ALG 4.0 Number Theory Algorithms:

Algorithms, Professor John Reif
ALG 4.0 Number Theory Algorithms:
(a) GCD
(b) Multiplicative Inverse
(c) Fermat & Euler's Theorems
(d) Public Key Cryptographic Systems
(e) Primality Testing

Main Reading Selections: CLR, Chapter 33
Auxiliary Reading Selections: BB, Sections 8.5., 8.5.3, 8.6.
Handout: "Lecture Notes on the Complexity of Some Problems in Number Theory"

Greatest Common Divisor
GCD(u,v) = largest a such that a is a divisor of both u and v.

Euclid's Algorithm
  procedure GCD(u,v)
  begin
    if v = 0 then return(u)
    else return(GCD(v, u mod v))
  end

Inductive proof of correctness: if a is a divisor of u and v, then a is a divisor of $u - \lfloor u/v \rfloor v = u \bmod v$.

Time Analysis of Euclid's Algorithm
For n bit numbers u, v: $T(n) \le T(n-1) + M(n) = O(n\,M(n))$, where M(n) = time to multiply two n bit integers $= O(n \log n \log\log n)$.

Fibonacci worst case: $u = F_k$, $v = F_{k+1}$ where $F_0 = 0$, $F_1 = 1$, $F_{k+2} = F_{k+1} + F_k$ for $k \ge 0$.
$F_k = (\phi^k - (1-\phi)^k)/\sqrt{5}$ with $\phi = (1+\sqrt{5})/2$, so Euclid's Algorithm takes $\log_\phi(\sqrt{5}\,N) = O(n)$ stages when N = max(u,v).

Improved Algorithm (see AHU): $T(n) \le 2\,T(n/2) + O(M(n)) = O(M(n) \log n)$.

Extended GCD Algorithm
  procedure ExGCD(u, v), where u = (u1, u2, u3), v = (v1, v2, v3)
  begin
    if v3 = 0 then return(u)
    else return(ExGCD(v, u - floor(u3/v3) * v))
  end

Theorem: ExGCD((1,0,x), (0,1,y)) = (x', y', GCD(x,y)) where $x x' + y y' = \mathrm{GCD}(x,y)$.
Inductively one can verify on each call that $x u_1 + y u_2 = u_3$ and $x v_1 + y v_2 = v_3$.

Corollary: If gcd(x,y) = 1 then x' is the modular inverse of x modulo y.
Proof: we must show $x x' \equiv 1 \pmod y$. By the previous Theorem, $1 = x x' + y y' \equiv x x' \pmod y$, so $1 \equiv x x' \pmod y$.
Gives Algorithm for Modular Inverse!

Modular Laws
For $n \ge 1$ let $x \equiv y$ if $x \bmod n = y \bmod n$.
Law A: if $a \equiv b$ and $x \equiv y$ then $a x \equiv b y$.
Law B: if $a \equiv b$ and $a x \equiv b y$ and gcd(a,n) = 1 then $x \equiv y$.
Let $\{a_1, \ldots, a_k\} \equiv \{b_1, \ldots, b_k\}$ if $a_i \equiv b_{j_i}$ for $i = 1, \ldots, k$ and $\{j_1, \ldots, j_k\} = \{1, \ldots, k\}$.
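As an added example (not code from the lecture), the extended GCD in the slide's triple form, with the invariant checked on every call, the modular inverse from the corollary, and the Fibonacci worst case counted in division steps; the sample inputs are constructed.

```python
# Added example, not from the lecture: Euclid's GCD step count, the slide's
# extended GCD on triples (u1,u2,u3), (v1,v2,v3), the modular inverse of the
# corollary, and the Fibonacci worst case for the number of division steps.


def euclid_steps(u: int, v: int) -> int:
    """Number of calls GCD(u,v) -> GCD(v, u mod v) until v = 0."""
    steps = 0
    while v:
        u, v = v, u % v
        steps += 1
    return steps


def ex_gcd(x: int, y: int):
    """Return (x', y', g) with x*x' + y*y' = g = gcd(x, y).

    Start from u = (1,0,x), v = (0,1,y) and replace (u, v) by
    (v, u - floor(u3/v3)*v) until v3 = 0; the slide's invariant
    x*u1 + y*u2 = u3 (and the same for v) holds on every call.
    """
    u, v = (1, 0, x), (0, 1, y)
    while v[2] != 0:
        assert x * u[0] + y * u[1] == u[2] and x * v[0] + y * v[1] == v[2]
        q = u[2] // v[2]
        u, v = v, (u[0] - q * v[0], u[1] - q * v[1], u[2] - q * v[2])
    return u


def mod_inverse(x: int, y: int) -> int:
    """Corollary: if gcd(x,y) = 1 then x' from ex_gcd is x^{-1} mod y."""
    xp, _, g = ex_gcd(x, y)
    if g != 1:
        raise ValueError(f"{x} has no inverse modulo {y}: gcd is {g}")
    return xp % y


def fibonacci(k: int) -> int:
    """F_0 = 0, F_1 = 1, F_{k+2} = F_{k+1} + F_k."""
    a, b = 0, 1
    for _ in range(k):
        a, b = b, a + b
    return a


if __name__ == "__main__":
    print(ex_gcd(240, 46))        # (-9, 47, 2): 240*(-9) + 46*47 = 2
    print(mod_inverse(17, 3120))  # 2753, since 17*2753 = 1 mod 3120
    # Consecutive Fibonacci numbers cost one step per index: the worst case.
    print(euclid_steps(fibonacci(30), fibonacci(31)))  # 30
```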

Fermat's Little Theorem (proof by Euler)
If n is prime then $a^n \equiv a \pmod n$.
Proof: if $a \equiv 0$ then $a^n \equiv 0 \equiv a$. Else suppose gcd(a,n) = 1. Then $x \equiv a y$ for $y = a^{-1} x$ and any x, so $\{a, 2a, \ldots, (n-1)a\} \equiv \{1, 2, \ldots, n-1\}$.
So by Law A, $(a)(2a)\cdots((n-1)a) \equiv (n-1)!$, i.e. $a^{n-1}(n-1)! \equiv (n-1)!$.
So by Law B, $a^{n-1} \equiv 1 \pmod n$.

Euler's Theorem
$\varphi(n)$ = number of integers in $\{1, \ldots, n-1\}$ relatively prime to n.
If gcd(a,n) = 1 then $a^{\varphi(n)} \equiv 1 \pmod n$.
Let $b_1, \ldots, b_{\varphi(n)}$ be the integers < n relatively prime to n.

Lemma: $\{b_1, \ldots, b_{\varphi(n)}\} \equiv \{a b_1, a b_2, \ldots, a b_{\varphi(n)}\}$.
Proof: If $a b_i \equiv a b_j$ then by Law B, $b_i \equiv b_j$. Since $1 = \gcd(b_i, n) = \gcd(a, n)$, $\gcd(a b_i, n) = 1$, so $a b_i \equiv b_{j_i}$ for $\{j_1, \ldots, j_{\varphi(n)}\} = \{1, \ldots, \varphi(n)\}$.
By Law A and the Lemma, $(a b_1)(a b_2)\cdots(a b_{\varphi(n)}) \equiv b_1 b_2 \cdots b_{\varphi(n)}$, so $a^{\varphi(n)} b_1 \cdots b_{\varphi(n)} \equiv b_1 \cdots b_{\varphi(n)}$. By Law B, $a^{\varphi(n)} \equiv 1 \pmod n$.

Taking Powers mod n
Problem: compute $a^e \bmod b$. Let $e = e_k e_{k-1} \cdots e_1 e_0$ be the binary representation of e, so $a^e = a^{\sum_i e_i 2^i} = \prod_{i=0}^{k} a^{e_i 2^i}$.
Algorithm ("Repeated Squaring"):
  [1] X <- 1
  [2] for i = k, k-1, ..., 0 do
      begin
        X <- X^2 mod b
        if e_i = 1 then X <- X*a mod b
      end
  output X (= a^e mod b)
Time Cost: O(k) multiplications and additions mod b, k = # bits of e.
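An added example, not from the slides: the repeated-squaring loop exactly as written above (bits scanned from e_k down to e_0), and Euler's theorem checked with φ(n) computed from its definition; 561 is a constructed test value chosen because it is composite but passes Fermat's condition.

```python
# Added example, not from the lecture: the slide's "repeated squaring" loop
# scanning the bits of e from e_k down to e_0, plus a check of Euler's
# theorem with phi(n) computed straight from the definition (small n only).
from math import gcd


def pow_mod(a: int, e: int, b: int) -> int:
    """a^e mod b with O(k) multiplications, k = number of bits of e."""
    bits = bin(e)[2:]        # e_k e_{k-1} ... e_0
    x = 1                    # [1] X <- 1
    for bit in bits:         # [2] for i = k, k-1, ..., 0
        x = (x * x) % b      #     X <- X^2 mod b
        if bit == "1":       #     if e_i = 1 then X <- X*a mod b
            x = (x * a) % b
    return x


def phi(n: int) -> int:
    """Euler's phi: count of 1 <= k < n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def euler_holds(a: int, n: int) -> bool:
    """Euler's theorem: gcd(a,n) = 1 implies a^{phi(n)} = 1 mod n."""
    return gcd(a, n) == 1 and pow_mod(a, phi(n), n) == 1


if __name__ == "__main__":
    # 561 = 3*11*17 is composite yet satisfies a^560 = 1 mod 561 for every
    # a coprime to 561, so Fermat's condition alone does not prove primality.
    print(pow_mod(7, 560, 561))             # 1
    print(phi(561), euler_holds(7, 561))    # 320 True
```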

Rivest, Shamir, Adleman (RSA) Encryption Algorithm
M = integer message; e = "encryption integer" for user A; cryptogram $C = E(M) = M^e \bmod n$.
Method:
(1) Choose large random primes p, q; let n = p q.
(2) Choose large random integer d relatively prime to $\varphi(n) = \varphi(p)\varphi(q) = (p-1)(q-1)$.
(3) Let e be the multiplicative inverse of d modulo $\varphi(n)$: $e d \equiv 1 \pmod{\varphi(n)}$ (require e > log n, else try another d).

Theorem: If M is relatively prime to n, and $D(x) = x^d \pmod n$, then $D(E(M)) \equiv E(D(M)) \equiv M$.
Proof: $D(E(M)) \equiv E(D(M)) \equiv M^{ed} \pmod n$. There must exist k > 0 such that $1 = \gcd(d, \varphi(n)) = -k\varphi(n) + d e$. So $M^{ed} \equiv M^{k\varphi(n)+1} \pmod n$. Since (p-1) divides $\varphi(n)$, by Euler's Theorem $M^{k\varphi(n)+1} \equiv M \pmod p$. By symmetry, $M^{k\varphi(n)+1} \equiv M \pmod q$. Hence $M^{ed} = M^{k\varphi(n)+1} \equiv M \pmod n$.
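An added example, not the lecture's or any library's code: RSA key generation in the slide's order (random d first, then e as its inverse modulo φ(n), with the e > log n check), using constructed toy primes 61 and 53; the gcd check in roundtrip_ok is an assumption added to match the theorem's hypothesis.

```python
# Added example, not from the lecture: RSA key generation in the order the
# slide gives it (random d coprime to phi(n), then e = d^{-1} mod phi(n),
# require e > log n), with constructed toy primes; real keys use primes of
# at least 1024 bits and padding, which this illustration omits.
import math
import secrets


def rsa_keygen(p: int, q: int):
    """Return (n, e, d) for primes p, q, following steps (1)-(3)."""
    n = p * q                                  # (1) n = p q
    phi_n = (p - 1) * (q - 1)                  # phi(n) = (p-1)(q-1)
    while True:
        d = secrets.randbelow(phi_n - 2) + 2   # (2) random 2 <= d < phi(n)
        if math.gcd(d, phi_n) != 1:
            continue                           # d must be coprime to phi(n)
        e = pow(d, -1, phi_n)                  # (3) e d = 1 mod phi(n) (Python 3.8+)
        if e > math.log(n):                    # else try another d
            return n, e, d


def encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)                        # C = E(M) = M^e mod n


def decrypt(c: int, d: int, n: int) -> int:
    return pow(c, d, n)                        # D(x) = x^d mod n


def roundtrip_ok(p: int, q: int, m: int) -> bool:
    """Theorem on the slide: D(E(M)) = E(D(M)) = M for M coprime to n."""
    n, e, d = rsa_keygen(p, q)
    if m >= n or math.gcd(m, n) != 1:
        raise ValueError("M must be < n and relatively prime to n")
    return (decrypt(encrypt(m, e, n), d, n) == m
            and encrypt(decrypt(m, d, n), e, n) == m)


if __name__ == "__main__":
    print(roundtrip_ok(61, 53, 65))   # constructed toy primes: True
```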

Security of RSA Cryptosystem
Theorem: If one can compute d in polynomial time, then one can factor n in polynomial time.
Proof: $e d - 1$ is a multiple of $\varphi(n)$, but Miller has shown one can factor n from any multiple of $\varphi(n)$.
Corollary: If one can find d' such that $M^{d'} \equiv M^d \pmod n$, then d' differs from d by lcm(p-1, q-1), so one can factor n.

Rabin's Public Key Cryptosystem
Use private large primes p, q; public key n = p q.
Message M; cryptogram $M^2 \bmod n$.
Theorem: If the cryptosystem can be broken, then one can factor the key n.

Proof: $M^2 \equiv a \pmod n$ has solutions M = g, b, n-g, n-b where $b \notin \{g, n-g\}$. But then $g^2 - b^2 = (g-b)(g+b) \equiv 0 \pmod n$. So either (1) p | (g-b) and q | (g+b), or (2) q | (g-b) and p | (g+b). In either case, two independent solutions for M give a factorization of n, i.e., a factor of n is gcd(n, g-b).

Rabin's Algorithm for factoring n, given a way to break his cryptosystem:
  Choose random b, 1 < b < n, such that gcd(b,n) = 1.
  Let $a = b^2 \bmod n$.
  Find M such that $M^2 \equiv a \pmod n$ by the assumed way to break the cryptosystem.
  With probability 1/2, $M \notin \{b, n-b\}$, so factors of n are found; else repeat with another b.
Note: Expected number of rounds is 2.
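An added example, not from the lecture: the reduction on a constructed toy modulus, with brute-force square roots standing in for the assumed oracle; the function names and the seeded random generator are my own.

```python
# Added example, not from the lecture: Rabin's reduction on a constructed
# toy n = p*q. Brute force stands in for the assumed "way to break the
# cryptosystem" by returning every M with M^2 = a mod n; the rest is the
# slide's algorithm, which factors n as gcd(n, M - b) whenever the returned
# root M is not b or n-b.
import math
import random


def square_roots(a: int, n: int) -> list:
    """All M in [0, n) with M^2 = a mod n (brute force; only for toy n)."""
    return [m for m in range(n) if (m * m) % n == a]


def factor_from_roots(n: int, g: int, b: int) -> int:
    """Independent roots g, b of one a (b not in {g, n-g}) give gcd(n, g-b)."""
    f = math.gcd(n, g - b)
    if not 1 < f < n:
        raise ValueError("roots are not independent")
    return f


def rabin_factor(n: int, rng=None) -> tuple:
    """Return (p, q, rounds): repeat until the oracle's root is not +-b."""
    rng = rng or random.Random(1)
    rounds = 0
    while True:
        rounds += 1
        b = rng.randrange(2, n)                # random b, 1 < b < n
        if math.gcd(b, n) != 1:                # b itself reveals a factor
            f = math.gcd(b, n)
            return f, n // f, rounds
        a = (b * b) % n                        # a = b^2 mod n
        m = rng.choice(square_roots(a, n))     # the oracle picks any root
        if m not in (b, n - b):                # happens with probability 1/2
            f = factor_from_roots(n, m, b)
            return f, n // f, rounds


if __name__ == "__main__":
    print(square_roots(4, 77))   # [2, 9, 68, 75]: four roots since 77 = 7*11
    print(rabin_factor(3233))    # (53, 61, r) or (61, 53, r), r = rounds used
```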

Quadratic Residues
a is a quadratic residue of n if $x^2 \equiv a \pmod n$ has a solution.

Jacobi Function
$J(a,n) = 1$ if gcd(a,n) = 1 and a is a quadratic residue of n;
$J(a,n) = -1$ if gcd(a,n) = 1 and a is not a quadratic residue of n;
$J(a,n) = 0$ if gcd(a,n) ≠ 1.

Euler: If n is an odd prime and gcd(a,n) = 1, then a is a quadratic residue of n iff $a^{(n-1)/2} \equiv 1 \pmod n$.

Gauss's Quadratic Reciprocity Law: if p, q are odd primes, $J(p,q)\,J(q,p) = (-1)^{(p-1)(q-1)/4}$.

Rivest Algorithm:
$J(a,n) = 1$ if a = 1;
$J(a,n) = J(a/2, n)\,(-1)^{(n^2-1)/8}$ if a is even;
$J(a,n) = J(n \bmod a, a)\,(-1)^{(a-1)(n-1)/4}$ otherwise.

Theorem (Pratt): Primes ∈ NP.
Theorem (Fermat): n > 1 is prime iff there exists x, 1 < x < n, with
(1) $x^{n-1} \equiv 1 \pmod n$,
(2) $x^i \not\equiv 1 \pmod n$ for all $i \in \{1, 2, \ldots, n-2\}$.

Algorithm:
  input n
  n = 2 ⇒ output "prime"
  n = 1 or (n even and n > 2) ⇒ output "composite"
  else guess x to verify Fermat's Theorem:
    check (1) $x^{n-1} \equiv 1 \pmod n$;
    to verify (2), guess the prime factorization of $n - 1 = n_1 n_2 \cdots n_k$, then
      (a) recursively verify each $n_i$ prime,
      (b) verify $x^{(n-1)/n_i} \not\equiv 1 \pmod n$.
Note: if $x^{n-1} \equiv 1 \pmod n$, the least y such that $x^y \equiv 1 \pmod n$ must divide n-1, so $x^{ya} \equiv 1 \pmod n$. Let $a = (n-1)/(y\,n_i)$; then $x^{ya} = x^{(n-1)/n_i} \equiv 1 \pmod n$.
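An added example, not from the lecture: a checker for a Pratt certificate that verifies conditions (1) and (2) above and recurses on the claimed prime factors of n-1; the certificate for 97 and the function names are constructed here.

```python
# Added example, not from the lecture: checking a Pratt certificate. A
# certificate maps each prime n to a witness x and the prime factors of n-1
# (2 needs no entry); the checker verifies conditions (1) and (2b) of the
# slide and recurses for (2a). The certificate for 97 is constructed here.
from typing import Dict, List, Tuple

Certificate = Dict[int, Tuple[int, List[int]]]

# Constructed: 97 - 1 = 2^5 * 3 and 5 generates Z_97^*; 3 - 1 = 2 and 2 generates Z_3^*.
CERT_97: Certificate = {97: (5, [2, 3]), 3: (2, [2])}


def pratt_verify(n: int, cert: Certificate) -> bool:
    """True iff cert proves n prime via the converse of Fermat's theorem."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0 or n not in cert:
        return False
    x, factors = cert[n]
    if not 1 < x < n:
        return False
    m = n - 1                                   # the listed primes must
    for q in factors:                           # account for all of n-1
        if q < 2 or m % q:
            return False
        while m % q == 0:
            m //= q
    if m != 1:
        return False
    if pow(x, n - 1, n) != 1:                   # (1) x^(n-1) = 1 mod n
        return False
    for q in factors:
        if pow(x, (n - 1) // q, n) == 1:        # (2b) x^((n-1)/q) != 1
            return False
        if not pratt_verify(q, cert):           # (2a) each q is prime
            return False
    return True


if __name__ == "__main__":
    print(pratt_verify(97, CERT_97))                                       # True
    print(pratt_verify(97, {97: (96, [2, 3]), 3: (2, [2])}))               # False: 96 has order 2
    print(pratt_verify(91, {91: (2, [2, 3, 5]), 3: (2, [2]), 5: (2, [2])}))  # False: 91 = 7*13
```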

Primality Testing
Wish to test if n is prime.
Technique: $W_n(a)$ = "a witnesses that n is composite".
  $W_n(a)$ = true ⇒ n composite
  $W_n(a)$ = false ⇒ don't know
Goal of Randomized Primality Tests: for random $a \in \{1, \ldots, n-1\}$, n composite ⇒ Prob($W_n(a)$ true) > 1/2.

Solovay & Strassen Primality Test
$W_n(a)$ = (gcd(a,n) ≠ 1) or ($J(a,n) \not\equiv a^{(n-1)/2} \pmod n$); tests if Gauss's Quadratic Reciprocity Law is violated.
So at least 1/2 of all $a \in \{1, \ldots, n-1\}$ are "witnesses to compositeness of n".

Definitions
$Z_n^*$ = set of all nonnegative numbers < n which are relatively prime to n.
A generator g of $Z_n^*$ is such that for all $x \in Z_n^*$ there is i with $g^i \equiv x \pmod n$.

Theorem of Solovay & Strassen: If n is composite, then $|G| \le (n-1)/2$ where $G = \{a \mid W_n(a \bmod n) \text{ is false}\}$.
Proof:
Case $G \ne Z_n^*$ ⇒ G is a subgroup of $Z_n^*$ ⇒ $|G| \le |Z_n^*|/2 \le (n-1)/2$.
Case $G = Z_n^*$: use proof by contradiction. So $a^{(n-1)/2} \equiv J(a,n) \pmod n$ for all a relatively prime to n. Let n have prime factorization $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ with $a_1 \ge a_2 \ge \cdots \ge a_k$. Let g be a generator of $Z_m^*$ where $m = p_1^{a_1}$.

Then by the Chinese Remainder Theorem there exists a unique a such that $a \equiv g \pmod m$ and $a \equiv 1 \pmod{n/m}$. Since a is relatively prime to n, $a \in Z_n^*$, so $a^{n-1} \equiv 1 \pmod n$ and $g^{n-1} \equiv 1 \pmod m$.

Case $a_1 \ge 2$: then the order of g in $Z_{p_1^{a_1}}^*$ is $p_1^{a_1 - 1}(p_1 - 1)$ by a known formula, a contradiction since the order divides n-1.

Case $a_1 = a_2 = \cdots = a_k = 1$: since $n = p_1 \cdots p_k$,
$J(a,n) = \prod_{i=1}^{k} J(a, p_i) = J(g, p_1) \prod_{i=2}^{k} J(1, p_i)$,
since $a \equiv g \pmod{p_i}$ for i = 1 and $a \equiv 1 \pmod{p_i}$ for i ≠ 1.
So $J(a,n) \equiv -1 \pmod n$, since $J(1, p_i) = 1$ and $J(g, p_1) = -1$.

We have shown $J(a,n) \equiv -1 \pmod n$, so $J(a,n) \equiv -1 \pmod{n/m}$. But by assumption $a \equiv 1 \pmod{n/m}$, so $a^{(n-1)/2} \equiv 1 \pmod{n/m}$. Hence $a^{(n-1)/2} \not\equiv J(a,n) \pmod{n/m}$, a contradiction with Gauss's Law!

Miller's Primality Test
$W_n(a)$ = (gcd(a,n) ≠ 1) or ($a^{n-1} \not\equiv 1 \pmod n$) or ($\gcd(a^{(n-1)/2^i} \bmod n - 1,\; n) \ne 1$ for some $i \in \{1, \ldots, k\}$), where $k = \max\{i \mid 2^i \text{ divides } n-1\}$.
Theorem (Miller): Assuming the extended RH, if n is composite, then $W_n(a)$ holds for some $a \in \{1, 2, \ldots, c \log n\}$.

Miller's Test assumes the extended RH (not proved).
Rabin: choose a random $a \in \{1, \ldots, n-1\}$ and test $W_n(a)$.
Theorem (Rabin): if n is composite then Prob($W_n(a)$ holds) > 1/2, so this gives another randomized, polynomial-time algorithm for primality!
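An added example, not from the lecture: Miller's witness and Rabin's randomized use of it; the gcd test is implemented as 1 < gcd < n, which is my reading of the slide's condition, and 561 and 104729 are constructed test inputs.

```python
# Added example, not from the lecture: Miller's witness W_n(a) in the form
# the slide gives (look at a^((n-1)/2^i) for i = 1..k, k the largest power
# of 2 dividing n-1) and Rabin's randomized use of it. The gcd condition is
# implemented as "1 < gcd < n", i.e. a proper factor of n; reading the
# slide's "!= 1" that way is an assumption.
import math
import random


def miller_witness(n: int, a: int) -> bool:
    """True if a proves n composite; False means "don't know"."""
    if n < 3 or n % 2 == 0:
        return n != 2
    if math.gcd(a, n) != 1:
        return True
    if pow(a, n - 1, n) != 1:                       # Fermat condition fails
        return True
    k = ((n - 1) & -(n - 1)).bit_length() - 1       # largest k with 2^k | n-1
    for i in range(1, k + 1):
        x = pow(a, (n - 1) >> i, n)                 # a^((n-1)/2^i) mod n
        if 1 < math.gcd(x - 1, n) < n:              # x is a square root of 1
            return True                             # other than +-1: a factor
        if x != 1:
            break   # x = -1 here; lower exponents cannot expose a factor
    return False


def rabin_is_probable_prime(n: int, rounds: int = 20, rng=None) -> bool:
    """Rabin: test W_n(a) for random a in {1,...,n-1}; False iff a witness is found."""
    if n < 4:
        return n in (2, 3)
    rng = rng or random.Random(0)
    return not any(miller_witness(n, rng.randrange(1, n)) for _ in range(rounds))


if __name__ == "__main__":
    print(miller_witness(561, 2))           # True: 561 = 3*11*17 is composite
    print(rabin_is_probable_prime(561))     # False
    print(rabin_is_probable_prime(104729))  # True (the 10000th prime)
```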