Download 4 Number Theory 1 4.1 Divisors

CA642: C RYPTOGRAPHY AND N UMBER T HEORY
4
4.1
1
Number Theory 1
Divisors
Division
Let a and b be integers. We say that a divides b, or a|b if:
∃d s.t. b = ad
If b 6= 0 then |a| ≤ |b|.
Division Theorem: For any integer a and any positive integer n, there are unique integers q and r such that 0 ≤ r < n and a = qn + r.
The value r = a mod n is called the remainder or the residue of the division.
Theorem: If d|a and d|b then d|(xa + yb) for any integers x, y.
Proof: a = rd and b = sd for some r, s. Therefore, xa + yb = xrd + ysd = d(xr + ys),
so d|(xa + yb)
Greatest Common Divisor
For integers a and b:
The greatest common divisor gcd(a,b) is defined as follows:
gcd(a,b) = max(d : d|a and d|b) (a 6= 0 or b 6= 0).
Note: This definition satisfies gcd(0,1) = 1.
The lowest common multiple lcm(a,b) is defined as follows:
lcm(a,b) = min(m > 0 s.t. a|m and b|m) (for a 6= 0 and b 6= 0).
a and b are coprimes (or relatively prime) iff gcd(a,b) = 1.
Prime Numbers
An integer p ≥ 2 is called prime if it is divisible only by 1 and itself.
Fundamental Theorem of Arithmetic: every positive number can be represented as a
product of primes in a unique way, up to a permutation of the order of primes.
There are infinitely many primes
• Euclid gave simple proof by contradiction (c. 300BC).
The number of primes ≤ n : π(n) ≈ n/ln n
• Even though the number of primes is infinite, the density of primes gets increasingly sparse as n → ∞.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
4.2
2
Modular Arithmetic
Modular Arithmetic
Modular arithmetic is fundamental to modern public key cryptosystems.
Given integers a, b, N ∈ Z we say that a is congruent to b modulo N:
a≡b
(mod N) iff N divides b − a
Often we are lazy and just write a ≡ b if it is clear we are working modulo N.
The modulo operator is like the C-operator %.
Example: 16 ≡ 1 (mod 5) since 16-1 = 3 × 5
Modular Arithmetic
For convenience we define the set:
ZN = {0, . . . , N − 1}
which is the set of remainders modulo N.
It is clear that given N, every integer a ∈ Z is congruent modulo N to an element in the
set ZN , since we can write:
a = q×N +r
with 0 ≤ r < N and a ≡ r (mod N)
Modular Arithmetic
The set ZN has two operations defined on it.
• Addition
– 11 + 13 mod 16 ≡ 24 (mod 16) ≡ 8 (mod 16).
• Multiplication
– 11 × 13 (mod 16) ≡ 143 (mod 16) ≡ 15 (mod 16).
Given integers a, b ∈ Z we have:
• a + b (mod N) ≡ (a (mod N) + b (mod N)) (mod N)
• a − b (mod N) ≡ (a (mod N) − b (mod N)) (mod N)
• a × b (mod N) ≡ (a (mod N) × b (mod N)) (mod N)
Multiplicative Inverse
Division a/b in modular arithmetic is performed by multiplying a by the multiplicative
inverse of b.
The multiplicative inverse of b ∈ ZN is an element denoted b−1 ∈ ZN with:
bb−1 ≡ b−1 b ≡ 1
Theorem: b ∈ ZN has a unique inverse modulo N iff b and N are relatively prime i.e.
gcd(b,N) = 1.
Theorem: If p is a prime then every non-zero element in Z p has an inverse.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
3
Multiplicative Inverse
Consider Z10 :
• 3 has a multiplicative inverse, since gcd(3,10)=1.
– 3 × 7 ≡ 21 ≡ 1 (mod 10).
• 5 has no multiplicative inverse, since gcd(5,10)=5.
– We have the following table:
0×5 ≡ 0
1×5 ≡ 5
2×5 ≡ 0
3×5 ≡ 5
5×5 ≡ 0
(mod
(mod
(mod
(mod
(mod
10)
10)
10)
10)
10)
5×5 ≡ 5
6×5 ≡ 0
7×5 ≡ 5
8×5 ≡ 0
9×5 ≡ 5
(mod
(mod
(mod
(mod
(mod
Modular Arithmetic
1. Addition is closed:
∀a, b ∈ ZN : a + b ∈ ZN
2. Addition is associative:
∀a, b, c ∈ ZN : (a + b) + c ≡ a + (b + c)
3. 0 is an additive identity:
∀a ∈ ZN : a + 0 ≡ 0 + a ≡ a
4. The additive inverse always exists:
∀a ∈ ZN : a + (N − a) ≡ (N − a) + a ≡ 0
5. Addition is commutative:
∀a, b ∈ ZN : a + b ≡ b + a
Modular Arithmetic
6. Multiplication is closed:
∀a, b ∈ ZN : a × b ∈ ZN
7. Multiplication is associative:
∀a, b, c ∈ ZN : (a × b) × c ≡ a × (b × c)
Geoff Hamilton
10)
10)
10)
10)
10)
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
4
8. 1 is a multiplicative identity:
∀a ∈ ZN : a × 1 ≡ 1 × a ≡ a
9. Multiplication is commutative:
∀a, b ∈ ZN : a × b ≡ b × a
10. Multiplication distributes over addition:
∀a, b, c ∈ ZN : (a + b) × c ≡ a × c + b × c
4.3
Groups, Rings and Fields
Groups
A group (S, ⊕) consists of a set S and an operation ⊕, satisfying:
• Closure: ∀a, b ∈ S : a ⊕ b ∈ S
• Associativity: ∀a, b, c ∈ S : a ⊕ (b ⊕ c) = (a ⊕ b) ⊕ c
• Identity element e: ∃e ∈ S : ∀a ∈ S : a ⊕ e = e ⊕ a = a
• Every element has an inverse element:
∀a ∈ S : ∃a−1 ∈ S : a ⊕ a−1 = a−1 ⊕ a = e
• The group S is called commutative or Abelian if:
∀a, b ∈ S : a ⊕ b = b ⊕ a
• The order of a group S, denoted by |S|, is the number of elements in S. If a group
S satisfies |S| < ∞ then it is called a finite group.
Groups
Integers, real numbers and complex numbers are groups under addition.
• the identity is 0, the inverse of x is −x
Non-zero real numbers and non-zero rational numbers are groups under multiplication.
• the identity is 1, the inverse of x is x−1
These are all examples of infinite Abelian groups.
Questions:
• Why are the integers not a group under multiplication?
• Why do we say non-zero real numbers above?
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
5
Modular Arithmetic
Going back to our 10 properties of modular arithmetic we see:
• Properties 1-4 say that ZN is a group with respect to addition.
• Property 5 says that the group ZN is abelian.
• Properties 1-10 say that ZN is a ring.
• Other rings you have seen before are the integers, real numbers and complex
numbers.
– These are all infinite rings, whereas ZN is a finite ring.
Fields
A field (S, ⊕, ⊗) is a set with two operations ⊕ and ⊗ and two special elements 0, 1
such that:
• (S, ⊕) is an abelian group with identity 0.
• (S \ {0}, ⊗) is an abelian group with identity 1.
• (S, ⊕, ⊗) satisfies the distributive law:
∀a, b, c ∈ S : a ⊗ (b ⊕ c) = (a ⊗ b) ⊕ (a ⊗ c)
Example fields: rational numbers, real numbers, complex numbers.
Finite Fields
A finite field is a field that contains a finite number of elements.
There is exactly one finite field of size (order) pn where p is a prime (called the characteristic of the field) and n is a positive integer.
If p is a prime Z p is the finite field GF(p) (note here that n = 1 and so is omitted).
Finite fields are of central importance in coding theory and cryptography.
GF(28 ) is of particular importance as an element can be represented in a single byte.
Polynomial Rings Z p [x]
The polynomial ring F[x] is the set of all polynomials over variable x with coefficients
in the field F.
For prime p, Z p [x] is the set of polynomials with coefficients mod p.
Arithmetic operations are the same as with polynomials except that coefficients are
calculated in Z p .
The polynomial ring Z2 [x] is quite frequently used in cryptographic applications as the
coefficients of the polynomial can be expressed in bits (e.g. x6 + x3 + 1 ≡ 01001001).
For example in Z2 [x]:
(1 + x + x2 ) + (x + x3 ) = 1 + x2 + x3
(1 + x + x2 )(x + x3 ) = x + x2 + x4 + x5
(1 + x + x2 )(x + x3 ) (mod x4 + 1) = 1 + x2
(since x + x2 + x4 + x5 = (x + 1)(x4 + 1) + (1 + x2 ))
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
6
Finite Fields Z p [x] (mod f (x))
A polynomial f (x) is said to be irreducible if f (x) cannot be expressed as a product of
two polynomials of lower degree.
f (x) = x2 + 1 is irreducible in Z3 but reducible in Z5 into (x + 2)(x + 3).
x7 + x + 1 and x7 + x3 + 1 are irreducible in Z2 .
If f (x) is an irreducible polynomial mod p of degree n then Z p [x] (mod f (x)) is a
finite field with pn elements.
For example in Z2 :
(x3 + 1)(x4 + 1) (mod x7 + x + 1) = x4 + x3 + x (x3 + 1)(x4 + 1)
(mod x7 + x3 + 1) = x4
Finite Fields Z2 [x] (mod f (x))
In the field Z2 [x] (mod f (x)) the addition (and subtraction) of elements is simply bitby-bit XOR. Multiplication is like regular multiplication without the carries. Doubling
an element is a simple bit shift.
When a calculation results in a number greater than m bits, it is reduced by XORing it
with a multiple of the irreducible polynomial.
The evaluation of xi in the finite field Z2 [x] (mod x3 + x + 1):
i
001
010
011
100
101
110
111
xi
010 = x
100 = x2
011 = x + 1
110 = x2 + x
111 = x2 + x + 1
101 = x2 + 1
001 = 1
(1000 ⊕ 1011 = 0011)
(1100 ⊕ 1011 = 0111)
(1110 ⊕ 1011 = 0101)
(1010 ⊕ 1011 = 0001)
Correspondence Between Integers and Polynomials
Z
≡ Z p [x]
Prime number p
≡ Irreducible polynomial f (x) of degree n
Zp
≡ Z p [x] (mod f (x))
Finite field with p elements ≡ Finite field with pn elements
Euler Groups
We define the set of invertible elements of ZN as:
Z∗N = {a ∈ ZN : gcd(a, N) = 1}
The set Z∗N is always a group with respect to multiplication and is called an Euler group.
When N is a prime p we have:
Z∗p = {1, . . . , p − 1}
Examples:
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
7
Z∗1 = {0}
Z∗2 = {1}
Z∗3 = {1, 2}
Z∗4 = {1, 3}
Z∗5 = {1, 2, 3, 4}
Z1 = {0}
Z2 = {0, 1}
Z3 = {0, 1, 2}
Z4 = {0, 1, 2, 3}
Z5 = {0, 1, 2, 3, 4}
Euler Totient Function φ (N)
Euler’s totient function φ (N) represents the number of elements in Z∗N :
φ (N) = |Z∗N | = |{a ∈ ZN : gcd(a, N) = 1}|
φ (N) is therefore the number of integers in ZN which are relatively prime to N.
We know that an element a ∈ ZN has a multiplicative inverse modulo N iff gcd(a,N) =
1.
Therefore, there are precisely φ (N) invertible elements in ZN .
Euler Totient Function φ (N)
Given the prime factorization of N:
n
N = ∏ pei i
i=1
we can compute φ (N) using the following formula:
n
φ (N) = ∏ pei i −1 (pi − 1)
i=1
The most important cases for cryptography are:
• If p is prime then:
φ (p) = p − 1
• If p and q are both prime and p 6= q then:
φ (pq) = (p − 1)(q − 1)
Lagrange’s Theorem
The order of an element a of a group (S, ⊗) is the smallest positive integer t such that
at = 1.
Lagrange’s Theorem:
If S is a group of size |S| = n then ∀a ∈ S : an = 1
Corollary: the order t of an element a ∈ S divides n = |S|, so if a ∈ Z∗N then the order
of a always divides φ (N)
Thus if a ∈ Z∗N then aφ (N) ≡ 1 (mod N), since |Z∗N | = φ (N) (Euler’s Theorem).
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
8
Fermat’s Little Theorem
Not to be confused with Fermat’s Last Theorem . . .
Fermat’s Little Theorem:
if p is a prime then a p ≡ a (mod p)
Fermat’s Little Theorem is a special case of Lagrange’s Theorem.
4.4
Calculating Multiplicative Inverses
Greatest Common Divisor (GCD)
We need a method to determine when a ∈ ZN has a multiplicative inverse and compute
it when it does.
We know this happens iff gcd(a,N) = 1.
Therefore we need to compute the GCD of two integers a, b ∈ Z.
• This is easy if we know the prime factorization of a and b, since:
β
min(αi ,βi )
a = ∏ pαi i and b = ∏ pi i ⇒ d = gcd(a, b) = ∏ pi
• However, factoring is a very expensive operation, so we cannot use the above
formula.
• A much faster algorithm to compute GCDs is Euclids algorithm.
GCD - Euclidean Algorithm
To compute the GCD of r0 = a and r1 = b we compute:
r0
r1
=
=
..
.
q1 r1 + r2
q2 r2 + r3
rm−2
rm−1
=
=
qm−1 rm−1 + rm
qm rm
If d divides a and b then d divides r2 , r3 , r4 and so on.
Therefore: gcd(a, b) = gcd(r0 , r1 ) = gcd(r1 , r2 ) = · · · = gcd(rm−1 , rm ) = rm
GCD - Euclidean Algorithm
As an example of this algorithm we want to show that:
3 = gcd(21,12)
Using the Euclidean algorithm we compute gcd(21,12) as:
gcd(21,12)
Geoff Hamilton
=
=
=
=
=
=
gcd(21 (mod 12),12)
gcd(9,12)
gcd(12 (mod 9),9)
gcd(3, 9)
gcd(9 (mod 3),3)
gcd(0,3) = 3
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
9
XGCD - Extended Euclidean Algorithm
Using the Euclidean algorithm, we can determine when a has an inverse modulo N i.e.
iff gcd(a,N) = 1.
• But we do not know yet how to compute the inverse.
Solution: use an extended version of the Euclidean algorithm.
Recall that during the Euclidean algorithm we had:
ri−2 = qi−1 ri−1 + ri
and finally rm = gcd(r0 ,r1 ).
Now we unwind the above and write each ri , i ≥ 2 in terms of a and b.
XGCD - Extended Euclidean Algorithm
Unwinding the various steps in the Euclidean algorithm gives:
r2
r3
.
ri−2
ri−1
ri
rm
=
=
..
.
r0 − q1 r1 = a − q1 b
r1 − q2 r2 = b − q2 (a − q1 b) = −q2 a + (1 + q1 q2 )b
=
=
=
=
..
.
si−2 a + ti−2 b
si−1 a + ti−1 b
ri−2 − qi−1 ri−1
a(si−2 − qi−1 si−1 ) + b(ti−2 − qi−1ti−1 )
=
sm a + tm b
The XGCD takes as input a and b and outputs sm ,tm , rm such that:
rm = gcd(a, b) = sm a + tm b
XGCD - Multiplicative Inverse
Given a, N ∈ Z we can compute d, x, y using XGCD such that:
d = gcd(a, N) = xa + yN
Considering the above equation modulo N we get:
d ≡ xa + yN
(mod N) ≡ xa (mod N)
Thus if d = 1 then a has a multiplicative inverse given by:
a−1 ≡ x
(mod N)
Remark: the more general equation ax ≡ b (mod N) has precisely d = gcd(a,N) solutions iff d divides b.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
4.5
10
Calculating Modular Exponents
Modular Exponentiation
Given a prime p and a ∈ Z∗p we want to calculate ax (mod p).
It does not make sense to compute y = ax and then y (mod p).
Consider 1235 (mod 511) = 28153056843 (mod 511) = 359
There is a large intermediate result so this method takes a very long time and a great
deal of space for large a, x and p.
1235 (mod 511) could also be calculated as follows:
a
a2
a3
a4
a5
=
=
=
=
=
123
a × a (mod 511) = 310
a × a2 (mod 511) = 316
a × a3 (mod 511) = 32
a × a4 (mod 511) = 359
This requires four modular multiplications; it is still far too slow.
Modular Exponentiation
It is much better to compute this example using the steps below:
a
a2
a4
a5
=
=
=
=
123
a × a (mod 511) = 310
a2 × a2 = 310 × 310 (mod 511) = 32
a × a4 = 123 × 32 (mod 511) = 359
This requires only 3 multiplications.
This shows that if we consider the binary representation of the exponent x = xn−1 xn−2 . . . x1 x0 ,
then the value represented by each bit of the exponent xi can be obtained by squaring
the value represented by the previous bit xi−1 .
Multiplication is required for every bit which is set after the first one.
Thus for an exponent with n bits of which t bits are set, n − 1 squarings and t − 1
multplications.
Modular Exponentiation
This suggests an algorithm which works through the exponent one bit at a time squaring
and multiplying.
This is commonly known as the square and multiply algorithm.
Right to left variant for calculating y = ax (mod p):
y = 1
for i = 0 to n-1 do
if xi = 1 then y = (y*a) mod p
a = (a*a) mod p
end
Left to right variant for calculating y = ax (mod p):
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
11
y = 1
for i = n-1 downto 0 do
y = (y*y) mod p
if xi = 1 then y = (y*a) mod p
end
Chinese Remainder Theorem (CRT)
Consider N = 15 = 3 × 5.
We can represent every element a of ZN by its coordinates (a (mod 3), a (mod 5)).
This leads to the following table:
0
1
2
0
0
10
5
1
6
1
11
2
12
7
2
3
3
13
8
4
9
4
14
Note that all elements in ZN have different coordinates, i.e. given (a1 , a2 ) with 0 ≤
a1 < 3 and 0 ≤ a2 < 5 we can reconstruct a.
Chinese Remainder Theorem (CRT)
Consider N = 24 = 4 × 6.
We can represent every element a of ZN by its coordinates (a (mod 4), a (mod 6)).
This leads to the following table:
0
1
2
3
0
0/12
1
2
8/20
1/13
6/18
3
9/21
2/14
7/19
4
4/16
5
5/17
10/22
3/15
11/23
Note that a and a + 12 (mod 24) map to the same coordinates.
Therefore, given (a1 , a2 ) with 0 ≤ a1 < 4 and 0 ≤ a2 < 6 we cannot uniquely reconstruct a.
Chinese Remainder Theorem (CRT)
The previous examples indicate that if N = n1 × n2 with gcd(n1 ,n2 ) = 1, we can replace
computing modulo N by computing modulo n1 and modulo n2 :
ZN ∼
= Zn1 × Zn2 iff gcd(n1 ,n2 ) = 1
If N = n1 × n2 then it is very easy to compute the coordinates of a ∈ ZN , since these
are simply (a (mod n1 )), a (mod n2 )).
However, given the coordinates (a1 , a2 ) with 0 ≤ a1 < n1 and 0 ≤ a2 < n2 how do we
compute the corresponding a?
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
12
Chinese Remainder Theorem (CRT)
We can reformulate our reconstruction problem as:
Given: N = n1 × n2 with gcd(n1 , n2 ) = 1
Compute: x ∈ ZN with x ≡ a1 (mod n1 ) and x ≡ a2 (mod n2 )
Example: If x ≡ 4 (mod 7) and x ≡ 3 (mod 5) then we have:
x ≡ 18 (mod 35)
How did we work this out?
CRT - Example
We want to find x ∈ ZN with N = 35 such that:
x≡4
(mod 7) and x ≡ 3
(mod 5)
Therefore, for some n ∈ Z we have:
x = 4 + 7n and x ≡ 3
(mod 5)
Substituting the equality in the second equation gives:
4 + 7n ≡ 3
(mod 5)
Therefore, n is given by the solution of:
2n ≡ 7n ≡ 3 − 4 ≡ 4
(mod 5)
Hence we can compute n as n ≡ 4/2 (mod 5) ≡ 2 (mod 5), so:
x ≡ 4 + 7n ≡ 4 + 7 × 2 ≡ 18
(mod 35)
CRT - General Case
Let n1 , . . . , nk be pairwise relatively prime and let a1 , . . . , ak be integers.
We want to find x modulo N = n1 n2 · · · nk such that:
x ≡ ai (mod ni ) for all i
The CRT guarantees a unique solution given by:
k
x = ∑ ai × Ni × yi
(mod N)
i=1
Ni = N/ni and yi = Ni−1 (mod ni )
Note that Ni ≡ 0 (mod n j ) for j 6= i and that Ni × yi ≡ 1 (mod ni )
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
13
CRT - General Case Example
We want to find the unique x modulo N = 1001 = 7 × 11 × 13 such that:
x ≡ 5 (mod 7) and x ≡ 3 (mod 11) and x ≡ 10 (mod 13)
We compute:
N1 = 143, y1 = 5 and N2 = 91, y2 = 4 and N3 = 77, y3 = 12.
Then we reconstruct x as:
x
k
≡
∑ ai × Ni × yi (mod N)
≡
≡
5 × 143 × 5 + 3 × 91 × 4 + 10 × 77 × 12 (mod 1001)
894 (mod 1001)
i=1
CRT - Modular Exponentiation
Let N = 55 = 5 × 11 and suppose we want to compute 2737 (mod N).
This can be done in a number of ways:
• Really stupid: using 36 multiplications modulo 55:
(((27 × 27) (mod N)) × 27 (mod N)) · · · 27 (mod N)
• Less stupid: using 5 squarings and 2 multiplications modulo 55:
5
2
((272 (mod N)) × 272 (mod N)) × 27 (mod N)
• Rather intelligent: using 5 squarings and 2 multiplications modulo 5 and modulo
11 and CRT to combine both results.
• Really intelligent: using Lagrange’s theorem, a few multiplications modulo 5
and 11 and CRT to combine both results.
4.6
Primitive Roots
Generators
For a ∈ Z∗n the set {a0 , a1 , a2 , a3 , . . .} is called the group generated by a, denoted hai.
The order of a ∈ Z∗n is the size of hai, denoted |hai|.
Examples for Z∗7 :
h3i = {1, 3, 2, 6, 4, 5}, so the order of 3 is 6
h2i = {1, 2, 4}, so the order of 2 is 3
h1i = {1}, so the order of 1 is 1
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
14
Primitive Roots
a ∈ Z∗n is called a primitive root of Z∗n if the order of a is φ (n).
Not all groups possess primitive roots e.g. Z∗n where n = pq and p, q are odd primes.
If Z∗n possesses a primitive root a, then Z∗n is called cyclic.
If a is a primitive root of Z∗n and b ∈ Z∗n then ∃x s.t. ax ≡ b (mod n). This x is called
the discrete logarithm or index of b modulo n to the base a.
Examples for Z∗7 :
3 is a primitive root: {30 , 31 , 32 , 33 , 34 , 35 } = {1, 3, 2, 6, 4, 5} = Z∗7
2 is not a primitive root: {20 , 21 , 22 , 23 , 24 , 25 } = {1, 2, 4} 6= Z∗7
Primitive Roots
A primitive root exists in Z∗n iff n has a value 2, 4, pk or 2pk for some odd prime p and
integer k.
To determine whether a is a primitive root of Z∗n , we need to show for all prime factors
p1 , . . . , pk of φ (n) that:
∀i ∈ {1 . . . k} : aφ (n)/pi 6= 1
This can be determined using modular exponentiation.
For a prime p the number of primitive roots mod p is φ (p − 1)
4.7
Quadratic Residues
Quadratic Residues
An integer q is called a quadratic residue modulo n if there exists an integer x such that:
x2 ≡ q
(mod n)
Integer x is called the square root of q (mod n).
If no such integer x exists, q is called a quadratic nonresidue modulo n.
x
0 1 2 3 4 5 6 7 8
Example (n = 11): 2
x (mod 11) 0 1 4 9 5 3 3 5 9
There are six quadratic residues modulo 11: 0, 1, 3, 4, 5, and 9.
There are five quadratic non-residues modulo 11: 2, 6, 7, 8, 10.
9
4
10
1
Quadratic Residues
If p is a prime exactly half of the numbers in Z∗p are quadratic residues.
Euler’s Criterion: Given odd prime p and q ∈ Z∗p :
• q is a quadratic residue iff q(p−1)/2 ≡ 1 (mod p).
• q is quadratic nonresidue, iff q(p−1)/2 ≡ −1 (mod p).
A quadratic residue q ∈ Z∗p cannot be a primitive root, since q(p−1)/2 ≡ 1 (mod p) and
the order of a primitive root is p − 1.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
15
Quadratic Residues Modulo n = pq
Let n = pq where p and q are large primes.
If a ∈ Z∗n is a quadratic residue modulo n, then a has exactly four square roots modulo
n in Z∗n .
Therefore exactly a quarter of the numbers in Z∗n are quadratic residues modulo n.
4.8
Calculating Modular Square Roots
Legendre’s Symbol
If p is a prime and a is an integer.

 0,
if a|p
a
+1, if a is a quadratic residue modulo p
Legendre’s symbol
=

p
−1, if a is a quadratic non-residue modulo p
a
p
By Euler’s criterion:
= a(p−1)/2 (mod p).
Legendre’s Symbol
Properties of Legendre’s symbol:
1. a ≡ b (mod p) ⇒ ap = bp
2.
3.
4.
5.
ab
p
1
p
−1
p
2
p
=
a
p
b
p
=1
=
1,
if p ≡ 1 (mod 4)
−1, if p ≡ 3 (mod 4)
2 −1)/8
= (−1)(p
6. If p and q are odd primes:
p
q
= (−1)((p−1)/2)((q−1)/2)
q
p
Jacobi’s Symbol
Jacobi’s symbol is a generalization of Legendre’s symbol to composite numbers.
If n is odd with prime factorization n = p1 × p2 × . . . × pk and a is relatively prime to
n:
Jacobi’s symbol na = pa1 × pa2 × . . . × pa
k
a
n = −1 ⇒ a is a quadratic non-residue
a
n = 1 ; a is a quadratic residue
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
Jacobi’s Symbol
Properties of Jacobi’s symbol:
1. a ≡ b (mod n) ⇒ na =
b
a
2. ab
n = n
n
a
a
a
3. mn = m n
4. 1n = 1
(n−1)/2
5. −1
n = (−1)
2
6. n2 = (−1)(n −1)/8
b
n
16
7. If m and n are odd co-primes:
m
n
= (−1)((m−1)/2)((n−1)/2)
n
m
Computing Square Roots Modulo a Prime
If the Legendre symbol is -1, then there is no solution.
If p is a prime and a is a quadratic residue modulo p then:
a(p−1)/2 ≡ 1 (mod p) (by Euler’s criterion).
Multiplying both sides by a:
a(p+1)/2 ≡ a (mod p)
Taking the square roots of both sides:
±a(p+1)/4 ≡
√
a (mod p)
If p ≡ 3 (mod 4), then (p + 1)/4 is an integer, and this can be used to calculate the
square root.
Computing Square Roots Modulo a Prime
If p is a prime s.t. p ≡ 5 (mod 8) and a is a quadratic residue modulo p then:
a(p−1)/2 ≡ 1 (mod p) (by Euler’s criterion).
so a(p−1)/4 ≡ ±1 (mod p)
If a(p−1)/4 ≡ 1 (mod p) then:
√
a = a(p+3)/8 (mod p)
If a(p−1)/4 ≡ −1 (mod p) then:
√
a = 2a(4a)(p−5)/8 (mod p)
If p is a prime s.t. p ≡ 1 (mod 8) and a is a quadratic
residue modulo p the probab√
lisitic Shanks’ algorithm can be used to calculate a.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
17
Computing Square Roots Modulo a Prime
Shanks’ algorithm for square roots modulo p:
Choose a random n until one is found such that (n/p) = −1
Let e, q be integers such that q is odd and p − 1 = 2e q
y = nq (mod p)
r = e
x = a(q−1)/2 (mod p)
b = ax2 (mod p)
x = ax (mod p)
while b 6= 1 (mod p) do
m
Find the smallest m such that b2 = 1 (mod p)
r−m−1
t = y2
(mod p)
2
y = t (mod p)
r = m
x = xt (mod p)
b = by (mod p)
end
return x
Computing Square Roots Modulo n = pq
If the Jacobi symbol is -1, then√there is no solution. √
If a is a quadratic residue and a (mod p) = ±x √
and a (mod q) = ±y, then we can
use the Chinese Remainder Theorem to calculate a.
Example:
Compute the square root of 3 modulo 11 × 13
√
3
(mod
11) = ±5
√
3 (mod 13) = ±4
Using the Chinese Remainder Theorem, we can calculate the four square roots as 82,
126, 17 and 61.
Computing Cube Roots Modulo a Prime
If p is a prime, the cube root of x can be computed as follows:
√
−1
3
x = x3
(mod φ (p))
(mod p)
(mod p−1)
(mod p)
Since φ (p) = p − 1, we have:
√
−1
3
x = x3
This depends on 3 having
a multiplicative inverse modulo p − 1.
√
Example: calculate 3 3 (mod 11)
Since
gcd(3,10) = 1, 3−1 (mod 10) exists and has the value 7.
√
3
3 (mod 11) = 37 (mod 11) = 9
The same idea can be easily extended to the problem of extracting rth roots, for any
odd value of r. For even r, since p − 1 is also even, it has the factor 2 in common, so
no multiplicative inverse exists.
Geoff Hamilton
CA642: C RYPTOGRAPHY AND N UMBER T HEORY
18
Computing Cube Roots Modulo a Prime
There is a simpler way of calculating cube roots.
Unique cube roots will only exist if p ≡ 2 (mod 3) (if p ≡ 1 (mod 3) then p − 1 would
be a multiple of 3).
In this case we can find the cube-rooting exponent directly as:
(2(p − 1) + 1)/3
This is clearly congruent to 1/3 (mod p − 1), and evaluates to a whole number.
For p=11, it evaluates as 7.
Geoff Hamilton