jithin raj

8/10/2019 jithin raj

1/24

Introduction to Modern Cryptography

Lecture 6

1.Testing Primitive elements in Zp2.Primality Testing.

3.Integer Multiplication & Factoringas a One Way Function.


2/24

Testing Primitive Elements mod p

Let pbe a prime number so that the primefactorization of p-1is no!n"

p-1 # $1e1$%e% &$e '$1($%(&($primes)*

Theorem" gZpis a primitive element inZpiff

g(p-1)+$1( g(p-1)+$%(& ( g(p-1)+$ are all 1 mod p

,lgorithm"Efficiently compute allkpowers.Caveat"e$uires factorization of p-1*


3/24

Proof

. Ifgis a primitive mod pthengimod p/ 1 for all 1 0 i0p-%

. Ifgis not a primitive element mod p(let dbe the order ofg* ddivides p-1(let $be a prime divisor of 'p-1)+d(

then. gd# 1 mod p( ddivides 'p-1)+$( and sog'p-1)+$#1 mod p*


4/24

> isprime(!"#"$%

true> p'!"#"$ p ' )6*$)"++,))-,*+,"+,,,)*),6)$)$..6+))6$.$")+$"+".+$..*"*,)$

> a' (p#$%/ ' 0 printing supressed

> +!a mod p 0 na1ve e2ponentiation

3rror4 integer too large in conte2t 0in5easile

> + &! a mod p M7PL3 8as 9no:le

$ 0 t8us + is not a primitive element mod p

> veri5y (6 &! ((p#$%/% mod p 4 $4 e;ual%

5alse> i5actor(p#$4easy% 0 t8e


5/24

> p'!"#"$' 0 4+4.4,-."$4+$,+-" are t8e easy 5actors o5p#$

> veri5y (6 &! ((p#$%/+% mod p 4 $4 e;ual%

true

0 t8us 6 isnota primitive element mod p

> FactorsList'4+4.4,-."$4+$,+-"?'

> g'++"6' 0 a candidate primitive element (@ t8e $. t8I tried%

> 5or ; in FactorsList do

> print(;4veri5y(g &! ((p#$%/;% mod p4$4e;ual%% od

45alse

+45alse

.45alse

,-."$45alse

+$,+-"45alse

Testing Primitive Element 'cont*)

o far( %223%4loos lie a good candidate 'it passed all fivetests it !ent through)* 5o!ever( !e cannot no! for sure!ithout factoring1391408329525731694572885376794002392773810411297233333

*


6/24

http"++!!!*spd*dcu*ie+6ohnbcos+

from 7ohn Cosgrave( Math 8ept(t* Patric9s College(8ublin( IEL,:8*

Primality Testing

, prime number !ith%;;; digit '


7/24

Primality Testing

Input" , positive integer M( %n-1>M>%n

8ecision Problem" Is Ma composite number?

8ecision problem is in :P 'guess ? verify).

earch Problem" @ind prime factors ofM.

@actoring integers deterministically is no!no!n to be tractable


8/24

Primality Testing

Auestion" Is there a better !ay to solve thedecision problem 'test if Mis composite) thanby solving the search problem 'factoring M)?

Basic Idea olovay-trassen( 13DD:To sho! that Mis composite(enough to findevidencethat M doesnotbehave lie a prime.

uch evidence need not include any primefactor of M.


9/24

Primality Testing

Evidence that M isnonprime may come from@ermatFs little theorem:,ny 1> a> Msatisfying aM-1 1 suppliesconcrete evidence that M isnon prime'but nofactorization G )

EHample: >M'*))))))-""*:>769967665& (M#$)mod M;

$-6$".6- M iscomposite

ill J@ermat testK al!aysfind such evidence?


10/24

Primality Testing

There are some M !here@ermat test fails!

EHample: >M'.."++"*"$"'>769967665& (M#$)mod M;

1>3222223664& (M#$)mod M;

1

ell( maybeM isprimeafter all?>gcd(66$"4M%;

66$"

End of story regarding M


11/24

Aarmic8ael Bumers

Composites M !here @ermat test fails

(aM-1=1)for mosta,1(M#$)mod 15442 ; (M-1) mod 6618; (M-1) mod 2206;0

0

0

Theorem" Mis a Carmichael number iff

M#p1p

%p

2&p

' % )( allp

iare distinct primes,

and every pi satisfies pi-1 dividesM-1.

Carmichael numbers" are( still infinitely many.

EHample


12/24

3vidence t8atM isnonprime

, !itness a( 1 > a > M such that either

1* gcd' a (M) >1 implies Mhas nontrivial factors *

2.aM-1 1mod M implies the size of themultiplicative group MNis smaller than M-1.

3.a%#1mod M but a M -1 implies 1has more than t!os$uare rootsin M*.


13/24

Cac9 to our 5avoriteM.."++"*"$"Being a Carmichael number( !e !onFt easily

find a !itness that is either a non trivialfactor or fluns the @ermat test.8enote M-1#%r* o bM-1# 'br)% # 1mod M.

If br M -1 mod M( then a#br is a !itnessof type '2).

>769967665& ((M#$)/2)mod M;

187977462064

>3222223664& ((M#$)/2)mod M;

206734298217

Ootcha!In both casesa% # 1 buta M -1.


14/24


15/24

Let M-1#%

r!here ris odd.Pic 1> b>M.Compute mod M

a;# br

( a1# 'a;)%

( a%# 'a1)%

(&( a# 'a-1)%

.1.If a 1 then M iscomposite.

Let6 be the smallest indeH !itha6 # 1mod M.

2.If ; >6 and a6-1 M-1thenM iscomposite.

3vidence t8atM isAomposite

Call b satisfying'1)or'%) a smart !itness.


16/24

Miller T8eorem ($"**%

Let M#%rQ1!here ris odd.If M is composite thenthereisN a small smart !itness b

(small means b> 'log M)%.

*,ssuming a 'yet) unproven number theoreticstatement" The eHtended iemann hypothesis


17/24

Eain T8eorem ($")-%

Let M#%rQ1!here ris odd.If M is composite thenat least2M+< of allb in the range

1 Mare smart !itnesses.

:o assumption re$uired( and proof employsonly elemetrary tools.


18/24

Miller#Eain Primality Testing

Input" dd integer M'%n-1 > M > %n).epeat 1;; times:Pic bat random '1> b>M).

Chec if b isasmart !itness ' poly'n) time).

If one or more b isasmart !itness( outputMis composite.

ther!ise output JMis prime.


19/24


20/24

Primality Testing

In terms of compleHity classes( this algorithm(and its predecessor( olovay-trassen

algorithm) imply

Composites RP

RP=Random Poly Time one sided error.Easy fact! RP is contained in "P.


21/24


22/24

Crea9ing Be:s' Primes is in P

Manindra 7gra:al4 BeeraG Hayal4 Bitina2ena 4 India Institute o5 Tec8nology4

Hanpur'


23/24

Integer Multiplication & Factoring

as a One Way FunctionJ

p# $=p#

%ard

easy

&.! 'an a pu(lic key system (e (ased

on t%is o(servation?????


24/24

Be2t uGect

,*" , public ey cryptosystem

hamir ,delmanivest

Documents

jithin raj