Linear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:

Similar documents
Private Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Introduction to Public-Key Cryptosystems:

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

ICS141: Discrete Mathematics for Computer Science I

Cryptography. pieces from work by Gordon Royle

CHAPTER 6. Prime Numbers. Definition and Fundamental Results

Carmen s Core Concepts (Math 135)

CS March 17, 2009

Public Key Encryption

A Guide to Arithmetic

Cryptography. P. Danziger. Transmit...Bob...

Integers and Division

Mathematical Foundations of Public-Key Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Lecture 1: Introduction to Public key cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

CPSC 467b: Cryptography and Computer Security

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

CS483 Design and Analysis of Algorithms

Instructor: Bobby Kleinberg Lecture Notes, 25 April The Miller-Rabin Randomized Primality Test

Math.3336: Discrete Mathematics. Mathematical Induction

Chapter 5. Number Theory. 5.1 Base b representations

Section Summary. Division Division Algorithm Modular Arithmetic

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

Basic elements of number theory

Basic elements of number theory

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Discrete mathematics I - Number theory

MATH 145 Algebra, Solutions to Assignment 4

10 Public Key Cryptography : RSA

Number Theory and Cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

basics of security/cryptography

An integer p is prime if p > 1 and p has exactly two positive divisors, 1 and p.

Introduction to Modern Cryptography. Benny Chor

CPSC 467b: Cryptography and Computer Security

Chapter 8 Public-key Cryptography and Digital Signatures

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

download instant at

A polytime proof of correctness of the Rabin-Miller algorithm from Fermat s Little Theorem

Applied Cryptography and Computer Security CSE 664 Spring 2018

CRYPTOGRAPHY AND NUMBER THEORY

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Ma/CS 6a Class 2: Congruences

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Number theory (Chapter 4)

Ma/CS 6a Class 2: Congruences

RSA: Genesis, Security, Implementation & Key Generation

ECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation

Applied Cryptography and Computer Security CSE 664 Spring 2017

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

ALG 4.0 Number Theory Algorithms:

The security of RSA (part 1) The security of RSA (part 1)

10 Modular Arithmetic and Cryptography

A SURVEY OF PRIMALITY TESTS

The RSA cryptosystem and primality tests

CPSC 467b: Cryptography and Computer Security

1. Algebra 1.7. Prime numbers

CPSC 467: Cryptography and Computer Security

For your quiz in recitation this week, refer to these exercise generators:

CHAPTER 3. Congruences. Congruence: definitions and properties

INTEGERS. In this section we aim to show the following: Goal. Every natural number can be written uniquely as a product of primes.

Number Theory and Group Theoryfor Public-Key Cryptography

CSE 311 Lecture 13: Primes and GCD. Emina Torlak and Kevin Zatloukal

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Public Key Algorithms

Foundations of Network and Computer Security

Part IA Numbers and Sets

Elementary Number Theory Review. Franz Luef

Aspect of Prime Numbers in Public Key Cryptosystem

Public-Key Cryptosystems CHAPTER 4

ECE596C: Handout #11

cse 311: foundations of computing Spring 2015 Lecture 12: Primes, GCD, applications

Name: Mathematics 1C03

Elementary Number Theory MARUCO. Summer, 2018

Ma/CS 6a Class 4: Primality Testing

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

THE MILLER RABIN TEST

Introduction to Number Theory

8.1 Principles of Public-Key Cryptosystems

Public-Key Encryption: ElGamal, RSA, Rabin

CPSC 467: Cryptography and Computer Security

4.5 Applications of Congruences

MATH 363: Discrete Mathematics

cse 311: foundations of computing Fall 2015 Lecture 12: Primes, GCD, applications

Discrete Mathematics GCD, LCM, RSA Algorithm

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

3 The fundamentals: Algorithms, the integers, and matrices

CSE 311: Foundations of Computing. Lecture 12: Two s Complement, Primes, GCD

Number Theory and Algebra: A Brief Introduction

CSE20: Discrete Mathematics

Foundations of Computer Science Lecture 10 Number Theory

The set of integers will be denoted by Z = {, -3, -2, -1, 0, 1, 2, 3, 4, }

Pseudo-random Number Generation. Qiuliang Tang

Transcription:

Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k := x 0 + km, k Z... since km 0 (mod m). So, uniqueness can only be modulo m. How many solutions modulo 4 to 2x 2 (mod 4)? 2 1 2 3 2 (mod 4). Claim If gcd(a, m) = 1 then (1) has at most one solution modulo m. Proof. Suppose r, s Z are solutions of (1). a(r s) 0 (mod m) m r s r s (mod m). 1

Linear Congruences cont. The key to finding a solution: x = b/a = ba 1 where a 1 is the solution to ay = 1. Claim. Let m N +, a Z. Suppose ā Z s.t aā 1 (mod m). Then for any b Z, x = bā is a solution of ax b (mod m). Proof. a(bā) aāb 1 b b (mod m). Example: to solve 3x 4 (mod 7) first find 3 (mod 7): 2 3 6 1 (mod 7) 2 3 (mod 7). x = 3 4 = 2 4 = 8 satisfies 3x 4 (mod 7). Does ā always exist? Can you solve 2x 1 (mod 4)? 2 0 2 2 0 (mod 4) and 2 1 2 3 2 (mod 4). What about 2x 1 (mod 2n)? What about 2 modulo 3? When does ā exist? Is it unique? How can we find it? 2

Inverse Modulo m Theorem. If a, m are relatively prime integers and m > 1 then there exists a unique inverse of a modulo m denoted as ā. Proof. s, t Z s.t. as + mt = 1 as 1 (mod m) s is an inverse modulo m Since an inverse is a solution to ax 1 (mod m) uniqueness was already proved. Cor. ā is given by the extended Euclid algorithm. Example: gcd(3, 7) = 1 3 modulo 7 7 = 2 3+1 2 3+7 = 1 3 2 (mod 7). 3

The Chinese Remainder Theorem Example. Pick an integer n [0, 104]. Tell me its remainders modulo 3, 5, and 7 (r 3, r 5, r 7 ). Let me guess : n = 70r 3 + 21r 5 + 15r 7 mod 105. Def. m 1,..., m n are pairwise relatively prime if i, j, gcd(m i, m j ) = 1. Theorem. Let m 1,..., m n N + be pairwise relatively prime. The set of equations x a i (mod m i ) i = 1, 2... n (2) has a unique solution modulo M := n 1 m i. Comments: If x is a solution then so is x + km for any k Z. There exists a unique solution x N [0, M 1]. Example: a solution to x r 3 (mod 3), x r 5 (mod 5), x r 7 (mod 7) is x = 70r 3 + 21r 5 + 15r 7 mod 105. The key: 70 mod 3 = 1, 70 mod 5 = 0, 70 mod 7 = 0 21 mod 3 = 0, 21 mod 5 = 1, 21 mod 7 = 0 15 mod 3 = 0, 15 mod 5 = 0, 15 mod 7 = 1 4

Proof of the CRT Proof. A solution exists if x i, i = 1,..., n s.t.: x i 1 (mod m i ) x i 0 (mod m j ) j i. (3) Indeed, x := n 1 a jx j satisfies n n x a j (x j mod m i ) a j δ ij a i (mod m i ). j=1 j=1 We prove (3) constructively: let s i = M/m i. Then, s i = i j m j 0 (mod m j ) for j i. s i has an inverse modulo m i, s i... since gcd(m i, s i ) = 1. Let x i := s i s i. For i = 1,..., n, x i satisfies (3). In our example: s 3 = 5 7 = 35, s 3 = 2 s 5 = 3 7 = 21, s 5 = 1 s 7 = 3 5 = 15, s 7 = 1. Uniqueness: suppose x and y satisfy (2). x y 0 (mod m i ) for i = 1,..., n. The next lemma completes the proof: Lemma. If m i N + are pairwise relatively prime and m i s for i = 1,..., n then n 1 m i s. 5

Proof of the CRT cont. Lemma. If m i N + are pairwise relatively prime and m i s for i = 1,..., n then n 1 m i s. Proof. By induction on n. For n = 1 the statement is trivial. Assuming it holds for n = N we want to prove it for n = N + 1. Let a := N 1 m i and let b = m N+1. l Z s.t. s = la... by the inductive hypothesis a s. b s b l... because a and b are relatively prime. k Z s.t. l = bk. s = al = abk ab s. 6

Computer Arithmetic with Large Integers Want to work with very large integers. Choose m 1,..., m n pairwise relatively prime. To compute N 1 + N 2 or N 1 N 2 : N i (N i mod m 1,..., N i mod m n ) N 1 + N 2 (N 1 + N 2 mod m 1,..., N 1 + N 2 mod m n ) N 1 N 2 (N 1 N 2 mod m 1,..., N 1 N 2 mod m n ) The lhs of the last two equation can readily be computed component wise. Requires efficient transition: Advantages: N (N mod m 1,..., N mod m n ). Allows arithmetic with very large integers. Can be readily parallelized. Example. The following are pairwise relatively prime. {m i } 5 1 = {2 35 1, 2 34 1, 2 33 1, 2 29 1, 2 23 1} We can add and multiply positive integers up to M = 5 1 m i > 2 184. 7

Fermat s Little Theorem If p is a prime and p a Z then a p 1 1 (mod p). Moreover, for any a Z, a p a (mod p). Proof. Let A = {1, 2,..., p 1}, and let B = {1a mod p, 2a mod p,..., (p 1)a mod p}. 0 / B so B A. A = p 1 so if B = p 1 then A = B. Let 1 i j p 1, then ia mod p ja mod p ia ja (mod p) p a(i j) A = B. (p 1)! = p 1 (ia mod p) a p 1 (p 1)! i=1 a p 1 1 (mod p)... since gcd((p 1)!, p) = 1. In particular, a p a (mod p). The latter clearly holds for a s.t. p a as well. (mod p). 8

Private Key Cryptography Alice (aka A) wants to send an encrypted message to Bob (aka B). A and B might share a private key known only to them. The same key serves for encryption and decryption. Example: Caesar s cipher f(m) = m + 3 mod 26. ABCDEFGHIJKLMNOPQRSTUVWXYZ WKH EXWOHU GLG LW THE BUTLER DID IT Note that f(m) 3 mod 26 = m Slightly more sophisticated: f(m) = am + b mod 26 Example: f(m) = 4m + 1 mod 26... oops f(0) = f(13) = 1. Decryption: solve for m, (am + b) mod 26 = c, or am c b (mod 26). Need ā, or gcd(a, 26) = 1. Weakness of this cipher: suppose the triplet QMB is much more popular than all other triplets... 9

Private Key cont. However, some private key systems are totally immune to non-physical attacks: A and B share the only two copies of a long list of random integers s i for i = 1,..., N. A sends B the message {m i } n i=1 encrypted as: c i = m i + s K+i mod 26 for i = 1,..., n. A also sends the key K and deletes s K+1,..., s K+n. B decrypts A s message by computing c i s K+i mod 26. Upon decryption B also deletes s K+1,..., s K+n. Pros: bullet proof cryptography system Cons: horrible logistics Cons (any private key system): Only predetermined users can exchange messages 10

Public Key Encryption A uses B s public encryption key to send an encrypted message to B. Only B has the decryption key that allows decoding of messages encrypted with his public key. BIG advantage: A need not know nor trust B. 11

RSA Generating the keys. Choose two very large (hundreds of digits) primes p, q. Let n = pq. Choose e N relatively prime to (p 1)(q 1). Compute d, the inverse of e modulo (p 1)(q 1). Publish the modulos n and the encryption key e. Keep the decryption key d to yourself. Encryption protocol. The message is divided into blocks each represented as M N [0, n 1]. Each block M is encrypted: C = M e (mod n). Example. Encrypt stop using e = 13 and n = 2537: s t o p 18 19 14 15 1819 1415 1819 13 mod 2537 = 2081 and 1415 13 mod 2537 = 2182 so 2081 2182 is the encrypted message. We did not need to know p = 43, q = 59 for that. By the way, gcd(13, 42 58) = 1. 12

RSA cont. Decryption: compute C d mod n. Claim. C d mod n = M. Lemma Suppose p is prime. Then for a Z p a and k 0 (mod p 1) a k 1 (mod p). m 1 (mod p 1) a m a (mod p). Proof of Claim. ed 1 (mod p 1) and ed 1 (mod q 1)... since ed 1 (mod (p 1)(q 1)) M ed M (mod p), and M ed M (mod q). M ed M (mod n). M ed mod n = M. C d mod n = [M e mod n] d mod n = M ed mod n = M. Proof of lemma. k = l(p 1) for some l Z. a k = ( a p 1) l ( a p 1 mod p ) l 1 (mod p). If p a, a m a (mod p) for any m. If p a, use m 1 0 (mod p 1) above. 13

Probabilistic Primality Testing RSA requires really large primes. The popular way of testing primality is through probabilistic algorithms. The procedure for randomized testing of n s primality is based on a readily computable test T(b, n): is b Z n := {1,..., n 1} a witness for n s primality. Example. Is b n 1 1 (mod n)? The answer is always positive if n is prime. Unfortunately, the answer might be positive even if n is composite: 2 340 1 (mod 341) and 341 = 11 31. The probability that a randomly chosen b will be a witness to the primality of the composite n, depends on T. Machine Learning: false positive rate of T on n, FP(n). Need to control the overall FP rate of T: establish a lower bound q, on the probability of a false witness for any n. If m randomly chosen bs have all testified that n is prime then the probability that n is composite q m. 14

Probabilistic Primality Testing cont IsPrime(n, ε, [T, q]): Primality Testing Input: n N + - the prime suspect ε (0, 1) - probability of false classification T - a particular prime test FPr - a lower bound on Prob(false witness) Output: yes, with probability 1 ε, or no P r = 1 while P r > ε randomly draw b Z n := {1, 2..., n 1} if T(b, n) P r := P r FPr else return no return yes, with probability 1 ε For a given ε, the complexity clearly depends on FPr, the false positive rate of T. How many false witnesses b can there possibly be? 15

Fermat s Pseudoprimes Def. If n is a composite and b n 1 1 (mod n) then n is a Fermat pseudoprime to the base b. Let T F be the Fermat test and assume n is composite. n is a Fermat pseudoprime to the base b if and only if T F (b, n) is a FP. What is the probability, q n, that T F (b, n) yields a FP for a randomly chosen b Z n := {1, 2,..., n 1}? If k = {b Z n : T F (b, n) is positive}, for k out of the n 1 possible bs, T F (b, n) gives a FP. Since each of the bs is equally likely to be drawn, q n = k/(n 1). Are there composites n which are Fermat pseudoprimes to relatively many bases b? 16

Carmichael numbers Def. A composite n which is a Fermat pseudoprime for any b with gcd(n, b) = 1 is a Carmichael number. Example. n = 561 is a Carmichael number. Suppose b Z n with gcd(b, n) = 1. n = p 1 p 2 p 3 with p 1 = 3, p 2 = 11, p 3 = 17. Check: n 1 0 (mod p i 1) for i = 1, 2, 3. b n 1 1 (mod p i ) for i = 1, 2, 3... since p i b. b n 1 1 (mod n). T F can perform miserably on Carmichael numbers: it will yield a FP for most bs. Example. If n = p 1 p 2 p 3 is a Carmichael numbers then 1 q n n/p 1 1 n 1 + n/p 2 1 n 1 + n/p 3 1 n 1 1 p 1 + 1 p 2 + 1 p 3 Aside: Use of a Carmichael number instead of a prime factor in the modulus of an RSA cryptosystem is likely to make the system fatally vulnerable - Pinch (97). 17

The Rabin-Miller Test Input: n = 2 s t + 1 where t is odd and s N b Z n T RM : Does exactly one of the following hold? b t 1 (mod n) or b 2jt 1 (mod n) for one 0 j s 1. Claim. If n is prime, T RM (b, n) is positive b Z n. Fact. If n is composite the FP rate is at most 1/4. The probability that a composite n will survive m tests T RM (b, n) with randomly chosen bs is 4 m. The claim is a corollary of the following lemma. Lemma. If p 2 is prime and p b 2st 1 then p divides exactly one factor in b 2st 1 = (b t 1)(b t + 1)(b 2t + 1)... (b 2s 1t + 1). Note that in our case p = 2 s t + 1 so for b relatively prime to p, p b 2st 1 by Fermat s theorem. Sketch of lemma s proof. 18

Induction on s, base is trivial. p b 2st 1 p (b 2s 1t 1)(b 2s 1t + 1). But p cannot divide both factors since then p (b 2s 1t + 1) (b 2s 1t 1) = 2. 19

Pseudorandom Numbers For the randomized algorithms we need a random number generator. Most languages provide you with a function rand. There is nothing random about such a function... Being deterministic it creates pseudorandom numbers. Example. The linear congruential method. Choose a modulus m N +, a multiplier a {2, 3,..., m 1} and an increment c Z m := {0, 1,..., m 1}. Choose a seed x 0 Z m (time is typically used). Compute x n+1 = ax n + c (mod m). Warning: a poorly implemented rand(), such as in C, can wreak havoc on Monte Carlo simulations. 20

Database 101 Problem: How can we efficiently store, retrieve and delete records from a large database? For example, students records. Each record has a unique key (e.g. student ID). Shall we keep an array sorted by the key? Easy retrieval but difficult insertion and deletion. How about a table with an entry for every possible key? Often infeasible, almost always wasteful. 21

Hashing Store the records in an array of size N. N should be somewhat bigger than the expected number of records. The location of a record is given by h(k) where k is the key and h is the hashing function which maps the space of keys to Z N. Example: h(k) := k mod N. A collision occurs when h(k 1 ) = h(k 2 ) and k 1 k 2. To minimize collisions makes sure N is sufficiently large. You can re-hash the data if the table gets too full. A good hashing function should distribute the images of the possible set of keys fairly evenly over Z N. Ideally, P (h(k) = i) = 1/N for any i Z N. When collisions occur there are mechanisms to resolve them (buckets, next empty cell, etc.) 22

Tentative Prelim Coverage IMPORTANT: The only type of calculator that you can bring with you to the prelim is one without any memory or programming capability. If you have any doubt about whether or not your calculator qualifies it probably doesn t but feel free to ask one of the professors. Chapter 0: Sets Set builder notation Operations: union, intersection, complementation, set difference Relations: reflexive, symmetric, transitive, equivalence relations transitive closure Functions Injective, surjective, bijective Inverse function Important functions and how to manipulate them: exponent, logarithms, ceiling, floor, mod, polynomials 23

Summation and product notation Matrices (especially how to multiply them) Proof and logic concepts logical notions (,, ) Proofs by contradiction Chapter 1 You do not have to write algorithms in their notation You must be able to read algorithms in their notation Chapter 2 induction vs. strong induction guessing the right inductive hypothesis inductive (recursive) definitions Number Theory - everything we covered in class including Fundamental Theorem of Arithmetic gcd, lcm Euclid s Algorithm and its extended version Modular arithmetics, linear congruences, modular inverse 24

CRT Fermat s little theorem RSA Probabilistic primality testing Chapter 4: Section 4.1, 4.2, 4.3 Sum and product rule 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback