Download Algorithms for GCD, Multiplicative Inverse, and Solving Linear

ECE 646 - Lecture 5
Algorithms for
GCD, Multiplicative Inverse,
and Solving Linear Congruences
Motivation:
Public-key ciphers
1
RSA as a trap-door one-way function
PUBLIC KEY
ciphertext
C = f(M) = Me mod N
C
message
M
M = f-1(C) = Cd mod N
PRIVATE KEY
N=P⋅Q
P, Q - large prime numbers
e ⋅ d ≡ 1 mod ((P-1)(Q-1))
RSA keys
PUBLIC KEY
{ e, N }
PRIVATE KEY
{ d, P, Q }
P, Q:
P, Q - large prime numbers
N:
N=P⋅Q
e:
d:
gcd(e, P-1) = 1 and gcd(e, Q-1) = 1
e ⋅ d ≡ 1 mod ((P-1)(Q-1))
d = e-1 mod ((P-1)(Q-1))
2
Mini-RSA keys
PUBLIC KEY
PRIVATE KEY
{ e, N }
{ d, P, Q }
P, Q:
P=5
Q = 11
N:
N = P ⋅ Q = 55
e:
gcd(e, 5-1) = 1 and gcd(e, 11-1) = 1
d:
3 ⋅ d ≡ 1 mod 40
e=3
d=27
Mini-RSA as a trap-door one-way function
message
M=2
PUBLIC KEY
ciphertext
C = f(2) = 23 mod 55 = 8
C=8
M = f-1(C) = 827 mod 55 = 2
PRIVATE KEY
N = 5 ⋅ 11
5, 11 - prime numbers
3 ⋅ 27 ≡ 1 mod ((5-1)(11-1))
3
Basic definitions
Greatest common divisor
Greatest common divisor of a and b, denoted by gcd(a, b),
is the largest positive integer that divides both a and b.
d = gcd (a, b) iff
1) d | a and d | b
2) if c | a and c | b then c ≤ d
4
gcd (8, 44)
=
gcd (-15, 65) =
gcd (45, 30)
=
gcd (31, 15)
=
gcd (0, 40)
=
gcd (121, 169) =
Relatively prime integers
Two integers a and b are relatively prime or co-prime
if gcd(a, b) = 1
5
Properties of the greatest common divisor
gcd (a, b) = gcd(b, a) = gcd (b, a-kb)
for any k ∈ Z
Quotient and remainder
Given integers a and n, n>0
∃! q, r ∈ Z
such that
a = q⋅ n + r
and
0≤r<n
q – quotient
q=
a
n
r – remainder
(of a divided by n)
r = a - q⋅ n = a –
= a div n
= a mod n
a
⋅n =
n
6
32  mod 5 =
-32 mod 5 =
Integers coungruent modulo n
Two integers a and b are congruent modulo n
(equivalent modulo n)
written a ≡ b
iff
a mod n = b mod n
or
a = b + kn, k ∈ Z
or
n|a-b
7
Algorithms
Euclid’s Algorithm
for computing gcd(a,b)
i
qi
ri
-2
-1
0
1
q-1
q0
q1
r-2 = max(a, b)
r-1 = min(a, b)
r0
r1
…
…
…
t-1
t
qt-1
rt-1 = gcd(a, b)
rt=0
ri+1 = ri-1 mod ri
qi =
ri-1
ri
ri+1 = ri-1 - qi ⋅ ri
8
Euclid’s Algorithm
Example: gcd(36, 126)
i
-2
-1
0
1
qi
ri
q-1 = 3
q0 = 2
q1
r-2 = max(a, b) =126
r-1 = min(a, b) =36
r0 = 18 = gcd(36, 126)
r1 = 0
ri+1 = ri-1 mod ri
qi =
ri-1
ri
ri+1 = ri-1 - qi ⋅ ri
Multiplicative inverse modulo n
The multiplicative inverse of a modulo n is an integer [!!!]
x such that
a ⋅ x ≡ 1 (mod n)
The multiplicative inverse of a modulo n is denoted by
a-1 mod n (in some books a or a*).
According to this notation:
a ⋅ a-1 ≡ 1 (mod n)
9
Extended Euclid’s Algorithm (1)
ri = xi ⋅ a + yi ⋅ n
i
qi
ri
xi
yi
-2
-1
0
1
q-1 = ⎣ n/a ⎦
q0
q1
r-2 = n
r-1 = a
r0
r1
x-2=0
x-1=1
x0
x1
y-2=1
y-1=0
y0
y1
ri+1 = ri-1 - qi ⋅ ri
…
…
…
…
…
yi+1 = yi-1 - qi ⋅ yi
t-1
t
qt-1
rt-1
rt=0
xt-1
xt
yt-1
yt
qi =
ri-1
ri
xi+1 = xi-1 - qi ⋅ xi
rt-1 = xt-1 ⋅ a + yt-1 ⋅ n
Extended Euclid’s Algorithm (2)
rt-1 = xt-1 ⋅ a + yt-1 ⋅ n
rt-1 = xt-1 ⋅ a + yt-1 ⋅ n ≡ xt-1 ⋅ a (mod n)
If
rt-1 = gcd (a, n) = 1
then
xt-1 ⋅ a ≡ 1 (mod n)
and as a result
xt-1 = a-1 mod n
10
Extended Euclid’s Algorithm
for computing z = a-1 mod n
i
qi
ri
xi
-2
-1
0
1
q-1 = ⎣ n/a ⎦
q0
q1
r-2 = n
r-1 = a
r0
r1
x-2=0
x-1=1
x0
x1
…
…
…
…
t-1
t
qt-1
rt-1 = 1
rt=0
xt-1 = a-1 mod n
xt = ±n
Note:
ri-1
qi =
ri
ri+1 = ri-1 - qi ⋅ ri
xi+1 = xi-1 - qi ⋅ xi
If rt-1 ≠ 1 the inverse does not exist
Extended Euclid’s Algorithm
Example z = 20-1 mod 117
i
-2
-1
0
1
2
3
4
qi
ri
q-1 = 5
q0 = 1
q1 = 5
q2 = 1
q3 = 2
r-2 = 117
r-1 = 20
r0 = 17
r1 = 3
r2 = 2
r3 = 1
r4 = 0
Check:
xi
qi =
ri-1
ri
x-2= 0
ri+1 = ri-1 - qi ⋅ ri
x-1= 1
x0 =-5
xi+1 = xi-1 - qi ⋅ xi
x1 = 6
x2 = -35
x3 = 41 = 20-1 mod 117
x4 = -117
20 ⋅ 41 mod 117 = 1
11
Solving equations of the form a ⋅ x ≡ b mod n
(linear congruences)
The equation
a ⋅ x ≡ b mod n
has
1. one solution iff gcd(a, n) = 1
x = a-1 ⋅ b (mod n)
2. no solutions iff d = gcd(a, n) ≠ 1, and
d|b
3. d solutions iff d = gcd(a, n) ≠ 1, and d | b
The solutions are
x0, x0 + n/d, x0 + 2 ⋅ n/d, x0 + 3 ⋅ n/d, …, x0 + (d-1) ⋅ n/d,
where x0 = (a/d)-1 ⋅ (b/d) (mod n/d)
Solving equations of the form a ⋅ x ≡ b mod n
(linear congruences)
Case 1:
x
0
Case 2:
0
Case 3:
n
n
n/d
0 x0 n/d
n/d
n
12