* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download 4 Number Theory 1 4.1 Divisors
Survey
Document related concepts
Birkhoff's representation theorem wikipedia , lookup
System of polynomial equations wikipedia , lookup
Polynomial ring wikipedia , lookup
Field (mathematics) wikipedia , lookup
Quartic function wikipedia , lookup
Quadratic equation wikipedia , lookup
Root of unity wikipedia , lookup
Quadratic form wikipedia , lookup
Group (mathematics) wikipedia , lookup
Modular representation theory wikipedia , lookup
Factorization wikipedia , lookup
Fundamental theorem of algebra wikipedia , lookup
Eisenstein's criterion wikipedia , lookup
Polynomial greatest common divisor wikipedia , lookup
Factorization of polynomials over finite fields wikipedia , lookup
Transcript
CA642: C RYPTOGRAPHY AND N UMBER T HEORY 4 4.1 1 Number Theory 1 Divisors Division Let a and b be integers. We say that a divides b, or a|b if: ∃d s.t. b = ad If b 6= 0 then |a| ≤ |b|. Division Theorem: For any integer a and any positive integer n, there are unique integers q and r such that 0 ≤ r < n and a = qn + r. The value r = a mod n is called the remainder or the residue of the division. Theorem: If d|a and d|b then d|(xa + yb) for any integers x, y. Proof: a = rd and b = sd for some r, s. Therefore, xa + yb = xrd + ysd = d(xr + ys), so d|(xa + yb) Greatest Common Divisor For integers a and b: The greatest common divisor gcd(a,b) is defined as follows: gcd(a,b) = max(d : d|a and d|b) (a 6= 0 or b 6= 0). Note: This definition satisfies gcd(0,1) = 1. The lowest common multiple lcm(a,b) is defined as follows: lcm(a,b) = min(m > 0 s.t. a|m and b|m) (for a 6= 0 and b 6= 0). a and b are coprimes (or relatively prime) iff gcd(a,b) = 1. Prime Numbers An integer p ≥ 2 is called prime if it is divisible only by 1 and itself. Fundamental Theorem of Arithmetic: every positive number can be represented as a product of primes in a unique way, up to a permutation of the order of primes. There are infinitely many primes • Euclid gave simple proof by contradiction (c. 300BC). The number of primes ≤ n : π(n) ≈ n/ln n • Even though the number of primes is infinite, the density of primes gets increasingly sparse as n → ∞. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 4.2 2 Modular Arithmetic Modular Arithmetic Modular arithmetic is fundamental to modern public key cryptosystems. Given integers a, b, N ∈ Z we say that a is congruent to b modulo N: a≡b (mod N) iff N divides b − a Often we are lazy and just write a ≡ b if it is clear we are working modulo N. The modulo operator is like the C-operator %. Example: 16 ≡ 1 (mod 5) since 16-1 = 3 × 5 Modular Arithmetic For convenience we define the set: ZN = {0, . . . , N − 1} which is the set of remainders modulo N. It is clear that given N, every integer a ∈ Z is congruent modulo N to an element in the set ZN , since we can write: a = q×N +r with 0 ≤ r < N and a ≡ r (mod N) Modular Arithmetic The set ZN has two operations defined on it. • Addition – 11 + 13 mod 16 ≡ 24 (mod 16) ≡ 8 (mod 16). • Multiplication – 11 × 13 (mod 16) ≡ 143 (mod 16) ≡ 15 (mod 16). Given integers a, b ∈ Z we have: • a + b (mod N) ≡ (a (mod N) + b (mod N)) (mod N) • a − b (mod N) ≡ (a (mod N) − b (mod N)) (mod N) • a × b (mod N) ≡ (a (mod N) × b (mod N)) (mod N) Multiplicative Inverse Division a/b in modular arithmetic is performed by multiplying a by the multiplicative inverse of b. The multiplicative inverse of b ∈ ZN is an element denoted b−1 ∈ ZN with: bb−1 ≡ b−1 b ≡ 1 Theorem: b ∈ ZN has a unique inverse modulo N iff b and N are relatively prime i.e. gcd(b,N) = 1. Theorem: If p is a prime then every non-zero element in Z p has an inverse. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 3 Multiplicative Inverse Consider Z10 : • 3 has a multiplicative inverse, since gcd(3,10)=1. – 3 × 7 ≡ 21 ≡ 1 (mod 10). • 5 has no multiplicative inverse, since gcd(5,10)=5. – We have the following table: 0×5 ≡ 0 1×5 ≡ 5 2×5 ≡ 0 3×5 ≡ 5 5×5 ≡ 0 (mod (mod (mod (mod (mod 10) 10) 10) 10) 10) 5×5 ≡ 5 6×5 ≡ 0 7×5 ≡ 5 8×5 ≡ 0 9×5 ≡ 5 (mod (mod (mod (mod (mod Modular Arithmetic 1. Addition is closed: ∀a, b ∈ ZN : a + b ∈ ZN 2. Addition is associative: ∀a, b, c ∈ ZN : (a + b) + c ≡ a + (b + c) 3. 0 is an additive identity: ∀a ∈ ZN : a + 0 ≡ 0 + a ≡ a 4. The additive inverse always exists: ∀a ∈ ZN : a + (N − a) ≡ (N − a) + a ≡ 0 5. Addition is commutative: ∀a, b ∈ ZN : a + b ≡ b + a Modular Arithmetic 6. Multiplication is closed: ∀a, b ∈ ZN : a × b ∈ ZN 7. Multiplication is associative: ∀a, b, c ∈ ZN : (a × b) × c ≡ a × (b × c) Geoff Hamilton 10) 10) 10) 10) 10) CA642: C RYPTOGRAPHY AND N UMBER T HEORY 4 8. 1 is a multiplicative identity: ∀a ∈ ZN : a × 1 ≡ 1 × a ≡ a 9. Multiplication is commutative: ∀a, b ∈ ZN : a × b ≡ b × a 10. Multiplication distributes over addition: ∀a, b, c ∈ ZN : (a + b) × c ≡ a × c + b × c 4.3 Groups, Rings and Fields Groups A group (S, ⊕) consists of a set S and an operation ⊕, satisfying: • Closure: ∀a, b ∈ S : a ⊕ b ∈ S • Associativity: ∀a, b, c ∈ S : a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c • Identity element e: ∃e ∈ S : ∀a ∈ S : a ⊕ e = e ⊕ a = a • Every element has an inverse element: ∀a ∈ S : ∃a−1 ∈ S : a ⊕ a−1 = a−1 ⊕ a = e • The group S is called commutative or Abelian if: ∀a, b ∈ S : a ⊕ b = b ⊕ a • The order of a group S, denoted by |S|, is the number of elements in S. If a group S satisfies |S| < ∞ then it is called a finite group. Groups Integers, real numbers and complex numbers are groups under addition. • the identity is 0, the inverse of x is −x Non-zero real numbers and non-zero rational numbers are groups under multiplication. • the identity is 1, the inverse of x is x−1 These are all examples of infinite Abelian groups. Questions: • Why are the integers not a group under multiplication? • Why do we say non-zero real numbers above? Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 5 Modular Arithmetic Going back to our 10 properties of modular arithmetic we see: • Properties 1-4 say that ZN is a group with respect to addition. • Property 5 says that the group ZN is abelian. • Properties 1-10 say that ZN is a ring. • Other rings you have seen before are the integers, real numbers and complex numbers. – These are all infinite rings, whereas ZN is a finite ring. Fields A field (S, ⊕, ⊗) is a set with two operations ⊕ and ⊗ and two special elements 0, 1 such that: • (S, ⊕) is an abelian group with identity 0. • (S \ {0}, ⊗) is an abelian group with identity 1. • (S, ⊕, ⊗) satisfies the distributive law: ∀a, b, c ∈ S : a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c) Example fields: rational numbers, real numbers, complex numbers. Finite Fields A finite field is a field that contains a finite number of elements. There is exactly one finite field of size (order) pn where p is a prime (called the characteristic of the field) and n is a positive integer. If p is a prime Z p is the finite field GF(p) (note here that n = 1 and so is omitted). Finite fields are of central importance in coding theory and cryptography. GF(28 ) is of particular importance as an element can be represented in a single byte. Polynomial Rings Z p [x] The polynomial ring F[x] is the set of all polynomials over variable x with coefficients in the field F. For prime p, Z p [x] is the set of polynomials with coefficients mod p. Arithmetic operations are the same as with polynomials except that coefficients are calculated in Z p . The polynomial ring Z2 [x] is quite frequently used in cryptographic applications as the coefficients of the polynomial can be expressed in bits (e.g. x6 + x3 + 1 ≡ 01001001). For example in Z2 [x]: (1 + x + x2 ) + (x + x3 ) = 1 + x2 + x3 (1 + x + x2 )(x + x3 ) = x + x2 + x4 + x5 (1 + x + x2 )(x + x3 ) (mod x4 + 1) = 1 + x2 (since x + x2 + x4 + x5 = (x + 1)(x4 + 1) + (1 + x2 )) Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 6 Finite Fields Z p [x] (mod f (x)) A polynomial f (x) is said to be irreducible if f (x) cannot be expressed as a product of two polynomials of lower degree. f (x) = x2 + 1 is irreducible in Z3 but reducible in Z5 into (x + 2)(x + 3). x7 + x + 1 and x7 + x3 + 1 are irreducible in Z2 . If f (x) is an irreducible polynomial mod p of degree n then Z p [x] (mod f (x)) is a finite field with pn elements. For example in Z2 : (x3 + 1)(x4 + 1) (mod x7 + x + 1) = x4 + x3 + x (x3 + 1)(x4 + 1) (mod x7 + x3 + 1) = x4 Finite Fields Z2 [x] (mod f (x)) In the field Z2 [x] (mod f (x)) the addition (and subtraction) of elements is simply bitby-bit XOR. Multiplication is like regular multiplication without the carries. Doubling an element is a simple bit shift. When a calculation results in a number greater than m bits, it is reduced by XORing it with a multiple of the irreducible polynomial. The evaluation of xi in the finite field Z2 [x] (mod x3 + x + 1): i 001 010 011 100 101 110 111 xi 010 = x 100 = x2 011 = x + 1 110 = x2 + x 111 = x2 + x + 1 101 = x2 + 1 001 = 1 (1000 ⊕ 1011 = 0011) (1100 ⊕ 1011 = 0111) (1110 ⊕ 1011 = 0101) (1010 ⊕ 1011 = 0001) Correspondence Between Integers and Polynomials Z ≡ Z p [x] Prime number p ≡ Irreducible polynomial f (x) of degree n Zp ≡ Z p [x] (mod f (x)) Finite field with p elements ≡ Finite field with pn elements Euler Groups We define the set of invertible elements of ZN as: Z∗N = {a ∈ ZN : gcd(a, N) = 1} The set Z∗N is always a group with respect to multiplication and is called an Euler group. When N is a prime p we have: Z∗p = {1, . . . , p − 1} Examples: Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 7 Z∗1 = {0} Z∗2 = {1} Z∗3 = {1, 2} Z∗4 = {1, 3} Z∗5 = {1, 2, 3, 4} Z1 = {0} Z2 = {0, 1} Z3 = {0, 1, 2} Z4 = {0, 1, 2, 3} Z5 = {0, 1, 2, 3, 4} Euler Totient Function φ (N) Euler’s totient function φ (N) represents the number of elements in Z∗N : φ (N) = |Z∗N | = |{a ∈ ZN : gcd(a, N) = 1}| φ (N) is therefore the number of integers in ZN which are relatively prime to N. We know that an element a ∈ ZN has a multiplicative inverse modulo N iff gcd(a,N) = 1. Therefore, there are precisely φ (N) invertible elements in ZN . Euler Totient Function φ (N) Given the prime factorization of N: n N = ∏ pei i i=1 we can compute φ (N) using the following formula: n φ (N) = ∏ pei i −1 (pi − 1) i=1 The most important cases for cryptography are: • If p is prime then: φ (p) = p − 1 • If p and q are both prime and p 6= q then: φ (pq) = (p − 1)(q − 1) Lagrange’s Theorem The order of an element a of a group (S, ⊗) is the smallest positive integer t such that at = 1. Lagrange’s Theorem: If S is a group of size |S| = n then ∀a ∈ S : an = 1 Corollary: the order t of an element a ∈ S divides n = |S|, so if a ∈ Z∗N then the order of a always divides φ (N) Thus if a ∈ Z∗N then aφ (N) ≡ 1 (mod N), since |Z∗N | = φ (N) (Euler’s Theorem). Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 8 Fermat’s Little Theorem Not to be confused with Fermat’s Last Theorem . . . Fermat’s Little Theorem: if p is a prime then a p ≡ a (mod p) Fermat’s Little Theorem is a special case of Lagrange’s Theorem. 4.4 Calculating Multiplicative Inverses Greatest Common Divisor (GCD) We need a method to determine when a ∈ ZN has a multiplicative inverse and compute it when it does. We know this happens iff gcd(a,N) = 1. Therefore we need to compute the GCD of two integers a, b ∈ Z. • This is easy if we know the prime factorization of a and b, since: β min(αi ,βi ) a = ∏ pαi i and b = ∏ pi i ⇒ d = gcd(a, b) = ∏ pi • However, factoring is a very expensive operation, so we cannot use the above formula. • A much faster algorithm to compute GCDs is Euclids algorithm. GCD - Euclidean Algorithm To compute the GCD of r0 = a and r1 = b we compute: r0 r1 = = .. . q1 r1 + r2 q2 r2 + r3 rm−2 rm−1 = = qm−1 rm−1 + rm qm rm If d divides a and b then d divides r2 , r3 , r4 and so on. Therefore: gcd(a, b) = gcd(r0 , r1 ) = gcd(r1 , r2 ) = · · · = gcd(rm−1 , rm ) = rm GCD - Euclidean Algorithm As an example of this algorithm we want to show that: 3 = gcd(21,12) Using the Euclidean algorithm we compute gcd(21,12) as: gcd(21,12) Geoff Hamilton = = = = = = gcd(21 (mod 12),12) gcd(9,12) gcd(12 (mod 9),9) gcd(3, 9) gcd(9 (mod 3),3) gcd(0,3) = 3 CA642: C RYPTOGRAPHY AND N UMBER T HEORY 9 XGCD - Extended Euclidean Algorithm Using the Euclidean algorithm, we can determine when a has an inverse modulo N i.e. iff gcd(a,N) = 1. • But we do not know yet how to compute the inverse. Solution: use an extended version of the Euclidean algorithm. Recall that during the Euclidean algorithm we had: ri−2 = qi−1 ri−1 + ri and finally rm = gcd(r0 ,r1 ). Now we unwind the above and write each ri , i ≥ 2 in terms of a and b. XGCD - Extended Euclidean Algorithm Unwinding the various steps in the Euclidean algorithm gives: r2 r3 . ri−2 ri−1 ri rm = = .. . r0 − q1 r1 = a − q1 b r1 − q2 r2 = b − q2 (a − q1 b) = −q2 a + (1 + q1 q2 )b = = = = .. . si−2 a + ti−2 b si−1 a + ti−1 b ri−2 − qi−1 ri−1 a(si−2 − qi−1 si−1 ) + b(ti−2 − qi−1ti−1 ) = sm a + tm b The XGCD takes as input a and b and outputs sm ,tm , rm such that: rm = gcd(a, b) = sm a + tm b XGCD - Multiplicative Inverse Given a, N ∈ Z we can compute d, x, y using XGCD such that: d = gcd(a, N) = xa + yN Considering the above equation modulo N we get: d ≡ xa + yN (mod N) ≡ xa (mod N) Thus if d = 1 then a has a multiplicative inverse given by: a−1 ≡ x (mod N) Remark: the more general equation ax ≡ b (mod N) has precisely d = gcd(a,N) solutions iff d divides b. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 4.5 10 Calculating Modular Exponents Modular Exponentiation Given a prime p and a ∈ Z∗p we want to calculate ax (mod p). It does not make sense to compute y = ax and then y (mod p). Consider 1235 (mod 511) = 28153056843 (mod 511) = 359 There is a large intermediate result so this method takes a very long time and a great deal of space for large a, x and p. 1235 (mod 511) could also be calculated as follows: a a2 a3 a4 a5 = = = = = 123 a × a (mod 511) = 310 a × a2 (mod 511) = 316 a × a3 (mod 511) = 32 a × a4 (mod 511) = 359 This requires four modular multiplications; it is still far too slow. Modular Exponentiation It is much better to compute this example using the steps below: a a2 a4 a5 = = = = 123 a × a (mod 511) = 310 a2 × a2 = 310 × 310 (mod 511) = 32 a × a4 = 123 × 32 (mod 511) = 359 This requires only 3 multiplications. This shows that if we consider the binary representation of the exponent x = xn−1 xn−2 . . . x1 x0 , then the value represented by each bit of the exponent xi can be obtained by squaring the value represented by the previous bit xi−1 . Multiplication is required for every bit which is set after the first one. Thus for an exponent with n bits of which t bits are set, n − 1 squarings and t − 1 multplications. Modular Exponentiation This suggests an algorithm which works through the exponent one bit at a time squaring and multiplying. This is commonly known as the square and multiply algorithm. Right to left variant for calculating y = ax (mod p): y = 1 for i = 0 to n-1 do if xi = 1 then y = (y*a) mod p a = (a*a) mod p end Left to right variant for calculating y = ax (mod p): Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 11 y = 1 for i = n-1 downto 0 do y = (y*y) mod p if xi = 1 then y = (y*a) mod p end Chinese Remainder Theorem (CRT) Consider N = 15 = 3 × 5. We can represent every element a of ZN by its coordinates (a (mod 3), a (mod 5)). This leads to the following table: 0 1 2 0 0 10 5 1 6 1 11 2 12 7 2 3 3 13 8 4 9 4 14 Note that all elements in ZN have different coordinates, i.e. given (a1 , a2 ) with 0 ≤ a1 < 3 and 0 ≤ a2 < 5 we can reconstruct a. Chinese Remainder Theorem (CRT) Consider N = 24 = 4 × 6. We can represent every element a of ZN by its coordinates (a (mod 4), a (mod 6)). This leads to the following table: 0 1 2 3 0 0/12 1 2 8/20 1/13 6/18 3 9/21 2/14 7/19 4 4/16 5 5/17 10/22 3/15 11/23 Note that a and a + 12 (mod 24) map to the same coordinates. Therefore, given (a1 , a2 ) with 0 ≤ a1 < 4 and 0 ≤ a2 < 6 we cannot uniquely reconstruct a. Chinese Remainder Theorem (CRT) The previous examples indicate that if N = n1 × n2 with gcd(n1 ,n2 ) = 1, we can replace computing modulo N by computing modulo n1 and modulo n2 : ZN ∼ = Zn1 × Zn2 iff gcd(n1 ,n2 ) = 1 If N = n1 × n2 then it is very easy to compute the coordinates of a ∈ ZN , since these are simply (a (mod n1 )), a (mod n2 )). However, given the coordinates (a1 , a2 ) with 0 ≤ a1 < n1 and 0 ≤ a2 < n2 how do we compute the corresponding a? Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 12 Chinese Remainder Theorem (CRT) We can reformulate our reconstruction problem as: Given: N = n1 × n2 with gcd(n1 , n2 ) = 1 Compute: x ∈ ZN with x ≡ a1 (mod n1 ) and x ≡ a2 (mod n2 ) Example: If x ≡ 4 (mod 7) and x ≡ 3 (mod 5) then we have: x ≡ 18 (mod 35) How did we work this out? CRT - Example We want to find x ∈ ZN with N = 35 such that: x≡4 (mod 7) and x ≡ 3 (mod 5) Therefore, for some n ∈ Z we have: x = 4 + 7n and x ≡ 3 (mod 5) Substituting the equality in the second equation gives: 4 + 7n ≡ 3 (mod 5) Therefore, n is given by the solution of: 2n ≡ 7n ≡ 3 − 4 ≡ 4 (mod 5) Hence we can compute n as n ≡ 4/2 (mod 5) ≡ 2 (mod 5), so: x ≡ 4 + 7n ≡ 4 + 7 × 2 ≡ 18 (mod 35) CRT - General Case Let n1 , . . . , nk be pairwise relatively prime and let a1 , . . . , ak be integers. We want to find x modulo N = n1 n2 · · · nk such that: x ≡ ai (mod ni ) for all i The CRT guarantees a unique solution given by: k x = ∑ ai × Ni × yi (mod N) i=1 Ni = N/ni and yi = Ni−1 (mod ni ) Note that Ni ≡ 0 (mod n j ) for j 6= i and that Ni × yi ≡ 1 (mod ni ) Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 13 CRT - General Case Example We want to find the unique x modulo N = 1001 = 7 × 11 × 13 such that: x ≡ 5 (mod 7) and x ≡ 3 (mod 11) and x ≡ 10 (mod 13) We compute: N1 = 143, y1 = 5 and N2 = 91, y2 = 4 and N3 = 77, y3 = 12. Then we reconstruct x as: x k ≡ ∑ ai × Ni × yi (mod N) ≡ ≡ 5 × 143 × 5 + 3 × 91 × 4 + 10 × 77 × 12 (mod 1001) 894 (mod 1001) i=1 CRT - Modular Exponentiation Let N = 55 = 5 × 11 and suppose we want to compute 2737 (mod N). This can be done in a number of ways: • Really stupid: using 36 multiplications modulo 55: (((27 × 27) (mod N)) × 27 (mod N)) · · · 27 (mod N) • Less stupid: using 5 squarings and 2 multiplications modulo 55: 5 2 ((272 (mod N)) × 272 (mod N)) × 27 (mod N) • Rather intelligent: using 5 squarings and 2 multiplications modulo 5 and modulo 11 and CRT to combine both results. • Really intelligent: using Lagrange’s theorem, a few multiplications modulo 5 and 11 and CRT to combine both results. 4.6 Primitive Roots Generators For a ∈ Z∗n the set {a0 , a1 , a2 , a3 , . . .} is called the group generated by a, denoted hai. The order of a ∈ Z∗n is the size of hai, denoted |hai|. Examples for Z∗7 : h3i = {1, 3, 2, 6, 4, 5}, so the order of 3 is 6 h2i = {1, 2, 4}, so the order of 2 is 3 h1i = {1}, so the order of 1 is 1 Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 14 Primitive Roots a ∈ Z∗n is called a primitive root of Z∗n if the order of a is φ (n). Not all groups possess primitive roots e.g. Z∗n where n = pq and p, q are odd primes. If Z∗n possesses a primitive root a, then Z∗n is called cyclic. If a is a primitive root of Z∗n and b ∈ Z∗n then ∃x s.t. ax ≡ b (mod n). This x is called the discrete logarithm or index of b modulo n to the base a. Examples for Z∗7 : 3 is a primitive root: {30 , 31 , 32 , 33 , 34 , 35 } = {1, 3, 2, 6, 4, 5} = Z∗7 2 is not a primitive root: {20 , 21 , 22 , 23 , 24 , 25 } = {1, 2, 4} 6= Z∗7 Primitive Roots A primitive root exists in Z∗n iff n has a value 2, 4, pk or 2pk for some odd prime p and integer k. To determine whether a is a primitive root of Z∗n , we need to show for all prime factors p1 , . . . , pk of φ (n) that: ∀i ∈ {1 . . . k} : aφ (n)/pi 6= 1 This can be determined using modular exponentiation. For a prime p the number of primitive roots mod p is φ (p − 1) 4.7 Quadratic Residues Quadratic Residues An integer q is called a quadratic residue modulo n if there exists an integer x such that: x2 ≡ q (mod n) Integer x is called the square root of q (mod n). If no such integer x exists, q is called a quadratic nonresidue modulo n. x 0 1 2 3 4 5 6 7 8 Example (n = 11): 2 x (mod 11) 0 1 4 9 5 3 3 5 9 There are six quadratic residues modulo 11: 0, 1, 3, 4, 5, and 9. There are five quadratic non-residues modulo 11: 2, 6, 7, 8, 10. 9 4 10 1 Quadratic Residues If p is a prime exactly half of the numbers in Z∗p are quadratic residues. Euler’s Criterion: Given odd prime p and q ∈ Z∗p : • q is a quadratic residue iff q(p−1)/2 ≡ 1 (mod p). • q is quadratic nonresidue, iff q(p−1)/2 ≡ −1 (mod p). A quadratic residue q ∈ Z∗p cannot be a primitive root, since q(p−1)/2 ≡ 1 (mod p) and the order of a primitive root is p − 1. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 15 Quadratic Residues Modulo n = pq Let n = pq where p and q are large primes. If a ∈ Z∗n is a quadratic residue modulo n, then a has exactly four square roots modulo n in Z∗n . Therefore exactly a quarter of the numbers in Z∗n are quadratic residues modulo n. 4.8 Calculating Modular Square Roots Legendre’s Symbol If p is a prime and a is an integer. 0, if a|p a +1, if a is a quadratic residue modulo p Legendre’s symbol = p −1, if a is a quadratic non-residue modulo p a p By Euler’s criterion: = a(p−1)/2 (mod p). Legendre’s Symbol Properties of Legendre’s symbol: 1. a ≡ b (mod p) ⇒ ap = bp 2. 3. 4. 5. ab p 1 p −1 p 2 p = a p b p =1 = 1, if p ≡ 1 (mod 4) −1, if p ≡ 3 (mod 4) 2 −1)/8 = (−1)(p 6. If p and q are odd primes: p q = (−1)((p−1)/2)((q−1)/2) q p Jacobi’s Symbol Jacobi’s symbol is a generalization of Legendre’s symbol to composite numbers. If n is odd with prime factorization n = p1 × p2 × . . . × pk and a is relatively prime to n: Jacobi’s symbol na = pa1 × pa2 × . . . × pa k a n = −1 ⇒ a is a quadratic non-residue a n = 1 ; a is a quadratic residue Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY Jacobi’s Symbol Properties of Jacobi’s symbol: 1. a ≡ b (mod n) ⇒ na = b a 2. ab n = n n a a a 3. mn = m n 4. 1n = 1 (n−1)/2 5. −1 n = (−1) 2 6. n2 = (−1)(n −1)/8 b n 16 7. If m and n are odd co-primes: m n = (−1)((m−1)/2)((n−1)/2) n m Computing Square Roots Modulo a Prime If the Legendre symbol is -1, then there is no solution. If p is a prime and a is a quadratic residue modulo p then: a(p−1)/2 ≡ 1 (mod p) (by Euler’s criterion). Multiplying both sides by a: a(p+1)/2 ≡ a (mod p) Taking the square roots of both sides: ±a(p+1)/4 ≡ √ a (mod p) If p ≡ 3 (mod 4), then (p + 1)/4 is an integer, and this can be used to calculate the square root. Computing Square Roots Modulo a Prime If p is a prime s.t. p ≡ 5 (mod 8) and a is a quadratic residue modulo p then: a(p−1)/2 ≡ 1 (mod p) (by Euler’s criterion). so a(p−1)/4 ≡ ±1 (mod p) If a(p−1)/4 ≡ 1 (mod p) then: √ a = a(p+3)/8 (mod p) If a(p−1)/4 ≡ −1 (mod p) then: √ a = 2a(4a)(p−5)/8 (mod p) If p is a prime s.t. p ≡ 1 (mod 8) and a is a quadratic residue modulo p the probab√ lisitic Shanks’ algorithm can be used to calculate a. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 17 Computing Square Roots Modulo a Prime Shanks’ algorithm for square roots modulo p: Choose a random n until one is found such that (n/p) = −1 Let e, q be integers such that q is odd and p − 1 = 2e q y = nq (mod p) r = e x = a(q−1)/2 (mod p) b = ax2 (mod p) x = ax (mod p) while b 6= 1 (mod p) do m Find the smallest m such that b2 = 1 (mod p) r−m−1 t = y2 (mod p) 2 y = t (mod p) r = m x = xt (mod p) b = by (mod p) end return x Computing Square Roots Modulo n = pq If the Jacobi symbol is -1, then√there is no solution. √ If a is a quadratic residue and a (mod p) = ±x √ and a (mod q) = ±y, then we can use the Chinese Remainder Theorem to calculate a. Example: Compute the square root of 3 modulo 11 × 13 √ 3 (mod 11) = ±5 √ 3 (mod 13) = ±4 Using the Chinese Remainder Theorem, we can calculate the four square roots as 82, 126, 17 and 61. Computing Cube Roots Modulo a Prime If p is a prime, the cube root of x can be computed as follows: √ −1 3 x = x3 (mod φ (p)) (mod p) (mod p−1) (mod p) Since φ (p) = p − 1, we have: √ −1 3 x = x3 This depends on 3 having a multiplicative inverse modulo p − 1. √ Example: calculate 3 3 (mod 11) Since gcd(3,10) = 1, 3−1 (mod 10) exists and has the value 7. √ 3 3 (mod 11) = 37 (mod 11) = 9 The same idea can be easily extended to the problem of extracting rth roots, for any odd value of r. For even r, since p − 1 is also even, it has the factor 2 in common, so no multiplicative inverse exists. Geoff Hamilton CA642: C RYPTOGRAPHY AND N UMBER T HEORY 18 Computing Cube Roots Modulo a Prime There is a simpler way of calculating cube roots. Unique cube roots will only exist if p ≡ 2 (mod 3) (if p ≡ 1 (mod 3) then p − 1 would be a multiple of 3). In this case we can find the cube-rooting exponent directly as: (2(p − 1) + 1)/3 This is clearly congruent to 1/3 (mod p − 1), and evaluates to a whole number. For p=11, it evaluates as 7. Geoff Hamilton