Algebra and Number Theory


2012 Fall, Algebra and Number Theory, p. 1/37
Algebra and Number Theory
Wen-Guey Tzeng, Department of Computer Science, National Chiao Tung University

Residues
Let $a$ and $b$ be integers and $n$ be a positive integer.
$a \mid b$: $a$ divides $b$, or $a$ is a divisor of $b$.
$\gcd(a, b)$: greatest common divisor.
$a$ and $b$ are relatively prime: $\gcd(a, b) = 1$.
Prime factorization: $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$, where the $p_i$'s are distinct primes.
Euler's totient function is $\phi(n) = p_1^{e_1 - 1} p_2^{e_2 - 1} \cdots p_k^{e_k - 1} (p_1 - 1)(p_2 - 1) \cdots (p_k - 1)$.
$|S|$: the number of elements in the set $S$.

Definition 1 (congruent modulo). $a \equiv b \pmod n$ if and only if $n \mid (a - b)$.
Definition 2 (congruent residue). For an integer $a$, "$r = a \bmod n$", where $r$ is the least non-negative integer such that $a \equiv r \pmod n$. Equivalently, $r = a - \lfloor a/n \rfloor n$.
$(a \bmod n \pm b \bmod n) \bmod n = (a \pm b) \bmod n$.
$(a \bmod n \cdot b \bmod n) \bmod n = (a \cdot b) \bmod n$.
$a \pm b \equiv a \pm c \pmod n \Rightarrow b \equiv c \pmod n$.
$ab \equiv ac \pmod n$ and $\gcd(a, n) = 1 \Rightarrow b \equiv c \pmod n$.

Euclidean algorithm
Find $\gcd(a, b)$ efficiently.
Find integers $r$ and $s$ with $ra + sb = \gcd(a, b)$ efficiently.

Related problems
1. Congruential residue: given $a$, $b$ and $n$, solve $ax \equiv b \pmod n$. If $b = 1$, $x = a^{-1} \bmod n$.
2. $k$th roots: given $a$ and $n$, solve $x^k \equiv a \pmod n$ (or $x = a^{1/k} \bmod n$).
3. Primality test: given $n$, determine whether $n$ is prime.
4. Factoring: given $n$, find all prime factors of $n$.
5. Discrete logarithm: given $g$, $y$ and $n$, solve $g^x \equiv y \pmod n$ (or $x = \log_g y \bmod n$).

Efficiency
1. The runtime is polynomially proportional to the length (size) of the input.
2. For a given number $n$, there are two measures: value $\mathrm{val}(n)$ (or simply $n$) and length (size) $\mathrm{len}(n)$ (or $|n|$).
3. We have $\mathrm{len}(n) = \lfloor \log_2 \mathrm{val}(n) \rfloor + 1$.
4. Note that $\mathrm{val}(n) = O(2^{|n|})$. For example, $\mathrm{val}(13) = 13$ and $\mathrm{len}(13) = 4$.
5. $a^b \bmod n$ is polynomial-time computable with respect to $\mathrm{len}(a) + \mathrm{len}(b) + \mathrm{len}(n)$.

Chinese remainder theorem
There is a solution for the equation system $x \equiv r_i \pmod{n_i}$, $1 \le i \le m$, where $\gcd(n_i, n_j) = 1$ for $i \ne j$.
Solution: $x = r_1 N_1 (N_1^{-1} \bmod n_1) + \cdots + r_m N_m (N_m^{-1} \bmod n_m)$, where $N_i = n_1 n_2 \cdots n_m / n_i$.

Isomorphism
$\psi : \mathbb{Z}_n \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_m}$, $\psi(x) = (x \bmod n_1, x \bmod n_2, \ldots, x \bmod n_m)$.
Example: $n = pq$, $x \mapsto (x \bmod p, x \bmod q) : \mathbb{Z}_n \to \mathbb{Z}_p \times \mathbb{Z}_q$.
Application: to compute $x = a^b \bmod n$ we compute $(x_1 = a^b \bmod p, x_2 = a^b \bmod q)$ and combine $x_1, x_2$ for $x$.
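The Euclidean algorithm, the CRT formula and the $\mathbb{Z}_{pq} \cong \mathbb{Z}_p \times \mathbb{Z}_q$ application of the last three slides, as an added example that is not part of the slides; function names are my own, and the sample values (including the slides' $n = 221 = 13 \cdot 17$) are constructed.

```python
# Added example (not from the slides): extended Euclid, modular inverse,
# the CRT combination x = sum r_i N_i (N_i^{-1} mod n_i), and the
# isomorphism Z_n ~ Z_p x Z_q used to compute a^b mod pq componentwise.
from math import prod


def egcd(a, b):
    """Return (g, r, s) with r*a + s*b == g == gcd(a, b)."""
    r0, r1 = a, b
    s0, s1, t0, t1 = 1, 0, 0, 1          # invariant: r_i = s_i*a + t_i*b
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0


def inverse_mod(a, n):
    """Solve a*x = 1 (mod n); raises if gcd(a, n) != 1."""
    g, r, _ = egcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {n}: gcd = {g}")
    return r % n


def crt(residues, moduli):
    """x with x = r_i (mod n_i) for pairwise coprime n_i, 0 <= x < prod n_i."""
    n = prod(moduli)
    x = 0
    for r_i, n_i in zip(residues, moduli):
        big_n_i = n // n_i                   # N_i = n_1 ... n_m / n_i
        x += r_i * big_n_i * inverse_mod(big_n_i, n_i)
    return x % n


def pow_mod_pq(a, b, p, q):
    """a^b mod pq (b >= 1) via Z_pq ~ Z_p x Z_q: each component is computed
    with its exponent reduced mod p-1 resp. q-1 (Fermat), then recombined."""
    x1 = pow(a % p, b % (p - 1), p) if a % p else 0
    x2 = pow(a % q, b % (q - 1), q) if a % q else 0
    return crt([x1, x2], [p, q])
```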

Group
Group $G = (S, \circ)$: a set $S$ and an operator $\circ$ such that:
1. (Closure) For every $x, y \in S$, $x \circ y \in S$.
2. (Associativity) For every $x, y, z \in S$, $(x \circ y) \circ z = x \circ (y \circ z)$.
3. (Identity) There is $e \in S$ such that for every $x \in S$, $x \circ e = e \circ x = x$.
4. (Inverse) For every $x \in S$, there is $y \in S$ such that $x \circ y = e$.
$G$ is Abelian (or commutative) if for every $x, y \in S$, $x \circ y = y \circ x$.

1. $(\mathbb{Z}, +)$: $\mathbb{Z}$ is the set of integers and $+$ is the regular addition.
2. $(\mathbb{Q} \setminus \{0\}, \cdot)$: $\mathbb{Q}$ is the set of all rational numbers and $\cdot$ is the regular multiplication.
3. $(\mathbb{Z}_n, +)$: $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$ and $+$ is the congruent addition (mod $n$).
4. $(\mathbb{Z}_n^*, \cdot)$: $\mathbb{Z}_n^* = \{x \mid x \in \mathbb{Z}_n, \gcd(x, n) = 1\}$ and $\cdot$ is the congruent multiplication (mod $n$).
5. $(\mathbb{Z}[x], +)$: $\mathbb{Z}[x]$ is the set of all polynomials with coefficients over $\mathbb{Z}$ and $+$ is the addition of polynomials.

Finite group
$\mathrm{ord}(G)$ or $|G|$: the number of elements in $G$.
$g^k = \underbrace{g \circ g \circ \cdots \circ g}_{k}$.
Theorem 3. If $G$ is a finite group and $g \in G$, then $g^{|G|} = e$.
Proof. Let $G = \{g_1, g_2, \ldots, g_m\}$ and $gG = \{gg_1, gg_2, \ldots, gg_m\}$. We have $gG = G$, which implies $g_1 g_2 \cdots g_m = gg_1 \cdot gg_2 \cdots gg_m$. Therefore, $g_1 g_2 \cdots g_m = g^m g_1 g_2 \cdots g_m$ (the regrouping uses that $G$ is Abelian), and thus $g^m = e$.

(Fermat): $a^{p-1} \bmod p = 1$ for $1 \le a \le p-1$.
(Euler): $a^{\phi(n)} \bmod n = 1$ for $\gcd(a, n) = 1$.
If $G$ is finite, for any $g \in G$, $g^i = g^{i \bmod |G|}$.
For any $g \in G$, $g^{-1} = g^{|G| - 1}$.

Subgroup
$H = (S', \circ)$ is a subgroup of $G = (S, \circ)$ if $H$ is a group and $S' \subseteq S$.
The smallest subgroup of $G$ is $(\{e\}, \circ)$ and the largest subgroup is $G$ itself, $(S, \circ)$.
Theorem 4 (Lagrange's Theorem). If $H$ is a subgroup of a finite group $G$, then $\mathrm{ord}(H) \mid \mathrm{ord}(G)$.

Corollary 5. If $\mathrm{ord}(G)$ is prime, $G$ has only the two trivial subgroups.
Theorem 6. For any $g \in G$, $\langle g \rangle = \{g^i \mid i \ge 0\}$ is a subgroup of $G$.
Definition 7. The order of $g$ is the least $n$ such that $g^n = e$. Also, $\mathrm{ord}(g) = |\langle g \rangle|$.

Cyclic group
A group $G$ is cyclic if and only if there is $g \in G$ with $\langle g \rangle = G$. The element $g$ is called a generator (primitive root) of $G$.
Every group $G$ of a prime order is cyclic and every element in $G \setminus \{e\}$ is a generator.
Every subgroup $H$ of a cyclic group $G = \langle g \rangle$ is also cyclic, with generator $g^{\mathrm{ord}(G)/\mathrm{ord}(H)}$.
Let $G$ be cyclic and $\mathrm{ord}(G) = m$. Then $g$ is a generator of $G$ if and only if $g^{m/p} \ne 1$ for every prime factor $p$ of $m$.

Group $\mathbb{Z}_p^*$
$\mathbb{Z}_p^*$ is cyclic. $\mathrm{ord}(\mathbb{Z}_p^*)$ is $p - 1$, not prime. The number of generators is $\phi(p-1)$.
$QR_p = \{a \mid a \equiv x^2 \text{ has solutions}\}$ is a group. $QNR_p = \{a \mid a \equiv x^2 \text{ has no solutions}\}$ is not a group.
For odd prime $p$, $|QR_p| = |QNR_p| = (p-1)/2$.
If $\gcd(k, p-1) = 1$, it is easy to compute the $k$th root: $a^{1/k} \bmod p = a^{k'} \bmod p$, where $kk' \equiv 1 \pmod{p-1}$.
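The generator test $g^{m/p} \ne 1$, the count $\phi(p-1)$, the size of $QR_p$ and the $k$th-root trick of the last two slides, as an added example that is not part of the slides; the helpers are my own and use trial division, which is fine for the small constructed primes used here.

```python
# Added example (not from the slides): generator test for Z_p^*, the count
# phi(p-1) of generators, |QR_p| = (p-1)/2, and the k-th root
# a^{1/k} = a^{k'} mod p with k k' = 1 (mod p-1) when gcd(k, p-1) = 1.
from math import gcd


def prime_factors(m):
    """Distinct prime factors of m by trial division (m is small here)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def is_generator(g, p):
    """g generates Z_p^* iff g^{(p-1)/q} != 1 for every prime q | p-1."""
    m = p - 1
    return g % p != 0 and all(pow(g, m // q, p) != 1 for q in prime_factors(m))


def phi(n):
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)


def generators(p):
    return [g for g in range(1, p) if is_generator(g, p)]


def quadratic_residues(p):
    """QR_p as the set of non-zero squares mod p."""
    return sorted({pow(x, 2, p) for x in range(1, p)})


def kth_root_mod_p(a, k, p):
    """The unique k-th root of a mod p when gcd(k, p-1) = 1."""
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1 for a unique root")
    k_prime = pow(k, -1, p - 1)          # k * k' = 1 (mod p-1)
    return pow(a, k_prime, p)
```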

Compute square root $a^{1/2} \bmod p$
Case $p = 4k + 3$: $a^{1/2} = a^{(p+1)/4} \bmod p$.
Case $p = 4k + 1$: let $(p-1)/2 = 2^L r$, $r$ odd.
1. Idea: find $s > 0$ with $a^r b^{2s} = 1$. Thus, $a^{1/2} = a^{(r+1)/2} b^s$.
2. Method:
(a) Randomly find $b \in QNR_p$, that is, $b^{(p-1)/2} = -1$.
(b) Let $y_0 = a^{2^L r} b^{s_0} = 1$, $s_0 = 0$. For $i = 1$ to $L$ do (where $y_i = a^{2^{L-i} r} b^{s_i} = 1$): if $y_{i-1}^{1/2} = a^{2^{L-i} r} b^{s_{i-1}/2} = 1$ then $s_i = s_{i-1}/2$ else $s_i = s_{i-1}/2 + (p-1)/2$. Note: all $s_i$ are even and all $y_i = 1$. Think about it!
(c) $y_L = a^r b^{s_L} = 1$, where $s_L$ is even, so $s = s_L/2$ gives $a^{1/2} = a^{(r+1)/2} b^{s_L/2}$.

Compute $a^{1/2} \bmod pq$
1. Compute $x_1 = a^{1/2} \bmod p$ and $x_2 = a^{1/2} \bmod q$.
2. By the CRT, we have $a^{1/2} = [x_1 q (q^{-1} \bmod p) + x_2 p (p^{-1} \bmod q)] \bmod pq$.
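The two square-root cases above and the CRT combination for $pq$, as an added example that is not part of the slides; the $p = 4k+1$ branch follows the $s_i$ iteration of the previous slide literally, the RNG seed and the sample values are constructed, and the function names are my own.

```python
# Added example (not from the slides): square roots mod p for p = 4k+3 and,
# for p = 4k+1, the QNR-based s_i iteration from the slides, then all four
# roots mod pq by combining the roots mod p and mod q with the CRT.
import random


def sqrt_mod_p(a, p, rng=random.Random(1)):
    """A square root of a mod p (p an odd prime, a a quadratic residue)."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:          # Euler's criterion
        raise ValueError("a is not a quadratic residue mod p")
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    # p = 4k+1: write (p-1)/2 = 2^L r with r odd
    half = (p - 1) // 2
    r, big_l = half, 0
    while r % 2 == 0:
        r //= 2
        big_l += 1
    # (a) random b in QNR_p, i.e. b^{(p-1)/2} = -1
    b = rng.randrange(2, p)
    while pow(b, half, p) != p - 1:
        b = rng.randrange(2, p)
    # (b) invariant y_i = a^{2^{L-i} r} b^{s_i} = 1, every s_i even
    s = 0
    for i in range(1, big_l + 1):
        exp_a = (2 ** (big_l - i)) * r
        if pow(a, exp_a, p) * pow(b, s // 2, p) % p == 1:
            s = s // 2
        else:
            s = s // 2 + half
    # (c) a^r b^s = 1 with s even, so (a^{(r+1)/2} b^{s/2})^2 = a
    return pow(a, (r + 1) // 2, p) * pow(b, s // 2, p) % p


def sqrt_mod_pq(a, p, q):
    """All square roots of a mod n = pq, by the CRT on the +-roots mod p, q."""
    n = p * q
    x1, x2 = sqrt_mod_p(a, p), sqrt_mod_p(a, q)
    q_inv, p_inv = pow(q, -1, p), pow(p, -1, q)
    roots = set()
    for r1 in (x1, p - x1):
        for r2 in (x2, q - x2):
            roots.add((r1 * q * q_inv + r2 * p * p_inv) % n)
    return sorted(roots)
```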

Legendre symbol
Definition 8. For an odd prime $p$ and $a \in \mathbb{Z}$,
$L(a, p) = \left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } [a] \in QR_p \\ -1 & \text{if } [a] \notin QR_p \\ 0 & \text{if } p \mid a \end{cases}$
Euler's criterion: $L(a, p) = a^{(p-1)/2} \bmod p$.
Quadratic reciprocity: for odd primes $p$ and $q$, $L(p, q) \cdot L(q, p) = (-1)^{(p-1)(q-1)/4}$.
Multiplicative: $L(ab, p) = L(a, p) L(b, p)$.
$L(-1, p) = 1$ if and only if $p \bmod 4 = 1$.
$L(2, p) = 1$ if and only if $p \bmod 8 = \pm 1$.

Euler's criterion
Theorem 9. Let $p$ be prime. For any $a \in \mathbb{Z}_p^*$, $a \in QR_p$ if and only if $a^{(p-1)/2} \equiv 1 \pmod p$.
Proof. ($\Rightarrow$) Since $a \in QR_p$, $a = b^2 \bmod p$. Thus, $a^{(p-1)/2} \equiv (b^2)^{(p-1)/2} \equiv b^{p-1} \equiv 1 \pmod p$.
($\Leftarrow$) Let $g$ be a generator of $\mathbb{Z}_p^*$ and $a = g^i$ for some $1 \le i \le p-1$. Thus, $a^{(p-1)/2} \equiv g^{i(p-1)/2} \equiv 1 \pmod p$. We have $(p-1) \mid i(p-1)/2$, so $i$ is even and $a = (g^{i/2})^2 \in QR_p$.

Group $G_q$ of a prime order $q$
Merits: every element except $1$ is a generator.
If $p = 2q + 1$, then the subgroup $G_q = QR_p = \{g^2 \bmod p \mid g \in \mathbb{Z}_p^*\}$ is a group of order $q$.
Example: $p = 11 = 2 \cdot 5 + 1$. $G_5 = \{1, 3, 4, 5, 9\} \bmod 11$.
The general form is $p = kq + 1$, where $q$ is a sufficiently large prime, say, 160 bits. Then the subgroup $G_q = \{g^k \mid g \in \mathbb{Z}_p^*\} = \{g \mid g = e \text{ or } \mathrm{ord}(g) = q\}$, which is the $k$th residuosity.

DL assumption
$R_n$: the set of $n$-bit primes $p = 2q + 1$, where $q$ is also prime.
Assumption 10. No probabilistic poly-time algorithm can solve any significant portion of instances of $x = \log_g y \bmod p$, where $p = 2q + 1$ is prime and $g, y \in G_q$.
Formally, for any probabilistic poly-time algorithm $A$, for any $k > 0$, there is $m_0$ such that for any $m > m_0$,
$\Pr_{p \in R_m,\, g \in G_q \setminus \{1\},\, y \in G_q}[A(y, g, p) = \log_g y \bmod p] \le 1/m^k$.

Group $\mathbb{Z}_n^*$
Hard problems ($\phi(n)$ is unknown):
1. To find the prime factorization of $n$.
2. To determine quadratic residuosity over $\mathbb{Z}_n^*$.
3. To solve the $k$th root problem over $\mathbb{Z}_n^*$ for any fixed $k \ge 2$.
4. To find generators of $\mathbb{Z}_n^*$ if $\mathbb{Z}_n^*$ is cyclic.
$\mathbb{Z}_n^*$ is cyclic iff $n = 2, 4, p^k$, or $2p^k$, where $p$ is an odd prime.
For $n = pq$, $a \in QR_n$ if and only if $a \in QR_p$ and $a \in QR_q$.

Factoring $n = pq$ and computing $\phi(n)$
1. Factoring $n = pq$ $\Rightarrow$ computing $\phi(n)$: easy.
2. Computing $\phi(n)$ $\Rightarrow$ factoring $n = pq$: $\phi(n) = (p-1)(q-1) = n - (p+q) + 1$. Let $a = p + q = n - \phi(n) + 1$ and $b = n = pq$. Solve the quadratic equation $x^2 - ax + b = 0$ for $p$ and $q$.

Jacobi symbol
Definition 11. For an odd $n = p_1^{e_1} p_2^{e_2} \cdots p_r^{e_r}$ and $a \in \mathbb{Z}$, $J(a, n) = \left(\frac{a}{n}\right) = L(a, p_1)^{e_1} L(a, p_2)^{e_2} \cdots L(a, p_r)^{e_r}$.
Let $n = pq$. If $J(a, n) = -1$, $a \in QNR_n$; $J(a, n) = 1$ does not imply $a \in QR_n$, since it may be that $J(a, n) = 1 = L(a, p) L(a, q) = (-1)(-1)$.
Quadratic reciprocity law: if $n$ and $m$ are odd with $\gcd(n, m) = 1$, $J(m, n) = (-1)^{(m-1)(n-1)/4} J(n, m)$.
$J(a, n)$: poly-time computable without the prime factors of $n$.

Let $J_n^{+1} = \{a \in \mathbb{Z}_n^* \mid J(a, n) = 1\}$ and $J_n^{-1} = \{a \in \mathbb{Z}_n^* \mid J(a, n) = -1\}$.
$QR_n \subseteq J_n^{+1}$. Elements in $J_n^{+1} \setminus QR_n$ are called pseudo-squares of $\mathbb{Z}_n^*$.
$J_n^{-1} \subseteq QNR_n$.
If an odd $n = m^2$ for some $m$, $J(a, n) = 1$ for all $a \in \mathbb{Z}_n^*$. Otherwise, $|J_n^{+1}| = |J_n^{-1}| = \phi(n)/2$.

Blum integer
$n = pq$, where $p \bmod 4 = q \bmod 4 = 3$.
$-1 \in J_n^{+1}$, but $-1 \notin QR_n$.
$|J_n^{+1}| = |J_n^{-1}| = \phi(n)/2$. $|QR_n| = \phi(n)/4$.
$|J_n^{+1} \cap QR_n| = |J_n^{+1} \cap QNR_n| = \phi(n)/4$.

QR assumption
$J(a, n)$ leaks information about $a$. Let $B_m$ be the set of Blum integers of $m$-bit length.
Assumption 12. No probabilistic poly-time algorithm can solve the problem: given a Blum integer $n$ and a number $a$ with $J(a, n) = 1$, determine whether $a \in QR_n$.
Formally, for any probabilistic poly-time algorithm $A$, for any $k > 0$, there is $m_0$ such that for every $m > m_0$,
$\Pr_{n \in B_m,\, a \in \mathbb{Z}_n^*,\, J(a, n) = 1}[A(a, n) = L(a, n)] \le 1/2 + 1/m^k$.

Primes
1. $\pi(x) = |\{p \le x \mid p \text{ is prime}\}| \approx x / \ln(x)$. The density $1/\ln(x)$ is quite high.
2. $\pi_{b,c}(x) = |\{p \le x \mid p = bk + c \text{ is prime}, k \in \mathbb{Z}\}| \approx x / (\phi(b) \ln(x))$.
3. $|\{p \le x \mid p = bk + c \text{ is prime}, k \text{ is prime}\}| \approx x / (\phi(b) \ln(x/b) \ln(x))$.

Solovay-Strassen primality test
Let $B_n = \{a \in \mathbb{Z}_n^* \mid J(a, n) = a^{(n-1)/2} \bmod n\}$.
$B_n$ is a subgroup of $\mathbb{Z}_n^*$. If $n$ is an odd prime, $B_n = \mathbb{Z}_n^*$.
Fact: If $n$ is not prime and $B_n = \mathbb{Z}_n^*$, then $n = p_1 p_2 \cdots p_k$ is a product of distinct primes.

Theorem 13. If $n$ is an odd composite, $|B_n| \le \phi(n)/2$.
Proof. By the above fact, we consider $n = p_1 p_2 \cdots p_k$ only. Let $v \in QNR_{p_1}$. Find $x$ for:
1. $x \equiv 1 \pmod{p_2 p_3 \cdots p_k}$, and
2. $x \equiv v \pmod{p_1}$.
If $B_n = \mathbb{Z}_n^*$, $J(x, n) = J(v, p_1) J(1, p_2 p_3 \cdots p_k) = -1 = x^{(n-1)/2} \bmod n$. Therefore, $x^{(n-1)/2} \equiv -1 \pmod{p_2 p_3 \cdots p_k}$. This contradicts $x^{(n-1)/2} \equiv 1 \pmod{p_2 p_3 \cdots p_k}$. Hence $B_n$ is a proper subgroup of $\mathbb{Z}_n^*$, and by Lagrange's theorem $|B_n| \le \phi(n)/2$.

Algorithm
Input: odd $n > 1$;
1. Randomly select $a_1, a_2, \ldots, a_m \in \mathbb{Z}_n^*$;
2. If some $a_i \notin B_n$, output (COMPOSITE);
3. Output (PRIME).
Error probabilities:
$\Pr[\text{output} = \text{PRIME} \mid n \text{ is not prime}] \le 1/2^m$.
$\Pr[\text{output} = \text{PRIME} \mid n \text{ is prime}] = 1$.

Example: test if $n = 221$ is prime.
Randomly choose $a_1 = 47$ and compute $a_1^{(n-1)/2} \bmod n = 47^{110} \bmod 221 = -1 \bmod 221$ and $J(47, 221) = -1$.
Randomly choose $a_2 = 2$ and compute $a_2^{(n-1)/2} \bmod n = 2^{110} \bmod 221 = 30 \bmod 221$ and $J(2, 221) = -1$.
Thus, 221 is not prime.
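The Jacobi symbol computed by quadratic reciprocity (the "poly-time without prime factors" claim of the Jacobi slide) and the Solovay-Strassen set $B_n$ and test of the last three slides, as an added example that is not part of the slides; it replays the $n = 221$ example with bases $47$ and $2$ and checks Theorem 13 by exhaustion. The binary Jacobi algorithm is the standard one, not something the slides spell out, and the function names are my own.

```python
# Added example (not from the slides): J(a, n) via reciprocity and the
# (2/n) rule, membership in B_n = {a : J(a, n) = a^{(n-1)/2} mod n}, the
# Solovay-Strassen test, and |B_n| by exhaustion to check Theorem 13.
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0; never factors n."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # reciprocity: sign flips iff both
        if a % 4 == 3 and n % 4 == 3:     # are 3 (mod 4)
            result = -result
        a %= n
    return result if n == 1 else 0        # n > 1 here means gcd(a, n) > 1


def in_b_n(a, n):
    """a in B_n: J(a, n) agrees with a^{(n-1)/2} mod n read as -1, 0 or 1."""
    e = pow(a, (n - 1) // 2, n)
    return jacobi(a, n) == (-1 if e == n - 1 else e)


def solovay_strassen(n, bases):
    """False if some base lies outside B_n (n is composite); True otherwise
    (n prime, or composite with probability <= 2^-len(bases))."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0:
        return False
    return all(gcd(a, n) == 1 and in_b_n(a, n) for a in bases)


def liar_count(n):
    """|B_n| by exhaustion; Theorem 13: <= phi(n)/2 for odd composite n."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1 and in_b_n(a, n))


def phi(n):
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)
```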

Rabin-Miller primality test
Let $n - 1 = 2^t u$, $u$ odd. Let $B_n = \{b \in \mathbb{Z}_n^* \mid \theta(b, n) = 1\}$, where
$\theta(b, n) = \begin{cases} 1 & \text{if } b^u = 1 \text{ or } b^{u 2^j} = -1 \text{ for some } 0 \le j \le t-1 \\ 0 & \text{otherwise} \end{cases}$
$B_n$ is a subgroup of $\mathbb{Z}_n^*$. If $n$ is an odd prime, $B_n = \mathbb{Z}_n^*$. If $n$ is odd and composite, $|B_n| \le \phi(n)/4$.
Error probabilities:
$\Pr[\text{output} = \text{PRIME} \mid n \text{ is not prime}] \le 1/4^m$.
$\Pr[\text{output} = \text{PRIME} \mid n \text{ is prime}] = 1$.
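The $\theta(b, n)$ predicate and the Rabin-Miller test of this slide, as an added example that is not part of the slides; it is run on the same constructed $n = 221$ as the Solovay-Strassen example above, where $47$ turns out to be a strong liar and $2$ a witness, and counts $B_n$ exhaustively to check the $\phi(n)/4$ bound. Function names are my own.

```python
# Added example (not from the slides): theta(b, n) from the definition,
# the Rabin-Miller test, and an exhaustive count of B_n to check
# |B_n| <= phi(n)/4 on n = 221 = 13 * 17.
from math import gcd


def split_n_minus_1(n):
    """Write n - 1 = 2^t u with u odd; returns (t, u)."""
    t, u = 0, n - 1
    while u % 2 == 0:
        t += 1
        u //= 2
    return t, u


def theta(b, n):
    """1 if b^u = 1 or b^{u 2^j} = -1 for some 0 <= j <= t-1, else 0."""
    t, u = split_n_minus_1(n)
    x = pow(b, u, n)
    if x == 1:
        return 1
    for _ in range(t):                # j = 0 .. t-1
        if x == n - 1:
            return 1
        x = x * x % n                 # b^{u 2^{j+1}}
    return 0


def rabin_miller(n, bases):
    """False if some base has theta = 0 (n composite); True otherwise
    (n prime, or composite with probability <= 4^-len(bases))."""
    if n == 2:
        return True
    if n < 2 or n % 2 == 0:
        return False
    return all(gcd(b, n) == 1 and theta(b, n) == 1 for b in bases)


def strong_liar_count(n):
    """|B_n| by exhaustion (fine for the small n used here)."""
    return sum(1 for b in range(1, n) if gcd(b, n) == 1 and theta(b, n) == 1)


def phi(n):
    return sum(1 for x in range(1, n + 1) if gcd(x, n) == 1)
```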

Poly-time algorithm for primality
AKS algorithm, March 2003: $O(\log^{12} n)$. Latest: $O(\log^6 n)$.
Theorem 14. For any $a \in \mathbb{Z}_p^*$, $p$ is prime if and only if $(x - a)^p \equiv x^p - a \pmod p$. (1)
Consider $(x - a)^p \equiv x^p - a \pmod{x^r - 1, p}$. This can be evaluated in $O(r^2 \log^3 p)$. If $p$ is prime, it holds for all $(a, r)$.

If $p$ is composite, it holds for a few $(a, r)$.
There exists a prime $r$ of size $O(\log^6 p)$ such that
- $r - 1$ contains a prime factor $q$ of size at least $r^{1/2 + \delta}$ for some constant $\delta > 0$, and
- $q \mid \mathrm{ord}_r(n)$.
If $p$ is composite, for any such $r$, the number of $a$'s that satisfy the equation is smaller than $O(r^{1/2} \log p)$.
A deterministic poly-time algorithm for primality testing is to find an $(r, a)$ that does not satisfy $(x - a)^p \equiv x^p - a \pmod{x^r - 1, p}$. The runtime is $O(\log^{12} n)$.

Input: $n > 1$;
1. if ($n$ is of the form $a^b$, $b > 1$) then return (COMPOSITE);
2. $r = 2$;
3. while ($r < n$) {
4. if ($\gcd(n, r) \ne 1$) then return (COMPOSITE);
5. if ($r$ is prime)
6. let $q$ be the largest prime factor of $r - 1$;
7. if ($q \ge 4\sqrt{r} \log n$) and $n^{(r-1)/q} \not\equiv 1 \pmod r$, then break;
8. $r = r + 1$; }
9. for $a = 1$ to $2\sqrt{r} \log n$
10. if ($(x - a)^n \not\equiv x^n - a \pmod{x^r - 1, n}$) then return (COMPOSITE);
11. return (PRIME).
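The polynomial congruence of Theorem 14 and of step 10 above, evaluated in $\mathbb{Z}_n[x]/(x^r - 1)$ by square-and-multiply, as an added example that is not part of the slides; it does not implement the $r$ search of steps 2-8, and the sample moduli are constructed. Function names are my own.

```python
# Added example (not from the slides): test (x - a)^n = x^n - a
# (mod x^r - 1, n) with polynomials stored as coefficient lists of length r.
# With r > n nothing wraps, which gives the plain form (1) of Theorem 14.


def poly_mul_mod(f, g, r, n):
    """Product of f and g in Z_n[x]/(x^r - 1): exponents wrap modulo r."""
    h = [0] * r
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                if gj:
                    k = (i + j) % r
                    h[k] = (h[k] + fi * gj) % n
    return h


def poly_pow_mod(base, e, r, n):
    """base^e in Z_n[x]/(x^r - 1): O(log e) multiplications of O(r^2) each."""
    result = [1] + [0] * (r - 1)
    while e:
        if e & 1:
            result = poly_mul_mod(result, base, r, n)
        base = poly_mul_mod(base, base, r, n)
        e >>= 1
    return result


def aks_congruence_holds(a, r, n):
    """True iff (x - a)^n = x^n - a (mod x^r - 1, n); needs r >= 2, n >= 2."""
    assert r >= 2 and n >= 2
    lhs_base = [0] * r
    lhs_base[0] = (-a) % n               # constant term -a
    lhs_base[1] = (lhs_base[1] + 1) % n  # plus x
    lhs = poly_pow_mod(lhs_base, n, r, n)
    rhs = [0] * r
    rhs[0] = (-a) % n
    rhs[n % r] = (rhs[n % r] + 1) % n    # x^n reduced mod x^r - 1
    return lhs == rhs


def theorem_14_holds(a, n):
    """Form (1) without reduction mod x^r - 1: pick r = n + 1 so no wrap."""
    return aks_congruence_holds(a, n + 1, n)
```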