# Chapter 4: Algebra

## Setup

In [None]:
:dep mathlib = { git = "https://github.com/Tranduy1dol/mathlib" }
:dep curvelib = { git = "https://github.com/Tranduy1dol/curvelib" }
:dep sha2 = "0.10"

## Summary

---
This chapter introduced:

- **Commutative groups**
  - Finite groups and their attributes: order, generators, etc.
  - Cyclic groups and cyclic group exponentiation
  - Factor groups
  - Pairings
  - Cryptographic groups: the discrete logarithm problem (DLP), the computational Diffie-Hellman problem (CDHP) and the decisional Diffie-Hellman (DDH) assumption
- **Commutative rings**
  - Hashing into modular arithmetic
- **Fields**
  - Prime fields and prime extension fields
- **Projective planes**

### Cyclic Group Exponentiation Implementation

In [None]:
/// Cyclic group exponentiation (square-and-multiply): computes g^x mod n.
/// Intermediate products are taken in u128 so that n may be any non-zero u64
/// without the multiplication overflowing.
/// Note: the branch on each exponent bit makes the running time depend on x;
/// fine for exercises, but a cryptographic implementation needs a constant-time ladder.
pub fn cge(g: u64, mut x: u64, n: u64) -> u64 {
    assert!(n > 0, "modulus must be non-zero");
    let n_wide = n as u128;
    let mut result: u128 = 1 % n_wide; // 1 mod n, so that n == 1 yields 0
    let mut base: u128 = (g as u128) % n_wide;
    while x > 0 {
        if x & 1 == 1 {
            // multiply in the current power-of-two power of the base
            result = (result * base) % n_wide;
        }
        base = (base * base) % n_wide;
        x >>= 1;
    }
    result as u64
}

// Test
assert_eq!(cge(3, 5, 13), 9);
assert_eq!(cge(5, 3, 23), 10);
println!("3^5 mod 13 = {}", cge(3, 5, 13));

---

### Exercise 33

> Consider example 16 again, and let $\mathbb{Z}^*_5$ be the set of all remainder classes from $\mathbb{Z}_5$ without the class 0. Then $\mathbb{Z}^*_5 = \{1, 2, 3, 4\}$. **Show that $(\mathbb{Z}^*_5, \cdot)$ is a commutative group**.

Checking the axioms of a commutative group on $\mathbb{Z}^*_5$:

- **Closure**: since $5$ is prime, a product of two non-zero remainder classes is never $0$ modulo $5$, so $g_1 \cdot g_2 \in \mathbb{Z}_5^*$ for all $g_1, g_2 \in \mathbb{Z}_5^*$.
- **Commutativity**: for all $g_1, g_2 \in \mathbb{Z}_5^*$ we have $g_1 \cdot g_2 = g_2 \cdot g_1$, inherited from integer multiplication.
- **Associativity**: for all $g_1, g_2, g_3 \in \mathbb{Z}_5^*$ we have $g_1 \cdot (g_2 \cdot g_3) = (g_1 \cdot g_2) \cdot g_3$, again inherited from the integers.
- **Existence of a neutral element**: $1$ is the neutral element, since $1 \cdot g = g$ for every $g$.
- **Existence of an inverse**: every element has an inverse: $1 \cdot 1 = 1$, $2 \cdot 3 = 6 = 1$, $3 \cdot 2 = 1$ and $4 \cdot 4 = 16 = 1$, so $1^{-1} = 1$, $2^{-1} = 3$, $3^{-1} = 2$ and $4^{-1} = 4$.

Hence $(\mathbb{Z}_5^*, \cdot)$ is a commutative group.

---

### Exercise 34

> Generalizing the previous exercise, consider the general modulus $n$, and let $\mathbb{Z}^*_n$ be the set of all remainder classes from $\mathbb{Z}_n$ without the class 0. Then $\mathbb{Z}^*_n = \{1, 2, \ldots, n - 1\}$. **Provide a counter-example to show that $(\mathbb{Z}^*_n, \cdot)$ is not a group in general**. Find a condition such that $(\mathbb{Z}^*_n, \cdot)$ is a commutative group, compute the neutral element, give a closed form for the inverse of any element and prove the commutative group axioms.

**Counter-example**: take $n = 6$. Then $2, 3 \in \mathbb{Z}^*_6$ but $2 \cdot 3 = 6 = 0 \notin \mathbb{Z}^*_6$, so the set is not even closed under multiplication; moreover $2$ has no inverse, since $2 \cdot x \in \{0, 2, 4\}$ for every $x$. In general, whenever $n$ is composite, $n = a \cdot b$ with $1 < a, b < n$, the classes $a$ and $b$ are zero divisors and $(\mathbb{Z}^*_n, \cdot)$ is not a group.

**Condition**: $n$ must be prime. Then every $x \in \mathbb{Z}^*_n$ is coprime to $n$, the neutral element is $1$, and Fermat's little theorem $x^{n-1} = 1$ gives the closed form $x^{-1} = x^{n-2}$ for the inverse. The axioms: closure holds because a prime cannot divide a product of two numbers it does not divide; commutativity and associativity are inherited from integer multiplication; $1 \cdot x = x$ for all $x$; and $x \cdot x^{n-2} = x^{n-1} = 1$.

---

### Exercise 35

> Let $n \in \mathbb{N}$ with $n \ge 2$ be some modulus. **What is the order of the remainder class group $(\mathbb{Z}_n, +)$?**

The remainder classes are $0, 1, \ldots, n-1$, that is $n$ distinct elements, so the order of $(\mathbb{Z}_n, +)$ is $n$.

---

### Exercise 36

> Consider the group $(\mathbb{Z}_6, +)$ of modular 6 addition from example 11. **Show that $5 \in \mathbb{Z}_6$ is a generator, and then show that $2 \in \mathbb{Z}_6$ is not a generator**.

The group is additive, so the "powers" of $5$ are its multiples: $1 \cdot 5 = 5$, $2 \cdot 5 = 5 + 5 = 4$, $3 \cdot 5 = 3$, $4 \cdot 5 = 2$, $5 \cdot 5 = 1$ and $6 \cdot 5 = 0$. Repeated addition of $5$ produces every element of $\mathbb{Z}_6$, so $5$ is a generator.
For $2$ we get $2$, $2 + 2 = 4$, $2 + 2 + 2 = 0$, after which the cycle repeats. Repeated addition of $2$ only reaches $\{0, 2, 4\}$, so $2$ is not a generator.

---

### Exercise 37

> Let $p \in P$ be a prime number and $(\mathbb{Z}^*_p, \cdot)$ the finite group from exercise 34. **Show that $(\mathbb{Z}^*_p, \cdot)$ is cyclic**.

> [!NOTE]
> TODO: Implement solution

---

### Exercise 38

> Let $(G, +)$ be a finite cyclic group of order $n$. **Consider algorithm 5 and define its analog for groups in additive notation**.

In additive notation, algorithm 5 (square-and-multiply) becomes double-and-add: squaring the base turns into doubling it, and multiplying into the result turns into adding. The following computes the scalar multiple $x \cdot g$ in $(\mathbb{Z}_n, +)$.

In [None]:
/// Efficient scalar multiplication by the double-and-add method: computes x · g in (Z_n, +).
/// This is algorithm 5 with "square" replaced by "double" and "multiply" replaced by "add".
/// Intermediate sums are taken in u128 so that n may be any non-zero u64.
pub fn esm(g: u64, mut x: u64, n: u64) -> u64 {
    assert!(n > 0, "modulus must be non-zero");
    let n_wide = n as u128;
    let mut result: u128 = 0;
    let mut base: u128 = (g as u128) % n_wide;
    while x > 0 {
        if x & 1 == 1 {
            // add in the current multiple 2^i · g
            result = (result + base) % n_wide;
        }
        base = (base * 2) % n_wide;
        x >>= 1;
    }
    result as u64
}

assert_eq!(esm(3, 10, 13), 4);
assert_eq!(esm(7, 10, 23), 1);
println!("3 * 10 mod 13 = {}", esm(3, 10, 13));

---

### Exercise 39

> Consider the previous example 40, and **show that $\mathbb{Z}^*_5$ is a commutative group**.

Here $\mathbb{Z}_5^{*}[2] = \{1, 4\}$ is the subset of elements whose order divides $2$. Checking the axioms of a commutative group on it:

- Closure: $1 \cdot 1 = 1$, $1 \cdot 4 = 4 \cdot 1 = 4$ and $4 \cdot 4 = 16 = 1$, so every product stays in $\{1, 4\}$.
- Commutativity: inherited from $\mathbb{Z}_5^*$.
- Associativity: inherited from $\mathbb{Z}_5^*$.
- Existence of a neutral element: $1$ is the neutral element of $\mathbb{Z}_5^*[2]$.
- Existence of an inverse: since $4 \cdot 4 = 1$ and $1 \cdot 1 = 1$, every element of $\mathbb{Z}_5^{*}[2]$ is its own inverse.

Hence $\mathbb{Z}_5^*[2]$ is a commutative group (a subgroup of $\mathbb{Z}_5^*$).

---

### Exercise 40

> Consider the finite cyclic group $(\mathbb{Z}_6, +)$ of modular 6 addition from example 36. **Describe all subgroups of $(\mathbb{Z}_6, +)$**. Identify the large prime order subgroup of $\mathbb{Z}_6$, define its cofactor clearing map and apply that map to all elements of $\mathbb{Z}_6$.

The subgroups of a cyclic group of order $6$ correspond to the divisors of $6$, namely $1, 2, 3, 6$. Writing $\mathbb{Z}_6[k]$ for the subgroup of elements $x$ with $k \cdot x = 0$:

- $\mathbb{Z}_6[1]=\{0\}$
- $\mathbb{Z}_6[2]=\{0, 3\}$, since $3 + 3 = 0$
- $\mathbb{Z}_6[3]=\{0, 2, 4\}$, since $2 + 2 + 2 = 0$ and $4 + 4 + 4 = 0$
- $\mathbb{Z}_6[6]=\{0, 1, 2, 3, 4, 5\} = \mathbb{Z}_6$

The large prime-order subgroup is $\mathbb{Z}_6[3]$, of order $3$, with cofactor $6 / 3 = 2$. The cofactor clearing map is multiplication by the cofactor, $[2]: \mathbb{Z}_6 \rightarrow \mathbb{Z}_6[3], x \mapsto 2 \cdot x = x + x$. Applied to all elements:

- $0+0=0$
- $1+1=2$
- $2+2=4$
- $3+3=0$
- $4+4=2$
- $5+5=4$

Every image lies in $\{0, 2, 4\} = \mathbb{Z}_6[3]$, as required.

---

### Exercise 41

> Let $(\mathbb{Z}^*_p, \cdot)$ be the cyclic group from exercise 37. **Show that, for $p \ge 5$, not every element $x \in F^*_p$ is a generator of $F^*_p$**.

> [!NOTE]
> TODO: Implement solution
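Exercises 37 and 41 are left open above. As an added check that is not part of the original notebook (plain `std` Rust, no crates), the following computes the order of every element of $\mathbb{Z}^*_p$ for a few small primes, lists the generators, and confirms two things by machine: at least one generator exists, so $\mathbb{Z}^*_p$ is cyclic (exercise 37), and for $p \geq 5$ fewer than $p - 1$ elements are generators (exercise 41). The hand argument for exercise 41 is that $p - 1 \equiv -1$ has order $2$, which is smaller than the group order $p - 1$ as soon as $p \geq 5$. The number of generators equals $\varphi(p-1)$, as it must for a cyclic group of order $p - 1$.

```rust
// Added example (not part of the original notebook): orders and generators of Z_p^*,
// to check by computation what exercises 37 and 41 ask for by hand.

/// Multiplies a and b modulo p without overflowing u64.
fn mul_mod(a: u64, b: u64, p: u64) -> u64 {
    ((a as u128 * b as u128) % p as u128) as u64
}

/// Order of g in (Z_p^*, ·): the smallest k >= 1 with g^k = 1.
/// Assumes p is prime and g is a unit, so the loop terminates by Fermat's little theorem.
fn element_order(g: u64, p: u64) -> u64 {
    assert!(p >= 2 && g % p != 0, "g must be a unit modulo a prime p");
    let g = g % p;
    let mut x = g;
    let mut k = 1;
    while x != 1 {
        x = mul_mod(x, g, p);
        k += 1;
    }
    k
}

/// All generators of Z_p^*: the elements whose order is the full group order p - 1.
fn generators(p: u64) -> Vec<u64> {
    (1..p).filter(|&g| element_order(g, p) == p - 1).collect()
}

/// Euler's totient by trial division. A cyclic group of order m has exactly phi(m)
/// generators, so phi(p - 1) must equal generators(p).len().
fn euler_phi(mut m: u64) -> u64 {
    let mut result = m;
    let mut d = 2;
    while d * d <= m {
        if m % d == 0 {
            while m % d == 0 {
                m /= d;
            }
            result -= result / d;
        }
        d += 1;
    }
    if m > 1 {
        result -= result / m;
    }
    result
}

/// Exercise 37 by computation: Z_p^* is cyclic iff it has at least one generator.
fn is_cyclic(p: u64) -> bool {
    !generators(p).is_empty()
}

/// Exercise 41 by computation: for p >= 5 some unit is not a generator
/// (p - 1 = -1 has order 2 while the group has order p - 1 > 2).
fn has_non_generator(p: u64) -> bool {
    (generators(p).len() as u64) < p - 1
}

fn main() {
    for p in [5u64, 7, 11, 13, 17] {
        let gens = generators(p);
        println!(
            "p = {}: generators {:?}, count {} = phi({}) = {}, order of -1 = {}",
            p, gens, gens.len(), p - 1, euler_phi(p - 1), element_order(p - 1, p)
        );
    }
}
```

For $p = 13$ the generators are exactly the four elements $2, 6, 7, 11$ used in exercise 44, and $\varphi(12) = 4$.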

---

### Exercise 42

> Let $G_1, G_2$ and $G_3$ be finite cyclic groups of the same order $n$, and let $e(\cdot, \cdot) : G_1 \times G_2 \to G_3$ be a pairing map. **Show that, for given $g_1 \in G_1, g_2 \in G_2$ and all $a, b \in \mathbb{Z}_n$, the following identity holds: $e(g_1^a, g_2^b) = e(g_1, g_2)^{a \cdot b}$**.

Bilinearity of $e$ means $e(g_1 \cdot g_1', g_2) = e(g_1, g_2) \cdot e(g_1', g_2)$ and $e(g_1, g_2 \cdot g_2') = e(g_1, g_2) \cdot e(g_1, g_2')$ for all $g_1, g_1' \in G_1$ and $g_2, g_2' \in G_2$. <br>
Applying the first rule with $g_1' = g_1$ repeatedly (formally, by induction on $a$): $e(g_1^a, g_2) = e(g_1 \cdots g_1, g_2) = e(g_1, g_2) \cdots e(g_1, g_2) = e(g_1, g_2)^a$. <br>
In the same way the second rule gives $e(h, g_2^b) = e(h, g_2)^b$ for any $h \in G_1$. Taking $h = g_1^a$ and combining both: <br>
$e(g_1^a, g_2^b) = e(g_1^a, g_2)^b = \left(e(g_1, g_2)^a\right)^b = e(g_1, g_2)^{a \cdot b}$.

---

### Exercise 43

> Consider the remainder class groups $(\mathbb{Z}_n, +)$ from example 34 for some modulus $n$. **Show that the following map is a pairing map: $e(\cdot, \cdot) : \mathbb{Z}_n \times \mathbb{Z}_n \to \mathbb{Z}_n, (a, b) \mapsto a \cdot b$**. Why is the pairing not non-degenerate in general, and what condition must be imposed on $n$ such that the pairing will be non-degenerate?

> [!NOTE]
> TODO: Implement solution

---

### Exercise 44

> Consider the multiplicative group $\mathbb{Z}^*_{13}$ of modular 13 arithmetic from example 34. **Choose a set of 3 generators of $\mathbb{Z}^*_{13}$, define its associated Pedersen Hash Function, and compute the Pedersen Hash of $(3, 7, 11) \in \mathbb{Z}_{12}$**.

The generators of $\mathbb{Z}^*_{13}$ are $\lbrace 2, 6, 7, 11 \rbrace$ (the elements of order $12$); I choose the set $\lbrace 2, 7, 11 \rbrace$. The associated Pedersen hash maps three exponents from $\mathbb{Z}_{12}$ (the group order) into the group: <br>
$H_{\lbrace2,7,11\rbrace}:\mathbb{Z}_{12}\times \mathbb{Z}_{12} \times \mathbb{Z}_{12} \rightarrow \mathbb{Z}^{*}_{13}; (x_1,x_2,x_3)\mapsto 2^{x_1}\cdot7^{x_2}\cdot11^{x_3}$ <br>
For $(3,7,11)\in \mathbb{Z}_{12}^3$ we get $2^3 = 8$, $7^7 = 6$ and $11^{11} = 6$ in $\mathbb{Z}^*_{13}$, hence $H(3,7,11) = 8 \cdot 6 \cdot 6 = 288 = 2$.
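As an added example, not code from the original notebook or from the MoonMath text, the following Rust implements the Pedersen hash above over $\mathbb{Z}^*_{13}$ and then shows the property its security rests on: the hash is collision resistant only as long as nobody knows the discrete logarithms of the generators relative to one another. In a 12-element group those logarithms are found by trying every exponent ($7 = 2^{11}$ and $11 = 2^{7}$), so the whole hash collapses to a single power of $2$ and a second preimage for any input can be written down directly. This is why real instantiations derive the generators by hashing into the group (exercise 45) instead of choosing them by hand. The group size and generators are the ones from this exercise.

```rust
// Added example (not part of the original notebook): Pedersen hash over Z_13^* and a
// second-preimage attack that works because the generators' discrete logs are known.

const P: u64 = 13;        // the multiplicative group Z_13^*
const ORDER: u64 = P - 1; // its order, 12; exponents live in Z_12

/// g^e mod m by square-and-multiply (u128 intermediates, so any u64 modulus is safe).
fn pow_mod(g: u64, mut e: u64, m: u64) -> u64 {
    let m = m as u128;
    let (mut result, mut base) = (1u128 % m, (g as u128) % m);
    while e > 0 {
        if e & 1 == 1 {
            result = result * base % m;
        }
        base = base * base % m;
        e >>= 1;
    }
    result as u64
}

/// Pedersen hash H_{gens}(x_1, ..., x_k) = prod_i gens[i]^{x_i} in Z_13^*.
fn pedersen(gens: &[u64], xs: &[u64]) -> u64 {
    assert_eq!(gens.len(), xs.len(), "one exponent per generator");
    gens.iter()
        .zip(xs)
        .fold(1, |acc, (&g, &x)| acc * pow_mod(g, x % ORDER, P) % P)
}

/// Brute-force discrete logarithm: the k in Z_12 with base^k = target, if any.
/// Feasible only because the group is tiny; in a real group this step must be infeasible.
fn dlog(base: u64, target: u64) -> Option<u64> {
    (0..ORDER).find(|&k| pow_mod(base, k, P) == target)
}

/// Knowing log_{gens[0]}(gens[i]) for every i, rewrite H(xs) as a single power of gens[0]:
/// H(xs) = gens[0]^{sum_i x_i * log(gens[i])}. The exponent vector (total, 0, ..., 0) is then
/// a second preimage of xs.
fn forge_second_preimage(gens: &[u64], xs: &[u64]) -> Vec<u64> {
    let total = gens
        .iter()
        .zip(xs)
        .map(|(&g, &x)| (x % ORDER) * dlog(gens[0], g).expect("gens[0] must generate the group") % ORDER)
        .fold(0, |acc, t| (acc + t) % ORDER);
    let mut forged = vec![0u64; xs.len()];
    forged[0] = total;
    forged
}

fn main() {
    let gens = [2u64, 7, 11];
    let input = [3u64, 7, 11];
    println!("H(3, 7, 11) = {}", pedersen(&gens, &input));
    println!("log_2(7) = {:?}, log_2(11) = {:?}", dlog(2, 7), dlog(2, 11));
    let forged = forge_second_preimage(&gens, &input);
    println!("second preimage {:?} hashes to {}", forged, pedersen(&gens, &forged));
}
```

Here $3 \cdot 1 + 7 \cdot 11 + 11 \cdot 7 = 157 \equiv 1 \pmod{12}$, so $(1, 0, 0)$ hashes to $2^1 = 2 = H(3, 7, 11)$: a collision found without any search over inputs.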

---

### Exercise 45

> Consider the Pedersen Hash from exercise 44. **Compose it with the $\texttt{SHA256}$ hash function from example 47 to define a hash-to-group function**. Implement that function in Sage.

Composing $\texttt{SHA256}$ with the Pedersen hash from the previous exercise gives the hash-to-group function <br>
$\texttt{SHA256}\_H_{\lbrace2,7,11\rbrace}:\lbrace0,1\rbrace^{*} \rightarrow \mathbb{Z}^{*}_{13}; 
s \mapsto 2^{\texttt{SHA256}(s)_0}\cdot7^{\texttt{SHA256}(s)_1}\cdot11^{\texttt{SHA256}(s)_2}$ <br>
where $\texttt{SHA256}(s)_0, \texttt{SHA256}(s)_1, \texttt{SHA256}(s)_2 \in \mathbb{Z}_{12}$ are three separate pieces of the digest, each read as an integer and mapped into the exponent group $\mathbb{Z}_{12}$. The helper below performs that last step for a general modulus: it hashes a byte string into $\mathbb{Z}_n$ by try-and-increment (hash $s$ together with a counter, keep the low $k$ bits, and retry with the next counter value until the result is below $n$).

In [None]:
use sha2::{Digest, Sha256};

/// Hashes a byte slice into Z_n (the integers modulo n) with SHA-256 and
/// try-and-increment: the message is concatenated with a counter, hashed, the
/// lowest k bits of the digest are read as an integer, and the counter is bumped
/// until that integer falls below n. When 2^k >= n the result is uniform on Z_n
/// (rejection sampling from a uniform k-bit value); with 2^k < n only part of Z_n
/// is reachable, so choose k with 2^k >= n.
pub fn hash_to_zn(n: u128, k: usize, s: &[u8]) -> u128 {
    assert!(n > 0, "modulus must be non-zero");
    let k = std::cmp::min(k, 128);
    // mask selecting the low k bits; 1 << 128 would overflow, so treat k = 128 separately
    let mask: u128 = if k == 128 { u128::MAX } else { (1u128 << k) - 1 };
    let mut c: u128 = 0;
    loop {
        // s' = s || counter (little-endian)
        let mut s_prime = Vec::from(s);
        s_prime.extend_from_slice(&c.to_le_bytes());

        let hash = Sha256::digest(&s_prime);

        // little-endian integer from the first ceil(k / 8) digest bytes
        let mut z = 0u128;
        for (i, byte) in hash.iter().enumerate().take((k + 7) / 8) {
            z |= (*byte as u128) << (i * 8);
        }
        z &= mask;

        if z < n {
            return z;
        }
        c += 1;
    }
}

let n = 1000;
let k = 16;
let seed = b"example_seed";
println!("Hash to Zn: {}", hash_to_zn(n, k, seed));

---

### Exercise 46

> Consider the multiplicative group $\mathbb{Z}^*_{13}$ of modular 13 arithmetic from example 34 and the parameter $k = 3$. **Choose a generator of $\mathbb{Z}^*_{13}$, a seed and instantiate a member of the family given in (4.27) for that seed**. Evaluate that member on the binary string < 1, 0, 1 >.

Choose the generator $g = 2$ and the seed $(a_0, a_1, a_2, a_3) = (1, 2, 3, 4) \in \mathbb{Z}_{12}^4$ (one $a_0$ plus one $a_i$ per input bit, $k = 3$). Evaluating that member of the family on the bit string $\langle 1, 0, 1 \rangle$:
$F_{(1,2,3,4)}(1,0,1)=2^{1\cdot2^{1}\cdot3^{0}\cdot4^{1}}=2^8=256=9$ in $\mathbb{Z}^*_{13}$.

---

### Exercise 47

> Consider the ring of modular 5 arithmetics $(\mathbb{Z}_5, +, \cdot)$ from example 16. **Show that $(\mathbb{Z}_5, +, \cdot)$ is a field**. What is the characteristic of $\mathbb{Z}_5$? Prove that the equation $a \cdot x = b$ has only a single solution $x \in \mathbb{Z}_5$ for any given $a, b \in \mathbb{Z}^*_5$.

From the previous exercises, $(\mathbb{Z}_5, +)$ and $(\mathbb{Z}_5^{*}, \cdot)$ are commutative groups (exercise 33 for the latter), and distributivity $a \cdot (b + c) = a \cdot b + a \cdot c$ is inherited from the integers. Hence $(\mathbb{Z}_5, +, \cdot)$ is a field.
The characteristic of $(\mathbb{Z}_5, +, \cdot)$ is $5$: adding $1$ to itself five times gives $1+1+1+1+1 = 5 = 0$, and no smaller number of summands does, since $1, 2, 3, 4 \neq 0$ in $\mathbb{Z}_5$.
For $a, b \in \mathbb{Z}^*_5$ the inverse $a^{-1}$ exists and is unique, so $x = b \cdot a^{-1}$ solves $a \cdot x = b$; and if $a \cdot x = a \cdot x' = b$, multiplying both sides by $a^{-1}$ gives $x = x'$, so the solution is unique.

---

### Exercise 48

> Consider the ring of modular 6 arithmetics $(\mathbb{Z}_6, +, \cdot)$ from example 11. **Show that $(\mathbb{Z}_6, +, \cdot)$ is not a field**.

Not every non-zero element of $\mathbb{Z}_6$ has a multiplicative inverse: $2 \cdot x \in \{0, 2, 4\}$ for every $x$, so $2$ has no inverse (and likewise $3$ and $4$), and $2 \cdot 3 = 0$ shows that $\mathbb{Z}_6$ has zero divisors. Hence $(\mathbb{Z}_6^{*}, \cdot)$ is not a group and $(\mathbb{Z}_6,+,\cdot)$ is not a field.

---

### Exercise 49

> **Construct the addition and multiplication table of the prime field $\mathbb{F}_3$**.

```
+  0 1 2
 +------
0| 0 1 2
1| 1 2 0
2| 2 0 1

*  0 1 2
 +------
0| 0 0 0
1| 0 1 2
2| 0 2 1
```

---

### Exercise 50

> **Construct the addition and multiplication table of the prime field $\mathbb{F}_{13}$**.

```
 +   0  1  2  3  4  5  6  7  8  9 10 11 12
  +---------------------------------------
 0|  0  1  2  3  4  5  6  7  8  9 10 11 12
 1|  1  2  3  4  5  6  7  8  9 10 11 12  0
 2|  2  3  4  5  6  7  8  9 10 11 12  0  1
 3|  3  4  5  6  7  8  9 10 11 12  0  1  2
 4|  4  5  6  7  8  9 10 11 12  0  1  2  3
 5|  5  6  7  8  9 10 11 12  0  1  2  3  4
 6|  6  7  8  9 10 11 12  0  1  2  3  4  5
 7|  7  8  9 10 11 12  0  1  2  3  4  5  6
 8|  8  9 10 11 12  0  1  2  3  4  5  6  7
 9|  9 10 11 12  0  1  2  3  4  5  6  7  8
10| 10 11 12  0  1  2  3  4  5  6  7  8  9
11| 11 12  0  1  2  3  4  5  6  7  8  9 10
12| 12  0  1  2  3  4  5  6  7  8  9 10 11

 *   0  1  2  3  4  5  6  7  8  9 10 11 12
  +---------------------------------------
 0|  0  0  0  0  0  0  0  0  0  0  0  0  0
 1|  0  1  2  3  4  5  6  7  8  9 10 11 12
 2|  0  2  4  6  8 10 12  1  3  5  7  9 11
 3|  0  3  6  9 12  2  5  8 11  1  4  7 10
 4|  0  4  8 12  3  7 11  2  6 10  1  5  9
 5|  0  5 10  2  7 12  4  9  1  6 11  3  8
 6|  0  6 12  5 11  4 10  3  9  2  8  1  7
 7|  0  7  1  8  2  9  3 10  4 11  5 12  6
 8|  0  8  3 11  6  1  9  4 12  7  2 10  5
 9|  0  9  5  1 10  6  2 11  7  3 12  8  4
10|  0 10  7  4  1 11  8  5  2 12  9  6  3
11|  0 11  9  7  5  3  1 12 10  8  6  4  2
12|  0 12 11 10  9  8  7  6  5  4  3  2  1
```

---

### Exercise 51

> Consider the prime field $\mathbb{F}_{13}$ from exercise 50. **Find the set of all pairs $(x, y) \in \mathbb{F}_{13} \times \mathbb{F}_{13}$ that satisfy the following equation: $x^2 + y^2 = 1 + 7 \cdot x^2 \cdot y^2$**.

```
[(0, 1), (0, 12), (1, 0), (2, 4), (2, 9), (4, 2), (4, 11), (5, 6), (5, 7), (6, 5), (6, 8), (7, 5), (7, 8), (8, 6), (8, 7), (9, 2), (9, 11), (11, 4), (11, 9), (12, 0)]
```

---

### Exercise 52

> Consider the prime field $\mathbb{F}_{13}$ from exercise 50. **Compute the Legendre symbol $(\frac{y}{p})$ and the set of roots $\sqrt{y}$ for all elements $y \in \mathbb{F}_{13}$**.

By Euler's criterion, $\left(\frac{y}{13}\right) = y^{(13-1)/2} = y^6$ in $\mathbb{F}_{13}$: it is $0$ for $y = 0$, $1$ when $y$ is a non-zero square (two roots $\pm\sqrt{y}$) and $-1$ when $y$ is a non-square (no roots):

- $\left(\frac{0}{13}\right)=0^6=0$, $\sqrt{0}=\lbrace0\rbrace$
- $\left(\frac{1}{13}\right)=1^6=1$, $\sqrt{1}=\lbrace1,12\rbrace$
- $\left(\frac{2}{13}\right)=2^6=-1$, no roots
- $\left(\frac{3}{13}\right)=3^6=1$, $\sqrt{3}=\lbrace4,9\rbrace$
- $\left(\frac{4}{13}\right)=4^6=1$, $\sqrt{4}=\lbrace2,11\rbrace$
- $\left(\frac{5}{13}\right)=5^6=-1$, no roots
- $\left(\frac{6}{13}\right)=6^6=-1$, no roots
- $\left(\frac{7}{13}\right)=7^6=-1$, no roots
- $\left(\frac{8}{13}\right)=8^6=-1$, no roots
- $\left(\frac{9}{13}\right)=9^6=1$, $\sqrt{9}=\lbrace3,10\rbrace$
- $\left(\frac{10}{13}\right)=10^6=1$, $\sqrt{10}=\lbrace6,7\rbrace$
- $\left(\frac{11}{13}\right)=11^6=-1$, no roots
- $\left(\frac{12}{13}\right)=12^6=1$, $\sqrt{12}=\lbrace5,8\rbrace$
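Exercises 51 and 52 above are answered by listing results. As an added example that is not part of the original notebook, the Rust below computes them: it evaluates the Legendre symbol by Euler's criterion, takes square roots with the Tonelli–Shanks algorithm (the $p \equiv 3 \pmod 4$ shortcut $\sqrt{a} = a^{(p+1)/4}$ does not apply to $13 \equiv 1 \pmod 4$), and then enumerates the points of $x^2 + y^2 = 1 + 7 x^2 y^2$ over $\mathbb{F}_{13}$ by solving $y^2 = (1 - x^2)/(1 - 7x^2)$ for each $x$, which is the same root extraction used when decompressing a curve point from its $x$-coordinate. The functions are generic in $p$ and $d$; the values used are those of the two exercises.

```rust
// Added example (not part of the original notebook): Legendre symbols, Tonelli–Shanks
// square roots and point enumeration for x^2 + y^2 = 1 + d·x^2·y^2 over F_p.

fn mul(a: u64, b: u64, p: u64) -> u64 {
    ((a as u128 * b as u128) % p as u128) as u64
}

fn pow_mod(mut b: u64, mut e: u64, p: u64) -> u64 {
    let mut r = 1 % p;
    b %= p;
    while e > 0 {
        if e & 1 == 1 {
            r = mul(r, b, p);
        }
        b = mul(b, b, p);
        e >>= 1;
    }
    r
}

/// Legendre symbol (a/p) by Euler's criterion a^((p-1)/2): 0, 1 (square) or -1 (non-square).
fn legendre(a: u64, p: u64) -> i8 {
    if a % p == 0 {
        return 0;
    }
    if pow_mod(a, (p - 1) / 2, p) == 1 { 1 } else { -1 }
}

/// Tonelli–Shanks square root modulo an odd prime p: both roots (smaller first),
/// or None when a is a non-square. Works for any odd p, including p ≡ 1 (mod 4).
fn sqrt_mod(a: u64, p: u64) -> Option<(u64, u64)> {
    let a = a % p;
    if a == 0 {
        return Some((0, 0));
    }
    if legendre(a, p) != 1 {
        return None;
    }
    // write p - 1 = q · 2^s with q odd
    let (mut q, mut s) = (p - 1, 0u32);
    while q % 2 == 0 {
        q /= 2;
        s += 1;
    }
    // any quadratic non-residue z seeds the algorithm
    let mut z = 2;
    while legendre(z, p) != -1 {
        z += 1;
    }
    let mut m = s;
    let mut c = pow_mod(z, q, p);
    let mut t = pow_mod(a, q, p);
    let mut r = pow_mod(a, (q + 1) / 2, p);
    while t != 1 {
        // least i with t^(2^i) = 1; the algorithm guarantees 0 < i < m
        let (mut i, mut tt) = (0u32, t);
        while tt != 1 {
            tt = mul(tt, tt, p);
            i += 1;
        }
        let b = pow_mod(c, 1u64 << (m - i - 1), p);
        m = i;
        c = mul(b, b, p);
        t = mul(t, c, p);
        r = mul(r, b, p);
    }
    Some((r.min(p - r), r.max(p - r)))
}

/// Exercise 52: (y/p) and the roots of y for every y in F_p.
fn legendre_table(p: u64) -> Vec<(u64, i8, Option<(u64, u64)>)> {
    (0..p).map(|y| (y, legendre(y, p), sqrt_mod(y, p))).collect()
}

/// Exercise 51: all (x, y) with x^2 + y^2 = 1 + d·x^2·y^2, via y^2 = (1 - x^2)/(1 - d·x^2).
/// For a non-square d the denominator never vanishes (the curve is complete); the
/// degenerate branch is kept so the function stays correct for other d.
fn edwards_points(d: u64, p: u64) -> Vec<(u64, u64)> {
    let mut pts = Vec::new();
    for x in 0..p {
        let x2 = mul(x, x, p);
        let num = (1 + p - x2) % p;
        let den = (1 + p - mul(d, x2, p)) % p;
        if den == 0 {
            // equation collapses to 0 = num: every y is a solution or none is
            if num == 0 {
                pts.extend((0..p).map(|y| (x, y)));
            }
            continue;
        }
        let rhs = mul(num, pow_mod(den, p - 2, p), p); // Fermat inverse of den
        match sqrt_mod(rhs, p) {
            Some((y0, y1)) if y0 == y1 => pts.push((x, y0)),
            Some((y0, y1)) => {
                pts.push((x, y0));
                pts.push((x, y1));
            }
            None => {}
        }
    }
    pts
}

fn main() {
    for (y, chi, roots) in legendre_table(13) {
        println!("(y/13) for y = {:>2}: {:>2}, roots {:?}", y, chi, roots);
    }
    let pts = edwards_points(7, 13);
    println!("{} points: {:?}", pts.len(), pts);
}
```

For $d = 7$ and $p = 13$, $7$ is a non-square ($7^6 = -1$), so $1 - 7x^2$ is never $0$ and every $x$ gives either $0$, $1$ or $2$ points; the $20$ points found match the list in exercise 51.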

---

### Exercise 53

> Consider the extension field $\mathbb{F}_{3^2}$ from the previous example and **find all pairs of elements $(x, y) \in \mathbb{F}_{3^2}$, for which the following equation holds: $y^2 = x^3 + 4$**.

```
[(0, 2), (0, 1), (x + 2, 2*x + 2), (x + 2, x + 1), (2*x + 2, x + 2), (2*x + 2, 2*x + 1), (2, 0), (1, x), (1, 2*x)]
```

---

### Exercise 54

> **Show that the polynomial $Q = x^2 + x + 2$ from $\mathbb{F}_3[x]$ is irreducible**. Construct the multiplication table of $\mathbb{F}_{3^2}$ with respect to $Q$ and compare it to the multiplication table of $\mathbb{F}_{3^2}$ from example 68.

A polynomial of degree $2$ over a field is reducible only if it splits into two linear factors, i.e. only if it has a root. Evaluating $Q$ at every element of $\mathbb{F}_3$: <br>
$Q(0)=0^2+0+2=2$ <br>
$Q(1)=1^2+1+2=4=1$ <br>
$Q(2)=2^2+2+2=8=2$ <br>
$Q$ has no root in $\mathbb{F}_3$, so $Q(x)=x^2+x+2$ is irreducible.

---

### Exercise 55

> **Show that the polynomial $P = t^3 + t + 1$ from $\mathbb{F}_5[t]$ is irreducible**. Then consider the extension field $\mathbb{F}_{5^3}$ defined relative to $P$. Compute the multiplicative inverse of $(2t^2 + 4) \in \mathbb{F}_{5^3}$ using the Extended Euclidean Algorithm. Then find all $x \in \mathbb{F}_{5^3}$ that solve the following equation: $(2t^2 + 4)(x - (t^2 + 4t + 2)) = (2t + 3)$.

A polynomial of degree $3$ over a field is reducible only if it has a linear factor, i.e. a root. Evaluating $P$ at every element of $\mathbb{F}_5$: <br>
$P(0)=0^3+0+1=1$ <br>
$P(1)=1^3+1+1=3$ <br>
$P(2)=2^3+2+1=11=1$ <br>
$P(3)=3^3+3+1=31=1$ <br>
$P(4)=4^3+4+1=69=4$ <br>
$P$ has no root, so it is irreducible and $\mathbb{F}_5[t]/(P)$ is the field $\mathbb{F}_{5^3}$. <br>
Running the Extended Euclidean Algorithm in ```Sage``` gives $(2t^2+4)^{-1} = 4t^2+4t+1$. As a check, $(2t^2+4)(4t^2+4t+1) = 3t^4+3t^3+3t^2+t+4$ over $\mathbb{F}_5$, and substituting $t^3 = 4t+4$ (from $P = 0$) reduces this to $1$. Multiplying both sides of the equation by the inverse: <br>
$x-(t^2+4t+2)=(2t+3)(4t^2+4t+1) = 3t^3+4t+3$ <br>
$x = 3t^3+t^2+3t$ <br>
Reducing modulo $P$ by polynomial long division, $3t^3 = 3(4t+4) = 2t+2$, so <br>
$x=t^2+2$ <br>

---

### Exercise 56

> Consider the prime field $\mathbb{F}_5$. **Show that the polynomial $P = x^2 + 2$ from $\mathbb{F}_5[x]$ is irreducible**. Implement the finite field $\mathbb{F}_{5^2}$ in Sage.

As in the previous exercise, a quadratic without a root is irreducible. Evaluating $P$ at every element of $\mathbb{F}_5$: <br>
$P(0)=0^2+2=2$ <br>
$P(1)=1^2+2=3$ <br>
$P(2)=2^2+2=6=1$ <br>
$P(3)=3^2+2=11=1$ <br>
$P(4)=4^2+2=18=3$ <br>
$P$ has no root in $\mathbb{F}_5$, so $P = x^2 + 2$ is irreducible and $\mathbb{F}_5[x]/(P)$ is the field $\mathbb{F}_{5^2}$.
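Exercises 55 and 56 ask for Sage. As an added example that is not part of the original notebook, the Rust below implements the same steps in plain `std`: polynomials over $\mathbb{F}_5$ as coefficient vectors (lowest degree first), the root test that decides irreducibility for degrees $2$ and $3$, polynomial long division, and the Extended Euclidean Algorithm in $\mathbb{F}_5[t]$, which yields $(2t^2+4)^{-1} = 4t^2+4t+1$ in $\mathbb{F}_{5^3} = \mathbb{F}_5[t]/(t^3+t+1)$ and from it the solution $x = t^2 + 2$ of exercise 55. The field size and modulus are constants chosen for these exercises. The root test is deliberately restricted to degrees $2$ and $3$: from degree $4$ on, a polynomial can be reducible without having a root.

```rust
// Added example (not part of the original notebook): arithmetic in F_{5^3} = F_5[t]/(t^3+t+1)
// and the Extended Euclidean Algorithm for inverses, as used in exercises 55 and 56.

const P: u64 = 5;
const MODULUS: [u64; 4] = [1, 1, 0, 1]; // t^3 + t + 1, lowest degree first

type Poly = Vec<u64>; // coefficients in F_P, index = degree, no trailing zeros

fn trim(mut a: Poly) -> Poly { while a.last() == Some(&0) { a.pop(); } a }
fn deg(a: &Poly) -> Option<usize> { a.len().checked_sub(1) }
fn inv_mod_p(a: u64) -> u64 { (1..P).find(|&x| a * x % P == 1).expect("a must be non-zero mod P") }

fn add(a: &Poly, b: &Poly) -> Poly {
    let n = a.len().max(b.len());
    trim((0..n).map(|i| (a.get(i).unwrap_or(&0) + b.get(i).unwrap_or(&0)) % P).collect())
}
fn sub(a: &Poly, b: &Poly) -> Poly { add(a, &b.iter().map(|&c| (P - c) % P).collect::<Poly>()) }
fn mul(a: &Poly, b: &Poly) -> Poly {
    if a.is_empty() || b.is_empty() { return vec![]; }
    let mut r = vec![0u64; a.len() + b.len() - 1];
    for (i, &x) in a.iter().enumerate() {
        for (j, &y) in b.iter().enumerate() { r[i + j] = (r[i + j] + x * y) % P; }
    }
    trim(r)
}

/// Polynomial long division over F_P: returns (quotient, remainder) with deg(remainder) < deg(b).
fn divmod(a: &Poly, b: &Poly) -> (Poly, Poly) {
    let db = deg(b).expect("division by the zero polynomial");
    let lead_inv = inv_mod_p(b[db]);
    let mut q = vec![0u64; a.len().saturating_sub(db)];
    let mut r = a.clone();
    while let Some(dr) = deg(&r) {
        if dr < db { break; }
        let coef = r[dr] * lead_inv % P; // cancels the leading term of r
        q[dr - db] = coef;
        for (i, &bc) in b.iter().enumerate() {
            r[i + dr - db] = (r[i + dr - db] + P - coef * bc % P) % P;
        }
        r = trim(r);
    }
    (trim(q), r)
}

fn reduce(a: &Poly) -> Poly { divmod(a, &MODULUS.to_vec()).1 }
fn field_mul(a: &Poly, b: &Poly) -> Poly { reduce(&mul(a, b)) }

/// A polynomial of degree 2 or 3 over F_P is irreducible iff it has no root in F_P
/// (any factorisation would contain a linear factor). Not valid for degree >= 4.
fn is_irreducible_low_degree(f: &Poly) -> bool {
    let d = deg(f).unwrap_or(0);
    assert!(d == 2 || d == 3, "root test only decides degrees 2 and 3");
    (0..P).all(|x| f.iter().rev().fold(0, |acc, &c| (acc * x + c) % P) != 0) // Horner
}

/// Extended Euclidean Algorithm in F_P[t]: returns (g, s, u) with s·a + u·m = g and g monic.
fn ext_gcd(a: &Poly, m: &Poly) -> (Poly, Poly, Poly) {
    let (mut r0, mut r1) = (a.clone(), m.clone());
    let (mut s0, mut s1): (Poly, Poly) = (vec![1], vec![]);
    let (mut u0, mut u1): (Poly, Poly) = (vec![], vec![1]);
    while !r1.is_empty() {
        let (q, r) = divmod(&r0, &r1);
        let (s, u) = (sub(&s0, &mul(&q, &s1)), sub(&u0, &mul(&q, &u1))); // keep s·a + u·m = r
        r0 = r1; r1 = r; s0 = s1; s1 = s; u0 = u1; u1 = u;
    }
    let li = inv_mod_p(*r0.last().expect("gcd of two zero polynomials"));
    let scale = |v: &Poly| v.iter().map(|&c| c * li % P).collect::<Poly>();
    (scale(&r0), scale(&s0), scale(&u0))
}

/// Inverse in F_{5^3}: from s·a + u·MODULUS = 1, s is a^{-1} modulo MODULUS.
fn field_inv(a: &Poly) -> Poly {
    let (g, s, _) = ext_gcd(a, &MODULUS.to_vec());
    assert_eq!(g, vec![1], "a must be non-zero and MODULUS irreducible");
    reduce(&s)
}

/// Exercise 55: x = (t^2 + 4t + 2) + (2t + 3) · (2t^2 + 4)^{-1}.
fn solve_exercise_55() -> Poly {
    add(&vec![2, 4, 1], &field_mul(&vec![3, 2], &field_inv(&vec![4, 0, 2])))
}

fn main() {
    println!("t^3+t+1 irreducible over F_5: {}", is_irreducible_low_degree(&MODULUS.to_vec()));
    println!("x^2+2 irreducible over F_5: {}", is_irreducible_low_degree(&vec![2, 0, 1]));
    println!("(2t^2+4)^-1 = {:?} (coefficients, lowest degree first)", field_inv(&vec![4, 0, 2]));
    println!("x = {:?}", solve_exercise_55());
}
```

The inverse comes out as `[1, 4, 4]`, i.e. $4t^2 + 4t + 1$, and the solution as `[2, 0, 1]`, i.e. $t^2 + 2$, matching the hand computation above.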

---

### Exercise 57

> **Construct the so-called Fano plane**, that is, the projective plane over the finite field $F_2$.

```
(0 : 0 : 1)
(0 : 1 : 1)
(1 : 0 : 1)
(1 : 1 : 1)
(0 : 1 : 0)
(1 : 1 : 0)
(1 : 0 : 0)
```

---