CS 6260 Some number theory. Groups

Transcription

1 Let Z = {..., 2, 1, 0, 1, 2,...} denote the set of integers. Let Z+ = {1, 2,...} denote the set of ositive integers and = {0, 1, 2,...} the set of non-negative integers. If a, are integers with > 0 then there are uniue integers r, such that a = + r and 0 # r <. CS 6260 Some number theory We associate to any ositive integer the following two sets: Z ={0, 1,..., 1}, Z ={ i!z : 1#i#1 and gcd(i,)=1 } Grous Def. Let G be a non-emty set and let! denote a binary oeration on G. We say that G is a grou if it has the following roerties: 1. Closure: For every a, b G it is the case that a! b is also in G. 2. Associativity: For every a, b, c G it is the case that (a! b)! c = a! (b! c 3. Identity: There exists an element 1 G such that a! 1 = 1! a = a for all a G. 4. Invertibility: For every a G there exists a uniue b G such that a! b = b! a = 1. inverse, denoted a -1 Fact. Let be a ositive integer. Then Z is a grou under addition modulo, and Z* is a grou under multilication modulo. In any grou, we can define an exonentiation oeration: if i = 0 then a i is defined to be 1, if i > 0 then a i = a! a!!! a (i times) if i < 0 then a i = a -1! a -1!!! a -1 (j=-i times) For all a G and all i,j Z: i+j i j a = a! a i j (a ) = a ij a -i = (a i ) -1 = (a -1 ) i

2 The order of a grou is its size Fact. Let G be a grou and let m = G be its order. Then a m = 1 for all a G Fact. Let G be a grou and let m = G be its order. Then a i = a i mod m for all a G and all i Z. Examle. Let us work in the grou Z * 21 ={1, 2, 4, 5, 8, 10,, 13, 16, 17, 19, 20} under the oeration of multilication modulo 21. m=12. If G is a grou, a set S G is called a subgrou if it is a grou in its own right, under the same oeration as that under which G is a grou. If we already know that G is a grou, there is a simle way to test whether S is a subgrou: it is one if and only if x! y 1 S for all x, y S. Here y 1 is the inverse of y in G. Fact. Let G be a grou and let S be a subgrou of G. Then the order of S divides the order of G mod 21 = 5 86 mod 12 mod 21 = 5 2 mod 12 mod 21 = 25 mod 21 = 4 Algorithms and their running times Since in crytograhy we will be working with BIG numbers, the comlexity of algorithms taking numbers as inuts is measured as a function of the bit-length of the numbers. E.g. PrintinBinary (A), where A=2 k takes k oerations Some basic algorithms Algorithm Inut Outut Running Time IT-DIV a, ( > 0) (, r) with a = + r and 0 r < O( a ) MOD a, ( > 0) a mod O( a ) EXT-GCD a, b ((a, b) (0, 0)) (d, a, b) with d = gcd(a, b) = aa + bb O( a b ) MOD-ADD a, b, (a, b Z ) (a + b) mod O( ) MOD-MULT a, b, (a, b Z ) ab mod O( 2 ) MOD-IV a, (a Z ) b Z with ab 1 (mod ) O( 2 ) MOD-EXP a, n, (a Z ) a n mod O( n 2 ) EXP G a, n (a G) a n G 2 n G-oerations

3 Cyclic grous and generators If g G is any member of the grou, the order of g is defined to be the least ositive integer n such that g n = 1. We let <g> = { g i : i Z n } = {g 0,g 1,..., g n-1 } denote the set of grou elements generated by g. This is a subgrou of order n. Def. An element g of the grou is called a generator of G if <g>=g, or, euivalently, if its order is m= G. Def. A grou is cyclic if it contains a generator. If g is a generator of G, then for every a G there is a uniue integer i Z m such that g i = a. This i is called the discrete logarithm of a to base g, and we denote it by DLog G,g (a DLog G,g (a) is a function that mas G to Z m, and moreover this function is a bijection. Examle. Let =. Then Z * = {1,2,3,4,5,6,7,8,9,10} has order # 1 = 10. We find the subgrous generated by grou elements 2 and 5. We raise them to the owers 0,...,9. i i mod i mod <2> = {1,2,3,4,5,6,7,8,9,10}=Z * <5> = {1,3,4,5,9} 2 is a generator and thus Z* is cyclic. DLog Z,2(a) The function of Z m to G defined by i! g i is called the discrete exonentiation function Choosing cyclic grou and generators The discrete log function is conjectured to be one-way (hard to comute) for some cyclic grous G. Due to this fact we often seek cyclic grous. Examles of cyclic grous: Z * for a rime, a grou of rime order We will also need generators. How to chose a candidate and test it? Fact. Let G be a cyclic grou and let m = G. Let 1!!! 1 n n be the rime factorization of m and let m i = m/ i for i = 1,...,n. Then g G is a generator of G if and only if for all i = 1,..., n: g m i $ 1. Examle. Let us determine all the generators of the grou Z. Its size is m = $() = 10, and the rime factorization of 10 is 2 1! 5 1. Thus, the test for whether a given a! Z is a generator is that a 2 % 1 (mod ) and a 5 $ 1 (mod Gen(Z ) = {2,6,7,8}. a 2 mod a 5 mod Double-checking: Z =10, Z 10 ={1,3,7,9} { 2 i G : i Z 10 }={ 2 1, 2 3, 2 7, 2 9 (mod )} = {2,6,7,8} Fact. Let G be a cyclic grou of order m, and let g be a generator of G. Then Gen(G) = { g i G : i Z m } and Gen(G) = $(m

4 Algorithm for finding a generator The most common choice of a grou in cryto is Z for a rime. Idea. Pick a random element and test it. Chose s.t. the rime factorization of the order of the grou (-1) is known. E.g., chose a rime s.t. =2+1 for some rime. Algorithm FID-GE() ( 1)/2 found 0 While (found 1) do g $ Z {1, 1} If (g 2 mod 1) and (g mod 1) then found 1 EndWhile Return g The robability that an iteration of the algorithm is successful in finding a generator is Gen(Z ) Z 2 = ϕ( 1) 3 = ϕ(2) 2 2 = = 1 2. Suares and non-suares Def. An element a of a grou G is called a suare, or uadratic residue if it has a suare root, meaning there is some b G such that b 2 = a in G. We let QR(G) = { g G : g is uadratic residue in G } We are mostly interested in the case where the grou G is Z for some integer. Defs. An integer a is called a suare mod or uadratic residue mod if a mod is a member of QR(Z If b 2 = a (mod ) then b is called a suare-root of a mod. An integer a is called a nonsuare mod or uadratic non-residue mod if a mod is a member of Z # QR(Z Def. Let be a rime. Define the Legendre symbol of a 1 if a is a suare mod J (a) = 0 if a mod = 0 1 otherwise. Examle. QR(Z )? a 2 mod QR(Z )={1, 3, 4, 5, 9} Recall that Z is cyclic and 2 is a generator. Fact. A generator is always a non-suare. (But not all non-suares are generators DLog Z,2(a) J (a) Facts. Let % 3 be a rime. Then J (a) a 1 for any a Z 2 (mod ) 2 1 (mod ) for any generator g Z g 1 J (ab mod ) = J (a) J (b) for any a Z J (g xy mod ) = 1 if and only if J (g x mod ) = 1 or J (g y mod ) = 1 for any generator g Z and any x,y Z -1 [ ] Pr x $ Z 1 ; y $ Z 1 : J (g xy ) = 1 =3/4 for any generator g Z Fact. Let % 3 be a rime and let g be a generator of Z. Then QR(Z ) = { g i : i! Z!1 and i is even }, and QR(Z ) = ( # 1)/2

5 Grous of rime order Def. An element h of a grou G is called non-trivial if it is not eual to the identity element of the grou. Fact. Any non-trivial member of a grou of rime order is a generator of the grou. Fact. Let % 3 be a rime such that = is also rime. Then QR(Z ) is a grou of rime order. Furthermore, if g is any generator of Z, then g 2 mod is a generator of QR(Z Fact. Let g be a generator of a grou of rime order. Then for any element Z of the grou [ ] Pr x $ Z ; y $ Z : g xy = Z = 1 1 ( 1 1 ) ( 2 1 ) if Z 1 if Z = 1 Examle. Let = 5 and = =. QR(Z ) = {1, 3, 4, 5, 9} We know that 2 is a generator of Z Let s verify that 4 = 2 2 is a generator of QR(Z i i mod