Basic Algorithms in Number Theory

Similar documents
Basic Algorithms in Number Theory

Congruences and Residue Class Rings

Basic Algorithms in Number Theory

Public-key Cryptography: Theory and Practice

MTH 346: The Chinese Remainder Theorem

Discrete Logarithm Problem

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

M381 Number Theory 2004 Page 1

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CPSC 467: Cryptography and Computer Security

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Lecture 11 - Basic Number Theory.

Homework 7 solutions M328K by Mark Lindberg/Marie-Amelie Lawn

Polynomials. Chapter 4

3 The fundamentals: Algorithms, the integers, and matrices

Basic Algorithms in Number Theory

PRIMALITY TESTING. Professor : Mr. Mohammad Amin Shokrollahi Assistant : Mahdi Cheraghchi. By TAHIRI JOUTI Kamal

Fermat s Little Theorem. Fermat s little theorem is a statement about primes that nearly characterizes them.

Basic elements of number theory

Basic elements of number theory

Applied Cryptography and Computer Security CSE 664 Spring 2018

A Few Primality Testing Algorithms

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Chapter 5. Modular arithmetic. 5.1 The modular ring

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

4 Number Theory and Cryptography

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

A SURVEY OF PRIMALITY TESTS

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Summary Slides for MATH 342 June 25, 2018

A. Algebra and Number Theory

A Guide to Arithmetic

Mathematics for Cryptography

Corollary 4.2 (Pepin s Test, 1877). Let F k = 2 2k + 1, the kth Fermat number, where k 1. Then F k is prime iff 3 F k 1

Numbers. Çetin Kaya Koç Winter / 18

Part II. Number Theory. Year

Chapter 4. Greatest common divisors of polynomials. 4.1 Polynomial remainder sequences

LECTURE NOTES IN CRYPTOGRAPHY

Math 312/ AMS 351 (Fall 17) Sample Questions for Final

Elementary Number Theory Review. Franz Luef

1. Algebra 1.5. Polynomial Rings

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Algebraic algorithms

Groups, Rings, and Finite Fields. Andreas Klappenecker. September 12, 2002

1. multiplication is commutative and associative;

Algorithms for Finite Fields

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

3 Solutions of congruences

CPSC 467b: Cryptography and Computer Security

Number Theory and Group Theoryfor Public-Key Cryptography

2. THE EUCLIDEAN ALGORITHM More ring essentials

Chapter 4 Finite Fields

Factoring univariate polynomials over the rationals

The Berlekamp algorithm

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

TC10 / 3. Finite fields S. Xambó

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

7. Prime Numbers Part VI of PJE

D-MATH Algebra I HS 2013 Prof. Brent Doran. Exercise 11. Rings: definitions, units, zero divisors, polynomial rings

Simultaneous Linear, and Non-linear Congruences

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Rings in Coding Theory

School of Mathematics

Math 120 HW 9 Solutions

Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry. Spring 2006

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

4 Powers of an Element; Cyclic Groups

Discrete logarithms: Recent progress (and open problems)

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Factoring Algorithms Pollard s p 1 Method. This method discovers a prime factor p of an integer n whenever p 1 has only small prime factors.

A Generalization of Wilson s Theorem

Solving the general quadratic congruence. y 2 Δ (mod p),

A quasi polynomial algorithm for discrete logarithm in small characteristic

Introduction to Number Theory 1. c Eli Biham - December 13, Introduction to Number Theory 1

= 1 2x. x 2 a ) 0 (mod p n ), (x 2 + 2a + a2. x a ) 2

CHAPTER 3. Congruences. Congruence: definitions and properties

SOLUTIONS Math 345 Homework 6 10/11/2017. Exercise 23. (a) Solve the following congruences: (i) x (mod 12) Answer. We have

Finite Fields. Mike Reiter

NOTES ON FINITE FIELDS

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Elliptic curves: Theory and Applications. Day 3: Counting points.

IRREDUCIBILITY TESTS IN Q[T ]

One can use elliptic curves to factor integers, although probably not RSA moduli.

Counting points on elliptic curves over F q

CYCLOTOMIC POLYNOMIALS

MATH 361: NUMBER THEORY FOURTH LECTURE

Number Theory. Modular Arithmetic

Chapter 3. Rings. The basic commutative rings in mathematics are the integers Z, the. Examples

Finite Fields and Elliptic Curves in Cryptography

Factorization in Polynomial Rings

ENTRY NUMBER THEORY. [ENTRY NUMBER THEORY] Authors: Oliver Knill: 2003 Literature: Hua, introduction to number theory.

Carmen s Core Concepts (Math 135)

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Number Theory. Final Exam from Spring Solutions

g(x) = 1 1 x = 1 + x + x2 + x 3 + is not a polynomial, since it doesn t have finite degree. g(x) is an example of a power series.

0 Sets and Induction. Sets

Introduction to Information Security

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Transcription:

Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi #2 - Discrete Logs, Modular Square Roots, Polynomials, Hensel s Lemma & Chinese Remainder Theorem September 2 nd 2015 SEAMS School 2015 Number Theory and Applications in Cryptography and Coding Theory University of Science, Ho Chi Minh, Vietnam August 31 - September 08, 2015

Basic Algorithms in Number Theory Algorithmic Complexity... 2 Monday s Problems 1. Multiplication: for x, y Z, find x y 2. Exponentiation: for x G (group) and n N, find x n (Complexity of operations in Z/mZ) 3. GCD: Given a, b N find gcd(a, b) 4. Primality: Given n N odd, determine if it is prime (Legendre/Jacobi Symbols - Probabilistic Algorithms with probability of error) 5. Quadratic Nonresidues: given an odd prime p, find a quadratic non residue mod p. 6. Power Test: Given n N determine if n = b k ( k > 1) 7. Factoring: Given n N, find a proper divisor of n

Basic Algorithms in Number Theory Algorithmic Complexity... 3 PROBLEM 8. Discrete Logarithms: Given x in a cyclic group G = g, find n such that x = g n. Need to specify how to make the operations in G If G = (Z/nZ, +) then discrete logs are very easy. If G = ((Z/nZ), ) then G is cyclic iff n = 2, 4, p α, 2 p α where p is an odd prime: famous theorem of Gauß. In (Z/pZ) there is no efficient algorithm to compute DL. Interesting problem: given p, to compute a primitive root g modulo p (i.e. to determine g (Z/pZ) such that g = (Z/pZ) ) Artin Conjecture for primitive roots: any g (except 0, ±1 and perfect squares) is a primitive root for a positive proportion of primes Known to be true assuming the GRH. It is also known that one out of 2, 3 and 5 is a primitive root for infinitely many primes.

Basic Algorithms in Number Theory Algorithmic Complexity... 4 Discrete Logarithms: continues Primordial public key cryptography is based on the difficulty of the Discrete Log problem Several algorithms to compute discrete logarithms are known. One for all is the Shanks Baby Step Giant Step algorithm. Input: A group G = g and a G Output: k Z/ G Z such that a = g k 1. M := G 2. For j = 0, 1, 2,..., M. Compute g j and store the pair (j, g j ) in a table 3. A := g M, B := a 5. For i = 0, 1, 2,..., M 1. -1- Check if B is the second component (g j ) of any pair in the table -2- If so, return im + j and halt. -3- If not B = B A

Basic Algorithms in Number Theory Algorithmic Complexity... 5 Discrete Logarithms: continues The BSGS algorithm is a generic algorithm. It works for every finite cyclic group. It is based on the fact that any x Z/nZ can be written as x = j + im with m = n, 0 j < m and 0 i < m Not necessary to know the order of the group G in advance. The algorithm still works if an upper bound on the group order is known. Usually the BSGS algorithm is used for groups whose order is prime. The running time of the algorithm and the space complexity is O( G ), much better than the O( G ) running time of the naive brute force The algorithm was originally developed by Daniel Shanks.

Basic Algorithms in Number Theory Algorithmic Complexity... 6 Discrete Logarithms: continues In some groups Discrete logs are easy. For example if G is a cyclic group and #G = 2 m then we know that there are subgroups: 1 = G 0 G 1 G m = G such that G i is cyclic and #G i = 2 i. Furthermore { } G i = y G such that y 2i = 1. If G = g, for any a G, either a 2m 1 = 1 or a 2m 1 = g 2m 1 From this property we deduce the algorithm: Input: A group G = g, G = 2 m and a G Output: k Z/ G Z such that a = g k 1. A := a, K = 0 2. For j = 1, 2,..., m. If A 2m j 1, A := g 2j 1 A; K := K + 2 j 1 3. Output K

Basic Algorithms in Number Theory Algorithmic Complexity... 7 Discrete Logarithms: continues The above is a special case of the Pohlig-Hellman Algorithm which works when G has only small prime divisors To avoid this situation one crucial requirement for a DL-resistent group in cryptography is that #G has a large prime divisor. If p = 2 k + 1 is a Fermat prime, then DL in (Z/pZ) are easy. Classical algorithm for factoring have often analogues for computing discrete logs. A very important one is the Pollard ρ method. One of the strongest algorithms is the index calculus algorithm. NOT generic. It works only in F q.

Basic Algorithms in Number Theory Algorithmic Complexity... 8 PROBLEM 9. Square Roots Modulo a prime: Given an odd prime p and a quadratic residue a, find x s. t. x 2 a mod p It can be solved efficiently if we are given a quadratic nonresidue g (Z/pZ) 1. We write p 1 = 2 k q and we know that (Z/pZ) has a (cyclic) subgroup G with 2 k elements. 2. Note that b = g q is a generator of G (in fact if it was b 2j 1 mod p for j < k, then g (p 1)/2 1 mod p) and that a q G 3. Use the last algorithm to compute t such that a q = b t. Note that t is even since a (p 1)/2 1 mod p. 4. Finally set x = a (p q)/2 b t/2 and observe that x 2 = a (p q) b t = a p a mod p. The above is not deterministic. However Schoof in 1985 discovered a polynomial time algorithm which is however not efficient.

Basic Algorithms in Number Theory Algorithmic Complexity... 9 PROBLEM 10. Modular Square Roots: Given n, a N, find x such that x 2 a mod n If the factorization of n is known, then this problem (efficiently) can be solved in 3 steps: 1. For each prime divisor p of n find x p such that x 2 p a mod p 2. Use the Hensel s Lemma to lift x p to y p where y 2 p a mod p v p(n) 3. Use the Chinese remainder Theorem to find x Z/nZ such that x y p mod p v p(n) p n. 4. Finally x 2 a mod n. The last two tools (Hensel s Lemma and Chinese Remainder Theorem) will be covered later

Basic Algorithms in Number Theory Algorithmic Complexity... 10 Polynomials in (Z/nZ)[X] A polynomial f (Z/nZ)[X] is f(x) = a 0 + a 1 X + + a k X k where a 0,..., a k Z/nZ The degree of f is deg f = k when a k 0. Example: If f(x) = 5 + 10X + 21X 3 Z[x], then we can reduce it modulo n. So f(x) X 3 mod 5 which is the same as saying:f(x) = X 3 Z/5Z[X]. f(x) 2 + X mod 3 f(x) 5+3X mod 7 which is the same as saying:f(x) = 2 + X Z/3Z[X]. which is the same as saying:f(x) = 5+3X Z/7Z[X]. For the time being we restrict ourselves to the case of f Z/pZ[X]. The fact that Z/pZ is a field is important. (Notation F p = Z/pZ to remind us this) We can add, subtract and multiply polynomials in F p [X].

Basic Algorithms in Number Theory Algorithmic Complexity... 11 Polynomials in F p [X] We can also divide them!! for f, g F p [X] there exists q, r F p [X] such that f = qg + r and deg r < deg g. Example: Let f = X 3 + X + 1, g = X 2 + 1 F 3 [X]. Then X 3 + X + 1 = (X 2 + X + 2)(X + 1) + 2 so that q = X 2 + X + 2, r = 2

Basic Algorithms in Number Theory Algorithmic Complexity... 12 Polynomials in F p [X] The complexity for summing or subtracting f, g F p [X] with max{deg f, deg g} < n, is O(log p n ). Why? The complexity of multiplying or dividing f, g F p [X] with max{deg f, deg g} < n, can be shown to be O(log 2 (p n )). Important difference: Polynomials in F p [X] are not invertible except when they are constant but not zero. So F p [X] looks much more like Z than like Z/mZ. But if f, g F p [X], the gcd(f, g) exists and it is fast to calculate!!!

Basic Algorithms in Number Theory Algorithmic Complexity... 13 Polynomials in F p [X] As in Z every f F p [X] can be written as the product of irreducible polinomials. The polynomial X p X F p [X] is very special. What is its factorization? Why is it true? X p X = a F p (X a) F p [X]. FLT says that a p = a, a F p. Let s Look at one example.

Basic Algorithms in Number Theory Algorithmic Complexity... 14 PROBLEM 12. Irreducibility Test for Polynomials in F p : Given f F p [X], determine if f is irreducible: Theorem. Let X pn X F p [X]. Then X pn X = f F p [X] f irreducible f monic deg f divides n We cannot prove it here but we deduce an algorithm: Input: f F p [X] monic Output: Irreducible or Composite 1. n := deg f 2. For j = 1,..., n/2 if gcd(x pj X, f) 1 then Output Composite and halt. 3. Output Irreducible. f

Basic Algorithms in Number Theory Algorithmic Complexity... 15 Polynomial equations modulo prime and prime powers Often one considers the problem of finding roots of polynomial f Z/nZ[X]. When n = p is prime then one can exploit the extra properties coming from the identity X p X = a F p (X a) F p [X]. From this identity it follows that gcd(f, X p X) is the product of liner factor (X a) where a is a root of f. Similarly we have that X (p 1)/2 1 = (X a) F p [X]. a F p ( a p )=1 This identity suggests the Cantor Zassenhaus Algorithm

Basic Algorithms in Number Theory Algorithmic Complexity... 16 Cantor Zassenhaus Algorithm CZ(p) Input: a prime p and a polynomial f F p [X] Output: a list of the roots of f 1. f := gcd(f(x), X p X) F p [X] 2. If deg(f) = 0 Output NO ROOTS 3. If deg(f) = 1, Output the root of f and halt 4. Choose b at random in F p g := gcd(f(x), (X + b) (p 1)/2 ) If 0 < deg(g) < deg(f) Output CZ(g) CZ(f/g) Else goto step 3 The algorithm is correct since f in (Step 4) is the product of (X a) (a root of f). So g is the product of X a with a + b quadratic residue. CZ(p) has polynomial (probabilistic) complexity in log p n.

Basic Algorithms in Number Theory Algorithmic Complexity... 17 Polynomial equations modulo prime powers There is an explicit contruction due to Kurt Hensel that allows to lift a solution of f(x) 0 mod p n to a solution of f(x) 0 mod p 2n. Example: (Square Roots modulo Odd Prime Powers. Suppose x F p is a square root of a F p. Let y = (x 2 + a)/2x mod p 2 (y is well defined since gcd(2x, p 2 ) = 1). Then since p 2 divides (x 2 a) 2. y 2 a = (x2 a) 2 4x 2 0 mod p 2 The general story if the famous Hensel s Lemma.

Basic Algorithms in Number Theory Algorithmic Complexity... 18 Polynomial equations modulo prime powers Theorem (Hensel s Lemma). Let p be a prime, f(x) Z[X] and a Z such that f(a) 0 mod p k, f (a) 0 mod p. Then b := a f(a)/f (a) mod p 2k is the unique integer modulo p 2k that satisfies f(b) 0 mod p 2k, b a mod p k. Proof. Replacing f(x) by f(x + a) we can restric to a = 0. Then f(x) = f(0) + f (0)X + h(x)x 2 where h(x) Z[X]. Hence if b 0 mod p k, then f(b) f(0) + bf (0) mod p 2k. Finally b = f(0)/f (0) is the unique lift of 0 modulo p 2k that satisfies f(b) 0 mod p 2k.

Basic Algorithms in Number Theory Algorithmic Complexity... 19 Chinese Remainder Theorem Chinese Remainder Theorem. Let m 1,..., m s N pairwise coprime and let a 1,..., a s Z. Set M = m 1 m s. There exists a unique x Z/MZ such that x a 1 mod m 1 x a 2 mod m 2. x a s mod m s. Furthermore if a 1,..., a s Z/MZ, then x can be computed in time O(s log 2 M).

Basic Algorithms in Number Theory Algorithmic Complexity... 20 Chinese Remainder Theorem continues Proof. Let us first assume that s = 2. Then from EEA we can write 1 = m 1 x + m 2 y for appropriate x, y Z. Consider the integer c = a 1 m 2 y + a 2 m 1 x. Then c a 1 mod m 1 and a a 2 mod m 2. Furthermore if c has the same property, then d = c c is divisible by m 1 and m 2. Since gcd(m 1, m 2 ) = 1 we have that m 1 m 2 divides d so that c c mod m 1 m 2. If s > 2 then we can iterate the same process and consider the system: x c mod m 1 m 2 x a 3 mod m 3.. x a s mod m s.

Basic Algorithms in Number Theory Algorithmic Complexity... 21 Chinese Remainder Theorem (applications) It can be used to prove the multiplicativity of the Euler ϕ function. More precisely, it implies that, if gcd(m, n) = 1, then the map: is surjective. (Z/mnZ) (Z/mZ) (Z/nZ), a (a mod m, a mod n) It can be used to glue solutions of congruence equations. Let f Z[X] and suppose that a, b Z are such that f(a) (modn), f(b) (modm). If gcd(m, n) = 1, then a solution c of x a mod n x b mod m has the property that f(c) 0(modnm).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback