10 Numth Annotated

7/30/2019 10 Numth Annotated

1/45

Intro.NumberTh

Nota3on

Online Cryptography Course


2/45

Background

Wewilluseabitofnumbertheorytoconstruct:

Keyexchangeprotocols Digitalsignatures Public-keyencryp3onThismodule:crashcourseonrelevantconcepts

Moreinfo: readpartsofShoupsbookreferenced

atendofmodule


3/45

Nota3on

Fromhereon:

Ndenotesaposi3veinteger. pdenoteaprime.Nota3on:

Candoaddi3onandmul3plica3onmoduloN


4/45

Modulararithme3c

Examples:letN=12

9+8=5in

57=11in

57=10in

Arithme3cinworksasyouexpect,e.gx(y+z)=xy


5/45

Greatestcommondivisor

Def:Forints.x,y:gcd(x,y)isthegreatestcommon

Example: gcd(12,18)=6

Fact:forallints.x,ythereexistints.a,bsuchthat

a x+b y=gcd(x,y)a,bcanbefoundefficientlyusingtheextendedE

Ifgcd(x,y)=1wesaythatxandyarerela5velyprime


6/45

Modularinversion

Overthera3onals,inverseof2is.Whatabout

Def:Theinverseofxinisanelementyins.t.

yisdenotedx-1.

Example:letNbeanoddinteger.Theinverseof2


7/45

Modularinversion

Whichelementshaveaninversein?

Lemma:xinhasaninverseifandonlyifgcd

Proof:

gcd(x,N)=1a,b:ax+bN=1

gcd(x,N)>1a:gcd(ax,N)>1ax


8/45

Morenota3on

Def: =(setofinver3bleelementsin)=

={x:gcd(x,N)=1}

Examples:

1. forprimep,2. ={1,5,7,11}

Forxin,canfindx-1usingextendedEuclidalgorit


9/45

Solvingmodularlinearequa3

Solve:a x+b=0in

Solu3on:x=b a-1in

Finda-1inusingextendedEuclid.Run3me:O(

Whataboutmodularquadra3cequa3ons?

nextsegments


10/45

EndofSegment


11/45

Intro.NumberTh

FermatandEule


R i


12/45

Review

Ndenotesann-bitposi3veinteger.pdenotesaprim

ZN ={0,1,,N-1} (ZN)* =(setofinver3bleelementsinZN)=

={xZN:gcd(x,N)=1}

CanfindinversesefficientlyusingEuclidalg.:3me=O


13/45

Fermatstheorem(1640)

Thm:Letpbeaprime

x (Zp)*:xp-1=1inZp

Example:p=5.4=81=1inZ5

So:x(Zp)*xxp-2=1x1=xp-2in

anotherwaytocomputeinverses,butlessefficient


14/45

Applica3on:genera3ngrandom

Supposewewanttogeneratealargerandomprime

say,primepoflength1024bits(i.e.p21

Step1:choosearandomintegerp[21024,21025

Step2:testif2p-1

=1inZpIfso,outputpandstop.Ifnot,gotostep1

Simplealgorithm(notthebest).Pr[pnotprime]0s.t.ga=

Examples:ord7()=6;ord7(2)=;ord7(1)=1

Thm(Lagrange):g(Zp)*:ordp(g)dividesp-1

E l li 3 f F


17/45

Eulersgeneraliza3onofFerma

Def:ForanintegerNdefine(N)=|(ZN)*|(Eule

Examples:(12)=|{1,5,7,11}|=4;(p)=

ForN=pq: (N)=N-p-q+1=(p-1)(q

Thm(Euler): x (ZN)*:x(N)=1inZN

Example:5(12)

=54=625=1inZ12

Generaliza3onofFermat.BasisoftheRSAcryptosyste


18/45

EndofSegment


19/45

Intro.NumberTh

Modularethroo



20/45

Modularethroots

Weknowhowtosolvemodularlinearequa3ons:

a x+b=0inZNSolu3on:x=b a

Whatabouthigherdegreepolynomials?

Example:letpbeaprimeandcZp.Canweso

x2c=0,yc=0,z7c=0


21/45

Modularethroots

LetpbeaprimeandcZp.

Def:xZps.t.xe=cinZpiscalledanethroot

Examples: 71/=6in

1/2=5in

11/=1in

21/2doesnotex

h


22/45

Theeasycase

Whendoesc1/einZpexist?Canwecomputeite

Theeasycase:supposegcd(e,p-1)=1

Thenforallcin(Zp)*:c1/eexistsinZpandiseas

Proof:letd=e-1inZp-1.Then

de=1inZp-1

The case e=2: square roo


23/45

Thecasee=2:squareroo

Ifpisanoddprimethengcd(2,p-1)1

Fact:in,xx2isa2-to-1func3on

Example:in:

Def:xinisaquadra5cresidue(Q.R.)ifithasasqua

poddprimethe#ofQ.R.inis(p-1)/2+

1 10

1

2 9

4

8

9

4 7

5

x

x

Eulers theorem


24/45

Euler stheorem

Thm:xin(Zp)*isaQ.R.x(p-1)/2=1inZp

Example:

Note:x0x(p-1)/2=(xp-1)1/2=11/2{1,-1}

Def:x(p-1)/2iscalledtheLegendreSymbolofxoverp

in:15,25,5,45,55,65,75,85

= 1-1111,-1,-1,-1,

Compu3ng square roots mo


25/45

Compu3ngsquarerootsmo

Supposep=(mod4)

Lemma:ifc(Zp)

*isQ.R.thenc=c(p+1)/4inZ

Proof:

Whenp=1(mod4),canalsobedoneefficiently,but

run3meO(logp)

S l i d 3 3


26/45

Solvingquadra3cequa3onsm

Solve:a x2+b x+c=0inZp

Solu3on:x=(-bb24 a c)/2ai

Find(2a)-1inZpusingextendedEuclid.

Findsquarerootofb24 a cinZp(ifoneexistusingasquarerootalgorithm

C 3 th t d N


27/45

Compu3ngethrootsmodN

LetNbeacompositenumberande>1

Whendoesc1/einZNexist?Canwecomputeite

Answeringtheseques3onsrequiresthefactoriza3ono

(asfarasweknow)


28/45

EndofSegment



29/45

Intro.NumberTh

Arithme3calgor


R 3 bi


30/45

Represen3ngbignums

Represen3ngann-bitinteger(e.g.n=2048)ona64-bi

Note:someprocessorshave128-bitregisters(ormore

andsupportmul3plica3ononthem

2bits 2bits 2bits 2bits

n/2blocks

Arithme3c


31/45

Arithme3c

Given:twon-bitintegers

Addi5onandsubtrac5on:linear3meO(n) Mul5plica5on:naivelyO(n2).Karatsuba(1960):

Basicidea:(2bx2+x1)(2by2+y1)withmu

Best(asympto3c)algorithm:aboutO(nlog

Divisionwithremainder:O(n2).

Exponen3a3on


32/45

Exponen3a3on

FinitecyclicgroupG(forexampleG=)

Goal:givenginGandxcomputegx

Example:supposex=5=(110101)2=2+16+4+1

Then:g5=g2+16+4+1=g2g16g4g1

gg2g4g8g16g32g3

The repeated squaring alg


33/45

Therepeatedsquaringalg

Input:ginGandx>0;Output:gx

writex=(xnxn-1x2x1x0)2

yg,z1

fori=0tondo:

if(x[i]==1):zzy

yy2

outputz

exa

Running 3mes


34/45

Running3mes

Givenn-bitint.N:

Addi5onandsubtrac5oninZN:linear3meT+= Modularmul5plica5oninZN:naivelyT=O(n2) Modularexponen5a5oninZN(gx):

O((logx)T)O((logx)n2)O


35/45

EndofSegment



36/45

Intro.NumberTh

Intractableprob

yp g p y

Easy problems


37/45

Easyproblems

GivencompositeNandxinZNfindx-1inZN Givenprimepandpolynomialf(x)inZp[x]

findxinZps.t.f(x)=0inZp(ifoneexists)

Running3meislinearindeg(f).

butmanyproblemsaredifficult

Intractable problems with pr


38/45

Intractableproblemswithpr

Fixaprimep>2andgin(Zp)*oforderq.

Considerthefunc3on:xgxinZp

Now,considertheinversefunc3on:

Dlogg(gx)=xwherexin{0,,q-2}

Example: in:1,2,,4,5,6,7,8

Dlog2():0,1,8,2,4,9,7,

DLOG: more generally


39/45

DLOG:moregenerally

LetGbeafinitecyclicgroupandgageneratorofG

G={1,g,g2,g,,gq-1}(qiscalledthe

Def:WesaythatDLOGishardinGifforallefficientalg

PrgG,xZq[A(G,q,g,gx)=x]


40/45

Compu3ngDlogin(Zp) (n-bit

Bestknownalgorithm(GNFS):run3meexp(

cipherkeysize modulussize

80bits 1024bits

128bits 072bits

256bits(AES) 1360bits

Asaresult:slowtransi3onawayfrom(modp)toellip

Ellip3cgrou

160

256

512

An applica3on: collision resist


41/45

Anapplica3on:collisionresist

ChooseagroupGwhereDlogishard(e.g.(Zp)*forlarg

Letq=|G|beaprime.Choosegeneratorsg,hofG

Forx,y{1,,q}defineH(x,y)=gx hyi

Lemma:findingcollisionforH(.,.)isashardascompu3n

Proof:SupposewearegivenacollisionH(x0,y0)=H(x1,

thengx0 h

y0=gx1 h

y1 gx0-x1=h

y1-y0 h=g

Intractable problems with comp


42/45

Intractableproblemswithcomp

Considerthesetofintegers:(e.g.forn=1024)

Problem1:FactorarandomNin(e.g.for

Problem2:Givenapolynomialf(x)wheredegree(f)

andarandomNin

findxins.t.f(x)=0in

:={N=pqwherep,qaren-bitp

The factoring problem


43/45

ThefactoringproblemGauss(1805):

Bestknownalg.(NFS):run3meexp()for

Currentworldrecord:RSA-768(22digits)

Work:twoyearsonhundredsofmachines Factoringa1024-bitinteger:about10003meshard

likelypossiblethisdecade

Theproblemofdis0nguishingprimenum

compositenumbersandofresolvingthe

theirprimefactorsisknowntobeoneofimportantandusefulinarithme0c.

Further reading


44/45

Furtherreading

AComputa3onalIntroduc3ontoNumberTheoryanV.Shoup,2008(V2),Chapter1-4,11,12

Availableat//shoup.net/ntb/ntb-v2.pdf


45/45

EndofSegment

Documents

10 Numth Annotated