CS 4990 / 6990 Lecture Notes Mathematical Foundations for Asymmetric Cryptography


CS 4990 / 6990 Lecture Notes: Mathematical Foundations for Asymmetric Cryptography
Mahalingam Ramkumar
Department of Computer Science and Engineering, Mississippi State University
November 13

1 Elementary Number Theory

We represent the set of all integers as
    $\mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$.   (1)

1.1 Basic Theorem of Arithmetic

Any positive integer $n$ can be written uniquely as a product of prime powers
    $n = \prod_{i} p_i^{e_i}, \quad e_i \ge 0$.   (2)
If $n = \prod_i p_i^{n_i}$ and $m = \prod_i p_i^{m_i}$ (over the same list of primes, allowing zero exponents), then
    $\operatorname{lcm}(m, n) = \prod_i p_i^{\max(n_i, m_i)}, \qquad \gcd(m, n) = \prod_i p_i^{\min(n_i, m_i)}$.
We usually write $\gcd(m, n)$ simply as $(m, n)$. If $n = km$ for some $k \in \mathbb{Z}$ we say that $m$ divides $n$ and write $m \mid n$. In this light $s = (m, n)$ is the largest strictly positive integer such that $s \mid m$ and $s \mid n$. It is easy to see that
    if $(m, n) = 1$, then $m \mid a$ and $n \mid a$ together imply $mn \mid a$.   (3)

1.2 Algorithm for GCD

The Euclidean algorithm is a simple algorithm for finding the gcd of two numbers. It rests on the fact that
    if $a = qb + c$ with $a, q, b, c \in \mathbb{Z}$, then $(a, b) = (b, c)$.   (4)
This is very easy to see. Let $s = (a, b)$, so $s \mid a$ and $s \mid b$: $a = s a_1$, $b = s b_1$. Let $t = (b, c)$, so $t \mid b$ and $t \mid c$: $b = t b_2$, $c = t c_2$. Then $c = a - qb = s(a_1 - q b_1)$, so $s \mid c$. Since $s$ divides both $b$ and $c$, and $t$ is the greatest integer dividing both $b$ and $c$, we have
    $s \mid t$.   (5)
Conversely $a = qb + c = t(q b_2 + c_2)$, so $t \mid a$; we already know $t \mid b$. As $s$ is the largest integer dividing both $a$ and $b$,
    $t \mid s$.   (6)
From (5) and (6), $s = t$, i.e. $(a, b) = (b, c)$.

To take the gcd of two numbers $a_0$ and $a_1$ with $a_1 < a_0$ we proceed as follows, where $q_i = \lfloor a_{i-1} / a_i \rfloor$:
    $a_0 = q_1 a_1 + a_2$
    $a_1 = q_2 a_2 + a_3$
    $\vdots$
    $a_{i-1} = q_i a_i + a_{i+1}$
    $\vdots$
    $a_{r-2} = q_{r-1} a_{r-1} + a_r$
    $a_{r-1} = q_r a_r + 0$
and by (4)
    $(a_0, a_1) = (a_1, a_2) = \cdots = (a_{i-1}, a_i) = \cdots = (a_{r-1}, a_r) = a_r$.   (7)
The last equation shows that $a_r$ divides $a_{r-1}$; rearranging the $(r-1)$th equation gives $a_r = a_{r-2} - q_{r-1} a_{r-1}$.

We can now use the $(r-2)$th equation, $a_{r-3} = q_{r-2} a_{r-2} + a_{r-1}$, to replace $a_{r-1}$ in terms of $a_{r-3}$ and $a_{r-2}$:
    $a_r = a_{r-2} - q_{r-1}(a_{r-3} - q_{r-2} a_{r-2})$.
Proceeding backwards this way, at every stage expressing $a_i$ in terms of $a_{i-1}$ and $a_{i-2}$, we finally obtain an expression for $a_r$ in terms of $a_0$ and $a_1$:
    $(a_0, a_1) = a_r = k a_0 + l a_1, \quad k, l \in \mathbb{Z}$.   (8)
Eq. (8) is usually called Bezout's representation of the gcd of two numbers. If $d = (a, b)$, so that $d = ka + lb$ for some $k, l \in \mathbb{Z}$, then $d$ is the smallest strictly positive integer that can be written as a linear combination of $a$ and $b$. To see this, let $r$ be the smallest strictly positive integer of the form $r = ka + lb$. As $d = (a, b)$ we have $a = d a_1$ and $b = d b_1$ for some $a_1, b_1 \in \mathbb{Z}$, so
    $r = ka + lb = d(k a_1 + l b_1) \;\Rightarrow\; d \mid r$.   (9)
The only way for $r$ to be the smallest strictly positive such integer is $r = d$. There is an algorithm, the extended Euclidean algorithm, which calculates $d = (a, b)$ and simultaneously the $k, l$ of Bezout's representation.

1.3 The Extended Euclidean Algorithm

We shall just state a very concise form of the algorithm without proof. The algorithm returns $d = (a, b)$ together with $k$ and $l$ such that
    $d = (a, b) = ak + bl$.   (10)
Each triple below satisfies the invariant $u[0] = a\,u[1] + b\,u[2]$ (and likewise for $v$), which is why the coefficients come out right at the end:
    u := [a, 1, 0]
    v := [b, 0, 1]
    while v[0] != 0 do
        w := u - floor(u[0] / v[0]) * v      (componentwise)
        u := v
        v := w
    endwhile
    d := u[0]; k := u[1]; l := u[2]   (11)

1.4 Modular Arithmetic

The set of non-negative integers less than $m$ is represented as
    $\mathbb{Z}_m = \{0, 1, 2, \ldots, m-1\}$.   (12)
For any $n \in \mathbb{Z}$ and $m \ge 1$ we can write
    $n = qm + r, \quad r \in \mathbb{Z}_m, \; q \in \mathbb{Z}$.   (13)
We rewrite (13) as $n \equiv r \pmod m$, which is read as "$n$ is congruent to $r$ modulo $m$". In plain English, $r$ is the remainder of the integer division of $n$ by $m$. Equivalently,
    $n \equiv r \pmod m \iff m \mid (n - r)$.   (14)
For $a, b, c, d \in \mathbb{Z}_m$ the following identities are easily proved:
    if $a \equiv b \pmod m$ and $c \equiv d \pmod m$, then $a \pm c \equiv b \pm d \pmod m$ and $ac \equiv bd \pmod m$.   (15)
Also
    $b \equiv c \pmod m \;\Rightarrow\; ab \equiv ac \pmod m$,   (16)
but in general the converse fails:
    $ab \equiv ac \pmod m \;\not\Rightarrow\; b \equiv c \pmod m$.   (17)
We shall see later that the converse implication holds only when $(a, m) = 1$.

1.5 Group, Abelian Group, Ring and Field

The following properties have to be satisfied for $\mathbb{Z}_m$ to form a group / abelian group / ring / field with respect to $+$ (addition) and $\cdot$ (multiplication).

1. Addition is closed: $\forall a, b \in \mathbb{Z}_m$, $a + b \in \mathbb{Z}_m$.
2. Addition is associative: $\forall a, b, c \in \mathbb{Z}_m$, $(a + b) + c = a + (b + c)$.
3. $0$ is an additive identity: $\forall a \in \mathbb{Z}_m$, $a + 0 = 0 + a = a$.
4. The additive inverse of $a$ is $m - a$ (read as $0$ when $a = 0$): $\forall a \in \mathbb{Z}_m$, $a + (m - a) = (m - a) + a = 0$.
5. If all 4 conditions above are satisfied then $\mathbb{Z}_m$ forms a group under the operation $+$. If in addition addition is commutative, $\forall a, b \in \mathbb{Z}_m$, $a + b = b + a$, then $\mathbb{Z}_m$ forms an abelian group.
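The division chain of Eq. (7), the extended algorithm of Eq. (11) and the modular inverse it yields, as an added Python example. This is not code from the lecture notes; the function names and the sample inputs are my own.

```python
# Added example (not from the lecture notes): the Euclidean division chain
# of Eq. (7), the extended Euclidean algorithm of Eq. (11), and the modular
# inverse obtained from the Bezout coefficients.


def euclid_steps(a0, a1):
    """Rows (a_{i-1}, q_i, a_i, a_{i+1}) of the chain in Eq. (7), until the
    remainder is 0.  The last a_i is the gcd."""
    rows = []
    while a1 != 0:
        q, rem = divmod(a0, a1)
        rows.append((a0, q, a1, rem))
        a0, a1 = a1, rem
    return rows


def extended_gcd(a, b):
    """Return (d, k, l) with d = gcd(a, b) = a*k + b*l (Bezout, Eq. (10))."""
    # Invariant: u[0] = a*u[1] + b*u[2] and v[0] = a*v[1] + b*v[2].
    u = [a, 1, 0]
    v = [b, 0, 1]
    while v[0] != 0:
        q = u[0] // v[0]
        w = [u[i] - q * v[i] for i in range(3)]   # w := u - floor(u0/v0) v
        u, v = v, w
    d, k, l = u
    if d < 0:                      # normalise so that d > 0 for negative inputs
        d, k, l = -d, -k, -l
    return d, k, l


def mod_inverse(a, m):
    """a^{-1} mod m from 1 = k*a + l*m; ValueError when (a, m) != 1."""
    d, k, _ = extended_gcd(a % m, m)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {m}: gcd is {d}")
    return k % m                   # k*a = 1 - l*m, so k*a = 1 (mod m)
```

`mod_inverse` is exactly the computation used in Section 2.1 below: the Bezout coefficient of $a$ is the inverse, and the gcd check is what tells you whether an inverse exists at all (for example $2$ has none modulo $106$).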

6. Multiplication is closed: $\forall a, b \in \mathbb{Z}_m$, $ab \in \mathbb{Z}_m$.
7. Multiplication is commutative: $\forall a, b \in \mathbb{Z}_m$, $ab = ba$.
8. Multiplication is associative: $\forall a, b, c \in \mathbb{Z}_m$, $(ab)c = a(bc)$.
9. $1$ is the multiplicative identity: $\forall a \in \mathbb{Z}_m$, $1 \cdot a = a \cdot 1 = a$.
10. The distributive property is satisfied with respect to $+$ and $\cdot$: $\forall a, b, c \in \mathbb{Z}_m$, $(a + b)c = ac + bc$ and $a(b + c) = ab + ac$.
11. If all the above properties are satisfied then $\mathbb{Z}_m$ forms a ring. If in addition every element except $0$ has a multiplicative inverse,
    $\forall a \in \mathbb{Z}_m, a \ne 0, \; \exists a^{-1} \in \mathbb{Z}_m$ such that $a a^{-1} = a^{-1} a = 1$,
then $\mathbb{Z}_m$ forms a field.

In general $\mathbb{Z}_m$ satisfies properties 1-10 and thus forms a ring. When $m = p$ is a prime, $\mathbb{Z}_m = \mathbb{Z}_p$ forms a field.

2 Solving Linear Congruences

Suppose we have $ax \equiv b \pmod m$. How do we solve for $x$? Note that the congruence can be rewritten as
    $ax - b = qm \iff ax + rm = b, \quad r = -q$.
We know that if $(a, m) = y$ we can write $y = ak + ml$ for some integers $k, l$. If $y \mid b$, say $b = wy$, then
    $b = wy = wak + wml = (wk)a + (wl)m = xa + rm$,
so $x = wk$ is a solution. Conversely, if $ax + rm = b$ has a solution then, by the argument of Eq. (9), $y \mid b$, since $y$ divides every integer combination of $a$ and $m$.

2.1 Modular Inverses

We are usually interested in the special case $b = 1$:
    $ax \equiv 1 \pmod m$.
By the above, a solution exists only if $(a, m) \mid 1$, i.e. $(a, m) = 1$. Such a solution $x$ is called the multiplicative inverse of $a$, written $a^{-1}$, as $ax \equiv a a^{-1} \equiv 1 \pmod m$. We saw earlier (Bezout's representation) that if $(a, m) = 1$ we can find $k, l \in \mathbb{Z}$ such that
    $(a, m) = 1 = ka + lm$.   (18)
Hence $ka = 1 + rm$ with $r = -l$, i.e.
    $ka \equiv 1 \pmod m \;\Rightarrow\; k \equiv a^{-1} \pmod m$.

2.1.1 Prime Fields $\mathbb{Z}_p$

It can now be seen that the integers modulo a prime $p$ form a field: every $a \in \mathbb{Z}_p$, $a \ne 0$, satisfies $(a, p) = 1$ and therefore has an inverse $a^{-1} \in \mathbb{Z}_p$ with $a a^{-1} = 1$.

2.2 Systems of Linear Congruences in $\mathbb{Z}_m$

This is best illustrated with an example:
    $2x + 2y \equiv 2 \pmod{106}$
    $x \equiv 3 \pmod{106}$.
Seems like a simple enough set of equations. You might be tempted to simplify the first equation to $x + y \equiv 1 \pmod{106}$. You can't! To do so you would have to divide the whole equation by $2$, i.e. multiply it by $2^{-1} \bmod 106$, which does not exist as $(2, 106) \ne 1$. Substituting the value of $x$ from the second equation into the first we get
    $6 + 2y \equiv 2 \pmod{106} \;\Rightarrow\; 2y \equiv -4 \equiv 102 \pmod{106}$.
So how do we solve $2y \equiv 102 \pmod{106}$? We need $y$ such that $2y - 102 = 106 q$ for some integer $q$. A solution exists only if $(2, 106) \mid 102$, which fortunately is true in this case. But unfortunately, the solution is not unique! In general, as we stated in the previous section, the congruence $ax \equiv b \pmod m$, i.e. $ax + my = b$,

has a solution only if $(a, m) \mid b$. If this condition holds, however, we have $d = (a, m)$ solutions! Say we found a particular solution $x_0, y_0$ satisfying $a x_0 + m y_0 = b$. The complete set of $d$ solutions is then (verify this!)
    $x_i \equiv x_0 + \frac{m i}{d} \pmod m, \quad 0 \le i \le d - 1$.   (19)
For our example we have $b = 102$, $x_0 = 51$, $y_0 = 0$. As $d = (2, 106) = 2$, we have two solutions modulo $106$: $51$ and $51 + 53 = 104$. Verify that both solutions are correct.

As another example, the congruence $16x \equiv 12 \pmod{20}$ has $(16, 20) = 4$ solutions. A particular solution of $16x + 20y = 12$ is $x_0 = -3$, $y_0 = 3$. The complete list of $4$ solutions is
    $x \equiv -3 \equiv 17, \; 2, \; 7, \; 12 \pmod{20}$.

In general the solution to a set of simultaneous congruences
    $a_{11} x_1 + a_{12} x_2 + \cdots + a_{1n} x_n \equiv y_1 \pmod m$
    $a_{21} x_1 + a_{22} x_2 + \cdots + a_{2n} x_n \equiv y_2 \pmod m$
    $\vdots$
    $a_{n1} x_1 + a_{n2} x_2 + \cdots + a_{nn} x_n \equiv y_n \pmod m$
can be represented in matrix notation as
    $\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{pmatrix} \begin{pmatrix} x_1 \\ x_2 \\ \vdots \\ x_n \end{pmatrix} \equiv \begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_n \end{pmatrix} \pmod m$,   (20)
or succinctly as $A x \equiv y \pmod m$. The solution is then
    $x \equiv A^{-1} y \pmod m$,   (21)
where $A^{-1}$, the inverse of $A$, is as usual given by
    $A^{-1} = \det(A)^{-1} \operatorname{adj}(A)$.   (22)
All calculations for the determinant and adjoint of $A$ are performed using the rules of modular arithmetic; in particular $\det(A)^{-1}$ is the modular inverse of the determinant, which must exist.

2.2.1 Example

    $A = \begin{pmatrix} 2 & 3 & 4 \\ 5 & 6 & 7 \\ 3 & 4 & 6 \end{pmatrix} \pmod{11}, \qquad A^{-1} = \det(A)^{-1} \operatorname{adj}(A) \pmod{11}$.   (23)
Expanding along the first row,
    $\det(A) = 2(36 - 28) - 3(30 - 21) + 4(20 - 18) = 16 - 27 + 8 = -3 \equiv 8 \pmod{11}$,
and $\det(A)^{-1} \equiv 8^{-1} \equiv 7 \pmod{11}$, since $8 \cdot 7 = 56 \equiv 1$. The adjoint is the transpose of the matrix of cofactors:
    $\operatorname{adj}(A) = \begin{pmatrix} (36 - 28) & -(30 - 21) & (20 - 18) \\ -(18 - 16) & (12 - 12) & -(8 - 9) \\ (21 - 24) & -(14 - 20) & (12 - 15) \end{pmatrix}^{T} = \begin{pmatrix} 8 & -9 & 2 \\ -2 & 0 & 1 \\ -3 & 6 & -3 \end{pmatrix}^{T} \equiv \begin{pmatrix} 8 & 9 & 8 \\ 2 & 0 & 6 \\ 2 & 1 & 8 \end{pmatrix} \pmod{11}$,
so
    $A^{-1} \equiv 7 \begin{pmatrix} 8 & 9 & 8 \\ 2 & 0 & 6 \\ 2 & 1 & 8 \end{pmatrix} \equiv \begin{pmatrix} 1 & 8 & 1 \\ 3 & 0 & 9 \\ 3 & 7 & 1 \end{pmatrix} \pmod{11}$.
(Check: the first row of $A$ times the first column of $A^{-1}$ is $2 + 9 + 12 = 23 \equiv 1$, and times the second column $16 + 0 + 28 = 44 \equiv 0 \pmod{11}$.)

If $A$ is not invertible (because the determinant has no inverse modulo $m$) then finitely many solutions might still exist. Contrast this with simultaneous equations over the real numbers, where a non-invertible matrix implies either no solution or infinitely many. We already saw such an example: the system
    $\begin{pmatrix} 2 & 2 \\ 1 & 0 \end{pmatrix} \begin{pmatrix} x \\ y \end{pmatrix} \equiv \begin{pmatrix} 2 \\ 3 \end{pmatrix} \pmod{106}$   (24)
has two solutions, $(x, y) = (3, 51)$ and $(x, y) = (3, 104)$. The determinant of the matrix is $-2 \equiv 104$, and as $104$ does not have an inverse modulo $106$ the matrix is not invertible.

If you prefer to obtain matrix inverses by performing elementary row / column operations, you should know that there is a restriction on the scalars you may use to multiply equations: each scalar must be relatively prime to the modulus $m$ (otherwise the operation cannot be undone).
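The solution set of Eq. (19) and the inverse of Eq. (22), as an added Python example (not the notes' code; the function names are mine). It relies on Python's built-in `pow(a, -1, m)` for modular inverses and on cofactor expansion for the determinant and adjoint, so it handles any matrix size, not only the $3 \times 3$ case above, and it refuses a matrix whose determinant is not a unit modulo $m$.

```python
# Added example (not from the lecture notes): all d = (a, m) solutions of
# a x = b (mod m) per Eq. (19), and A^{-1} = det(A)^{-1} adj(A) (mod m)
# per Eq. (22), applied to A x = y (mod m).
from math import gcd


def solve_linear_congruence(a, b, m):
    """All x in Z_m with a*x = b (mod m); [] when (a, m) does not divide b."""
    d = gcd(a, m)
    if b % d != 0:
        return []
    # (a/d) x = (b/d) (mod m/d) has a unique solution since gcd(a/d, m/d) = 1
    a1, b1, m1 = a // d, b // d, m // d
    x0 = (b1 * pow(a1, -1, m1)) % m1
    return [x0 + i * m1 for i in range(d)]       # x_i = x_0 + i*m/d, Eq. (19)


def det_mod(A, m):
    """Determinant modulo m by cofactor expansion along the first row."""
    n = len(A)
    if n == 1:
        return A[0][0] % m
    total = 0
    for j in range(n):
        minor = [row[:j] + row[j + 1:] for row in A[1:]]
        total += (-1) ** j * A[0][j] * det_mod(minor, m)
    return total % m


def adjugate_mod(A, m):
    """adj(A) mod m: the transpose of the matrix of cofactors."""
    n = len(A)
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(n):
            minor = [row[:j] + row[j + 1:] for k, row in enumerate(A) if k != i]
            adj[j][i] = ((-1) ** (i + j) * det_mod(minor, m)) % m   # transposed
    return adj


def inverse_mod(A, m):
    """A^{-1} = det(A)^{-1} adj(A) (mod m); ValueError if det(A) is not a unit."""
    d = det_mod(A, m)
    if gcd(d, m) != 1:
        raise ValueError(f"det(A) = {d} has no inverse modulo {m}")
    dinv = pow(d, -1, m)
    return [[(dinv * e) % m for e in row] for row in adjugate_mod(A, m)]


def solve_system(A, y, m):
    """x = A^{-1} y (mod m), Eq. (21)."""
    Ainv = inverse_mod(A, m)
    n = len(y)
    return [sum(Ainv[i][j] * y[j] for j in range(n)) % m for i in range(n)]
```

Note that `solve_linear_congruence` finds the particular solution by dividing $a$, $b$ and $m$ by $d$ first, which is just another way of saying that only $a/d$ needs an inverse, modulo $m/d$.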

2.3 Chinese Remainder Theorem (CRT)

The Chinese Remainder Theorem is used to solve a system of congruences with multiple moduli,
    $x \equiv a_1 \pmod{m_1}$
    $x \equiv a_2 \pmod{m_2}$
    $\vdots$
    $x \equiv a_n \pmod{m_n}$
where $m_1, \ldots, m_n$ are pairwise relatively prime. The CRT says that there is a unique solution $x \equiv y \pmod M$, where $M = m_1 m_2 \cdots m_n$, given by
    $y = \sum_{i=1}^{n} a_i M_i N_i \bmod M$,   (25)
where $M_i = M / m_i$ and $N_i \equiv M_i^{-1} \pmod{m_i}$. We can easily check that all congruences are simultaneously satisfied: modulo any $m_i$ we have $M_i N_i \equiv 1$, and all the other terms vanish since $M_j \equiv 0 \pmod{m_i}$ for $j \ne i$. The solution is also unique modulo $M$: if $x_1$ and $x_2$ are two solutions and $x_3 = x_1 - x_2$, then
    $x_3 \equiv 0 \pmod{m_1}, \quad x_3 \equiv 0 \pmod{m_2}, \quad \ldots, \quad x_3 \equiv 0 \pmod{m_n}$,
which (the moduli being pairwise coprime) necessarily means $x_3 \equiv 0 \pmod M$, i.e. $x_1 \equiv x_2 \pmod M$.

2.3.1 Example

Solve the system
    $x \equiv 5 \pmod{13}, \quad x \equiv 6 \pmod{11}, \quad x \equiv 9 \pmod{17}, \quad x \equiv 4 \pmod{19}$.
We have $M = 13 \cdot 11 \cdot 17 \cdot 19 = 46189$ and
    $M_1 = 11 \cdot 17 \cdot 19 = 3553$, $M_2 = 13 \cdot 17 \cdot 19 = 4199$, $M_3 = 13 \cdot 11 \cdot 19 = 2717$, $M_4 = 13 \cdot 11 \cdot 17 = 2431$,
    $N_1 \equiv M_1^{-1} \equiv 4^{-1} \equiv 10 \pmod{13}$ (as $3553 \equiv 4$ and $4 \cdot 10 = 40 \equiv 1$),
    $N_2 \equiv M_2^{-1} \equiv 8^{-1} \equiv 7 \pmod{11}$,
    $N_3 \equiv M_3^{-1} \equiv 14^{-1} \equiv 11 \pmod{17}$,
    $N_4 \equiv M_4^{-1} \equiv 18^{-1} \equiv 18 \pmod{19}$.
The solution is
    $x \equiv \sum_{i=1}^{4} a_i M_i N_i = 5 \cdot 3553 \cdot 10 + 6 \cdot 4199 \cdot 7 + 9 \cdot 2717 \cdot 11 + 4 \cdot 2431 \cdot 18 = 798023 \equiv 12810 \pmod{46189}$.
(Check: $12810 = 13 \cdot 985 + 5 = 11 \cdot 1164 + 6 = 17 \cdot 753 + 9 = 19 \cdot 674 + 4$.)

There is a geometric interpretation of the CRT. A set of numbers $\{m_1, \ldots, m_n\}$ with $(m_i, m_j) = 1$ for $i \ne j$ can be interpreted as $n$ orthogonal axes. Any number $0 \le x < M = m_1 \cdots m_n$ can be represented by its $n$ coordinates $(a_1, \ldots, a_n)$, the residues of $x$ modulo $m_1, \ldots, m_n$ respectively. Every point of the $n$-dimensional space (actually a lattice, as we consider only integer points) with coordinates $0 \le a_1 < m_1, \ldots, 0 \le a_n < m_n$ corresponds uniquely to one $0 \le x < M$.

A particular case of the CRT that is used often is
    $x \equiv a \pmod{m_1}, \; x \equiv a \pmod{m_2}, \; \ldots, \; x \equiv a \pmod{m_n} \;\Rightarrow\; x \equiv a \pmod{M = m_1 m_2 \cdots m_n}$.   (26)
This can be seen directly: $m_i \mid (x - a)$ for all $i$ implies $M \mid (x - a)$ when the $m_i$ are pairwise coprime.

3 Not So Elementary Number Theory

3.1 Euler Phi Function

Two numbers $a, b$ are said to be relatively prime if $(a, b) = 1$. The Euler phi function of $m$, written $\varphi(m)$, is the number of elements of $\mathbb{Z}_m$ (equivalently, for $m > 1$, the number of positive integers less than $m$) that are relatively prime to $m$. Alternately, $\varphi(m)$ is the number of elements that have multiplicative inverses in the ring $\mathbb{Z}_m$. It can be shown that, if $m = \prod_{i=1}^{n} p_i^{e_i}$, then
    $\varphi(m) = \prod_{i=1}^{n} \left( p_i^{e_i} - p_i^{e_i - 1} \right)$.   (27)
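The CRT formula of Eq. (25) and the phi formula of Eq. (27), as an added Python example (not the notes' code; the function names are mine). A brute-force count of units is included so the formula can be checked against the definition, and the last function counts the $(j \bmod m, j \bmod n)$ pairs that the multiplicativity argument in Section 3.1.2 relies on.

```python
# Added example (not from the lecture notes): CRT solver per Eq. (25) and
# Euler's phi per Eq. (27), with brute-force checks against the definition.
from math import gcd, prod


def crt(residues, moduli):
    """(x, M): the unique 0 <= x < M = prod(moduli) with x = a_i (mod m_i).
    The moduli must be pairwise coprime, exactly as in the CRT statement."""
    for i in range(len(moduli)):
        for j in range(i):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} share a factor")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i                 # M_i = M / m_i
        N_i = pow(M_i, -1, m_i)        # N_i = M_i^{-1} mod m_i
        x += a_i * M_i * N_i
    return x % M, M


def factorize(m):
    """Trial-division factorization {p: e} of m >= 2 (fine for small m)."""
    factors = {}
    p = 2
    while p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def euler_phi(m):
    """phi(m) = prod over p^e || m of (p^e - p^(e-1)), Eq. (27)."""
    if m == 1:
        return 1
    return prod(p ** e - p ** (e - 1) for p, e in factorize(m).items())


def phi_by_counting(m):
    """The definition: number of 0 < a < m with gcd(a, m) = 1 (m > 1)."""
    return sum(1 for a in range(1, m) if gcd(a, m) == 1)


def units_as_crt_pairs(m, n):
    """Number of distinct (j mod m, j mod n) pairs over the units j of Z_mn.
    For coprime m, n this equals phi(m) * phi(n): the CRT bijection behind
    the multiplicativity proof of Section 3.1.2."""
    pairs = {(j % m, j % n) for j in range(m * n) if gcd(j, m * n) == 1}
    return len(pairs)
```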

3.1.1 Special Case: $m = p^e$

If $m = p$ is a prime, then
    $\varphi(p) = p - 1$.   (28)
This is easy to see: all $p - 1$ numbers $1, 2, \ldots, p - 1$ are relatively prime to $p$. If $m = p^e$ with $e$ a strictly positive integer, then
    $\varphi(p^e) = p^e - p^{e-1}$.   (29)
This is also very easy to understand: out of the $p^e$ possible numbers, $p^{e-1}$ of them are multiples of $p$ (every $p$th element is a multiple of $p$).

3.1.2 Proof of Eq. (27)

To prove Eq. (27) we just need to show that $\varphi(\cdot)$ is multiplicative, i.e.
    $\varphi(mn) = \varphi(m)\varphi(n) \quad \text{whenever } (m, n) = 1$.   (30)
Every $0 \le j \le mn - 1$ in $\mathbb{Z}_{mn}$ is the (unique, by the CRT) solution of a system of two congruences
    $j \equiv k \pmod m, \quad 0 \le k \le m - 1$
    $j \equiv l \pmod n, \quad 0 \le l \le n - 1$.
We are only interested in systems with $(k, m) = 1$ and $(l, n) = 1$. This is because $(j, m) = (k, m)$ (as $j = qm + k$; recall the proof of the Euclidean algorithm), so if $k$ has a common factor with $m$ then so does $j$, and then $j$ also has a common factor with $mn$. We are only interested in systems whose solution $j$ satisfies $(j, mn) = 1$. So we have $\varphi(m)$ possible values of $k$ and $\varphi(n)$ possible values of $l$. This gives us $\varphi(m)\varphi(n)$ distinct systems, with $\varphi(m)\varphi(n)$ distinct solutions. These solutions satisfy $(j, m) = 1$ and $(j, n) = 1$, and therefore $(j, mn) = 1$. This proves Eq. (30).

3.2 Fermat's Little Theorem (FLT)

The two forms of FLT are
    $\forall a \in \mathbb{Z}_p, a \ne 0: \quad a^{p-1} \equiv 1 \pmod p$,   (31)
    $\forall a \in \mathbb{Z}_p: \quad a^{p} \equiv a \pmod p$,   (32)
and we tend to use the former more often. There are two proofs. One realizes that the set $a \mathbb{Z}_p$ is just a permutation of $\mathbb{Z}_p$; the other applies mathematical induction on $a$.

For the first proof, let $\mathbb{Z}_p = \{0, 1, 2, \ldots, p - 2, p - 1\}$ and consider the set $a \mathbb{Z}_p$, where each element of $\mathbb{Z}_p$ is multiplied by some $0 < a < p$. No two terms, say $ia$ and $ja$ with $0 \le i, j \le p - 1$, can be equal: if they were, $ia - ja \equiv 0 \pmod p$, or $p \mid (i - j)a$. We know $p \nmid a$, so the only way $p \mid a(i - j)$ is $p \mid (i - j)$, and the only possibility is $i = j$. Hence $a \mathbb{Z}_p$ is just a permutation of $\mathbb{Z}_p$, and the product of all terms of $\mathbb{Z}_p$ and of $a \mathbb{Z}_p$ (leaving out the zero term in both sets) must be identical:
    $a^{p-1} (p-1)! \equiv (p-1)! \pmod p \;\Rightarrow\; a^{p-1} \equiv 1 \pmod p$.   (33)
(Footnote 1: in (33) we are able to cancel $(p-1)!$ on both sides because $(p-1)!$ is invertible, every element $1 \le a \le p - 1$ having an inverse. We cannot do this if the modulus is not a prime: in general, $ab \equiv ac \pmod m$ implies $b \equiv c \pmod m$ if and only if $(a, m) = 1$.)

For the proof by induction on $a$, we know $1^p \equiv 1 \pmod p$. Assuming $a^p \equiv a \pmod p$ we have to show that $(a + 1)^p \equiv a + 1 \pmod p$. Now
    $(a + 1)^p = \sum_{i=0}^{p} \binom{p}{i} a^i = a^p + 1 + \underbrace{\sum_{i=1}^{p-1} \binom{p}{i} a^i}_{\text{multiples of } p} \equiv a + 1 \pmod p$,
since $p \mid \binom{p}{i}$ for $0 < i < p$.

We can also easily show that for $m = p^e$,
    $\forall a \in \mathbb{Z}_m \text{ with } (a, m) = 1: \quad a^{\varphi(m)} \equiv 1 \pmod m$,   (34)
by induction on $e$. For $e = 1$ it is indeed true (from FLT) as $\varphi(p) = p - 1$. Assume it holds for some $e \ge 1$, so $a^{\varphi(p^e)} = a^{p^{e-1}(p-1)} = 1 + p^e k$ for some integer $k$. Raising both sides to the $p$th power,
    $a^{\varphi(p^{e+1})} = a^{p^{e}(p-1)} = (1 + p^e k)^p = 1 + k p^{e+1} + (\text{terms that are multiples of } p^{2e}) \equiv 1 \pmod{p^{e+1}}$.

In fact the congruence
    $a^{\varphi(m)} \equiv 1 \pmod m, \quad \forall a : (a, m) = 1$   (35)
holds for any $m$ (that is, in any ring $\mathbb{Z}_m$). If $m = \prod_{i=1}^{n} p_i^{e_i}$, we have
    $a^{\varphi(p_1^{e_1})} \equiv 1 \pmod{p_1^{e_1}}$
    $a^{\varphi(p_2^{e_2})} \equiv 1 \pmod{p_2^{e_2}}$
    $\vdots$
    $a^{\varphi(p_n^{e_n})} \equiv 1 \pmod{p_n^{e_n}}$.

Due to the multiplicativity of $\varphi$ we also have
    $\varphi(m) = \prod_{i=1}^{n} \varphi(p_i^{e_i})$.   (36)
As $\varphi(p_i^{e_i}) \mid \varphi(m)$ for every $i$, we can rewrite the $n$ congruences above as
    $a^{\varphi(m)} \equiv 1 \pmod{p_1^{e_1}}, \quad a^{\varphi(m)} \equiv 1 \pmod{p_2^{e_2}}, \quad \ldots, \quad a^{\varphi(m)} \equiv 1 \pmod{p_n^{e_n}}$,
from which, by Eq. (26), we readily conclude that $a^{\varphi(m)} \equiv 1 \pmod m$. Now why is $(a, m) = 1$ a necessary condition? We have
    $a^{\varphi(m)} = a \cdot a^{\varphi(m) - 1} \equiv 1 \pmod m$, which implies $a^{-1} \equiv a^{\varphi(m) - 1} \pmod m$.
Obviously $a^{-1}$ exists only if $(a, m) = 1$.

3.2.1 A Special Case: $\mathbb{Z}_m$ with $m = p_1 p_2 \cdots p_n$

When $m = \prod_{i=1}^{n} p_i$ (i.e. $m$ is a product of $n$ distinct primes, not of prime powers), even though Eq. (35) holds only for $a$ with $(a, m) = 1$, the following congruence holds for all $a$:
    $a^{\varphi(m) + 1} \equiv a \pmod{m = p_1 p_2 \cdots p_n}$,   (37)
where $\varphi(m) = (p_1 - 1)(p_2 - 1) \cdots (p_n - 1)$. It is obvious that the congruence holds for $a$ with $(a, m) = 1$. The $a$'s for which $(a, m) \ne 1$ are multiples of some of the $p_i$. Without loss of generality assume $(a, m) = (a, p_i) = p_i$ for a single prime $p_i$, so that $(a, p_j) = 1$ for $j \ne i$. Then, since $(p_j - 1) \mid \varphi(m)$, we have for every $j \ne i$ and some integer $k$
    $a^{\varphi(m) + 1} = a^{k(p_j - 1) + 1} = (a^{p_j - 1})^k a \equiv a \pmod{p_j}$,
and
    $a \equiv 0 \pmod{p_i} \;\Rightarrow\; a^{\varphi(m) + 1} \equiv 0 \equiv a \pmod{p_i}$,
from which we have
    $a^{\varphi(m) + 1} \equiv a \pmod{p_k}, \quad 0 \le a < m, \; 1 \le k \le n$   (38)
(the same argument covers an $a$ divisible by several of the primes), and therefore, by Eq. (26),
    $a^{\varphi(m) + 1} \equiv a \pmod{m = p_1 p_2 \cdots p_n}, \quad \forall a \in \mathbb{Z}_m$.   (39)
Eq. (39), as we shall see later, has implications for RSA. It is also easy to see that
    $a^{t\varphi(m) + 1} \equiv a \pmod{m = p_1 p_2 \cdots p_n}, \quad \forall t \in \mathbb{Z}^{+}, \; \forall a \in \mathbb{Z}_m$.   (40)

4 Quadratic Congruences

4.1 Quadratic Congruences Modulo a Prime

Solve $x^2 \equiv a \pmod p$. Note that a solution need not exist for every $a \in \mathbb{Z}_p$. For example, in $\mathbb{Z}_7 = \{0, 1, 2, 3, 4, 5, 6\}$ we have
    $1^2 \equiv 1, \quad 2^2 \equiv 4, \quad 3^2 \equiv 2, \quad 4^2 \equiv 2, \quad 5^2 \equiv 4, \quad 6^2 \equiv 1 \pmod 7$.
There is no number whose square is $3$, $5$ or $6$. Such numbers ($\{3, 5, 6\}$) are quadratic nonresidues modulo $7$; on the other hand $\{1, 2, 4\}$ are quadratic residues modulo $7$.

When $p \equiv 3 \pmod 4$, the solution to $x^2 \equiv a \pmod p$ is
    $x \equiv \pm a^{(p+1)/4} \pmod p$,   (41)
which can be easily checked:
    $x^2 = \left( \pm a^{(p+1)/4} \right)^2 = a^{(p+1)/2} = a \cdot a^{(p-1)/2}$, and if $a \equiv y^2$ for some $y$ then $a^{(p-1)/2} \equiv y^{p-1} \equiv 1$, so $x^2 \equiv a \pmod p$.   (42)
Why do we need $p \bmod 4 = 3$? It is the only way $(p + 1)/4$ will be an integer! Note that $x \equiv \pm a^{(p+1)/4} \pmod p$ is a solution only if a solution exists, i.e. only if $a$ is a quadratic residue. Why? If no solution exists, we cannot replace $a^{(p-1)/2}$ by $y^{p-1}$ in (42). We know $a^{p-1} \equiv 1 \pmod p$ for any $a \ne 0$, so $a^{(p-1)/2} \equiv \pm 1$. If a solution exists then $a^{(p-1)/2} \equiv y^{p-1} \equiv 1$; otherwise $a^{(p-1)/2} \equiv -1$.

The congruence $x^2 \equiv a \pmod p$ can have only two solutions. Suppose there were another solution $y \not\equiv \pm x \pmod p$ with $y^2 \equiv x^2 \pmod p$. This implies
    $p \mid (x^2 - y^2) = (x - y)(x + y)$, but $p \nmid (x + y)$ and $p \nmid (x - y)$,
which means $p$ has factors split between $x + y$ and $x - y$, contradicting the assumption that $p$ is prime. The fact that any quadratic residue in $\mathbb{Z}_p$ has exactly two square roots and the fact that every non-zero element of $\mathbb{Z}_p$ has a unique

inverse can be used to prove an interesting theorem called Wilson's theorem:
    $(p - 1)! \equiv -1 \pmod p$.   (43)
If $ab \equiv 1 \pmod p$, then $a = b$ only if $a = b = \pm 1$ (i.e. $a = b = 1$ or $a = b = p - 1$), because $1$ has only the two square roots $1$ and $p - 1$. Consider the numbers $2, \ldots, p - 2$. Each has an inverse in the same range which is not equal to itself ($1$ and $p - 1$ are the only self-inverse elements). So the numbers $2, \ldots, p - 2$ can be paired up into $(p - 3)/2$ pairs of mutually inverse numbers, from which it is obvious that
    $(p - 2)! \equiv 1^{(p-3)/2} \equiv 1 \pmod p$, and therefore $(p - 1)! = (p - 1)(p - 2)! \equiv p - 1 \equiv -1 \pmod p$.   (44)

4.1.1 Example

Solve $x^2 \equiv 2 \pmod{23}$. Here $(p + 1)/4 = 6$, so $x \equiv \pm 2^6 = \pm 64 \equiv \pm 18 \equiv \mp 5 \pmod{23}$. The two solutions are $x \equiv 5 \pmod{23}$ and $x \equiv 18 \pmod{23}$ ($18 = 23 - 5$). Check: $5^2 = 25 \equiv 2$ and $18^2 = 324 = 14 \cdot 23 + 2 \equiv 2 \pmod{23}$.

Now what is the solution to $x^2 \equiv 7 \pmod{23}$? Is it $x \equiv \pm 7^6 \pmod{23}$? Check! $7^6 = (7^2)^3 \equiv 3^3 = 27 \equiv 4$, giving $x \equiv 4 \pmod{23}$ and $x \equiv 19 \pmod{23}$. But $4^2 = 16 \pmod{23}$ and $19^2 = 361 \equiv 16 \pmod{23}$. Not right! This is because $x^2 \equiv 7 \pmod{23}$ does not have a solution ($7$ is not a quadratic residue modulo $23$). Note, however, that $-7 \equiv 16 \pmod{23}$: when you calculate $x = a^{(p+1)/4}$ here you think you are calculating a square root of $7$, but you are actually calculating a square root of $-7 \equiv 16 \pmod{23}$, because $a^{(p-1)/2} \equiv -1$ rather than $1$.

4.2 Quadratic Congruences Modulo a Composite

Now how do you solve $x^2 \equiv a \pmod{pq}$, where $p$ and $q$ are primes (both $\equiv 3 \pmod 4$)? Let $n = pq$. Obviously $n \mid (x^2 - a)$ means $p \mid (x^2 - a)$ and $q \mid (x^2 - a)$, so we have
    $x^2 \equiv a \pmod p$ and $x^2 \equiv a \pmod q$.
If a solution exists, the first congruence has two solutions $z \equiv \pm a^{(p+1)/4} \pmod p$, and the second again has two solutions $w \equiv \pm a^{(q+1)/4} \pmod q$. So we have solutions in $\mathbb{Z}_p$ and $\mathbb{Z}_q$:
    $x^2 \equiv a \pmod p \;\Rightarrow\; x \equiv \pm z \pmod p$
    $x^2 \equiv a \pmod q \;\Rightarrow\; x \equiv \pm w \pmod q$.
How do we get a solution in $\mathbb{Z}_n$ (modulo $n = pq$)? CRT. We have
    $x \equiv \pm z \pmod p, \quad x \equiv \pm w \pmod q$.   (45)
So $m_1 = p$, $m_2 = q$, $M_1 = q$, $M_2 = p$, $M = pq$, and $N_1 \equiv q^{-1} \pmod p$, $N_2 \equiv p^{-1} \pmod q$. The solution is then
    $x \equiv \pm z q N_1 \pm w p N_2 \pmod n$.
So if a solution exists, there are 4 solutions!
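The square roots of Eq. (41), Euler's criterion $a^{(p-1)/2} \equiv \pm 1$ used to tell residues from non-residues, and the four CRT-glued roots modulo $pq$, as an added Python example (not the notes' code; the function names are mine). The same computation is what the Rabin cipher of Section 5 uses for decryption, so a toy encrypt/decrypt pair is included; the primes here are far too small for any real use.

```python
# Added example (not from the lecture notes): square roots modulo a prime
# p = 3 (mod 4) per Eq. (41), with Euler's criterion to reject
# non-residues, and the four roots modulo n = p q assembled with the CRT
# as in Eq. (45).  Also a toy Rabin encrypt/decrypt built on top of it.


def quadratic_residues(p):
    """The non-zero quadratic residues modulo a prime p."""
    return sorted({(x * x) % p for x in range(1, p)})


def sqrt_mod_prime_3mod4(a, p):
    """Both square roots of a modulo p (p = 3 mod 4), or [] if a is a
    non-residue.  Without the criterion check, +-a^((p+1)/4) would be a
    square root of -a instead, exactly as in the x^2 = 7 (mod 23) example."""
    if p % 4 != 3:
        raise ValueError("this formula needs p = 3 (mod 4)")
    a %= p
    if a == 0:
        return [0]
    if pow(a, (p - 1) // 2, p) != 1:      # Euler's criterion: -1 means no root
        return []
    x = pow(a, (p + 1) // 4, p)
    return sorted({x, p - x})


def sqrt_mod_pq(a, p, q):
    """All square roots of a modulo n = p q: x = +-z q N1 +-w p N2 (mod n)."""
    n = p * q
    N1 = pow(q, -1, p)                    # N1 = q^{-1} mod p
    N2 = pow(p, -1, q)                    # N2 = p^{-1} mod q
    roots = set()
    for z in sqrt_mod_prime_3mod4(a, p):
        for w in sqrt_mod_prime_3mod4(a, q):
            roots.add((z * q * N1 + w * p * N2) % n)
    return sorted(roots)


def rabin_encrypt(P, n):
    """C = P^2 (mod n); the public key is n alone."""
    return pow(P, 2, n)


def rabin_decrypt(C, p, q):
    """The (up to four) candidate plaintexts; the receiver must pick the
    right one, and must never reveal the other three (Section 5.1)."""
    return sqrt_mod_pq(C, p, q)
```

Note that `sqrt_mod_prime_3mod4` returns an empty list for a non-residue instead of the misleading "square root of $-a$" that blindly applying Eq. (41) would give.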
    $x \equiv z q N_1 + w p N_2 \pmod n$
    $x \equiv -z q N_1 + w p N_2 \pmod n$
    $x \equiv z q N_1 - w p N_2 \pmod n$
    $x \equiv -z q N_1 - w p N_2 \pmod n$.   (46)

4.2.1 Example

Solve
    $x^2 \equiv 58 \pmod{77}$,   (47)
with $n = 77$, $p = 7$, $q = 11$. First we obtain the solutions of
    $x^2 \equiv 58 \equiv 2 \pmod 7, \qquad x^2 \equiv 58 \equiv 3 \pmod{11}$.
As $(p + 1)/4 = 2$ and $(q + 1)/4 = 3$, the solutions are
    $x \equiv \pm 2^2 \equiv \pm 4 \pmod 7, \qquad x \equiv \pm 3^3 \equiv \pm 5 \pmod{11}$.
We now have four systems of congruences to solve (with $N_1 \equiv 11^{-1} \equiv 2 \pmod 7$ and $N_2 \equiv 7^{-1} \equiv 8 \pmod{11}$):
    $x \equiv 4 \pmod 7, \; x \equiv 5 \pmod{11} \;\Rightarrow\; x \equiv 60 \pmod{77}$
    $x \equiv 4 \pmod 7, \; x \equiv -5 \equiv 6 \pmod{11} \;\Rightarrow\; x \equiv 39 \pmod{77}$
    $x \equiv -4 \equiv 3 \pmod 7, \; x \equiv 5 \pmod{11} \;\Rightarrow\; x \equiv 38 \pmod{77}$
    $x \equiv -4 \equiv 3 \pmod 7, \; x \equiv -5 \equiv 6 \pmod{11} \;\Rightarrow\; x \equiv 17 \pmod{77}$.   (48)
(Check: $60^2 = 3600 = 46 \cdot 77 + 58$.)

4.3 Quadratic Congruences and Factorization

To solve quadratic congruences in $\mathbb{Z}_m$ we saw that we needed to know the factors of the modulus $m$. Conversely, if we know that $a, b \in \mathbb{Z}_m$ are square roots of

some $c \in \mathbb{Z}_m$ ($a^2 \equiv b^2 \equiv c \pmod m$) with $a \not\equiv \pm b \pmod m$, then we can factorize $m$. We have
    $a^2 \equiv b^2 \pmod m \;\Rightarrow\; m \mid (a^2 - b^2) = (a - b)(a + b)$,
    $a \not\equiv b \pmod m \;\Rightarrow\; m \nmid (a - b)$,
    $a \not\equiv -b \pmod m \;\Rightarrow\; m \nmid (a + b)$.
Therefore $m$ must share factors with both $a + b$ and $a - b$, yielding the two factors $(a - b, m)$ and $(a + b, m)$. As a numerical example, the congruence $537^2 \equiv 98^2 \pmod{55753}$ gives
    $(537 - 98, 55753) = (439, 55753) = 439, \qquad (537 + 98, 55753) = (635, 55753) = 127$,
the two factors of $55753 = 127 \cdot 439$.

5 Rabin Cipher: A Quadratic Cipher

Let $n = pq$ with $p, q$ large primes (both $\equiv 3 \pmod 4$). $n$ is the public key; $p, q$ are private. A plaintext $P$ is encrypted as
    $C \equiv P^2 \pmod n$.   (49)
Given $C$, only the person in possession of the private keys $p, q$ can recover $P$, by solving the congruences in Eq. (45) to obtain the 4 possible solutions of Eq. (46). One has to examine all 4 solutions and see which is the right one, which is not very difficult if the message $P$ is a low-entropy message. An eavesdropper knowing $C \equiv P^2 \pmod n$ and $n$ can do absolutely nothing to calculate $P$, except of course checking every $x \in \mathbb{Z}_n$ to see whether $x^2 \equiv C \pmod n$, or trying to factorize $n$ to get $p$ and $q$ and then using the CRT to determine $P$.

5.1 Weakness of the Rabin Cipher

The Rabin cipher is susceptible to a chosen plaintext attack if all four possible decryptions are revealed. Let us say Oscar chooses a message $P$ and encrypts it with Alice's public key $n$: $C \equiv P^2 \pmod n$. Alice, knowing her own $p$ and $q$, solves the quadratic congruences to get four possible values for $P$. Alice should make sure that she never reveals her solutions. If the 4 solutions are $P_1, P_2, P_3, P_4$, one of them equals $P$ and one equals $-P$; the other two are seemingly random values, say $\pm z$, which if revealed to Oscar enable him to factorize $n$ as we saw in Section 4.3. We know
    $z^2 \equiv P^2 \pmod n \;\Rightarrow\; n \mid (P^2 - z^2) = (P - z)(P + z)$,
    $z \not\equiv P \pmod n \;\Rightarrow\; n \nmid (P - z)$,
    $z \not\equiv -P \pmod n \;\Rightarrow\; n \nmid (P + z)$.
Therefore $P - z$ and $n$ (and likewise $P + z$ and $n$) have a non-trivial common factor; obviously one of them is $p$ and the other $q$. So if Oscar has access to the four possible decryption values of the ciphertext he created, he can factor Alice's public key $n$ to get her private keys $p$ and $q$.

6 Factoring Algorithms

6.1 Fermat Factorization

We have
    $n = pq = (x + y)(x - y) = x^2 - y^2$, with $x = \frac{p + q}{2}$ and $y = \frac{p - q}{2}$ (for odd $p > q$),
or $y^2 = x^2 - n$. We start with $m = \lceil \sqrt{n} \rceil$ and keep checking whether $m^2 - n$, $(m + 1)^2 - n$, ... is a perfect square. If it is, we have managed to factorize $n$. Obviously we will definitely find a perfect square at some point, because
    $\left( \frac{n + 1}{2} \right)^2 - n = \left( \frac{n - 1}{2} \right)^2$.
Why not do the last step directly? Unfortunately the factors it yields are the trivial ones, $n = \left( \frac{n + 1}{2} + \frac{n - 1}{2} \right) \left( \frac{n + 1}{2} - \frac{n - 1}{2} \right) = n \cdot 1$. Fermat factorization is good if $p$ and $q$ are close; unfortunately it can also be worse than brute force. For brute force (trial division) we check approximately $\sqrt{n}$ numbers. For Fermat factorization the worst case is $\frac{n + 1}{2} - \sqrt{n}$ steps, which is usually much bigger than $\sqrt{n}$ (check for a few numbers).

6.2 Pollard $p - 1$ Factorization

This method is very effective if $p - 1$ is composed of many small factors. Let $n = pq$. We know $a^{p-1} \equiv 1 \pmod p$ for $a \in \mathbb{Z}_p$, $a \ne 0$, and hence $a^{m(p-1)} \equiv 1 \pmod p$ for any integer $m$. If every prime-power factor of $p - 1$ is at most $k$, then $(p - 1) \mid k!$ and obviously
    $a^{k!} \equiv 1 \pmod p \;\Rightarrow\; p \mid (a^{k!} - 1)$.
Let
    $b \equiv a^{k!} - 1 \pmod n$, i.e. $b = (a^{k!} - 1) \bmod n$.
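The three factoring ideas described so far, as an added Python example (not the notes' code; the function names are mine): factoring from two unrelated square roots (Sections 4.3 and 5.1), Fermat's difference-of-squares search (Section 6.1), and Pollard's $p - 1$ method (Section 6.2), including the $b = 0$ case discussed next, where the gcd jumps straight to $n$ and a different base $a$ is needed.

```python
# Added example (not from the lecture notes): factoring from a^2 = b^2
# (mod n) with a != +-b, Fermat factorization, and Pollard's p-1 method.
from math import gcd, isqrt


def factor_from_roots(a, b, n):
    """Given a^2 = b^2 (mod n), return (gcd(a-b, n), gcd(a+b, n)), or None
    when a = +-b (mod n): that trivial pair gives no information."""
    if (a * a - b * b) % n != 0:
        raise ValueError("a and b are not square roots of the same value mod n")
    if (a - b) % n == 0 or (a + b) % n == 0:
        return None
    return gcd(a - b, n), gcd(a + b, n)


def fermat_factor(n):
    """Fermat factorization of odd n: try m = ceil(sqrt(n)), m+1, ... until
    m^2 - n is a perfect square y^2, then n = (m - y)(m + y).  It stops at
    the latest at m = (n+1)/2, where it yields the trivial (1, n)."""
    m = isqrt(n)
    if m * m < n:
        m += 1
    while True:
        y2 = m * m - n
        y = isqrt(y2)
        if y * y == y2:
            return m - y, m + y
        m += 1


def pollard_p_minus_1(n, a=2, bound=100):
    """Pollard p-1: raise a to k! step by step (k = 2, 3, ..., bound) and look
    at gcd(a^{k!} - 1, n).  Once (p - 1) | k! for some prime p | n, p divides
    a^{k!} - 1 and the gcd exposes it.  Returns (factor, cofactor, k), or
    None if the bound is reached or the gcd is n itself (b = 0 in the notes'
    terms: both primes fell out at once, so try another a or a smaller k)."""
    for k in range(2, bound + 1):
        a = pow(a, k, n)              # a is now a_0^{k!} mod n
        g = gcd(a - 1, n)
        if g == n:
            return None
        if g > 1:
            return g, n // g, k
    return None
```

With $n = 12319 = 97 \cdot 127$ (the modulus of the Dixon example later in these notes), $a = 2$ already succeeds at $k = 6$ because the order of $2$ modulo $97$ divides $6!$, while $a = 5$ needs $k = 7$ and then exposes $127$ first, since $126 \mid 7!$.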

If $b = 0$, i.e. $n \mid (a^{k!} - 1)$, then the $p - 1$ method will not work for this choice of $a$ (both $p$ and $q$ divide $a^{k!} - 1$); we just have to try a different $a$. If $b \ne 0$, however, we have $n \nmid (a^{k!} - 1)$ but $p \mid (a^{k!} - 1)$, which implies that the gcd $(b, n)$ yields a factor of $n$. Not knowing $p$ or $q$, we choose some convenient value of $k$ and, say, $a = 2$, and check whether $(b, n) \ne 1$, where $b = (2^{k!} - 1) \bmod n$. If it turns out that $(b, n) = 1$, it may mean that not all factors of $p - 1$ are below $k$, so we increase $k$ and try again!

6.2.1 Example

Factorize $n$ with $a = 2$:
    $k = 2$: $(2^{2!} - 1 \bmod n, \; n) = 1$
    $k = 6$: $(2^{6!} - 1 \bmod n, \; n) = 1$
    $k = 11$: $(2^{11!} - 1 \bmod n, \; n) = $ a non-trivial divisor of $n$.   (50)
So that gcd is a factor of $n$, and the other factor is $n$ divided by it.

6.3 Dixon's Random Squares

By now we know that if we can find two numbers that satisfy
    $x^2 \equiv y^2 \pmod n$ and $x \not\equiv \pm y \pmod n$,
then $n \mid (x^2 - y^2) = (x - y)(x + y)$ while $n \nmid (x - y)$ and $n \nmid (x + y)$, and so $(n, x - y)$ and $(n, x + y)$ are non-trivial factors, which have to be $p$ and $q$. How do we go about finding numbers that satisfy $x^2 \equiv y^2 \pmod n$ with $x \not\equiv \pm y \pmod n$? To start with, we try to get many numbers $m_i$ such that $r_i \equiv m_i^2 \pmod n$ is small (meaning easily factorizable). This is not very difficult. For example, numbers of the form
    $x_{t,s} = s + \lfloor \sqrt{tn} \rfloor, \qquad r_{t,s} \equiv x_{t,s}^2 \pmod n$,
where $s$ and $t$ are small, are good candidates that may give small values of $r_{t,s}$. Another possibility is $x_{t,s} = \lfloor \sqrt{tn} \rfloor - s$, which yields small negative values of $r_{t,s}$.   (51)

We factorize all such $r_{t,s}$ and retain only the ones made of small factors. As an example, we might consider only the $r_{t,s}$ composed entirely of prime factors up to the $u$th prime, i.e. only those $x_i = x_{t,s}$ which yield $r_i = r_{t,s} \equiv x_{t,s}^2 \pmod n$ of the form
    $r_i = \prod_{k=0}^{u} p_k^{\alpha_k}$,
where $p_k$ denotes the $k$th prime ($p_1 = 2$, $p_2 = 3$, $p_3 = 5$, ...) and $p_0 = -1$ is thrown in to account for negative numbers. Now we build a table consisting of a row for each $r_i$ and $u + 1$ columns corresponding to the exponents $\alpha_k$, $k = 0, \ldots, u$. For $u = 3$, for instance, a table with five relations has the form
    $x_i$ | $r_i$ | $p_0 = -1$ | $p_1 = 2$ | $p_2 = 3$ | $p_3 = 5$
    | | $\alpha_0$ | $\alpha_1$ | $\alpha_2$ | $\alpha_3$
    $x_1$ | $r_1$ | ... | ... | ... | ...
    $\vdots$
    $x_5$ | $r_5$ | ... | ... | ... | ...
The row for $x_2$, for example, means $x_2^2 \equiv r_2 = (-1)^{\alpha_0} 2^{\alpha_1} 3^{\alpha_2} 5^{\alpha_3} \pmod n$. We then rewrite the table with the $\alpha$ entries reduced modulo $2$ (even exponents become $0$ and odd exponents $1$), because we only want to know whether the powers are odd or even:   (52)
    $r_i$ | $\alpha_0 \bmod 2$ | $\alpha_1 \bmod 2$ | $\alpha_2 \bmod 2$ | $\alpha_3 \bmod 2$.
Now try all possible linear combinations of the rows (adding them modulo $2$) until you get a combination that is all zeros. For instance, if adding rows $1$, $2$ and $5$ gives all zeros, this means that $r_1 r_2 r_5$ is a perfect square whose square root we can write down, since every exponent in
    $r_1 r_2 r_5 = (-1)^{\alpha_0^{(1)} + \alpha_0^{(2)} + \alpha_0^{(5)}} \; 2^{\alpha_1^{(1)} + \alpha_1^{(2)} + \alpha_1^{(5)}} \; 3^{\alpha_2^{(1)} + \alpha_2^{(2)} + \alpha_2^{(5)}} \; 5^{\alpha_3^{(1)} + \alpha_3^{(2)} + \alpha_3^{(5)}}$
is even, so that $r_1 r_2 r_5 = \left( 2^{(\alpha_1^{(1)} + \alpha_1^{(2)} + \alpha_1^{(5)})/2} \; 3^{(\alpha_2^{(1)} + \alpha_2^{(2)} + \alpha_2^{(5)})/2} \; 5^{(\alpha_3^{(1)} + \alpha_3^{(2)} + \alpha_3^{(5)})/2} \right)^2$,

from which we get
    $x^2 = (x_1 x_2 x_5)^2 = x_1^2 x_2^2 x_5^2 \equiv r_1 r_2 r_5 = \left( 2^{\cdots} 3^{\cdots} 5^{\cdots} \right)^2 \equiv y^2 \pmod n$.
So we have found $x, y$ with $x^2 \equiv y^2 \pmod n$. Check that $x \not\equiv \pm y \pmod n$; if so, we have succeeded! All this $1/0$ business is because we only care whether the powers are even or odd: a linear combination modulo $2$ yielding all zeros is equivalent to all exponents in the product being even, so that we can trivially write down the square root. As we are looking for $2$ of the $4$ square roots (the trivial square roots $\pm x$ don't help), about $50\%$ of the time the $x, y$ pair we find after the combining step will satisfy $x \not\equiv \pm y \pmod n$. Note the similarity between Fermat factorization and Dixon's random squares: for the former we try to find $x$ and $y$ with $x^2 = y^2 + n$; for the latter $x^2 \equiv y^2 \pmod n$, i.e. $x^2 = y^2 + kn$ for some $k \in \mathbb{Z}$!

6.3.1 Example

Factorize $n = 12319$. We have $\sqrt{n} \approx 110.99$, $\sqrt{2n} \approx 156.96$, $\sqrt{3n} \approx 192.24$ and $\sqrt{4n} \approx 221.98$. So some good choices of $x_i$ are $111, 112, 113, 157, 158, 192, 193, 222, 223$, etc. (Of course $110, 109, 156, 155, 191, 190, 221, 220$ are also good candidates, yielding small negative numbers.)
    $x_1 = 111$: $111^2 \equiv 2 \pmod n$
    $x_2 = 112$: $112^2 \equiv 225 = 3^2 \cdot 5^2 \pmod n$
    $x_3 = 113$: $113^2 \equiv 450 = 2 \cdot 3^2 \cdot 5^2 \pmod n$
    $x_4 = 157$: $157^2 \equiv 11 \pmod n$
    $x_5 = 222$: $222^2 \equiv 8 = 2^3 \pmod n$
    $x_6 = 224$: $224^2 \equiv 900 = 2^2 \cdot 3^2 \cdot 5^2 \pmod n$
    $x_7 = 107$: $107^2 \equiv -870 = (-1) \cdot 2 \cdot 3 \cdot 5 \cdot 29 \pmod n$
    $x_8 = 109$: $109^2 \equiv -438 = (-1) \cdot 2 \cdot 3 \cdot 73 \pmod n$
    $x_9 = 110$: $110^2 \equiv -219 = (-1) \cdot 3 \cdot 73 \pmod n$
    $x_{10} = 191$: $191^2 \equiv -476 = (-1) \cdot 2^2 \cdot 7 \cdot 17 \pmod n$
    $x_{11} = 221$: $221^2 \equiv -435 = (-1) \cdot 3 \cdot 5 \cdot 29 \pmod n$
The relationships above give many ways to factorize $n = 12319$. The equation for $x_2$ immediately gives a non-trivial relationship, $112^2 \equiv 15^2 \pmod n$, from which we get the factors of $n$ as $(12319, 112 - 15) = (12319, 97) = 97$ and $(12319, 112 + 15) = (12319, 127) = 127$. Another option is combining $x_1$ and $x_3$: $(x_1 x_3)^2 \equiv 2 \cdot 450 = 900 = 30^2 \pmod n$ and $x_1 x_3 = 111 \cdot 113 = 12543 \equiv 224 \pmod n$, so $224^2 \equiv 30^2 \pmod n$, from which the factors are $(12319, 224 - 30) = (12319, 194) = 97$ and $(12319, 224 + 30) = (12319, 254) = 127$. Actually we could have obtained the relationship $224^2 \equiv 30^2 \pmod n$ directly from the equation for $x_6$. Also notice that combining $x_1, x_2, x_3$ gives $x_1 x_2 x_3 \equiv 450 \pmod n$ and $(x_1 x_2 x_3)^2 \equiv 2 \cdot 225 \cdot 450 = 450^2$, i.e. $450^2 \equiv 450^2 \pmod n$, which doesn't help (on average we can expect half the relationships we find this way to be trivial ones which do not help in factorization). Combining $x_1, x_8$ and $x_9$ also yields a trivial relationship: $(x_1 x_8 x_9)^2 \equiv 2 \cdot 438 \cdot 219 = (2 \cdot 3 \cdot 73)^2 = 438^2$ while $x_1 x_8 x_9 = 111 \cdot 109 \cdot 110 \equiv 438 \pmod n$, i.e. $438^2 \equiv 438^2 \pmod n$. Likewise $(x_1 x_7 x_{11})^2 \equiv 2 \cdot 870 \cdot 435 = (2 \cdot 3 \cdot 5 \cdot 29)^2 = 870^2$ with $x_1 x_7 x_{11} \equiv 870 \pmod n$, which yields the trivial $870^2 \equiv 870^2 \pmod n$.

7 Primality Checking

If factoring a number is so hard, then how can we be sure that a large number $p$ or $q$ we choose is actually a prime? We need some method to check whether a number is prime. This is how we generate large primes: we generate a large odd random number and check whether it is prime; if not, we increment it by $2$ and check again, until we get a prime. Now how do we check whether a number is prime? An obvious way of checking whether $n$ is prime is to test whether any prime $\le \sqrt{n}$ divides $n$. For very large $n$ (we are talking of numbers with perhaps hundreds of digits) this is certainly not feasible. Until very recently there was no polynomial time algorithm for determining with absolute certainty whether a number is prime, and the new development (the AKS test) is also not very practical due to its computational cost. Most practical primality checking methods are probabilistic: they give an assurance that if a number passes the test, the probability that the number is composite is very small, and the probability of failure of the test (the test not detecting a composite) can be made arbitrarily small by increasing the amount of testing.

Most primality checks are based on some form of Fermat's little theorem, $a^{p-1} \equiv 1 \pmod p$ for $a \in \mathbb{Z}_p$, $a \ne 0$. Given a number $n$, if
    $a^{n-1} \equiv 1 \pmod n \quad \forall a \in \mathbb{Z}_n, a \ne 0,$   (53)
then $n$ is prime. Actually this is not strictly true: there are special numbers called Carmichael numbers which satisfy (53) and are not primes. (Footnote 3: well, not exactly. Carmichael numbers satisfy (53) for the $a$ with $(a, n) = 1$. But this is irrelevant for primality testing, as if $(a, n) \ne 1$ we have already determined that $n$ is not prime!) But those

numbers are rare, and so we shall ignore them for the time being. (Footnote 4: the smallest Carmichael number is $561 = 3 \cdot 11 \cdot 17$, which satisfies $a^{560} \equiv 1 \pmod{561}$ for all $a$ with $(a, 3) = (a, 11) = (a, 17) = 1$.) If, for a particular $a$, $a^{n-1} \equiv 1 \pmod n$, then $n$ is said to be a (Fermat) pseudo-prime to the base $a$. But if we had to check every $a$ to make sure $n$ is a pseudo-prime to each base, we would gain nothing by using FLT. The trick is to realize that if the test fails for one base, then it fails for at least $n/2$ of the bases! So if $n$ is composite, the probability that $n$ is a pseudo-prime to a random base $a$ is at most one half. If the test is repeated $k$ times, the probability that all $k$ choices of $a$ pass (and the method therefore fails to detect a composite) is at most $2^{-k}$, which can be made arbitrarily small by increasing $k$. In practice $k = 100$ should very easily suffice.

But now we have to substantiate the claim that if the test fails for a particular base it fails for at least $n/2$ bases. If $n$ is a pseudo-prime to bases $a_1$ and $a_2$, then obviously
1. $n$ is a pseudo-prime to base $a_1 a_2$;
2. $a_1^{-1}$ and $a_2^{-1}$ are also bases to which $n$ is a pseudo-prime, and therefore so are $a_1 a_2^{-1}$ and $a_1^{-1} a_2$.
What is not so readily obvious is that if $n$ is a pseudo-prime to base $a$ and not to base $b$, then $n$ is not a pseudo-prime to base $c = ab$. For if $n$ were a pseudo-prime to base $c = ab$, it would be a pseudo-prime to base $c a^{-1} = a b a^{-1} = b$, which is not true. Let us assume that $n$ is a pseudo-prime to $a_1, \ldots, a_k$, and let there be a $b$ such that $n$ is not a pseudo-prime to base $b$. For every $a_i$ to which $n$ is a pseudo-prime we now have a distinct $b a_i$ to which $n$ is not a pseudo-prime. (Footnote 5: if $\{a_1, \ldots, a_k\}$ are distinct, why are $\{b a_1, \ldots, b a_k\}$ distinct?) Thus either $n$ is a pseudo-prime to all bases, or $n$ is not a pseudo-prime to at least half the bases.

7.1 Miller-Rabin Test

This test is much more efficient and is used in most RSA implementations. Write
    $n - 1 = 2^s r$,   (54)
where $r$ is odd. Now for a random $a$ we calculate
    $v_0 \equiv a^r \pmod n$
    $v_1 \equiv v_0^2 \pmod n$
    $\vdots$
    $v_s \equiv v_{s-1}^2 \equiv a^{n-1} \pmod n$.
If $v_s \equiv a^{n-1} \not\equiv 1 \pmod n$, we know that $n$ is composite and the test stops here. However, if $v_s \equiv 1 \pmod n$ (which means $n$ is a pseudo-prime to base $a$), and we find some $v_i$, $i < s$, such that
    $v_i \not\equiv \pm 1 \pmod n$ and $v_{i+1} \equiv 1 \pmod n$,
then $v_i$ is a non-trivial square root of $1$, which means $n$ has non-trivial factors (Section 4.3), so $n$ cannot be prime! On the other hand, if we have either
    $v_0 \equiv \pm 1 \pmod n$   (55)
or
    $v_{i-1} \not\equiv \pm 1 \pmod n$ and $v_i \equiv -1 \pmod n$ for some $i < s$,   (56)
then $n$ is a strong pseudo-prime to base $a$. Obviously, if $n$ is a strong pseudo-prime to base $a$ it is also a pseudo-prime to base $a$, so the Miller-Rabin test is a stricter test. It has been shown (we will not do that here) that for a composite $n$ the number of bases to which $n$ is a strong pseudo-prime is at most a quarter of all bases, so the failure probability of the test goes down much faster: if $k$ random $a$'s pass the test, the probability that $n$ is composite is at most $4^{-k}$. Also, this test does not fail to identify Carmichael numbers as composites.

As an example to verify that Carmichael numbers do not pose a problem for the Miller-Rabin test, note that
    $2^{560} \equiv 1 \pmod{561}$.   (57)
However, as $560 = 2^4 \cdot 35$, with the Miller-Rabin test we have
    $v_0 \equiv 2^{35} \equiv 263 \pmod{561}$
    $v_1 \equiv v_0^2 \equiv 166 \pmod{561}$
    $v_2 \equiv v_1^2 \equiv 67 \pmod{561}$
    $v_3 \equiv v_2^2 \equiv 1 \pmod{561}$,
so $561$ fails the Miller-Rabin test for primality. We have determined that $67^2 \equiv 1 \pmod{561}$, i.e. $561 \mid (67 - 1)(67 + 1)$ while $561 \nmid (67 - 1)$ and $561 \nmid (67 + 1)$. So we can get two factors of $561$ as $(66, 561) = 33$ and $(68, 561) = 17$ (and $33 = 3 \cdot 11$ supplies the third prime factor).

8 RSA

For RSA we choose two large primes $p$ and $q$ and calculate $n = pq$,

φ(n) = (p - 1)(q - 1)

n, e are the public keys; d is the private key, with e such that (e, φ(n)) = 1 and

d ≡ e^{-1} mod φ(n). (57)

Now we should destroy p, q, φ(n). We do not need them any more. The person encrypting messages needs to know e and n. The person decrypting the message needs to know d and n. Destroy p, q and φ(n) - they are not needed anymore! Now if P ∈ Z_n is the message,

C ≡ P^e mod n
P ≡ C^d mod n (58)

Why? We know ed ≡ 1 mod φ(n), or ed = tφ(n) + 1, t ∈ Z. Therefore,

C^d ≡ (P^e)^d ≡ P^{ed} ≡ P^{tφ(n)+1} ≡ P mod n.

The last step is the result of the equivalence in Eq (40). Recall that for P with (P, n) = 1, we know very well that P^{tφ(n)} ≡ 1 mod n. However, for P with (P, n) ≠ 1 we still have P^{tφ(n)+1} ≡ P mod n, even though in general P^{tφ(n)} ≢ 1 mod n.

To be able to implement RSA we need efficient algorithms for
1. generating primes p and q,
2. checking if (e, φ(n)) = 1,
3. calculating d ≡ e^{-1} mod φ(n),
4. calculating C ≡ P^e mod n and P ≡ C^d mod n.

We know how to generate large primes - we generate large odd numbers and test them for primality. The Euclidean algorithm can be used for efficiently calculating the gcd of numbers (also page 158 of the text). The extended Euclidean algorithm (also page 160) can be used for obtaining the Bezout representation of the gcd, which can be used to calculate the modular inverse (a special form of the extended algorithm - page 161 in the text - is more efficient for this purpose). Calculating powers in the modular domain is done using the square-and-multiply algorithm, which we shall see in the next section.

8.1 Square and Multiply Algorithm

How do we efficiently calculate

y ≡ a^x mod n? (59)

Let b_r b_{r-1} ... b_0 be the binary representation of x, or x = Σ_{i=0}^{r} b_i 2^i. Then

a^x = Π_{i=0}^{r} a^{b_i 2^i} = a^{b_r 2^r} a^{b_{r-1} 2^{r-1}} ··· a^{b_0}. (60)

An efficient algorithm for calculating y ≡ a^x mod n is as follows:

z := 1;
for i := r down to 0
    z := z^2 mod n
    if (b_i = 1)
        z := z · a mod n
    endif
endfor
y := z; (61)

Consider an example: y ≡ a^{43} mod 87. The binary representation of 43 is b_5 b_4 b_3 b_2 b_1 b_0 = 101011. We can therefore write, as in Eq (60),

a^{43} = a^{32} · a^{8} · a^{2} · a. (62)

The algorithm of Eq (61) would proceed as follows:

i | b_i | z_{i-1} | z_i mod n (63)
(the numerical entries of this table, one row per i from 5 down to 0, did not survive transcription)

Note the correspondence between Eq (62) and the last row in the last column of Eq (63). The square-and-multiply algorithm is thus equivalent to Eq (60).

8.2 Compromised Decryption Exponent

Alice generated her n, e, d. She didn't throw away her φ(n). She hid it someplace where nobody but her can get to it. She has her secret exponent d stored in her computer (she has to, if she needs to decrypt messages!). Alice suspects that Oscar may have somehow found out her secret exponent d. She's glad that she didn't throw away her φ(n) - all she has to do is change her e, d pair! All she needs to generate another e, d pair is φ(n)! She does not have to go through the tedious process of generating new primes p_1, q_1 and then changing her public modulus to N_1 = p_1 q_1. Now the question is, is Alice being smart or stupid? In other words, if your secret exponent is compromised

can you just get away by changing the public and private exponents? Well, if Oscar knows e (obviously) and d, he knows ed - 1 = tφ(n) = t(p - 1)(q - 1) = x. As t may have some non-trivial factors, factoring tφ(n) does not help, as there is no way to determine whether a factor belongs to t or to φ(n). Let x = 2^s r = ed - 1, where r is odd. All we are doing here is removing all the powers of 2 in x = ed - 1 (or removing the s trailing zeros in the binary representation of x). Now Oscar chooses a random 1 ≤ w ≤ n - 1 and calculates v_0 ≡ w^r mod n. If w^r ≡ ±1 mod n he chooses a different value of w. If v_0 ≢ ±1 mod n he calculates v_1 ≡ v_0^2 mod n. Once again, if v_1 ≢ ±1 mod n, Oscar calculates v_2 ≡ v_1^2 mod n, and so on. We know that eventually v_s ≡ w^x mod n ≡ 1 mod n, but it is also possible that for some value m < s Oscar gets v_m ≡ 1 mod n (if v_m ≡ 1 mod n, then v_s ≡ 1 mod n, m < s). Suppose v_{m-1} ≢ ±1 mod n. This means Oscar has found a non-trivial square root of unity! So he can factorize n the same way we compromised the Rabin cipher with known plaintext. As v_{m-1} ≢ ±1 mod n, we have n ∤ (v_{m-1} - 1), n ∤ (v_{m-1} + 1) and n | (v_{m-1} - 1)(v_{m-1} + 1). So we can get a factor of n (p or q) by evaluating the gcd ((v_{m-1} - 1), n) or ((v_{m-1} + 1), n).

It can be proved that such a non-trivial square root can be found for 50% of the possible choices for w - but the proof is a little involved. We'll not do it here. But to give a gist of the proof, the choice of w is bad (will fail to factorize n) if either of the two conditions below is true:

w^r ≡ 1 mod n
w^{2^t r} ≡ -1 mod n for some t, 0 ≤ t ≤ s - 1

We need to get an estimate of the total number of solutions for the two equations above. It turns out that the total number is less than n/2.

8.3 Small Encryption Exponent

Many researchers have suggested that we could use small encryption exponents to reduce the computational complexity of RSA. So 3 is a good choice. We'll digress a little bit here. Remember that we couldn't choose 3 as the encryption exponent when p = 7 and q = 11 (Assignment 3)?
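The square chain of Eqs (53)-(55), square-and-multiply as in Eq (61), and the recovery of a factor of n from a leaked d in 8.2 all rest on the same mechanism, a non-trivial square root of unity, so the following added Python example (written for these notes, not part of them) implements all three with one shared helper; the toy RSA key n = 3233, e = 17, d = 2753 and the function names are the example's own assumptions.

```python
"""Added example (not from the lecture notes): the Rabin-Miller square chain
of Eqs (53)-(55), square-and-multiply as in Eq (61), and the 8.2 procedure
that turns a leaked decryption exponent d into a factor of n. The RSA key
(n = 3233 = 61 * 53, e = 17, d = 2753) in the demo is a constructed toy key."""
from math import gcd
import random


def square_and_multiply(a, x, n):
    """Left-to-right square-and-multiply (Eq (61)): scan the bits b_r ... b_0
    of x from the most significant end, squaring at every bit and multiplying
    by a where the bit is 1."""
    z = 1
    for bit in bin(x)[2:]:
        z = (z * z) % n
        if bit == "1":
            z = (z * a) % n
    return z


def split_powers_of_two(x):
    """Write x = 2**s * r with r odd (Eq (53) for x = n - 1; x = ed - 1 in 8.2)."""
    s = 0
    while x > 0 and x % 2 == 0:
        x //= 2
        s += 1
    return s, x


def square_chain(n, x, a):
    """The chain v_0 = a^r, v_1 = v_0^2, ..., v_s = a^x (mod n) for x = 2^s r.
    It stops as soon as a 1 appears, since every later term would also be 1."""
    s, r = split_powers_of_two(x)
    chain = [square_and_multiply(a, r, n)]
    for _ in range(s):
        if chain[-1] == 1:
            break
        chain.append((chain[-1] * chain[-1]) % n)
    return chain


def nontrivial_sqrt_factor(n, chain):
    """If some v with v not congruent to +/-1 squares to 1 (mod n), then
    n | (v-1)(v+1) while n divides neither factor, so gcd(v - 1, n) is a
    proper factor of n. Returns None when the chain shows no such v."""
    for prev, cur in zip(chain, chain[1:]):
        if cur == 1 and prev not in (1, n - 1):
            return gcd(prev - 1, n)
    return None


def miller_rabin_round(n, a):
    """One Rabin-Miller round (7.1) to base a, for odd n > 2 and 1 < a < n - 1.
    Returns ("probable prime", None) when (54) or (55) holds, i.e. n is a
    strong pseudo-prime to base a; otherwise ("composite", f), where f is a
    proper factor of n if a non-trivial square root of 1 was seen, or None if
    the chain merely failed to reach 1 (a^(n-1) != 1, the Fermat failure)."""
    s, _ = split_powers_of_two(n - 1)
    chain = square_chain(n, n - 1, a)
    if chain[0] in (1, n - 1) or (n - 1) in chain[1:s]:
        return "probable prime", None
    return "composite", nontrivial_sqrt_factor(n, chain)


def factor_from_ed(n, e, d, seed=0):
    """Section 8.2: ed - 1 is a multiple of phi(n), so w^(ed-1) = 1 (mod n) for
    every w coprime to n. Running the square chain on x = ed - 1 exposes a
    non-trivial square root of unity for at least half of the choices of w,
    which yields a factor of n without ever factoring ed - 1 itself."""
    x = e * d - 1
    rng = random.Random(seed)            # fixed seed so the demo is repeatable
    while True:
        w = rng.randrange(2, n - 1)
        g = gcd(w, n)
        if g != 1:
            return g                     # w itself shares a factor with n
        f = nontrivial_sqrt_factor(n, square_chain(n, x, w))
        if f is not None:
            return f                     # a "bad" w (w^r = +/-1, ...) just loops


if __name__ == "__main__":
    # 561 = 3 * 11 * 17 passes Fermat to base 2 (Eq (56)) but not Rabin-Miller.
    print(square_and_multiply(2, 560, 561))      # 1
    print(square_chain(561, 560, 2))             # [263, 166, 67, 1]
    # gcd(66, 561) = 33 = 3 * 11: with three prime factors, v - 1 catches two.
    print(miller_rabin_round(561, 2))            # ('composite', 33)
    print(miller_rabin_round(23, 5))             # ('probable prime', None)
    print(factor_from_ed(3233, 17, 2753))        # a proper factor: 53 or 61
```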
But for serious RSA we'll see that p and q have to be chosen such that p - 1 and q - 1 have no small factors (apart from 2 - which has to be a factor, as p - 1 and q - 1 are even). This is done for very good reasons which will be explained at a later time (when we consider factoring algorithms). So 3 is a good choice. What happens if many RSA implementations choose 3 as their encryption exponent? Let us say there are 3 RSA implementations with moduli n_1, n_2, n_3. Suppose the same message P is sent to three such people. We have

P^3 ≡ c_1 mod n_1
P^3 ≡ c_2 mod n_2
P^3 ≡ c_3 mod n_3

Obviously P < n_1, P < n_2, P < n_3 and therefore P^3 < n_1 n_2 n_3. So if CRT is used to solve the system of equations we get P^3 mod n_1 n_2 n_3; we just need to take the cube root of P^3. Again, as P^3 < n_1 n_2 n_3, the regular cube root is the same as the modulo cube root!

8.4 Common RSA Modulus

What happens if both Alice and Bob have the same modulus n (which means the same p and q) but different public exponents e_1 and e_2? Suppose Oscar knows that Charlie has sent the same message P to both Alice and Bob. So Oscar knows

c_1 ≡ P^{e_1} mod n
c_2 ≡ P^{e_2} mod n

With the knowledge of e_1, e_2, c_1 and c_2, can Oscar figure out P? If e_1 and e_2 are relatively prime, Oscar can calculate r and s such that

r e_1 + s e_2 = 1.

So all Bob has to do is to get

c_1^r c_2^s ≡ (P^{e_1})^r (P^{e_2})^s = P^{e_1 r} P^{e_2 s} ≡ P^{e_1 r + e_2 s} ≡ P mod n.

9 Exponential Congruences

We discussed quadratic congruences extensively. Now let's look at more general exponential congruences. Going along the same lines as quadratic congruences, we could state the problem as one of solving a^x ≡ b mod n for x. What is more useful, however, is solving the following problem: g^x ≡ a mod n for x, given g, a, n. In the world of real numbers we would write the solution as x = log_g a.
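An added Python example (not from the notes) running the two computations of 8.3 and 8.4 end to end: the CRT-plus-integer-cube-root recovery for three e = 3 moduli, and the Bezout combination for two exponents sharing one modulus. The moduli, exponents, messages and function names are constructed assumptions of the example.

```python
"""Added example (not from the lecture notes): the RSA misuse cases of 8.3
(same message, e = 3, three moduli) and 8.4 (common modulus, coprime
exponents) worked through in code on constructed toy keys."""


def egcd(a, b):
    """Extended Euclid: returns (g, r, s) with r*a + s*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, r1, s1 = egcd(b, a % b)
    return g, s1, r1 - (a // b) * s1


def crt(residues, moduli):
    """Combine x = r_i (mod n_i), pairwise coprime n_i, into x mod prod(n_i)."""
    x, big_n = 0, 1
    for r, m in zip(residues, moduli):
        t = ((r - x) * pow(big_n, -1, m)) % m
        x += big_n * t
        big_n *= m
    return x % big_n


def icbrt(n):
    """Integer cube root by bisection: the least y with y**3 >= n."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < n:
            lo = mid + 1
        else:
            hi = mid
    return lo


def broadcast_recover(moduli, ciphertexts):
    """8.3: three recipients with e = 3 and pairwise coprime moduli receive
    the same P. CRT gives P^3 mod n1*n2*n3, and because P^3 < n1*n2*n3 the
    ordinary integer cube root of that value is P itself."""
    cube = crt(ciphertexts, moduli)
    p = icbrt(cube)
    if p ** 3 != cube:
        raise ValueError("CRT value is not a perfect cube: not one message to all three")
    return p


def common_modulus_recover(n, e1, c1, e2, c2):
    """8.4: same n, coprime e1, e2, same P. With r*e1 + s*e2 = 1,
    c1^r * c2^s = P^(r*e1 + s*e2) = P (mod n). A negative r or s is handled
    by raising the modular inverse of that ciphertext instead."""
    g, r, s = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be relatively prime")

    def power(c, k):
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return (power(c1, r) * power(c2, s)) % n


# Constructed demo keys: every prime p has 3 not dividing p - 1, so e = 3 is valid.
BROADCAST_MODULI = [101 * 113, 107 * 83, 89 * 71]     # 11413, 8881, 6319
COMMON_N, E1, E2 = 61 * 53, 17, 7                      # phi = 3120, (e, phi) = 1


def demo_broadcast(message=1234):
    """Encrypt one message to all three moduli with e = 3, then recover it."""
    cts = [pow(message, 3, n) for n in BROADCAST_MODULI]
    return broadcast_recover(BROADCAST_MODULI, cts)


def demo_common_modulus(message=65):
    """Encrypt one message under two exponents sharing a modulus, then recover."""
    c1, c2 = pow(message, E1, COMMON_N), pow(message, E2, COMMON_N)
    return common_modulus_recover(COMMON_N, E1, c1, E2, c2)


if __name__ == "__main__":
    print(demo_broadcast())         # 1234
    print(demo_common_modulus())    # 65
```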

In the discrete world we represent the solution as

x = log_{g,n} a. (64)

9.1 Order of an Integer Modulo n

Let n, b be positive integers such that b < n. Let z be the minimum positive integer satisfying b^z ≡ 1 mod n. We call z the order of b in the modulo domain n: |b|_n = z. We can therefore write, for any number x < n, x^{|x|_n} ≡ 1 mod n. If n = p, where p is prime, then for any b < n,

|b|_p | (p - 1). (65)

Why? We know

b^{|b|_p} ≡ 1 mod p and b^{p-1} ≡ 1 mod p.

Let us assume that for some value of x > |b| we have b^x ≡ 1 mod p. We can write x = q|b| + r, q ∈ Z, r ∈ Z_{|b|}, where r < |b|. We have

b^x = b^{q|b| + r} = b^{q|b|} b^r ≡ b^r ≡ 1 mod p.

But r < |b|, which is a contradiction (or r would be the order and not |b|). The only possible solution is therefore r = 0, which means |b| | x. As this should be true for any x which satisfies b^x ≡ 1 mod p, and (p - 1) is one such value, |b| | (p - 1). It is also very simple to show that if b^i ≡ b^j mod p then i ≡ j mod |b|_p.

9.2 Order of b^u

If |b|_p = t, then what is the order of b^u? Let s = |b^u|_p. Let v = (t, u), with t = v t_1, u = v u_1 and (t_1, u_1) = 1. So we have

(b^u)^{t_1} = (b^{v u_1})^{t/v} = (b^t)^{u_1} ≡ 1 mod p.

Specifically,

s = |b^u|_p and (b^u)^{t_1} ≡ 1 mod p ⇒ s | t_1.

Also,

|b|_p = t and (b^u)^s = b^{us} ≡ 1 mod p ⇒ t | us ⇒ v t_1 | v u_1 s ⇒ t_1 | u_1 s ⇒ t_1 | s, as (t_1, u_1) = 1.

So we have s | t_1 and t_1 | s ⇒ s = t_1. Thus

|b^u|_p = s = t_1 = t/(t, u) = |b|/(|b|, u). (66)

9.3 Generators

An element g ∈ Z_p^* is a generator if |g|_p = p - 1. Let g be a generator of Z_p^*. Now we can show that if Z_p^* has a generator, it has φ(p - 1) of them! We know that the order of g^u is |g^u|_p = (p - 1)/(p - 1, u). Thus if u and p - 1 are relatively prime then

|g^u|_p = |g|_p = p - 1. (67)

There are φ(p - 1) possible u's such that g^u is a generator!
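An added Python example (not from the notes) that computes |b|_p from the definition in 9.1, checks the order formula of Eq (66), lists the generators of Z_p^* as the powers g^u with (u, p - 1) = 1 from Eq (67), and counts the elements of each order; the function names are the example's own.

```python
"""Added example (not from the lecture notes): orders of elements modulo a
prime p, the order of b^u (Eq (66)), generators as g^u with (u, p-1) = 1
(Eq (67)), and the count of elements of each possible order."""
from math import gcd


def order(b, p):
    """|b|_p: the smallest z >= 1 with b^z = 1 (mod p); p prime, 1 <= b < p."""
    z, v = 1, b % p
    while v != 1:
        v = (v * b) % p
        z += 1
    return z


def phi(n):
    """Euler's totient by counting, fine for the small n used here."""
    return sum(1 for u in range(1, n + 1) if gcd(u, n) == 1)


def divisors(n):
    return [d for d in range(1, n + 1) if n % d == 0]


def order_of_power(b, u, p):
    """Eq (66): |b^u|_p = |b|_p / (|b|_p, u)."""
    t = order(b, p)
    return t // gcd(t, u)


def generators_from(g, p):
    """Given one generator g of Z_p^*, all generators are g^u with
    (u, p - 1) = 1 (Eq (67)); there are phi(p - 1) of them."""
    assert order(g, p) == p - 1, "g is not a generator"
    return sorted({pow(g, u, p) for u in range(1, p - 1) if gcd(u, p - 1) == 1})


def order_table(p):
    """Element -> order, like the tables in 9.4, for every element of Z_p^*."""
    return {b: order(b, p) for b in range(1, p)}


def elements_of_order(p, z):
    return [b for b, o in order_table(p).items() if o == z]


def check_counts(p):
    """For each divisor d of p - 1 there are exactly phi((p-1)/d) elements of
    order (p-1)/d, and these counts add up to p - 1 (Eq (68) in 9.4).
    Returns True when both statements hold for this p."""
    tab = order_table(p)
    total = 0
    for d in divisors(p - 1):
        z = (p - 1) // d
        cnt = sum(1 for o in tab.values() if o == z)
        if cnt != phi(z):
            return False
        total += cnt
    return total == p - 1


if __name__ == "__main__":
    print(order_table(7))            # {1: 1, 2: 3, 3: 6, 4: 3, 5: 6, 6: 2}
    print(generators_from(3, 7))     # [3, 5]
    print(elements_of_order(11, 5))  # [3, 4, 5, 9]
    print(check_counts(11))          # True
```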
9.4 Divisors of p - 1 and Orders of Elements in Z_p^*

We know now that the order of any number in Z_p^* divides p - 1. Let d_1, d_2, ..., d_m be the divisors of p - 1, with d_1 < d_2 < ... < d_{m-1} < d_m. Now d_1 = 1, d_2 = 2 (as p - 1 has to be even), d_{m-1} = (p - 1)/2, and d_m = p - 1. All the p - 1 numbers in the prime field have some order. The different values the orders could take are therefore (p - 1)/d_1, (p - 1)/d_2, ..., (p - 1)/d_{m-1}, (p - 1)/d_m,

or p - 1, (p - 1)/2, ..., 2, 1. So how many elements are there of each order? We already know that there are φ(p - 1) generators - or φ(p - 1) numbers with order p - 1. We also know that there is one number with order 1. That's the number 1 itself! Note that φ(1) = 1. There's also exactly one number, p - 1, with order 2. Again note that φ(2) = 1. In general we will have φ((p - 1)/d_i) numbers with order (p - 1)/d_i.

Let us consider a simple example. Let p = 7. The divisors of p - 1 = 6 are 1, 2, 3 and 6. The orders of the various numbers are

Element | Order
1 | 1
2 | 3
3 | 6
4 | 3
5 | 6
6 | 2

Note that φ(6) = φ(2) φ(3) = 1 · 2 = 2. So there are two generators (or elements with order p - 1 = 6) - in this case they are 3 and 5. Let us say we knew that 3 was a generator. How do we find the other one? The other one has to be of the form 3^u where u is relatively prime to 6. That's just two numbers, 1 and 5: 3^1 gives you 3 and 3^5 gives you 5. Similarly, we should have φ(3) = 2 numbers of order 3. Let us say we found one such number, say 4. So the other number has to be 4^u where (u, 3) = 1. With u = 2 we get the other number 4^2 = 16 ≡ 2 mod 7. We already know trivially the element with order 2 - that is -1, or p - 1. And the number with order 1 is 1 itself.

Let us consider another example. This time p = 11.

Element | Order
(the entries of this table did not survive transcription)

We can easily verify that 2 is a generator. So what are the other generators? We have all possible u where (u, 10) = 1, or u = 3, 7, 9. The other generators are 2^3 = 9, 2^7 = 7 and 2^9 = 6. We can also quickly check that 3 has order 5. What are the other elements with order 5? They are numbers of the form 3^u where (u, 5) = 1, or u = 2, 3, 4. The elements with order 5 are therefore 3^2 = 9, 3^3 = 5 and 3^4 = 4. The remaining elements are 1 with order 1 and 10 with order 2.

There's another interesting observation we can make here. As every number should have a unique order, the order should divide p - 1, and we have φ(x) numbers of order x,

Σ_{i=1}^{m} φ((p - 1)/d_i) = p - 1. (68)

10 Algorithms for Discrete Log

Given

g^x ≡ a mod p, (69)

we need to find 0 ≤ x ≤ p - 1 when a, g and p are known. Taking the logarithm to base g, Eq (69) can be rewritten as

log_g g^x = x ≡ log_g a mod (p - 1). (70)

Note that the modulus has changed from p in Eq (69) to p - 1 in Eq (70). This is a direct consequence of Fermat's Little Theorem: g^{x + k(p-1)} ≡ g^x mod p. In general, for any m,

g^x ≡ a mod m ⇒ log_g g^x = x ≡ log_g a mod φ(m). (71)

10.1 Shank's Algorithm

To solve for x where g^x ≡ a mod p, a ∈ Z_p^*, the obvious and straightforward way would be to try p candidate x's to see which x satisfies the equivalence. This would need no memory and would need O(p) computations. As an alternative we could precompute and store the values of g^i mod p for 1 ≤ i ≤ p, or O(p) values of i. Then for any given a we just have to look up the table of precomputed values to find x. So we could solve for x using O(p) computations and no storage, or O(p) storage and no computation (only table look-up). The question now is, are there time-memory trade-offs? The answer is yes. Shanks' algorithm for discrete logs uses this time-memory trade-off to solve for x with O(√p) memory complexity and O(√p) computational complexity.

To see how Shank's algorithm works, note that we can represent any x ∈ Z_{p-1} as

x = i + jm, m = ⌈√p⌉, 0 ≤ i, j < m. (72)

Or

g^x ≡ g^{i + jm} mod p ⇒ a (g^i)^{-1} ≡ g^{x - i} ≡ g^{i + jm - i} ≡ g^{jm} mod p. (73)

So all we have to do is precompute the m values of the RHS of Eq (73), viz.,

L_j ≡ g^{jm} mod p, 0 ≤ j < m, (74)

and for any given a compute the m values of the LHS

R_i ≡ a g^{-i} mod p, 0 ≤ i < m, (75)

and check for equality of RHS and LHS.[6] Whenever we have R_i = L_j, we know x = jm + i.

[6] To make the comparison easier, the precomputed values (RHS) are usually stored in ascending or descending order.

Actually we could also precompute a table of

r_i = g^{-i} mod p, 0 ≤ i < m. (76)

So we would have two precomputed tables (total storage 2m): one table of r_i and the other of L_j. For a given a we just have to compute a r_i = R_i to obtain the R_i.

10.1.1 Example

Solve 5^x ≡ 11 mod 23. We have m = ⌈√23⌉ = 5. For j = 0, ..., 4 we calculate g^{jm} mod 23 = 5^{5j} mod 23:

j | 5^{5j} mod 23
0 | 1
1 | 20
2 | 9
3 | 19
4 | 12
(77)

This finishes the precomputation part.[7] For any value of a we should be able to solve for x with just m = 5 computations. For the specific case of a = 11 we have

i | 11 · 5^{-i} mod 23
0 | 11
1 | 16
2 | 17
3 | 8
4 | 20
(78)

Note that for j = 1 and i = 4 we have g^{jm} ≡ a g^{-i} ≡ 20 mod p. Thus x = jm + i = 5 + 4 = 9. Check that 5^9 ≡ 11 mod 23. If a = 6 instead, the second table would be different:

i | 6 · 5^{-i} mod 23
0 | 6
1 | 15
2 | 3
3 | 19
4 | 13
(79)

Here we see that equality between the second column of the table above and the precomputed table occurs at 19, for j = 3 and i = 3. Which means x = 15 + 3 = 18. Check that 5^{18} ≡ 6 mod 23.

[7] We will not try to sort the precomputed table as our table is very small.

10.2 Silver, Pohlig and Hellman Algorithm

This method works well when p - 1 consists of many small factors. Let

p - 1 = m_1 m_2 ··· m_n,

such that (m_i, m_j) = 1, i ≠ j. We know that x is unique mod p - 1. To find x we can equivalently determine the residues of x mod m_1, m_2, ..., m_n, or

x ≡ χ_1 mod m_1
x ≡ χ_2 mod m_2
...
x ≡ χ_n mod m_n

We could then use CRT to determine x mod p - 1. Consider

A_i ≡ a^{(p-1)/m_i} mod p.

We can easily calculate A_i using the square-and-multiply algorithm, as a, p, m_i are known (also note that m_i | p - 1 ∀ i). For i = 1, we can see that

g^x ≡ a mod p ⇒ A_1 ≡ a^{(p-1)/m_1} ≡ g^{x(p-1)/m_1}.

The exponent in g^{x(p-1)/m_1} can be expanded as

x(p - 1)/m_1 = (χ_1 + k m_1)(p - 1)/m_1 = χ_1 (p - 1)/m_1 + k(p - 1), k ∈ Z.

As all terms which are multiples of p - 1 in the exponent can be ignored, we have

A_1 ≡ g^{χ_1 (p-1)/m_1} mod p.

The RHS in the equation above can take only m_1 distinct values, as 0 ≤ χ_1 < m_1. So we can find χ_1 by brute force, so that the above equation is satisfied. The same can be repeated for the other domains m_2, ..., m_n (for i = 2, ..., n). To find the residues χ_1, χ_2, ..., χ_n we need to check only Σ_{i=1}^{n} m_i values (instead of Π_{i=1}^{n} m_i values if we cannot determine the factors of p - 1). Note that if p - 1 has small factors the payoff of using this method is tremendous! For example, if p = 2003, p - 1 = 2002 = 2 · 7 · 11 · 13, we need to check 2 + 7 + 11 + 13 = 33 congruences instead of checking 2002 congruences! As another example, if p = 54001, p - 1 = 54000 = 2^4 · 3^3 · 5^3, we need to check 16 + 27 + 125 = 168 congruences instead of 54000. Actually we can do better than that! For the example above, realizing 54000 = 2^4 · 3^3 · 5^3 = q_1^{e_1} q_2^{e_2} q_3^{e_3}, we can achieve what we want by brute-forcing only 2 + 3 + 5 = 10 congruences! This is how. Let

p - 1 = Π_{i=1}^{n} m_i = Π_{i=1}^{n} q_i^{e_i}.

For simplicity let us drop the suffix i. We will represent some m_i = q_i^{e_i} as m = q^e, and the residue x ≡ χ mod m as x ≡ χ mod q^e. So x = χ + k q^e, k ∈ Z. We can refine this a little further by writing χ itself in base q:

χ = y_0 + y_1 q + y_2 q^2 + ··· + y_{e-1} q^{e-1}, 0 ≤ y_i < q. (80)

(This is analogous to writing a number, say 103, in base 10.) We also shall define

r_{q,j} = g^{j(p-1)/q} mod p, 0 ≤ j ≤ q - 1,

and calculate the q possible values of r_{q,j} and store them in a table. Now consider

B_0 ≡ a^{(p-1)/q} = g^{x(p-1)/q} mod p.

Again the exponent can be rewritten as

x(p - 1)/q = y_0 (p - 1)/q + (y_1 + y_2 q + ··· + y_{e-1} q^{e-2})(p - 1) = y_0 (p - 1)/q + multiples of (p - 1).

Thus

B_0 = g^{y_0 (p-1)/q} mod p = r_{q, j=y_0}.

Or, from the table of r_{q,j} values we can determine y_0. Now we have to evaluate y_1. To do this, we define

a_1 = a g^{-y_0} mod p ≡ g^{x - y_0}.

Also, let

B_1 ≡ a_1^{(p-1)/q^2} = g^{(x - y_0)(p-1)/q^2} mod p.

We can easily see (by removing terms that are multiples of p - 1 in the exponent) that

B_1 ≡ g^{y_1 (p-1)/q} mod p ≡ r_{q, j=y_1}.

So we have y_1 now! Similarly, by defining

a_2 = a g^{-(y_0 + y_1 q)} and B_2 ≡ a_2^{(p-1)/q^3} ≡ g^{y_2 (p-1)/q} = r_{q, y_2},

we can determine y_2. Similarly we can find y_3, ..., y_{e-1}, and from the values of y_0, ..., y_{e-1} we can calculate χ using Eq (80). Then we repeat this for every prime q_i, 1 ≤ i ≤ n, to calculate χ_1, ..., χ_n.

10.2.1 Example

Given 2^x ≡ 8 mod 37, find x. We have p - 1 = 36 = 4 · 9 = 2^2 · 3^2. We have q_1 = 2, e_1 = 2 and q_2 = 3, e_2 = 2, and n = 2. Also, g = 2, a = 8, p = 37. First we build the table for q_1 = 2. This would consist of the values r_{2,j}, 0 ≤ j ≤ q_1 - 1, or r_{2,0} and r_{2,1}:

r_{2,0} = g^{0 · (p-1)/2} = 2^0 = 1
r_{2,1} = 2^{1 · (p-1)/2} = 2^{18} ≡ 36

We shall try to find the value of x mod 4 = q_1^{e_1} = 2^2 first. We have χ_1 = y_0 + q_1 y_1 = y_0 + 2 y_1. To find y_0 we calculate

a^{(p-1)/q_1} = 8^{36/2} mod 37 ≡ 1 mod 37.

Note that the entry r_{2,j=0} = 2^0, which means j = 0, or y_0 = 0. Next, to calculate y_1 we evaluate a_1 = a g^{-y_0} = a (in this case a_1 = a, as y_0 = 0). Now,

a_1^{(p-1)/q_1^2} = 8^{36/4} ≡ 36 mod 37.

So we have y_1 = 1 (the entry corresponding to 36 is r_{2,j=1} = 36). Thus χ_1 = y_0 + 2 y_1 = 2 mod 4. Next we build the table for q_2 = 3. We have to find

r_{3,0} = g^{0 · (p-1)/3} = 2^0 = 1
r_{3,1} = 2^{1 · (p-1)/3} = 2^{12} ≡ 26
r_{3,2} = 2^{2 · (p-1)/3} = 2^{24} ≡ 10

χ_2 = y_0 + 3 y_1 (the y_0 and y_1 values in the above equation are different from the y_0 and y_1 values for χ_1!). To find y_0 we calculate

a^{(p-1)/3} = 8^{12} mod 37 ≡ 6 mod 37
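An added Python example (not from the notes) implementing both discrete-log methods of Section 10 and running them on the notes' own instances 5^x ≡ 11 mod 23 and 2^x ≡ 8 mod 37: Shanks' baby-step giant-step with the tables of Eqs (74)-(75), and the Silver-Pohlig-Hellman digit extraction of Eq (80) recombined by CRT, plus the table-size comparison of 10.2; function names are the example's own.

```python
"""Added example (not from the lecture notes): Shanks' baby-step giant-step
(10.1) and the Silver-Pohlig-Hellman reduction (10.2), applied to the notes'
instances 5^x = 11 (mod 23) and 2^x = 8 (mod 37)."""
from math import isqrt


def factorize(n):
    """Trial-division factorization n = prod q^e, returned as {q: e}."""
    f, q = {}, 2
    while q * q <= n:
        while n % q == 0:
            f[q] = f.get(q, 0) + 1
            n //= q
        q += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def bsgs(g, a, p, order=None):
    """Solve g^x = a (mod p) for 0 <= x < order (default p - 1) with
    m = ceil(sqrt(order)): tabulate the giant steps L_j = g^(jm) (Eq (74)),
    then walk the baby steps R_i = a g^(-i) (Eq (75)); a hit gives x = jm + i."""
    if order is None:
        order = p - 1
    m = isqrt(order - 1) + 1                 # equals ceil(sqrt(order))
    giant = {}
    gm, L = pow(g, m, p), 1
    for j in range(m):
        giant.setdefault(L, j)               # keep the smallest j for each L_j
        L = (L * gm) % p
    ginv, R = pow(g, -1, p), a % p
    for i in range(m):
        if R in giant:
            return (giant[R] * m + i) % order
        R = (R * ginv) % p
    raise ValueError("a is not in the subgroup generated by g")


def dlog_prime_power(g, a, p, q, e):
    """chi = x mod q^e, one base-q digit at a time (Eq (80) and after):
    B_k = (a g^(-(y_0 + ... + y_{k-1} q^{k-1})))^((p-1)/q^(k+1)) = r_{q, y_k}."""
    r = {pow(g, j * (p - 1) // q, p): j for j in range(q)}   # table r_{q,j}
    chi, qk = 0, 1                           # qk = q^k
    ginv = pow(g, -1, p)
    for _ in range(e):
        a_k = (a * pow(ginv, chi, p)) % p    # strip the digits found so far
        b_k = pow(a_k, (p - 1) // (qk * q), p)
        chi += r[b_k] * qk
        qk *= q
    return chi


def crt(residues, moduli):
    """Combine x = r_i (mod m_i), pairwise coprime m_i, into x mod prod(m_i)."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        x += big_m * (((r - x) * pow(big_m, -1, m)) % m)
        big_m *= m
    return x % big_m


def pohlig_hellman(g, a, p):
    """Solve g^x = a (mod p) for a generator g of Z_p^*: find x modulo each
    prime power q^e dividing p - 1, then recombine the residues with CRT."""
    residues, moduli = [], []
    for q, e in factorize(p - 1).items():
        residues.append(dlog_prime_power(g, a, p, q, e))
        moduli.append(q ** e)
    return crt(residues, moduli)


def table_sizes(p):
    """The two table totals compared in 10.2: sum of q^e (one table per
    coprime factor m_i = q^e) versus sum of q (one table r_{q,j} per prime)."""
    f = factorize(p - 1)
    return sum(q ** e for q, e in f.items()), sum(f)


if __name__ == "__main__":
    print(bsgs(5, 11, 23), bsgs(5, 6, 23))          # 9 18
    print(pohlig_hellman(2, 8, 37))                 # 3  (check: 2^3 = 8)
    print(table_sizes(2003), table_sizes(54001))    # (33, 33) (168, 10)
```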


More information

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems Cryptography Introduction to Number Theory 1 Preview Integers Prime Numbers Modular Arithmetic Totient Function Euler's Theorem Fermat's Little Theorem Euclid's Algorithm 2 Introduction to Number Theory

More information

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime.

PUTNAM TRAINING NUMBER THEORY. Exercises 1. Show that the sum of two consecutive primes is never twice a prime. PUTNAM TRAINING NUMBER THEORY (Last updated: December 11, 2017) Remark. This is a list of exercises on Number Theory. Miguel A. Lerma Exercises 1. Show that the sum of two consecutive primes is never twice

More information

Discrete mathematics I - Number theory

Discrete mathematics I - Number theory Discrete mathematics I - Number theory Emil Vatai (based on hungarian slides by László Mérai) 1 January 31, 2018 1 Financed from the financial support ELTE won from the Higher Education

More information

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks 1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some

More information

Part IA Numbers and Sets

Part IA Numbers and Sets Part IA Numbers and Sets Theorems Based on lectures by A. G. Thomason Notes taken by Dexter Chua Michaelmas 2014 These notes are not endorsed by the lecturers, and I have modified them (often significantly)

More information

MODULAR ARITHMETIC KEITH CONRAD

MODULAR ARITHMETIC KEITH CONRAD MODULAR ARITHMETIC KEITH CONRAD. Introduction We will define the notion of congruent integers (with respect to a modulus) and develop some basic ideas of modular arithmetic. Applications of modular arithmetic

More information

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA NUMBER THEORY Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by William

More information

10 Public Key Cryptography : RSA

10 Public Key Cryptography : RSA 10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if

More information

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer. CHAPTER 2 INTRODUCTION TO NUMBER THEORY ANSWERS TO QUESTIONS 2.1 A nonzero b is a divisor of a if a = mb for some m, where a, b, and m are integers. That is, b is a divisor of a if there is no remainder

More information

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively 6 Prime Numbers Part VI of PJE 6.1 Fundamental Results Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively D (p) = { p 1 1 p}. Otherwise

More information

2 More on Congruences

2 More on Congruences 2 More on Congruences 2.1 Fermat s Theorem and Euler s Theorem definition 2.1 Let m be a positive integer. A set S = {x 0,x 1,,x m 1 x i Z} is called a complete residue system if x i x j (mod m) whenever

More information

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1). 1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not

More information

Simple Math: Cryptography

Simple Math: Cryptography 1 Introduction Simple Math: Cryptography This section develops some mathematics before getting to the application. The mathematics that I use involves simple facts from number theory. Number theory is

More information

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS 1 C Theme : Cryptography Instructor : Prof. C Pandu Rangan Speaker : Arun Moorthy 93115 CS 2 RSA Cryptosystem Outline of the Talk! Introduction to RSA! Working of the RSA system and associated terminology!

More information

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers ALGEBRA CHRISTIAN REMLING 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers by Z = {..., 2, 1, 0, 1,...}. Given a, b Z, we write a b if b = ac for some

More information

Beautiful Mathematics

Beautiful Mathematics Beautiful Mathematics 1. Principle of Mathematical Induction The set of natural numbers is the set of positive integers {1, 2, 3,... } and is denoted by N. The Principle of Mathematical Induction is a

More information

8 Elliptic Curve Cryptography

8 Elliptic Curve Cryptography 8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given

More information

Number Theory Proof Portfolio

Number Theory Proof Portfolio Number Theory Proof Portfolio Jordan Rock May 12, 2015 This portfolio is a collection of Number Theory proofs and problems done by Jordan Rock in the Spring of 2014. The problems are organized first by

More information

CS March 17, 2009

CS March 17, 2009 Discrete Mathematics CS 2610 March 17, 2009 Number Theory Elementary number theory, concerned with numbers, usually integers and their properties or rational numbers mainly divisibility among integers

More information

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a. INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem

More information

Introduction to Modern Cryptography. Benny Chor

Introduction to Modern Cryptography. Benny Chor Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the

More information

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today? 2 Mod math Modular arithmetic is the math you do when you talk about time on a clock. For example, if it s 9 o clock right now, then it ll be 1 o clock in 4 hours. Clearly, 9 + 4 1 in general. But on a

More information

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017 CSC 580 Cryptography and Computer Security Math for Public Key Crypto, RSA, and Diffie-Hellman (Sections 2.4-2.6, 2.8, 9.2, 10.1-10.2) March 21, 2017 Overview Today: Math needed for basic public-key crypto

More information

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 23, 2017 CPSC 467, Lecture 14 1/42 Computing in Z n Modular multiplication Modular inverses Extended Euclidean algorithm

More information

Introduction to Public-Key Cryptosystems:

Introduction to Public-Key Cryptosystems: Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each

More information

basics of security/cryptography

basics of security/cryptography RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)

More information

Some Facts from Number Theory

Some Facts from Number Theory Computer Science 52 Some Facts from Number Theory Fall Semester, 2014 These notes are adapted from a document that was prepared for a different course several years ago. They may be helpful as a summary

More information

CS2800 Questions selected for fall 2017

CS2800 Questions selected for fall 2017 Discrete Structures Final exam sample questions Solutions CS2800 Questions selected for fall 2017 1. Determine the prime factorizations, greatest common divisor, and least common multiple of the following

More information

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is

p = This is small enough that its primality is easily verified by trial division. A candidate prime above 1000 p of the form p U + 1 is LARGE PRIME NUMBERS 1. Fermat Pseudoprimes Fermat s Little Theorem states that for any positive integer n, if n is prime then b n % n = b for b = 1,..., n 1. In the other direction, all we can say is that

More information

Elliptic curves: Theory and Applications. Day 3: Counting points.

Elliptic curves: Theory and Applications. Day 3: Counting points. Elliptic curves: Theory and Applications. Day 3: Counting points. Elisa Lorenzo García Université de Rennes 1 13-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 3 13-09-2017 1 / 26 Counting points:

More information

MATH 145 Algebra, Solutions to Assignment 4

MATH 145 Algebra, Solutions to Assignment 4 MATH 145 Algebra, Solutions to Assignment 4 1: a) Find the inverse of 178 in Z 365. Solution: We find s and t so that 178s + 365t = 1, and then 178 1 = s. The Euclidean Algorithm gives 365 = 178 + 9 178

More information

Mathematics of Cryptography

Mathematics of Cryptography UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms

More information

MATH 115, SUMMER 2012 LECTURE 12

MATH 115, SUMMER 2012 LECTURE 12 MATH 115, SUMMER 2012 LECTURE 12 JAMES MCIVOR - last time - we used hensel s lemma to go from roots of polynomial equations mod p to roots mod p 2, mod p 3, etc. - from there we can use CRT to construct

More information

The RSA cryptosystem and primality tests

The RSA cryptosystem and primality tests Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders

More information

Ma/CS 6a Class 2: Congruences

Ma/CS 6a Class 2: Congruences Ma/CS 6a Class 2: Congruences 1 + 1 5 (mod 3) By Adam Sheffer Reminder: Public Key Cryptography Idea. Use a public key which is used for encryption and a private key used for decryption. Alice encrypts

More information

A Beginner s Guide To The General Number Field Sieve

A Beginner s Guide To The General Number Field Sieve 1 A Beginner s Guide To The General Number Field Sieve Michael Case Oregon State University, ECE 575 case@engr.orst.edu Abstract RSA is a very popular public key cryptosystem. This algorithm is known to

More information

OWO Lecture: Modular Arithmetic with Algorithmic Applications

OWO Lecture: Modular Arithmetic with Algorithmic Applications OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2

More information

Summary Slides for MATH 342 June 25, 2018

Summary Slides for MATH 342 June 25, 2018 Summary Slides for MATH 342 June 25, 2018 Summary slides based on Elementary Number Theory and its applications by Kenneth Rosen and The Theory of Numbers by Ivan Niven, Herbert Zuckerman, and Hugh Montgomery.

More information

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications

More information

Number Theory. Modular Arithmetic

Number Theory. Modular Arithmetic Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic

More information

Encryption: The RSA Public Key Cipher

Encryption: The RSA Public Key Cipher Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a

More information

Ma/CS 6a Class 4: Primality Testing

Ma/CS 6a Class 4: Primality Testing Ma/CS 6a Class 4: Primality Testing By Adam Sheffer Send anonymous suggestions and complaints from here. Email: adamcandobetter@gmail.com Password: anonymous2 There aren t enough crocodiles in the presentations

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

Public Key Algorithms

Public Key Algorithms Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/

More information

Cryptography IV: Asymmetric Ciphers

Cryptography IV: Asymmetric Ciphers Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline

More information

Topics in Cryptography. Lecture 5: Basic Number Theory

Topics in Cryptography. Lecture 5: Basic Number Theory Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating

More information

CHAPTER 3. Congruences. Congruence: definitions and properties

CHAPTER 3. Congruences. Congruence: definitions and properties CHAPTER 3 Congruences Part V of PJE Congruence: definitions and properties Definition. (PJE definition 19.1.1) Let m > 0 be an integer. Integers a and b are congruent modulo m if m divides a b. We write

More information