Theoretical Cryptography, Lecture 13

Similar documents
Theoretical Cryptography, Lectures 18-20

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Discrete Math, Fourteenth Problem Set (July 18)

Cryptography: Joining the RSA Cryptosystem

Sums of Squares. Bianca Homberg and Minna Liu

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Lecture 11 - Basic Number Theory.

CS 6260 Some number theory

Basic elements of number theory

Basic elements of number theory

Theoretical Cryptography, Lecture 10

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

9 Knapsack Cryptography

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

CPSC 467b: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

All variables a, b, n, etc are integers unless otherwise stated. Each part of a problem is worth 5 points.

Lecture 8: Finite fields

Introduction to Public-Key Cryptosystems:

OWO Lecture: Modular Arithmetic with Algorithmic Applications

Shor s Algorithm. Elisa Bäumer, Jan-Grimo Sobez, Stefan Tessarini May 15, 2015

Applied Cryptography and Computer Security CSE 664 Spring 2018

CS280, Spring 2004: Prelim Solutions

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Primality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant

Shor s Prime Factorization Algorithm

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Homework 7 solutions M328K by Mark Lindberg/Marie-Amelie Lawn

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

Congruences and Residue Class Rings

2 A Fourier Transform for Bivariate Functions

Elliptic Curves Spring 2013 Lecture #12 03/19/2013

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

NOTES ON SIMPLE NUMBER THEORY

CSCB63 Winter Week10 - Lecture 2 - Hashing. Anna Bretscher. March 21, / 30

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

A Few Primality Testing Algorithms

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

Computational Number Theory. Adam O Neill Based on

LECTURE NOTES IN CRYPTOGRAPHY

1. Algebra 1.7. Prime numbers

Mathematics for Cryptography

7.2 Applications of Euler s and Fermat s Theorem.

1 Overview and revision

Number theory (Chapter 4)

ALG 4.0 Number Theory Algorithms:

Modular Arithmetic and Elementary Algebra

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

CPSC 467b: Cryptography and Computer Security

Discrete Mathematics and Probability Theory Fall 2018 Alistair Sinclair and Yun Song Note 6

Basic Algorithms in Number Theory

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

ALGEBRA. 1. Some elementary number theory 1.1. Primes and divisibility. We denote the collection of integers

7. Prime Numbers Part VI of PJE

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Algorithms (II) Yu Yu. Shanghai Jiaotong University

Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Ma/CS 6a Class 4: Primality Testing

CPSC 467b: Cryptography and Computer Security

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Elementary Algebra Chinese Remainder Theorem Euclidean Algorithm

Number Theory Math 420 Silverman Exam #1 February 27, 2018

Definition 6.1 (p.277) A positive integer n is prime when n > 1 and the only positive divisors are 1 and n. Alternatively

On the number of semi-primitive roots modulo n

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Lecture 11: Cantor-Zassenhaus Algorithm

download instant at

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Divisibility of Trinomials by Irreducible Polynomials over F 2

Topics in Cryptography. Lecture 5: Basic Number Theory

ECE596C: Handout #11

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Chapter 6 Randomization Algorithm Theory WS 2012/13 Fabian Kuhn

Number Theory. Modular Arithmetic

The next sequence of lectures in on the topic of Arithmetic Algorithms. We shall build up to an understanding of the RSA public-key cryptosystem.

ECEN 5022 Cryptography

Discrete Mathematics with Applications MATH236

Ma/CS 6a Class 2: Congruences

Lecture Examples of problems which have randomized algorithms

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

CPSC 467: Cryptography and Computer Security

CSCE 564, Fall 2001 Notes 6 Page 1 13 Random Numbers The great metaphysical truth in the generation of random numbers is this: If you want a function

Applied Cryptography and Computer Security CSE 664 Spring 2017

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Discrete Mathematics and Probability Theory Fall 2014 Anant Sahai Note 7

Lecture 4: Number theory

Discrete Math, Second Problem Set (June 24)

Introduction to Cryptology. Lecture 19

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

MATH 145 Algebra, Solutions to Assignment 4

Lecture 7.5: Euclidean domains and algebraic integers

Lecture Notes. Advanced Discrete Structures COT S

CSE 521: Design and Analysis of Algorithms I

Transcription:

Theoretical Cryptography, Lecture 13 Instructor: Manuel Blum Scribe: Ryan Williams March 1, 2006 1 Today Proof that Z p has a generator Overview of Integer Factoring Discrete Logarithm and Quadratic Residues 2 Generators We ll prove the following fact stated in the previous lecture. Fact 2.1 For all primes p, Z p has a generator, i.e. an element g such that for every i Z p, there is a k such that g k = i. Before we do this, we state a very useful and old algebraic lemma. Lemma 2.1 Let F be a field. Let f(x) 0 be a polynomial of degree at most d, with coefficients in F. Then f(x) has at most d roots. By induction on d. When d = 0, f(x) = a for some a 0, so f has no roots. In the induction step, suppose f(x) has a as a root. Dividing f(x) by (x a), we can express f as f(x) = (x a)g(x) + r for some polynomial g of degree d 1, and r F. Since a is a root, it must be that r = 0. By induction hypothesis, g has at most d 1 roots, so we re done. Proof of Fact. We first show that for every d = 2,..., p 1, if there is an element of order d, then there are exactly φ(d) elements in Z p of order d. Suppose a has order d. Consider the polynomial f(x) = x d 1 1 in the field GF (p) (which is Z p with 0 and addition). By the above lemma, we know that f(x) has at most d 1 roots. But since a has order d, each of 1, a, a 2,..., a d 1 are roots, so there are exactly d 1 roots and these are the roots. We claim that a i has order d iff gcd(d, i) = 1: if a di = 1 and a ki 1 for all k s.t. 1 < k < d, then d and i have no common factors. Conversely, if a i had order d < d, then (a d ) i = 1 and (a d ) d = 1 (since a d = 1), so (a d ) gcd(i,d) = 1 as well, but this implies that a has order d < d, a contradiction. 1

But the number of i such that gcd(d, i) = 1 is φ(d). This proves that, if there is an element of order d, then there are exactly φ(d) elements in Z p of order d. Let O(d) be the total number of elements of order d. From the above, we know that every element has some order d that divides p 1, and that either O(d) = 0 or O(d) = φ(d). Now we show φ(d) = p 1. ( ) That is, the sum of φ(d) s such that d divides p 1 is precisely p 1. Then, it must be that for every d, there are φ(d) elements of order d, not 0. Why? Every element has an order d that divides p 1, and the total number of elements in Z p is p 1. Adding up all the elements gives O(d) = p 1. Thus, provided ( ) is true, it must be that O(d) = φ(d) for all d. This implies not only that Z p has a generator, but also that it has φ(p 1) generators (recall that an element of order p 1 is a generator). We proceed to proving ( ): p 1 {a {1,..., p 1} : gcd(a, p 1) = d}, q (p 1) {b {1,..., (p 1)/d} : gcd(b, (p 1)/d) = 1}, ( ) p 1 φ, by definition of φ d φ(q), by rearrangement of terms in the sum 3 Overview of Integer Factoring by counting by properties of gcd Cryptographers often need problem instances that can be easily randomly generated, but difficult to solve. The problem of integer factorization is useful in this regard. We can generate a random n-bit prime easily, as mentioned before: pick a random n-bit number and test for primality. The prime number theorem implies that, with an efficient primality test, this randomized procedure outputs a prime number in expected polynomial time. However, we do not know how difficult it is to factor. The evidence that it is indeed hard is getting weaker and weaker. Before Cryptography was interested in factoring, the best known factoring algorithm (taken from Knuth, Volume 2) could factor in e O(sqrtn ln n) steps, assuming various plausible number-theoretic 2

conjectures. The current best is due to Lenstra (more can be found on Wikipedia), which runs in e O( 3 n ln 2 n), again under natural number-theoretic assumptions. Lenstra s algorithm is currently used in practice, and can factor 200-bit numbers within a few weeks. We will just mention as an aside that Shor proved that a quantum computer, if realized, could factor an n-bit number in O(n 3 ) steps. Question: Are there other schemes that do not use multiplication as a one-way function? Answer: Yes, others exist, but for the next ten years, we will probably still be using multiplication as the primary one-way function of choice. 4 Discrete Logarithm Discrete logarithm is another problem that cryptosystems are based upon. Nobody has yet shown that discrete log and factoring are actually equivalent, but whenever a faster algorithm for one problem is found, then a faster algorithm for the other is found. It would be a good PhD thesis to show that they are indeed computationally equivalent (i.e. given a black box for one of the two problems, you can solve the other efficiently). Let p be a prime, let a Z p, and let g be a generator of Z p. The discrete logarithm problem is to find integer x such that g x a mod p. That is, since g is a generator, there is some power that g can be raised to that yields a, and the problem is to simply find that power. As alluded to above, discrete log seems as hard as factoring. Currently, we know that a quantum computer can also solve it in O(n 3 ) steps, and that it takes the same number of steps to solve as factoring on a deterministic computer as well. The particular choice of n-bit prime does not seem to affect the time complexity as a function of n, and the problem seems difficult for randomly chosen a (i.e. all but a tiny fraction of a s). 4.1 Quadratic Residues We will look at a special case of the discrete log problem: the logarithms that are even numbers. For g a generator of Z p, elements of the form g 2k are called quadratic residues modulo p. Half of the elements in Z p are quadratic residues, the other half are called non-quadratic residues. 1 Quadratic residues have several interesting properties. For one, the order of a quadratic residue is at most (p 1)/2. Theorem 4.1 If x is a quadratic residue modulo p, i.e. x a 2 mod p for some a, then x p 1 2 mod p 1. If x a 2 mod p then x p 1 2 (a 2 ) p 1 2 a p 1 1 mod p, by Fermat s little theorem. Theorem 4.2 Exactly half of the elements in Z p are quadratic residues. There are at least (p 1)/2 residues, given by g 2, g 4, etc. Define f(x) = x p 1 2 1. By 1 Some mathematicians bafflingly call them quadratic non-residues. 3

an earlier lemma, the polynomial f(x) has at most (p 1)/2 roots. Therefore, at most (p 1)/2 elements of Z p satisfy x p 1 2 mod p 1, so there can be at most this many quadratic residues. Note that for non-quadratic residues, a (p 1)/2 mod p 1. But a p 1 mod p 1 by Fermat, so a (p 1)/2 mod p 1. This gives an efficient test to determine if a is a quadratic residue mod p: just compute a (p 1)/2 mod p. Example. Consider Z 7 = {1, 2, 3, 4, 5, 6}. 3 is a generator of Z 7, since 32 = 2, 3 3 = 6, 3 4 = 4, 3 5 = 5, 3 6 = 1. In this case, (p 1)/2 = 3. The quadratic residues are 1, 2, and 4, as 2 3 8 1 mod 7 and 4 3 64 1 mod 7. The non-quadratic residues are the rest: 3, 5, 6. 4.2 Computing Quadratic Residues We will find it convenient to work with primes p satisfying p 3 mod 4. Call p a good prime if it has this property. Good primes have the property that square roots of them can be computed very easily. Theorem 4.3 Let p be a good prime. One can efficiently compute a mod p, for every quadratic residue a. Let a be a quadratic residue. By Fermat, a p a mod p = a p+1 a 2 mod p. Note that (p + 1)/4 is an integer since p 3 mod 4. Therefore a (p+1)/4 a mod p, so computing a is equivalent to computing a (p+1)/4, which can be done efficiently. Example. Let p = 7. Note 7 3 mod 4. As mentioned above, 2 is a quadratic residue. To get a square root of it, we can compute 2 (p+1)/4 = 2 2 4 mod 7. The above method can also be used to prove that a number is not a non-quadratic residue. For example, 3 is not a quadratic residue, since 3 (p+1)/4 = 3 2 2 mod 7, but 2 2 = 4. 4.3 An (Incorrect) Algorithm for Discrete Log We ll now discuss an algorithm that almost computes the discrete logarithm when p is a good prime, for any generator g. The algorithm s intent is to slowly manipulate the equation g x a mod p, recovering the bits of x one-by-one. In the below, the current equation is a variable that is initially defined as g x a mod p. First, compute g 1 using GCD. Then, repeat the following steps until x = 0 or x = 1 (that is, the LHS of the current equation is either 1 or g). 1. Check if a is a quadratic residue. 2. If yes, then take the square root of both sides of the equation as described above. Write down 0 as the next bit of x. (E.g. if x = 1100 in binary, then the equation g 1100 a mod p becomes g 110 a mod p.) 4

3. If no, then multiply both sides of the current equation by g 1. Write down a 1 as the next bit of x. (E.g. if x = 1101 in binary, then the equation g 1101 a mod p becomes g 1100 a g 1 mod p. If the above algorithm is correct, it would mean that discrete logarithm can be computed in polynomial time! (At least, it can be done in the case of good primes.) What s wrong with the above? The problem is that there are actually two possible square roots of a quadratic residue. For example, in Z 7, 4 is a square root of 2, and ( 4) 3 mod 7 is a square root of 2. Only one of these roots is correct, and we don t necessarily obtain it from using the above algorithm. This motivates the problem of finding a principal square root, which we will discuss in subsequent lectures. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback