Foundations of Cryptography
Ville Junnila
[email protected]
Department of Mathematics and Statistics
University of Turku
2016
Ville Junnila [email protected]
Lecture 10
1 of 18
The order of a number (mod n)
Definition 3.1
Let a, n ∈ Z be such that gcd(a, n) = 1 and n ≥ 1. The order of a
number a (mod n) is the smallest positive integer k such that
a^k ≡ 1 (mod n),
i.e., the order of a ∈ Z_n^*. We denote k = ord_n(a). We also say
that a belongs to the exponent k (mod n).
The order of a number (mod n)
Theorem 3.5
Let a, m, n, r, s ∈ Z be such that gcd(a, n) = 1, n ≥ 1 and
m, r, s ≥ 0, and denote k = ord_n(a). Then the following hold:
1. k | ϕ(n),
2. a^r ≡ a^s (mod n) ⇔ r ≡ s (mod k),
3. a^r ≡ 1 (mod n) ⇔ r ≡ 0 (mod k),
4. 1, a, a^2, . . . , a^(k−1) are non-congruent modulo n and
5. ord_n(a^m) = k / gcd(k, m).
Example
Determine ord_19(3) and ord_19(3^6).
The order of a number (mod n)
Definition 3.2
If ord_n(a) = ϕ(n), i.e., Z_n^* is a cyclic group generated by a, then a
is called a primitive root modulo n.
Example
By the previous example, we have ord_19(3) = 18. Therefore, as
ϕ(19) = 18, we have ord_19(3) = ϕ(19) and 3 is a primitive root
modulo 19.
Theorem 3.6
If a is a primitive root modulo n, then all the primitive roots
modulo n are a^m, where 1 ≤ m ≤ ϕ(n) and gcd(m, ϕ(n)) = 1.
Therefore, there are ϕ(ϕ(n)) non-congruent primitive roots modulo
n.
The order of a number (mod n)
Example
Recall that 3 is a primitive root modulo 19. Let us find all the
primitive roots modulo 19.
Primitive roots modulo p ∈ P
Let p be a prime. In what follows, we consider the following
question: how many non-congruent numbers a belong to a given
exponent k, i.e., satisfy ord_p(a) = k? Recall that k | (p − 1) since
ϕ(p) = p − 1. If a belongs to the exponent k modulo p, then a is
a root of the congruence
x^k ≡ 1 (mod p).    (1)
Theorem 3.7
If ord_p(a) = k, then the number of non-congruent roots of
congruence (1) is k. The numbers
1, a, a^2, . . . , a^(k−1) (mod p)
are the non-congruent roots.
Primitive roots modulo p ∈ P
Theorem 3.8
Let p be a prime.
1. If k | (p − 1), then there exist ϕ(k) non-congruent numbers
that belong to the exponent k modulo p. If a is one of those,
then a^m, where 1 ≤ m ≤ k − 1 and gcd(m, k) = 1, are the
other numbers belonging to the exponent k.
2. Thus, there exist ϕ(p − 1) non-congruent primitive roots
modulo p. If a is one of those, then a^m, where 1 ≤ m ≤ p − 1
and gcd(m, p − 1) = 1, are the other numbers belonging to
the exponent p − 1, i.e., the primitive roots modulo p.
Example
By the previous example, the primitive roots modulo 19 are
3^1, 3^5, 3^7, 3^11, 3^13, 3^17 ≡ 3, 15, 2, 10, 14, 13 (mod 19).
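As an added worked example (not part of the slides), the following Python computes ord_n(a) directly from Definition 3.1, builds the residues of a given order k modulo a prime via Theorems 3.5(5) and 3.8, and reproduces the primitive roots modulo 19 listed above; the function names are the example's own.

```python
from math import gcd

def order_mod(a, n):
    """ord_n(a): the smallest k >= 1 with a^k = 1 (mod n) (Definition 3.1)."""
    if n < 1 or gcd(a, n) != 1:
        raise ValueError("need n >= 1 and gcd(a, n) = 1")
    k, x = 1, a % n
    while x != 1 % n:  # "1 % n" keeps the degenerate modulus n = 1 correct
        x = (x * a) % n
        k += 1
    return k

def phi(n):
    """Euler's totient by trial division (fine for the small moduli used here)."""
    result, m, p = n, n, 2
    while p * p <= m:
        if m % p == 0:
            while m % p == 0:
                m //= p
            result -= result // p
        p += 1
    if m > 1:
        result -= result // m
    return result

def smallest_primitive_root(p):
    """Smallest g with ord_p(g) = p - 1; one exists for every prime p (Theorem 3.8)."""
    for g in range(1, p):
        if order_mod(g, p) == p - 1:
            return g
    raise ValueError(f"{p} has no primitive root, so it is not prime")

def elements_of_order(p, k):
    """All residues modulo the prime p that belong to the exponent k (Theorem 3.8):
    a = g^((p-1)/k) has order k by Theorem 3.5(5), and the powers a^m with
    gcd(m, k) = 1 run through the others, phi(k) residues in total."""
    if (p - 1) % k != 0:
        return set()  # by Theorem 3.5(1) no residue has order k
    a = pow(smallest_primitive_root(p), (p - 1) // k, p)
    return {pow(a, m, p) for m in range(1, k + 1) if gcd(m, k) == 1}

def primitive_roots(p):
    """Primitive roots modulo p: exactly the residues of order p - 1 (Theorem 3.6)."""
    return elements_of_order(p, p - 1)
```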
Primitive roots modulo p ∈ P
Remark
For calculations, we are often interested in the smallest possible
primitive roots. Usually quite small ones indeed exist.
Example
The smallest primitive root modulo 19 is 2.
Remark
It can be shown that a primitive root modulo n exists if and only if
n = 1, 2, 4, p^t or 2p^t, where p is an odd prime and t is a positive
integer.
Primitive roots modulo p ∈ P
Theorem 3.9
An integer n > 1 is a prime if and only if there exists an integer x
such that x^(n−1) ≡ 1 (mod n) and for all prime factors q of n − 1
we have
x^((n−1)/q) ≢ 1 (mod n).
Remark
The previous theorem can be used for primality testing. Although it is
difficult to find the prime factors of n − 1 in general, we may
choose n in such a way that the factors are known. As a
primitive root modulo a prime is usually small, a number satisfying
the conditions of the theorem can be quickly found.
Example
Let us show that n = 2^8 + 1 = 257 is a prime number.
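As an added example (not from the slides), the following Python runs the primality test of Theorem 3.9 on n = 2^8 + 1 = 257 and on some composites, searching for the witness x from 1 upwards as the remark suggests; the function names are the example's own, and the trial-division factoring of n − 1 is only adequate for the small n used here.

```python
def prime_factors(m):
    """Distinct prime factors of m by trial division. This is the step the
    remark above calls hard in general; it is cheap here only because n is
    chosen (e.g. n = 2^8 + 1) so that n - 1 has known, small factors."""
    factors, p = set(), 2
    while p * p <= m:
        while m % p == 0:
            factors.add(p)
            m //= p
        p += 1
    if m > 1:
        factors.add(m)
    return factors

def theorem_3_9_witness(n, factors_of_n_minus_1):
    """Smallest x in 1..n-1 with x^(n-1) = 1 (mod n) and x^((n-1)/q) != 1 (mod n)
    for every prime q | n - 1, or None if there is none. Such an x has
    ord_n(x) = n - 1, so by Theorem 3.9 finding one proves n prime; for a
    composite n the search exhausts all x and comes back empty."""
    if n < 2:
        return None
    m = n - 1
    for q in factors_of_n_minus_1:  # guard against an incomplete factor list
        while m % q == 0:
            m //= q
    if m != 1:
        raise ValueError("the given prime factors of n - 1 are incomplete")
    for x in range(1, n):
        if pow(x, n - 1, n) != 1:
            continue
        if all(pow(x, (n - 1) // q, n) != 1 for q in factors_of_n_minus_1):
            return x
    return None

def is_prime_by_theorem_3_9(n):
    """Deterministic primality test from Theorem 3.9 (exhaustive in x, so only
    practical for small n or when a small witness exists, as the remark notes)."""
    return theorem_3_9_witness(n, prime_factors(n - 1)) is not None
```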
Primitive roots modulo p ∈ P
Remark
By Theorem 3.8, there exists a primitive root modulo p ∈ P, as
ϕ(p − 1) ≥ 1.
Definition 3.3
Let p be a prime, r a primitive root modulo p and a an integer
such that p ∤ a. An integer i such that 0 ≤ i ≤ p − 2 and
r^i ≡ a (mod p)
is called the index of a to the base r modulo p. We denote
i = ind_r a.
Primitive roots modulo p ∈ P
Example
Consider the indices to the base 3 modulo 19. We have

k             0   1   2   3   4   5   6   7   8   9
3^k (mod 19)  1   3   9   8   5  15   7   2   6  18

k            10  11  12  13  14  15  16  17  18
3^k (mod 19) 16  10  11  14   4  12  17  13   1
Primitive roots modulo p ∈ P
Example
Consider the indices to the base 3 modulo 19. We have

k         1   2   3   4   5   6   7   8   9
ind_3(k)  0   7   1  14   4   8   6   3   2

k        10  11  12  13  14  15  16  17  18
ind_3(k) 11  12  15  17  13   5  10  16   9
Primitive roots modulo p ∈ P
Theorem 3.10
Let r be a primitive root modulo p, p ∤ a and p ∤ b. Now
ind_r(ab) ≡ ind_r a + ind_r b (mod p − 1)
and, for any n ∈ N,
ind_r(a^n) ≡ n · ind_r a (mod p − 1).
Example
Apply the previous theorem to ind_3(15) modulo 19.
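The following Python is an added example (not from the slides): it builds the index table to the base 3 modulo 19 from Definition 3.3 as in the two preceding slides, checks Theorem 3.10 exhaustively, and evaluates ind_3(15) as ind_3(3) + ind_3(5) (mod 18); the function names are the example's own.

```python
def index_table(p, r):
    """ind_r(a) for every a in Z_p^*, built as in Definition 3.3 by listing
    r^i (mod p) for i = 0, ..., p - 2. Raises if r is not a primitive root
    (a power would repeat before all p - 1 units have appeared)."""
    table, x = {}, 1
    for i in range(p - 1):
        if x in table:
            raise ValueError(f"{r} is not a primitive root modulo {p}")
        table[x] = i
        x = (x * r) % p
    return table

def ind(a, p, r):
    """ind_r(a) modulo p; a is reduced modulo p first (p must not divide a)."""
    return index_table(p, r)[a % p]

def is_primitive_root(p, r):
    try:
        index_table(p, r)
        return True
    except ValueError:
        return False

def theorem_3_10_holds(p, r):
    """Exhaustively check ind_r(ab) = ind_r(a) + ind_r(b) and
    ind_r(a^n) = n * ind_r(a) modulo p - 1 for all units a, b and all n < 2p."""
    t = index_table(p, r)
    for a in range(1, p):
        if any((t[a] + t[b]) % (p - 1) != t[a * b % p] for b in range(1, p)):
            return False
        if any((n * t[a]) % (p - 1) != t[pow(a, n, p)] for n in range(2 * p)):
            return False
    return True

def ind_of_product(factors, p, r):
    """Apply Theorem 3.10 the way the example does: ind_3(15) = ind_3(3) + ind_3(5)
    modulo 18, instead of locating 15 in the table directly."""
    return sum(ind(f, p, r) for f in factors) % (p - 1)
```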
Discrete logarithm
Discrete logarithm
Let p be a prime, r a primitive root modulo p and a an integer
such that p ∤ a. The index of a to the base r modulo p is
sometimes also called the discrete logarithm of a to the base r.
Then we denote ind_r(a) = log_r(a).
Discrete logarithm problem (DLP)
The task of computing log_r(a) when a, r and p are given is called
the discrete logarithm problem (DLP). No efficient algorithm is
known for solving the DLP (when p is large, say p > 2^2000).
Public key cryptosystem El Gamal
The public key cryptosystem El Gamal is based on the computational
difficulty of the DLP (see the course Cryptography 1). Recall that
RSA was based on the difficulty of factoring a composite
number.
Quadratic Residues
Remark
Let a, n ∈ Z. Clearly, −1 = n − 1 always belongs to Z_n^*. Therefore,
for any a ∈ Z_n^*, we have
−1 · a = −a ∈ Z_n^*.
Furthermore, this implies that
Z_n^* = {±a | 1 ≤ a ≤ n/2 and gcd(a, n) = 1}.
Quadratic Residues
Recall the following definitions of mth and square roots of real
numbers.
Definition (mth root)
Let a ∈ R. If there exists x ∈ R such that
x^m = a,
then we say that x is an mth root of a and denote
m√a = x.
Definition (square root)
Let a ∈ R. If there exists x ∈ R such that
x^2 = a,
then we say that x is a square root of a and denote
√a = x.
Quadratic Residues
Definition (mth root modulo n)
Let n ∈ N+ and a ∈ Z_n^*. If there exists x ∈ Z_n^* such that
x^m = a,
then we say that a is an mth power residue modulo n.
Definition (square root modulo n)
Let n ∈ N+ and a ∈ Z_n^*. If there exists x ∈ Z_n^* such that
x^2 = a,
then we say that a is a quadratic residue modulo n.
Quadratic Residues
Definition 4.1
Let a, n ∈ Z be such that n ≥ 1 and gcd(a, n) = 1. If there exists
x ∈ Z such that
x^2 ≡ a (mod n),
then we say that a is a quadratic residue (QR) modulo n.
Otherwise, a is a quadratic non-residue (QNR) modulo n.
Example 4.1
Determine the QRs and QNRs modulo 9.
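As an added example (not part of the slides), the following Python determines the QRs and QNRs modulo any n by squaring the elements of Z_n^*, working Example 4.1 for n = 9 (and n = 19 as a prime comparison); the function names are the example's own.

```python
from math import gcd

def units(n):
    """Z_n^* as least positive residues, i.e. the a with gcd(a, n) = 1."""
    return [a for a in range(1, n + 1) if gcd(a, n) == 1]

def square_roots(a, n):
    """All x in Z_n^* with x^2 = a (mod n). A square root of a unit is itself
    a unit, so restricting x to Z_n^* loses nothing (Definition 4.1)."""
    return [x for x in units(n) if (x * x) % n == a % n]

def quadratic_residues(n):
    """QRs modulo n: the units a for which x^2 = a (mod n) is solvable."""
    return sorted({(x * x) % n for x in units(n)})

def quadratic_non_residues(n):
    """QNRs modulo n: the units that are not QRs."""
    squares = set(quadratic_residues(n))
    return [a for a in units(n) if a not in squares]

def classify(n):
    """Example 4.1 for any n: each unit with its square roots (empty for a QNR)."""
    return {a: square_roots(a, n) for a in units(n)}
```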