
Number Theory Algorithms and Cryptography Algorithms
Prepared by
John Reif, Ph.D.
Analysis of Algorithms
Number Theory Algorithms
a) GCD
b) Multiplicative Inverse
c) Fermat & Euler's Theorems
d) Public Key Cryptographic Systems
e) Primality Testing


Number Theory Algorithms (contd)

Main Reading Selections:
CLR, Chapter 33



Euclid's Algorithm

Greatest Common Divisor

$GCD(u, v)$ = largest $a$ s.t. $a$ is a divisor of both $u, v$

procedure GCD(u, v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end
Euclid's Algorithm (contd)

Inductive proof of correctness:

if $a$ is a divisor of $u, v$ then $a$ is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$

Euclid's Algorithm (contd)

Time Analysis of Euclid's Algorithm for $n$-bit numbers $u, v$:

$T(n) \le T(n-1) + M(n)$
$= O(n\, M(n))$
$= O(n^2 \log n \log\log n)$

(where $M(n)$ = time to multiply two $n$-bit integers)
Euclid's Algorithm (contd)

Fibonacci worst case:

$u = F_{k+1}$, $v = F_k$
where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$

$F_k \approx \phi^k / \sqrt{5}$, $\phi = (1 + \sqrt{5})/2$

Euclid's Algorithm takes $\log_\phi(\sqrt{5}\, N) = O(n)$ stages when $N = \max(u, v)$.
Here $n$ = number of bits of $N$.
Euclid's Algorithm (contd)

Improved Algorithm

$T(n) \le T(n/2) + O(M(n))$
$= O(M(n) \log n)$
Extended GCD Algorithm

procedure ExGCD(u, v)
  where u = (u_1, u_2, u_3), v = (v_1, v_2, v_3)
begin
  if v_3 = 0 then return(u)
  else return ExGCD(v, u - ⌊u_3 / v_3⌋ v)
end
Extended GCD Algorithm (contd)

Theorem
$ExGCD((1, 0, x), (0, 1, y)) = (x', y', GCD(x, y))$
where $x x' + y y' = GCD(x, y)$

Proof
inductively can verify on each call
$x u_1 + y u_2 = u_3$
$x v_1 + y v_2 = v_3$
Extended GCD Algorithm (contd)

Corollary
If $\gcd(x, y) = 1$ then $x'$ is the modular inverse of $x$ modulo $y$

Proof
we must show $x x' \equiv 1 \bmod y$
but by previous Theorem,
$1 = x x' + y y' \equiv x x' \bmod y$
so $1 \equiv x x' \bmod y$

Gives Algorithm for Modular Inverse

Modular Laws

for $n > 1$: if $x = y \bmod n$, write $x \equiv y$
Modular Laws (contd)

Law A: if $a \equiv b$ and $x \equiv y$ then $a x \equiv b y$

Law B: if $a \equiv b$ and $a x \equiv b y$ and $\gcd(a, n) = 1$ then $x \equiv y$
Modular Laws (contd)

let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if
$a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and
$\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$
Fermat's Little Theorem

If $n$ prime then $a^n \equiv a \bmod n$

Proof by Euler
if $a \equiv 0$ then $a^n \equiv 0 \equiv a$
else suppose $\gcd(a, n) = 1$
Then $x \equiv a y$ for $y \equiv a^{-1} x$ and any $x$
so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$
Fermat's Little Theorem (contd)

So by Law A,
$(a)(2a) \cdots ((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$
So $a^{n-1} (n-1)! \equiv (n-1)!$
So by Law B
$a^{n-1} \equiv 1 \bmod n$
Euler's Theorem

$\phi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to $n$

Euler's Theorem
If $\gcd(a, n) = 1$ then $a^{\phi(n)} \equiv 1 \bmod n$

Proof
let $b_1, \ldots, b_{\phi(n)}$ be the integers $< n$ relatively prime to $n$
Euler's Theorem (contd)

Lemma
$\{b_1, \ldots, b_{\phi(n)}\} \equiv \{a b_1, a b_2, \ldots, a b_{\phi(n)}\}$

Proof
If $a b_i \equiv a b_j$ then by Law B, $b_i \equiv b_j$
Since $1 = \gcd(b_i, n) = \gcd(a, n)$
then $\gcd(a b_i, n) = 1$ so $a b_i \equiv b_{j_i}$
for $\{j_1, \ldots, j_{\phi(n)}\} = \{1, \ldots, \phi(n)\}$
Euler's Theorem (contd)

By Law A and Lemma
$(a b_1)(a b_2) \cdots (a b_{\phi(n)}) \equiv b_1 b_2 \cdots b_{\phi(n)}$
so $a^{\phi(n)} b_1 b_2 \cdots b_{\phi(n)} \equiv b_1 b_2 \cdots b_{\phi(n)}$

By Law B
$a^{\phi(n)} \equiv 1 \bmod n$
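The proofs of Fermat's and Euler's theorems above rest on one fact: multiplying the reduced residues $b_1, \ldots, b_{\phi(n)}$ by $a$ only permutes them when $\gcd(a, n) = 1$. The following added Python example (mine, not from the slides; helper names are my own) computes $\phi(n)$ and the $b_i$ by the slide's definitions, checks the Lemma directly, shows it failing when $\gcd(a, n) \ne 1$, and replays the Law A / Law B cancellation on small moduli.

```python
from math import gcd


def phi(n):
    """Euler's phi by the slide's definition: count of integers in {1, ..., n-1}
    relatively prime to n (so phi(1) = 0 here)."""
    return sum(1 for b in range(1, n) if gcd(b, n) == 1)


def reduced_residues(n):
    """b_1, ..., b_phi(n): the integers below n that are relatively prime to n."""
    return [b for b in range(1, n) if gcd(b, n) == 1]


def multiplied_by(a, n):
    """{a b_1, a b_2, ..., a b_phi(n)} reduced mod n, in the order of the b_i."""
    return [(a * b) % n for b in reduced_residues(n)]


def lemma_holds(a, n):
    """Lemma: the a b_i are a permutation of the b_i. True exactly when gcd(a, n) = 1;
    otherwise some a b_i collide and residues are lost."""
    return sorted(multiplied_by(a, n)) == reduced_residues(n)


def product_mod(values, n):
    result = 1
    for v in values:
        result = (result * v) % n
    return result


def euler_theorem_holds(a, n):
    """Replay the proof: Law A gives (a b_1)...(a b_phi) = b_1...b_phi mod n, then Law B
    cancels the product of the b_i, leaving a^phi(n) = 1 mod n. False if gcd(a, n) != 1."""
    if gcd(a, n) != 1:
        return False
    left = product_mod(multiplied_by(a, n), n)     # (a b_1)(a b_2)...(a b_phi(n))
    right = product_mod(reduced_residues(n), n)    # b_1 b_2 ... b_phi(n)
    return left == right and pow(a, phi(n), n) == 1


def fermat_holds(a, p):
    """Fermat's little theorem in the slide's form a^p = a mod p, including a = 0."""
    return pow(a, p, p) == a % p


if __name__ == "__main__":
    print(phi(12), reduced_residues(12), multiplied_by(5, 12), multiplied_by(4, 12))
    print(euler_theorem_holds(7, 12), [fermat_holds(a, 13) for a in range(13)])
```

For $n = 12$ the residues are $\{1, 5, 7, 11\}$; $a = 5$ maps them to $\{5, 1, 11, 7\}$ (a permutation), while $a = 4$ maps them to $\{4, 8, 4, 8\}$, which is why the theorem needs $\gcd(a, n) = 1$.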

Taking Powers mod n by Repeated Squaring

Problem: Compute $a^e \bmod b$

$e = e_k e_{k-1} \cdots e_1 e_0$ binary representation, $e = \sum_{i=0}^{k} e_i 2^i$

[1] X ← 1
[2] for i = k, k-1, ..., 0 do
    begin
      X ← X^2 mod b
      if e_i = 1 then X ← X a mod b
    end
output X

$a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i} \bmod b$
Taking Powers mod n by Repeated Squaring (contd)

Time Cost

$O(k)$ mults and additions mod $b$
$k$ = # bits of $e$
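Steps [1] and [2] of the repeated-squaring slide, scanning the bits $e_k, \ldots, e_0$ from the most significant end, as an added Python example (mine, not the slides' code; the multiplication counter is my addition so the $O(k)$ cost can be observed rather than asserted).

```python
def bits_msb_first(e):
    """e_k e_{k-1} ... e_0: the binary digits of e >= 0, most significant first."""
    return [int(c) for c in bin(e)[2:]]


def mod_pow(a, e, b):
    """a^e mod b by repeated squaring, exactly steps [1]-[2] of the slide.
    Returns (result, number of multiplications mod b performed)."""
    if b == 1:
        return 0, 0
    x, mults = 1, 0                    # [1] X <- 1
    for e_i in bits_msb_first(e):      # [2] for i = k, k-1, ..., 0
        x = (x * x) % b                #     X <- X^2 mod b
        mults += 1
        if e_i == 1:                   #     if e_i = 1 then X <- X a mod b
            x = (x * a) % b
            mults += 1
    return x, mults


def max_mults(e):
    """Time cost: one squaring per bit plus at most one multiply per bit, so <= 2k."""
    return 2 * len(bits_msb_first(e))


if __name__ == "__main__":
    print(mod_pow(4, 13, 497))                    # (445, 7): 13 = 1101b, 4 squarings + 3 multiplies
    print(mod_pow(3, 2 ** 100, 1000003)[1])       # 102 multiplications for a 101-bit exponent
```

A 101-bit exponent such as $2^{100}$ costs 102 multiplications, not $2^{100}$; that gap between $O(k)$ and $O(e)$ is what makes modular exponentiation usable in RSA below.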
Rivest, Shamir, Adleman (RSA) Encryption Algorithm

$M$ = integer message
$e$ = encryption integer for user A

Cryptogram
$C = E(M) = M^e \bmod n$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Method

(1) Choose large random primes $p, q$
    let $n = p q$
(2) Choose large random integer $d$ relatively prime to $\phi(n) = \phi(p)\,\phi(q) = (p-1)(q-1)$
(3) Let $e$ be the multiplicative inverse of $d$ modulo $\phi(n)$:
    $e d \equiv 1 \bmod \phi(n)$
    (require $e > \log n$, else try another $d$)
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Theorem
If $M$ is relatively prime to $n$, and $D(x) = x^d \pmod n$, then
$D(E(M)) \equiv E(D(M)) \equiv M$
Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

Proof
$D(E(M)) \equiv E(D(M)) \equiv M^{e d} \bmod n$
There must exist $k > 0$ s.t.
$1 = \gcd(d, \phi(n)) = -k\,\phi(n) + d e$
So $e d = k\,\phi(n) + 1$ and $M^{e d} \equiv M^{k \phi(n) + 1} \bmod n$
Since $(p-1)$ divides $\phi(n)$, by Euler's Theorem
$M^{k \phi(n) + 1} \equiv M \bmod p$

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (contd)

By Symmetry,
$M^{k \phi(n) + 1} \equiv M \pmod q$
Hence $M^{e d} \equiv M^{k \phi(n) + 1} \equiv M \bmod n$
So $M^{e d} \equiv M \bmod n$
Security of RSA Cryptosystem

Theorem
If can compute $d$ in polynomial time, then can factor $n$ in polynomial time

Proof
$e d - 1$ is a multiple of $\phi(n)$
But Miller has shown can factor $n$ from any multiple of $\phi(n)$

Security of RSA Cryptosystem (contd)

If can find $d'$ s.t. $M^{d'} \equiv M^{d} \bmod n$,
$d'$ differs from $d$ by a multiple of $\mathrm{lcm}(p-1, q-1)$, so can factor $n$.
(lcm is the "least common multiple")
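The RSA method (steps (1) to (3)), the encryption and decryption theorem, and the security theorem that recovering $d$ is as good as factoring $n$, as one added Python example. This is my code, not the slides' or RSA's reference implementation; the toy primes 61 and 53 are constructed for the demonstration (real keys use primes of hundreds of digits), the seed parameters are mine, and `factor_from_phi_multiple` is the standard square-root-of-unity argument the slide attributes to Miller, written out so the consequence of a leaked private exponent can be seen.

```python
import random
from math import gcd


def rsa_keygen(p, q, seed):
    """Steps (1)-(3) for given primes p, q: n = p q, random d coprime to phi(n),
    e = d^{-1} mod phi(n), retrying until the slide's e > log n requirement holds.
    Returns (public key (n, e), private key (n, d))."""
    rng = random.Random(seed)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        d = rng.randrange(2, phi)
        if gcd(d, phi) != 1:
            continue
        e = pow(d, -1, phi)            # multiplicative inverse of d modulo phi(n)
        if e > n.bit_length():         # e > log n, else try another d
            return (n, e), (n, d)


def encrypt(public, m):
    n, e = public
    return pow(m, e, n)                # C = E(M) = M^e mod n


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)                # D(C) = C^d mod n


def factor_from_phi_multiple(n, k_phi, seed, tries=64):
    """Recover a factor of odd composite n from any multiple k_phi of phi(n).
    Write k_phi = 2^s t with t odd. For random a, square a^t repeatedly: the value just
    before the sequence first reaches 1 is a square root of 1 mod n, and with probability
    at least 1/2 it is not +-1, in which case gcd(root - 1, n) is a proper factor."""
    rng = random.Random(seed)
    s, t = 0, k_phi
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for _ in range(tries):
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:
            return g                   # a already shares a factor with n
        x = pow(a, t, n)
        if x in (1, n - 1):
            continue                   # this a only yields trivial roots; pick another
        for _ in range(s):
            y = (x * x) % n
            if y == 1:
                g = gcd(x - 1, n)      # x^2 = 1 with x != +-1, so x - 1 shares a factor with n
                if 1 < g < n:
                    return g
                break
            x = y
    return None


def factor_modulus_from_d(public, private, seed):
    """The security theorem: e d - 1 is a multiple of phi(n), which suffices to factor n."""
    (n, e), (_, d) = public, private
    return factor_from_phi_multiple(n, e * d - 1, seed)


if __name__ == "__main__":
    public, private = rsa_keygen(61, 53, seed=7)    # constructed toy primes, n = 3233
    c = encrypt(public, 65)
    print(public, private, c, decrypt(private, c))
    print(factor_modulus_from_d(public, private, seed=11))
```

Run it and the last line prints 61 or 53: whoever learns $d$ also learns $p$ and $q$, which is why the private exponent, not only the primes, must be protected.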

Rabin's Public Key Crypto System

Use private large primes $p, q$
public key $n = q p$
message $M$
cryptogram $M^2 \bmod n$

Theorem
If cryptosystem can be broken, then can factor key $n$
Rabin's Public Key Crypto System (contd)

Proof
$M^2 \equiv \alpha^2 \bmod n$ has solutions
$M \equiv \alpha, \beta, n - \alpha, n - \beta$
where $\beta \notin \{\alpha, n - \alpha\}$
But then $\alpha^2 - \beta^2 = (\alpha - \beta)(\alpha + \beta) \equiv 0 \bmod n$
So either (1) $p \mid (\alpha - \beta)$ and $q \mid (\alpha + \beta)$
or (2) $q \mid (\alpha - \beta)$ and $p \mid (\alpha + \beta)$

In either case, two independent solutions for $M$ give factorization of $n$,
i.e., a factor of $n$ is $\gcd(n, \alpha - \beta)$.
Rabin's Public Key Crypto System (contd)

Rabin's Algorithm for factoring $n$, given a way to break his cryptosystem.

Choose random $\alpha$, $1 < \alpha < n$ s.t. $\gcd(\alpha, n) = 1$
let $\beta = \alpha^2 \bmod n$
find $M$ s.t. $M^2 = \beta \bmod n$ by assumed way to break cryptosystem
with probability $\ge 1/2$, $M \notin \{\alpha, n - \alpha\}$
so factors of $n$ are found
else repeat with another $\alpha$

Note: Expected number of rounds is 2
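Rabin's cryptosystem and the reduction above, as an added Python example (mine, not from the slides). It assumes the primes are chosen $\equiv 3 \pmod 4$ so that a square root modulo each prime has the closed form $c^{(p+1)/4}$; the four roots are then assembled by the Chinese Remainder Theorem. The "way to break the cryptosystem" is simulated by that trapdoor decryptor returning one of the four roots at random, which is exactly the situation the proof's probability-$1/2$ bound describes. The primes 7, 11, 103, 107 and the seed parameters are constructed for the example.

```python
import random
from math import gcd


def rabin_encrypt(n, m):
    """Cryptogram M^2 mod n under public key n = p q."""
    return (m * m) % n


def sqrt_mod_prime(c, p):
    """A square root of residue c modulo prime p = 3 mod 4: c^((p+1)/4) mod p.
    (Assumption of this example: p and q are chosen = 3 mod 4.)"""
    r = pow(c, (p + 1) // 4, p)
    if (r * r) % p != c % p:
        raise ValueError(f"{c} is not a quadratic residue mod {p}")
    return r


def crt(r_p, p, r_q, q):
    """The x mod p q with x = r_p mod p and x = r_q mod q."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)


def rabin_decrypt_all(p, q, c):
    """The trapdoor: knowing p and q gives all four solutions alpha, beta, n - alpha,
    n - beta of M^2 = c mod n (sorted)."""
    n = p * q
    r_p, r_q = sqrt_mod_prime(c, p), sqrt_mod_prime(c, q)
    alpha = crt(r_p, p, r_q, q)
    beta = crt(r_p, p, (-r_q) % q, q)
    return sorted({alpha, n - alpha, beta, n - beta})


def factor_from_roots(n, alpha, beta):
    """Two independent roots (beta not in {alpha, n - alpha}) give the factor gcd(n, alpha - beta)."""
    g = gcd(n, abs(alpha - beta))
    return g if 1 < g < n else None


def rabin_factor(p, q, seed, max_rounds=100):
    """Rabin's reduction with the breaker simulated by the trapdoor decryptor.
    Returns (factor, number of rounds used)."""
    rng = random.Random(seed)
    n = p * q
    for rounds in range(1, max_rounds + 1):
        alpha = rng.randrange(2, n)                     # 1 < alpha < n
        while gcd(alpha, n) != 1:
            alpha = rng.randrange(2, n)
        beta = (alpha * alpha) % n
        m = rng.choice(rabin_decrypt_all(p, q, beta))   # the breaker's answer to "find M"
        g = factor_from_roots(n, alpha, m)
        if g is not None:                               # M not in {alpha, n - alpha}: prob. 1/2
            return g, rounds
    return None, max_rounds


def average_rounds(p, q, seeds):
    """Empirical check of 'expected number of rounds is 2'."""
    return sum(rabin_factor(p, q, s)[1] for s in seeds) / len(seeds)


if __name__ == "__main__":
    print(rabin_decrypt_all(7, 11, 23))       # [10, 32, 45, 67]: all four square to 23 mod 77
    print(factor_from_roots(77, 10, 32))      # 11
    print(rabin_factor(103, 107, seed=5), average_rounds(7, 11, range(50)))
```

The design point to take from this is the one the Theorem states: any black box that returns square roots modulo $n$ for arbitrary inputs leaks the factorization, so a Rabin decryptor must never be exposed as such an oracle.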

Quadratic Residues

$a$ is quadratic residue of $n$ if $x^2 \equiv a \bmod n$ has solution

Euler:
If $n$ is odd, prime and $\gcd(a, n) = 1$, then
$a$ is quadratic residue of $n$ iff $a^{(n-1)/2} \equiv 1 \bmod n$
Jacobi Function

$J(a, n) =$
  $1$ if $\gcd(a, n) = 1$ and $a$ is quadratic residue of $n$
  $-1$ if $\gcd(a, n) = 1$ and $a$ is not quadratic residue of $n$
  $0$ if $\gcd(a, n) \ne 1$
Jacobi Function (contd)

Gauss's Quadratic Reciprocity Law
if $p, q$ are odd primes,
$J(p, q)\, J(q, p) = (-1)^{(p-1)(q-1)/4}$

Rivest Algorithm
$J(a, n) =$
  $1$ if $a = 1$
  $J(a/2, n)\,(-1)^{(n^2 - 1)/8}$ if $a$ even
  $J(n \bmod a, a)\,(-1)^{\frac{a-1}{2} \cdot \frac{n-1}{2}}$ else
Jacobi Function (contd)

Theorem (Fermat)
$n > 2$ is prime iff $\exists x$, $1 < x < n$:
(1) $x^{n-1} \equiv 1 \bmod n$
(2) $x^i \not\equiv 1 \bmod n$ for all $i \in \{1, 2, \ldots, n-2\}$
Theorem: Primes are in NP

Proof
input $n$
if $n = 2$ output "prime"
if $n = 1$ or ($n$ even and $n > 2$) output "composite"
else guess $x$ to verify Fermat's Theorem
  Check (1) $x^{n-1} \equiv 1 \bmod n$
  To verify (2) guess prime factorization of $n - 1 = n_1 n_2 \cdots n_k$
    (a) recursively verify each $n_i$ prime
    (b) verify $x^{(n-1)/n_i} \not\equiv 1 \bmod n$
Theorem: Primes are in NP (contd)

Note
if $x^{n-1} = 1 \bmod n$,
the least $y$ s.t. $x^y = 1 \bmod n$ must divide $n - 1$. So $x^{y a} = 1 \bmod n$ for any $a$.
If $y < n - 1$, some prime factor $n_i$ of $n - 1$ has $y\, n_i \mid n - 1$;
let $a = (n-1)/(y\, n_i)$, so $1 = x^{y a} = x^{(n-1)/n_i} \bmod n$,
which check (b) rules out. Hence $y = n - 1$, giving (2).
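The verifier from the Primes-in-NP proof, as an added Python example (mine, not the slides' code). A certificate maps each odd prime in the recursion to the guessed $x$ and the guessed prime factorization of $n - 1$; `verify_certificate` performs checks (1), (a) and (b) exactly as listed, and `build_certificate` produces the "guesses" by brute force for toy sizes only, which also shows that no certificate exists for a composite $n$. The constructed certificates below and the name `cert` are mine.

```python
def prime_factors(m):
    """Prime factorization of m >= 2 by trial division, with multiplicity."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def verify_certificate(n, cert):
    """cert: {n: (x, [prime factors of n-1 with multiplicity])} for every odd prime
    the proof recurses into. Implements the verifier on the slide."""
    if n == 2:
        return True
    if n == 1 or n % 2 == 0 or n not in cert:
        return False
    x, factors = cert[n]
    if not 1 < x < n:
        return False
    product = 1
    for f in factors:
        product *= f
    if product != n - 1:                              # the guessed factorization must be of n-1
        return False
    if pow(x, n - 1, n) != 1:                         # check (1)
        return False
    for f in set(factors):
        if not verify_certificate(f, cert):           # (a) each n_i is itself proved prime
            return False
        if pow(x, (n - 1) // f, n) == 1:              # (b) x^((n-1)/n_i) != 1 mod n
            return False
    return True


def build_certificate(n, cert=None):
    """Brute-force the nondeterministic guesses for small n: find an x of order n-1 and
    recurse into the prime factors of n-1. Returns None when no x exists, which is the
    case exactly when n is composite (exponential search; toy sizes only)."""
    cert = {} if cert is None else cert
    if n == 2:
        return cert
    factors = prime_factors(n - 1)
    for x in range(2, n):
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // f, n) != 1 for f in set(factors)):
            cert[n] = (x, factors)
            for f in set(factors):
                build_certificate(f, cert)
            return cert
    return None


if __name__ == "__main__":
    cert = build_certificate(23)
    print(cert, verify_certificate(23, cert))          # {23: (5, [2, 11]), 11: (2, [2, 5]), 5: (2, [2, 2])} True
    print(build_certificate(21))                       # None: 21 is composite
```

A certificate for 23 is $x = 5$ with $22 = 2 \cdot 11$, then $x = 2$ with $10 = 2 \cdot 5$ for 11, then $x = 2$ with $4 = 2 \cdot 2$ for 5; a forged certificate that uses $x = 2$ for 23 fails check (b) because 2 is a quadratic residue mod 23, so $2^{11} \equiv 1$.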
Primality Testing

Goal of Randomized Primality Testing

wish to test if $n$ is prime
technique $W_n(a)$ = "$a$ witness that $n$ is composite"
$W_n(a) =$ true $\Rightarrow$ $n$ composite
$W_n(a) =$ false $\Rightarrow$ don't know

for random $a \in \{1, \ldots, n-1\}$
$n$ composite $\Rightarrow$ Prob$(W_n(a) =$ true$) > 1/2$
So $\ge 1/2$ of all $\{1, \ldots, n-1\}$ are "witnesses to compositeness of $n$"
Primality Testing (contd)

Solovay & Strassen Primality Test

$W_n(a) = (\gcd(a, n) \ne 1)$
or $J(a, n) \ne a^{(n-1)/2} \bmod n$

test if Gauss's Quadratic Reciprocal Law is violated
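The quadratic-residue definition, Euler's criterion, the Jacobi function by Rivest's algorithm, and the Solovay-Strassen witness $W_n(a)$ built on top of it, in one added Python example (my code, not the slides' or Rivest's). The `jacobi` function is the slide's recursion written as a loop, with the base case $a = 0$ (meaning $\gcd(a, n) \ne 1$) returning 0 as the definition requires; `witness_fraction` exhaustively measures the share of witnesses, which the theorem that follows bounds below by $1/2$ for composite $n$. The test numbers 23, 561 (a Carmichael number) and 7919 and the seed parameter are constructed for the example.

```python
import random
from math import gcd


def is_quadratic_residue(a, n):
    """Definition: a is a quadratic residue of n if x^2 = a mod n has a solution."""
    return any((x * x) % n == a % n for x in range(n))


def euler_criterion_holds(a, p):
    """Euler: for odd prime p and gcd(a, p) = 1, a is a residue iff a^((p-1)/2) = 1 mod p."""
    return is_quadratic_residue(a, p) == (pow(a, (p - 1) // 2, p) == 1)


def jacobi(a, n):
    """J(a, n) for odd n >= 1 by Rivest's algorithm: halve an even a with the factor
    (-1)^((n^2-1)/8), otherwise swap by reciprocity with the factor (-1)^(((a-1)/2)((n-1)/2))
    and reduce; a = 1 ends with the accumulated sign, a = 0 means gcd(a, n) != 1."""
    if n < 1 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:                     # J(a, n) = J(a/2, n) (-1)^((n^2-1)/8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                           # J(a, n) = J(n mod a, a) (-1)^(((a-1)/2)((n-1)/2))
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def solovay_strassen_witness(a, n):
    """W_n(a) = (gcd(a, n) != 1) or J(a, n) != a^((n-1)/2) mod n, for odd n > 1."""
    if gcd(a, n) != 1:
        return True
    return jacobi(a, n) % n != pow(a, (n - 1) // 2, n)


def witness_fraction(n):
    """Share of {1, ..., n-1} that are witnesses: 0 for a prime, >= 1/2 for a composite."""
    return sum(1 for a in range(1, n) if solovay_strassen_witness(a, n)) / (n - 1)


def solovay_strassen(n, rounds, seed):
    """Randomized test: any witness among 'rounds' random a proves n composite;
    otherwise n is declared prime with error probability at most 2^-rounds."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        if solovay_strassen_witness(rng.randrange(1, n), n):
            return False
    return True


if __name__ == "__main__":
    print(jacobi(2, 7), jacobi(3, 7), jacobi(2, 15), jacobi(3, 15))   # 1 -1 1 0
    print(witness_fraction(23), witness_fraction(561))                # 0.0 and well above 0.5
    print(solovay_strassen(561, 20, seed=1), solovay_strassen(7919, 20, seed=1))
```

Note that for composite $n$ the value $J(a, n)$ computed by reciprocity is the Jacobi symbol, which can be $1$ even when $a$ is not a residue mod $n$; that is exactly the gap the test exploits, since a composite $n$ cannot satisfy $J(a, n) \equiv a^{(n-1)/2}$ for more than half of the $a$.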
Definitions

$Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to $n$.

generator $g$ of $Z_n^*$: such that for all $x \in Z_n^*$ there is $i$ such that $g^i \equiv x \bmod n$
Theorem of Solovay & Strassen

Theorem
If $n$ is composite then $|G| \le (n-1)/2$,
where $G = \{a \mid W_n(a \bmod n)$ false$\}$

Proof
Case $G \ne Z_n^*$: $G$ is a subgroup of $Z_n^*$,
so $|G| \le |Z_n^*|/2 \le (n-1)/2$
Theorem of Solovay & Strassen (contd)

Case $G = Z_n^*$: Use Proof by Contradiction
so $a^{(n-1)/2} = J(a, n) \bmod n$ for all $a$ relatively prime to $n$
Let $n$ have prime factorization
$n = p_1^{e_1} p_2^{e_2} p_3^{e_3} \cdots p_k^{e_k}$
Let $g$ be a generator of $Z_m^*$ where $m = p_1^{e_1}$
Theorem of Solovay & Strassen (contd)

Then by Chinese Remainder Theorem,
$\exists$ unique $a$ (mod $n$) s.t. $a \equiv g \bmod m$
and $a \equiv 1 \bmod (n/m)$

Since $a$ is relatively prime to $n$,
$a \in Z_n^*$ so
$a^{n-1} \equiv 1 \bmod n$ and hence $g^{n-1} \equiv a^{n-1} \equiv 1 \bmod m$
Theorem of Solovay & Strassen (contd)

Case $e_1 \ge 2$.
Then order of $g$ in $Z_m^*$ is $p_1^{e_1 - 1}(p_1 - 1)$ by known formula,
a contradiction since the order divides $n - 1$ (while $p_1$ divides $n$).
Theorem of Solovay & Strassen (contd)

Case $e_1 = e_2 = \cdots = e_k = 1$.
Since $n = p_1 p_2 \cdots p_k$,
$J(a, n) = J(a, p_1)\, J(a, p_2) \cdots J(a, p_k) = J(g, p_1) \prod_{i=2}^{k} J(a, p_i)$
since $a \equiv g \bmod p_1$ and $a \equiv 1 \bmod p_i$ for $i \ne 1$.
So $J(a, n) = -1$
since $J(1, p_i) = 1$ and $J(g, p_1) = -1$ ($g$ generates $Z_{p_1}^*$, so it is not a quadratic residue mod $p_1$)
Theorem of Solovay & Strassen (contd)

We have shown $J(a, n) = -1$, so $a^{(n-1)/2} \equiv J(a, n) \equiv -1 \bmod n$,
and therefore $a^{(n-1)/2} \equiv -1 \bmod (n/m)$.
But by assumption $a \equiv 1 \bmod (n/m)$,
so $a^{(n-1)/2} \equiv 1 \bmod (n/m)$.
Hence $-1 \equiv 1 \bmod (n/m)$, a contradiction with Gauss's Law.
Miller

Miller's Primality Test

$W_n(a) = (\gcd(a, n) \ne 1)$
or $(a^{n-1} \not\equiv 1 \bmod n)$
or $\gcd(a^{(n-1)/2^i} \bmod n - 1,\; n) \ne 1$ for some $i \in \{1, \ldots, k\}$
where $k = \max\{i \mid 2^i$ divides $n-1\}$

Theorem (Miller)
Assuming the extended RH, if $n$ is composite, then $W_n(a)$ holds for some
$a \in \{1, 2, \ldots, c \log^2 n\}$

Miller's Test assumes extended RH (not proved)
Miller (contd)

Miller Rabin Randomized Primality Test

choose a random $a \in \{1, \ldots, n-1\}$
test $W_n(a)$

Theorem
if $n$ is composite then
Prob$(W_n(a)$ holds$) > 1/2$

gives another randomized, polytime algorithm for primality!
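Miller's witness $W_n(a)$, the deterministic test that depends on the extended RH, and the Miller-Rabin randomized test, as an added Python example (mine, not the slides' code). The gcd clause is applied in its standard strict form $1 < \gcd(a^{(n-1)/2^i} - 1, n) < n$: when the power is exactly 1 the gcd is $n$ itself, which says nothing about $n$ (it happens for every prime and must not count as a witness). The constant $c = 2$ in `miller_under_erh`, the seed parameter, and the test numbers 13, 97, 561 and 7919 are this example's assumptions, not values from the slides.

```python
import math
import random
from math import gcd


def split_power_of_two(m):
    """m = 2^k t with t odd, i.e. k = max{i | 2^i divides m}."""
    k = 0
    while m % 2 == 0:
        m //= 2
        k += 1
    return k, m


def miller_witness(a, n):
    """W_n(a) for odd n > 2: gcd(a, n) != 1, or a^(n-1) != 1 mod n, or for some i in
    {1, ..., k} the gcd of a^((n-1)/2^i) - 1 with n is a proper factor of n."""
    if gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:
        return True
    k, _ = split_power_of_two(n - 1)
    for i in range(1, k + 1):
        g = gcd(pow(a, (n - 1) >> i, n) - 1, n)
        if 1 < g < n:                  # strict form: g == n (power exactly 1) is not a witness
            return True
    return False


def miller_under_erh(n, c=2):
    """Miller's deterministic test: check every a in {1, ..., c log^2 n}.
    Correctness of this bound is only known under the extended Riemann hypothesis;
    c = 2 is an assumption of this example."""
    if n == 2:
        return "prime"
    if n < 2 or n % 2 == 0:
        return "composite"
    limit = min(n - 1, int(c * math.log(n) ** 2) + 1)
    return "composite" if any(miller_witness(a, n) for a in range(1, limit + 1)) else "prime"


def miller_rabin(n, rounds, seed):
    """Miller-Rabin: random a in {1, ..., n-1} per round; a witness proves n composite,
    and for composite n each round finds one with probability > 1/2."""
    if n in (2, 3):
        return True
    if n < 2 or n % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(rounds):
        if miller_witness(rng.randrange(1, n), n):
            return False
    return True


def witness_fraction(n):
    """Share of {1, ..., n-1} that are Miller witnesses (exhaustive; small n only)."""
    return sum(1 for a in range(1, n) if miller_witness(a, n)) / (n - 1)


if __name__ == "__main__":
    print(miller_witness(2, 561), miller_witness(3, 13))      # True (561 = 3*11*17), False (13 prime)
    print(witness_fraction(561), miller_under_erh(561), miller_under_erh(97))
    print(miller_rabin(561, 10, seed=3), miller_rabin(7919, 10, seed=3))
```

For $561$, $a = 2$ passes the Fermat check ($2^{560} \equiv 1$, as for every Carmichael number) but $2^{140} \not\equiv \pm 1$ while $2^{280} \equiv 1$, so $\gcd(2^{140} - 1, 561) = 33$ exposes compositeness; this is the case Fermat-only tests miss and the reason the $2^i$ clause is in $W_n(a)$.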
