to know b ≡ (2n! − 1) (mod m). Since 0 ≤ b < m, it
reduces computations a lot. For example d5 for m = 403, can be obtained
as:
Hence
25! − 1 ≡ (k − 1)(k 4 + k 3 + k 2 + k + 1) (mod 403)
where k = 24! ≡ 326 (mod 403), We get
Remark. If a = 3, then a3! = 36 = 729 = 326 (mod 403). Hence in this case
d3 = gcd(a3! − 1, 403) = gcd(326, 403) = 13 and d4 = 403.
gn = gcd(an − 1, m)
where m is the positive integer asked to be factored, and the a0n s are define
as
rn−1
an = an−1 , with a1 = a ∀n ≥ 2,
5
where {rk } is a sequence of positive integer greater than 1. Thus
Now
gn = gcd(an − 1, m) =⇒ gn | an − 1 and
gn | m =⇒ gn | (arnn − 1) ∵ (an − 1) | (arnn − 1)
=⇒ gn | gn+1 ∀n ≥ 1
That is g1 | g2 , g2 | g3 , . . .
Thus, we wish to determine one n (least positive integer in fact) such that
1 gn m, as this makes gn to be a proper factor of m.
For rn = n ∀n ∈ N and a = 2,
gn =gcd(ar1 r2 ···rn−1 − 1, m)
=gcd(21·2·3···(n−1) − 1, m)
=gcd(2(n−1)! − 1, m) = dn−1
Let {qn } be a sequence of all the positive powers of all the primes arranged
in the increasing manner. Suppose {rn } is the sequence of positive integers
such that rn | qn and rn is a prime ∀n ∈ N.
6
For example: Consider positive integers 1 to 100. The terms of the se-
quence {qn } are:
Observe that: lcm, the least common multiple of the numbers 1 to 100, i.e
3. Set a = aj (mod m)
4. Compute d = gcd(a − 1, m)
7
=⇒ d5 = gcd(25!−1 , 403) = gcd(0, 403) = 403
Of course, you could also have argued as follows:
Since d4 < d5 , d4 | d5 , d5 ≤ 403, and d4 = 13, we get d5 = 403.
Do this for m = 589.
Compute d120 for m = 3870573781.
Thus if 2n! ≡ r (mod m), then 2n! −1 ≡ r −1 (mod m). Apply this in proving
that
8
otherwise, start with a new curve E and a new point P on E.
9
We have calculated 4P = (x4 , y4 ) = 2P2 = (303, 572)
x6 =m26 − x2 − x4
y6 =m6 (x2 − x6 ) − y2 where
y4 − y2
m6 =
x4 − x2
572 − 156 416
= =
303 − 564 −261
416
=⇒ m6 = ≡ 416 × 328−1 (mod 589)
328
≡416 × 422 ≡ 30 (mod 589)
2
=⇒ m6 ≡900 ≡ 311 (mod 589).
=⇒ x6 =900 − 564 − 303 ≡ 311 − 564 − 303
≡ − 556 ≡ 33 (mod 589)
y6 =311(564 − 33) − 572 = 311 × 531 − 572
=165141 − 572 = 164569 ≡ 238 (mod 589)
u2 = m22 − u1 − u2 , v2 = m2 (u1 − u2 ) − v1
where
3u21 + A 3 · 332 + 4
m2 = =
2u1 2 · 238
3271
= ≡ 3271 × 476−1 (mod 589)
476
=⇒ m2 =3271 × 172 ≡ 562612 ≡ 117 (mod 589)
=⇒ m22 ≡1172 ≡ 13689 ≡ 142 (mod 589)
=⇒ u2 ≡142 − 33 − 33 ≡ 142 − 66 (mod 589) ≡ 76 (mod 589)
v2 ≡117(33 − 76) − 238 ≡ 117 × (−43) − 238 (mod 589)
≡ − 5269 ≡ 32 (mod 589)
=⇒ 2Q =Q2 = (u2 , v2 ) = (76, 32)
10
=⇒ 4Q =Q4 = 2Q + 2Q = Q2 + Q2 = (76, 32) + (76, 32)
=⇒ u4 =m24 − 2u2 , v4 = m4 (u2 − u4 ) − v2 ,
3 · u22 + 4 3 · 762 + 4
m4 = =
2 · v2 2 · 32
17332 251
m4 = = ≡ 251 × 64−1 (mod 589)
64 64
≡251 × 543 ≡ 234 ≡ 234 (mod 589)
m4 ≡2342 ≡ 568 (mod 589)
2
11
√ √
a ≤ 72), divide a. Of course, the availability of primes up to a, when a
is large could be a problem.
Proposition
√ 1: Let n > 1 be a positive integer such that there exist a
prime q > n − 1 and q|(n − 1). If there exists an integer a such that
1. an−1 ≡ 1 (mod n)
n−1
2. gcd(a q − 1, n) = 1
then n is prime.
Proof: Suppose contrary,
√ that n is composite, then
√ as discussed above there
exists a prime p ≤ n such that p|n. Now q > n − 1 ≥ p − 1 =⇒ q >
p − 1 =⇒ gcd(q, p − 1) = 1 =⇒ u, v ∈ Z such that uq + v(p − 1) = 1 this
implies that
n−1 n−1 n−1
a q =a1· q = a[uq+v(p−1)] q
n−1 n−1
=auq· q · av(p−1) q
n−1
≡auq· q (mod p)
n−1 v· n−1
since av(p−1) q = (ap−1 ) q ≡ 1 (mod p) (using Fermat’s little Theorem ,
aslo n−1
q
∈ N as q|(n − 1)).
n−1 n−1
=⇒ a q ≡ auq· q (mod p)
≡ au(n−1) (mod p)
u
≡ an−1 (mod p)
≡ 1 (mod p) Since p|n and an−1 ≡ 1 (mod n)
n−1
=⇒ p|a q −1
n−1
=⇒ gcd(a q − 1, n) ≥ p > 1 as p|n
The Elliptic Curve Primality Test due to Golawasser and Kilian is based
12
on the following proposition, which is analogous to the Pocklington-Lehmar
primality test.
=⇒ 1 ≤ mp < q
=⇒ gcd(q, mp ) = 1
=⇒ 1 = uq + vmp for some integer u, v ∈ Z
=⇒ uq ≡ 1 (mod mp ), for some u ∈ Zp
Since P = P (x, y) ∈ E, we get Q(x0 , y 0 ) ∈ Ep , where x, y ∈ Zn , x0 , y 0 ∈ Zp
are such that x ≡ x0 (mod p), y ≡ y 0 (mod p).
Now
m m m
q|m =⇒ ∈ Z =⇒ Q = uq Q = (um)Q = u(mQ) = ∞
q q q
13
Since mP = ∞ on E and Q is the same point considered mod p, instead
mod n. Thus mq Q = ∞ on Ep .
But this is a contradiction
on to the condition 2. As this will lead to
m
P = ∞. Because, if mq P is defined and not ∞ on E, then as earlier
q
m
q
Q 6= ∞. The proposition is proved.
13 + 3 × 1 + 1 = 5 ≡ 16 ≡ (±4)2
14
Determine dlog of (6, 9) in E with respect to the base (1, 4).
Does dlog(2,9) (6, 2) in E exist ? If yes, then what is it?
15
(a) Is P ∈ E?
(b) Is Q ∈ E?
(c) Does dlogP Q exist? If yes, then compute it.
(d) Does dlogQ P exist? If yes, then compute it.
(e) What is the group structure E?
x =qm + r (0 ≤ r < m)
=⇒ h =g x = g qm+r = g qm × g r = (g m )q × g r
=⇒ (g m )q = hg −r
hg −s = 1G =⇒ h = g s =⇒ s = dlogg h
g m , (g m )2 = g 2m , (g m )3 , . . .
If g(m )q = g mq , is the first component in some Baby step with second com-
ponent r, then
(g mq , r) ∈ B =⇒ g mq = hg −r =⇒ g mq+r = h =⇒ x = dlogg h
16
Algorithm:
We can now state the analogue of Shanks Baby step-Giant step algorithm
for elliptic curves.
Let E be an elliptic curve of order n = #(E). Suppose P, Q ∈ E are such
that Q = kP and k is the least non negative integer with this property. Then
dlogP Q = k.
So, we set m =the least integer greater or equal to n2 . Then k = mq + r, for
some integer q, r such that 0 ≤ r m
We get
m-Baby steps.
Now, if there is a Baby step (∞, j) ∈ B for some j(0 ≤ j ≤ m − 1), then
Q − jP = ∞ =⇒ Q = jP + ∞ = jP and j = dlogP Q.
If there is no such Baby step then compute Giant steps:
The moment the Giant step q(mP ) is a point in the first component of a
Baby step (q(mP ), r) ∈ B then
17
Set m = 18
2
= 9.
Now k = qm + r for some integers q, r, k = 9q + r (0 ≤ r < m) Baby step
B := {(Q, 0), (Q − P, 1), (Q − 2P, 2), . . . (Q − 8P, 8)}
Observe that P = (1, 4) =⇒ −P = (1, −4) = (1, 7) = R(say)
B := {(Q, 0), (Q + R, 1), (Q + 2R, 2) . . . (Q + 8R, 8)}
where Q = (3, 2) and R = (1, 7)
The Baby steps:
B := {((3, 2), 0), ((3, 2) + (1, 7), 1), ((3, 2) + 2(1, 7), 2), ((3, 2) + 3(1, 7), 3), ((3, 2) + 4(1, 7), 4),
((3, 2) + 5(1, 7), 5), ((3, 2) + 6(1, 7), 6), ((3, 2) + 7(1, 7), 7), ((3, 2) + 8(1, 7), 8)}
= {((3, 2), 0), ((3, 2) + (1, 7), 1), ((3, 2) + (2, 2), 2), ((3, 2) + (0, 10), 3), ((3, 2) + (8, 3), 4),
((3, 2) + (3, 2), 5), ((3, 2) + (5, 3), 6), ((3, 2) + (6, 9), 7), ((3, 2) + (9, 3), 8), ((3, 2), 0),
((5, 3), 1), ((6, 9), 2), ((9, 3), 3), ((4, 0), 4), ((9, 8), 5), ((6, 2), 6), ((5, 8), 7), ((3, 9), 8)}
We observe that the point at infinity ∞ is not not appearing as the first
coordinate in any of the Baby step.
Hence, we need to compute the Giant steps as follows:
(4, 0), 2(4, 0, ), 3(4, 0), . . . i.e. (4, 0), ∞, (4, 0), . . .
since order of (4, 0) is 2.
We also observe that ((4, 0), 4) is a Baby-step.
Hence q = 1, r = 4, m = 9
=⇒ k = qm + r = 1 × 9 + 4 = 13 =⇒ dlogP Q = 13
This can be directly too verified as
P = (1, 4), 2P = (2, 9), 4P = (8, 8), 8P = (9, 8).
We calculate using doubling repeatedly and adding if required.
Hence 13P = 8P +4P +P = (9, 8)+(8, 8)+(1, 4) = (5, 3)+(1, 4) = (3, 2) = Q
18
Lecture-19
G = G1 ∪ G2 ∪ G3 (Gi ∩ Gj = φ for i 6= j)
Define a function
f : G = G1 ∪ G2 ∪ G3 → G
P + R, if R ∈ G1
R → f (R) = 2R, if R ∈ G2
Q + R, if R ∈ G3
1
By induction, prove that (assuming Ri = mi P + ni Q )
Thus,
Ri+1 = mi+1 P + ni+1 Q,
where
mi + 1, if Ri ∈ G1
mi+1 = 2mi , if Ri ∈ G2
mi , if Ri ∈ G3
and
ni , if Ri ∈ G1
ni+1 = 2ni , if Ri ∈ G2
ni + 1, if Ri ∈ G3
mi P + ni Q = mi+j P + ni+j Q
2
will give d number of choices for k = dlogP Q, namely
n 2n (d − 1)n
k, k + ,k + ,...k + ,
d d d
i.e. k + sn
d
, 0≤s≤d−1
Example. Compute if it exists dlogP Q in the curve
E = {(x, y) ∈ F11 × F11 |y 2 = x3 + 3x + 1} ∪ {∞}
where P = (1, 4), and Q = (3, 2). It can be easily verified that P, Q ∈ E
(and dlogP Q = k exists, as we know, but otherwise, we can assume that it
exists and proceed). Since #(E) is small, in fact we have already computed
all points on E, and saw that #(G)=#(E) = 18, where G = hP i .
The group G can be written as the disjoint union.
E = G ={(0, 1), (0, 10), (1, 4), (1, 7), (2, 2), (2, 9)}
∪ {(3, 2), (3, 9), (4, 0), (5, 3), (5, 8), (6, 2)}
∪ {(6, 9), (8, 3), (8, 8), (9, 3), (9, 8), ∞}
= G1 ∪ G2 ∪ G3
where
G1 ={(0, 1), (0, 10), (1, 4), (1, 7), (2, 2), (2, 9)}
G2 ={(3, 2), (3, 9), (4, 0), (5, 3), (5, 8), (6, 2)}
G3 ={(6, 9), (8, 3), (8, 8), (9, 3), (9, 8), ∞}
3
As R2 = (8, 8) ∈ G3 , we get
Ri = mi P + ni Q ∀i ≥ 0 with m0 = 2, n0 = 0
R1 =m1 P + n1 Q = R7 = m7 P + n7 Q
=⇒ (m1 − m7 )P = (n7 − n1 )Q
=⇒ Q = (n7 − n1 )−1 (m1 − m7 )P
=⇒ k = (n7 − n1 )−1 (m1 − m7 ) = dlogP Q. Provided (n7 − n1 )−1 (mod #(G)) exist.
The integer m0i s and n0i s are calculated using the recurrence relations:
mi + 1, if Ri ∈ G1 ni , if Ri ∈ G1
mi+1 = 2mi , if Ri ∈ G2 and ni+1 = 2ni , if Ri ∈ G2 ∀i ≥ 0 (m0 = 2, n0 = 0)
mi , if Ri ∈ G3 ni + 1, if Ri ∈ G3
4
This gives :
m1 =m0 + 1 = 2 + 1 = 3
n1 =n0 = 0 since R0 ∈ G1
=⇒ m2 =m1 + 1 = 3 + 1 = 4
n2 =n1 = 0 since R1 ∈ G1
=⇒ m3 =m2 = 4
n3 =n2 + 1 = 0 + 1 = 1 since R2 ∈ G3
=⇒ m4 =m3 + 1 = 4 + 1 = 5
n4 =n3 = 1 since R3 ∈ G1
=⇒ m5 =m4 = 5
n5 =n4 + 1 = 1 + 1 = 2 since R4 ∈ G3
=⇒ m6 =2m5 = 2 × 5 = 10
n6 =2n5 = 2 × 2 = 4 since R5 ∈ G2
=⇒ m7 =m6 = 10
n7 =n6 + 1 = 4 + 1 = 5 since R6 ∈ G3
This gives m1 = 3, n1 = 0, m7 = 10, n7 = 5 and therefore
(m1 − m7 )P = (n7 − n1 )Q
(3 − 10)P = (5 − 0)Q
or − 7P = 5Q
or Q = (−5−1 × 7 (mod 18))P
Since (5, 18) = 1, we get using the Euclidean /Division Algorithm,
5−1 (mod 18) to be 11 as 11 × 5 = 55 ≡ 1 (mod 18)
Hence Q = (−11 × 7)P = −77P = −5P = 13P =⇒ Q = 13P
Hence k = dlogP Q = 13
This can be directly verified by repeatedly doubling and adding that 13P = Q
5
Silver-Pohlig-Hellman Algorithm For Comput-
ing Logarithm In Elliptic Curves
Recall the idea of the Silver-Pohlig Hellman Algorithm for computing dis-
crete logarithm in a cyclic group G = hg|g n = 1i of order n for an element
h to the base g the generator of G. The idea was first to reduce the DLP
to cyclic groups of prime power order pe , where pe |n but pe+1 - n, and p is a
prime, and then reduce the problem of prime order cyclic groups, evaluating
g discrete logarithm in these groups and then computing discrete logarithm
g, by applying Chinese Remainder Theorem.
So, we shall reiterate the algorithm but with changes according to the group
G = hP |nP = ∞i ≤ E, where E is an elliptic curve and Q, P ∈ G to com-
pute dlogP Q in G and thus in E.
n
For each prime p|n, let np = pe(p)
, and
Pp = n p P ∈ G
Then
=⇒ p(p) (Pp ) = ∞
=⇒ p(p) (np P ) = ∞
=⇒ (p(p) · np )P = ∞
=⇒ n|(p(p) · np )
6
Reduction of DLP to prime power order additive cyclic groups
in Elliptic Curves
H = Pp | pe(p) Pp = ∞ ≤ G ≤ E
kP = Q
=⇒ k(Pp ) = k(np P ) = (knp )P = (np k)P = np (kP ) = np Q = Qp (say)
=⇒ Qp ∈ H = Pp | pe(p) Pp = ∞
np (−kP + Q) = − k(np P ) + np Q
= − k(Pp ) + Qp = −Qp + Qp = ∞
=⇒ O(−kp + Q)|np ∀p|n
=⇒ O(−kp + Q)| gcd(np ) ∀p|n
=⇒ O(−kp + Q)|1
=⇒ O(−kp + Q) = 1
=⇒ − kp + Q = ∞
=⇒ kP = Q
=⇒ k = dlogP Q ∈ E
Recall, Qp = np Q ∈ H = Pp = np P | pe(p) Pp = ∞ Also,
7
Reduction of DLP to prime order cyclic group of an Elliptic Curve
Let H = P | pe(p) P = ∞ ≤ E for an Elliptic Curve E.
Let R ∈ H, then k = dlogP R exists. If A = ∞, then k = 0.
Let A 6= ∞. Then 0 < k < m = pe .
Write
k = k0 + k1 p + k2 p2 + · · · + ke−1 pe−1
[This can be done (prove) that every positive integer a can be written an
integer polynomial in the powers of an another integer b.]
Now kP = R ∵ k = dlogP R in H
8
Computing other coefficients k1 , k2 , . . . , ke−1
Thus
9
as pe P = ∞, since P ∈ H, and |H| = pe .
Hence
=⇒ (pe−1 ki )P = pe−i−1 Ri ∀i ≥ 1
Or ki (pe−1 P ) = pe−i−1 Ri
ki P̄ = pe−i−1 Ri =⇒ pe−i−1 Ri ∈ K = P̄ |pP̄ = ∞
Hence solutions ki0 s are the discrete logs of some element in K. in particular,
we get
ki = dlog(pe−1 P ) (pe−i−1 Ri ) ∀i
Or
ki = dlogP̄ (pe−i−1 Ri ) where P̄ = pe−1 P
Since P̄ is an element of K ≤ E, so P̄ is a point of order p, the prime p|n.
Thus the problem is now completely reduced to finding discrete logarithm in
a cyclic group of order a prime p.
Recall
In particular,
=⇒ k0 = dlog(pe−1 P ) (pe−1 R)
Next,
10
Since k0 has already been determined, Ri is determined and hence k1 can be
determined,
Similarly,
R2 =(k2 p2 + k3 p3 + · · · + ke−1 pe−1 )P
=(k0 + k1 p + · · · + ke−1 pe−1 − k0 − k1 p)P
=(k − k0 − k1 p)P
=kP + (−k0 − k1 p)P
=⇒ R2 =kP − k0 P − (k1 p)P
k2 =dlogP̄ (pe−3 )R2 where P̄ = pP
can be determined as k0 , k1 have been determined, then ki (and hence k) can
be determined.
Since
n
np =
pe(p)
18
=⇒ n2 = = 9, So n2 = 9 for p = 2
2
18
=⇒ n3 = 2 = 2, So n3 = 2 for p = 3
3
11
Corresponding subgroup H of G
Hp=2 = P(p=2) = (4, 0)|2Pp=2 = ∞
Hp=3 = P(p=3) = (2, 9)|9Pp=3 = ∞
=⇒ |Hp=2 | =pe(p) = 21 = 2 and |Hp=3 | = pe(p) = 32 = 9
We know that Qp=2 ∈ Hp=2 and Qp=3 ∈ Hp=3 and the problem is now reduced
to determine discrete logarithm in these subgroups of order pe(p) for p = 2, 3
respectively i.e.
The integer k0 (3) and k1 (3) are determined as follows: Rp=3 = (9, 8) [follows
the notations]. Recall
and
12
This gives R̄1(p=3) = R̄(p=3) = (5, 8). And therefore k1 (3) = dlog(P̄p=3 ) R̄1(p=3) =
dlog(5,8) (5, 8) = 1. Hence
k ≡ k(2) (mod 2)
k ≡ k(3) (mod 9)
=⇒ k ≡ 1 (mod 2)
k ≡ 4 (mod 9)
Apply now the Chinese Remainder Theorem to get k ≡ 13 (mod 18). Hence
dlog(1,4) (3, 2) = 13 ∈ E
This can be verified directly by computing 13P for P = (1, 4) using the
method of repeatedly doubling and adding if required.
13
positive integer ‘b’ and keeps it secret.
Suppose E and a point P on E are known to them. Alice computes the point
aP (by adding P repeatedly a-times) and sends it to Bob. Bob computes
the point bP and sends it to Alice.
Alice, who received bP from Bob, computes a(bP ), adding bP (repeatedly
a-times) and get (ab)P . Similarly, Bob has received aP from Alice. He
computes b(aP ). Now Alice has the point a(bP ) while Bob has the point
b(aP ) of E. Both of them in fact have the same point namely (ab)P as
a(bP ) = (ab)P = (ba)P = b(aP ) in E. This point becomes their common
knowledge.
Now Alice and Bob both have their common knowledge the point (0, 10) ∈
E. They can use it in various applications of Diffie-Hellman key exchange
protocol.
Verify all the calculations.
14
Decision Diffie-Hellman Problem and The Diffie-
Hellman Assumption
If P, aP, bP ∈ E(Fq ) are known is then possible to decide for a given point
Q ∈ E(Fq ), that Q = (ab)P or not. Accordingly, the DDH Assumption is
that it is not easy to do that.
Massey-Omura Cryptosystem
Alice and Bob setup the Massey-Omura cryptosystem for communication as
follows:
2. They also agree that the plain text space as well as cipher text space
are the points of E i.e. the group E.
(a) She chooses and keeps it secret a positive integer a, computes the
point aM ∈ E and sens it to Bob
(b) Bob also chooses and keeps secret a positive integer b. He received
aM from Alice. He computes b(aM ) = baM = abM ∈ E and
sends it to Alice.
(c) Alice received (ab)M from Bob, she computes a−1 (ab)M = bM
and sends it to Bob.
(d) Bob received bM from Alice, he computes b−1 (bM ) = M and thus
gets the message M from Alice.
Note: Alice computes a−1 from a and Bob computes b−1 from b. This,
therefore, requires gcd(a, N ) = 1 as well as gcd(b, N ) = 1, where N is the
order of the group. Hence, while choosing integers a, b, they have to be care-
ful. The a−1 (mod N ) and b−1 (mod N ) can be computed using Division
Algorithm/Euclidean Algorithm.
15
1. They agree on the Elliptic curve:
Now suppose Alice wants to send the message the point M (6, 2) ∈ E
to Bob.
16
(b) Hide the message as the point Q2 = M + k(aP ) ∈ E.
(c) Send to Alice the ordered pair of points (Q1 , Q2 ) ∈ E × E where
Q1 = kP .
(d) Alice receives the pair of points (Q1 , Q2 ) from Bob. She knows
that the message is hidden in the second coordinate point Q2 .
She recreates the mask by doing
aQ1 = a(kP ) = (ak)P = (ka)P = k(aP ) ∈ E
.
(e) Alice retrieves the message from Q2 by doing
Q2 − aQ1 ={M + k(aP )} − a(kP )
=M + {k(aP ) − a(kP )}
=M ∈ E
Example:
1. Let the publicly agreed elliptic curve be
E = E(F11 ) = {(x, y) ∈ F11 × F11 | y 2 = x3 + 3x + 1} ∪ {∞}
and the public base point P (1, 4) ∈ E.
2. Let Alice choose the integer a = 11, keep it secret and publish her
public (encrypting) key aP = 11(1, 4) = (6, 9).
(a) Choose a positive integer k = 13. Create a mask
k(aP ) = 13(6, 9) = (1, 7).
17
(d) Alice received (Q1 , Q2 ) = ((3, 2), (5, 3)). She knows the message
M is hidden in the (second coordinate) point Q2 = (5, 3). She
recreates the mask. She computes aQ1 = 1(3, 2) = (1, 7). This
point aQ1 = a(kP ).
(e) Alice retrieves the message by doing
E := {(x, y) ∈ Fp × Fp | y 2 = x3 + Ax + B; A, B ∈ Fp } ∪ {∞}
and the point P (3, 2). Suppose Alice and Bob have agreed on these publicly.
Let Alice choose and keep it secret the integer a = 3, and Bob b = 5.
Alice computes aP = 3P = (0, 1), and Bob computes bP = 5P = (6, 9).
Suppose Alice sends to Bob instead the point (0, 1), just its x-coordinate i.e.
18
0, and like wise Bob sends to Alice only the x-coordinate of bP i.e. 6. Alice
received from Bob only the x-coordinate say xB = 6. The corresponding yB
satisfies
Similarly, Bob may assume the point sent by Alice A(0, 1) or (0, 10) This
happened in their first exchange i.e. the points (bP ) and (aP ) as sent by
Bob to Alice and by Alice to Bob respectively.
In the next and final round, Alice computes aB (or −aB as the other possi-
bility) i.e. 3(6, 2) or −3(6, 2) [and 5(0,1) or 5(0,10) by Bob].
Observe that
So their common point is (0, 1) or (0,10). They are additive inverse of each
other, make no difference as long as their common knowledge which is x-
coordinate is concerned.
19
(1). Pre-arranged table between message units and points on E. For example
consider the elliptic curve
βj = x3j + Axj + B.
p−1
If βj 2 ≡ 1 (mod p), then βj is a square (mod p) . In that we have got a
corresponding point on E. Recall how the square roots modulo a prime are
calculated. For example, in case p ≡ 3 (mod 4) , a square root (mod p) is
20
p+1
given by yj = βj 4 . The point Pm (xj , yj ) lies on E, and thus can represent m
on
xj E.
The process is reversible. To retrievexj m from Pm (xj , yj ) is to compute
k
, the greatest integer less or equal to k . This is m since
xj mk + j j
= = m + (0 ≤ j < k)
k k k
hx i j
j
=⇒ = m since 0 ≤ < 1
k k
Exercise: Let E = E(F271 ) = {(x, y) ∈ F271 × F271 |y 2 = x3 + 3x + 1} ∪ {∞}.
If it is acceptable that the probability of failure in representing an integer
modulo 271 to a point on E can be 2110 , then represent English Language
letters A to Z, first by representing them by integers 1, 2, . . . 26 and then by
points on the elliptic curve E.
21
curveE over the finite field Fq (So q is a prime or a power of prime). Then
the order N =(also denoted by #(E) ) of E, satisfies :
√
#(E) = q + 1 − tq where |tq | ≤ 2 q.
√ √
Hence q + 1 − 2 q ≤ #(E) ≤ q + 1 + 2 q. We have used this theorem in
some examples to compute the order #(E).
Can the order be computed precisely? Is there any algorithm? Schoof’s
algorithm is the answer to count points on E.
22