CS 6260 Some number theory. Groups


Let Z = {..., -2, -1, 0, 1, 2, ...} denote the set of integers. Let Z+ = {1, 2, ...} denote the set of positive integers and ℕ = {0, 1, 2, ...} the set of non-negative integers. If a, N are integers with N > 0 then there are unique integers q, r such that a = Nq + r and 0 ≤ r < N.

We associate to any positive integer N the following two sets:
  Z_N  = {0, 1, ..., N-1}
  Z*_N = { i ∈ Z_N : 1 ≤ i ≤ N-1 and gcd(i, N) = 1 }

Groups

Def. Let G be a non-empty set and let · denote a binary operation on G. We say that G is a group if it has the following properties:
1. Closure: For every a, b ∈ G it is the case that a · b is also in G.
2. Associativity: For every a, b, c ∈ G it is the case that (a · b) · c = a · (b · c).
3. Identity: There exists an element 1 ∈ G such that a · 1 = 1 · a = a for all a ∈ G.
4. Invertibility: For every a ∈ G there exists a unique b ∈ G such that a · b = b · a = 1. This b is called the inverse of a and is denoted a^-1.

Fact. Let N be a positive integer. Then Z_N is a group under addition modulo N, and Z*_N is a group under multiplication modulo N.

In any group, we can define an exponentiation operation:
  if i = 0 then a^i is defined to be 1,
  if i > 0 then a^i = a · a · ... · a (i times),
  if i < 0 then a^i = a^-1 · a^-1 · ... · a^-1 (j = -i times).
For all a ∈ G and all i, j ∈ Z:
  a^(i+j) = a^i · a^j
  (a^i)^j = a^(ij)
  a^-i = (a^i)^-1 = (a^-1)^i

The order of a group is its size.

Fact. Let G be a group and let m = |G| be its order. Then a^m = 1 for all a ∈ G.
Fact. Let G be a group and let m = |G| be its order. Then a^i = a^(i mod m) for all a ∈ G and all i ∈ Z.

Example. Let us work in the group Z*_21 = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20} under the operation of multiplication modulo 21. Here m = 12, so
  5^86 mod 21 = 5^(86 mod 12) mod 21 = 5^2 mod 21 = 25 mod 21 = 4.

If G is a group, a set S ⊆ G is called a subgroup if it is a group in its own right, under the same operation as that under which G is a group. If we already know that G is a group, there is a simple way to test whether S is a subgroup: it is one if and only if x · y^-1 ∈ S for all x, y ∈ S. Here y^-1 is the inverse of y in G.

Fact. Let G be a group and let S be a subgroup of G. Then the order of S divides the order of G.

Algorithms and their running times

Since in cryptography we will be working with BIG numbers, the complexity of algorithms taking numbers as inputs is measured as a function of the bit-length of the numbers. E.g. PrintInBinary(A), where A = 2^k, takes k operations.

Some basic algorithms (|x| denotes the bit-length of x):

  Algorithm   Input                     Output                                        Running time
  INT-DIV     a, N (N > 0)              (q, r) with a = Nq + r and 0 ≤ r < N          O(|a|·|N|)
  MOD         a, N (N > 0)              a mod N                                       O(|a|·|N|)
  EXT-GCD     a, b ((a, b) ≠ (0, 0))    (d, a', b') with d = gcd(a, b) = aa' + bb'    O(|a|·|b|)
  MOD-ADD     a, b, N (a, b ∈ Z_N)      (a + b) mod N                                 O(|N|)
  MOD-MULT    a, b, N (a, b ∈ Z_N)      ab mod N                                      O(|N|^2)
  MOD-INV     a, N (a ∈ Z*_N)           b ∈ Z*_N with ab ≡ 1 (mod N)                  O(|N|^2)
  MOD-EXP     a, n, N (a ∈ Z_N)         a^n mod N                                     O(|n|·|N|^2)
  EXP_G       a, n (a ∈ G)              a^n ∈ G                                       2|n| G-operations
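The EXT-GCD, MOD-INV and MOD-EXP rows of the table, together with the exponent-reduction trick used in the Z*_21 example, as an added example (my own code, not from the lecture notes; function names are my own):

```python
# Added example (not from the lecture notes): EXT-GCD, MOD-INV and MOD-EXP
# from the running-time table, plus the a^i = a^(i mod m) trick from Z*_21.
from math import gcd

def ext_gcd(a, b):
    """EXT-GCD: return (d, a1, b1) with d = gcd(a, b) = a*a1 + b*b1."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r                      # one INT-DIV step
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t

def mod_inv(a, n):
    """MOD-INV: b in Z*_n with a*b = 1 (mod n); raises if gcd(a, n) != 1."""
    d, a1, _ = ext_gcd(a % n, n)
    if d != 1:
        raise ValueError(f"{a} has no inverse modulo {n}")
    return a1 % n

def mod_exp(a, n, modulus):
    """MOD-EXP by square-and-multiply: returns (a^n mod modulus, #mults).
    At most 2|n| multiplications, the EXP_G bound from the table."""
    result, base, mults = 1, a % modulus, 0
    while n > 0:
        if n & 1:                           # multiply step for a set bit
            result = result * base % modulus
            mults += 1
        base = base * base % modulus        # squaring step for every bit
        mults += 1
        n >>= 1
    return result, mults

def z_star(n):
    """Z*_n = { i : 1 <= i <= n-1 and gcd(i, n) = 1 }."""
    return [i for i in range(1, n) if gcd(i, n) == 1]

def exp_by_order(a, i, n):
    """Reduce the exponent first: a^i = a^(i mod m) with m = |Z*_n|."""
    m = len(z_star(n))
    return mod_exp(a, i % m, n)[0]
```

Both routes give 5^86 mod 21 = 4; the reduced exponent 2 costs only two multiplications instead of the eleven that square-and-multiply spends on 86.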

Cyclic groups and generators

If g ∈ G is any member of the group, the order of g is defined to be the least positive integer n such that g^n = 1. We let <g> = { g^i : i ∈ Z_n } = {g^0, g^1, ..., g^(n-1)} denote the set of group elements generated by g. This is a subgroup of order n.

Def. An element g of the group is called a generator of G if <g> = G, or, equivalently, if its order is m = |G|.
Def. A group is cyclic if it contains a generator.

If g is a generator of G, then for every a ∈ G there is a unique integer i ∈ Z_m such that g^i = a. This i is called the discrete logarithm of a to base g, and we denote it by DLog_{G,g}(a). DLog_{G,g} is a function that maps G to Z_m, and moreover this function is a bijection.

Example. Let p = 11. Then Z*_11 = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} has order p - 1 = 10. We find the subgroups generated by the group elements 2 and 5. We raise them to the powers 0, ..., 9.

  i           0  1  2  3  4   5  6  7  8  9
  2^i mod 11  1  2  4  8  5  10  9  7  3  6
  5^i mod 11  1  5  3  4  9   1  5  3  4  9

<2> = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10} = Z*_11
<5> = {1, 3, 4, 5, 9}
2 is a generator and thus Z*_11 is cyclic.

  a                  1  2  3  4  5  6  7  8  9  10
  DLog_{Z*_11,2}(a)  0  1  8  2  4  9  7  3  6   5

The function from Z_m to G defined by i ↦ g^i is called the discrete exponentiation function.

Choosing cyclic groups and generators

The discrete log function is conjectured to be one-way (hard to compute) for some cyclic groups G. Due to this fact we often seek cyclic groups. Examples of cyclic groups: Z*_p for a prime p; any group of prime order.

We will also need generators. How to choose a candidate and test it?

Fact. Let G be a cyclic group and let m = |G|. Let p_1^α_1 · ... · p_n^α_n be the prime factorization of m and let m_i = m/p_i for i = 1, ..., n. Then g ∈ G is a generator of G if and only if for all i = 1, ..., n: g^(m_i) ≠ 1.

Example. Let us determine all the generators of the group Z*_11. Its size is m = φ(11) = 10, and the prime factorization of 10 is 2^1 · 5^1. Thus, the test for whether a given a ∈ Z*_11 is a generator is that a^2 ≢ 1 (mod 11) and a^5 ≢ 1 (mod 11).

  a           1   2  3  4  5   6   7   8  9  10
  a^2 mod 11  1   4  9  5  3   3   5   9  4   1
  a^5 mod 11  1  10  1  1  1  10  10  10  1  10

Gen(Z*_11) = {2, 6, 7, 8}.

Double-checking: |Z*_11| = 10, Z*_10 = {1, 3, 7, 9}, and { 2^i ∈ G : i ∈ Z*_10 } = { 2^1, 2^3, 2^7, 2^9 (mod 11) } = {2, 6, 7, 8}.

Fact. Let G be a cyclic group of order m, and let g be a generator of G. Then Gen(G) = { g^i ∈ G : i ∈ Z*_m } and |Gen(G)| = φ(m).
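The generator test from the Fact above, the DLog table, and the Gen(G) = { g^i : i ∈ Z*_m } double-check, applied to Z*_11, as an added example (my own code, not from the lecture notes; the trial-division factorization is an assumption that suffices for small m):

```python
# Added example (not from the lecture notes): the generator test from the
# Fact above, g^(m/p_i) != 1 for every prime p_i dividing m, applied to Z*_11,
# plus the DLog table and the Gen(G) = { g^i : i in Z*_m } double-check.
from math import gcd

def prime_factors(m):
    """Distinct prime factors of m by trial division (fine for small m)."""
    factors, d = [], 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors

def is_generator(g, p):
    """g generates Z*_p (p prime, so m = p-1) iff g^(m/q) != 1 for all q | m."""
    m = p - 1
    return all(pow(g, m // q, p) != 1 for q in prime_factors(m))

def generators(p):
    """Gen(Z*_p) found by testing every element."""
    return [g for g in range(1, p) if is_generator(g, p)]

def dlog_table(g, p):
    """Brute-force DLog_{Z*_p, g}: maps a -> the unique i in Z_{p-1} with g^i = a."""
    return {pow(g, i, p): i for i in range(p - 1)}

def generators_from_one(g, p):
    """Gen(G) = { g^i : i in Z*_m } for one known generator g; has phi(m) elements."""
    m = p - 1
    return sorted(pow(g, i, p) for i in range(1, m) if gcd(i, m) == 1)
```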

Algorithm for finding a generator

The most common choice of a group in crypto is Z*_p for a prime p.

Idea. Pick a random element and test it. Choose p s.t. the prime factorization of the order of the group (p - 1) is known. E.g., choose a prime p s.t. p = 2q + 1 for some prime q.

Algorithm FIND-GEN(p)
  q ← (p - 1)/2
  found ← 0
  While (found ≠ 1) do
    g ←$ Z*_p \ {1, p-1}
    If (g^2 mod p ≠ 1) and (g^q mod p ≠ 1) then found ← 1
  EndWhile
  Return g

The probability that an iteration of the algorithm is successful in finding a generator is
  |Gen(Z*_p)| / (|Z*_p| - 2) = φ(p-1)/(p-3) = φ(2q)/(2q-2) = (q-1)/(2q-2) = 1/2.

Squares and non-squares

Def. An element a of a group G is called a square, or quadratic residue, if it has a square root, meaning there is some b ∈ G such that b^2 = a in G. We let QR(G) = { g ∈ G : g is a quadratic residue in G }.

We are mostly interested in the case where the group G is Z*_N for some integer N.

Defs. An integer a is called a square mod N or quadratic residue mod N if a mod N is a member of QR(Z*_N). If b^2 ≡ a (mod N) then b is called a square-root of a mod N. An integer a is called a non-square mod N or quadratic non-residue mod N if a mod N is a member of Z*_N \ QR(Z*_N).

Def. Let p be a prime. Define the Legendre symbol of a:
  J_p(a) = 1 if a is a square mod p; 0 if a mod p = 0; -1 otherwise.

Example. QR(Z*_11)?

  a           1  2  3  4  5  6  7  8  9  10
  a^2 mod 11  1  4  9  5  3  3  5  9  4   1

QR(Z*_11) = {1, 3, 4, 5, 9}. Recall that Z*_11 is cyclic and 2 is a generator.

Fact. A generator is always a non-square. (But not all non-squares are generators.)

  a                  1   2  3  4  5   6   7   8  9  10
  DLog_{Z*_11,2}(a)  0   1  8  2  4   9   7   3  6   5
  J_11(a)            1  -1  1  1  1  -1  -1  -1  1  -1

Facts. Let p ≥ 3 be a prime. Then
  J_p(a) ≡ a^((p-1)/2) (mod p) for any a ∈ Z*_p;
  g^((p-1)/2) ≡ -1 (mod p) for any generator g ∈ Z*_p;
  J_p(ab mod p) = J_p(a) · J_p(b) for any a, b ∈ Z*_p;
  J_p(g^xy mod p) = 1 if and only if J_p(g^x mod p) = 1 or J_p(g^y mod p) = 1, for any generator g ∈ Z*_p and any x, y ∈ Z_{p-1};
  Pr[ x ←$ Z_{p-1}; y ←$ Z_{p-1} : J_p(g^xy) = 1 ] = 3/4 for any generator g ∈ Z*_p.

Fact. Let p ≥ 3 be a prime and let g be a generator of Z*_p. Then QR(Z*_p) = { g^i : i ∈ Z_{p-1} and i is even }, and |QR(Z*_p)| = (p-1)/2.
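FIND-GEN for a safe prime, the Legendre symbol computed through the Euler-criterion Fact, and exhaustive checks of the even-powers description of QR(Z*_p) and of the 3/4 probability, as an added example (my own code, not from the lecture notes; function names are my own, and the random choice of g uses Python's secrets module):

```python
# Added example (not from the lecture notes): FIND-GEN for a safe prime
# p = 2q + 1, the Legendre symbol via Euler's criterion, and exhaustive checks
# of QR(Z*_p) = { g^i : i even } and of Pr[J_p(g^xy) = 1] = 3/4.
import secrets
from fractions import Fraction

def find_gen(p):
    """FIND-GEN(p) as in the notes; assumes p = 2q + 1 with q prime."""
    q = (p - 1) // 2
    while True:
        g = 2 + secrets.randbelow(p - 3)        # g <-$ Z*_p \ {1, p-1}
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return g

def legendre(a, p):
    """J_p(a) for an odd prime p, via Euler's criterion a^((p-1)/2) mod p."""
    if a % p == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1

def qr(p):
    """QR(Z*_p) straight from the definition: every a with some b^2 = a."""
    return sorted({pow(b, 2, p) for b in range(1, p)})

def qr_as_even_powers(g, p):
    """The same set written as { g^i : i in Z_{p-1}, i even }, g a generator."""
    return sorted(pow(g, i, p) for i in range(0, p - 1, 2))

def prob_gxy_is_square(g, p):
    """Exact Pr over x, y in Z_{p-1} that J_p(g^xy) = 1 (should be 3/4)."""
    m = p - 1
    hits = sum(legendre(pow(g, x * y, p), p) == 1
               for x in range(m) for y in range(m))
    return Fraction(hits, m * m)
```

On p = 11 the J_11 values reproduce the table above, and any g returned by find_gen is a non-square, as the Fact about generators predicts.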

Groups of prime order

Def. An element h of a group G is called non-trivial if it is not equal to the identity element of the group.

Fact. Any non-trivial member of a group of prime order is a generator of the group.

Fact. Let q ≥ 3 be a prime such that p = 2q + 1 is also prime. Then QR(Z*_p) is a group of prime order q. Furthermore, if g is any generator of Z*_p, then g^2 mod p is a generator of QR(Z*_p).

Fact. Let g be a generator of a group of prime order q. Then for any element Z of the group
  Pr[ x ←$ Z_q; y ←$ Z_q : g^xy = Z ] = (1/q)(1 - 1/q) if Z ≠ 1, and (1/q)(2 - 1/q) if Z = 1.

Example. Let q = 5 and p = 2q + 1 = 11. QR(Z*_11) = {1, 3, 4, 5, 9}. We know that 2 is a generator of Z*_11. Let's verify that 4 = 2^2 is a generator of QR(Z*_11):

  i           0  1  2  3  4
  4^i mod 11  1  4  5  9  3
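The prime-order subgroup QR(Z*_p) generated by g^2 and the exact distribution of g^xy from the last Fact, checked on the p = 11, q = 5 example, as an added example (my own code, not from the lecture notes; function names are my own, and the inputs are assumed to be a safe prime p = 2q + 1 and a generator g of Z*_p):

```python
# Added example (not from the lecture notes): QR(Z*_p) for a safe prime
# p = 2q + 1 as a group of prime order q generated by g^2, plus the exact
# distribution of g^xy for x, y <-$ Z_q from the last Fact, checked on p = 11.
from fractions import Fraction

def qr_subgroup(g, p):
    """<g^2> for a generator g of Z*_p, p = 2q + 1; this is QR(Z*_p)."""
    h = pow(g, 2, p)
    q = (p - 1) // 2
    return h, sorted(pow(h, i, p) for i in range(q))

def every_nontrivial_element_generates(h, p):
    """Prime-order fact: each element other than 1 generates the whole group."""
    q = (p - 1) // 2
    group = {pow(h, i, p) for i in range(q)}
    return all({pow(z, i, p) for i in range(q)} == group
               for z in group if z != 1)

def prob_gxy_equals(h, p, z):
    """Pr[x, y <-$ Z_q : h^(xy) = z], computed exactly by enumerating Z_q x Z_q."""
    q = (p - 1) // 2
    hits = sum(pow(h, x * y, p) == z for x in range(q) for y in range(q))
    return Fraction(hits, q * q)

def predicted_prob(q, z_is_identity):
    """Closed form from the notes: (1/q)(2 - 1/q) if Z = 1, else (1/q)(1 - 1/q)."""
    inv_q = Fraction(1, q)
    return inv_q * ((2 - inv_q) if z_is_identity else (1 - inv_q))
```

For q = 5 the enumeration gives 9/25 for Z = 1 and 4/25 for every other Z, matching the closed form; the identity is the most likely value because xy ≡ 0 whenever either exponent is 0.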