Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Basic Number Theory Cryptography – CS 507 Erkay Savas Sabanci University [email protected] Basic Notation • Divisibility (of integers) – Let a and b be integers with a ≠ 0. We say that a divides b, if there is an integer k s.t. b = a · k. – Denoted as a | b. • Propositions – For every a≠0, a | 0 and a | a. Also 1 | b for every b. – If a | b and b | c, then a | c – If a | b and a | c, then a | (s · b + t · c) for all s and t. 10/22/2002 Erkay Savas 2 Prime Numbers • A number p > 1 that is divisible only by 1 and itself is called a prime number. An integer that is not a prime number is called composite number. • Prime Number Theorem: Let π(x) be the # of primes less than x. Then π(x) → x/ln x as x → ∞ (i.e. π(x) ≈ x/ln x) • Theorem: Every positive integer is a product of primes. This factorization is unique. • Lemma: If p is a prime and it divides a product of integers a · b, then either p | a or p | b. 10/22/2002 Erkay Savas 3 Greatest Common Divisor (GCD) • GCD of a and b is the largest positive integer that divides both integers. Denoted as gcd(a, b). • Computation gcd of a and b can be done – by factoring a and b into primes Example: gcd(1728, 135) 1728 = 26 · 32 and 135 = 33 · 5 => gcd(1728, 135) = 32 = 9. – by using Euclidean algorithm Utilizes division by remainder. 10/22/2002 Erkay Savas 4 Example: Euclidean algorithm • gcd(482, 1180) 1180 = 2 · 482 + 216 482 = 2 · 216 + 50 216 = 4 · 50 + 16 50 = 3 · 16 + 2 16 = 8 · 2 + 0 The last nonzero remainder is the gcd 10/22/2002 Erkay Savas 5 GCD • Theorem: Let a and b be two integers, with at least one of them nonzero, and let d = gcd(a, b). Then there exist integers x, y s.t. a·x + b ·y = d. In particular, if a and b are relatively prime(i.e. gcd(a, b) = 1) then a·x +b ·y = 1. • In the last case, x is called the multiplicative inverse of a w.r.t. b since a·x ≡ 1 mod b. 10/22/2002 Erkay Savas 6 Solving a · x + b · y = d Algorithm Extended Euclidean algorithm (EEA) INPUT: two non-negative integers a and b with a ≥ b OUTPUT: d = gcd(a, b) and integers x and y s.t. a·x+b·y = d. 1. If b = 0 then d ← a, x ← 1, y←0 and return(d, x, y). 2. x2 ←1, x1 ←0, y2 ←0, y1 ←1. 3. While b > 0 do the following: 4. q ← a/b, r ← a - qb, x ← x2 - qx1, y ← y2 – qy1 5. a ← b, b ← r, x2 ← x1, x1 ← x, y2 ← y1, and y1← y 6. Set d ← a, x ← x2, y ← y2, and return(d, x, y). 10/22/2002 Erkay Savas 7 Example EEA a = 4864 and b = 3458 q - r - x - y - a b 4864 3458 x2 1 x1 0 y2 0 y1 1 1 1406 1 -1 3458 1406 0 1 1 -1 2 646 -2 3 1406 646 1 -2 -1 3 2 114 5 -7 646 114 -2 5 3 -7 5 76 -27 38 114 76 5 -27 -7 38 1 38 32 -45 76 38 -27 32 38 -45 2 0 -91 128 38 0 32 -91 -45 128 10/22/2002 Erkay Savas 8 Congruence Classes • Let a, b, and n be integers with n ≠ 0. We say that – a ≡ b (mod n) (a is congruent to b mod n) if a- b is a multiple of (positive or negative) n. Thus, a = b + k·n for some integer k (positive or negative) – Proposition: a, b, c, d, n integers with n ≠ 0 and a ≡ b (mod n) and c ≡ d (mod n). Then a+ c ≡ b+ d (mod n), a- c ≡ b- d (mod n), a · c ≡ b · d (mod n) 10/22/2002 Erkay Savas 9 Division in Congruence Classes • • • • We can divide by a (mod n) when gcd(a, n)=1 Example: Solve 2x + 7 ≡ 3 (mod 17) Example: Solve 5x + 6 ≡ 13 (mod 15). Proposition: Suppose gcd(a, n)=1. Let s and t be integers s.t. a · s + n · t = 1. Then a · s ≡ 1 (mod n) s is called the multiplicative inverse of a (mod n) • Extended Euclidean algorithm is a fairly efficient method of computing multiplicative inverses in congruence classes. 10/22/2002 Erkay Savas 10 Chinese Remainder Theorem (CRT) • Suppose gcd(m, n) = 1. Given a and b, there exists exactly one solution x (mod m · n) to the simultaneous congruences x ≡ a (mod m) and x ≡ b (mod n) • Example: Solve x ≡ 3 (mod 7) and x ≡ 5 (mod 15) • Solution: (works only for small numbers). First congruence class: 5, 20, 35, 50, 65, 80, 95, … Calculate the congruences of these numbers (mod 7) 5, 6, 0, 1, 2, 3, 4. => The result is x = 80. 10/22/2002 Erkay Savas 11 Gauss’s algorithm for general case CRT • Simultaneous congruences x ≡ a1 (mod n1), x ≡ a2 (mod n2), …, x ≡ ak (mod nk) has a unique solution modulo n = n1 n2 …nk • Gauss’s algorithm: x = ∑ik=1 ai N i M i mod n, where N i = n ni and M i = N i−1 mod ni • Assignment: Study Garner’s algorithm for CRT Handbook of Applied Cryptography, pages 612-613. 10/22/2002 Erkay Savas 12 Example • Solve x ≡ 3 (mod 7) and x ≡ 5 (mod 15) • a1 = 3 and a2 = 5, n1 = 7 and n2 = 15, and n= 7·15=105 • N1 = n / n1 = 105/7 = 15 M1 = N1-1 mod n1 = 15-1 mod 7 = 1 • N2 = n / n2 = 105/15 = 7 M2 = N2-1 mod n2 = 7-1 mod 15 = 13 • x = a1 N1 M1 + a2 N2 M2 = 3·15·1 + 5·7·13 mod 105 = 500 mod 105 = 80. • Solve the same problem with Garner’s algorithm. 10/22/2002 Erkay Savas 13 CRT has a very important application in RSA cryptography Think of performing xa (mod n) where n = p · q Modular Exponentiation • xa (mod n) • Example: 21234 mod 789, Naïve method: raise 2 to 1234 and then take the modulus. Is it practical (possible)? Practical method: Use binary expansion of the exponent. 1234 = (10011010010)2 10/22/2002 Erkay Savas 15 Modular exponentiation example • 21234 mod 789 and 1234 = (10011010010)2 x=2 x = 2·2 = 4 x = 4·4 = 16 x = 16·16 =256 and x = 256·2=512 x = 512·512=196 and x = 196·2=392 x = 392·392=598 All operations are x = 598·598=187 and x =187·2=374 performed modulo 789 x = 374·374=223 x = 223·223=22 x =22·22=484 and x =484·2=179 x =179 ·179=481 10/22/2002 Erkay Savas 16 Fermat’s little theorem and Euler’s theorem • Fermat’s little theorem: If p is a prime and p does not divide a, then ap-1 ≡ 1 (mod p) • Euler’s theorem: If gcd(a, n)=1, then aφ(n) ≡ 1 (mod n) where φ(n) is defined as the number of integers 1≤ a ≤ n such that gcd(a, n)=1 and called as Euler’s φ-function. • φ(p) = (p-1) 10/22/2002 Erkay Savas 17 Euler’s totient function • If n = p · q then φ(n) = (p-1)·(q-1) (prove this). • If p is a prime and n = pr , then we must remove every pth number (i.e. p, p2, …, pr-1) in order to get the list of a’s with gcd(a, n)=1, which yields φ(pr) = (1-1/p) pr. • In general case any integer can be written as t n = ∏ pi i =1 10/22/2002 therefore 1 φ ( n ) = n ⋅ ∏ 1 − p p n Erkay Savas 18 Example • Example 1: 210 = 1024 ≡ 1 (mod 11) • Example 2: Compute 2-1 (mod 11). 2·29 = 210 ≡ 1 (mod 11) => 2-1 ≡ 29 (mod 11) ≡ 6 (mod 11). • Example 3: φ(10) = φ(2·5) = (2-1) · (5-1) = 4. {1, 3, 7, 9} • Example 4: Compute 243210 (mod 101) We know 2100 ≡ 1 (mod 101) => 243210 = 2432x100 +10 = (2100)432 ·210 ≡ 210 (mod 101) ≡ 14 mod (101). 10/22/2002 Erkay Savas 19 Important principle • Let a, n, x, y be integers with n ≥ 1 and gcd(a, n)=1. If x ≡ y (mod φ(n)) then ax ≡ ay (mod n). In other words, if you want to work mod n, you should work mod φ(n) in the exponent. • Proof: x = y + φ(n)·k from congruence relation. Then a x = a y +φ ( n ) k ≡ a y (aφ ( n ) ) k ≡ a y 1k ≡ a y (mod n) 10/22/2002 Erkay Savas 20 Example • Compute 21301 mod 100. • Solution 1: 21301 ≡ 52 mod 100. • Solution 2: φ(100) = 100 ·(1-1/2) ·(1-1/5) = 40. 1301 ≡ 21 ( mod φ(100)) 21301 ≡ 21301 (mod 40) (mod 100) ≡ 221 (mod 100) ≡ 52 (mod 100). 10/22/2002 Erkay Savas 21 Primitive Roots • Consider powers of 3 (mod 7): 31 ≡ 3, 32 ≡ 2, 33 ≡ 6, 34 ≡ 4, 35 ≡ 5, 36 ≡ 1 powers of 3 generate all the nonzero congruence class elements mod 7. Such elements are called primitive roots or multiplicative generators in the congruence class. • If p is a prime, there are φ(p-1) primitive roots mod p. • Let g be a primitive root for the prime p. Then If n is an integer, then gn ≡ 1 (mod p) iff n ≡ 0 (mod p-1). 10/22/2002 Erkay Savas 22 Square roots mod n • • • • 1. 2. Suppose x2 ≡ b (mod n) where n = pq, has a solution. If the factorization of n is known, the equation can be solved quite easily. Conversely, if we know all solutions, then it is easy to factor n. Proposition: Let p ≡ 3 (mod 4) be prime and let y be an integer. Let x ≡ y(p+1)/4 (mod p). If y has a square root mod p, then the square roots of y mod p are ±x. If y has no square root mod p, then –y has a square root mod p, and the square roots of -y mod p are ±x. 10/22/2002 Erkay Savas 23 Square roots Mod n • Example: Find the square root of 5 mod 11. • (p+1)/4=3 => 53 mod 11=4. Then ±4 are square roots of 5 mod 11. • Example: Find the square root of 2 mod 11. • Square roots for composite modulus. • Example: x2 ≡ 71 (mod 77) 77 = 1×11 => x2 ≡ 1 (mod 7) and x2 ≡ 5 (mod 11) => x ≡ ±1 (mod 7) and x ≡ ±4 (mod 11) Solve the rest using CRT. 10/22/2002 Erkay Savas 24 Square roots Mod n x ≡ 1 (mod 7) and x ≡ 4 (mod 11) => x ≡ 15 (mod 77) x ≡ 1 (mod 7) and x ≡ -4 (mod 11) => x ≡ 29 (mod 77) x ≡ -15 (mod 77) and x ≡ -29 (mod 77) Can we factor n if we know all four solutions? Let n=pq is the product of two primes and we know the four solutions x = ±a, ±b of x2 ≡ y (mod n) . We know that a ≡ b (mod p) and a ≡ -b (mod q). Thus, p (a-b) and q ⁄(a-b). This means that gcd(a-b, n) = p. This is a nontrivial factor of n. • Taking square root modulo n, where n=pq if factorization is not known is as hard as factorization. • • • • • 10/22/2002 Erkay Savas 25 Finite Fields • If p is a prime, the congruence class {0, 1,…, p-1} forms a finite field. There are two operations defined in a field: addition (subtraction) and multiplication. Since every nonzero element has a multiplicative inverse we can also define the division operation. • We use Fp or GF(p) to denote the prime finite field. GF is read as galois field after a famous French Mathematician, Evarista Galois, who died in a duel at the age of 21 before founding the finite field theory. • Is set of integers a field? • Give an example of infinite field. 10/22/2002 Erkay Savas 26 A special class of finite fields • GF(2) is finite field with two elements {0,1} and called binary field. • Let f(x) = xn+an-1 xn-1+…+a1 x+a0 be an irreducible binary polynomial (i.e. ai ∈ {0,1} 0 ≤ I ≤n-1). This means it has no solutions in GF(2). All the solutions are in the binary extension field, GF(2n). • In order to construct a binary extension field GF(2n) we need an irreducible polynomial of degree n. 10/22/2002 Erkay Savas 27 Binary extension fields • Example: Irreducible polynomial x3+x+1 can be used to construct GF(23). • A simple method to construct this field is to find all the binary polynomials whose degrees are smaller than the degree of the irreducible polynomial(n=3). • GF(23)={0, 1, x, x+1, x2, x2+1, x2+x, x2+x+1} • In computer we can use binary strings to represent these elements as GF(23)={000, 001, 010, 011, 100, 101, 110, 111} 10/22/2002 Erkay Savas 28 Operations in GF(2n). • Addition is an operations that act on the corresponding coefficients of the two polynomials when the polynomial representation is used. Example: (x+1)+(x2+1) = x2+ x • Subtraction is identical to the addition. • Multiplication is done by using polynomial arithmetic when the polynomial representation is used. Two steps are involved: 1. Polynomial multiplication 2. Reduction with irreducible polynomial 10/22/2002 Erkay Savas 29 Multiplication in GF(2n). • Example: (x+1)×(x2+1) in GF(23) with x3+x+1 . Step 1: x3+x+ x2+1 which is not the element of GF(23) then a reduction step is necessary Step 2: The remainder of the following division is the result: x3+x+ x2+1/(x3+x+1) = x2. 10/22/2002 Erkay Savas 30 Division in GF(2n). • Every non-zero element has a multiplicative inverse; i.e. for every element of GF(2n) a(x), there exists b(x) s.t. a(x)×b(x) ≡ 1 (mod f(x)). • Thus the division by a non-zero element of GF(2n) is defined. 10/22/2002 Erkay Savas 31 Primitive polynomials and elements • The root of some irreducible polynomials can be used to construct the binary extension field. • Example: f(x)=x4+x+1 Let f(α)=0, then α4+α+1=0 => α4=α+1. • 0 α7=α4+α3 = α3+α +1 1 α8=α4+α2+α= α2+1 α α9= α3+α α10=α4+α2 =α2+α+1 α2 α3 α11=α3+α2+α α12=α4+α3+α2= α3+α2+α+1 α4=α+1 α5=α2+α α13=α4+α3+α2 +α= α3+α2 +1 α6=α3+α2 α14= α4+α3+α=α3+1 α15= α4+α= α+1+α = 1 10/22/2002 Erkay Savas 32 Primitive polynomials and elements • Such polynomials are called primitive polynomials while the root of a primitive polynomial is called primitive element. • Example:f(x)=x4+x3+x2+x+1 is not a primitive polynomial. 0 1 α α2 α3 α4= α3+α2+α+1 α5= α4+α3+α2+α= α3+α2+α+1+α3+α2+α=1 α6=α α7=α2 10/22/2002 Erkay Savas 33