SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

Transcription

1 SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the liste of squares in (Z/Z). How many of them? Why? Let be an odd rime. For any integer one defines the Legendre symbol in the following way : = 0 if divides, = 1 if is a non-zero square modulo, = 1 if is not a square modulo. The ma induces a grou homomorhism from F onto {1, 1}. It is a character. Actually = 1 mod. This rovides a first method to comute this symbol efficiently. The famous quadratic recirocity law states that Theorem 1.1. If and q are odd (ositive) rime integers then ( q )( q ) = ( 1) ( 1)(q 1) 4. One can check this theorem on a few small eamles e.g. = 5 and q = 7 or = 5 and q = 3.. COMPUTIG SQUARE ROOTS I Z/Z Assume = 103 and = 46. One checks that mod 103 so 46 is a square modulo 103. We observe that is congruent to 3 modulo 4. So 1 = 51 is odd. The inverse of modulo 51 is 6. Indeed 6 = Set y = 6 mod 103. One has y = 1+51 = so y is a square root of. Comuting y = 6 is easy using fast eonentiation. On finds y = 46 mod 103. We thus have a very efficient method to comute square roots modulo a rime integer congruent to 3 modulo 4. 1

2 SQUARES I Z/Z Assume now that = 101 and = 13 mod 101. One checks that 50 1 mod 101 so is a square modulo 101. The order of in the grou (Z/101Z) divides de 50. The largest odd divisor of 50 is 5 but 5 1 mod 101. So the order of is even. We cannot comute a square root of as in the first eamle. To overcome this difficulty we assume that we know a non-quadratic residue z modulo 101. There are many of them since half of the non-zero residues are not squares. We ick a random integer z between and 1 and we comute z 50 mod 101. With robability 1 the result is 1 and we are done. For eamle z = 46 is fine since z 50 = 1 mod 101. Let us multily by z = 96 mod 101. We get X = z = 36 mod 101. And this time X 5 = 5 z 50 = 1 mod 101 so X has odd order. One easily comutes a square root of X by inverting modulo 5. Indeed 13 = 1+5 so X 13 is a square root of X. Set now y = X 13 z 1. One checks that y is a square root of. Attention : this is a robabilistic method. One does not know a general deterministic olynomial time algorithm to comute square roots modulo a rime. 3. SQUARES I Z/Z Let be an integer with rime decomosition = i e i i. From Chinese remainder theorem we know that an integer is a square modulo if and only if it is a square modulo every e i i. One can comute a square root of by first comuting square roots module every e i i then glue these square roots thanks to Chinese remainder theorem. This is efficient if we know the factorization of. In case = and = 3 we find four square roots in this way. In general, if is odd and has I rime factors one finds k square roots for each in (Z/Z). Conversely, if we have a black bo that returns a square root for any residue modulo then we can find non trivial factors of. Why? We say that there is a robabilistic reduction of the roblem of factoring integers to the roblem of comuting square roots modulo integers. There is also a robabilistic reduction of the roblem of comuting square roots modulo integers to the roblem of factoring integers. So these two roblems have similar comleity (at least in the robabilistic world). 4. THE JACOBI SYMBOL Assume 3 is an odd integer and les = i e i i be its rime decomosition. One defines the Jacobi symbol as = ei. i i The symbol only deends on the class of modulo. It has many evident multilicative roerties inherited from the Legendre symbol. For eamle = 0 if and only if a and a b b are not corime. The quadratic recirocity law can be etended to Jacobi symbols.

3 SQUARES I Z/Z 3 Theorem 4.1 (Gauss). Let M 3 and 3 be odd corime integers. One has 1 = ( 1) M 1 and = ( 1) M 1 8 M and = ( 1) (M 1)( 1) 4. M M M Using this theorem one can quickly comute Jacobi symbols. The algorithm is very similar to Euclidean algorithm. When is not a rime, the Jacobi symbol does not suffice to distinguish quadratic residues from non-quadratic residues. For eamle if = q is a roduct of two distinct odd rimes and is rime to then = 1 if and only if is either a square modulo and modulo q or is neither a square modulo nore modulo q. In this last case one says that is a false square. It is considered to be difficult to distinguish true and false squares. 5. A ZERO-KOWLEDGE IDETIFICATIO PROTOCOL Identification is a crucial need to secure communications. One needs to check the identity of one s contacts. Assume Carole belongs to a secret organization. She needs to contact James. She never met him. In order to avoid any infiltration of the organization, each of them must be able to check that he his dealing with the other. Here is a ossible rotocol. James gets close to Carole and tells her BELOTE. Carole answers REBELOTE. If everything goes well Carole and James know that they are in contact with the right erson. We assume of course that the two asswords (BELOTE and REBELOTE) have been rovided by the organization to each of them. These asswords should be used only once. Otherwise some enemy may intercet and re-use them. Another concern is the man-in-the-middle attack. A false Carole (say Karole) may contact James. James would give her the assword BELOTE to rove himself. Then Karole would quickly contact Carole and send her the assword BELOTE. Carole would accet this assword and answer REBELOTE to Karole. ow Karole would be able to convince James that she is Carole. All these difficulties are consequences of the following two self contradictory rinciles (1) The identity is defined by the knowledge of some information (e.g. a assword) that must be ket secret. () Proving oneself is achieved by unveiling this information (e.g. sending the assword). Biometric identification techniques (fingerrints, iris recognition, voice identification,... ) may be a solution, but this is not the scoe of this tet. The following identification scheme is due to Feige, Fiat and Shamir. It is a Zero-Knowledge identification scheme. James can rove that he knows a secret without unveiling it. To start with, each member X of the organization chooses two large rime integers X and q X and comutes their roduct X = X q X. Then X chooses a random quadratic residue r X modulo X with uniform robability and a square root f X of r X. So f X = r X mod X. Indeed it is simler to choose f X first. The collection of all triles (X, X, r X ) is ublished in the honebook of the organization. The rime factors X and q X and the square root f X are only known to X. It is the knowledge of f X that distinguishes X.

4 4 SQUARES I Z/Z Before contacting James, Carole looks for the trile (J, J, r J ) in the honebook. She contacts the alleged James and try to make sure that he knows a square root of r J modulo. They interact as follows. (1) James icks a random quadratic residue z = u mod J (with uniform robability) and comutes t = zr J mod J. He sends t to Carole. () Carole chooses a random element ɛ (with uniform robability) in {1, 1} and send it to James. (3) If ɛ = 1 James sends u to Carole. Otherwise he sends a square root s of t modulo J (he knows such a square root s = uf J because he knows a square root of r J and a square root of z.) (4) If ɛ = 1, Carole comutes z = t/r J mod J and checks that z = u mod J. (5) If ɛ = 0, Carole checks that s = t mod J. This rotocol runs in time olynomial in log J. It can and should be reeated many (e.g. 1000) times. Carole accets if the condition checked at the last ste has been always satisfied. Otherwise she rejects. If James wants to rove himself, he can answer Carole s questions. And Carole learns nothing about James secret because she only gets a series of random quadratic residues modulo J. She could roduce such a series herself without the suort of James. So she receives no information from him. Assume an enemy (say Octous) claims to be James. He doesn t know any square root of r J. So he cannot know at the same time an s and a u such that s = t and u = z. So he fails to answer correctly with robability 1. When the rotocol is iterated n times the robability for Octous to cheat Carole is 1/ n. The security of the scheme relies on the difficulty of comuting square roots modulo a comosite integer. This is a hard roblem as long as factoring integers is hard. 6. FLIPPIG COIS WITH A TELEPHOE Alice and Bob want to fli a coin to decide who is going to dust-swee tomorrow. However they are not in the same room and they only can interact with a telehone or by mail. They need to ick a random element in {heads, tails} with uniform robability. one of them should be able to influence on the result. The following rotocol rovides a solution under the assumtion that false squares cannot be distinguished from true ones efficiently. (1) Bob chooses two large numbers and q. He comutes the roduct = q and sends it ( to Alice ) (he does not send and q). Bob chooses a residue modulo such that = 1 (with uniform distribution)) and he sends to Alice. () Alice receives and but she doesn t know ans q. So she doesn t know if is a true or a false square. She ick a random element ɛ (with uniform distribution) in {1, 1} and she sends it to Bob.

5 SQUARES I Z/Z 5 (3) Bob comares ɛ and. If they are equal then the result of the rotocol is heads and if they are different the result is tails. Bob sends his conclusion to Alice. He justifies it by transmitting and q. (4) Alice checks ( that ) and ( q) are rime integers and = q. She comutes the Legendre symbols and and checks Bob s claim. q This rotocol runs in time olynomial in log. The robability distribution on the outut is uniform as soon as one of the layers is honest (meaning he eecutes the rotocol correctly). If Bob cheats but Alice is honest then the distribution is uniform because the grou comosition of two random variables, one of which is uniform, is uniform too. If Alice wants to influence on the result she must guess some information about whether is a true or a false square. One assume that it is imossible to get any information about this in olynomial time.