Sharif University of Technology
Department of Computer Engineering
Data and Network Security Lab
A Primer on Computational Number Theory
Author & Instructor: Mohammad Sadeq Dousti
Sharif University
Introduction to Modern Cryptography
Spring 2015
1 / 45
Copyright Notice
• This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0.
• Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
  1. They credit the original author(s);
  2. Their work is used non-commercially;
  3. They license their work under CC BY-NC-SA 4.0.
• For further information, please consult:
  o https://creativecommons.org/licenses/by-nc-sa/4.0
  o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Outline
• Basics of Number Theory
  o Finding modular multiplicative inverse
  o Chinese Remainder Theorem (CRT)
  o ℤn* and Euler’s totient function
• Fermat’s Little Theorem (FLiT)
• Primes & Primality testing
  o Lucas test
  o Miller–Rabin test
• Quadratic Residuosity
  o Legendre Symbol
  o Jacobi Symbol
  o Solovay–Strassen primality testing
  o Blum integers
Basics of Number Theory
Euclidean algorithm
• Find the GCD of 972 and 421.
[Figure: the division steps of the Euclidean algorithm, labelled GCD]
Continued fractions
[Figure: continued-fraction expansion of 972/421; annotation: “To get inverses, remove this!”, pointing at the last partial quotient]
Modular multiplicative inverse
• 972/421 = [2, 3, 4, 5, 6]
• Dropping the last partial quotient: [2, 3, 4, 5] = 157/68
• 421 × 157 − 972 × 68 = 1
• 421 × 157 ≡ 1 (mod 972), so 421⁻¹ ≡ 157 (mod 972)
• 972 × (−68) ≡ 1 (mod 421), so 972⁻¹ ≡ −68 ≡ 353 (mod 421)
Modular multiplicative inverse (Cont’d)
• In general, we want to compute a⁻¹ mod b, where GCD(a, b) = 1.
• Let a/b = [c₁, …, cₙ₋₁, cₙ].
• Compute [c₁, …, cₙ₋₁] = y/x.
• THEOREM [Old63, §2.3]: ax − by = (−1)ⁿ.
• COROLLARY: a⁻¹ ≡ (−1)ⁿ x (mod b).
• This approach is called the extended Euclidean algorithm.
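The continued-fraction route to the inverse described on the last three slides, written out as an added example (this is not code from the slides): the Euclidean algorithm yields the partial quotients of a/b, the truncated expansion [c₁, …, cₙ₋₁] is evaluated to y/x, and the corollary a⁻¹ ≡ (−1)ⁿ x (mod b) gives the inverse. The function names are my own; 972 and 421 are the slides’ numbers, and the cross-check against Python’s built-in pow(a, -1, b) is an addition.

```python
from fractions import Fraction
from math import gcd


def continued_fraction(a, b):
    """Partial quotients [c1, ..., cn] of a/b, read off the Euclidean algorithm."""
    quotients = []
    while b:
        q, r = divmod(a, b)
        quotients.append(q)
        a, b = b, r
    return quotients


def convergent(quotients):
    """Evaluate [c1, ..., ck] = c1 + 1/(c2 + 1/(... + 1/ck)) as a reduced Fraction y/x."""
    value = Fraction(quotients[-1])
    for c in reversed(quotients[:-1]):
        value = c + 1 / value
    return value


def inverse_via_cf(a, b):
    """a^{-1} mod b for gcd(a, b) = 1, via the theorem ax - by = (-1)^n.

    Dropping the last partial quotient of a/b = [c1, ..., cn] gives y/x;
    the corollary then says a^{-1} ≡ (-1)^n x (mod b).
    """
    if gcd(a, b) != 1:
        raise ValueError("no inverse: gcd(a, b) != 1")
    quotients = continued_fraction(a, b)
    n = len(quotients)
    if n == 1:            # b divides a, so gcd(a, b) = 1 forces b = 1
        return 0
    yx = convergent(quotients[:-1])
    y, x = yx.numerator, yx.denominator
    assert a * x - b * y == (-1) ** n        # THEOREM [Old63, §2.3]
    return (-1) ** n * x % b                 # COROLLARY


def check_against_python(limit):
    """Cross-check inverse_via_cf with pow(a, -1, b) for all coprime pairs below limit."""
    for b in range(2, limit):
        for a in range(1, limit):
            if gcd(a, b) == 1 and inverse_via_cf(a, b) != pow(a, -1, b):
                return False
    return True


if __name__ == "__main__":
    print(continued_fraction(972, 421))                        # [2, 3, 4, 5, 6]
    print(convergent([2, 3, 4, 5]))                            # 157/68
    print(inverse_via_cf(421, 972), inverse_via_cf(972, 421))  # 157 353
```

Note that the sign (−1)ⁿ depends on the number of partial quotients, so 421/972 = [0, 2, 3, 4, 5, 6] (six terms) and 972/421 = [2, 3, 4, 5, 6] (five terms) land on opposite signs, which is why the slide gets 157 for one inverse and −68 for the other.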
Chinese Remainder Theorem (CRT)
• Given a set of simultaneous congruences
  x ≡ a₁ (mod m₁),
  x ≡ a₂ (mod m₂),
  ⋯
  x ≡ aₜ (mod mₜ),
  where the mᵢ are pairwise relatively prime, find x.
• The solution exists and is unique (mod M).
• Solution: Let M = m₁m₂⋯mₜ and, for i ∈ {1, …, t}, let bᵢ = (M/mᵢ)⁻¹ (mod mᵢ). Then
  x ≡ a₁b₁(M/m₁) + ⋯ + aₜbₜ(M/mₜ) (mod M).
CRT: Simple Example
• x ≡ 3 (mod 5)
• x ≡ 7 (mod 13)
• M = 5 × 13 = 65
• b₁ = 13⁻¹ (mod 5) = 2
• b₂ = 5⁻¹ (mod 13) = 8
• x ≡ 3 × 2 × (65/5) + 7 × 8 × (65/13) ≡ 33 (mod 65)
Multiplicative group of integers modulo n
• A group is an algebraic structure.
  o We’ll study groups later.
• A group is multiplicative if its operator is multiplication.
• For any n ∈ ℕ, let ℤn* denote the set:
  {m ∈ ℕ | 1 ≤ m ≤ n and (m, n) = 1}
• ℤn* is the multiplicative group of integers modulo n.
• The only operation of ℤn* is multiplication modulo n.
Examples
• ℤ2* = {1}
• ℤ3* = {1, 2}
• ℤ5* = {1, 2, 3, 4}
• ℤ6* = {1, 5}
• ℤ7* = {1, 2, 3, 4, 5, 6}
• ℤ8* = {1, 3, 5, 7}
• ℤ9* = {1, 2, 4, 5, 7, 8}
• ℤ10* = {1, 3, 7, 9}
• …
Euler’s totient function
• The number of elements in ℤn* can be computed based on the inclusion-exclusion principle.
• Example: Let n = pq, where p and q are primes. There are n = pq numbers in {1, …, n},
  o q of which are multiples of p,
  o p of which are multiples of q,
  o 1 of which is a multiple of both p and q.
  So |ℤpq*| = pq − q − p + 1 = (p − 1)(q − 1).
• In general, Euler’s totient function is computed as follows (requires the prime factorization of n):
  [formula shown on the slide, not reproduced in the transcript]
• Euler defined a general function, φ(n), such that φ(n) = |ℤn*|.
• φ(n) is often called Euler’s totient function.
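An added example for the last three slides (not from the slides themselves): it enumerates ℤn* directly from the definition, computes φ(n) from a trial-division factorization using the standard product formula φ(n) = Π p^(e−1)(p − 1) (the slide’s formula is not reproduced in the transcript, so that formula is my assumption of what it states), and reproduces the inclusion-exclusion count for n = pq. Function names are mine.

```python
from math import gcd


def units_mod(n):
    """Z_n^*: the m in {1, ..., n} with gcd(m, n) = 1."""
    return [m for m in range(1, n + 1) if gcd(m, n) == 1]


def factorize(n):
    """Prime factorization by trial division, as {p: e}; adequate for the small n used here."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi(n):
    """Euler's totient from the factorization: φ(n) = Π p^(e-1) (p - 1)."""
    result = 1
    for p, e in factorize(n).items():
        result *= p ** (e - 1) * (p - 1)
    return result


def phi_inclusion_exclusion_pq(p, q):
    """The slide's count for n = pq: pq numbers, minus the q multiples of p,
    minus the p multiples of q, plus the one number (pq itself) removed twice."""
    return p * q - q - p + 1


def totient_matches_group_size(limit):
    """Check φ(n) = |Z_n^*| for every n up to limit."""
    return all(len(units_mod(n)) == phi(n) for n in range(1, limit + 1))


if __name__ == "__main__":
    for n in (2, 3, 5, 6, 7, 8, 9, 10):
        print(n, units_mod(n), phi(n))
```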
A Primer on Computational Number Theory
Definition
• [Wikipedia]: In mathematics and computer science, computational number theory, also known as algorithmic number theory, is the study of algorithms for performing number theoretic computations.
• [Yan13, p.15]
Fermat’s Little Theorem (FLiT)
• [Wikipedia] Pierre de Fermat first stated the theorem in a letter dated October 18, 1640, to his friend and confidant Frénicle de Bessy as the following:
  p divides a^(p−1) − 1 whenever p is prime and a is coprime to p.
Example
• The following can be computed extremely fast on a computer:
  o 2^110618 ≡ 73750 (mod 110619)
    Based on FLiT, 110619 is not a prime. We proved this without even knowing the factorization of 110619!
  o 4^14 ≡ 1 (mod 15)
    But 15 is not a prime.
  o 2^6 ≡ 1 (mod 7)
    And 7 is a prime.
• A primality testing algorithm with one-sided error:
  1. Pick a random a ∈ ℤn*
  2. Compute a^(n−1) (mod n)
  3. If the result is not 1, then output COMPOSITE.
  4. Output TEST FAILS.
Primality Testing
Lucas primality test
• Let n > 1 be an integer.
• Let Q(m) denote the set of prime factors of m.
• n is prime if there exists 1 < a < n such that:
  1. a^(n−1) ≡ 1 (mod n)
  2. a^((n−1)/q) ≢ 1 (mod n) for all q ∈ Q(n − 1)
• THEOREM 1: A prime p has at least φ(p − 1) certificates in ℤp*. Here, φ(p − 1) is the number of generators of ℤp*.
• THEOREM 2: For all n we have φ(n) = Ω(n / log log n).
• COROLLARY: Given Q(p − 1), the Lucas primality test is efficient.
• Pratt certificates: a and Q(n − 1) certify the primality of n.
  o Every composite integer has a short certificate for compositeness (i.e., its prime factors).
  o Especially useful when there were no known efficient primality tests.
Example
• 3 does not certify 11:
  o 3¹⁰ ≡ 1 (mod 11)
  o 3² ≡ 9 (mod 11)
  o 3⁵ ≡ 1 (mod 11)
• But 2 certifies 11:
  o 2¹⁰ ≡ 1 (mod 11)
  o 2² ≡ 4 (mod 11)
  o 2⁵ ≡ 10 (mod 11)
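An added example (not the slides’ code) covering both the one-sided FLiT test from the earlier example slide and the Lucas certificate check from the last two slides: fermat_test reports COMPOSITE or TEST FAILS for a caller-supplied base, lucas_certifies checks the two conditions against Q(n − 1), and lucas_certificates lists every certificate so THEOREM 1 can be compared with φ(p − 1). Function names are mine; the numbers are the slides’ (110619, 15, 7, and 11 with bases 3 and 2).

```python
from math import gcd


def fermat_test(n, a):
    """The one-sided test from the FLiT example slide, with the base a chosen by the caller.

    Returns 'COMPOSITE' when a^(n-1) ≢ 1 (mod n), a proof of compositeness that needs no
    factorization, and 'TEST FAILS' otherwise. A base outside Z_n^* already shares a factor with n.
    """
    if gcd(a, n) != 1:
        return 'COMPOSITE'
    return 'COMPOSITE' if pow(a, n - 1, n) != 1 else 'TEST FAILS'


def prime_factors(m):
    """Q(m): the set of distinct prime factors of m (trial division)."""
    q, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            q.add(d)
            m //= d
        d += 1
    if m > 1:
        q.add(m)
    return q


def lucas_certifies(a, n):
    """True iff a is a Lucas certificate for n:
    a^(n-1) ≡ 1 (mod n) and a^((n-1)/q) ≢ 1 (mod n) for every q in Q(n - 1)."""
    if not 1 < a < n or pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def lucas_certificates(n):
    """All certificates of n; for a prime p these are the generators of Z_p^*, φ(p - 1) of them."""
    return [a for a in range(2, n) if lucas_certifies(a, n)]


if __name__ == "__main__":
    print(fermat_test(110619, 2), fermat_test(15, 4), fermat_test(7, 2))
    print(lucas_certifies(3, 11), lucas_certifies(2, 11))   # False True
    print(lucas_certificates(11))                           # [2, 6, 7, 8]
```

A composite n never has a Lucas certificate (the conditions force the order of a to be exactly n − 1, which is impossible in a group of size φ(n) < n − 1), whereas the Fermat test is fooled by bases like 4 modulo 15.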
Prime Certification
• Pratt certificates established, for the first time, that PRIMES ∈ NP.
• However, Pratt certificates cannot be computed efficiently, as they require the factorization of n − 1.
• We next turn to the problem of “Composite Certificates” without the need to factorize any number.
• Later, when we study Elliptic Curves, we will see an efficient algorithm to extract certificates for primes.
  o Atkin–Goldwasser–Kilian–Morain certificates.
Miller–Rabin primality test
[HPS14, p. 130]
[Figure: statement of the Miller–Rabin test; annotations: “≡ 1 due to FLiT”, “either this ≡ 1”, “or one of these ≡ 1”]
Miller–Rabin primality test (Cont’d)
[HPS14, p. 131]
THEOREM: Let n be an odd composite number. Then at least 3/4 of the numbers a between 1 and n − 1 are Miller–Rabin witnesses for n.
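The Miller–Rabin test behind the two slides above, as an added example (this is my code, not the slides’ or [HPS14]’s): n − 1 is written as 2^s·d, a base a is a witness when a^d ≢ ±1 and none of the repeated squarings reaches −1, and witness_fraction counts witnesses by brute force so the 3/4 bound of the theorem can be checked on small odd composites. The output labels COMPOSITE / PROBABLY PRIME and the function names are my choices.

```python
import random
from fractions import Fraction


def split_power_of_two(n):
    """Write n - 1 = 2^s * d with d odd."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    return s, d


def is_mr_witness(a, n):
    """Miller–Rabin witness for odd n > 2: a^d ≢ ±1 and a^(2^r d) ≢ -1 for every 0 < r < s.

    For a prime n, FLiT plus "the only square roots of 1 are ±1" rule this out,
    so a witness proves n composite without factoring it.
    """
    s, d = split_power_of_two(n)
    x = pow(a, d, n)
    if x in (1, n - 1):
        return False
    for _ in range(s - 1):
        x = x * x % n
        if x == n - 1:
            return False
    return True


def miller_rabin(n, rounds=20, seed=None):
    """Randomized test: 'COMPOSITE' if some random base is a witness, else 'PROBABLY PRIME'.

    By the theorem each round misses an odd composite with probability at most 1/4,
    so `rounds` independent bases miss it with probability at most 4^(-rounds).
    """
    if n < 2:
        return 'COMPOSITE'
    if n in (2, 3):
        return 'PROBABLY PRIME'
    if n % 2 == 0:
        return 'COMPOSITE'
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(1, n)          # a between 1 and n - 1, as in the theorem
        if is_mr_witness(a, n):
            return 'COMPOSITE'
    return 'PROBABLY PRIME'


def witness_fraction(n):
    """Exact fraction of a in {1, ..., n - 1} that are witnesses (brute force; small odd n only)."""
    witnesses = sum(1 for a in range(1, n) if is_mr_witness(a, n))
    return Fraction(witnesses, n - 1)


if __name__ == "__main__":
    for n in (9, 15, 221, 561):                    # 561 is a Carmichael number: Fermat's test never catches it
        print(n, witness_fraction(n), miller_rabin(n, seed=1))
    print(104729, miller_rabin(104729, seed=1))    # a prime
```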
Distribution of Primes
PNT: Let π(x) be the prime-counting function, which gives the number of primes less than or equal to x. Then:
[formula shown on the slide, not reproduced in the transcript]
Quadratic Residuosity
Quadratic Residues
• q is called a quadratic residue modulo n if there exists an integer x such that x² ≡ q (mod n).
• Otherwise, q is called a quadratic nonresidue modulo n.
• Deciding whether a given number is a quadratic residue modulo n:
  o Easy if n is a prime;
  o Easy if the prime factorization of n is given;
  o Hard in general.
• Similarly for computing the square root.
Quadratic Residues (Cont’d)
• Let QRn and QNRn denote the subsets of ℤn* whose members are quadratic residues and nonresidues modulo n, respectively.
• Assignment: Let p be an odd prime number, and assume all computations are in ℤp*.
  o a ∈ QRp and b ∈ QRp ⇒ a × b ∈ QRp
  o a ∈ QRp and b ∈ QNRp ⇒ a × b ∈ QNRp
  o a ∈ QNRp and b ∈ QNRp ⇒ a × b ∈ QRp
• Proof is simple using the results of the next slide.
• Notice that both moduli are p. We later see that x ∈ QRpq if and only if x ∈ QRp and x ∈ QRq. Do not mix that theorem with this!
Odd and Even Powers of Generators
• Let p be an odd prime number, and g be any generator of ℤp*.
• gᵐ ∈ QRp for even m.
  o m = 2k ⇒ gᵐ = g²ᵏ = (gᵏ)², which is a square.
• gᵐ ∈ QNRp for odd m.
  o m = 2k + 1
  o If gᵐ is a square, there exists x such that x² ≡ gᵐ.
  o Using FLiT, we have x^(p−1) ≡ 1, and so g^(m(p−1)/2) ≡ (x²)^((p−1)/2) ≡ x^(p−1) ≡ 1 (mod p), where m(p − 1)/2 is not a multiple of p − 1 because m is odd.
  o Contradicts the fact that g is a generator.
Square roots modulo a prime
• THEOREM: For any odd prime p, there are exactly two square roots modulo p for all a ∈ QRp.
• Proof: Let y ∈ ℤp*, and assume x is any square root of a modulo p. If:
  y² ≡ a ≡ x² (mod p)
  ⇒ y² − x² ≡ 0 (mod p)
  ⇒ (y − x)(y + x) ≡ 0 (mod p)
  ⇒ p | (y − x)(y + x)
• Since p is a prime, we get: Either p | (y − x) or p | (y + x), or both. That is, y ≡ ±x (mod p).
• Because p ≠ 2, the roots are distinct.
Computing square roots modulo a prime
• Euler’s Criterion: If p is an odd prime and a ∈ QRp, then a^((p−1)/2) ≡ 1 (mod p).
• Proof: Let x ∈ ℤp* be a square root of a modulo p. Then, using FLiT:
  a^((p−1)/2) ≡ x^(p−1) ≡ 1 (mod p)
• If p = 4k + 3 then:
  a ≡ a × 1 ≡ a × a^((p−1)/2) ≡ a^(2k+2) ≡ (±a^(k+1))² (mod p)
  o So, x = ±a^((p+1)/4) (mod p) are square roots of a.
• What if p = 4k + 1?
  o The above approach does not work!
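An added example (my code, not the slides’) for the quadratic-residue slides above: it lists QRp by squaring every unit, decides residuosity with Euler’s criterion, verifies the assignment’s three multiplication rules exhaustively for a given prime, and computes both square roots with the p ≡ 3 (mod 4) shortcut ±a^((p+1)/4), refusing other primes as the slide says that shortcut does not apply. Function names are mine.

```python
def quadratic_residues(p):
    """QR_p for an odd prime p: the squares of the units modulo p (exactly (p - 1)/2 of them)."""
    return sorted({x * x % p for x in range(1, p)})


def euler_criterion(a, p):
    """+1 if a ∈ QR_p, -1 if a ∈ QNR_p (odd prime p, p ∤ a), via a^((p-1)/2) mod p."""
    if a % p == 0:
        raise ValueError("a must be a unit modulo p")
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def check_multiplication_rules(p):
    """The assignment: QR·QR = QR, QR·QNR = QNR, QNR·QNR = QR, checked over all pairs of units."""
    for a in range(1, p):
        for b in range(1, p):
            expected = euler_criterion(a, p) * euler_criterion(b, p)
            if euler_criterion(a * b % p, p) != expected:
                return False
    return True


def sqrt_mod_p(a, p):
    """Both square roots of a ∈ QR_p when p ≡ 3 (mod 4): ±a^((p+1)/4).

    For p = 4k + 3 this is the slide's derivation a ≡ a^(2k+2) = (a^(k+1))^2.
    """
    if p % 4 != 3:
        raise ValueError("this shortcut needs p ≡ 3 (mod 4); use Tonelli–Shanks or Cipolla otherwise")
    x = pow(a, (p + 1) // 4, p)
    if x * x % p != a % p:
        raise ValueError("a is not a quadratic residue modulo p")
    return sorted({x, p - x})


if __name__ == "__main__":
    print(quadratic_residues(11))                   # [1, 3, 4, 5, 9]
    print(euler_criterion(3, 11), euler_criterion(2, 11))   # 1 -1
    print(sqrt_mod_p(3, 11), sqrt_mod_p(4, 7))       # [5, 6] [2, 5]
```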
Computing square roots modulo a prime (Cont’d)
• There are (at least) two efficient algorithms which can compute the square roots modulo any prime:
  o Tonelli–Shanks algorithm
  o Cipolla algorithm
• The Cipolla algorithm has better asymptotic performance.
• The Tonelli–Shanks algorithm is better in practice.
• We do not describe them here!
Legendre symbol
[HPS14, p. 171]
• FLiT: a^(p−1) ≡ 1 (mod p)
• Modulo odd prime p, the only square roots of 1 are ±1.
• a^((p−1)/2) ≡ ±1 (mod p), depending on whether a is a quadratic residue.
[Figure: definition of the Legendre symbol, with Euler’s Criterion and the Multiplication Rule as stated on the slide]
Quadratic Reciprocity
[HPS14, p. 172]
Quadratic Reciprocity: Let p and q be odd primes.
[Figure: statement of the law, not reproduced in the transcript]
Example of computing Legendre symbol
[Figure: worked computation; annotations: “Do we really need to factor? No, use Jacobi symbol.” and “Because of this, powers are computed modulo 2.”]
Jacobi Symbol
[HPS14, p. 174]
[Figure: definition of the Jacobi symbol in terms of Legendre symbols]
Laws of Jacobi Symbol
[HPS14, p. 174]
• Quadratic Reciprocity holds for the Jacobi Symbol as well.
  o p and q need not be odd primes.
  o p and q should only be odd and positive integers.
Example of computing Jacobi symbol
This time, we won’t factor 15750 into 2 · 3² · 5³ · 7.
[Figure: worked computation]
Quadratic residuosity modulo a composite
• THEOREM: Let N = p₁^e₁ ⋯ pₜ^eₜ. Then, a ∈ ℤN* is a square (quadratic residue) modulo N if and only if a is a square modulo pᵢ^eᵢ for all i ∈ {1, …, t}.
• Proof: Let a = x² (mod N) for some x ∈ ℤN*. Using CRT, a is the unique solution to:
  X ≡ x² (mod p₁^e₁)
  ⋯
  X ≡ x² (mod pₜ^eₜ)
  Therefore, a is a square modulo pᵢ^eᵢ for i ∈ {1, …, t}.
• Assignment: Complete the proof!
Jacobi Symbol and quadratic residuosity
• Suppose that (a/n) = 1, where n is some odd positive number.
• Does it mean that a ∈ QRn?
• The answer is YES if n is a prime.
• The answer might be NO if n is a composite integer.
• Example: Let n = pq, where p and q are distinct odd primes.
  o (a/n) = (a/p)(a/q). Two possible cases:
    1. (a/p) = 1 and (a/q) = 1. Here, a ∈ QRn.
    2. (a/p) = −1 and (a/q) = −1. Here, a ∈ QNRn.
• What if (a/n) = −1?
Solovay–Strassen primality test
• Solovay–Strassen predates the Miller–Rabin primality test, and is less efficient than it.
• Solovay–Strassen is very simple…
• On input odd integer n > 1:
  o Choose a randomly from {2, …, n − 1}.
  o Compute the Jacobi Symbol: b ← (a/n).
  o If b = 0 or b ≢ a^((n−1)/2) (mod n) output COMPOSITE.
  o Otherwise, output TEST FAILS.
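An added example (my code, not the slides’ or [HPS14]’s) serving the Jacobi-symbol slides and the Solovay–Strassen slide above: jacobi computes (a/n) without factoring n, using only the law for (2/n) and quadratic reciprocity, which the slides note holds for the Jacobi symbol whenever both arguments are odd and positive; solovay_strassen is the slide’s procedure repeated for several random bases. The cross-checks (Jacobi against Euler’s criterion for prime moduli, multiplicativity (a/15) = (a/3)(a/5), and the “YES/NO” point with a = 2, n = 15) are additions. Function names are mine.

```python
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n, computed without factoring n."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be an odd positive integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:           # (2/n) = -1 exactly when n ≡ ±3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # quadratic reciprocity: sign flips iff a ≡ n ≡ 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1


def is_square_mod(a, n):
    """Brute-force quadratic residuosity for small n (ground truth for the examples)."""
    return any(x * x % n == a % n for x in range(n))


def jacobi_matches_legendre(limit):
    """For odd primes p < limit, jacobi(a, p) must equal Euler's criterion a^((p-1)/2) mod p."""
    for p in range(3, limit, 2):
        if any(p % d == 0 for d in range(2, int(p ** 0.5) + 1)):
            continue                                  # composite: skip
        for a in range(1, p):
            euler = 1 if pow(a, (p - 1) // 2, p) == 1 else -1
            if jacobi(a, p) != euler:
                return False
    return True


def solovay_strassen(n, rounds=20, seed=None):
    """The slide's test on odd n > 1, repeated for `rounds` random bases from {2, ..., n - 1}.

    For composite n at least half the bases disagree with a^((n-1)/2), so the error
    probability after `rounds` rounds is at most 2^(-rounds).
    """
    if n <= 1 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 1")
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n)
        b = jacobi(a, n)
        if b == 0 or b % n != pow(a, (n - 1) // 2, n):   # b % n turns -1 into n - 1
            return 'COMPOSITE'
    return 'TEST FAILS'


if __name__ == "__main__":
    print(jacobi(2, 15), is_square_mod(2, 15))   # 1 False: (a/n) = 1 but a ∉ QR_n
    print(solovay_strassen(561, seed=1), solovay_strassen(1009, seed=1))
```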
Useful properties
• Let n > 2. Define:
  o Jn⁺¹ = {a ∈ ℤn* | (a/n) = +1}.
  o Jn⁻¹ = {a ∈ ℤn* | (a/n) = −1}.
• Notice that QRn ⊂ Jn⁺¹.
• Let n = pq, where p and q are odd and distinct primes.
• Let a ∈ QRn, and x be a square root of a modulo n.
  o Using CRT, a has exactly four square roots z modulo n:
    z ≡ ±x (mod p)
    z ≡ ±x (mod q)
  o Assignment: |ℤn*| = 2|Jn⁺¹| = 4|QRn|.
Blum integers
• If p ≡ q ≡ 3 (mod 4), then n = pq is called a Blum integer. (p and q should be distinct.)
• In this case, −1 ∈ QNRn but −1 ∈ Jn⁺¹.
• Each a ∈ QRn has a unique square root in QRn, called the principal square root of a modulo n.
• The Rabin function f: QRn → QRn defined by f(x) = x² (mod n) is a permutation.
• Assignment: Prove the facts stated above.
Factoring vs. extracting square roots
• THEOREM: Extracting square roots modulo some Blum integer n is as hard as factoring n.
• Proving one direction is easy: Given the factorization of n, extract the square root of the input a. Hint:
  o Let x² ≡ a (mod p). Since p = 4k + 3, we have x ≡ a^((p+1)/4) (mod p).
  o Let y² ≡ a (mod q). Since q = 4j + 3, we have y ≡ a^((q+1)/4) (mod q).
  o Use CRT to compute the square root of a modulo n.
• Assignment: Use the hint above and present a formal reduction.
Factoring vs. extracting square roots (Cont’d)
• Proving the other direction is clever: Given access to a square root extractor modulo n, factorize n.
• 𝒜(a): Arbitrarily outputs one of the four square roots of a modulo n, or a special symbol ⊥ if a ∈ QNRn. This algorithm succeeds with probability ε𝒜.
• Proof idea: Pick a random element x ∈ ℤn*. Let a ← x² mod n, and y ← 𝒜(a).
  o If y = ±x (mod n) output FAIL and return.
  o Let z ← GCD(x − y, n) and output z and n/z. (Why?)
• Assignment: Write down the reduction formally, and compute its concrete parameters.
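An added example (my code, not the slides’) for the last four slides on Blum integers: it computes the four square roots of a ∈ QRn from the hint (a^((p+1)/4), a^((q+1)/4), then CRT over the sign choices), picks out the principal root, counts |ℤn*|, |Jn⁺¹| and |QRn| for the assignment, and runs the reduction from the last slide against a simulated extractor 𝒜 that knows p and q and returns one of the four roots at random. The reduction itself never sees p or q; it only calls the oracle and takes a GCD. Function names and the test primes are mine.

```python
import random
from math import gcd


def legendre(a, p):
    """(a/p) by Euler's criterion, for an odd prime p; 0 when p | a."""
    r = pow(a, (p - 1) // 2, p)
    return -1 if r == p - 1 else r


def crt2(r_p, p, r_q, q):
    """Combine z ≡ r_p (mod p) and z ≡ r_q (mod q) into z mod pq (two-modulus CRT)."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)


def sqrt_blum(a, p, q):
    """All four square roots of a ∈ QR_n for the Blum integer n = pq, via the slide's hint:
    x ≡ a^((p+1)/4) (mod p), y ≡ a^((q+1)/4) (mod q), then CRT over the sign choices."""
    assert p % 4 == 3 and q % 4 == 3 and p != q
    x = pow(a, (p + 1) // 4, p)
    y = pow(a, (q + 1) // 4, q)
    if x * x % p != a % p or y * y % q != a % q:
        raise ValueError("a is not a quadratic residue modulo n")
    return sorted({crt2(sx, p, sy, q) for sx in (x, p - x) for sy in (y, q - y)})


def principal_root(a, p, q):
    """The single root that lies in QR_n itself, i.e. is a residue both mod p and mod q."""
    roots = [z for z in sqrt_blum(a, p, q) if legendre(z, p) == 1 and legendre(z, q) == 1]
    assert len(roots) == 1            # -1 ∈ QNR_p and QNR_q, so exactly one sign choice works
    return roots[0]


def count_sets(p, q):
    """(|Z_n^*|, |J_n^{+1}|, |QR_n|) for n = pq; the assignment says these are in ratio 4 : 2 : 1."""
    n = p * q
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    j_plus = [a for a in units if legendre(a, p) * legendre(a, q) == 1]   # (a/n) = (a/p)(a/q)
    qr = [a for a in units if legendre(a, p) == 1 and legendre(a, q) == 1]
    return len(units), len(j_plus), len(qr)


def make_root_oracle(p, q, seed=0):
    """A simulated extractor 𝒜: one of the four roots, uniformly at random, or None (⊥) if a ∈ QNR_n.
    It knows p and q; the reduction below does not."""
    rng = random.Random(seed)

    def oracle(a):
        try:
            return rng.choice(sqrt_blum(a, p, q))
        except ValueError:
            return None
    return oracle


def factor_with_root_oracle(n, oracle, seed=0, max_tries=64):
    """The reduction: random x ∈ Z_n^*, a ← x² mod n, y ← 𝒜(a); if y ≢ ±x then gcd(x − y, n) is a
    proper factor, because n | (x − y)(x + y) while n divides neither factor.
    Each try succeeds with probability 1/2, so we retry instead of stopping at the first FAIL."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        x = rng.randrange(1, n)
        if gcd(x, n) != 1:
            continue                  # x must be in Z_n^*
        a = x * x % n
        y = oracle(a)
        if y is None or y in (x, n - x):
            continue                  # FAIL for this x; try another
        z = gcd(x - y, n)
        return sorted((z, n // z))
    return None


if __name__ == "__main__":
    print(sqrt_blum(4, 7, 11), principal_root(4, 7, 11))     # [2, 9, 68, 75] 9
    print(count_sets(7, 11))                                  # (60, 30, 15)
    print(factor_with_root_oracle(77, make_root_oracle(7, 11, seed=1), seed=2))   # [7, 11]
```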
References
[HPS14] J. Hoffstein, J. Pipher, and J.H. Silverman. An Introduction to Mathematical Cryptography, Springer, 2014.
[KL14] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols, CRC Press, 2014.
[Old63] C.D. Olds. Continued Fractions, Mathematical Association of America, 1963.
[Yan13] S.Y. Yan. Computational Number Theory and Modern Cryptography, John Wiley & Sons, 2013.