Springer

Berlin
Heidelberg
New York
Barcelona
Hong Kong
London
Milan
Paris
Singapore
Tokyo

Neal Koblitz

Algebraic Aspects
of Cryptography
With an Appendix on Hyperelliptic Curves
by Alfred J. Menezes, Yi-Hong Wu,

and Robert J. Zuccherato

With 7 Figures

Springer

Algorithms and Computation

in Mathematics

Volume 3

Editors
E. Becker M. Bronstein H. Cohen
D. Eisenbud R. Gilman

Yi-HongWu

Neal Koblitz
Department of Mathematics

Department of Discrete and

University of Washington

Statistical Sciences

Seattle, WA 98195, USA

Auburn University
Auburn, AL 36849, USA

e-mail:
[email protected]

Robert
Alfred

J. Menezes

J. Zuccherato

Entrust Technologies

Department of Combinatorics

750 Heron Road

and Optimization

Ottawa, Ontario

University of Waterloo

Canada K1V 1A7

Waterloo, Ontario

e-mail:

Canada N2L 3G1

[email protected]

e-mail:
[email protected]

Corrected Second Printing 1999

The Library of Congress has cataloged the orignal printing as follows:

Library of Congress Cataloging-in-Publication Data

Koblitz, Neal, 1948- . Algebraic aspects of cryptography I Neal Koblitz.

p. em.- (Algorithms and computation in mathematics, ISSN 1431-1550; v. 3)

"With an appendix on hyperelliptic curves by Alfred J. Menezes, Yi-Hong Wu, and

Robert

J. Zuccherato".

Includes bibliographical references and index. ISBN 3-540-63446-o (hardcover: alk. paper)
1. Coding theory. 2. Curves, Elliptic. I. Title. II. Series.
QA268.K585 1998 005.8'2'01512-dc21 97-48779 CIP

Mathematics Subject Classification (1991): nT71, 94A 6o, 68P25, nY16, nY4o

ISSN 1431-1550
ISBN 3-540-63446-o Springer-Verlag Berlin Heidelberg New York
This work is subject to copyright. All rights are reserved, whether the whole or part of the mate
rial is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recita
tion, broadcasting, reproduction on microfilm or in any other way, and storage in data banks.
Duplication of this publication or parts thereof is permitted only under the provisions of the
German Copyright Law of September 9, 1965, in its current version, and permission for use
must always be obtained from Springer-Verlag. Violations are liable for prosecution under the
German Copyright Law.
Springer- Verlag Berlin Heidelberg 1998
Printed in Germany
The use of general descriptive names, registered names, trademarks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the
relevant protective laws and regulations and therefore free for general use.
Cover design: MetaDesign plus GmbH, Berlin.
Typesetting: Typeset in TEX by the author and reformatted by Adam Leinz, Karlsruhe, using a
Springer T EX macro-package.
SPIN 10706488

46/3143- 54 3 2 1 o- Printed on acid-free paper

Preface

This book is intended as a text for a course on cryptography with emphasis on

algebraic methods. It is written so as to be accessible to graduate or advanced
undergraduate students, as well as to scientists in other fields. The first three
chapters form a self-contained introduction to basic concepts and techniques. Here
my approach is intuitive and informal. For example, the treatment of computational
complexity in Chapter 2, while lacking formalistic rigor, emphasizes the aspects
of the subject that are most important in cryptography.
Chapters 4-6 and the Appendix contain material that for the most part has not
previously appeared in textbook form. A novel feature is the inclusion of three
types of cryptography - "hidden monomial" systems, combinatorial-algebraic sys
tems, and hyperelliptic systems - that are at an early stage of development. It is
too soon to know which, if any, of these cryptosystems will ultimately be of
practical use. But in the rapidly growing field of cryptography it is worthwhile
to continually explore new one-way constructions coming from different areas of
mathematics. Perhaps some of the readers will contribute to the research that still
needs to be done.
This book is designed not as a comprehensive reference work, but rather as
a selective textbook. The many exercises (with answers at the back of the book)
make it suitable for use in a math or computer science course or in a program of
independent study.
I wish to thank the participants in the Mathematical Sciences Research Insti
tute's Summer Graduate Student Program in Algebraic Aspects of Cryptography
(Berkeley, 16-27 June 1997) for giving me the opportunity to test-teach parts of the
manuscript of this book and for finding errors and unclarities that needed fixing.
I am especially grateful to Alfred Menezes for carefully reading the manuscript
and making many valuable corrections and suggestions. Finally, I would like to
thank Jacques Patarin for letting me report on his work (some of it not yet pub
lished) in Chapter 4; and Alfred Menezes, Yi-Hong Wu, and Robert Zuccherato
for agreeing to let me include their elementary treatment of hyperelliptic curves
as an Appendix.
Seattle, September 1997

Neal Koblitz

Contents

Chapter 1. Cryptography

......................................

1. Early History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. The Idea of Public Key Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . .
3. The RSA Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. Diffie-Hellman and the Digital Signature Algorithm . . . . . . . . . . . . . .
5. Secret Sharing, Coin Flipping, and Time Spent on Homework . . . . . .
6. Passwords, Signatures, and Ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7. Practical Cryptosystems and Useful Impractical Ones . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

1
2
5
8
10
12
13
17

Chapter 2. Complexity of Computations

18

1. The Big-0 Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. Length of Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3. Time Estimates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. P, NP, and NP-Completeness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5. Promise Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6. Randomized Algorithms and Complexity Classes . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7. Some Other Complexity Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

18
21
22
23
24
31
34
41
44
45
48
48
52

Chapter 3. Algebra

53

1. Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3. The Euclidean Algorithm for Polynomials . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. Polynomial Rings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

53
55
55
61
63
64
65
70

VIII

Contents

5. Grobner Bases
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

70
78

Chapter 4. Hidden Monomial Cryptosystems

80

1. The Imai-Matsumoto System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
2. Patarin's Little Dragon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
3. Systems That Might Be More Secure . . . . . . . . . . . . . . . . . . . . . . . . . .
96
102
Exercises
Chapter 5. Combinatorial-Algebraic Cryptosystems

103

1. History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. Irrelevance of Brassard's Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3. Concrete Combinatorial-Algebraic Systems . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. The Basic Computational Algebra Problem . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5. Cryptographic Version of Ideal Membership . . . . . . . . . . . . . . . . . . . . .
6. Linear Algebra Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7. Designing a Secure System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

103
104
105
105
109
111
112
112
113
114

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

117

1. Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2. Elliptic Curve Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3. Elliptic Curve Analogues of Classical Number Theory Problems . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4. Cultural Background: Conjectures on Elliptic Curves
and Surprising Relations with Other Problems . . . . . . . . . . . . . . . . . . .
5. Hyperelliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6. Hyperelliptic Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

117
129
131
136
137
139

139
144
148
148
154

Appendix. An Elementary Introduction to Hyperelliptic Curves

by Alfred J. Menezes, Yi-Hong Wu, and Robert J. Zuccherato

1.
2.
3.
4.

. . . . . . . . . . 155

Basic Definitions and Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Polynomial and Rational Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Zeros and Poles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Contents

IX

5. Representing Semi-Reduced Divisors . . . . . . . . . . . . . . . . . . . . . . . . . .

6. Reduced Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7. Adding Reduced Divisors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

169
171
172
178

... .................. . ................. ...

179

Answers to Exercises
Bibliography

193

Subject Index

201

Chapter 1. Cryptography

Broadly speaking, the term cryptography refers to a wide range of security issues
in the transmission and safeguarding of information. Most of the applications of
algebra and number theory have arisen since 1976 as a result of the development
of public key cryptography.
Except for a brief discussion of the history of private key cryptography (pre1976), we shall devote most of this chapter to the (generally more interesting)
questions that arise in the study of public key cryptosystems. After discussing
the idea of public key cryptography and its importance, we next describe certain
prototypical public key constructions.

1.

Early History

A cryptosystem for message transmission means a map from units of ordinary

text called plaintext message units (each consisting of a letter or block of letters)
to units of coded text called ciphertext message units. The idea of using arith
metic operations to construct such a map goes back at least to the Romans. In
modem terminology, they used the operation of addition modulo N, where N is
the number of letters in the alphabet, which we suppose has been put in one-to-one
correspondence with ZINZ. For example, if N 26 (that is, messages are in the
usual Latin alphabet, with no additional symbols for punctuation, numerals, capital
letters, etc.), the Romans might encipher single letter message units according to
the formula C = P + 3 (mod 26). This means that we replace each plaintext letter
by the letter three positions farther down the alphabet (with the convention that
X >-+ A, Y >-+ B, Z >-+ C). It is not hard to see that the Roman system - or in
fact any cryptosystem based on a permutation of single letter message units - is
easy to break.
In the 16th century, the French cryptographer Vigenere invented a variant on
the Roman system that is not quite so easy to break. He took a message unit
to be a block of k letters - in modem terminology, a k-vector over ZlNZ. He
then shifted each block by a "code word" of length k; in other words, his map
from plaintext to ciphertext message units was translation of (ZINZ)k by a fixed
vector.
Much later, Hill [1931] noted that the map from (ZINZ)k to (ZINZ)k given
by an invertible matrix with entries in ZINZ would be more likely to be secure
=

Chapter 1. Cryptography

than Vigenere's simple translation map. Here "secure" means that one cannot
easily figure out the map knowing only the ciphertext. (The Vigenere cipher, on
the other hand, can easily be broken if one has a long string of ciphertext, by
analyzing the frequency of occurrence of the letters in each arithmetic progression
with difference k. It should be noted that, even though the Hill system cannot
be easily broken by frequency analysis, it is easy to break using linear algebra
modulo N if you know or can guess a few plaintext/ciphertext pairs.)
For the most part, until about 20 years ago only rather elementary algebra and
number theory were used in cryptography. A possible exception was the use of
shift register sequences (see [Golomb 1982] and Chapter 6 and 9.2 of [Lidl and
Niederreiter 1986]).
Perhaps the most sophisticated mathematical result in cryptography before the
1970's was the famous theorem of information theory [Shannon 1949] that said,
roughly speaking, that the only way to obtain perfect secrecy is to use a one-time
pad. (A "one-time pad" is a Vigenere cipher with period k = oo.)
The first harbinger of a new type of cryptography seems to have been a passage
in a book about time-sharing systems that was published in 1968 [Wilkes 1968,
p. 91-92]. In it, the author describes a new one-way cipher used by R. M. Needham
in order to make it possible for a computer to verify passwords without storing
information that could be used by an intruder to impersonate a legitimate user.
In Needham's system, when the user first sets his password, or whenever
he changes it, it is immediately subjected to the enciphering process, and
it is the enciphered form that is stored in the computer. Whenever the
password is typed in response to a demand from the supervisor for the user's
identity to be established, it is again enciphered and the result compared
with the stored version. It would be of no immediate use to a would-be
malefactor to obtain a copy of the list of enciphered passwords, since he
would have to decipher them before he could use them. For this purpose, he
would need access to a computer and even if full details of the enciphering
algorithm were available, the deciphering process would take a long time.
In [Purdy 1974] the first detailed description of such a one-way function was
published. The original passwords and their enciphered forms are regarded as
integers modulo a large prime p, and the "one-way" map from 'l../p'l.. to 'l../p'l..
is given by a polynomial f (x) which is not hard to evaluate by computer but
which takes an unreasonably long time to invert. Purdy used p 264 - 59 and
(
7
J x) x224+1 + a1x224+3 + a2x3 + a3x2 + a4x + a5, where the coefficients a, were
arbitrary 19-digit integers.
=

2.

The Idea of Public Key Cryptography

Until the late 1970's, all cryptographic message transmission was by what can
be called private key. This means that someone who has enough information to
encrypt messages automatically has enough information to decipher messages as

2. The Idea of Public Key Cryptography

well. As a result, any two users of the system who want to communicate secretly
must have exchanged keys in a safe way, e.g., using a trusted courier.
The face of cryptography was radically altered when Diffie and Hellman in
vented an entirely new type of cryptography, called public key [Diffie and Hellman
1976]. At the heart of this concept is the idea of using a one-way function for
encryption.
Definition 2.1. Speaking informally, we say that a one-to-one function f : X -+ Y
is "one-way" if it is easy to compute f(x) for any x E X but hard to compute
f-1 (y) for most randomly selected y in the range of f . *
The functions used for encryption belong to a special class o f one-way func
tions that remain one-way only if some information (the "decryption key") is kept
secret. Again using informal terminology, we can define a public key encryption
function (also called a "trapdoor" function) as a map from plaintext message units
to ciphertext message units that can be feasibly computed by anyone having the
so-called "public" key but whose inverse function (which deciphers the ciphertext
message units) cannot be computed in a reasonable amount of time without some
additional information (the "private" key).

This means that everyone can send a message to a given user using the same
enciphering key, which they simply look up in a public directory. There is no need
for the sender to have made any secret arrangement with the recipient; indeed, the
recipient need never have had any prior contact with the sender at all.
It was the invention of public key cryptography that led to a dramatic expansion
of the role of algebra and number theory in cryptography. The reason is that this
type of mathematics seems to provide the best source of one-way functions. Later
we shall discuss the most important examples.
A curious historical question is why public key cryptography had to wait until
1976 to be invented. Nothing involved in the idea of public key cryptography or
the early public key cryptosystems required the use of 20th century mathematics.
The first public key cryptosystem to be used in the real world - the RSA system
(see below) - uses number theory that was well understood by Euler. Why had
it not occurred to Euler to invent RSA and offer it to the military advisers of
Catherine the Great in gratitude for her generous support for the Russian Imperial
Academy of Sciences, of which he was a member?
A possible reason for the late development of the concept of public key is
that until the 1970's cryptography was used mainly for military and diplomatic
purposes, for which private key cryptography was well suited. However, with the
increased computerization of economic life, new needs for cryptography arose. To
cite just one obvious example, when large sums of money are transferred electro
nically, one must be able to prevent white-collar thieves from stealing funds and
*

In some situations one wants a one-way function to have a stronger property, namely,

that it is hard to compute any partial information about

an odd or even number) for most randomly selected y.

f-1 (y)

(for instance, whether it is

Chapter 1. Cryptography

nosy computer hackers (or business competitors) from monitoring what others are
doing with their money. Another example of a relatively new use for cryptogra
phy is to protect the privacy of data (medical records, credit ratings, etc.). Unlike
in the military or diplomatic situation - with rigid hierarchies, long-term lists of
authorized users, and systems of couriers - in the applications to business trans
actions and data privacy one encounters a much larger and more fluid structure
of cryptography users. Thus, perhaps public key cryptography was not invented
earlier simply because there was no real need for it until quite recently.
Another reason why RSA was not likely to have been discovered in Euler's
time is that in those days all computations had to be done by hand. To achieve
an acceptable level of security using RSA, it would have been necessary to work
with rather large integers, for which computations would have been cumbersome.
So Euler would have had difficulty selling the merits of RSA to a committee of
skeptical tsarist generals.
In practice, the great value of public key cryptography today is intimately
connected with the proliferation of powerful computer technology.
2.1 Tasks for Public Key Cryptography

The most common purposes for which public key cryptography has been applied
are:
(1) confidential message transmission;
(2) authentication (verification that the message was sent by the person claimed
and that it hasn't been tampered with), often using hash functions (see 3.2)
and digital signatures (see 3.3); password and identification systems (proving
authorization to have access to data or a facility, or proving that you are who
you claim to be); non-repudiation (guarding against people claiming not to have
agreed to something that they really agreed to);
(3) key exchange, where two people using the open airwaves want to agree
upon a secret key for use in some private key cryptosystem;
(4) coin flip (also called bit commitment); for example, two chess players in
different cities want to determine by telephone (or e-mail) who plays white;
(5) secret sharing, where some secret information (such as the password to
launch a missile) must be available to k subordinates working together but not to
k- 1 of them;
(6) zero knowledge proof, where you want to convince someone that you have
successfully solved a number-theoretic or combinatorial problem (for example,
you have found the square root of an integer modulo a large unfactored integer, or
you have 3-colored a map) without conveying any knowledge whatsoever of what
the solution is.
These tasks are performed through various types of protocols. The word "pro
tocol" simply means an orderly procedure in which people send messages to one
another.
In 3-5 we shall describe several usable cryptosystems that perform one or
more of the above tasks. We should caution the reader that the cryptosystems

3. The RSA Cryptosystem

described in this book are primitives. In cryptography the term "primitive" means
a basic ingredient in a cryptosystem. In order to construct a practical system one
generally has to modify and combine these primitives in a careful way so as to
simultaneously achieve various objectives related to security and efficiency. For
the most part we shall not deal with the practical issues that arise when one
does this. The best general reference for such issues is the Handbook of Applied
Cryptography [Menezes, van Oorschot, and Vanstone 1996].
2.2 Probabilistic Encryption

Most of the number theory based cryptosystems for message transmission are de
terministic, in the sense that a given plaintext will always be encrypted into the
same ciphertext by anyone. However, deterministic encryption has two disadvan
tages: (1) if an eavesdropper knows that the plaintext message belongs to a small
set (for example, the message is either "yes" or "no"), then she can simply encrypt
all possibilities in order to determine which is the supposedly secret message; and
(2) it seems to be very difficult to prove anything about the security of a system
if the encryption is deterministic. For these reasons, probabilistic encryption was
introduced in [Goldwasser and Micali 1982, 1984]. We shall later (in Chapter 5
and 2.2 of Chapter 6) see examples of probabilistic encryption.
On the negative side, probabilistic encryption systems sometimes are vulner
able to so-called adaptive chosen-ciphertext attack (see Exercise II of 3 of
Chapter 5 and Exercise 6 of 2 of Chapter 6).
We shall next discuss two particularly important examples of public key cryp
tosystems - RSA and Diffie-Hellman!DSA. Both are connected with fundamental
questions in number theory - factoring integers and discrete logarithms, respective
ly. Although the systems can be modified to perform most or all of the six tasks
listed above, we shall describe protocols for only a few of these tasks (message
transmission in the case of RSA, and key exchange and digital signature in the
case of Diffie-Hellman).

3.

The RSA Cryptosystem

3.1 Encryption

Suppose that we have a large number of users of our system, each of whom
might want to send a secret message to any one of the other users. We shall
assume that the message units m have been identified with integers in the range
0 ::; m < N. For example, a message might be a block of k letters in the Latin
alphabet, regarded as an integer to the base 26 with the letters of the alphabet as
digits; in that case N 26k . In practice, in the RSA system N is a number of
between about 200 and 600 decimal digits.
=

Chapter l. Cryptography

Each user A (traditionally named Alice) selects two extremely large primes p
and q whose product n is greater than N. Alice keeps the individual primes secret,
but she publishes the value of n in a directory under her name. She also chooses
at random an exponent e which must have no common factor with p- 1 or q - 1
(and probably has the same order of magnitude as n), and publishes that value
along with n in the directory. Thus, her public key is the pair (n, e).
Suppose that another user B (Bob) wants to send Alice a message m. He looks
up her public key in the directory, computes the least nonnegative residue of m e
modulo n, and sends Alice this value (let c denote this ciphertext value). Bob can
perform the modular exponentiation c = m e (mod n) very rapidly (see Example
3.5 of Chapter 2).
To decipher the message, Alice uses her secret deciphering key d, which is
any integer with the property that de = 1 (mod p- 1) and de = 1 (mod q - 1).
She can find such a d easily by applying the extended Euclidean algorithm to
the two numbers e and l.c.m.(p- 1, q - 1) (see Example 3.4 of Chapter 2; here
"l.c.m." means "least common multiple"). One checks (see Exercise 1 below) that
if Alice computes the least nonnegative residue of cd modulo n, the result will be
the original message m.
What would prevent an unauthorized person C (Catherine) from using the
public key (n, e) to decipher the message? The problem for Catherine is that
without knowing the factors p and q of n there is apparently no way to find a
deciphering exponent d that inverts the operation m >--+ me (mod n). Nor does there
seem to be any way of inverting the encryption other than through a deciphering
exponent. Here I use the words "apparently" and "seem" because these assertions
have not been proved. Thus, one can only say that apparently breaking the RSA
cryptosystem is as hard as factoring n.
3.2 Hash Functions

Before discussing digital signatures, it is necessary to explain what a hash function

is. Suppose that we are sending a message containing l symbols, and we would
like our signature to be much shorter - say, about k symbols. Here is an informal
definition of "hash".
Definition 3.1. A function H(x) from the set of l symbols to the set of k symbols
is called a hash function if H(x) is easy to compute for any x, but
1) no one can feasibly find two different values of x that give the same H(x)
("collision resistant"); and
2) given y in the image of H, no one can feasibly find an x such that H(x) y
("preimage resistant").
=

Much research has been devoted to both the theory and practical implementa
tion of hash functions. We shall not dwell on this. In practice it is not very hard
to find a function that satisfies the properties in Definition 3 .1.
One of the main uses of a hash function is in digital signatures. Suppose that
Bob sends Alice a long message x of l symbols. Both Alice and Bob are using the

3. The RSA Cryptosystem

same hash function - and, in fact, there is no need for them to keep it secret from
their adversary Catherine. After Bob sends Alice the message x, he appends the
hash value H(x). Alice would like to be certain that it was really Bob who sent
the message x, and that Catherine did not alter his message before Alice received
it. Suppose that she can somehow be certain that at least the appended H(x) really
did come from Bob. In that case all she has to do is apply the hash function to the
message she received. If it agrees with H(x), then she is happy: she knows that
Catherine could not feasibly have tampered with x in such a way as to produce a
distorted message x' such that H(x') H(x). The problem that remains is how
Alice can be sure that H(x) really came from Bob.
=

3.3 Signature

Here is how the last problem - how to be certain that H(x) really came from
Bob - can be solved using RSA. For convenience, choose k so that messages
of length k are just small enough to make up one message unit; if the 26-letter
Latin alphabet is being used, then k is the same as at the beginning of 3.1. After
sending the message x, Bob computes the hash value H
H(x). He does not
simply send H to Alice, but rather first raises it to the power of his deciphering
exponent dsob modulo nsob Then Bob sends Alice the whole message x with
H' Hd""' (mod nsob) appended, using Alice's enciphering exponent eAlice and
her modulus nAlice That is, he sends
=

( Hdsob

(mod nsob) ) eAJ"' (mod nAlice) ,

where the notation a (mod n) denotes the least nonnegative residue of a modulo
n. After Alice deciphers the message, she takes the last message unit (which will
look to her like gibberish rather than an intelligible plaintext message unit) and
raises it to the power of Bob's enciphering exponent esob modulo nsob in order
to recover H. She then applies the hash function to the message, and verifies that
the result coincides with H. Here the crucial observation is that Alice knows that
only Bob would know the exponent that is inverted by raising to the e80b-th power
modulo nsob Thus, she knows that it really was Bob who sent her H. She also
knows that it was he who sent the message x, which she received without any
tampering.
It should be noted that this RSA signature has two other features besides simply
allowing Alice to verify that it was in fact Bob who sent the message. In the first
place, because the appended segment H' was encrypted along with the rest of
the message, Bob's privacy is preserved; from the ciphertext an eavesdropper will
not be able to find out who sent the message. In the second place, the signature
ensures non-repudiation; that is, Bob cannot subsequently deny having sent the
message.

4.

Chapter 1. Cryptography

Diffie-Hellman and the Digital Signature Algorithm

The second landmark example of a public key cryptographic system is based on

the discrete logarithm problem. First we define this problem.
(7!../p7!..) *
{1, 2, ... ,p - 1} denote the multiplicative group of
Let JF;
integers modulo a prime p. (This group will be treated in more detail in 2 of
Chapter 3.) Let g E JF; be a fixed element (our "base"). The discrete log problem
in JF; to the base g is the problem, given y E JF;, of determining an integer x such
that y gx (if such x exists; otherwise, one must receive an output to the effect
that y is not in the group generated by g).
=

4.1 Key Exchange

The Diffie-Hellman key exchange works as follows. Suppose that Alice and Bob
want to agree upon a large integer to serve as a key for some private key cryp
tosystem. This must be done using open communication channels - that is, any
eavesdropper (Catherine) knows everything that Alice sends to Bob and every
thing that Bob sends to Alice. Alice and Bob first agree on a primep and a base
element g in JF;. This has been agreed upon publicly, so that Catherine also has
this information at her disposal. Next, Alice secretly chooses a random positive
integer kAlice <p (of about the same magnitude asp), computes the least positive
residue modulo p of gkA"'' (see Example 3.5 of Chapter 2), and sends this to Bob.
k
Meanwhile, Bob does likewise: he sends g aob E JF; to Alice, while keeping ksob
secret. The agreed upon key will then be the integer

lAhcokaob

JF; {1, 2,
=

.,. ,p- 1} ,

which Bob can compute by raising the integer he received from Alice to his secret
ksob-power modulo p, and Alice can compute by raising the integer she received
from Bob to the kAlice-power modulop. This works because in JF; we have

The problem facing the adversary Catherine is the so-called Diffie-Hellman

problem: Given g , gkA, gka E JF;, find gkAka. It is easy to see that anyone who
can solve the discrete log problem in JF; can then immediately solve the Diffie
Hellman problem as well. The converse is not known. That is, it is conceivable
(though thought to be unlikely) that someone could invent a way to solve the
Diffie-Hellman problem without being able to find discrete logarithms. In other
words, breaking the Diffie-Hellman key exchange has not been proved to be equiv
alent to solving the discrete log problem (although some recent partial results
in this direction support the conjectured equivalence of the two problems; see
[Boneh and Lipton 1996]). For practical purposes it is probably safe to assume
that the Diffie-Hellman key exchange is secure provided that the discrete logarithm
problem is intractable.

4. Diffie-Hellman and the Digital Signature Algorithm

4.2 The Digital Signature Algorithm (DSA)

In 1991 the U.S. government's National Institute of Standards and Technology

(NIST) proposed a Digital Signature Standard (DSS) based on a certain Digital
Signature Algorithm (DSA). The role of DSS is expected to be analogous to that
of the older Data Encryption Standard (DES): it is supposed to provide a standard
digital signature method for use by government and commercial organizations.
But while DES is a classical ("private key") cryptosystem, in order to construct
digital signatures it is necessary to use public key cryptography. NIST chose to
base their signature scheme on the discrete log problem in a prime finite field IFP.
The DSA is very similar to a signature scheme that was originally proposed in
[Schnorr 1990]. It is also similar to a signature scheme in [E!Gamal 1985a]. We
now describe how the DSA works.
To set up the scheme (in order later to be able to sign messages), eac h user
Alice proceeds as follows:
1) she chooses a prime q of about 160 bits (to do this, she uses a random number
generator and a primality test);
2) she then chooses a second prime p that is = 1 (mod q) and has about 500 bits
(more precisely, the recommended number of bits is a multiple of 64 between
512 and 1024);
3) she chooses a generator g of the unique cyclic subgroup of IF; of order q

(she does this by computing g -l)/q (mod p) for a random integer g0; if this
number is not equal to 1, it will be a generator);
4) she takes a random integer x in the range 0 < x < q as her secret key, and
sets her public key equal to y gx (mod p).
=

Now suppose that Alice wants to sign a message. She first applies a hash
function to her plaintext (see 3.2), obtaining an integer H in the range 0 < H < q.
She next picks a random integer k in the same range, computes gk (mod p), and
sets r equal to the least nonnegative residue modulo q of the latter number (that is,
gk is first computed modulo p, and the result is then reduced modulo the smaller
prime q). Finally, Alice finds an integer s such that sk = H + xr (mod q). Her
signature is then the pair (r, s) of integers modulo q.
To verify the signature, the recipient Bob computes u1
s-1 H (mod q) and
u2
s-1r (mod q). He then computes gu' yu' (mod p). If the result agrees modulo
q with r, he is satisfied. (See Exercise 2 at the end of the chapter.)
This signature scheme has the advantage that signatures are fairly short, consist
ing of two numbers of 160 bits (the magnitude of q). On the other hand, the security
of the system seems to depend upon intractability of the discrete log problem
in the multiplicative group of the rather large field IFp Although to break the
system it would suffice to find discrete logs in the smaller subgroup generated by
g, in practice this seems to be no easier than finding arbitrary discrete logarithms
in IF;. Thus, the DSA seems to have attained a fairly high level of security without
sacrificing small signature storage and implementation time.
=

10

Chapter 1 . Cryptography

There is a variant of DSA using elliptic curves that might be even harder to
break than the finite-field DSA described above. This elliptic curve version will
be discussed in Chapter 6.
5. Secret Sharing, Coin Flipping,
and Time Spent on Homework
5.1 Secret Sharing

Suppose that you want to give enough information to a group of people so that
a secret password - which we think"of as an integer N- can be determined by
any group of k of them; but if only k - I collaborate, they won't get anywhere.
Here is a way to do this. Choose an arbitrary point P = ( x1 , . . . , x k ) in the
Euclidean space IR\ where the x; are integers and x1 = N. Give each person
in the group a single linear equation in k variables that is satisfied by P. Each
equation determines a hyperplane in IRk that contains P. Choose your equations
so that any k of them are linearly independent. (In other words, the coefficient
matrix of any k of the equations has nonzero determinant.) Then any k people can
solve the corresponding k x k system of linear equations for the point P. But k- I
equations determine a line, and so give no information about the first coordinate
of P. (Here we're assuming that the line is not contained in the first coordinate
hyperplane; a judicious choice of the linear equations will guarantee this.)
Another method of secret sharing is to choose a prime p for each person, and
give him or her the value of the least nonnegative residue of N modulo p. N must
be in a range where it can be uniquely recovered (using the Chinese Remainder
Theorem, see Exercise 9 in 3 of Chapter 2) from its set of remainders modulo p
for k values of p, but not from its remainders for k - I values of p.
5.2 Bit Commitment

Suppose that Alice and Bob want to decide who gets a certain advantage - for
example, who gets to play white in a chess match, or whose city gets to be the
home team for the volleyball championship game. They can determine this by
flipping a coin, provided that they are in the same physical location and both trust
the fairness of the coin. Alternatively, they can "shoot fingers" - again, supposing
that they are in the same place. That is, one of them (say, Alice) calls out "evens".
Then they simultaneously throw out either one or two fingers. If the sum of the
fingers is even (in other words, 2 or 4), then Alice wins. If the sum of the fingers
is odd (in other words, 3), then Bob wins.
A cryptographic problem arises when Alice and Bob are far away from one
another, and when they must act sequentially rather than at the same instant. In
that case they need a procedure for bit commitment.

 5 . Secret Sharing, Coin Flipping, and Time Spent on Homework

11

Definition 5.1. A bit commitment protocol is a procedure whereby Alice puts a

secret bit (that is, either 0 or I) in an "envelope", to be revealed after Bob guesses
which bit it is. Bob must not be able to increase his odds of guessing the right bit
beyond 50%, and Alice must not be able to change the bit after she puts it in the
"envelope".
Here is an example of a bit commitment protocol. Suppose that Alice and
Bob each have a "machine" that takes in a string of m bits and outputs a string
of n bits. The machine should be constructed so as to be rather complicated, for
all practical purposes operating much like a random function from { 0, 1} m to
{ 0, 1 } n . For instance, the machine might be a large Boolean circuit made up of
and-gates, or-gates, and not-gates. After constructing their circuits, Alice and Bob
each send the other a copy of his or her circuit. Next, Alice secretly chooses a
random sequence of m bits. She puts the sequence through both her and Bob's
circuits, and adds the resulting vectors modulo 2 (this is called the XOR operation,
denoted EB: 0 EB 0 = I EB 1 = 0 and 0 EB 1 = 1 EB 0 = 1). She sends the sum to Bob.
Bob now tries to guess the parity of her input, that is, whether there were an odd
or even number of 1 's in it. If he guesses incorrectly, Alice must prove to him that
he is wrong by revealing her input - at which point Bob can verify that the XOR
of the outputs of the two circuits is in fact what Alice sent him before. That is,
the message that Alice sent him prevents her from changing her input after Bob
guesses its parity.
Note that one needs certain conditions in order for this Boolean circuit protocol
to be a fair bit commitment scheme. The circuits must be complicated enough so
that (1) Bob cannot somehow invert them and recover the input, and (2) Alice
cannot find two different inputs of opposite parity that lead to the same output.
(Compare with the two properties in Definition 3 .1.)
5.3 Concealing Information

'Suppose that a teacher wants to find out the average number of hours per week
that the students are spending on homework. If each student were asked to reveal
this number, there would be many distorted answers, for at least two reasons. First,
those who devote hardly any time to their homework might not want the teacher
to know this. Second, those who spend a lot of time on their homework might not
want the other children to know, for fear of seeming odd - a "nerd" or "teacher's
pet".* Note that the teacher is interested in knowing only the average, not any of
the individual values.
Here is a procedure for determining the average while concealing all individual
values. Starting with Alice, the children form a chain going around the classroom
and finally returning to Alice. Alice secretly chooses a number at random, adds to
* The second reason, which is based on the psychology of American children, might
not apply in countries where children do not grow up surrounded by an anti-intellectual
popular culture.

12

Chapter 1 . Cryptography

it her figure for the number of hours she spends on homework, and whispers the
sum to the second student (Beatrice). Beatrice adds her number of hours to the
number she received from Alice, and whispers the sum to Catherine. Catherine
adds the number of hours she spends on homework and passes the sum to the
next child, and so on. Finally, the sum is passed back to Alice, who subtracts her
secret number and reveals the result. The teacher divides this total by the number
of students to find the average. No one has learned anyone else's individual value,
but everyone knows the average.

6. Passwords, Signatures, and Ciphers

Public key cryptosystems for passwords, for signatures, and for encryption all use
one-way functions, but in somewhat different ways. Roughly speaking, any one
way function can be used for passwords, whereas encryption requires the presence
of a "trapdoor". Signatures are somewhere in between. We now explain this.
Recall how a password system works (see the end of 1). Let x >---> y = f(x) be
a function that is easy to compute but computationally impossible to invert - that
is, in practice it is not feasible to compute the inverse function g = f-1 Users'
passwords are values of x in the domain of the function f(x). To keep the list
of passwords out of the hands of intruders (hackers), the computer does not store
these passwords x. Rather, under each user's name it stores the value f(x) that is
obtained by applying the function f to her password x. Any time she wants to log
in, she types her password x. The computer calculates f(x), matches it with the
f(x) under her name, grants her access to the system, and then deletes any record
of x .
Encryption also uses a one-way function f. This function goes from plaintext
message units x to ciphertext message units y, and it depends on the addressee's
encryption key. However, not any one-way function f will work. One needs to
use an f that is a one-way function from the perspective of the general public,
but is a two-way function (that is, both f and its inverse g = f- 1 are easy to
compute) from the perspective of the addressee, who has an additional piece of
information, namely, the decryption key. In the case of RSA, for example, the
additional information can be either a decryption exponent or the factorization of
the modulus n (from which a decryption exponent can easily be found). That is, a
trapdoor one-way function is a function whose one-way status depends on keeping
some piece of information secret. There are many one-way functions - for example,
Purdy's polynomial from lFP to lFP at the end of 1 that are not trapdoor one-way
functions, because even the creators of the system have no advantage over anyone
else in inverting the function. That is, there's no additional amount of information
that anyone knows that could give a method for finding x = f-1 (y).
For a signature system one needs something more than for a password system,
but not a full trapdoor in the sense of the last paragraph. We want a procedure for
Alice to verify that the message m that she received, supposedly from Bob, really
did come from Bob. Bob wants to convince her that only he could have sent her
-

7. Practical Cryptosystems and Useful Impractical Ones

13

the message. Let H(m) be the "hashed message". This is a much shorter sequence
of symbols. The function H must have the property that it is computationally
impossible in practice to find two different messages m and m' such that H(m) =
H(m'). In addition, given a y in the image of H, it must not be feasible to find a
message m such that H(m) = y. The hash function H is publicly known - anyone
can compute H(m) for any message m.
Let y = f(x) be a function that is defined implicitly, in the sense that for any
given x and y it is easy to verify whether or not y = f(x). (This notion is familiar
from calculus - for example, the equation exy = y x defines a curve p assing
through the point (0, 1), and near x = 0 it gives a single-valued function of x, but
this function y = j(x) cannot be expressed in closed form.) Suppose that Alice
knows that only Bob has an additional piece of information needed to compute
the inverse function x = g(y). Then if Bob sends Alice the value H' = g(H(m)),
she can verify that H(m) = j(H'), even though she might not have been able to
compute J(H') and certainly could not have computed g(H(m)). That is, all Alice
has to do to become convinced that Bob sent the message m (and that m was not
tampered with before she received it) is to verify that H(m) = j(H').
To summarize, for a password system we need a function that is easy in one
direction and impossible in the other direction. For an encryption system we need
a function that is easy in one direction and impossible in the inverse direction
unless we know an additional secret piece of information, in which case it is
easy in both directions. For a signature system our function f is impossible in
the inverse direction unless we know an additional secret piece of information (in
which case it is easy in that direction), and it must be easy to verify whether or
not y = f(x) for any given x and y.
In the case of RSA, the one-way function that we used for signatures was
the same as the one-way function that we used for encryption. However, in some
situations it might be advantageous to use a one-way function for signatures that
does not satisfy the more stringent requirements for encryption. We shall give an
example in 3 of Chapter 4.
-

7. Practical Cryptosystems and Useful Impractical Ones

7.1 Criteria for a Cryptosystem to be Practical

The most obvious quality one looks for in a cryptosystem is security. That is, it
must not be feasible for an adversary to break the system. In 5 of Chapter 2 we
give a more precise definition of what it means to break (or "crack") a cryptosys
tem. The science (or art) of trying to break cryptosystems is called cryptanalysis.
One can never be sure - in the sense of a rigorous mathematical proof - that
a public key cryptosystem cannot feasibly be broken. The best one can hope for
is to have a large amount of empirical evidence that
1) the system cannot be cracked without solving a certain mathematical problem,
and

14

Chapter 1. Cryptography

2) there is no method that anyone knows for solving this mathematical problem
in a reasonable length of time, provided that certain conditions are met.
For example, in the case of RSA (1) it is widely believed that there is no way to
break the system without factoring the modulus n; and (2) none of the state-of
the-art factoring algorithms and computer facilities can factor a suitably chosen n
in a reasonable length of time if n has at least 200 digits.
But one has to be cautious. Sometimes attacks are found that might com
promise the cryptosystem without solving the mathematical problem directly. For
example, it turns out that one can sometimes get valuable information by sim
ply timing how long Alice's computer takes to perform the steps in RSA or some
other system (see [Kocher 1996]). Moreover, some implementations of supposedly
secure cryptosystems have been broken because the designers had "cut comers".
In addition, we have to be sure that condition 2) above holds not simply because
few people have attempted to solve the problem. A cryptosystem should be based
on a problem that has been widely studied both theoretically and computationally.
One of the main reasons for the popularity of RSA and the confidence that people
have in it is that its security is based on a famous problem that has interested
mathematicians for centuries and has been seriously studied for decades - integer
factorization.
A second basic practicality issue is efficiency. For instance, one might want
to send vast amounts of encrypted data in just a few seconds. In general, public
key systems for message encryption are much slower than private key systems.
They are fast enough when the message is not extremely long. Even in cases
when the volume of data is great and one needs a private key system, public key
cryptography is extremely useful in exchanging and managing the keys for such
a system.
Besides speed of operation, one might also be interested in economy of space.
For instance, so-called smart cards have very limited memory. This means that it
is desirable to have public key cryptosystems that (1) use fairly simple algorithms
that can be built into a small chip and (2) only need keys of relatively small bit
length. It is for this reason that elliptic curve cryptosystems have been proposed for
such purposes (see Chapter 6). In the case of digital signatures, some of the hidden
monomial cryptosystems (see Chapter 4) might have a similar advantage. If all
known algorithms for breaking a given cryptosystem require fully exponential time
(see Chapter 2) - this is the case for the elliptic curve and the hidden monomial
systems - then one is likely to be able to use short keys while maintaining a high
level of security.
In addition, it is important to have a reasonably efficient algorithm for gen
erating keys. In cases when virtually any random integer in a certain range will
suffice, this is relatively easy. However, if the integers (or other mathematical
objects) needed for the keys must satisfy some additional properties, then we
must put some thought into creating efficient and reliable algorithms that generate
possible keys and test them for suitability.

7 . Practical Cryptosystems and Useful Impractical Ones

15

A final remark should be made on the question of security. Security is a relative

notion. A cryptosystem that is secure for certain purposes (e.g., keeping a message
private for a few hours until it can become public knowledge) might not be secure
if the demands are more stringent (keeping information confidential for the next
25 years). A cryptosystem that cannot be broken using our present-day knowledge
and technology might succumb to cryptanalysts in the 23rd century or to advanced
extraterrestrial mathematicians from a distant star system.
In the other direction, a cryptosystem that would never win the respect of a
professional cryptographer might be quite secure in the face of adversaries who
do not have advanced mathematical training. Such a system could be used, for
example, in children's games and high school math clubs. An example is given in
the exercises below.
7.2 The "Unreasonable Effectiveness" of Theory

In a famous article Eugene Wigner wrote that

. . . the enormous usefulness of mathematics in the natural sciences is so
mething bordering on the mysterious and ... there is no rational explanation
for it. [Wigner 1960]
Wigner was speaking primarily of physics, but a similar observation could be made
about some other branches of science, in particular cryptography.
For example, the study of complexity classes (see Chapter 2) is part of theo
retical computer science - that is, essentially it is a branch of pure mathematics.
It is almost miraculous - in the sense that Wigner uses the term - that it has
much to say about practical matters. For instance, the notion of a "polynomial
time" problem is fundamental in complexity theory (see Definition 4.1 of Chapter
2). However, there is no a priori reason why a polynomial time problem should
be easier to solve in practice than a problem that is not polynomial time. For
instance, suppose that the best algorithm we know for the problem P1 has running
time of order Cn50 , where n is the length of the input (the number of symbols in
the input) and C is a constant; and suppose that the best algorithm we know for
another problem P2 has running time of order Cn1" n . Then P1 is a polynomial
time problem, whereas Pz might not be. Nevertheless, we can solve Pz much faster
than P1 , unless the input involves more than a billion trillion symbols. Of course,
if n ::::: 102 1 , then both algorithms will be completely impractical. Thus, for all
practical purposes P2 is much easier to solve than the polynomial time problem
Pt .
It is curious that the situation just described almost never occurs. Almost all of
the polynomial time problems one encounters in practice have algorithms whose
running times are very reasonable - they are bounded by Cnk with k small (usually
2, 3 or 4) and C not too large. The theoretical class of polynomial time problems
seems to include a large proportion of the problems of practical interest that can
be quickly solved on today's computers, and seems to include very few problems
that cannot be. (See 4.2 of Chapter 2 for more discussion of this point.)

16

Chapter l . Cryptography

A second example of the "unreasonable effectiveness" of theory is that ancient

topics in number theory - the distribution of prime numbers and the factoring of
composite numbers - are at the heart of the most popular practical public key
cryptosystem, RSA. Elliptic curve cryptography provides a third example of the
unexpected connections between practical questions and areas of basic research
that were once thought to be "math for math's sake" (see especially 3 of Chapter
6). Elliptic curves have a rich history in number theory, particularly in the branch
known as arithmetic algebraic geometry. This history reached its culmination
when Andrew Wiles stunned the mathematical world with a proof of Fermat's
Last Theorem based on an elaborate study of the properties of these curves. Wiles'
work is a purely intellectual achievement, without practical consequences as far
as anyone knows. It is remarkable that the same mathematical objects that Wiles
worked with can also be used to construct what many think are among the most
efficient and secure public key cryptosystems.
7.3 The Need for Impractical Cryptography

From a narrow point of view an idea for a cryptosystem is worthless unless the
necessary conditions discussed in 7.1 are satisfied. That is, one must have algo
rithms to set up the system (generate keys) that all but guarantee unbreakability and
algorithms to implement the cryptographic procedures that are at least as efficient
as those of competing systems.
Moreover, one who adheres to this restrictive viewpoint can argue that there
is no real need for a large number of cryptosystems. In fact, in the real world it is
preferable to reach a consensus favoring a small selection of the best available sys
tems. In practice, the way this works is that the leading professional organizations
adopt a formal set of "standards". Such standards are a necessity if one wants a
high level of quality control and interoperability. One can argue that cryptographic
research is worthwhile only insofar as it will ultimately lead to an improved set
of standards or additional standards for newly developed cryptographic purposes.
But one can also look at cryptography from a broader perspective. The subject
is closely connected with other areas of science, such as (l) computational math
ematics, (2) complexity theory, and (3) the theory of games. A cryptographic idea
that may never lead to a new standard in practical cryptography might nonetheless
be worth thinking about because:
1) it might give rise to some interesting questions in theoretical mathematics, and

give mathematicians a new slant on old theories;

2) it might shed light on the interrelationships between complexity classes, and
suggest new directions of research in theoretical computer science;
3) it might provide a natural and entertaining way to popularize mathematics and
computer science among the general public;
4) it might lead to an effective teaching tool to use with children.
In connection with 3) and 4), we make the following definition.

7. Practical Cryptosystems and Useful Impractical Ones

17

Definition 7.1. Kid Krypto i s the development o f cryptographic ideas that are

accessible and appealing (and moderately secure) to those who do not have
university-level mathematical training.
See Exercise 4 below for "kid-RS'; for more examples and discussion see
[Fellows and Koblitz l994a] and [Koblitz 1997].

Exercises for Chapter 1

l . Suppose that p and q are distinct primes, and d and e are two positive integers
such that ed = l (mod l.c.m.(p - l , q- 1)). Let n = pq. Prove that for any integer
m one has med = m (mod n).

2. In the DSA, explain why (a) Bob expects gu1Yu' to agree modulo q with r,
and (b) if they agree, he should be satisfied that it really was Alice who sent the
message.

3. Explain in more detail how to share a secret using the Chinese Remainder
Theorem. (See Exercise 9 in 3 of Chapter 2.)
4. Suppose that the following cryptosystem is introduced among secondary school
students who have learned how to reduce numbers modulo a positive integer n
and how to convert numbers from one base to another (in particular, how to work
with blocks of letters regarded as integers to the base 26). To set up the system,
each student (Alice) chooses any two integers a and b, sets M = ab - l , then
chooses two more integers a' and b' , and finally sets
e =

'

M +a,

d=

b' M +b ,

n=

ed- I

'

b' M +ab' +a' b + I .

Her public key is (n , e), and her private key is d. To send Alice a plaintext m, one
uses the map c = e m (mod n) ; Alice deciphers the ciphertext by multiplying by
d modulo n.
(a) Verify that the decryption operation recovers the plaintext.
(b) Show how to make digital signatures.
(c) Show how the Euclidean algorithm (see 3.3 of Chapter 2) completely
breaks the system.
(d) Can you prove that the ability to crack this cryptosystem (for any choice
of a, b, a', b') implies the ability to solve the equation xr + ys = I for any two
relatively prime integers r and s? Could there be a way to crack the system without
essentially rediscovering a version of the Euclidean algorithm?
(e) Suppose that you are teaching an introductory number theory course. Ins
tead of presenting the Euclidean algorithm to students on a silver platter, you
give them the above cryptosystem, in the hope that it will give them an incentive
to discover the Euclidean algorithm on their own, and thereby better appreciate
its power and beauty. Would this work as a pedagogical method? (See [Koblitz
I997].)

Chapter 2. Complexity of Computations

1. The Big-0 Notation

Suppose that

f(n) and g(n) are functions of the positive integers n which take
n. We say that f(n) = O(g(n))
(or simply f = O(g)) if there exists a constant C such that f(n) is always less
than C g(n). For example, 2n2 + 3n - 3 = 0( n2 ) (namely, it is not hard to prove
that the left side is always less than 3n2 , so 3 can be chosen as the constant C in

positive (but not necessarily integer) values for all

the definition).
In practice, when we use the big-0 notation we do not care about what the
functions f and g are like for small values of n. For this reason, we shall actually
make a somewhat broader definition of the notation.

Definition 1.1. Suppose that for all n ;::: n0 the two functions f(n) and g(n)
are defined, take positive values, and for some constant C satisfy the inequality
f(n) S C g(n). Then we say that f = O(g).

Remarks. 1. Despite the equality sign in the notation f = O(g), we should think
of big-0 as conveying "less than" type information. For example, it is correct to
write nfo = 0(n2 ), but it is incorrect to write n2 = O(nylri).
2. Of course, the variable is not always called n. In any given situation we must
understand clearly what letter is standing for the variable - there might be several
letters in use which are standing for constants. Example 1.3 below illustrates the
importance of knowing what letter is the variable.
3. In practice, we will use this notation only when g(n) is a simpler func
tion than f(n) and does not increase a whole lot faster than f(n) - in other
words, when g(n) provides a "good idea" (a "pretty close upper bound") for
how fast f(n) is increasing. The following statements, all of which are math
ematically correct, are not useful in practice: (1) n2 = 0( n 3 + n 2 ln n + 6683);
(2) n2 = 0( e(n2) ) ; (3) e-n = 0(n2 ).
4. Suppose that f(n) is a sum of terms, one of which is much larger than the
others when n is large. If we let g(n) denote that "dominant term", then we can
write f(n) = O(g(n)). For example, if f(n) is any polynomial of degree 3 (with
positive leading coefficient), then f(n) = 0(n 3 ). Similarly, if f(n) is a polynomial
of degree d (where d is any constant, and the coefficient ad of n d is positive),
then f(n) = O(n d ). The leading term a d n d is the "dominant term".

 1 . The Big-0 Notation

19

5 . I f w e are given f(n) and make a good choice o f g(n) - that is, w e c hoose
g(n) to be a simpler function such that f = O(g) but g(n) does not increase much
faster than f(n) - then the function g(n) is useful in giving us an idea of how
a big increase in n will affect f(n). For example, we can interpret the statement
f(n) = O(n) to mean "if n doubles in size, then f(n) will also roughly double
in size". (Notice that the value of the constant C in the definition of the big-0
notation does not affect the truth of this statement. For example, if f(n) is equal
to roughly 2n, then the words in quotes are true; and they are also true if f(n)
is equal to roughly 200n.) We can interpret the statement f(n) = 0(n2 ) to mean
"if n doubles, then f(n) will increase roughly by a factor of 4". The statement
f(n) = 0(n3 ) would mean that f(n) increases roughly by a factor of 8.
We can interpret the statement f(n) = 0 (2n ) to mean "if n increases by 1, then
f(n) will approximately double in size". For example, the statement 5n3 +() +2n =
0 (2n ) means that for large n the expression on the left roughly doubles if n is

increased by 1, since its dominant term is 2n.

6. If

f(n) and g(n) are two positive functions for n 2: n0, and if
. f(n) = any constant ,
hm
noo g(n)
then it is not hard to show that f = O(g). If the limit is zero, then it is still correct
to write f = O(g); but in that case we also say that "f is little-a of g" and we
write f = o(g). This means that f(n) is much smaller than g(n) when n is large.
--

7. Sometimes we want to make a more precise statement about the relationship

between f(n) and g(n). For example, we might say that as n increases the percent
error in using g(n) in place of f(n) goes to zero. That is, we might have

lim
noo
In that case we write

f(n) = 1
g(n)

f:=<g

and say that "f(n) is asymptotically equal to g(n) for large

if f (n) is any polynomial with leading term a d n d , then f(n)
example is the
Prime Number Theorem.

7r(n)
where

:=< -

In n

n". For example,

ad nd . Another
:=<

'

1r(n) denotes the number of prime numbers less than or equal to n.

8. There are two other commonly used symbols that are closely related to big0: fl and e. The notation f = fl(g) means exactly the same thing as g = O(f).
The notation f = 8(g) means that both f = O(g) and f = fl(g); in other words,
there exist positive constants C 1 , C2, and n0 such that C1g(n) S f(n) S C2g(n)
for n 2: no.

20

Chapter 2. Complexity of Computations

9. These symbols are often used in the middle of formulas rather than right
after an equal sign. For example, if we say that a function is n(lnIn n) , we mean
that there exists a constant C such that for n 2: n0 the function is ::; n InInn . If
we say that a function is neo), we mean that for n 2: n0 it is wedged between
two constant powers of n.

E stands for any positive constant at all, no matter how small

(e.g., E = 0.00 1 ), then In n = O(ne). (We actually can write In n = o(ne) as well.)
To convince yourself of this, try putting in very, very large numbers for n - for
example, extremely large powers of 2 - in the two functions In n and n001 . For
instance, setting n = 2 1 000000 gives 1 000000 In 2 = 693 1 47 . 1 8
for In n on the
left and 2 1 000 (which is a 302-digit number) for ne on the right. More precisely,
using l' Hopital's rule it is easy to show that

Example 1. 1. If

In n
lim - = 0 .
---;
(X)
n
n
Example 1.2. Let f(n) be the number of base-b digits in n, that is, the length of

the number n when it is written to the base b. Here

variable. Then
f(n) = 1 + 1ogb n = 1 +

[ ]

b is constant, and n is our

[: J ,

where [ ] denotes the greatest integer function. Since b (and hence ln b) is a

constant, we conclude that f(n) = O(ln n). Roughly speaking, "the number-of
digits function behaves like a logarithm".
Example 1 . 3 (see Remark 2 above). This example shows the importance of being

clear about what the variable is when one uses big-0, little-a, and asymptotic
equality. We consider the sum of the first n positive integers raised to the k-th
power: L; 1 ik . If we are considering k to be constant and letting n get large,
then we have
that is, f ::=:: g with g(n) = nk+l j(k + 1 ). (To see this, show that nk f(n)
1
is equal to the n-th Riemann sum for the integral J0 xkdx, and conclude that
limn ___,oo f(n)/ g(n) = 1 .) On the other hand, if we regard n as constant and k as
the variable that gets large, then the statement

is false. For example, if n is the constant 2, then this statement says that I + 2k ::=::
! 2k , which is not true. Even the weaker statement I + 2k = 0 ( !1 2k) is false.
k l
k
Final Remark on Big-0. Often we consider functions of more than one variable,

say, f(m, n). In that case the notation f = O(g) is used when g(m, n) is a simple

 I . The Big-0 Notation

21

expression involving m and n such that there exists a constant C with j(m, n) ::;
C g(m, n) provided that m 2: mo and n 2: no (in other words, we are not
interested in small values of the variables).

Example 1 . 4. Let j(m, n) be the number of points with integer x- and y

coordinates that are contained inside an ellipse in the xy-plane with semirnajor
axis m and semiminor axis n. Then j(m, n) = O(mn). In fact, j(m, n) i s ap
proximately equal to the area of the ellipse, which is 1rmn, but the exact value
depends on how the ellipse is situated in the plane. In any case it is not hard to
show that j(m, n) S:: 4mn if m and n are large, and thus j(m, n) = O(mn)_
Exercises for 1

For each of the j(n) in Exercises 1-11, give the letter of the best estimate among
the following:
(a) j(n) = O(ln n) ;
(b) j(n) = 0(ln2 n) ;
(c) j(n) = 0(ln3 n) ;
2
(d) j(n) = O(n) ;
(f) j(n) = 0(n3) ;
(e) j(n) = 0(n ) ;
(g) j(n) = 0(2 n ) ;

(h) j(n) = O(n !) ;

(i) j(n)

O(n n ) .

1 . G).
2. 10 ln3 n + 20n2 .
3 . The number of monomials in x, y, z of total degree at most n.
4. The number of polynomials in x of degree at most n whose coefficients are 0
or 1 .
5 . The number of polynomials in x of degree at most n - 1 whose coefficients are
integers between 0 and n.
6. The area of a fixed shape after it's magnified by a factor of n.
7. The amount of memory space a computer requires to store the number n.
8. The amount of memory space a computer requires to store n2 .
9. The sum of the first n positive integers.
10. The sum of the squares of the first n positive integers.
1 1 . The number of bits (base-2 digits) in the sum of the squares of the first n
positive integers.
For each of the j(m, n) given below, find the best simple function g(m, n)
such that f = O(g).
12. (m2 + 2m - 3)(n + ln2 n + 14).
13 . 2m ln2 n + 3m 2 ln n.
14. rhe largest n-digit number to the base m.
15 . The maximum number of circles of radius 1 / n that fit into a circle of radius
m without overlapping.

22

Chapter 2. Complexity of Computations

2. Length of Numbers

From now on, unless otherwise stated, we shall assume that all of our numbers
are written in binary, and all arithmetic is performed to the base 2. Throughout
this book we shall use the notation log to mean log2 and ln to mean loge.
By the "length" of an integer we mean the number of bits (binary digits) it
has. Recall that
length(n) = 1 + log2 n = 1 +

[:J ,

and this can be estimated by O(ln n).

In this section we shall discuss how to estimate the length of a number which
is arrived at by various arithmetic processes, starting with "input" of known length
(or whose length is assumed to be no greater than a known bound).
Example 2. 1. What is the length of the number that is obtained by

(a) adding together, and

(b) multiplying together
n positive integers each of which has length at most k?

Solution. To answer this question we have to think about how adding and multi
plying affect the length of numbers. It is easy to see that the sum of two numbers
has length either equal to the length of the larger number or else equal to 1 plus
the length of the larger number.
If we add n numbers each of length at most k - that is, each less than 2k then the sum will be less than n2k. Hence, the length of the sum will be at most

k + length(n).
To deal with multiplication, we use the fact that a number m of length k
satisfies: 2k-I ::; m < 2k. Thus, if m 1 has length k and m2 has length l, we can
multiply the two inequalities
<

2k-I ::; m,
2l-I::; m

<

to get: 2k+l-2 ::; m 1 m2

2k
2l

<

2k+1, from which it follows that length(m 1 m2 ) is equal

either to the sum of the lengths of m, and mz or else to 1 less than the sum of the
lengths ofm1 and m2 . Roughly speaking, when we multiply numbers, their lengths

add together. In other words, the lengths of numbers behave like logarithms. (See
Example 1.2.)
Now suppose that we want to multiply together n k-bit numbers m 1 , . . . , m n .
(For example, the m numbers might all be the same, in which case we're raising
a k-bit number to the n-th power.) If we multiply together all n inequalities
i=

then we find that

<
2nk-n -

II m

'

<

1, . . . , n ,

2nk ,

so that the length of the product is between nk - (n - 1 ) and nk.

23

2. Length of Numbers

Usually we're not interested in the exact length, but only in a bound for the
length. In that case we can say simply that multiplying together n numbers of
length at most k results in a number of length at most nk.
A similar discussion applies to subtraction and division (see Exercise 1 below).
Example 2.2. Find the length of n ! .
Solution. Here what w e want i s a simple estimate for the length o f n ! i n the form

O(g(n)). Notice that none of the n numbers that are multiplied together in n! has
length longer than length(n). So we can apply the statement in italics above to
conclude that: length(n ! ) :::; n(length(n)) O(n In n).
==

One might object that O(n I n n) is not the best possible estimate, since, after
all, most of the numbers multiplied together in n ! are quite a bit less than n.
However, notice that most of the numbers from 1 to n have length not a whole
lot less than the length of n. In Exercise 4 below we shall see that length(n !) not
only is less than Cn In n, but also is greater than some other constant C' times
n In n. That is, length(n !) 8(n In n)
==

Exercises for 2
1 . Suppose that a k-bit integer a is divided by an l-bit integer b (where l :::; k) to
get a quotient q and a remainder r:

a== qb + r ,

O:Sr<b .

What is the length of q?

2. In each case estimate the length of the number indicated. Express your answer
using the big-0 notation with a simple function g(n), g(k), g(n, k), etc. Here g
must be expressed using the letters given in the statement of the problem.
(a) The sum of n numbers, each of length at most k.
(b) n4 + 2 S n2 + 40.
(c) A polynomial in n of degree k: a k n k + a k_ 1 nk - 1 + + a 1 n + a0 , where k and
the ai are integer constants.
(d) The product of all prime numbers of k or fewer bits.
(e) (n2 ) ! .
(f) The n-th Fibonacci number. (The Fibonacci numbers are defined by setting
!1 == 1 , fz 1 , and fn+1 fn + fn-1 for n == 2, 3, . . . . )

==

==

3. Find a simple function g(n) such that the length of the n-th Fibonacci number
is asymptotically equal to g(n).

4. Show that at least n/2 of the numbers 1 , 2, 3, . , n have length equal to or

greater than log 2 n - 1 . Then show that n! has length at least equal to 1" (log2 n- 2),
and that for large n this is greater than C' n In n for a suitable constant C' .
.

5. Use Stirling's formula to find a simple function g(n) such that the length
i s asymptotically equal to g(n).

of

n!

24

Chapter 2. Complexity of Computations

6. Suppose that the letters A, B, C, . . , Z are used as base-26 digits. Then the
binary length of
.

is roughly equal to (choose one):

50, 1 50,500, 1 500, 5000, 1 5000, 50000, 1 50000, 500000 , 1 500000, 5000000 .
7. Arrange the following numbers in increasing order, if n is equal to the U.S. na
tional debt measured in kopecks: *
(a) The number of decimal digits i n 2 n .
(b) The number of consecutive zeros at the end of the binary expansion of n!.
(c) The binary length of the value at n of a quintic polynomial whose coefficients are 20-bit integers.
(d) The binary length of [ v'nl!.
(e) The number of primes you have to try to divide into n if you want to be
sure that n is a prime number using the method of trial division.

3. Time Estimates

As mentioned before, we shall assume that all arithmetic is being done in binary,
i.e., with O's and l 's.
3.1 Bit Operations

Let us start with a very simple arithmetic problem, the addition of two binary
integers, for example:
I! II

1 1 1 1 000
+ 00 1 1 1 1 0
1 00 1 0 1 1 0
Suppose that the numbers are both k bits long; i f one o f the two integers has
fewer bits than the other, we fill in zeros to the left, as in this example, to make
them have the same length. Although this example involves small integers (with
k = 7), we should think of k as perhaps being very large, like 500 or 1000.
Let us analyze in complete detail what this addition entails. Basically, we must
repeat the following steps k times:
1. Look at the top and bottom bit and also at whether there's a carry above
the top bit.
* Currently the U.S. national debt is about $5x 1012, and one dollar is worth approxi
mately 5000 rubles. (And one ruble is 100 kopecks.)

3. Time Estimates

25

2. If both bits are 0 and there is no carry, then put down 0 and move on.
3. If either (a) both bits are 0 and there is a carry, or (b) one of the bits is 0,
the other is 1, and there is no carry, then put down 1 and move on.
4. If either (a) one of the bits is 0, the other is 1, and there is a carry, or else
(b) both bits are 1 and there is no carry, then put down 0, put a carry in the next
column, and move on.
5. If both bits are 1 and there is a carry, then put down 1, put a carry in the
next column, and move on.
Doing this procedure once is called a bit operation. Adding two k-bit numbers
requires k bit operations. We shall see that more complicated tasks can also be
broken down into bit operations. The amount of time a computer takes to perform
a task is essentially proportional to the number of bit operations. Of course, the
constant of proportionality - the fraction of a nanosecond per bit operation depends on the particular computer system. (This is an over-simplification, since
the time can be affected by "administrative matters", such as accessing memory.)
When we speak of estimating the "time" it takes to accomplish something, we
mean finding an estimate for the number of bit operations required.
Thus, the time required (i.e., number of bit operations) to add two numbers is
equal to the maximum of the lengths of the two numbers. We write:
Time(k-bit + l-bit) = max(k, 1) .
If we want to express the time in terms of the two numbers added, say m and n,
then, since k =length(m) = O(ln m), we have
Time(m + n) = O ( max(ln m, ln n) )

Notice that there's a big difference between expressing the time for performing a
task on some integers in terms of the integers themselves (in this case m and n )
and in terms of the lengths of the integers (in this case k and l). Depending on
the situation, either type of time estimate might be convenient for us to use. It's
important not to confuse them.
Next, let's examine the process of multiplying a k-bit integer by an 1-bit integer
in binary. For example,
11101
1101
1 1 101
111010
1110 1
101111001
In general, suppose that we use this familiar procedure to multiply a k-bit
integer n by an 1-bit integer m. We obtain at most 1 rows (one row fewer for
each 0 bit in m), where each row consists of a copy of n shifted to the left a
certain distance - that is, with zeros put on at the right end. In order to count bit
operations, we suppose that we perform the addition two rows at a time, by first

26

Chapter 2. Complexity of Computations

adding the second row to the first, then adding the third row to the result from the
first addition, then adding the fourth row to the result of the second addition, and
so on. In other words, we need to perform at most l - l additions. In each addition
we first copy down the right-most bits from the top row that are above the places
in the lower row where we filled in zeros. This process of simply transfering the
bits down counts as an "administrative procedure", not as bit operations, and so
is neglected in our time estimate. So each addition requires only k bit operations.
Thus, the total number of bit operations to get our answer is less than
(l additions) x (k bit operations per addition)

kl .

Before giving other examples of time estimates, we should make several ob

servations. In the first place, we define the time it takes to perform an arithmetic
task to be an upper bound for the number of bit operations, without including any
consideration of shift operations, memory access, etc.
In the second place, if we want to get a time estimate that is simple and
convenient to work with, we should assume at various points that we're in the
"worst possible case". For example, in a multiplication we might have a lot fewer
than l - l additions of nonzero rows. But if we are interested only in big-0
estimates, then we get no benefit by taking this into account.
Time estimates do not have a single "right answer". For example, regarding the
time required to multiply a k-bit number by an l-bit number, all of the following
statements are correct: ( l ) Time = O(kl); (2) Time < kl; (3) Time ::; k(l - l);
( 4) if the second number has an equal number of O-bits and l -bits, then Time
::; kl / 2. In what follows, we shall always use either the estimate Time < kl or
else Time = O(kl).
Next, we note that our time estimate can be expressed in terms of the numbers
multiplied rather than their lengths, as follows:
Time(m x n) = O(ln m ln n)
As a special case, if we want to multiply two numbers of about the same size,
we can use the estimate
Time(k-bit x k-bit) =

0(k2 ) .

It should be noted that much work has been done on increasing the speed of
multiplying two k-bit integers when k is large. With the help of techniques that are
much more complicated than the grade-school method we have been using, mathe
maticians have been able to find a procedure for multiplying two k-bit integers
that requires only O(k ln k ln ln k) bit operations. This is better than 0(k2), and
even better than 0(k1+") for any c > 0, no matter how small. However, in what
follows we shall always be content to use the weaker estimates above for the time
needed for a multiplication.

3. Time Estimates

27

3.2 Algorithms

In general, when estimating the number of bit operations required to do something,

the first step is to decide upon and write an outline of a detailed procedure for
performing the task. We did this earlier in the case of our multiplication problem.
An explicit step-by-step procedure for doing calculations is called an algorithm.
Of course, there may be many different algorithms for doing the same thing. One
may choose to use the easiest one to write down, or one may choose to use
the fastest one known, or one may choose to compromise and make a trade-off
between simplicity and speed. The algorithm used above for multiplying n by m
is far from the fastest one known. But it is certainly a lot faster than repeated
addition (adding n to itself m times).
So far we have discussed addition and multiplication in binary. Subtraction
works very much like addition: we have the same estimate O(k) for the amount of
time required to subtract two k-bit integers. However, we have to slightly broaden
the definition of bit operation to include subtraction. That is, a subtraction bit
operation can be defined just as the addition bit operation was before, except with
"borrows" instead of "carries" and a different list of four alternatives.
Division can be analyzed in much the same way as multiplication, with the
result that it takes O ( l(k - l + l ) ) bit operations to obtain the quotient and remainder
when a k-bit integer is divided by an l-bit integer, where k 2 l (of course, if
k< l, then the quotient is 0 and the "division" is trivial). In other words, given
two positive integers b< a, the time it takes to find q and r such that a = qb + r,
where 0 :::; r< b, depends on the product of the lengths of b and q. (See Exercise
1 of 2.)
Example 3. 1 . Estimate the time required to convert a k-bit integer n to its repre

sentation in the base 1 0.

Solution. The conversion algorithm is as follows. Divide 1 0 = ( 1 0 1 0) 2 into n. The

remainder - which will be one of the integers 0, 1 , 1 0, 1 1 , 1 00, 1 0 1 , 1 10, 1 1 1 ,
1000, or 100 1 - will be the ones digit do. Now replace n by the quotient and
repeat the process, dividing that quotient by ( 1 0 1 0)z, using the remainder as d 1
and the quotient as the next number into which to divide (1010)2 . This process
must be repeated a number of times equal to the number of decimal digits in n,
+ 1 = O(k). Then we're done. (We might want to take our list of
which is
decimal digits, i.e., of remainders from all the divisions, and convert them to the
more familiar notation by replacing 0, 1 , 10, 1 1 , . . . , 100 1 by 0, 1 , 2, 3 , . . . , 9,
respectively.) How many bit operations does this all take? Well, we have O (k)
divisions, each requiring 0(4k) operations (dividing a number with at most k bits
by the 4-bit number ( 1 0 1 0)z). But 0(4k) is the same as O(k) (constant factors
don't matter in the big-0 notation), so we conclude that the total number of bit
operations is O(k) O(k) = 0(k2 ). If we want to express this in terms of n rather
than k, then since k = O(ln n), we can write
Time( convert n to decimal)= 0(ln2 n)

u ]

28

Chapter 2. Complexity of Computations

Example 3.2. Estimate the time required to convert a k-bit integer n to its repre

sentation in the base b, where b might be very large.

Solution. Using the same algorithm as in Example 3 . 1 , except dividing now by the

l-bit integer b, we find that each division takes longer than before (if l is large),
namely, O(kl) bit operations. How many times do we have to divide? Here notice
that the number of base-b digits in n is O(k j l). Thus, the total number of bit
operations required to do all of the necessary divisions is O(k / l) O(kl) = 0(k 2 ).
This turns out to be the same answer as in Example 3. 1 . That is, our estimate for
the conversion time does not depend upon the base to which we're converting (no
matter how large it may be). This is because the greater time required to find each
digit is offset by the fact that there are fewer digits to be found.

Example 3. 3. Estimate the time required to compute n ! .

Solution. We use the following algorithm. First multiply 2 b y 3, then the result
by 4, then the result of that by 5, ... , until you get to n. At the (j - 1 )-th step
you're multiplying j ! by j + 1 . Here you have n - 2 multiplications, where
each multiplication involves multiplying a partial product (namely, j !) by the next
integer. The partial product will start to be very large. As a worst case estimate
for the number of bits it has, let's take the number of binary digits in the last
product, namely, in n ! . According to Example 2.2, length(n ! ) = O(n In n).
Thus, in each of the n - 2 multiplications in the computation of n ! , we are
multiplying an integer with at most O(ln n) bits (namely, j + 1 ) by an integer with
O(n In n) bits (namely, j !). This requires O(n ln2 n) bit operations. We must do
this n - 2 = O(n) times. So the total number of bit operations is O(n ln2 n) O(n) =
0(n2 ln2 n). We end up with the estimate: Time( computing n ! ) = 0(n2 !n2 n).

3.3 The Euclidean Algorithm

a > b > 0, the greatest common

divisor* d of a and b can be computed and the equation

Example 3.4. Show that, given two integers

au + bv = d
can be solved for integers u and v in time O(ln a In b).
Solution. We recall the extended Euclidean algorithm. First, we successively

divide

* Recall from elementary number theory that the greatest common divisor of a and b,
abbreviated g.c.d. , is the largest positive integer d that divides both a and b; if this integer
is I, then a and b are said to be relatively prime.

3. Time Estimates

0 < T1 < b ,
0 < T2 < T1 ,
0 < T 3 < T2 ,

a = qob + r 1 ,
b = q 1 r1 +r2 ,
r1 = q2 r2 +T3 ,

1'! - 2 = q ! - IT! - 1 +T! ,

T!-1 = q! T! + rl+l ,
T! = ql+ITl+l ,

O<r!<rl - 1 ,
0 < 7'!+1 < 7'! ,

so that d = rl+l Then we work backwards, writing

d = rl+l = r1-1 - qrrl
= vrrt+U!-1 1'! - 1 ,
V! = -ql , U!-1 = l
= V! - IT! - 1 +U! - 2T!-2 ,
V!-1 = U! - 1 - q !-I V! ,

= v1r1 +uob ,
= vb + ua ,

29

V = U o q0v 1 , U = v1
-

U! - 2 = V! ,

To estimate the time required for all this, we recall that the number of bit
operations in the division a = q0b + r1 is at most length( b) length(q0). Similarly,
the time for the division r1 _1 = q1 rj + r1+1 is at most length(rj ) length(qj) :::;
length(b) length(q1 ). Thus, the total time for all the divisions is O ( ln b(ln qo +
ln q1 + +In ql+ 1 ) ) = 0 ( (ln b)(In TI qj ) ) . But it is easy to show by induction that
f1 q1 :::; a, and so the bound is O(ln b ln a) . We leave it to the reader to show
that the number of bit operations required to "work backwards" in the Euclidean
algorithm - that is, to compute all of the v1 = u1 - qj v;+l, is also O(ln bIn a).
Thus, the extended Euclidean algorithm takes time 0(ln2 a) .

An immediate consequence of Example 3 .4 is that any congruence

ax = 1 (mod m)
with I a ! < m and g.c.d.(a, m) = l can be solved for x in time 0(ln2 m).

Example 3.5. Suppose that m is a k-bit natural number, N is an l-bit natural

number, and l b l < m . Show how to find the least nonnegative residue of b N
modulo m in time 0(k 2 l).
Solution. This is done by the "repeated squaring method" of modular exponentia
tion (also called the "square and multiply" method). We first write N in binary:

30

Chapter 2. Complexity of Computations

E t-1 . z l - 1 + E t - 2 . 21 - 2 + . . . + C 1 . 2 +E o. We then successively compute

the least nonnegative residue of b21 modulo m for j = l , . . . , l - l . To compute
N =

-I
b21 we take the value just computed for b21 modulo m, square it, and reduce
modulo m. Since none of the numbers we work with could have length more than
2k (because multiplying two residues in {0, l , . . . , m - 1 } gives a number less
than m 2 ), this process takes time O(k 2 ) for each j.
Next, let j 1 , j2 , . . . , j>. be the indices for which Ej " = l , i.e., the locations of
all 1-bits in N. Then N = L z1 v and b N = TI b21 " . We first multiply the least
nonnegative residue of b21 ' and the least nonnegative residue of b2 12 , and reduce
the result modulo m; then we multiply this result by the least nonnegative residue
of b21 3 and reduce modulo m; and so on. The final result will be b N . It is clear
that the time required for the repeated squaring algorithm is 0(k 2 l).

3.4 From Polynomial Time to Exponential Time

We now make a definition that is fundamental in the study of algorithms.

Definition 3.1. An algorithm to perform a computation is said to be a polynomial
time algorithm if there exists an integer d such that the number of bit operations

required to perform the algorithm on integers of total length at most k is O(kd).

Thus, the usual arithmetic operations +, -, x , -;- are examples of polynomial

time algorithms; so is conversion from one base to another. On the other hand,
computation of n! is not. (However, if one is satisfied with knowing n! to only a
certain number of significant figures, e.g., its first 1 000 binary digits, then one can
obtain that by a polynomial time algorithm using Stirling's approximation formula
for n! .)
Remark. The words "perform the algorithm on integers of total length at most

k" in Definition 3 . 1 are a little vague. What is meant is the following. When we
set up a computation, strictly speaking, we should always specify the form of
the "input". Then k in Definition 3 . 1 stands for the total binary length of the
input. In many problems the form of the input is obvious, and is usually not stated
explicitly. In Examples 3.2 and 3.3, the input was the number n written in binary.
However, sometimes one has to be careful, as the following example shows.
Example 3.6. Is there a polynomial time algorithm for determining whether the

m-th Fermat number is prime or composite?

Here it is crucial to specify the form of the input. If the input is the number
n = 2 2 m + l written in binary (i.e., 100 . . . 00 1 with zm - l zeros between the two
l 's ), then the answer to this question is "yes". That is, there are several algorithms
that can determine whether n is prime or composite in time that is bounded by
a polynomial function of zm . However, if the input is the number m written in
binary, then the answer to this question is almost certainly "no". There is no known
algorithm that can determine primality of the m-th Fermat number in time that is
bounded by a fixed power of log2 m.

3. Time Estimates

31

One class o f algorithms that are very far from polynomial time i s the class
of exponential time algorithms. These have a time estimate of the form O ( eck) ,
where c is a constant. Here k is the total binary length of the integers to which
the algorithm is being applied. For example, the "trial division" algorithm for
factoring an integer n can easily be shown to take time O(n l /Z+< ) (where E: > 0
can be arbitrarily small). Since k ;::::; log2 n, the expression inside the big-0 can
also be written as eck , where c = ( + E) In 2.
There is a useful way to classify time estimates in the range between poly
nomial and exponential time. Let n be a large positive integer, perhaps the input
for our algorithm; let 'Y be a real number between 0 and 1 ; and let c > 0 be a
constant.
Definition 3.2. Let
L n ( "f ; C) =

0 ( e c( ( ln n) ( ln ln n ) 1 - ) )

In particular, L n ( l ; c) = O(ec ln n ) = O(nc), and L n (O; c) = O(ec ln ln n ) = O((ln n)c ).

An L("()-algorithm is an algorithm that, when applied to the integer n, has running
time estimate of the form L n ('Y; c) for some c. In particular, a polynomial time
algorithm is an L(O)-algorithm, and an exponential time algorithm is an L( l )
algorithm. By a subexponential time algorithm we mean an L("()-algorithm for
some 'Y < 1 .
Roughly speaking, 'Y measures the fraction of the way we are from polynomial
to exponential time. We saw that the naive trial division algorithm to factor n is an
L( 1 )-algorithm. Until recently, the best general (probabilistic) factoring algorithms
were all L( l / 2)-algorithms. Then with the advent of the "number field sieve" (see
[Lenstra and Lenstra 1 993]) the difficulty of factoring was pushed down to L( 1 /3).
The L("()-terminology is not appropriate for all algorithms. For example, algo
rithms that take much more than exponential time cannot be classified by Definition
3 .2. Nor is the L('Y)-terminology useful for algorithms that are just slightly slower
than polynomial time - such as the 0 ((ln n)c ln ln ln n ) primality test in [Adleman,
Pomerance, and Rumely 1 983].
Some people prefer to give a different definition of "subexponential time".
They use the term for an algorithm with running time bounded by a function of
the form ef (k ) , where k is the input length and f(k) = o(k) (see Remark 6 of 1
for the meaning of little-a). For example, an algorithm taking ek/ In In k operations
would be subexponential time in this sense, but not in the sense of Definition 3.2.
Exercises for 3

1 . (a) Using the big-0 notation, estimate in terms of a simple function of

number of bit operations required to compute 3 n in binary.
(b) Do the same for nn .

the

32

Chapter 2. Complexity of Computations

(c) Estimate in terms of a simple function of n and N the number of bit operations
required to compute Nn .
2. The number of bit operations required to compute the exact value of
101 101 1 100 1 01 1 1 000 1 1 1
(where the numbers are written in binary) is roughly equal to (choose one):
100, 1000, 1 0000, 1 00000, 1000000, 10 1 0 ' 1025 , 107 5 .

3 . The following formula holds for the sum of the first n perfect squares:
n

L l = n(n + 1 )(2n + 1 )/6 .

j= 1

(a) Using the big-0 notation, estimate (in terms of n) the number of bit operations
required to perform the computations in the left side of this equality.
(b) Estimate the number of bit operations required to perform the computations
on the right in this equality.
4. Suppose that you have an algorithm that solves a problem whose input is a

single integer. Let k denote the binary length of this integer. You are interested in
applying this algorithm to numbers of binary length about k = 1 000. You test the
algorithm on numbers of length about 1 00, and find that your computer takes about
1 minute to carry out the algorithm for each such number. How much time will
your computer take to apply the algorithm to a number of binary length k = 1000
if the time estimate for the algorithm is
(a) Ck3 bit operations, where C is some constant?
(b) Ce003k bit operations, where C is some constant?
In each case choose your answer from among the following: (A) 10 minutes; (B)
1 00 minutes; (C) 1 6 hours; (D) 1 week; (E) 2 months; (F) 2 years; (G) 1 00 years;
(H) 1 0000 years; (I) 1000000 years; (J) not enough information given to answer
the question.
5. (a) Using the big-0 notation, estimate the number of bit operations required to
find the sum of the first n Fibonacci numbers (see Exercise 2(f) of 2).
(b) The same for their product.

6. Suppose that you have a list of all primes having k or fewer bits. Using the Prime
Number Theorem and the big-0 notation, estimate the number of bit operations
needed to compute
(a) the sum of all of these primes ;
(b) the product o f all o f these primes;
(c) the k most significant bits in the product of all of these primes.
7. Suppose that m is a k-bit integer, and n is an 1-bit integer (and you don't know
in advance whether k is much bigger than I, l is much bigger than k, or they're

3. Time Estimates

33

about the same size). Find a bound of the form O(g(k, l)) for the number of bit
operations required to compute m 3 n4 . Your function g(k, l) should be as s imple
and efficient as possible.

8. Given a k-bit integer, you want to compute the highest power of this number that
has l or fewer bits. (Suppose that l is much larger than k.) Estimate the number of
bit operations required to do this. Your answer should be a very simple expression
in terms of k and/or l.
9. Suppose that we are given l different moduli m, such that g.c.d.(mi , mj ) = l
for i f= j, and l integers ai such that Ia, I < mi . Let M = TI , mi . According to
the Chinese Remainder Theorem, there exists a unique x in the range 0 ::; x < M
such that x = a, (mod mi) for i = 1 , . . . , l. Suppose that all of the moduli mi
are k-bit integers. In parts (a)-(g) below we recall the steps in the algorithm for
finding x. For each step find a big-0 estimate in terms of k and l for the number
of bit operations required.
(a) Compute M.
(b) For each i compute Mi = M/ m, .
(c) For each i find the least positive residue of M, modulo mi .
(d) For each i find the least positive y, that satisfies y,Mi = 1 (mod mi)
(e) For each i compute a, M,y,.
(f) Add all of the numbers i n part (e).
(g) Find the least nonnegative residue modulo M of the number in part (f) . This
is the desired value x .
(h) Let K denote the total length of the input (i.e., the l-tuple of ai and the l
tuple of mi). Note that kl < K ::; 2kl. Find a big-0 bound in terms of K for
the number of bit operations required to go through all of the steps in the above
Chinese Remainder Theorem algorithm.
10. Arrange the following numbers in increasing order, if n is equal to the number
of mosquitos in New Jersey:
(a) the time required to solve a Chinese Remainder Theorem problem with ap
proximately ln n congruences whose moduli satisfy n < m, < 2n .
(b) the time required to find the value at n of a quintic polynomial whose coeffi
cients are 20-bit integers;
(c) the time required to convert n (which is initially written in binary) to hexade
cimal (base 1 6);
(d) the time required to find the least nonnegative residue of m! modulo p , where
m is an integer of approximately the same size as ln n and p is a prime of
approximately the same size as 2 ln n;
(e) the time required to compute the least nonnegative residue of bn modulo m,
where b and m are numbers of approximately the same size as n.
1 1 . Suppose that an algorithm requires L n ('y ; 1) microseconds when applied to
the integer n (where the constant in the big-0 in Definition 3.2 is taken to be
1). Find the time required to apply the algorithm to a number n ;::::: 1 0 1 00 when
1 = 0, 1 / 3 , 1 /2, and 1 .

34

Chapter 2. Complexity of Computations

4. P, NP, and NP-Completeness

This section is devoted to three fundamental notions of computer science: the

class P of decision problems solvable in polynomial time, the class NP of decision
problems solvable in nondeterministic polynomial time, and the class of NP prob
lems that are "complete". We shall give only an informal introduction to P, NP,
and NP-completeness. For greater rigor and more details, the reader is referred
to standard books on complexity theory, such as [Garey and Johnson 1 979] and
[Papadimitriou 1 994] .
4.1 Problem Instances, Search Problems, and Decision Problems

In what follows, the term "problem" refers to a general description of a task, and
the term "instance" of a problem means a particular case of the task.
Example 4. 1. The Integer Factorization search problem is the problem of either

finding a nontrivial factor M of an integer N or else determining that no nontrivial

factor exists - in other words, that N is prime. Once we are given a particular value
of N and are asked to factor it, we have an instance of the Integer Factorization
search problem.

Example 4.2. The Traveling Salesrep problem is the task of finding the shortest
route that starts from City A, passes through all other cities on the salesrep's list,
and returns to City A. An instance of the Traveling Salesrep problem is a specific
list of cities and the distances between any pair of cities. (Depending on what it
is that the salesrep wants to minimize, instead of distances she might have a list
of the airfare between any two cities or the total cost of travel between the two
cities.)
Example 4.3. The 3-Coloring problem is the task of coloring a given map with
just three colors in such a way that no two neighboring regions have the same
color, if it is possible to do so. Actually, it is more natural to study the problem
of coloring a graph rather than a map, because that is more general (see Exercise
4 below). To be precise, a "graph" is a list of dots (called "vertices") and lines
(called "edges") joining certain pairs of dots. The 3-Coloring problem for graphs
is the task of assigning one of three colors to each vertex in such a way that no
two vertices that are joined by an edge have the same color.

An example of a 3-colorable graph is shown at the top of the next page.

The term "input" refers to all the information that must be specified in order
to describe an instance of the problem. In Integer Factorization the input is simply
the integer N. The term "input length" refers to the number of symbols needed
to list the input. We suppose that a particular system of symbols has been fixed
once and for all. For example, if we are writing numbers in binary, then the input
length for an instance of Integer Factorization is 1 + [log2 N] .
I n the Traveling Salesrep problem with m cities, i f w e suppose that the cities
are numbered from 1 to m, then the input is a particular map from the set of pairs

4. P, NP, and NP-Completeness

35

\tue

(i , j), 1 :::; i < j S m, to the set of natural numbers N. (We are supposing that all
of the distances are positive integers.)
In a 3-Coloring problem with m vertices, if we suppose that the vertices are
labeled from 1 to m, the input may be regarded as a subset of the set of pairs
(i , j), 1 :::; i < j S m. That is, the input is a graph G = (V, E), where V is the
vertex set { 1 , . . , m } and E C { ( i, j) h :S i < j :S m is the set of edges.
In order to give the definitions of P and NP, we first have to modify our
problems so that they are "decision problems". A decision problem is a problem
whose solution (output) consists of a yes-or-no answer. On the other hand, if the
desired output is more than a "yes" or "no" - that is, if we want to find a number,
a route on a map, etc. - then we call the problem a "search problem".
.

Remark. Unlike a decision problem, a search problem might have several correct

answers. For example, in the Traveling Salesrep search problem we want a path
of minimal length that passes through all the cities. (A path passing through all
the cities and returning to its starting point is sometimes called a "tour".) There
may be many different minimal tours.
Example 4.4. An instance of a decision problem version of Integer Factorization

is as follows:
INPUT: Positive integers N and k.
QUESTION: Does N have a factor M satisfying 2 :::; M :::; k?
The problem of actually finding a nontrivial factor M of N is called the Integer
Factorization search problem.

Example 4.5. An instance of the Traveling Salesrep decision problem has the form

INPUT: An integer m, a map from the set of pairs (i, j), 1 :::; i < j :::; m, to
the natural numbers, and an integer k.
QUESTION: Is there a tour of the cities of length :::; k?
The Traveling Salesrep search problem is the problem of finding a tour of
minimal length.
Example 4.6. An instance of the 3-Coloring decision problem has the form

INPUT: A graph

G =

(V, E).

36

Chapter 2. Complexity of Computations

QUESTION: Does this graph have a 3-coloring? In other words, does there
exist a map c from V to a 3-element set such that (i, j) E E ==> c(i) 1 c(j ) ?
For many problems - including Integer Factorization, Traveling Salesrep, and
3-Coloring - the decision problem and the search problem are essentially equiv
alent. This means that an algorithm to do one can easily be converted into an
algorithm to do the other. Let us see how this works in the case of Integer Fac
torization.
First, suppose that we have an algorithm to do the search problem. This means
that, given N, we can apply the algorithm to find a nontrivial factor M, then apply
it again to find nontrivial factors of M and Njl\!I, and so on, until N has been
written as a product of prime powers. Once we have the prime factorization of
N, we can immediately determine whether or not N has a factor in the interval
[ 2 k ] . Namely, the answer to this question is "yes" if and only if the smallest
prime divisor of N is in that interval.
Conversely, suppose that we have an algorithm to do the decision problem.
In that case we can use the method of "20 questions" (also called binary search)
in order to zero in on the exact value of a factor, thereby solving the Integer
Factorization search problem. More precisely, we find a nontrivial factor of N bit
by bit, starting with its leading bit. Let 2n be the smallest power of 2 that is larger
than N. In other words, n is the input length 1 + [log2 N] . First we apply the
decision problem algorithm with k = 2n- l - 1 . If the answer is "no", then N is
prime, because any nontrivial factor M must satisfy M :::; N/2 < 2n - l . In that
case we're done. Now suppose that the answer is "yes". Repeat the algorithm for
the decision problem with k = 2n- 2 - 1 . If the answer is "no", then N must have
a nontrivial factor of the form M = 1 . 2n - 2 + E n - 3 2n- 3 + . . + Eo, where the Ei
are the bits in the binary representation of M. If the answer is "yes", then N must
have a nontrivial factor of the same form but with first bit zero rather than one, i.e.,
M = E n - 3 2n- J + . + Eo . To find the next bit E n- 3 , either set k = 2n - 2 + 2n- 3 - 1
(in the case when the previous application of the algorithm gave a "no" answer) or
else set k = 2n- 3 - 1 (in the case when the previous application of the algorithm
gave a "yes" answer). If the algorithm now answers "no", then you know that
you should choose E n - 3 = 1 ; if it answers "yes", then you may choose E n - 3 = 0.
Continue in this manner, applying the algorithm for the decision problem once to
find each bit in a factor of N. After only n applications of the algorithm, you will
have found a nontrivial factor of N. So the algorithm for the decision problem
has been converted into an algorithm for the corresponding search problem.
,

Example 4. 7. Given an algorithm for the Integer Factorization decision problem,

here is how we use it to factor 9 1 .

First question to algorithm: Does 9 1 have a factor between 2 and 63? Answer:
YES.
Second question: Does 9 1 have a factor between 2 and 3 1 ? Answer: YES.
Third question: Does 9 1 have a factor between 2 and 1 5 ? Answer: YES.
Fourth question: Does 9 1 have a factor between 2 and 7? Answer: YES.

4. P, NP, and NP-Completeness

37

Fifth question: Does 9 1 have a factor between 2 and 3? Answer: NO.

Sixth question: Does 91 have a factor between 2 and 5? Answer: NO.
Seventh question: Does 91 have a factor between 2 and 6? Answer: NO.
We conclude that 7 is a nontrivial factor of 9 1 . Note that this method of
binary search using an algorithm for the Integer Factorization decision problem
will always lead to the smallest nontrivial factor of N.
Thus, from the standpoint of computer science, there is often no loss of gener
ality in working with decision problems rather than search problems.
4.2 P and NP
Definition 4.1. A decision problem P is in the class P of polynomial time problems
if there exists a polynomial p(n) and an algorithm such that if an instance of P
has input length -<::: n, then the algorithm answers the question correctly in time
-<::: p(n).* An equivalent definition is: A decision problem P is in P if there exists
a constant c and an algorithm such that if an instance of P has input length -<::: n,
then the algorithm answers the question in time 0(n).

Notice the close relation between Definitions 4. 1 and 3. 1 : a decision problem

is in P if there exists a polynomial time algorithm (in the sense of Definition 3 . 1 )
that solves it.
Remark. Definition 4. 1 attempts to capture a class of problems that in practice
can be solved rapidly. It is not a priori clear that P is the right class to take for this

purpose. For instance, an algorithm with running time n 100 , where n is the input
length, is slower than one with running time e0000 1 n until n is greater than about
ten million, even though the first algorithm is polynomial time and the second one
is exponential time. In this connection see 7.2 of Chapter 1 .
However, the experience has been that if a problem of practical interest i s i n P,
then there is an algorithm for it whose running time is bounded by a small power
of the input length. Sometimes a problem that is in P or is believed to be in P
has a practical, efficient algorithm that is not polynomial time. An example is the
following Primality problem:
INPUT: A positive integer N.
QUESTION: Is N a prime number?
If the so-called "Extended Riemann Hypothesis" is true, then an algorithm in
[Miller 1 976] will answer this question in polynomial time. However, even if
one assumes the ERH, for N < 1 01000 the most efficient deterministic** algorithm
* We suppose that we have a fixed computer to implement the algorithm, and "time"
refers to the running time on this computer. Alternatively, we could define "time" to be the
number of bit operations required to carry out the algorithm.
** All of the algorithms discussed so far in this chapter are detenninistic; the term "de
terministic" is used to distinguish these algorithms from "randomized" (also called "prob
abilistic") algorithms (see 6) .

38

Chapter 2. Complexity of Computations

known is the method using Gauss and Jacobi sums (see [Adleman, Pomerance, and
Rumely 1 983] and [Cohen and Lenstra 1 984]), which has running time n0n ln nl ,
where n = O(ln N ) i s the input length.
An example of a slightly different sort is given by the problem
INPUT: An elliptic curve E modulo p (see Chapter 6), and an integer k.
QUESTION: Are there 2: k points on E?

The algorithm in [Schoof 1 985] answers this question in time 0(n8), where n =
O(ln p) is the input length. There is an algorithm due to Atkin that is much more
efficient in practice, but no one can prove a rigorous bound on its running time;
in particular, Atkin's algorithm is not known to be polynomial time.
Thus, empirically it seems that the problems in P that are of practical interest
all have efficient algorithms, although in some cases the most efficient algorithms
are different from the polynomial time algorithms and in other cases they are not
the ones that lend themselves to a rigorous analysis of the running time.
Definition 4.2. A decision problem P is in the class NP if, given any instance of

P, a person with unlimited computing power not only can answer the question,
but in the case that the answer is "yes", she can supply evidence that another
person could use to verify the correctness of the answer in polynomial time.
Her demonstration that her "yes" answer is correct is called a "certificate" (more
precisely, a polynomial time certificate).
A decision problem P is said to be in the class co-NP if the above condition
holds with "yes" replaced by "no". That is, for any instance having a "no" answer
there must exist a polynomial time certificate that the "no" answer is correct.
Example 4. 8. Consider the above decision version of Integer Factorization:

INPUT: Positive integers N and k.

QUESTION: Does N have a factor in the interval [2, k] ?
This problem is almost certainly not in P. However, it is in NP. Namely, suppose
that an all-powerful person (such as God or an advanced extraterrestrial being)
factors N and finds that it has a factor NJ E [2, k]. After this person tells you that
the answer is "yes", she supplies NJ, from which you can verify the correctness
of her answer in polynomial time, simply by dividing M into N.
The Integer Factorization problem is also in co-NP, although to see this requires
more thought. If the answer to the above question is "no", the extraterrestrial gives
you the complete prime factorization of N, from which you can immediately see
that there is no prime factor ::; k. At the same time she must also give you a
certificate with which you can verify in polynomial time that each of the prime
factors really is prime. There are various certificates that can be given; the oldest
and simplest is due to Pratt (see, for example, Theorem 8.20 of [Rosen 1 993]).
Example 4. 9. The Traveling Salesrep decision problem is almost certainly not in P

(we'll have more to say about that later). However, it is in NP. That is, suppose that
an extraterrestrial being finds the most economical tour for the traveling salesrep,

4. P, NP, and NP-Completeness

39

and it turns out to have length less than or equal to k. She tells you that the answer
is "yes", and then shows you the route, at which point you can rapidly verify that
her "yes" answer is in fact correct.
In the same way, one easily sees that the 3-Coloring decision problem is in
NP.
If a problem is in P, then trivially it is in NP. That is, PcNP. It is almost certain
that NP is a much bigger class of problems than P, but this has not been proved.
The claim that P#NP is the most famous conjecture in computer science.
4.3 Reducing One Problem to Another
Definition 4.3. Let P 1 and P2 be two decision problems. We say that P 1 reduces to
P2 (more precisely, reduces to P2 in polynomial time) if there exists an algorithm

that is polynomial time as a function of the input length of P 1 and that, given any
instance P1 of P1 , constructs an instance P2 of P2 such that the answer for P1 is
the same as the answer for P2 .

One basic use for this notion of reduction is as follows. Suppose that we have
an efficient algorithm for P2 If P1 reduces to P2 , then we can use the algorithm
for P2 to solve P1 as well. Namely, given an instance of P1 , in polynomial time
we find a corresponding instance of P2 using the algorithm in Definition 4.3 . Then
if we apply our algorithm for P2 to this instance of P2 , the answer we get is also
the answer to our original P1 question. That is, an algorithm for P2 automatically
gives an algorithm for P1 . If our algorithm for P2 is a polynomial time algorithm,
then so is the resulting algorithm for P1 .
Example 4. 10. Let P1 be the following problem:

INPUT: A quadratic polynomial p(X) with integer coefficients.

QUESTION: Does p(X) have two distinct real roots?
Let P2 be the problem
INPUT: An integer N.
QUESTION: Is N positive?
We show that P1 reduces to P2 . Let p(X) aX 2 + bX + c be an instance of P1 .
Set N b2 - 4ac, which can be computed in polynomial time. Then the problem
P2 with input N has a "yes" answer if and only if the problem P1 with input
a X 2 + bX + c has a "yes" answer.
==

==

Definition 4.3 can also be used in a converse way. Suppose that we know (or
believe) the problem P1 to be very difficult. That is, we are virtually certain that
there is no efficient algorithm for it. If P1 reduces to P2, then it follows that there
is no efficient algorithm for P2 either.
Definition 4.3 is a little too restrictive. It is worthwhile to have a broader
definition of polynomial time reduction of P 1 to P2 that allows us to use several

40

Chapter 2. Complexity of Computations

different instances of P2 to solve a single instance of P1 To give such a definition,

we first say what is meant by an "oracle".

Definition 4.4. Let P2 be a decision or search problem. In describing an algorithm

for some other problem P1 , whenever we say "call to a P2 -oracle" we mean
that our algorithm has created an instance of P2 , and we suppose that some
other algorithm then gives us the corresponding P2 -output. The time taken by
this algorithm for P2 is not included in the running time for the algorithm for P1 .
In other words, we pretend that the algorithm for P2 is a "black box" that works
instantaneously.

To use the language of computer programming, we can think of an oracle as a

subroutine that we are free to call upon without including its running time in our
estimate for the total running time of our program.
Definition 4.5. Let P1 and P2 be two problems (either decision problems or search
problems). We say that P1 reduces to Pz in polynomial time if there is a polynomial
time algorithm for P1 that uses at most polynomially many calls to a P2 -oracle.
Example 4. 1 1 . Let P1 be the Integer Factorization search problem, and let Pz be
the Integer Factorization decision problem. We saw that P1 can be solved with n
calls to a P2 -oracle, where n is the input length. (Example 4.7 goes through the
procedure in the case when N = 9 1 , n = 7.) Thus, P1 reduces to P2 .

4.4 NP-Complete Problems

Definition 4.6. A decision problem P in NP is said to be "NP-complete" if every

other problem Q in NP can be reduced to P in polynomial time.

To put it another way, if one had a polynomial time algorithm for an NP

complete problem P, then one would also have polynomial time algorithms for
all other NP problems Q. This would mean that P equals NP, and the P/NP
conjecture would be false. For this reason, no one is likely to come up with a
polynomial time algorithm for any NP-complete problem. In a sense, the NP
complete problems are the most difficult problems in the class NP.
This statement should be taken cautiously. One might be able to produce an
efficient algorithm - even a polynomial time algorithm - that gives an answer to
most instances of a certain NP-complete problem. This would not contradict the
P/NP conjecture.
In practice, though, it is usually hard to efficiently solve large instances of
an NP-complete problem. Often the running times of all known algorithms grow
exponentially with the length of the input.
It can be shown that the Traveling Salesrep problem in Example 4.5 is NP
complete (see [Garey and Johnson 1 979]). Suppose that one has a very complicated
instance with several hundred cities - say, the business class airfare map for the
U.S. It might take millions of millions of years - longer than the lifetime of the

4. P, NP, and NP-Completeness

41

Universe - for the fastest computers to find an optimal solution to this instance of
the Traveling Salesrep problem.
It can also be shown that 3-Coloring is NP-complete.
Finally, note that it is possible for a problem P to reduce to an NP-problem
even though P itself is not likely to be in NP.
Example 4. 12. The Exact Traveling Salesrep problem is the following decision

problem.

INPUT: A set of cities and distances between them, and an integer k.

QUESTION: Does a shortest tour through all the cities have length exactly
equal to k?
To provide a certificate for a "yes" answer it would not be enough simply to
show a tour of length k; the extraterrestrial in Definition 4.2 would have to some
how convince us that there is no shorter tour. It is very unlikely that this could
be done. (The existence of such a certificate would mean that NP=co-NP; see
the answer to Exercise 1 1 (b) below.) On the other hand, one can use the binary
search method to reduce the Exact Traveling Salesrep decision problem to the
Traveling Salesrep decision problem. It is also possible (but a little harder - see
[Papadimitriou 1 994], p. 41 1-4 1 2) to show the converse: that Traveling Salesrep
reduces to Exact Traveling Salesrep. In such a case we say that the two problems
are polynomial time equivalent (sometimes the term "NP-equivalent" is used).
We conclude this section with a definition that applies to problems that are not
necessarily in NP.
Definition 4.7. A decision or search problem is said to be NP-hard if any NP
problem reduces to it.

Because of the transitivity of reduction, to show that a problem is NP-hard it

suffices to find a single NP-complete problem that reduces to it.
Exercises for 4

1 . Arrange these problems from lowest to highest according to input length:

(a) the problem of multiplying together 20 integers, each ;::; 1 0 100 ;
(b) a Traveling Salesrep problem with 20 cities, where all of the distances are
integers between 1 and 100;
(c) the problem of finding the roots of a quadratic polynomial whose coefficients
are integers of about 50 digits;
(d) the problem of finding all prime factors of an integer of about 40 digits.
2. For which of the problems (a)-(d) in Exercise 1 do you know a polynomial
time algorithm?
3 . Using the big-0 notation, find an upper bound in terms of B for the input
length of the Traveling Salesrep problem if the number of cities is at most B and
the distance between any two cities is also at most B.

42

Chapter 2. Complexity of Computations

4. Explain why the 3-Coloring problem for maps may be regarded as a special
case of the 3-Coloring problem for graphs.
5 . Explain how to use an algorithm for the Traveling Salesrep decision problem
to solve the Traveling Salesrep search problem.
6. Suppose that P1 is the problem
INPUT: Two integers.
QUESTION: Are they equal?
Suppose that P2 is the problem
INPUT: Two equations ax +by = 0 and cx +dy = 0, where a, b, c, d are integers.
QUESTION: Do these equations have any common solutions (x, y) other than
(0, 0)?
Show that P2 reduces to P1 by constructing a reduction of instances of one problem
to instances of the other.
7. Suppose that P1 is the problem
INPUT: Two vectors in 3-dimensional space.
QUESTION: Are they proportional?
Suppose that P2 is the problem
INPUT: Two pairs of (non-proportional) vectors in 3-dimensional space.
QUESTION: Do both pairs of vectors span the same plane?
Show that P2 reduces to P 1 by constructing a reduction of instances of one problem
to instances of the other.
8. Let Pt be the problem
INPUT: A polynomial p(X) with integer coefficients.
QUESTION: Is there any interval of the real number line on which p(X)
decreases?
Let P2 be the problem
INPUT: A polynomial p(X) with integer coefficients.
QUESTION: Is there any interval of the real number line on which p(X) is
negative?
Show that P1 reduces to Pz .
9. Let P t be the following search problem:
INPUT: Two integers e and N, where N > 1 is odd.
OUTPUT: An integer d such that the map x ,__. x d modulo N inverts the map
x ,__. xe modulo N for all integers x prime to N, provided that such d exists; if
no such d exists, then the statement that such a d cannot be found.

4. P, NP, and NP-Completeness

43

Let P2 be:
INPUT: An odd integer N > 1 .
OUTPUT: A nontrivial factor M of N, or else the statement that N is prime.
Show that P1 reduces to P2 in the sense of Definition 4.5. P2 is the Integer
Factorization search problem, and P1 is the RSA problem. It is not known w hether
P2 reduces to P 1 (in which case the two problems would be "polynomial time
equivalent").
10. Let p be a fixed prime, and let g be a fixed integer not divisible by p. Let P1
be the following search problem:
INPUT: Two integers a and b.
k
OUTPUT:
( 1 ) If there exist integers k and l such that ak= g (modulo p) and
1
l
b = g (modulo p), then give the least positive residue of g modulo p. (2) If no
such k and l exist, then state that a and/or b is not a power of g modulo P-

Let Pz be the following search problem:

INPUT: An integer a.
k
OUTPUT: An integer k such that a = g (modulo p), if such k exists; other
wise, the statement that no such k exists.
Show that P1 reduces to P2 in the sense of Definition 4.5. P1 is called the Diffie
Hellman problem, and P2 is called the Discrete Logarithm problem. It is not known
whether P2 reduces to P1 , that is, whether the two problems are polynomial time
equivalent. In recent years important partial results have been proved that support
the conjecture that P 1 is equivalent to P2 . See, for example, [Boneh and Lipton
1 996] .
1 1 . Are the following decision problems likely to be in NP? Explain.
(a) INPUT: A positive integer N .
QUESTION: Is 1r(N) an even number?
Recall that 1r(N) denotes the number of primes less than or equal to N.
(b) INPUT: A list of cities and distances between any two cities, and an integer
k.
QUESTION: Do all tours that pass through all of the cities have length greater
than k?
(c) INPUT: A graph and an integer k.
QUESTION: Does the graph have k or more different 3-colorings?

12. If a subexponential time algorithm (see Definition 3 .2) is found for a n NP

complete problem, then any NP problem has a subexponential time algorithm.
True or false? Explain.

44

Chapter 2. Complexity of Computations

5. Promise Problems
5.1 The Cracking Problem

Suppose that we are trying to cryptanalyze a public key cryptosystem. That is, we
know the public enciphering key E and the one-to-one function fE from the set
P of plaintext message units to the set C of ciphertext message units. We intercept
some y E C , and we want to determine the unique x E P such that fE(x) = y.
This is known as the cracking problem for a public key cryptosystem. That is, the
cracking problem is as follows:
INPUT: E, fE : P ---+ C, y E C .
OUTPUT: x E P such that fE(x) = y.
Unlike the problems in the last section, the cryptanalyst knows something other
than the input. Namely, she knows that there exists x E P such that fE (x) = y
(in other words, y is contained in the image of the function), and, moreover, x is
unique. Thus, the cracking problem is of a slightly different sort from our earlier
examples, and so one needs a new definition that captures this situation.
Definition 5.1. A promise problem is a search or decision problem with a condition

attached to it. When analyzing an algorithm for a promise problem, we disregard

what happens when the condition fails - that is, we do not care if the algorithm
gives the wrong answer or no answer at all in such a case.
Example 5. 1. It is natural to regard the cracking problem for any public key en

cryption system as a promise problem. As before, we suppose that we know the

enciphering key E and the function fE : P ---+ C
.

INPUT: E, fE : P ---+ C, y E C.
PROMISE: fE is one-to-one, and y is in the image of fE
OUTPUT: x E P such that fE(x) = y.
Example 5. 2. The following is a promise version of the Integer Factorization search

problem:

INPUT: An integer N > 1 .

PROMISE: N i s a product of two distinct prime numbers.
OUTPUT: A nontrivial factor M of N.
An efficient algorithm for this promise problem would suffice to break RSA. Of
course, in the unlikely event that an efficient algorithm was found that could factor
a product of two primes but not a product of three primes, it would be easy to
modify RSA to use moduli that are products of three primes.

6. Randomized Algorithms and Complexity Classes

45

5.2 The Trapdoor Problem

Example 5.2 is of a different sort from Example 5 . 1 , although it is also related

to the problem of cryptanalyzing a public key encryption system. Example 5.2 is
concerned with solving the underlying mathematical problem upon which RSA is
based, whereas the cracking problem is the narrowest possible description of the
cryptanalyst's task.
It is important to distinguish between these two types of problems. We shall
use the term trapdoor problem for a promise problem that asks us to reverse the
basic mathematical construction of the trapdoor in a public key cryptosystem. If
we find an efficient algorithm for the trapdoor problem, then we will also have an
efficient algorithm for the cracking problem.
The converse is not necessarily true (and even if true, it might be very hard
to prove). That is, there might be ways of solving the cracking problem without
dealing directly with the underlying trapdoor function. No one has been able to
prove, for instance, that the only way to break RSA is to factor the modulus.
6. Randomized Algorithms and Complexity Classes
6.1 An Example
Example 6. 1. The randomized algorithm that follows is one of the best ways of

testing an odd number N to see whether it is prime. More precisely, the test will
determine either that ( 1 ) N is probably prime, or else (2) N is definitely composite.
First we write N - I in the form N - 1 = 28t, where 28 is the largest power
of 2 dividing N - I and t is an odd number. We randomly choose a number
a with 1 < a < N - 1 . Then we raise a to the (N - 1 )-st power modulo N
in two stages: (i) we find the least nonnegative residue of at modulo N by the
"square and multiply" method (see Example 3.5); and (ii) we successively square
at modulo N until we get a2 ' t = aN - I :
at mod N, au mod N, a4t mod N, . . . ,
. . . , a2 ' - ' t mod N, aN - I mod N .

(1)

Now w e note that if N i s a prime number, then

I ) aN - I = 1 (mod N) (this is Fermat's Little Theorem), so that the last number
in ( 1 ) will be 1 ;
2) if not all the numbers in ( 1 ) are I , then the first 1 in the list will be preceded
by N - I (this is because the only square roots of 1 modulo a prime number
N are 1 ).
When both 1 ) and 2) hold, we say that N passes the strong Fermat primality
test to the base a (also called "Miller's test" and "Rabin's probabilistic primality
test"). If N fails either 1) or 2), then it is definitely composite. If, however, N

Chapter 2. Complexity of Computations

46

passes the strong primality test to the base a, then there is "a greater than 75%
chance that N is prime". By this we mean that if N is composite, then it passes
the strong primality test to the base a for fewer than 25% of all a in the range
I < a < N - 1 (for a proof of this fact, see [Rosen 1 993], p. 302-305).
If the strong Fermat primality test is performed for k different randomly chosen
values of a, and if N satisfies 1) and 2) for all of these a, then we can say that
there is "at least a 1 - 4- k probability that N is prime".
6.2 The Complexity Class

RP

This complexity class captures what is going on in Example 6. 1 .

Definition 6.1. We say that a decision problem P is solvable in randomized poly
nomial time (or "probabilistic polynomial time") and we write P E RP if there

exists a polynomial time algorithm that includes a random selection of one or

more integers and, depending on that random choice, produces a "yes" or "no"
answer, where in the former case the "yes" answer is definitely correct and in the
latter case there is a probability greater than 112 that the "no" answer is correct.
In Example 6. 1 we saw that the following Compositeness problem is in RP:
INPUT: A positive odd integer N.
QUESTION: Is N a composite number?
Example 6.2. Another example of a problem in

alence.

RP

is Product Polynomial Inequiv

INPUT: Two sets of polynomials { P1 , , Pm } and { Q 1 , , Qn}, where each

of the P, and Q1 is a polynomial in one or several variables with rational coeffi
cients.
QUESTION: Are f1: 1 Pi and f1= I Qj different polynomials?
.

Here each polynomial in the input is listed by giving its terms with nonzero
coefficients. If the polynomials are "sparse" - that is, if most of their coefficients
are zero - then the input length will be much less than if the polynomials were
given by listing all of the terms (including the ones with zero coefficient) in
lexicographical order.
Notice that the running time for the obvious method of answering the question
- by simply multiplying out both sets of polynomials - is not generally bounded
by a polynomial in the input length. In fact, the number of nonzero terms in each
product polynomial might be exponentially large as a function of the input length.
However, there is a simple method to test whether or not f1 P, = f1 Q1 . Sup
pose that the P, and Q1 are polynomials in l variables X 1 , , X1 In some random
way choose l rational numbers x1 , . , Xl , and evaluate each of the polynomials
at xk = X b k = I , . . . , l. Then determine whether or not

n
m
II Pi(Xi , . . . , Xl ) = II Qj(X] , . . . , Xl )
i=l
;=I

6. Randomized Algorithms and Complexity Classes

47

If not, then you know that the two products of polynomials are unequal; that
is, the answer to Product Polynomial Inequivalence is definitely "yes". If, on the
other hand, the above products of rational numbers are equal, then the answer is
probably "no". Of course, one cannot be sure that two polynomials are identically
equal just because their values at a particular point are equal. But if their values
are equal at a large number of randomly chosen points, then one can say that they
are almost certain to be equal - that there is a probability at least 1 E that "no"
is the correct answer (where E is a constant that does not depend on the input).
Thus, Product Polynomial Inequivalence is in the complexity class RP.
-

E RP, then for any constant E > 0 one has an algorithm whose
"no" answers have a probability greater than 1 E of being correct. It suffices to
take k independent iterations of the algorithm in the definition, where k is chosen
so that 2 - k < E.

Remark. If P

6.3 The Complexity Class BPP

Definition 6.2. We say that a decision problem P is solvable with probability
bounded away from 1/2 in randomized polynomial time and we write P E BPP

if there exist a constant o > 0 and a polynomial time algorithm that includes a
random selection of one or more integers and, depending on that random choice,
produces a "yes" or "no" answer, where in either case the probability that the
answer is correct is greater than I /2 + o .
Remark. Just as in the case of RP (see the previous remark), if P E BPP, then for

any constant E > 0 one has an algorithm whose answers have a probability greater
than 1 E of being correct. Namely, we consider a new algorithm consisting of k
iterations of the algorithm in the definition, followed by a "vote": the answer to the
new algorithm is "yes" if and only if the answer to more than k/2 of the iterations
was "yes". Using standard techniques of probabilities and statistics, one can show
that for any constant o there exists a constant k such that there is a probability
greater than 1 E that the "vote" algorithm gives the correct answer. This is
intuitively obvious if we think of a weighted coin that has 1 /2 + o probability of
landing "heads" rather than "tails". If we toss the coin a sufficiently large number
of times, there is a greater than 99.9% chance that heads will come up more than
tails.
-

The definition of the class BPP is fairly broad. For instance, BPP contains
RP (see Exercise 3 below) and is probably much larger. Yet Definition 4.2 is still
stringent enough to guarantee* that we have a practical algorithm for the problem.

* The word "guarantee" is too strong here. See the discussion of P and practicality
following Definition 4. 1.

Chapter 2. Complexity of Computations

48

Exercises for 6
1 . As a function of the input length in the Compositeness problem, what is the
order of magnitude of time required for a single strong Fermat primality test?

2. Give a simple example of a set of polynomials { P1 , , Pm } such that the

number of terms in f1: 1 P; (after the product is multiplied out) is exponentially
large compared to the total number of nonzero terms in P1 ,
Pm
.

3 . Explain why BPP::::> R PUco-RP. Here co-RP denotes the set of decision problems
that satisfy the definition of RP with "yes" and "no" reversed. For example, the
following Primality problem, which is the reverse of the Compositeness problem,
is in co-RP:
INPUT: A positive odd integer N.
QUESTION: Is N a prime number?
4. Explain the difference between the sense in which you can solve a problem P
if P E RP U co-RP and the sense in which you can solve P if P E RP n co-RP.
(The latter class is often denoted ZPP. In [Adleman and Huang 1 992] it is shown
that Primality belongs to ZPP.)
7. Some Other Complexity Classes
7.1 The Polynomial Hierarchy

P and let E 1 = NP.

Definition 7.1. Define L1 2 to be pNP , which is the class of decision problems that
have a polynomial time reduction (in the sense of Definition 4.5) to a problem in
NP. In other words, P E L12 if there is a problem Q ENP and a polynomial time
algorithm for P that makes at most polynomially many calls on a Q-oracle.
Let L1 1

E2 to be NPNP This is the class of decision problems

whose "yes" answers have a certificate that can be verified by a polynomial time
algorithm using an oracle for a problem in NP. That is, an extraterrestrial with
unlimited computing power could, in the case of a "yes" answer to an instance of
the problem, produce a certificate such that the following holds: there is a problem
Q ENP and a polynomial time algorithm with at most polynomially many calls
on a Q-oracle that you can use to verify the certificate and thereby be certain that
the "yes" answer is correct.
Definition 7.2. Define

Notice the difference between NP and E2 In the former we need certificates

that can be checked in absolute polynomial time. In the latter we are allowed to use
an oracle for any fixed NP-problem in our algorithm for checking the certificate.
The classes L1 2 and E2 make up the "second level of the polynomial hierarchy",
along with IJ2 , which is the co-class of E2 , i.e., the class of problems that belong
to Ez after the question is reversed (so that the answer is "yes" whenever the

7. Some Other Complexity Classes

49

answer to the original problem is "no", and vice-versa). The successive levels of
the hierarchy are defined inductively as follows: L1 k +1 = p E k , Ek+ l = NPE k , and
ilk+ I =co-Ek +J , for k = 2, 3 , . . In other words, each level is constructed using
oracles for problems from the previous level.
.

Definition 7.3. The union of all of these classes, denoted PH, is called the "'poly

nomial hierarchy".

It is easy to see that each level of PH is contained in the next level. It has not
been proved that any of these containments are proper; it is conjectured that they
all are. If the P:rfNP conjecture turns out to be false, then the entire polynomial
hierarchy "collapses"; in other words, PH=P in that case. The study of PH itself
is mainly of theoretical interest; from a practical point of view, there are very few
interesting problems in PH that lie above the second level of the hierarchy.
7.2 Unique P
Definition 7.4. The class UP ("unique P") consists of NP-problems for which
there exists a prescription for a uniquely determined polynomial time certificate
for any instance having a "yes" answer.

For example, the Traveling Salesrep decision problem is not likely to belong to
UP. The obvious certificate for a "yes" answer - a description of a tour of length
::; k - is not, in general, unique. (See the remark preceding Example 4.4.)
On the other hand, any one-to-one function f : X ---+ Y that can be computed
in polynomial time gives a corresponding problem in UP, namely:
INPUT: y E Y.
QUESTION: Is there an x E X such that f(x) = y?
The certificate for a "yes" answer consists simply of the unique x for which
f(x) = y. It can be shown that the one-way encryption functions of public key
cryptography (see Definition 2. 1 of Chapter l) exist if and only if UP is strictly
larger than P.
It is obvious that PcUPcNP; however, neither of these inclusions has been
proven to be a strict inclusion. Of course, a proof either that P:rfUP or that UP:rfNP
would also be a proof of the fundamental P:rfNP conjecture.
7.3 Average Time

The notions of complexity discussed thus far all relate to the worst case of a
problem. For example, an NP-problem P is NP-complete if, roughly speaking, an
algorithm that efficiently solves all instances of P including the most difficult
ones - would lead to an efficient algorithm for any other NP-problem Q. But
suppose that we have an algorithm that efficiently solves most instances of an
NP-problem P (with some reasonable definition of the word "most"). That might
be enough for our practical applications. However, this would not necessarily
-

50

Chapter 2. Complexity of Computations

imply that we have a useful algorithm for Q. It might tum out that our method
of reducing Q to P usually leads to instances of P that are not included in the
"most" - that is, the instances of Q that are of practical interest might reduce to
instances of P that the algorithm cannot solve efficiently.
In cryptographic applications it is not really enough to know that the hardest
instances of the cracking problem or the trapdoor problem (see 5. 1-5 .2) are hard.
What one wants to know is that "most" instances (or most instances constructed
so that some additional conditions hold) are hard. For example, the security of
RSA is based on the assumption that most numbers obtained as the product of
two randomly chosen large primes are hard to factor.
How could one give a precise definition that captures this notion? The following
definition is due to Levin [ 1 984] .

/-Ln be a distribution
on the set of all instances of input length at most n. That means that J-tn is a function
that assigns a non-negative real number to any instance having input length at most
n, and the sum of the values of /-Ln on all such instances is equal to 1 . We say that
P is polynomial time on average with respect to the distributions J-tn if we have
an algorithm that solves P and has the following property: for some c > 0
Definition 7.5. Let P be a decision or search problem, and let

L T(it J-tn(i) = O(n)

as

n -+ oo ,

where T(i) is the time the algorithm takes to solve the instance
taken over all instances i of input length n or less.

i, and the

sum is

Intuitively, if S is a set of instances of P of input length at most n, then

(.z:= i ES P, n(i) ) - I can be thought of as a measure of the amount of time it takes to
find an instance in S by random sampling. Roughly speaking, Definition 7.5 says
that for some c > 0 it will take time at least f(n)" to find an instance of input
length n for which the running time of the algorithm is 2: j(n), where f(n) is a
rapidly growing function of n, such as nk for k large. (See Exercise 2 below.)
For more discussion of Levin's definition and other aspects of average-case
complexity and cryptography, see [Ben-David, Chor, Goldreich, and Luby 1 989]
and [Impagliazzo 1 995] .
7.4 Interaction

Both cryptographic protocols and games are characterized by interaction between

two or more "players". Various complexity classes have been defined to deal with
such situations. One of the most important is the class IP of problems solvable by
interactive proof systems.

Definition 7.6. The class IP consists of all decision problems that are solvable

by a procedure involving two players, one of whom (the "prover") has unlimited
computational power and the other of whom (the "verifier") has a source of random
bits and is subject to a polynomial bound on total computation time.

7. Some Other Complexity Classes

51

In an interactive proof system or the closely related Arthur-Merlin protocol,*

the verifier Arthur and the prover Merlin exchange messages. Merlin is like the
advanced extraterrestrial being in the definition of NP. He is presumed to have
unlimited computing power. He must convince Arthur that a certain instance of a
decision problem has answer 'yes.' Unless the problem is in NP, Merlin won't be
able to convince Arthur by simply sending him a single message (a polynomial
time certificate of a 'yes' answer - see Definition 4.2). Rather, it will probably
take a fairly lengthy interchange of messages before Arthur is convinced beyond
a reasonable doubt that the answer is 'yes.' Arthur might toss a coin and make
queries of Merlin. If he is satisfied with Merlin's responses, eventually he will
have to admit that there is a probability less than E that Merlin could have given
those answers if the correct answer were 'no.'
An important and unexpected result of Shamir [ 1 992] is that the class IP in
Definition 7.6 is the same as the class PSPACE, which consists of all decision
problems that can be solved by an algorithm with a polynomial bound on the
allowed memory but no bound on time. PSPACE is very large: it includes all of
PH (see Definition 7.3) and is probably much bigger.
There are complexity classes that are much, much larger even than the class
IP=PSPACE. For example, EXPSPACE is the class of all decision problems that
can be solved by an algorithm with an exponential bound on the allowed memory.
We shall later (see 4 of Chapter 5) encounter a problem P that is "EXPSPACE
hard". This term means that any problem in EXPSPACE can be reduced to P in
polynomial time.
7.5 Parallelism, Non-uniformity

The complexity concepts in the earlier sections do not cover all possible features
of an algorithm one might construct to break a cryptosystem. For example, some
problems can be solved using massively parallel computations. That is, algorithms
are known that can be greatly speeded up if we have a vast number of computers
all working at once. In other cases, all of the known algorithms have to be carried
out largely in series rather than in parallel, and so it would not help much to have
several processors simultaneously working on the problem.
We will not dwell on massively parallel complexity classes, because thus far
they have not been of great importance in cryptography. However, we shall give
one definition in order to give the flavor of the subject.
Definition 7.7. The class NC consists of decision problems for which there exist

constants C, and Cz and a deterministic algorithm that can solve an instance with
input length n in time bounded by ln ' n using at most n 2 processors at the same
time.
Another concept that has relevance to cryptography is non-uniformity.
*

The name comes from the legendary King Arthur and his wizard Merlin.

52

Chapter 2. Complexity of Computations

Definition 7.8. We say that a problem P is solvable in non-uniform polynomial

time and we write P EP/poly if there exists a polynomial p(n) and a sequence of

algorithms An such that the algorithm A n will solve all instances of input length
at most n in time bounded by p(n).

To show that a problem is in the class P/poly we must give a recipe for the
algorithms An . Notice that Definition 7.8 says nothing about the length of time this
recipe takes. For example, the set-up of these algorithms might require a lengthy
"pre-computation" whose running time grows exponentially in n. However, once
An is set up, it will be able to quickly solve an arbitrary instance of input length
S n.
In practice, it often happens that we know in advance that we will want to
solve instances of a problem P whose input lengths vary in a small range, for
example, 1 00 S n S 1 50. We might be willing to go to tremendous effort to set
up an algorithm that works only for n S 1 50. The time and money to do this
must be spent just once, after which the algorithm handles our needs cheaply and
efficiently. To some extent Definition 7.8 captures this situation.
Exercises for 7

1 . Prove that the trial division algorithm for factorization is not polynomial time
on average. More precisely, consider the problem
INPUT: A positive odd integer N.
OUTPUT: The smallest prime divisor of N.
Define the distribution J-Ln on all instances of binary length S n as follows: J-L n (i) =
1 /2 n - l . In the trial division algorithm one divides all odd numbers 3 , 5 , 7, . . . into
N until one either finds a divisor of N or else reaches VN (in the latter case N
is prime, and the output is N).
2. Suppose that for all c: > 0 there exists k > 1/ c: such that for all n n0 by
random sampling in time nke we can find an instance of P of input length S n for
which our algorithm takes time greater than nk . Show that P is not polynomial
time on average with respect to this algorithm in the sense of Definition 7.5.

3 . Suppose that Levin's property in Definition 7.5 were replaced by the following
slightly simpler statement: L T(i)J-Ln ( i) = O(nc) for some constant c. Show that
a function T(i) that satisfies this property also satisfies Levin's property, but the
converse is false.
4. Show that the following problem is in NC. The input consists of two polynomials
with integer coefficients, where the maximum absolute value of the coefficients is
less than the degree. The input is given by listing all of the coefficients (not only
the nonzero ones). The output is the sum of the two polynomials.
5. Show that NCCP (see Definition 7.8).

Chapter 3. Algebra

1. Fields

We start out by recalling the basic definitions and properties of a field.

Definition 1.1. A field is a set IF' with multiplication and addition operation s that

satisfy the familiar rules - associativity and commutativity of both addition and
multiplication, the distributive law, existence of an additive identity 0 and a mul
tiplicative identity 1 , additive inverses, and multiplicative inverses for everything
except 0.

The following fields are basic in many areas of mathematics: ( 1 ) the field
Q consisting of all rational numbers; (2) the field lE. of real numbers; (3) the field
C of complex numbers; (4) the field 7!.. /p'll.. of integers modulo a prime number p.
The latter field is often denoted IF'P and in some places it is denoted G F(p).

Definition 1.2. A vector space can be defined over any field IF' by the same pro

perties that are used to define a vector space over the real numbers. Any vector
space has a basis, and the number of elements in a basis is called its dimension. An
extension field, by which we mean a bigger field containing IF', is automatically a
vector space over IF'. We call it a finite extension if it is a finite dimensional vector
space. By the degree of a finite extension we mean its dimension as a vector space.
One common way of obtaining extension fields is to adjoin an element to JF: we
say that lK = IF'( a) if lK is the field consisting of all rational expressions formed
using a and elements of IF'.

Definition 1.3. The polynomial ring over the field IF' in the set of variables X

{X 1 , , Xm }, denoted IF'[ X], consists of all finite sums of products of powers of

X1 , . , Xm with coefficients in IF'. (When m = 2 we often use X and Y instead
of X 1 and X2 ; and if m = 3 we often use X, Y, Z.) One adds and multiplies
polynomials in IF'[X] in the same way as one does with polynomials over the
reals. We say that g divides f, where j, g E JF'[X], if there exists a polynomial
h E JF'[X] such that f = gh. The irreducible polynomials f E JF'[X] are those
such that the relation f = gh implies that either g or h is a constant; they play
the role among the polynomials that the prime numbers play among the integers.
In this section all polynomials will be in one variable, so we take m = 1 and
X = X 1 The degree d of a polynomial in one variable is the highest power of X

54

Chapter 3. Algebra

that occurs with nonzero coefficient. We say that the polynomial is monic if the
coefficient of x d is 1 .
Polynomial rings (in one or more variables) have unique factorization, meaning
that every polynomial in lF[X] can be written in one and only one way (except
for constant terms and the order of factors) as a product of irreducible elements
of lF[X].
Definition 1.4. An element ex in some extension field lK containing lF is said to be
algebraic over lF if there is a polynomial in one variable j(X) E lF[X] such that
j(ex) = 0. In that case there is a unique monic irreducible polynomial in lF[X] of

which ex is a root (and any other polynomial that ex satisfies must be divisible by
this monic irreducible polynomial). This monic irreducible polynomial is called
the minimal polynomial of ex.

If the minimal polynomial of ex has degree d, then any element of lF(ex) (that is,
any rational expression involving powers of ex and elements of lF) can be expressed
as a linear combination of the powers 1 , ex, ex2 , . . . , ex d - 1 . Thus, those powers of
ex form a basis of lF(ex) over lF, and so the degree of the extension obtained by
adjoining ex is the same as the degree of the minimal polynomial of ex.
Definition 1.5. Any other root ex' of the minimal polynomial of ex is called a
conjugate of ex over lF. The product of all of the conjugates of ex (including ex
itself) is called its norm.* If ex' is a conjugate of ex, then the fields lF(ex) and JF(ex')
are isomorphic by means of the map that takes any expression in terms of ex to

the same expression with ex replaced by ex'. The word "isomorphic" means that
we have a 1 -to- 1 correspondence between the two fields that preserves addition
and multiplication. If it happens that lF(ex) and lF ( ex') are the same field, we say
that the map that takes ex to ex' gives an automorphism of the field.
For example, ,fi has one conjugate over Q, namely - ,fi, and the map a +
b,fi e-t a - b,fi is an automorphism of the field Q( ,fi) (which consists of all
real numbers of the form a + b,fi with a and b rational).
Definition 1.6. The derivative of a polynomial in one variable and the partial
derivatives of a polynomial in several variables are defined using the nx n - 1 rule

(not as a limit, since limits don' t make sense unless there is a concept of distance
or a topology in lF).

A polynomial f of degree d in one variable X may or may not have a root

r E lF, that is, such that j(r) = 0. If it does, then the degree- ! polynomial X - r
divides J; if (X - r)m is the highest power of X - r that divides f, then we
say that r is a root of multiplicity m. Because of unique factorization, the total
number of roots of f in lF counting multiplicity cannot exceed d. If a polynomial
* Here we are assuming that our field extension is separable, as is always the case in this
book. Algebraic extensions of finite fields and extensions of fields of characteristic zero are
always separable.

2. Finite Fields

55

f E IF'[ X] has a multiple root r , then r will be a root of both f and its derivative
f', and hence a root of the greatest common divisor (see 3) of f and f', which
is denoted g.c.d.(f, f').
Definition 1.7. Given any polynomial f(X) E IF'[X] in one variable, there is an

extension field llC of IF' such that j(X) E l!C[X] splits into a product of linear
factors (equivalently, has d roots in llC counting multiplicity, where d is its degree)
and such that llC is the smallest extension field containing those roots. llC is called
the splitting field of f. The splitting field is unique up to isomorphism, meaning
that if we have any other field l!C' with the same properties, then there must be a
1 -to- 1 correspondence llC l!C' that preserves addition and multiplication.
For example, Q(Vl) is the splitting field of f(X) = X 2 - 2 E Q[X ] . To
obtain the splitting field of j(X) = X 3 - 2 E Q[X] one must adjoin to Q both
12 and A. (Recall that the nontrivial cube roots of 1 are ( - 1 0)/2, so
that adjoining R is equivalent to adjoining all cube roots of 1 .)
Definition 1.8. If a field IF' has the property that every polynomial with coefficients
in IF' factors completely into linear factors, then we say that IF' is algebraically
closed. Equivalently, it suffices to require that every polynomial with coefficients

in IF' have a root in IF'. For instance, the field C of complex numbers is algebraically
closed.
The smallest algebraically closed extension field of IF' is called the algebraic
closure of IF'. It is denoted iF. For example, the algebraic closure of the field of
real numbers is the field of complex numbers.
Definition 1.9. If adding the multiplicative identity 1 to itself in IF' never gives
0, then we say that IF' has characteristic zero; in that case IF' contains a copy of

the field of rational numbers. Otherwise, there is a prime number p such that
1 + 1 + + 1 (p times) equals 0, and p is called the characteristic of the field IF'.
In that case IF' contains a copy of the field 7Lfp7L, which is called its prime field.

Exercises for 1

1 . Let llC be the splitting field of the polynomial X 3 - 2 over IF'. Find the degree of
if IF' is (a) Q; (b) lR; (c) IF's = 7L/57L; (d) JF'7 = 7Lj77L; (e) IF'3 1 = '1L/3 17L. Explain
your answers.

llC

2. Prove that a polynomial in IF'p [X] has derivative identically zero if and only if
it is the p-th power of a polynomial in IF'p [X] . Give a criterion for this to happen.
2. Finite Fields

Let IF' q denote a field that has a finite number q of elements in it. Clearly a finite
field cannot have characteristic zero; so let p be the characteristic of IF' q Then
IF' q contains the prime field IF'P = 7L/p7L, and so is a vector space - necessarily

56

Chapter 3. Algebra

finite dimensional - over IF'p Let f denote its dimension as an IF'P -vector space.
By choosing a basis, we can set up a l -to- 1 correspondence between the elements
of this f -dimensional vector space and the set of all f -tuples of elements in IF'P '
It follows that there must be p f elements in IF'q That is, q is a power of the
characteristic p.
We shall soon see that for every prime power q = p f there is a field of q
elements, and it is unique (up to isomorphism).
But first we investigate the multiplicative order of nonzero elements of IF'q . By
the "order" of a nonzero element we mean the least positive power which is l .
2.1 Existence of Multiplicative Generators of Finite Fields

There are

q 1 nonzero elements, and, by the definition of a field, they form an

-

abelian group with respect to multiplication. This means that the product of two

nonzero elements is nonzero, the associative law and commutative law hold, there
is an identity element l , and any nonzero element has an inverse. The group of
nonzero elements of IF'q is denoted IF' .
It is an easily proved fact about finite groups that the order of any element
must divide the number of elements in the group. Thus, the order of any a E IF'
divides q - l .
Definition 2.1. A generator g of a finite field IF' q is an element of order q - 1 ;
equivalently, g is a generator if the powers of g run through all nonzero elements
of IF'q .

The next theorem gives a basic fact about finite fields. It says that the nonzero
elements of any finite field form a cyclic group; in other words, they are all powers
of a single element.
Theorem 2.1. Every finite field has a generator. If g is a generator of IF', then gJ
is also a generator if and only if g.c.d.0, q - 1 ) = l. Thus, there are a total of
r.p(q - 1 ) different generators of IF', where r.p denotes the Euler r.pjunction.
Proof. Suppose that

a E IF' has order d; that is, ad = l and no lower power of a

gives l . As mentioned above, d divides q - l . Since a d is the smallest power that
equals l , it follows that the elements a, a2 , . . . , a d = 1 are distinct. We claim that
the elements of order d are precisely the r.p(d) values aJ for which g.c.d.(j, d) = l .
First, since the d distinct powers of a all satisfy the equation X d = 1 and since
the polynomial x d 1 has at most d roots in a field, it follows that the powers of
a exhaust all of the roots of this equation. Any element of order d must therefore
be among the powers of a. However, not all powers of a have order d. Namely, if
g.c.d.(j, d) = d' > l , then al has lower order - in fact, (aj ) d f d ' = l . Conversely,
if g.c.d.(j, d) = l , then we can write ju - dv = l for some integers u and v, and
from this it follows that a = a l +dv = (aj )u is a power of a1 , and so a and a1 have
the same order (because each is a power of the other). Thus, aJ has order d if and
only if g.c.d.(j, d) = l .
-

2. Finite Fields

57

This means that, if there is any element a of order d, then there are exactly <p(d)
elements of order d. So for every d dividing q - 1 there are only two possibilities:
no element has order d, or exactly <p ( d ) elements have order d. The rest of the
argument depends on the following lemma.
Lemma 2.1. For any integer N

>

1 one has

L <p(d) = N
diN

To prove the lemma, we partition the set { 0, 1, . . . , N - 1} according to

g.c.d. with N. That is, we put j in the set Sd if g.c.d.(j, N) = d. As d ranges
over all divisors of N, so does the integer d' determined by setting N = d d' .
Clearly, the set Sd consists of the <p(d') different values of j = j' d for which
g.c.d.(j', d') = 1 . Since the set { 0, 1 , . . . , N - 1 } is the disjoint union of the Sd as
d (and hence d') ranges over the divisors of N, it follows that N = L: d ' I N <..p ( d'),
as claimed.
We now return to the proof of the theorem. Every element of IF has some
order d dividing q 1 . And there are either 0 or <p ( d) elements of each possible
order d. Letting N = q - 1 in Lemma 2. 1 , we have l:: d l q I <p(d) = q - 1 , which is
the number of elements in IF . Thus, if we partition the elements of IF according
to their orders, we see that the only way that every element can have some order
d dividing q - 1 is if there are always <p ( d) (and never 0) elements of order d. In
particular, there are <p(q - 1 ) elements of order q - 1 ; and, as we saw in the first
paragraph of the proof, if g is any element of order q - 1, then the other elements
of order q - 1 are precisely the powers gJ for which g.c.d.(j, q - 1 ) = 1. This
completes the proof. D

Corollary 2.1. For every prime p, there exists an integer

of g exhaust all nonzero residue classes modulo p.

g such that the powers

Example 2. 1. We can get all residues mod 19 from 1 to 1 8 by taking powers of

2. Namely, the successive powers of 2 reduced mod 19 are: 2, 4, 8, 1 6, 1 3 ,

9, 1 8, 17, 15, 1 1 , 3, 6, 12, 5, 10, 1 .

7,

14,

2.2 Existence and Uniqueness of Finite Fields

with Prime Power Number of Elements

We prove both existence and uniqueness by showing that a finite field of q = p f

elements is the splitting field (see Definition 1 .7) of the polynomial X q - X . The
following theorem shows that for every prime power q there is one and (up to
isomorphism) only one finite field with q elements.
Theorem 2.2. If IF q is a field of q = pf elements, then every element satisfies the
equation X q - X = 0, and IF q is precisely the set of roots of that equation. Con
versely, for every prime power q = pf the splitting field over IF of the polynomial

Xq - X

is a field of q elements.

58

Chapter 3. Algebra

Proof. First suppose that IF' q is a finite field. Since the order of any nonzero element
divides q - l , it follows that any nonzero element satisfies the equation x q - l = 1 ,
and hence, if we multiply both sides b y X , the equation X q = X. O f course, the
element 0 also satisfies the latter equation. Thus, all q elements of IF'q are roots of
the degree-q polynomial X q - X. Since this polynomial cannot have more than q
roots, its roots are precisely the elements of IF' q Notice that this means that IF'q is
the splitting field of the polynomial X q - X, that is, the smallest field extension
of IF'P that contains all of the roots of this polynomial.
Conversely, let q = p f be a prime power, and let IF' be the splitting field over
IF'P of the polynomial X q - X. Note that X q - X has derivative qX q - l - 1 = - 1
(because the integer q is a multiple of p and so is zero in the field IF'p ); hence, the
polynomial X q - X has no common roots with its derivative (which has no roots
at all), and therefore has no multiple roots. Thus, IF' must contain at least the q
distinct roots of X q - X. But we claim that the set of q roots is already a field.
The key point is that a sum or product of two roots is again a root. Namely, if a
and b satisfy the polynomial, we have a q = a, b q = b, and hence (ab) q = ab, and so
the product is also a root. To see that the sum a + b also satisfies the polynomial
X q - X = 0, we note a fundamental fact about any field of characteristic p:
Lemma 2.2.

(a +b)P = aP +bP

in any field of characteristic p.

The lemma is proved by observing that all of the intermediate terms vanish in
the binomial expansion 'Ljo (j) aP - j OJ , because p ! /(p - j ) !j ! is divisible by p
for 0 < j < p.
Repeated application of the lemma gives us: aP + bP = (a + b)P, aP' + bP' =
(aP + bP)P = (a + b)P' , . . . , aq + bq = (a +b) q . Thus, if aq = a and bq = b it follows
that (a + b) q = a +b, and so a + b is also a root of X q - X. We conclude that the
set of q roots is the smallest field containing the roots of X q - X; in other words,
the splitting field of this polynomial is a field of q elements. This completes the
proof. 0
In the proof we showed that raising to the p-th power preserves addition and
multiplication. We derive another important consequence of this in the next theo
rem.
Theorem 2.3. Let IF'q be the finite field of q = pf elements, and let IJ be the map
that sends every element to its p-th power: !J(a) = ar: Then IJ is an automorphism
of the field IF'q (a 1 -to-1 map of the field to itself which preserves addition and
multiplication - see Definition 1 .5 ). The elements of IF' q which are kept fixed by
IJ are precisely the elements of the prime field IF'p The f -th power (and no lower
power) of the map IJ is the identity map.
Proof. A map that raises to a power always preserves multiplication. The fact that

IJ preserves addition comes from Lemma 2.2. Notice that for any j the j-th power
of IJ (the result of applying IJ repeatedly j times) is the map a ,..... aP' . Thus, the
elements left fixed by IJ j are the roots of XP' - X. If j = 1 , these are precisely
the p elements of the prime field (this is Fermat's Little Theorem). The elements

2. Finite Fields

59

left fixed by a-f are the roots of X q - X, i.e., all of IF q Since the f -th power of a
is the identity map, a- must be 1 -to- 1 (its inverse map is a-f-I : a >--> aP 1 -1 ). No
lower power of a- gives the identity map, since for j < f not all of the elements
of IF q could be roots of the polynomial XP' - X. This completes the proof. D
Theorem 2.4. In the notation of Theorem 2.3, if o: is any element of IF q then
the conjugates of o: over IFP (the elements of IF q which satisfy the same monic
irreducible polynomial with coefficients in IFp ) are the elements a-j (o:) = o:P:
Proof. Let d be the degree of IFp (o:) as an extension of iFw That is, IFp(o:) is a copy

of IFP " . Then o: satifies XP " - X but does not satisfy XP' - X for any j < d. Thus,
one obtains d distinct elements by repeatedly applying a- to o:. It now suffices to
show that each of these elements satisfies the same monic irreducible polynomial
f(X) that o: does, in which case they must be the d roots. To do this, it is enough
to prove that, if o: satisfies a polynomial j(X) E IFp [X], then so does al? Let
f(X) = L, a1 Xj , where a1 E IFw Then 0 = f(o:) = L, a1 o: j . Raising both sides
to the p-th power gives 0 = L,(a1 ai)P (where we use Lemma 2.2). But a = aj ,
by Fermat's Little Theorem, and so we have: 0 = L, a1 (o:P)J = f(o:P), as desired.
This completes the proof. D
2.3 Explicit Construction

So far our discussion of finite fields has been rather theoretical. Our only practical
experience has been with the finite fields of the form IFp = Z/pZ. We now discuss
how to work with finite extensions of IFp . At this point we should recall how in
the case of the rational numbers Q we work with an extension such as Q( Vl).
Namely, we get this field by taking a root o: of the equation X 2 - 2 and looking
at expressions of the form a + bo:, which are added and multiplied in the usual
way, except that o: 2 should always be replaced by 2. (In the case of Q( ) we
work with expressions of the form a + bo: + co: 2 , and when we multiply we always
replace cr 3 by 2.) We can take the same general approach with finite fields.

Example 2.2. To construct IF9 we take any monic quadratic polynomial in lF 3 [X]
which has no roots in IF3 . By trying all possible choices of coefficients and testing
whether the elements 0, l E IF3 are roots, we find that there are three monic
irreducible quadratics: X 2 + 1 , X 2 X - 1 . If, for example, we take o: to be a
root of X 2 + 1 (let's call it i rather than o: after all, we are simply adjoining a
square root of - 1 ), then the elements of IF9 are all combinations a + bi, where a
and b are 0, 1 , or - 1 . Arithmetic in IF9 is thus a lot like arithmetic in the Gaussian
integers (the set of complex numbers a + bi where a and b are integers), except
that in IF9 we work with coefficients a and b that are in the tiny field IF3 .
Notice that the element i that we adjoined is not a generator of IF9 , since it has
order 4 rather than q- 1 = 8. If, however, we adjoin a root o: of X 2 - X - 1 , we can
get all nonzero elements of IF9 by taking the successive powers of o: (remember
that o:2 must always be replaced by o: + 1, since o: satisfies X 2 = X + 1): cr 1 = o:,
-

60

Chapter 3. Algebra

a 2 = a + 1 , a3 = - a + 1 , a 4 = - 1 , a 5 = -a, a6 = -a - 1 , a7 = a - 1, a 8 = 1 . We
sometimes say that the polynomial X 2 - X - l is primitive, meaning that any

root of the irreducible polynomial is a generator of the group of nonzero elements

of the field. There are 4 = ip(8) generators of w; , by Theorem 2. 1 : two are the
roots of X 2 - X - l and two are the roots of X 2 + X - 1 . (The second root of
X 2 - X - l is the conjugate of a, namely, O"(a) = a 3 = - a + 1.) Of the remaining
four nonzero elements, two are the roots of X 2 + 1 (namely i = (a + l )) and the
other two are the two nonzero elements l of IF'3 (which are roots of the degree- 1
monic irreducible polynomials X - l and X + 1 ) .
Recall that i n any finite field IF'q , q = pf , each element a satisfies a unique
monic irreducible polynomial over IF'p of some degree d. Then the field IF'p(a)
obtained by adjoining this element to the prime field is an extension of degree d
that is contained in IF' q . That is, it is a copy of the field IF'P " . Since the big field
IF'p t contains IF'P " ' and so is an IF'P " -vector space of some dimension f', it follows
that the number of elements in IF'p t must be (pd)f' ; in other words, f = df Thus,
d/f. Conversely, for any d/f the finite field IF'P " is contained in IF' q , because any
"
solution of XP = X is also a solution of" X P 1 = X. (To see this, note that
" for
any d', if you repeatedly replace X by X P on the left in the equation X P = X,
dd '
you can obtain X P = 1 .) Thus, we have proved:
Theorem 2.5. The subfields of IF'pf are the IF'P " for d dividing f. If an element of
IF'pf is adjoined to IF'P ' one obtains one of these fields.
It is now easy to prove a formula that is useful in determining the number of
irreducible polynomials of a given degree.
Theorem 2.6. For any q = p f the polynomial X q - X factors in IF'p [X] into the

product of all monic irreducible polynomials of degrees d dividing

f.

IF'p a root a of any monic irreducible polynomial of degree

d/ f, we obtain a copy of JF'P d ' which is contained in IF'p t Since a then satisfies
X q - X = 0, the monic irreducible must divide that polynomial. Conversely, let
Proof. If we adjoin to

j(X) be a monic irreducible polynomial that divides X q - X. Then j(X) must

have its roots in IF'q (since that's where all of the roots of X q - X are). Thus
f(X) must have degree dividing f, by Theorem 2.5, since adjoining a root gives
a subfield of IF'q . Thus, the monic irreducible polynomials that divide X q - X are
precisely all of the ones of degree dividing f. Since we saw that X q - X has
no multiple factors, this means that X q - X is equal to the product of all such
irreducible polynomials, as was to be proved. D
Corollary 2.2. If f is a prime number, then there are (pf - p)/ f distinct monic
irreducible polynomials of degree f in IF'p [X].
Notice that (pf - p)/ f is an integer because of Fermat's Little Theorem for
the prime f, which states that p f = p mod f. To prove the corollary, let n
be the number of monic irreducible polynomials of degree f. According to the
proposition, the degree-p f polynomial X P 1 - X is the product of n polynomials

2. Finite Fields

61

of degree f and the p degree- 1 irreducible polynomials X - a for a E 1Fp. Thus,

equating degrees gives: p f = nf + p, from which the desired equality follow s.
More generally, suppose that f is not necessarily prime. Let n d denote the
number of monic irreducible polynomials of degree d over lFp Using an argllment
similar to the proof of Corollary 2.2, we find that n f = (p f - ' d n d )/ f, where
the summation is over all d < f that divide f.
We now extend the time estimates in Chapter 2 for arithmetic modulo p to
general finite fields.
Theorem 2.7. Let lF q ' where q = pf , be a finite field, and let F(X) be an irreduc
ible polynomial of degree f over lFp Then two elements of lF q can be multiplied
or divided in 0(ln2 q) bit operations. If N is a positive integer, then an element
of lF q can be raised to the N-th power in O(In N ln2 q) bit operations.
Proof. An element of lF q is a polynomial with coefficients in

1Fp = 7l/p7l regarded

modulo F(X). To multiply two such elements, we multiply the polynomials - this
requires O(j l ) multiplications of integers modulo p (and some additions of inte
gers modulo p, which take much less time) - and then divide the polynomial F(X)
into the product, taking the remainder polynomial as our answer. The polynomial
division involves O(f) divisions of integers modulo p and O(jl ) multiplications
of integers modulo p. Since a multiplication modulo p takes 0(ln2 p) bit opera
tions, and a division (using the Euclidean algorithm, for example) takes 0(ln2 p)
bit operations (see Example 3.4 of Chapter 2), the total number of bit operations
is: O(j l ln2 p) = O(ln2 q). To prove the same result for division, it suffices to show
that the reciprocal of an element can be found in time O(ln2 q). Using the Eucli
dean algorithm for polynomials over the field lFP (see 3 below), we must write 1
as a linear combination of our given element in lF q (that is, a given polynomial of
degree < f) and the fixed degree-f polynomial F(X). Using the same argument
as i Example 3 .4 of Chapter 2, we see that this involves O(j l ) operations in
JFP , and hence O(j 2 ln2 p) = 0(ln2 q) bit operations. Finally, an N-th power can
be computed by the repeated squaring method in the same way as modular ex
ponentiation (see Example 3.5 of Chapter 2). This takes O(ln N) multiplications
(or squarings) of elements of lFq , and hence O(ln N ln2 q) bit operations. This
completes the proof. 0
Exercises for 2
I . For p = 2, 3 , 5 , 7, 1 1 , 1 3 and 17, find the smallest positive integer which gener
ates JF;, and determine how many of the integers I , 2, 3 , . . , p - 1 are generators.
.

2. Let (7l/pa7l)* denote all residues modulo pa that are invertible, i.e., are not
divisible by p. Warning: Be sure not to confuse 7l/pa7l (which has pa - p a- t
invertible elements) with lFP a (in which all elements except 0 are invertible) . The
two are the same only when a = I .

Chapter 3 . Algebra

62

(a) Let p > 2, and let g be an integer that generates w;. Let a be any integer
greater than 1 . Prove that either g or (p + 1 )g generates (Z/pa'Z)* . Thus, the latter
is also a cyclic group.
(b) Prove that if a > 2, then (Z/2aZ)* is not cyclic, but that the number 5
generates a subgroup consisting of half of its elements, namely those which are
= l mod 4.
3 . If p is a prime not equal to 7, find a simple way to find the degree over IF'p of
the splitting field of the polynomial X 6 + X 5 + X 4 + X 3 + X 2 + X + 1 .
4. For each degree d :::; 6 , find the number of irreducible polynomials over IF'2 of
degree d, and make a list of them.
5. For each degree d :::; 6, find the number of monic irreducible polynomials over
IF'3 of degree d, and for d :::; 3 make a list of them.
6. Suppose that f is a power of a prime . Find a simple formula for the number
of monic irreducible polynomials of degree f over IF'P .
7. Suppose that a E JF'P, satisfies the polynomial X 2 + aX + b, where a, b E IF'p.
(a) Prove that aP also satisfies this polynomial.
(b) Prove that if a !/. IF'p, then a = -a - aP and b = aP+ 1 .
(c) Prove that if a !f. IF'p and c, d E IF'P ' then (ca + d)P+ l = d2 - acd + bc2 (which
is an element of IF'p).
(d) Let i be a square root of -1 in JF' 1 9, . Use part (c) to find (2 + 3i) 1 0 1 (that is,
write it in the form a + bi, a, b E IF' 1 9).
8. For each of the following fields IF' q , where q = pf , find an irreducible polynomial
with coefficients in the prime field whose root a is primitive (i.e., generates w ; ),
and write all of the powers of a as polynomials in a of degree less than f: (a)
JF'4 ; (b) IF's ; (c) IF'27 ; (d) IF'2s 9. (a) Under what conditions on p and f is every element of IF'p f besides 0 and 1
a generator of w;f ?
(b) Under what conditions is every element besides 0 and l either a generator or
the square of a generator?

10. Let a be the automorphism of IF'q in Theorem 4.2. Prove that the set of elements
left fixed by ai is the field IF'P" , where d =g.c.d.(j, f).
11.

Prove that if b is a generator of w;f and if dl f, then b(P

of w; .

"-

f l )/ (p t) is a generator

12. Prove that the number of k-th roots of unity in IF'p f is equal to g.c.d.(k, pf - l ) .
1 3 . Let q = pf , and consider the field lK = IF'pfn = IF'q n . Prove that the polynomial
g(X) = 2::: ,.;;; 1 X q ' gives an IF'q -linear map from lK to IF' q that is surjective, i.e.,
takes all possible values in IF'q . This polynomial is called the "trace". Also show
that there are exactly qn - l elements of lK with each possible trace. In other words,
the equation g(X) = y has qn - l solutions in lK for each y E IF' q

 3 . The Euclidean Algorithm for Polynomials

63

14. Let q be a power of an odd prime.

(a) Prove that an element z E IF has a square root in IF if and only if z ( q - 1 l/2 = 1 .
If q = 1 (mod 4), and if z E IF is chosen at random, show that there i s a 50%
chance that y = z ( q - 1 )/4 is a square root of - 1 .
(b) Describe how the Euclidean algorithm (see 3.3 of Chapter 2 ) works in the
Gaussian integers.
(c) Suppose that p = 1 (mod 4) and y is an integer between I and p such that
y 2 = - 1 (mod p) . Show that by applying the Euclidean algorithm in part (b) to the
Gaussian integers y + i and p, one can write p as a sum of two squares: p = c2 + d2 .
For example, carry this out when p = 29 and y = 12. If p is a very large prime,
then the above procedure is an efficient way to write p as a sum of two squares.
3. The Euclidean Algorithm for Polynomials

In this section we are still working with polynomials in a single variable. Multi
variable polynomials will be the subject of 4-5.
Definition 3.1. The greatest common divisor of two polynomials f, g E

IF[ X] is
the monic polynomial of largest degree that divides them both. Equivalently, it is
the unique monic polynomial that divides f and g and is divisible by any other
polynomial dividing f and g.
As in the case of integers, we find the g.c.d. of two polynomials by means of
the Euclidean algorithm. The Euclidean algorithm for polynomials over a field IF
is very similar to the Euclidean algorithm for integers (see Example 3.4 of Chapter
2). Here is an example over the field IF2 , where the calculations are particularly
efficient because the field operations are trivial.
Example 3. 1 . Let

j(X) = X4 + X 3 + X 2 + 1 , g = X 3 + 1 E IF2 [X]. Find g.c.d. (f, g)

using the Euclidean algorithm for polynomials, and express the g.c.d. in the form

u(X)j(X) + v(X)g(X).

Solution. Polynomial division gives us the sequence of equalities below, which lead

to the conclusion that g.c.d.(f, g) = X + 1 . (Of course, in a field of characteristic

2 adding is the same as subtracting; that is, a - b = a + b - 2b = a + b.) We have:
f = (X + 1)g + (X 2 + X)

g = (X + 1)(X 2 + X) + (X + 1 )
2
X + X = X(X + 1) .
If we now work backwards in the above column of equalities, we can express

X + 1 as a linear combination of f and g:

X + 1 = g + (X + 1)(X 2 + X)
= g + (X + 1)(f + (X + 1)g)
= (X + 1)j + (X 2 )g .

64

Chapter 3. Algebra

We now break up the Euclidean algorithm into smaller steps, so as to get a

closer look at the procedure with an eye toward generalizing it to polynomials in
several variables (see 5). At each stage we determine just one term of a polynomial
division. We shall give an example over a bigger field.

f(X) = X 3 - 2X 2 + 5, g(X) = 2X 2 + 3X - 4 E IF'1 1 [X] .

Show that f(X) and g(X) are relatively prime, and find u(X) and v(X) such that

Example 3.2. Let

uf + vg = 1 .*

Solution.

f(X) = X 3 - 2X 2 + 5 = ( -5X)g(X) + (2X 2 + 2X + 5)

= (-5X + l )g(X) + ( -X - 2)
2
g(X) = 2X + 3X - 4 = (-2X)(-X - 2) + (-X - 4)
= (-2X + l )(-X - 2) + (-2) .

The last step in a g.c.d. computation is to divide by a suitable constant (here it is

-2) to get a monic polynomial (in this case the constant 1).
We omit the details of the computation of u(X) and v(X) such that uf +vg = 1 .
One obtains u(X) = -X - 5 , v(X) = -5X 2 - 2X - 1 .
Exercises for 3

1 . Use the polynomial version of the Euclidean algorithm to find d =g.c.d.(f, g)

for j, g E IF'p [X] in each of the following examples. In each case express d(X)
in the form d(X) = u(X)f(X) + v(X)g(X).
(a) f = X 3 + X + 1 , g = X 2 + X + 1 , p = 2;
(b) f = X6 + X5 + X4 + X 3 + X2 + x + 1, 9 = X4 + X 2 + x + 1, P = 2;
(c) f = X 3 - X + 1 , g = X 2 + 1, p = 3;
(d) f = X5 + X4 + X 3 - X 2 - x + 1 , 9 = X 3 + X 2 + x + 1, P = 3;
(e) f = X5 + 88x4 + 73X 3 + 83X 2 + 5 1 X + 67, g = X 3 + 97 X 2 + 40X + 38, p = 101 .

2. By computing g.c.d.(f, f'), find all multiple roots of j(X) = X7 + X5 + X4 X 3 - X 2 - X + 1 E IF' 3 [X] in its splitting field.
3. State and prove a polynomial analogue of the Chinese Remainder Theorem (see
Exercise 9 in 3 of Chapter 2).

* For no special reason we are using the least absolute representatives modulo 1 1
numbers {0, 1, 2, 3 , 4, 5} - rather than the least nonnegative residues.

the

4. Polynomial Rings

65

4. Polynomial Rings
4.1 Basic Definitions
Definition 4.1. A ring* is a set

R with a multiplication operation and an addition

operation that satisfy all of the rules of a field (see Definition 1 . 1), except that
nonzero elements need not have multiplicative inverses.

The most familiar example of Definition 4. 1 is the ring of integers Z:. Another
example is the ring of Gaussian integers Z:[i] ; it consists of all complex numbers
of the form a + bi, where a and b are integers. A third example of a ring is the set
of all expressions of the form a + bX, where a and b are in a field IF and where
multiplication is defined by the rule (a + bX)(a' + b' X) = aa' + (ab' + a'b)X. Also
note that any field IF is automatically a ring.
Definition 4.2. An integral domain is a ring

This means that if xy = 0 for

x, y

R with no nontrivial zero divisors.

E R, then either x or y is zero.

The first two examples above - Z: and Z:[i] - are integral domains, but the
third one is not. Namely, in the third example (bX)(b' X) = 0 for b, b' E IF.
Definition 4.3. If

R is a ring, then the polynomial ring in m variables

X = { X 1 , , Xm } over R is the set of all finite expressions of the form
L: ai , , . . . , ,= X ; ' X:;; , where ai, , . . . ,,= E R and the ij are nonnegative integers.

Such polynomials are added and multiplied in the usual way. The polynomial ring
is denoted R[X] or else R[X1 , , Xm] . We sometimes use the vector notation
i = (i1 ,
, im) and write ai X i to denote ai, , . . . ,i= X! ' x:;; . The total degree
of a monomial term a i X i is defined to be i 1 + + im, and the total degree of a
polynomial is the maximum of the total degrees of its nonzero monomial terms.

Definition 4.4. If

R is a ring, then an ideal of R is a subset that is closed under

addition and subtraction and under multiplication by any element of R. That is, an
additive subgroup I c R is an ideal if ra E I for every a E I and every r E R.
The unit ideal is the ideal consisting of all elements of R; a proper ideal is an
ideal that is not the unit ideal, that is, an ideal that is properly contained in R.
Obviously, an ideal is the unit ideal if and only if it contains 1 . By a nontrivial
ideal we mean any ideal other than the zero ideal or the unit ideal.
Notice that if R is a field, then it has no nontrivial ideals. This is because, if
a E I is a nonzero element, then a has an inverse a - I in R, and so 1 = a - I a is
in I. Conversely, if R is not a field, then there is some nonzero element r E R
that does not have a multiplicative inverse. Then the ideal of all multiplies of r this is denoted R r - is a nonzero proper ideal.

* More precisely, a commutative ring with identity. However, all rings in this book are
commutative and contain 1; so we shall simply use the term "ring" for a commutative ring
with identity.

66

Chapter 3. Algebra

Definition 4.5. A proper ideal I of R is said to be a maximal ideal if there is no

ideal of R strictly contained between I and R. A proper ideal I of R is said to be

a prime ideal if, whenever a product r-1 r-2 belongs to I (where r-1 , r-2 E R) either
r-1 or r-2 must belong to I.

In the case of the familiar ring Z it is not hard to show that any maximal ideal
is the set of multiples of some fixed prime number. The prime ideals are the same,
except that the zero ideal is a prime ideal as well (but it is not a maximal ideal).
In the case of the polynomial ring in two variables IC[X, Y ] it is not hard to
show that any maximal ideal is of the following form: it is the set of all polynomials
that vanish at a fixed point (x0 , y0 ) E IC 2 . The prime ideals consist of ( 1 ) all of the
maximal ideals, (2) the zero ideal, and (3) all ideals of the form IC[X, Y] f(X, Y),
where f(X, Y) is a fixed irreducible polynomial.
Definition 4.6. A set of generators of an ideal I in a ring

R is a set of elements
of I such that any element of I is a finite linear combination of elements in the
set (with coefficients in R). An ideal is said to be finitely generated if it has a
finite set of generators. If I is generated by the set of elements { ! 1 , . . . , fz } c I,
then we write either I = 2::: ; 1 R J; or else simply I = Cf1 , . . . , ft ).

Definition 4.7. A principal ideal I in a ring R is an ideal generated by a single

element. That is, for some fixed f E I the ideal I consists of all elements of R
of the form a f , where a E R. An integral domain is said to be a principal ideal
domain (or PID) if all of its ideals are principal ideals.

For example, Z is a PID. That is, any ideal I c Z is of the form :La for some
integer a. If we are given a set of generators of I, this number a is the g.c.d. of
these generators; we find a using the Euclidean algorithm (see Example 3.4 of
Chapter 2).
It is also not hard to show that Z[i] is a PID.
4.2 The Hilbert Basis Theorem

Definition 4.8. A ring

generated.

is said to be Noetherian if any ideal of

is finitely

Any field (or any PID) is trivially a Noetherian ring, since every ideal has a
single generator. An important and less trivial class of examples is the polynomial
rings. The Hilbert Basis Theorem essentially says that all such rings are Noetherian.
Theorem 4.1. If R is a Noetherian ring, then so is the polynomial ring in one
variable R[X].
Proof. Let I be an ideal of R[X]. We must show that I is finitely generated. For

each n = 0, 1 , 2, . . . let Jn C R denote the set consisting of 0 and all leading

coefficients of polynomials in I of degree n. It is easy to check that Jn is an ideal
of R. It is also clear that Jn C Jn+ l for n = 0, 1 , 2, . . . ; this is because, if the
degree-n polynomial f is in I, then so is the degree-(n + 1) polynomial X f, which

4. Polynomial Rings

67

has the same leading term. We set J = U:o ln. Clearly J is an ideal of R. By
assumption, any ideal of R is finitely generated. That means that J is generated
by a finite set of elements r,, each of which is in some In, . If we take N to be
the maximum n; , we conclude that the entire generating set - and hence all of J
- is contained in lN . That is, J = JN . (In other words, 1n+1 = In for n 2: N.)
Since R is assumed to be Noetherian, each of the ideals In has a finite set of
generators { rn, 1 , . . . , rn, ln } . The union of these sets as n = 0, 1 , . . . , N generates
all of J. For each Tn,i let fn , t denote a degree-n polynomial in I whose le ading
coefficient is rn,i . We claim that the union of the sets {fn, 1 , , fn, ln } as n =
0, 1 , . . . , N generates all of I.
To see this, let us suppose that f E I has degree n. Its leading term, which
belongs to In, can be written in the form i aiTn,i with a, E R, provided that
n .::; N. If n > N, then In = JN, and we can write the leading term as a
linear combination of the rN , i This means that the polynomial f - ' adn,i (or
f - i a;jN,, in the case n > N) is an element of I of degree less than n. In other
words, f can be expressed as a linear combination of the fn,t plus a polynomial
f E I of lower degree. If we then apply the same argument to f, that is, if we
express it as a linear combination of polynomials in our set plus a polynomial
of still lower degree, and if we continue in this way, we eventually arrive at an
expression for f as a linear combination of fn,,, n = 0, 1 , . . , N, i = 1 , 2, . , ln .
This completes the proof of the theorem. 0

Corollary 4.1. If F is a field and X

then F[X] is a Noetherian ring.

= { X 1 , . . . , Xm } is a finite set of variables,

Proof. The corollary follows immediately from the theorem if we use induction

on

m. 0

Corollary 4.2. There is no infinite sequence of strictly increasing ideals

in F[X 1 , . . . , Xm].

I1

fz C

Proof. If there were, let

I denote the union of all of the ideals, which itself is

clearly an ideal. By Corollary 4. 1 , I has a finite set of generating elements. Each
of them is an element of some I, . Let n be the maximum of these i. Then I = In,
and so we could not have a strictly larger ideal In+ l C I. 0
4.3 Homomorphisms and Transcendental Elements
Definition 4.9. If

R and R' are two rings, then a homomorphism tp from R to

R' is a map that preserves addition and multiplication and takes the multiplicative
identity 1 E R to the multiplicative identity in R' (which is usually also denoted
1). That is,

and
for all r 1 , r2 E R, and tp( l ) = 1 .

Here are two basic examples of ring homomorphisms.

68

Chapter 3. Algebra

Example 4. 1. Let I be an ideal of the ring R, and define R' to be the set of

equivalence classes of elements of R, where r1 r2 if and only if r2 - r1 E I.

We write the equivalence class of r E R in the form r +I E R' . The multiplication
and addition operations in R carry over to similar operations in R', so R' is a ring
that is denoted R/ I and is called the "quotient ring" of R by the ideal I. The map
r >--+ r + I from R to R' is a ring homomorphism, called the "canonical surjection"
from R to R/ I.

It is an easy consequence of Definition 4.5 that an ideal I C R is a maximal

ideal if and only if R/ I is a field, and it is a prime ideal if and only if R / I is an
integral domain.
Example 4.2. Let R be a ring, and let R' be a ring containing R. Let X =

{X 1 , . . . , Xm } be a finite set of variables. Given any m elements t 1 , . . . , tm E R'

there is a unique ring homomorphism from the polynomial ring R[X] to R' such
that Xi goes to ti for i = 1 , . . . , m. The image of the homomorphism is a subring
of R' containing R that is denoted R[tt , . . . , tm].
I n Example 4.2 suppose that R = IF and R' = IF' are fields. I f all o f the ti are
algebraic over IF (that is, if each one satisfies a polynomial equation with coeffi
cients in IF), then it is not hard to show that IF[ t 1 , , tm] is a finite dimensional
vector space over IF, and so itself is a field. On the other hand, if any of the ti
is transcendental over IF that is, if t, does not satisfy any polynomial equation
over IF then one can show that IF[tt , . . . , tm] is not a field. We leave the proofs,
which are not difficult and can be found in many textbooks, to the reader.

4.4 Hilbert Nullstellensatz*

Suppose that we have a set of polynomials J, E IF[ X] = IF[X1 , , Xm] with

coefficients in a field IF. We might be interested in the set of points (a1 , . . . , am) E
IFm where all of these polynomials vanish, that is, where fi (a1 , , a m ) = 0 for
all i. Let I be the ideal generated by all of the fi : this is the set of all linear
combinations of the fi with coefficients in IF[X]. Clearly, if all of the J, vanish at
the point (at , . . . , am), then so do all f E I.

Definition 4.10. Let

lK be an extension field of IF. The zero set of an ideal

IF[X1 , , Xm] in ocm is the set of all (a1 , , am) E lKm such that
f(at , . . . , am) = 0 for all f E I.
To what extent can we characterize an ideal of IF[X] by giving its zero set
m
in IF ? In other words, if two ideals I and I' vanish at exactly the same subset
m
of IF , are they the same ideal? The answer is no, as we see from the following
I

examples.

Example 4.3. (a) Let

IF be the real numbers (or else the field of 3 elements, or

any other field that does not contain a square root of - 1 ) , and let m = 1 . Let I be
* The word "Nullstellensatz" is German for "zero point theorem".

4. Polynomial Rings

69

the unit ideal and let I' be the ideal generated by the polynomial X 2 + 1 E lF [X] .
Both I and I' vanish at the empty set of points.
(b) Let IF = IFq , and let m = 1 . Let I be the zero ideal, and let I' be the ideal
generated by the polynomial X q - X E IF[X]. Both I and I' vanish at all points
of IF.
(c) Let IF be any field, and let m = 1 . Let I be the ideal generated by the
polynomial X E IF[X], and let I' be the ideal generated by X 2 E IF[X]. Both I
and I' vanish on the set { 0}.
Despite the possibilities illustrated in Example 4.3, the correspondence between
ideals and their "zero sets" is crucial for the branch of mathematics known as
algebraic geometry. A fundamental theorem of Hilbert clarifies what is going on
in Example 4.3, and gives a more satisfactory answer to the question posed above.
The theorem that follows is known as "weak Hilbert Nullstellensatz".
Theorem 4.2. Suppose that IF is an algebraically closed field, and I is a proper
ideal of the polynomial ring IF[X] = IF[XJ , . . . , Xml Then there exists a1 , . . . ,am E
IF such that all of the polynomials in I vanish at the point (a! , . . . , am).
Sketch of Proof. If I is not itself a maximal ideal, let M be a maximal ideal of
IF[X] that contains it. Let IF' denote the quotient ring IF[X]/M, and let t, denote
the image of X; under the canonical surjection from IF[X] to IF' . By the remark
following Example 4. 1, IF ' is a field. By the remark following Example 4.2, all of
the t; are algebraic over IF. Since IF is algebraically closed, this means that ti E IF,
i = 1 , . . . , m . We take (a1 , . . . , am) to be the point (t1 , . . . , tm). Then all <Jf the
polynomials Xi - a; , i = 1 , . . . , m, are in M. Since the ideal generated by the
X; - a, is maximal, this ideal must be M. It follows that all polynomials in M
and hence all polynomials in I - vanish at (a1 , . . . , am). 0

The next theorem is known as "strong Hilbert Nullstellensatz".

Theorem 4.3. Suppose that IF is an algebraically closed field, and I is an ideal of
the polynomial ring IF[X] = IF[X1 , . . . , Xml Suppose that f E IF[X] vanis hes at
m
every point (a! , . . . , am) E IF at which all of the polynomials in I vanish. Then
there exists an integer n such that f n E I. *
Sketch of Proof. Let

f E R = IF[X] satisfy the condition in the theorem. We

derive Theorem 4.3 from Theorem 4.2, which we apply to the polynomial ring
R' = IF[X1 , . . . , Xm , Xm+d in one more variable. Let J be the ideal of R' that
is generated by all polynomials in I and also the polynomial 1 - f Xrn+ l If
(a 1 , . . . , am , am+ 1 ) were a point where all of the polynomials in J vanish, then all
of the polynomials in I would vanish at (a1 , . . . , am), and so f would also vanish
there. But then 1 - f Xm+ l would take the value 1 at (a1 , . . . , am , am+1). Hence,
there is no point (a1 , , am , am+! ) where all of the polynomials in J vanish. By

I.

The set of all f E IF[X] such that r E I for some integer

The radical of I is itself an ideal (see Exercise 6 below).

is called the

radical

of

70

Chapter 3. Algebra

Theorem 4.2, this means that J is the unit ideal. Hence, 1 is an element of J,
and so we can write 1 as a linear combination of the polynomial 1 f Xm+l and
elements of I (with coefficients in R' = IF[X, , . . . , Xm , Xm+ I D We then make
the substitution Xm+l = 1/ f. (More precisely, by taking Xm+ l to 1/ f we map
IF[X1 , , Xm , Xm+I l to the subring IF[X] [ l / f] of the field IF( X) of all rational
functions of X1 , , Xm.) After we do that, the expression for 1 in terms of the
polynomial 1 f Xm+ l and the elements of I becomes an expression for 1 in
terms of elements of I involving just the variables X1 , . . . , Xm but having f to
various powers in the denominator. Multiplying through by f n for some integer n,
we clear denominators. The result is an expression for f n as a linear combination
of elements of I. This proves the theorem. D
-

Exercises for 4

1 . Describe the maximal ideals of (a) the polynomial ring lF[X] in one variable,
where IF is a field (not necessarily algebraically closed); and (b) the polynomial
ring Z[X] in one variable over the ring of integers.
2. Give an example of a sequence of prime ideals (0) c P1 c c Pd (where
each inclusion is a proper inclusion, and the value of d is given below) in
each of the following polynomial rings: (a) IF[X, Y], d = 2; (b) Z[X], d = 2;
(c) IF[X1 , , Xm], d = m. The maximum value of d for which such a sequence
of prime ideals can be found is called the dimension of the ring. One can show
that the dimension of the ring in part (c) is m note the agreement with the
m
vector-space dimension of the corresponding space IF on which the polynomials
are evaluated. Show that an integral domain that is not a field has dimension 1 if
and only if every nonzero prime ideal is maximal.
.

3. Show that a principal ideal domain that is not a field has dimension 1 . The
converse is not true, however. For example, in the ring R = Z[ VlO] all nonzero
prime ideals are maximal. Show that the ideal I generated by 3 and VfO + 1 is
such a (maximal) prime ideal, but is not principal.

4. Let I be the ideal of Q[X, Y] consisting of all polynomials that vanish at all
points of the form (x, 0) and also at the point (0, 1). Find generators for I.
5 . Show that the polynomial ring in infinitely many variables over a field (that is,
U;:;;'= 1 IF[X, , . . . , Xm]) is not Noetherian.
6. Prove that the radical of an ideal is an ideal.
5. Grobner Bases

An ideal I in the polynomial ring R = IF[ X] = IF[X1 , , Xm] is usually given

to us in the form of a list of generating elements: I = (f1 , . . . , fz). Such a set of
generating elements is sometimes called a basis, even though the representation
of an element of I as an R-linear combination of the fi is certainly not unique.
.

 5 . Grabner Bases

71

There are an unlimited number of possible bases for an ideal I , and we would
like to find a particularly convenient one. If we had a way of finding a "best
possible" basis, then we would be in a much better position to answer various
questions about ideals, such as: (1) Given I = (j1 , , fl ) and I' = (j{ , . , J[, ) ,
are they the same? (2) Given I = ( /1 , . . , fl ) and an element f E R, does f belong
to I? And if so, how can we express f as an R-linear combination of the fi ? Our
goal in this section is to find a way to compute a "particularly convenient" basis
for an ideal I C lF[XJ , . . . , Xml
.

5.1 Order of Terms

By a "power product" in a polynomial we mean a monomial Xi = x;' x;;;:

that occurs with nonzero coefficient; and by a "term" of a polynomial we mean a
power product taken together with its coefficient, i.e., ai Xi = ai , , ... , , Xi' x;;;: .
When looking for an efficient description of a polynomial ideal I, our first item
of business is to decide how to order the terms from "highest" to "lowest" in a
polynomial such as

f(X, Y, Z) = X 3 - X 2 Y2 Z + X 2 YZ2 - X 2 Z4 + XY 2 - xz 3
+ y 3 Z 3 + Y2 Z + Z4 E lF[X, Y, Z] ,
where

lF is some field. The two most common ways are as follows:

1 ) In the lexicographical ordering the terms are listed in the same order in which

the power products would appear in a dictionary if they were ordinary words
in an alphabet consisting of X1 , . . . , Xm (or X, Y, Z in the case m = 3). The
above polynomial is listed in lexicographical order.
2) In the degree-lexicographical ordering the power products are listed from high
est to lowest total degree, and the terms with a fixed total degree are listed in
lexicographical order. For the polynomial f(X, Y, Z) given above, the degree
lexicographical order is

f(X, Y, Z) = - xz z4 + y3 z3 - x 2 y 2 z + x 2 yz2
- x Z 3 + Z4 + X 3 + XY 2 + Y 2 z .

(1)

For the rest o f this section w e shall use the degree-lexicographical ordering
unless explicitly stated otherwise.
Many other schemes for ordering the terms are possible. For detailed infor
mation on this and other topics discussed in this section we highly recommend
[Adams and Loustaunau 1994] ; we shall follow the notation and terminology of
that textbook. Another readable textbook on the subject is [Cox, Little, and O' Shea

1 997].

Notice that if we have any two different power products Xi and Xj, either Xi >
> Xi in the degree-lexicographical ordering. Another important
observation is that, given any power product Xi, there are only finitely many
power products xj such that xi > xj.

Xj or else Xj

72

Chapter 3. Algebra

Definition 5.1. The leading term of a polynomial is the first term that appears
when the polynomial is listed according to the agreed upon ordering. If f E
JF[X1 , . . . , Xm ] , we let lt(j) denote the leading term of f.
For example, the leading term in the above polynomial j(X, Y, Z) is X 3 in the
lexicographical ordering and is -X 2 Z4 in the degree-lexicographical ordering.
5.2 Polynomial Division

Suppose that the leading term of g divides the leading term of f, where j, g E
lF[X1 , , Xm ] ; in other words, every Xi that appears in lt(g) appears to at least
as great a power in lt(j). In that case we can get rid of the leading term of f
by subtracting a suitable multiple of g - the multiple is the ratio of lt(j) to lt(g ).
More generally, any term of f that is divisible by lt(g) can be replaced by smaller
terms (in the sense of the degree-lexicographical ordering) if we subtract a suitable
multiple of g. That gives us the following definition.
Definition 5.2. We say that f reduces to h modulo g in one step if a,X 1 is a term
of f that is divisible by lt(g) and

In that case we write

f ...J... h .
In the important special case when lt(j) is divisible by lt(g), we have
h=f-

lt(j)
g ,
lt(g)

and lt(h) is strictly less than lt(j) (in the degree-lexicographical ordering).
Example 5. 1. Let j(X, Y, Z)

E lF[X, Y, Z] be the polynomial in ( l ), where lF is

any field; and let g 1 (X, Y, Z) = X Z3 - Y 2 Z 2 Then f reduces to
h, (X, Y, Z) = - XY 2 Z 3 + Y3 Z 3 - X 2 Y 2 Z + X 2 YZ2

(2)

modulo g1 in one step. We can continue the process, since lt(g 1 ) divides lt(h1 ).
We see that h 1 reduces to
hz(X, Y, Z) = - Y4 Z2 + Y 3 Z 3 - X 2 Y 2 Z + X 2 Y Z 2
(3)
- X Z 3 + Z4 + X 3 + XY 2 + Y 2 Z
modulo g1 That is, f reduces to h2 modulo g1 in two steps. We cannot further re
duce the leading term by subtracting multiples of g 1 , because lt(h 2 ) is not divisible
by lt(g1 ). However, if we want, we can make one further reduction, replacing h2
by hz + g, = _y4 zz + yJ z 3 - x z y z z + X z yz z - y z z z + Z4 + X 3 + XY z + y z Z.

 5 . Grobner Bases

73

Definition 5.3. Let F = {91 , . . . , 9! } e lF[ XI , . . . , Xm] , and let f E IF[ XI , . . . , Xm ] .

We say that f reduces to h modulo the set ofpolynomials F if we have a sequence
of polynomials beginning with h0 = f and ending with h k = h such that hj reduces
to hj +l modulo some 9 E F in one step, j = 0, 1 , . . . , k - 1 .
Example 5. 2. Let F = {91 , 92 } , where 9 1 = XZ 3 - Y 2 Z2 and 92 = Y2 Z - YZ2 ;
and let f be the polynomial in (1). Continuing with Example 5 . 1 , we see that h2
reduces modulo 92 to
h3(X, Y, Z) = -X 2 Y 2 Z + X2 YZ2 - XZ3 + Z4 + X 3 + XY2 + Y 2 Z ,

and h3 reduces modulo 92 to

h4 (X, Y, Z)

-X Z3 + Z4 + X 3 + XY 2 + Y 2 Z .

Next, h4 reduces modulo 91 to

hs (X, Y, Z) = Y2 Z2 + Z4 + X 3 + XY 2 + Y 2 Z ,
-

and h5 reduces modulo 92 to

h6(X, Y, Z) = -Y Z 3 + Z4 + X 3 + XY 2 + Y 2 Z .

We cannot further lower the leading term, because lt(h6) is not divisible by either
lt(91 ) or lt(92 ). We can perform one more reduction step, because lt(92 ) divides
the last term of h6 ; this gives us
h(X, Y, Z) = h1(X, Y, Z) = -YZ 3 + Z4 + X 3 + XY 2 + YZ2
We say that f reduces to h = h7 modulo F, because

In Example 5.2, we would have arrived at the same polynomial h if we had

reduced h1 modulo 92 (rather than 91 ), and then reduced the result (which we
denote h;) modulo 9I That is, we would have obtained the following sequence of
reduction steps:
j h1 _!!2_., h; h 3 h4 hs h6 h .
However, sometimes when we reduce f E lF[X] modulo F = {91 , , 9! } it makes
a big difference in what order we choose to take the 9, .
Example 5.3. Let f(X, Y, Z) = X 2 Y2 + XY E IF[X, Y, Z], where IF is any field;
and let F = {91 , 92 , 93 } , where 9I (X, Y, Z) = Y 2 + Z2 , 92 (X, Y, Z) = X 2 Y + YZ,
and 93 (X, Y, Z) = Z 3 + XY. If we first reduce f modulo 91 we obtain -X 2 Z2 +
XY, which cannot be reduced further, because neither of its terms is divisible by
lt(91 ), lt(92 ), or lt(93 ). On the other hand, if we first reduce f modulo 92 we obtain
-Y 2 Z + XY, which can be reduced modulo 91 to get Z 3 + XY. Finally, we can
reduce the last result modulo 93 to get 0.
.

74

Chapter 3 . Algebra

5.3 Grobner Bases

In Example 5.3 we have an unpleasant situation. If we are lucky enough to start

the sequence of reductions by dividing by 92 (rather than by 91 ), then we end up
with 0. This means that we can write f as a linear combination of the 9i - namely,
f = Y92 - Z 9 1 + 93 But if we start out by reducing modulo 91 , we get stuck after
the first step. For this reason, the set F in Example 5.3 is not a good choice of
basis polynomials for the ideal generated by 91 , 92 , 93 . The next definition, which
gives one of the most basic notions in computational algebra, provides us with a
criterion for making a better choice of basis polynomials.
Definition 5.4. Let F = {91 , . . . , 9l } C IF[X] = IF[X 1 , . . . , Xm ] be a finite set of
polynomials in m variables over a field IF; and let I be the ideal of IF[X] that they
generate. We say that F is a Grabner basis for the ideal I if every nonzero f E I
has leading term that is divisible by the leading term of at least one of the 9, .
Theorem 5.1. In the notation of Definition 5.4, F is a Grabner basis for I if and
only if every f E I reduces to 0 modulo F.
Proof. Suppose that F is a Grabner basis and f

E I. Since lt(j) is divisible by

lt(9, , ) for some i 1 , we can reduce modulo 9,, to get h 1 Clearly h 1 E I, and h 1 has
lower leading term than f in the sense of our chosen order of terms (most likely
the degree-lexicographical ordering). We can then repeat the process, reducing h 1
modulo 9, , to get h2 . Since the power product in the leading term gets lower each
time, we eventually have to end up with 0.
Conversely, if F is not a Grabner basis, then there exists f E I such that lt(j)
is not divisible by lt(9,) for any i . Such an f cannot be reduced modulo F to an
h with lower leading term. This completes the proof. 0

In other words, if we have a Grabner basis for I, then we have a simple

procedure - successive reduction modulo the basis polynomials - for expressing
any element of I in terms of the basis. Moreover, given an arbitrary element
f E lF[X], we can use the same method to determine whether or not f E I.
Namely, we keep reducing modulo the Grabner basis until we can go no further.
If we have reduced f to 0, then f E I (and we can explicitly write f in terms of
the basis elements); otherwise, f I.
In addition, given another ideal I', we can determine whether or not I' C I:
I' c I if and only if each of the given generating polynomials of I' is in I. Finally,
if we have Grabner bases for both of the ideals I and I' , we can easily determine
whether or not I = I' : equality holds if and only if each element in one basis can
be reduced to 0 modulo the polynomials in the other basis.
We shall soon see - in Theorem 5.3 - that every ideal has a Grabner basis. In
order to use Grabner bases, we need an efficient way to determine if a given basis
F is a Grabner basis and, if not, we need an algorithm to construct a Grabner
basis from F. The difficulty is that there are infinitely many elements in I, and
so the criterion in Definition 5.4 (or the one in Theorem 5 . 1 ) cannot be checked

5.

75

Grobner Bases

for all of those elements one by one. Fortunately, it turns out that we need only
worry about a small number of elements of I.
Definition 5.5. The S-polynomial of two nonzero polynomials j,
E

lF[X1 , . . . , Xm] is

L
L
S (j , 9 ) = lt(J
/ - lt(9 ) 9

'

where L denotes the least common multiple of the leading terms of f and 9, that
is, the power product of lowest total degree that is divisible by both lt(j) and lt(9).
Example 5. 4. In Example 5.2 we find that

S(9 1 , 92 ) = XYZ4 - Y 4 Z2
In Example 5.3 we have

S(g i , 92 ) = X2 Z2 - Y 2 z ;
S(91 , 93 ) = Z5 - XY 3 ;
S(92 , 93 ) = -X 3 Y2 + YZ4 .

Theorem 5.2 (Buchberger). In the notation of Definitions 5.4 and 5.5, F is a

Grabner basis for I if and only if S(9i , 9J ) reduces to zero modulo F for every

9i , 9J E F.

S(9i , 9J ) E I, the "only if" direction is immediate from

Theorem 5 . 1 . Now suppose that the condition in the theorem holds. By Definition
5 .4, it suffices to show that for any f E I we have lt(gi) dividing lt(j) for some i.
Without loss of generality, we may suppose that all of the 9i are monic , since
both the hypothesis and the conclusion of the theorem are unaffected if each 9i is
replaced by the polynomial obtained by dividing 9, by its leading coefficient.
Since j E I, we can write j in the form j = 2::: ;= 1 hi9i Let x r be the largest
power product (with respect to the degree-lexicographical ordering) that one finds
in the leading term of any of the hi9,, i = 1 , . . . , l. It could easily happen that
x r is larger (with respect to the degree-lexicographical ordering) than the leading
term of j, because it could be canceled when we take the sum of all the hi9i Of
all possible ways that f can be written in the form I:;= l hi9i, suppose that we
have chosen a way such that x r is minimal.
If x r is the power product in lt(j), then lt(g,) divides lt(j) for some i, and
we are done. So suppose that the power product in lt(j) is strictly less than xr .
To prove the theorem it suffices to show that there is then a way to write f in
the form 2::: ;= 1 h:9i with all terms in h;9i smaller than x r , because that would
contradict our assumption about minimality of x r .
Consider the products h,9, having the power product x r in its leading
term. Without loss of generality, suppose that the first l' products in the sum
j = 2::: ;= 1 hi9i are the ones having x r in the leading term. For i = 1 ,
l' let
h, = c, X r + hi , where h, consists of lower terms, i.e., the power products in hi
are less than x r , in the degree-lexicographical ordering. Note that for i = 1 , . . , l'
Proof. Since clearly

76

Chapter 3 . Algebra

we have xr = xr, lt(9; ). For i = 1 , . . . , l' - 1 let xs, be the least common multiple
of lt(9,) and lt(9i+l ) ; and let X1, = xr-s, . Consider the sum

c1 X1' S(91 , 92 ) + (c1 + c2 )X1' S C 92 , 93 )

+ (ci + c2 + c3 )X1' S(93 , 94) +

(4)

This sum is equal to

(5)

since the last coefficient c1 + + cl ' is zero (this is because the leading power
product in L h;9; is less than Xr). On the one hand, the sum in (5) is equal to

(6)
On the other hand, the sum in (5) is the same as the sum in (4). By assumption,
each S-polynomial in (4) can be reduced to 0 modulo F. Because the leading
term in X 1' S(9; , 9i+ l ) is strictly less than xr, the process of reducing S(9; , 9i+ l )
to zero will lead to an expression for X1' S(9; , 9>+1) in the form L = l hij 9j in
which lt(hij 9J) < xr for all i , j . Hence, the sum in (6) can be expressed in the
form L = I h'j 9J , where lt(h'j 9J ) < xr for all j. Then our original polynomial f
can be expressed in the form

l
l
l'
f = L h,9; = L (c;X r, + h;)9; + L h;9,
'=I
i= l
i.::::l ' +l
l'
l
l
= l.:: < h;' + h;)9, + 2..::: ch;' + h;)9; = 2..::: h;9i ,
i= l
i=l
i;;;l ' + l
where h; = h;' + h; for i = 1 , . . , l' and h; = h;' + h; for i = l' + l , . . . , l. By
construction, all of the power products in h;9; are less than xr. This completes
the proof. D
.

5.2, we find that S(91 , 92 ) = XY Z 4 - Y4 Z2 reduces to

-Y 4 Z2 + Y3 Z 3 modulo 91 in one step, and -Y4 Z2 + Y3 Z3 reduces to 0 modulo
92 in one step. Hence F is a Grobner basis. In Example 5.3, on the other hand,
S(g1 , 92 ) cannot be reduced to 0 modulo F; hence, F is not a Grobner basis.

Example 5.5. In Example

5.

77

Griibner Bases

Theorem 5.3. Let I C IF[ X, , . . . , Xml be the ideal generated by F' = {g, , . . . , gl ' }.
Suppose that for any 1 ::; i < j ::; l ' one reduces the S-polynomial S(gi , gj ) (see
Definition 5. 5) modulo F' until a polynomial hij is obtained that either is 0 or
else has leading term that cannot be reduced. In the latter case, hij is added to
the set F'. One continues in this manner, adding gl'+ l , gl'+2 , . . . to the set F ', until
one has a set F = {gi , . . . , gl } such that S(gi , gj ) reduces to 0 modulo F for all
1 ::; i < j ::; l. This algorithm terminates in a finite number of steps, and gives a
Grabner basis of I.
l' ::; j ::; l let Jj be the ideal generated by lt(gJ ), lt(g2 ),
. . . , lt(gj ). By construction, each lt(gj ) for j > l ' is not divisible by any of the
earlier lt(g1 ), lt(g2 ), . . . , lt(g1 _ 1 ). Thus, the ideals

Proof. For each j with

Jl' c Jl'+ l

Jl'+2 c . . .

form a strictly increasing sequence. By Corollary 4.2 of the Hilbert Basis Theorem,
there can be only finitely many ideals, and hence only finitely many gi . Thus, the
algorithm terminates. The resulting set F is a Grabner basis by Theorem 5.2. D
Example 5. 6. In Example 5.5 we saw that the set F' = {g1 , g2 , g3 }, where g1 =

Y 2 + Z2 , g2 = X 2 Y + YZ, g3 = Z3 + XY, is not a Grabner basis for the ideal

I it generates, because S(g1 , g2 ) = X 2 Z2 - Y 2 Z cannot be reduced to 0. If
we set g4 = S(g1 , g2 ) and F = {g1 , gz , g3 , g4 } . we easily check that all of the
following polynomials reduce to 0 modulo F: S(g1 , g2 ) = g4 , S(g1 , g3 ) Z 5 XY 3 , S(g1 , g4 ) = X 2 Z4 +Y4 Z, S(gz , g3 ) = -X 3 Y 2 +YZ4 , S(gz , g4 ) = Y 3 Z+YZ 3 ,
and S(g3 , g4 ) = X 3 Y + Y 2 Z2 . Thus, F is a Grabner basis for I.
=

5.4 Reduced Grobner Bases

Definition 5.6. A Grabner basis {g1 , . . . , gt } of an ideal I c IF[X1 ,

, Xml is
said to be minimal if all of the gi are monic and if lt(gi) does not divide lt(_gj ) for
i =f. j, i , j = l , . . . , l.
.

Given a Grabner basis F, all we need to do to obtain a minimal Grabner

basis is to successively remove from F any gi whose leading term is divisible by
the leading term of another element of F. More precisely, suppose that w e have
a Grabner basis of I consisting of l + 1 polynomials g1 , . . . , gl+I , one of whose
leading term divides the leading term of another. Without loss of generality, we
suppose that lt(g 1 ) divides lt(g1+J ). Suppose that g1+1 reduces to h modulo g1 in
one step, where lt(h) < lt(g1+1 ). Since h E I, h can be reduced to 0 modulo the
set {g1 , , g1 , gl+I } . However, g1+1 cannot be used in reducing h to 0, because its
, gl .
leading term is greater than It( h); hence h is a linear combination of g1 ,
Then gl+I is also a linear combination of g1 , . . . , g1 , and so {g1 , . . . , gl } is a basis
for I. It is a Grabner basis because, if the leading term of f E I is divisible by
lt(gl+I ), it is also divisible by lt(g1 ). Thus, the criterion in Definition 5.4 still holds
after g1+1 has been removed from the set.

78

Chapter 3. Algebra

Definition 5.7. A Grabner basis { 9 1 , , 91 } of an ideal I C IF'[ XI , . . . , Xm l is

said to be reduced if all of the 9i are monic and if none of the terms of 9i is
divisible by !t(9J ) for j f= i.
Example 5 . 7. The Grabner basis in Example 5.6 is minimal, but it is not reduced,
because the term -Y2 Z in 94 is divisible by !t(9 1 ). If we reduce 94 modulo 9 1
and then modulo 93 , and if we replace 94 by 9 = 94 + Z9 1 - 93 = X 2 Z2 - XY,
we obtain the reduced Grabner basis { 9 1 , 92 , 93 , 9D

Once we have a minimal Grabner basis { 9 1 , , 91 } we can obtain a reduced

Grabner basis as follows. First reduce 91 modulo 92 , , 91 until no term of the
resulting polynomial h 1 is divisible by lt(9i) for i = 2, . . . , l. Then replace 91 by
h 1 . Next, reduce 92 modulo h1 , 93 , . . . , 91 until no term of the resulting polynomial
h2 is divisible by !t(h 1 ) or lt(9i) for i = 3, . . . , l; and replace 92 by h2 . Continue
in this manner until 9 1 , , 91 have been replaced by h 1 , , h1 It is easy to see
that { h 1 , , h1 } is a reduced Grabner basis.
In summary, given a set of generators F for an ideal I c IF'[X1 , . . , Xm ] , here
is how to obtain a reduced Grabner basis:
1) For each pair of polynomials in F, compute the S-polynomial and reduce it
modulo F. After reducing it as far as possible, add the reduced polynomial to
F if it is not 0. Continue until all S-polynomials of pairs of elements of the
expanded F reduce to 0.
2) Go through the polynomials in F, deleting the ones whose leading term is
divisible by the leading term of another polynomial in the list.
3) Make the polynomials in F monic by dividing each one by its leading coeffi
cient.
4) Successively replace each polynomial in F by the result obtained by reducing
it modulo all of the other elements of F.
.

Theorem 5.4. Every ideal of IF'[ XI , . . . , Xm l has a unique reduced Grabner basis.
Proof. The above procedure gives a reduced Grabner basis. It remains to prove

uniqueness. Suppose that { 9 1 , . . , 91 } and { h1 , , h1' } are two reduced Grabner

bases for the same ideal. By Exercise 3 below, l = l' and we may assume that
lt(9i)=lt(hi) for i = 1 , . . , l. We claim that 9i = hi for i = 1 , . . . , l. Otherwise,
since 9i - hi E I, by Definition 5.4 the leading term of 9, - h, would have to
be divisible by !t(9J )=!t(h1 ) for some j. Clearly j f= i, since lt(9i - hi) <lt(9,).
Then a term of either 9i or hi would be divisible by !t(9j ) =lt(h1 ), contradicting
Definition 5.7. D

Exercises for 5

Use the degree-lexicographical ordering in these exercises.

1 . Suppose that F = { 9 1 , . . . , 9! } C IF'[XJ , . . . , Xm l is a set of linear forms (poly
nomials of total degree 1 with zero constant term). Let I be the ideal generated by

5.

Grabner Bases

79

F. Give necessary and sufficient conditions for F to be: (a) a minimal Grabner
basis; (b) a reduced Grabner basis.
2. Suppose that F = {91 ,
, 91 } c IF[ X] is a set of polynomials in one variable.
Let I be the ideal generated by F. Give necessary and sufficient conditions for F
to be a reduced Grabner basis.
3. Prove that if F = { 9 1 , , 91 } and F' = { 9 ; , . . . , 9f, } are both minimal Grabner
bases of the same ideal I, then l = l' . Also prove that (after renumbering if
necessary) one has lt(9;)=lt(9; ), i = 1 , . . . , l.
4. True or False? Please explain.
(a) Generalizing the case when m = 1 (see Exercise 2), one can find an upper
bound in terms of m for the number of elements in a reduced Grabner basis of
an ideal in IF[X, , . . . , Xm].
(b) The number o f elements i n a basis for a n ideal I o f IF[X, , . . . , Xm] i s always
greater than or equal to the number of elements in a minimal Grabner basis.
(c) If G is a Grabner basis, then the set of all polynomials that cannot be reduced
modulo G (see Definition 5.3) is a set of representatives for the quotient ring

IF[ X]/ I.

5. Find the reduced Grabner basis for the ideal consisting of all polynomials in

IF[X, Y] that vanish at the two points (0, 0) and ( 1 , 1).

6. Find the reduced Grabner basis for the ideal in IF[X1 ,

Xm] consisting of
all polynomials whose power products are all of total degree at least n.
7. Find the reduced Grabner basis for the ideal in IF[X, Y, Z] generated b y 91 =
XZ, 9z = XY - Z, and 93 = YZ - X.
8. Find the reduced Grabner basis for the ideal in IF[ X, Y] generated by 91 =
X 2 Y - Y, 92 = Y 2 - X, and 93 = X 2 Y2 - XY.
9. Find the reduced Grabner basis for the ideal in IF[X, Y, Z] generated b y 91 =
X3 - Y Z, 92 = Y3 - X Z, and 93 = XY - Z.
10. Find the reduced Grabner basis for the ideal in IF[X, Y] generated by 9 1 =
X 2 - y 2 , 92 = X3 - y3, and 93 = X 2 Y - XY 2 .
1 1 . Find the reduced Grabner basis for the ideal in IF[ X, Y, Z] generated by 91 =
X3 - Y, 92 = Y3 - X, and 93 = X 2 Y 2 - XY.
12. Suppose that I is an ideal of IF[X] = IF[X1 ,
, Xml Let lF denote the
algebraic closure of IF.
(a) Suppose that f E IF[X] can be written as a linear combination of elements of
I with coefficients in lF[X]. Prove that f can be written as a linear combination
of elements of I with coefficients in IF[X].
(b) Let G be a Grabner basis for I. Let I be the ideal of lF[X] generated by the
elements of I. Show that G is a Grabner basis for I.
1 3 . Let G be a Grabner basis for an ideal I in IF[X1 , , Xml Suppose that there
are only finitely many points (with coordinates in the algebraic closure of IF) where
all of the polynomials in I vanish. Prove that for each i = 1 , . . . , m there exists
an element of G whose leading term is of the form cX1 .

. .

Chapter 4. Hidden Monomial Cryptosystems

1. The Imai-Matsumoto System

1.1 The System

Let IK be an extension of degree n of the finite field IF q , where q is a power of

2, and let f3 I , (32 , . . , f3n E IK be a basis of IK as an IF q -vector space. Alice will
be using the Imai-Matsumoto system in K She regards each element of IK as an
n-tuple over IFq . Alice may choose to keep her basis secret, in which case we
cannot assume that a cryptanalyst (whom we shall name "Catherine") knows what
basis she is using.
Both plaintext message units and ciphertext message units will be n-tuples
over IF q . We will use the vector notation x = (x1 , , Xn) E IF; for plaintext
and fj = (y 1 , , Yn) E IF; for ciphertext. When working with matrices, we shall
consider vectors to be column-vectors (although in the text we shall continue
writing them as rows).
In transforming plaintext into ciphertext, Alice will work with two intermediate
vectors, denoted u = (u, , . . . , U n) E IF; and v = ( v 1 , , Vn) E IF; . Given a
vector in IF; , we shall use boldface to denote the corresponding element of IK
with respect to the basis /3j . For example, if u = ( u1 , . . . , un) E IF; , then we set
U = UJ /3 1 + + U nf3n E K
Next, Alice chooses an exponent h, 0 < h < q n , that is of the form
.

h=l+l

and satisfies the condition g.c.d.(h, q n 1 ) = 1 . (Recall that q was chosen to be

a power of 2; if q were odd, then g.c.d.(h, q n 1 ) would be at least 2.) The
condition g.c.d.(h, q n 1 ) = 1 is equivalent to requiring that the map u >-> u h on
IK is one-to-one; its inverse is the map u >-> u h ' , where h' is the multiplicative
inverse of h modulo q n 1 .
Alice may choose to keep h secret. However, since there are relatively few
possible values for h, she must assume that Catherine will be prepared to run
through all possibilities for h. That is, even if she keeps h secret, the security of
her system must lie elsewhere.
In addition, Alice chooses two secret affine transformations, i.e., two invertible
n x n-matrices A = {aij hi, J n and B = {bi1 } I i, j n with entries in IFq , and
two constant vectors c = (ci , . . . , en) and d = (d 1 , , dn). The purpose of the two
-

 1 . The Imai-Matsumoto System

81

affine transformations i s to "hide the monomial map" u f--7 uh hence the name
"hidden monomial cryptosystem".
We now describe how Alice gets her public rule for going from plaintext
x E IF to ciphertext '[} E IF . First, she sets
-

u = Ax+c .
Next, she would like to have v E lK simply equal to the h-th power of u
then set
(that is, v = B '[J + d) ,

E JK,

and

where v E IF is the vector corresponding to v E lK. However, her public encryp

tion rule will go right from x to '[}, and will not directly involve exponentiation at
all.
In order to get formulas going from x directly to '[}, Alice notices that. since
8
v = uh and h = q + 1 , she has
(1)
Recall that for any k = 1 , 2, . . , n the operation o f raising to the q k -th power in
lK is an 1Fq -linear transformation. Let p( k) = {p ) } l :<; i ,j:S n be the matrix of this
linear transformation in the basis (31 , , f3n , i.e.,
.

(k )
f3iqk = '\"'
P;1 /3j ,
J=l

for 1 :::=; i, k :::=;

basis, i.e.,

n.

(k l E IFq ,

P;1

(2)

Alice also writes all products of basis elements in terms of the

(3,(31

for each 1 :::=; i , j :::=;

n.

= L m,j z/3z ,

l=l

(3)

Now equation ( 1 ) can be expanded to give

(4)

If we use (3) and then compare the coefficients of f3z on the left and right sides
of (4), for each l we obtain
Vz =

(5)

Of course, Alice knows all of the coefficients m p.jl and p;v . She now uses her
affine relations
(6)
v = By + d ,
u = Ax + c ,

82

Chapter 4. Hidden Monomial Cryptosystems

to replace u; by c, + L p a,pX p and replace V! by d1 + L u bl u Yu in (5). When she

gathers coefficients of each product x,x1 , she obtains n equations, each with a
polynomial of total degree 2 in the x 1 , , X n on the right and with a linear ex
pression in the y1 , , Yn on the left. Using linear algebra, she can get n equations
that express each y; as a polynomial of total degree 2 in the x 1 , . . , X n
Alice makes these n equations public. If Bob wants to send her a plaintext
message x, he substitutes the x, in these equations and finds the y1 . On the other
hand, Catherine, who knows only the ciphertext (and the public key), must solve
a nonlinear system for the unknowns x; .
When Alice receives the ciphertext y, she uses her knowledge of A, B, c, d,
and h to recover x, without having to solve the publicly known equations for the
n
x; . Namely, let h' be the multiplicative inverse of h modulo q - 1 , so that the
h
map u = v h' inverts the map v = u on lK. Alice first computes 'iJ = By + d, then
raises v = I: v;f3, E IK to the h' -th power (i.e., sets u = v h' ), and finally computes
x = A- 1 ca - c).
The following diagram summarizes Alice's decryption:

Y I , , yn
.lJ.

v = By + d
.lJ.

v = L; v;/3;
.lJ.

u = v h'
.lJ.

x = A - l eu - c) .

Remark. The cryptosystem described above is a simplified version of the one

proposed in the original paper [lmai and Matsumoto 1 989] . Instead of using a
single extension IK of degree n over lFq , they wrote n as a sum n = n 1 + + n d
and used d extensions IK1 , . . , !Kd , where lK; has degree n; over lFq They chose
a different exponent h; = l + 1 in each IK;, where g.c.d.(h; , q n - 1) = 1 . The
n components of the vector u were split up into d subsets of n; components, and
the corresponding element u; E IK; was transformed to v; E IK; by raising it to
the h;-th power.
At first, this greater generality might seem to contribute to the security of the
system. However, it turns out that the cryptanalysis in 1 .2 goes through just as
well for this more general system. For details about breaking the original Imai
Matsumoto system, see [Patarin 1 995] .
.

Example 1 . 1 . Here is a "toy example" of the Imai-Matsumoto system. That

means that its purpose is to illustrate the mechanical operation of the cryp
tosystem, but its parameters are too small to give any security. Let q = 2,
n = 5, and let IK be represented as the set of polynomials in lF2 [X] modulo

 1 . The Irnai-Matsurnoto System

83

the irreducible polynomial f(X) = X 5 + X 4 + X 3 + X + l . We use the basis

{,8 1 , ,82 , ,83 , ,84 , ,85 } = { 1 , X, X2 , X3 , X4 } . Further let B = 3, h = 9, h' = 7, and set

A{ ) ' (j ) ,
0

1
0
0 0
l 0
0 0
c = ( 1 , 0, 1 , 1 , 1 ) ,

Then

A'=

0 1
1
0
1
1

l
1
1
0
0

(! )

0 0
0 l
B=
l 0
1 0
0 0
d = (l , 0 , 1 , 0 , 0)

=
n-'

0
0
1
0
0

1
l
0
0
0

0
0
1
1
1

0
1
l
1
1

(i J

Thus, the u-vector is expressed in terms of the x-vector as follows: Uj = Xj + X3 +

X4 + 1 , Uz = Xz +X3 +Xs, U3 = XJ +xz +Xs + 1 , U4 = Xz +X4 + 1 , U5 = X4 +Xs + l . If we
write v = u9 = (ui +uzX +u3X2+u4X 3 +usX 4 )(u1 +uzX8+u3X 1 6+u4 X24 +u5X 3 2)
and reduce the product on the right modulo f(X), we find that v is expressed in
terms of x as follows:

V I = 1 + X1 2 + X J X3 + X J X2 + X4 + X4 X5 + X 1 X4 + XzX4
+ XJ + Xz + x3x5 + x2 2
Vz = X5X1 + X3X 2 + Xt 2 + XzX5 + Xs 2 + X4 + X1X4 + X1
+ X3 2 + Xz + X3X5
V3 = X J X3 + X1 + X 1 X2 + X3X2 + X3X4 + Xz + X3 + X4 2 + X3X5 + Xz 2
V4 = X3X4 + X1 2 + Xs 2 + X3 + 1 + XJ X3 + X1 X4 + XzX4 + X4 2 + Xz 2
V5 = X3X2 + 1 + X5X1 + X3 + X5 + Xs 2 + X J X3 + X J X 2 + X4
+ X J X4 + X3 2 + X2 + X4 2 + X3X5
Finally, the public equations relating y to x are:
Yl = X3X2 + 1 + X5X 1 + X3 + X5 + Xs 2 + X1 X3 + X 1 X2 + X4 + X J X4
+ X3 2 + Xz + xl + X3X5
Yz = X3X4 + X1 2 + XzX4 + X2 2 + X3X2 + X5X1 + X5 + X J X2 + X4
+ X3 2 + Xz + X3X5
Y3 = 1 + X1 2 + X1 + X3 + X4 + X5 + X4 2 + XJ Xz + X4X5 + X3X2
+ xz 2 + xzxs + xs 2
Y4 = 1 +x1 x4 +x3 2 +xz +x3 +xs +x4 2 + X3X5 + xsx1 + x 1 x 2 + X4 X5 + x?
YS = X 1 + X t Xz + X3X 2 + Xz + X3X5 + x1 2 + Xs 2 + X J X4 + XzX4 .

84

Chapter 4. Hidden Monomial Cryptosystems

1.2 Patarin's Cryptanalysis

At Crypto ' 95 , Jacques Patarin showed how to break the Imai-Matsumoto cryp
tosystem. His idea, though ingenious, is actually quite simple. He noticed that if
one takes the equation v = u h = uq " + l , raises both sides to the (q B - 1 )-th power,
and multiplies both sides by uv, one gets an equation

(7)
that leads to equations in x1 , . . . , Xn , Y 1 , . . . , Yn that are linear in both sets of
variables. Using linear algebra, Catherine the cryptanalyst can find these equations
even if she has no idea what Alice's parameters are. These equations probably
won't be quite enough to uniquely determine the plaintext from the ciphertext. But
they will reduce the search for the plaintext x to a small enough affine subspace
of w; so that, in all likelihood, even an exhaustive search will be feasible. We now
give more details.
Catherine knows, of course, that Alice is using the Imai-Matsumoto cryptosys
tem in a field extension lK of degree n over IFq (where q is a power of 2). She thus
knows that an equation of the form (7) holds, and that there are linear relations
(2) and (3) and affine relations (6) that together lead to equations of the form

l = 1 , . . . , n. Equation (8) is derived in exactly the same way in which, starting

from the right hand side of ( l), we obtained polynomials of total degree 2 in
x1 , . . . , Xn (see equations ( l ) through (6)). To break the Imai-Matsumoto cryp
tosystem, Catherine's strategy is to ignore the public equations, and instead find
the much better equations (8) that are linear in both sets of variables x and fj.
At first Catherine has no idea what the coefficients in these relations are,
because she does not know the coefficients in (6), (2), or (3) (since she does not
even know the basis fJ1 , . . . , f3n ). However, she can generate a large number of
plaintext-ciphertext pairs (x1 , . . . , Xn , Y 1 , . . . , Yn ) by simply using Alice's public
equations (just as Bob would do in order to send Alice messages). Any such 2n
tuple can be substituted into (8) to yield a linear equation in the (n + 1 ) 2 unknown
coefficients a,j , (3, , /i , 8 in an equation of the form (8).
In this way Catherine will eventually be able to find a maximal set of L
linearly independent equations of the form (8) that are satisfied by all plaintext
ciphertext pairs. We know that many such equations will come from (7), and it is
possible (though probably not likely) that there will be some other equations of
the form (8) that do not come from (7). To simplify the argument that follows, let
us assume that all of the equations (8) that are satisfied by all plaintext-ciphertext
pairs actually come from (7). If there are any additional equations, then they will
only help Catherine break the cryptosystem more easily. Suppose that there are L
independent equations indexed by l = l , . . . , L, as in (8). Will they be enough to

1.

The Imai-Matsumoto System

85

uniquely determine the plaintext x corresponding to a given ciphertext y? Probably

not, for the following reason.
When Catherine raised both sides of the equation v
uh to the
(qB - l )-th power and then multiplied through by uv, she lost information. To
put it another way, new "extraneous" solutions - ones that do not correspond to
plaintext-ciphertext pairs - were introduced by exponentiating both sides of the
equation. This difficulty is familiar from high school algebra, where one might re
move a radical in an equation by squaring both sides, only to find that the resulting
solution is extraneous, i.e., not a solution of the original equation. (For example,
the equation JX+I - v'x = 2, which has no real solutions, can be "solved" to
get the extraneous solution x = 9/ 1 6.)
Let us suppose that Catherine has found a complete set of independent equa
tions (8) that are satisfied by all plaintext-ciphertext pairs. She then intercepts a
ciphertext vector y0 and substitutes its coordinates into all of the equations ( 8). At
that point she has L linear equations in the n unknowns x 1 , . . . , X n How many
of these L equations are independent? In general, this number - let's call it ;1 will be less than L, and it may depend upon the particular y0.
Equivalently, how many different solutions x will the system (8) have (after
y0 has been substituted in place of y)? We know that the plaintext vector provides
one solution, and so the equations are consistent. From linear algebra we then
know that the space of solutions is an (n - A)-dimensional affine space in IF
(by an "affine" space we mean a linear subspace shifted by a constant vector). In
other words, when we regard the equations (8) as a system of linear equations in
X t , . . . , Xn after the substitution y = y0, it will have exactly q n- A solutions .
On the other hand, these equations in x 1 , . . . , Xn are equivalent to the equation
(7) (regarded as an equation in the unknown u after a specific value v0 , where
v0 = By0 + d, has been substituted for v). Here remember that, for simplicity, we
are assuming that all of the equations in (8) come from (7). That is, the solutions
of (7) are in one-to-one correspondence with the solutions to the system (8). When
v = v0 is fixed, how many solutions u are there to (7)? First, there is the trivial
solution u = 0. Then there is the unique solution u0 = vg ' of the equation v = uh
that was raised to the (qB - l )-th power to get (7). If u is another nonzero solution
of (7) with v = v0, then we have both
and
Hence, u< q" - l ) = uh< q" - l ). Raising both sides of the last equality to the h'-th
power (which inverts the h-th power map in JK), we find that u6 " - l = u q" - l . This
means that u differs from u0 by a factor that is a (qB - 1 )-th root of unity in K
Conversely, if ( is any (qB - l )-th root of unity in lK, then clearly u = ( u0 will be
a nonzero solution of (7).
How many ( q8 - 1 )-th roots of unity are there in JK? Since the nonzero elements
of lK form a cyclic group of order qn - 1 , there are g.c.d.(qB - 1 , q n - 1) such roots.
(See Exercise 12 of 2 in Chapter 3.) By Exercise 1 below, g.c.d.(qB - 1 , q n - 1 ) =
q d - 1 , where d =g.c.d.(B, n). When we count the zero solution, we conclude that

86

Chapter 4. Hidden Monomial Cryptosystems

there are exactly q d solutions

(8) (with fj = fj0 ). That is,

of (7) (with v = v0 ), and hence

solutions x of

n - A = d = g.c.d.(B , n) .

(9)

The number in (9) is a measure of how far Catherine is from uniquely deter
mining x from her equations (8). She can use the equations (8) to determine a
d-dimensional affine space that contains the desired plaintext vector. Then she has
to search among the q d vectors to find the plaintext.
What is the largest that d can be? Since 8 was chosen so that g.c.d.( qll + 1 , q n 1) = 1 , it is easy to rule out d = n and d = n/2. It is, however, possible to have
d = 8 = n/3 (see Exercise 3 below).
We conclude that Catherine has to search through a space that has at most
113 the dimension of the entire space of possible plaintexts. This means that the
Imai-Matsumoto system is either insecure or inefficient. That is, even if 8 = n/3,
in order to make the system resistant to exhaustive search attacks, one must choose
n to be 3 times larger than originally thought.
Despite the weakness in their system, Imai and Matsumoto contributed a valu
able idea for a cryptosystem. Soon after breaking the particular system that they
had proposed, Patarin found ways to modify it so as to resist attacks such as the
one described above. These modifications will be the subject of 2-3.
Exercises for 1

Let a, b, n, 8, and q be positive integers with

b

..

q 2':

2. Prove:

1 . g.c.d.(q a 1 , q 1) q g.c.d.(a ,b) 1 .

2 . If q is even and g c d .( 2 8 , n) = 1 , then g.c.d.( qll + 1 , q n 1 ) = l .
3. If q is even and n i s an odd multiple of 8 , then g.c.d.(q8 + 1 , q n - l ) = l .
4 . In Example 1 . 1 , encrypt the following plaintext vectors using the public equa
tions: (a) (0 , l , 0 , 0 , 0) ; (b) ( 1 , 1 , 1 , 1 , 1) ; (c) ( 1 , 0 , 0 , 1 , 1 ); (d) ( 1 , 0 , 1 , 0 , 1). In each
case decrypt your ciphertext using the secret information B, d, h', c, and A - I ;
_

you should get your plaintext back again.

5. Let q = 2, n = 3, and let lK be represented as the set of polynomials in

lF2 [X] modulo the irreducible polynomial f(X) = X 3 + X + l . Use the basis
{,8 1 , ,82 , ,83 } = { 1 , X, X2 } ; and let e = 2, h = 5, h' = 3. Further set
A

( i D

B=

o r )

c=

( 1 , 0, 1 ) '

d = ( 1 , 0 , 0) .

First express (u1 + u2 X + u3X2)h in terms of the basis with coefficients of the
form I: u,uJ Then find the public equations for fj in terms of x.

2. Patarin's Little Dragon

87

2. Patarin's Little Dragon

After breaking the lmai-Matsumoto cryptosystem, Patarin proposed a variant that

at first seemed resistant to the type of cryptanalysis in 1 .2. After describing this
system, we outline an initial attempt at cryptanalysis, using crude linear algebra,
that failed. We next give a simple method to break the system if the exponent
is not carefully chosen. Finally, we describe the more intricate technique that
Coppersmith and Patarin used to break the Little Dragon for any exponent.
2.1 The System

Much of the set-up is the same as in 1 . 1 . As before, ][{ is an extension of degree n

of the finite field lFq and /31 , /32 , . , f3n E ][{ are a basis of ][{ as an lF q -vector space.
Using this basis, Alice, who is preparing to use the Little Dragon cryptosystem in
IK, regards each element of ][{ as an n-tuple over lFq . Alice may choose to keep
her basis secret, in which case we cannot assume that Catherine the cryptanalyst
knows what basis she is using.
Both plaintext message units and ciphertext message units will be n-tuples
over lFq We will use the vector notation x = (xi , . . , Xn ) E lF for plaintext and
y = (y1 , , Yn ) E lF for ciphertext. As before, Alice works with two intermediate
vectors u = ( u 1 , . , Un) E lF and v = (v 1 , , Vn ) E lF . Given a vector in lF ,
we use boldface to denote the corresponding element of ][{ with respect to the
basis /3j .
In the Little Dragon cryptosystem, the exponent h has a slightly different
form than in the lmai-Matsumoto system. Namely, Alice chooses an exponent h,
0 < h < qn , such that h + 1 is a sum of two different powers of q, i.e.,
.

h = l + q "'

( 1 0)

1 ,

and such that g.c.d.(h, q n - 1) = 1 . It is no longer necessary for q to be even. For

now we allow Alice to choose the two integers B and r.p arbitrarily in { 1 , . . , n - 1 },
subject only to the condition that h be prime to q n - 1 . However, in 2.3 we will see
that there are some values that give "weak" exponents, i.e., exponents for which
the cryptosystem can be readily broken. Alice may choose to keep h secret. But
since there are relatively few possibilities for h, she must assume that Catherine
the cryptanalyst is prepared to run through all possible h. That is, even if she
keeps h secret, the security of her system cannot depend on that.
In addition, Alice chooses two secret linear transformations, i.e., two invertible
n x n-matrices A = {aij h i,j n and B = {biJ h i,j n with entries in lFq . *
.

* In the original paper [Patarin 1 996b] , Alice chooses affine rather than linear transfor
mations. That is somewhat more general, but most likely the added generality does not
substantially improve the security of Little Dragon and related systems. In any case, for
simplicity we shall assume that the transformations are linear rather than affine.

88

Chapter 4. Hidden Monomial Cryptosystems

We now describe how Alice gets her public rule for going from plaintext

x E lF; to ciphertext fj E lF; . First, she sets

Next, she would like to have v
then set

u = Ax .
E

lK simply equal to the h-th power of u E lK, and

y = B- ' v ,

where v E lF; is the vector corresponding to v E K But her public encryption

rule will go right from x to fj without directly involving exponentiation.
Alice notices that, if v = uh , then by ( 1 0) she has

(11)

A s i n 1 . 1, she uses the fact that for any k = 1 , 2 , . . , n the operation of raising to
the q k -th power in lK is an lF q -linear transformation. Again let p( k ) = {p\ ) } I ::; , ,; ::; n
be the matrix of this linear transformation in the basis (31 , , f3n (see equation
(2)); and let m,1 1 be the coefficients when the product (3;(3j is written as a linear
combination of (31 (see equation (3)). Note that ( 1 1) can be .expanded to give
.

(12)
by (2). If we use (3) and then compare the coefficients of (31 on the left and right
sides of ( 12), for each l we obtain

2:= m,jz u;v1 =

I ::; i ,j $ n

l S: i , j ,JJ. , v-5: n

Of course, Alice knows all of the coefficients mij l and

transformations A and B, where

u = Ax ,

( 1 3)

Pl).

She now uses her

v = By ,

to replace u; by L p aip X p and replace v1 by L,. b1 ,.y,. in ( 1 3). When she gathers
coefficients of each product Xi Yj and each product x , x1 , she obtains n equations

2:= C,j l Xi Yj + 2:= dij l XiX; = 0

l=

1 , 2, . . , n.

l $ i ,; $ n

l $ , $j $ n

( 1 4)

Alice makes the equations (14) public. In other words, her public key consists
of the n 3 + n 2 coefficients Ci;l , d,1 1 . If Bob wants to send her a plaintext message
x, he substitutes the x, in ( 14) and solves for the Yj by Gaussian elimination. Here
it is crucial that the system ( 1 4) is linear in the y1 once the x; are known. On the

2. Patarin's Little Dragon

89

other hand, someone who knows only the ciphertext (and the public key) is faced
with the daunting task of solving the nonlinear system (14) for the unknowns x; .
When Alice receives the ciphertext y, she uses her knowledge of A, B, and h
to recover x, without having to solve ( 14) for the x; . Let h' be the multiplicative
h
inverse of h modulo q n - 1 , so that the map u = vh' inverts the map v = u on
K Alice first computes v = By, then raises v = I": vi/3; E IK to the h' -th power
(i.e., sets u = vh' ), and finally computes x = A - 1 u.
The following diagram summarizes Alice's decryption:

Yt ,

-lJ

, Yn

v = By
v

-lJ

= I": vj3;
-lJ

u = vh'

2.2 A Failed Cryptanalysis

Here is a first attempt to break the Little Dragon cryptosystem.

We won't worry about what basis of IK over lFq was used by Alice. We'll
just use our own convenient basis. Of course, the linear formulas relating u to
x and v to y are different in our basis, but they're still linear maps. Let A' and
B' denote the matrices of these linear transformations. Assume that the exponent
h is known (because of its form h = qe + q <P - 1 , there are only a fairly small
number of possibilities to be guessed). To break the cryptosystem it suffices to
know the matrices A' and B'. We regard the 2n2 entries of the matrices A' and
B' as unknowns, and we generate a large number of plaintext/ciphertext pairs
(X t , . . . , Xn , Yt , . . , Yn ). Each such 2n-tuple can be substituted into the formulas
.

u = A' x ,

v = B'y ;

and the resulting expressions for the u; and Vj (in terms of the 2n 2 unknowns) can
be substituted into ( 13) (more precisely, into the equations of the form ( 1 3) that
we derive using our own basis rather than Alice's basis). Each plaintext/ciphertext
pair gives n equations (one for each l = 1 , . . . , n) in the 2n2 unknowns.
These equations are quadratic, rather than linear. However, if we introduce new
variables Wp for all of the products of unknowns that appear (i.e., each wp replaces
either a product of the form a;j bk l or a product of the form a;j a k z), then we obtain
linear equations in the O(n4 ) new variables. By varying the plaintext/ciphertext
pair, we get a vast number of equations in these O(n4 ) variables. We then use

90

Chapter 4. Hidden Monomial Cryptosystems

Gaussian elimination to find the unknowns w p , and from them it is easy to find
the original 2n2 unknowns, i.e., the entries in the matrices A' and B ' .
Of course, it's crucial to be able to generate enough equations in the 0(n4 )
unknowns wp , so that the only common solution found by elimination will be the
one that's compatible with the fact that each w p is really a product of two of the
original 2n2 unknowns.
At first glance it seems that, because of the complicated equations (14) used
to generate plaintext/ciphertext pairs, we could get enough independent linear
equations. However, on closer examination we find that this approach to breaking
the system will not work. The reason is that one obtains only O(n3 ) independent
linear equations in the O(n4 ) variables.
To see this, let us look again at the equations that result from ( 1 3) after
we make the substitutions u = A'x and v B ' y. After we replace the pro
ducts a,1 b k t and a;1 a kl by the corresponding w p , these equations may be regard
ed as linear equations in the w p whose coefficients are quadratic expressions in
(xi , . . . , X n , Yl , . . . , Yn ). More precisely, those coefficients are linear expressions
in the n2 + n(n + 1 )/2 products x;y1 (1 ::; i, j ::; n) and x;x1 (1 ::; i ::; j ::; n).
'
Suppose that for each l we construct the following map <1>1 from JF' + n( n+ l )/2 to
'
the space of linear equations in the 0(n4 ) variables Wp . To each z E IF' +n( n + l l/ 2
we associate the linear equation obtained by replacing the n2 products x;yj by
the first n2 components of z and the n(n + 1 )/2 products x;Xj by the remaining
components of z in the equation in the w p that comes from the l-th equation in
( 1 3).
No matter how many plaintext/ciphertext pairs (x1 , . . . , Xn , y1 , . . . , Yn ) we use,
all of the equations in the O(n4 ) variables wp that we obtain will be in the image
of one of the <1>1 , l = 1 , . . . , n. Each image is at most (n2 +n(n+ 1 )/2)-dimensional.
Thus, the maximum number of independent equations we can possibly hope to
generate is n 3 + 1 n2 , which is not nearly enough.
=

2.3 Weak Exponents When

q =

Let lK be an extension of IF'2 of degree n. In this section we show how to break

Little Dragon if h is a "weak exponent" in the following sense.
In 2. 1 we allowed any exponent h of the form h
2 e + 2'' - 1 with
g.c.d.(h, 2 n - 1 ) = 1 . We now suppose that h is such that from the equation
=

( 1 5)
one can obtain an equation of the following form by raising both sides of ( 1 5) to
some power prime to 2 n - 1 and multiplying both sides of ( 1 5) by powers of v
and u:
( 16)
where the number of powers of 2 in the exponents is small (for example, k, k' ::; 5).

2. Patarin's Little Dragon

Example 2. 1. Suppose that n =

91

6 and h = 24 + 22 - 1 = 19. Then raising both sides

of ( 15) to the 3rd power and multiplying by u8 gives v 1 +2 u23 = u65 = u2 , which is
of the form ( 1 6) with k = 2, k' = 0, a = 3, f3 = 1 .
In the cryptanalysis, we use the fact that each map v >--> v2 ' " , u >--> u2Q ,
v >--> v2'" , and u >--> u2 13 is linear. If we follow tbe same procedure that we used
to derive the equations ( 14) from the relation (1 1), we see that ( 1 6) leads to a set
of n equations of the form

1 :S s 1 :S

:S s k :S n , 1 :S so :S n

e s , , . . . ,s . ,so , l Ys , Y sz . . . Y sk X so

( 17)
l=

1 , 2, . . . , n.

Remark. Notice that

( 1 6) and (17) are equivalent to one another, i.e. , any

(x 1 , . . , X n , Y1 , . . . , Yn ) satisfying (17) gives (by means of the matrices A and
B) elements u, v E lK satisfying (16). For u, v i- 0 equation ( 1 6) is also equivalent
to equation ( 1 5).
.

Suppose that Catherine is trying to break Alice's Little Dragon, and knows her
exponent h. (As mentioned in 2. 1 , there are not many possibilities for h, and so
Catherine is prepared to run through all possible h.) Suppose tbat h is "weak", i.e.,
the relation ( 1 5) implies a relation of the form (16). Catherine then knows, first of
all, that Alice's plaintext/ciphertext pairs will satisfy a set of at least n equ ations
of tbe form (17). Second, she knows that, if she finds tbis set of equations of the
form (17), then, by the above remark, for any nonzero n-tuple (y1 , , Yn ) there
will be only one nonzero n-tuple (x1 , . . , Xn) that satisfies the set of equ ations
( 17). Thus, after she finds the equations (17), all that she has to do to decrypt a
ciphertext (y1 , . . . , Yn ) is to substitute it into ( 17) to obtain a linear system in the
unknowns x, that has a unique nonzero solution. That solution is tbe plaintext.
So we have reduced the cryptanalysis to finding all equations of tbe form (17)
that are satisfied by plaintext/ciphertext pairs (x1 , . . . , Xn , Y1 , . . . , Yn ). We regard the
coefficients e s , , . . , s . , so ,l and ft, , . . , t.,,to , l as unknowns, and generate a large num
ber of plaintext/ciphertext pairs. For each such 2n-tuple (x 1 , . . . , Xn , Y1 , . . , Yn)
we obtain a set of n equations ( 17) that are linear in the unknowns. Without loss
of generality we may assume that k > k'. Then there are 0 ( n k+2 ) unknowns,
and so we expect that after trying 0 ( nk +2 ) different 2n-tuples (x1 , . . , Yn) we
will have a complete set of independent equations in the variables e8 , , , s . , so , l
and it, h ,to ,l Using Gaussian elimination, we find tbe solution space of the
equations, i.e., a basis for tbe space of e- and !-coefficients that give equations
satisfied by all plaintext/ciphertext pairs. In other words, we find a maximal set of
independent equations of the form (17) that are satisfied by all plaintext/ciphertext
pairs. As explained above, this set of equations breaks the cryptosystem, because
tbe equations are linear in the plaintext variables x 1 , , Xn .

..

'

92

Chapter 4. Hidden Monomial Cryptosystems

Remark. The above cryptanalysis in the case of weak exponents works just as well
if y is related to v and x is related to u by affine rather than linear transformations.
2.4 The Little Dragon is a Paper Tiger:
the Coppersmith-Patarin Cryptanalysis (see [Patarin 1 996b])

In this section we show how to break the Little Dragon cryptosystem in the general
case.
Let Y be the n-dimensional IF'q -vector space of possible ciphertext vectors
{ Y I , . . . , Yn } . Recall that for any vector v = ( v1 , . . , Vn ) E IF' we use boldface
to denote the corresponding element of lK with respect to Alice's fixed basis
.

f3 J , . . . , f3n :

= VJ /3 1 + + Vn f3n

( 1 8)
JK .
Suppose that we somehow managed to stumble upon a bilinear* map that we
denote * from Y x Y to Y:
E

( 19)
(y, y ' ) ....... y " = y * y '
such that if v = By, v ' = By ', and v" = By ", then v " = v v ' . In other words,
when the map is translated into v-vectors using the matrix B it becomes the
multiplication map in K Actually, we shall be satisfied with a map * which has a
somewhat weaker property. Namely, we shall be happy if the map * satisfies the
following condition: there exists some fixed nonzero p, E lK such that for all y and
y ', if we apply the matrix B to y, y ' and y " = y * y ', then the resulting vectors
satisfy

v" = p, v v ' .
(20)
Even without knowing B, if we somehow knew that (20) holds, then we could
say that an h' -fold iteration of our operation * applied to a ciphertext vector would
produce a vector that is related to the plaintext vector x by a fixed linear matrix.
We now explain this. Let y be our ciphertext vector. We define y " by setting
y ' = y in ( 1 9), i.e., y " = y * y; we then define y '" to be y * y " ; and in general
we define
We define

y(j) = y * y<J - I ) '

ff.i

ff
l = B jl '

j = 2, 3 , . . ' h' .
.

j = l , 2, . , h' ,
and, as always, we let v(j) denote the element of lK corresponding to
( 1 8). By applying (20) repeatedly, we find that
j = 1 , 2, . . . , h' ;
. .

v(j) as in

* A map from Y x Y to a vector space is "bilinear" if it is linear in each argument when

the other argument is kept fixed.

2. Patarin's Little Dragon

93

in particular,
i.e.,

u = v h ' = p, - < h' - 1l v < h ' )

Let M b e the matrix o f multiplication by p, - (h' - 1) E lK in the basis /3 1 , . . . , f3n .

Then
x = A - 1 u = A - 1 M1f h ' l = A - 1 MBy(h' l .
In other words, the plaintext vector is equal to the fixed matrix C = A- 1 MB
times the h' -th power (in the sense of the *-operation) of y, as claimed.
So if we knew that (20) holds, we would know that

x = cy< h')

(2 1 )

for some fixed n x n-matrix C. A t that point it would be easy to find the entries of
C = {c;i h <::: i , ; <::: n as follows. We generate a number of plaintext/ciphertext pairs
Xt = (xO l , . . . , Xnt ), Yt = (Yot , . . . , Ynt) for l = 1 , 2, . . . , L. It is a simple matter to
generate such a pair; in fact, in a public key cryptosystem anyone must be able
to encrypt any plaintext of her choosing. In the present situation this is done by
arbitrarily choosing the vector x1 and then solving the equations ( 14) (which are
linear in the y-variables) for the corresponding ciphertext vector. When we have
the ciphertext vector, we find its h' -th power under * (using the repeated squaring
method, as in Example 3.5 of Chapter 2), which we then put in the right side of
(2 1 ). From each plaintext/ciphertext pair x1 , Yt we get a set of n linear equations
(2 1 ) in the unknown matrix entries c;j . Once we do this for slightly more than
n different 2n-tuples (xot , . . . , Xn l , Yol , . . . , Ynz) , l = 1 , . . . , L with L > n, we are
almost certain to be able to solve for the n2 unknowns Cij .
As soon as we know the matrix C, we know how to decrypt using (21 ), and
we have broken Alice's system. Thus, what we need for the cryptanalysi s is a
bilinear map * : Y x Y --> Y with the desired property. The remainder of this
section is devoted to finding such a map *
For each l = 1, 2, . . . , n, let Dz = Dz(x1 , . . . , Xn , Y 1 , . . . , Yn) denote the first of
the two sums in ( 1 4), and set 8 = (61 , . . . , Dn). The sum Dz comes from the left
side of ( 1 3) (which is unknown to Catherine, who doesn't even know Alice's basis
(31 , , f3n) by means of the unknown matrices A and B. That is, the first s um in
( 1 4) came from the product u v on the left in ( 1 1).
To create the map * the idea is to exploit the trivial fact that for any A E lK

A(uv) = u(Av)

(22)

For every A f. 0 we claim that (22) gives rise to a corresponding pair of n x n

n
matrices S and T with entries in lFq such that for all (x 1 , . . . , Xn , Y1 , . . . , Yn) E lF
the l-th component of S 8 is given by
( S 8) t =

1 <::: i ,j <::: n

c,j zx;(T y)j ,

(23)

94

Chapter 4. Hidden Monomial Cryptosystems

where (T y)1 is the j-th component of T y. Namely, given >., if we knew the matrix
B, and if we knew the matrix A of multiplication by ). in Alice's basis fJ1 , . . . , f3n ,
then we would set T B- 1 AB and S = A. This is because B- 1 AB y is the vector
corresponding to >.v, and so the right side of (23) would be the (31 -component of
the right side of (22). On the left in (23) note that the l-th component of A 8 is the
(31 -component of >.(uv) E lK, since the l-th component of 8 is the (31 -component
of uv.
Of course, we do not know B or A. However, what we do know is that such
matrices S and T must exist. Moreover, the set of matrices T which have this
property (i.e., for which there exists S such that (23) holds) is a vector space of
dimension at least n over IF' q Namely, this set contains the set B- 1 AB as A ranges
over the n-dimensional vector space of matrices corresponding to all >. E K In
practice, it seems that the vector space of matrices T is usually n-dimensional, i.e.,
it usually does not contain anything other than the matrices B- 1 AB for >. E K
In what follows, for simplicity we shall assume that the vector space of matrices
T for which (23) can be solved for S is of dimension exactly n.
Let the matrices T1 , . . . , Tn be a basis for this space, so that an arbitrary solu
tion T can be written in the form T t 1 T1 + +t n Tn , where t = (t 1 , . . . , t n ) E IF'.
A basis of matrices T1 , , Tn can be found from (23) by Gaussian elimination,
where we regard the 2n2 entries in the matrices S and T as unknowns and use a
large number of plaintext/ciphertext pairs (x1 , . . . , X n , y1 , . . . , Yn ) to get as many
equations in these unknowns as we need. (See our earlier discussion of how to
solve equation (2 1 ) for the matrix C.) So from now on we suppose that we have
found the matrices T1 , . . . , Tn .
Suppose that we had a function t = j(>.) from lK to IF' - in other words, an
n-tuple of functions t; = J; (A ) from lK to IF' q - that gives us the T corresponding
to >., i.e., that satisfies I: f, (>.)T; = B- 1 AB for all ). E lK, where A denotes the
matrix of multiplication by ). in the basis (3 1 , , f3n Such a function f would
give a linear map (in fact, a vector space isomorphism) between lK and the space
of solutions T. Now let g; be the map from vectors y to IF'q that takes y to 'iJ = By
and then applies J; to v I: v1 (3j :
n
g, : y >-+ 'iJ By >-+ v = L vj f3; >-+ t; j; (v) .
i =j
=

If we knew g, we could define our operation * as follows:

n
y " y * y ' = L g;(y)T;y ' .
i=l
=

(24)

Then we would have v" = v v', where, as always, v denotes the element 2::: v;(3;
of lK corresponding to 'iJ = By, and similarly for v' and v".
However, as remarked before, we do not really need v" v v' ; it suffices to
have (20). Thus, we will be satisfied with a linear map f that satisfies a more
general property. Namely, for an arbitrary fixed nonzero J.l E lK and for every
=

2. Patarin's Little Dragon

95

>. E lK let A enote the matrix of multiplication by p,>. in the basis (31 , . : , /3n
Suppose that t = j(>.) is a linear map from lK to lF such that for some fixed p,
one has I: j;(>.)T, B - 1 AB for all >. E lK; and let g(y) be the map obtained by
composing this f with B as before. If we knew such a g, then all we woulc.J. have
to do is define * by (24) with this g. We would then have v" = p, v v' , wh.ich is
the relation (20) that we need.
How do we find such a linear map g? We use the crucial but obviou s fact that
any operation * satisfying (20) is commutative. Let G = {9ij } be the matrix. of g:
g(y) Gy. Let G; denote the i-th row of G. If we can find G, then we de fine *
by setting

Y * Y'

n
= "L_ G;'f} T;y ' .

(25)

i= l

We regard the entries 9ij in G as unknowns, and we use the fact that the
operation in (25) is commutative, i.e.,
n

L G;'f}T;fj1 L G;fj1T;y .
(26)
i= 1
Let (T,)uT denote the aT-entry of the matrix T;. For 1 :::; j1 , ]2 , ko :::; n we choose
y to be the j 1 -th standard basis vector, choose y ' to be the j2 -th standard basis
=

vector, and compare the k0-th component of the vector equation (26). We obtain
n

L G,J I (T;) koj, = L G,j, (T;) koji .

i= 1
i= l
This gives us n3 equations in the unknowns G,j . We know that there is at least an
n-dimensional solution space - since every fixed p, E lK gives a matrix G and
in practice it is not likely for there to be other solutions G that do not come about
in this way. All we need to find is any nonzero solution G in this n-dimen sional
space of solutions. Once we have such a G, we define the * operation by (25),
-

and then, as explained before, we can break Alice ' s cryptosystem. This concludes
our description of the Coppersmith-Patarin cryptanalysis of Little Dragon.

Exercises for 2

1 . Show that an equation of the form ( 1 6) with q in place of 2 cannot be obtained

without the assumption that q = 2.
2. Show that h = 2n - 2 + 2n - 3 1 is a weak exponent with the same k and k' as
in Example 2. 1 .
-

96

Chapter 4. Hidden Monomial Cryptosystems

3. Systems That Might Be More Secure

Patarin investigated several generalizations and extensions of the Imai-Matsumoto

system that in some cases appear to resist attacks such as the ones in 1 .2 and
2.4. In this section we discuss some of these systems.
3.1 Big Dragon

lK is an extension of degree n of the finite field IF'q of characteristic 2, and

E lK form a basis of lK as an IF' q -vector space. Alice may keep

/3 1 , !32 , . . . , f3n

her basis secret, if she chooses. As usual, by means of the basis she thinks of each
element of lK as an n-tuple over IF' q . We use boldface for an element of lK and
overlining for the corresponding n-tuple.
Again x = (x 1 , . . . , Xn ) E IF' denotes plaintext, f) = (YJ , . . . , Yn ) E IF' denotes
ciphertext, and u = ( u 1 , . . . , un ) E IF' and v = ( v 1 , . . . , Vn ) E IF' are two interme
diate vectors. These intermediate vectors are related to x and y as in (6), where
the matrices A and B and the fixed vectors c and d are secret.
Alice now chooses an integer h of the form
(27)
such that g.c.d.(h, qn - 1) = 1 . She chooses a secret IF'q -linear map 1jJ : lK --> K
(One might want to allow 1jJ to be affine rather than linear.) The relation between
u and v is that
7/J(v)
h
U
=
(28)
u, v E w
for
""'"' v 1
..J. 0 .
v
Equivalently, for u, v E lK we want to have
(29)
Since we want the correspondence between u and v to be a bijection, 1jJ must
be chosen so that the map v >--> 7/J(v)/v is one-to-one on the set JK* of nonzero
elements of JK.
Example 3. 1. If q = 2, a is an integer such that g.c.d.(a, n) = 1 , and

the map

4>(v ) = 11- v q

11- E

JK * , then

has the required property. (See Exercise 1 of 1 .) Here Alice keeps a and 11- secret.
Example 3.2. If

f.J-,

E JK * are any secret elements, then the affine map

7/J(v) = 11- v +

has the required property.

Recall how in 1 Alice came up with n polynomial equations of degree 2
in the x, and degree 1 in the y, , starting from the relation ( 1 ). She used the

3. Systems That Might Be More Secure

k

97

coefficients expressing (3'; in terms of a basis, expressing (3,(31 in terms of a basis,

and expressing x and y in terms of u and v (see (2), (3) and (6), respectively).
If we proceed in the same way starting with the equation (29), we arrive at
n polynomial equations (one for each basis element) of total degree 3 in the
variables { x 1 , , x n , Y t , . , Yn } but only of degree 1 in the Yi . That is, a typical
term would have the form c,1 k x,x1 yk , and there might also be x;yk -terms. x,x1 terms, Yk -terms, and s o on. A s in 1 and 2, Alice makes these n equations
public. If Bob wants to send her a plaintext message unit x, he substitutes those
plaintext coordinates in the equations and solves the resulting linear system for
the ciphertext y. Given a ciphertext y, the intruder Catherine is confronted with a
set of nonlinear equations for the x;. Alice, on the other hand, can use equation
(28) to decipher. That is, she uses (6) to transform y to v, then computes
.

u = (1/J(v)/v) h ' ,

where h' is the inverse of h modulo q n - 1 . Finally, she again uses (6) to transform
u to x.
Unfortunately, as explained in Patarin's expanded version of [ 1 996b] , the Big
Dragon is often vulnerable to the same type of attack as Little Dragon (see 2.4),
at least when the function 1/;(v) is publicly known. If 1/;(v ) is kept secret, however,
it is not clear how to attack the system. Even in that case one must be cautious,
because the system is very new. Until a large number of people have spent a lot
of time trying to break the Big Dragon with secret 1/J, we cannot have confidence
in its security.
3.2 Double-Round Quadratic Enciphering (see [Goubin and Patarin 1 998a])

Let lK be an extension of degree n of IF q , where n is odd and q = 3 (mod 4).

As before, (3 1 , f32, . . , f3n E lK form an IFq -basis of lK. We suppose that this basis
is publicly known; however, Alice will later introduce secret matrices in order to
disguise the identification of lK with IF . As before, we use boldface for elements of
lK and overlining for the corresponding n-tuples. Thus, if x = (x 1 , , X n ) E IF ,
then X = X t f3 t + + X n f3n E lK.
Alice chooses three secret invertible n x n-matrices A, B, and C with entries
in IF q To transform plaintext x into ciphertext y, she uses four intermediate vectors
u, v, w, z. She successively sets
.

u = Ax ,

w = Bv ,

y = Cz .

Using the coefficients mij l in (3), along with the entries in A and B , Alice
can express each w1 as a homogeneous quadratic polynomial in the n vari
ables x 1 , , X n . In other words, she can obtain relations of the form Wt =
2:.:: 1 <,< ] < n CY. ij l x,x1 , l = 1 , . . . , n, where a,1 t E IFq . Similarly, she can express
y in terms of w using n homogeneous quadratic polynomials in the n variables
w 1 , . . . , W n . Composing these two maps, she finally obtains n polynomials
.

98

Chapter 4. Hidden Monomial Cryptosystems

that are homogeneous of degree 4. Alice's public key consists of the polynomials
Her private key is the triple of matrices A, B, C.
There is one minor problem with this cryptosystem: the squaring map from IK*
to IK* is not bijective, but rather is 2-to- 1 . That is, both x and -x give the same
ciphertext. However, it is not hard to straighten this out by slightly modifying the
message space in which we take the plaintext and ciphertext. We now show how
to make this modification.
Let the message space M be a convenient set of representatives modulo I
of the nonzero vectors in JF . For example, if lF q = lFP i s a prime field, choose
M to be the set of elements whose first nonzero component x; is between I and
(p - 1 )/2. If lF q is an extension of degree > I of a prime field lFP ' then write
elements of lF q in terms of a fixed lFp-basis, and define M to be the set of nonzero
vectors x E JF whose first nonzero component x; has the property that its first
nonzero component in the lFP -basis falls between 1 and (p - 1 )/2.
For any nonzero x E JF , exactly one of the elements {x, -x} is in M. We
shall write x to denote whichever of these two elements belongs to M. The linear
maps given by the matrices A, B, and C may be regarded as maps from M to M.
We shall write, for example, u = A ( x) = A x.
If an element u E IK* has the property that the corresponding vector u belongs
to M, then we shall also write u E M; in this way M may be regarded as a subset
of IK* . For any u E IK* we write u to denote whichever of u or -u belongs to
M.
The squaring maps v = u2 and z = w2 , when considered as maps from M to
M, are bijections. This is because - 1 is a non-square in lK (here we are using the
assumption that q = 3 (mod 4) and n is odd), and so for any x E IK* exactly one
of the two elements x and -x is a square.
To summarize, Alice gives her encryption map from M to M in the form of n
degree-4 polynomials in n variables x = (x1 , , X n) :
pz .

y = p(x) ,

p(x) = (p1 (x) , . . . , Pn (X)) ,

which she computed by successively applying the maps

x f--7 u = A x f--7 v = (u)2 f--7

f--7 w = B v f--7 z = (wl f--7 y = C z .
To decrypt a message y, Alice uses the fact that raising to the
power inverts the squaring map. Namely, if we have v = (u)2 , then
v< q n + l )/ 4 u< q n + l )/2 = u < qn - 1 )/2 . u = u .

( qn4+ 1 ) -th

(Again we're using the assumption that q = 3 (mod 4) and n is odd. We shall
return to the subject of computing square roots in lF q in more generality in 1 .8
of Chapter 6.) Thus, Alice goes from y to x as follows:

3. Systems That Might Be More Secure

99

y f-> z = c-l (y) f-> w = (z) ( q n +l )/4 f->

qn +l ) /4 r--> x = A - 1 (u) .
1
r--> v = B - (w) r--> u = (v) (
Catherine, who is trying to break the cipher without knowing A, B, or C, is faced
with the problem of solving a system of n degree-4 equations in the n unknowns
X] , . . . , X n
Why are two rounds necessary? Couldn't we simply set y = B v, in which
case each yz would be given by a quadratic polynomial in x 1 , , X n ? It turns
out that such a one-round quadratic encryption is insecure. Goubin and Patarin
[ 1 998a] show this as follows. Let y = f(x) be given by the composition of the
three maps
u = Ax ,
v = u2 ,
y = Bv ,
(30)
where A and B are secret. Consider the following function m 2n variables
X t , . . . , Xn , X , . . . , x :
.

r.p(x, x' ) =

(tcx + x') - J(x - x'))

From (30) it follows that r.p(x, x' ) is bilinear; that is, it has the form r.p(x, x' ) =
L O'.;j XiXj Namely, if we let u = A x and u' = A x' , we see that B- 1 r.p(x , x' ) is
the vector corresponding to the following element of lK:

( c u + u' 2 - u - u' 2 ) = u u ' .

)

Since u u ' is a bilinear function of x, x' , so is r.p(x, x' ).

Using r.p(x, x' ), Catherine can break the system. The way she does this is very
similar to the cryptanalysis in 2.4. See Exercise 4 below.
At present the double-round quadratic encryption has not been broken. One
possible approach to cryptanalyzing it is to try to separate the degree-4 map
y = p(x 1 , , X n ) into its two quadratic components. That is, one would want
to solve the following problem: Let pz (x 1 , . . . , X n ), l = 1 , . . . , n, be homogeneous

degree-4 polynomials in n variables. Suppose that there exist quadratic polynomials pz (WJ , . . . , wn), l = l , . . . , n, and wz (X J , . . . , x n ), l = l , . . . , n, such that
pz (X J , . . . , X n ) = pz (WJ (X J , . . . , X n ), . . . , Wn(X J , . . . , X n )) for l = 1 , . . . , n. Find an
algorithm that computes the pz and wz if one is given the pz.

This is a special case of the general problem of functional decomposition of

polynomials, where one tries to express multivariate polynomial functions as a
composition of polynomials of lower degree. Such problems are usually quite
intractable; the running times for algorithms to solve them tend to grow exponen
tially with the number n of variables. See [Dickerson 1 989] and [von zur Gathen
1 990a and 1 990b].
In [ 1 998a] Goubin and Patarin compare the running times of the double-round
quadratic cryptosystem with those of other cryptosystems, such as RSA. They
conclude that Alice's decryption goes much faster, and so lends itself to efficient
implementation on smart cards. However, more work has to be done before one
can have confidence in the security of the system.

1 00

Chapter 4. Hidden Monomial Cryptosystems

3.3 Signatures

From 2, 3, and 6 of Chapter 1 recall that a hash function mapping a long

message M to a much shorter sequence of symbols H must have the following
property. It is computationally infeasible for Catherine to tamper with M in such
a way as to create a new message with the same hash value H. Also recall from
Chapter 1 that a digital signature of a message from Bob to Alice means the
following. Bob performs an operation H >-+ x that Alice is sure could only have
been performed by Bob. Bob appends this signature x to the plaintext message M
before encrypting the whole thing and sending it to Alice.
Suppose that Bob wants to set up a digital signature system that gives signatures
that are as short as possible - say, about 64 bits. He is willing to do a fair amount
of computation to calculate each signature, but he is severely limited in the size
of the signature. Here is Patarin's proposed system for short signatures.
We suppose that Bob, like Alice before, is working over a field lK of degree
n over IF q . We further suppose that q is small (possibly q = 2). We let the hash
function take values in an m-dimensional iFq -vector space V. In practice, m will
usually be greater than n (for example, m ::::; 2 n) .
The procedure described below will not work for all possible hash values
H E V, but only for about 63% of them (see Exercise 5 at the end of this section;
here we are supposing that fH in (3 1 ) behaves like a random polynomial as H
varies). Bob needs to have several different values for H, so that he can be virtually
certain that the procedure will work for at least one of them. For instance, if he
has a list of 26 hash values for his message, then the probability will be only about
one in 200 billion that the procedure will not work for any of the values. One way
to get 26 different hash values is to apply the hash function to the message with a
single letter A through Z appended. Of course, Alice knows that she should accept
a signature for any one of the 26 hash values that result from such a modified
message.
Rather than a monomial u h , Bob constructs a polynomial in u whose degree
d is less than some reasonable bound (Patarin suggests d ::; 8000). The powers of
u are all either a power of q or a sum of two powers of q, and the coefficients
are affine IF q -vector space functions 1/J; : V --> JK. The powers of u and the
coefficient functions 1/J, are kept secret. In other words, Bob selects a secret degree
d polynomial
l
k
a
fH(u) = 1/Jo( H) + L 1/J ; (H)u q , + L 1/J;(H)uq + q '
i= k +l
i= l

(3 1 )

Let u = Ax+ c, a s i n ( 6); and let y 1 , . . . , Ym denote the components o f a vector

H E V. Bob uses the relations (2), (3) and (6) to transform fH to n polynomials
F; (x, y) E IF q [X J , . . . , x n , Y l , Ym ] (one for each element of Bob's fixed 1F q
basis of lK), each of which has total degree 2 in the variables x 1 , . . . , X m and total
degree 1 in the variables Y 1 , . . . , Ym Bob makes the F; public.

3. Systems That Might Be More Secure

101

When Bob wants to sign a hash value H = (y1 , , Ym ), he substitutes this

value into the coefficients 1/J;(H) and considers the resulting degree-d poly nomial
fH E JK[u] . He finds a root of the equation fH = 0, provided that this polynomial
has a root in K Below we will describe an efficient algorithm for finding a root,
if there is one. If there is no root, then he starts trying the other 25 values of H,
until he finds one for which the equation fH = 0 has a root in K Let u be such
a root. Using (6), he transforms u to a vector x, which he sends to Alice. This
x E JF is his signature.
Alice's task now is pretty simple. She computes the 26 hash values of the
message with an appended letter. For each such value H = (y1 , , yTTl) she
checks whether or not F;(x1 , . . . , X n , Y 1 , . . . , Ym ) = 0 , i = 1 , . . . , n. If any of the
26 values of H combines with the signature x to give a solution of this system
of equations, then Alice knows that Bob really did send the message, and the
message has not been tampered with. Otherwise, she knows that Catherine has
been causing trouble.
Notice that if Catherine tries to impersonate Bob and send her own message
with hash value H = (y1 , . . . , Ym ), then to find a signature vector x she has to
solve a system of n equations of degree 2.
Because the 1/J, are affine functions, Catherine would be able to solve the
equations for y given any x. Because m > n, she could actually find a large
number of y corresponding to each x. But such y would not do her much good,
since she'd be unable to reverse the hash function to find a message with hash
value y. If for some reason we wanted to prevent Catherine even from finding y,
we could replace the affine 1/J; by higher-degree polynomials. However, from a
practical standpoint there does not seem to be any reason to make the coefficients
more complicated in such a way.
Finally, we explain how Bob can find a root u E lK of the polynomial
fH (X) E JK[X] in (3 1 ) if it has such a root, that is, if the polynomial j(X) =
g.c.d.(jH (X), Xq n - X) has degree greater than zero. Let 7J be a randomly chosen
nonzero element of K Consider the polynomial g(X) = gTJ (X) = LZ, 1 (7]X)q' .
The polynomial 91 (X) = L xq' is the trace map. By Exercise 1 3 in 2 of Chapter
3, for fixed 7J the polynomial g(X) takes any given value c E lFq for exactly q n - 1
different X E K For any c E lFq the polynomial

j(X) = g.c . d. (j(X), g(X) - c)

(32)

is equal to the product of (X - u) over all roots u E lK of fH (X) such that 7JU
has trace c.
Bob varies 7J randomly, and makes the g.c.d. computation in (32) and the
analogous computations with j(X) replaced by the factors of j(X) that are split
off by the earlier g.c.d. computations. Although occasionally he might get a trivial
g.c.d. - either 1 or j(X) - it can be shown that he is almost certain to be able to
progressively split off factors of j(X) in JK[X], until he finally obtains a factor of
the form X - u. For more details of this algorithm, along with other methods of
finding roots of polynomials over finite fields, see [Lid! and Niederreiter 1 986].

1 02

Chapter 4. Hidden Monomial Cryptosystems

Exercises for 3

1 . Let lK = IF2 n . Show that the squaring map is bijective. But explain why the
cryptosystem in 3.2 is completely insecure when q = 2, and in fact when q is any
power of 2.
2. Is the squaring map bijective on GL2 (IF2 n )? Explain. (Here GL2 (lK) denotes
the set of invertible 2 x 2-matrices with entries in K)
3. If q were = 1 (mod 4) or if n were even in 3.2, show that the encryption map
x >-> u >-> v >-> w >-> z >-> y would be 4-to- 1 rather than 2-to- 1 .
4 . Using the bilinear map .p(x, x' ) in the text and proceeding as in 2.4, show how
to break the one-round quadratic enciphering (30).
5. Show that for a large finite field lK = IF q n and large d, the proportion of monic
degree-d polynomials f(X) having a root in lK is very close to 1 - 63.2%.
Do this in two ways:
(a) Make the heuristic assumption that such polynomials may be regarded as
random functions from lK to K For each x E lK there is a 1 - ( 1 / q) probability
that the value of such a function is nonzero. Then compute the probability that
f(x) = 0 for some x E K
(b) Without making the heuristic assumption in part (a), work directly with poly
nomials. Use the fact that the number of monic degree d polynomials that are
divisible by (x - X I )(x - x2 ) (x - Xr) is q d- r _

Chapter 5. Combinatorial-Algebraic Cryptosystems

1. History

About twenty years ago, a combinatorial cryptosystem called the Merkle-Hellman

Knapsack met with a great deal of enthusiastic acclaim [Hellman and Merkle
1 978]. For message transmission it was much more efficient than its main com
petitor at the time, which was RSA. Moreover, it was thought to be almost prov
ably secure. Whereas the security of RSA is based on the difficulty of factoring
large integers, that of Merkle-Hellman is based on the conjecturally more difficult
Subset Sum problem, which is known to be NP-complete (see Definition 4.6 of
Chapter 2).
But within a few years Adi Shamir [ 1984] completely broke Merkle-Hellman,
by showing that the subproblem (special case) of Subset Sum that its security re
lies upon can be solved in polynomial time. (This did not, of course, disprove the
P#NP conjecture, since Shamir's algorithm was only for a subproblem.) Although
generalizations and modifications of Merkle-Hellman were introduced in an at
tempt to salvage the situation, in the 1980's most of them were also broken by
Shamir, Brickell, Lagarias, Odlyzko and others (see [Brickell 1 985] and [Odlyzko
1 990]). This painful experience traumatized many cryptographers, and partly for
this reason combinatorially based cryptosystems fell into disfavor.
There was a second reason for the pessimism about combinatorial cryptogra
phy: Brassard's theorem [Brassard 1 979]. This theorem, in the words of Odlyzko
[ 1 990], "says essentially that if breaking a cryptosystem is NP-hard [see Defini
tion 4.7 of Chapter 2] , then NP=co-NP [see Definition 4.2 of Chapter 2] , which
would be a very surprising complexity theory result". The common interpretation
of Brassard's theorem was that cryptography must be based not on NP-complete
problems - which include most of the interesting problems of combinatorics - but
rather on problems that are thought to be of intermediate difficulty (that is, strictly
between P and NP-complete), such as factoring large integers or finding discrete
logarithms in a finite field. This feeling was summarized in an important article by
Selman [ 1 988], who said: "There can be no hope to transform arbitrary problems
in NP-P into public key cryptosystems."
However, we now have some evidence that this verdict condemning combi
natorial cryptography might have been premature. In the first place, there is less
in Brassard's theorem than meets the eye. Namely, the central hypothesis of the
theorem seems not to hold for the combinatorial constructions that have recently

1 04

Chapter

5.

Combinatorial-Algebraic Cryptosystems

been proposed for public key cryptosystems. In the second place, in [Fellows and
Koblitz 1 994b] we show how to generate an entire class of hybrid combinatorial
and-algebraic cryptosystems.
2. Irrelevance of Brassard's Theorem

In a public key cryptosystem there are two types of one-way functions:

1) the encryption function (whose inversion is the cracking problem see 5 . 1
of Chapter 2); and
2) the underlying function used to construct the trapdoor (see 5.2 of Chapter 2).
-

In combinatorial cryptography it is the second of these that uses a basic problem

in combinatorics. It is also the second type of function that was considered in
[Brassard 1 979] . So in what follows we shall use the term "one-way function" in
the sense 2). (When we first discussed this term in 6 of Chapter 1, we understood
it in the sense 1 ).)
In [Brassard 1 979] the two examples given were for the RSA (factoring) and
Diffie-Hellman (discrete log) cryptosystems. In RSA the one-way function r.p is:

r.p ..

mul tipl y
----+

lM
1

(P=set of primes, N=set of natural numbers). In Diffie-Hellman the one-way

function r.p is
exponentiate to base g
r.p : Z/(q - 1 )Z
(g is a fixed element of the finite field lF q).

Brassard's theorem assumes the following condition:

( 1)

image( r.p) E co-NP .

That is, there must exist a polynomial time certificate for something not being in
the image of r.p (see Definition 4.2 of Chapter 2). This hypothesis tends to hold for
number-theoretic one-way functions. For example, it is not hard to show that there
exists a polynomial time certificate that n E N is a prime or a product of three
or more primes, or that y E lF; is not in the subgroup generated by g. But most
likely the assumption ( 1 ) does not hold for most combinatorial one-way functions.
Example 2. 1. Reversible cellular automata ([Kari 1992] ; see also [Guan 1 987]

and [Wolfram 1 986]). A d-dimensional cellular automaton is defined as follows.

Let S be a finite set whose elements are called "states", and let a1 ,
an E
d
d
z be a fixed set of vectors. A "neighborhood" of a vector x E z is the set
{x+a1 , , x+an } A "configuration" C is a map from z d to S, i.e., an assignment
of states to vectors (or "cells"). A cellular automaton is defined by a "local rule"
f : s n --+ S. Such a local rule determines a map A from one configuration
.

. ,

3. Concrete Combinatorial-Algebraic Systems

l OS

to another as follows: A(C)(x) = f(C(x + a 1 ), , C(x + lin )). In other words, the
state of the configuration A(C) at the cell x depends only on the states of C at
the neighboring cells x + a; in a manner described by f. A cellular automaton is
said to be "reversible" if A is injective, that is, if every configuration C' can be
uniquely retraced back one step to a configuration C such that A(C) = C 1
In Kari's cryptosystem, {A;} is a set of easy-to-invert reversible cellular au
tomata. The one-way function tp is composition of cellular automata:

tp :

(A;, , . . . , A;, ) r-> A = A;,

o o

A,, .

It is hard to imagine what polynomial time certificate could exist that would show
that a given reversible cellular automaton cannot be written as a composition of
the A; .
Example 2. 2. Rewrite systems [Do Long Van, Jeyanthi, Siromoney, and Subra
manian 1 988] . Let G be an arbitrary (nonabelian) group given by finitely many
generators and relations. Then tp is a construction that successively inserts rela
tions in the middle of words, starting from a word in two elements u0 , 'U 1 E G.
This tp is not likely to have image in co-NP, because of the undecidability of the
word problem in group theory [Novikov 1955].

Similarly, in the case of the combinatorial one-way functions proposed below

(see 3), Brassard's theorem says nothing. More precisely, if the theorem's hypo
thesis ( 1 ) were to hold in our situation, then it is easy to show that this would
imply NP=co-NP.
In other words, in all of these systems an extremely unlikely consequence
would immediately follow from the hypothesis of Brassard's theorem. Thus, it is
not valid to use Brassard's theorem as an argument against combinatorial crypto
graphy.
Exercises for 2

1 . Find a simple polynomial time certificate that y E IF' is not in the subgroup
generated by g .

2. Let A be a d-dimensional cellular automaton whose states are S = {0, 1 } and

whose local rule f : {0, l } n --> {0, 1 } is addition modulo 2. Show that whether or
not A is reversible depends on the choice of integer n and vectors a 1 , . . , Zin E zd
that define the neighborhoods.
.

3. Concrete Combinatorial-Algebraic Systems

3.1 Polly Cracker

We now describe a general public key cryptosystem, which Fellows has called
"Polly Cracker". Let IF' be a finite field, and let T = {t, } 1 be a set of variables.
Alice wants to be able to receive messages m E IF' from Bob. Her secret key is

1 06

Chapter

5.

Combinatorial-Algebraic Cryptosystems

a random vector y E IFn , and her public key is a set of polynomials B = { qj } in

IF[T] such that
(2)
for all j .

To send the message m, Bob generates an element

(3)
of the ideal J C IF[T] generated by B, and sends her the polynomial

c=p+m .
(Notice that this is probabilistic rather than deterministic encryption; see 2.2 of
Chapter 1 .) When Alice receives the ciphertext polynomial c, she finds m by
evaluating it at y:
c(y) = p(y) + m = m .

For example, suppose that IF = IF z, and m is a single bit. The cracking problem
in the sense of [Selman 1 988] (see 5. 1 of Chapter 2) for Polly Cracker is then:
INPUT: Generators B C IF2 [T] of an ideal J, and a polynomial c E IF2 [T] .
PROMISE: Either c E J or c + 1 E J.
QUESTION: Is c E J?
TRAPDOOR: A point where J vanishes.

Remark. It is very easy for Alice to construct a pair

(private key = y ,

public key = B) .

Namely, she chooses a random y, arbitrary polynomials qj , and sets qj = qj -qJ (y).
Of course, it is a nontrivial matter for her to choose the keys in such a way that
the system is secure.
3.2 Special Cases of Polly Cracker for Famous Combinatorial Problems

We now show how to construct special cases of Polly Cracker for NP-problems
such as Graph 3-Coloring and Graph Perfect Code.
Example 3. 1. Graph 3-Coloring. (See Example 4.3 of Chapter 2.)
PUBLIC KEY: A graph G = (V, E).

PRIVATE KEY: A proper 3-coloring, i.e., a map v >--> i v E { 1 , 2, 3 } on the

vertices v E V such that uv E E ==? iu #- iv .
A basis B = B(G) of polynomials in the variables { tv,i : v E V, 1 ::; i ::; 3 }
is given as follows. Let B = B 1 U B2 U B3 , where

B 1 = {tv, ! + tv, 2 + tv, 3 - 1 : V E V } ;

Bz = {tv , itv , J v E V, 1 :S: i < j :S: 3 } ;
B3 = {tu,itv ,i : uv E E, 1 :S: i :S: 3 } .

3. Concrete Combinatorial-Algebraic Systems

1 07

By setting a variable tv,i equal to 1 if the vertex v is colored i and 0 otherwise,

we can find a point in the zero set of B if we know the private key (see Exercise
1 below). In Exercise 1 we shall also see that this zero set is non-empty if and
only if the graph G is 3-colorable.
Example 3. 2. Subset Perfect Code.

PUBLIC KEY: A finite set of variables T and a set of subsets Tj c T,

j = 1 , . . . , k, such that T = U T1 .
PRIVATE KEY: A subset To C T such that To n T1 consists of one element,
j = 1 , . . . , k.
A basis B of polynomials in the variables t E T is given as follows. Let
B = B1 U B2 , where

Bt = { 1 - I > : 1
t E T,

:S j :S

k} ;

Example 3. 2a. Graph Perfect Code.*

PUBLIC KEY: A graph G = (V, E).

PRIVATE KEY: A perfect code, i.e., a subset V' C V such that every vertex
of V is in the neighborhood N[v] of one and only one v E V'. (By de finition,
N[v] consists of v itself and all vertices joined to v by an edge.)
A basis B of polynomials in the variables {tv : v E V} is given as follows.
Let B = B 1 U B2 , where

Bt = { l -

u EN[v ]

tu

v E V} ;

B2 = {tutu' : u, u' E N[v] , u f:. u' , v E V } .

Another way of describing which products tutu' are in B2 is that they are the ones
for which dist(u, u') = 1 or 2, where the distance between two vertices means the
minimum number of edges that must be traversed to go from one to the other.

Remark. Example 3 .2a is the special case of Example 3.2 where Tj consists of
the variables tu as u ranges over the neighborhood of the j-th vertex of V .

In each of these cases:

Knowing the graph G = (V, E) or the subsets Tj C T (the public key) is

equivalent to knowing the basis B for the ideal J.

* The term "perfect code" comes not from cryptography but from the theory of error
correcting codes. For example, take the edge-graph of the cube whose vertices are the
points (x, y, z) where x, y , z E {0, 1 } , and note that the two points (0, 0, 0) and ( I , 1 , I )
form a perfect code. This i s a one-error-correcting Hamming code.

108

Chapter

5.

Combinatorial-Algebraic Cryptosystems

Knowing a solution to the NP-hard combinatorial problem (the private key) is

equivalent to knowing a point y at which the ideal J vanishes. (See Exercise 1
below.)
To send Alice a message m, Bob randomly generates an element of J and adds
m to it.
To decipher the message, Alice simply evaluates this polynomial at y.
This construction is quite general. In fact, one can prove the following
Theorem 3.1. For any NP search problem one can construct such a system, i. e., a
set B ofpolynomials (ofpolynomial size) corresponding to an instance of the prob
lem, such that knowing a point at which B vanishes is polynomial time equivalent
to knowing a solution to the search problem.

A complete proof of this theorem has not yet been written down; but see
[Fellows and Koblitz 1 994b] for a sketch of a proof.
3.3 Generalization of Polly Cracker

Suppose that Alice has a Grabner basis G = {g 1 , . , g1 } (see Definition 5.4 of

Chapter 3) of an ideal I in IF'[T], where T is a set of variables. G is Alice's secret
key. Let S c IF'[T] be the set of all polynomials that cannot be reduced modulo G
(see Definition 5.3 of Chapter 3); this is a set of representatives for the quotient
ring IF'[T]/ I (see Exercise 4(c) of Chapter 3, 5). Suppose that the set S is publicly
known, even though G is not. A message unit m is an element of S.
n
Example 3.3. Let T = { t 1 , . . . , tn } and let y E IF' be a secret point. Alice sets
G = {t 1 - YI , . . . , tn - Yn } ; in this case S = IF' is simply the set of constant
polynomials.
.

Next, Alice chooses a set B = { Qj } of polynomials in the ideal I. For example,

given an arbitrary polynomial cfi , she could set Q; = Cf; -q] , where qj is the element
of S that she gets from reducing Qj modulo the Grabner basis G. Alice ' s public
key is the set of polynomials B. Let J be the ideal generated by these polynomials.
To send a message m E S, Bob randomly chooses an element p = 2:: hj qj E J
and sends Alice the ciphertext polynomial c = p + m. Alice deciphers the message
by reducing c modulo the Grabner basis.
The special case in Example 3.3 when the Grabner basis is G = { t; - y; } gives
our earlier Polly Cracker system.
n
Example 3.4. Let T = { t 1 , . . . , tn } and let y E IF' be a secret point. Let I be the
ideal consisting of polynomials that vanish to total order at least d at the point
y; by definition, this is the ideal generated by the set G of monomials of the
form 11;:, 1 (t; - y,)"'' where the o:; are nonnegative integers whose sum is d. It is
easy to see that G is the reduced Grabner basis for I. The set S consists of all
polynomials of total degree less than d. The special case d = 1 is, of course, Polly
Cracker (Example 3.3).

3. Concrete Combinatorial-Algebraic Systems

1 09

Exercises for 3

1 . (a) In Examples 3 . 1 , 3 .2 and 3.2a construct a one-to-one correspondence between

private keys and points y at which B vanishes. (b) In each case show that t2 - t
belongs to the ideal J for each variable t.
2. Generalize Example 3 . 1 to the Graph m-Coloring problem (the search for
proper coloring by m colors, where m 2: 2 is an arbitrary fixed integer).

3 . Suppose that the field IF contains three cube roots of unity (in particu lar, its
characteristic is not 3). In Example 3 . 1 , instead of the set of variables {tv,,} use the
set of variables {xv : v E V}. Set B' = B; U B, where B; = {x - 1 : v E V}
and B = {x + XuXv + X : uv E E}.
(a) Construct a one-to-one correspondence between proper 3-colorings and points
at which B' vanishes.
(b) Construct a ring isomorphism between the quotient ring of IF[ {tv,,}] modulo
the ideal J generated by B and the quotient ring of IF[ { Xv }] modulo the ideal J'
generated by B' .
4. Generalize Exercise 3 to m-colorings.
5. Consider the construction in Exercise 3 in the case of the graph consisting
merely of two vertices and an edge between them. Show that B' { X3 - 1 , X2 +
XY + Y 2 , Y3 - 1 } is already a reduced Grabner basis for the ideal J'. Let (x;, y;),
i = 1, 2, 3, 4, 5, 6, be the six points corresponding to the proper colorings of the
graph (see Exercise 3 (a)). Let f E IF[X, Y]. Prove that f E J' if and only if
j(x; , y;) = 0 for 1 ::; i ::; 6. In other words, prove that J' = J", where J" is the
ideal of polynomials that vanish ai all six points.
=

6. Prove that Catherine the cryptanalyst can break the cryptosystem in 3.3 if she
can find a Grabner basis G' = {g; , . . . , gf, } for the ideal J generated by B. Even
though in Chapter 3 we saw that there is an algorithm for finding a Grabner basis
of any ideal, in the present situation its running time is likely to be prohibitively
long.

7. Here is a simplified version of the Graph Perfect Code system (Example 3.2a).
Let us work over the field IF2 , and suppose that Bob wants to send Alice a secret
message consisting of a single bit b ("yes" or "no"). He has a copy of Alice's
graph (her public key), in which she knows a secret perfect code. Bob randomly
assigns a bit to each of the vertices of the graph except for one. He then assigns
a bit to the last vertex in such a way that the mod 2 sum of the bits is b. Next,
he replaces the bit cv assigned to each vertex v by a new bit c determined by
summing (mod 2) all of the bits that had been assigned to the neighboring vertices:
c = L: u EN[ v ] Cu . He finally returns the graph to Alice with the bits c annotating
the vertices. To decipher the message, Alice takes the sum of c over the perfect
code V' (which is her secret key). That is, she has b = L: v EV Cv = L v EV ' c ,
where the last equality follows from the definition of a perfect code.
(a) Explain how this is a special case of Example 3 .2a.

1 10

Chapter

5.

Combinatorial-Algebraic Cryptosystems

(b) Show how to break the system by linear algebra modulo 2.

(c) Could this function as a Kid Krypto system? (See Definition 7. 1 in Chapter 1 .)

8. Here is a variant of Exercise 7. We now work over the rational integers Z, and
let m E Z be a message that Bob wants to send to Alice. He assigns an integer
Cv to each vertex v except for one of them, and then assigns an integer to the last
vertex in such a way that the sum of all of the integers cv is m. He next replaces
each integer Cv by the integer c L u EN[v ] Cu, and returns the graph to Alice
along with the integers c . As before, Alice deciphers by summing the c over the
perfect code.
(a) Show how to break this system by linear algebra over Q.
(b) Could this Kid Krypto system be of pedagogical value? Could it make high
school students eager to learn linear algebra or even to rediscover it by themselves?
(See [Koblitz 1997].)
(c) If the graph is r-regular (that is, if every vertex has r edges emanating from
it), then show that even without linear algebra it is easy to break the system.
=

9. Describe one-way constructions of instances of 3-Coloring and of Graph Perfect

Code (see Examples 3 . 1 and 3.2a). That is, the person doing the construction knows
a solution, but the instance might seem difficult to someone who sees only the
final result and not the process of construction.

10. The Satisfiability problem of symbolic logic was the first problem to be proved
to be NP-complete; it is often used as a point of departure in proving results (such
as NP-completeness) about other problems. To define the Satisfiability decision
problem, we use the symbol p, for a logical variable, 'Pi for its negation, and
V for disjunction (inclusive 'or' ). By a clause we mean a finite set of p, or 'Pi
connected by V, such as p 1 V 'P3 V p4 . The input in Satisfiability is a finite set
of clauses. The question is whether there exists an assignment of truth values
{pi } ------+ { T, F} that makes all of the clauses true. Let JF be an arbitrary field.
(a) Show how to construct a special case of Polly Cracker such that the polynomials
have a common zero if and only if the corresponding set of clauses is satisfiable.
In other words, prove Theorem 3.1 for Satisfiability.
(b) Modify this construction so that there is a one-to-one correspondence between
zeros of the polynomial ideal and truth assignments (that is, functions {Pi} ------+
{T, F}) that make all of the clauses true.
1 1 . Show how an adversary (Catherine) can cryptanalyze a Polly Cracker ciphertext
c using an adaptive chosen-ciphertext attack. What this means is the following.

Suppose that two companies B (Bob's company) and C (Cathy's company) are
communicating with A (Alice's company) using Alice's public key. On many
questions C is cooperating with A, but there is one extremely important customer
who is taking competing bids from a group of companies led by A and B and from
a different consortium led by C. C knows that B has just sent A the encrypted
amount of their bid (suppose that its successive binary digits mi are each sent as
a ciphertext c,), and she desperately wants to know what it is. So she sends A a

4. The Basic Computational Algebra Problem

Ill

sequence of ciphertexts c; , supposedly part of a message on an unrelated subject.

She then informs A that she had a computer problem, lost her plaintext, and thinks
that an incomplete sequence of bits was encrypted for Alice. Could Alice please
send her the decrypted bits m; that she obtained from the c; , so that Cathy can
reconstruct the correct message and re-encrypt it? Cathy then is able to use the m;
to find the mi , because she constructed the c; using the c., and then lied to Alice
about it. Alice is willing to give Cathy the m; because she is unable to see any
connection between the c; and the ci or between the m; and the mi , and because
Cathy's request seems reasonable when they are exchanging messages about a
matter on which they are cooperating.

4. The Basic Computational Algebra Problem

In Polly Cracker cryptography the underlying computational algebra problem is

Ideal Membership:
INPUT: Polynomials qj , c E lF [T], where lF is a field and T is a finite set of
variables.
QUESTION: Does c belong to the radical of the ideal generated by the qj ?
(See Theorem 4.3 of Chapter 3.)
This problem has the following natural certificates:

If "yes", give a natural number

e N = L, hj qj .

and polynomials h1 E lF [T] such that

If "no", give a point y (with coordinates in an algebraic extension of JF) such

that q1 (y) = 0 for all j but c(y) f. 0.

Because both "yes" and "no" instances have certificates, we might be tempted
to conclude that Ideal Membership - like factoring (see Example 4.8 of Chapter 2)
- belongs to both NP and co-NP. That would be very wrong, in fact, as wrong as
one can possibly be. It can be proved (see Remark 2 below) that Ideal Membership
is neither in NP nor in co-NP. The difficulty is that in general neither certificate
has polynomial size as a function of the input length. On the other hand, the
instances of Ideal Membership that arise in our application to cryptography (see
3. 1 ) must have certificates of reasonable size, because Bob will do a limited
amount of computation to come up with the hj and Alice will choose a point y
with coordinates in a small field.
Remarks. 1. In the special case c = 1, results which give bounds on the degree
of hj or the field extension degree of the coordinates of y are called "effective
Nullstellensatz".

The Ideal Membership problem is EXPSPACE-hard (see 7.4 of Chapter 2)

[Mayr and Meyer 1982]. In particular, this implies that it is in neither NP nor
co-NP.
2.

1 12

Chapter 5. Combinatorial-Algebraic Cryptosystems

3. In general, the degrees of the h1 grow doubly exponentially in the number of

variables (see [Moller and Mora 1 984] and [Huynh 1 986a]). For definitive results
in the case of effective Nullstellensatz, see [Kollar 1 988].
4. Even when sharply restricted - for example, to the case of only 4 variables or
to the case when all of the qj have the form Ti M (where Ti is a variable and
-

M is a monomial) - the Ideal Membership problem is NP-hard [Huynh 1 986b] .

5. It can also be shown that the extension degree of the field generated by the
coordinates of y might grow exponentially as a function of the input length.

Exercise for 4

1 . Give an example where the extension degree of the field generated by the coor
dinates of a point y in a "no" certificate for Ideal Membership grows exponentially
or nearly exponentially.
5. Cryptographic Version of Ideal Membership

Mindful of the Merkle-Hellman fiasco (see 1 ), we must avoid the fallacy of

assuming that the intractability of the general Ideal Membership problem implies
intractability of the instances that must be solved to break Polly Cracker. Bob does
not use h1 of superexponential degree, and Alice does not choose her point y in
a field extension of exponentially high degree.
We want cracking the cipher to be difficult not only as a function of the
cryptanalyst's input, but also as a function of the work that Bob and Alice have
to perform. This motivates the next two definitions.
Definition 5.1. By "phantom input" we mean a string of symbols that is not part

of the input but whose length is included in input length. In other words, we
suppose that the input includes a string of meaningless symbols of length equal
to that of the phantom input.

The cryptographic version of Ideal Membership is a "promise problem", where

the promise is that the polynomial in question, namely c, differs from the ideal
by a unique element of the message set. In the case of Polly Cracker (3.1), this
means that p = c m belongs to J for some m E lF and that J is not the unit
ideal. This promise can be certified by giving hj and y such that (2) and (3) hold.
-

Definition 5.2. We take the phantom input in a promise problem to be a certificate

of correctness of the promise. In the case of Ideal Membership, we call the resulting
promise problem Phantom Ideal Membership.
Open Question of Cryptographic Interest. What can be said about the complex
ity of Phantom Ideal Membership? Could it possibly be polynomial time? (If so,
then Polly Cracker is truly cracked.)

6. Linear Algebra Attacks

1 13

6. Linear Algebra Attacks

There are essentially two ways I know of to attack the cryptosystems in 3. The
first method applies to systems of the type in 3.2 that are based on a supposedly
hard instance of an NP-hard combinatorial problem. Namely, one tries to solve the
underlying combinatorial problem, in the hope that Alice has done a poor job with
her one-way construction of an instance of the problem. If one succeeds, then one
is in the same position as Alice, and can immediately decrypt any message sent
to her.
It is not known whether or not efficient algorithms exist that with a probability
close to 100% will produce hard solved instances of an NP-hard problem. In other
words, no one has been able to give a systematic way for Alice to carry out a
one-way construction of Perfect Code, 3-Coloring, or any other NP-hard problem
that has withstood attempts to give a subexponential time algorithm that solves
most of the instances constructed. For instance, in 1988 Kucera and Micali thought
that they had a method to get hard instances of the NP-complete problem C lique.*
However, A. Broder soon found a subexponential time algorithm that solves those
instances.
On the other hand, no one has been able to prove that an unexpected conse
quence (such as P=co-NP) would result from the existence of a polynomial time
algorithm to produce hard solved instances. So the matter is wide open.
The second approach to cryptanalysis looks for weaknesses in Bob's construc
tion of the ciphertext c rather than in Alice's construction of the keys. If this
approach succeeds, then the cryptanalyst will know a particular secret message m,
but will not necessarily be able to decipher the next message that Bob sends to
Alice, particularly if he does a better job choosing his coefficient polynomials hi .
The method is as follows. Suppose that we are in the situation of 3. 1 (it is
not hard to extend the method to the generalization of Polly Cracker in 3. 3). Set
up to constant ,
and solve for the unknown hi . That is, regard the coefficients in the hi as un
knowns, and get linear equations by equating nonconstant monomial terms of
L hiqJ and c.
If c and the q1 are "sparse" polynomials - for example, if only 2( d) of their
O( n d ) monomial terms are nonzero, where d is the degree and n is the number of
variables - then the method in this general form is exponential time. However, a
serious attack on Ideal Membership is possible by refining this method, i.e. , using
"intelligent" linear algebra. The existence of such an attack caused T. Mora and
* Given a graph G (V, E) and an integer k, a k-clique is a subset of k vertices in V all
pairs of which are connected by edges in E. The Clique problem asks whether a k-clique
exists.
=

1 14

Chapter 5. Combinatorial-Algebraic Cryptosystems

others [ 1 993] to conjecture that Ideal Membership cannot be used to construct a

public key system. *
Here is one version of the intelligent linear algebra attack. It was proposed by
H. W. Lenstra, Jr. (private communication):
"Let C be the set of monomials occurring in c, and let Qj be the set of
monomials occurring in qj . Then the cryptanalyst might believe that any
monomial d occurring in hj is such that d QJ intersects C. The set D of
those d's is easy to determine and is not too large, and so linear algebra
solves the problem in deterministic polynomial time - provided, of course,
that the belief is correct.
"But to defeat that belief, Bob must artfully build at least one monomial
d' into at least one hJ such that d' times any term in qJ is canceled in the
entire sum (so that it doesn't occur in C). Also, the monomials d' with that
property should not be too few and/or too easy to guess, since otherwise
the cryptanalyst would simply adjoin those d' to D."
A Polly Cracker cryptosystem is obviously insecure if it succumbs to such a
linear algebra attack.

7. Designing a Secure System

Can a version of Polly Cracker be devised that is secure? (Here we are leaving
aside the question of efficiency.) The following is an attempt to design such a
system. We shall work with Graph Perfect Code (Example 3.2a). We suppose that
IF = lF2 ;
the graph G = (V, E) has perfect code V ' ;
n = #V, and n' = #V' ;
d =degree of the ciphertext polynomial c.
For convenience, let us also suppose that G is 3-regular (i.e., every vertex has 3
edges emanating from it), in which case n = 4n'. Here the order of n and d to
have in mind is:

n ;:::j 500 ,

d ;:::j 2 log2 n ;:::j 1 8 .

* The authors also cite two theorems to support their skepticism. The first, from [Giusti
1 984] , states that, even though the degrees of the polynomials in a Grabner basis can be
extremely large, for "almost all" ideals they are not. More precisely, in the parameter space
of ideals generated by s polynomials in n variables of degree bounded by D there is a
Zariski-open set where the ideals have reduced Grabner basis consisting of polynomials
of degree at most (n + 1)D n. (A "Zariski-open" set is the complement of the zero set
of an ideal; see Definition 4 . 1 0 of Chapter 3 .) The second theorem, from [Dickenstein,
Fitchas, Giusti, and Sessa 1 99 1 ] , states that if a function is constructed by adding multiples
h1 q1 of elements in an ideal, where the degree of h1 q1 is known to be bounded by D,
then in testing Ideal Membership by means of a Grabner basis one can ignore steps in the
algorithm involving polynomials of degree greater than D.
-

7. Designing a Secure System

1 1S

We now describe how to construct a degree-d polynomial c in the variaoles tv ,

V, that encrypts m =0 or 1 . Recall that the ideal J is generated by all t ,J u '
for which dist(u, u') = 1 or 2, and by all 1 - L u EN[ v J tu as v ranges over V.
Let do be chosen :::::: d / 3 . We construct Cf, e = 1 ' . . . ' d, i n three stag es: (I)
e = 1, (II) 1 < e :::; do, and (III) do < e :::; d. Then we set c = Cd .

Step. I. Construct a linear form

setting

C1

c 1 that contains about half of the variaoles by

L L

v u EN[ v ]

tu ,

where the outer sum is taken over a randomly chosen subset of V of cardinality
here the cardinality is even if m = 0 and odd if m = 1 .

:::::: n ' /2;

R denote the following "reduction" modulo J o f monomials TI t " :

replace each power av > 1 by the first power, and replace the monomial oy zero
if it contains two variables t u and tv with dist(u, v) = 1 or 2. Suppose that Cf_ 1
has been constructed, where I < e :::; d0. For each monomial lvf in Cf _ 1 , select a
random vertex vM , replace M by

Step. II. Let

n(M uEN[LvM] tu ) ,

and let Cf denote the resulting sum (after any cancelation).

M
-

e > do, and C f- 1 has been constructed. The construction

of cc is as in Step II, except that the choice of VM for each
is no longer
completely random. Namely, VM is chosen at a distance 2 from one of the vertices
whose variable occurs in M. If the graph is 3-regular, then R (M L u EN[v M l tu)
will consist of at most 2 monomials. Namely, it will consist of 3 'T/ monomials,
where 'T/ ?: I is the number of neighbors of VM (besides VM itself) that are at a
distance 1 or 2 from some vertex whose variable occurs in M. In particular, if VM
is "surrounded by the vertices in M", then M L u EN[ v M l tu disappears under the
reduction R.
We can visualize the presence of M in the graph as shown in the picture at
the bottom of the page. Every vertex whose variable occurs in M is represented

Step. III.Suppose that

1 16

Chapter

5.

Combinatorial-Algebraic Cryptosystems

by a HUGE swollen dot. Every vertex at a distance 1 from a huge swollen dot is
depicted by a big (but not huge) dot, and every vertex at a distance 2 from a huge
swollen dot is depicted by a medium-size dot. All other vertices are small dots.
Big thick legs connect the huge dots to the neighboring big dots, and thinner legs
connect the big dots to the neighboring medium-size dots.

So we choose the v M for higher and higher degrees e in such a way that the
"spiders" corresponding to the vertices in the monomials M start to "circle their
prey". When v M is surrounded, the corresponding term in C vanishes.
So far, this "directed randomness" seems to have thwarted attempted linear
algebra attacks. But one cannot have confidence in this approach to constructing
a cryptosystem until much more effort has been devoted to investigating such
attacks.

1)
2)
3)
4)

We conclude by listing some open questions concerning implementation:

What one-way constructions lead to hard instances, say, of 3-Coloring or of
Perfect Code?
What sparse constructions of polynomials will resist a clever linear algebra
attack?
Can one get random-self-reducibility (see [Feigenbaum, Kannan, and Nisan
1 990]) and hard-on-average (see [Levin 1 984]) cracking problems?
Can these systems be made efficient?

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

For there exists a certain Intelligible which you must perceive by the flower of mind.
- Beginning of The Chaldean Oracles * (p. 49 of [Majercik 1 989])

Starting in about 1985, the theory of elliptic and hyperelliptic curves over finite
fields has been applied to various problems in cryptography: factorization of inte
gers, primality testing, and construction of cryptosystems. In this chapter we shall
discuss the last of these. One of the main reasons for interest in cryptosystems
based on elliptic and hyperelliptic curves is that these curves are a source of a
tremendous number of finite abelian groups having a rich algebraic structure.
In many ways the elliptic curve groups and the jacobian groups of hyperelliptic
curves are analogous to the multiplicative group of a finite field. However, they
have two advantages: there are far more of them, and they seem to provide the
same security with smaller key size. We shall be more specific about this later.
We shall start by giving the basic definitions and facts about elliptic curves.
Our account will emphasize concrete examples and algorithms rather than proofs
and the general theory. For a more systematic treatment of elliptic curves, see
[Silverman 1 986] , [Husemoller 1 987], and [Koblitz 1 993] .
After that w e shall describe some cryptosystems based o n elliptic curves and
briefly discuss some open questions that arise from cryptographic applications. In
5-6 we shall treat hyperelliptic curves and cryptosystems.

1. Elliptic Curves
1.1 The Equation

An elliptic curve E over a field lF is a curve that is given by an equation of the

form

(1)
Y 2 + a 1 XY + a3 Y = X 3 + azX 2 + a4 X + a6 ,
ai E lF .
2
We let E(lF) denote the set o f points (x, y) E lF that satisfy this equation, along
with a "point at infinity" denoted 0. If lK is any extension field of lF, then E(JK)
denotes the set of (x, y) E JK2 that satisfy ( 1 ), along with 0. In order for the

curve ( 1 ) to be an elliptic curve it must be smooth. This means that there is

no point of E(W) (recall that W denotes the algebraic closure of lF) where both
*

My thanks to Ron Rivest for piquing my interest in Chaldean poetry.

1 18

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

partial derivatives vanish (see Definition 1 .6 of Chapter 3). In other words, the two
equations
(2)
cannot be simultaneously satisfied by any (x, y) E E(IF').
If IF' is not of characteristic 2, then without loss of generality we may suppose
that a1 = a 3 = 0 (see Exercise l (a) below). In the important case of characteristic
2 we have the so-called "supersingular" case with Y 2 + a 3 Y on the left in ( 1 )
and the "nonsupersingular" case with Y 2 + a1 XY o n the left; i n the latter case
without loss of generality we may suppose that a1 = 1 (see Exercise l (b) below).
(In characteristic 2 we may also suppose that a2 = 0 in the supersingular case and
that a4 = 0 in the nonsupersingular case; see Exercise 3(b) below.) The reason for
the subscripts in a1 and a3 on the left of ( 1 ) and in a2 , a4 , and a6 on the right
will be explained soon.
If the characteristic of IF' is neither 2 nor 3, then, after simplifying the left
side of (2), by a linear change of variables (namely, X -+ X - a2 ) we can also
remove the X 2 -term. That is, without loss of generality we may suppose that our
elliptic curve is given by an equation of the form
Y2

X 3 + aX + b ,

a, b E IF ,

char IF' f. 2, 3 .

(3)

In this case the condition that the curve be smooth is equivalent to requiring
that the cubic on the right have no multiple roots. This holds if and only if
the discriminant of X 3 + aX + b, which is - (4a 3 + 27b2 ), is nonzero. (Recall
that the discriminant of a monic polynomial of degree d with roots r1 , , rd is
IT ifj < ri - rJ ) = (- l) d< d - 1 ) / 2 IT i < j (r, - rj ) 2 .)
For any extension field OC of IF', the set E(OC) forms an abelian group whose
identity element is 0. To explain the rules for adding points, it is best to look first
at elliptic curves defined over the real number field R For example, the graph of
the elliptic curve Y 2 = X 3 - X is shown on the next page.
Notice that for large X the curve goes out to infinity much like the function
Y = X 3 1 2 , which can be parameterized by setting X = T2 and Y = T3 We often
say that "X has degree 2" and "Y has degree 3". The subscripts of the a's in
( 1 ) indicate the degrees that must be given to the coefficients in order that the
equation ( 1 ) be homogeneous, that is, in order that each term have total degree 6.
That is the reason why it is traditional to label the subscripts in ( 1 ) in a way that
at first looks peculiar.
1.2 Addition Law
Definition 1.1. Let E be an elliptic curve over the real numbers given by equation

(3), and let P and Q be two points on E. We define the negative of P and the
sum P + Q according to the following rules:
1 ) If P is the point at infinity 0, then we define - P to be 0. For any point Q we
define O + Q to be Q; that is, 0 serves as the additive identity ("zero element")

 I . Elliptic Curves

1 19

of the group of points. In what follows, we shall suppose that neither P nor
Q is the point at infinity.
2) The negative -P is the point with the same x-coordinate as P but negative
y-coordinate; that is, -(x, y) = (x, -y). It is obvious from equation (3) that
(x, -y) is on the curve whenever (x, y) is. If Q -P, then we define P + Q
to be the point at infinity 0.
3) If P and Q have different x-coordinates, then we shall soon show that the line
PQ intersects the curve in exactly one more point R (unless is tangent
to the curve at P, in which case we take R P, or at Q, in which case
we take R = Q). Then we define P + Q to be - R , that is, the mirror image
(with respect to the x-axis) of the third point of intersection. The geometrical
construction that gives P + Q is illustrated in the drawing below.
=

4) The final possibility is that P = Q. Then let be the tangent line to the curve at
P, let R be the only other point of intersection of with the curve, and define
2P - R . ( R is taken to be P if the tangent line has a "double tangency" at
=

P, in other words, if P is a point of inflection.)

The above set of rules can be summarized in the following succinct manner:
the sum of the three points where a line intersects the curve is zero .

If th line passes through the _point at infinity 0, then this ration has the form
P + P + O 0 (where P and P are symmetrical points), i.e., P -P. Otherwise,
it has the form P + Q + R 0, where P, Q, and R are the three points in rule 3)
or 4).
We now show why there is exactly one more point where the line through
P and Q intersects the curve; at the same time we will derive a formula for the
coordinates of this third point, and hence for the coordinates of P + Q.
Let (X t , yJ ), (x2 , y2 ) and (x 3 , y3 ) denote the coordinates of P, Q and P + Q,
respectively. We want to express X 3 and Y3 in terms of x 1 , y1 , x 2 , y2 . Suppose
that we are in case 3) in the definition of P + Q, and let y = ax + {3 be the
=

1 20

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

equation of the line through P and Q (which is not a vertical line in case 3)).
Then a = ( Y2 - yJ )j(x2 - x 1 ) , and {3 = y1 - ax 1 A point (x, ax + {3) E lies on the
elliptic curve if and only if (ax + f3i = x 3 + ax + b. Thus, there is one intersection
point for each root of the cubic equation x 3 - (ax + {3)2 + ax + b. We already know
that there are the two roots x 1 and x 2 , because (x 1 , ax 1 + {3), (x 2 , ax2 + {3) are the
points P, Q on the curve. Since the sum of the roots of a monic polynomial is
equal to minus the coefficient of the second-to-highest power, we conclude that the
third root in this case is x 3 = a 2 - x 1 - x2 . This leads to an expression for x 3 , and
hence for both coordinates of P + Q = ( X 3 , -( ax 3 + {3) ), in terms of x 1 , x 2 , y 1 , Y2 :

2
X3 = ( Y2 Y I ) - X I - X 2 ;
X 2 - X]
(4)
y Y3 = -y ] + ( 2 Y I ) (X I - X 3 ) .
X2 - X J
The case when P = Q is similar, except that a is now the derivative dy / dx at
P. Implicit differentiation of equation (3) leads to the formula a = (3xi + a)j2y 1 ,
---

and so we obtain the following formulas for the coordinates of twice P:

(5)

Example 1.1. Let P = (0, 0) on the elliptic curve

2P = P + P and 3P = P + 2P.

Y2 + Y

Solution. We first transform the equation to the form (3) by making the change
of variables Y -> Y - . X -> X + 1 On this curve P becomes Q = (- 1 , ).
Using (5), w e obtain 2 Q = ( , - ). Then from (4) w e have 3 Q = 2Q + Q = (, ).
Notice that 3Q = -(2Q), and hence Q is a point of order 5, i.e., 5Q = 0. Back
on the original curve we have 2P = ( 1 , - 1 ), 3P = ( 1 , 0) = -2P.

There are several ways of proving that the above definition of P + Q makes the
points on an elliptic curve into an abelian group. One can use an argument from
projective geometry, a complex analytic argument with doubly periodic functions,
or an algebraic argument involving divisors on curves. The only group law that
is not an immediate consequence of the geometrical rules 1 )-4) is the associative
law. That can be proved from the following fact from the projective geometry of
cubic curves (see Exercise 4 below):
Proposition. Let l 1 , l 2 , b be three lines that intersect a cubic in nine points
PI , . . . ' Pg (counting multiplicity), and let z; , t; , be three lines that intersect the
cubic in nine points Q 1 , Qg. If Pi = Q, for i = 1 , . . . , 8, then also Pg = Qg.
,

As in any abelian group, we use the notation nP to denote P added to itself

n times if n is positive, and - P added to itself In I times if n is negative.

 I . Elliptic Curves

121

We have not yet said much about the "point at infinity" 0. By definition, it is the
identity of the group law. In the above graph of the curve Y 2 = X3 - X, thi s point
should be visualized as sitting infinitely far up the y-axis, in the limiting direction
of the ever-steeper tangents to the curve. It is the "third point of intersection" of
any vertical line with the curve; that is, such a line has points of intersec tion of
the form (xi , Y I ) , (xi , -yi ) and 0. A more natural way to introduce the point 0
is as follows.
1.3 Projective Coordinates

By the projective plane over the field IF we mean the set of equivalence classes
of triples (X, Y, Z) (not all components zero) where two triples are said to
be equivalent if they are a scalar multiple of one another; in other words,
(X' , Y ' , Z') "' (X, Y, Z) if (.AX' , .AY ' , .AZ' ) = (X, Y, Z) for some .A E IF. S uch an
equivalence class is called a projective point. If a projective point has nonzero Z,
then there is one and only one triple in its equivalence class of the form (x, y, 1):
simply set x = X/Z, y = Y/ Z. Thus, the projective plane can be identified with
all points (x , y) of the ordinary ("affine") plane plus the points for which Z = 0.
The latter points make up what is called the line at infinity; roughly speaking, it
can be visualized as the "horizon" on the plane. Any equation F(![, Y) = 0 of a
curve in the affine plane corresponds to a homogeneous equation F(X, Y, Z) = 0
satisfied by the corresponding projective points: simply replace X by X/ Z and Y
by Y/Z and multiply by a power of Z to clear the denominators. For example, if
we apply this procedure to the affine equation (3) of an elliptic curve, we obtain
its "projective equation" Y 2 Z = X3 + aX Z 2 + bZ3 The latter equation is satisfied
by a projective point (X, Y, Z) with Z f. 0 if and only if the corresponding affine
point (x, y), where x = X/Z and y = Y/Z, satisfies (3). In addition to the points
with Z f. 0, what projective points (X, Y, Z) satisfy the equation F = 0? Setting
Z = 0 in the equation, we obtain 0 = X3, which means that X = 0. But the
only equivalence class of triples (X, Y, Z) with both X and Z zero is the class
of (0, 1 , 0). This is the point we call 0. It is the point on the intersection of the
y-axis with the line at infinity.
1.4 Elliptic Curves over C

We saw that if IF is any field of characteristic f. 2, 3, then the equation of an

elliptic curve can be given in the form (3). The algebraic formulas (4)-(5) for
adding points on an elliptic curve over the reals actually make sense over any
such field IF, and can be shown to give an abelian group law on the curve.
In particular, let E be an elliptic curve defined over the field C of complex
numbers. Thus, E is the set of pairs (x, y) of complex numbers satisfying equation
(3), together with the point at infinity 0. Although E is a "curve", if we think in
terms of familiar geometrical pictures, it is 2-dimensional. That is, it is a surface
in the 4-real-dimensional space whose coordinates are the real and imaginary parts
of x and y. We now describe how E can be visualized as a surface.

1 22

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

Let L be a lattice in the complex plane. This means that L is the abelian group
of all integer combinations of two complex numbers w 1 and w2 (where w 1 and w2
span the plane; that is, they do not lie on the same line through the origin). We
write L Zw1 + Zw2 . For example, if w 1 I and w2 i, then L is the Gaussian
integers, the square grid consisting of all complex numbers with integer real and
imaginary parts.
Given an elliptic curve (3) over the complex numbers, it turns out that there
exist a lattice L and a complex function, called the "Weierstrass g;J-function" and
denoted g;JL (z), that has the following properties:
( 1 ) g;JL(z) is analytic except for a double pole at each point of L;
(2) g;JL(z) satisfies the differential equation g;J 2 g;Ji + ag;JL + b, and hence for
any z rfc L the point (g;JL(z), g;J (z)) lies on the elliptic curve E;
(3) two complex numbers z1 and z2 give the same point (g;JL(z), g;J(z)) on E
if and only if z1 - z2 E L;
(4) the map that associates any z rfc L to the corresponding point (g;JL(z), g;J (z))
on E and associates any z E L to the point at infinity 0 E E gives a 1 -to- 1
correspondence between E and the quotient of the complex plane by the subgroup
L (denoted CjL);
(5) this 1 -to- 1 correspondence is an isomorphism of abelian groups. In other
words, if z1 corresponds to the point P E E and z2 corresponds to Q E E, then
the complex number z1 + z2 corresponds to the point P + Q.
Thus, we can think of the abelian group E as equivalent to the complex plane
modulo a suitable lattice. To visualize the latter group, note that every equivalence
class z + L has one and only one representative in the "fundamental parallelogram"
consisting of complex numbers of the form uw1 + vw2 , 0 -::; u, v < 1 (for example,
if L is the Gaussian integers, the fundamental parallelogram is the unit square).
Since opposite points on the parallel sides of the boundary of the parallelogram
differ by a lattice point, they are equal in C/ L. That is, we think of them as "glued
together". If we visualize this - folding over one side of the parallelogram to meet
the opposite side (obtaining a segment of a cylinder) and then folding over again
and gluing the opposite circles - we see that we obtain a "torus" (surface of a
donut), pictured below.
As a group, the torus is the product of two copies of a circle. That is, its
points can be parameterized by ordered pairs of angles (a, (3). (More precisely, if
=

 l . Elliptic Curves

1 23

the torus was obtained from the lattice L = Zw 1 + Zwz, then we write an element
in C/ L in the form uw 1 + vw2 and take a = 21ru, f3 = 21rv.) Thus, we caa think
of an elliptic curve over the complex numbers as a generalization to two real
dimensions of the circle in the real plane. In fact, this analogy goes much further
than one might think. The "elliptic functions" (which tell us how to go back from
a point (x, y) E E to the complex number z for which (x, y) = (PL(z ) , p(z)))
tum out to have some properties analogous to the familiar arcsine function (which
tells us how to go back from a point (x, y) on the unit circle to the real n umber
a that corresponds to that point when we "wrap" the real number line around the
circle). In the algebraic number theory of elliptic curves, one finds a deep analogy
between the coordinates of the "n-division points" on an elliptic curve (the points
P such that nP is the identity 0) and the n-division points on the unit circle
(which are the n-th roots of unity in the complex plane).
The order of a point P on an elliptic curve is the smallest integer n such that
nP = 0; of course, such a finite n need not exist. It is often of interest to find
points P of finite order on an elliptic curve, especially for elliptic curves defined
over Q.
Example

1 . 2.

Find the order of P = (2 , 3) on y 2 = x 3 + 1 .

Solution. Using (5), we find that 2 P = (0, 1 ) and 4P = 2(2P) = (0, 1 ) Thus,
4P = -2P, and so 6P = 0. Hence, the order of P is 2, 3 or 6. But 2P = (0, 1 ) # 0,
and if P had order 3, then we would have 4P = P, which is not true. So P has
order 6.
-

An important concept in the study of elliptic curves is complex multiplication.

We say that a curve E defined over C has complex multiplication by a complex
number a tfc Z if multiplication by a maps the lattice L to itself. It is not hard
to show that if E has complex multiplication - that is, if such an a exists - then
Q(a) is an imaginary quadratic field (called the CM-field of E). In that case the
set of all a such that aL c L forms a subring of finite index (called an "order")
in the ring of integers of this imaginary quadratic field.
Whenever aL c L, multiplication by a corresponds to an endomorph ism of
the elliptic curve E. For instance, if E is the elliptic curve in Example 1 .2, it turns
out that L is a grid of vertices of equilateral triangles in the plane. That is , up to
scaling it is the ring Z[(], where ( = ( - 1 + H) / 2. This ring Z[(] is also the
set of a such that aL c L. The case a = ( corresponds to the automorphism of
the elliptic curve given by taking P = (x, y) to the point ((x, y).
Similarly, the elliptic curve Y2 = X 3 - X has complex multiplication by
the Gaussian integer ring Z[i]. The case a = i corresponds to the automorphism

(x, y) >-+ ( -x, iy).

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

1 24

1.5 Elliptic Curves over Q

In equation (3), if a and b are rational numbers, it is natural to look for rational
solutions (x, y). There is a vast theory of elliptic curves over the rationals. Mordell
[1922] proved that the abelian group is finitely generated. This means that it
consists of a finite "torsion subgroup" Etors , consisting of the rational points of
finite order, plus the subgroup generated by a finite number of points of infinite
order:

E(Q)

R:J

Etors EB '!./ .
The number r of generators needed for the infinite part is called the rank; it is zero
if and only if the entire group of rational points is finite. The study of the rank
r and other features of the group of points on an elliptic curve over Q is related
to many interesting questions in number theory and algebraic geometry. We shall
discuss this further in 3 and 4.
1.6 Characteristics 2 and 3

If char(lF) 2, then an elliptic curve cannot be put in the form (3); in fact, the
curve (3) is never smooth in characteristic 2 (see Exercise 2 below). In the case
of characteristic 3, one cannot eliminate the a2 X 2 -term if it is not already zero.
Thus, we cannot use the formulas (4)-(5) directly.
However, we can find formulas analogous to (4)-(5) that apply to elliptic
curves whose equation has the more general form ( 1 ), which can be used in
any characteristic. Again we first suppose that our elliptic curve is defined over
R and we translate the geometrical addition rules 1 )-4) into equations for the
x- and y-coordinates of P + Q and 2P. The resulting formulas are aesthetically
rather unappealing, and will not be given here. What we do need are the formulas
analogous to (4) and (5) that one gets
=

1) when a1

a3 0 in ( 1 ) but a2 is not necessarily zero, so that we can work in

characteristic 3 :

X3

( Yz - Yt ) 2
---

Xz - Xt

- az - X t - xz

Y3

( Y2 - Yt

-y l + --- ( XJ - X 3 ) (6)
Xz - XJ

when adding distinct points; and

( 3xi + 2azx t + a4 ) 2
- az - 2 Xt ,
2y t
( 3xi + 2azXt + a4 )
( XJ - X 3 )
Y3 = -y l +
2yt

X3

(7)

when doubling a point (note that in characteristic 3 the slope term here sim
plifies to (a2 x1 - a4 ) j y t ) ;

 1 . Elliptic Curves

125

2) when a 3 = a4 = 0 in ( 1 ) but a1 is nonzero and may be assumed to be equal to

1 (see Exercises 1 (b) and 3(b) below), and char(IF) = 2 (the nonsupersingular
case):

(
(

)
)

Y 1 + Y 2 Y 1 + Y2 + x1 + X + a ,
X3 = ---2 +
2 2
X! + X 2
X! + X2
Yl + Y2 (X + X ) + +
Y3 =
I J X} Y l
X 1 + X2
---

(8)

when adding distinct points; and

(9)

when doubling a point;

3) when a1 = a 2 = 0 in ( 1 ) but a3 f 0, and char(IF) = 2 (the supersingular case):

( Y1 + Y2 ) 2 + X1 + x2 ,

x3 =

---

X 1 + X2

( 1 0)

when adding distinct points; and

XJ

xi + a
-a23- '

(1 1)

when doubling a point.

I n all cases the rules for adding a point P1 = (x 1 , y! ) t o P2 = (x2 , y2 ) to obtain

P1 + P2 = (x 3 , y3 ) can be written in the form of rational expressions for x 3
and Y3 in terms of x1 , x2 , y 1 , Y2 and the coefficients ai .
Note that for an elliptic curve in the general form ( 1 ) the negative of a point
P = (x, y) is the point -P = (x, - a 1 x - a 3 - y).

P3

1.7 Elliptic Curves over a Finite Field

For the rest of this section we shall let IF be the finite field IF q of q = pf elements.
Let E be an elliptic curve defined over IF q If p f 2, 3, then we suppose that E
is given by an equation of the form (3). If p = 3, then we also need to allow an
X 2 -term on the right in (3). If p = 2, then there are two cases: the nonsupersingular
case
( 1 2)
and the supersingular case
( 1 3)
(see Exercises 1 (b) and 3(b) below).
If an elliptic curve E is defined over IFq , then it is also defined over F q r for
r = 1 , 2, . . , and so it is meaningful to look at solutions - called "IFqr -points" - in
.

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

1 26

extension fields of the defining equation of the curve. We let Nr denote the number
of F qr -points on E. (Thus, N1 = N is the number of points with coordinates in
our "ground field" F q )
From the numbers Nr one forms the "generating series" Z(E /F q ; T), which
is the formal power series defined by setting
L NrTr / r
Z(E/Fq ; T) = e

( 14)

in which T is an indeterminate, the notation EjFq designates the elliptic curve

and the field we're taking as our ground field, and the sum on the right is over all
r = I , 2, . . . . It can be shown that the series obtained by taking the infinite product
of the exponential power series e NrT r f r actually has positive integer coefficients.
This power series is called the zeta-function of the elliptic curve (over Fq ), and is
a very important object associated with E.
The following theorem of Hasse, which says that this zeta-function has a rather
simple form, is of great practical value, since it shows how to determine all of the
Nr once one knows N1 .
Theorem 1.1. The zetajunction of an elliptic curve is a rational function of T
having the fonn
2
z EjF . T) -- 1 - aT + qT
( 1 5)
(
q'
( I - T)(l - q T)
'

where only the coefficient of T in the numerator depends on the particular elliptic
curve E. This coefficient is related to N = N1 as follows: N = q + 1 - a. In addition,
the discriminant of the quadratic polynomial in the numerator is negative or zero
(that is, a2 :::; 4q ) and so this polynomial has two complex conjugate roots a, a
both of absolute value y!q. (More precisely, 1 / a and 1 /a are the roots, and a, a
are the " reciprocal roots ".)

For a proof, see V.2 of [Silverman 1 986] .

Corollary 1.1. Let Nr denote the number of Fqr -points on E, and set N = N1 and
a = q + 1 - N. Let a and a be the roots of the quadratic polynomial T 2 - aT + q.
Then

where

Nr = l a r I I

1 12

qr + I - ar

- ar '

( 1 6)

denotes the usual complex absolute value.

The corollary is an immediate consequence of Theorem 1 . 1 , as we see by

writing the numerator of the right side of ( 15) in the form ( 1 - aT)( l - aT),
replacing the left side by ( 1 4), and then taking the logarithm of both sides. Here we
use the identity ln( l - cT) = - L cr Tr /r. This corollary shows how to determine
all of the Nr once you know N N1 .
Example 1 . 3. The zeta-function of the elliptic curve Y 2 + Y = X3 over F2 is
easily computed from the fact that there are three F2 -points. (Always remember
to include the point at infinity when counting the number of points on an elliptic
curve.) We find that
=

 I . Elliptic Curves

Z (E / F2 ; T) = (1

+ 2T 2 )/( l

1 27

- T)( l - 2T) .

Thus, the reciprocal roots of the numerator are i !2. This leads to the formula
if r is odd ;
if r is even .

( 1 7)

Remark. In general, an elliptic curve is said to be supersingular if p divides

the coefficient a in ( 1 5), or equivalently, if N = 1 (mod p). In Exercise 17
below, we see that in the case p = 2 our earlier use of the terms "supersin gular"
and "nonsupersingular" agrees with this definition. The equation in Example 1 .3,
considered over F q . gives a supersingular elliptic curve whenever q = 2 (mod 3)
(see Exercise 10 below).
Another corollary of Theorem 1 . 1 is the following basic fact (which often goes
by the name of "Hasse's theorem").
Corollary 1.2. The number N of 'Fq -points on an elliptic curve defined over Fq
lies in the interval
q + 1 - 2yq ::; N ::; q + 1 + 2yfii .
( 1 8)

This corollary follows because lq + 1 - N l = Ia! ::; .y'4q by Theorem 1 . 1 .

Thus, Hasse's theorem says that the size of the group E over F q is fairly
close to that of the finite field itself. Starting with the seminal paper [Schoof
1 985], a great deal of effort has been put into developing efficient algorithms to
determine N = #E for an arbitrary elliptic curve E. After work by A. 0. L. Atkin,
N. Elkies, F. Morain, V. Miller, J. Buchmann and his students, and S. A. Vanstone
and his students, it has become practical to compute #E over fields Fq where q
has several hundred digits. For example, in [Lercier and Morain 1 995 and 1 996]
#E is computed for an arbitrary elliptic curve over 'Fq where q = p = 10499 + 1 5 3
and where q = 2 1 301 . See also [Lehmann, Maurer, Muller, and Shoup 1 994] .
On the other hand, it is important to note that there are many elliptic curves
for which # E can be easily computed without using the sophisticated ideas of
Schoof, Atkin, and others.

Example 1.4. Let E be the elliptic curve Y 2 = X3 -X defined over F p In Exercise

10 below we shall consider the supersingular case when p = 3 (mod 4). Here we
suppose that we are in the more interesting nonsupersingular case when p = 1
(mod 4). It can be shown (see 2 of Chapter 2 in [Koblitz 1 993] or 4 of Chapter 1 8
i n [Ireland and Rosen 1 990]) that the number o f points N = p+ 1 - a on E can be
found by writing p as the sum of two squares p = c2 + d2 and setting a = 2c, where
c is uniquely determined by requiring that the following congruence of Gaussian
integers hold: c + i d = 1 (mod 2 + 2 i ) . This means that c is odd and d is even;
and we replace c by -c if either 4ld and c = 3 (mod 4) or else 4 J d and c = 1
(mod 4 ) . Here are the first few cases: p = 5 = ( - 1 )2 + 22 , N = 5 + 1 - 2(- 1 ) = 8;
p = 1 3 = 3 2 + 2 2 , N = 1 3 + 1 - 2 ( 3 ) = 8 ; p = 1 7 = 1 2 + 42 , N = 1 7 + 1 - 2 ( 1 ) = 16;

and so on.

128

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

Even if p = 1 (mod 4) is an extremely large prime, it is not hard to write

it as a sum of squares. To do this, one first finds a square root y of - 1 in IFP
(if we choose a random x E IF; and raise it to the
-th power, there is a
50% chance that we'll get l and a 50% chance that we' ll get a square root of
- 1 ). One then uses the Euclidean algorithm in the Gaussian integer ring to find
the greatest common divisor of the Gaussian integers p and y + i. This g.c.d. will
coincide with c + di or c - di up to a factor of 1 or i. See Exercise 14 in 2
of Chapter 3.

( )

1 . 8 Square Roots

We now give a probabilistic algorithm for finding points on an elliptic curve E

defined over a finite field IF q We shall suppose that q is odd; when q is a power
of 2, one can use the method in Exercises 3-4 of 2.
Since q is odd, we may suppose that the equation of E is in the form Y 2 =
f(X), where f(X) is a cubic polynomial. If we choose values of x at random,
then every time f(x) is a square in IF there are two points of the form (x, y ) on
the curve. From Hasse's theorem (Corollary 1 .2) we see that this happens about
50% of the time. For each x that is not a root of f(x), it is/ easy to determine
whether or not f(x) is a square - simply compute f(x)< q - l l 2 l ; f(x) is a
square if and only if you get + 1 . In what follows we suppose that we have found
a value of x such that z = f(x) is a square in IF . It remains to find a square root
y E IF; of z.
If/ we happen to have q = 3 (mod / 4), then all we have to do is take y
z ( q+l l 4 , at which point y 2 = z z( q - I ) Z = z. If q = 1 (mod 4), then we use
an "approximation" procedure due to Shanks [ 1 972] that depends on the highest
power of 2 dividing q - 1 . Suppose that q - l = 28t, where t is odd and s 2: 2. Let
u be a non-square in IF; ; such an element
can be found by choosing u at random
/
until you find one for which u(q- l ) 2 = - 1 . Set v = ut ; then v is a primitive
(28)-th root of unity in IFq We
/ get an "approximate" solution y1 to the equation
y 2 z by setting y1 = z(t+ l l 2 . Then Y ? = z zt. Since zt is a (2 s - l )-th root of
unity, there is a power v 1 such that y = y1 v- l is a square root of z. Equivalently,
we need
=

( 1 9)
The (28)-th root of unity v 1 is the "correction term" that we need to convert y1 to
a square root of z. We find the binary digits in l lo + 1 1 2 + lz 22 + + l s - 2 2 8 - 2
2
=

inductively, starting with 10. Raising both sides of ( 19) to the (28- )-th power, we
see that 10 = 0 if and only if we obtain l on the right; otherwise lo = 1 . We next
raise both sides of ( 1 9) to the (28- 3 )-th power to determine whether h is 0 or 1 .
We continue in this way until we finally determine 10, . , l 8 _ 2 so that ( 1 9) holds.
This completes our description of the algorithm.
It is easy to verify that the above probabilistic algorithm for finding a point
on E takes time 0(ln3 q) (see Theorem 2.7 in Chapter 3).

..

 1 . Elliptic Curves

1 29

One might ask whether there is a deterministic polynomial-time algorithm for

finding points (other than the point at infinity) on an elliptic curve. No such algo
rithm is known in general, although there are some special cases where we have a
simple deterministic algorithm (see Exercise l of 2). The square root alg<Jrithm
above is not deterministic polynomial-time unless one assumes the Riemann Hy
pothesis, because of the difficulty in deterministically finding a non-square u . If
q is a prime p that is not congruent to l modulo 1 6, then [Schoof 1 985] contains
a deterministic polynomial-time square root algorithm that does not assume the
Riemann Hypothesis.
But the main obstacle to a deterministic polynomial-time algorithm for finding
a point on E is not the problem of taking the square root of f(x). Rather, it is
finding x E lFq such that f(x) is a square. Although about 50% of the elements
x have this property, no efficient deterministic way is known to find such an x
except in some special cases. All deterministic methods require exponential time.
It is remarkable that no one knows how to find a point on an elliptic curve (other
than the point at infinity) in subexponential time.
On the other hand, if we are satisfied with probabilistic methods (as we always
are if we work in practical cryptography), then we have nothing to worry about.
Exercises for I
l . Show that a linear change of variables can be used to transform the left side of
equation ( 1 ) to the form
(a) Y 2 if the characteristic of the field lF is not 2; and
(b) Y 2 + XY if char(lF) 2 and the XY-term in equation ( 1 ) is nonzero.
=

2. If char(lF)

2, show that there is no elliptic curve ( l ) with

at

a3

0.

3. (a) In the case when char(lF) -of 2, suppose that equation ( l ) has been transformed
as in Exercise l (a) so that a 1 a 3 0. Show that the equation defines an elliptic
curve (in other words, a smooth curve) if and only if the cubic polynomial on the
right has no multiple roots.
(b) In the case when char(IF) 2 and either a 1 or a 3 (but not both) is nonzero,
give simple conditions for equation ( 1 ) to define an elliptic curve. Also show that
if a 1 -of 0, then without loss of generality we may suppose that a4 0; while if
a 3 # 0, then we may suppose that a2 0.
4. Show how the proposition in 1 .2 can be used to prove the associative law for
E(JR).
=

5. How many points P such that nP

(a) C? (b) JR?

0 are there on an elliptic curve over

6. Let P be a point on an elliptic curve of the form (3) over JR. Give a geometric
condition that is equivalent to P being a point of order (a) 2; (b) 3; (c) 4.
7. On the elliptic curve Y 2 X 3 - 36X let P ( - 3 , 9) and Q ( -2, 8 ) . Find
P + Q and 2P.
=

1 30

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

8. Each of the following points has finite order on the given elliptic curve over Q.
In each case, find the order of P.
(a) p = (0, 1 6) on Y 2 = X 3 + 256.
(b) P = ( , ) on Y 2 = X 3 + X.
(c) P = (3, 8) o n Y 2 = X 3 - 43X + 1 66.

9. Let E be a curve (3) defined over the rational numbers. For simplicity, suppose
that a, b E :Z. Let P be a point on E(Q ). Find a bound in terms of k for the
logarithm of the denominator of the x-coordinate of 2 k P.

10. Let E be either (a) the curve Y2 = X3 - X defined over the field lFq , where
3 (mod 4 ) , or else (b) the curve Y2 + Y = X 3 defined over the field lF q , where
q = 2 (mod 3). In both cases show that one has an elliptic curve (that is, the curve
is smooth); prove that N1 = q + 1 ; and find formulas for Nr .
1 1 . Let E j lF2 be the elliptic curve Y 2 + Y = X 3 , and let q = 2 r .
(a) Express the coordinates of - P and 2P in terms of the coordinates of P.
(b) Show that every P E E(JF16) (except for 0) has order 3.
(c) Show that every P E E(JF16) is actually in E(lF4). Then use Hasse's theorem
with q = 4 and with q = 1 6 to determine the number of lFwpoints. Your answer
should agree with the formula for N4 in (17).
12. Let E /lFP have equation Y2 + Y = X 3 - X + 1, where p = 2 or 3. Show that
N, = 1 , and find a simple formula for Nr .
13. Find an elliptic curve E defined over JF4 that has only one lF4-point (the
point at infinity). Find a simple formula for Nr in that case. Show that one has
(2 r - 1 )P = 0 for all P E E(lF4r ).
14. Given an /-bit integer n and a point P E E(JFq ), where q is a k-bit prime
power, prove that nP can be computed in time 0(k2 l).
15. In the notation of Corollary 1 . 1 , find a recursive relation expressing Nr+l in
terms of Nr and Nr - I that can be used to compute the sequence Nr extremely
rapidly once you know a.
16. For a = 0 or 1 , let Ea be the elliptic curve Y2 + XY = X 3 + aX 2 + 1 over
lFz . Find #Ea(lFz ) and Z(Ea/lFz ; T) for a = 0, 1 . Using Exercise 15, show that
#Ea(lFzr) is four times a prime when a = 0, r = 5, 7, 13, and is twice a prime
when a = 1 , r = 3, 5, 7, 1 1 . It is easy by computer to find larger prime values of
r for which #Ea(lFzr )/#Ea(lFz) is a prime (see also 3.2 below). Such curves are
q =

suitable for elliptic curve cryptography, in part because they lend themselves to
especially efficient computation of multiples of points (see [Salinas 1 997]).

17. Prove that if lF is a finite field of characteristic 2, then #E(lF) is odd in the
supersingular case ( 1 3) and even in the nonsupersingular case ( 1 2). Conclude that
the coefficient a in the numerator of Z(E / lF; T) is even in the supersingular case
and odd in the nonsupersingular case.

2. Elliptic Curve Cryptosystems

131

2. Elliptic Curve Cryptosystems

2.1 History

Elliptic curve cryptosystems were proposed i n 1 985 independently b y Victor Miller

and by me. The two advantages that we saw were ( 1 ) the greater flexibility in
choosing the group (that is, for each prime power q there is only one multiplicative
group JF , but there are many elliptic curve groups E /lF q ), and especially (2) the
absence of subexponential time algorithms to break the system if E is suitably
chosen.
At first, elliptic curve cryptography seemed like the sort of notion that would
be of practical utility only in the distant future, if at all. However, as often happens
in cryptography, the distant future came quickly. Now, a little more than a decade
later, many people have developed usable implementations. Some of the most
advanced work in this field (both practical and theoretical) has been done in
Waterloo, Canada by an interdisciplinary group headed by S. A. Vanstone.
A few years after the invention of elliptic curve cryptosystems, Menezes, Oka
moto, and Vanstone [ 1 993] found a new way to tackle the discrete log problem
(see Definition 2.1 below) upon which the security of elliptic curve cryptos ystems
is based. Namely, given an elliptic curve E defined over lFq , they used the Wei!
pairing (see III.8 of [Silverman 1 986]) to imbed E into the multiplicative group
of some extension lF q k . This reduces the problem to the discrete log problem in
JFk (see 4 of Chapter 1). However, in order for this to be of any use, the ex
tension degree k must be small. Essentially the only elliptic curves for which k
is small are the supersingular ones. These include a few simple equations, such
as the examples in Exercise 10 of 1 , and also all equations of the form ( 13) in
characteristic 2; however, the vast majority of elliptic curves are nonsupe rsingu
lar. For them, the Menezes-Okamoto-Vanstone reduction almost never leads to a
subexponential time algorithm (see [Balasubramanian and Koblitz 1 998]).
Thus, the basic open question in elliptic curve cryptography is whether or not
one can find a subexponential time algorithm for the discrete log problem on some
class of nonsupersingular elliptic curves. At present no one seems to have any idea
how to do this.
Meanwhile, because of progress in computing finite field discrete logarithms
and in factoring integers, the key sizes necessary in order for the most popular
public key systems to be secure are growing substantially. Thus, Odlyzko's article
[Odlyzko 1 995] on this subject concluded with the following sentence:
"It might therefore be prudent to consider even more seriously elliptic curve
cryptosystems."

1 32

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

2.2 Key Exchange and Message Transmission

One of the most attractive uses of a public key cryptosystem is for key exchange
(where actual message transmission will be done by an unrelated private key
system). The key can be any more-or-less "random" integer that the two users
Alice and Bob agree upon but no one else knows. The unique feature of public key
cryptography for key exchange is that Alice and Bob can arrive at their common
key using only public, unencrypted communication.
The first public key cryptosystem was the Diffie-Hellman key exchange [Diffie
and Hellman 1 976] (see 4 of Chapter 1). It can be adapted for elliptic curves as
follows. First note that a "random" point on an elliptic curve E can serve as
a key, since Alice and Bob can agree in advance on a method to convert it to
an integer (for example, they can take the image of its x-coordinate under some
agreed upon simple map from IF q to the natural numbers).
So suppose that E is an elliptic curve over IF q . and Q is an agreed upon (and
publicly known) point on the curve. Alice secretly chooses a random integer kA
and computes the point kAQ, which she sends to Bob. Likewise, Bob secretly
chooses a random ks , computes ksQ, and sends it to Alice. The common key
is P = kA ksQ. Alice computes P by multiplying the point she received from
Bob by her secret kA ; Bob computes P by multiplying the point he received from
Alice by his secret k3 . An eavesdropper who wanted to spy on Alice and Bob
would have to determine P = kAksQ knowing Q, kAQ, and ksQ, but not kA
or k3 . The eavesdropper's task is called the "Diffie-Hellman problem for elliptic
curves".
It is not hard to modify the Diffie-Hellman protocol for the purpose of message
transmission, using an idea of ElGamal [ 1 985a] . Suppose that the set of message
units has been imbedded in E in some agreed upon way (see Exercises 2-4 below),
and Bob wants to send Alice a message M E E. Alice and Bob have already
exchanged kAQ and ks Q as in Diffie-Hellman. Bob now chooses another secret
random integer l, and sends Alice the pair of points (lQ, M + l(kAQ)). To decipher
the message, Alice multiplies the first point in the pair by her secret kA and then
subtracts the result from the second point in the pair.
The Diffie-Hellman and ElGarnal systems can be broken if one can solve the
"discrete log problem" in the group E.
Definition 2.1. The discrete logarithm problem in the group G to the base g E G
is the problem, given y E G, of finding an integer x such that gx = y (xg = y

when the group operation in G is written additively), provided that such an integer
exists (in other words, provided that y is in the subgroup generated by g). Thus, in
the case G = E, the elliptic curve discrete logarithm problem to the base Q E E
is the problem, given P E E, of finding an integer x such that P = xQ if such x
exists.
It is easy to see that the Diffie-Hellman problem can be solved if the discrete
log problem can be. Namely, the eavesdropper, who knows Q and kA Q, finds the
secret kA and then has broken the cipher. The converse - the assertion that the

2. Elliptic Curve Cryptosyste ms

133

Diffie-Hellman problem is equivalent to the discrete log problem - is a conjecture

but has not been proved. For the latest partial results supporting the conjectural
equivalence of these two problems, see [Boneh and Lipton 1996] and [Maurer and
Wolf 1 998].
The system that Diffie and Hellman originally proposed used the multiplicative
group G = IF . The discrete logarithm problem in the multiplicative group of a well
chosen finite field is hard: in practice, it seems to require about the same amount of
time as factorization of an integer of approximately the same size as the finite field
(see [van Oorschot 1992]). However, as in the case of factorization, there are many
subexponential time algorithms to do this. More precisely, most good discrete Jog
algorithms have running time of the form L q ( l /2) = exp ( 0( J!n q In In q)) ; and
with the discovery and development of the "number field sieve" (see [Lenstra and
Lenstra 1 993] and [Gordon 1 993 and 1 995]), the heuristic asymptotic running
time (at least in the case when q = p is a prime) has been reduced to Lq(l/ 3) =
exp ( 0( \!In q In In2 q) ) .
However, no subexponential time algorithm is known in the case of elliptic
curves (except for supersingular ones, see 2. 1). The only methods available for
finding discrete logs on E /IF q are the methods that apply to arbitrary groups. All
of them have running time of the form L q ( l ) = q 0 0) = exp ( O(ln q) ) , provided
that #E is divisible by a large prime ("large" means that its order of magnitude is
not much less than that of q).
2.3 Discrete Log Algorithm in Groups of Smooth Order
Definition 2.2. Let B be a positive real number. An integer is said to be B-smooth

if it is not divisible by any prime greater than B.

If the order of our group G is B-smooth for a reasonably small B, then

discrete logarithms in G can be efficiently computed by the following method of
Si!ver-Pohlig-Hellman [Hellman and Pohlig 1 978].
Let G be a group of order #G = f1 pf ' . We shall write the group law additively,
and let 0 denote the identity element. Suppose that #G is B-smooth; in oth.er words
Pi :::; B for all i. If the bound B is fairly small, then one can use the following
algorithm to find the discrete logarithm of y E G to the base g. First we find the
exact order of g. This can be done by computing (#G /Pi)g for the different Pi,
and then (#G/PI)g whenever (#Gjp,)g = 0, and so on, until we find the smallest
N = f1 p' such that Ng = 0.
Our task is to find a positive integer x < N such that xg = y. If no such x
exists, then the algorithm that follows will break down, and we will know that
there is no solution.
Our method is to find x modulo pr , where pr is one of the prime powers in the
factorization of N, and then use the Chinese Remainder Theorem (see Exercise 9
in 3 of Chapter 2) to find x modulo N = f1 pr . So suppose that p is a fixed prime
divisor of N, and let x = xo + x1p + + Xr - JPr - l (mod pr ), where 0 :::; x , :::; p - 1
for i = 0, I , . . . , r - 1 .

1 34

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

To find the unknown digit x0 , we multiply both sides of the equality xg = y

by N' = Njp, obtaining x0 (N' g) = N'y. We could simply try the p different
possibilities for x0 until we find the one for which the last equality holds; if
no such x0 E { 0, l , . . , p 1 } exists, that means that y is not in the subgroup
generated by g. This procedure requires O(p) steps. If p is fairly large, we might
instead want to use Shanks' "baby-step-giant-step" method, which requires only
O(y'P) steps. Namely, we let b = [ y'P] + 1 , and we write our unknown xo in the
form x0 = ib - j, where 1 :::; i, j :::; b. We compute the b values i(bN' g), 1 :::; i ::; b,
and the b values (N'y) + j(N' g), 1 :::; j :::; b, and we compare the two lists. When
we have the match ibN' g = N' y + j N' g, we know that x0 = ib - j.
Once w e know x0 , w e find x1 b y setting N" = Njp2 and considering the
equality (x0 + x1p)(N" g) = N"y, i.e., x1 (N' g) = N"(y - x0 g). We use the same
procedure that we used to find x0 . We continue this process, inductively finding
Xz , . . . , Xr -1 Once we know x modulo pr for all piN, we use the Chinese Re
mainder Theorem to find x, 1 :::; x < N. This completes the description of the
algorithm.
.

Remarks. 1. Unlike index-calculus algorithms for discrete logs in IF , in which

most of the work is in precomputations (which are not repeated if one wants
another discrete log in the same field), the above algorithm must be substantially
repeated for each individual discrete logarithm.
2. Because of the importance of the discrete logarithm problem on an elliptic

curve, much effort has been devoted to obtaining even minor increases in speed.
A method based on Pollard's p-method [Pollard 1 978], which has been efficiently
parallelized in [Van Oorschot and Wiener 1 994, 1 998], is somewhat faster than
the above combination of Silver-Pohlig-Hellman and baby-step-giant-step.

3. Whenever the security of a cryptosystem is based on the discrete logarithm

problem in a group G, to thwart attacks by any of these algorithms it is important
to choose G so that it has non-smooth order - in other words, so that #G is
divisible by a very large prime. In practice, all known algorithms that work in
an arbitrary group become infeasible if #G is divisible by a prime of 40 or more
decimal digits.
2.4 Digital Signature

We now describe the elliptic curve analogue (ECDSA) of the U.S. government
Digital Signature Algorithm (see 4 of Chapter 1). The ECDSA is currently being
studied by the standards committees of several professional organizations, and
it may soon be adopted as a digital signature standard that can be used as an
alternative to the DSA.
ECDSA Key Generation. For simplicity, we shall use elliptic curves defined over

a prime field IFp, although the construction can easily be adapted to other finite
fields as well. Let E be an elliptic curve defined over IFP , and let P be a point

2. Elliptic Curve Cryptosystems

1 35

of prime order q in E(IFp); these are system-wide parameters. (Note that here, as
in the DSA in 4 of Chapter 1 , q denotes not a power of p, but rather a different
prime number. Unlike in the DSA, where q is much smaller than p, in the E CDSA
q is about the same size as p.) Each user Alice selects a random integer x in the
interval 1 < x < q - 1 and computes Q = xP. Alice's public key is Q; her private
key is x.
ECDSA Signature Generation. To sign a message

1)
2)

3)
4)

m, Alice does the following:

She selects a random integer k in the interval 1 < k < q - 1 .
She computes k P = (x1 , y1 ) and r = x1 mod q (that is, x1 is regarded as an
integer between 0 and p - 1 , and r is taken to be its least non-negative residue
modulo q). If r = 0, she returns to step 1 ). (If r = 0, then the signing equation
s = k- 1 (H(m) + xr) mod q does not involve the private key x; hence, 0 is not
a suitable value for r.)
She computes k- 1 mod q .
She computes s = k- 1 (H(m) + xr) mod q , where H(m) is the hash value of
the message. If s = 0, she returns to step 1 ). (If s = 0, then s - 1 mod q, which
is required in step 3) of signature verification, does not exist. Note that if k is
chosen at random, then the probability that either r = 0 or s = 0 is negligibly
small.)

5) The signature for the message

m is the pair of integers (r, s).

ECDSA Signature Verification. To verify Alice's signature

m, Bob should do the following:

1 ) Obtain an authenticated copy of Alice's public key Q.

2) Verify that r and s are integers in the interval [ 1, q - 1].
3) Compute w = s- 1 mod q and H(m).
4) Compute u1 = H(m)w mod q and u2 = rw mod q .
5) Compute u 1 P + uzQ = (xo, Yo) and v = xo mod q .
6) Accept the signature if and only if v = r.

(r, s) of the message

The basic difference between ECDSA and DSA is in the generation of r. The
DSA does this by taking the random power (a k mod p) and reducing it modulo
q, thus obtaining an integer in the interval [ 1 , q - 1 ] . (Recall that in DSA q is a
1 60-bit prime divisor of p - 1 , and a is an element of order q in IF;.) The ECDSA
generates the integer r in the interval [ 1 , q - 1] by taking the x-coordinate of the
random multiple kP and reducing it modulo q .
To obtain a security level similar to that of DSA, the parameter q should have
about 1 60 bits. If this is the case, then DSA and ECDSA signatures have the same
bitlength (320 bits).
Instead of using E and P as system-wide parameters, we could fix only the
underlying finite field IFP for all users, and let each user select her own elliptic
curve E and point P E E(IFp). In this case, the defining equation for E, the
coordinates of the point P, and the order q of P must also be included in the
user's public key. If the underlying field IFp is fixed, then hardware and software

1 36

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

can be built to optimize computations in that field. At the same time, there are an
enormous number of choices of elliptic curve E over the fixed 1Fp.
Exercises for 2
l . In the ECDSA, explain why (a) Bob expects the x-coordinate of u1 P + u2 Q to
agree modulo q with r, and (b) if they do agree, then he should be satisfied that
it was really Alice who sent the message.

2. If E /lFq is either of the types of elliptic curves in Exercise 10 of 1 , describe

a deterministic method of imbedding plaintext as points on the curve. If E /lFq is
some other type of elliptic curve, where q is odd, describe a probabilistic method
of doing this.
3. Let q = 2r , and let {,6 1 , . . , f3r } be a basis of lF q over JF2 Let Tr(z) = 2::= ;;-; 1 z 2 '
be the trace function. By Exercise 1 3 in 2 of Chapter 3, Tr(z) is an additive map
from lF q to lF2 that takes the value 1 for q /2 elements of lF q and the value 0 for
the other q/2 elements of lF q .
(a) For z E lF q show that the equation u2 + u = z can be solved for u E lF q if and
only if Tr(z) = 0. If Tr(z) = 0, describe an algorithm for finding u.
(b) If {,61 , . , f3r } is a normal basis (that is, f3i = ,62 ' - ' , i = 1, . . . , r, for some
fixed ,6 E lF q ), give a simple criterion for z to have trace zero, and describe a very
easy way to solve the equation u 2 + u = z in that case.
(c) Let E be an elliptic curve of the form ( 1 2) or (13) defined over 1F q . Using part
(a), describe a probabilistic algorithm for finding points on E.
.

E with equation ( 1 2) over a small field lF q , q = 2r ,

where you are free to vary the a2 , a6 E lFq . Let f denote a prime number (which
you are also free to vary). Let N = #E(lF q ), and let N1 = #E(lFq t ). Describe
an algorithm for finding a2 , a6 E 1F q and a prime f such that NJ IN is a prime

4. Consider an elliptic curve

number, if such a2 , a6, and f exist.

5. Suppose that the best algorithm for discrete logarithms in JF requires time
exp (0 ( (ln q) 1 1\ln ln q)2 1 3 ) ) . Show that the Menezes-Okamoto-Vanstone reduc
tion does not give a subexponential time algorithm if k (In q) 2 , where k is the
degree of the extension field of lF q in which the elliptic curve group is imbedded.
Thus, if l is a prime dividing #E(JF q ) that has the same order of magnitude as q,
and if l J q k 1 for k < ln2 q, then the Menezes-Okamoto-Vanstone reduction
does not lead to a subexponential time algorithm for the discrete logarithm in the
group of order l in E(lFq ).
-

6. Show how Cathy could mount an adaptive chosen-ciphertex attack on the El

Gamal encryption system in 2.2 (see Exercise 1 1 of 3 of Chapter 5).

3. Elliptic Curve Analogues of Classical Number Theory Problems

1 37

3. Elliptic Curve Analogues

of Classical Number Theory Problems

There are basically three approaches to choosing an elliptic curve for a crypto
system. In each case one looks for a curve whose order #E has a very large
prime factor, and in each case the question of the likelihood of encountering such
a curve leads to some interesting conjectures that are supported by heuristic ar
guments and computational evidence. However, proving them remains a difficult
unsolved problem.
3.1 Fix a "Global" Elliptic Curve and Vary the Prime

For example, let E be an elliptic curve Y 2 = /(X) = X 3 + aX + b defined over the

field Q of rational numbers. If p is any odd prime not dividing the denominators
of the coefficients or the discriminant of /(X), then one can consider the elliptic
curve E over IFP that is obtained by simply reducing the coefficients modulo p.
That elliptic curve will always contain as a subgroup the image of the torsion
subgroup E1ors of the curve over Q (see 1 .5). But one expects that in many cases
the quotient will have prime order.
QUESTION. For a fixed curve E over Q, what can be said about the probability
as p varies that

#E mod p
#Etors
is a prime number? Can one prove (for any fixed E) that there are infinitely many
p for which this number is prime?
This question is analogous to a classical unsolved problem of number theory.
Namely, if instead of E we take the multiplicative semigroup of nonzero integers,
which has torsion subgroup { I } , then an analogous question is: As p varies,
what can be said about the probability that

#IF;

P t = -2- = #{ 1 }
p-

i s prime? Are there infinitely many such "Sophie Germain primes" p 1 for which
p = 2p 1 + 1 is prime?*
The question about Sophie Germain primes is of interest when using a Diffie
Hellman type cryptosystem in the multiplicative group of a prime field IFp, and the
analogous elliptic curve question given above is of interest when using an elliptic
curve cryptosystem. In both cases one needs the order of the group to be divisible
* In 1 823 Sophie Germain proved the so-called "first case" of Fermat's Last Theorem for
prime exponents PI for which 2p1 + I is prime. This was the first maj or result on Fermat's
Last Theorem for a large class of exponents.

1 38

Chapter 6. Elliptic and H yperelliptic Cryptosystems

by a large prime so that the Silver-Pohlig-Hellman method (see 2.3) cannot be

used to find discrete logs.
It should be noted that the denominator #Etors in the elliptic curve question
is often 1 , and in any case it cannot be much larger than in the Sophie Germain
prime question. According to a deep result of Mazur, there are at most 16 torsion
points on an elliptic curve over Q (see [Mazur 1977]).
For a discussion of conjectures that would answer the above question for
elliptic curves, see [Koblitz 1 988].
Another natural question in this context is the following. Suppose that P is a
point of infinite order in the group of the elliptic curve E over Q. As p varies,
what is the probability that the image modulo p of P generates E modulo p? For
results on this problem, see [Gupta and Murty 1 986] . This question is the analogue
of a classical problem of E. Artin, who conjectured formulas for the probability
that a fixed integer a (such as 2 or 10) generates w; as p varies. Note that a
generates w; if and only if the base-a expansion of 1 /p has the longest possible
period p - 1 .
3.2 Fix an Elliptic Curve over a Small Field
and Then Consider It over IF'q' As r Varies

IF' q

Since E(IF' q r ' ) is a subgroup of E(IF' q r ) whenever r' l r, large prime factors of
#E(IF' q r ) are more likely to occur when r is prime than when r is composite. In
the case of prime r, the best one can hope for is that

is prime. (Here

#(E(IF' q r))
#(E(IF' q ))

l ar 1 2
a-1
-

a is a reciprocal root of the numerator of Z(EjiF'q ; T).)

QUESTION. For fixed E /IF' q , what is the probability as r varies that the above
number is prime? Can one ever prove that there are infinitely many r such that it
is prime?
Virtually nothing is known about this question. It is analogous to the classical
Mersenne prime problem, as we see by replacing by 2.

3.3 Fix the Field of Definition

IF'q and Vary the Coefficients

According to Hasse's theorem (Corollary 1 .2), #E falls in a rather small interval

around q + 1 , namely,
[q + 1 - 2yq, q + 1 + 2yq] .

As E ranges over all elliptic curves defined over IF' q , the number #E is distributed
fairly uniformly in this interval, except that the density drops off near the endpoints
(see [Waterhouse 1969] and [Lenstra 1987]). Thus, the probability that #E is prime

4. Cultural Backgrou nd

1 39

(or has a prime factor greater than some lower bound) is essentially the same as
the probability that a random integer in an interval of the form [ q , q + cvq] (c a
constant) has this property. But unfortunately, at present almost nothing can be
proved about the occurrence of primes in such "short" intervals. It is not even
known whether there exists a c such that the interval [q, q + cvq] always contains
at least one prime as q -----> oo.
Exercises for 3
I . State a number theory problem similar to the Sophie Germain prime problem
that relates to the cryptographic suitability of curves of the type in Exercise 10 of
1.

2 . Let E b e the elliptic curve Y2 + Y = X 3 - X defined over Q , and let P (0, O).
It can be shown that E ( Q ) is an infinite cyclic group generated by P. Find an
example of a prime p such that the curve E(lFp) given by the same equation
considered over lFP is not generated by the point (0, 0).
=

3. Let E be the curve Y2 + Y = X3 - X + 1 over JF (see Exercise 12 of 1 ) . State a

2
problem relating to cryptographic suitability of E (JFz r ) that is closely analogous to
the Mersenne prime question. (However, regardless of the answer to this question,
the Menezes-Okamoto-Vanstone reduction leads to a subexponential algorithm,
because the curve is supersingular. The same remark applies to Exercise 1 . )

4. Cultural Background: Conjectures on Elliptic Curves

and Surprising Relations with Other Problems
4.1 Congruent Numbers

The following "congruent number problem" has been around since ancient times
(see Chapter XVI of [Dickson 1952] and Section D27 of [Guy 1 9 8 1 ] ) : Given a
natural number N, does there exist a right triangle with rational sides whose area is
N? Is there an easy way to determine whether an arbitrary N is such a congruent
number? Because of the famous 3-4-5 triangle, any high school student can see
that N = 6 is a congruent number. So is N = 5, although not every high school
student would be able to show that: the simplest example of a right triangle with

rational sides and area 5 is the q-6 -6 triangle. It turns out that 1 , 2, 3, and 4
are not congruent numbers.
It is not hard to show that N is a congruent number if and only if the elliptic
curve Y2 = X3 - N2 X = X(X - N)(X + N) has a nontrivial point, where
"nontrivial" means excluding the point at infinity and the other three points of
order two: (0, 0) and (N, 0). For instance, in the case N = 6 (see Exercise 7
of I ) the point P = ( -3 , 9), which is a point of infinite order on the curve
Y2 = X3 - 3 6X , corresponds to the 3-4-5 right triangle.

1 40

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

For more information on the congruent number problem see [Koblitz 1 993]
and [Tunnell 1 983].
4.2 Fermat's Last Theorem

In 1 985 Gerhard Frey suggested that if AP + BP = CP were a counterexample to

Fermat's Last Theorem, then the elliptic curve

Y 2 = X(X - AP )(X + B P )
would have a very surprising property. Its discriminant would be
so every prime factor in this discriminant would occur to a very large power.
Frey thought that it would then have to violate the so-called Taniyama conjecture.
K. Ribet was able to prove that Frey's hunch was correct [Ribet 1 990] ; then,
working intensively for many years, A. Wiles (partly in joint work with R. Taylor)
proved that no such curve can violate the Taniyama conjecture, and hence there
can be no counterexample to Fermat's Last Theorem.
A more detailed discussion of this dramatic story would take us too far afield.
See [Faltings 1 995] for a concise summary of Wiles' proof.
4.3 The Birch-Swinnerton-Dyer Conjecture

Whenever we have an elliptic curve E as in (3) defined over the rational numbers
(that is, a, b E Q), we can consider it modulo p for any prime p that does not
divide either the denominator of a or b or the discriminant -(4a3 + 27b2 ). This is
a curve defined over IFp ; as in 3 . 1 , we shall denote it "E mod p " . For a fixed E
over Q and variable p, let Np denote #(E mod p). (This use of the subscript with
N is different from that in Corollary 1 . 1 .)
Recall from l that Np = (Zip - 1 )( ap 1 ) , where ap and Zip are the quadratic
imaginary numbers of absolute value .JP that one gets from factoring the numerator
of ( 1 5).
As p increases, suppose that we want to get an idea of whether or not Np tends
to be toward the right end of the interval [p + 1 - 2-JP, p + 1 + 2-JP] (see ( 1 8)),
that is, whether or not there tend to be more points on the curve than one would
expect if the right side of equation (3) (modulo p) had exactly a 50% chance of
producing a quadratic residue as p and x vary. We might expect that if our original
curve over Q has infinitely many points - that is, if its rank r is positive (see 1 .5)
- then these points would be a plentiful source of mod-p points, and Np would
tend to be large; whereas if r = 0, then NP would straddle both sides of p + 1
equally. This is the intuitive idea of the (weak) Birch-Swinnerton-Dyer conjecture
(see [Birch and Swinnerton-Dyer 1 963, 1 965] and [Cassels 1 966]).
To measure the relative size of Np and p as p varies, let us form the product
IT -JJ; . Because
P
-

4. Cultural Background

N = (i'i" - l)(a - 1 ) = ( ]!_

a
a - 1 )( !
p p
p
p
p

it follows that our product over p of the ratios

- 1) =

141

(p - a )(p - Zi ) ,
p
p

p/N can be written as follows:

p

p2
p
IJ NP = IJ (p - a )(p - ap ) = IJ
p
p
p
p

t
"" P
( -

p)

t - ""P

p)

One might expect that this infinite product would converge to zero if NP has a
tendency to be significantly larger than p, and would converge to a nonzero value
if
is equally likely to be above or below
As it happens, this infinite product
does not converge at all. However, it can be viewed as the value at s = l of the
function
1
.
t
P
""
II ( 1 ) ( - .'2. )

N
p

p.

This infinite product can easily be shown to converge for any s with real part
greater than 3 /2; and, like the Riemann zeta-function that it resembles, it can be
analytically continued onto the rest of the complex plane. (The latter property is
deep ; it has been proved for a very broad class of elliptic curves over Q, but
remains a conjecture for elliptic curves not in this class.) The Birch-Swinnerton
Dyer conjecture states that this function vanishes at s = I if and only if the
rank r of the group of E over Q is greater than zero, and that, moreover, its
order of vanishing at s = 1 is equal to r. The conjecture further says that the
leading coefficient in the Taylor expansion at s = 1 can be expressed in terms of
certain number-theoretic invariants of E. In the 1 980 ' s important partial results
were proved in support of this remarkable conjecture, but in its most general form
it remains a very difficult open problem.

4.4 The Sato-Tate Distribution

There is another question that naturally arises when we fix an elliptic curve
over Q, let vary, and study

N = #(E mod p) = p + 1 - a - Zi = p + I - 2 yp Re
p p
p
If we choose a to have non-negative imaginary part, then p-112a is on the upper
p
p
unit semicircle. Let eP E [0, 1r] be its argument. According to a conjecture of Sato
and Tate (see [Tate 1 965]), if E does not have complex multiplication (see the
end of 1 . 4), then as p increases the ep are distributed like the function sin2 e.
Equivalently, the probability that p-112a has argument between e and e 11e is
p
proportional (in the limit for large p and small !1e) to the area under the segment

( ) .

between e and e + !1e of the graph of the semicircle function y = Vf=XZ. (See the
drawing on the next page, where the shaded area is yf1x sin e(
cos e)f1e =
sin2 e 1 11e 1 , since

y = sin e

and X = COS e.)

fe

1 42

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

As far as I know, neither the Birch-Swinnerton-Dyer conjecture nor the Sato

Tate conjecture has had any application to cryptography. However, the somewhat
different question of how #E (IFp ) is distributed in the interval [p + 1
2Vfl, p +
I + 2YPJ for fixed p and variable coefficients a, b E IFP is important in elliptic
curve factorization [Lenstra I 987], elliptic curve primality testing [Goldwasser and
Kilian 1 986] , and the design of elliptic curve cryptosystems (see 3 . 3 ) .
-

4.5 Back to Cryptography:

Why No One Knows How to Find a "Factor Base"
Example 4. 1 . Let E be the elliptic curve Y2 + Y = X 3 X over the field Q of
rational numbers (see Exercise 2 of 3). Its group of rational points is infinite
cyclic and is generated by P = (0, 0). Using the formulas in 1 , it is easy to see
that 2 P = ( 1 , 0) and that, if the coordinates of nP are (x, y) for n :::: 2, then the
3
2
coordinates of (n + I ) P are ( ( ) - x, - ( ) + y - I ). So we can quickly compute
a table of the exact rational coordinates of nP for I :; n :; 50. To get an idea of
-

how fast the numerators and denominators of the coordinates grow, on the next
page we tabulated the absolute value of the y-coordinate of nP for 7 :; n :; 50.
Notice the parabolic appearance of this table. We see that the number of digits
needed to express the coordinates of nP grows quadratically as a function of n.
In other words, the height - defined as max{ l a l , l b l , l e i , l d l } for nP = (a/b, cjd)
(with x = a/b and y = cjd written in lowest terms) - grows superexponentially:

height(nP) = e0( n'l . It can be shown that this extremely rapid growth occurs for
any Q-point P of infinite order on an elliptic curve. In this connection see Exercise
9 of I .

This means that there are very few points on E mod p that can be obtained
by reduction modulo p of a Q-point of E having small height. This is in striking
contrast with the group IF;, many of whose elements are obtained by reducing
small integers modulo p. It is for this reason that most people are doubtful about
the possibility of applying to the elliptic curve discrete log problem the index
calculus methods that have been so successful in factoring integers and in finding
discrete logs in IF . For more discussion of this question see [Miller I986] .

4. Cultural Background

8
69
ill
435
343
2065
64
3612
12167
28888
24389
43355
205379
26161 19
2146689
28076979
30959144
332513754
274625
331948240
3574558889
8280062505
50202571769
641260644409
553185473329
18784454671297
43021 15807744
318128427505160
578280195945297
10663732503571536
1469451780501769
663163345
75107447
238670664494938073
8938035295591025771
13528653463047586625
58831063075349192
1 045
487424450554237378792
316361 13722016288336230
3432162824438440101 1 1
435912379274109872312968
2035972062206737347698803
4197440172185492981 1774227
63061816101
17 1 948456692661
2 1 8161629337133031
1419201915
4801616835579099275862827431
75438882723673582435599634760 I
495133617181351428873673516736
86493818646310922606526774743956
I 05831230775844387744754441796151
122016683239503259568882
1 9182513256
8087 1745605559864852893980186125
253863219659861232674408424330433645
14178548353
441787877145505009163000 1 1
80758747641526362425597637684850206815
2721731623875246881242101
10592404899171
43588991327 1 63432486545613116071636697601
346674091
18422632032070193604742966179656
13092420486726785928582676734341299347
1 15698
191 1563313687376346904659714182809942964351
218948344630454
30613 71288657290348890980594400
4593462133720075853302175244236393876880522193
878446167724531925433595104275654803292506071599
15267283591567237967601
2146
1 16976332770247608521
4807254728839078
1 19392263025228532640630997
5292943
2378445201665390432342402872337758652921
13468549857
12419643898898289363236991349175656292 1318307752469249
1583853196263084439374759692219941737 51192384064000
000
868821552128922745886
129830694180295524 10839095 1 53302800
7719988083527334876319975431871665925171
1787046519688993
5387 5991960 I 04970765283107373605344809310387645985049959200
1 12693242618274179956651080434 126947419217320185504463599
4736963419597991005921784696415662858882109120520022240208657
355249054882656146689928924348737
753020 I 08842889350429734899925927488449207
478407 5840220078303129323057
57678725926478259255853
17409395093926185106885631047952575457813864890094033864975902849
8988854703297735806987625854273224398026564032032776384182186736165
12789521 106940379462098473081947860361
167209079884962192477681 132744
14833357599838577779951 121277275124199036386947622283276346814
240664101
12217591
1
1452560613778332
1270302173 1989593599
4557778424776691316115
4372
2921408709420522 1480230038284783574921809 1 7657247420669644915752607
6526744
3987
454979903851
57
4416485987
4198500898417335456037004381292650442289963339
49253432232175037853939274934357858897623864482230655849646172771417862103019
1 1 1 1599924813736177345961430101881701789905659558155903791530971080388326125
1559271
12153376166237405 1 4518966145859285850662560621449737978910137952277603645
626031
19606309056626706148210887786481951
19381113554492507243553294512904673973173265
850386423 198272668162937613 1719799
65343698144990446428357439135977881 124804221
159564798621271700005828929931002008441744804573070282618997694000714045237979692864
27

143

1 44

Chapter 6 . Elliptic and Hyperelliptic Cryptosystems

5. Hyperelliptic Curves
In this section we shall give the main definitions and properties of hyperelliptic
curves and their jacobians. Details and proofs can be found in the Appendix.
Let IF be a finite field, and let lF denote its algebraic closure (see Definition
1 . 8 of Chapter 3).

5.1 Definitions

Definition 5.1. A hyperelliptic curve

of the form

C of genus g over IF (g 2: I )

C : v2 + h(u)v = f(u)

is an equation

IF[u, v] ,
(20)
where h(u) E IF[u] is a polynomial of degree at most g and f(u) E IF[u] is a monic
polynomial of degree 2g + 1 . This curve must be smooth at all points (x, y) E lF x lF
that satisfy the equation y 2 + h(x)y = f(x) (that is, no such points satisfy the partial
derivative equations 2y + h(x) = 0 and h'(x)y - J'(x) = 0).
Let lK be a field containing IF. By a IK-point P E C we mean either the symbol
oo (called the point at infinity on the curve C) or else a solution (x, y) E lK x lK
of the equation (20).
Definition 5.2. If P = (x, y) is a IK-point of the hyperelliptic curve (20), we define
its opposite P to be the other point with the same x-coordinate that satisfies the
equation of the curve: P = (x, -y - h(x)). If P = oo, we take P = oo .

Definition 5.3. A divisor o n C is a finite formal sum of IF-points D = I: m; P; .

Its degree i s the sum o f the coefficients I: m; . I f lK i s an algebraic extension of
IF, we say that D is defined over lK if for every automorphism IJ of lF that fixes

lK one has I: m;P[" = D, where pu denotes the point obtained by applying IJ to

the coordinates of P (and oo u = oo ) . Let D denote the additive group of divisors
defined over lK (where lK is fixed), and let D0 denote the subgroup consisting of
divisors of degree 0.

Definition 5.4. The greatest common divisor of D

= I: m;P; E D0 and D' =

I: m; P, E D0 is defined to be (I: min( m, , m;>P;) - ( * ) oo , where the coefficient
( * ) is chosen so that the greatest common divisor has degree 0.
IF
Definition 5.5. Given a polynomial G(u, v) E [u, v], we can considerIFG(u, v) as a
function on the curve (equivalently, as an element of the quotient ring [u, v]j(v 2 +
h(u)v - f(u)), see Example 4. 1 in Chapter 3). This means that we lower the power
of v in G(u, v) by means of the equation of the curve until we have an expression
of the form G(u, v) = a(u) - b(u)v. We let (G(u, v)) = (I; m;P;) - ( * ) oo E D0
denote the divisor of the polynomial function G(u, v), where the coefficient m; is
the "order of vanishing" of G(u, v) at the point P; . For a more precise definition,
see the Appendix.

5. Hyperelliptic Curves

145

Definition 5.6. A divisor of the form (G(u, v)) - (H(u, v)) - that is, the divisor
of the rational function G(u, v)/ H(u, v) - is called a principal divisor. We let .Jf

(more precisely, .Jf(lK), where lK is a field containing lF) denote the quotient of the
group ][))0 of divisors of degree zero defined over lK by the subgroup lP' of principal
divisors coming from G, H E JK[u, v]. .Jf = ][))0 /IP' is called the jacobian of the
curve.
5.2 Addition on the Jacobian

Definitions 5.3 and 5.6 apply to any curve C. Why, then, do we insist on working
with the jacobian group of a hyperelliptic curve? The first reason is that Definition
5.6 is rather abstract - .Jf is defined as the quotient of one infinite group by another.
In order to set up computations on .Jf one needs an easily described set of divisors
that represent the equivalence classes of ][))0 modulo lP'. In the case of hyperelliptic
curves, one can show (either using the Riemann-Roch theorem as in [Fulton 1 969]
or in a more elementary way as in the Appendix) that every element of .Jf can be
uniquely represented by a so-called reduced divisor.

2:: miP, - (*)oo E ][))0 is said to be reduced if:

l ) All of the m, are non-negative, and m, ::; l if Pi is equal to its opposite.
2) If Pi f. Pi , then Pi and Pi do not both occur in the sum.
3) I: m, ::; g.
Any reduced divisor D = I: miPi - ( * )oo E ][))0 can be uniquely represented as
the g.c.d. of the divisor of the function a(u) = fl(u - x,) m , and the divisor of the
function b(u) - v, where Pi = (xi , Yi) and b(u) is the unique polynomial of degree
less than deg(a(u)) such that b(xi) = y, for each i and b(u)2 + h(u)b(u) - j(u) is
Definition 5.7. A divisor D =

divisible by a(u). (See the Appendix for a proof.) If D is represented in this way,
we write D = div(a, b).
The second reason why we work with hyperelliptic rather than more general
curves is that it is relatively straightforward to add two elements of .Jf More
precisely, given two reduced divisors D1 = div(a1 , b 1 ) and D2 = div(a2 , b2), it is
not hard to compute the reduced divisor D3 that is equivalent to D1 + D2 in the
group Jr. The algorithm to do this is closely analogous to the classical number
theoretic algorithm for composing two binary quadratic forms. This algorithm goes
back to Gauss; for a modem treatment see, for example, Chapters 9-10 of [Rose
1 994] .
There i s a conceptual explanation for the existence of an algorithm for addi
tion on the jacobian of a hyperelliptic curve that is similar to the algorithm for
composing quadratic forms. From a modem viewpoint, the equivalence classes
of binary quadratic forms are elements of the divisor class group (usually called
the ideal class group) of the imaginary quadratic field Q( Vd) (where d is the
discriminant of the quadratic forms). In an analogous way, the hyperelliptic curve
(20) gives rise to the function field consisting of rational functions G(u, v)/ H(u, v)
considered modulo the quadratic relation v 2 + h(u)v = f(u). This function field is a
_

146

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

quadratic extension of the basic field JK(u), just as Q( Vd) is a quadratic extension
of the basic field Q. Moreover, the definition of the jacobian - the quotient of
the degree 0 divisors by the divisors of rational functions - is analogous to the
definition of the ideal class group of Q( Vd) as the quotient of the divisors (ideals)
by the principal ideals generated by elements of Q( Vd).
If our curve C were given by a more complicated equation in u and v, in which
v occurred to powers greater than 2, then this analogy would no longer hold, and
in most cases it would be much more difficult to compute in the jacobian of the
curve.
The algorithm for adding two reduced divisors D 1 = div(a 1 , b 1 ) and D2 =
div(a2 , b2 ) in .Jf is described in detail in the Appendix. Here we shall give the

algorithm only in the special case when the polynomials a1 (u) and a 2 (u) are
relatively prime. In that case we can use the Euclidean algorithm for polynomials
(see 3 of Chapter 3) to write s 1 a1 + s 2 a2 = 1 for some polynomials s 1 (u) and
sz(u). We set a = a 1 a2 , and we let b equal s 1 a 1 b2 + s 2 a 2 b 1 modulo a (that is, b is
the remainder when the polynomial s 1 a 1 b2 + s 2 a2 b1 is divided by a). If deg(a) :::; g,
we are done: we set D3 = div(a, b). Otherwise, we set a' = (f - hb - b2 )/a and
then b' = -h - b modulo a'. If deg(a') :::; g, we set D3 = div(a ' , b '). Otherwise,
we set a" = (f - hb' - b' 2 )ja' and b" = -h - b' modulo a", and so on, until we
obtain D3 = div(a3 , b3 ) with deg(a 3 ) :::; g. See the Appendix for a proof that ( I )
the degree of a, a', a" , . . keeps decreasing until it becomes less than or equal to
g, and (2) D3 = D 1 + Dz in .Jf.
.

5.3 The Zeta-Function

As in the case of elliptic curves, the zeta-function of a hyperelliptic curve is a basic

tool in computations. Let .Jf be the jacobian of a hyperelliptic curve C defined over
IF'q and given by the equation v 2 + h( u)v = j( u). Let IF'q " denote the de gree-r
extension of IF'q , and let Nr denote the order of the (finite) abelian group .Jf(IF' q " ).
Denote by Mr the number of IF'q r -points on C, including the point at infinity.
Definition 5.8. Let

#C(IF'q " ) for r 2:

1.

C be a hyperelliptic curve defined over IF'q , and let Mr =

The zetajunction of C is the power series
(2 1 )

The following theorem about the zeta-function, generalizing Theorem 1 . 1 , was

proved by A. Wei!.
Theorem 5.1. Let C be a hyperelliptic curve of genus
Z(C /IF'q ; T) be the zeta-function of C.
1 ) Z(C/IF'q ; T) is a rational function of the form

Z ( C/IF'q T)
' -

(1

g defined over IF'q

P(T)
- T)( l - qT) '

and let

(22)

5 . Hyperelliptic Curves

147

where P(T) is a polynomial of degree 2g with integer coefficients of the fo rm

P(T) = 1 + a1 T + + a9 _zT9 - 2 + a9 _ 1 T 9 - 1 + a9 T9
+ q a9 - 1 T 9+ 1 + l a9 _zT9+2 + + q 9 - 1 a 1 T2 9 - 1 + q 9 T2 9
2) P(T) factors as

g
P(T) = IT ( l - aiT)( l - ai T) ,
i: 1
where each a, is a complex number of absolute value y!i, and
complex conjugate of a,.
3) Nr = #.JJ (JF q r ) is given by

a,

denotes the

g
Nr = IT I 1 - a l 2 ,
i: 1
where

I I

(23)

denotes the usual complex absolute value. In particular, N1 = P( l ).

From Theorem 5. 1 it follows that to compute Nr for arbitrary r one needs

only to (i) find the coefficients a1 , a2 , . . . , a9 of P(T), hence determining P(T); (ii)
factor P(T) to obtain the ai ; and (iii) use equation (23). One can find a1 , a2 , , a9
by computing M1 , lvfz, . . . , M9 . Namely, we note that if we multiply both sides
of equation (22) by ( l - T)( l - q T), we obtain

P(T) = ( l - T)( l - qT)Z(C /Wq ; T) .

Taking logarithms of both sides, using (2 1), and then differentiating with respect
to T, we have
P'(T) "'
-- = L- (Mr+ 1 - l - q r+ 1 )Tr .
P(T) r:O:O
By equating coefficients of T0, T 1 , , yg- 1 on both sides, we see that the first
g values M1 , M2 , . . . , M9 suffice to determine the coefficients a1 , a2 , . . . , a 9 , and
hence Nr for all r.
The following procedure determines Nr in the case g = 2:
1 ) By exhaustive search, compute M1 and M2 .
2) The coefficients of Z ( C jWq ; T) are given by

a1 = Nh

- l -

and

3) Solve the quadratic equation X 2 + a1 X + (a2 - 2q) = 0 to obtain two solutions

'Y1 and 'Y2

4) Solve X 2 - 11 X + q = 0 to obtain a solution a1 , and solve X 2 - 'YzX + q = 0
to obtain a solution a2 .
5 ) Then Nr = 1 1 - a ] l 2 I I - a2 1 2 .

148

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

Exercises for 5

l . Let .JJ be the jacobian of a hyperelliptic curve C of genus g defined over lFq .
Show that Nr = #.]J(lFq r ) lies in the interval [( q r / 2 - 1 ) 2 9 , ( q r/ 2 + 1 ) 2 9 ] .
2. Suppose that the numerator of Z(CjlFq ; T) factors over IQ into a product of
polynomials of degree ::; do . Prove that any prime divisor of Nr = #.]J(lF q r ) is no
greater than ( qr 1 2 + 1 ) do . Thus, we have a better chance of getting groups with non
smooth order (see Definition 2.2) if the numerator of Z(C /lF q ; T) is irreducible
over IQ. (See [Koblitz l 99 l c] for results on irreducibility of the numerator of
Z(CjlF q ; T) for certain families of curves.)
3. Suppose that C has genus 2 and is defined over lFP ' where p > 2. If NI1
M2 = 1 (mod p) , prove that Nr = 1 (mod p) for all r.
4. Let C be a hyperelliptic curve of the form v 2 + v = j(u) defined over lF2 . Prove
that M1 = l (mod 2) and M2 = 1 (mod 4). If C has genus 2, prove that Nr is
odd for all r.
5. Let C have the form v2 + uv = j(u) over JF2 . Prove that M1 = 0 (mod 2) and
M2 = 0 (mod 4). If g = 2, prove that Nr is even for all r.

6. Let g = 2. By analogy with Exercise 15 of l , find a recursive relation involving

/'J and ')'2 that makes it possible to compute the sequence Nr very rapidly.
6. Hyperelliptic Cryptosystems

The elliptic curve Diffie-Hellman key exchange and ElGamal message transmis
sion that we discussed in 2 carry over word for word to the jacobian group of a
hyperelliptic curve.
To implement a hyperelliptic discrete log cryptosystem, a suitable curve C and
underlying finite field lF q must be selected. It is crucial that the order #.lJ(lF q ) of the
jacobian of C be divisible by a large prime number (see 2.3). Given the current
state of computer technology, #.lJ(lF q ) should be divisible by a prime number l of at
least 40 decimal digits. In addition, to avoid the attack of Frey* and Ri.ick [ 1 994],
which, generalizing [Menezes, Okamoto, and Vanstone 1 993], reduces the discrete
logarithm problem in .JJ ( lF q ) to the discrete logarithm problem in an extension field
lF;k , l should not divide q k - l for any small k (say, l ::; k ::; 2000/(log 2 q)).
A secondary consideration is that we would like for there to be efficient im
plementations of the arithmetic in lFq ; finite fields of characteristic 2 appear to be
the most attractice from this point of view.
* This is the same Frey who in 1 985 had the idea that ultimately led to Wiles' proof
of Fermat's Last Theorem (see 4.2); he subsequently became interested in elliptic and
hyperelliptic cryptography.

6. Hyperelliptic Cryptosystems

1 49

6. 1 Examples in Characteristic 2
Example 6. 1 . Consider the following hyperelliptic curve

IFz :

C of genus 2 defined over

By a simple count we find that ]1;!1 = 3 and M2 = 9; hence a1 = 0 and a2 = 2. The

solutions of X 2 - 2 = 0 are 'YI = J2 and 'Yz = - J2. Solving X 2 - J2X + 2 = 0,
we have a 1 = ( J2 + ;6i)/2; and solving X 2 + J2X + 2 = 0, we obtain a2 =
( - J2 + ;6i)/2. The numerator of the zeta-function is l + 2T2 + 4T4 , and
if r = 1 , 5 mod 6 ,
if r = 2, 4 mod 6
if r = 3 mod 6 ,
if r = 0 mod 6 .
,

For r = 1 0 1 ,

Nw1 =
= 642775217703596 1 102 167848369367 1 857 1 1 289268433934 16474761 6257,
which has prime factorization
7 607 . 1 5 1 276822241 373525586440300526410583932437477852063 1 853993 .
Hence, N1 0 1 is divisible by a 58-decimal digit prime /58 . However, since / 58 divides
(2 101 ) 3 1 , the system is vulnerable to the Frey-Ri.ick attack, and offers us no
more security than a discrete log system in IF2 JoJ . Hence the curve C is not suitable
for cryptographic applications.
-

u383 + l over IF 2 has genus g 1 9 1 .

Because of the special form of this curve, its zeta-function can easily b e computed
(see [Koblitz 1 99 1 c]); its numerator is l + (7 1 1 2 87 )T 1 91 + 2 1 9 1 T382 It turns out
that N = N1 is of the form 3/58 , where / 58 is the 58-digit prime
Example 6. 2. The hyperelliptic curve v2 + v

1 046 1 8362256444679397263 1570497937095686563 1 83433452530347

Unlike Example 6. 1 , this curve is not vulnerable to the Frey-Ri.ick reduction,
since /58 J 2 k - l for k ::; 2000. However, there is another reason why it would
not be wise to use a hyperelliptic curve of high genus over a small finite field. In
[Adleman, DeMarrais, and Huang 1994] the authors give an L p, gt ( 1 /2)-algorithm
(see Definition 3.2 of Chapter 2) for the discrete logarithm problem on the jacobian
of a high-genus hyperelliptic curve defined over IFP . In other words, for fixed p
their algorithm runs in time exp( 0( vg In g)) for large g. Although the algorithm in
its current form would not quite be feasible for the curve in this example, it is close
enough to the practical range that one cannot have confidence in the cryptographic
suitability of the curve. (Actually, the algorithm of Adleman, DeMarrais, and
Huang applies only to odd p; however, it is very likely that an analogous algorithm
can be developed for p = 2.)

150

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

The hyperelliptic curve v 2 + v = u 7 over JF'2 has genus g = 3. The

numerator of its zeta-function (see [Koblitz 1 99 1c]) is 1 - 2T3 + 8T6 . It turns out
that N47 is equal to 7142 , where 1 42 is the 42-digit prime

Example

6. 3.

398227592830903984669824 1 9047946078096 1 207 .

Neither the Frey-Ruck reduction nor the Adleman-DeMarrais-Huang algorithm
can feasibly be applied to this example.
6. 4. (a) Consider the curve v 2 + uv = us + u2 + 1 over JF' . The numerator
2
of the zeta-function (see [Koblitz 1 989]) is 1 - T - 2T3 + 4T4 . One finds that N6 1
is equal to 21 J7 , where 1 37 is the 37 -digit prime

Example

2658455988447243530986550320280662477 .
(b) If C is the curve v 2 + uv = u s + 1 over JF'2 , then the numerator of Z(C/lF'2 ; T)
is 1 + T + 2T3 + 4T4 , and one finds that N67 is equal to 814o, where 14o is the
40-digit prime
27222589355968729 1243746439787 10928461 87 .
As in Example 6.3, there is no known subexponential time algorithm that can
feasibly be applied to these two examples.
6.2 Example over a Large Prime Field
6. 5. Let n = 2g + 1 be an odd prime, and let p
the hyperelliptic curve

Example

1 (mod n). Consider

(24)
over JF'P . Its jacobian .JJ is a quotient of the jacobian of the famous Fermat curve
xn + yn = 1 , which in characteristic zero has no nontrivial rational points by Fer
mat's Last Theorem ([Wiles 1995] and [Taylor and Wiles 1 995]). These jacobians
have been studied for many years; in fact, it was the zeta-functions of Fermat
curves and "diagonal" hypersurfaces that Andre Wei! cited as evidence for his
famous conjectures [Wei! 1 949] . A detailed treatment can be found, for example,
in [Ireland and Rosen 1 990]. I will state what we need without proof.
Let ( = e 2 7n/ n , and let a E lF'p be a fixed non-nth-power. There is a unique
multiplicative map x on JF'; such that x ( a ) = (. We extend this character X to IFp
by setting x(O) = 0. The Jacobi sum of the character x with itself is defined as
follows:
(25)
J(x , x) = L x (y)x ( 1 - y) .

yE JF'p
For 1 :e:; i :e:; n - 1 let ai be the automorphism of the field Q(() such that ai(() = ( i .
Then an easy counting argument shows that the number of points on the curve
(24 ), including the point at infinity, is equal to

6. Hyperelliptic Cryptosystems

151

n-1
M = p + 1 + L: ai (J(x, x)) ;
i= 1

and one can also show (see [Wei! 1 949] and [Ireland and Rosen 1 990]) that
- J(x, X ) and its conjugates are the reciprocal roots of the numerator of the zeta
function of this curve. In other words,

The number N of points on the jacobian .JJ of C is equal to the value at I of the
numerator of Z(C/Wp ; T); that is,

n- 1
N = II a;(J(x, X ) + 1) = N(J(x , X ) + 1) ,
i= 1

(26)

where N denotes the norm of an algebraic number.

Along with the curve C given by (24), we also consider its "twists" by non
nth-powers and by non-squares. To do this, let /3 be a fixed non-square in IFP , and
consider the equation

/3 -i (v + ) 2 = a.J un +

for i = 0, I and j = 0, 1 , . . . , n - 1 , where a. is the fixed non-nth-power that was

chosen above. This equation can be rewritten in the form

(2 7 )
By analogy with (26) one finds that the number of points on the jacobian of the
curve (2 7 ) is given by

i = 0, 1 , j = 0, 1 , . . . , n - 1 .

(28)

When i = 0, it follows from (30) below that No,o is divisible by n2 and No,j
is divisible by n for j = 1 , 2, . . , n - 1 . Hence, in that case the most one can
hope for is that N0 , 0 jn2 or N0 ,1 /n be a prime. When i = 1 , there is no such
obstruction to N1 ,J itself being prime. Thus, after we compute J(x, x) for our
chosen n and p = I (mod n), we will want to compute the numbers (28) and
test n - 2 N0 , 0 , n - I No,/j , and N1 ,J for primality, j = 0, 1 , . . . , n 1 . Since N,,J is
of order p9 = p( n - I l 2 , we see that to get jacobians whose order is divisible by
a prime of at least 40 digits we should choose p greater than the bounds in the
following table:
.

>

1040

>

5
1 0 20

>

10 1 3

>

11
108

>

13
X

1 06

>

17

105

First suppose that n ;::: 13. Since p has order of magnitude 5000000 for n =
1 3 and less for n > 13, it is feasible to compute J(x, x) from the definition
(25 ) . However, because of the Adleman-DeMarrais-Huang algorithm, one should

152

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

choose n and p so that lnp > n; so we probably should take n = 1 3 . Thus, we

might choose n = 13 and p > 5000000, p = 1 (mod 1 3). For each such p, we
compute J(x, X ) from (25) and test the 26 numbers 1 9 No ,o, n No,j , and N1 ,j
for primality. When we find that the number in (28) is a prime or 1 3 or 1 69
times a prime, we can use the corresponding equation (27) for our hyperelliptic
cryptosystem.
For n :::; 1 1 we would like to have a way of computing the Jacobi sum J(x, x)
that is much faster than the definition (25). In the case n = 3 - that is, when C is
an elliptic curve - this is easy (and essentially goes back to Gauss, who gave an
explicit formula for the number of points on the curve (24) when n = 3). Namely,
let a be an integer such that a3 = 1 (mod p), a ?/=- 1 (mod p); such an a can be
found by computing a/P- 1 )/ 3 in IFp (Recall that a is a fixed non-cube in IFp ) Now
compute the greatest common divisor of p and a - ( in the Euclidean ring :[(],
( = ( - 1 + i J3)/2. Then J(x, x) = ( k g.c.d.(p, a - (), where the root of unity
( k is chosen so that J(x, X ) = - 1 (mod 3) in :[(]. This method of computing
J(x, x) is very fast, taking O(ln3 p) bit operations.
For n = 2g + 1 2 5, if we choose p to be a generalized Mersenne prime of the
form
an - 1
p= ,
then it is again very easy to compute J(x, x) . Suppose that a, our fixed non-nth
power modulo p, is chosen so that a (P- 1 ) / n = a (mod p). Then one can show
that
g
(29)
J(x, x) = ( k II (a - crj 1 (()) ,
i= 1

where ( k is chosen so that

(30)
in the ring :[(] (see p. 227 of [Ireland and Rosen 1 990] for (30)). Using the fact
that
(j = ( 1 + ( - 1 )j = 1 + j(( - 1 ) (mod (( - 1 )2 ) ,
it is trivial to find the value ( k , which depends only on a modulo n. In the case
n = 5, this root of unity is given in the following table:
a mod 5
(3 1 )
( lc
Letting n = 5 and a 2 105 , I quickly found the following cases where p =
a4 + a3 + a2 + a + 1 is prime and the order of the jacobian over IFP is divisible by

a large prime:

a = 100003 ,
p = 10001 30006400 14200 1 2 1 ,
N0 , 1 = 5 2000520059203862 158324 1 90070 1 8068330298 1
a = 10001 2 ,
p = 1000490090 1073692262 1 ,
N0 ,4 = 5 200 1 9608400055 1 5407 1 89980443046 127658801

6. Hyperelliptic Cryptosystems

and

a = 1000 1 8 ,

153

p = 10007301 999243381 1 15 1 ,

N1 ,o = 1001460933 1407 17778676780045695757701 334 1

I n the general case when p is not o f the form (an - 1 ) / (a - 1 ), it is still
possible to determine J(x, x) in polynomial time in ln p for fixed n. The key step
is to find a single generator for a prime ideal of Z[(] lying over p; one way to
do this is to use the LLL-algorithm [Lenstra, Lenstra, and Lovasz 1 982) to find
a short vector in the lattice in IRn - l corresponding to the ideal generated by the
two elements p and (a - () (where, as before, the rational integer a is an n-th root
of unity modulo p). More details can be found in [Buhler and Koblitz 1 998] ; see
also [Lenstra 1 975] and [Buchmann and Williams 1987].
6.3 Future Work

There are several areas of research that need to be pursued before hyperelliptic
curve cryptosystems are adopted in practical applications.
1 ) As in the case of elliptic curve cryptosystems, a key security question is wheth
er there exists a subexponential time algorithm for the discrete log problem in
the general case or for special classes of curves.
2) It would be worthwhile to investigate the conditions under which the reduction
in [Frey and Ruck 1994] leads to a subexponential time algorithm. Most likely,
except in the "supersingular case" (when all of the reciprocal roots of the zeta
function have the same "p-adic norm", as in Example 6. 1 but not in Examples
6.2-6.5), this almost never occurs.
3) The algorithm in [Adleman, DeMarrais, and Huang 1 994] should be improved
upon and extended to the case p = 2 and the case of powers q = pf with f > 1 .
4 ) Further research needs to be done on the efficient implementation of the ad
dition rule in the jacobian. Slightly more efficient algorithms may arise if one
considers different forms of the defining equation. Some asymptotically faster
variants of the reduction algorithm in the Appendix are described by Cantor
[ 1 987] (for large g) and by Petersen [ 1 994] (in the case g = 2).
5) One of the methods of looking for a suitable hyperelliptic curve is to select
at random a defining equation over a large finite field IFq and compute #](IFq )
directly. Pila [ 1990] presented a generalization of the algorithm in [Schoof
1 985] that does this in deterministic polynomial time (for fixed genus). As has
already happened in the case of elliptic curves, further work is likely to lead to
simplifications and increased efficiency, so that it becomes feasible to compute
the order of random jacobian groups. (See also [Poonen 1 996] and [Adleman
and Huang 1 996] .)

1 54

Chapter 6. Elliptic and Hyperelliptic Cryptosystems

Exercises for 6

1 . Using (29) and (3 1), find J(x, x) when n = 5, p = 1 1 .

2. In Example 6.5, make a table of ( k when n = 7 (see (3 1 )).

Appendix. An Elementary Introduction

to Hyperelliptic Curves

by Alfred J. Menezes, Yi-Hong Wu, and Robert J. Zuccherato

This appendix is an elementary introduction to some of the theory of hyperelliptic

curves over finite fields of arbitrary characteristic that has cryptographic relevance.
Cantor's algorithm for adding in the jacobian of a hyperelliptic curve is presented,
along with a proof of its correctness.
Hyperelliptic curves are a special class of algebraic curves and can be viewed
as generalizations of elliptic curves. There are hyperelliptic curves of every genus
g 2: l . A hyperelliptic curve of genus g = 1 is an elliptic curve. Elliptic curves have
been extensively studied for over a hundred years, and there are many books on
the topic (for example, [Silverman 1986 and 1 994], [Husemoller 1 987], [Koblitz
1 993], [Menezes 1 993]).
On the other hand, the theory of hyperelliptic curves has not received a s much
attention by the research community. Most results concerning hyperelliptic curves
which appear in the literature on algebraic geometry are couched in very general
terms. For example, a common source cited in papers on hyperelliptic curves is
[Mumford 1984] . However, the non-specialist will have difficulty specializing (not
to mention finding) the results in this book to the particular case of hyperelliptic
curves. Another difficulty one encounters is that the theory in such books is usually
restricted to the case of hyperelliptic curves over the complex numbers (as in
Mumford's book), or over algebraically closed fields of characteristic not equal to
2. The recent book [Cassels and Flynn 1 996] is an extensive account of curves of
genus 2. (Compared to their book, our approach is definitely "low-brow".)
Recently, applications of hyperelliptic curves have been found in areas outside
algebraic geometry. Hyperelliptic curves were a key ingredient in Adleman and
Huang's random polynomial-time algorithm for primality proving [Adleman and
Huang 1 992] . Hyperelliptic curves have also been considered in the design of error
correcting codes [Brigand 1 99 1 ] , in the evaluation of definite integrals [B ertrand
1 995], in integer factorization algorithms [Lenstra, Pila and Pomerance 1993],
and in public-key cryptography (see Chapter 6 of the present book). Hyperelliptic
Authors' addresses: Alfred J. Menezes, Department of Combinatorics and Optimization,
University of Waterloo, Waterloo, Ontario, Canada N I L 3G l , e-mail: ajmeneze @ math.
uwaterloo.ca; Yi-Hong Wu, Department of Discrete and Statistical Sciences, Auburn Uni
versity, Auburn, AL 36849, USA; Robert J. Zuccherato, Entrust Technologies, 7 5 0 Heron
Road, Ottawa, Ontario, Canada Kl V 1 A7, e-mail: robert.zuccherato @entrust.com .

! 56

Appendix. An Elementary Introduction to Hyperelliptic Curves

curves over finite fields of characteristic two are particularly of interest when
implementing codes and cryptosystems.
Charlap and Robbins [ 1988] presented an elementary introduction to elliptic
curves. The purpose was to provide elementary self-contained proofs of some
of the basic theory relevant to Schoof's algorithm [Schoof 1985] for counting the
points on an elliptic curve over a finite field. The discussion was restricted to fields
of characteristic not equal to 2 or 3. However, for practical applications, elliptic
and hyperelliptic curves over characteristic two fields are especially attractive.
This appendix, similar in spirit to the paper of Charlap and Robbins, presents
an elementary introduction to some of the theory of hyperelliptic curves over
finite fields of arbitrary characteristic. For a general introduction to the theory of
algebraic curves, consult [Fulton 1969] .
1. Basic Definitions and Properties
Definition 1.1. Let ][i' be a field and let iF be the algebraic closure of ][i' (see
Definition 1 . 8 of Chapter 3). A hyperelliptic curve C of genus g over ][i' (g 1 )

is an equation of the form

C

v 2 + h(u)v = j(u)

lF'[u, v] ,

(1)

where h(u) E lF'[u] i s a polynomial of degree at most g, j(u) E ][i' [u ] is a monic

polynomial of degree 2g + 1 , and there are no solutions (u, v) E iF x iF which
simultaneously satisfy the equation v 2 + h(u)v = f(u) and the partial derivative
equations 2v + h(u) = 0 and h'(u)v - f'(u) = 0.
A singular point on C is a solution (u, v) E iFx iF which simultaneously satisfies
the equation v2 + h(u)v = f(u) and the partial derivative equations 2v + h(u) = 0
and h'(u)v - f'(u) = 0. Definition 1 . 1 thus says that a hyperelliptic curve does not
have any singular points.
For the remainder of this paper it is assumed that the field ][i' and the curve C
have been fixed.

Lemma 1.1. Let C be a hyperelliptic curve over ][i' defined by equation ( 1 ).

1 ) If h(u) = 0, then char(lF') f. 2.

If char(lF') f. 2, then the change of variables u ---> u, v ---> (v - h(u)/2)
transforms C to the form v 2 = f(u) where degu f = 2g + 1.
3) Let C be an equation of the form ( 1 ) with h(u) = 0 and char(lF') f. 2. Then C
is a hyperelliptic curve if and only if j(u) has no repeated roots in iF.

2)

Proof.
l ) Suppose that

h(u) = 0 and char(lF') = 2. Then the partial derivative equations

reduce to f'(u) = 0. Note that degu J'(u) = 2g. Let x E iF be a root of the
equation f'(u) = 0, and let y E iF be a root of the equation v 2 = f(x). Then
the point (x, y) is a singular point on C. Statement 1) now follows.

 1 . Basic Definitions and Properties

157

2) Under this change of variables, the equation (l) is transformed to

(v - h(u)/2)2 + h(u)(v - h(u) / 2) = f(u) ,
which simplifies to v 2 = f(u) + h(u)2 /4; note that deguCf + h2 /4) = 2g + l .
3) A singular point (x, y ) on C must satisfy y2 = j(x), 2 y = 0 , and f'(x) = 0.
Hence y = 0 and x is a repeated root of the polynomial j(u). D
Definition 1.2. Let lK be an extension field of IF. The set of lK-rational points on
C, denoted C(JK), is the set of all points P = (x, y) E lK x lK that satisfy the
equation ( 1 ) of the curve C, together with a special point at infinity* denoted oo .

The set of points C(JF) will simply be denoted by C. The points in C other than
oo are called .finite points.
Example 1 . 1 . The illustrations on the next page show two examples of hyperelliptic
curves over the field of real numbers. Each curve has genus g = 2 and h(u) = 0.

Definition 1.3. Let P = (x-"--y ) be a finite point on a hype_Eelliptic curve C. The

opposite of P is the point P = (x, -y - h(x)). (Note that P is indeed on C.) We
also dfine the opposite of oo to be oo = oo itself. If a finite point P satisfies
P = P, then the point is said to be special; otherwise, the point is said to be
ordinary.
:

v 2 + uv = u5 + 5u4 + 6u 2 + u + 3 over the

finite field JF'7 Here, h(u) = u, f(u) = u5 + 5u4 + 6u2 + u + 3 and g = 2. It can
be verified that C has no singular points (other than oo ) , and hence C is indeed a
hyperelliptic curve. The IF rrational points on C are
C(lF'7 ) = {oo , ( 1 , 1), ( 1 , 5), (2, 2), (2, 3), (5 , 3), (5 , 6), (6, 4)}
The point (6, 4) is a special point.
1 ) C1 : v2 = u5 + u4 + 4u3 + 4u2 + 3u + 3 = (u + 1)(u2 + l )(u2 + 3). The graph of
Example 1.2. Consider the curve C

cl in the real plane is shown below.

* The point at infinity lies in the projective plane P2(lF). It is the only projective point
lying on the line at infinity that satisfies the homogenized hyperelliptic cure e ation. If
g ;::: 2, then oo is a singular (projective) point; this is allowed, since oo rt lF x JF.

158

Appendix. A n Elementary Introduction t o Hyperelliptic Curves

2) C2 : v2 = u s - 5u 3 + 4u = u(u - 1 )(u + l )(u - 2)(u + 2). The graph of C2 in

the real plane is shown below.

IF2s = IF2 [x]j(x s + x 2 + 1 ), and let a be a

root of the primitive polynomial x 5 + x2 + 1 in IF2, . The powers of a are listed in
Table 1 .
Example 1.3. Consider the finite field

an
0
1
a
2
az
3
a3
4
a4
a2 + 1
5
6
a3 + a
7
a4 + az
8 a3 + a2 + 1
9 a4 + a3 + a
a4 + 1
10

...11..

...11..

11
12
13

14
15

16
17
18
19
20

21

a2 + a + 1
a3 + a2 + a
a4 + a3 + az
4
a + a3 + a2 + 1
a4 + a3 + a2 + a + 1
a4 + a3 + a + 1
a4 + a + 1
a+l
a2 + a
a3 + a2
a4 + a3

Table 1. Powers of a in the finite field

an
a4 + a 2 + 1
22
23 a3 + a2 + a + 1
24 a4 + a3 + a2 + a
a4 + a3 + 1
25
26 a4 + a2 + a + 1
27
a3 + a + 1
a4 + a 2 + a
28
a3 + 1
29
a4 + a
30
31

...11..

IF2s = IF2 [x]j(x5 + x 2 + 1 )

Consider the curve C : v 2 + (u2 + u)v = us + u3 + 1 of genus g = 2 over the

finite field lF'2s Here, h(u) = u2 + u and f(u) = us + u3 + 1 . It can be verified that
C has no singular points (other than oo ) , and hence C is indeed a hyperelliptic
curve. The finite points in C(IF2s ), the set of lF'2s -rational points on C, are:
.

(1 , 1)
(as , a I S ) (as , a27 )
(a 9 , a3 0 ) (a i o , a 23) (a iO , a3o )
(a i s , a s ) (a I s , a23) (a is , a29 )
(azo , a 29 ) (a23 , 0) (a23 , a4 )
(a27 , a 2 ) (azs , a7 ) (azs , a i6 )
(a3 o , a i6 )
Of these, the points (0, 1) and ( 1 , l ) are special.
(0, 1 )
(a 9 , a 27 )
(a I s , 0)
(azo , a I S )
(a27 , 0)
(a3o , 0)

(a7 , a4 )
(a 14 , a 8 )
(a i9 , a 2 )
(az s , a)
(a29 , 0)

(a? , a zs)
(a i4 , a i9 )
(a i9 , a28 )
(a z s , a i4 )
(a29 , a)

2. Polynomial and Rational Functions

159

2. Polynomial and Rational Functions

This section introduces basic properties of polynomials and rational functions that
arise when they are viewed as functions on a hyperelliptic curve.
Definition 2.1. The coordinate ring of C over

ring

lF' [C]

JF', denoted

lF'[C] , is the quotient

lF' [u, v]/(v2 + h(u)v - f(u)) ,

where (v2 + h(u)v - f(u)) denotes the ideal in lF'[u, v] generated by the polynomial
+ h(u)v - /(u).(See Example 4. 1 in Chapter 3 for the definition of "quotient
ring".) Similarly, the coordinate ring of C over lF is defined as
v2

lF[C]

F[u, v]j(v 2 + h(u)v - f(u)) .

An element of F[C] is called a polynomial function on C.

Lemma 2.1. The polynomial r(u, v) = v 2
and hence F[C] is an integral domain.

+ h(u)v - f(u) is

irreducible over lF,

Proof. If r(u, v) were reducible over lF, it would factor as (v - a(u))(v - b(u))
for some a, b E F[u] . But then degu(a b) = degu f = 2g + 1 and degu(a + b) =
degu h ::; g, which is impossible. 0

Observe that for each polynomial function G(u, v) E F[C] , we can repeat
edly replace any occurrence of v 2 by f(u) - h(u)v, so as to eventually obtain a
representation
G(u, v)

a(u) - b(u)v ,

where a(u) , b(u) E lF[u] .

It is easy to see that the representation of G(u, v) in this form is unique.

Definition 2.2. Let G(u, v) = a(u) - b(u)v be a polynomial function in lF'[C] .
The conjugate of G(u, v) is defined to be the polynomial function G(u, v) =
a(u) + b(u)(h(u) + v).
Definition 2.3 Let G(u, v) = a(u) - b(u)v be a polynomial function in F[C]. The
norm of G is the polynomial function N(G) = GG .

The norm function will be useful in transforming questions about polynomial

functions in two variables into easier questions about polynomials in a single
variable.
Lemma 2.2. Let G, H E F[C] be polynomial functions.
l) N(G) is a polynomial in F[u].
2) N(G) = N(G).
3) N(GH) = N(G)N(H).

1 60

Appendix. An Elementary Introduction to Hyperelliptic Curves

G = a - bv and H = e - dv, where a, b, e, d E iF[u] . *

1 ) Now, G = a + b(h + v) and

Proof. Let

2)

N(G) = G G = (a - bv)(a + b(h + v)) = a2 + abh - b2 f E iF[u]

The conjugate of G is

G = (a + bh) + ( - b)(h + v) = a - bv = G .
3)

N(G) = G G = GG = N(G).
GH = (ae + bdj) - (be + ad + bdh)v, and its conjugate is
GH = (ae + bdj) + (be + ad + bdh)(h + v)

Hence

= ae + bdf + beh + adh + bdh2 + bev + adv + bdhv

= ae + be(h + v) + ad(h + v) + bd(h2 + hv + f)
= ae + be(h + v) + ad(h + v) + bd(h2 + 2hv + v 2 )
= (a + b(h + v))(c + d(h + v))

=GH .
Hence

N(GH) = GHGH = GHG H = GGHH = N(G)N(H). o

Definition 2.4. The function field IF( C) of C over IF is the field of fractions of
IF[ C) . Similarly, the function field iF( C) of C over iF is the field of fractions of
iF[ C). The elements of iF( C) are called rational functions on C.

Note that iF[ C) is a subring of iF( C), i.e., every polynomial function is also a
rational function.
Definition 2.5. Let R E iF(C), and let P E C, P f. oo. Then R is said to be
defined at P if there exist polynomial functions G, H E iF[C] such that R = G / H
and H(P) f. 0; if no such G, H E iF[ C) exist, then R is not defined at P. If R is
defined at P, the value of R at P is defined to be R(P) = G(P)/ H(P).

It is easy to see that the value R(P) is well-defined, i.e., it does not depend
on the choice of G and H. The following definition introduces the notion of the
degree of a polynomial function.
Definition 2.6. Let G(u, v) = a(u) - b(u)v be a nonzero polynomial function in
iF[ C) . The degree of G is defined to be

deg ( G ) = max { 2 deg u (a) , 2g + l + 2 deg u (b) }

Lemma 2.3. Let

G, H E iF[ C).

l) deg(G) = degu (N(G)).

* If not explicitly stated otherwise, the variable in all polynomials will henceforth be
assumed to be u .

3. Zeros and Poles

2)

161

deg(G H) = deg(G) + deg(H).

3) deg(G) = deg(G).

Proof.

1) Let G = a(u) - b(u)v. The norm of G is N(G) = a 2 + abh - b2 f. Let d 1 =

degu(a(u)) and d2 = degu(b(u)). By the definition of a hyperelliptic curve,

degu(h(u)) ::; g and deguCf(u)) = 2g + 1. There are two cases to consider:
Case 1: If 2d1 > ig + 1 + 2d2 then 2d1 :2: 2g + 2 + 2d2 , and hence d1 :2: g + I + d2
Hence
degu(a2 ) = 2dl :2: d1 + g + 1 + d2 > d1 + d2 + g :2: degu(abh) .

Case 2: If 2d1 < 2g + 1 + 2d2 then 2d 1 ::; 2g + 2d2 , and hence d1

::; g + d2 Thus,
.

degu(abh) ::; d1 + d2 + g ::; 2g + 2d2 < 2g + 2d2 + 1 = degu(b2 j) .

It follows that
degu(N(G)) = max(2dl , 2g + 1 + 2d2 ) = deg(G) .
2)

We have
deg(GH) = degu(N(GH)) , by 1)
= degu(N(G)N(H)) , by part 3) o f Lemma 2.2
= degu(N(G)) + degu(N(H))
= deg( G) + deg( H) .

3) Since N(G) = N(G), we have deg(G) = degu(N(G)) = degu(N(G)) = deg(G).

0

R = G / H E IB\C) be a rational function.

1) If deg(G) < deg(H) then the value of R at oo is defined to be R(oo) = 0.

Definition 2.7. Let

If deg(G) > deg(H) then R is not defined at oo.

3) If deg(G) = deg(H) then R(oo) is defined to be the ratio of the leading coef
ficients (with respect to the deg function) of G and H.

2)

3. Zeros and Poles

This section introduces the notion of a uniformizing parameter, and the orders of
zeros and poles of rational functions.

f(C) be a nonzero rational function, and let P E C. If

R(P) = 0 then R is said to have a zero at P. If R is not defined at P then R is
said to have a pole at P, in which case we write R(P) = oo.
Definition 3.1. Let R E

Lemma 3.1. Let G E f[C] be a nonzero polynomial function, and let P

G(P) = 0, then G( ih = 0.

C.

If

1 62

Appendix. An Elementary Introduction to Hyperelliptic Curves

Proof. Let G = a(u) - b(u)v and P = (x, y). Then G = a(u) + b(u)(v + h(u)),
P = (x, -y - h(x)), and G( P) = a(x) + b(x)( -y - h(x) + h(x)) = a(x) - yb(x) =
G ( P ) = 0. D

The next three lemmas are used in the proof of Theorem 3 . 1 , which establishes
the existence of uniformizing parameters.
Lemma 3.2. Let P = (x, y) be a point on C. Suppose that a nonzero polynomial
function G = a(u) - b(u)v E lF[C] has a zero at P, and suppose that x is not a
root of both a(u) and b(u). Then G(P) = 0 if and only if P is a special point.
Proof. If P is a special point, then G(P) = 0 by Lemma 3 . 1 . Conversely, suppose
that P is an ordinary point, i.e., y :f. ( -y - h(x)). If G(P) = 0 then we have:
a(x) - b(x)y = 0
a(x) + b(x)(h(x) + y) = 0 .

Subtracting the two equations, we obtain b(x) = 0, and hence a(x) = 0, which
contradicts the hypothesis that x is not a root of both a(u) and b(u). Hence if
G(P) = 0, it follows that P is special. D
Lemma 3.3. Let P = (x, y) be an ordinary point on C, and let G = a(u) - b(u)v E
!F[C] be a nonzero polynomial function. Suppose that G(P) = 0 and x is not a
root of both a(u) and b(u). Then G can be written in the form (u - x)" S, where
8 is the highest power of (u - x) that divides N(G), and S E lF(C) has neither a
zero nor a pole at P.
Proof. We can write

G=G.

= N!!}) = a2 + abh - b2 f

a + b(h + v)
G
G
Let N(G) = (u - x)8 d(u), where 8 is the highest power of (u - x) that divides
N(G) (so d(u) E lF[u] and d(x) :f. 0). By Lemma 3 2 , G(P) :f. 0. Let S = d(u)jG.
Then G = (u - x)8 S and S(P) :f. 0, oo. D
.

Lemma 3.4. Let P = (x, y) be a special point on C. Then (u - x) can be written

in the form (v - y)2 S(u, v), where S(u, v) E IF( C) has neither a zero nor a pole
at P.

Proof. Let H = (v - y) 2 and S = (u - x)j H, so that (u - x) = H S. We will show

that S(P) :f. 0, oo. Since P is a special point, 2y + h(x) = 0. Consequently, since
P is not a singular point, we have h'(x)y - f'(x) :f. 0. Also, f(x) = y2 + h(x)y =
y 2 + ( - 2y)(y) = -y 2 Now,
H(u, v) = (v - y)2 = v2 - 2yv + y2 = f(u) - h(u)v - 2yv + y2 .

Hence

1
_=
S(u, v)

( f(u) + y2 ) - v ( h(u) + 2y )
u-x

u-x

(2)

3. Zeros and Poles

1 63

Notice that the right hand side of (2) is indeed a polynomial function. Let s(u) =
H(u, y), and observe that s(x) = 0. Moreover, s'(u) = J'(u) - h'(u)y , whence
s'(x) -f. 0. Thus (u - x) divides s(u), but (u - x)2 does not divide s(u). It f<Jllows
that the right hand side of (2) is nonzero at P, and hence that S(P) -f. 0, oo , as
required. 0

Theorem 3.1. Let P E C. Then there exists a function U E iF\C) with U(P) = 0
such that the following property holds: for each nonzero polynomial function G E
iF[C], there exist an integer d and a function S E iF( C) such that S(P) i 0, oo
and G = U d S. Furthermore, the number d does not depend on the choice of U.
The function U is called a uniformizing parameter for P.
Proof. Let G(u, v) E iF[C] be a nonzero polynomial function. If P is a finite point,
suppose that G(P) = 0; if P = oo, suppose that G(P) = oo. (If G(P) =/= 0, oo,

then we can write G = U0 G where U is any polynomial in iF[C] satisfying

U(P) = 0.) We prove the theorem by finding a uniformizing parameter for each
of the following cases: 1 ) P = oo; 2) P is an ordinary point; and 3) P is a special
point.
1) We show that a uniformizing parameter for the point P = oo is U = u9 jv.
First note that U(oo) = 0 since deg(u9 ) < deg(v). Next, write

- deg(G). Let S = (vjug ) d G. Since deg(v) - deg(u9 ) = 2g + 1 2g = 1 and d = - deg(G), it follows that deg(u- g d G) = deg(v- d ). Hence
S(oo) -f. 0, oo.
2) Assume now that P = (x, y) is an ordinary point. We show that a uniforrnizing
parameter for P is U = (u - x); observe that U(P) = 0. Write G = a(u) - b(u)v.
Let (u - x Y be the highest power of (u - x) which divides both a(u) and b(u),
and write
G(u, v) = (u - xnao(u) - b0 (u)v) .
By Lemma 3.3, we can write (a0 (u) - b0 (u)v) = (u - x)8S for some integer
s 2: 0 and some S E iF(C) such that S(P) "f. 0, oo. Hence G = (u - xrs s
satisfies the conclusion of the theorem with d = r + s.
3) Assume now that P = (x, y) is a special point. We show that a uniformizing
parameter for P is U = (v - y); observe that U(P) = 0. By replacing any
powers of u greater than 2g with the equation of the curve, we can write
G(u, v) = u29 bz9 (v) + u2 9 - 1 bz g - 1 (v) + + ub 1 (v) + bo(v) ,
where each bi(v) E iF[v]. Replacing all occurrences of u by ((u - x) + x) and
expanding, we obtain
G(u, v) = (u - x)29 bz 9 (v) + (u - x)29 - 1 bzg - l (v) + + (u - x)b1 (v) + bo(v)
= (u - x)B(u, v) + bo(v) ,
where d

1 64

Appendix. An Elementary Introduction to Hyperelliptic Curves

where each bi(v) E F[v], and B(u, v) E F [C]. Now G(P) = 0 implies bo(Y ) =
0, and so we can write b0(v) = (v - y)c(v) for some c E F[v]. By the proof of
Lemma 3.4 (see equation (2)), we can write (u - x) = (v - y)2 /A(u, v), where
A(u, v) E F[C] and A(P) :f. 0, oo. Hence

)B(u, v) + c(v)
G(u, v) = (v - y) -}(u,
v)
(v
y)
[(v
v)
v)c(v)]
=
A (u, v) - y)B(u, + A(u ,
(v - y)
det
=
A(u, v) G J (U, v )

[ (v

Now if G1 (P) :f. 0, then we are done, since we can take S = GJ /A . On the
other hand, if G 1 (P) = 0, then c(y) = 0 and we can write c(v) = (v - y)cJ (v)
for some c 1 E F[v ]. Hence
G = (v - y) 2

[ BA(u,(u, v)v) + CJ (v)]

(v - y)2 [B(u, v) + A(u, v)c (v)

1 ]
A(u, v )
(v - Y i G (u, v ) .
=
A(u , v) 2
=

def

Again, if G 2 (P) :f. 0, then we are done. Otherwise, the whole process can be
repeated. To see that the process terminates, suppose that we have pulled out
k factors of v - y. There are two cases to consider.
a) If k is even, say k = 2l, we can write

(v - yf1
A(u, v)l D(u, v)
where D E iF[C]. Hence, A1G = (v - y) 2 1 D = (u - xi A1 D, whence
G = (u-x)1 D. Taking norms of both sides, we have N(G) (u-xi1 N(D).
G=

Hence k S degu(N(G)).
b) If k is odd, say k = 2l + 1, we can write

(v y)2 ! + 1 u v)
A(u, v)l + l D ( , '
where D E iF[C]. Hence, A 1 + 1 G = (v - y)2 1 + 1 D (u - xiA1(v - y)D,
whence AG = (u - x)1(v - y)D. Taking norms of both sides, we have
N(AG) = (u - xi1 N(v - y)N(D). Hence 2l < degu(N(AG)), and so
G=

k s degu(N(AG)).
In either case, k is bounded by degu(N(AG)), and so the process must termi
nate.
To see that d is independent of the choice of U, suppose that U1 is another
uniformizing parameter for P. Since U(P) = U1 (P) = 0, we can write U = Uf A

3. Zeros and Poles

1 65

and U1 = Ub B, where a 1 , b 1, A, B E F(C), A(P) f. 0, oo, B ( P) f.

0, oo. Thus U = (Ub B)a A = uab BaA. Dividing both sides by U, we Qbtain
uab- I BaA = 1 . If we substitute P in both sides of this equation, we see that
ab - 1 = 0. Hence a = b = 1 . Thus G = UdS = Uf (AdS), where AdS has neither
a zero nor a pole at P. 0
The notion of a uniformizing parameter is next used to define the order of
a polynomial function at a point. An alternative definition from [Koblitz 1989],
which is more convenient to use for computational purposes, is given in Definition
3.3. Lemma 3.6 establishes that these two definitions are in fact equivalent_
P E C.
Let u E F(C) be a uniformizing parameter for P, and write G = uds where
S E F(C), S(P) f. 0, oo. The order of G at P is defined to be ordp(G) = d.

Definition 3.2. Let G E F[C] be a nonzero polynomial function, and let

Lemma 3.5. Let G 1 , Gz E F[C] be nonzero polynomial functions, and let P E

Let ordp(G 1 ) = r 1 , ordp(Gz ) = rz .

I ) ordp(GI Gz) = ordp(G 1 ) + ordp(Gz).

2)

If r1

f. rz, then ordp(GI + Gz) = rnin(r1 , rz). If r 1 = rz and G1 f. - G2,

+ Gz) rz .

ordp(G 1

C.

then

U be a uniformizing parameter for P. By Definition 3.2, we can write

G I = ur, S I and Gz = ur, Sz, where SI , Sz E F( C), s! (P) f. 0, 00 , Sz(P) F 0, 00 .
Without loss of generality, suppose that r 1 r2 .
1) G I G2 = ur, +r'(SI Sz), from which it follows that ordp(G I G z ) = Tj + 1"2 .
2) G l + Gz = ur'(Ur, -r, s! + Sz). If Tj > Tz , then (Ur, -r, SI )(P) = 0, S2(P) f.
0, oo, and so ordp(G 1 + Gz) = rz. If r1 = rz , then (81 + Sz)(P) f. oo (although it
may be the case that (81 + S2 )(P) = 0), and so ordp(G 1 + Gz) r2 . 0
Proof. Let

We now give an alternate definition of the order of a polynomial function at a

point.
Definition 3.3. Let G = a(u) - b(u)v E F[C] be a nonzero polynomial function,
and let P E C. The order of G at P, denoted ordp(G), is defined as follows:

1) If P = (x , y) is a finite point, then let r be the highest power of

2)

('U

- x)

that divides both a(u) and b(u), and write G(u, v) = (u - xr<a0(u) - b0(u)v).
If a0(x) - b0(x)y f. 0, then let s = 0; otherwise, let s be the highest power
of (u - x) that divides N(a0(u) - bo(u)v) = a6 + aoboh - b6f. If P is an
ordinary point, then define ordp(G) = r + s. If P is a special point, then define
ordp(G) = 2r + s .
If P = oo, then
ordp(G) =

- max { 2 degu (a), 2g + 1 + 2 degu (b) } .

Lemma 3.6. Definitions 3.2 and 3.3 are equivalent. That is, if the order function
of Definition 3. 3 is denoted by ord, then ordp(G) = ordp(G) for all P E C and
all nonzero G E F[ C] .

1 66

Appendix. An Elementary Introduction to Hyperelliptic Curves

Proof. If P = oo, the lemma follows directly from the proof of part 1 ) of Theorem

3. 1 . For the case when P is an ordinary point, the lemma follows directly from
Lemma 3.3 and the proof of part 2) of Theorem 3. 1 .
Suppose now that P = (x, y ) is a special point, and let G = a - bv. Let r be
the highest power of (u - x) which divides both a(u) and b(u), and write
G = (u - x t{ ao(u) -

def

bo(u)v) = (u - x r H(u, v) .

Let ordp(H) = s. Then, by Lemma 3 .4,

ordp(G) = ordp((u - xn + ordp(H) = 2r + s .
Now since v - y is a uniformizing parameter for P, we can write
Multiplying both sides by A2 and taking norms, we have
N(A z )N(H) = (y2 + h(u)y - f(u))8 N(AI ) .
Now N(A 1 )(x) f. 0, since A 1 (P) f. 0 and P is special (Lemma 3 . 1 ). Similarly,
N(A2 )(x) f. 0. Also, u = x is a root of the polynomial y2 +h(u)y - f(u). Moreover,
u = x is not a double root of y2 + h(u)y - f(u), since h'(x)y - f'(x) f. 0. It
follows that (u - x) 8 is the highest power of (u - x) that divides N(H). Hence,
ordp(G) = 2r + s = ordp(G). 0
Lemma 3.7 is a generalization of Lemma 3 . 1 .
Lemma 3.7. Let G E iF[C] be a nonzero polynomial function, and let P E C.
Then ordp(G) = ord _p (G).
Proof. There are two cases to consider.

1 ) Suppose P = oo; then P = oo. By Definition 2.6 and part 2) of Definition

3.3, ordp(G) = - deg(G) and ord _p(G) = ordp(G) = - deg(G). By part 3) of
Lemma 2.3, deg(G) = deg(G). Hence, ordp(G) = ord _p(G).
2) Suppose now that P = (x, y) is a finite point. Let G = a(u) - b(u)v = (u xr H (u , v), where r is the highest power of (u - x) that divides both a(u) and
b(u) and H(u, v) = ao(u) - bo(u)v. If H(x , y) f. 0, then let s = 0; otherwise,
let s be the highest power of (u - x) that divides N(H). Now G = (u - xr H,
where H = (ao + boh) + bov. Recall that H(P) = 0 if and only if H(P) = 0.
Since (u - x) does not divide both ao + boh and bo (since otherwise, (u - x)Jao),
and s is the highest power of (u - x) that divides N(H) = N(H), it follows
from Definition 3.3 that ord _p(G) = ordp(G). 0
Theorem 3.2. Let G E iF[C] be a nonzero polynomial function. Then G has a .finite
number of zeros and poles. Moreover, I: P E G ordp(G) = 0.
Proof. Let n = deg(G); then deg,.(N(G)) = n. We can write

N(G) = GG = (u - XJ )(u - Xz ) (u - Xn )

4. Divisors

1 67

where x, E iF, and the Xi are not necessarily distinct. The only pole of G is at p =
oo, and ord00 (G) = -n. If Xi is the u-coordinate of an ordinary point P = (x,, Yi)
on C, then ordp(u - x,) = 1 and ord ? (u xi ) = 1 , and (u - xi) has no other zeros.
If Xi is the u-coordinate of a special point P = (xi , Yi) on C, then ordp(u - xi) =
2, and (u - Xi) has no other zeros. Hence, N(G), and consequently also G,
has a finite number of zeros and poles, and moreover l:; PEG\ { oo } ordp(N (G)) =
2n. But, by Lemma 3.7, l:; PEG\ {oo } ordp(G) = l:; PEG\ { oo } ordp(G), and hence
l:; PEG\{ oo } ordp(G) = n. We conclude that l:; PEG ordp(G) = 0. D

Definition 3.4. Let R = G / H E iF( C) be a nonzero rational function, and let

P E C. The order of R at P is defined to be ordp(R) = ordp(G) - ordp(H ).

It can readily be verified that ordp(R) does not depend on the choice of G
and H, and that Lemma 3.5 and Theorem 3.2 are also true for nonzero rational
functions.
4. Divisors

This section presents the basic properties of divisors and introduces the jacobian
of a hyperelliptic curve.
Definition 4.1. A divisor D is a formal sum of points on

D=

L mpP , mp E Z ,

PEG

where only a finite number of the integers mp are nonzero. The degree of D,
denoted deg D, is the integer l:; PEG mp. The order of D at P is the integer mp;
w e write ordp( D ) = mp.
The set of all divisors, denoted D, forms an additive group under the addition
rule:

L mpP + L npP = L (mp + np)P .

PEG

PE G

PEG

The set of all divisors of degree 0, denoted D0 , is a subgroup of D.

Definition 4.2. Let D1 = l:; PEG mpP and D 2 = l:; PEG npP be two divisors.
The greatest common divisor of D 1 and D2 is defined to be

g.c .d.( D, , Dz ) = L min(m p , np)P

PEG

(Note that g.c.d.(D 1 , D2 ) E

Definition 4.3. Let

- (2.:: min(mp , np))

PEG

oo .

0
D .)

R E iF(C) be a nonzero rational function. The divisor

div(R) = L (ordpR)P .
PEG

of R is

1 68

Appendix. An Elementary Introduction to Hyperelliptic Curves

Note that if R = G / H then div(R) = div(G) - div(H). Theorem 3.2 shows

that the divisor of a rational function is indeed a finite formal sum and has degree
0.

Example 4. 1. If = (x , y) is an ordinary point on C, then div(u - x) =

If = (x, y) is a special point on C, then div(u - x) =

2P - 2oo.

P+P-2oo.

Lemma 4.1. Let G E lF[C] be a nonzero polynomial function, and let div(G) =
Then div(G) = PEG
PEG

mpP.

mpP.

Proof. The result follows directly from Lemma

3.7. 0

If R 1 , R2 E IF( C) are nonzero rational functions, then it follows from part 1 )

o f Lemma 3.5 that div(R 1 Rz) = div(R 1 ) + div(Rz ).
Definition 4.4. A divisor D E

]]))0 is called a principal divisor if D = div(R) for

some nonzero rational function R E lF( C). The set of all principal divisors, denoted
is a subgroup of ]]))0 . The quotient group ] = ]]))0 /IP' is called the jacobian of the
curve C. If D 1 , Dz E ]]))0 then we write D1 D 2 if D 1 - D2 E lP'; D1 and D2
are said to be equivalent divisors.
lP',

Definition 4.5. Let D =

supp(D) =
EC

PEG
I mp # 0}.

{P

mpP be a divisor. The support of D is the set

miPi ( mi)oo, where each mi 2: 0 and the Pi's are finite points such that when
Pi E supp(D) one has P, !f. supp(D), unless Pi = P,, in which case m, = 1 .
Lemma 4.2. For each divisor D E ]]))0 there exists a semi-reduced divisor D 1 E ]]))0
Definition 4.6. A semi-reduced divisor is a divisor of the form D =

such that D

Dt .

P E G mpP. Let (C1 , C2 ) be a _!lartition of the set of ordinary

Proof. Let D =

points on C such that 1 ) P E C1 if and only if P E C2 ; and 2) if P E C1 then

mp 2: m-p . Let Co be the set of special points on C. Then we can write
D = L mpP + L mpP + L mpP - moo .
PE

PE

PE

Consider the following divisor

D1

L mp div(u - x) - L

D-

P=(x,y)EGo

P=(x,y)EGz

[ ] div(u - x) .
P

Then D 1 D. Finally, by Example 4. 1 , we have

D1

L (mp - m -p)P + L (mp - 2 [P ] ) P - m1 oo

PEGt

for some integer

PEGo

m 1 2: 0, and hence D 1 is a semi-reduced divisor. 0

169

5 . Representing Semi-Reduced Divisors

5. Representing Semi-Reduced Divisors

This section describes a polynomial representation for semi-reduced divis ors of
the jacobian. It leads to an efficient algorithm for adding elements of the j acobian
(see 7).

Lemma 5.1. Let P = (x, y) be an ordinary point on C, and let R E IF\ C) be a

rational function that does not have a pole at P. Then for any k 2: 0, there are
i
unique elements co , c 1 , , Ck E iF and Rk E iF( C) such that R = 2:: =0 c;(u - x) +
k
(u - x) + l Rk, where Rk does not have a pole at P.

Proof. There is a unique c0 E

namely co = R(x , y), such that P is a zero of

R - c0 . Since (u - x) is a uniformizing parameter for P, we can write R - eo
(u
x)R1 for some (unique) R 1 E ( C) with ordp (R1 ) 2: 0. Hence R = c0 + (u - x)R1
The lemma now follows by induction. 0

iF,

iF

k
In the next lemma, when we write "mod ( u - x ) ", we mean modulo the ideal
k
generated by (u - x) in the subring of C) consisting of rational functions that
do not have a pole at P. Thus , the conclusion in Lemma 5 . 1 can be re stated:
k
R = l:: =O c; (u - x) (mod (u - xl+ 1 ).

iF(

Lemma 5.2. Let P = (x, y) be an ordinary point on C. Then for each

there exists a unique polynomial bk (u) E iF[u] such that
1 ) degu bk < k;
2) bk (x) = y; and
k
3) b (u) + bk (u)h(u) = j (u) (mod(u - x ) ).
k

2: 1,

Proof. We apply Lemma 5 . 1 to R(u, v) = v. Let v = 2:: , I c;(u - x)' + (u k- !

k
i
x) Rk - ! , where c; E lF and Rk- ! E JF(C). Define bk (u) = l:: i =O c;(u - x) .
From the proof of Lemma 5 . 1 , we know that c0 = y, and hence b k ( x ) = y.

k
Finally, since v2 + h(u)v = f(u), if we reduce both sides modulo (u - x) we
k
obtain bk(ui + bk (u)h(u) = f (u) (mod(u - x) ) . Uniqueness is easily pro ved by
induction on k. 0

The following theorem shows how a semi-reduced divisor can be represented

as the g.c.d. of the divisors of two polynomial functions .

Theorem 5.1. Let D = 2:: m;P, (2:: m; )oo be a semi-reduced divisor, where
= (x, y,). Let a(u) = fJ(u - x;)m' . There exists a unique polynomial b(u)
satisfying: 1) degu b < degu a; 2) b(x, ) = y; for all i for which m; f. 0; and 3)
a(u) divides (b(u)2 + b(u)h(u) - f(u)). Then D = g . c.d. (div(a(u)), div(b(u) - v)).
-

P;

Notation: g.c.d. (div(a(u)), div(b(u) - v)) will usually be abbreviated to

div(a(u) , b(u) - v) or, more simply, to div(a, b).

Proof. Let C1 be the set of ordinary e_oints in supp(D), and let Co be the set of
special points in supp(D). Let Cz = { P : P E C1 } . Then we can write

1 70

Appendix. An Elementary Introduction to Hyperelliptic Curves

D=

Pi +

mi Pi - moo ,

P, E C,

P, ECo

where m, , m are positive integers.

We first prove that there exists a unique polynomial b('u) which satisfies the
conditions of the theorem. By Lemma 5.2, for each Pi E C1 there exists a unique
polynomial bi(u) E IF[u] satisfying 1) degu bi < mi ; 2) bi (Xi ) = Yi ; and 3) (u
xi)m, l br ('u) + b,(u)h(u) - f(u). It can easily be verified that for each P, E C0 ,
bi (u) = Yi is the unique polynomial satisfying 1 ) degu bi < 1 ; 2) bi(Xi ) = Yi ;
and 3) (u - xi ) l br(u) + bi (u)h(u) - f(u). By the Chinese Remainder Theorem for
polynomials (see Exercise 3 in 3 of Chapter 3), there is a unique polynomial
b(u) E IF[u] , degu b < 2.:= mi , such that
b(u)

bi (u) (mod(u - Xi )m' ) for all i .

It can now be verified that b(u) satisfies conditions 1 ) , 2) and 3) of the theorem.
Next,
div(a(u)) = div

( li eu - x,)m, ) =

2P, +

mi P, +

mi.Pi - (*)oo .

In addition,
div(b(u) - v ) =

ti Pi +

P, EGo

si Pi +

P, EC,

P, EC\(C0uC1 UC2 U { oo })

mi Pi - (*)oo ,

where each s , 2: mi since (u - Xi)m, divides N(b - v) = b2 + hb - f. Now if

P = (x, y) E C0 , then (u - x) divides b2 + bh - f. The derivative of this polynomial
evaluated at u = x is
2b(x)b'(x) + b'(x)h(x) + b(x)h'(x) - J '(x)
= b'(x)(2y + h(x)) + (h'(x)y - f'(x))
= h'(x)y - J '(x) , since 2y + h(x) = 0

f:. O .
Thus, u = x is a simple root of N(b - v) = b2 + bh - f, and hence ti = 1 for all i .
Therefore,
g.c.d.(a(u) , b(u) -

v) = L
P, E Co

as required.

Pi +

mi P, - moo = D ,

P, EC,

Note that the zero divisor is represented as div( 1, 0). The next result follows
from the proof of Theorem 5 . 1 .
Lemma 5.3. Let a( u), b( u) E IF[u] be such that degu b < degu a. If a l (b2 + bh - f),
then div(a, b) is semi-reduced.

6. Reduced Divisors

17 1

6. Reduced Divisors

This section defines the notion of a reduced divisor and proves that each coset in
the quotient group ] = lDP /IP' has exactly one reduced divisor. We can therefore
identify each element of ] with its reduced divisor.
Definition 6.1. Let D = 2.:= m,P, - (2.:= m; )oo be a semi-reduced divisor. If
2.:= m; :::; g (g is the genus of C) then D is called a reduced divisor.
Definition 6.2. Let D = l:= PE C mpP be a divisor. The norm of D is defined to

be

IDI =

PE C \ { oo }

l mp l

Note that given a divisor D E IDP, the operation described in the proof of
Lemma 4.2 produces a semi-reduced divisor D1 such that D1 "' D and I D 1 I :::;; I D I .
Lemma 6.1. Let R be a nonzero rational function in IF'( C). If R has no finite
poles, then R is a polynomial function.
Proof. Let R = G / H, where G , H are nonzero polynomial functions in F[C] .
Then R =
= GH/N(H), and s o w e can write R = (a - bv)jc, where
a, b, c E F[u], c f. 0. Let x E lF be a root of c. Let P = (x , y) E C where y E lF,
and let d 2: 1 be the highest power of (u - x) that divides c.

If P is ordinary, then ordp(c) = ordp- (c) = d. Since R ha:_ no finite poles,

ordp(a - bv) ;:::: d and ord p-(a - bv) 2: d. Now since P and P are both zeros
of a - bv, we have a(x) = 0 and b(x) = 0. It follows that ordp(a) 2: d and
ordp(b) ;:::: d. Hence (u - x) d is a common divisor of a and b, and it can be
canceled with the factor (u - x) d of c.
Suppose now that P is special. Then ordp(c) = 2d. Since R has no finite poles,
ordp(a - bv) ;:::: 2d. Then, as in part 3) of the proof of Theorem 3 . 1 , we can write
a - bv =

(v - y)2 d D
Ad

where A and D are nonzero polynomial functions in F[C] , and A satisfies (v -y) 2 =
(u - x)A. Hence a - bv = (u - x) d D. Again, the factor (u - x) d of a - bv can be
canceled with the factor (u - x) d of c.
This can be repeated for all roots of c; it follows that R is a poly nomial
function. 0
Theorem 6.1. For each divisor D E IDP there exists a unique reduced divisor D1
such that D "' D1
Proof. Existence. Let D' be a semi-reduced divisor such that D' "' D and I D' I :::;
I D I (see the proof of Lemma 4.2). If I D' I :::; g, then D' is reduced and we are done.

Otherwise, let P1 , P2 ,

, Pg+ l

be finite points in supp(D'). The points

P;

are not

172

Appendix. A n Elementary Introduction t o Hyperelliptic Curves

necessarily distinct, but a point P cannot occur in this list more than ordp(D')
times. Let div(a(u), b(u)) be the representation of the divisor
P1 + P2 + + Pg+ l - (g + l)oo
given by Theorem 5 . 1 . Since degu(b) :::; g, we have deg(b(u) - v)
hence

2g + I , and

P1 + P2 + + Pg+ l + Q l + + Q 9 - (2g + 1 )oo

for some finite points Q 1 , Q2 , . . . , Q 9 Subtracting this divisor from D' gives a
divisor D", where D" D' D and I D" I < I D' I We can now produce another
semi-reduced divisor D111 D" such that I D111 1 :::; I D" I After doing this a finite
number of times, we obtain a semi-reduced divisor D1 with I D1 1 :::; g, and we are
done.
Algorithm 2 in 7 describes an efficient algorithm which, given a semi-reduced
divisor D = div(a, b), finds a reduced divisor D1 such that D ,....., D 1 ; the algorithm
only uses a and b.
Uniqueness. Suppose that D 1 and D2 are two reduced divisors with D1 ,....., D 2 ,
D 1 f. D2 . Let D3 be a semi-reduced divisor with D3 ,....., D 1 - D2 obtained as in
the proof of Lemma 4.2. Since D 1 f. D2 , there is a point P such that ordp(D1 ) f.
ordp(D2 ). Suppose, without loss of generality, that ordp(D 1 ) = m 1 1 , and either
1) ordp(D2 ) = 0 and ord j>(D2 ) 0, or 2) ordp(D2 ) m2 with 1 :::; m 2 < m1 ,
or 3 ) ordp (D2 ) m2 with 1 :::; m2 :::; m1 . (If P is special, then 3) cannot occur.)
In case 1), ordp(D3 ) m1 1. In case 2), ordp(D3 ) = (m1 - m2 ) 1. In case
3), ordp(D3 ) (m1 + m2 ) I . In all cases, ordp(D3 ) 1 , and so D3 f. 0. Also,
I D3 1 :::; I D 1 - D2 l :::; I Dd + I D2 I :::; 2g. Let G be a nonzero rational function
in iF(C) such that div(G) D3 ; since D1 ,....., D2 , and D3 ,....., D1 - D2 . we know
that D 3 is principal and hence such a function G exists. By Lemma 6. 1 , since
G has no finite poles, it must be a polynomial function. Then G a(u) - b(u)v
for some a, b E iF[u] . Since deg(v) 2g + I and deg(G) ID 3 1 :::; 2g, we must
have b(u) = 0. Suppose that degu(a(u)) I, and let x E iF be a root of a(u).
Let P = (x, y) be a point on C. Now, if P is ordinary, then both P and P are
zeros of G, contradicting the fact that D 3 is semi-reduced. If P is special, then it
must also be a zero of G of order at least 2, again contradicting the fact that D3
is semi-reduced. Thus, degu(a(u)) 0 and so D3 0, a contradiction. 0
div(b(u) - v)

rv

rv

rv

7. Adding Reduced Divisors

Let C be a hyperelliptic curve of genus g defined over a finite field JF, and let ]
be the jacobian of C. Let P = (x, y) E C, and let u be an automorphism of iF
over IF'. Then P" f(x" , y" ) is also a point on C.

I: mpP is said to be defined over lF if

D" f I: mpP" is equal to D for all automorphisms u of iF over IF'.

Definition 7.1. A divisor D =

7. Adding Reduced Divisors

173

A principal divisor is defined over lF if and only if it is the divisor of a rational

function that has coefficients in lF. The set ](lF) of all divisor classes in ] that
have a representative that is defined over lF is a subgroup of ]. Each element of
](lF) has a unique representation as a reduced divisor div(a, b), where a, b E lF[u],
degu a :::; g, degu b < degu a; and hence ](lF) is in fact a finite abelian group . This
section presents an efficient algorithm for adding elements in this group.
Let Dt = div(a t , bJ ) and Dz = div(az , bz) be two reduced divisors defined
over lF (that is, a1 , a2 , b1 , bz E lF [u] ). Algorithm 1 finds a semi-reduced divisor
D = div(a, b) with a, b E lF [u] , such that D "'" Dt + Dz . Algorithm 2 reduces
D to an equivalent reduced divisor D' . Notation: b mod a denotes the remainder
polynomial when b is divided by a.
Algorithms 1 and 2 were presented in [Koblitz 1 989]. They generalize ear
lier algorithms in [Cantor 1 987] , in which it was assumed that h(u) = 0 and
char(lF) f. 2.
Algorithm 1

INPUT: Semi-reduced divisors D1 = div(at , bt ) and Dz = div(az , bz), both defined

over lF.
OUTPUT: A semi-reduced divisor D = div(a, b) defined over lF such that
D '"" Dt + Dz .
1) Use the Euclidean algorithm (see 3 of Chapter 3) to find polynomials d 1 , e 1 ,
e2 E lF [u ] where dt = g.c.d.(at , az ) and dt = e 1 a 1 + ez az .
2) Use the Euclidean algorithm to find polynomials d, CJ , Cz E lF [u ] where d =
g.c.d.(dt , bt + bz + h) and d = Ct dt + cz(bt + bz + h).
3) Let s 1 = c1 e1 , s2 = c1 e 2 , and s 3 = cz, so that
(3)

4) Set

(4)

and
(5)

Theorem 7.1. Let D 1 = div(a1 , b 1 ) and D2 = div(az , bz ) be semi-reduced divisors.

Let a and b be defined as in equations (4) and (5). Then D = div(a, b) is a semi
reduced divisor and D "'" Dt + Dz .
Proof. We first verify that b is a polynomial. Using equation (3), we can write

s 1 a1 bz + szazbt + s 3 (b1 bz + f)
d
bz (d - s z az - s3 (b1 + bz + h)) + szazbt + s 3 (bt b2 + f)
d
szaz(bt - bz) - s 3 (bi + bzh - f)
= b2 +
d

1 74

Appendix. An Elementary Introduction to Hyperelliptic Curves

Since dla 2 and a2 l (b + b2 h - f), b is indeed a polynomial.

Let b = (s1 a1 b2 + s 2 a2 b1 + s 3 (b1 b2 + f))/ d + sa, where s E lF[u] . Now
s 1 a 1 b2 + s 2 a2 b1 + s 3 (b1 b2 + f) - dv
+ sa
d
s1 a1 b2 + s 2 a2 b1 + s 3 (b1 b2 + f) - s 1 a1 v - s 2 a2 v - s 3 (b1 + b2 + h)v
=
+ sa
d
s1 a1 (b2 - v) + s2 a2 (b1 - v) + s 3 (b1 - v)(b2 - v)
=
(6)
+ sa .
d
From (6) it is not hard to see that alb2 + bh - f. Namely, b2 + bh - f is obtained
by multiplying the left side of (6) by its conjugate: (b - v)(b + v + h) = b2 + bh - f.
Thus, to see that alb2 + bh - f it suffices to show that a1 a2 divides the product of
( s1 a1 (b2 - v) + s 2 a2 (b1 - v) + s 3 (b1 - v)(b2 - v) ) with its conjugate; and this follows
because a1 l bf + b1 h - f = (b1 - v)(b1 +v + h) and a2 l b + b2 h - f = (b2 - v)(b2 + v + h).
Lemma 5 .3 now implies that div(a, b) is a semi-reduced divisor.
We now prove that D D 1 + D2 . There are two cases to consider.
1 ) Let P = (x, y) be an ordinary point. There are two subcases to consider.
a) Suppose that ordp(D1 ) = m 1 , ord-p(D1 )
0, ordp(D2 ) = m2 , and
ord -p(D2 ) = 0, where m1 ;::: 0, m2 ;::: 0. Now ordp(a l ) = m 1 , ordp(a 2 ) =
m2 , ordp(b1 - v) ;::: m 1 , and ordp(b2 - v) ;::: m2 . If m1 = 0 or m2 = 0 (or
both) then ordp(d1 ) = 0, whence ordp(d) = 0 and ordp(a) = m1 + m 2 . If
m1 ;::: 1 and m 2 ;::: 1 , then, since (b1 + + h)(x) = 2y + h(x) f. 0, we have
ordp(d) = 0 and ordp(a) = m1 + m 2 . From equation (6) it follows that
b-v=

Hence, ordp(D) = m 1 + m2 .
b) Suppose that ordp(D! ) = m1 and ord -p(D2 ) = m2 , where m1 ;::: m2 ;::: 1 .
We have ordp(a1) = m1 , ordp(a2 ) = m2 , ordp(d1 ) = m2 , ordp(b1 v) ;::: m1 , ordp(b2 - v) = 0, and ord-p ( - v) ;::: m2 . The last inequality
implies that ordp(b2 + h + v) ;::: m2 , and hence ordp(b1 + b2 + h) ;::: m 2 or
(b1 + + h) = 0. It follows that ordp(d) = m 2 and ordp(a) m1 - m2 .
From equation (6) it follows that
=

ordp(b - v) ;::: min{ m1 + 0, m2 + m1 , m1 + 0} - m2 = m1 - m2

Hence, ordp(D) = m1 - m2 .
= (x, y) be a special point. There are two subcases to consider.
a) Suppose that ordp(D1 ) = 1 and ordp(D2 ) = 1 . Then ordp(a1 )
2,
ordp(a2 ) 2, and ordp(d1 ) = 2. Now (b1 + b2 + h)(x) = 2y + h(x) = 0,
whence either ordp(b1 + b2 + h) ;::: 2 or b1 + b2 + h = 0. It follows that
ordp(d) = 2 and ordp(a) = 0. Hence, ordp(D) = 0.
b) Suppose that ordp(D1 )
1 and ordp(D2 ) = 0. Then ordp(a1 )
2,
ordp(a2 ) = 0, whence ordp(d1 ) = ordp(d) = 0 and ordp(a) = 2. Since
ordp(b1 - v) = 1 , it follows from equation (6) that ordp(b - v) ;::: 1 . It can
be inferred from equation (6) that ordp(b - v) ;::: 2 only if ordp(s 2 a2 +

2) Let P

7. Adding Reduced Divisors

175

s 3 (bz - v)) 2: 1. If this is the case, then ordp(sz az + s 3 (bz + h + v)) 2: 1,

and hence ordp(szaz + s 3 (b1 + bz + h)) 2: 1 (or s z az + s 3 (b1 + b2 + h) = 0).
It now follows from equation (3) that ordp(d) 2: 1, a contradiction. Hence
ordp(b - v) = 1 , whence ordp(D) = 1 . D
Example 7. 1 . Consider the hyperelliptic curve C : v 2 + (u2 + u)v = u5 + u 3 + 1
of genus g = 2 over the finite field JF2s (see Example 1 .3). P = (a 30 , 0) is an
ordinary point in C(JF2s ), and the opposite of P is P = (o: 3 0 , a 1 6 ). Q1 = (0, 1) and
Q 2 = ( 1 , 1 ) are special points in C(lF2s ). The following are examples of computing
the semi-reduced divisor D = div(a, b) = D1 + Dz , for sample reduced divisors D1
and D2 (see Algorithm 1 ).
1) Let D 1 = P + Q 1 - 2oo and D2 = P + Qz - 2oo be two reduced divisors. Then
Dt = div(a 1 , b1 ), where a 1 = u(u + a 30 ), bt = au + 1 , and Dz = div(a z , bz ),
where a2 = (u + 1)(u + a 3 0 ), bz = a23 u + o: 1 2 .
1) dt = g.c.d.(at , az) = u + a 30 ; dt = at + az .
2) d = g.c.d.(d1 , b1 + b2 + h) = u + o: 3 0 ; d = 1 dt + 0 (bt + bz + h).
3) d = a1 + az + 0 (bt + bz + h).
4) Set a = a 1 az /d2 = u(u + 1) = u2 + u, and

b=
=

1 at bz + 1 az bt + O (bt bz + f)
mo d a
d
1 (mod a) .

Check:
div(a) = 2Qt + 2Qz - 4oo
3
div ( b - v) = Q I + Qz + L P, - 5oo ,
i= l
div(a, b) = Q I + Qz - 2oo .

where Pi f. Q I , Qz

2) Let D1 = P + Qt - 200 and Dz = Q I + Qz - 2oo. Then Dt = div(a t , bt ) , where

at = u(u + a 30 ), bt = au + 1 , and Dz = div(az , bz), where az = u(u + 1), b-z = 1 .
1
1) d t = g.c.d.(at , az) = u ; dt = o: 1 4 a1 + a 4 a2 .
2) d = g.c.d.(d1 , b1 + b2 + h) = u; d = 1 u + 0 (bt + bz + h).
3) d = a 1 4 a1 + a 1 4 az + 0 (bt + bz + h).
4) a = (u + a 3 0 )(u + 1); b = a 1 4 u + o: 1 3 (mod a). Check:

div(a) = 2Q 2 + P + P - 4oo
3
div(b - v) = P + Qz + L P, - 5oo ,
i= l
div(a, b) = P + Q2 - 2oo .

where Pi f. P, P , Qz

3) Let D1 = P + Q 1 - 2oo and D2 = P + Qz - 2oo. Then D1 = div(a 1 , b t ), where

a 1 = u(u + o: 30 ), b 1 = au + 1 , and Dz = div(az , bz ), where az = (u + o: 30 )(u + 1),
bz = a 1 4 u + a l 3 .

176

Appendix. An Elementary Introduction to Hyperelliptic Curves

1) d1 = g.c.d.(a1 , az ) = (u + a 30 ); d1 = 1 a 1 + 1 az .
2) d = g.c.d.(d1 , b 1 + bz + h) = 1 .
3 ) d = (a 1 5 u + a4 )a 1 + (a 1 5 u + a4 )az + a 1 5 (b1 + bz + h).
4) a = u(u + l)(u + a 30 ) 2 ; b = a 1 7 u3 + a26 u2 + a2 u + 1 (mod a). Check:

div(a) = 2P + 2 P + 2Q I + 2Q z - 8oo
2
div(b - v) = 2P + Ql + Q z + .2::: P, - 6oo ,

where P, f. P, P , Q1 , Qz

i=l

div(a, b) = 2P + Q l + Qz - 4oo .
Algorithm 2

INPUT: A semi-reduced divisor D = div(a, b) defined over lF.

OUTPUT: The (unique) reduced divisor D' = div(a' , b') such that D' ,..., D.
1 ) Set
and

b ' = (-h - b) mod a' .

2) If deg" a' > g then set a +- a', b +- b' and go to step 1 .
3 ) Let c be the leading coefficient of a', and set a' +- c - 1 a' .
4) Output(a',b').
Theorem 7.2. Let D = div(a, b) be a semi-reduced divisor. Then the divisor D' =
div(a' , b') returned by Algorithm 2 is reduced, and D' ,..., D.
Proof. Let a' = (f - bh - )/a and b' = (-h - b) mod a'. We show that
1 ) degu(a') < degu(a);
2) D' = div(a' , b') is semi-reduced; and
3) D ,..., D'.
The theorem then follows by repeated application of the reduction process (step 1
of Algorithm 2).
1) Let m = deg,. a, n = deg" b, where m > n and m 2: g + 1. Then deg,. a' =
max(2g + 1 , 2n) - m. If m > g + 1 , then max(2g + 1 , 2n) 2(m - 1), whence
degu a' m - 2 < degu a. If m = g + 1 , then max(2g + 1 , 2n) = 2g + 1 , whence
degu a' = g < degu a.
2) Now f - bh - b2 = aa'. Reducing both sides modulo a', we obtain
f + (b' + h)h - (b' + h)2 = 0 (mod a ' ) ,

which simplifies to
f - b ' h - (b ' ) 2 = 0 (mod a ' ) .
Hence a' J(f - b'h - (b')2 ). It follows from Lemma 5.3 that div(a' , b') is semi
reduced.

7. Adding Reduced Divisors

177

E supp(D) : P is special}, C1 = {P E supp(D) : P is ordinary} ,

and C2 = { P : P E C1 }, so that
D = L P, + L m;P, - (*) OO .

3) Let Co = {P

P, ECt

P, E Co

Then, as in the proof of Theorem 5 . 1 , we can write

div(a)

P, ECo

and

2P; +

P, E Ct

m;P; +

P, ECt

m;P; - (*)oo

where n; 2 m; , c3 is a set of points in C\(Co u c, u Cz u { 00} ), S; 2 I , and

s; = l if P; is special. Since b2 + bh - f = N(b - v), it follows from Lemma
4. 1 that
div(b2 + bh - f)
= L 2P; + L n;P, + L n;P; + L s;P; + L s;P, - ( * )oo ,
P, ECt

P, E C,

P, ECo

and hence
div(a') = div(b2 + bh - f) - div(a)
=

t;P; +

t,Pi +

siPi +

siPi - (*)oo ,

where ti = ni - mi and c; = {P, E Ct : ni > m; }. Now b' = -h - b + sa'

for some s E IF['U] . If P, = (x i , y,) E c; U C3 , then b'(x;) -h(x;) - b(x;) +
s(xi)a'(xi) = -h(x;) - Yi Then, as in the proof of Theorem 5 . 1 , it follows
that
div(b' - v)
L OP; + L riPi + L OP, + L w;Pi + L z;P; - (*)OO ,
=

P, EC,

where Ti 2 ti , Wi 2 Si , w, l if P, E c3 is special, and c4 is a set of points

in C\(C; U C3 U {oo}). Hence,
=

div(a ' , b') =

L tiPi +

P, EC
-

P, EC

P, E C,

t;P; -

D' .

P, E C,

= D - div(b - v ) ,
whence D

s;P; - ( * )oo
siPi + (*)oo

178

Appendix. A n Elementary Introduction t o Hyperelliptic Curves

Note that all of the computations in Algorithms I and 2 take place in the field

lF itself (and not in any proper extensions of lF). In Algorithm 1, if degu a1 ::::; g

and degu az ::::; g, then degu a ::::; 2g. In this case, Algorithm 2 requires at most
1 + [g /2] iterations of step 1 .
Example 7. 2. Consider the hyperelliptic curve C : v 2 + (u 2 + u)v = us + u 3 + I
of genus g = 2 over the finite field lF2, (see Examples 1 .3 and 7 . 1 ). Consider the
semi-reduced divisor D = (0, 1) + ( 1 , 1 ) + (as , a 1 s ) - 3oo. Then D = div(a, b),
where
and
Algorithm 2 yields

a' (u) = u z + aisu + a26 '

b ' (u) = a 23 ,u + a 2I .
Hence, D "' div(a' , b' ) = (a2 8 , a7 ) + (a29 , 0) - 2oo.
Exercises

1 . Verify that the curves C in Examples 1 .2 and 1 .3 have no singular points (except
for oo).
2. Let R E lF(C) be a non-zero rational function, and let P E C. Prove that
ordp(R) does not depend on the representation of R as a ratio of polynomial
functions (see Definition 3 .4).
3. Prove Lemma 5.3.
4. Let C be the curve in Example 1 .2. Find the divisor of the polynomial function
G(u, v) = v2 + uv + 6u4 + 6u 3 + u2 + 6-u.
5 . Let C be the curve in Example 1 .2. Find the polynomial representation for the
semi-reduced divisor D = 2(2, 2) + 3(5, 3) + ( 1 , 1) + (6, 4).
6. Let C be the curve in Example 1 .2. Use Algorithm 1 to compute D 3 =
div(a 3 , b3 ) = D1 +D2 , where D1 = div(u2 +6, 2u+6) and Dz = div(u2 +4u+2, 4u+ 1).
Check your work by computing these divisors explicitly.

7. Let C be the curve in Example 1 .2. Consider the semi-reduced divisor D =

div(u7 + 2u6 + 3us + 6u 3 + 4u + 5 , 5u6 + Sus + 6u4 + 4u 3 + 5u2 + 4). Use Algorithm 2
to find the reduced divisor equivalent to D.

Answers to Exercises

Chapter 1

1 . Prove that me d = 1 (mod p) and (mod q) separately. When working modulo

p, the case m = 0 (mod p) is trivial, and the case m =/'. 0 (mod p) reduces to
Fermat's Little Theorem, i.e., the congruence mp - l = 1 (mod p).
-'
2. (a) g u ' y u' = g s ( H+xr) = g k (mod p). (b) No one knows any way to find (r, s)
without knowing k and x, that is, without either being Alice or finding discrete
logs in lF;.
Chapter 2
1. l . f 2. e 3 . f 4. g 5 . i (in fact, (n + l) n ::=:: e nn) 6. e 7. a 8. a 9. e I O. f.

1 1 . a 12. 0(m2 n) 13. 0(m 2 ln2 n) (or else O(m In n(m + In n)), which has a
more complicated but more "accurate" g(m, n)) 14. O(mn) 1 5 . 0(m2 n2 ).
2. 1. k - l or k - l + l bits. 2. (a) O(k + ln n), (b) O(ln n), (c) O(ln n), (d) 0(2 k ),
(e) 0(n2 ln n), (f) O(n).
3. By showing that fn is the lower-left entry in the n-th power of the matrix
and then diagonalizing this matrix, derive the formula fn

( )

(T/n - rt)/ ..JS. where T/ is the golden ratio ( 1 + VS)/2 and 'fj is its conjugate
( 1 - v's)/2. Then choose g (n) = n log2 T/ 0.694242n.
5. g (n) (log2 e)n In n. 6. 15000.
7. (c) <(e) <(d)<(a)<(b), since (a) ::=:: (log 1 0 2)n 0.3n, (b) ::=:: n, (c) ::=:: 5 log2 n,
(d) ::=:: yn log2 n, (e) ::=:: 2 yn/ ln n.
3. 1 . (a) 0(n2 ), (b) 0(n2 In2 n), (c) 0(n2 In2 N). 2. 1000000.
3. (a) O(n ln2 n), (b) O(ln2 n). 4. (a) 16 hours, (b) 1000000 years.
5. (a) 0(n2 ), (b) 0(n4 ). 6. (a) 0(2 k ), (b) 0(22 k ), (c) 0(k2 k ).
7. O((k + l) 2 ) (also correct: 0(k 2 + l 2 )) . 8. O(l 2 ).
9. (a) 0(k 2 l 2 ), (b) 0(k 2 l 2 ), (c) 0(k 2 l 2 ), (d) 0(k 2 l),
(e) 0( k2 l 2 ), (f) 0( k l 2 ), (g) 0(k 2 l2 ), (h) 0( K2 ).
10. (c) <(d)<(b)< (e)<(a), since (a) 0(ln4 n), (b) 0(ln2 n), (c) negligible (since one
just replaces each block of 4 bits by the corresponding name of a hexadecimal
digit), (d) O(ln n(ln In n) 2 ), (e) O(ln3 n).
=

Answers to Exercises

1 80

1 1 . 0.00023 sec for 'Y

years for 'Y = 1 .

0, 1 7 1 sec for 'Y

1 /3, 74 years for

'Y =

1 /2,

>

1 08 6

4. 1 . (d),(c),(b),(a). 2 . (a) and (c). 3. 0(B 2 ln B).

4. Given a map, construct the graph whose vertices correspond to regions of
the map and whose edges connect vertices whose corresponding regions have a
common border. It is not hard to see that coloring maps is equivalent to coloring
planar graphs.
5. First find the length k of a path of minimal distance, using binary search. After
that you need to actually find a path of distance k. To do this, start with city # 1 .
Set it = 1 . For j = 2, 3 , . . . , m increase the distance for each ( 1 , j) b y 1 , and each
time ask if the new Traveling Salesrep problem still has a path of length k. The
first time the answer is "no", choose that value of j - call it i2 - to be the city you
go to from city #1 . Then go through the same procedure with i t = 1 replaced by
i 2 (and taking the cities in the order j = 2, 3 , . . , i 2 - 1 , i 2 + 1 , . . . , m). Continue
in this way until you go to all of the cities.
6. Given an instance of P2 , choose your two integers for Pt to be ad and be. The
answer to P2 is "yes" if and only if these two integers are equal.
7. Given an instance of P2 , construct an instance of Pt by taking the cross-product
of each pair of vectors in the input of P2 .
8. Given an instance of Pt , let the p(X) in P2 be the derivative of the p(X) in Pt .
9. Use the algorithm for P2 to find the complete prime factorization of N: N =
p' p2 pr . Once you have this factorization, you can easily compute the Euler
<p-function <p(N) (p' - p' - t )(p2 - p2 - t ) (p r - p r - t ). Now use the
Euclidean algorithm to determine whether g.c.d.(e, <p(N)) = 1 and, if it is, find
integers d and y such that ed - y<p(N) 1 . This d is the desired output for Pt .
If g.c.d.(e, <p(N)) turns out to be greater than 1 , then simply state that no such d
exists.
10. Use the algorithm for P2 to find k and l in Pt , after which it is trivial to find
gk l modulo p.
1 1 . (a) No, because, as far as anyone knows, the only way to demonstrate the
correctness of an answer is to go through the calculation of the exact value of
7r(N), and no way is known to do this in polynomial time.
(b) No, because it is hard to imagine a certificate of the non-existence of paths
of length less than or equal to k. This problem is the reverse of the Traveling
Salesrep decision problem in the sense that the answer to the question in Exer
cise l l (b) is "yes" if and only if the answer to the Traveling Salesrep question
is "no". Sometimes this problem is called "co-Traveling Salesrep". It belongs
to the class co-NP, consisting of all problems whose co-problems are in NP. If
this problem were in NP, it would follow that the class NP and the class co
NP are identical. It is conjectured that NP#co-NP. As in the case of the P#NP
conjecture, mathematicians and computer scientists would be absolutely astounded
if this conjecture were shown to be false. Thus, hardly anyone thinks that the co
Traveling Salesrep problem is in NP.
.

Chapter 3

181

(c) No, because i n general k might be exponentially large in the number of vertices,
so a certificate of a "yes" answer cannot simply be a list of all k 3-coloring s. It's
hard to imagine what such a certificate could be.
12. False. When our NP problem P reduces to the NP-complete one, suppose
that the input length is squared. Then an L( 1 /2)-algorithm for the NP-complete
problem gives a fully exponential algorithm for P.
6. 1. 0(n3 ), where n = O(ln N) is the input length.
2. For example, let P, = xr - ' + 1 . In that case f1;':: 1 P, = I;- I XJ .
7. 1 . Just look at the contribution to the sum in Definition 7.5 of the prime
numbers N between 2n - I and 2n . This contribution is

where 1T(2n) denotes the number of primes less than 2n .

2. Suppose that we are given any c: > 0. Take c:' = c:/2. The hypothesis (with
c:' in place of c:) means that there exists k > 1 / c:' such that for n 2': no the set
S of instances i of input length n for which T(i) 2': n k is large enough so
1 1 (i) > n - k ' Then "' .
that '\"
11 (i) >
- n k ( < <' ) = n k ' , which is not
, E s r
n
, E S T(i)" rn
O(n), since kc:' > 1 .
3. The implication in one direction can be proved directly or from HOlder's in
equality. To disprove the converse, suppose, for example, that T(i) = 4n for i E S
and T( i) n for i :. S, where S is a set of instances such that I: iES J.l n ( i) 2 n .
Then Levin's property holds, but the modified property does not.
4. Use a processor for each power of X. If n is the maximum degree of the
two polynomials, then you have O(n) processors, each of which takes O(ln n) bit
operations, because of the condition on the size of the coefficients.
5. If a single processor did the work of the O(nc' ) processors in series (i.e., one
at a time), the time it would need is O(lnc' nc' ) = O(nC, +Cz).
=

Chapter 3
1. 1 . (a) 6, since you need to adjoin both and H;

(b) 2, since you need only to adjoin H; (c) 2, much like part (b);
(d) 3 , since JF'7 already has R = 2, but you need to adjoin ;
(e) 1 , since JF' 3 1 already has 3 roots of the polynomial (namely: 4, 7, 20).
2. The criterion is that XJ occurs with nonzero coefficient only if plj. In that case
the polynomial is the p-th power of the polynomial obtained from it by replacing
each XJ by XJ I P (see Lemma 2.2).
2. 1 .

2 3 5 7 11
prime p
2 2 3 2
smallest generator
2 2 4
number of generators

17
3
8

1 82

Answers to Exercises

2. (a) If gP- 1 = 1 mod p2 , then replace g by (p + 1)g and show that then one
has gP - 1 = 1 + g1p with g 1 prime to p. Now if gi = 1 mod p"' , first show
that p - 1 lj, i.e., j = (p - 1 )j1 , and so ( 1 + g 1 p)i' = 1 mod p"' . But show that
( 1 + 91P)J ' = 1 + J 1 9 1 P + higher powers of p, and then p"'- 1 must divide J 1
(b) For the first part, show that 1 , 2"'- 1 1 , and 2"' - 1 are all square roots of
1 modulo 2"' , and so the group is not cyclic; the proof of the second part (which
reduces to showing that 5J cannot be = 1 mod 2"' unless 2"'- 2 l j) is similar to
part (a).
3 . You need the 7th roots of unity in order to have a splitting field; the degree f
of the splitting field is the smallest power such that pf = 1 mod 7 ; this is either
1 , 2, 3 or 6.
4. 2 for d = 1 : X, X + 1 ; 1 for d = 2: X 2 + X + 1 ; 2 for d = 3 : X 3 + X 2 + 1 ,
X 3 + X + 1 ; 3 for d = 4 : X4 + X 3 + 1 , X4 + X + 1 , X4 + X 3 + X 2 + X + 1 ; 6 for
d = 5 : x s + X 3 + 1 , x s + X 2 + 1 , x s + X4 + X 3 + X 2 + 1 , x s + X 4 + X 3 + x + 1,
X 5 + X 4 + X 2 + X + 1 , X 5 + X 3 + X 2 + X + 1 ; 9 for d = 6 : X 6 + X 5 + 1 , X 6 + X 3 + 1 ,
X6 + X + 1 , X 6 + X 5 + X4 + X 2 + 1 , X 6 + X 5 + X4 + X + 1 , X6 + X 5 + X 3 + X 2 + 1 ,
X 6 + X 5 + X 2 + x + 1 , x 6 + X4 + X 3 + x + 1 , X 6 + X 4 + X 2 + x + 1 .
5. 3 for d = 1 : X , X 1 ; 3 for d = 2 : X 2 + 1 , X 2 X - 1 ; 8 for d = 3 :
X 3 + X2 (X - 1), X 3 - X 2 (X + 1), X 3 (X 2 - 1), X 3 - x 1 ; 1 8 for
d = 4; 48 for d = 5 ; 1 16 for d = 6. 6. (pf - pf f)/ f.
7. (a) Raising 0 = o:2 + bo: + c to the p-th power and using the fact that bP = b and
cP = c, we obtain 0 = (o:P)2 + bo:P + c.
(b) The polynomial's two distinct roots are then o: and o:P. Then a is minus the
sum of the roots, and b is the product of the roots.
(c) (co: + d)P+ 1 = (co:P + d)( co: + d), and then multiply out and use part (b).
(d) (2 + 3i) 509+ 1 )+ l = (22 + 3 2 ) 5 (2 + 3i) = 14(2 + 3i) = 9 + 4i.
8. (a) Let o: be a root of X 2 + X + 1 = 0; then the three successive powers of o:
are o:, o: + 1 , and 1 .
(b) Let o: be a root of X 3 + X + 1 = 0; then the seven successive powers of o: are
0:, 0:2 , 0: + 1 , 0:2 + 0:, 0:2 + 0: + 1 , 0:2 + 1 , 1 .
(c) Let o: be a root of X 3 - X - 1 = 0 ; then the 26 successive powers of o: are o:,
0:2 , o: + 1 , 0:2 + 0:, o:2 + o: + 1 , 0: 2 - 0: + 1 , -o:2 - o: + 1 , -0:2 - 1 , - o: + 1 , -o: 2 + o:,
o: 2 - o: - 1 , -o:2 + 1 , - 1 , followed by the same 1 3 elements with all +'s and -'s
reversed.
(d) Let o: be a root of X2 - X + 2 = 0; then the 24 successive powers of o: are
o:, o: - 2, -o: - 2, 2o: + 2, -a: + 1 , 2, then the same six elements multiplied by 2,
then multiplied by - 1 , then multiplied by -2, giving all 24 powers of o:.
9. (a) p = 2 and 2! - 1 is a "Mersenne prime".
(b) Besides the cases in part (a), also you can have: ( 1 ) p = 3 and (3 f - 1 )/2 a
prime (as in part (a), this requires that f itself be prime, but that is not sufficient,
as the example f = 5 shows), and (2) p of the form 2p' + 1 with p' a prime and
f = 1 . It is not known, incidentally, whether there are infinitely many finite fields
with any of the conditions in (a)-(b) (but it is conjectured that there are). Primes
p' for which p = 2p' + 1 is also prime are called "Germain primes" after Sophie

Chapter 3

1 83

Germain, who in 1 823 proved that the first case of Fermat's Last Theorem holds
if the exponent is such a prime.
10. Reduce to the case when j = d by showing that 0'1 (a) = a and O' f (IL) = a
imply that O'd(a) = a.
d
1
1 1 . Show that b' = b (P -l)/(p -t ) is in lFPd by showing that it is fixed under O'd
(that is, raising to the pd -th power); to show that it is a generator, note that all of
the powers (b ' )J , j = 0, . . . , pd - 2 are distinct, because the first p f - 1 powers of
b are distinct.
12. Let d =g.c.d.(k, p f - 1). Since dlpf - 1 , the cyclic group lF;1 clearly has
d d-th roots of unity. Each of them is also a k-th root. Conversely, by writing
d = uk + v(pf - 1) you can show that any k-th root is also a d-th root.
1 3 . For x, x' E lK it is easy to show that g(x) q = g(x) (and hence g(x) E lF q) and
that g( ex + c' x') = cg(x) + c' g(x') for c, c' E lFq . In order to show that g( x) takes
all possible values y E lF q because of the lFq -linearity of g it suffices to show
that g is not identically zero. This follows because a polynomial of degree q n - l
cannot have q n roots. The last assertion now follows because if V denotes the
(n - 1 )-dimensional lF q -subspace of lK that g maps to 0, then xo + V is the set of
elements that g maps to Yo E lFq (here xo is any fixed element of lK whose trace
is y0 , and the notation x0 + V means all vectors x such that x - x0 E V).
14. (a) This follows immediately from the fact that lF is cyclic.
(b) The only difference with the situation over Z is that, when dividing a by b (or
r1 _ 1 by r1 ), one chooses the quotient to be the Gaussian integer that lies closest
to ajb in the complex plane. (If there are two or more equally distant, then we
choose one of them arbitrarily.) For example, 29 = 2( 1 2 + i) + (5 - 2i). (c) The
Gaussian integers have unique factorization (up to multiplication by the units 1 ,
i). The prime factorization of p i s ( c + di)(c - di), where c and d are integers
such that c2 + d2 = p. Since Pi(Y + i)(y - i), it follows that either c + di or c - di
must divide y + i, and hence must be the g.c.d. of p and y + i.
3. 1. (a) d(X) = 1 = X 2 g + (X + l)f; (b) d(X) = X 3 + X 2 + 1 = f + (X 2 + X )g; (c)
d(X) = 1 = (X - l)f - (X 2 - X + l )g; (d) d(X) = X +1 = (X - 1)f - (X 3 -X 2 + 1 )g ;
(e) d(X) = X + 78 = (SOX + 20)f + (5 1X 3 + 26X 2 + 27X + 4)g.
2. Since g.c.d.(f, f') = X 2 + 1 , the multiple roots are o: 2 , where o: is the generator
of lF in the text .
3 . There exists a solution to a set of congruences modulo pairwise relatively
prime polynomials, and that solution is unique up to multiples of the product of
the moduli. In other words, there is a unique solution of degree less than the sum
of the degrees of the moduli.
4. 1 . (a) the principal ideals generated by an irreducible polynomial; (b) the ideals
generated by a prime number p and a polynomial f E Z[X] whose reduction
modulo p is irreducible as an element of lFp [X] .
2. (a) P1 = (X), P2 = (X, Y); (b) P1 = (X), P2 = (X, p) where p is any prime; (c)
P1 = (X1 , . . . , X1 ) for j = 1 , . . , m.
3. Show that the quotient ring R/ I is a field of 3 elements. Show that if it were
principal, then R/ I would have to have more than 3 elements.
.

1 84

Answers to Exercises

4. I = (xy, y2 - y).
5. Let I be the ideal consisting of all polynomials with zero constant term. Suppose
that it is generated by a finite set {!1 , . . . , fm }. Let XN be any variable not
appearing in any of the k Then the polynomial XN is in I, but it cannot be
written as a linear combination of the k
6.(j Suppose that r E I and 9 m E I. Using the binomial expansion, show that

9)n+m E I. Thus, the radical is closed under addition and subtraction. The
rest of the verification that the radical is an ideal is immediate.
5. 1 . When written as rows of a matrix, the coefficients of the linear forms must
give a row-echelon matrix in (a) and a reduced row-echelon matrix in (b) (up to
a rearrangement of the rows).
2. l = 1 , and 91 is the monic polynomial that generates the (principal) ideal I.
3. Since 9; E I, it follows that lt(9D is divisible by one of the lt(9i ), say lt(91 ).
Similarly, lt(9J ) is divisible by one of the lt(9D But this i must be 1, because lt(9D
cannot divide lt(9; > for any i f:. 1 , by the definition of a minimal Grobner basis.
Since both 91 and 9; are monic and lt(91 ) and lt(9; ) divide one another, it follows
that 91 and 9; have the same leading term. Continue in this way for 9 , 9 , . . .
4 . (a) False (see Exercise 6 below). (b) False (see Exercise 7 below). (c) True.
5. {X - Y, Y 2 - Y}. 6. The set of power products of total degree n.
7. {9, , 9z , 93 , 94 , 95 }, where 94 = S(91 , 9z ) = Z2 and 95 = S(9 , , 93 ) = X 2 . 8. {X
Y, Y 2 - Y}. 9. {9 1 , 92 , 93 , 94 }, where 94 = 8(9 1 , 93 ) = X 2 Z - Y 2 Z.
10. {9, , 92 , 93 , 94 } , where 94 = S(91 , 92 ) = -XY 2 + Y 3 , is a Grobner basis; and
{91 , -94 } = { X 2 - Y2 , XY 2 - Y 3 } is the reduced Grobner basis.
1 1 . Let 94 = 8 (91 , 93 ) = X 2 Y - Y 3 , 95 = S(9z , 93 ) = XY 2 - Y, 96 = S(9z , 95 ) =
-X2 + Y 2 ; then {91 , . . . , 96 } is a Grobner basis, and {9z , 95 , -96 } is the reduced
Grobner basis.
12. Let lK c IF denote a finite extension of IF that contains all of the coefficients
of the polynomials that one is working with; and let (31 = 1 , !32 , . , f3t be a basis
for lK over IF. (a) In the relation that expresses f in terms of elements of I with
coefficients in JK[X], the coefficients (in IF) of any power product can be equated,
and so the (31 -component of those coefficients can be equated. The result is a
relation expressing f in terms of elements of I with coefficients in IF[X]. (b)
Similar to part (a). Show that if f E 1, and if we write f = I;;= , (3if,, where
fi E IF[X], then each f, E I.
13. Use the previous exercise to reduce to the case where IF is algebraically closed.
If the set of points is empty, then 1 E I by Theorem 4.2, and so 1 E G and the
claim is trivial. Otherwise, let f E IF[Xil be a polynomial that vanishes at the i-th
coordinates of all of the points. By Theorem 4.3, fn E I for some n. Conclude
that some power of X, is divisible by the leading term of an element of G.
.

Chapter 4

1 85

Chapter 4
1. 1 . Suppose that a ;:::: b. First show that if a = q b + r is the first step of the
Euclidean algorithm for a and b (i.e., r is the remainder when a is divided by b),
then qr - 1 is the remainder when qa - 1 is divided by qb - 1. Thus, the algorithm
that gives g.c.d.(qa - 1 , qb - 1 ) mimics the algorithm that gives g.c.d.(a, b), in the
sense that each remainder r; in the computation of g.c.d. (a, b) becomes qr' - 1 .
See also Theorem 2.5 of Chapter 3 , from which i t follow s that IFq d is the largest
field contained in both IF q" and IFq b , where d =g.c.d. ( a, b).
2. Let d =g.d.c.(q0 + 1 , qn - 1). By Exercise 1 , g.c. d.(q20 - 1 , qn - 1 ) = q - 1 . Since
q0 + 1 divides q20 - 1 , this means that dJg.c.d.(l + 1 , q - 1). Since q0 + 1 = 1 e + 1 = 2
(mod q - 1 ), it follows that dJ2. But d must be odd, since q is even.
'
3 . Let n = n'B, where n' is odd. Then qn - 1 = (- l) n - 1 = -2 (mod. qe + 1 ).
Hence, g.c.d.(l + 1 , q n - 1) divides 2. Again use the fact that q is even to conclude
that d = 1 .
4 . (0, 0, 0, 1 , 1 ) ; (0, 0, 1 , 0, 1 ); ( 1 , 0, 0, 0, 0); (0, 1 , 0, 0, 0).
5 . (UJ +uzX +u3X2) 5 = (uf+u+u+UzUJ)+(u+u+U J UJ)X +('u+u 1 u2 +u1 u3)X2 ;
V i = X X3 + X3 + Xz + x/ + X1 2 + Xi + X! XJ , Vz = Xz2 + X i 2 + Xzx3 + x3 + Xz,
2
V3 = X J 2 + Xi + XzX J + 1 + X32 ; Yl = XzX3 + X3 + Xz + X32 + Xi 2 + XJ + XiXJ + 1 ,
Yz = x32 + Xi + X1 X3 + 1 + xz2, Y3 = x1 2 + x1 X3 + xz2 + XzX J .

2. 1 . If 2 is replaced by a prime power

q > 2 in ( 16), then for each nonzero

solution u, v we also have the solutions a u , v for nonzero a E IF q This contradicts
the assumption that ( 15) gives a 1-to- 1 correspondence between u and v and the
fact that ( 1 5) and ( 1 6) are equivalent for nonzero u and v.
'
2. Since 3 h + 2 - (2n - 1) = 2 n - J , one has v3 u2 = u 3 h+2 = u2n- .
l
3. 1 . The map X f-7 x2n- inverts the squaring map; this proves bijectivity. When
q = 2, the maps v = u2 and z = w2 are linear (see (2) with q = 2, k = 1 ) . Hence
fj = D x for some n x n-matrix D. Such a cryptosystem can easily b broken by
finding 0( n) plaintext/ciphertext pairs. If q = 2 r ' the system is still easy to bn:ak:
because IK may be regarded as an extension of IF2 of degree nr, in which case the
ciphertext and plaintext (regarded as nr-tuples of O's and 1 's) are related by. an
nr x nr-matrix.

=
for all a E IFz .
n
3 . If i denotes a square root of - 1 in IK, then u and iu all lead to the same fj.
4. It suffices to find a bilinear map * : Y x Y --> Y such that (20) holds, afte;
which (2 1 ) holds (up to 1) with h' = (qn + 1)/4; and C can be found as in
2.4 using O(n) plaintext/ciphertext pairs. In order to find the bilinear map *, first
find an n-dimensional space of matrices T such that for some matrix S one has
T <p(x, x') = <p(S x, x'). Let Ti , i = 1, . . . , n, be a basis for this space of matrices;
find a matrix G by solving (26); and define * by (25).
.
q
5 . (a) The probability that none of the values is zero is equal to ( 1 - i") r;
(b) Use the "inclusion-exclusion" counting principle to show that the probability,.
2. No, since

( n

Answers to Exercises

1 86

is

(q1 ) q (2q) !__q2 + (3q) !__q3 - (4q) !__q4 + . . . = 1 - ( 1 - q )

-

Chapter 5

2. 1 . An integer n such that g n is the identity but y n is not. 2. If n = 1 , A is

always reversible, since it just translates the configuration; if n is even, A is never
reversible, since A(C1 ) = A( Co ) = C0 , where Ci is the configuration with all cells
in state i.
3. 1 . (a) In Example 3 . 1 , given a 3-coloring v >--+ iv , let Yv,i take the value 1 if
i = i v and 0 otherwise. In Example 3.2, given To, let y have t-coordinate 1 if t E To
and 0 otherwise. In Example 3.2a, given V' c V, let Yv take the value 1 if v E V'
and 0 otherwise. (b) In Subset Perfect Code, note that for each T1 and each t E Tj
the ideal J contains the element ( L: t ' E T, , t ' rt tt' ) + t ( 1 - l:: t ' E T t ' ) = t - t 2 .
,
The argument for 3-Coloring is similar.
2. T = {tv,, : v E V, 1 ::; i ::; m } ; in Bt take tv, l + tv, 2 + + tv, m - 1 , in Bz
let 1 ::; i < j ::; m, and in B3 let 1 ::; i ::; m.
3. See 4.
4. Assume that IF contains a primitive m-th root of unity (. (In particular, m is
not divisible by the characteristic of IF.) Set Bi = { x ;;' - 1
v E V} and
B = { x :;' - 1 + x :;' - 2 xv + x:;' -3x + + xx ;;' -3 + xux;;'- 2 + x ;;' - 1 : uv E E}.
(a) Given an m-coloring v >--+ iv , set Yv equal to ('" . (b) Set Xv = 2:: ;':: 1 (J tv, j and

t v, t
.

ffi

j
"'m ;-- i
L.J j :; l ( Xv ) .

5. Obviously J' C J" . Suppose that f E J", i.e., f(X, Y) vanishes at the six
points (xi , Yi) = ( 1 , (), ( 1 , (), ((, 1), ((, (), ( ( , 1), and (( , (). Modulo J' we can
reduce f(X, Y) to the form aXY 2 + bXY + cY 2 + dX + eY + h. Substituting
(X, Y) = (x, Yi) for i = 1 , 2, 3 , 4, 5, 6, we obtain six linear homogeneous equations
in the six unknown coefficients a, b, c, d, e, h. Show that the determinant is nonzero,
and hence a = b = c = d = e = f = 0.
6. Catherine reduces the ciphertext c modulo G ' to get c m', where denotes
"modulo the ideal J" and m' cannot be further reduced modulo G' . Since c m,
it follows that m' - m E J. Note that m cannot be further reduced modulo G ' ,
since each lt(g;) is divisible by lt(gj ) for some gj E G. Hence m' - m = 0.
7. (a) Modulo the ideal generated by B 1 (see Example 3.2a) one can write b =
l: v E V Cv = l: v EV Cv (l: u EN[ v ] tu) = l: u EV ctu. (b) Regard the equations c =
l: u EN[v J Cu as a system of linear equations in the unknowns Cu.
8. (a) Same as 7(b). (c) In that case m = 2:: Cv = r l 2:: c .
9. In 3-Coloring start with a set of dots labeled 1 , 2, or 3 at random. Draw
random edges between pairs of vertices, never connecting two vertices with the
same label. Then make another copy of the graph with the labels removed. In
Perfect Code start with a set of dots that will be your solution V'; then draw
several line segments emanating from each vertex. The outer endpoints of these

Chapter 6

1 87

lines will be the vertices in V \ V'. Finally, draw a bunch of additional edges
between the different outer endpoints; and make another copy of the graph that
has no indication of the location of the original vertices.
10. (a) Let p, correspond to ti, let p, correspond to ti - 1 , and let V corresp ond to
multiplication of polynomials. Let T correspond to 0 and F correspond to 1 . Then
any truth assignment that makes all of the clauses true corresponds to a fllnction
{ ti } ---> {0, 1 } that makes all of the corresponding polynomials vanish. It is easy
to see that if a point at which all the polynomials vanish has a coordinate that is
not 0 or 1, then that coordinate can be replaced by 0 or 1 without affecting the
vanishing of the polynomials; in this way one gets a point that corresponds to a
truth assignment map on the {pi}. (b) Throw in the polynomials tf - ti for all i,
thereby forcing the coordinates of points in the zero set to be 0 or 1.
1 1 . Cathy chooses a random permutation 1r of the indices i, and for each i chooses
an element c;' E J. She then sets c; = c1r (i ) + c ( i ) Here the <' should be chosen
so as to cancel many of the terms in c, and change the degrees of some of the
ciphertext polynomials, so that the set of ciphertext { c; } does not look much like
the set {c, } . After Alice sends her the m;, Cathy immediately finds mi = m-'Cil.

4. 1 . Let p range through all prime numbers less than N, and for each p choose
an irreducible polynomial qp(tp) of degree p over IF', where T = {tp}p<N is the
set of variables. Let c = 1 in the Ideal Membership problem. The input length
is proportional to l: P N2 / 1n N. (See the Prime Number Theorem in 1 of
Chapter 2. If you choose qP to be sparse - namely, to have O(ln N) nonzero terms
- then the input length is O(N).) On the other hand, the extension degree of the
field generated by a common zero ( . . . , Yp, . . . ) is f1 p, which is of magnitude eN .
Chapter 6

1. 1 . (a) Let Y --t Y - ( a 1 X + a3 ) / 2 to get Y 2 on the left.

(b) Let X --t X - a 3 ja1 To reduce to the case when a 1 = 1, replace X by aiX
and Y by aiY, and then divide the entire equation by a.
2. Let f(X) be the cubic on the right in ( 1 ), and let X be any root of r ex) =
X 2 + a4 . Let y be a square root of f(x). Then (x, y) is a point on the curve that
satisfies (2).
3. (a) Let f(X) be the cubic on the right. The Y -partial is zero at a point (x, y)
when y = 0, i.e., f(x) = 0; and the X-partial is zero when f ' (x) = 0. But
f(x) = f ' (x) = 0 has a solution if and only if f(X) has a multiple root.
(b) If a 1 = 0 and a 3 f. 0, then it is always smooth, because the Y -partial is the
constant a 3 . If a 1 f. 0 and a3 = 0, then it is smooth unless a6 = (a4 jad. If a 1 f. 0,
then to get rid of a4 replace Y by Y + a4 /ar ; if a 3 f. 0, then to get rid of a2
replace Y by Y + eX where c2 = a2 .
4. You want to prove that (P + Q) + R = P + (Q + R). Take the general case (where
P, Q, and R are not collinear, are not negatives of one another, and are not the
point at infinity). Let 1 1 be the line through P, Q, and -(P + Q); let 1 2 be the line

1 88

Answers to Exercises

through 0, R, and -R; and let 1 3 be the line through -P, -(Q + R), and a third
point S = P + (Q + R). Let z; be the line through Q. R and -(Q + R); let l be the
line through 0, P, and -P; and let l be the line through -R, -(P + Q) and a
third point S' = (P + Q) + R. Conclude that S = S ', i.e., P + (Q + R) = (P + Q) + R.
5 . Over IC there are always n2 points P such that nP = 0; over R there are n
when n is odd, and there are either n or 2n when n is even, depending on whether
the curve has 1 or 2 connected components, respectively. (The curve Y 2 = X 3 - X
is an example with 2 connected components, and the curve Y 2 = X 3 + X is an
example with 1 .)
6. (a) P is on the x-axis; (b) P is an inflection point; (c) P is a point where a
line from an x-intercept of the curve is tangent to the curve.
7. P + Q = (6, 0), 2P = C , - ). 8. (a) 3; (b) 4; (c) 7.
9. In order to work only with integers, we can use projective coordinates (X, Y, Z)
(also called "homogeneous coordinates"). Given a rational point (x, y), choose
projective coordinates that are relatively prime integers (this determines those
coordinates up to 1). Then instead of a bound on the denominator of the x
coordinate of a point, it suffices to find a bound on the maximum projective
coordinate. When the equations (5) for doubling a point are written in terms
of projective coordinates, one obtains x3 , Yj , z3 as fourth degree polynomials in
X1 , Y1 , Z1 . This gives a bound of the form 0(4 k ) for the logarithm of the maximum
of the projective coordinates of 2 k P. To put it another way, the denominator of
the x-coordinate of nP might grow as rapidly as eCn2) (here n = 2 k ).
10. Use Exercise 3 to prove smoothness. To show that N1 = q + 1 in (a), note that
if x =f. 0, 1 , then for exactly one of the pair x the expression x 3 - x will have
two square roots in lFq (this is because - 1 is a non-square in lF ); in (b) note that
any element of lF q - in particular, y 2 + y for any y - has exactly one cube root.
Finally,
r
;
Nr - qqr ++ 11 -, 2( -q) r / 2 , rr odd
even .
1 1 . (a) If P = (x, y), then -P = (x, y + 1 ) and 2P = (x4 , y4 + 1).
(b) Use part (a) t o find that 4 P = (x 1 6 , y 1 6 ) = ( x , y) = P .
(c) B y part (b), w e have 2 P = -P , i.e., (x4 , y4 + 1 ) = ( x , y + 1 ); but this means
that x4 = x and y4 = y, so that x, y E JF4 . By Hasse's theorem, the number N of
points is within 2.J4 = 4 of 5 and is within 2-/16 = 8 of 17; hence, N = 9.
12. Both over lF2 and lF3 there is no solution to the equation, so the only point
is the point at infinity. The numerator of the zeta-function is 1 - 2T + 2T2 and
1 - 3T + 3T2, respectively. Nr is the square of the complex absolute value of
( 1 + i? - 1 and ( 1 + w? - 1 , respectively, where w = ( - 1 + i-/3)/2.
13. Y2 + Y = X 3 + a, where a E lF4 , a =f. 0, 1. Nr = (2r - 1) 2 Finally, for
r
P = (x, y) we have 2P = (x4 , y4 ), and so 2r P = (x4 , y4r ) = (x, y) = P.
14. See Example 3.5 of Chapter 2 (modular exponentiation).
1 5 . Let ao = 2, a 1 = a, and ar = ar + a r . Then Nr = q r + 1 - ar and ar+I =
_

aar - qar - I

Chapter 6

1 89

16. Let Na,r = #Ea CJF'zr ). Then Na, l = 3 + ( - 1 ) a and Z(Ea /IFz ; T) = ( 1 + ( - 1 ) a T +
2T2) / ( 1 - T)( 1 - 2T). We have: No,s = 4 1 1 , No,? = 4 2 9, No,13 = 4 2003 ;
N1 ,3 = 2 7, N1 ,s = 2 1 1 , N1 ,1 = 2 7 1 , N1 , 1 1 = 2 99 1 .
17. A point of order 2 exists on a curve in the form ( 1 ) if and only if y =
-a1x - a 3 - y for some (x, y) on the curve.
1
2. 1 . (a) If x is Alice's secret key, then u 1 P + u2 Q = (u1 + u2 x)P = s- (H(m) +
xr)P = kP. (b) No one knows any way to find (r, s) without knowing k and x,
that is, without either being Alice or finding discrete logs on the elliptic curve.
See also Exercise 2 at the end of Chapter 1 .
3
2 . In the case of the elliptic curve Y2 = f(X) = X - X over IF q with q = 3 (mod
4), let x E IFq correspond to the message m. Note that precisely one of the pair
f(x), - f(x) is a square in IFq . In some convenient way choose a subset S c IF ,
#S = (q - 1 ) / 2 , such that exactly one of the pair y belongs to S for each y E IF; .
If f(x) = 0, imbed m as the point (x, 0). Otherwise, imbed m as the point (x, y)
if f(x) is a square and as the point ( -x, -y) if j(x) is not a square, where y is
chosen to be the unique square root of f(x) (or -f(x) = J(-x)) that is in S. In
the case of the curve Y2 + Y = X 3 , let y E lF q correspond to the message m. If
y = 0 or - 1 , imbed m as the point (0, y); otherwise set x = (y2 + y)CZ - q) / 3 , in
which case (x, y) is a point on E. In the case of an arbitrary elliptic curve, choose
a subset So c IFq and a small subset S1 c IF q such that every element of IFq can
be written in at most one way as a sum of an element of S0 and an element of S 1 .
For example, if q = p and IFq is a prime field, we might choose S 1 to consist of the
integers 0, 1 . . . , 2 k - 1 and So to consist of 0, 2 k , 2 2 k , 3 2 k , . . . , ( [2- k p] - 1 ) 2 k .
We let a message correspond to an element x0 E S0, and then add x1 to x0 for
various x1 E S1 until we obtain a value x = x0 + x1 such that f(x) is a square in
IFq . At that point we can use a probabilistic algorithm to find a square root y of
f(x) (see 1 .8), and we can imbed m as the point (x, y).
3. (a) If u is such a solution, then Tr(z) =Tr(u 2 )+Tr(u) = 2Tr(u) = 0, and so all z
for which a solution u exists must have trace zero. Since the map u >-+ u2 + u is
2-to- 1 , its image consists of half of IFq ; hence, the image consists of all z having
trace zero. Now let z = { 101 , . . . , Er } E IF; be the vector obtained by expressing z in
terms of the basis; and let 'ii = { 7Jl , . . . , 7Jr } be the unknown vector corresponding
to a solution u of the equation u2 + u = z. Let M be the matrix (with respect to
the basis { ,81 , , ,Br }) of the squaring map, which is an IF2 -linear map on IFq
Then the equation u2 + u = z i s equivalent to the equation ( M + J)u = z , where I
is the r x r identity matrix. This equation can be solved by Gaussian elimination
over IF2 .
(b) Tr(z) = 0 if and only if an even number of components Ei are 1 . To find u,
set 1)1 = 0 and 7Ji = Ei + 7Ji - l for i = 2, 3 , . . . , r. That gives one of the solutions of
the equation u2 + u = z; the components of the other solution u + 1 are obtained
by replacing 7Ji by 1 + 1Ji , i = 1 , . . . , r.
(c) Let x be a random nonzero element of IF q In the case of equation ( 1 2) set
z = x + a2 +x-2a6, and compute the trace of z. If Tr(z) = 1 , choose a different x. If
Tr(z) = 0, then find a solution u to the equation u2 +u = z as in part (a). Set y = xu.

1 90

Answers to Exercises

Then y2 + xy = x2 (u2 + u) = x2 z = x3 + a2 x2 + a6 , so that P = (x, y) is a point on

the curve ( 1 2). In the case of equation ( 1 3) set z = a:J 2 (x3 + a4 x + a6 ), and compute
the trace of z . If Tr(z) = 1 , choose a different x. If Tr(z) = 0, then find u such
that u2 + u = z, and set y = a3 u. Then y2 + a 3 y = a(u2 + u) = az = x 3 + a4 x + a6 ,
as desired.
4. For any elliptic curve ( 1 2) over IFq , the number N = #E(IFq ) is an even number
in the interval q + 1 - 2ylq < N < q + 1 + 2ylq. For each such N, use Exercise 1 5
of 1 to rapidly compute the corresponding Nf . Test NfIN for primality, and stop
when you find N such that Nf IN is prime. It then remains to find az , a6 E IFq such
that there are N points on the elliptic curve over IFq that is given by ( 1 2). Let a2
run through IF q and a6 run through IF . Since q is small, for each pair az , a6 E IFq
the following simple algorithm to compute N = # E(IF q ) is fast enough. First set
N = 2 (to account for the point at infinity and the point with zero x-coordinate).
Then let x run through IF . For each such x set z = x + a2 + x- 2 a6 , and compute
Tr(z). If Tr(z) = 0, increment N by 2; if Tr(z) = 1 , leave N unchanged.
5 . 0 ((In qk) 1 1 3 ) 2 0 (o n q) 2 ln q f 1 3 = O(ln q).
6. Much as in Exercise 1 1 of 3 of Chapter 5, Cathy permutes the message units
and then for each ciphertext c = (lQ, M + l(kA Q)) she randomly chooses l ' and
sets c' = (lQ + l ' Q, M + l (k A Q) + l '(k A Q)) = ((l + l ' )Q, M + (l + l ' )(kA Q)). The
tragically gullible Alice deciphers c' for Cathy, because she doesn't recognize any
connection with the ciphertext she received from Bob.

3. 1 . How often is (p + 1) I 4 prime as p ranges over primes congruent to 3 modulo

4? How often is (p+ 1 ) I 6 prime as p ranges over odd primes congruent to 2 modulo

3?

2. If you compute nP E E(Q) for n = 1, 2, . . . , you find that 1 1P has denominator

divisible by p = 2 3 . This means that, if you work modulo 23, you find that 1 1 times
the point (0, 0) on E(IF23 ) is equal to the point at infinity. Use Hasse's theorem to
conclude that (0, 0) does not generate the group E(IF23).
3. For what prime values of r is (1 + it - 1 a prime Gaussian integer?
5. 1 . Use part 3) of Theorem 5 . 1 and the fact that lai l = qr/Z.
2. In part 3) of Theorem 5. 1 , group together the a, according to which irreducible
factor ( 1 - ai T) divides.
3. Since pla1 and plaz, it follows that /' I and /'z are of the form (ap
Vbp)l2. Since ai = (/'i + Vl'f - 4p)l2, it follows that when the product Nr =
( 1 - aD( l - aj)(l - aD( l - a{) is multiplied out, all of the terms but the 1 will
be divisible by p.
4. Besides the point at infinity, solutions (x, y) of the equation come in pairs (x, y),
(x, y + 1); hence, M1 = 1 (mod 2). Show that Mz - 1 is equal to twice the number
of x E IF4 such that f(x) E IF2 , and that the latter set is either IF2 or all of IF4 . The
last assertion is proved in a manner similar to Exercise 3.
5 . Besides the point at infinity and the one point of the form (0, y), the other points
can be handled as in Exercise 4. If g = 2, show that a 1 is odd, a2 is even, and
hence N1 = P( l ) is even. Since N1 INr , Nr is also even for any r .

Appendix

191

6. Let So = 2, S ] = 'Yl Sr = a] + ar, to = 2, tl = 12 tr = Clz + a{ . Show that

Nr (q r + 1 )(q r + 1 - (s r + tr )) + sr tr and Sr+ l = 'Yl Sr - q sr- ] , tr+l = 'Y2 tr - qtr- 1
=

6. 1 . 1 1 = ( ( -2)5 - 1 )/( -2 - 1 ), so choose

(3 ) = 2 + ( + 4(2 + 2(3 . 2. Here is the table:

a = -2; J(x, x) = (2( -2 - ()( -2 -

a mod 1 0 2
3
4
5
6
( k
(4 - (3 - (5 ( -( 6 (2
Appendix
4. ( 1 , 1 ) + ( 1 , 5) + 2(2, 2) + 2(2 , 3) + 4(6, 4) - l Ooo. 5 . Div(u7 + 2u6 + Su5
3u3 + 6u2 + Su + 3 , 6u6 + 4u5 + 6u4 + 2u3 + 5u2 + 3u + 3).
6. D3 = Div(u2 + 6u + 5 , 4u + 1). 7. Div(u2 + u + 5, 4u + 4).

3u4 +

Bibliography

W.W. Adams, P. Loustaunau ( 1 994) : An Introduction to Grabner Bases, Amer. Math. So

ciety, Providence.
L.M. Adleman ( 1 979): A subexponential algorithm for the discrete logarithm problem with
applications to cryptography, Proc. 20th IEEE Symp. Foundations of Computer Science,
55-60.
L.M. Adleman, J. DeMarrais ( 1 993): A subexponential algorithm for discrete logarithms
over all finite fields, Math. Camp. 61, 1-15.
L.M. Adleman, J. DeMarrais, M.-D. Huang ( 1 994) : A subexponential algorithm for discrete
logarithms over the rational subgroup of the jacobians of large genus hyperelliptic curves
over finite fields, Algorithmic Number Theory, Lect. Notes Comp. Sci. 877, S pringer
Verlag, 28-40.
L.M. Adleman, M.-D. Huang ( 1 992) : Primality Testing and Abelian Varieties over Finite
Fields, Lect. Notes Math. 1512, Springer-Verlag.
L.M. Adleman, M.D. Huang ( 1 996): Counting rational points on curves and abelian varieties
over finite fields, in Henri Cohen, ed. , Algorithmic Number Theory, Proc. Second Intern.
Symp., ANTS-II, Springer-Verlag, 1-16.
L.M. Adleman, C. Pomerance, R.S. Rumely ( 1 983): On distinguishing prime numbers from
composite numbers, Annals Math. 117, 173-206.
G.B. Agnew, R.C. Mullin, S.A. Vanstone ( 1 993): An implementation of elliptic curve
cryptosystems over lF21ss , IEEE Journal on Selected Areas in Communications 11, 804813.
A.O.L. Atkin ( 1 99 1) : The number o f points o n an elliptic curve modulo a prime, unpublished
manuscript.
E. Bach ( 1 990): Number-theoretic algorithms, Annual Reviews in Computer Science 4, 1 1 21 72.
E. Bach, J. Shallit ( 1 996): Algorithmic Number Theory, Vol. 1, MIT Press.
R. Balasubramanian, N. Koblitz ( 1 998): The improbability that an elliptic curve has
subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm,
J. Cryptology 11, 1 4 1-145.
T. Becker, V. Weispfenning ( 1 993): Grabner Bases: A Computational Approach to Com
mutative Algebra, Springer-Verlag.
S. Ben-David, B. Chor, 0. Goldreich, M. Luby ( 1 989): On the theory of average case
complexity, Proc. 21st ACM Symp. Theory of Computing, 204-2 16.
E.R. Berlekamp ( 1 970): Factoring polynomials over large finite fields, Math. Camp. 24,
7 1 3-735.
L. Bertrand ( 1 995): Computing a hyperelliptic integral using arithmetic in the Jacobian of
the curve, Applicable Algebra in Engineering, Communication and Computing 6, 275298.
B .J. Birch, H.P.F. Swinnerton-Dyer ( 1 963, 1 965): Notes on elliptic curves I and II, J. Reine
Angew. Math. 212, 7-25 and 218, 79-1 08 .
I. Blake, X. Gao, A. Menezes, R . C . Mullin, S . A . Vanstone, T . Yaghoobian ( 1 992 ): Appli
cations of Finite Fields, Kluwer Acad. Pub!.

1 94

Bibliography

D. Boneh, R. Lipton ( 1 996) : Algorithms for black-box fields and their applications to
cryptography, Advances in Cryptology - Crypto '96, Springer-Verlag, 283-297.
G. Brassard ( 1 979): A note on the complexity of cryptography, IEEE Trans. Infonnation
Theory 25, 232-233.
E.F. Brickell ( 1 985): Breaking iterated knapsacks, Advances in Cryptology - Crypto '84,
Spinger-Verlag, 342-358.
E.F. Brickell, A.M. Odlyzko ( 1 988): Cryptanalysis: A survey of recent results, Proc. IEEE
76, 578-593.
D. Le Brigand ( 1 99 1 ): Decoding of codes on hyperelliptic curves, Eurocode '90, Lect.
Notes Comp. Sci. 514, Springer-Verlag, 1 26- 1 34.
J. Brillhart ( 1 972): Note on representing a prime as a sum of two squares, Math. Comp.
26, 1 0 1 1 - 1 0 1 3 .
J. Brillhart, D.H. Lehmer, J.L. Selfridge, B. Tuckerman, S.S. Wagstaff, Jr. ( 1 988): Factor
izations of bn I, b
2, 3, 5, 6, 7, 10, I I , 1 2 Up to High Powers, Amer. Math. Soc.
J. Buchmann, V. Muller ( 1 99 1 ) : Computing the number of points of elliptic curves over
finite fields, presented at Intern. Symp. on Symbolic and Algebraic Computation, Bonn,
July 1 99 1 .
J . Buchmann, H.C. Williams ( 1 987): O n principal ideal testing i n algebraic number fields,
]. Symbolic Comp. 4, 1 1 - 1 9.
J. B uchmann, H.C. Williams ( 1 988): A key exchange system based on imaginary quadratic
fields, J. Cryptology 1, I 07-1 1 8 .
J. B uchmann, R . Scheidler, H . C . Williams ( 1 994): A key-exchange protocol using real
quadratic fields, J. Cryptology 7, 1 7 1- 1 99.
J. Buhler, N. Koblitz ( 1 998) : Lattice basis reduction, Jacobi sums, and hyperelliptic cryp
tosystems, Bull. Austral. Math. Soc. 57, 1 47- 1 54.
L. Caniglia, A. Galligo, J. Heintz ( 1 988): Borne simple exponentielle pour les degres dans
le theoreme des zeros sur un corps de caracteristique quelconque, C. R. Acad. Sci. Paris
307, 255-258 .
D. Cantor ( 1 987): Computing i n the jacobian o f a hyperelliptic curve, Math. Comp. 48,
95-101 .
J.W.S. Cassels ( 1 966): Diophantine equations with special reference to elliptic curves, J.
London Math. Soc. 41, 193-29 1 .
J.W.S . Cassels, E.V. Flynn ( 1 996) : Prolegomena to a Middlebrow A rithmetic of Curves of
Genus 2 , Cambridge Univ. Press.
L. Charlap, D. Robbins ( 1 988): An elementary introduction to elliptic curves I and II,
CRD Expository Reports No. 3 1 and 34, Institute for Defense Analysis, Princeton.
H. Cohen ( 1 993): A Course in Computational Algebraic Number Theory, Springer-Verlag.
D. Coppersmith ( 1 984): Fast evaluation of logarithms in fields of characteristic two, IEEE
Trans. Infonnation Theory 30, 587-594.
D. Coppersmith, A.M. Odlyzko, R. Schroeppel ( 1 986): Discrete logarithms in GF(p) ,
Algorithmica 1, 1-15.
J.-M. Couveignes ( 1 994): Quelques calcules en theorie des nombres, Thesis, Universite de
Bordeaux I.
D.A. Cox, J. Little, D. O' Shea ( 1 997): Ideals, Varieties, and Algorithms: An Introduction to
Computational Algebraic Geometry and Commutative A lgebra, 2nd ed. , Springer-Verlag.
T. Denny, 0. Schirokauer, D. Weber ( 1 996): Discrete logarithms: the effectiveness of the
index calculus method, in Henri Cohen, ed., Algorithmic Number Theory, Proc. Second
Intern. Symp., ANTS-II, Springer-Verlag, 337-36 1 .
A . Dickenstein, N . Fitchas, M . Giusti, C . Sessa ( 1 99 1 ): The membership problem for
unmixed polynomial ideals is solvable in single exponential time, Discrete Appl. Math.
33, 73-94.
M. Dickerson ( 1 989): The functional decomposition of polynomials, Ph.D. Thesis, Depart
ment of Computer Science, Cornell University.
=

Bibliography

1 95

L.E. Dickson ( 1 952): History of the Theory of Numbers. Volume 2. Diophantine A nalysis,
Chelsea.
W. Diffie, H. Fell ( 1 986): Analysis of a public key approach based on polynomial substi
tutions, Advances in Cryptology - Crypto '85, Springer-Verlag, 340-349.
W. Diffie, M.E. Hellman ( 1 976): New directions in cryptography, IEEE Trans. Info rmation
Theory 22, 644-654.
Do Long Van, A. Jeyanthi, R. Siromoney, K.G. Subramanian ( 1 988): Public key cryptosys
tems based on word problems, ICOMIDC Symp. Math. of Computation, Ho Chi Minh
City, April 1988.
Y. Driencourt, J. Michon ( 1 987): Elliptic codes over a field of characteristic 2, J. Pure
Appl. Algebra 45, 1 5-39.
T. E!Gamal ( 1 985a) : A public key cryptosystem and a signature scheme based on discrete
logarithms, IEEE Trans. Information Theory 31, 469-472.
T. ElGamal ( 1 985b ): A subexponential-time algorithm for computing discrete logarithms
over GF(p2 ), IEEE Trans. Information Theory 31, 473-48 1 .
G . Failings ( 1 995): The proof of Fermat's Last Theorem by R . Taylor and A . Wiles, Notices
of the Amer. Math. Soc. 42, 743-746.
J. Feigenbaum, S. Kannan, N. Nisan ( 1 990): Lower bounds on random-self-reducibility
(extended abstract), Fifth Annual Structure in Complexity Theory Conference, IEEE
Comput. Soc. Press, 1 00-109.
J. Feigenbaum, R. Lipton, S .R. Mahaney ( 1 989): A completeness theorem for almost
everywhere invulnerable generators, Technical Memorandum, AT&T Bell Laboratories.
M.R. Fellows, N. Koblitz ( 1 993): Kid Krypto, Advances in Cryptology - Crypto '92,
Springer-Verlag, 37 1-389.
M.R. Fellows, N. Koblitz ( 1 994a): Combinatorially based cryptography for children (and
adults), Congressus Numerantium 99, 9-4 1 .
M.R. Fellows, N . Koblitz ( 1 994b): Combinatorial cryptosystems galore ! , Contempora ry
Math. 168, 5 1-6 1 .
G . Frey, H . Riick ( 1 994): A remark concerning m-divisibility and the discrete logarithm
in the divisor class group of curves, Math. Camp. 62, 865-874.
W. Fulton ( 1 969): Algebraic Curves, Benjamin.
M.R. Garey, D.S. Johnson ( 1 979): Computers and Intractability: A Guide to the Theory
of NP-Completeness, W.H. Freeman & Co.
J. von zur Gathen ( 1 990a): Functional decomposition of polynomials: the tame case, ].
Symbolic Camp. 9, 28 1-299.
J. von zur Gathen ( 1 990b): Functional decomposition of polynomials: the wild case, J.
Symbolic Camp. 10, 437-452.
G. van der Geer ( 1 99 1 ) : Codes and elliptic curves, in Effective Methods i n Algebraic
Geometry, Birkhauser, 1 59-168.
G. van der Geer, J. van Lint ( 1 988): Introduction t o Coding Theory and Algebraic Geometry,
Birkhauser.
M. Giusti ( 1 984): Some effectivity problems in polynomial ideal theory, EUROSAM 84:
Proc. Intern. Symp. on Symbolic and A lgebraic Computation, Cambridge, England,

Springer-Verlag, 1 59-1 7 1 .
S . Goldwasser, J . Kilian ( 1 986): Almost all primes can be quickly certified, Proc. 1 8th
ACM Symp. Theory of Computing, 3 16-329.
S. Goldwasser, S. Micali ( 1 982): Probabilistic encryption and how to play mental poker
keeping secret all partial information, Proc. 14th ACM Symp. Theory of Computing, 365377.
S . Goldwasser, S. Micali ( 1 984): Probabilistic encryption, J. Comput. System Sci. 28, 270299.
S. Golomb ( 1 982): Shift Register Sequences, 2nd ed. , Aegean Park Press.
D.M. Gordon ( 1 993) : Discrete logarithms in GF(p) using the number field sieve, SIAM
J. Discrete Math. 6, 1 24-138.

1 96

Bibliography

D.M. Gordon ( 1 995) : Discrete logarithms in GF(pn ) using the number field sieve, preprint.
D.M. Gordon, K. McCurley ( 1 993): Massively parallel computation of discrete logarithms,
Advances in Cryptology - Crypto '92, Springer-Verlag, 3 1 2-323.
L. Goubin, J. Patarin ( 1 998a): Trapdoor one-way permutations and multivariate polynomials,
to appear.
L. Goubin, J. Patarin ( l 998b): A new analysis of Matsumoto-Imai like cryptosystems, to
appear.
P. Guan ( 1 987): Cellular automaton public-key cryptosystem, Complex Systems 1, 5 1-56.
R. Gupta, M.R. Murty ( 1 986): Primitive points on elliptic curves, Compositio Math. 58,
1 3-44.
R.K. Guy ( 1 98 1 ) : Unsolved Problems in Number Theory, Springer-Verlag.
G. Harper, A. Menezes, S.A. Vanstone ( 1 993): Public-key cryptosystems with very small
key lengths, Advances in Cryptology - Eurocrypt '92 , Springer-Verlag, 1 63-173.
M.E. Hellman, R.C. Merkle ( 1 978): Hiding information and signatures in trapdoor knap
sacks, IEEE Trans. Information Theory 24, 525-530.
M.E. Hellman, S. Pohlig ( 1 978): An improved algorithm for computing logarithms over
GF(p) and its cryptographic significance, IEEE Trans. Information Theory 24, 1 06-1 10.
M.E. Hellman, J.M. Reyneri ( 1 983): Fast computation of discrete logarithms in GF(q),
Advances in Cryptology - Crypto '82, Plenum Press, 3-13.
LN. Herstein ( 1 975): Topics i n Algebra, 2nd ed. , Wiley.
L.S. Hill ( 1 93 1 ): Concerning certain linear transformation apparatus of cryptography, Amer.
Math. Monthly 38, 1 35-154.
M.-D. Huang, D. Ierardi ( 1 994): Efficient algorithms for the effective Riemann-Roch
problem and for addition in the Jacobian of a curve, 1 Symbolic Comp. 18 , 5 1 9-539.
D. Husemiiller ( 1 987): Elliptic Curves, Springer-Verlag.
D.T. Huynh ( l 986a): A superexponential lower bound for Grabner bases and Church-Rosser
commutative Thue systems, Information and Control 68, 196-206.
D.T. Huynh ( 1 986b): The complexity of the membership problem for two subclasses of
polynomial ideals, SIAM J. Comput. 15, 58 1-594.
H. Imai, T. Matsumoto ( 1 985): Algebraic methods for constructing asymmetric crypto
systems, Algebraic Algorithms and Error- Correcting Codes, Proc. Third Intern. Conf,
Grenoble, France, Springer-Verlag, 108-1 19.
H. lmai, T . Matsumoto ( 1 989): Public quadratic polynomial-tuples for efficient signature
verification and message-encryption, Advances in Cryptology - Eurocrypt '88, Springer
Verlag, 4 1 9-453 .
R. Impagliazzo ( 1 995): A personal view o f average-case complexity, IEEE Trans. Infor
mation Theory, 1 34-147.
K. Ireland, M.l. Rosen ( 1 990) : A Classical Introduction t o Modem Number Theory, 2nd
ed. , Springer-Verlag.
D.S. Johnson ( 1 990): A catalog of complexity classes, in Handbook of Theoretical Computer
Science, Vol. A, Elsevier, 67- 1 6 1 .
B. Kaliski ( 1 987): A pseudorandom bit generator based o n elliptic logarithms, Advances
in Cryptology - Crypto '86, Springer-Verlag, 84-103.
B . Kaliski ( 1 99 1 ): One-way permutations on elliptic curves, J. Cryptology 3, 1 87-1 99.
J. Kari ( 1 992): Cryptosystems based on reversible cellular automata, unpublished manuscript.
D.E. Knuth ( 1 973): The A rt of Computer Programming. Vol. 3, Addison-Wesley.
D.E. Knuth ( 1 98 1 ): The A rt of Computer Programming. Vol. 2, 2nd ed., Addison-Wesley.
K. Kobayashi, Y. Nemoto, K. Tamura ( 1 990): Public key cryptosystem using multivariate
polynomials, Proc. Symp. on Cryptography and Information Security, Nihondaira, Japan.
N. Koblitz ( 1 987): Elliptic curve cryptosystems, Math. Comp. 48, 203-209.
N. Koblitz ( 1 988): Primality of the number of points on an elliptic curve over a finite
field, Pacific 1 Math. 131, 1 57- 1 65 .
N. Koblitz ( 1 989): Hyperelliptic cryptosystems, 1 Cryptology 1, 1 39- 1 50.

Bibliography

1 97

N. Koblitz ( 1 990) : A family of jacobians suitable for discrete log cryptosystems, Advances
in Cryptology - Crypto '88, Springer-Verlag, 94-99.
N. Koblitz ( l 99 l a): Constructing elliptic curve cryptosystems in characteristic 2, A dvances
in Cryptology - Crypto '90, Springer-Verlag, 156- 167.
N. Koblitz ( 1 99 l b): Elliptic curve implementation of zero-knowledge blobs, J. Cryp tology
4, 207-2 1 3 .
N. Koblitz ( l 99 l c): Jacobi sums, irreducible zeta-polynomials, and cryptography, Canadian
Math. Bull. 34, 229-235.
N . Koblitz ( 1 992): CM-curves with good cryptographic properties, Advances in Cryptology
- Crypto '91 , Springer-Verlag, 279-287.
N. Koblitz ( 1 993): Introduction to Elliptic Curves and Modular Forms, 2nd ed. , SpringerVerlag.
N. Koblitz ( 1 994) : A Course in Number Theory and Cryptography, 2nd ed., Springer-Verlag.
N. Koblitz ( 1 997) : Cryptography as a teaching tool, in Cryptologia 21, 3 1 7-326.
N. Koblitz, A. Menezes, S.A. Vanstone ( 1 998): The state of elliptic curve cryptography,
to appear in Designs, Codes and Cryptography.
P. Kocher ( 1 996): Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and
other systems, Advances in Cryptology - Crypto 96, Springer-Verlag, 104-1 1 3 .
J. Kollar ( 1 988): Sharp effective Nullstellensatz, J. Amer. Math. Soc. 1, 963-975 _
K . Koyama, U . Maurer, T. Okamoto, S.A. Vanstone ( 1 993): New public-key schemes based
on elliptic curves over the ring Zn , Advances in Cryptology - Crypto '91 , Springer
Verlag, 252-266.
L. Kucera, S. Micali ( 1 988): Cryptography and random graphs, unpublished manuscript.
B. LaMacchia, A.M. Odlyzko ( 1 99 1 ) : Computation of discrete logarithms in prime fields,
Designs, Codes and Cryptography 1, 47-62.
S. Lang ( 1 978): Cyclotomic Fields, Springer-Verlag.
S. Lang ( 1 984) : Algebra, 2nd ed., Addison-Wesley.
G. Lay, H. Zimmer ( 1 994): Constructing elliptic curves with given group order over large
finite fields, Algorithmic Number Theory, Lect. Notes Camp. Sci. 877, Springer-Verlag,
250-263 .
F. Lehmann, M. Maurer, V. Miiller, V. Shoup ( 1 994): Counting the number of points on
elliptic curves over finite fields of characteristic greater than three, Algorithmic Number
Theory, Lect. Notes Camp. Sci. 877, Springer-Verlag, 60-70.
A.K. Lenstra, H.W. Lenstra, Jr. ( 1 993): The Development of the Number Field Sieve, Lect.
Notes Math. 1554, Springer-Verlag.
A.K. Lenstra, H.W. Lenstra, Jr., L. Lovasz ( 1 982): Factoring polynomials with rational
coefficients, Math. Ann. 261, 5 1 5-534.
H.W. Lenstra, Jr. ( 1 975): Euclid's algorithm in cyclotomic fields, J. London Math. Soc.
10, 457-465 .
H.W. Lenstra, Jr. ( 1 987): Factoring integers with elliptic curves, Annals Math. 126, 649673 .
H.W. Lenstra, Jr., J. Pila, C. Pomerance ( 1 993): A hyperelliptic smoothness test. I, Philos.
Trans. Roy. Soc. London 345, 397-408.
R. Lercier ( 1 996): Computing isogenies in IF2n , in Henri Cohen, ed. , Algorithmic Number
Theory, Proc. Second Intern. Symp., ANTS-II, Springer-Verlag, 1 97-2 1 2.
R. Lercier, F. Morain ( 1995): Counting the number of points on elliptic curves over finite
fields: strategies and performances, Advances in Cryptology - Eurocrypt '95, Springer
Verlag, 79-94.
R. Lercier, F. Morain ( 1 996): Counting points on elliptic curves over IF'p n using Co uveignes'
algorithm, preprint.
L. Levin ( 1 984): Problems complete in "average" instance, Proc. 1 6th ACM Symp. Theory
of Computing, 465 .
R. Lid!, H. Niederreiter ( 1 986): Introduction to Finite Fields and Their Applications,
Cambridge Univ. Press.
'

1 98

Bibliography

R. Majercik ( 1 989): The Chaldean Oracles: Text, Translation, and Commentary, E.J. Brill.
U. Maurer, S. Wolf ( 1 998): The security of the Diffie-Hellman protocol, to appear in
Designs, Codes and Crypography.

E. Mayr, A. Meyer ( 1 982): The complexity of the word problem for commutative semi
groups and polynomial ideals, Advances in Math. 46 , 305-329.
B. Mazur ( 1 977): Modular curves and the Eisenstein ideal, lnst. Hautes Etudes Sci. Publ.
Math. 47, 33-1 86.
K. McCurley ( 1 990a): The discrete logarithm problem, Cryptology and Computational Num
ber Theory, Proc. Symp. Appl. Math. 42, 49-74.
K. McCurley ( 1 990b): Odds and ends from cryptology and computational number theory,
Cryptology and Computational Number Theory, Proc. Symp. Appl. Math. 42 ( 1 990), 1 451 66.
W. Meier, 0. Staffelbach ( 1 993): Efficient multiplication on certain non-supersingular
elliptic curves, Advances in Cryptology - Crypto '92 , Springer-Verlag, 333-344.
A. Menezes ( 1 993): Elliptic Curve Public Key Cryptosystems, Kluwer Acad. Pub!.
A. Menezes, T. Okamoto, S.A. Vanstone ( 1 993): Reducing elliptic curve logarithms to
logarithms in a finite field, IEEE Trans. Information Theory 39, 1 639- 1 646.
A. Menezes, P. van Oorschot, S.A. Vanstone ( 1 996): Handbook of Applied Cryptography,
CRC Press.
A. Menezes, S .A. Vanstone ( 1 990): The implementation of elliptic curve cryptosystems,
Advances in Cryptology - Auscrypt '90, Springer-Verlag, 2- 1 3 .
A . Menezes, S . A . Vanstone ( 1 993): Elliptic curve cryptosystems and their implementation,
J. Cryptology 6, 209-224.
A. Menezes, S .A. Van.stone, R.J. Zuccherato ( 1 993): Counting points on elliptic curves
over lF2 m , Math. Comp. 60, 407-420.
V. Miller ( 1 986): Uses of elliptic curves in cryptography, Advances in Cryptology - Crypto
'85, Springer-Verlag, 4 1 7-426.
J.S. Milne ( 1 986a): Abelian varieties, in G. Cornell and J.H. Silverman, eds., Arithmetic
Geometry, Springer-Verlag, 1 03-150.
J.S. Milne ( 1 986b): Jacobian varieties, in G. Cornell and J.H. Silverman, eds., Arithmetic
Geometry, Springer-Verlag, 1 67-2 1 2.
H.M. Moller, F. Mora ( 1 984) : Upper and lower bounds for the degree of Gri:ibner bases,
EUROSAM 84: Proc. Intern. Symp. on Symbolic and Algebraic Computation, Cambridge,

Springer-Verlag, 1 72- 1 83 .
T. Mora e t al. [pseudonyms Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, R.F. Ree]
( 1 993): Why you cannot even hope to use Gri:ibner bases in public key cryptography:
An open letter to a scientist who failed and a challenge to those who have not yet failed,
unpublished manuscript.
F. Morain ( 1 99 1 ): Building cyclic elliptic curves modulo large primes, Advances in Cryp
tology - Eurocrypt '91 , Springer-Verlag, 328-336.
L.J. Mordell ( 1 922): On the rational solutions of the indeterminate equations of the third
and fourth degrees, Proc. Camb. Phil. Soc. 21, 1 79-1 92.
V. Miiller, S.A. Vanstone, R. Zuccherato ( 1 998): Discrete logarithm based cryptosystems
in quadratic function fields of characteristic 2, Designs, Codes and Cryptography 14,
1 59- 178.
R. Mullin, I. Onyszchuk, S.A. Vanstone, R. Wilson ( 1 988/1989): Optimal normal bases in
GF(pn ), Discrete Appl. Math. 22, 149-16 1 .
D . Mumford ( 1 984): Tata Lectures on Theta /1, Birkhliuser.
P.S . Novikov ( 1 955): On the algorithmic unsolvability of the word problem in group theory,
Trudy Mat. Inst. im. Steklova 44, 1 - 1 43.
A.M. Odlyzko ( 1 985): Discrete logarithms in finite fields and their cryptographic signifi
cance, Advances in Cryptology - Eurocrypt '84, Springer-Verlag, 224--3 14.
England,

Bibliography

1 99

A.M. Odlyzko ( 1 990): The rise and fall of knapsack cryptosystems, Cryp tology an.d Com
putational Number Theory, Proc. Symp. Appl. Math. 42, 75-88.
A.M. Odlyzko ( 1 995): The future of integer factorization, CryptoBytes 1 , No. 2, 5- 12.
S . O'Malley, H. Orman, R. Schroeppel, 0. Spatscheck ( 1 995) : Fast key exchange with
elliptic curve systems, Advances in Cryptology - Crypto 95 Springer-Verlag, 43-56.
C.H. Papadimitriou ( 1 994) : Computational Complexity, Addison-Wesley.
J. Patarin ( 1 995): Cryptanalysis of the Matsumoto and Imai public key scheme of Eurocrypt
' 88, Advances in Cryptology - Crypto 95 , Springer-Verlag, 248--26 1 .
J. Patarin ( 1 996a): Hidden fields equations (HFE) and isomorphisms o f polynomials (IP):
two new families of asymmetric algorithms, Advances in Cryptology - Eurocrypt '96,
Springer-Verlag, 3 3-48.
J. Patarin ( l 996b): Asymmetric cryptography with a hidden monomial, Advances in Cryp
tology - Crypto '96, Springer-Verlag, 45-60.
M. Petersen ( 1 994): Hyperelliptic cryptosystems, Technical Report, Univ. Aarhus, Denmark.
J. Pila ( 1 990) : Frobenius maps of abelian varieties and finding roots of unity in finite
fields, Math. Camp. 55, 745-763.
J. Pollard ( 1 97 8) : Monte Carlo methods for index computation mod p , Math. Comp. 32,
9 1 8-924.
B. Poonen ( 1 996) : Computational aspects of curves of genus at least 2, in Henri Cohen,
ed., Algorithmic Number Theory, Proc. Second Intern. Symp., ANTS-II, Springer-Verlag,
283-306.
G. Purdy ( 1 974): A high-security log-in procedure, Communications of the ACM 17,
442-445.
M.O. Rabin ( 1 980): Probabilistic algorithms for testing primality, J. Number Theory 12 ,
1 28-1 38.
K. Ribet ( 1 990): On modular representations of Gal(Q , IQI ) arising from modular forms,
Invent. Math. 100, 43 1 -476.
R. Rivest ( 1 990): Cryptography, in Handbook of Theoretical Computer Science, Vol. A,
Elsevier, 7 1 7-755.
R. Rivest, A. Shamir, L.N. Adleman ( 1 978): A method for obtaining digital signatures and
public-key cryptosystems, Communications of the ACM 21 , 1 20- 126.
H.E. Rose ( 1 994): A Course in Number Theory, 2nd ed., Clarendon Press.
K. Rosen ( 1 993): Elementary Number Theory and Its Applications, 3rd ed., Addison-Wesley.
R. Scheidler, A. Stein, H.C. Williams ( 1 996): Key-exchange in real quadratic congruence
function fields, Designs, Codes and Cryptography 7, 1 53-1 74.
R. Scheidler, H.C. Williams ( 1 995): A public-key cryptosystem utilizing cyclotomic fields,
Designs, Codes and Cryptography 6, l l7-1 3 l .
0. Schirokauer ( 1 993): Discrete logarithms and local units, Philos. Trans. Roy. Soc. London
345, 409-423.
C.P. Schnorr ( 1 99 1 ) : Efficient signature generation by smart cards, J. Cryptology 4, 1611 74.
R. Schoof ( 1 985): Elliptic curves over finite fields and the computation of square roots
mod p, Math. Camp. 44, 483-494.
R. Schoof ( 1 987): Nonsingular plane cubic curves, J. Combinatorial Theory, Ser. A 46,
1 83-2 1 1 .
E. Seah, H.C. Williams ( 1 979): Some primes of the form (an - 1 )/(a - 1), Math. Camp.
33, 1 337-1 342.
A.L. Selman ( 1 988): Complexity issues in cryptography, Computational Complexity Theory,
Proc. Symp. Appl. Math. 38, 92-107 .
A . Sharnir ( 1 984): A polynomial time algorithm for breaking the basic Merkle-Hellman
cryptosystem, IEEE Trans. Information Theory 30 , 699-704.
A. Shamir ( 1 992) : IP=PSPACE, Journal of the ACM 39, 869-877.
D. Shanks ( 1 972): Five number-theoretic algorithms, Congressus Numerantium 7, 5 1-70.
D. Shanks ( 1 985): Solved and Unsolved Problems in Number Theory, 3rd ed. , Chelsea.
'

'

Bibliography

200

C.E. Shannon ( 1 949): Communication theory of secrecy systems, Bell Syst. Tech. J. 28,
656--7 1 5 .
J. Silverman ( 1 986): The Arithmetic of Elliptic Curves, Springer-Verlag.
J. Silverman ( 1 994): Advanced Topics in the Arithmetic of Elliptic Curves, Springer-Verlag.
J. Solinas ( 1 997) : An improved algorithm for arithmetic on a family of elliptic curves,
Advances in Cryptology - Crypto '97, Springer-Verlag, 357-37 1 .
J . Tate ( 1 965): Algebraic cycles and poles of zeta functions, Proc. Purdue Conf, i 963,
93-1 10.
R. Taylor, A. Wiles ( 1995): Ring-theoretic properties of certain Heeke algebras, Annals
Math. 141, 553-572.
J. Tunnell ( 1 983): A classical Diophantine problem and modular functions of weight 3/2,
invent. Math. 72, 323-334.
P. van Oorschot ( 1 992) : A comparison of practical public-key cryptosystems based on inte
ger factorization and discrete logarithms, in G. Simmons, ed., Contemporary Cryptology:
The Science of information Integrity, IEEE Press, 289-322.
P. van Oorschot, M. Wiener ( 1 994) : Parallel collision search with application to hash func
tions and discrete logarithms, Proc. 2nd ACM Conf. on Computer and Communications
Security, Fairfax, Virginia, 2 1 0-2 1 8 .
P. van Oorschot, M. Wiener ( 1 998): Parallel collision search with cryptanalytic applications,
to appear in J. Cryptology.
E. Volcheck ( 1 994): Computing in the Jacobian of a plane algebraic curve, Algorithmic
Number Theory, Lect. Notes Comp. Sci. 877, Springer-Verlag, 22 1-233.
W. Waterhouse ( 1 969): Abelian varieties over finite fields, Ann. Sci. Ecole Norm. Sup. 2,
521-560.
D. Weber ( 1 996): Computing discrete logarithms with the general number field sieve, in
Henri Cohen, ed. , Algorithmic Number Theory, Proc. Second Intern. Symp., ANTS-II,
Springer-Verlag, 391-403.
A. Wei! ( 1 949): Numbers of solutions of equations in finite fields, Bull. A m e r. Math. Soc.
55, 497-508.
E.P. Wigner ( 1 960) : The unreasonable effectiveness of mathematics in the natural sciences,
Comm. Pure Appl. Math. 13, 1-14.
A. Wiles ( 1 995): Modular elliptic curves and Fermat's Last Theorem, Annals Math. 141,
443-55 1 .
H.S. Wilf ( 1 984): Backtrack: An 0( 1 ) expected time graph coloring algorithm, Inform.
Process Lett. 18 , 1 1 9- 1 22.
M.V. Wilkes ( 1 968): Time-Sharing Computer Systems, Elsevier.
S. Wolfram ( 1 986): Cryptography with cellular automata, Advances in Cryptology - Crypto
85 Springer-Verlag, 429-432.
'

Subj ect Index

p-function 1 22
r-Regular Graph 1 10
3-Coloring 1 06
- problem 34, 35
Abelian Group 56
Addition
- on elliptic curve 1 1 8
- on hyperelliptic jacobian 145
- time estimate 25
Affine
- plane 1 2 1
- space 85
Algebraic
- closure 55
- element 54
- geometry 69
- - arithmetic 16
Algebraically Closed 55
Algorithm 27
- deterministic 37
- probabilistic 45
- randomized 45
Arithmetic Algebraic Geometry 1 6
Arthur-Merlin Protocol 5 1
Asymptotically Equal 1 9
Attack
- chosen-ciphertext 5, 1 10, 1 36
- linear algebra 1 1 3
Authentication 4
Automorphism 54
Average-Case Complexity 50, 1 1 6
Baby-Step--Giant-Step
Basis
- normal 1 3 6
- o f ideal 7 0
- o f vector space 53
Big-0 1 8
Bilinear Map 92
Binary
- digit 22

1 34

- quadratic form 145

- search 36
Birch-Swinnerton-Dyer Conjecture
Bit 22
- commitment 4, 1 0
- operation 25
Boolean Circuit 1 1
BPP 47
Brassard's Theorem 103, 104
Breaking a Cryptosystem 1 3
Buchberger's Theorem 75

140

Canonical Surjection 68
Catherine
- hours on homework 1 2
- the cryptanalyst 6, 8, 80, 8 7 , 109
- the Great 3
Cellular Automaton 104
Certificate 38
- for Ideal Membership I l l
- of primality 38
- unique 49
Characteristic of Field 55
Chinese Remainder Theorem 33
- for polynomials 64, 170, 1 83
Chosen-Ciphertext Attack 5, 1 1 0, 1 36
Ciphertext 1
Clique 1 1 3
CM-Field 123
co-NP 38, 41, 104, 1 80
Coin Flip 4, 10
Collision Resistant 6
Combinatorial Cryptosystem 103
Combinatorial-Algebraic Cryptosystem
105
Complex Multiplication 123
Complexity 1 8
- average-case 50, 1 1 6
- computational 1 8
- probabilistic 45, 46
- randomized 45, 46
Compositeness Problem 46

202

Subject Index

Computational Complexity 1 8
Concealing Information 1 1
Congruent Number Problem 139
Conjugate 54
- of polynomial function on C 159
Coordinate Ring 1 59
Cracking Problem 13, 44, 1 04
- for Polly Cracker 106
Cryptanalysis 1 3
- o f Little Dragon 92
Cryptography 1
- impractical 1 6
- practical 1 3
Cryptosystem
- combinatorial-algebraic 1 03
- elliptic curve 1 3 1
- hyperelliptic 148
- Imai-Matsumoto 80
Curve
- elliptic 1 1 7
- hyperelliptic 1 44, 156
Cyclic Group 56
Decision Problem 35
Degree
- of divisor 1 44, 1 67
- of field extension 53
- of polynomial 53
- - on C 160
- total 65
Degree-lexicographical Order 7 1
Derivative 54
Deterministic
- algorithm 37
- encryption 5
Diffie-Hellman
- key exchange 8, 1 32
- one-way function 1 04
- problem 8, 43, 1 32, 1 3 3
Digital Signature Algorithm 9
- elliptic curve variant 1 34
Dimension
- of ring 70
- of vector space 53
Discrete Log Problem
- in arbitrary group 1 32
- in finite field 8, 9, 43, 103
- on elliptic curve 1 3 1 , 132, 1 42
- on hyperelliptic jacobian 148, 1 5 3
Discriminant 1 1 8, 140
Division Points 1 23
Divisor
- equivalence of 168
- norm of 1 7 1

- o f a rational function 145, 1 67

- on a curve 1 20, 144, 1 67
- principal 145, 168
- reduced 145, 1 7 1
- semi-reduced 168
- support of 168
Dominant Term 1 8
DSA 9
- elliptic curve variant 1 34
ECDSA 1 34
Efficiency 14
ElGamal
- cryptosystem 1 32, 1 36
- signature 9
Elliptic
- curve 16, 38, 1 1 7
- - complex multiplication 1 23
- - cryptosystem 1 3 1
- - digital signature algorithm 134
-- endomorphism 123
-- in characteristics 2 and 3 124
- - nonsupersingular 1 1 8, 125, 1 27, 1 3 1
- - over IC 1 2 1
- - over Q 1 24, 130
-- over lR 1 1 8
- - over finite field 1 25
- - rank 1 24
- - supersingular 1 1 8, 125, 127, 1 3 1
- function 123
Endomorphism
- of elliptic curve 123
Envelope 1 1
Equivalent Divisors 1 68
Error-Correcting Code 1 07 , 155
Euclidean Algorithm 28
- for Gaussian integers 63, 1 83
- for polynomials 63
Euler cp-Function 56
Exponential Time 14, 3 1
EXPSPACE 5 1
- -hard 5 1 , 1 1 1
Extension Field 53
Extraterrestrial Being 1 5 , 38, 48, 5 1
Fermat
- Last Theorem 1 40, 1 50, 1 83
- Little Theorem 45
- prime 30
- strong primality test 45
Fibonacci Number 23, 32
Field 53
- algebraically closed 55
- automorphism 54

Subject Index
- extension 53
- finite 55
- isomorphism 54
- prime 55
- splitting 55
Finite
- field 55
- point 1 57
Frequency Analysis 2
Function
- defined at P E C 1 60
- doubly periodic 1 20
- elliptic 123
- field 1 60
- hash 4, 6, 13, 100
- one-way 2, 3, 12, 104
- - Diffie-Hellman I 04
- - RSA 1 04
- rational
- - on C 1 60
- - pole 1 6 1
- - value at oo 1 6 1
- - value at P E C 1 60
- - zero 1 6 1
- trapdoor 3, 1 2
Fundamental Parallelogram

Height of a Point 142

Hidden Monomial 87
Hilbert
- Basis Theorem 66
- Nullstellensatz 69
- - strong 69
- - weak 69
Homogeneous
- coordinates 188
- equation 1 1 8, 1 2 1
Homomorphism 67
Hyperelliptic
- cryptosystem 148
- curve 144, 1 56
- - supersingular ! 53

1 22

Gaussian Integers 59, 63, 65, 122

Generator
- of finite field 56
- of ideal 66
Genus 1 44, 1 56
Germain, Sophie 1 37, 1 83
Grobner Basis 74
- minimal 77
- reduced 78
Graph 34
- r-regular 1 10
- coloring 34, 1 06
- Perfect Code 1 07 , 1 14
- planar 1 80
Greatest Common Divisor
- of divisors 144, 167
- of Gaussian integers 63, 1 83
- of integers 28
- of polynomials 55, 63
Ground Field 126
Group
- abelian 56
- cyclic 56
Hard-on-Average 50, 1 1 6
Hash Function 4 , 6 , 1 3 , 100
Hasse's Theorem ' 1 27

203

Ideal 65
- finitely generated 66
- maximal 66
- Membership I l l , 1 1 2, 1 87
- - Phantom 1 1 2
- nontrivial 65
- prime 66
- principal 66
- proper 65
- radical of 69, 1 1 1
- unit 65
- zero set of 68, 69, 107
Identification 4
Imai-Matsumoto Cryptosystem 80
Inclusion-Exclusion 185
Information
- concealing of I I
- theory 2
Input 30, 34
- length 1 5 , 30, 34
Instance of Problem 34
Integer Factorization Problem 14, 1 6, 3 1 ,
34-36, 40, 103
Integral Domain 65
Interaction 50
Interactive Proof System 50, 5 1
IP 50, 5 1
Isomorphism 54
Jacobi Sum 1 50
Jacobian 145, 1 68
Key
- exchange 3, 4, 8, 132
- generation 14, 1 6
- private 2
- public I , 3
Kid Krypto 17, 1 1 0

204

Subject Index

Knapsack

1 03

Lattice 1 22
Leading Term 72
Length
- of input 1 5 , 30, 34
- of number 20, 22
Lexicographical Order 7 1
Line at Infinity 1 2 1
Little Dragon 87
- cryptanalysis of 92
- with weak exponent 90
Little-o 1 9
Map Coloring 34, 42
Massively Parallel 5 1
Maximal Ideal 66
Menezes-Okamoto-Vanstone Reduction
1 3 1 , 1 36
Merkle-Hellman Knapsack 1 03
Mersenne Prime 1 38, 1 39, ! 52, 1 82
Message Unit 1
Miller's Test 45
Minimal
- Grtibner basis 77
- polynomial 54
Modular Exponentiation 29, 1 8 8
Monic Polynomial 54
Mordell Theorem 1 24
Multiplication
- time estimate 26
NC 5 1
Neighborhood i n Graph 107
Noetherian Ring 66
Non-repudiation 4, 7
Non-uniformity 5 1
Nonsupersingular 1 1 8, 125, 127, 1 3 1
Norm
- of algebraic number 54, 1 5 1
- of divisor 1 7 1
- o f polynomial function o n C 159
Normal Basis 1 36
NP 38
- -complete 40
- -equivalent 4 1
- -hard 4 1 , 103, 1 1 2
- and co-NP 38, 4 1 , 103, 105, 1 1 1 , 1 80
Nullstellensatz 69
- effective I l l
- strong 69
- weak 69
Number Field Sieve 3 1 , 1 3 3

One-Time Pad 2
One-Way Function 2, 3, 1 2, 1 04
- Diffie-Hellman 1 04
- RSA 1 04
Opposite Point 144, 1 57
Oracle 40
Order
- degree-lexicographical 7 1
- in an imaginary quadratic field 123
- lexicographical 7 1
- of an element 56
- of divisor at a point 167
- of function at a point 1 65, 1 67
- of point on elliptic curve 1 23
- of terms 7 1
Ordinary Point 157
p 37
- rfNP conjecture 39, 40, 49, 1 03, 1 80
Paper Tiger 92
Parallel 5 1
Password 2 , 4 , 1 2
Perfect Code 1 07
- Graph 1 07, 1 1 4
- Subset 1 07
PH 48
Phantom
- Ideal Membership 1 1 2
- input 1 1 2
PID 66
Plaintext
Point
- at infinity 1 17 , 1 2 1 , 144, 1 57
- finite 157
- of finite order 1 24
- opposite 1 44, 157
- ordinary 157
- singular 1 56
- special 1 57
Pole of Rational Function 1 6 1
Polly Cracker 1 05
- generalization 108
- linear algebra attack 1 1 3
Polynomial
- function on C 1 59
- hierarchy 48
- monic 54
- primitive 60
- ring 53, 65
- sparse 46, 1 1 3, 1 1 6, 1 87
Polynomial Time 1 5 , 30, 3 1 , 37
- certificate 3 8
- equivalent 4 1 , 43
- on average 50

Subject Index
- probabilistic 46
- randomized 46
Power Product 7 1
Preimage Resistant 6
Primality
- problem 37, 48
- test 3 1
- - probabilistic 45
Prime
- field 55
- ideal 66
- Mersenne 182
- Number Theorem 19, 1 87
Primitive
- in cryptography 5
- polynomial 60
Principal
- divisor 145, 1 68
- ideal 66
Private Key 2
Probabilistic
- algorithm 45
- complexity class 45, 46
- encryption 5, 1 06
- polynomial time 46
- primality test 45
Problem
- cracking 1 3 , 44
- decision 35
- instance 34
- NP-complete 40
- promise 44
- reducing one to another 39
- search 35
Product Polynomial Inequivalence
Projective
- coordinates 1 2 1 , 1 88
- equation of elliptic curve 1 2 1
- geometry 1 20
- plane 1 2 1 , 1 57
- point 1 2 1
Promise Problem 44
- phantum input 1 1 2
Protocol 4
PSPACE 5 1
Public Key I , 3
Quadratic Enciphering
Quotient Ring 68

- complexity class 45-47

- polynomial time 46
- self-reducibility 1 16
Rank
- of elliptic curve 124
Rational Function
- on C 1 60
- pole 1 6 1
- value at oo 1 6 1
- value at P E C 1 60
- zero 1 6 1
Reduced
- divisor 145, 1 7 1
- Grobner basis 78
Reduction
- of f E lF[X] modulo g 72
- of one problem to another 39
Relatively Prime 28
Repeated Squaring 29, 93
Rewrite System 1 05
Riemann Hypothesis 37, 1 29
Ring 65
- coordinate 159
- homomorphism 67
- Noetherian 66
- polynomial 53
- quotient 68
RP 46
RSA 3, 16, 43, 104

46

97

Rabin's Probabilistic Primality Test

Radical 69, I l l
Random
- algorithm 45

205

45

S-Polynomial 75
Satisfiability 1 1 0
Sato-Tate Distribution 141
Search Problem 35
Secret Sharing 4
Self-Reducibility
- random 1 16
Semi-Reduced Divisor 1 68
Series 5 1
Signature 4 , 7 , 12, 1 00
Silver-Pohlig-Hellman Algorithm 1 33,
138
Singular Point ! 56
Smart Card 14
Smooth
- curve 1 17
- integer 1 33
Sparse Polynomial 46, 1 1 3, 1 1 6, 1 87
Special Point ! 57
Spider 1 1 6
- circling prey 1 1 6
Splitting Field 55
Square and Multiply 29
Square Roots in IF q 98, 128

206

Subject Index

Standards 16, 1 34
Stirling's Formula 23, 30
Strong Fermat Primality Test 45
Subexponential Time 3 1
Subset
- Perfect Code 107
- Sum 1 03
Supersingular 1 1 8, 1 25, 1 27 , 1 3 1 , ! 5 3
Support o f a Divisor 1 6 8
Taniyama Conjecture 1 40
Term 7 1
- leading 72
- order 70, 7 1
Three-Coloring 1 06
- problem 34, 35
Time
- exponential 3 1
- polynomial 30, 3 1 , 37
- subexponential 3 1
Torsion Subgroup 1 24, 1 37
Torus 1 22
Total Degree 65
Tour 35
Toy Example 82
Trace 62, 1 83
Transcendental Element 68
Trapdoor 104
- function 3, 1 2
- problem 45, 1 04
Traveling Salesrep Problem 34, 38
Twists 1 5 1

Uniformizing Parameter 1 63
Unique
- factorization 54
- p 49
Unreasonable Effectiveness 1 5
U P 49
Value of Rational Function
- at oo 1 6 1
- at P E C 1 60
Vector Space 53
Vigenere Cipher l
Weak Exponent 90
Weierstrass
- g::>- function 1 22
Wei!
- pairing 1 3 1
- theorem 1 46
Word Problem 105
XOR

Zariski -Open Set 1 1 4

Zero
- knowledge 4
- of rational function 1 6 1
- set o f ideal 68, 69, 1 07
Zeta-Function
- of elliptic curve 1 26
- of hyperelliptic curve 1 46
ZPP 48

Printing (computer to plate): Mercedes-Druck, Berlin

Binding: Buchbinderei Liideritz

&

Bauer, Berlin

ll