Number Theory and Group Theoryfor Public-Key Cryptography

Similar documents
Numbers. Çetin Kaya Koç Winter / 18

Number Theory. CSS322: Security and Cryptography. Sirindhorn International Institute of Technology Thammasat University CSS322. Number Theory.

Basic elements of number theory

Basic elements of number theory

Applied Cryptography and Computer Security CSE 664 Spring 2018

MATH 145 Algebra, Solutions to Assignment 4

Congruence Classes. Number Theory Essentials. Modular Arithmetic Systems

LECTURE NOTES IN CRYPTOGRAPHY

Topics in Cryptography. Lecture 5: Basic Number Theory

CPSC 467b: Cryptography and Computer Security

Lecture 3.1: Public Key Cryptography I

Applied Cryptography and Computer Security CSE 664 Spring 2017

Introduction to Cryptography. Lecture 6

Know the Well-ordering principle: Any set of positive integers which has at least one element contains a smallest element.

CS 5319 Advanced Discrete Structure. Lecture 9: Introduction to Number Theory II

Mathematics for Cryptography

CPSC 467: Cryptography and Computer Security

[Part 2] Asymmetric-Key Encipherment. Chapter 9. Mathematics of Cryptography. Objectives. Contents. Objectives

Lecture notes: Algorithms for integers, polynomials (Thorsten Theobald)

Elementary Number Theory Review. Franz Luef

Public Key Encryption

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Chapter 5. Modular arithmetic. 5.1 The modular ring

ECEN 5022 Cryptography

COMP239: Mathematics for Computer Science II. Prof. Chadi Assi EV7.635

Elementary Number Theory MARUCO. Summer, 2018

Outline. Some Review: Divisors. Common Divisors. Primes and Factors. b divides a (or b is a divisor of a) if a = mb for some m

Outline. AIT 682: Network and Systems Security. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

AN ALGEBRAIC PROOF OF RSA ENCRYPTION AND DECRYPTION

Mathematical Foundations of Public-Key Cryptography

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Number Theory and Algebra: A Brief Introduction

1 Overview and revision

CSC 474 Network Security. Outline. GCD and Euclid s Algorithm. GCD and Euclid s Algorithm Modulo Arithmetic Modular Exponentiation Discrete Logarithms

Mathematics of Cryptography

2.3 In modular arithmetic, all arithmetic operations are performed modulo some integer.

MATH 433 Applied Algebra Lecture 4: Modular arithmetic (continued). Linear congruences.

Number Theory Proof Portfolio

Chapter 9 Mathematics of Cryptography Part III: Primes and Related Congruence Equations

CSC 474 Information Systems Security

The security of RSA (part 1) The security of RSA (part 1)

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

Public-key Cryptography: Theory and Practice

Public Key Cryptography

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

The number of ways to choose r elements (without replacement) from an n-element set is. = r r!(n r)!.

Introduction to Public-Key Cryptosystems:

ECE596C: Handout #11

Number Theory. Modular Arithmetic

Iterated Encryption and Wiener s attack on RSA

NUMBER THEORY. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA

Introduction to Number Theory

A Readable Introduction to Real Mathematics

Number Theory & Modern Cryptography

Lecture 14: Hardness Assumptions

Basic Algorithms in Number Theory

Introduction to Information Security

Number Theory A focused introduction

Some Facts from Number Theory

Basic Algorithms in Number Theory

Exercises Exercises. 2. Determine whether each of these integers is prime. a) 21. b) 29. c) 71. d) 97. e) 111. f) 143. a) 19. b) 27. c) 93.

2 More on Congruences

A SURVEY OF PRIMALITY TESTS

Number theory (Chapter 4)

Congruence of Integers

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Integers and Division

A. Algebra and Number Theory

Theory of RSA. Hiroshi Toyoizumi 1. December 8,

Discrete Mathematics GCD, LCM, RSA Algorithm

Chuck Garner, Ph.D. May 25, 2009 / Georgia ARML Practice

Lecture 4: Number theory

Chapter 8. Introduction to Number Theory

Senior Math Circles Cryptography and Number Theory Week 2

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

MATH 3240Q Introduction to Number Theory Homework 5

CIS 551 / TCOM 401 Computer and Network Security

This is a recursive algorithm. The procedure is guaranteed to terminate, since the second argument decreases each time.

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Number Theory

K. Ireland, M. Rosen A Classical Introduction to Modern Number Theory, Springer.

ECE 646 Lecture 5. Mathematical Background: Modular Arithmetic

1. Factorization Divisibility in Z.

CSC 5930/9010 Modern Cryptography: Number Theory

Elementary Number Theory and Cryptography, 2014

The set of integers will be denoted by Z = {, -3, -2, -1, 0, 1, 2, 3, 4, }

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

CIS 6930/4930 Computer and Network Security. Topic 5.1 Basic Number Theory -- Foundation of Public Key Cryptography

Basic Algebra and Number Theory. Nicolas T. Courtois - University College of London

D-MATH Algebra II FS18 Prof. Marc Burger. Solution 26. Cyclotomic extensions.

Number theory. Myrto Arapinis School of Informatics University of Edinburgh. October 9, /29

CMPUT 403: Number Theory

4 Number Theory and Cryptography

ICS141: Discrete Mathematics for Computer Science I

A Few Primality Testing Algorithms

Simultaneous Linear, and Non-linear Congruences

Q 2.0.2: If it s 5:30pm now, what time will it be in 4753 hours? Q 2.0.3: Today is Wednesday. What day of the week will it be in one year from today?

MATH 361: NUMBER THEORY FOURTH LECTURE

4 Powers of an Element; Cyclic Groups

Transcription:

Number Theory and Group Theory for Public-Key Cryptography TDA352, DIT250 Wissam Aoudi Chalmers University of Technology November 21, 2017 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography

Outline Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 2 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 2 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 2 / 30

Preliminaries: some facts about divisibility and primes Euclidean Division Let a, b Z with a > 0, then there exist unique integers q, r such that a = qb + r, with 0 r < b. Example a = 13, b = 6, then 13 = 2 6 + 1, (q = 2, r = 1) Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 3 / 30

Preliminaries: some facts about divisibility and primes Definition (Prime Numbers) A positive integer p > 1 is said to be a prime if it is divisible by 1 and itself only. Example 3, 5, 13, 19, 37, 83. Facts Prime numbers are the building blocks of the natural numbers: any natural number N > 1 can be uniquely written as N = n i=1 p a i i = p a 1 1 pa 2 2 pan n where p 1 < p 2 < < p n and a i N (Fundamental Theorem of Arithmetics). Integer factorization is in general a hard problem. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 4 / 30

Preliminaries: Extended Euclidean Algorithm (EEA) Greatest Common Divisor The Greatest Common Divisor of two integers is the largest integer that divides both of them. Definition (GCD) The GCD of two positive integers a and b, is the positive integer d such that i) d a and d b (Common Divisor). ii) if e a and e b, then e d (Greatest such divisor). Euclidean Algorithm function gcd(a,b) if b = 0 return a; else return gcd(b, a mod b); Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 5 / 30

Preliminaries: Extended Euclidean Algorithm (EEA) Definition (Relative Primality) If GCD(a, b) = 1, then a and b are said to be relatively prime (or coprime). Definition (Bézout Identity) Let a, b be two positive integers and d = GCD(a, b), then there exist integers s, t Z such that d = as + bt. In other words, d can be written as a linear combination of a, b. One way to find a pair (s, t) is by using the Extended Euclidean Algorithm. Example Find the GCD of 456 and 100 and write it as a linear combination (using Extended Euclidean Algorithm) Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 6 / 30

Extended Euclidean Algorithm (EEA) Remainder 456 100 456s + 100t 1 0 0 1 Quotient Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 456 100 = 4 Remainder 456 100 456s + 100t 1 0 0 1 Quotient 4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 456-4*100 = 56 Remainder 456 100 56 456s + 100t 1 0 0 1 Quotient 4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 56 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 1-4*0 = 1 Remainder 456s + 100t 456 1 0 100 0 1 56 1 Quotient 4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 56 1 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 0-4*1 = -4 Remainder 456s + 100t 456 1 0 100 0 1 56 1-4 Quotient 4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 56 1-4 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 100 56 = 1 Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 56 1-4 1 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Extended Euclidean Algorithm (EEA) 4 = 456*9-100*41 GCD Remainder 456s + 100t Quotient 456 1 0 100 0 1 4 56 1-4 1 44-1 5 1 12 2-9 3 8-7 32 1 4 0 9-41 2 Bézout coefficients Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 7 / 30

Modular Arithmetics Definition (Congruence) Let a, b, n be positive integers such that a, b have the same remainder upon dividing by n, then we say that a is congruent to b modulo n, written a b (mod n). Facts 1 a b (mod n) n a b. 2 kn 0 (mod n) (for any k Z). 3 a b (mod n) a = kn + b (for some k Z). Examples 23 8 (mod 5), since 23 = 3 5 + 8. 1 11 (mod 6), since 6 1 11 = 12. 7 8 (mod 3), since 3 7 8 = 1 (here means does not divide ). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 8 / 30

Modular Arithmetics Definition (Linear Congruence) A congruence of the form ax b (mod n) is called a linear congruence, which has a solution if and only if there exists x 0 {0, 1,..., n 1} such that ax 0 b (mod n). Note that a linear congruence is like a linear equation except that it is solved modulo n. Lemma The linear congruence ax 1 (mod n) is solvable (i.e., has a solution) if and only if GCD(a, n) = 1 (i.e., a and n are relatively prime). Very useful for computing modular inverses for RSA! Recall: in RSA we choose an encryption exponent e, and then compute the decryption exponent d such that d = e 1 (mod ϕ(n)) e d 1 (mod ϕ(n)). That is, given e, we solve the linear congruence e x 1 (mod ϕ(n)), the solution to which is exactly d, the modular inverse of e in Z ϕ(n). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 9 / 30

Modular Arithmetics To find the modular inverse of an integer a (mod n): GCD(a, n) = 1 (previous lemma) ax + kn = 1 (Bézout lemma) ax = 1 (mod n) (kn = 0 (mod n)) x = a 1 (mod n). We can find x using EEA! Example Find the modular inverse of 2017 (mod 397). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 10 / 30

Modular Arithmetics Remainder 2017 397 x 1 0 Quotient Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 11 / 30

Modular Arithmetics 2017 397 = 5 Remainder 2017 397 x 1 0 Quotient 5 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 11 / 30

Modular Arithmetics Remainder x Quotient 2017 1 397 0 5 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 12 / 30

Modular Arithmetics 2017-5*397 = 32 Remainder 2017 397 32 x 1 0 Quotient 5 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 12 / 30

Modular Arithmetics Remainder x Quotient 2017 1 397 0 5 32 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 13 / 30

Modular Arithmetics 1-5*0 = 1 Remainder 2017 1 397 0 32 1 x Quotient 5 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 13 / 30

Modular Arithmetics Remainder x Quotient 2017 1 397 0 5 32 1 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 14 / 30

Modular Arithmetics 397 32 = 12 Remainder x Quotient 2017 1 397 0 5 32 1 12 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 14 / 30

Modular Arithmetics Remainder x Quotient 2017 397 1 0 5 32 1 12 13-12 2 6 25 2 1-62 Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 15 / 30

Modular Arithmetics GCD Remainder x Quotient 2017 397 1 0 5 32 1 12 13-12 2 6 25 2 1-62 Modular inverse Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 15 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 15 / 30

Euler s Totient Function Definition (Totient Function) The totient function (or Euler Phi function) ϕ( ) : N N, is defined to be the number of positive integers less than n and relatively prime to n. That is, ϕ(n) = {k N, such that k < n and GCD(n, k) = 1}. Facts (important for RSA!) if p is prime, then ϕ(p) = p 1. if N = pq, where p, q are primes, then ϕ(n) = (p 1)(q 1). Why? ϕ is a multiplicative function, meaning that, if GCD(a, b) = 1, then ϕ(ab) = ϕ(a)ϕ(b). As p, q are primes, ϕ(p) = p 1 and ϕ(q) = q 1. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 16 / 30

Euler s Totient Function Example ϕ(10) = {1, 3, 7, 9} = 4. ϕ(7) = {1, 2, 3, 4, 5, 6} = 6. Is there a formula for ϕ(n)? Yes! Formula for ϕ(n) We have ϕ(p a ) = p a 1 (p 1). ϕ is multiplicative, hence ϕ(ab) = ϕ(a)ϕ(b) N = p a 1 1 pa 2 2 pan n Thus ϕ(n) = ϕ(p a 1 1 pa 2 2 pan n ) = ϕ(p a 1 1 )ϕ(pa 2 2 ) ϕ(pan n ) Example = p a 1 1 1 (p 1 1)p a 2 1 2 (p 2 1) p an 1 n (p n 1). ϕ(600) = ϕ(2 3 3 5 2 ) = ϕ(2 3 ) ϕ(3) ϕ(5 2 ) = 2 2 (2 1) (3 1) 5(5 1) = 160. Note that to compute ϕ(n), we need to know the prime decomposition of N. Good news for RSA! Finding ϕ(n) (without knowing p or q) is as hard as factoring N. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 17 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 17 / 30

Fermat s Theorem & Euler s Theorem Fermat s Theorem Let a be a positive integer, and p a prime such that p does not divide a, then a p 1 1 (mod p). Example 5 38? (mod 13). a = 5, p = 13 (note that 13 5). 5 38 (5 12 ) 3 5 2 (1) 3 25 1 12 12 (mod 13). Euler s Theorem Let a, n be two relatively prime positive integers with n > 1, then a ϕ(n) 1 (mod n). Exercise: Find the remainder of 3 35 when divided by 20. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 18 / 30

Fermat s Theorem & Euler s Theorem Correctness Property Why m ed = m (mod N)? d = e 1 (mod ϕ(n)) e d = 1 (mod ϕ(n)) e d = kϕ(n) + 1 m ed (mod N) = m kϕ(n)+1 (mod N) = m kϕ(n) m (mod N) = (m ϕ(n) ) k m (mod N) = (1) k m (mod N) = m (mod N) Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 19 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 19 / 30

Chinese Remainder Theorem Chinese Remainder Theorem (a special case) Let N = pq, where p, q are distinct primes, and let a, b be any two integers, then the system of linear congruences { x a (mod p) x b (mod q) is solvable, and has a unique solution modulo pq. Moreover, the unique solution x is given by x = atq + bsp, where s, t are the Bézout coefficients of p, q respectively (i.e., s, t satisfy sp + tq = 1). Motivation The importance of CRT is that if the prime factors p, q of an integer N are known, then computations modulo N can be reduced to computations modulo p and q separately. In RSA, p, q are chosen to be of roughly the same size ( N), and for a sufficiently large value of N, N is much smaller than N, and consequently arithmetics modulo p and q are much cheaper to perform. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 20 / 30

Outline Euler's Totient Function What is the group of invertible elements mod N? or what is a group to begin with? Group Theory Operating modulo integers: modular arithmetics How to speed-up decryption? Chinese Remainder Theorem Where does this come from? Euler's Theorem Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 20 / 30

Group Theory Consider the group of all integers Z = {, 2, 1, 0, 1, 2, }. For all a, b Z, a + b Z (we say Z is closed under addition). For all a, b, c Z, (a + b) + c = a + (b + c) (Z is associative). For every element a Z, a + 0 = 0 + a = a (0 is the identity in Z). For every element a Z, there exists an element b = a Z, such that a + b = b + a = 0 (every element in Z has an additive inverse). We say that Z is a Group Under Addition. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 21 / 30

Group Theory Definition (Group Under Addition) A group G is a set, together with an operation +, satisfying the following properties 1 CLOSURE For all a, b G, the result of the operation +, i.e., a + b, is also in G. 2 ASSOCIATIVITY For all a, b, c G, it holds that, (a + b) + c = a + (b + c). 3 IDENTITY ELEMENT There exists an element e G, such that, for every element a G, it holds that a + e = e + a = a. 4 INVERSE ELEMENT For each a G, there exists an element b G, such that a + b = b + a = e (the inverse of a is usually denoted as a). Definition (Group Under Multiplication) A group G is a set, together with an operation, satisfying the following properties 1 CLOSURE For all a, b G, the result of the operation, i.e., a b, is also in G. 2 ASSOCIATIVITY For all a, b, c G, it holds that, (a b) c = a (b c). 3 IDENTITY ELEMENT There exists an element e G, such that, for every element a G, it holds that a e = e a = a. 4 INVERSE ELEMENT For each a G, there exists an element b G, such that a b = b a = e (the inverse of a is usually denoted as a 1 ). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 21 / 30

Group Theory We showed that Z is a group under addition. But Z is not a group under multiplication, because although closed, associative, and has identity 1, there exists an element (in fact all elements except for 1 and 1) that has no inverse. For instance, 5 is in Z, but 5 x = 1 has no solution in Z. On the other hand, the set of rational numbers Q (without the element 0), is a group under multiplication, since it is closed, associative, has identity 1, and for every element a Q, the linear equation a x = 1 always has the solution x = a 1 = 1/a (in particular, 5 1 = 1/5). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 22 / 30

Group Theory Group of Integers Modulo N Define Z N as the set of integers modulo N (e.g., Z 6 = {0, 1, 2, 3, 4, 5}), then Z N is a group under addition. Let us prove this for N = 3, i.e., for Z 3 = {0, 1, 2} 1 CLOSURE 0 + 0 = 0 (mod 3) 0 + 2 = 2 (mod 3) 1 + 2 = 3 = 0 (mod 3) 0 + 1 = 1 (mod 3) 1 + 1 = 2 (mod 3) 2 + 2 = 4 = 1 (mod 3) 2 ASSOCIATIVITY 3 IDENTITY ELEMENT (0 + 1) + 2 = 0 + (1 + 2) (mod 3) 4 INVERSES 0 + 0 = 0 (mod 3) 1 + 0 = 1 (mod 3) 2 + 0 = 2 (mod 3) 0 + 0 = 0 (mod 3) 1 + ( 1) = 1 + 2 = 3 = 0 (mod 3) 2 + ( 2) = 2 + 1 = 3 = 0 (mod 3) But Z 6 is not a group under multiplication because not every element has an inverse (e.g., there exists no x Z 6 such that 4 x = 1 (mod 6)). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 23 / 30

Group Theory So, to make the set of integers modulo N a group under multiplication, we should only choose the elements a that have inverses, i.e., for which there exists x such that a x 1 (mod N). Recall the lemma: a x 1 (mod N) if and only if GCD(a, N) = 1. Multiplicative Group of Integers Modulo N Define Z N to be the set of integers modulo N and relatively prime to N, that is, Z N = {a Z N, such that GCD(a, N) = 1}. Then, Z N is a group under multiplication. Example Z N Z 6 Z 14 Z 11 = {1, 5}. = {1, 3, 5, 9, 11, 13}. = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10}. is a fundamental group for RSA! It is an algebraic structure where the correctness property of RSA holds. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 24 / 30

Group Theory Definition (Order of a Group) The order of a group G is its cardinality, i.e., the number of elements in its set. It is denoted as ord(g) or G. Example ord(z 4 ) = {0, 1, 2, 3} = 4 ord(z N ) = {0, 1,..., N 1} = N ord(z N ) =? Lemma The order of Z N is ϕ(n). [recall the definition of ϕ(n)] Example Z 15 = ϕ(15) = ϕ(3 5) = (3 1) (5 1) = 8. [recall that ϕ(p q) = (p 1)(q 1) if p, q are primes] Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 25 / 30

Group Theory Definition (Order of an Element in a Group) The order of an element a in a (multiplicative) group G is the smallest positive integer n such that a n = e, where e is the (multiplicative) identity element of G. Example Z 9 = {1, 2, 4, 5, 7, 8} [note: In Z N, the identity is always 1] What is the order of 2 in Z 9? 2 1 = 2 1 in Z 9 2 4 = 16 = 7 1 in Z 9 2 2 = 4 1 in Z 9 2 5 = 32 = 5 1 in Z 9 2 3 = 8 1 in Z 9 2 6 = 64 = 1 in Z 9 Note: ord(2) = ord(z 9 ) 2 is a generator of Z 9, which means that Z 9 is a cyclic group (definition in a couple of slides). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 26 / 30

Group Theory Lemma For every element a of a group G, it holds that the order of a divides the order of G, i.e., ord(a) ord(g). Example Z 9 = {1, 2, 4, 5, 7, 8}, Z 9 = ϕ(9) = 6 What is the order of 2 in Z 9? 2 1 = 2 1 in Z 9 2 4 = 16 = 7 1 in Z 9 2 2 = 4 1 in Z 9 2 5 = 32 = 5 1 in Z 9 2 3 = 8 1 in Z 9 2 6 = 64 = 1 in Z 9 since 2 in Z 9 must be a divisor of 6, i.e., 1, 2, 3, or 6. This means that we do not need to check 2 4, 2 5 since 4, 5 are not divisors of 6. Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 27 / 30

Group Theory Definition (Subgroups) A non-empty subset H of a group G is said to be a subgroup of G, if H is itself a group under the same operation of G. Definition (Subgroup generated by an element) Let G be a group and a G. Define < a >= {a i, i N}, then, < a > is a subgroup of G, called the subgroup generated by a. Lemma (Group Generator) An element a of a group G is called a generator of G if < a >= G. That is, every element g of G can be written as a power of a, i.e., for all g G, g = a k (k N). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 28 / 30

Group Theory Definition (Cyclic Groups) A group G is said to be a cyclic group if it has a group generator, i.e., if there exists an element a G such that < a >= G. Moreover, a is a generator of G if and only if < a > = a = G. Example In Z 11, 2 is a generator since: [recall first that 2 divides Z 11 ] we have Z 11 = ϕ(11) = 10, and in Z 11 2 1 = 2 1 2 5 = 32 = 10 1 2 2 = 4 1 2 10 = 1024 = 1 Thus, 2 = 10 = Z 11. Therefore 2 is a generator of Z 11 and Z 11 is cyclic. Indeed Z 11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} = {20, 2 1, 2 8, 2 2, 2 4, 2 9, 2 7, 2 3, 2 6, 2 5 }. Exercise: Show that Z 8 is not cyclic and list all its subgroups. In fact, Z N is cyclic if and only if N = 2, 4, pa, 2p a (p > 2 a prime, a N). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 29 / 30

Group Theory Lemma Let G be a group with identity element e, and let a G, then a G = e. Revisiting Euler s and Fermat s Theorems Let a Z N, then a is relatively prime to N, i.e., GCD(a, N) = 1. Z N = ϕ(n). Therefore by the previous lemma, a Z N = a ϕ(n) = 1 in Z N, or equivalently a ϕ(n) 1 (mod N). [Euler stheorem!] Fermat s theorem is a special case where a Z p, where p is prime, so that a ϕ(p) = a p 1 1 (mod p). Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 30 / 30

References 1 Cryptography and Network Security: Principles and practice (Chapters 4.4, 8.1-8.3, 8.5, 9.2). 2 Introduction to Modern Cryptography, Lindell and Katz (Chapter 7.1.1, 7.1.3, 7.1.4, 7.2). Thank you for your attention! Wissam Aoudi Number Theory and Group Theoryfor Public-Key Cryptography 30 / 30

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback