Sharif University of Technology, Department of Computer Engineering, Data and Network Security Lab
A Primer on Computational Number Theory
Author & Instructor: Mohammad Sadeq Dousti
Sharif University Introduction to Modern Cryptography Spring 2015 1 / 45

Copyright Notice
This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
1. They credit the original author(s);
2. Their work is used non-commercially;
3. They license their work under CC BY-NC-SA 4.0.
For further information, please consult:
o https://creativecommons.org/licenses/by-nc-sa/4.0
o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

Outline
Basics of Number Theory
o Finding modular multiplicative inverse
o Chinese Remainder Theorem (CRT)
o ℤn* and Euler’s totient function
Fermat’s Little Theorem (FLiT)
Primes & Primality testing
o Lucas test
o Miller–Rabin test
Quadratic Residuosity
o Legendre Symbol
o Jacobi Symbol
o Solovay–Strassen primality testing
o Blum integers

Basics of Number Theory

Euclidean algorithm
Find the GCD of 972 and 421.
(figure: the Euclidean division steps for GCD(972, 421))

Continued fractions
(figure: the continued fraction expansion of 972/421; callout: “To get inverses, remove this!”)
Modular multiplicative inverse
$\frac{972}{421} = [2, 3, 4, 5, 6]$
$[2, 3, 4, 5] = \frac{157}{68}$
421 × 157 − 972 × 68 = 1
421 × 157 ≡ 1 mod 972, so $421^{-1} \equiv 157 \pmod{972}$
972 × (−68) ≡ 1 mod 421, so $972^{-1} \equiv -68 \equiv 353 \pmod{421}$

Modular multiplicative inverse (Cont’d)
In general, we want to compute $a^{-1} \bmod b$, where GCD(a, b) = 1.
Let $\frac{a}{b} = [c_1, \ldots, c_{n-1}, c_n]$.
Compute $[c_1, \ldots, c_{n-1}] = \frac{y}{x}$.
THEOREM [Old63, §2.3]: $ax - by = (-1)^n$.
COROLLARY: $a^{-1} \equiv (-1)^n x \pmod b$.
This approach is called the extended Euclidean algorithm.

Chinese Remainder Theorem (CRT)
Given a set of simultaneous congruences
$x \equiv a_1 \pmod{m_1},\; x \equiv a_2 \pmod{m_2},\; \cdots,\; x \equiv a_t \pmod{m_t}$,
where the $m_i$ are pairwise relatively prime, find x.
The solution exists and is unique (mod M).
Solution: Let $M = m_1 m_2 \cdots m_t$, and for $i \in \{1, \ldots, t\}$ let $b_i = (M/m_i)^{-1} \pmod{m_i}$. Then
$x \equiv a_1 b_1 \frac{M}{m_1} + \cdots + a_t b_t \frac{M}{m_t} \pmod{M}$.

CRT: Simple Example
x ≡ 3 (mod 5), x ≡ 7 (mod 13)
M = 5 × 13 = 65
$b_1 = 13^{-1} \pmod 5 = 2$
$b_2 = 5^{-1} \pmod{13} = 8$
$x \equiv 3 \times 2 \times \frac{65}{5} + 7 \times 8 \times \frac{65}{13} \equiv 33 \pmod{65}$

Multiplicative group of integers modulo n
A group is an algebraic structure.
o We’ll study groups later.
A group is multiplicative if its operator is multiplication.
For any n ∈ ℕ, let ℤn* denote the set {m ∈ ℕ | 1 ≤ m ≤ n and (m, n) = 1}.
ℤn* is the multiplicative group of integers modulo n.
The only operation of ℤn* is multiplication modulo n.
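The inverse computation of slides 7–8 (the [Old63] theorem, with the last partial quotient dropped) and the CRT recipe of slides 9–10, as an added example that is not part of the original slides; the function names are my own.

```python
# Added example (not from the slides): a^-1 mod b through continued-fraction
# convergents, as in the theorem quoted from [Old63, §2.3], then CRT built on it.
from math import gcd


def continued_fraction(a, b):
    """Partial quotients [c1, ..., cn] of a/b (the Euclidean quotients)."""
    cs = []
    while b:
        cs.append(a // b)
        a, b = b, a % b
    return cs


def convergent(cs):
    """Evaluate [c1, ..., ck] as a reduced fraction (numerator, denominator)."""
    num, den = 1, 0                   # the empty tail acts as "infinity"
    for c in reversed(cs):
        num, den = c * num + den, num
    return num, den


def modinv(a, b):
    """a^-1 mod b for gcd(a, b) = 1, using a*x - b*y = (-1)^n (slide 8)."""
    assert gcd(a, b) == 1
    cs = continued_fraction(a, b)
    n = len(cs)
    y, x = convergent(cs[:-1])        # "remove this": drop the last quotient
    assert a * x - b * y == (-1) ** n  # the theorem from slide 8
    return ((-1) ** n * x) % b


def crt(residues, moduli):
    """Solve x ≡ a_i (mod m_i) for pairwise coprime m_i; returns x mod M."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                # b_i = (M/m_i)^-1 (mod m_i) as on slide 9
        x += a_i * modinv(M_i, m_i) * M_i
    return x % M
```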
Examples
ℤ2* = {1}
ℤ3* = {1, 2}
ℤ5* = {1, 2, 3, 4}
ℤ6* = {1, 5}
ℤ7* = {1, 2, 3, 4, 5, 6}
ℤ8* = {1, 3, 5, 7}
ℤ9* = {1, 2, 4, 5, 7, 8}
ℤ10* = {1, 3, 7, 9}
…

Euler’s totient function
The number of elements in ℤn* can be computed based on the inclusion-exclusion principle.
Example: Let n = pq, where p and q are primes. There are n = pq numbers in {1, …, n}:
o q of which are multiples of p;
o p of which are multiples of q;
o 1 of which is a multiple of both p and q.
|ℤpq*| = pq − q − p + 1 = (p − 1)(q − 1)
In general, Euler’s totient function is computed as follows (requires the prime factorization of n):
(figure: the formula for φ(n))
o Euler defined a general function, φ(n), such that φ(n) = |ℤn*|. φ(n) is often called Euler’s totient function.

A Primer on Computational Number Theory

Definition [Wikipedia]: In mathematics and computer science, computational number theory, also known as algorithmic number theory, is the study of algorithms for performing number theoretic computations. [Yan13, p. 15]

Fermat’s Little Theorem (FLiT)
[Wikipedia] Pierre de Fermat first stated the theorem in a letter dated October 18, 1640, to his friend and confidant Frénicle de Bessy as the following: p divides $a^{p-1} - 1$ whenever p is prime and a is coprime to p.

Example
The following can be computed extremely fast on a computer:
o $2^{110618} \equiv 73750 \pmod{110619}$. Based on FLiT, 110619 is not a prime. We proved this without even knowing the factorization of 110619!
o $4^{14} \equiv 1 \pmod{15}$. But 15 is not a prime.
o $2^{6} \equiv 1 \pmod{7}$. And 7 is a prime.
A primality testing algorithm with one-sided error:
1. Pick a random a ∈ ℤn*.
2. Compute $a^{n-1} \pmod n$.
3. If the result is not 1, then output COMPOSITE.
4. Output TEST FAILS.

Primality Testing

Lucas primality test
Let n > 1 be an integer. Let Q(m) denote the set of prime factors of m.
n is prime if there exists 1 < a < n such that:
1. $a^{n-1} \equiv 1 \pmod n$;
2. $a^{(n-1)/q} \not\equiv 1 \pmod n$ for all q ∈ Q(n − 1).
THEOREM 1: A prime p has at least φ(p − 1) certificates in ℤp*. Here, φ(p − 1) is the number of generators of ℤp*.
THEOREM 2: For all n we have φ(n) = Ω(n / log log n).
COROLLARY: Given Q(p − 1), the Lucas primality test is efficient.
Every composite integer has a short certificate for compositeness (i.e., its prime factors).
Pratt certificates: a and Q(n − 1) certify the primality of n. Especially useful when there were no known efficient primality tests.

Example
3 does not certify 11:
o $3^{10} \equiv 1 \pmod{11}$
o $3^{2} \equiv 9 \pmod{11}$
o $3^{5} \equiv 1 \pmod{11}$
But 2 certifies 11:
o $2^{10} \equiv 1 \pmod{11}$
o $2^{2} \equiv 4 \pmod{11}$
o $2^{5} \equiv 10 \pmod{11}$

Prime Certification
Pratt certificates established, for the first time, that PRIMES ∈ NP.
However, Pratt certificates cannot be computed efficiently, as they require the factorization of n − 1.
We next turn to the problem of “Composite Certificates” without the need to factorize any number.
Later, when we study Elliptic Curves, we will see an efficient algorithm to extract certificates for primes.
o Atkin–Goldwasser–Kilian–Morain certificates.
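The one-sided FLiT test of slide 17, Lucas/Pratt certificates of slides 19–20 and φ(n) from the factorization (slide 13), as an added example that is not part of the original slides; `prime_factors` is a toy trial-division factoring routine, adequate only for the small numbers used here.

```python
# Added example (not from the slides): Fermat test, Lucas certificates and
# Theorem 1 of slide 19 checked on p = 11 (certificates = generators of Z_11^*).


def prime_factors(m):
    """Q(m): the set of prime factors of m, by trial division (small m only)."""
    q, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            q.add(d)
            m //= d
        d += 1
    if m > 1:
        q.add(m)
    return q


def euler_phi(n):
    """phi(n) = |Z_n^*| computed from the prime factorization of n."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def fermat_test(n, a):
    """One-sided test: 'COMPOSITE' is always right; 'TEST FAILS' proves nothing."""
    return "COMPOSITE" if pow(a, n - 1, n) != 1 else "TEST FAILS"


def lucas_certifies(n, a):
    """Does a certify that n is prime?  Needs Q(n - 1), i.e. factoring n - 1."""
    if pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in prime_factors(n - 1))


def certificates(p):
    """All a in Z_p^* certifying p; for prime p these are exactly the generators."""
    return [a for a in range(1, p) if lucas_certifies(p, a)]
```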
Miller–Rabin primality test [HPS14, p. 130]
(figure: the Miller–Rabin test; callouts: “either this ≡ 1”, “or one of these ≡ 1”, “≡ 1 due to FLiT”)

Miller–Rabin primality test (Cont’d) [HPS14, p. 131]
THEOREM: Let n be an odd composite number. Then at least 3/4 of the numbers a between 1 and n − 1 are Miller–Rabin witnesses for n.

Distribution of Primes
PNT: Let π(x) be the prime-counting function, which gives the number of primes less than or equal to x. Then:
(figure: the statement of the PNT)

Quadratic Residuosity

Quadratic Residues
q is called a quadratic residue modulo n if there exists an integer x such that $x^2 \equiv q \pmod n$. Otherwise, q is called a quadratic nonresidue modulo n.
Deciding whether a given number is a quadratic residue modulo n:
o Easy if n is a prime;
o Easy if the prime factorization of n is given;
o Hard in general.
Similarly for computing the square root.

Quadratic Residues (Cont’d)
Let QRn and QNRn denote the subsets of ℤn* whose members are quadratic residues and nonresidues modulo n, respectively.
Assignment: Let p be an odd prime number, and assume all computations are in ℤp*.
o a ∈ QRp and b ∈ QRp ⇒ ab ∈ QRp
o a ∈ QRp and b ∈ QNRp ⇒ ab ∈ QNRp
o a ∈ QNRp and b ∈ QNRp ⇒ ab ∈ QRp
Proof is simple using the results of the next slide.
Notice that both moduli are p. We later see that x ∈ QRpq if and only if x ∈ QRp and x ∈ QRq. Do not mix that theorem with this!

Odd and Even Powers of Generators
Let p be an odd prime number, and g be any generator of ℤp*.
$g^m$ ∈ QRp for even m.
o m = 2k ⇒ $g^m = g^{2k} = (g^k)^2$, which is a square.
$g^m$ ∈ QNRp for odd m.
o m = 2k + 1. If $g^m$ is a square, there exists x such that $x^2 \equiv g^m$.
Using FLiT, we have $x^{p-1} \equiv 1$, and:
o $g^{m(p-1)/2} \equiv (g^m)^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod p$, so the order p − 1 of g divides m(p − 1)/2, which forces m to be even.
o Contradicts the fact that g is a generator.

Square roots modulo a prime
THEOREM: For any odd prime p, there are exactly two square roots modulo p for all a ∈ QRp.
Proof: Let y ∈ ℤp*, and assume x is any square root of a modulo p. If
$y^2 \equiv a \equiv x^2 \pmod p \;\Rightarrow\; y^2 - x^2 \equiv 0 \pmod p \;\Rightarrow\; (y - x)(y + x) \equiv 0 \pmod p \;\Rightarrow\; p \mid (y - x)(y + x)$.
Since p is a prime, we get: either p | (y − x) or p | (y + x), or both. That is, $y \equiv \pm x \pmod p$. Because p ≠ 2, the roots are distinct.

Computing square roots modulo a prime
Euler’s Criterion: If p is an odd prime and a ∈ QRp, then $a^{(p-1)/2} \equiv 1 \pmod p$.
Proof: Let x ∈ ℤp* be a square root of a modulo p. Then, using FLiT: $a^{(p-1)/2} \equiv x^{p-1} \equiv 1 \pmod p$.
If p = 4k + 3 then:
$a \equiv a \times 1 \equiv a \times a^{(p-1)/2} \equiv a^{2k+2} \equiv \left(\pm a^{k+1}\right)^2 \pmod p$
o So, $x = \pm a^{(p+1)/4} \pmod p$ are square roots of a.
What if p = 4k + 1?
o The above approach does not work!

Computing square roots modulo a prime (Cont’d)
There are (at least) two efficient algorithms which can compute the square roots modulo any prime:
o Tonelli–Shanks algorithm
o Cipolla algorithm
The Cipolla algorithm has better asymptotic performance. The Tonelli–Shanks algorithm is better in practice.
We do not describe them here!

Legendre symbol [HPS14, p. 171]
• FLiT: $a^{p-1} \equiv 1 \pmod p$
• Modulo an odd prime p, the only square roots of 1 are ±1.
• $a^{(p-1)/2} \equiv \pm 1 \pmod p$, depending on whether a is a quadratic residue.
Euler’s Criterion: (figure)
Multiplication Rule: (figure)

Quadratic Reciprocity [HPS14, p. 172]
Quadratic Reciprocity: Let p and q be odd primes. (figure: the reciprocity law)
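An added example, not part of the original slides, covering the Miller–Rabin test of slides 22–23 (the algorithm is written from [HPS14, Ch. 3], since the slide's figure is not reproduced here) and Euler's criterion with the p ≡ 3 (mod 4) square roots of slides 29–30; function names are my own, and `witness_fraction` is a brute-force check of the 3/4 theorem for small n.

```python
# Added example (not from the slides): Miller-Rabin witnesses, the 3/4-witness
# bound of slide 23 checked by enumeration, and square roots modulo p ≡ 3 (mod 4).
from random import Random


def mr_witness(n, a):
    """True iff a is a Miller-Rabin witness for the compositeness of odd n."""
    k, q = 0, n - 1
    while q % 2 == 0:                 # write n - 1 = 2^k * q with q odd
        k, q = k + 1, q // 2
    x = pow(a, q, n)
    if x in (1, n - 1):               # a^q ≡ ±1 (mod n): a is not a witness
        return False
    for _ in range(k - 1):            # look for -1 among the repeated squarings
        x = x * x % n
        if x == n - 1:
            return False
    return True                       # reached a^(n-1) without passing -1


def miller_rabin(n, rounds=20, rng=None):
    """'COMPOSITE' is always right; 'TEST FAILS' only says no witness was found."""
    assert n > 3 and n % 2 == 1
    rng = rng or Random()
    return "COMPOSITE" if any(mr_witness(n, rng.randrange(2, n - 1))
                              for _ in range(rounds)) else "TEST FAILS"


def witness_fraction(n):
    """Share of a in {1, ..., n-1} that are witnesses (>= 3/4 for odd composite n)."""
    return sum(mr_witness(n, a) for a in range(1, n)) / (n - 1)


def is_qr_mod_prime(a, p):
    """Euler's criterion: a^((p-1)/2) ≡ 1 (mod p) iff a ∈ QR_p (p odd prime)."""
    return pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_prime_3mod4(a, p):
    """The two square roots ±a^((p+1)/4) of a ∈ QR_p when p ≡ 3 (mod 4)."""
    assert p % 4 == 3 and is_qr_mod_prime(a, p)
    x = pow(a, (p + 1) // 4, p)
    return sorted((x, p - x))
```

Note that 4 is a Fermat liar for 15 (slide 17) but a Miller–Rabin witness, which the test below checks.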
Example of computing Legendre symbol
(figure: a worked Legendre symbol computation; callouts: “Do we really need to factor? No, use Jacobi symbol.” and “Because of this, powers are computed modulo 2.”)

Jacobi Symbol [HPS14, p. 174]
(figure: definition of the Jacobi symbol in terms of Legendre symbols)

Laws of Jacobi Symbol [HPS14, p. 174]
(figure: the laws of the Jacobi symbol)
Quadratic Reciprocity holds for the Jacobi Symbol as well.
o p and q need not be odd primes.
o p and q should only be odd and positive integers.

Example of computing Jacobi symbol
This time, we won’t factor 15750 into 2 · 3² · 5³ · 7.
(figure: the worked computation)

Quadratic residuosity modulo a composite
THEOREM: Let $N = p_1^{e_1} \cdots p_t^{e_t}$. Then $a \in \mathbb{Z}_N^*$ is a square (quadratic residue) modulo N if and only if a is a square modulo $p_i^{e_i}$ for all i ∈ {1, …, t}.
Proof: Let $a = x^2 \pmod N$ for some $x \in \mathbb{Z}_N^*$. Using CRT, a is the unique solution to:
$X \equiv x^2 \pmod{p_1^{e_1}},\; \cdots,\; X \equiv x^2 \pmod{p_t^{e_t}}$.
Therefore, a is a square modulo $p_i^{e_i}$ for i ∈ {1, …, t}.
Assignment: Complete the proof!

Jacobi Symbol and quadratic residuosity
Suppose that $\left(\frac{a}{n}\right) = 1$, where n is some odd positive number. Does it mean that a ∈ QRn?
The answer is YES if n is a prime.
The answer might be NO if n is a composite integer.
Example: Let n = pq, where p and q are distinct odd primes.
o $\left(\frac{a}{n}\right) = \left(\frac{a}{p}\right)\left(\frac{a}{q}\right)$. Two possible cases:
1. $\left(\frac{a}{p}\right) = 1$ and $\left(\frac{a}{q}\right) = 1$. Here, a ∈ QRn.
2. $\left(\frac{a}{p}\right) = -1$ and $\left(\frac{a}{q}\right) = -1$. Here, a ∈ QNRn.
What if $\left(\frac{a}{n}\right) = -1$?

Solovay–Strassen primality test
Solovay–Strassen predates the Miller–Rabin primality test, and is less efficient than it.
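The Jacobi symbol computed with the laws of slide 36 (no factoring, as on slide 37), the "Jacobi symbol 1 but nonresidue" case of slide 39 with the constructed modulus n = 15, and the Solovay–Strassen test described on the following slide, as an added example that is not part of the original slides; function names are my own, and the brute-force helpers are meant for small n only.

```python
# Added example (not from the slides): Jacobi symbol via reciprocity, the gap
# between J_n^{+1} and QR_n for composite n, and the Solovay-Strassen test.
from math import gcd
from random import Random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; equals the Legendre symbol for prime n."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                  # (2/n) = -1 iff n ≡ ±3 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                        # reciprocity: swap numerator/denominator,
        if a % 4 == 3 and n % 4 == 3:      # sign flips iff both are ≡ 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0         # gcd(a, n) > 1 gives 0


def count_classes(n):
    """(|Z_n^*|, |J_n^{+1}|, |QR_n|) by brute force; slide 41 claims 4 : 2 : 1 for n = pq."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    j_plus = [a for a in units if jacobi(a, n) == 1]
    squares = {a * a % n for a in units}
    return len(units), len(j_plus), len(squares)


def jacobi_one_nonresidues(n):
    """Elements of J_n^{+1} that are NOT in QR_n (always empty when n is prime)."""
    squares = {a * a % n for a in range(1, n) if gcd(a, n) == 1}
    return [a for a in range(1, n) if jacobi(a, n) == 1 and a not in squares]


def solovay_strassen(n, rounds=20, rng=None):
    """'COMPOSITE' is always right; 'TEST FAILS' means no Euler witness was found."""
    assert n > 2 and n % 2 == 1
    rng = rng or Random()
    for _ in range(rounds):
        a = rng.randrange(2, n)            # a from {2, ..., n-1}
        b = jacobi(a, n)
        if b == 0 or b % n != pow(a, (n - 1) // 2, n):   # b ≢ a^((n-1)/2)
            return "COMPOSITE"
    return "TEST FAILS"
```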
Solovay–Strassen is very simple… On input an odd integer n > 1:
o Choose a randomly from {2, …, n − 1}.
o Compute the Jacobi Symbol: $b \leftarrow \left(\frac{a}{n}\right)$.
o If b = 0 or $b \not\equiv a^{(n-1)/2} \pmod n$, output COMPOSITE.
o Otherwise, output TEST FAILS.

Useful properties
Let n > 2. Define:
o $J_n^{+1} = \left\{ a \in \mathbb{Z}_n^* \;\middle|\; \left(\frac{a}{n}\right) = +1 \right\}$.
o $J_n^{-1} = \left\{ a \in \mathbb{Z}_n^* \;\middle|\; \left(\frac{a}{n}\right) = -1 \right\}$.
Notice that $QR_n \subset J_n^{+1}$.
Let n = pq, where p and q are odd and distinct primes. Let a ∈ QRn, and x be a square root of a modulo n.
o Using CRT, a has exactly four square roots z modulo n: $z \equiv \pm x \pmod p$, $z \equiv \pm x \pmod q$.
o Assignment: $|\mathbb{Z}_n^*| = 2\,|J_n^{+1}| = 4\,|QR_n|$.

Blum integers
If p ≡ q ≡ 3 (mod 4), then n = pq is called a Blum integer. (p and q should be distinct.)
In this case, −1 ∈ QNRn but $-1 \in J_n^{+1}$.
Every a ∈ QRn has a unique square root in QRn, called the principal square root of a modulo n.
The Rabin function f: QRn → QRn defined by $f(x) = x^2 \pmod n$ is a permutation.
Assignment: Prove the facts stated above.

Factoring vs. extracting square roots
THEOREM: Extracting square roots modulo some Blum integer n is as hard as factoring n.
Proving one direction is easy: Given the factorization of n, extract the square root of the input a. Hint:
o Let $x^2 \equiv a \pmod p$. Since p = 4k + 3, we have $x \equiv a^{(p+1)/4} \pmod p$.
o Let $y^2 \equiv a \pmod q$. Since q = 4j + 3, we have $y \equiv a^{(q+1)/4} \pmod q$.
o Use CRT to compute the square root of a modulo n.
Assignment: Use the hint above and present a formal reduction.

Factoring vs. extracting square roots (Cont’d)
Proving the other direction is clever: Given access to a square root extractor modulo n, factorize n.
𝒜(a): Arbitrarily outputs one of the four square roots of a modulo n, or a special symbol ⊥ if a ∈ QNRn.
This algorithm succeeds with probability $\epsilon_{\mathcal{A}}$.
Proof idea: Pick a random element x ∈ ℤn*. Let $a \leftarrow x^2 \bmod n$, and $y \leftarrow \mathcal{A}(a)$.
o If y ≡ ±x (mod n), output FAIL and return.
o Let z ← GCD(x − y, n), and output z and n/z. (Why?)
Assignment: Write down the reduction formally, and compute its concrete parameters.

References
[HPS14] J. Hoffstein, J. Pipher, and J.H. Silverman. An Introduction to Mathematical Cryptography. Springer, 2014.
[KL14] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols. CRC Press, 2014.
[Old63] C.D. Olds. Continued Fractions. Mathematical Association of America, 1963.
[Yan13] S.Y. Yan. Computational Number Theory and Modern Cryptography. John Wiley & Sons, 2013.
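Returning to slides 41–44: the four square roots and principal root modulo a Blum integer, the easy direction (slide 43 hint) and the extractor-to-factoring reduction of slide 44, as an added example that is not part of the original slides. The modulus n = 11 · 19 is a constructed toy value, the extractor 𝒜 is simulated with the known factors, and the function names are my own.

```python
# Added example (not from the slides): Rabin square roots modulo n = pq with
# p ≡ q ≡ 3 (mod 4), the principal root, and factoring n from any root extractor.
# n = 11 * 19 = 209 is a toy modulus; real ones use primes of hundreds of digits.
from math import gcd
from random import Random


def crt2(r_p, p, r_q, q):
    """x ≡ r_p (mod p) and x ≡ r_q (mod q) for distinct primes p, q."""
    return (r_p * q * pow(q, -1, p) + r_q * p * pow(p, -1, q)) % (p * q)

def sqrt_blum(a, p, q):
    """All four square roots of a modulo n = pq (Blum integer); [] if a ∉ QR_n."""
    assert p % 4 == 3 and q % 4 == 3 and p != q
    x = pow(a, (p + 1) // 4, p)          # x ≡ a^((p+1)/4) (mod p), slide 43
    y = pow(a, (q + 1) // 4, q)          # y ≡ a^((q+1)/4) (mod q)
    if x * x % p != a % p or y * y % q != a % q:
        return []                        # a ∉ QR_n: the extractor's ⊥ case
    return sorted({crt2(sx, p, sy, q) for sx in (x, p - x) for sy in (y, q - y)})

def principal_sqrt(a, p, q):
    """The unique root of a that is itself in QR_n (Euler's criterion mod p and q)."""
    roots = [z for z in sqrt_blum(a, p, q)
             if pow(z, (p - 1) // 2, p) == 1 and pow(z, (q - 1) // 2, q) == 1]
    assert len(roots) == 1
    return roots[0]

def make_extractor(p, q, rng):
    """Toy oracle 𝒜: knows the factors, returns an arbitrary root (None means ⊥)."""
    def extractor(a):
        roots = sqrt_blum(a, p, q)
        return rng.choice(roots) if roots else None
    return extractor

def factor_with_extractor(n, extractor, rng, max_tries=64):
    """Slide 44: a = x^2 for random x; a root y ≢ ±x splits n via gcd(x - y, n)."""
    for _ in range(max_tries):
        x = rng.randrange(1, n)
        if gcd(x, n) != 1:
            continue
        y = extractor(x * x % n)
        if y is None or y in (x, n - x):
            continue                     # FAIL for this trial (probability 1/2)
        z = gcd(x - y, n)                # n | (x-y)(x+y) but n divides neither factor
        return min(z, n // z), max(z, n // z)
    return None
```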