Number Theory Algorithms and Cryptography Algorithms. Prepared by John Reif, Ph.D. Analysis of Algorithms. (Transcript of a 50-slide deck.)

Page 1:

Number Theory Algorithms and Cryptography Algorithms

Prepared by John Reif, Ph.D.

Analysis of Algorithms

Page 2:

Number Theory Algorithms

a) GCD
b) Multiplicative Inverse
c) Fermat & Euler's Theorems
d) Public Key Cryptographic Systems
e) Primality Testing

Page 3:

Number Theory Algorithms (cont'd)

• Main Reading Selections: CLR, Chapter 33

Page 4:

Euclid's Algorithm

• Greatest Common Divisor

$\mathrm{GCD}(u,v)$ = largest $a$ s.t. $a$ is a divisor of both $u, v$

• Euclid's Algorithm

procedure GCD(u,v)
begin
  if v = 0 then return(u)
  else return(GCD(v, u mod v))
end

Page 5:

Euclid's Algorithm (cont'd)

• Inductive proof of correctness:

if $a$ is a divisor of $u, v$ then $a$ is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$; conversely a divisor of $v$ and of $u \bmod v$ divides $u$. So the pairs $(u, v)$ and $(v, u \bmod v)$ have the same common divisors, hence the same GCD, and the recursion terminates because the second argument strictly decreases.

Page 6:

Euclid's Algorithm (cont'd)

• Time Analysis of Euclid's Algorithm for $n$ bit numbers $u, v$

$T(n) \le T(n-1) + M(n) = O(n\,M(n)) = O(n^2 \log n \log\log n)$

(where $M(n)$ = time to multiply two $n$ bit integers; $M(n) = O(n \log n \log\log n)$ with Schonhage-Strassen multiplication)

Page 7:

Euclid's Algorithm (cont'd)

• Fibonacci worst case:

$u = F_{k+1}$, $v = F_k$ where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$, $k \ge 0$

$F_k \approx \frac{\varphi^k}{\sqrt 5}$, $\varphi = \frac{1 + \sqrt 5}{2}$

Euclid's Algorithm takes $\log_\varphi(\sqrt 5\, N) = O(n)$ stages when $N = \max(u,v)$. Here $n$ = number of bits of $N$.

Page 8:

Euclid's Algorithm (cont'd)

• Improved Algorithm

$T(n) \le 2\,T\!\left(\frac{n}{2}\right) + O(M(n)) = O(M(n) \log n)$

Page 9:

Extended GCD Algorithm

Page 10:

Extended GCD Algorithm (cont'd)

• Theorem

$\mathrm{GCD}((1,0,x),(0,1,y)) = (x', y', \mathrm{GCD}(x,y))$ where $x x' + y y' = \mathrm{GCD}(x,y)$

(Here GCD is Euclid's recursion run on triples: the third components play the roles of $u, v$, and the quotient $\lfloor u_3 / v_3 \rfloor$ is subtracted from the whole triple.)

• Proof

Inductively can verify on each call $\mathrm{GCD}(u, v)$ with $u = (u_1, u_2, u_3)$, $v = (v_1, v_2, v_3)$:

$x u_1 + y u_2 = u_3$

$x v_1 + y v_2 = v_3$

Page 11:

Extended GCD Algorithm (cont'd)

• Corollary

If $\gcd(x,y) = 1$ then $x'$ is the modular inverse of $x$ modulo $y$

• Proof

We must show $x x' \equiv 1 \pmod y$.

But by the previous Theorem, $1 = x x' + y y' \equiv x x' \pmod y$,

so $x x' \equiv 1 \pmod y$.
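The triple recursion of the Theorem and the inverse of the Corollary, as an added Python example that is not part of the slides. It carries the triples $(u_1,u_2,u_3)$ and $(v_1,v_2,v_3)$ explicitly and checks the invariant $x u_1 + y u_2 = u_3$ on every step; the loop is the slide's recursion unrolled so that it does not hit the interpreter's recursion limit on inputs of cryptographic size. The sample inputs are the usual textbook ones and carry no other significance.

```python
def ext_gcd(x, y):
    """Return (x', y', g) with x*x' + y*y' == g == gcd(x, y).

    Euclid's recursion GCD(u, v) -> GCD(v, u mod v) run on the triples
    u = (1, 0, x) and v = (0, 1, y).  The third components are the plain
    Euclid sequence; the first two record how the current remainder is
    written as a combination of x and y, so on every iteration
        x*u1 + y*u2 == u3   and   x*v1 + y*v2 == v3.
    """
    u = (1, 0, x)
    v = (0, 1, y)
    while v[2] != 0:
        # the invariant holds for the pair we are about to replace
        assert x * u[0] + y * u[1] == u[2] and x * v[0] + y * v[1] == v[2]
        q = u[2] // v[2]                       # floor(u / v)
        # u mod v == u3 - q*v3; subtracting q*v from the whole triple keeps
        # the invariant because both sides are linear in (u1, u2, u3)
        u, v = v, (u[0] - q * v[0], u[1] - q * v[1], u[2] - q * v[2])
    return u                                    # (x', y', gcd(x, y))


def mod_inverse(x, y):
    """Corollary: if gcd(x, y) == 1 then x' is the inverse of x modulo y.

    Raises ValueError when no inverse exists (gcd != 1); this is exactly the
    check RSA key generation must make before accepting a candidate d.
    """
    xp, _, g = ext_gcd(x, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd is {g}")
    return xp % y                               # reduce Bezout's x' into [0, y)


if __name__ == "__main__":
    print(ext_gcd(240, 46))       # (-9, 47, 2): 240*(-9) + 46*47 == 2
    print(mod_inverse(17, 3120))  # 2753
```

The reduction `xp % y` matters in practice: Bezout's $x'$ can be negative, and a negative exponent handed to a modular-exponentiation routine is a common source of bugs.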

Page 12:

Modular Laws

• Gives Algorithm for Modular Inverse!

• Modular Laws

For $n \ge 1$, write $x \equiv y$ if $x \equiv y \pmod n$ (the modulus $n$ is fixed throughout).

Page 13:

Modular Laws (cont'd)

Law A: if $a \equiv b$ and $x \equiv y$ then $a x \equiv b y$

Law B: if $a \equiv b$ and $a x \equiv b y$ and $\gcd(a, n) = 1$ then $x \equiv y$

Page 14:

Modular Laws (cont'd)

Let $\{a_1, \dots, a_k\} \equiv \{b_1, \dots, b_k\}$ if $a_i \equiv b_{j_i}$ for $i = 1, \dots, k$ and $\{j_1, \dots, j_k\} = \{1, \dots, k\}$

(i.e. the two lists agree mod $n$ up to a permutation of their elements)

Page 15:

Fermat's Little Theorem

• If $n$ prime then $a^n \equiv a \pmod n$

• Proof by Euler

if $a \equiv 0$ then $a^n \equiv 0 \equiv a$

else suppose $\gcd(a, n) = 1$

Then $x \equiv a y$ for $y \equiv a^{-1} x$ and any $x$,

so $\{a, 2a, \dots, (n-1)a\} \equiv \{1, 2, \dots, n-1\}$

Page 16:

Fermat's Little Theorem (cont'd)

So by Law A, $(a)(2a) \cdots ((n-1)a) \equiv 1 \cdot 2 \cdots (n-1)$

So $a^{n-1} (n-1)! \equiv (n-1)!$

So by Law B (applicable since $\gcd((n-1)!, n) = 1$ for prime $n$),

$a^{n-1} \equiv 1 \pmod n$

Page 17:

Euler's Theorem

• $\varphi(n)$ = number of integers in $\{1, \dots, n-1\}$ relatively prime to $n$

• Euler's Theorem

If $\gcd(a, n) = 1$ then $a^{\varphi(n)} \equiv 1 \pmod n$

• Proof

let $b_1, \dots, b_{\varphi(n)}$ be the integers $< n$ relatively prime to $n$

Page 18:

Euler's Theorem (cont'd)

• Lemma

$\{b_1, \dots, b_{\varphi(n)}\} \equiv \{a b_1, a b_2, \dots, a b_{\varphi(n)}\}$

• Proof

If $a b_i \equiv a b_j$ then by Law B, $b_i \equiv b_j$.

Since $1 = \gcd(b_i, n) = \gcd(a, n)$, then $\gcd(a b_i, n) = 1$, so $a b_i \equiv b_{j_i}$

for $\{j_1, \dots, j_{\varphi(n)}\} = \{1, \dots, \varphi(n)\}$

Page 19:

Euler's Theorem (cont'd)

• By Law A and Lemma

$(a b_1)(a b_2) \cdots (a b_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$

so $a^{\varphi(n)}\, b_1 b_2 \cdots b_{\varphi(n)} \equiv b_1 b_2 \cdots b_{\varphi(n)}$

• By Law B

$a^{\varphi(n)} \equiv 1 \pmod n$

Page 20:

Taking Powers mod n by "Repeated Squaring"

• Problem: Compute $a^e \bmod b$

$e = e_k e_{k-1} \cdots e_1 e_0$ (binary representation), so $e = \sum_{i=0}^{k} e_i 2^i$

[1] $X \leftarrow 1$
[2] for $i \leftarrow k, k-1, \dots, 0$ do
      begin
        $X \leftarrow X^2 \bmod b$
        if $e_i = 1$ then $X \leftarrow X \cdot a \bmod b$
      end
output $X$

Correctness: $a^e = a^{\sum_{i=0}^{k} e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i} \bmod b$; after the iteration for bit $i$ the loop maintains $X = a^{\lfloor e / 2^i \rfloor} \bmod b$, so at the end $X = a^e \bmod b$.

Page 21:

Taking Powers mod n by "Repeated Squaring" (cont'd)

• Time Cost

$O(k)$ mults and additions mod $b$, where $k$ = # bits of $e$

Page 22:

Rivest, Shamir, Adleman (RSA) Encryption Algorithm

• $M$ = integer message, $e$ = "encryption integer" for user A

• Cryptogram $C = E(M) = M^e \bmod n$

Page 23:

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

• Method

(1) Choose large random primes $p, q$; let $n = p \cdot q$

(2) Choose large random integer $d$ relatively prime to $\varphi(n) = \varphi(p)\varphi(q) = (p-1)(q-1)$

(3) Let $e$ be the multiplicative inverse of $d$ modulo $\varphi(n)$: $e \cdot d \equiv 1 \pmod{\varphi(n)}$

(require $e > \log n$, else try another $d$)

Page 24:

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

• Theorem

If $M$ is relatively prime to $n$, and $D(x) = x^d \pmod n$, then $D(E(M)) \equiv E(D(M)) \equiv M$

Page 25:

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

• Proof

$D(E(M)) \equiv E(D(M)) \equiv M^{ed} \bmod n$

Since $1 = \gcd(d, \varphi(n))$ and $ed \equiv 1 \pmod{\varphi(n)}$, there must be $k \ge 0$ s.t. $ed - k\varphi(n) = 1$, i.e. $ed = k\varphi(n) + 1$

So $M^{ed} \equiv M^{k\varphi(n)+1} \bmod n$

Since $(p-1)$ divides $\varphi(n)$, $M^{k\varphi(n)+1} \equiv M \bmod p$

Page 26:

Rivest, Shamir, Adleman (RSA) Encryption Algorithm (cont'd)

• By Euler's Theorem (for the prime $p$: $M^{p-1} \equiv 1 \bmod p$ because $\gcd(M, p) = 1$), $M^{k\varphi(n)+1} \equiv M \pmod p$

By symmetry, $M^{k\varphi(n)+1} \equiv M \pmod q$

Hence $M^{ed} \equiv M^{k\varphi(n)+1} \equiv M \bmod n$ (the distinct primes $p, q$ both divide $M^{ed} - M$)

So $M^{ed} \equiv M \bmod n$

Page 27:

Security of RSA Cryptosystem

• Theorem

If can compute $d$ in polynomial time, then can factor $n$ in polynomial time

• Proof

$e \cdot d - 1$ is a multiple of $\varphi(n)$. But Miller has shown can factor $n$ from any multiple of $\varphi(n)$.

Page 28:

Security of RSA Cryptosystem (cont'd)

If can find $d'$ s.t. $M^{d'} \equiv M^{d} \bmod n$ (for all $M$),

then $d' - d$ is a multiple of $\mathrm{lcm}(p-1, q-1)$,

so can factor $n$ (by the same method, from a multiple of $\mathrm{lcm}(p-1, q-1)$).

(lcm is the "least common multiple")
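The Method of Page 23, the Theorem of Page 24 and the reduction of Page 27 in one added Python example (not code from the slides). Key generation follows the slide's order, drawing $d$ first and computing $e$ as its inverse; the factoring routine implements the argument that a multiple of $\varphi(n)$ splits $n$, using the square-root-of-one trick that is the standard way to realise Miller's result. Toy primes $p = 61$, $q = 53$ and the message $65$ are constructed inputs; `pow(d, -1, m)` needs Python 3.8 or later.

```python
import math
import random


def rsa_keygen(p, q, rng):
    """Steps (1)-(3) of the slide for given primes p, q.

    d is drawn first and e is its inverse modulo phi(n).  Re-draws d while
    gcd(d, phi) != 1 or while e <= log2(n), the slide's 'try another d'.
    """
    n = p * q
    phi = (p - 1) * (q - 1)               # phi(n) = phi(p) * phi(q)
    while True:
        d = rng.randrange(2, phi)
        if math.gcd(d, phi) != 1:
            continue                      # step (2): d must be coprime to phi(n)
        e = pow(d, -1, phi)               # step (3): e*d == 1 mod phi(n)
        if e > n.bit_length():            # require e > log n, else another d
            return (n, e), d              # public (n, e), private d


def encrypt(m, public_key):
    n, e = public_key
    return pow(m, e, n)                   # C = E(M) = M^e mod n


def decrypt(c, n, d):
    return pow(c, d, n)                   # D(C) = C^d mod n


def factor_from_exponents(n, e, d, rng, max_tries=100):
    """Factor n from (e, d): e*d - 1 is a multiple of phi(n).

    Write e*d - 1 = 2^t * r with r odd.  For random g coprime to n the
    sequence g^r, g^(2r), ..., g^(2^t r) ends at 1 mod n.  With probability
    at least 1/2 the element just before the first 1 is a square root of 1
    other than +-1, and gcd(that - 1, n) is then a proper factor of n.
    """
    k = e * d - 1
    t = 0
    while k % 2 == 0:
        k //= 2
        t += 1
    r = k                                 # e*d - 1 == 2**t * r
    for _ in range(max_tries):
        g = rng.randrange(2, n - 1)
        f = math.gcd(g, n)
        if f != 1:
            return f                      # g already shares a factor with n
        x = pow(g, r, n)
        if x in (1, n - 1):
            continue                      # this g only reaches the trivial roots
        for _ in range(t):
            y = x * x % n
            if y == 1:
                return math.gcd(x - 1, n) # x^2 == 1 but x != +-1: x-1 splits n
            if y == n - 1:
                break                     # reaches 1 through -1: useless g
            x = y
    raise RuntimeError("no factor found; increase max_tries")


if __name__ == "__main__":
    rng = random.Random(2024)
    (n, e), d = rsa_keygen(61, 53, rng)        # n = 3233, phi = 3120
    c = encrypt(65, (n, e))
    print(decrypt(c, n, d))                    # 65
    print(factor_from_exponents(n, e, d, rng)) # 53 or 61
```

This is why a leaked private exponent is a full compromise of the modulus, not just of that one key pair: anyone holding $(n, e, d)$ recovers $p$ and $q$ and can then derive every other exponent that was ever generated for the same $n$.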

Page 29:

Rabin's Public Key Crypto System

• Use private large primes $p, q$; public key $n = q \cdot p$; message $M$

cryptogram $M^2 \bmod n$

• Theorem

If cryptosystem can be broken, then can factor key $n$

Page 30:

Rabin's Public Key Crypto System (cont'd)

• Proof

$x^2 \equiv M^2 \bmod n$ has solutions $x \equiv \beta, \gamma, n-\beta, n-\gamma$ where $\gamma \notin \{\beta, n-\beta\}$

But then $\beta^2 - \gamma^2 \equiv (\beta - \gamma)(\beta + \gamma) \equiv 0 \bmod n$

So either (1) $p \mid (\beta - \gamma)$ and $q \mid (\beta + \gamma)$

or (2) $q \mid (\beta - \gamma)$ and $p \mid (\beta + \gamma)$

(since $\gamma \not\equiv \pm\beta \bmod n$, $p$ and $q$ cannot both divide the same factor)

• In either case, two independent solutions for $M$ give factorization of $n$, i.e., a factor of $n$ is $\gcd(n, \gamma - \beta)$.

Page 31:

Rabin's Public Key Crypto System (cont'd)

• Rabin's Algorithm for factoring $n$, given a way to break his cryptosystem.

Choose random $\alpha$, $1 \le \alpha < n$, s.t. $\gcd(\alpha, n) = 1$

let $\beta = \alpha^2 \bmod n$

find $M$ s.t. $M^2 = \beta \bmod n$ by assumed way to break cryptosystem

with probability $\frac12$, $M \notin \{\alpha, n-\alpha\}$, so factors of $n$ are found (as $\gcd(n, M - \alpha)$)

else repeat with another $\alpha$

Note: Expected number of rounds is 2
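Rabin's reduction, as an added Python example that is not from the slides. The "way to break the cryptosystem" is simulated with the private primes, which is the one assumption here: for $p, q \equiv 3 \pmod 4$ a square root modulo each prime is a single exponentiation, and the decryptor glues the two roots together with the Chinese Remainder Theorem. The oracle returns one of the four roots at random, which is the attacker's worst case; the modulus $n = 7 \cdot 11$ is a constructed toy value.

```python
import math
import random


def crt2(r1, m1, r2, m2):
    """Smallest x >= 0 with x == r1 (mod m1) and x == r2 (mod m2), gcd(m1, m2) == 1."""
    t = (r2 - r1) * pow(m1, -1, m2) % m2          # pow(m1, -1, m2): Python 3.8+
    return (r1 + m1 * t) % (m1 * m2)


def rabin_roots(beta, p, q):
    """All four square roots of beta modulo n = p*q for primes p, q == 3 (mod 4)
    and gcd(beta, n) == 1: the legitimate decryptor's computation.  For such
    primes sqrt(beta) mod p is beta^((p+1)/4); the two sign choices mod p and
    mod q are combined by the Chinese Remainder Theorem."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("this root formula needs p, q == 3 (mod 4)")
    rp = pow(beta, (p + 1) // 4, p)
    rq = pow(beta, (q + 1) // 4, q)
    return sorted({crt2(sp, p, sq, q) for sp in (rp, p - rp) for sq in (rq, q - rq)})


def make_oracle(p, q, rng):
    """Model of 'a way to break the cryptosystem': given a cryptogram, return
    one of its four roots, chosen uniformly (the attacker cannot pick which)."""
    def oracle(beta):
        return rng.choice(rabin_roots(beta, p, q))
    return oracle


def factor_with_oracle(n, oracle, rng, max_rounds=200):
    """Rabin's algorithm: returns (a proper factor of n, number of rounds)."""
    for rounds in range(1, max_rounds + 1):
        alpha = rng.randrange(1, n)
        if math.gcd(alpha, n) != 1:
            continue                            # slide requires gcd(alpha, n) == 1
        beta = alpha * alpha % n                # the cryptogram of alpha
        m = oracle(beta)                        # some root of beta
        if m not in (alpha, n - alpha):         # probability 1/2 per round
            return math.gcd(n, m - alpha), rounds   # gcd(n, gamma - beta) of Page 30
    raise RuntimeError("no split after max_rounds (probability 2^-max_rounds)")


if __name__ == "__main__":
    print(rabin_roots(4, 7, 11))                # [2, 9, 68, 75]
    oracle = make_oracle(7, 11, random.Random(9))
    print(factor_with_oracle(77, oracle, random.Random(5)))   # (7 or 11, rounds)
```

The practical reading of this slide is that a Rabin decryption oracle must never return a root of a ciphertext the attacker chose: a chosen-ciphertext query is, with probability one half, a factorization of the key.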

Page 32:

Quadratic Residues

$a$ is a quadratic residue of $n$ if $x^2 \equiv a \bmod n$ has a solution

Euler's criterion: If $n$ is odd, prime and $\gcd(a, n) = 1$, then $a$ is a quadratic residue of $n$ iff $a^{(n-1)/2} \equiv 1 \bmod n$

Page 33:

Jacobi Function

$J(a, n) = 1$ if $\gcd(a, n) = 1$ and $a$ is quadratic residue of $n$

$J(a, n) = -1$ if $\gcd(a, n) = 1$ and $a$ is not quadratic residue of $n$

$J(a, n) = 0$ if $\gcd(a, n) \ne 1$

(This is the definition for prime $n$, the Legendre symbol. For composite $n = p_1 \cdots p_k$ the Jacobi symbol is the product $J(a, n) = \prod_i J(a, p_i)$, as used on Page 45; there $J(a, n) = 1$ no longer implies that $a$ is a quadratic residue of $n$. The algorithm on the next page computes this product without factoring $n$.)

Page 34:

Jacobi Function (cont'd)

• Gauss's Quadratic Reciprocity Law

if $p, q$ are odd primes, $J(p, q)\, J(q, p) = (-1)^{(p-1)(q-1)/4}$

• Rivest Algorithm (for odd $n$ and $\gcd(a, n) = 1$)

$J(a, n) = 1$ if $a = 1$

$J(a, n) = J(a/2, n) \cdot (-1)^{(n^2-1)/8}$ if $a$ even

$J(a, n) = J(n \bmod a, a) \cdot (-1)^{(a-1)(n-1)/4}$ else

Page 35:

Jacobi Function (cont'd)

• Theorem (Fermat; the "if" direction is Lucas's converse of Fermat's theorem)

$n \ge 2$ is prime iff $\exists x$, $1 \le x < n$:

(1) $x^{n-1} \equiv 1 \bmod n$

(2) $x^i \not\equiv 1 \bmod n$ for all $i \in \{1, 2, \dots, n-2\}$

Page 36:

Theorem: Primes are in NP

• Proof

input $n$

if $n = 2$ output "prime"

if $n = 1$ or ($n$ even and $n \ne 2$) output "composite"

else guess $x$ to verify Fermat's Theorem:

  Check (1) $x^{n-1} \equiv 1 \bmod n$

  To verify (2) guess prime factorization of $n - 1 = n_1 n_2 \cdots n_k$

    (a) recursively verify each $n_i$ prime

    (b) verify $x^{(n-1)/n_i} \not\equiv 1 \bmod n$ for each $i$

Page 37:

Theorem & Primes NP (cont'd)

• Note (why (1), (2a) and (2b) suffice for (2))

if $x^{n-1} \equiv 1 \bmod n$, the least $y$ s.t. $x^y \equiv 1 \bmod n$ must divide $n - 1$.

So if $y < n - 1$, some prime $n_i$ divides $(n-1)/y$; let $a = \frac{n-1}{y\, n_i}$, so $1 \equiv x^{ya} = x^{(n-1)/n_i} \bmod n$, contradicting (b). Hence $y = n - 1$ and (2) holds.
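The certificate that the NP proof of Page 36 guesses, built and checked, as an added Python example that is not code from the slides. `pratt_certificate` plays the nondeterministic machine (it searches for $x$ and factors $n - 1$ by trial division, which is fine at toy sizes); `verify_pratt` is the deterministic polynomial-time checker, steps (1), (2a) and (2b), plus the check that the guessed factors really multiply to $n - 1$, without which a forged certificate could omit a prime factor. The inputs $7919$ (prime) and $561$ (composite) are constructed.

```python
def trial_factor(m):
    """Prime factorization of m > 1 by trial division, as [(prime, exponent)].
    The NP machine just guesses this; the verifier only multiplies it back."""
    factors = []
    d = 2
    while d * d <= m:
        if m % d == 0:
            e = 0
            while m % d == 0:
                m //= d
                e += 1
            factors.append((d, e))
        d += 1
    if m > 1:
        factors.append((m, 1))
    return factors


def pratt_certificate(n):
    """Build (n, x, [(n_i, e_i, certificate of n_i), ...]) for prime n.
    Returns None for composite n: by the theorem no x of order n-1 exists."""
    if n == 2:
        return (2, None, [])
    if n < 2 or n % 2 == 0:
        return None
    facs = trial_factor(n - 1)             # n-1 = n_1^e_1 * ... * n_k^e_k
    for x in range(2, n):                  # 'guess x': here, search for it
        if pow(x, n - 1, n) == 1 and all(pow(x, (n - 1) // q, n) != 1 for q, _ in facs):
            return (n, x, [(q, e, pratt_certificate(q)) for q, e in facs])
    return None


def verify_pratt(cert):
    """Deterministic check of a certificate: (1), (2a), (2b) from the slide,
    plus the check that the listed factors really multiply to n-1."""
    n, x, facs = cert
    if n == 2:
        return x is None and facs == []
    if n < 2 or n % 2 == 0 or x is None or not (1 <= x < n):
        return False
    if pow(x, n - 1, n) != 1:              # (1)
        return False
    product = 1
    for q, e, sub in facs:
        if sub is None or sub[0] != q or not verify_pratt(sub):   # (2a)
            return False
        if pow(x, (n - 1) // q, n) == 1:   # (2b)
            return False
        product *= q ** e
    return product == n - 1                # no prime factor of n-1 was hidden


if __name__ == "__main__":
    cert = pratt_certificate(7919)
    print(cert[1], [q for q, _, _ in cert[2]])   # a generator x and [2, 37, 107]
    print(verify_pratt(cert), pratt_certificate(561))   # True None
```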

Page 38:

Primality Testing

• Goal of Randomized Primality Testing

wish to test if $n$ is prime

technique: $W_n(a)$, "$a$ is a witness that $n$ is composite"

$W_n(a)$ true $\Rightarrow$ $n$ composite

$W_n(a)$ false $\Rightarrow$ don't know

for random $a \in \{1, \dots, n-1\}$: $n$ composite $\Rightarrow$ $\Pr(W_n(a)\ \text{true}) \ge \frac12$

So at least $\frac12$ of all $a \in \{1, \dots, n-1\}$ are "witnesses to compositeness of $n$"

Page 39:

Primality Testing (cont'd)

• Solovay & Strassen Primality Test

$W_n(a) \equiv (\gcd(a, n) \ne 1)$ or $J(a, n) \not\equiv a^{(n-1)/2} \bmod n$

test if Gauss's Quadratic Reciprocity Law is violated (i.e. Euler's criterion fails for $J(a, n)$, which is computed by the reciprocity-based algorithm of Page 34)
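The Jacobi algorithm of Page 34 and the Solovay-Strassen witness of this slide, as one added Python example that is not from the slides. `jacobi` follows the three recursive rules and adds the $\gcd(a, n) \ne 1$ case (the recursion reaches $a = 0$, where the answer is $0$); `ss_witness` is $W_n(a)$ as written. The Carmichael number $561 = 3 \cdot 11 \cdot 17$ is used as a constructed input because Fermat's test alone never catches it; $a = 5$ is a Solovay-Strassen witness for it while $a = 2$ is not.

```python
import math
import random


def jacobi(a, n):
    """J(a, n) for odd n >= 1 by the slide's recursive rules (Rivest's
    algorithm), plus the gcd(a, n) != 1 case where the recursion hits a == 0."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    if a == 0:
        return 1 if n == 1 else 0          # gcd(a, n) = n != 1, so J = 0
    if a == 1:
        return 1                           # J(1, n) = 1
    if a % 2 == 0:                         # J(2, n) = (-1)^((n^2-1)/8)
        sign = 1 if n % 8 in (1, 7) else -1
        return sign * jacobi(a // 2, n)
    # a odd: reciprocity; (-1)^((a-1)(n-1)/4) is -1 iff a == n == 3 (mod 4)
    sign = -1 if (a % 4 == 3 and n % 4 == 3) else 1
    return sign * jacobi(n % a, a)


def ss_witness(n, a):
    """W_n(a) of the Solovay-Strassen test: True means a proves n composite."""
    if math.gcd(a, n) != 1:
        return True
    j = jacobi(a, n) % n                   # J = -1 is the residue n-1
    return pow(a, (n - 1) // 2, n) != j    # Euler's criterion violated?


def solovay_strassen(n, rounds, rng):
    """False if some random a is a witness (n surely composite); True if none
    of `rounds` trials is (n is prime with error probability <= 2^-rounds)."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return not any(ss_witness(n, rng.randrange(1, n)) for _ in range(rounds))


if __name__ == "__main__":
    print(jacobi(2, 15), jacobi(5, 21), jacobi(3, 9))          # 1 1 0
    print(ss_witness(561, 2), ss_witness(561, 5))              # False True
    print(solovay_strassen(561, 40, random.Random(3)))         # False
    print(solovay_strassen(7919, 40, random.Random(3)))        # True
```

Note that `jacobi(2, 15)` returns $1$ although $2$ is not a square modulo $15$: the Jacobi symbol of a composite modulus is a product of Legendre symbols, which is exactly why the test needs the exponentiation and not the symbol alone.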

Page 40:

Definitions

$Z_n^*$ = set of all nonnegative numbers $< n$ which are relatively prime to $n$.

generator $g$ of $Z_n^*$: such that for all $x \in Z_n^*$ there is $i$ such that $g^i \equiv x \bmod n$

Page 41:

Theorem of Solovay & Strassen

• Theorem

If $n$ is composite then $|G| \le \frac{n-1}{2}$, where $G = \{a \mid W_n(a \bmod n)\ \text{false}\}$

• Proof

Case $G \ne Z_n^*$: $G$ is a subgroup of $Z_n^*$ (it contains $1$ and is closed under multiplication mod $n$, since both $J(\cdot, n)$ and $a \mapsto a^{(n-1)/2}$ are multiplicative), so as a proper subgroup $|G| \le \frac{|Z_n^*|}{2} \le \frac{n-1}{2}$

Page 42:

Theorem of Solovay & Strassen (cont'd)

Case $G = Z_n^*$: Use Proof by Contradiction

so $a^{(n-1)/2} \equiv J(a, n) \bmod n$ for all $a$ relatively prime to $n$

Let $n$ have prime factorization $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$

Let $g$ be a generator of $Z_m^*$ where $m = p_1^{e_1}$

Page 43:

Theorem of Solovay & Strassen (cont'd)

• Then by Chinese Remainder Theorem, there is a unique $a$ ($0 \le a < n$) s.t. $a \equiv g \bmod m$ and $a \equiv 1 \bmod (n/m)$

• Since $a$ is relatively prime to $n$, $a \in Z_n^*$, so $a^{n-1} \equiv 1 \bmod n$ (square $a^{(n-1)/2} \equiv J(a, n) = \pm 1$), and hence $g^{n-1} \equiv 1 \bmod m$

Page 44:

Theorem of Solovay & Strassen (cont'd)

Case 2 (some exponent is $\ge 2$; relabel so that $e_1 \ge 2$):

Then the order of $g$ in $Z_m^*$ is $\varphi(m) = p_1^{e_1 - 1}(p_1 - 1)$ by known formula, a contradiction since the order divides $n - 1$ (that would give $p_1 \mid n - 1$, but $p_1 \mid n$).

Page 45:

Theorem of Solovay & Strassen (cont'd)

Case 1 (all $e_i = 1$, so $n = p_1 p_2 \cdots p_k$ is squarefree and $m = p_1$):

Since $n = p_1 p_2 \cdots p_k$,

$J(a, n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i=2}^{k} J(a, p_i)$

since $a \equiv g \bmod p_1$ and $a \equiv 1 \bmod p_i$ for $i > 1$

So $J(a, n) = -1$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$ (a generator of $Z_{p_1}^*$ is not a square mod $p_1$)

Page 46:

Theorem of Solovay & Strassen (cont'd)

We have shown $J(a, n) = -1$, so by the Case assumption $a^{(n-1)/2} \equiv J(a, n) \equiv -1 \bmod n$, and hence $a^{(n-1)/2} \equiv -1 \bmod (n/m)$.

But $a \equiv 1 \bmod (n/m)$, so $a^{(n-1)/2} \equiv 1 \bmod (n/m)$.

Hence $1 \equiv -1 \bmod (n/m)$, impossible since $n/m \ge 3$: contradiction with Gauss's Law (the assumption $a^{(n-1)/2} \equiv J(a, n) \bmod n$)!

Page 47:

Miller

• Miller's Primality Test

$W_n(a) \equiv (\gcd(a, n) \ne 1)$ or $(a^{n-1} \not\equiv 1 \bmod n)$ or $1 < \gcd\big(a^{(n-1)/2^i} \bmod n - 1,\ n\big) < n$ for some $i \in \{1, \dots, k\}$,

where $k = \max\{i \mid 2^i \text{ divides } n - 1\}$

(The gcd must be a proper divisor of $n$: a gcd of $n$ itself only says $a^{(n-1)/2^i} \equiv 1$, which is no evidence of compositeness, and a gcd of $1$ is the normal case.)

Page 48:

Miller (cont'd)

• Theorem (Miller)

Assuming the extended RH, if $n$ is composite, then $W_n(a)$ holds for some $a \in \{1, 2, \dots, c \log^2 n\}$

• Miller's Test assumes extended RH (not proved)

Page 49:

Miller – Rabin Randomized Primality Test

• Theorem

choose a random $a \in \{1, \dots, n-1\}$, test $W_n(a)$

if $n$ is composite then $\Pr(W_n(a)\ \text{holds}) \ge \frac12$

gives another randomized, polytime algorithm for primality!
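Miller's witness of Page 47, the randomized test of this slide and the deterministic variant of Page 48, as one added Python example that is not code from the slides. `miller_witness` implements $W_n(a)$ clause by clause, including the $1 < \gcd < n$ requirement. The bound used in `miller_erh`, $2(\ln n)^2$, is Bach's explicit constant for the $c \log^2 n$ of Page 48 and is an assumption beyond the slide, which leaves $c$ unspecified; its correctness depends on the extended RH, as the slide says. The Carmichael number $561$ and the prime $7919$ are constructed inputs; note that $a = 2$, which the Solovay-Strassen witness misses for $561$, is caught here.

```python
import math
import random


def miller_witness(n, a):
    """W_n(a) of Miller's test for odd n > 2: True means a proves n composite.

    k = max{i : 2^i | n-1}.  The third clause looks, for each i <= k, at
    a^((n-1)/2^i) mod n and asks whether (that - 1) shares a proper factor
    with n; such a value is a square root of 1 other than +-1, which a prime
    modulus cannot have.
    """
    if math.gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:              # Fermat's test fails
        return True
    k = 0
    while (n - 1) % (2 ** (k + 1)) == 0:
        k += 1
    for i in range(1, k + 1):
        x = pow(a, (n - 1) >> i, n)        # a^((n-1)/2^i) mod n
        g = math.gcd(x - 1, n)
        if 1 < g < n:                      # proper divisor: nontrivial sqrt of 1
            return True
    return False


def _trivial(n):
    """Shared handling of n < 2, n in {2, 3} and even n; None means 'test it'."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    return None


def miller_rabin(n, rounds, rng):
    """Randomized test: False = composite for sure, True = prime with error
    probability at most 2^-rounds (by the slide's 1/2 bound per round)."""
    t = _trivial(n)
    if t is not None:
        return t
    return not any(miller_witness(n, rng.randrange(1, n)) for _ in range(rounds))


def miller_erh(n):
    """Deterministic variant: try every a up to 2*(ln n)^2 (Bach's bound,
    assumed here for the slide's c*log^2 n); correct if the extended RH holds."""
    t = _trivial(n)
    if t is not None:
        return t
    bound = min(n - 1, int(2 * math.log(n) ** 2) + 1)
    return not any(miller_witness(n, a) for a in range(1, bound + 1))


if __name__ == "__main__":
    print(miller_witness(561, 2), miller_witness(7919, 2))     # True False
    print(miller_rabin(561, 20, random.Random(1)))             # False
    print(miller_erh(561), miller_erh(7919))                   # False True
```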
